PKCS#11 Extension HA Status Call - improved

A Luna extension to the PKCS#11 standard allows query of the HA group state in near real-time.

Unlike the old, similar-named CA_GetHAState, this function CA_GetCurrentHAState

>performs all checks in parallel

>does not open a session with each member partition and then close it -- aside from the overhead of the old approach, it also took place behind the auto-recovery mechanism, which could result in orphan sessions, so the newer approach avoids that risk

>rather, this API

first, checks the driver instance (there is one for every member), and only if that is valid does it go on (for that member) and

second, checks socket status attached to the instance, and if that is OK, then

third, uses a lightweight call (via existing session) to confirm that the member is reachable and usable; this call is sent only to those members that have the ability to handle it (determined by their passing the first two checks).

If any of those checks fails the check on that member stops trying and the failed status goes to the report that is displayed following the configured timeout. Timout defaults to 3 seconds for the check of all group members, but can be set as high as 60 seconds by the statusTimeout configuration option in the HAConfiguration section of the Chrystoki.conf / crystoki.ini file (see Configuration File Summary).

The default of 3 seconds assumes the environment is supportive, meaning an operational environment with good IT conditions (including network, CPU, RAM, storage), and reasonable levels of perturbations, within 20% of optimal conditions.

NOTE   This feature includes internal fail-safes to avoid race conditions, but invocation from an outside application must be threadsafe.

At the time of introduction (December 2023) this feature is implemented for C++.

Function Definition

CK_RV CK_ENTRY CA_GetCurrentHAState( CK_SLOT_ID slotId, CK_HA_STATE_PTR pState );

The structure definitions for a CK_HA_STATE_PTR and CK_HA_MEMBER are:

typedef struct CK_HA_MEMBER{
CK_ULONG memberSerial;
CK_RV memberStatus;
}CK_HA_MEMBER;


typedef struct CK_HA_STATUS{
CK_ULONG groupSerial;
CK_HA_MEMBER memberList[CK_HA_MAX_MEMBERS];
CK_USHORT listSize;
}CK_HA_STATUS;