Error code 2147484548


pier...@gmail.com

Dec 14, 2017, 2:36:42 AM
to Pkcs11Interop
Hi all,

can you help me find out what the code in the following message is?

"Method C_OpenSession returned 2147484548"

I got this error while trying to open a session when the connection went out, so the cause is the lack of connectivity, but I'd like to know if this code can help me manage this case better, to avoid further problems when there is no connection to the HSM.

Jaroslav Imrich

Dec 16, 2017, 1:42:13 PM
to Pkcs11Interop, pier...@gmail.com
The exception you are getting says that the low-level PKCS#11 function C_OpenSession returned the vendor-specific error 0x80000384. You will need to discuss documentation provided by the device vendor or contact vendor support to get a better understanding of how to handle or avoid this specific error. Pkcs11Interop allows you to handle this specific error with the following code:

try
{
    // Your code
}
catch (Pkcs11Exception p11ex)
{
    if (p11ex.Method == "C_OpenSession" && (uint)p11ex.RV == (uint)0x80000384)
    {
        // Handle vendor defined error 0x80000384 here
    }
    else
    {
        // Rethrow other exceptions
        throw;
    }
}

Regards, Jaroslav




pier...@gmail.com

Dec 22, 2017, 8:10:31 AM
to Pkcs11Interop
Hi Jaroslav,

the error, in my documentation, is CKR_SMS_ERROR: "General error from secure messaging system - probably caused by HSM failure or network failure".

This confirms that the problem happens when connectivity is lacking.

The problem is that when this happens, the service isn't able to resume communication when connectivity is back, until I manually restart the service managing the HSM access.

When the service starts, I call this:

private Pkcs11 _pkcs11 = null;
private Slot _slot = null;
private Session _session = null;

public async void InitPkcs11()
{
    try
    {
        _pkcs11 = new Pkcs11(pathCryptoki, Inter_Settings.AppType);
        _slot = Inter_Helpers.GetUsableSlot(_pkcs11, nSlot);
        _session = _slot.OpenSession(SessionType.ReadOnly);
        _session.Login(CKU.CKU_USER, Inter_Settings.NormalUserPin);
    }
    catch (Exception e)
    {
        ...
    }
}

When I have to use the HSM, I call something like:

using (var LocalSession = _slot.OpenSession(SessionType.ReadOnly))
{
    ...
}

And, when I fail the communication due to a connectivity lack, I call a function to reset the connection and try to change the slot:

private bool switching = false;

public async void SwitchSlot()
{
    try
    {
        if (!switching)
        {
            switching = true;
            if (nSlot == 0)
            {
                nSlot = 2;
            }
            else
            {
                nSlot = 0;
            }
            _session.Logout();
            _slot.CloseAllSessions();
            _pkcs11.Dispose();
            InitPkcs11();
            switching = false;
        }
    }
    catch (Exception e)
    {
        ...
    }
}

But this last snippet doesn't work as expected: it tries to change the slot, but it always fails to communicate with the HSM. If I restart the service manually (when connectivity is back), it works like a charm. So, I'm sure I'm doing something wrong in the SwitchSlot function, when I try to close the _session and open a new one.

Do you see any errors/misunderstandings here?

pier...@gmail.com

Jan 2, 2018, 11:26:23 AM
to Pkcs11Interop
I noticed I have the same error code when I try to close the connection before opening a new one.

"Method C_Logout returned 2147484548"

Which method is returning this? This is in the exception branch of the SwitchSlot function.

Jaroslav Imrich

Jan 2, 2018, 11:36:11 AM
to Pkcs11Interop, Piero Alberto
OK, so _pkcs11.Dispose(); is not called because _session.Logout(); throws an exception.

Delete these lines:

            _session.Logout();
            _slot.CloseAllSessions();

You need to call just:

            _pkcs11.Dispose();
            InitPkcs11();

You don't need to log out from or close any sessions when the PKCS#11 library is unloaded. Unloading should clear everything.

One thing that still concerns me is that _pkcs11.Dispose(); internally calls the C_Finalize() function, which might fail depending on its implementation. Let's just test it and we will see if that will cause any problems.

Regards, Jaroslav

pier...@gmail.com

Jan 3, 2018, 6:03:48 AM
to Pkcs11Interop
I modified the code and I was ready to test it.

We have 2 HSMs, both linked to our production server. I can call them also from a test server. So, I just tried this: call the HSMs from the test server and simulate a network down.

But, as I start the service in the test service, the production one starts to fail the requests to the HSM.

I made further tests, and I noticed the same behavior with the Safenet tool: if, for example, I connect to the HSM with ctbrowse, my service starts having problems.

It's as if it gets into trouble when other software accesses the HSMs. Is it possible? Why? How can I avoid it?

Jaroslav Imrich

Jan 3, 2018, 6:35:00 AM
to Pkcs11Interop, Piero Alberto
On 3 January 2018 at 12:03, <pier...@gmail.com> wrote:
> I modified the code and I was ready to test it.
>
> We have 2 HSMs, both linked to our production server. I can call them also from a test server. So, I just tried this: call the HSMs from the test server and simulate a network down.
>
> But, as I start the service in the test service, the production one starts to fail the requests to the HSM.

How exactly does it fail? Do you have any stacktrace or any error code?

> I made further tests, and I noticed the same behavior with the Safenet tool: if, for example, I connect to the HSM with ctbrowse, my service starts having problems.
>
> It's as if it gets into trouble when other software accesses the HSMs. Is it possible? Why? How can I avoid it?

The only option I see is to discuss the situation with HSM vendor support. That may be a bug but also a feature :)


Regards, Jaroslav

pier...@gmail.com

Jan 3, 2018, 7:30:43 AM
to Pkcs11Interop
For the point 1):

it fails to retrieve the keys. For example:

using (var LocalSession = _slot.OpenSession(SessionType.ReadOnly))
{
    List<ObjectHandle> foundObjects = LocalSession.FindAllObjects(objectAttributes);
    if (foundObjects.Count > 0)
    {}
    else
    {}
}

Here, it goes in the else branch, after this network problem...

pier...@gmail.com

Jan 4, 2018, 1:59:59 AM
to Pkcs11Interop
So, I don't have a stack trace since there is no real error, but it starts to not find the keys when I search for them... why?

Jaroslav Imrich

Jan 4, 2018, 2:07:01 AM
to Pkcs11Interop
You'll need to discuss it with HSM vendor support.

Regards, Jaroslav


On 4 January 2018 at 07:59, <pier...@gmail.com> wrote:
> So, I don't have a stack trace since there is no real error, but it starts to not find the keys when I search for them... why?

Jaroslav Imrich

Jan 4, 2018, 2:13:03 AM
to Pkcs11Interop, Piero Alberto
On second thought, this might be correct behavior when you are not logged in to the session. In such a case your code doesn't see private objects.
Anyway, discussing the whole situation with HSM vendor support is currently your best option.

Regards, Jaroslav

pier...@gmail.com

Jan 4, 2018, 2:17:24 AM
to Pkcs11Interop
Ok, I will try to contact them.

Anyway, the HSMs are 2 Safenet Protect Server Gold (external). Have you ever worked with this brand? Can this info be useful?

Jaroslav Imrich

Jan 4, 2018, 2:28:10 AM
to Pkcs11Interop, Piero Alberto
I know that it exists but have no previous hands-on experience.

Regards, Jaroslav


On 4 January 2018 at 08:17, <pier...@gmail.com> wrote:
> Ok, I will try to contact them.
>
> Anyway, the HSMs are 2 Safenet Protect Server Gold (external). Have you ever worked with this brand? Can this info be useful?

pier...@gmail.com

Jan 4, 2018, 8:30:07 AM
to Pkcs11Interop
Ok. Anyway, dear Jaroslav, thanks for the support!!

Very useful, thanks again!

pier...@gmail.com

Jan 4, 2018, 8:30:37 AM
to Pkcs11Interop
On Thursday, 4 January 2018 at 14:30:07 UTC+1, pier...@gmail.com wrote:
> Ok. Anyway, dear Jaroslav, thanks for the support!!
>
> Very useful, thanks again!

I will come back to update you if I find something interesting :)

pier...@gmail.com

Jan 4, 2018, 11:37:30 AM
to Pkcs11Interop
Dear Jaroslav,

Returning to the main topic, I just tested the new code you suggested to me.

Now the error is:

Method C_OpenSession returned 2147484548

The error code is the same as before.

So, the same as before, but on the OpenSession method now, when I try to use the HSM (so, not the Init function).

using (var LocalSession = _slot.OpenSession(SessionType.ReadOnly))
{
    ...
}

Also in this case, I had to restart the service to solve the issue and proceed with all the stuff.

What can I try here?

Jaroslav Imrich

Jan 14, 2018, 9:52:07 AM
to Pkcs11Interop, Piero Alberto
> So, the same as before, but on the OpenSession method now, when I try to use the HSM (so, not the Init function).
>
> using (var LocalSession = _slot.OpenSession(SessionType.ReadOnly))
> {
>     ...
> }
>
> Also in this case, I had to restart the service to solve the issue and proceed with all the stuff.
>
> What can I try here?

You can try to gather logs with PKCS11-LOGGER as described in this guide: https://github.com/Pkcs11Interop/Pkcs11Interop/blob/4.0.0/doc/TROUBLESHOOTING.md

Logs will tell us if you are correctly reloading PKCS#11 library or not.

Regards, Jaroslav

hablu...@gmail.com

May 26, 2020, 12:33:11 AM
to Pkcs11Interop
ProtectServer Cryptoki Library in its default mode (NORMAL) doesn't know how to recover after connectivity problems, but the High Availability (HA) mode does. Check your ProtectServer documentation on activating the HA mode and you will get the library to recover from connectivity problems automatically after a given period of time (e.g. 1 minute).

hablu...@gmail.com

May 26, 2020, 1:40:48 PM
to Pkcs11Interop
Here is a Java example showcasing the ProtectServer HA mode capability for recovery after connectivity problems, https://github.com/hablutzel1/simple-protectserver-pkcs11-usage-from-java-demo/commit/68516e6a2874a21685719161bf9bfa6345e80b74.
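
The reload sequence discussed in this thread (on vendor error 0x80000384, dispose the library and re-initialize it, without calling Logout or CloseAllSessions first), as an added C# example against the Pkcs11Interop 4.x high-level API; it is not code from any poster or from the Pkcs11Interop project. The class and method names, the choice of the first slot and the one-retry policy are assumptions, and as the replies above note, the ProtectServer library in NORMAL mode may still fail to recover after the reload.

```csharp
using System;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
// Added example: HsmConnection, Use and the one-retry policy are hypothetical.
public sealed class HsmConnection : IDisposable
{
    private const uint VendorLinkError = 0x80000384; // 2147484548 in the exception text
    private readonly object _sync = new object();
    private readonly string _libraryPath, _userPin;
    private Pkcs11 _pkcs11;
    private Slot _slot;
    private Session _loginSession; // kept open: login state is shared by all sessions
    public HsmConnection(string libraryPath, string userPin) { _libraryPath = libraryPath; _userPin = userPin; }
    public void Dispose() { lock (_sync) Unload(); }

    private void Load()
    {
        var lib = new Pkcs11(_libraryPath, AppType.MultiThreaded);
        try
        {
            Slot slot = lib.GetSlotList(SlotsType.WithTokenPresent)[0]; // assumption: first slot
            Session login = slot.OpenSession(SessionType.ReadOnly);
            login.Login(CKU.CKU_USER, _userPin);
            _pkcs11 = lib; _slot = slot; _loginSession = login;
        }
        catch { lib.Dispose(); throw; } // do not leave a half-initialized library loaded
    }
    private void Unload()
    {
        // No Logout/CloseAllSessions first: in the thread C_Logout returned the same error.
        try { _pkcs11?.Dispose(); } catch (Pkcs11Exception) { /* in case C_Finalize fails */ }
        _pkcs11 = null;
    }

    public T Use<T>(Func<Session, T> work)
    {
        lock (_sync) // serializes reloads across threads
            for (int attempt = 0; ; attempt++)
                try
                {
                    if (_pkcs11 == null) Load();
                    using (Session s = _slot.OpenSession(SessionType.ReadOnly)) return work(s);
                }
                catch (Pkcs11Exception ex) when (attempt == 0 && (uint)ex.RV == VendorLinkError)
                {
                    Unload(); // reload and retry once; a second failure propagates
                }
    }
}
```

A caller would wrap each HSM operation, for example `conn.Use(s => s.FindAllObjects(objectAttributes))`, so that a failed reload surfaces as an exception instead of an empty search result from a session that is no longer logged in.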