
aws-cloudhsm-user-guide's Introduction

aws-cloudhsm-user-guide's People

Contributors

dmryan123, hmlpa, iay, jan1za, joneps, joshbean, jpeddicord, julieso, juneb, matchtamlinsn, nedrycontainmentsolutions, pettibon, skarr


aws-cloudhsm-user-guide's Issues

Cfm2LoginHSM returned 206 HSM Error: This user doesn't exist

I completed the setup for CloudHSM and installed the CloudHSM client. I was able to log in to CloudHSM, changed PRECO to CO and created another CO. But when I tried to load cloudhsm in OpenSSL (openssl engine -t cloudhsm), it gave me the following error message:
"(cloudhsm) CloudHSM hardware engine support
SDK Version: 2.03
Cfm2LoginHSM returned 206 HSM Error: This user doesn't exist
[ unavailable ]"

Any suggestion would be appreciated.

Broken link/reference in the Windows offload section

Hello,

On URI:
https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-windows-create-csr-and-certificate.html
there's a broken link at the beginning with the sentence "AWS CloudHSM key storage provider (KSP) for Microsoft's Cryptography API: Next Generation (CNG)"

I guess it should redirect to: https://docs.aws.amazon.com/cloudhsm/latest/userguide/ksp-library-install.html

The Markdown source doesn't match on Github so I'm not submitting changes directly.

NGINX does not recognize USR2 signal after cloudhsm ssl engine is enabled.

I have added the following directive to the nginx.conf file:

ssl_engine cloudhsm;

SSL termination is offloaded to the CloudHSM and works just fine. But when I send a USR2 signal to the Nginx process, nothing happens.

$ kill -USR2 $(cat /var/run/nginx.pid)

When I comment out the ssl_engine cloudhsm directive and restart nginx, it begins to recognize the USR2 signal again. It looks like all other signals, including QUIT and WINCH, work just fine.

I have straced the nginx process while the USR2 signal is sent, for both configurations. Here is the result:

NGINX without ssl_engine set

rt_sigsuspend([])                       = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGUSR2 {si_signo=SIGUSR2, si_code=SI_USER, si_pid=23440, si_uid=0} ---
gettimeofday({1570839012, 596258}, NULL) = 0
getppid()                               = 1
rt_sigreturn()                          = -1 EINTR (Interrupted system call)
gettimeofday({1570839012, 596492}, NULL) = 0
rename("/var/run/nginx.pid", "/var/run/nginx.pid.oldbin") = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f180aa89b50) = 6133
rt_sigsuspend([] <detached ...>

NGINX with ssl_engine set to cloudhsm

rt_sigsuspend([])                       = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGUSR2 {si_signo=SIGUSR2, si_code=SI_USER, si_pid=23440, si_uid=0} ---
gettimeofday({1570838962, 952874}, NULL) = 0
getppid()                               = 1
rt_sigreturn()                          = -1 EINTR (Interrupted system call)
gettimeofday({1570838962, 953140}, NULL) = 0
rename("/var/run/nginx.pid", "/var/run/nginx.pid.oldbin") = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3e4a531b50) = 5619
rt_sigsuspend([])                       = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5619, si_status=1, si_utime=0, si_stime=0} ---
gettimeofday({1570838962, 960453}, NULL) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], WNOHANG, NULL) = 5619
wait4(-1, 0x7fff59a47b7c, WNOHANG, NULL) = 0
rt_sigreturn()                          = -1 EINTR (Interrupted system call)
gettimeofday({1570838962, 960769}, NULL) = 0
rename("/var/run/nginx.pid.oldbin", "/var/run/nginx.pid") = 0
rt_sigsuspend([] <detached ...>

Java KeyManagement example does not compile

The following code does not compile:

// Import the key as extractable and persistent.
// You can use the key handle to identify the key in other operations.
long importedKeyHandle = importKey(keyToBeImported, "Test", true, true);
System.out.println("Imported Key Handle : " + importedKeyHandle);

The reason for this is that the local importKey method is specified as void, not as returning a long.

importKey in turn calls ImportKey.importKey(key, spec); but this returns a Key, not a handle.

In addition, this code:

KeyGenerator kg = KeyGenerator.getInstance("AES");

... does not compile because of an uncaught checked exception.

The KMU "singlecmd" is not documented in the reference section

Several resources imply there is a singlecmd command that is useful for scripting interactions with CloudHSM, but it isn't documented in the KMU command reference here. It would be great to get documentation on how to use it.

Here are some examples of references to singlecmd

Each of these docs shows singlecmd being used in a slightly different way, and it's not clear from any of them whether there is a way to authenticate to the CloudHSM without providing the password in plain text. It would be great to get documentation on best practices for using singlecmd.

Initialize the Cluster: clarify .pem permissions, pass phrase

In the cluster initialization process, it's not obvious that the pass phrase for the customerCA.key is created at that time, rather than earlier. Also, the permissions for the my-key-pair.pem file have to be changed beforehand, or the procedure will fail. Have created a pull request to add information to clarify instructions on these two points.

Needs more information on PKCS#11 token/slot layout

It would be great to have some more information about how Cloud HSM presents slots and tokens to the user. Probably this deserves a separate (small) page in the PKCS#11 section.

As a bare minimum, it would be useful to know what label to expect on the token. Or perhaps some reassurance that there is only one slot, and that slot definitely contains the right token (whatever the label is).

It would also be useful to know whether applications using different HSMs in the same cluster will see the same label / slot layout / identifying information.

nginx cannot load cloudhsm ssl_engine

The issue seems to be related to #8, but the solutions proposed there don't resolve the problem.

The EC2 host is running Ubuntu 16.04:

$ uname -a
Linux 4.4.0-1069-aws #79-Ubuntu SMP Mon Sep 24 15:01:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.5 LTS
Release:	16.04
Codename:	xenial

The OpenSSL shared library is installed and working fine:

$ openssl engine -t cloudhsm
(cloudhsm) CloudHSM hardware engine support
     	SDK Version: 2.03
[ available ]

although it is not displayed in the list of available engines:

$ openssl engine -t
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

And nginx cannot load it as nginx fails to launch with the following line in /etc/nginx/nginx.conf:

ssl_engine cloudhsm;

with the following error:

$ cat /var/log/nginx/error.log
2018/10/17 22:05:15 [emerg] 31975#31975: ENGINE_by_id("cloudhsm") failed (SSL: error:260B606D:engine routines:DYNAMIC_LOAD:init failed error:2606A074:engine routines:ENGINE_by_id:no such engine:id=cloudhsm)

I've tried loading the engine dynamically and adding it to the list of available engines with:

$ openssl engine -vvvv dynamic -pre SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so -pre ID:cloudhsm -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so
[Success]: ID:cloudhsm
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (cloudhsm) CloudHSM hardware engine support

The command succeeds, but it does not make a difference, and cloudhsm is still not included in the list of available engines.

Any suggestions on how nginx can load the cloudhsm module?

Add comment to documentation explaining CKA_ID must be unique

From my experiments, the CKA_ID value must be unique for a key. Or, at least, unique for a given key type (I haven't tested this further).

This should be mentioned somewhere in the documentation. CloudHSM currently returns CKR_ATTRIBUTE_VALUE_INVALID when you attempt to create a second key with the same CKA_ID.
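The practical consequence of the observation above is that a client should treat CKA_ID as a key that must be unique on the token: probe for an existing object with the same id before creating, and still handle CKR_ATTRIBUTE_VALUE_INVALID from C_CreateObject, since another client in the cluster can create the same id in between. The C program below is an added example, not code from this issue or from the AWS CloudHSM SDK. It declares the PKCS#11 types and constants locally (with their pkcs11.h names) so it builds without the real header, and the in-memory "token" stands in for C_CreateObject and the C_FindObjects* calls; the label-to-id derivation is a constructed placeholder for whatever scheme an application uses.

```c
/* Added example: not code from the issue or from the AWS CloudHSM SDK.
 * PKCS#11 types and constants are declared locally with their pkcs11.h names
 * so the file builds without the real header. The in-memory "token" below
 * stands in for C_CreateObject and the C_FindObjects* calls and enforces the
 * rule observed in the issue: a second object with the same CKA_ID is
 * rejected with CKR_ATTRIBUTE_VALUE_INVALID. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_RV;
typedef CK_ULONG      CK_SESSION_HANDLE;
typedef CK_ULONG      CK_OBJECT_HANDLE;
typedef CK_ULONG      CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKR_OK                      0x000UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x013UL
#define CKR_DEVICE_MEMORY           0x031UL
#define CKA_LABEL                   0x003UL
#define CKA_ID                      0x102UL
#define ID_LEN      16
#define MAX_OBJECTS 8

/* Stub token state: one CKA_ID per stored object. */
static unsigned char token_ids[MAX_OBJECTS][ID_LEN];
static CK_ULONG token_count = 0;

static CK_ATTRIBUTE *find_attr(CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}

/* Stand-in for C_FindObjectsInit/C_FindObjects/C_FindObjectsFinal with a
 * CKA_ID-only template: returns how many stored objects carry that id. */
static CK_ULONG stub_count_by_id(const unsigned char id[ID_LEN])
{
    CK_ULONG hits = 0;
    for (CK_ULONG j = 0; j < token_count; j++)
        if (memcmp(token_ids[j], id, ID_LEN) == 0) hits++;
    return hits;
}

/* Stand-in for C_CreateObject: CKA_ID must be present, 16 bytes, and unused. */
static CK_RV stub_C_CreateObject(CK_SESSION_HANDLE s, CK_ATTRIBUTE *tmpl, CK_ULONG n,
                                 CK_OBJECT_HANDLE *phObject)
{
    (void)s;
    CK_ATTRIBUTE *id = find_attr(tmpl, n, CKA_ID);
    if (id == NULL || id->ulValueLen != ID_LEN) return CKR_ATTRIBUTE_VALUE_INVALID;
    if (stub_count_by_id(id->pValue) > 0)      return CKR_ATTRIBUTE_VALUE_INVALID; /* duplicate */
    if (token_count == MAX_OBJECTS)            return CKR_DEVICE_MEMORY;
    memcpy(token_ids[token_count], id->pValue, ID_LEN);
    *phObject = ++token_count;
    return CKR_OK;
}

/* Derive a fixed-width CKA_ID from a label (constructed: zero-padded copy).
 * Real code would use random bytes or a hash of the key's public part. */
static void id_from_label(const char *label, unsigned char out[ID_LEN])
{
    size_t n = strlen(label);
    memset(out, 0, ID_LEN);
    memcpy(out, label, n < ID_LEN ? n : ID_LEN);
}

/* Probe first so a collision is reported before the token rejects it, but
 * treat the create's own return code as authoritative: another client in the
 * cluster can create the same CKA_ID between the probe and the create. */
CK_RV create_key_with_id(CK_SESSION_HANDLE session, const char *label, CK_OBJECT_HANDLE *handle)
{
    unsigned char id[ID_LEN];
    id_from_label(label, id);
    if (stub_count_by_id(id) > 0) {
        fprintf(stderr, "CKA_ID for '%s' is already in use on the token\n", label);
        return CKR_ATTRIBUTE_VALUE_INVALID;
    }
    CK_ATTRIBUTE tmpl[] = {
        { CKA_LABEL, (void *)label, (CK_ULONG)strlen(label) },
        { CKA_ID,    id,            ID_LEN },
    };
    CK_RV rv = stub_C_CreateObject(session, tmpl, sizeof tmpl / sizeof tmpl[0], handle);
    if (rv == CKR_ATTRIBUTE_VALUE_INVALID)
        fprintf(stderr, "C_CreateObject rejected '%s': CKA_ID not unique?\n", label);
    return rv;
}

/* Status-only wrapper for callers that look the handle up later by CKA_ID. */
CK_RV create_key_by_label(const char *label)
{
    CK_OBJECT_HANDLE h = 0;
    return create_key_with_id(1, label, &h);
}

/* How many stored objects currently share the id derived from a label. */
CK_ULONG objects_with_label_id(const char *label)
{
    unsigned char id[ID_LEN];
    id_from_label(label, id);
    return stub_count_by_id(id);
}

int main(void)
{
    CK_OBJECT_HANDLE h = 0;
    CK_RV rv = create_key_with_id(1, "app-key-a", &h);
    printf("first create:  rv=0x%lX handle=%lu\n", rv, h);
    rv = create_key_with_id(1, "app-key-a", &h);
    printf("second create: rv=0x%lX (CKR_ATTRIBUTE_VALUE_INVALID is 0x13)\n", rv);
    return 0;
}
```

Against a real token the probe is the C_FindObjectsInit/C_FindObjects/C_FindObjectsFinal sequence with a one-attribute CKA_ID template; the point of keeping both the probe and the return-code check is that only the latter is race-free.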

SDK Getting started

Could you create a guide on how to get started writing apps using the CloudHSM SDK (especially the Go version)? It's really hard to know where to begin, for example how to set up a VPN so that I can write code that can access an HSM that is tucked away inside a private subnet in a VPC.

No import mechanisms in "Generate, Create, Import Keys" section

The PKCS#11 library page has a section:

Generate, Create, Import Keys

  • CKM_AES_KEY_GEN
  • CKM_DES3_KEY_GEN
  • CKM_EC_KEY_PAIR_GEN
  • CKM_GENERIC_SECRET_KEY_GEN
  • CKM_RSA_X9_31_KEY_PAIR_GEN

I'm not a PKCS #11 expert, but I don't believe any of these mechanisms can be used to import keys.

As far as I can tell from reading that page, the only way to import keys is to unwrap them using C_UnwrapKey and CKM_AES_KEY_WRAP, or use C_CreateObject (for public keys, presumably).

Key_mgmt_util.exe shows 0kb as the size

Key_mgmt_util.exe shows 0kb as the size. I have used a Windows instance in AWS. After walking through the system files I see all the other files in the program files/Amazon/cloudHSM folder, but just the key_mgmt_util.exe file shows 0kb as the size. And when I try to open this file through cmd it shows an error saying “Find a version for your windows”.

Please help, what should I do? I tried to re-install the setup but nothing changed.

Remove/change password for logged in user

It's not the first time we have been unable to reset the password for a logged-in user:

aws-cloudhsm>changePswd CU user pass
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the 
nodes on which this operation is not executed or failed, please 
ensure this operation is executed on all nodes in the cluster.  
****************************************************************

Do you want to continue(y/n)?y
Changing password for user (CU) on 1 nodes
changePswd failed: HSM Error: Deletion or Changing password of a logged in User is denied
Changing password on node 0(10.11.12.13) failed

Retry/Ignore/Abort?(R/I/A):A

The same problem occurs for removing the user.

I've tried to do that later, a billion times. Is it possible to overcome this problem? I mean, for example, to force a logout for that user, or at least to find where that session comes from?

Question about SSL/TLS Offload on Windows

Hi,
OS: Microsoft Windows Server 2019 Datacenter.
CloudHSM Client: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Windows/AWSCloudHSMClient-latest.msi

I generate a private key and CSR using the cloudhsm engine on a Linux client. I have a CA sign the CSR and get a certificate (without private key). I am going to install the certificate on a Windows Server. I tried the following ways to install the certificate but all failed. Can you please help me with it?

  1. Follow the instructions directly: C:>certreq -accept IISCert.crt (https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-configure-web-server-windows.html). It seems my Windows server can't find the private key.

  2. So I try to associate an AWS CloudHSM key with my certificate (https://docs.aws.amazon.com/cloudhsm/latest/userguide/ksp-library-associate-key-certificate.html), but I can't open the import_key.exe file in CMD. It shows "This app can't run on my PC".

  3. Then I try the third way. I merge the fake PEM private key generated from CloudHSM with the certificate signed by the CA. I import the certificate into the IIS server and set it in the site binding, but I can't load the certificate and get the error "There was an error while performing this operation. A specified logon session does not exist. It may already have been terminated."

I don't know how to solve the problem, can you please give me some help? Thanks!

Best,
Shaoyi

C_Encrypt fails with Bad Arguments

I generate a 128-bit AES object using "C_CreateObject". I then do the following to encrypt a piece of data and get a "Bad Arguments" error on the call to "C_Encrypt" to get the encrypted data length.

    char clear[] = "My name is Rohan!";
    buf_len = sizeof(clear) - 1;

    rv = pfunc11->C_EncryptInit(session, pMechanism, hObject);
    if (rv != CKR_OK)
    {
        printf("ERROR: rv=0x%08X: initializing encryption:\n", (unsigned int)rv);
        return false;
    }

    /* Length query: NULL output buffer, length returned through the last argument. */
    rv = pfunc11->C_Encrypt(session, (CK_BYTE_PTR)clear, (CK_ULONG)buf_len, NULL, pulEncryptedDataLen);
    if (rv != CKR_OK)
    {
        printf("ERROR: rv=0x%08X: error getting encrypted data buffer length:\n", (unsigned int)rv);
        return false;
    }

Here is my mechanism definition -

CK_MECHANISM myMechanism = {CKM_AES_CBC_PAD, (CK_VOID_PTR)"01020304050607081122334455667788", (CK_ULONG)16};
CK_MECHANISM_PTR pMechanism = &myMechanism;

What am I doing wrong here ?
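The PKCS#11 output-buffer convention for C_Encrypt is a two-call sequence: pass NULL for the output buffer and a pointer to a real CK_ULONG for pulEncryptedDataLen to learn the required size, then call again with the allocated buffer. The length pointer must be valid on both calls (the issue does not show how pulEncryptedDataLen is declared, so whether that is the cause here cannot be told from the snippet), and the CKM_AES_CBC_PAD parameter must be exactly the 16-byte IV. The C program below is an added example, not code from this issue or from the AWS CloudHSM SDK: it declares the PKCS#11 types and constants locally (with their pkcs11.h names) and uses stub functions in place of the real pfunc11 entries, so it compiles and runs offline; the stub does no AES, it only models the argument checks and return codes.

```c
/* Added example: not code from the issue or from the AWS CloudHSM SDK.
 * The PKCS#11 types and constants are declared locally, with their pkcs11.h
 * names, so this compiles without the real header, and stub_C_EncryptInit /
 * stub_C_Encrypt are stand-ins for the real function-list entries. The stub
 * does no real AES; it only models the argument checks and the two-call
 * length-query convention a caller must follow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG      CK_RV;
typedef CK_ULONG      CK_SESSION_HANDLE;
typedef CK_ULONG      CK_OBJECT_HANDLE;
typedef unsigned char CK_BYTE;
typedef CK_BYTE      *CK_BYTE_PTR;
typedef CK_ULONG     *CK_ULONG_PTR;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;

#define CKR_OK                      0x000UL
#define CKR_ARGUMENTS_BAD           0x007UL
#define CKR_MECHANISM_PARAM_INVALID 0x071UL
#define CKR_BUFFER_TOO_SMALL        0x150UL
#define CKM_AES_CBC_PAD             0x1085UL
#define AES_BLOCK                   16

/* Stub for C_EncryptInit: CKM_AES_CBC_PAD takes exactly a 16-byte IV. */
static CK_RV stub_C_EncryptInit(CK_SESSION_HANDLE s, CK_MECHANISM *m, CK_OBJECT_HANDLE key)
{
    (void)s; (void)key;
    if (m == NULL || m->pParameter == NULL) return CKR_ARGUMENTS_BAD;
    if (m->mechanism == CKM_AES_CBC_PAD && m->ulParameterLen != AES_BLOCK)
        return CKR_MECHANISM_PARAM_INVALID;
    return CKR_OK;
}

/* Stub for C_Encrypt following the PKCS#11 buffer convention:
 *  - pulOutLen must always point at a CK_ULONG (NULL -> CKR_ARGUMENTS_BAD);
 *  - pOut == NULL means "tell me the size", written to *pulOutLen;
 *  - a too-small buffer -> CKR_BUFFER_TOO_SMALL with the needed size. */
static CK_RV stub_C_Encrypt(CK_SESSION_HANDLE s, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
                            CK_BYTE_PTR pOut, CK_ULONG_PTR pulOutLen)
{
    (void)s;
    if (pData == NULL || pulOutLen == NULL) return CKR_ARGUMENTS_BAD;
    CK_ULONG needed = (ulDataLen / AES_BLOCK + 1) * AES_BLOCK;   /* PKCS#7 padding */
    if (pOut == NULL) { *pulOutLen = needed; return CKR_OK; }
    if (*pulOutLen < needed) { *pulOutLen = needed; return CKR_BUFFER_TOO_SMALL; }
    memset(pOut, 0xAA, needed);            /* placeholder bytes, not ciphertext */
    *pulOutLen = needed;
    return CKR_OK;
}

/* Correct pattern: a real CK_ULONG for the length, NULL buffer for the query,
 * then allocate and call again. Returns the ciphertext length, 0 on error. */
CK_ULONG encrypt_two_call(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, const char *clear)
{
    /* Constructed IV for the demo; production code uses a fresh random IV per message. */
    CK_BYTE iv[AES_BLOCK] = {1,2,3,4,5,6,7,8,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
    CK_MECHANISM mech = { CKM_AES_CBC_PAD, iv, sizeof iv };
    CK_ULONG in_len = (CK_ULONG)strlen(clear), out_len = 0;
    CK_RV rv = stub_C_EncryptInit(session, &mech, key);
    if (rv != CKR_OK) { fprintf(stderr, "C_EncryptInit rv=0x%08lX\n", rv); return 0; }
    rv = stub_C_Encrypt(session, (CK_BYTE_PTR)clear, in_len, NULL, &out_len);
    if (rv != CKR_OK) { fprintf(stderr, "C_Encrypt length query rv=0x%08lX\n", rv); return 0; }
    CK_BYTE_PTR buf = malloc(out_len);
    if (buf == NULL) return 0;
    rv = stub_C_Encrypt(session, (CK_BYTE_PTR)clear, in_len, buf, &out_len);
    free(buf);
    return rv == CKR_OK ? out_len : 0;
}

/* The failing shape: a length query whose length pointer is NULL. */
CK_RV encrypt_null_length_ptr(CK_SESSION_HANDLE session, const char *clear)
{
    return stub_C_Encrypt(session, (CK_BYTE_PTR)clear, (CK_ULONG)strlen(clear), NULL, NULL);
}

/* Mechanism parameter check: only a 16-byte parameter length is accepted. */
CK_RV init_with_iv_len(CK_ULONG iv_len)
{
    CK_BYTE iv[32] = {0};
    CK_MECHANISM mech = { CKM_AES_CBC_PAD, iv, iv_len };
    return stub_C_EncryptInit(1, &mech, 7);
}

int main(void)
{
    printf("two-call: %lu bytes\n", encrypt_two_call(1, 7, "My name is Rohan!"));
    printf("NULL length ptr: rv=0x%08lX\n", encrypt_null_length_ptr(1, "My name is Rohan!"));
    return 0;
}
```

The 17-byte input pads to 32 bytes under CKM_AES_CBC_PAD, which is what the length query reports; the IV in the issue is a 32-character string literal passed with length 16, so only its first 16 characters are used as the IV.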

cloudhsm.so file not found error

I am trying to offload SSL processing to CloudHSM. The web server is an nginx server. While trying to configure the web server by adding

ssl_engine cloudhsm;

this error is received in the error log and nginx does not get restarted:

2018/05/30 09:02:50 [emerg] 5429#0: ENGINE_by_id("cloudhsm") failed (SSL: error:25066067:DSO support routines:dlfcn_load:could not load the shared library:filename(/usr/lib/x86_64-linux-gnu/engines-1.1/cloudhsm.so): /usr/lib/x86_64-linux-gnu/engines-1.1/cloudhsm.so: cannot open shared object file: No such file or directory error:25070067:DSO support routines:DSO_load:could not load the shared library error:260B6084:engine routines:dynamic_load:dso not found error:2606A074:engine routines:ENGINE_by_id:no such engine:id=cloudhsm)

The cloudhsm.so file is not present at the location. Is there any library that needs to be installed to solve this?

Need java sample code for AWS CloudHSM PKCS11 library

I am integrating the AWS CloudHSM PKCS11 library with our Java-based application. My application supports the standard SunPKCS11 provider, where we pass the PKCS11 configuration parameters like 'library, slot, name etc.'. The AWS CloudHSM documentation has only the 'C' sample code. It would be great if you could provide 'Java' sample code for the PKCS11 provider.

Below is the code which I am using to create keys in AWS CloudHSM:

Config File:

name = cloudHSM
library = /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
slot = 0
attributes(generate, *, *) = {
   CKA_TOKEN = true
}

Java code:

import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.KeyGenerator;
import sun.security.pkcs11.SunPKCS11;

// Load the SunPKCS11 provider from the config file above
String configName = "pkcs11.cfg";
Provider p = new SunPKCS11(configName);
if (-1 == Security.addProvider(p)) {
    throw new RuntimeException("could not add security provider");
}

// Load the key store; the PIN is the CU credentials in "user:password" form
char[] pin = "<CU_user_name>:<password>".toCharArray();
KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
keyStore.load(null, pin);
KeyGenerator kgen = KeyGenerator.getInstance("AES");

Add info re creating EC2 in getting-started.md

Add needed information regarding creating an EC2 to use with the cluster directly in the getting-started.md document on step 3. Users who are already familiar with the EC2 creation process may not read the linked document. Have created a pull request and added in the missing info.

Add a comment about errors during rapid session creation

My test code opens a lot of sessions quickly. I've noticed that on CloudHSM this can result in:

C_OpenSession failed with error CKR_ARGUMENTS_BAD : 0x00000007
HSM error 8c: HSM Error: Already maximum number of sessions are issued

There is a limit being hit here somewhere. Artificially slowing down the code removes the errors.

out of date?

How come this repo doesn't get updated when the guide on amazon.com is updated? There are many new pages in the guide that aren't shown in this repo.

How to migrate from Safenet Luna to CloudHSM?

Hey, I am currently using the Safenet Luna client with the PKCS11 library. We are using the pin and label mechanism to fetch classic HSM keys. Now we are thinking of migrating to CloudHSM with the same library. Is there any official guide for migration of classic keys to CloudHSM?
Thanks.

Wrong minimum RSA key size reported by token

The token reports a minimum supported RSA key size of 1024 bits via C_GetMechanismInfo. But it seems 1024 bits is forbidden by the FIPS settings on the token. The reported minimum should therefore be bigger. (Not sure where we are supposed to report these kinds of issues.)

Including key sizes in the documentation would also be a good thing.
