
5b - Configure the cloudhsm-client - SDK3

This version of the client is being deprecated by AWS at the end of 2024. Please use SDK5. This version is bundled with EJBCA Cloud as of versions greater than 3.5.2.


This guide assumes that the CloudHSM client is pre-installed on an EJBCA Cloud instance. If the CloudHSM client is not yet installed, refer to Appendix D - Installing the CloudHSM Client.


To configure the CloudHSM client (cloudhsm-client), do the following:

  1. SSH into the EJBCA instance.

  2. Copy your issuing certificate (the one that you used to sign the cluster's certificate) to the following location on the client instance:

    /opt/cloudhsm/etc/customerCA.crt

    Warning: You need root permissions on the client instance to copy your certificate to this location. If you used your EJBCA instance to generate this file, it is located in /home/ec2-user and you may move or copy it to this location.

  3. Stop the cloudhsm-client:

    # sudo stop cloudhsm-client
    or
    # sudo service cloudhsm-client stop
  4. Use the following command to update the configuration files for the AWS CloudHSM client and command line tools, specifying the IP address of the HSM in your cluster.
    If you don't know the HSM's IP address, view your cluster in the AWS CloudHSM console.

    # sudo /opt/cloudhsm/bin/configure -a <IP address>
      Updating server config in /opt/cloudhsm/etc/cloudhsm_client.cfg
      Updating server config in /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
  5. Set the CloudHSM client to start on boot:

    # systemctl enable cloudhsm-client
  6. Start the CloudHSM client:

    # sudo start cloudhsm-client
    or
    # sudo service cloudhsm-client start
  7. Ensure the cloudhsm_mgmt_util configuration file is up to date. This makes cloudhsm_mgmt_util aware of all the HSM instances in the cluster:

    # sudo /opt/cloudhsm/bin/configure -m
  8. Connect to the HSM instances, enable end-to-end encryption, and log in to the HSM instances. Enabling end-to-end encryption encrypts the communication between cloudhsm_mgmt_util and the HSM to prevent interception of sensitive information such as passwords:

    # /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
    aws-cloudhsm> enable_e2e
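The following pre-flight script is an added example, not part of the EJBCA Cloud guide or the AWS client tooling. It checks the inputs of steps 2 to 4 before and after you run them: that the HSM address you are about to pass to `configure -a` is a well-formed IPv4 address, that `customerCA.crt` is in place and is a PEM certificate, and that `cloudhsm_client.cfg` actually references the HSM address afterwards. The file paths are the ones the guide names; the function names, the output wording and the sample address `10.0.1.9` in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the EJBCA Cloud guide): pre-flight checks for steps 2-4.
# Paths are those the guide names; function names and sample values are assumed.

# Return 0 if $1 is a dotted-quad IPv4 address (four numeric octets, each 0-255).
# Run this on the HSM address before handing it to `configure -a`, so a typo is
# not written into cloudhsm_client.cfg and cloudhsm_mgmt_util.cfg.
is_ipv4() {
  case $1 in
    *[!0-9.]*|'') return 1 ;;      # anything but digits and dots is rejected
  esac
  _saved_ifs=$IFS
  IFS=.
  set -- $1                        # split on dots into positional parameters
  IFS=$_saved_ifs
  [ "$#" -eq 4 ] || return 1
  for _octet in "$@"; do
    [ -n "$_octet" ] || return 1   # empty octet, e.g. "10..1.9"
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a readable file carrying PEM certificate markers (step 2
# expects the issuing CA certificate at /opt/cloudhsm/etc/customerCA.crt).
# Only the markers are checked; `openssl x509 -in FILE -noout -text` shows the
# subject and validity if you want to confirm it is the right CA.
is_pem_cert() {
  [ -r "$1" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Return 0 if config file $1 references HSM address $2 as a whole token, i.e.
# step 4's `configure -a` was run with that address. Dots are escaped and the
# address must not be followed by more digits, so 10.0.1.1 does not match 10.0.1.10.
config_has_hsm() {
  [ -r "$1" ] || return 1
  _ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -qE -- "(^|[^0-9.])${_ip_re}(\$|[^0-9.])" "$1"
}

# Run all checks, print one line per finding, return the number of failures.
# Usage: preflight CERT_PATH CLIENT_CFG_PATH HSM_IP
preflight() {
  cert=$1; cfg=$2; ip=$3; failures=0
  if is_ipv4 "$ip"; then
    echo "ok   $ip is a well-formed IPv4 address"
  else
    echo "FAIL '$ip' is not a well-formed IPv4 address; check the cluster in the CloudHSM console"
    failures=$((failures + 1))
  fi
  if is_pem_cert "$cert"; then
    echo "ok   $cert is a readable PEM certificate"
  else
    echo "FAIL $cert is missing, unreadable or not a PEM certificate (step 2)"
    failures=$((failures + 1))
  fi
  if config_has_hsm "$cfg" "$ip"; then
    echo "ok   $cfg references $ip"
  else
    echo "FAIL $cfg does not reference $ip; run: sudo /opt/cloudhsm/bin/configure -a $ip"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Invoked as a script with three arguments, run the checks, for example:
#   sudo sh preflight.sh /opt/cloudhsm/etc/customerCA.crt \
#       /opt/cloudhsm/etc/cloudhsm_client.cfg 10.0.1.9
if [ "$#" -eq 3 ]; then
  preflight "$@"
fi
```

Run it with sudo on the EJBCA instance, since the files under /opt/cloudhsm/etc are root-owned; a non-zero exit code equals the number of failed checks, so it can gate an automation step. The script reads files only and never changes anything, so it is safe to run before step 2 (expect the certificate and config checks to fail) and again after step 4 (expect all three to pass).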

