7b - Activate the Cluster - SDK3

This version of the client is being deprecated by AWS at the end of 2024. Please use SDK5. This version is bundled with EJBCA Cloud as of versions greater than 3.5.2.

To activate the cluster, do the following:

SSH into the EJBCA instance if not already done so.
Use the following command to start the AWS CloudHSM cloudhsm_mgmt_util command line tool:
```
# sudo /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
```
If you get an error “connection timed out”, the security group has not been added to the instance. If you get the error "E2E failed: unable to establish ssl connection" this is because there is no customerCA.crt (or the file is incorrect) in /opt/cloudhsm/etc.

Use the enable_e2e command to enable end-to-end encryption:

aws-cloudhsm> enable_e2e
E2E enabled on server 0(server1)

Use the loginHSM command to log in to the HSM as the precrypto officer (PRECO) user:

aws-cloudhsm> loginHSM PRECO admin password
loginHSM success on server 0(server1)

Use the changePswd command to change the precrypto officer (PRECO) user's password:

aws-cloudhsm> changePswd PRECO admin <NewPassword>
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. Cav server does NOT synchronize these changes with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************
 
Do you want to continue(y/n)?y
Changing password for admin(PRECO) on 1 nodes

Log out as user PRECO:

aws-cloudhsm> logoutHSM
logoutHSM success on server 0

From now on, use the following syntax to log in to the HSM:

loginHSM <usertype><username><password>

For example:
```
aws-cloudhsm> loginHSM CO admin <password>
```