Create an AWS CloudHSM user with CMU
Use the createUser command in cloudhsm_mgmt_util (CMU) to create a user on the hardware security modules (HSM) in the AWS CloudHSM cluster. Only crypto officers (COs and PRECOs) can run this command. When the command succeeds, it creates the user in all HSMs in the cluster.
    If your HSM configuration is inaccurate, the user might not be created on all HSMs. To add the user to any HSMs in which it is missing, use the syncUser or createUser command only on the HSMs that are missing that user. To prevent configuration errors, run the configure tool with the -m option.
Before you run any CMU command, you must start CMU and log in to the HSM. Be sure that you log in with a user type that can run the commands you plan to use.
If you add or delete HSMs, update the configuration files for CMU. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.
User type
The following types of users can run this command.
- Crypto officers (CO, PRECO)
Syntax
Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To create a CO user with two-factor authentication (2FA), use the -2fa parameter and include a file path. For more information, see Arguments.
createUser <user-type> <user-name> <password | -hpswd> [-2fa </path/to/authdata>]
Examples
These examples show how to use createUser to create new users in your HSMs.
Example : Create a crypto officer
This example creates a crypto officer (CO) on the HSMs in a cluster. The first command uses loginHSM to log in to the HSM as a crypto officer. The output shows one success line per HSM in the cluster.
aws-cloudhsm>loginHSM CO admin 735782961
loginHSM success on server 0(10.0.0.1)
loginHSM success on server 1(10.0.0.2)
loginHSM success on server 2(10.0.0.3)
The second command uses the createUser command to create alice, a new crypto officer on the HSM.
The caution message explains that the command creates users on all of the HSMs in the cluster. But, if the command fails on any HSMs, the user will not exist on those HSMs. To continue, type y.
The output shows that the new user was created on all three HSMs in the cluster.
aws-cloudhsm>createUser CO alice 391019314
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)?Invalid option, please type 'y' or 'n'
Do you want to continue(y/n)?y
Creating User alice(CO) on 3 nodes
When the command completes, alice has the same permissions on the HSM as the admin CO user, including changing the password of any user on the HSMs.
The final command uses the listUsers command to verify that alice exists on all three HSMs in the cluster. The output also shows that alice is assigned user ID 3 on each HSM. You use the user ID to identify alice in other commands, such as findAllKeys, so confirm that the ID is the same on every HSM before relying on it.
aws-cloudhsm>listUsers
Users on server 0(10.0.0.1):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
         3     CO           alice        NO            0                  NO
Users on server 1(10.0.0.2):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
         3     CO           alice        NO            0                  NO
Users on server 2(10.0.0.3):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
         3     CO           alice        NO            0                  NO
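The note at the top of this page warns that a user can end up missing on some HSMs, and the listUsers step above is how you catch that. The following script is an added example (not part of the AWS CloudHSM documentation or tooling) that parses the listUsers output in the column layout shown above and reports any HSM that lacks the user, as well as any disagreement in the user ID or type between HSMs. The sample output is constructed: the third server is deliberately missing alice so that the failure case is visible.

```python
import re

# Constructed sample of cloudhsm_mgmt_util listUsers output, in the column
# layout the page shows (not captured from a real cluster). Server 2 is
# deliberately missing "alice" to show what a partially applied createUser
# looks like.
SAMPLE_LISTUSERS = """\
Users on server 0(10.0.0.1):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
         3     CO           alice        NO            0                  NO
Users on server 1(10.0.0.2):
Number of users found:3

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
         3     CO           alice        NO            0                  NO
Users on server 2(10.0.0.3):
Number of users found:2

    User Id    User Type    User Name    MofnPubKey    LoginFailureCnt    2FA
         1     PRECO        admin        YES           0                  NO
         2     AU           app_user     NO            0                  NO
"""

SERVER_RE = re.compile(r"^Users on server (\d+)\(([\d.]+)\):")
# One user row: id, type, name, MofnPubKey, LoginFailureCnt, 2FA
ROW_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\S+)\s+(YES|NO)\s+(\d+)\s+(YES|NO)\s*$")


def parse_list_users(text):
    """Map each HSM (by IP) to its users, keyed by lower-cased user name.

    CMU treats user names as case-insensitive, so the key is normalised.
    """
    servers = {}
    current = None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(2)
            servers[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            uid, utype, name, mofn, failures, twofa = m.groups()
            servers[current][name.lower()] = {
                "id": int(uid),
                "type": utype,
                "mofn": mofn == "YES",
                "login_failures": int(failures),
                "2fa": twofa == "YES",
            }
    return servers


def check_user(servers, user_name, expected_type=None):
    """Verify a user exists on every HSM with one consistent ID and type.

    Returns the HSMs missing the user, the sorted IDs and types seen, and a
    list of problems (empty when the user is consistent across the cluster).
    """
    key = user_name.lower()
    missing = [ip for ip, users in servers.items() if key not in users]
    present = {ip: users[key] for ip, users in servers.items() if key in users}
    ids = sorted({u["id"] for u in present.values()})
    types = sorted({u["type"] for u in present.values()})

    problems = []
    if not present:
        problems.append(f"{user_name} does not exist on any HSM")
    if missing and present:
        problems.append(f"{user_name} is missing on: {', '.join(missing)}")
    if len(ids) > 1:
        # Other CMU commands reference a user by ID, so a mismatch means the
        # same command would target different users on different HSMs.
        problems.append(f"{user_name} has different user IDs across HSMs: {ids}")
    if expected_type and types and types != [expected_type]:
        problems.append(f"{user_name} is type {types} but expected {expected_type}")
    return {"missing": missing, "ids": ids, "types": types, "problems": problems}


if __name__ == "__main__":
    cluster = parse_list_users(SAMPLE_LISTUSERS)
    for problem in check_user(cluster, "alice", "CO")["problems"]:
        print("PROBLEM:", problem)
```

In practice you would paste the real listUsers output into the parser and run check_user for the user you just created; an HSM named in the missing list is one to fix with syncUser or a targeted createUser, as the note above describes.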
Example : Create a crypto user
This example creates a crypto user (CU), bob, on the HSM. Crypto users can create and manage keys, but they cannot manage users.
After you type y to respond to the caution message, the output shows that bob was created on all three HSMs in the cluster. The new CU can log in to the HSM to create and manage keys.
The command passes the password defaultPassword on the command line, where it is echoed in plaintext and remains in the session transcript; to keep the password out of the session, use -hpswd instead and enter it at the prompt. Later, bob or any CO can use the changePswd command to change the password.
aws-cloudhsm>createUser CU bob defaultPassword
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)?Invalid option, please type 'y' or 'n'
Do you want to continue(y/n)?y
Creating User bob(CU) on 3 nodes
Arguments
Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To create a CO user with 2FA enabled, use the -2fa parameter and include a file path. For more information about 2FA, see Manage user 2FA.
createUser <user-type> <user-name> <password | -hpswd> [-2fa </path/to/authdata>]
- <user-type>
    Specifies the type of user. This parameter is required.
    For detailed information about the user types on an HSM, see HSM user types for AWS CloudHSM Management Utility.
    Valid values:
    - CO: Crypto officers can manage users, but they cannot manage keys.
    - CU: Crypto users can create and manage keys and use keys in cryptographic operations.
    The PRECO is converted to a CO when you assign a password during HSM activation, so PRECO is not a type you create with this command.
    Required: Yes
- <user-name>
    Specifies a friendly name for the user. The maximum length is 31 characters. The only special character permitted is an underscore ( _ ).
    You cannot change the name of a user after it is created. In cloudhsm_mgmt_util commands, the user type and password are case-sensitive, but the user name is not.
    Required: Yes
- <password | -hpswd>
    Specifies a password for the user. Enter a string of 7 to 32 characters. This value is case-sensitive. The password appears in plaintext when you type it. To hide your password, use the -hpswd parameter in place of the password and follow the prompts.
    To change a user password, use changePswd. Any HSM user can change their own password, but CO users can change the password of any user (of any type) on the HSMs.
    Required: Yes
- [-2fa </path/to/authdata>]
    Specifies the creation of a CO user with 2FA enabled. To get the data necessary for setting up 2FA authentication, include a path to a location in the file system with a file name after the -2fa parameter. This parameter applies only to CO users. For more information about setting up and working with 2FA, see Manage user 2FA.
    Required: No
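Because createUser is applied node by node and a rejected argument can leave the user on some HSMs but not others, it is worth checking the arguments before typing the command. The following pre-flight check is an added example, not part of the AWS CloudHSM tooling: it encodes the constraints listed above (CO or CU type, a name of at most 31 characters with underscore as the only special character, a 7 to 32 character password, -2fa only for CO users) and assembles the command line, defaulting to -hpswd so the password is prompted for and masked. It assumes that letters and digits are permitted in a user name, which the page implies but does not state explicitly.

```python
import re

# Assumed from the page: names are at most 31 characters and the only special
# character allowed is an underscore; letters and digits are taken to be
# permitted (an assumption, not stated on the page). Passwords are 7 to 32
# characters. Only CO users take -2fa.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,31}$")
CREATABLE_TYPES = ("CO", "CU")


def validate_create_user(user_type, user_name, password=None, twofa_path=None):
    """Return a list of problems; an empty list means the arguments are acceptable."""
    problems = []
    if user_type not in CREATABLE_TYPES:
        # The user type is case-sensitive in CMU, so "co" is rejected here too.
        problems.append(f"user type must be CO or CU, got {user_type!r}")
    if not USER_NAME_RE.match(user_name):
        problems.append(
            f"user name {user_name!r} must be 1-31 characters of letters, digits or underscore"
        )
    if password is not None and not 7 <= len(password) <= 32:
        problems.append("password must be 7 to 32 characters")
    if twofa_path is not None and user_type != "CO":
        problems.append("-2fa can only be used when creating a CO user")
    return problems


def build_create_user(user_type, user_name, password=None, twofa_path=None):
    """Assemble the createUser line to type at the aws-cloudhsm> prompt.

    When no password is supplied the line uses -hpswd, so CMU prompts for the
    password and masks it instead of echoing it in the session.
    """
    problems = validate_create_user(user_type, user_name, password, twofa_path)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["createUser", user_type, user_name,
             password if password is not None else "-hpswd"]
    if twofa_path is not None:
        parts += ["-2fa", twofa_path]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_create_user("CU", "bob"))                       # masked password
    print(build_create_user("CO", "alice", twofa_path="/tmp/authdata"))
    for p in validate_create_user("co", "bob-smith", "short", "/tmp/authdata"):
        print("REJECTED:", p)
```

The returned line is what you type at the aws-cloudhsm> prompt after loginHSM; the check does not talk to the cluster, it only stops malformed arguments from reaching it.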