Connect the client SDK to the AWS CloudHSM cluster
To connect to the cluster with either Client SDK 5 or Client SDK 3, you must first do two things:
- Have an issuing certificate in place on the EC2 instance
- Bootstrap the Client SDK to the cluster
Place the issuing certificate on each EC2 instance
You create the issuing certificate when you initialize the cluster. Copy the issuing certificate to the default location for the platform on each EC2 instance that connects to the cluster.
Specify the location of the issuing certificate
With Client SDK 5, you use the configure tool to specify the location of the issuing certificate.
For more information, see Configure Tool.
For more information about initializing the cluster or creating and signing the certificate, see Initialize the Cluster.
Bootstrap the Client SDK
The bootstrap process is different depending on the version of the Client SDK you're using, but you must have the IP address of one of the hardware security modules (HSM) in the cluster. You can use the IP address of any HSM attached to your cluster. After the Client SDK connects, it retrieves the IP addresses of any additional HSMs and performs load balancing and client-side key synchronization operations.
To get an IP address for an HSM (console)
- Open the AWS CloudHSM console at https://console.aws.amazon.com/cloudhsm/home.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- To open the cluster detail page, in the cluster table, choose the cluster ID.
- To get the IP address, on the HSMs tab, choose one of the IP addresses listed under ENI IP address.
To get an IP address for an HSM (AWS CLI)
- Get the IP address of an HSM by using the describe-clusters command from the AWS CLI. In the output from the command, the IP addresses of the HSMs are the values of EniIp.

  $ aws cloudhsmv2 describe-clusters
  {
      "Clusters": [
          {
              ...
              "Hsms": [
                  {
                      ...
                      "EniIp": "10.0.0.9",
                      ...
                  },
                  {
                      ...
                      "EniIp": "10.0.1.6",
                      ...
For more information about bootstrapping, see Configure Tool.
Note
You can use the --cluster-id parameter in place of -a <HSM_IP_ADDRESSES>. To see the requirements for using --cluster-id, see Client SDK 5 configure tool.
To bootstrap a Linux EC2 instance for Client SDK 3
- Use configure to specify the IP address of an HSM in your cluster.

  sudo /opt/cloudhsm/bin/configure -a <IP address>
To bootstrap a Windows EC2 instance for Client SDK 3
- Use configure to specify the IP address of an HSM in your cluster. The path contains a space, so quote it at the prompt.

  "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" -a <HSM IP address>
For more information about configure, see Configure tool.
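The AWS CLI lookup and the Linux Client SDK 3 bootstrap above, combined into one script as an added example that is not part of the AWS CloudHSM documentation. The describe-clusters JSON is a constructed sample with the same EniIp fields the page shows; the ISSUING_CERT_PATH, CLOUDHSM_CONFIGURE and RUN_CONFIGURE variables are assumptions of this example (the first is a placeholder path, since the page does not state the platform default). The script extracts the first EniIp, fails cleanly when the cluster has no HSM yet, warns if the issuing certificate is missing, and only runs configure when explicitly asked to, because that step needs sudo and network reachability to the HSM.

```shell
#!/bin/sh
# Added example, not AWS code: pick an HSM IP out of `aws cloudhsmv2 describe-clusters`
# output and build the Client SDK 3 Linux configure command from the page.

# Constructed sample of describe-clusters output (two HSMs in one cluster).
# In real use, capture the live output: $(aws cloudhsmv2 describe-clusters)
SAMPLE_DESCRIBE_OUTPUT='{
  "Clusters": [
    {
      "ClusterId": "cluster-EXAMPLE",
      "Hsms": [
        { "HsmId": "hsm-EXAMPLE1", "State": "ACTIVE", "EniIp": "10.0.0.9" },
        { "HsmId": "hsm-EXAMPLE2", "State": "ACTIVE", "EniIp": "10.0.1.6" }
      ]
    }
  ]
}'

# Print every EniIp value found in the JSON on stdin, one per line.
# grep/sed only, so it works on an instance without jq; the key name is the one the page documents.
hsm_eni_ips() {
    grep -o '"EniIp"[[:space:]]*:[[:space:]]*"[^"]*"' \
      | sed 's/.*"\([^"]*\)"$/\1/'
}

# First HSM IP from the JSON passed as $1. Returns 1 with no output when the
# cluster has no HSMs yet (the state right after cluster creation).
first_hsm_ip() {
    ip=$(printf '%s' "$1" | hsm_eni_ips | head -n 1)
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# The issuing certificate must already be on the instance before bootstrapping;
# ISSUING_CERT_PATH is an assumed variable with a placeholder default.
issuing_cert_present() {
    [ -s "${ISSUING_CERT_PATH:-/path/to/customerCA.crt}" ]
}

# Print the Client SDK 3 Linux configure command from the page for the chosen HSM,
# and run it only when RUN_CONFIGURE=1 (assumed gate; the real run needs sudo and HSM reachability).
bootstrap_linux_sdk3() {
    hsm_ip=$(first_hsm_ip "$1") || {
        echo "error: no EniIp found in describe-clusters output; add an HSM to the cluster first" >&2
        return 1
    }
    issuing_cert_present || echo "warning: issuing certificate not found at ${ISSUING_CERT_PATH:-/path/to/customerCA.crt}" >&2
    configure_bin="${CLOUDHSM_CONFIGURE:-/opt/cloudhsm/bin/configure}"
    printf 'sudo %s -a %s\n' "$configure_bin" "$hsm_ip"
    if [ "${RUN_CONFIGURE:-0}" = "1" ]; then
        sudo "$configure_bin" -a "$hsm_ip"
    fi
}

# Dry run against the constructed sample: prints the command that would be executed.
bootstrap_linux_sdk3 "$SAMPLE_DESCRIBE_OUTPUT"
```

Any HSM in the cluster works as the bootstrap address, which is why the script simply takes the first EniIp; once connected, the client SDK discovers the remaining HSMs itself, as the page describes.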