Connect the Client SDK to the AWS CloudHSM Cluster - AWS CloudHSM

To connect to the cluster with either Client SDK 5 or Client SDK 3, you must first do two things:

  • Have an issuing certificate in place on the EC2 instance

  • Bootstrap the Client SDK to the cluster

Place the Issuing Certificate

You create the issuing certificate when you initialize the cluster. Copy the issuing certificate (customerCA.crt) to the default location for the platform on each EC2 instance that connects to the cluster. Copy only the certificate: the Client SDK uses it as the trust anchor for verifying the HSMs it connects to, and the private key you used to sign the cluster certificate should never be placed on the instance.

Linux

/opt/cloudhsm/etc/customerCA.crt

Windows

C:\ProgramData\Amazon\CloudHSM\customerCA.crt

With Client SDK 5 you can use the configure tool to specify the location of the issuing certificate.

PKCS #11 library

To place the issuing certificate on Linux for Client SDK 5

  • Use the configure tool to specify a location for the issuing certificate.

    sudo /opt/cloudhsm/bin/configure-pkcs11 --hsm-ca-cert <customerCA certificate file>

To place the issuing certificate on Windows for Client SDK 5

  • Use the configure tool to specify a location for the issuing certificate.

    C:\Program Files\Amazon\CloudHSM\configure-pkcs11.exe --hsm-ca-cert <customerCA certificate file>

OpenSSL Dynamic Engine

To place the issuing certificate on Linux for Client SDK 5

  • Use the configure tool to specify a location for the issuing certificate.

    sudo /opt/cloudhsm/bin/configure-dyn --hsm-ca-cert <customerCA certificate file>

For more information, see Configure Tool.

For more information about initializing the cluster or creating and signing the certificate, see Initialize the Cluster.

Bootstrap the Client SDK

The bootstrap process differs depending on the version of the Client SDK you're using, but in every case you need the IP address of one of the hardware security modules (HSMs) in the cluster. You can use the IP address of any HSM attached to your cluster. After the Client SDK connects, it retrieves the IP addresses of any additional HSMs and performs load balancing and client-side key synchronization operations.

To get an IP address for an HSM (console)

  1. Open the AWS CloudHSM console at https://console.aws.amazon.com/cloudhsm/.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Clusters.

  4. To open the cluster detail page, in the cluster table, choose the cluster ID.

  5. To get the IP address, on the HSMs tab, choose one of the IP addresses listed under ENI IP address.

To get an IP address for an HSM (AWS CLI)

  • Get the IP address of an HSM by using the describe-clusters command from the AWS CLI. In the output from the command, the IP addresses of the HSMs are the values of EniIp.

    $ aws cloudhsmv2 describe-clusters
    {
        "Clusters": [
            {
                ...
                "Hsms": [
                    {
                        ...
                        "EniIp": "10.0.0.9",
                        ...
                    },
                    {
                        ...
                        "EniIp": "10.0.1.6",
                        ...

For more information about bootstrapping, see Configure Tool.

PKCS #11 library

To bootstrap a Linux EC2 instance for Client SDK 5

  • Use the configure tool to specify the IP address of an HSM in your cluster.

    sudo /opt/cloudhsm/bin/configure-pkcs11 -a <HSM IP address>

To bootstrap a Windows EC2 instance for Client SDK 5

  • Use the configure tool to specify the IP address of an HSM in your cluster.

    C:\Program Files\Amazon\CloudHSM\configure-pkcs11.exe -a <HSM IP address>

OpenSSL Dynamic Engine

To bootstrap a Linux EC2 instance for Client SDK 5

  • Use the configure tool to specify the IP address of an HSM in your cluster.

    sudo /opt/cloudhsm/bin/configure-dyn -a <HSM IP address>

To bootstrap a Linux EC2 instance for Client SDK 3

  • Use configure to specify the IP address of an HSM in your cluster.

    sudo /opt/cloudhsm/bin/configure -a <HSM IP address>

To bootstrap a Windows EC2 instance for Client SDK 3

  • Use configure to specify the IP address of an HSM in your cluster.

    C:\Program Files\Amazon\CloudHSM\configure.exe -a <HSM IP address>

For more information about configure, see Configure Tool.
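As an added example, not code from the AWS CloudHSM documentation or from the Client SDK itself, the helper below covers both steps on this page in one place. It picks the ENI IP of an ACTIVE HSM from `aws cloudhsmv2 describe-clusters` output (refusing to guess when the Region holds more than one cluster, and skipping HSMs that are still being created), checks that the file about to be placed as customerCA.crt is a bare certificate rather than the issuing CA's private key, and assembles the Client SDK 5 configure-tool invocations shown above as argv lists, so the Windows install path with spaces needs no shell quoting. The cluster IDs, HSM IDs, describe-clusters JSON and certificate bytes are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from the AWS CloudHSM documentation): pick an HSM ENI IP
from `aws cloudhsmv2 describe-clusters` output, sanity-check the issuing
certificate file, and assemble the Client SDK 5 configure commands.
Cluster IDs, HSM IDs and certificate bytes below are constructed sample data."""
import base64
import ipaddress
import json
import ssl

# Default issuing-certificate locations (from the page).
CUSTOMER_CA_PATH = {
    "Linux": "/opt/cloudhsm/etc/customerCA.crt",
    "Windows": r"C:\ProgramData\Amazon\CloudHSM\customerCA.crt",
}
# Client SDK 5 configure tools shown on the page, keyed by (platform, library).
CONFIGURE_TOOL = {
    ("Linux", "pkcs11"): ["sudo", "/opt/cloudhsm/bin/configure-pkcs11"],
    ("Linux", "dyn"): ["sudo", "/opt/cloudhsm/bin/configure-dyn"],
    ("Windows", "pkcs11"): [r"C:\Program Files\Amazon\CloudHSM\configure-pkcs11.exe"],
}

# Constructed describe-clusters output, trimmed to the fields used here.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterId": "cluster-constructed1", "State": "INITIALIZED",  # not yet activated
     "Hsms": [
         {"HsmId": "hsm-constructed1a", "State": "CREATE_IN_PROGRESS"},  # no EniIp yet
         {"HsmId": "hsm-constructed1b", "State": "ACTIVE", "EniIp": "10.0.1.6"},
     ]},
    {"ClusterId": "cluster-constructed2", "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-constructed2a", "State": "ACTIVE", "EniIp": "10.0.0.9"}]},
]})

# Constructed stand-in for the DER bytes of customerCA.crt (not a real certificate).
SAMPLE_DER = b"constructed stand-in for the issuing certificate DER"
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")


def pick_hsm_ip(describe_output, cluster_id=None):
    """Return the ENI IP of an ACTIVE HSM. Any ACTIVE HSM will do: the SDK learns the
    others after it connects. An HSM still being created may have no EniIp, so skip it."""
    clusters = json.loads(describe_output)["Clusters"]
    if cluster_id is None:
        if len(clusters) != 1:
            raise ValueError("several clusters in this Region; pass cluster_id explicitly")
    else:
        clusters = [c for c in clusters if c["ClusterId"] == cluster_id]
        if not clusters:
            raise LookupError(f"cluster {cluster_id} not found")
    for hsm in clusters[0].get("Hsms", []):
        if hsm.get("State") == "ACTIVE" and hsm.get("EniIp"):
            return str(ipaddress.ip_address(hsm["EniIp"]))  # raises on a malformed address
    raise LookupError("cluster has no ACTIVE HSM with an ENI IP; create one or wait")


def issuing_cert_der(pem_text):
    """Decode customerCA.crt from PEM to DER, refusing anything that is not a bare
    certificate. Only the certificate belongs on the instance (it is the trust anchor
    for verifying the HSMs); the issuing CA's private key must never be copied there."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key; copy only the certificate")
    text = pem_text.strip()
    if not (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----")):
        raise ValueError("not a single PEM certificate")
    return ssl.PEM_cert_to_DER_cert(text)


def configure_commands(system, library, hsm_ip, ca_cert_path=None):
    """Assemble the two configure-tool invocations from the page as argv lists:
    one registering the issuing certificate, one bootstrapping with the HSM IP."""
    tool = CONFIGURE_TOOL[(system, library)]
    ca_cert_path = ca_cert_path or CUSTOMER_CA_PATH[system]
    return [tool + ["--hsm-ca-cert", ca_cert_path],
            tool + ["-a", str(ipaddress.ip_address(hsm_ip))]]


if __name__ == "__main__":
    ip = pick_hsm_ip(SAMPLE_DESCRIBE_CLUSTERS, cluster_id="cluster-constructed1")
    print("DER length of sample cert:", len(issuing_cert_der(SAMPLE_CERT_PEM)))
    for argv in configure_commands("Linux", "pkcs11", ip):
        print(" ".join(argv))
```

On a real instance you would feed `issuing_cert_der` the contents of the certificate you created during cluster initialization and pass the resulting argv lists to `subprocess.run` (assumed usage; the example itself only builds them), keeping the issuing CA's private key off the instance entirely.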