Known Issues for Integrating Third-Party Applications - AWS CloudHSM

Known Issues for Integrating Third-Party Applications

Issue: Oracle sets the PKCS #11 attribute CKA_MODIFIABLE during master key generation, but the HSM does not support it

This limit is defined in the PKCS #11 library. For more information, see annotation 1 on Supported PKCS #11 Attributes.

  • Impact: Oracle master key creation fails.

  • Workaround: Set the special environment variable CLOUDHSM_IGNORE_CKA_MODIFIABLE_FALSE to TRUE when creating a new master key. This environment variable is only needed for master key generation and you do not need to use this environment variable for anything else. For example, you would use this variable for the first master key you create and then you would only use this environment variable again if you wanted to rotate your master key edition. For more information, see Generate the Oracle TDE Master Encryption Key.

  • Resolution status: We are improving the HSM firmware to fully support the CKA_MODIFIABLE attribute. Updates will be announced in the AWS CloudHSM forum and on the version history page