Step 1: Set up the prerequisites - AWS CloudHSM

Step 1: Set up the prerequisites

Follow these prerequisites to use a Tomcat web server with AWS CloudHSM for SSL/TLS offload on Linux. These prerequisites must be met to set up web server SSL/TLS offload with Client SDK 5 and a Tomcat web server.


Different platforms require different prerequisites. Always follow the correct installation steps for your platform.


  • An Amazon EC2 instance running a Linux operating system with A tomcat web server installed.

  • A crypto user (CU) to own and manage the web server's private key on the HSM.

  • An active AWS CloudHSM cluster with at least two hardware security modules (HSMs) that have JCE for Client SDK 5 installed and configured.


    You can use a single HSM cluster, but you must first disable client key durability. For more information, see Manage Client Key Durability Settings and Client SDK 5 Configure Tool.

How to meet the prerequisites

  1. Install and configure the JCE for AWS CloudHSM on an active AWS CloudHSM cluster with at least two hardware security modules (HSMs). For more information about installation, see JCE for Client SDK 5.

  2. On an EC2 Linux instance that has access to your AWS CloudHSM cluster, follow the Apache Tomcat instructions to download and install the Tomcat web server.

  3. Use CloudHSM CLI to create a crypto user (CU). For more information about managing HSM users, see Managing HSM users with CloudHSM CLI.


    Keep track of the CU user name and password. You will need them later when you generate or import the HTTPS private key and certificate for your web server.

  4. To setup JCE with Java Keytool, follow the instructions in Using Client SDK 5 to integrate with Java Keytool and Jarsigner.

After you complete these steps, go to Step 2: Generate or import a private key and SSL/TLS certificate.


  • To use Security-Enhanced Linux (SELinux) and web servers, you must allow outbound TCP connections on port 2223, which is the port Client SDK 5 uses to communicate with the HSM.

  • To create and activate a cluster and give an EC2 instance access to the cluster, complete the steps in Getting Started with AWS CloudHSM. This section offers step-by-step instructions for creating an active cluster with one HSM and an Amazon EC2 client instance. You can use this client instance as your web server.

  • To avoid disabling client key durability, add more than one HSM to your cluster. For more information, see Adding an HSM.

  • To connect to your client instance, you can use SSH or PuTTY. For more information, see Connecting to Your Linux Instance Using SSH or Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 documentation.