AWS CloudHSM Client SDK 5 key replicate failures - AWS CloudHSM

AWS CloudHSM Client SDK 5 key replicate failures

The key replicate command in the CloudHSM CLI replicates a key from a source AWS CloudHSM cluster to a destination AWS CloudHSM cluster. The steps outlined below are to resolve failures when the key replicate command fails due to inconsistencies within the source cluster or between the source and destination clusters.

Problem: The selected key is not synchronized throughout the cluster

The key replication process includes a check for if the key is synchronized throughout the source cluster. If any of the key information or key attributes have the value "inconsistent", this means that the key is not synchronized across the cluster. If a key is desynchronized throughout the cluster, key replicate will fail with the following error message:

{ "error_code": 1, "data": "The selected key is not synchronized throughout the cluster" }

To see if the key is desynchronized on the source cluster, run the key list command in the CloudHSM CLI with the --filter flag to filter for a specific key and the --verbose flag to see the full output with key coverage information:

aws-cloudhsm > key list --filter attr.label=my-desynchronized-key-label --verbose { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x000000000048000f", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "my-desynchronized-key-label", "id": "0x", "check-value": "0xbe79db", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": "inconsistent", "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 16 } } ], "total_key_count": 1, "returned_key_count": 1 } }
Resolution: To keep key information and attributes synchronized throughout the source cluster, follow one of these steps:
  1. If the key attributes are inconsistent, use the key set-attribute command to set the desired attribute for the specific key.

  2. If the coverage for shared users is inconsistent, run the key share or key unshare commands to share or unshare the key with the desired users.

Problem: The key with the same key reference exists in the destination cluster with different key information or key attributes.

If a key with the same key reference exists in the destination cluster with different key information or key attributes, you may see an error similar to the following:

{ "error_code": 1, "data": "Key replicate failed on 1 of 3 connections" }

Resolution: First, determine which the key which needs to be kept. Then, delete the key in the corresponding cluster using the key delete command. Finally, replicate the key from the cluster that the key is on.