AWS CloudHSM Client SDK 5 key replicate failures
The key replicate
command in the CloudHSM CLI replicates a key from a source AWS CloudHSM cluster to a destination AWS CloudHSM cluster. The steps outlined below
are to resolve failures when the key replicate
command fails due to inconsistencies within the source cluster or between the source and destination clusters.
Problem: The selected key is not synchronized throughout the cluster
The key replication process includes a check for if the key is synchronized throughout the source cluster. If any of the key information or key attributes have the value "inconsistent", this means that the key is not synchronized across the cluster. If a key is desynchronized throughout the cluster, key replicate will fail with the following error message:
{
"error_code": 1,
"data": "The selected key is not synchronized throughout the cluster"
}
To see if the key is desynchronized on the source cluster, run the key list
command in the CloudHSM CLI with the --filter
flag to filter for a specific key
and the --verbose
flag to see the full output with key coverage information:
aws-cloudhsm >
key list --filter attr.label=my-desynchronized-key-label --verbose
{ "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x000000000048000f", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "my-desynchronized-key-label", "id": "0x", "check-value": "0xbe79db", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": "inconsistent", "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 16 } } ], "total_key_count": 1, "returned_key_count": 1 } }
Resolution: To keep key information and attributes synchronized throughout the source cluster, follow one of these steps:
-
If the key attributes are inconsistent, use the
key set-attribute
command to set the desired attribute for the specific key. -
If the coverage for shared users is inconsistent, run the
key share
orkey unshare
commands to share or unshare the key with the desired users.
Problem: The key with the same key reference exists in the destination cluster with different key information or key attributes.
If a key with the same key reference exists in the destination cluster with different key information or key attributes, you may see an error similar to the following:
{
"error_code": 1,
"data": "Key replicate failed on 1 of 3 connections"
}
Resolution: First, determine which the key which needs to be kept. Then, delete the key in the corresponding cluster using the key delete
command.
Finally, replicate the key from the cluster that the key is on.