Known issues for hsm2m.medium instances - AWS CloudHSM

Known issues for hsm2m.medium instances

The following issues impact all hsm2m.medium instances.

Issue: Login latency increases due to increased PBKDF2 iterations

  • Impact: For increased security, hsm2m.medium performs 60,000 iterations of Password-Based Key Derivation Function 2 (PBKDF2) during login requests compared to 1,000 in hsm1.medium. This increase may result in an increased latency of up to 2 seconds (2s) per login request.

    The default timeout for the AWS CloudHSM Client SDKs is 20s. Login requests may time out and result in an error.

  • Workaround: If possible, serialize login requests in the same application to avoid extended latency during login. Multiple login requests in parallel will cause increased latency.

  • Resolution status: Future versions of the Client SDK will have an increased default timeout for login requests to account for this increased latency.
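The workaround above (serialize logins within one application) can be implemented with a process-wide lock around the login call. This is an added example, not AWS or Client SDK code: `SerializedLogin`, `FakeHsm` and `run_workers` are hypothetical names, and `FakeHsm` is a constructed stand-in whose latency is scaled down from the roughly 2s described above.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class SerializedLogin:
    """Allow only one in-flight HSM login per process."""

    def __init__(self, login_fn):
        self._login_fn = login_fn  # assumption: wraps your Client SDK's login call
        self._gate = threading.Lock()

    def login(self, *args, **kwargs):
        # Callers queue here instead of sending logins to the HSM in parallel.
        with self._gate:
            return self._login_fn(*args, **kwargs)


class FakeHsm:
    """Constructed stand-in for an HSM; records how many logins overlap."""

    def __init__(self, latency_s=0.02):  # scaled down from the ~2s login latency
        self.latency_s = latency_s
        self.peak = 0
        self._active = 0
        self._mu = threading.Lock()

    def login(self, user, password):
        with self._mu:
            self._active += 1
            self.peak = max(self.peak, self._active)
        time.sleep(self.latency_s)  # stands in for the PBKDF2 work during login
        with self._mu:
            self._active -= 1
        return f"session-for-{user}"


def run_workers(login, n=8):
    """Start n workers that all log in at once; return their session handles."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        futures = [pool.submit(login, f"cu{i}", "constructed-password") for i in range(n)]
        return [f.result() for f in futures]


if __name__ == "__main__":
    for label, wrap in (("ungated", lambda f: f), ("gated", lambda f: SerializedLogin(f).login)):
        hsm = FakeHsm()
        run_workers(wrap(hsm.login))
        print(f"peak parallel logins, {label}: {hsm.peak}")
```

The lock covers a single process only, which matches the "same application" scope of the workaround; separate processes or hosts still log in independently.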

Issue: A CO trying to set the trusted attribute of a key will fail with Client SDK 5.12.0 and earlier

  • Impact: Any CO user attempting to set the trusted attribute of a key will receive an error indicating that User type should be CO or CU.

  • Resolution: Future versions of the Client SDK will resolve this issue. Updates will be announced in our user guide's Document history.

Issue: ECDSA verify will fail with Client SDK 5.12.0 and earlier for clusters in FIPS mode

  • Impact: ECDSA verify operations performed for HSMs in FIPS mode will fail.

  • Resolution status: This issue has been resolved in the Client SDK 5.13.0 release. You must upgrade to this client version or later to benefit from the fix.