The cloudhsm_mgmt_util command line tool for my AWS CloudHSM cluster returns an error similar to the following:
RET_MXN_AUTH_FAILED
How can I resolve this?
Short description
This error means that the command requires M of N (quorum) authentication and none was provided. With quorum authentication, at least M of the N crypto officers must sign a token before the command runs, which makes sure that a single user can't perform sensitive operations on the CloudHSM cluster alone. For more information, see Managing quorum authentication (M of N access control).
The listUsers command shows the MofnPubKey value as NO for every user:
aws-cloudhsm>listUsers
Users on server 0(172.31.21.34):
Number of users found:6

    User Id    User Type    User Name      MofnPubKey    LoginFailureCnt    2FA
          1    CO           admin          NO            0                  NO
          2    AU           app_user       NO            0                  NO
          3    CU           cryptouser     NO            0                  NO
          4    CO           admin1         NO            0                  NO
          5    CO           palmep         NO            0                  NO
          6    CU           user1          NO            0                  NO
This shows that no user has registered a public key that can sign quorum tokens. Each CO (crypto officer) who will approve commands must register a public key on the CloudHSM cluster with the registerMofnPubKey command. For more information, see Create and register a key for signing.
Resolution
Run the getMValue command on the CloudHSM cluster with the parameter 3 to display the quorum value for service 3 (USER_MGMT). This service covers the createUser, deleteUser, and changePswd commands.
aws-cloudhsm>getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
In this example, the quorum value on both HSMs in the cluster is 2. The value can't be lowered below 2, but it can be raised. If quorum authentication was turned on by accident, restore the cluster from a backup taken before the value was set. To resolve the error, create and register an asymmetric key pair for at least as many CO users as the getMValue output requires (here, 2). Then retrieve a quorum token and have that many CO users sign it before running the command. For instructions, see Using quorum authentication for crypto officers: first-time setup.
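The key generation and token signing that the resolution describes, as an added shell example that is not part of this article or of AWS's tooling. It uses openssl to create each officer's RSA key pair and signature, and reproduces the M of N check locally so you can see why one signature is rejected and two are accepted when the quorum value is 2. Officer names, file paths and the demo token are made up; the cloudhsm_mgmt_util commands in the comments (registerMofnPubKey, approveToken) are shown with argument order assumed from the AWS guide, so confirm them against the guide for your client version.

```shell
#!/bin/sh
# Added example (not from the AWS Knowledge Center article): officer key
# generation, quorum-token signing, and a local mirror of the M of N check.
# Assumptions: openssl is installed; officer names, file names and the demo
# token contents are constructed. Commands that must be typed into a
# cloudhsm_mgmt_util session are shown as comments.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an RSA-2048 key pair for one crypto officer. Only the public key is
# registered with the cluster; the private key stays with the officer.
gen_officer_key() {
  name="$1"
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/$name.key" -pubout -out "$WORKDIR/$name.pub" 2>/dev/null
  # In cloudhsm_mgmt_util, logged in as that CO (argument order assumed):
  #   aws-cloudhsm>registerMofnPubKey CO $name $WORKDIR/$name.pub
  echo "$WORKDIR/$name.pub"
}

# Sign a quorum token file with an officer's private key (RSA signature over
# SHA-256, the openssl invocation assumed to match the AWS guide).
sign_token() {
  name="$1"; token="$2"
  openssl dgst -sha256 -sign "$WORKDIR/$name.key" -out "$token.$name.sig" "$token"
  # Each signer then submits the signature in cloudhsm_mgmt_util (assumed syntax):
  #   aws-cloudhsm>approveToken $name $token $token.$name.sig
  echo "$token.$name.sig"
}

# Verify one signature against one officer's registered public key.
verify_token_sig() {
  name="$1"; token="$2"; sig="$3"
  openssl dgst -sha256 -verify "$WORKDIR/$name.pub" -signature "$sig" "$token" >/dev/null 2>&1
}

# Local mirror of the HSM's check: count distinct officers with a valid
# signature on this token and compare against the M value from getMValue.
quorum_met() {
  token="$1"; m="$2"; shift 2
  n=0
  for name in "$@"; do
    if [ -f "$token.$name.sig" ] && verify_token_sig "$name" "$token" "$token.$name.sig"; then
      n=$((n + 1))
    fi
  done
  echo "$n of $m required signatures valid" >&2
  [ "$n" -ge "$m" ]
}

# Walk-through with M=2 (the getMValue 3 result above) and two COs.
demo() {
  token="$WORKDIR/demo.token"
  # Constructed placeholder; a real token comes from getToken in cloudhsm_mgmt_util.
  printf 'constructed-demo-token-not-from-an-hsm\n' > "$token"
  gen_officer_key admin >/dev/null
  gen_officer_key admin1 >/dev/null
  sign_token admin "$token" >/dev/null
  quorum_met "$token" 2 admin || echo "one signature: the command would fail with RET_MXN_AUTH_FAILED"
  sign_token admin1 "$token" >/dev/null
  quorum_met "$token" 2 admin admin1 && echo "two signatures: quorum satisfied"
}

demo
```

Run it with sh; it writes keys, the token and signatures into a temporary directory (override with WORKDIR). Note that a signature made with one officer's key does not count toward another officer's approval, which is the point of registering a distinct public key for each CO rather than sharing one.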