How can I resolve connection issues between the CloudHSM client and the CloudHSM cluster?

Resolution

Verify that the CloudHSM client package is installed

You must install the CloudHSM client software to communicate with the HSM. To confirm that the CloudHSM package is installed, run one of the following commands:

Red Hat Enterprise Linux (RHEL) and Amazon Linux:

rpm -qa | grep cloudhsm

Ubuntu:

dpkg --list | grep cloudhsm

Windows PowerShell:

Get-Service -Name AWSCloudHSMClient

If the CloudHSM client software isn't installed, then see Install and configure the AWS CloudHSM client (Linux) and Install and configure the AWS CloudHSM client (Windows).

Verify that the CloudHSM security group is associated with the CloudHSM client instance

When you create a cluster, CloudHSM automatically creates a security group that's named cloudhsm-cluster-clusterID-sg, and then associates the groups with the cluster. To access the HSM, you must associate the client instances with the cluster security group.

Complete the following steps:

1. Open the CloudHSM console, and then choose Clusters.
2. Select your cluster ID.
3. In General configuration under Security group, note the cloudhsm-cluster-clusterID-sg security group ID.
4. Open the Amazon EC2 console, and then choose Instances.
5. Select your instance ID, and then choose the Description tab.
6. Check the Security groups that are associated with the instance.
7. If the cloudhsm-cluster-clusterID-sg security group ID isn't associated with the EC2 instance, then connect the Amazon EC2 instance to the AWS CloudHSM cluster.

Verify that the CloudHSM client daemon runs

If the CloudHSM client daemon doesn't run, then application hosts can't connect to HSMs. To verify that the CloudHSM client daemon runs, run one of the following commands:

Amazon Linux 2, CentOS 7, RHEL 7, and Ubuntu 16.04 LTS:

sudo systemctl is-active cloudhsm-client

CentOS 6, Amazon Linux, and RHEL 6:

sudo status cloudhsm-client

Windows PowerShell:

Get-Service -Name AWSCloudHSMClient | Format-Table DisplayName,Status -AutoSize

If the output shows the CloudHSM client daemon status as stopped, then start the CloudHSM client.

Update the configuration file for the CloudHSM client elastic network interface IP address

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

1. Open the CloudHSM console, and then choose Clusters.
2. Select your cluster ID.
3. Choose the HSMs tab, and then note network interface IP address.
   Note: You can also use the AWS Command Line Interface (AWS CLI) describe-clusters command.
4. To update the client's configuration file with the network interface IP address, see Lost connection to the cluster.

For more information, see Troubleshooting AWS CloudHSM.

Related information

Which CloudHSM certificates are used for the client-server end-to-end encrypted connection?