How do I resolve the error "RET_MXN_AUTH_FAILED" that I get when I use the cloudhsm_mgmt_util command for CloudHSM?


The cloudhsm_mgmt_util command line tool for my AWS CloudHSM cluster returned the error "RET_MXN_AUTH_FAILED".

Short description

The RET_MXN_AUTH_FAILED error occurs when you don't provide quorum authentication, also known as M of N access control. At least two users must sign a token to run a command with quorum authentication. Quorum authentication makes sure that a single user can't cause incorrect activity on the CloudHSM cluster.

In this example, the output from the listUsers command shows that the MofnPubKey value is set to NO:

aws-cloudhsm>listUsers
Users on server 0(172.31.21.34):
Number of users found:6
    User Id        User Type    User Name     MofnPubKey    LoginFailureCnt     2FA
         1            CO        admin           NO               0               NO
         2            AU        app_user        NO               0               NO
         3            CU        cryptouser      NO               0               NO
         4            CO        admin1          NO               0               NO
         5            CO        palmep          NO               0               NO
         6            CU        user1           NO               0               NO

When the MofnPubKey value is set to NO, the user has no registered public key that can sign quorum tokens. To register a public key, crypto officers (COs) must run the registerMofnPubKey command on the CloudHSM cluster.

Resolution

Run the getMValue command on the CloudHSM cluster. The parameter 3 selects service 3 (USER_MGMT), which covers the user-management commands createUser, deleteUser, and changePswd:

aws-cloudhsm>getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]

In the preceding example, the M value on both HSM servers in the cluster is 2. You can't lower this value below 2, but you can raise it. If you turned on quorum authentication unintentionally, you can restore the previous value from a CloudHSM cluster backup.

To resolve this issue, create and register an asymmetric key for at least as many users as the getMValue output specifies. Then, get the quorum token and have that number of users sign it. For instructions, see Using quorum authentication for crypto officers: first-time setup.
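As an added example (not part of the original article or the CloudHSM tooling), the script below parses listUsers and getMValue output of the kind shown above and reports whether enough crypto officers have a registered MofN public key to meet the M value, which is the condition that otherwise produces RET_MXN_AUTH_FAILED. The sample outputs are constructed.

```python
import re

# Constructed sample output, modelled on the listUsers output above.
LIST_USERS_OUTPUT = """Users on server 0(172.31.21.34):
Number of users found:4
    User Id        User Type    User Name     MofnPubKey    LoginFailureCnt     2FA
         1            CO        admin           NO               0               NO
         2            AU        app_user        NO               0               NO
         3            CO        admin1          YES              0               NO
         4            CU        user1           NO               0               NO
"""
# Constructed sample output, modelled on the getMValue output above.
GET_MVALUE_OUTPUT = """MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
"""

USER_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(YES|NO)\s+(\d+)\s+(YES|NO)\s*$")
MVALUE_LINE = re.compile(r"MValue of service (\d+)\[(\w+)\] on server (\d+) : \[(\d+)\]")


def parse_list_users(text):
    """Return one dict per user row; header and summary lines do not match."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            users.append({"id": int(m.group(1)), "type": m.group(2),
                          "name": m.group(3), "mofn_pubkey": m.group(4) == "YES"})
    return users


def parse_m_values(text):
    """Map server index -> M value for the service reported by getMValue."""
    return {int(m.group(3)): int(m.group(4)) for m in MVALUE_LINE.finditer(text)}


def quorum_signers(users):
    """Crypto officers that can sign a quorum token (MofnPubKey == YES)."""
    return sorted(u["name"] for u in users if u["type"] == "CO" and u["mofn_pubkey"])


def quorum_gap(users, m_values):
    """Return (required M, eligible signers, shortfall). A shortfall above 0 means
    user-management commands will fail quorum authentication. The largest M across
    servers is used, since every HSM in the cluster must be satisfied."""
    required = max(m_values.values())
    signers = quorum_signers(users)
    return required, signers, max(0, required - len(signers))
```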

AWS OFFICIAL, updated 4 months ago