
CloudHSM cluster initialized but HSM not accepting TCP connections despite successful activation

0

I have initialized a CloudHSM cluster and the HSM shows as ACTIVE, but I cannot establish any TCP connections to the HSM ports (2223-2225).

Current State:

  • Cluster State: INITIALIZED
  • HSM State: ACTIVE
  • CloudWatch logs confirm successful user creation (admin/PRECO user created)
  • Both EC2 instance and HSM are in the same subnet (10.11.1.0/24)
  • Security groups configured to allow ports 2223-2225

Network Diagnostics Performed:

  • ARP responds successfully (Layer 2 connectivity confirmed)
  • TCP SYN packets sent but no SYN-ACK received (captured via tcpdump)
  • Connection attempts time out with error code 11 (EAGAIN)
  • Same VPC, same subnet, no Network ACLs blocking traffic
  • No local firewall (iptables/firewalld) on EC2 instance

Configuration Steps Taken:

  1. Created cluster using CloudFormation
  2. Generated and signed certificates successfully
  3. Initialized cluster with signed certificates
  4. Installed both CloudHSM v3 client and v5 CLI tools
  5. Configured clients with HSM IP address
  6. Verified certificates match between client and cluster

Tools Tested:

  • cloudhsm_mgmt_util - Times out on port 2225
  • cloudhsm-cli (v5) - "Failed to establish connection after retries"
  • key_mgmt_util - "LIQUIDSECURITY: Daemon socket connection error"
  • Direct TCP connection via Python socket - Error code 11

CloudWatch Logs Show Successful Activation:

  • CN_INIT_TOKEN completed
  • CN_CREATE_USER for admin (PRECO) completed
  • CN_LOGIN successful for admin user
  • CN_INIT_DONE completed

Despite these successful log entries, the HSM refuses all TCP connections. Has anyone encountered this issue where an activated HSM becomes unreachable? What steps can resolve this beyond cluster deletion and recreation?

Environment: Amazon Linux 2, same availability zone as HSM, using FIPS mode cluster.

2 Answers
1
Accepted Answer

It appears you're experiencing connectivity issues with your AWS CloudHSM cluster despite proper initialization and activation. Based on your description, there are a few key areas to investigate:

  1. Security Group Configuration: While you mentioned that security groups are configured to allow ports 2223-2225, ensure that the specific cluster security group named cloudhsm-cluster-<clusterID>-sg is attached to your EC2 instance. This security group contains preconfigured rules that allow inbound and outbound communication over ports 2223-2225. Without this specific security group attached to your EC2 instance, communication with the HSM will fail.

  2. Client Configuration: When you configured the AWS CloudHSM client, you provided the IP address of the HSM. If this HSM has been deleted or failed, the client won't be able to connect, resulting in errors like "LIQUIDSECURITY: Daemon socket connection error" or "LIQUIDSECURITY: Invalid Operation." Verify that the IP address in your client configuration file points to an active, reachable HSM in your cluster.

  3. Cluster Activation Status: You mentioned the cluster state is "INITIALIZED" but should be "ACTIVE" after activation. When you activate a CloudHSM cluster, its state changes from initialized to active, allowing you to manage HSM users and use the HSM. Verify that the cluster activation was fully completed, which includes changing the unactivated-admin role to admin.

  4. Client-HSM Communication: The error "Failed to establish connection after retries" suggests that while your network configuration might allow traffic, there could be an issue with the client's ability to establish a secure connection to the HSM.

To resolve these issues:

  • Double-check that the cluster security group is attached to your EC2 instance
  • Verify the IP address in your client configuration matches an active HSM
  • Ensure the cluster has been fully activated (not just initialized)
  • Try stopping the client, updating the configuration with the correct HSM IP address, and restarting the client

If these steps don't resolve the issue, you might need to check for any VPC configuration issues that could be blocking traffic despite being in the same subnet.
Sources
Lost connection to the AWS CloudHSM cluster - AWS CloudHSM
Configure the Client Amazon EC2 instance security groups for AWS CloudHSM - AWS CloudHSM
Activate the cluster in AWS CloudHSM - AWS CloudHSM
Review the security group for your cluster in AWS CloudHSM - AWS CloudHSM

answered 10 months ago
EXPERT
reviewed 10 months ago
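The accepted answer's checklist (cluster ACTIVE rather than INITIALIZED, client pointed at an ACTIVE HSM's IP, cluster security group actually attached to the instance) can be run mechanically against the control-plane view before touching packet captures. The script below is an added example, not code from the question, the answer or AWS: it takes the JSON that `aws cloudhsmv2 describe-clusters` and `aws ec2 describe-instances` already return, plus the HSM IP you passed to `configure-cli -a` (v5) or `configure -a` (v3), and reports which of the three conditions fails. The embedded `SAMPLE_*` documents are constructed to mirror the symptom in the question: an ACTIVE HSM in an INITIALIZED cluster, with the `cloudhsm-cluster-<clusterID>-sg` group missing from the instance. All IDs and IPs in them are made up.

```python
"""Offline consistency checks for a CloudHSM client that cannot reach its HSM.

Inputs (real usage):
  aws cloudhsmv2 describe-clusters --filters clusterIds=<cluster-id> > clusters.json
  aws ec2 describe-instances --instance-ids <instance-id>          > instances.json
  python3 hsm_check.py clusters.json instances.json <ip-given-to-configure-cli> [--probe]
Without arguments it runs against the constructed SAMPLE_* documents below.
"""
import json
import socket
import sys

# Constructed sample (not real AWS output): cluster still INITIALIZED, one ACTIVE HSM.
SAMPLE_CLUSTERS = json.loads("""{
  "Clusters": [{
    "ClusterId": "cluster-example1234567",
    "State": "INITIALIZED",
    "VpcId": "vpc-0123456789abcdef0",
    "SecurityGroup": "sg-0cloudhsmcluster00",
    "Hsms": [{
      "HsmId": "hsm-example1234567",
      "State": "ACTIVE",
      "SubnetId": "subnet-0aaaaaaaaaaaaaaa0",
      "EniIp": "10.11.1.42"
    }]
  }]
}""")

# Constructed sample: the instance carries only its own SG, not the cluster SG.
SAMPLE_INSTANCES = json.loads("""{
  "Reservations": [{
    "Instances": [{
      "InstanceId": "i-0123456789abcdef0",
      "SubnetId": "subnet-0aaaaaaaaaaaaaaa0",
      "PrivateIpAddress": "10.11.1.10",
      "SecurityGroups": [{"GroupId": "sg-0myappsg0000000000", "GroupName": "app-sg"}]
    }]
  }]
}""")

HSM_PORTS = (2223, 2224, 2225)


def diagnose(clusters_doc, instances_doc, configured_ip):
    """Return a list of human-readable findings; an empty list means the
    control-plane view is consistent and the problem is on the data path."""
    findings = []
    cluster = clusters_doc["Clusters"][0]
    instance = instances_doc["Reservations"][0]["Instances"][0]

    # 1. Activation: INITIALIZED means unactivated-admin was never changed to admin.
    if cluster["State"] != "ACTIVE":
        findings.append(f"cluster {cluster['ClusterId']} is {cluster['State']}, "
                        "not ACTIVE: complete activation (unactivated-admin -> admin)")

    # 2. The client must point at an HSM that still exists and is ACTIVE.
    active_ips = {h["EniIp"] for h in cluster["Hsms"] if h["State"] == "ACTIVE"}
    if not active_ips:
        findings.append("cluster has no HSM in ACTIVE state")
    elif configured_ip not in active_ips:
        findings.append(f"client is configured for {configured_ip}; "
                        f"ACTIVE HSM IPs are {sorted(active_ips)}")

    # 3. The cluster security group carries the 2223-2225 rules; it must be on the instance.
    attached = {g["GroupId"] for g in instance["SecurityGroups"]}
    if cluster["SecurityGroup"] not in attached:
        findings.append(f"cluster security group {cluster['SecurityGroup']} is not attached "
                        f"to {instance['InstanceId']} (attached: {sorted(attached)})")
    return findings


def probe_ports(ip, ports=HSM_PORTS, timeout=3.0):
    """Live TCP check from the instance; returns {port: 'open' | errno text}.
    Network-dependent, so it is only run when --probe is passed."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                results[port] = "open"
        except OSError as exc:
            results[port] = exc.strerror or repr(exc)
    return results


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--probe"]
    if len(args) == 3:
        with open(args[0]) as f:
            clusters, hsm_ip = json.load(f), args[2]
        with open(args[1]) as f:
            instances = json.load(f)
    else:
        clusters, instances, hsm_ip = SAMPLE_CLUSTERS, SAMPLE_INSTANCES, "10.11.1.42"
    for line in diagnose(clusters, instances, hsm_ip) or ["control-plane view is consistent"]:
        print("-", line)
    if "--probe" in sys.argv:
        for port, status in probe_ports(hsm_ip).items():
            print(f"tcp/{port}: {status}")
```

On the constructed sample the script reports two findings (cluster not ACTIVE, cluster SG missing from the instance) and nothing about the IP, which is exactly the state the question describes; after attaching the cluster SG, as the asker ultimately did, only the activation finding would remain. `--probe` is the same SYN test the asker ran with tcpdump, just expressed as connect() results per port.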
0

Updating the EC2 by adding the missing Security Groups fixed the issue.

Thanks

answered 10 months ago
