
Getting connection error when trying to connect to CloudHSM through cloudhsm-cli

0

Installed cloudhsm-cli using the link https://docs.aws.amazon.com/cloudhsm/latest/userguide/gs_cloudhsm_cli-install.html.

IP and port are set. customerCA.crt is set up properly.

Cluster is in the initialized state and one HSM is active. Trying to set up a user and password.

Running sudo cloudhsm-cli interactive gives the logs below.

2025-04-09T07:43:16.508Z INFO [34682] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::server_properties][][] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 9 }
2025-04-09T07:43:16.508Z INFO [34682] ThreadId(1) [hsm1_marshaling::server_handshake][][] Reporting sdk version CLI:5.15.0-amzn2023:Linux 2023 Amazon Linux:CodeBuildBatchProject-uFu5sNXfquqK:80f3cdab-3610-4359-a36c-d0ac36a1eae1
2025-04-09T07:43:16.623Z ERROR [34682] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::error][][] Handshake failed. Message: HSM returned an error during E2E handshake.
2025-04-09T07:43:16.624Z INFO [34682] ThreadId(1) [cloudhsm_provider_common::dispatcher][][] Exiting all active dispatcher operations
2025-04-09T07:43:16.624Z ERROR [34682] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool][][] Failed to connect to HSM {ip}:2223 with internal error: HSM is disconnected
2025-04-09T07:43:16.624Z ERROR [34682] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool][][] Not enough HSMs are created successfully.
Required 1, created 0.
2025-04-09T07:43:16.624Z ERROR [34682] ThreadId(1) [cloudhsm_cli][][] HSM is disconnected

asked 8 months ago · 552 views
2 Answers
0

The error you're encountering suggests there's a connection issue between your CloudHSM CLI and the HSM cluster. Here are some steps to troubleshoot and potentially resolve this issue:

  1. Verify the HSM IP address: Ensure that the IP address specified in your CloudHSM client configuration file is correct and points to an active HSM in your cluster. The configuration file is typically located at /opt/cloudhsm/etc/cloudhsm-client.cfg.

  2. Check network connectivity: Make sure there are no network issues preventing communication between your client and the HSM. Verify that the necessary ports (especially 2223) are open in your security groups and network ACLs.

  3. Validate the customerCA.crt: Although you mentioned it's set up properly, double-check that the certificate is in the correct location and has the proper permissions.

  4. Restart the CloudHSM client: Try stopping and restarting the CloudHSM client daemon. This can sometimes resolve connection issues.

  5. Check HSM status: Verify that your HSM cluster is indeed active and initialized as you mentioned. Sometimes the cluster state might change unexpectedly.

  6. Review client version compatibility: Ensure that your CloudHSM CLI version is compatible with your HSM cluster version.

  7. Check system time: Ensure that your system time is correctly synchronized. Time discrepancies can cause handshake failures.

  8. Examine CloudHSM client logs: Look for additional error messages or clues in the CloudHSM client logs.

If these steps don't resolve the issue, you may need to contact AWS support for further assistance. They can help diagnose any potential problems with your HSM cluster or network configuration that might be preventing the CloudHSM CLI from connecting successfully.
Sources: Cannot connect to cloudhsm using openssl | AWS re:Post

answered 8 months ago
0

Based on the error logs, it appears you're experiencing an E2E (End-to-End) handshake failure when trying to connect to CloudHSM. Here are some steps to troubleshoot:

  1. Verify Certificate Setup:

    • Ensure customerCA.crt is in the correct location: /opt/cloudhsm/etc/customerCA.crt
    • Check certificate permissions: ls -l /opt/cloudhsm/etc/customerCA.crt
  2. Check Network Connectivity:

    • Verify the HSM IP is reachable: ping <hsm-ip>
    • Check if port 2223 is accessible: telnet <hsm-ip> 2223
    • Verify no firewall rules are blocking the connection
  3. Validate Cluster State:

    • Use AWS Console or AWS CLI to confirm the HSM is truly active
    • Check cluster health: aws cloudhsmv2 describe-clusters
  4. Check Configuration:

    • Verify the configuration file: /opt/cloudhsm/etc/cloudhsm-cli.cfg
    • Ensure it contains the correct HSM IP and port
  5. Common Solutions:

    • Try restarting the CloudHSM client service:
      sudo service cloudhsm-client stop
      sudo service cloudhsm-client start
    • Verify you're using compatible versions of the client and CLI
    • Check if the HSM needs to be reactivated

If these steps don't resolve the issue, please check the CloudHSM client logs for additional error messages:

    sudo tail -f /opt/cloudhsm/run/cloudhsm_client.log
AWS
answered 8 months ago
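As an added example, not part of either answer above, here is a small Python triage script that parses cloudhsm-cli log lines like the ones in the question and reports which connection stage failed, so the troubleshooting steps can be ordered by what the log already rules out. The sample log is constructed from the question's lines, and the mapping from stage to next check is an assumed heuristic, not an AWS-documented rule.

```python
import re

# Constructed sample: the log lines from the question, HSM address left as the {ip} placeholder
SAMPLE_LOG = """\
2025-04-09T07:43:16.508Z INFO [34682] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::server_properties][][] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 9 }
2025-04-09T07:43:16.623Z ERROR [34682] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::error][][] Handshake failed. Message: HSM returned an error during E2E handshake.
2025-04-09T07:43:16.624Z ERROR [34682] ThreadId(1) [cloudhsm_provider::hsm1::connection::connection_pool][][] Failed to connect to HSM {ip}:2223 with internal error: HSM is disconnected
2025-04-09T07:43:16.624Z ERROR [34682] ThreadId(1) [cloudhsm_cli][][] HSM is disconnected
"""

# timestamp  LEVEL [pid] ThreadId(n) [module][][] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>INFO|WARN|ERROR)\s+\[(?P<pid>\d+)\]\s+ThreadId\(\d+\)\s+"
    r"\[(?P<module>[^\]]*)\](?:\[[^\]]*\])*\s+(?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict (ts, level, pid, module, msg) per well-formed cloudhsm-cli log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def diagnose(text):
    """Return (stage, advice). Stage is the first connection step the log shows failing.

    Heuristic (assumed, not AWS-documented): a logged version handshake proves bytes were
    exchanged with the HSM on port 2223, so a later E2E handshake error is not a port or
    security-group problem but a trust/state problem (customerCA.crt, cluster state, clock).
    """
    msgs = " ".join(e["msg"] for e in parse_log(text))
    version_ok = "Version handshake with server succeeded" in msgs
    e2e_failed = "Handshake failed" in msgs and "E2E handshake" in msgs
    connect_failed = "Failed to connect to HSM" in msgs
    if connect_failed and not version_ok:
        return "tcp", "no version handshake logged: check HSM IP in cloudhsm-cli.cfg, security groups and NACLs for port 2223"
    if version_ok and e2e_failed:
        return "e2e", ("TCP path and server version are fine; check customerCA.crt location/permissions, "
                       "that the HSM is active in the cluster, and that system time is synchronised")
    if version_ok:
        return "ok", "version handshake succeeded and no handshake error was logged"
    return "unknown", "no recognised handshake messages found"


if __name__ == "__main__":
    stage, advice = diagnose(SAMPLE_LOG)
    print(f"stage={stage}: {advice}")
```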
