Hello,
Please see the following recommendations that are based on previous testing from my side:
- Ensure that you are making use of the most recent version of Client SDK 5 (version 5.10.0). You can download it via this download link. Install the latest version of the Client SDK 5 PKCS11 library and set it up according to AWS recommendations.
- If you only have 1 HSM node in your CloudHSM cluster, please also disable the key availability check requirement by running the command "sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check".
With the recommendations above, I only expect that 2 tests will fail:
18 - unwrap_with_template (Failed)
21 - ecdh (Failed)
SDK 5 does not use the same key handles across different sessions (test 18) and the PKCS#11 mechanism used for key derivation is CKM_ECDH1_DERIVE which is not supported by SDK 5 (test 21).
It is important to use the latest version of Client SDK 5 because some earlier versions (for example version 5.0.0) were released with limited support for just a few key types, mechanisms, API operations and client attributes. Hence you will get failures if you are testing all the samples against a version of Client SDK 5 that does not support a mechanism that is being tested. In a similar way, you will also get failures for certain tests that involve API operations where the "key availability check" is performed but you only have 1 HSM node in your cluster.
To conclude, please also note that Amazon Linux 2023 is not yet listed as an officially supported platform by AWS CloudHSM at this time. The recommendation is to use a platform that is officially supported so that you can get support from the CloudHSM support team and service team, if you run into any issues.
Thank you, Teneng T. This is also related to my other question. I'm very interested in SDK 5 and this is the first time I'm giving it a try. Also, we only have 1 HSM in the cluster because it is not a production environment. Would you recommend SoftHSM for "cost-free" testing?
Hello,
I understand this is not a production environment, but if the end goal of the tests you are performing is to finally integrate your applications/workloads with AWS CloudHSM, then I would suggest that you continue testing with CloudHSM. You will find some best practices under "Reduce costs by scaling to your needs" in the public documentation: https://docs.aws.amazon.com/cloudhsm/latest/userguide/best-practices.html#bp-reduce-cost
In essence, you can delete the HSM(s) in your cluster when not in use in order to save on cost.
However, if you are just using your environment to test PKCS11 APIs, then a "cost-free" option such as SoftHSM might be best for you.