How to retrieve CloudHSM partition and key info using SDK 5

0

I'd like to view the current keys as well as the max key count that is allocated to my CloudHSM server.

I have an existing Amazon Linux server with SDK 3 software in use that could use the CloudHSM Management Utility tool for the following command:

/opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s username -p password getPartitionInfo

The issue is that the key management utility isn't available on SDK 5 supported instances. Is there a different method to retrieve information similar to this command?

I just want to view the Max keys and OccupiedTokenKeys.

harry
asked 7 months ago, 371 views
2 Answers
0
Accepted Answer

Hello,

As rightly noticed by you, with SDK 5, the "key_mgmt_util" tool that was available in SDK 3 is no longer present. But there are still ways to manage your keys:

  1. CloudHSM CLI: While its primary focus is on managing HSM users, it's a handy tool for some user-related operations. For a more detailed list of CloudHSM CLI commands, see https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-reference.html

  2. cloudhsm_mgmt_util tool: This is a more robust tool that provides commands for both user and key management. It's particularly useful for changing key attributes. A detailed list of its commands can be found here: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-reference.html

Although Client SDK 5 does not include a standalone Key Management Utility, I believe you can use the CloudHSM CLI utility that is associated with Client SDK 5 in order to perform some key management functions. In version 5.10.0 (the latest version of Client SDK 5) [1], the CloudHSM service team added new features to the CloudHSM CLI that can be used to perform key management functions. You can download the appropriate installation package of the CloudHSM CLI for your operating system from link [1], then install it and set it up according to AWS recommendations (use the configure tool to bootstrap the IP address of an HSM in your cluster, etc.). If this is set up correctly, you can log in to the CloudHSM CLI as a crypto user and then use the "key generate-file" command [2] in order to export a private key reference from an HSM in fake PEM format. This would be similar to the fake PEM file that you export with the "getCaviumPrivKey" command for the SDK 3 KMU, and you can use this file with the SDK 5 version of the CloudHSM Dynamic Engine for OpenSSL just like you did with the SDK 3 version.

The approach above is effective for scenarios where you already have existing private keys present in the HSM and you want to get a fake PEM of such a private key that you can use with OpenSSL commands via the CloudHSM Dynamic Engine for OpenSSL. If we now consider a scenario where you have already set up Client SDK 5 and are already using its corresponding Dynamic Engine for OpenSSL, you can directly use OpenSSL to create a new private key in the HSM as well as export the fake PEM file in a single command. A command similar to the one below should work as expected:

$ openssl genrsa -out rsa_private_key.pem -f4 -engine cloudhsm 2048

The result will be a new key in your CloudHSM cluster (the real key) and a fake key in 'rsa_private_key.pem'. If you take a look at the fake key file ('cat rsa_private_key.pem'), you'll notice there are lots of repeated sequences of characters at the end of the encoded body. This only happens with fake keys. Before running the command above, you can initially list the keys in your HSM for the crypto user and take note of them, and then list the keys again after running the command in order to identify the key that was created in the HSM when you ran the command. Otherwise, you can use the modulus parameter of the fake PEM key to find the corresponding "real" key in the HSM.

You can now use the fake PEM key to generate a CSR:

$ openssl req -new -key rsa_private_key.pem -out my_certificate.csr -engine cloudhsm

In addition to the command line tools and the AWS CloudHSM Dynamic Engine for OpenSSL, please note that Client SDK 5 also provides corresponding ("full") SDKs for PKCS#11 [3] and Java (JCE provider) [4] that you can use on the client side. These SDKs give you the ability to directly consume private keys stored in the HSMs and use them for the type of operations you mentioned. However, you would have to write custom code on your side that contains logic to make use of the APIs that these libraries provide.

References:

[1] https://docs.aws.amazon.com/cloudhsm/latest/userguide/client-history.html#client-version-5-10-0

[2] https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-generate-file.html

[3] https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html

[4] https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library.html

AWS
Priya_s
answered 6 months ago
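The accepted answer above suggests two ways to tie a fake PEM back to the real key in the HSM: diff the key list before and after the genrsa run, or match on the modulus. The following is an added example (not code from the question, the answer, or AWS) that implements both checks offline in Python with only the standard library. It assumes that the fake PEM keeps the outer PKCS#1 RSAPrivateKey (or PKCS#8) structure with the real modulus in the usual position, and that the JSON written by `cloudhsm-cli key list` has the shape `data.matched_keys[].key-reference` with an `attributes.modulus` hex string in verbose output; both the sample PEM and the sample key-list JSON below are constructed, not captured from a real cluster.

```python
import base64
import json

# --- minimal DER helpers (enough to walk an RSAPrivateKey) -------------------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real 2048-bit keys)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _encode_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_integer(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                        # keep the INTEGER positive
        b = b"\x00" + b
    return _encode_tlv(0x02, b)

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def rsa_modulus_from_pem(pem):
    """Read only version and modulus from a PKCS#1 (BEGIN RSA PRIVATE KEY) or
    PKCS#8 (BEGIN PRIVATE KEY) PEM. The private fields are never touched, which
    is the point for a fake PEM: they are placeholders, the real key is in the HSM."""
    tag, seq, _ = _read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _version, pos = _read_tlv(seq, 0)
    tag2, second, pos2 = _read_tlv(seq, pos)
    if tag2 == 0x30:                       # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        tag3, inner, _ = _read_tlv(seq, pos2)
        if tag3 != 0x04:
            raise ValueError("expected OCTET STRING with RSAPrivateKey")
        _, seq, _ = _read_tlv(inner, 0)
        _, _version, pos = _read_tlv(seq, 0)
        tag2, second, _ = _read_tlv(seq, pos)
    if tag2 != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(second, "big")

# --- matching against `cloudhsm-cli key list` output (assumed JSON shape) ---

def key_refs(key_list_json):
    return {k["key-reference"] for k in json.loads(key_list_json)["data"]["matched_keys"]}

def new_keys(before_json, after_json):
    """Key references present after the genrsa run but not before it."""
    return key_refs(after_json) - key_refs(before_json)

def find_key_by_modulus(pem, key_list_json):
    """Return the key reference whose verbose 'modulus' attribute equals the PEM's n."""
    n = rsa_modulus_from_pem(pem)
    for k in json.loads(key_list_json)["data"]["matched_keys"]:
        m = k.get("attributes", {}).get("modulus")
        if m and int(m, 16) == n:          # int() accepts an optional 0x prefix
            return k["key-reference"]
    return None

# --- constructed sample data (toy-sized modulus, not a usable RSA key) -------

SAMPLE_N = 0xC0FFEE1234567890ABCDEF

def make_sample_pem(n, e=65537):
    """Build a PKCS#1 RSAPrivateKey whose private components are placeholder 1s,
    mimicking the shape of a fake PEM; constructed for this example only."""
    der = _encode_tlv(0x30, b"".join(_der_integer(i) for i in [0, n, e, 1, 1, 1, 1, 1, 1]))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"

def _key_list(entries):
    return json.dumps({"error_code": 0, "data": {"matched_keys": entries}})

OLD_KEY = {"key-reference": "0x00000000001c0001",
           "attributes": {"label": "old-key", "modulus": "0x1234"}}
NEW_KEY = {"key-reference": "0x00000000001c0002",
           "attributes": {"label": "", "modulus": hex(SAMPLE_N)}}
KEY_LIST_BEFORE = _key_list([OLD_KEY])
KEY_LIST_AFTER = _key_list([OLD_KEY, NEW_KEY])

if __name__ == "__main__":
    pem = make_sample_pem(SAMPLE_N)
    print("new key references:", new_keys(KEY_LIST_BEFORE, KEY_LIST_AFTER))
    print("key matching fake PEM modulus:", find_key_by_modulus(pem, KEY_LIST_AFTER))
```

In practice you would save the two `key list` outputs to files before and after the `openssl genrsa ... -engine cloudhsm` call and feed them in with the generated `rsa_private_key.pem`; the modulus match is the more robust check, because other users of the same crypto user account may create keys between your two listings.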
0

Hello, I am not sure which minor version of SDK 5 you are using, but the recently launched SDK 5.10.0 adds key management functionality to the CloudHSM CLI. Ref: https://docs.aws.amazon.com/cloudhsm/latest/userguide/client-history.html#client-version-5-10-0

AWS
answered 6 months ago
