Failing to Connect to HSM Because No Token was Found

0

Trying to reach out to the CloudHSM via the PKCS11 library and getting HSMTokenError: ('Could not find matching token - {'token_label': 'cavium'}",)). I am trying to understand what token it is looking for as it seems that this is the default setting to connect to a slot on the HSM. Do I have to set up a token initially in order for sessions to start?

atull
asked 2 years ago · 323 views
3 Answers
0

You guys need to update your docs. The default slot is no longer 'cavium', it is 'hsm1'. I had to actually go look in the library for PKCS_11 and find the value.

atull
answered 2 years ago
  • Thank you, atull, for bringing this to our attention. Rest assured, I will report this information regarding hsm1 to the internal team on your behalf for an internal check and any relevant document addition/update. Also, please note that you can submit external feedback yourself to the team for a CloudHSM PKCS#11 doc check/revision/update using this link.

0

Hello,

This error (HSMTokenError: ('Could not find matching token - {'token_label': 'cavium'}",))) hints at the use of a token label that is invalid. A token is a concept used in the PKCS#11 SDK [1][2].

In regard to the following:

I am trying to understand what token it is looking for as it seems that this is the default setting to connect to a slot on the HSM. Do I have to setup a token initially in order for sessions to start?

We will need to dive deeper into your environment to query your SDK version (3 or 5), your code snippet, etc., to understand how you are starting the session here. Please do not post any sensitive information over re:Post since this is a public platform. I would recommend creating a support case with our team so we may discuss the details of your resource configuration.


A general session would look something like this:

1) Load the PKCS#11 module
2) Load the AWS-provided Cryptoki library
3) Get the list of slots (C_GetSlotList) -- note: for CloudHSM there is just one slot available at all times
4) Open a session (C_OpenSession)
5) Provide the credentials of a crypto user
   Format: <CU_Username>:<CU_Password>
6) Perform the crypto operations (C_Encrypt, C_Sign, …)
7) Log out (C_Logout)
8) Close the active session (C_CloseSession)

You will need to follow steps 1-4 to open a session, and there’s only one slot in CloudHSM.

https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html

Please note that we have also provided samples/examples for aws-cloudhsm-pkcs11:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html

https://github.com/awsdocs/aws-cloudhsm-user-guide/blob/master/doc_source/pkcs11-samples.md


Additionally, the common errors and known issues in the PKCS#11 docs can be found here:

https://docs.aws.amazon.com/cloudhsm/latest/APIReference/CommonErrors.html

https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html


References:

[1] https://docs.oracle.com/middleware/11119/otd/admin/security004.htm

[2] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959687

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
0

Hello again atull,

This is Yash from the Premium Support team. I reached out to the internal team on your behalf to confirm your findings, and I would like to summarize their corresponding findings below:

  • The internal team currently didn't find any information regarding the slot label hsm1, and according to them this looks incorrect. They have attached the worklogs for the token label in CloudHSM SDK 3 and the token label in CloudHSM SDK 5 for your reference as well:
Token label in CloudHSM SDK 3:

ssh AmazonLinux2ClientInstanceSDK3ForXXXXXXXXXXx22
tmux ls
tmux new-session -s tt_v7XXXXXXX5
tmux display-message -p '#S'
	tt_v754553755
rpm -qa | grep cloudhsm | sort -u
	cloudhsm-client-3.4.4-1.el7.x86_64
	cloudhsm-client-dyn-3.4.4-1.el7.x86_64
	cloudhsm-client-jce-3.4.4-1.el7.x86_64
	cloudhsm-client-pkcs11-3.4.4-1.el7.x86_64
~/pkcs11_scripts/pkcs11_test.py -u $HSM_USER -p $HSM_PASSWORD --omit-mechanisms
	Slots found: [1]
	Slot no: 1
	  CK_SLOT_INFO - slotDescription: Cavium Slot
	  CK_SLOT_INFO - manufacturerID: Cavium Networks
	  CK_SLOT_INFO - hardwareVersion: 5.03
	  CK_SLOT_INFO - firmwareVersion: 2.06
	  CK_SLOT_INFO - flags: 5
	        CKF_TOKEN_PRESENT: ENABLED
	        CKF_REMOVABLE_DEVICE: DISABLED
	        CKF_HW_SLOT: ENABLED
	Token information:
	  CK_TOKEN_INFO - label: cavium
	  CK_TOKEN_INFO - manufacturerID: Cavium Networks
	  CK_TOKEN_INFO - model: NITROX-III CNN35
	  CK_TOKEN_INFO - serialNumber: 5.3G1941-ICM0005
	  CK_TOKEN_INFO - ulMaxSessionCount: 4278648832
	  CK_TOKEN_INFO - ulSessionCount: 0
	  CK_TOKEN_INFO - ulMaxRwSessionCount: 0
	  CK_TOKEN_INFO - ulRwSessionCount: 0
	  CK_TOKEN_INFO - ulMinPinLen: 117440512
	  CK_TOKEN_INFO - ulMaxPinLen: 536870912
	  CK_TOKEN_INFO - ulTotalPublicMemory: 2492336128
	  CK_TOKEN_INFO - ulFreePublicMemory: 3301770240
	  CK_TOKEN_INFO - ulTotalPrivateMemory: 0
	  CK_TOKEN_INFO - ulFreePrivateMemory: 0
	  CK_TOKEN_INFO - hardwareVersion: (5, 3)
	  CK_TOKEN_INFO - firmwareVersion: (2, 6)
	  CK_TOKEN_INFO - utcTime:                 
	  CK_TOKEN_INFO - flags: 1036

Token label in CloudHSM SDK 5:

ssh AmazonLinux2ClientInstanceSDK5ForXXXXXXXXXXx22
tmux ls
tmux new-session -s tt_v7XXXXXXX5
tmux display-message -p '#S'
	tt_v754553755
rpm -qa | grep cloudhsm | sort -u
	cloudhsm-client-3.4.4-1.el7.x86_64
	cloudhsm-client-dyn-3.4.4-1.el7.x86_64
	cloudhsm-client-jce-3.4.4-1.el7.x86_64
	cloudhsm-client-pkcs11-3.4.4-1.el7.x86_64
~/pkcs11_scripts/pkcs11_test.py -u $HSM_USER -p $HSM_PASSWORD --omit-mechanisms
	Slots found: [1]
	Slot no: 1
	  CK_SLOT_INFO - slotDescription: Cavium Slot
	  CK_SLOT_INFO - manufacturerID: Cavium Networks
	  CK_SLOT_INFO - hardwareVersion: 5.03
	  CK_SLOT_INFO - firmwareVersion: 2.06
	  CK_SLOT_INFO - flags: 5
	        CKF_TOKEN_PRESENT: ENABLED
	        CKF_REMOVABLE_DEVICE: DISABLED
	        CKF_HW_SLOT: ENABLED
	Token information:
	  CK_TOKEN_INFO - label: cavium
	  CK_TOKEN_INFO - manufacturerID: Cavium Networks
	  CK_TOKEN_INFO - model: NITROX-III CNN35
	  CK_TOKEN_INFO - serialNumber: 5.3G1941-ICM0005
	  CK_TOKEN_INFO - ulMaxSessionCount: 4278648832
	  CK_TOKEN_INFO - ulSessionCount: 0
	  CK_TOKEN_INFO - ulMaxRwSessionCount: 0
	  CK_TOKEN_INFO - ulRwSessionCount: 0
	  CK_TOKEN_INFO - ulMinPinLen: 117440512
	  CK_TOKEN_INFO - ulMaxPinLen: 536870912
	  CK_TOKEN_INFO - ulTotalPublicMemory: 2492336128
	  CK_TOKEN_INFO - ulFreePublicMemory: 3301770240
	  CK_TOKEN_INFO - ulTotalPrivateMemory: 0
	  CK_TOKEN_INFO - ulFreePrivateMemory: 0
	  CK_TOKEN_INFO - hardwareVersion: (5, 3)
	  CK_TOKEN_INFO - firmwareVersion: (2, 6)
	  CK_TOKEN_INFO - utcTime:                 
	  CK_TOKEN_INFO - flags: 1036


  • To generate these, the internal team connected to two of their CloudHSM client instances, one with the PKCS#11 SDK 3 installed and another with the PKCS#11 SDK 5 installed. In both cases, they used the PKCS#11 script.

  • As you can see, for SDK 3 the token label is cavium, and for SDK 5 the token label is cluster-myjXXXXXXXe. In SDK 3 the token label will always be cavium for all customers, but in SDK 5 the token label will be the customer's CloudHSM cluster ID. In the internal team's case, cluster-myjXXXXXXXe is the ID of the cluster they have in the EU region (and this instance is also located in that region).



The internal team also shared the following further pointers for clarification regarding the slot and PKCS#11 session establishment:

  • For both SDK versions, there's only one slot. You can confirm that by looking at the "Slots found:" lines shown in the screenshots. In both cases, the array contains only one element.
  • For SDK 3, the slot number is always 1. For SDK 5, it's a random number (it's 23XXXXXXXXXXXX3953 in the internal team's case).
  • You shouldn't rely on any assumed slot number to interact with CloudHSM via PKCS#11. Instead, you must invoke the PKCS#11 operation C_GetSlotList (which will return an array of one element), and then use the slot number specified in the array when invoking the PKCS#11 operation C_OpenSession. This is the right way to establish a PKCS#11 session with CloudHSM.
  • Also notice that the internal team never uses the token label to establish a PKCS#11 session with CloudHSM. The internal team knows that there are some PKCS#11 systems that have several options to establish a session: using a token label, using a slot number, and using a slot array number (or index). For these systems, the best way is to specify a slot array number because it will be the same for both SDK 3 and 5 (the slot array number is always zero since C_GetSlotList always returns a one-element array).


  • I hope the information shared above is helpful for your query. If you still have any queries or concerns, please feel free to create a support ticket with our Premium Support team and we will be happy to assist you further.
AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
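Putting the session steps from the previous answer together with the slot advice above, as an added example that is not code from this thread or from AWS: the slot comes from C_GetSlotList (index 0), the PIN is built as CU_Username:CU_Password, and the token label is only read, never matched. FakeCryptoki is a constructed stand-in for the Cryptoki library so this runs offline; the slot ids and the cluster-style label below are made-up values.

```python
# Added example, not code from this thread or from AWS: open a CloudHSM PKCS#11 session
# as the answers above describe. FakeCryptoki is a constructed stand-in for the Cryptoki
# library so this runs offline; against a real HSM the same calls go to AWS's library.
CKU_USER = 1                                   # user type for a Crypto User (CU)
CKF_RW_SESSION, CKF_SERIAL_SESSION = 0x2, 0x4

class FakeCryptoki:
    """Constructed model of CloudHSM's Cryptoki: exactly one slot with one token."""
    def __init__(self, slot_id, token_label):
        self._slot, self._label, self._sessions = slot_id, token_label, {}
    def C_GetSlotList(self, token_present=True):
        return [self._slot]                    # CloudHSM always returns one element
    def C_GetTokenInfo(self, slot_id):
        if slot_id != self._slot:
            raise RuntimeError("CKR_SLOT_ID_INVALID")
        return {"label": self._label.ljust(32)}  # CK_TOKEN_INFO.label is space padded
    def C_OpenSession(self, slot_id, flags):
        if slot_id != self._slot or not flags & CKF_SERIAL_SESSION:
            raise RuntimeError("CKR_SLOT_ID_INVALID / CKR_SESSION_PARALLEL_NOT_SUPPORTED")
        handle = len(self._sessions) + 1
        self._sessions[handle] = False         # not logged in yet
        return handle
    def C_Login(self, handle, user_type, pin):
        user, sep, password = pin.partition(":")  # CloudHSM PIN: "CU_Username:CU_Password"
        if user_type != CKU_USER or not (sep and user and password):
            raise RuntimeError("CKR_PIN_INCORRECT")
        self._sessions[handle] = True

def open_cloudhsm_session(p11, cu_user, cu_password):
    """Steps 3-5 of the answer: C_GetSlotList -> slots[0] -> C_OpenSession -> C_Login."""
    slots = p11.C_GetSlotList(True)
    if len(slots) != 1:
        raise RuntimeError(f"expected exactly one CloudHSM slot, got {slots}")
    slot = slots[0]                            # slot array index 0, never an assumed number
    label = p11.C_GetTokenInfo(slot)["label"].rstrip()   # informational only, never matched
    session = p11.C_OpenSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION)
    p11.C_Login(session, CKU_USER, f"{cu_user}:{cu_password}")
    return session, slot, label

def find_slot_by_label(p11, wanted):
    """The label lookup behind the HSMTokenError in the question; returns None on SDK 5."""
    for slot in p11.C_GetSlotList(True):
        if p11.C_GetTokenInfo(slot)["label"].rstrip() == wanted:
            return slot
    return None

# Constructed stand-ins: SDK 3 reports slot 1 and label "cavium"; SDK 5 reports a
# random slot id and the cluster ID as label (both values below are made up).
SDK3 = FakeCryptoki(1, "cavium")
SDK5 = FakeCryptoki(2381234567890123953, "cluster-example12345")
```

Running open_cloudhsm_session against both stand-ins succeeds, while find_slot_by_label(SDK5, "cavium") returns None, which is the situation behind the error in the question.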
