Cloud HSM daemon not starting

0

Hello, AWS newbie here.

I've followed this guide: https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sdk-3.html Done all steps in "Getting started" (excluding optional ones).

Managed to create a CU (Crypto User) via CloudHSM CLI from an EC2 instance.

But I'd like to use the KMU (Key Management Utility). Having found that SDK 3 and 5 are not compatible, I've uninstalled CloudHSM CLI and installed CloudHSM Client.

I've placed the customerCA.crt file in /opt/cloudhsm/etc and configured IP of HSM with sudo /opt/cloudhsm/bin/configure -a <ip address of HSM>

Now when I do sudo systemctl start cloudhsm-client it doesn't start. I check sudo systemctl status cloudhsm-client and it shows exited with code 127.

How do I solve this? Any help is greatly appreciated!

1 Answer
0

Hi,

In most cases when the client daemon does not want to start, it is generally due to a permissions error in the /opt/cloudhsm/etc directory. Therefore, can you check the permissions using the following command:

$ ls -l /opt/cloudhsm/etc/

All of the files in that directory should be at least 644, and the "certs" directory should be 755. The files in the "certs" directory should also be 644. What’s important is that “Others” must have read permissions because the hsmuser is not a part of the root group.

Note: The "client.crt" and "client.key" files can be 755 or 644, as long as "Others" has read permissions.

A working example of the correct permissions looks like this:

drwxr-xr-x. 2 root root   42 Oct 26 15:37 certs
-rwxr-xr-x. 1 root root 1342 Oct  8 16:17 client.crt
-rwxr-xr-x. 1 root root 1704 Oct  8 16:17 client.key
-rw-r--r--. 1 root root 1145 Oct 26 15:45 cloudhsm_client.cfg
-rw-r--r--. 1 root root 1140 Oct  8 16:17 cloudhsm_client.cfg.old
-rw-r--r--. 1 root root 1255 Oct 26 15:46 cloudhsm_mgmt_util.cfg
-rw-r--r--. 1 root root  719 Oct 26 15:45 cloudhsm_mgmt_util.cfg.old
-rw-r--r--. 1 root root  600 Oct  8 16:17 cloudhsm_mgmt_util.cfg.old.1
-rw-r--r--. 1 root root 1265 Oct 26 15:37 customerCA.crt

To change the permissions of the file, you can use chmod. For example, this command changes the permissions on the "cloudhsm_client.cfg" file to 644 (-rw-r--r--).

$ sudo chmod 644 /opt/cloudhsm/etc/cloudhsm_client.cfg

Alternatively, you can also attempt to use the following command to check/change the file system permissions under /opt/cloudhsm:

sudo chmod go+rX -R /opt/cloudhsm

Once this is done, please attempt to start the daemon again.

If you can confirm that the permissions as shown above are indeed correct, we would then require details that are non-public information. Please open a support case with AWS using the following link so that we can perform a deep dive into your issue:

https://console.aws.amazon.com/support/home#/case/create

AWS
SUPPORT ENGINEER
Qasim_D
answered a year ago
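The permission rule in the answer (hsmuser is not in the root group, so "Others" needs read on every file under /opt/cloudhsm/etc and execute on every directory) can be checked mechanically before opening a support case. The script below is an added example, not code from the thread or from AWS: it audits a directory for entries hsmuser could not read or traverse, applies the answer's chmod -R go+rX remedy, and re-audits. The directory is a parameter, and with no argument it runs against a constructed sample tree (a temp directory with a deliberately unreadable client.key) so it can be tried without a CloudHSM installation; the file names are taken from the answer's listing, the sample contents are empty placeholders.

```shell
#!/bin/sh
# Added example (not from the re:Post thread or from AWS). The CloudHSM client
# runs as hsmuser, which is not in the root group, so under the etc directory
# every file must be readable by "others" and every directory must also be
# traversable ("x") by "others". The directory is a parameter so the same check
# runs against /opt/cloudhsm/etc or against a constructed sample tree.

# Print one line per entry hsmuser could not read or traverse.
# Returns the number of offending entries (0 means the layout is correct).
audit_cloudhsm_perms() {
    dir="$1"
    offenders=$( {
        # files lacking read for "others"
        find "$dir" -type f ! -perm -o=r  -exec printf 'NOT WORLD-READABLE:    %s\n' {} \;
        # directories lacking read+execute for "others"
        find "$dir" -type d ! -perm -o=rx -exec printf 'NOT WORLD-TRAVERSABLE: %s\n' {} \;
    } )
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return $(( $(printf '%s\n' "$offenders" | wc -l) ))
}

# The answer's remedy: read for group/others everywhere, execute only on
# directories and on files that are already executable (capital X).
fix_cloudhsm_perms() {
    chmod -R go+rX "$1"
}

# Constructed sample tree mimicking /opt/cloudhsm/etc, with one deliberate
# defect: certs/client.key is 600, so hsmuser cannot read it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/certs"
    : > "$root/cloudhsm_client.cfg"
    : > "$root/customerCA.crt"
    : > "$root/certs/client.crt"
    : > "$root/certs/client.key"
    chmod 755 "$root" "$root/certs"
    chmod 644 "$root/cloudhsm_client.cfg" "$root/customerCA.crt" "$root/certs/client.crt"
    chmod 600 "$root/certs/client.key"
    printf '%s\n' "$root"
}

# Stand-alone use: audit the directory given as argument; with no argument,
# demonstrate on the sample tree (audit, fix, audit again, clean up).
if [ $# -gt 0 ]; then
    audit_cloudhsm_perms "$1"
else
    demo=$(make_sample_tree)
    if ! audit_cloudhsm_perms "$demo"; then
        fix_cloudhsm_perms "$demo"
        audit_cloudhsm_perms "$demo" && echo "after chmod -R go+rX: no offenders"
    fi
    rm -rf "$demo"
fi
```

Run it as root against the real directory with `sh audit.sh /opt/cloudhsm/etc`; a non-zero exit code with the offending paths listed is the case the answer describes, and an empty result means the permission explanation does not apply and the cause is elsewhere (for example the exit code 127 in the question, which is "command not found" rather than "permission denied").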
  • Thank you for the response! Permissions are on point. I tried running it with a different command: sudo /opt/cloudhsm/bin/cloudhsm_client start. Now it shows: /opt/cloudhsm/bin/cloudhsm_client: error while loading shared libraries: libssl.so.10: cannot open shared object file: No such file or directory

    Though I confirmed openssl is installed.

  • I am having the same issue as above, using the exact same commands that worked a few months ago in SDK3. Would love to see this resolved.
