Questions tagged with AWS CloudHSM

Cloudhsm mgmt util - partition owner certificate error

I am testing out the CloudHSM and setting it up on an EC2 Win2019 server. I get the following error when I run the cloudhsm mgmt util to connect the server to the Cloud HSM:

```
PS C:\Program Files\Amazon\CloudHSM> .\cloudhsm_mgmt_util.exe C:\ProgramData\Amazon\CloudHSM\data\cloudhsm_mgmt_util.cfg
Ignoring E2E enable flag in the configuration file
Connecting to the server(s), it may take time depending on the server(s) load, please wait...
Connecting to server '172.xx.xx.xx': hostname '172.xx.xx.xx', port 2225...
Connected to server '172.xx.xx.xx': hostname '172.xx.xx.xx', port 2225.
C:\ProgramData\Amazon\CloudHSM\customerCA.crt, partition owner certificate not exist at given path
Server 0(172.xx.xx.xx) is in unencrypted mode now... running in limited commands mode
Error: partition owner certificate doesn't exist at given path.
Failed to create client ssl ctx
E2E Session failed: E2E setup failed
Enabling E2E failed
aws-cloudhsm>quit
disconnecting from servers, please wait...
PS C:\Program Files\Amazon\CloudHSM> ls

    Directory: C:\Program Files\Amazon\CloudHSM

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/2/2022   2:17 PM                tools
-a----       12/30/2021   8:47 PM          18019 client_info
-a----       12/30/2021   9:18 PM        5475875 client_info.exe
-a----       12/30/2021   9:16 PM        2680320 cloudhsm_client.exe
-a----       12/30/2021   8:47 PM          24373 CLOUDHSM_LICENSE
-a----       12/30/2021   9:16 PM        2541056 cloudhsm_mgmt_util.exe
-a----       12/30/2021   9:16 PM          10240 cng_config.exe
-a----       12/30/2021   9:17 PM        5489038 configure.exe
-a----         6/2/2022   2:18 PM           1416 CustomerCA.crt
-a----       12/30/2021   9:17 PM         188416 import_key.exe
-a----       12/30/2021   9:17 PM        1641472 key_mgmt_util.exe
-a----       12/30/2021   9:16 PM          10240 ksp_config.exe
-a----       12/30/2021   9:17 PM        1417216 pkpspeed_blocking.exe
PS C:\Program Files\Amazon\CloudHSM>
```

I have copied, as per the manual, the self-signed root CA I created to sign the HSM cluster when initializing. Not sure what this partition certificate error is.
1 answer · 0 votes · 86 views · asked 4 months ago

Application side data protection with FIPS 140-2 Level 3 : what to use out of Encryption SDK, KMS or Cloud HSM?

Hello there, I have a requirement in my application to encrypt and decrypt data using a symmetric key algorithm (mostly AES/CBC/PKCS5Padding). Constraints and requirements are:

1. I need to use a FIPS 140-2 Level 3 compliant key storage solution.
2. This is existing encrypted data and hence I should be able to import my existing keys (plain keys) into whatever solution I use.
3. Even in the future, keys should be open for EXPORT so that data encrypted with this new solution WILL NOT require another re-encryption with new keys.

Keeping the above points in mind, I came across the solutions below so far and need guidance and help if someone finds that one is not a good solution or that it will break any of the requirements I listed.

1. I can use AWS Encryption SDK with AWS KMS using a custom key store, where the custom key store would be my own Cloud HSM.
2. I can directly use Cloud HSM by leveraging the standard Cloud HSM integration using the Cloud HSM JCE provider and client SDK.
3. I can use AWS KMS with the KMS API with a custom key store, where the custom key store would be my own Cloud HSM.

I know #2 will work without breaking any of my requirements and compliance list, but I want to see if I can use Encryption SDK and/or KMS for my use case, as I can get the help of the SDK to choose best industry practices for writing cryptography code instead of writing the whole code myself (in the case of Cloud HSM integration). But the points below stop me:

1. Custom key stores cannot work with imported keys, so it will break my requirement #2.
2. I can use AWS Encryption SDK with KMS, but as import does not work for custom key stores, it's not usable any more. Can I use AWS Encryption SDK somehow to help me with data encryption directly with Cloud HSM?
3. Data envelope protection (by AWS Encryption SDK) is really more secure for symmetric key encryption. If I use that today and later want to move to Cloud HSM, will it break the decryption flow?
Any suggestion/experience learning/insights or architectural direction is greatly appreciated.
1 answer · 0 votes · 139 views · asked 7 months ago

CloudHSM Cavium integration fails with exception during two-way SSL handshake (client-side) in a Java based Lambda

Hi, I am trying to use Cavium in a Java application for a two-way SSL handshake. My application is the client application. However, when the application runs, the client handshake fails with the following exception:

```
2022-02-21T18:30:39.152Z java.lang.RuntimeException: com.cavium.cfm2.CFM2Exception: A call to the API getRSAPrivateKeyComponents for size failed with error code ffffffff : Error: new error from underlying FW/SW, might need to upgrade to new SW to decode
2022-02-21T18:30:39.152Z at com.cavium.key.CaviumRSAPrivateKey.populateKeyComponents(CaviumRSAPrivateKey.java:154)
2022-02-21T18:30:39.152Z at com.cavium.key.CaviumRSAPrivateKey.getPrimeP(CaviumRSAPrivateKey.java:82)
2022-02-21T18:30:39.152Z at sun.security.rsa.RSACore.crtCrypt(RSACore.java:168)
2022-02-21T18:30:39.152Z at sun.security.rsa.RSACore.rsa(RSACore.java:122)
2022-02-21T18:30:39.152Z at sun.security.rsa.RSAPSSSignature.engineSign(RSAPSSSignature.java:371)
2022-02-21T18:30:39.152Z at java.security.Signature$Delegate.engineSign(Signature.java:1382)
2022-02-21T18:30:39.152Z at java.security.Signature.sign(Signature.java:698)
2022-02-21T18:30:39.152Z at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:608)
2022-02-21T18:30:39.152Z at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:760)
2022-02-21T18:30:39.152Z at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
2022-02-21T18:30:39.152Z at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
2022-02-21T18:30:39.152Z at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
2022-02-21T18:30:39.152Z at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
2022-02-21T18:30:39.152Z at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
2022-02-21T18:30:39.152Z at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
```

The application adds CaviumProvider at start-up:

```java
Security.addProvider(new com.cavium.provider.CaviumProvider());
```

My client application also attempts to sign a message using "NONEwithRSA" at the start of the application and successfully verifies the signature using the same key alias. I have also verified that the user my application is using to authenticate towards CloudHSM is of type CU (Crypto User). The CloudHSM jar file is cloudhsm-3.1.0.jar. Please help.
0 answers · 0 votes · 37 views · asked 7 months ago