Log in and out of an HSM using AWS CloudHSM Management Utility

Use the loginHSM and logoutHSM commands in the AWS CloudHSM cloudhsm_mgmt_util to log in and out of each HSM in a cluster. Any user of any type can use these commands.

Note

If you exceed five incorrect login attempts, your account is locked out. To unlock the account, a cryptographic officer (CO) must reset your password using the changePswd command in cloudhsm_mgmt_util.

Before you run these cloudhsm_mgmt_util commands, you must start cloudhsm_mgmt_util.

If you add or delete HSMs, update the configuration files that the AWS CloudHSM client and the command line tools use. Otherwise, the changes that you make might not be effective on all HSMs in the cluster.

If you have more than one HSM in your cluster, you may be allowed additional incorrect login attempts before your account is locked out. This is because the CloudHSM client balances load across the HSMs, so consecutive login attempts do not necessarily begin on the same HSM, and each HSM keeps its own count of failed attempts. If you are testing this behavior, we recommend that you do so on a cluster with only one active HSM.

If you created your cluster before February 2018, your account is locked out after 20 incorrect login attempts.

User type

The following users can run these commands.

  • Precrypto officer (PRECO)

  • Crypto officer (CO)

  • Crypto user (CU)

Syntax

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To log in with two-factor authentication (2FA), use the -2fa parameter and include a file path. For more information, see Arguments.

loginHSM <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]
logoutHSM

Examples

These examples show how to use loginHSM and logoutHSM to log in and out of all HSMs in a cluster.

Example : Log in to the HSMs in a cluster

This command logs you in to all HSMs in a cluster with the credentials of a CO user named admin and a password of co12345. The output shows that the command was successful and that you have connected to the HSMs (which, in this case, are server 0 and server 1).

aws-cloudhsm>loginHSM CO admin co12345
loginHSM success on server 0(10.0.2.9)
loginHSM success on server 1(10.0.3.11)

Example : Log in with a hidden password

This command is the same as the example above, except this time you specify that the system should hide the password.

aws-cloudhsm>loginHSM CO admin -hpswd

The system prompts you for your password. You enter the password, the system hides it as you type, and the output shows that the command was successful and that you have connected to the HSMs.

Enter password:
loginHSM success on server 0(10.0.2.9)
loginHSM success on server 1(10.0.3.11)
aws-cloudhsm>

Example : Log out of an HSM

This command logs you out of the HSMs that you are currently logged in to (which, in this case, are server 0 and server 1). The output shows that the command was successful and that you have disconnected from the HSMs.

aws-cloudhsm>logoutHSM
logoutHSM success on server 0(10.0.2.9)
logoutHSM success on server 1(10.0.3.11)
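The examples above show one "loginHSM success" line per HSM, and the note earlier on this page warns that a cluster whose configuration files were not updated after adding an HSM may not apply commands to every HSM. The following shell functions, an added example that is not part of the AWS documentation or of cloudhsm_mgmt_util, parse captured loginHSM output in the format shown above and confirm that the number of HSMs reporting success matches the number the caller expects. The sample output is constructed to match the two-HSM cluster in the examples.

```shell
#!/bin/sh
# Added example (not AWS code): verify that loginHSM reported success on
# every HSM in the cluster, using the output format shown on this page.

# hsm_login_count OUTPUT
# Prints the number of "loginHSM success on server N(ip)" lines in OUTPUT.
hsm_login_count() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the printed 0.
    printf '%s\n' "$1" | grep -c '^loginHSM success on server [0-9][0-9]*(' || true
}

# hsm_login_servers OUTPUT
# Prints "server N ip" for each HSM that reported a successful login.
hsm_login_servers() {
    printf '%s\n' "$1" \
      | sed -n 's/^loginHSM success on server \([0-9][0-9]*\)(\([^)]*\)).*/server \1 \2/p'
}

# check_hsm_login OUTPUT EXPECTED
# Returns 0 only if exactly EXPECTED HSMs reported success; otherwise prints
# a diagnostic to stderr and returns 1, so a wrapper script can stop before
# it runs key-management commands against a partially logged-in cluster.
check_hsm_login() {
    got=$(hsm_login_count "$1")
    if [ "$got" -ne "$2" ]; then
        echo "expected $2 HSMs to report loginHSM success, got $got:" >&2
        hsm_login_servers "$1" >&2
        return 1
    fi
    return 0
}

# Constructed samples: an assumed two-HSM cluster, matching the page's examples.
# FULL_LOGIN is what a healthy login looks like; PARTIAL_LOGIN is what you
# would see if the client reached only one of the two HSMs.
FULL_LOGIN='loginHSM success on server 0(10.0.2.9)
loginHSM success on server 1(10.0.3.11)'
PARTIAL_LOGIN='loginHSM success on server 0(10.0.2.9)'

check_hsm_login "$FULL_LOGIN" 2 && echo "logged in to all HSMs"
```

The expected HSM count is supplied by the caller because the page does not show cloudhsm_mgmt_util reporting the cluster size itself.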

Arguments

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To log in with two-factor authentication (2FA), use the -2fa parameter and include a file path. For more information about working with 2FA, see Manage user 2FA.

loginHSM <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]
<user-type>

Specifies the type of user who is logging in to the HSMs. For more information, see User type above.

Required: Yes

<user-name>

Specifies the user name of the user who is logging in to the HSMs.

Required: Yes

<password | -hpswd>

Specifies the password of the user who is logging in to the HSMs. To hide your password, use the -hpswd parameter in place of the password and follow the prompt.

Required: Yes

[-2fa </path/to/authdata>]

Specifies that the system should use a second factor to authenticate this 2FA-enabled CO user. To supply the data needed for logging in with 2FA, follow the -2fa parameter with the path to the file that contains it. For more information about working with 2FA, see Manage user 2FA.

Required: No
