Client SDK 5 configure tool - AWS CloudHSM

Client SDK 5 configure tool

Use the Client SDK 5 configure tool to update client-side configuration files.

Each component in Client SDK 5 includes a configure tool with a designator of the component in the file name of the configure tool. For example, the PKCS #11 library for Client SDK 5 includes a configure tool named configure-pkcs11 on Linux or configure-pkcs11.exe on Windows.

Syntax

PKCS #11

    configure-pkcs11[ .exe ]
        -a <ENI IP address>
        [--hsm-ca-cert <customerCA certificate file path>]
        [--cluster-id <cluster ID>]
        [--endpoint <endpoint>]
        [--region <region>]
        [--server-client-cert-file <client certificate file path>]
        [--server-client-key-file <client key file path>]
        [--client-cert-hsm-tls-file <client certificate hsm tls path>]
        [--client-key-hsm-tls-file <client key hsm tls path>]
        [--log-level <error | warn | info | debug | trace>]
            Default is <info>
        [--log-rotation <daily | weekly>]
            Default is <daily>
        [--log-file <file name with path>]
            Default is </opt/cloudhsm/run/cloudhsm-pkcs11.log>
            Default for Windows is <C:\Program Files\Amazon\CloudHSM\cloudhsm-pkcs11.log>
        [--log-type <file | term>]
            Default is <file>
        [-h | --help]
        [-V | --version]
        [--disable-key-availability-check]
        [--enable-key-availability-check]
        [--disable-validate-key-at-init]
        [--enable-validate-key-at-init]
            This is the default for PKCS #11

OpenSSL

    configure-dyn[ .exe ]
        -a <ENI IP address>
        [--hsm-ca-cert <customerCA certificate file path>]
        [--cluster-id <cluster ID>]
        [--endpoint <endpoint>]
        [--region <region>]
        [--server-client-cert-file <client certificate file path>]
        [--server-client-key-file <client key file path>]
        [--client-cert-hsm-tls-file <client certificate hsm tls path>]
        [--client-key-hsm-tls-file <client key hsm tls path>]
        [--log-level <error | warn | info | debug | trace>]
            Default is <error>
        [--log-type <file | term>]
            Default is <term>
        [-h | --help]
        [-V | --version]
        [--disable-key-availability-check]
        [--enable-key-availability-check]
        [--disable-validate-key-at-init]
            This is the default for OpenSSL
        [--enable-validate-key-at-init]

JCE

    configure-jce[ .exe ]
        -a <ENI IP address>
        [--hsm-ca-cert <customerCA certificate file path>]
        [--cluster-id <cluster ID>]
        [--endpoint <endpoint>]
        [--region <region>]
        [--server-client-cert-file <client certificate file path>]
        [--server-client-key-file <client key file path>]
        [--client-cert-hsm-tls-file <client certificate hsm tls path>]
        [--client-key-hsm-tls-file <client key hsm tls path>]
        [--log-level <error | warn | info | debug | trace>]
            Default is <info>
        [--log-rotation <daily | weekly>]
            Default is <daily>
        [--log-file <file name with path>]
            Default is </opt/cloudhsm/run/cloudhsm-jce.log>
            Default for Windows is <C:\Program Files\Amazon\CloudHSM\cloudhsm-jce.log>
        [--log-type <file | term>]
            Default is <file>
        [-h | --help]
        [-V | --version]
        [--disable-key-availability-check]
        [--enable-key-availability-check]
        [--disable-validate-key-at-init]
            This is the default for JCE
        [--enable-validate-key-at-init]

CloudHSM CLI

    configure-cli[ .exe ]
        -a <ENI IP address>
        [--hsm-ca-cert <customerCA certificate file path>]
        [--cluster-id <cluster ID>]
        [--endpoint <endpoint>]
        [--region <region>]
        [--server-client-cert-file <client certificate file path>]
        [--server-client-key-file <client key file path>]
        [--client-cert-hsm-tls-file <client certificate hsm tls path>]
        [--client-key-hsm-tls-file <client key hsm tls path>]
        [--log-level <error | warn | info | debug | trace>]
            Default is <info>
        [--log-rotation <daily | weekly>]
            Default is <daily>
        [--log-file <file name with path>]
            Default for Linux is </opt/cloudhsm/run/cloudhsm-cli.log>
            Default for Windows is <C:\Program Files\Amazon\CloudHSM\cloudhsm-cli.log>
        [--log-type <file | term>]
            Default setting is <file>
        [-h | --help]
        [-V | --version]
        [--disable-key-availability-check]
        [--enable-key-availability-check]
        [--disable-validate-key-at-init]
            This is the default for CloudHSM CLI
        [--enable-validate-key-at-init]

Advanced configurations

For a list of advanced configurations specific to the Client SDK 5 configure tool, refer to Advanced configurations for the Client SDK 5 configure tool.

Important

After making any changes to your configuration, you need to restart your application for the changes to take effect.

Examples

These examples show how to use the configure tool for Client SDK 5.

This example uses the -a parameter to update the HSM data for Client SDK 5. To use the -a parameter, you must have the IP address for one of the HSMs in your cluster.

PKCS #11 library
To bootstrap a Linux EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 -a <HSM IP addresses>
To bootstrap a Windows EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of an HSM in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" -a <HSM IP addresses>
OpenSSL Dynamic Engine
To bootstrap a Linux EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-dyn -a <HSM IP addresses>
JCE provider
To bootstrap a Linux EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-jce -a <HSM IP addresses>
To bootstrap a Windows EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of an HSM in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" -a <HSM IP addresses>
CloudHSM CLI
To bootstrap a Linux EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of the HSM(s) in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-cli -a <The ENI IP addresses of the HSMs>
To bootstrap a Windows EC2 instance for Client SDK 5
  • Use the configure tool to specify the IP address of the HSM(s) in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" -a <The ENI IP addresses of the HSMs>
Note

You can use the --cluster-id parameter in place of -a <HSM_IP_ADDRESSES>. To see the requirements for using --cluster-id, see Client SDK 5 configure tool.

For more information about the -a parameter, see Parameters.

This example uses the cluster-id parameter to bootstrap Client SDK 5 by making a DescribeClusters call.

PKCS #11 library
To bootstrap a Linux EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id cluster-1234567
To bootstrap a Windows EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --cluster-id cluster-1234567
OpenSSL Dynamic Engine
To bootstrap a Linux EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-dyn --cluster-id cluster-1234567
JCE provider
To bootstrap a Linux EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-jce --cluster-id cluster-1234567
To bootstrap a Windows EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --cluster-id cluster-1234567
CloudHSM CLI
To bootstrap a Linux EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    $ sudo /opt/cloudhsm/bin/configure-cli --cluster-id cluster-1234567
To bootstrap a Windows EC2 instance for Client SDK 5 with cluster-id
  • Use the cluster ID cluster-1234567 to specify the IP address of an HSM in your cluster.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --cluster-id cluster-1234567

You can use the --region and --endpoint parameters in combination with the cluster-id parameter to specify how the system makes the DescribeClusters call. For instance, if the region of the cluster is different than the one configured as your AWS CLI default, you should use the --region parameter to use that region. Additionally, you have the ability to specify the AWS CloudHSM API endpoint to use for the call, which might be necessary for various network setups, such as using VPC interface endpoints that don’t use the default DNS hostname for AWS CloudHSM.

PKCS #11 library
To bootstrap a Linux EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
To bootstrap a Windows EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
OpenSSL Dynamic Engine
To bootstrap a Linux EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    $ sudo /opt/cloudhsm/bin/configure-dyn --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
JCE provider
To bootstrap a Linux EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    $ sudo /opt/cloudhsm/bin/configure-jce --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
To bootstrap a Windows EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
CloudHSM CLI
To bootstrap a Linux EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    $ sudo /opt/cloudhsm/bin/configure-cli --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com
To bootstrap a Windows EC2 instance with a custom endpoint and region
  • Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --cluster-id cluster-1234567 --region us-east-1 --endpoint https://cloudhsmv2.us-east-1.amazonaws.com

For more information about the --cluster-id, --region, and --endpoint parameters, see Parameters.

This example shows how to use the --server-client-cert-file and --server-client-key-file parameters to reconfigure SSL by specifying a custom key and SSL certificate for AWS CloudHSM.

PKCS #11 library
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.crt /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.crt and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 \
        --server-client-cert-file /opt/cloudhsm/etc/ssl-client.crt \
        --server-client-key-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.crt C:\ProgramData\Amazon\CloudHSM\ssl-client.crt
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.crt and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" `
        --server-client-cert-file C:\ProgramData\Amazon\CloudHSM\ssl-client.crt `
        --server-client-key-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key
OpenSSL Dynamic Engine
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.crt /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.crt and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-dyn \
        --server-client-cert-file /opt/cloudhsm/etc/ssl-client.crt \
        --server-client-key-file /opt/cloudhsm/etc/ssl-client.key
JCE provider
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.crt /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.crt and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-jce \
        --server-client-cert-file /opt/cloudhsm/etc/ssl-client.crt \
        --server-client-key-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.crt C:\ProgramData\Amazon\CloudHSM\ssl-client.crt
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.crt and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" `
        --server-client-cert-file C:\ProgramData\Amazon\CloudHSM\ssl-client.crt `
        --server-client-key-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key
CloudHSM CLI
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.crt /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.crt and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-cli \
        --server-client-cert-file /opt/cloudhsm/etc/ssl-client.crt \
        --server-client-key-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-server mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.crt C:\ProgramData\Amazon\CloudHSM\ssl-client.crt
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.crt and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" `
        --server-client-cert-file C:\ProgramData\Amazon\CloudHSM\ssl-client.crt `
        --server-client-key-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key

For more information about the --server-client-cert-file and --server-client-key-file parameters, see Parameters.

This example shows how to use the --client-cert-hsm-tls-file and --client-key-hsm-tls-file parameters to reconfigure SSL by specifying a custom key and SSL certificate for TLS client-HSM mutual authentication with AWS CloudHSM.

PKCS #11 library
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.pem /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.pem and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 \
        --client-cert-hsm-tls-file /opt/cloudhsm/etc/ssl-client.pem \
        --client-key-hsm-tls-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.pem C:\ProgramData\Amazon\CloudHSM\ssl-client.pem
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.pem and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" `
        --client-cert-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.pem `
        --client-key-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key
OpenSSL Dynamic Engine
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.pem /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.pem and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-dyn \
        --client-cert-hsm-tls-file /opt/cloudhsm/etc/ssl-client.pem \
        --client-key-hsm-tls-file /opt/cloudhsm/etc/ssl-client.key
JCE provider
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.pem /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.pem and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-jce \
        --client-cert-hsm-tls-file /opt/cloudhsm/etc/ssl-client.pem \
        --client-key-hsm-tls-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.pem C:\ProgramData\Amazon\CloudHSM\ssl-client.pem
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.pem and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" `
        --client-cert-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.pem `
        --client-key-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key
CloudHSM CLI
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux
  1. Copy your key and certificate to the appropriate directory.

    $ sudo cp ssl-client.pem /opt/cloudhsm/etc
    $ sudo cp ssl-client.key /opt/cloudhsm/etc
  2. Use the configure tool to specify ssl-client.pem and ssl-client.key.

    $ sudo /opt/cloudhsm/bin/configure-cli \
        --client-cert-hsm-tls-file /opt/cloudhsm/etc/ssl-client.pem \
        --client-key-hsm-tls-file /opt/cloudhsm/etc/ssl-client.key
To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows
  1. Copy your key and certificate to the appropriate directory.

    cp ssl-client.pem C:\ProgramData\Amazon\CloudHSM\ssl-client.pem
    cp ssl-client.key C:\ProgramData\Amazon\CloudHSM\ssl-client.key
  2. With a PowerShell interpreter, use the configure tool to specify ssl-client.pem and ssl-client.key.

    & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" `
        --client-cert-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.pem `
        --client-key-hsm-tls-file C:\ProgramData\Amazon\CloudHSM\ssl-client.key

For more information about the --client-cert-hsm-tls-file and --client-key-hsm-tls-file parameters, see Parameters.

This example uses the --disable-key-availability-check parameter to disable client key durability settings. To run a cluster with a single HSM, you must disable client key durability settings.

PKCS #11 library
To disable client key durability for Client SDK 5 on Linux
  • Use the configure tool to disable client key durability settings.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check
To disable client key durability for Client SDK 5 on Windows
  • Use the configure tool to disable client key durability settings.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --disable-key-availability-check
OpenSSL Dynamic Engine
To disable client key durability for Client SDK 5 on Linux
  • Use the configure tool to disable client key durability settings.

    $ sudo /opt/cloudhsm/bin/configure-dyn --disable-key-availability-check
JCE provider
To disable client key durability for Client SDK 5 on Linux
  • Use the configure tool to disable client key durability settings.

    $ sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check
To disable client key durability for Client SDK 5 on Windows
  • Use the configure tool to disable client key durability settings.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --disable-key-availability-check
CloudHSM CLI
To disable client key durability for Client SDK 5 on Linux
  • Use the configure tool to disable client key durability settings.

    $ sudo /opt/cloudhsm/bin/configure-cli --disable-key-availability-check
To disable client key durability for Client SDK 5 on Windows
  • Use the configure tool to disable client key durability settings.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --disable-key-availability-check

For more information about the --disable-key-availability-check parameter, see Parameters.
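As an added example (not part of the AWS documentation or the Client SDK 5 tools), the following Python models the two steps the page describes for --cluster-id bootstrapping and the single-HSM caveat above: it parses a constructed DescribeClusters response in the API's shape (Clusters[].Hsms[].EniIp and State; cluster IDs, HSM IDs and addresses are placeholders), keeps the ENI IPs of ACTIVE HSMs, and builds the equivalent Linux configure-<tool> -a command, appending --disable-key-availability-check when the cluster has only one HSM. The ACTIVE-state filter and the choice of the lowest address are this example's own assumptions.

```python
"""Added example, not AWS code: what --cluster-id does under the hood, modelled
offline on a constructed DescribeClusters response, plus the single-HSM check."""
import ipaddress
import json
import shlex
from typing import List, Tuple

# Constructed sample in the shape of a CloudHSM DescribeClusters response.
# Cluster IDs, HSM IDs and addresses are placeholders, not real resources.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterId": "cluster-1234567",
            "State": "ACTIVE",
            "Hsms": [
                {"HsmId": "hsm-aaaaaaa", "State": "ACTIVE", "EniIp": "10.0.2.17"},
                {"HsmId": "hsm-bbbbbbb", "State": "ACTIVE", "EniIp": "10.0.1.9"},
                # Still being created: has an ENI IP but cannot serve clients yet.
                {"HsmId": "hsm-ccccccc", "State": "CREATE_IN_PROGRESS", "EniIp": "10.0.3.5"},
            ],
        },
        {
            "ClusterId": "cluster-7654321",
            "State": "ACTIVE",
            "Hsms": [{"HsmId": "hsm-ddddddd", "State": "ACTIVE", "EniIp": "10.1.0.4"}],
        },
    ]
})


def hsm_eni_ips(describe_clusters_json: str, cluster_id: str) -> List[str]:
    """Return the ENI IPs of the ACTIVE HSMs in `cluster_id`, sorted numerically.

    This is the collection step the configure tool performs after its
    DescribeClusters call. Raises ValueError if the cluster is absent or an
    address is malformed, so a typo in the cluster ID fails loudly instead of
    silently configuring nothing.
    """
    data = json.loads(describe_clusters_json)
    for cluster in data.get("Clusters", []):
        if cluster.get("ClusterId") != cluster_id:
            continue
        ips = []
        for hsm in cluster.get("Hsms", []):
            ip = hsm.get("EniIp")
            if hsm.get("State") != "ACTIVE" or not ip:
                continue
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            ips.append(ip)
        return sorted(ips, key=ipaddress.ip_address)
    raise ValueError(f"cluster {cluster_id!r} not found in DescribeClusters response")


def configure_command(tool: str, ips: List[str]) -> Tuple[str, bool]:
    """Build the equivalent Linux `configure-<tool> -a <ENI IP>` command line.

    The Parameters section says any one ENI IP of an HSM in the cluster is
    enough to bootstrap, so the first (lowest) address is used. Returns
    (command, single_hsm): with exactly one ACTIVE HSM the default key
    availability check would refuse to use keys, so the command also carries
    --disable-key-availability-check and the flag lets the caller surface it.
    """
    if tool not in ("pkcs11", "dyn", "jce", "cli"):
        raise ValueError(f"unknown Client SDK 5 component: {tool!r}")
    if not ips:
        raise ValueError("no ACTIVE HSMs: nothing to configure")
    argv = [f"/opt/cloudhsm/bin/configure-{tool}", "-a", ips[0]]
    single_hsm = len(ips) == 1
    if single_hsm:
        argv.append("--disable-key-availability-check")
    return shlex.join(argv), single_hsm


if __name__ == "__main__":
    for cid in ("cluster-1234567", "cluster-7654321"):
        cmd, single = configure_command("cli", hsm_eni_ips(SAMPLE_DESCRIBE_CLUSTERS, cid))
        note = "  # single HSM: durability check disabled" if single else ""
        print(f"{cid}: {cmd}{note}")
```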

Client SDK 5 uses the log-file, log-level, log-rotation, and log-type parameters to manage logging.

Note

To configure your SDK for serverless environments such as AWS Fargate or AWS Lambda, we recommend you configure your AWS CloudHSM log type to term. The client logs will be output to stderr and captured in the CloudWatch Logs log group configured for that environment.

PKCS #11 library
Default logging location
  • If you do not specify a location for the file, the system writes logs to the following default location:

    Linux

    /opt/cloudhsm/run/cloudhsm-pkcs11.log

    Windows

    C:\Program Files\Amazon\CloudHSM\cloudhsm-pkcs11.log
To configure the logging level and leave other logging options set to default
  • $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level info
To configure file logging options
  • $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-type file --log-file <file name with path> --log-rotation daily --log-level info
To configure terminal logging options
  • $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-type term --log-level info
OpenSSL Dynamic Engine
Default logging location
  • If you do not specify a location for the file, the system writes logs to the following default location:

    Linux

    stderr
To configure the logging level and leave other logging options set to default
  • $ sudo /opt/cloudhsm/bin/configure-dyn --log-level info
To configure file logging options
  • $ sudo /opt/cloudhsm/bin/configure-dyn --log-type file --log-file <file name with path> --log-rotation daily --log-level info
To configure terminal logging options
  • $ sudo /opt/cloudhsm/bin/configure-dyn --log-type term --log-level info
JCE provider
Default logging location
  • If you do not specify a location for the file, the system writes logs to the following default location:

    Linux

    /opt/cloudhsm/run/cloudhsm-jce.log

    Windows

    C:\Program Files\Amazon\CloudHSM\cloudhsm-jce.log
To configure the logging level and leave other logging options set to default
  • $ sudo /opt/cloudhsm/bin/configure-jce --log-level info
To configure file logging options
  • $ sudo /opt/cloudhsm/bin/configure-jce --log-type file --log-file <file name> --log-rotation daily --log-level info
To configure terminal logging options
  • $ sudo /opt/cloudhsm/bin/configure-jce --log-type term --log-level info
CloudHSM CLI
Default logging location
  • If you do not specify a location for the file, the system writes logs to the following default location:

    Linux

    /opt/cloudhsm/run/cloudhsm-cli.log

    Windows

    C:\Program Files\Amazon\CloudHSM\cloudhsm-cli.log
To configure the logging level and leave other logging options set to default
  • $ sudo /opt/cloudhsm/bin/configure-cli --log-level info
To configure file logging options
  • $ sudo /opt/cloudhsm/bin/configure-cli --log-type file --log-file <file name> --log-rotation daily --log-level info
To configure terminal logging options
  • $ sudo /opt/cloudhsm/bin/configure-cli --log-type term --log-level info

For more information about the log-file, log-level, log-rotation, and log-type parameters, see Parameters.

This example uses the --hsm-ca-cert parameter to update the location of the issuing certificate for Client SDK 5.

PKCS #11 library
To place the issuing certificate on Linux for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    $ sudo /opt/cloudhsm/bin/configure-pkcs11 --hsm-ca-cert <customerCA certificate file>
To place the issuing certificate on Windows for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --hsm-ca-cert <customerCA certificate file>
OpenSSL Dynamic Engine
To place the issuing certificate on Linux for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    $ sudo /opt/cloudhsm/bin/configure-dyn --hsm-ca-cert <customerCA certificate file>
JCE provider
To place the issuing certificate on Linux for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    $ sudo /opt/cloudhsm/bin/configure-jce --hsm-ca-cert <customerCA certificate file>
To place the issuing certificate on Windows for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --hsm-ca-cert <customerCA certificate file>
CloudHSM CLI
To place the issuing certificate on Linux for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    $ sudo /opt/cloudhsm/bin/configure-cli --hsm-ca-cert <customerCA certificate file>
To place the issuing certificate on Windows for Client SDK 5
  • Use the configure tool to specify a location for the issuing certificate.

    "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --hsm-ca-cert <customerCA certificate file>

For more information about the --hsm-ca-cert parameter, see Parameters.

Parameters

-a <ENI IP address>

Adds the specified IP address to Client SDK 5 configuration files. Enter any ENI IP address of an HSM from the cluster. For more information about how to use this option, see Bootstrap Client SDK 5.

Required: Yes

--hsm-ca-cert <customerCA certificate file path>

Path to the certificate authority (CA) certificate file used to connect EC2 client instances to the cluster. You create this file when you initialize the cluster. By default, the system looks for this file in the following location:

Linux

/opt/cloudhsm/etc/customerCA.crt

Windows

C:\ProgramData\Amazon\CloudHSM\customerCA.crt

For more information about initializing the cluster or placing the certificate, see Place the issuing certificate on each EC2 instance and Initialize the cluster.

Required: No

--cluster-id <cluster ID>

Makes a DescribeClusters call to find all of the HSM elastic network interface (ENI) IP addresses in the cluster associated with the cluster ID. The system adds the ENI IP addresses to the AWS CloudHSM configuration files.

Note

If you use the --cluster-id parameter from an EC2 instance within a VPC that does not have access to the public internet, then you must create an interface VPC endpoint to connect with AWS CloudHSM. For more information about VPC endpoints, see AWS CloudHSM and VPC endpoints.

Required: No

--endpoint <endpoint>

Specify the AWS CloudHSM API endpoint used for making the DescribeClusters call. You must set this option in combination with --cluster-id.

Required: No

--region <region>

Specify the region of your cluster. You must set this option in combination with --cluster-id.

If you don’t supply the --region parameter, the system chooses the region by attempting to read the AWS_DEFAULT_REGION or AWS_REGION environment variables. If those variables aren’t set, then the system checks the region associated with your profile in your AWS config file (typically ~/.aws/config) unless you specified a different file in the AWS_CONFIG_FILE environment variable. If none of the above are set, the system defaults to the us-east-1 region.

Required: No
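The region fallback order described above, as an added example (not AWS code) so you can predict which region a DescribeClusters bootstrap will target on a given host: --region first, then AWS_DEFAULT_REGION, then AWS_REGION, then the profile's region in the AWS config file (AWS_CONFIG_FILE, else ~/.aws/config), and finally us-east-1. Reading the profile name from AWS_PROFILE (default "default") and the "[profile name]" section layout are this example's assumptions; the page does not say how the profile is selected.

```python
"""Added example, not AWS code: the region fallback order the page gives for the
configure tool, implemented over an environment mapping and the AWS config text."""
import configparser
import os
from typing import Mapping, Optional

FALLBACK_REGION = "us-east-1"

# Constructed sample AWS config file with a default and a named profile.
SAMPLE_AWS_CONFIG = """
[default]
region = eu-west-1
output = json

[profile hsm]
region = us-west-2
"""


def resolve_region(env: Mapping[str, str], config_text: Optional[str],
                   explicit: Optional[str] = None) -> str:
    """Return the region the configure tool would use.

    `env` is the process environment (or a mapping standing in for it),
    `config_text` the contents of the AWS config file, or None if that file does
    not exist, and `explicit` the value passed with --region, if any.
    """
    if explicit:
        return explicit  # --region always wins
    # Environment variables, in the order the page lists them.
    for var in ("AWS_DEFAULT_REGION", "AWS_REGION"):
        if env.get(var):
            return env[var]
    if config_text is not None:
        # Assumption of this example: profile chosen via AWS_PROFILE, else "default".
        profile = env.get("AWS_PROFILE") or "default"
        # Named profiles live in "[profile <name>]" sections; default in "[default]".
        section = "default" if profile == "default" else f"profile {profile}"
        cp = configparser.ConfigParser()
        cp.read_string(config_text)
        if cp.has_option(section, "region") and cp.get(section, "region").strip():
            return cp.get(section, "region").strip()
    return FALLBACK_REGION


def config_file_text(env: Mapping[str, str]) -> Optional[str]:
    """Read the config file the tool would consult: AWS_CONFIG_FILE, else ~/.aws/config."""
    path = env.get("AWS_CONFIG_FILE") or os.path.expanduser("~/.aws/config")
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Live check on this host: what region would `configure-cli --cluster-id ...` use?
    print(resolve_region(os.environ, config_file_text(os.environ)))
```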

--server-client-cert-file <client certificate file path>

Path to the client certificate used for TLS client-server mutual authentication.

Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-key-file.

Required: No

--server-client-key-file <client key file path>

Path to the client key used for TLS client-server mutual authentication.

Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-cert-file.

Required: No

--client-cert-hsm-tls-file <client certificate hsm tls path>

Path to the client certificate used for TLS client-HSM mutual authentication.

Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with --client-key-hsm-tls-file.

Required: No

--client-key-hsm-tls-file <client key hsm tls path>

Path to the client key used for TLS client-HSM mutual authentication.

Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with --client-cert-hsm-tls-file.

Required: No

--log-level <error | warn | info | debug | trace>

Specifies the minimum logging level the system should write to the log file. Each level includes the previous levels, with error as the minimum level and trace the maximum level. This means that if you specify error, the system only writes errors to the log. If you specify trace, the system writes errors, warnings, informational (info), debug, and trace messages to the log. For more information, see Client SDK 5 Logging.

Required: No

--log-rotation <daily | weekly>

Specifies the frequency with which the system rotates logs. For more information, see Client SDK 5 Logging.

Required: No

--log-file <file name with path>

Specifies where the system will write the log file. For more information, see Client SDK 5 Logging.

Required: No

--log-type <term | file>

Specifies whether the system will write the log to a file or terminal. For more information, see Client SDK 5 Logging.

Required: No

-h | --help

Displays help.

Required: No

-v | --version

Displays version.

Required: No

--disable-key-availability-check

Flag to disable key availability quorum. Use this flag to indicate that AWS CloudHSM should disable key availability quorum so that you can use keys that exist on only one HSM in the cluster. For more information about using this flag to set key availability quorum, see Managing client key durability settings.

Required: No

--enable-key-availability-check

Flag to enable key availability quorum. Use this flag to indicate that AWS CloudHSM should enforce key availability quorum and not allow you to use keys until those keys exist on two HSMs in the cluster. For more information about using this flag to set key availability quorum, see Managing client key durability settings.

Enabled by default.

Required: No

--disable-validate-key-at-init

Improves performance by specifying that you can skip an initialization call to verify permissions on a key for subsequent calls. Use with caution.

Background: Some mechanisms in the PKCS #11 library support multi-part operations where an initialization call verifies if you can use the key for subsequent calls. This requires a verification call to the HSM, which adds latency to the overall operation. This option enables you to disable the subsequent call and potentially improve performance.

Required: No

--enable-validate-key-at-init

Specifies that you should use an initialization call to verify permissions on a key for subsequent calls. This is the default option. Use enable-validate-key-at-init to resume these initialization calls after you use disable-validate-key-at-init to suspend them.

Required: No
