AWS CloudHSM Client SDK 5 configuration parameters
The following is a list of parameters to configure AWS CloudHSM Client SDK 5.
- -a <ENI IP address>
  Adds the specified IP address to the Client SDK 5 configuration files. Enter the IP address of any HSM elastic network interface (ENI) in the cluster. For more information about how to use this option, see Bootstrap Client SDK 5.
  Required: Yes
- --hsm-ca-cert <customerCA certificate file path>
  Path to the certificate authority (CA) certificate used to connect EC2 client instances to the cluster. This is the issuing certificate you create when you initialize the cluster, and it is what the client uses to verify the HSM. By default, the system looks for the file in the following location:
  Linux: /opt/cloudhsm/etc/customerCA.crt
  Windows: C:\ProgramData\Amazon\CloudHSM\customerCA.crt
  For more information about initializing the cluster or placing the certificate, see Place the issuing certificate on each EC2 instance and Initialize the cluster in AWS CloudHSM.
  Required: No
- --cluster-id <cluster ID>
  Makes a DescribeClusters call to find all of the HSM elastic network interface (ENI) IP addresses in the cluster associated with the cluster ID, and adds those IP addresses to the AWS CloudHSM configuration files. The AWS credentials the tool runs with must therefore be permitted to call DescribeClusters.
  Note: If you use the --cluster-id parameter from an EC2 instance within a VPC that does not have access to the public internet, you must create an interface VPC endpoint to connect with AWS CloudHSM. For more information about VPC endpoints, see AWS CloudHSM and VPC endpoints.
  Required: No
- --endpoint <endpoint>
  Specifies the AWS CloudHSM API endpoint used for the DescribeClusters call. You must set this option in combination with --cluster-id.
  Required: No
- --region <region>
  Specifies the region of your cluster. You must set this option in combination with --cluster-id.
  If you do not supply --region, the system determines the region in this order: it reads the AWS_DEFAULT_REGION or AWS_REGION environment variables; if neither is set, it checks the region associated with your profile in your AWS config file (typically ~/.aws/config, or the file named in the AWS_CONFIG_FILE environment variable); if none of these yields a region, it defaults to us-east-1.
  Required: No
- --server-client-cert-file <client certificate file path>
  Path to the client certificate used for TLS client-server mutual authentication.
  Only use this option if you do not wish to use the default key and SSL/TLS certificate included with Client SDK 5. You must set this option in combination with --server-client-key-file.
  Required: No
- --server-client-key-file <client key file path>
  Path to the client private key used for TLS client-server mutual authentication.
  Only use this option if you do not wish to use the default key and SSL/TLS certificate included with Client SDK 5. You must set this option in combination with --server-client-cert-file.
  Required: No
- --client-cert-hsm-tls-file <client certificate hsm tls path>
  Path to the client certificate used for TLS client-HSM mutual authentication.
  Only use this option if you have registered at least one trust anchor on the HSM with CloudHSM CLI. You must set this option in combination with --client-key-hsm-tls-file.
  Required: No
- --client-key-hsm-tls-file <client key hsm tls path>
  Path to the client private key used for TLS client-HSM mutual authentication.
  Only use this option if you have registered at least one trust anchor on the HSM with CloudHSM CLI. You must set this option in combination with --client-cert-hsm-tls-file.
  Required: No
- --log-level <error | warn | info | debug | trace>
  Specifies the minimum logging level the system writes to the log file. Each level includes the levels before it, with error as the minimum and trace as the maximum. If you specify error, the system writes only errors to the log. If you specify trace, the system writes error, warn, info, debug, and trace messages to the log. For more information, see Client SDK 5 Logging.
  Required: No
- --log-rotation <daily | weekly>
  Specifies how often the system rotates logs. For more information, see Client SDK 5 Logging.
  Required: No
- --log-file <file name with path>
  Specifies where the system writes the log file. For more information, see Client SDK 5 Logging.
  Required: No
- --log-type <term | file>
  Specifies whether the system writes the log to a file or to the terminal. For more information, see Client SDK 5 Logging.
  Required: No
- -h | --help
  Displays help.
  Required: No
- -v | --version
  Displays the version.
  Required: No
- --disable-key-availability-check
  Disables the key availability quorum, so that you can use keys that exist on only one HSM in the cluster. Because the quorum protects key durability, a key used this way has no replica to fall back on until it has been synchronized to a second HSM. For more information about using this flag to set the key availability quorum, see Managing client key durability settings.
  Required: No
- --enable-key-availability-check
  Enables the key availability quorum, so that AWS CloudHSM does not allow you to use a key until it exists on two HSMs in the cluster. For more information about using this flag to set the key availability quorum, see Managing client key durability settings.
  Enabled by default.
  Required: No
- --disable-validate-key-at-init
  Improves performance by skipping the initialization call that verifies your permissions on a key before subsequent calls use it. Use with caution: a permission problem that the initialization call would have caught surfaces only when the later operation fails.
  Background: Some mechanisms in the PKCS #11 library support multi-part operations, where an initialization call verifies that you can use the key for the calls that follow. That verification is a round trip to the HSM, which adds latency to the overall operation. This option skips the verification call and can therefore improve performance.
  Required: No
- --enable-validate-key-at-init
  Specifies that the initialization call should verify your permissions on a key before subsequent calls use it. This is the default. Use --enable-validate-key-at-init to resume these initialization calls after you have used --disable-validate-key-at-init to suspend them.
  Required: No
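The following POSIX shell script is an added example, not part of the AWS documentation or of the CloudHSM SDK. It turns two pieces of the parameter list above into checks you can run before invoking the configure tool: the region lookup order that applies when --region is omitted, and the parameters that must be supplied together (--endpoint and --region with --cluster-id, the two server-client TLS files, the two client-HSM TLS files). The tool path /opt/cloudhsm/bin/configure-pkcs11, the use of AWS_PROFILE to pick the profile, treating the enable/disable key-availability pair as mutually exclusive, and the private-key permission check are assumptions of this example, not statements from the page.

```shell
#!/bin/sh
# Pre-flight checks for the Client SDK 5 configure tool (added example, not
# AWS code). Assumptions not stated on the page: the tool is
# /opt/cloudhsm/bin/configure-pkcs11, the profile consulted is $AWS_PROFILE
# or "default", and enable/disable pairs are mutually exclusive.

# Region of a profile in an AWS config file: the default profile is the
# "[default]" section, any other profile is "[profile NAME]". Prints nothing
# (and succeeds) when the file or the profile is absent.
profile_region() {
    cfg=$1; prof=$2
    [ -r "$cfg" ] || return 0
    if [ "$prof" = default ]; then section=default; else section="profile $prof"; fi
    awk -v want="$section" '
        /^[ \t]*\[/ { s=$0; sub(/^[ \t]*\[/, "", s); sub(/][ \t]*$/, "", s); cur=s; next }
        cur == want && /^[ \t]*region[ \t]*=/ {
            v=$0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$cfg"
}

# Region the tool would pick without --region, in the order the page lists:
# AWS_DEFAULT_REGION, AWS_REGION (the page does not say which of the two wins
# if both are set; this follows its order), the profile's region in
# AWS_CONFIG_FILE (default ~/.aws/config), then us-east-1.
resolve_region() {
    if [ -n "${AWS_DEFAULT_REGION:-}" ]; then printf '%s\n' "$AWS_DEFAULT_REGION"; return 0; fi
    if [ -n "${AWS_REGION:-}" ]; then printf '%s\n' "$AWS_REGION"; return 0; fi
    r=$(profile_region "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "${AWS_PROFILE:-default}")
    if [ -n "$r" ]; then printf '%s\n' "$r"; else printf '%s\n' us-east-1; fi
}

# Added hardening check (not from the page): a TLS client private key must
# exist and have no group/other permission bits (columns 5-10 of ls -ld).
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate the option combinations the page requires. Prints one reason per
# violation to stderr and returns 1; returns 0 when the arguments are consistent.
check_configure_args() {
    a= cid= ep= reg= scc= sck= hcc= hck= dis= en= key= hkey= bad=0
    fail() { echo "$1" >&2; bad=1; }
    while [ $# -gt 0 ]; do
        opt=$1; shift; val=
        case $opt in
            -a|--cluster-id|--endpoint|--region|--hsm-ca-cert|--server-client-cert-file| \
            --server-client-key-file|--client-cert-hsm-tls-file|--client-key-hsm-tls-file| \
            --log-level|--log-rotation|--log-file|--log-type)
                if [ $# -eq 0 ]; then fail "$opt needs a value"; continue; fi
                val=$1; shift ;;
        esac
        case $opt in
            -a) a=1 ;;                 --cluster-id) cid=1 ;;
            --endpoint) ep=1 ;;        --region) reg=1 ;;
            --server-client-cert-file) scc=1 ;;   --server-client-key-file) sck=1; key=$val ;;
            --client-cert-hsm-tls-file) hcc=1 ;;  --client-key-hsm-tls-file) hck=1; hkey=$val ;;
            --disable-key-availability-check) dis=1 ;;
            --enable-key-availability-check) en=1 ;;
            --hsm-ca-cert|--log-level|--log-rotation|--log-file|--log-type) ;;
            -h|--help|-v|--version|--disable-validate-key-at-init|--enable-validate-key-at-init) ;;
            *) fail "unknown option: $opt" ;;
        esac
    done
    # The tool needs HSM ENI addresses from -a or, via DescribeClusters, --cluster-id.
    [ -n "$a$cid" ]  || fail "need -a <ENI IP address> or --cluster-id <cluster ID>"
    [ -z "$ep" ]  || [ -n "$cid" ] || fail "--endpoint requires --cluster-id"
    [ -z "$reg" ] || [ -n "$cid" ] || fail "--region requires --cluster-id"
    [ "$scc" = "$sck" ] || fail "--server-client-cert-file and --server-client-key-file go together"
    [ "$hcc" = "$hck" ] || fail "--client-cert-hsm-tls-file and --client-key-hsm-tls-file go together"
    [ -z "$dis" ] || [ -z "$en" ] || fail "use only one of --disable/--enable-key-availability-check"
    [ -z "$key" ]  || key_file_is_private "$key"  || fail "$key: missing or readable by group/other"
    [ -z "$hkey" ] || key_file_is_private "$hkey" || fail "$hkey: missing or readable by group/other"
    return $bad
}
```

Run the checks on the exact argument list you intend to pass, then invoke the tool only if they pass, for example `check_configure_args --cluster-id "$CLUSTER_ID" --region "$(resolve_region)" && sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id "$CLUSTER_ID" --region "$(resolve_region)"` (CLUSTER_ID is a placeholder for your own cluster ID). Calling resolve_region yourself makes the region explicit on the command line instead of relying on whatever the environment and config file happen to resolve to on the instance.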