Configure and run the Windows AWS CloudHSM client Checking the KSP and CNG providers

Verifying the KSP and CNG Providers for Windows

The KSP and CNG providers are installed when you install the Windows AWS CloudHSM client. You can install the client by following the steps at Install the client (Windows).

Configure and run the Windows AWS CloudHSM client

To start the Windows CloudHSM client, you must first satisfy the Prerequisites. Then, update the configuration files that the providers use and start the client by completing the steps below.. You need to do these steps the first time you use the KSP and CNG providers and after you add or remove HSMs in your cluster. This way, AWS CloudHSM is able to synchronize data and maintain consistency across all HSMs in the cluster.

Step 1: Stop the AWS CloudHSM client

Before you update the configuration files that the providers use, stop the AWS CloudHSM client. If the client is already stopped, running the stop command has no effect.

For Windows client 1.1.2+:


C:\Program Files\Amazon\CloudHSM>net.exe stop AWSCloudHSMClient

For Windows clients 1.1.1 and older:

Use Ctrl+C in the command window where you started the AWS CloudHSM client.

Step 2: Update the AWS CloudHSM configuration files

This step uses the -a parameter of the Configure tool to add the elastic network interface (ENI) IP address of one of the HSMs in the cluster to the configuration file.


C:\Program Files\Amazon\CloudHSM configure.exe -a <HSM ENI IP>

To get the ENI IP address of an HSM in your cluster, navigate to the AWS CloudHSM console, choose clusters, and select the desired cluster. You can also use the DescribeClusters operation, the describe-clusters command, or the Get-HSM2Cluster PowerShell cmdlet. Type only one ENI IP address. It does not matter which ENI IP address you use.

Step 3: Start the AWS CloudHSM client

Next, start or restart the AWS CloudHSM client. When the AWS CloudHSM client starts, it uses the ENI IP address in its configuration file to query the cluster. Then it adds the ENI IP addresses of all HSMs in the cluster to the cluster information file.

For Windows client 1.1.2+:


C:\Program Files\Amazon\CloudHSM>net.exe start AWSCloudHSMClient

For Windows clients 1.1.1 and older:


C:\Program Files\Amazon\CloudHSM>start "cloudhsm_client" cloudhsm_client.exe C:\ProgramData\Amazon\CloudHSM\data\cloudhsm_client.cfg

Checking the KSP and CNG providers

You can use either of the following commands to determine which providers are installed on your system. The commands list the registered KSP and CNG providers. The AWS CloudHSM client does not need to be running.


C:\Program Files\Amazon\CloudHSM>ksp_config.exe -enum


C:\Program Files\Amazon\CloudHSM>cng_config.exe -enum

To verify that the KSP and CNG providers are installed on your Windows Server EC2 instance, you should see the following entries in the list:


Cavium CNG Provider
Cavium Key Storage Provider

If the CNG provider is missing, run the following command.


C:\Program Files\Amazon\CloudHSM>cng_config.exe -register

If the KSP provider is missing, run the following command.


C:\Program Files\Amazon\CloudHSM>ksp_config.exe -register

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

KSP and CNG providers

Prerequisites