Change the quorum minimum value for AWS CloudHSM using CloudHSM CLI

After setting the quorum minimum value for CloudHSM admins, you might need to adjust the quorum minimum value. The HSM allows changes to the quorum minimum value only when the number of approvers meets or exceeds the current value. For example, with a quorum minimum value of two (2), at least two (2) admins must approve any changes.

Note

The quorum value of the user service must always be less than the quorum value of the quorum service. For information on service names, see Supported AWS CloudHSM service names and types for quorum authentication with CloudHSM CLI.

To get quorum approval to change the quorum minimum value, you need a quorum token for the quorum service using the quorum token-sign set-quorum-value command. To generate a quorum token for the for the quorum service using the quorum token-sign set-quorum-value command, the quorum service must be higher than one (1). This means that before you can change the quorum minimum value for user service, you might need to change the quorum minimum value for quorum service.

Steps to change the quorum minimum value for admins

Start the CloudHSM CLI interactive mode.


aws-cloudhsm>login --username <admin> --role admin

Check current quorum minimum values:


aws-cloudhsm>quorum token-sign list-quorum-values

If the quorum minimum value for the quorum service is lower than the value for the user service, change the quorum service value:
```
aws-cloudhsm>quorum token-sign set-quorum-value --service quorum --value 3
```
Generate a quorum token for the quorum service.
Get approvals (signatures) from other admins.
Approve the token on the CloudHSM cluster and execute a user management operation..
Change the quorum minimum value for the user service:
```
aws-cloudhsm>quorum token-sign set-quorum-value
```

Example Adjusting quorum service minimum values

Check current values. The example shows that the quorum minimum value for user service is currently two (2).


aws-cloudhsm > quorum token-sign list-quorum-values
{
  "error_code": 0,
  "data": {
    "user": 2,
    "quorum": 1
  }
}

Change quorum service value. Set the quorum minimum value for quorum service to a value that is the same or higher than the value for user service. This example sets the quorum minimum value for quorum service to two (2), the same value that was set for user service in the previous example.
```
aws-cloudhsm > quorum token-sign set-quorum-value --service quorum --value 2
{
  "error_code": 0,
  "data": "Set quorum value successful"
}
```

Verify the changes. This example shows that the quorum minimum value is now two (2) for user service and quorum service.


aws-cloudhsm > quorum token-sign list-quorum-values
{
  "error_code": 0,
  "data": {
    "user": 2,
    "quorum": 2
  }
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

User management with quorum (M of N)

User management with CMU