Change the quorum minimum value for AWS CloudHSM using CloudHSM CLI

After you set the quorum minimum value so AWS CloudHSM admins can use quorum authentication, you might want to change the quorum minimum value. The HSM allows you to change the quorum minimum value only when the number of approvers is the same or higher than the current quorum minimum value. For example, if the quorum minimum value is two (2), at least two (2) admins must approve to change the quorum minimum value.

Note

The quorum value of the user service must always be less than the quorum value of the quorum service. For information on service names, like quorum service and user service, see Supported AWS CloudHSM service names and types for quorum authentication with CloudHSM CLI.

To get quorum approval to change the quorum minimum value, you need a quorum token for the quorum service using the quorum token-sign set-quorum-value command. To generate a quorum token for the for the quorum service using the quorum token-sign set-quorum-value command, the quorum service must be higher than one (1). This means that before you can change the quorum minimum value for user service, you might need to change the quorum minimum value for quorum service.

To change the quorum minimum value for admins

Use the following command to start CloudHSM CLI interactive mode.

Use the login command and log in to the cluster as the admin.
```
aws-cloudhsm>login --username <admin> --role admin
```
Use the quorum token-sign list-quorum-values command to get the quorum minimum values for all service names. For more information, see the example below.
If the quorum minimum value for quorum service is lower than the value for user service, use the quorum token-sign set-quorum-value command to change the value for quorum service. Change the value for quorum service to one (1) that is the same or higher than the value for user service. For more information, see the following example.
Generate a quorum token, taking care to specify quorum service as the service for which you can use the token.
Get approvals (signatures) from other admins.
Approve the token on the AWS CloudHSM cluster and execute a user management operation..
Use the quorum token-sign set-quorum-value command to change quorum minimum value for user service.

Example – Get quorum minimum values and change the value for quorum service

The following example command shows that the quorum minimum value for user service is currently two (2).


aws-cloudhsm > quorum token-sign list-quorum-values{
  "error_code": 0,
  "data": {
    "user": 2,
    "quorum": 1
  }
}

To change the quorum minimum value for quorum service, use the quorum token-sign set-quorum-value command, setting a value that is the same or higher than the value for user service. The following example sets the quorum minimum value for quorum service to two (2), the same value that is set for user service.


aws-cloudhsm > quorum token-sign set-quorum-value --service quorum --value 2{
  "error_code": 0,
  "data": "Set quorum value successful"
}

The following command shows that the quorum minimum value is now two (2) for user service and quorum service.


aws-cloudhsm > quorum token-sign list-quorum-values{
  "error_code": 0,
  "data": {
    "user": 2,
    "quorum": 2
  }
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

User management with quorum (M of N)

User management with CMU