PKCS #11 library CloudHSM Management Utility (CMU)Key Management Utility (KMU)JCE provider OpenSSL Dynamic Engine CNG and KSP providers

Compare AWS CloudHSM Client SDK component support

In addition to the command-line tools, Client SDK 3 contains components that enable off-loading cryptographic operations to the HSM from various platform or language-based applications. Client SDK 5 has parity with Client SDK 3, except it does not yet support CNG and KSP providers. The following table compares component availability in Client SDK 3 and Client SDK 5.

Component	Client SDK 5	Client SDK 3
PKCS #11 library	Yes	Yes
JCE provider	Yes	Yes
OpenSSL Dynamic Engine	Yes	Yes
CNG and KSP providers		Yes
CloudHSM Management Utility (CMU)¹	Yes	Yes
Key Management Utility (KMU)¹	Yes	Yes
Configure tool	Yes	Yes

[1] CMU and KMU components are included in CloudHSM CLI with Client SDK 5.

The following sections describe the components.

PKCS #11 library

PKCS #11 is a standard for performing cryptographic operations on hardware security modules (HSMs). AWS CloudHSM offers implementations of the PKCS #11 library that are compliant with PKCS #11 version 2.40.

For Client SDK 3, the PKCS #11 library is a Linux only component that matches Linux base support. For more information, see Linux support for AWS CloudHSM Client SDK 3.
For Client SDK 5, the PKCS #11 library is a cross-platform component that matches Linux and Windows Client SDK 5 base support. For more information, see Linux support for AWS CloudHSM Client SDK 5 and Windows support for AWS CloudHSM Client SDK 5.

CloudHSM Management Utility (CMU)

The CloudHSM Management Utility (CMU) command line tool helps crypto officers manage users in the HSMs. It includes tools that create, delete, and list users, and change user passwords. For more information, see AWS CloudHSM Management Utility (CMU).

Key Management Utility (KMU)

The Key Management Utility (KMU) is a command line tool that helps crypto users (CU) manage keys on the hardware security modules (HSM). For more information, see AWS CloudHSM Key Management Utility (KMU).

JCE provider

The AWS CloudHSM JCE provider is compliant with the Java Cryptographic Architecture (JCA). The provider allows you to perform cryptographic operations on the HSM.

The JCE provider is a Linux only component that matches Linux base support. For more information, see Linux support for AWS CloudHSM Client SDK 3.

For Client SDK 3 requires OpenJDK 1.8

OpenSSL Dynamic Engine

The AWS CloudHSM OpenSSL Dynamic Engine allows you to offload cryptographic operations to your CloudHSM cluster through the OpenSSL API.

For Client SDK 3, the OpenSSL Dynamic Engine is Linux only component that does not match Linux base support. See the exclusions below.
- Requires OpenSSL 1.0.2[f+]
Unsupported platforms:
- CentOS 8
- Red Hat Enterprise Linux (RHEL) 8
- Ubuntu 18.04 LTS
These platforms ship with a version of OpenSSL incompatible with OpenSSL Dynamic Engine for Client SDK 3. AWS CloudHSM supports these platforms with OpenSSL Dynamic Engine for Client SDK 5.
For Client SDK 5, the OpenSSL Dynamic Engine is a Linux only component that requires OpenSSL 1.0.2, 1.1.1, or 3.x.

CNG and KSP providers

The AWS CloudHSM client for Windows includes CNG and KSP providers. Currently, only Client SDK 3 supports CNG and KSP providers.

The CNG and KSP providers is a Windows only component that matches Windows base support. For more information, see Windows support for AWS CloudHSM Client SDK 3.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Check your version

Migrating to the latest SDK