AWS CloudHSM error seen during key availability check
Problem: An AWS CloudHSM hardware security module (HSM) is returning the following error:
Key <KEY HANDLE> does not meet the availability requirements - The key must be available on at least 2 HSMs before being used.
Cause: Key availability checks look for keys that, under rare but possible conditions, could be lost. This error usually occurs in clusters with only one HSM or in clusters with two HSMs during a period in which one of them is being replaced. In these situations, the following customer operations likely prompted the above error:
A new key was generated using a CloudHSM CLI command in the generate-symmetric category or the generate-asymmetric-pair category.
An operation to list keys for a user was started with CloudHSM CLI.
A new instance of the SDK was started.
Note: OpenSSL frequently forks new instances of the SDK.
Resolution/recommendation: Choose from the following actions to prevent this error from occurring:
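Use the --disable-key-availability-check parameter of the configure tool to set key availability to false in the configuration file. With the check disabled, a key can be used while it exists on fewer than two HSMs, which is the condition the check exists to flag. For more information, see the AWS CloudHSM Client SDK 5 configuration parameters section of the Configure tool.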
If using a cluster with two HSMs, avoid using the operations that prompted the error, except in initialization code.
Increase the number of HSMs in your cluster to at least three.
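To find clusters exposed to this error before it appears, the HSM counts described under Cause can be checked from cluster metadata. The following is an added example, not AWS code: it classifies clusters from JSON shaped like `aws cloudhsmv2 describe-clusters` output. The sample data, the function names, and the rule that only HSMs in the ACTIVE state count toward availability are assumptions.

```python
import json

# Constructed sample shaped like `aws cloudhsmv2 describe-clusters` output.
# Cluster and HSM IDs are placeholders, not real resources.
SAMPLE = json.loads("""
{"Clusters": [
  {"ClusterId": "cluster-example1", "State": "ACTIVE",
   "Hsms": [{"HsmId": "hsm-a", "State": "ACTIVE"}]},
  {"ClusterId": "cluster-example2", "State": "ACTIVE",
   "Hsms": [{"HsmId": "hsm-b", "State": "ACTIVE"},
            {"HsmId": "hsm-c", "State": "CREATE_IN_PROGRESS"},
            {"HsmId": "hsm-d", "State": "ACTIVE"}]},
  {"ClusterId": "cluster-example3", "State": "ACTIVE",
   "Hsms": [{"HsmId": "hsm-e", "State": "ACTIVE"},
            {"HsmId": "hsm-f", "State": "ACTIVE"},
            {"HsmId": "hsm-g", "State": "ACTIVE"}]}
]}
""")

def assess_cluster(cluster):
    """Classify one cluster against the 2-HSM key availability requirement."""
    hsms = cluster.get("Hsms", [])
    # Assumption: only ACTIVE HSMs count toward key availability; an HSM that
    # is being created or deleted (for example during replacement) does not.
    active = sum(1 for h in hsms if h.get("State") == "ACTIVE")
    if active < 2:
        risk = "error-expected"        # a new key cannot reach 2 HSMs
    elif active == 2:
        risk = "error-on-replacement"  # losing either HSM drops below 2
    else:
        risk = "ok"                    # meets the three-HSM recommendation
    return {"cluster": cluster["ClusterId"], "active": active,
            "total": len(hsms), "risk": risk}

def assess(describe_clusters_output):
    """Return one assessment per cluster in a describe-clusters response."""
    clusters = describe_clusters_output.get("Clusters", [])
    return [assess_cluster(c) for c in clusters]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```

The second sample cluster lists three HSMs but is reported as at risk, because one of them is still being created and only two are active.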