
AWS CloudHSM - User Guide

AWS CloudHSM User Guide. Copyright 2019 Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored

Table of Contents: What Is AWS CloudHSM?

AWS CloudHSM User Guide Cluster Architecture • Cluster Synchronization (p. 4) • Cluster High Availability and Load Balancing (p. 5) Cluster Architecture


Transcription of AWS CloudHSM - User Guide

Table of Contents

• What Is AWS CloudHSM?
• Use
• Offload the SSL/TLS Processing for Web Servers
• Protect the Private Keys for an Issuing Certificate Authority (CA)
• Enable Transparent Data Encryption (TDE) for Oracle Databases
• Cluster Architecture
• Cluster Synchronization
• Cluster High Availability and Load Balancing
• Overview of Backups
• Security of Backups
• Durability of Backups
• Frequency of Backups
• Client Tools and Libraries
• AWS CloudHSM Client
• AWS CloudHSM Command Line Tools
• AWS CloudHSM Software Libraries
• HSM
• Precrypto Officer (PRECO)
• Crypto Officer (CO)
• Crypto User (CU)
• Appliance User (AU)
• HSM User Permissions Table
• Compliance
• Regions
• Getting Started
• Create IAM Administrators
• Create an IAM User and Administrator Group
• Restrict User Permissions to What's Necessary for AWS CloudHSM
• Understanding Service-Linked Roles
• Create a VPC
• Create a Private Subnet
• Create a Cluster
• Configure a Security Group
• Launch an EC2 Client
• Launch an EC2 Client
• Create an HSM
• Verify HSM Identity (Optional)
• Overview
• Get Certificates from the HSM
• Get the Root Certificates
• Verify Certificate Chains
• Extract and Compare Public Keys
• AWS CloudHSM Root Certificate
• Initialize the Cluster
• Get the Cluster
• Sign the
• Initialize the Cluster
• Install the Client (Linux)
• Install the AWS CloudHSM Client and Command Line Tools
• Edit the Client Configuration
• Install the Client (Windows)
• Activate the Cluster
• Reconfigure SSL (Optional)
• Managing
• Adding or Removing HSMs
• Adding an HSM
• Removing an HSM
• Copying a Backup Across Regions
• Creating a Cluster From a Backup
• Deleting and Restoring a Backup
• Deleting a
• Tagging Resources
• Adding or Updating Tags
• Listing Tags
• Removing Tags
• Managing HSM Users and Keys
• Managing HSM
• Create Users
• List
• Change a User's Password
• Delete
• Managing Keys
• Generate Keys
• Import Keys
• Export Keys
• Delete Keys
• Share and Unshare Keys
• Quorum Authentication (M of N)
• Overview of Quorum Authentication
• Additional Details about Quorum Authentication
• First Time Setup for Crypto Officers
• Quorum Authentication for Crypto Officers
• Change the Quorum Value for Crypto Officers
• Command Line Tools
• Getting Started
• Reference
• key_mgmt_util
• Getting Started
• Reference
• Configure Tool
• Syntax
• Parameters
• Related Topics
• Using the Software Libraries
• PKCS #11 Library
• Installing the PKCS #11 Library
• Authenticating to PKCS #11
• Supported PKCS #11 Key Types
• Supported PKCS #11 Mechanisms
• Supported PKCS #11 API operations
• OpenSSL Dynamic Engine
• Installing the OpenSSL Dynamic Engine
• Java Library
• Installing the Java Library
• Supported Mechanisms
• Sample Prerequisites
• Java Samples
• KSP and CNG Providers
• Install the Providers
• Prerequisites
• Code
• Integrating Third-Party Applications
• SSL/TLS Offload
• How It Works
• SSL/TLS Offload on Linux
• SSL/TLS Offload on Windows
• Windows Server CA
• Set Up Prerequisites
• Create Windows Server CA
• Sign a
• Oracle Database Encryption
• Set Up Prerequisites
• Configure the Database
• Monitoring
• Getting Client Logs
• Logging AWS CloudHSM API Calls with AWS CloudTrail
• AWS CloudHSM Information in CloudTrail
• Understanding AWS CloudHSM Log File Entries
• Monitoring Audit
• How Audit Logging Works
• Viewing Audit Logs in CloudWatch Logs
• Interpreting HSM Audit Logs
• Audit Log Reference
• Getting Metrics
• Getting CloudWatch Metrics
• Troubleshooting
• Known Issues
• Known Issues for all HSM instances
• Known Issues for Amazon EC2 Instances Running Amazon Linux 2
• Known Issues for the PKCS #11 SDK
• Known Issues for the JCE SDK
• Known Issues for the OpenSSL SDK
• Lost Connection
• Keep HSM Users In Sync
• Verify Performance
• Resolving Cluster Creation Failures
• Add the Missing Permission
• Create the Service-Linked Role Manually
• Use a Nonfederated
• Missing AWS CloudHSM Audit Logs in CloudWatch
• Client and Software Information
• Version History
• Current Version:
• Version:
• Version:
• Version:
• Version
• Version
• Version
• Version
• Version
• Version

