Configuring HSM in Amazon

AWS CloudHSM offers the advantages of the AWS cloud combined with the security provided by hardware security modules (HSMs). An HSM is a computing device that performs cryptographic operations and offers secure storage for cryptographic keys. With AWS CloudHSM, you have full control over highly available HSMs in the AWS Cloud, with low-latency access and a secure root of trust that automates HSM management, including backups, provisioning, configuration, and maintenance.

When setting up an AWS CloudHSM in a cluster, you must have at least two HSMs. If your configuration includes only one HSM, you must disable the key availability check to proceed.

To do this:

  1. Open a Command Prompt as Administrator.

  2. Run the following commands:

    cd "C:\Program Files\Amazon\CloudHSM\bin"
    configure-pkcs11.exe --disable-key-availability-check

This command disables the key availability check and allows operation even with a single HSM, bypassing the requirement for two HSMs in the cluster.

To view or edit the cloudhsm-pkcs11.cfg configuration file, navigate to C:\ProgramData\Amazon\CloudHSM\data.

For more information about the key availability check error in AWS CloudHSM, including its causes, the scenarios that trigger it, and the resolution options, refer to the AWS CloudHSM Troubleshooting Documentation.

Preventing Startup Errors When Using AWS CloudHSM

When rebooting a Secret Server instance, you may encounter startup errors if the web application attempts to start before establishing a connection with AWS CloudHSM. This can prevent Secret Server from loading properly.

To delay the startup of Internet Information Services (IIS) by adjusting the settings for the World Wide Web Publishing Service:

  1. Open the Services application (services.msc).

  2. Double-click on the World Wide Web Publishing Service.

  3. Change the Startup Type to Automatic (Delayed Start).

  4. Select Apply and then select OK.

By following these steps, you can ensure that the CloudHSM connection is established before Secret Server starts.
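The two procedures above (disabling the key availability check and delaying IIS startup) can also be applied and verified from an elevated PowerShell session. The following is an added example, not code from the Secret Server documentation or from AWS; it assumes the paths given on this page and that W3SVC is the service name of the World Wide Web Publishing Service.

```powershell
# Added example: apply both changes from this page and verify them.
# Run from an elevated (Administrator) PowerShell session.
$ErrorActionPreference = 'Stop'

# 1. Disable the key availability check for a single-HSM cluster
#    (tool path as given on the page).
$bin = 'C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe'
if (-not (Test-Path $bin)) { throw "CloudHSM PKCS#11 tool not found at $bin" }
& $bin --disable-key-availability-check
if ($LASTEXITCODE -ne 0) { throw "configure-pkcs11.exe exited with code $LASTEXITCODE" }

# Show the resulting configuration file for review (path as given on the page).
$cfg = 'C:\ProgramData\Amazon\CloudHSM\data\cloudhsm-pkcs11.cfg'
if (Test-Path $cfg) { Get-Content $cfg }

# 2. Delay IIS startup so the CloudHSM connection is established first.
#    Windows PowerShell 5.1's Set-Service has no delayed-start option, so use
#    sc.exe, which works on every supported Windows version. The space after
#    "start=" is required by sc.exe.
sc.exe config W3SVC start= delayed-auto
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with code $LASTEXITCODE" }

# Verify: the service control manager records delayed start as the REG_DWORD
# DelayedAutostart=1 under the service's registry key (assumed service name W3SVC).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC'
$props = Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue
if ($null -eq $props -or $props.DelayedAutostart -ne 1) {
    throw 'W3SVC is not configured for Automatic (Delayed Start)'
}
# sc.exe qc reports the effective start type, e.g. "AUTO_START  (DELAYED)".
sc.exe qc W3SVC | Select-String 'START_TYPE'
Write-Host 'Key availability check disabled; W3SVC set to Automatic (Delayed Start).'
```

The registry check is the same setting that the Services application writes when you choose Automatic (Delayed Start), so it confirms the manual steps as well as the scripted ones.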

For more information on how to configure HSM in Amazon, click here.