AWS CloudHSM configuration requirements
Trust Protection Foundation supports key storage on AWS CloudHSM for use with Code Sign Manager - Self-Hosted. Trust Protection Foundation also supports database encryption for the Trust Protection Foundation SQL database.
NOTE Advanced Key Protect is required to connect Trust Protection Foundation to an HSM.
Configure the AWS CloudHSM cluster-id
To ensure seamless failover between HSM devices in your cluster, it is best to identify the HSM Cluster using the cluster-id. Using the cluster-id ensures the client is aware of all HSMs in the cluster. Currently, you need to manually edit the cloudhsm-pkcs11.cfg configuration file to handle the cluster-id option.
- Open C:\programdata\amazon\cloudhsm\data\cloudhsm-pkcs11.cfg in a text editor.
- Add this line before servers, substituting your own cluster-id:
"cluster_id":"cluster-fly6hbn7zog"
IMPORTANT Because the configure-pkcs11.exe command does not handle the --cluster-id option, any other change made with configure-pkcs11.exe rewrites the file and removes the line above. Re-add the line after each run of configure-pkcs11.exe.
By default, the client will not allow a key to be used unless there are two or more HSMs in the cluster. If you want to run only one HSM for testing, run the following command:
configure-pkcs11.exe --disable-key-availability-check
Keep in mind the important note above: running this command also removes the cluster_id line.
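The procedure above is manual and has to be repeated after every configure-pkcs11.exe run, so a small helper that re-inserts the cluster_id entry and checks that it survived is useful. The following script is an added example, not Venafi or AWS code; it assumes cloudhsm-pkcs11.cfg is a JSON document with a top-level "servers" key (as the quoted line and "before servers" imply), assumes cluster ids begin with "cluster-" as in the page's example, and the sample server entry it embeds is constructed rather than copied from a real file.

```python
"""Keep the cluster_id entry in cloudhsm-pkcs11.cfg (added example)."""
import json
import sys

# Key names as they appear in the page's instructions.
CLUSTER_ID_KEY = "cluster_id"
SERVERS_KEY = "servers"

# Assumed default location on Windows, taken from the page.
DEFAULT_PATH = r"C:\programdata\amazon\cloudhsm\data\cloudhsm-pkcs11.cfg"

# Constructed sample resembling a fresh file written by configure-pkcs11.exe
# (the shape of the server entries is an assumption for this example).
SAMPLE_CFG = """{
  "servers": [
    {"hostname": "10.0.1.5", "port": 2223}
  ]
}
"""


def ensure_cluster_id(config_text: str, cluster_id: str) -> str:
    """Return the config with cluster_id placed immediately before servers.

    Idempotent: re-running with the same id produces identical output, so it
    can be invoked after every configure-pkcs11.exe call. Refuses to touch a
    file that is not valid JSON or that has no servers key.
    """
    if not cluster_id.startswith("cluster-"):
        raise ValueError(f"unexpected cluster id format: {cluster_id!r}")
    cfg = json.loads(config_text)  # raises json.JSONDecodeError on a corrupt file
    if SERVERS_KEY not in cfg:
        raise ValueError("no 'servers' key; is this really cloudhsm-pkcs11.cfg?")
    rebuilt = {}
    for key, value in cfg.items():
        if key == CLUSTER_ID_KEY:
            continue  # drop any stale value; it is re-added in the right place
        if key == SERVERS_KEY:
            rebuilt[CLUSTER_ID_KEY] = cluster_id
        rebuilt[key] = value
    return json.dumps(rebuilt, indent=2) + "\n"


def cluster_id_present(config_text: str, cluster_id: str) -> bool:
    """True when the config names the expected cluster.

    Use this as a post-check after running configure-pkcs11.exe, which
    rewrites the file and silently drops the entry.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return False
    return cfg.get(CLUSTER_ID_KEY) == cluster_id


def key_order(config_text: str) -> list:
    """Top-level key order, to confirm cluster_id precedes servers."""
    return list(json.loads(config_text).keys())


if __name__ == "__main__":
    # Usage: python fix_cluster_id.py <cluster-id> [path-to-cloudhsm-pkcs11.cfg]
    if len(sys.argv) < 2:
        sys.exit("usage: fix_cluster_id.py <cluster-id> [config-path]")
    wanted = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_PATH
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    if cluster_id_present(original, wanted):
        print(f"{path}: cluster_id already set, nothing to do")
    else:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(ensure_cluster_id(original, wanted))
        print(f"{path}: cluster_id set to {wanted}")
```

Run the script once after every configure-pkcs11.exe invocation (including the --disable-key-availability-check command above) so the cluster_id entry is restored before the client is started; the presence check alone is suitable for a scheduled health check that alerts when the entry has gone missing.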
What's Next?
- To set up Code Sign Manager - Self-Hosted to use keys stored on AWS CloudHSM, follow the steps in Setting up Code Sign Manager - Self-Hosted to use HSM keys.
- See the AWS CloudHSM PKCS #11 documentation for more information on AWS CloudHSM.