AWS CloudHSM configuration requirements
Trust Protection Platform supports key storage on AWS CloudHSM for use with CodeSign Protect. Trust Protection Platform also supports database encryption for the Trust Protection Platform SQL database.
NOTE Advanced Key Protect is required to connect Trust Protection Platform to an HSM.
Configure the AWS CloudHSM cluster-id
To ensure seamless failover between HSM devices in your cluster, it is best to identify the HSM Cluster using the cluster-id. Using the cluster-id ensures the client is aware of all HSMs in the cluster. Currently, you need to manually edit the cloudhsm-pkcs11.cfg configuration file to handle the cluster-id option.
- Open C:\programdata\amazon\cloudhsm\data\cloudhsm-pkcs11.cfg in a text editor.
- Add this line before servers, substituting your own cluster-id value:
  "cluster_id":"cluster-fly6hbn7zog"
IMPORTANT Because the configure-pkcs11.exe command does not handle the --cluster-id option, any later run of configure-pkcs11.exe that makes other changes will rewrite the file and remove the line above.
By default, the client will not allow a key to be used unless there are two or more HSMs in the cluster. If you want to run only one HSM for testing, then run the following command:
configure-pkcs11.exe --disable-key-availability-check
Keep in mind the IMPORTANT note above: this run of configure-pkcs11.exe removes the cluster_id line, so re-add it afterwards.
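As an added example, not part of the Venafi documentation or the AWS client, the following Python helper re-inserts the cluster_id entry ahead of servers and checks that it is still present after configure-pkcs11.exe has rewritten the file. It assumes the configuration file is JSON, as the quoted line suggests, and uses the file path and example cluster-id from this page; the sample configuration is constructed for illustration.

```python
import json
from pathlib import Path

# Path and example cluster id are the ones given on the page.
CFG_PATH = Path(r"C:\programdata\amazon\cloudhsm\data\cloudhsm-pkcs11.cfg")
CLUSTER_ID = "cluster-fly6hbn7zog"


def ensure_cluster_id(cfg_text: str, cluster_id: str) -> str:
    """Return cfg_text with "cluster_id" set and placed before "servers".

    Idempotent: if configure-pkcs11.exe has rewritten the file and dropped
    the key, running this again re-inserts it. Other keys keep their order.
    """
    cfg = json.loads(cfg_text)          # dict preserves key order (3.7+)
    cfg.pop("cluster_id", None)         # drop any stale or misplaced copy
    out = {}
    for key, value in cfg.items():
        if key == "servers":
            out["cluster_id"] = cluster_id
        out[key] = value
    if "cluster_id" not in out:         # no "servers" key at all: append
        out["cluster_id"] = cluster_id
    return json.dumps(out, indent=2) + "\n"


def cluster_id_present(cfg_text: str, cluster_id: str) -> bool:
    """Post-check after any configure-pkcs11.exe run: is the key still there?"""
    try:
        return json.loads(cfg_text).get("cluster_id") == cluster_id
    except json.JSONDecodeError:
        return False


def key_order(cfg_text: str) -> list:
    """Top-level key order, so the 'before servers' placement can be verified."""
    return list(json.loads(cfg_text).keys())


# Constructed sample in the file's JSON layout; the "servers" entry fields
# are placeholders for illustration, not the real schema.
SAMPLE_CFG = """{
  "servers": [{"hostname": "hsm-placeholder.example", "port": 2225}],
  "log_level": "info"
}
"""

if __name__ == "__main__":
    text = CFG_PATH.read_text()
    if not cluster_id_present(text, CLUSTER_ID):
        CFG_PATH.write_text(ensure_cluster_id(text, CLUSTER_ID))
```

Run it once after every configure-pkcs11.exe invocation; it only touches the file when the entry is missing.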
What's Next?
- To set up CodeSign Protect to use keys stored on AWS CloudHSM, follow the steps in Setting up CodeSign Protect to use HSM keys.
- See the AWS CloudHSM PKCS #11 documentation for more information on AWS CloudHSM.