Changing the CloudHSM PRECO password fails with the error "Deletion or Changing password of a logged in User is denied." How do I change my PRECO password?

Last updated: October 10, 2019

After logging in to AWS CloudHSM for the first time to change the precrypto officer (PRECO) password, you receive an error similar to the following:

aws-cloudhsm>changePswd PRECO admin test1234
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. Cav server does NOT synchronize these changes with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Changing password for admin(PRECO) on 2 nodes
changePswd failed: HSM Error: Deletion or Changing password of a logged in User is denied
Changing password on node 0(172.31.3.131) failed

Short description

This issue occurs with:

  • A new CloudHSM cluster, because you can't create other users or reset your password.
  • Misconfigured HSM data after using the configure tool (cloudhsm_mgmt_util.cfg).

Note: If the instance was previously set up with a CloudHSM cluster, it might already have a cloudhsm_mgmt_util.cfg file installed.

Running the /opt/cloudhsm/bin/configure -a IP_address command appends the IP address to the file instead of removing the old entry. As a result, the configuration file contains a duplicate IP address, and the cloudhsm_mgmt_util command opens two sessions to the same CloudHSM.

In this example, note the duplicate entries in the misconfigured cloudhsm_mgmt_util.cfg file.

{
    "scard": {
        "certificate": "cert-sc",
        "enable": "no",
        "pkey": "pkey-sc",
        "port": 2225
    },
    "servers": [
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        },
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        }
    ]
}

Note: New instances don't have the cloudhsm_mgmt_util.cfg file issue.

Resolution

To resolve this issue, remove the extra entry from the cloudhsm_mgmt_util.cfg file. Then reconnect to the CloudHSM cluster and change the PRECO password.
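The following is an added example, not an AWS tool and not part of the original article: a small Python script that detects the duplicate "servers" entries described above and produces a cleaned copy of the configuration. It assumes the file is the JSON layout shown in the example above and keys duplicates on hostname and port; the sample configuration embedded in it is constructed for the demonstration.

```python
import json
from copy import deepcopy

# Constructed sample of a misconfigured cloudhsm_mgmt_util.cfg: the same HSM
# (172.31.3.131) is listed twice, so cloudhsm_mgmt_util would open two sessions.
SAMPLE_CFG = """
{
    "scard": {"certificate": "cert-sc", "enable": "no", "pkey": "pkey-sc", "port": 2225},
    "servers": [
        {"hostname": "172.31.3.131", "name": "172.31.3.131", "port": 2225, "enable": "yes"},
        {"hostname": "172.31.3.131", "name": "172.31.3.131", "port": 2225, "enable": "yes"}
    ]
}
"""


def find_duplicate_servers(cfg):
    """Return the (hostname, port) pairs that appear more than once in 'servers'."""
    counts = {}
    for entry in cfg.get("servers", []):
        key = (entry.get("hostname"), entry.get("port"))
        counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n > 1]


def dedupe_servers(cfg):
    """Return a copy of cfg keeping only the first entry for each (hostname, port)."""
    cleaned = deepcopy(cfg)
    kept, seen = [], set()
    for entry in cfg.get("servers", []):
        key = (entry.get("hostname"), entry.get("port"))
        if key in seen:
            continue  # drop the duplicate session definition
        seen.add(key)
        kept.append(deepcopy(entry))
    cleaned["servers"] = kept
    return cleaned


def dedupe_config_text(text):
    """Parse config text, remove duplicate HSM entries; return (cleaned JSON text, duplicates)."""
    cfg = json.loads(text)
    duplicates = find_duplicate_servers(cfg)
    return json.dumps(dedupe_servers(cfg), indent=4), duplicates


if __name__ == "__main__":
    # To clean a real file, read /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg instead
    # of SAMPLE_CFG and write the result back after keeping a backup.
    cleaned_text, duplicates = dedupe_config_text(SAMPLE_CFG)
    print("duplicate HSM entries:", duplicates)
    print(cleaned_text)
```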
