The PRECO password for CloudHSM fails with the error "Deletion or Changing password of a logged in User is denied." How can I change my PRECO password?

Last updated: 2021-01-14

After the initial AWS CloudHSM log in to change the precrypto officer (PRECO) password, I receive an error similar to the following:

aws-cloudhsm>changePswd PRECO admin test1234
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. Cav server does NOT synchronize these changes with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Changing password for admin(PRECO) on 2 nodes
changePswd failed: HSM Error: Deletion or Changing password of a logged in User is denied
Changing password on node 0(172.31.3.131) failed

Short description

This issue occurs with:

New CloudHSM clusters, because you can't create additional users or reset your password.
Misconfigured HSM data after using the Configure Tool (cloudhsm_mgmt_util.cfg).

Note: If the instance was previously set up with a CloudHSM cluster, it can already have a cloudhsm_mgmt_util.cfg file installed.

Running the /opt/cloudhsm/bin/configure -a IP_address command adds the IP address in the file directory instead of removing older entries. This means that the config file has a duplicate IP address, and the cloudhsm_mgmt_util command creates two sessions to the same CloudHSM.

In this example, note the duplicate entry of a misconfigured cloudhsm_mgmt_util.cfg file.

{
    "scard": {
        "certificate": "cert-sc",
        "enable": "no",
        "pkey": "pkey-sc",
        "port": 2225
    },
    "servers": [
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        },
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        }
    ]
}

Note: New instances won't have issues with the cloudhsm_mgmt_util.cfg file.

Resolution

To resolve the issue, delete the extra entry in the cloudhsm_mgmt_util.cfg file. Then, reconnect to the CloudHSM cluster and change the PRECO password.

Related information

Precrypto Officer (PRECO)

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support