The PRECO password for CloudHSM fails with the error "Deletion or Changing password of a logged in User is denied." How can I change my PRECO password?
Last updated: 2021-01-14
When I log in to a new AWS CloudHSM cluster for the first time to change the precrypto officer (PRECO) password, I receive an error similar to the following:
aws-cloudhsm>changePswd PRECO admin test1234
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster.
Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)? y
Changing password for admin(PRECO) on 2 nodes
changePswd failed: HSM Error: Deletion or Changing password of a logged in User is denied
Changing password on node 0(172.31.3.131) failed
Short description
This issue occurs with:
- New CloudHSM clusters. PRECO is the only user on a new cluster, and you can't create additional users or reset the password until the PRECO password has been changed, so there is no other user to log in as.
- A misconfigured cloudhsm_mgmt_util.cfg file left behind after running the configure tool on an instance that was already set up for a cluster.
Note: If the instance was previously set up with a CloudHSM cluster, it can already have a cloudhsm_mgmt_util.cfg file installed.
Running the /opt/cloudhsm/bin/configure -a IP_address command appends the IP address to the servers list in that file instead of replacing the older entries. The config file then contains the same IP address twice, and cloudhsm_mgmt_util opens two sessions to the same HSM. The HSM sees the PRECO user as logged in on one session while the password change arrives on the other, and refuses it with the "logged in User" error shown above.
In this example, note the duplicate server entry in a misconfigured cloudhsm_mgmt_util.cfg file:
{
    "scard": {
        "certificate": "cert-sc",
        "enable": "no",
        "pkey": "pkey-sc",
        "port": 2225
    },
    "servers": [
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        },
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        }
    ]
}
Note: A fresh instance that has never been configured for a cluster starts with a clean cloudhsm_mgmt_util.cfg file and won't have this problem.
Resolution
To resolve the issue, remove the duplicate server entry from the cloudhsm_mgmt_util.cfg file so that each HSM's IP address appears only once under "servers". Then start cloudhsm_mgmt_util again, log in as PRECO, and change the PRECO password with changePswd.
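The following Python script is an added example and is not part of this article or of the CloudHSM tooling. It checks a cloudhsm_mgmt_util.cfg file for the duplicate-server condition described above and rewrites the file with one entry per HSM endpoint, taking a backup first. The default path /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg and the embedded sample config are assumptions made for the example; the sample reproduces the misconfiguration shown above with the same IP listed twice.

```python
import json
import os
import shutil
import sys
import tempfile

# Assumed default location of the CMU config file (an assumption of this
# example; pass a different path on the command line if yours differs).
CFG_PATH = "/opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg"

# Constructed sample reproducing the misconfiguration: one HSM listed twice.
SAMPLE_CFG = {
    "scard": {"certificate": "cert-sc", "enable": "no", "pkey": "pkey-sc", "port": 2225},
    "servers": [
        {"hostname": "172.31.3.131", "name": "172.31.3.131", "port": 2225, "enable": "yes"},
        {"hostname": "172.31.3.131", "name": "172.31.3.131", "port": 2225, "enable": "yes"},
    ],
}


def server_key(server):
    """Identity of an HSM endpoint: hostname plus port."""
    return (server.get("hostname"), server.get("port"))


def duplicate_servers(cfg):
    """Return the (hostname, port) pairs listed more than once under 'servers'."""
    counts = {}
    for server in cfg.get("servers", []):
        key = server_key(server)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def dedupe_servers(cfg):
    """Return a copy of cfg keeping only the first entry for each (hostname, port)."""
    kept, seen = [], set()
    for server in cfg.get("servers", []):
        key = server_key(server)
        if key in seen:
            continue  # a second session to the same HSM is what triggers the error
        seen.add(key)
        kept.append(server)
    fixed = dict(cfg)
    fixed["servers"] = kept
    return fixed


def fix_config_file(path):
    """Back up path to path + '.bak', rewrite it without duplicate servers,
    and return the list of duplicates that were removed (empty if none)."""
    with open(path) as f:
        cfg = json.load(f)
    dups = duplicate_servers(cfg)
    if not dups:
        return []
    shutil.copy2(path, path + ".bak")
    mode = os.stat(path).st_mode & 0o777
    # Write to a temp file and rename so a failure cannot leave a half-written config.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cmu-cfg-")
    with os.fdopen(fd, "w") as f:
        json.dump(dedupe_servers(cfg), f, indent=4)
        f.write("\n")
    os.chmod(tmp, mode)
    os.replace(tmp, path)
    return dups


if __name__ == "__main__":
    if len(sys.argv) > 1:
        removed = fix_config_file(sys.argv[1])
        print("removed duplicates:", removed or "none")
    else:
        # No path given: show the check against the constructed sample.
        print("duplicates in sample:", duplicate_servers(SAMPLE_CFG))
        print(json.dumps(dedupe_servers(SAMPLE_CFG), indent=4))
```

Run it as `python fix_cmu_cfg.py /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg` (with the permissions needed to write that file), then start cloudhsm_mgmt_util, log in as PRECO and run changePswd again. The script keys endpoints on hostname and port rather than the "name" field, since "name" is a label and two entries with different names can still point at the same HSM.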