How can I resolve the error "RET_MXN_AUTH_FAILED" with the cloudhsm_mgmt_util command for CloudHSM?
Last updated: 2021-03-05
The cloudhsm_mgmt_util command line tool for my AWS CloudHSM cluster returns an error similar to the following:
How can I resolve this?
This error means that there is no M of N authentication provided. M of N is a quorum-based authentication, meaning that at least two users must sign a token to run a command. This makes sure that a single user can't cause incorrect activity on the CloudHSM cluster. For more information, see Managing quorum authentication (M of N access control).
The listUsers command indicates that the MofnPubKey value is set to NO.
aws-cloudhsm>aws-cloudhsm>listUsers Users on server 0(172.31.21.34): Number of users found:6 User Id User Type User Name MofnPubKey LoginFailureCnt 2FA 1 CO admin NO 0 NO 2 AU app_user NO 0 NO 3 CU cryptouser NO 0 NO 4 CO admin1 NO 0 NO 5 CO palmep NO 0 NO 6 CU user1 NO 0 NO
This indicates that no users have a public key that can sign quorum tokens. CO (crypto officer) users must register the public key using the registerMofnPubKey command for the CloudHSM cluster. For more information, see Create and register a key for signing.
Run the getMValue command on the CloudHSM cluster. Use the parameter 3 to indicate the value for commands under service 3. This operation uses createuser, deleteUser, and changePswd.
aws-cloudhsm>getMValue 3 MValue of service 3[USER_MGMT] on server 0 :  MValue of service 3[USER_MGMT] on server 1 : 
In this example, the value for the HSM servers for the cluster is 2. This value can't be lowered below 2, but the value can be raised. If this value is enabled by accident, you can restore it from an older CloudHSM cluster backup. To resolve this, you must create and register an asymmetric key with the number of users specified in the getMValue. You must then retrieve and sign a quorum token by the number of users specified in the getMValue. For instructions, see Using quorum authentication for crypto officers: first-time setup.