How can I resolve the error "RET_MXN_AUTH_FAILED" with the cloudhsm_mgmt_util command for CloudHSM?

Last updated: 2019-09-06

The cloudhsm_mgmt_util command line tool for my AWS CloudHSM cluster returns an error similar to the following:

RET_MXN_AUTH_FAILED

How can I resolve this?

Short Description

This error means that no M of N authentication was provided. M of N is quorum-based authentication, meaning that at least 2 users must sign a token to run a command. This makes sure that a single user can't cause incorrect activity on the CloudHSM cluster. For more information, see Enforcing Quorum Authentication (M of N Access Control).

The listUsers command indicates that the MofnPubKey value is set to NO.

aws-cloudhsm>listUsers
Users on server 0(172.31.21.34):
Number of users found:6
    User Id        User Type    User Name     MofnPubKey    LoginFailureCnt     2FA
         1            CO        admin           NO               0               NO
         2            AU        app_user        NO               0               NO
         3            CU        cryptouser      NO               0               NO
         4            CO        admin1          NO               0               NO
         5            CO        palmep          NO               0               NO
         6            CU        user1           NO               0               NO

This indicates that no users have a public key that can sign quorum tokens. CO (crypto officer) users must register the public key using the registerMofnPubKey command for the CloudHSM cluster. For more information, see Create and Register a Key for Signing.

Resolution

Run the getMValue command on the CloudHSM cluster. Use the parameter 3 to return the value for commands under service 3. This service covers the createUser, deleteUser, and changePswd commands.

aws-cloudhsm>getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]

In this example, the value on each HSM server in the cluster is 2. This value can't be lowered below 2, but it can be raised. If this value was enabled by accident, you can restore it from an older CloudHSM cluster backup. To resolve the error, the number of users specified in the getMValue output must create and register an asymmetric key. A quorum token must then be retrieved and signed by the number of users specified in the getMValue output. For instructions, see Using Quorum Authentication for Crypto Officers: First Time Setup.
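
The check described above can be run over captured tool output. The following Python script is an added example, not part of the original article or of AWS tooling: it parses the listUsers and getMValue output shown on this page and reports how many more signing keys must be registered before a quorum is possible. It assumes that a registered key appears as YES in the MofnPubKey column, that only CO users count as signers, and the function names are hypothetical.

```python
import re

# Captured cloudhsm_mgmt_util output, copied from the examples on this page.
LIST_USERS = """\
Users on server 0(172.31.21.34):
Number of users found:6
    User Id        User Type    User Name     MofnPubKey    LoginFailureCnt     2FA
         1            CO        admin           NO               0               NO
         2            AU        app_user        NO               0               NO
         3            CU        cryptouser      NO               0               NO
         4            CO        admin1          NO               0               NO
         5            CO        palmep          NO               0               NO
         6            CU        user1           NO               0               NO
"""
GET_MVALUE = """\
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
"""

# Assumption: a registered signing key is displayed as YES in MofnPubKey.
USER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(YES|NO)\s+(\d+)\s+(YES|NO)\s*$")
MVALUE_ROW = re.compile(r"MValue of service (\d+)\[(\w+)\] on server (\d+) : \[(\d+)\]")

def parse_users(text):
    """Return one dict per user row of a listUsers table; other lines are skipped."""
    users = []
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            users.append({"id": int(m[1]), "type": m[2], "name": m[3],
                          "mofn_key": m[4] == "YES"})
    return users

def parse_mvalues(text):
    """Return {server_number: M} from getMValue output."""
    return {int(m[3]): int(m[4]) for m in MVALUE_ROW.finditer(text)}

def quorum_gap(users, mvalues):
    """Compare COs holding a registered key with the highest M reported by any server."""
    signers = [u["name"] for u in users if u["type"] == "CO" and u["mofn_key"]]
    required = max(mvalues.values(), default=0)
    return {"signers": signers, "required": required,
            "missing": max(0, required - len(signers))}

if __name__ == "__main__":
    print(quorum_gap(parse_users(LIST_USERS), parse_mvalues(GET_MVALUE)))
```

A nonzero "missing" value means that too few CO users have run registerMofnPubKey for a quorum token to collect the required signatures.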

