I'm having trouble with my AWS CloudHSM client or appliance. How do I collect CloudHSM logs, so I can troubleshoot these issues? 

Logs can help you troubleshoot issues with CloudHSM Classic, and they're especially helpful when working with AWS Support on an existing issue. Use these steps to collect the CloudHSM client "c_supportInfo.txt" file, the CloudHSM appliance "supportInfo.txt" file, and syslogs.

Collect CloudHSM supportInfo.txt files

1.    Create the "c_supportInfo.txt" file on each CloudHSM client device by running the following command:

$ vtl supportinfo

Example outcome: 'vtl supportInfo' completed. File "c_supportInfo.txt".

2.    After the "c_supportInfo.txt" file has been generated on the CloudHSM client, connect to each CloudHSM appliance and generate the "supportInfo.txt" file by running the following command:

$ ssh 10.0.1.10
lunash:>hsm supportInfo

Example outcome: 'hsm supportInfo' successful.

3.    After you have generated the "supportInfo.txt" file, use SCP from a client machine to copy the file, named supportInfo.txt, from each appliance by running the following commands:

$ scp manager@<IP-ADDRESS-HSM1>:supportInfo.txt ~/supportInfo-HSM1.txt
$ scp manager@<IP-ADDRESS-HSM2>:supportInfo.txt ~/supportInfo-HSM2.txt

4.    Provide each support file to AWS Support for further assistance. Here is some of the information provided in the "c_supportInfo.txt" and "supportInfo.txt" files.

Contents of c_supportInfo.txt file (retrieved from the HSM client):

  • CLIENT INFORMATION and DATE/TIME
  • CLIENT CHRYSTOKI CONFIGURATION FILE
  • CLIENT FILE CHECKS
  • CLIENT CERTIFICATE
  • REGISTERED SERVER CERTIFICATES
  • LOOKUP and PING HOST and REGISTERED SERVERS
  • INSTALLED LUNA SA CLIENT PACKAGES
  • HSM DUALPORT
  • BACKUP TOKEN DUALPORT
  • BACKUP TOKEN INFO AND POLICIES

Contents of supportInfo.txt file (retrieved from the HSM appliance):

  • HOST INFORMATION and DATE/TIME
  • HSM Details: HSM Label, Serial #, Firmware, Hardware Model, etc.
  • Partitions created on HSM
  • FIPS 140-2 Operation Status
  • HSM Storage Information (Bytes): Maximum HSM Storage Space, Space In Use, Free Space Left
  • HSM POLICIES, HSM PARTITIONS, AND PARTITION POLICIES
  • HSM LICENSES / HSM CAPABILITY LICENSES
  • HSM APPLIANCE CPU USAGE, NETSTAT, SYSLOG SETTINGS, DISK, MEMORY, NETWORK INFORMATION, RESOLV FILE, PACKAGES, CERT, NTLS BIND INFORMATION
  • HSM ISSUE (build) FILE
  • HSM Update Path
  • HSM APPLIANCE PROCESSES
  • LOADED CLIENT CERTS
  • CLIENT AUTHENTICATION DATABASE
  • Client Authenticate Configuration File

Collect syslogs from your CloudHSM appliance

The HSM appliance generates logs that can be exported via syslog. Syslogs can be used to audit security events, review appliance hardware events, and review logged errors. When troubleshooting an issue on your HSM appliance, AWS Support might request a copy of your appliance's syslogs to review. You can use the steps provided here to extract the HSM appliance's syslogs to provide to AWS Support.

1.    Connect to each CloudHSM appliance, and run the following command to generate the syslogs:

$ ssh <IP-ADDRESS-HSM>
lunash:> syslog tarlogs

2.    The command generates a tar file that contains the logs and makes it available via SCP under the file name 'logs.tgz'.

3.    From the CloudHSM client, use SCP to copy the logs.tgz files from each CloudHSM appliance to the CloudHSM client. You can gather these files by running commands similar to the following:

$ scp manager@<IP-ADDRESS-HSM1>:logs.tgz ~/logs-HSM1.tgz
$ scp manager@<IP-ADDRESS-HSM2>:logs.tgz ~/logs-HSM2.tgz

4.    From your workstation, use SCP to copy the syslogs logs.tgz files from the HSM client to your workstation in order to provide the logs to AWS Support for review. You can gather these files by running commands similar to the following:

$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM1.tgz ~/logs-HSM1.tgz
$ scp -i "privatekeyfile.pem" ec2-user@<CLIENT-PUBLIC-IP>:logs-HSM2.tgz ~/logs-HSM2.tgz

Following these steps will allow you to generate and retrieve the CloudHSM client's "c_supportInfo.txt" file, the HSM appliance's "supportInfo.txt" file, and syslogs, which you can provide to AWS Support for further assistance.
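An added example, not part of the original article: a shell function that checks the collected files before they are handed to AWS Support. It assumes the file names from the scp commands above all sit in one directory; `check_bundle` and `MANIFEST.sha256` are names chosen for this example.

```shell
#!/bin/sh
# Added example: sanity-check and inventory the collected CloudHSM support files.
# Assumed layout: one directory holding c_supportInfo.txt, supportInfo-HSM*.txt
# and logs-HSM*.tgz, as named in the scp commands in this article.

# Portable SHA-256 helper (sha256sum on Linux, shasum elsewhere).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# check_bundle DIR
# Writes DIR/MANIFEST.sha256 for every file that passes the checks.
# Returns non-zero if any file is empty or any logs archive is unreadable.
check_bundle() {
    dir=$1
    rc=0
    : > "$dir/MANIFEST.sha256"          # start a fresh manifest on every run
    for f in "$dir"/c_supportInfo.txt "$dir"/supportInfo-HSM*.txt "$dir"/logs-HSM*.tgz; do
        [ -e "$f" ] || continue         # glob matched nothing
        # The files list certificates, the client authentication database and
        # network details, so keep them readable by the owner only.
        chmod 600 "$f"
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f" >&2
            rc=1
            continue
        fi
        case $f in
            *.tgz)
                # A truncated scp transfer shows up as an unreadable archive.
                if ! tar -tzf "$f" >/dev/null 2>&1; then
                    echo "UNREADABLE ARCHIVE: $f" >&2
                    rc=1
                    continue
                fi
                ;;
        esac
        (cd "$dir" && sha256 "$(basename "$f")") >> "$dir/MANIFEST.sha256"
    done
    return $rc
}
```

Run `check_bundle ~/hsm-support` after the last scp step; a non-zero return means at least one file should be collected again.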


Published: 2017-09-06