After the initial AWS CloudHSM login, when you try to change the precrypto officer (PRECO) password, you might receive an error similar to the following:

aws-cloudhsm>changePswd PRECO admin test1234
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. Cav server does NOT synchronize these changes with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Changing password for admin(PRECO) on 2 nodes
changePswd failed: HSM Error: Deletion or Changing password of a logged in User is denied
Changing password on node 0(172.31.3.131) failed

This issue might occur with:

  • New CloudHSM clusters, because you can't create additional users or reset your password.
  • Misconfigured HSM data after using the Configure Tool (cloudhsm_mgmt_util.cfg).

Note: If the instance was previously set up with a CloudHSM cluster, it might already have a cloudhsm_mgmt_util.cfg file installed.

Running the /opt/cloudhsm/bin/configure -a <IP_address> command appends the IP address to the configuration file instead of replacing the older entries. As a result, the config file contains a duplicate IP address, and cloudhsm_mgmt_util opens two sessions to the same HSM.

Note the duplicate entry in this example of a misconfigured cloudhsm_mgmt_util.cfg file.

{
    "scard": {
        "certificate": "cert-sc",
        "enable": "no",
        "pkey": "pkey-sc",
        "port": 2225
    },
    "servers": [
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        },
        {
            "CAfile": "",
            "CApath": "/opt/cloudhsm/etc/certs",
            "certificate": "/opt/cloudhsm/etc/client.crt",
            "e2e_encryption": {
                "enable": "yes",
                "owner_cert_path": "/opt/cloudhsm/etc/customerCA.crt"
            },
            "enable": "yes",
            "hostname": "172.31.3.131",
            "name": "172.31.3.131",
            "pkey": "/opt/cloudhsm/etc/client.key",
            "port": 2225,
            "server_ssl": "yes",
            "ssl_ciphers": ""
        }
    ]
}

Note: New instances shouldn't have issues with the cloudhsm_mgmt_util.cfg file.

To resolve the issue, delete the extra entry in the cloudhsm_mgmt_util.cfg file. You should now be able to reconnect and change the PRECO password.
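The check and cleanup described above can be automated. The following Python script is an added example, not AWS code: it loads a cloudhsm_mgmt_util.cfg file, reports any HSM (hostname plus port) that is listed more than once under "servers", keeps only the first entry for each HSM, backs up the original file, and rewrites it. The sample configuration embedded in the script is a trimmed, constructed copy of the duplicated entries shown above, and the default file path /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg is an assumption about where the Configure Tool writes the file on a client instance.

```python
import json
import shutil
import sys
from pathlib import Path

# Constructed sample modelled on the misconfigured file shown above: the same
# HSM (172.31.3.131:2225) appears twice under "servers". Fields that do not
# affect the duplicate check were left out to keep the sample short.
SAMPLE_CFG = {
    "scard": {"certificate": "cert-sc", "enable": "no", "pkey": "pkey-sc", "port": 2225},
    "servers": [
        {"enable": "yes", "hostname": "172.31.3.131", "name": "172.31.3.131",
         "port": 2225, "server_ssl": "yes"},
        {"enable": "yes", "hostname": "172.31.3.131", "name": "172.31.3.131",
         "port": 2225, "server_ssl": "yes"},
    ],
}

# Assumed location of the file written by /opt/cloudhsm/bin/configure.
DEFAULT_CFG_PATH = "/opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg"


def server_key(server):
    """Identity of a server entry: the HSM it connects to (hostname and port)."""
    return (server.get("hostname"), server.get("port"))


def find_duplicate_servers(cfg):
    """Return the (hostname, port) pairs listed more than once, sorted."""
    counts = {}
    for server in cfg.get("servers", []):
        key = server_key(server)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def dedupe_servers(cfg):
    """Return (new_cfg, removed): a copy of cfg that keeps only the first
    entry for each HSM, and the number of duplicate entries dropped."""
    seen = set()
    kept = []
    removed = 0
    for server in cfg.get("servers", []):
        key = server_key(server)
        if key in seen:
            removed += 1
            continue
        seen.add(key)
        kept.append(server)
    new_cfg = dict(cfg)
    new_cfg["servers"] = kept
    return new_cfg, removed


def fix_config_file(path):
    """Remove duplicate server entries from the JSON config at path.

    A copy of the original is saved with a .bak suffix before the file is
    rewritten. Returns the number of entries removed (0 means untouched)."""
    cfg_path = Path(path)
    cfg = json.loads(cfg_path.read_text())
    new_cfg, removed = dedupe_servers(cfg)
    if removed:
        shutil.copy2(cfg_path, cfg_path.with_suffix(cfg_path.suffix + ".bak"))
        cfg_path.write_text(json.dumps(new_cfg, indent=4) + "\n")
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CFG_PATH
    for host, port in find_duplicate_servers(json.loads(Path(target).read_text())):
        print(f"duplicate server entry: {host}:{port}")
    print(f"removed {fix_config_file(target)} duplicate server entries from {target}")
```

Run it as root (or as a user that can write the file) on the client instance before reconnecting with cloudhsm_mgmt_util; the .bak copy lets you restore the original if the cluster IPs were not what you expected.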



Published: 2018-10-29