How can I resolve connection issues between the CloudHSM client and the CloudHSM cluster?

Last updated: 2019-11-08

I want to troubleshoot and resolve connection issues between my AWS CloudHSM cluster and HSM client.

Resolution

Verify that the CloudHSM client package is installed

Application hosts must have the CloudHSM client software installed before they can communicate with the HSMs in your cluster. Verify that the CloudHSM client package is installed using one of the following commands:

Red Hat Enterprise Linux (RHEL) and Amazon Linux:

rpm -qa | grep cloudhsm

Ubuntu:

dpkg --list | grep cloudhsm

Windows PowerShell:

Get-Service -Name AWSCloudHSMClient

If the CloudHSM client software isn't installed, follow the instructions to install it. For Linux distributions, see Install and Configure the AWS CloudHSM Client (Linux). For Windows, see Install and Configure the AWS CloudHSM Client (Windows).

Verify the CloudHSM security group is associated with the CloudHSM client instance

When you create a cluster, CloudHSM automatically creates a security group named cloudhsm-cluster-clusterID-sg and associates it with the cluster. Its default inbound rule allows TCP ports 2223-2225 only from members of the same security group, so a client instance must be associated with this cluster security group to reach the HSM.

1.    Open the CloudHSM console, and choose Clusters.

2.    Choose the Cluster ID.

3.    In General configuration under Security group, note the cloudhsm-cluster-clusterID-sg security group ID.

4.    Open the Amazon EC2 console, and then choose Instances.

5.    Choose your Instance ID, and then choose the Description tab.

6.    Check the Security groups associated with the instance.

7.    If the cloudhsm-cluster-clusterID-sg security group ID isn't associated with the EC2 instance, follow the instructions to Connect the Amazon EC2 Instance to the AWS CloudHSM Cluster.

Verify the CloudHSM client daemon is running

If the CloudHSM client daemon is not running, then application hosts can't connect to the HSMs even when the package is installed and the security group is correct. Verify that the CloudHSM client daemon is running using one of the following commands:

Amazon Linux 2, CentOS 7, RHEL 7, and Ubuntu 16.04 LTS:

sudo systemctl is-active cloudhsm-client

CentOS 6, Amazon Linux, and RHEL 6:

sudo status cloudhsm-client

Windows PowerShell:

Get-Service -Name AWSCloudHSMClient | Format-Table DisplayName,Status -AutoSize

If the output shows the CloudHSM client daemon status as stopped or inactive, then follow the instructions to Start the AWS CloudHSM Client.

Update the client configuration file with the HSM ENI IP address

The client daemon bootstraps its connection from the HSM IP address stored in its configuration file. If the HSM that address pointed to was deleted and replaced (for example, after an HSM failure), the new HSM has a different ENI IP address and the client keeps trying the stale one. Confirm that the configured address matches a current HSM in the cluster:

1.    Open the CloudHSM console, and then choose Clusters.

2.    Choose Cluster ID.

3.    Choose the HSMs tab, and then note the ENI IP address of each HSM in the ACTIVE state.
Note: You can also use the AWS Command Line Interface (AWS CLI) describe-clusters command, which returns the same ENI IP addresses under Clusters[].Hsms[].EniIp.

4.    For instructions to update the client's configuration file with the ENI IP address from step 3, see Lost Connection to the Cluster.
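The checks above can be scripted for a Linux application host. The following is an added example and not AWS code or part of this article: it checks the package, the daemon, the cluster security group against the instance's own security groups, pulls the HSM ENI IP addresses from describe-clusters, and tests TCP reachability on ports 2223-2225. The embedded JSON is a constructed sample of describe-clusters output so the parsing can be exercised offline; the IMDSv2 calls, the package name cloudhsm-client, and the systemd unit name are taken from the article and public AWS documentation, and the port list is the cluster security group's default rule.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for CloudHSM client connectivity (Linux, Client SDK 3 daemon).
# Not AWS code. Run with --live on an EC2 application host that has the AWS CLI configured.
set -u

# TCP ports the CloudHSM client daemon uses to reach the HSM ENIs (cluster SG default rule).
HSM_PORTS="2223 2224 2225"

# Package list from whichever package manager exists (rpm on RHEL/Amazon Linux, dpkg on Ubuntu).
list_packages() {
    if command -v rpm >/dev/null 2>&1; then rpm -qa
    elif command -v dpkg-query >/dev/null 2>&1; then dpkg-query -W -f='${Package}\n'
    fi
}

# $1: a package listing. Succeeds if the cloudhsm-client package appears in it.
hsm_pkg_present() {
    printf '%s\n' "$1" | grep -qi 'cloudhsm-client'
}

# Succeeds if the systemd unit is active (upstart and Windows hosts: see the article).
hsm_daemon_active() {
    systemctl is-active --quiet cloudhsm-client
}

# Read 'aws cloudhsmv2 describe-clusters' JSON on stdin; print one HSM ENI IP per line.
extract_eni_ips() {
    grep -o '"EniIp": *"[^"]*"' | cut -d'"' -f4
}

# Read the same JSON on stdin; print the cluster security group ID(s).
extract_cluster_sg() {
    grep -o '"SecurityGroup": *"[^"]*"' | cut -d'"' -f4
}

# Security group IDs attached to this instance, looked up via IMDSv2 plus the EC2 API.
instance_security_groups() {
    local tok iid
    tok=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
             -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    iid=$(curl -s -H "X-aws-ec2-metadata-token: $tok" \
             http://169.254.169.254/latest/meta-data/instance-id)
    aws ec2 describe-instances --instance-ids "$iid" \
        --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text
}

# Succeeds if a TCP connection to host $1 port $2 opens within 3 seconds (bash /dev/tcp).
tcp_reachable() {
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
}

# Probe every HSM port on every ENI IP given as arguments; return 1 if any probe fails.
check_hsm_ports() {
    local ip port rc=0
    for ip in "$@"; do
        for port in $HSM_PORTS; do
            if tcp_reachable "$ip" "$port"; then echo "OK   $ip:$port"
            else echo "FAIL $ip:$port (security group, route, or stale client config?)"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample of describe-clusters output (not real cluster data), for offline use.
SAMPLE_JSON='{"Clusters":[{"ClusterId":"cluster-sample","SecurityGroup":"sg-sample",
 "Hsms":[{"HsmId":"hsm-a","EniIp":"10.0.1.10","State":"ACTIVE"},
         {"HsmId":"hsm-b","EniIp":"10.0.2.20","State":"ACTIVE"}]}]}'

# Live run: ./hsm_check.sh --live [cluster-id]
run_live() {
    local cluster="${1:-}" json ips sg
    hsm_pkg_present "$(list_packages)" || { echo "cloudhsm-client package not installed"; return 1; }
    hsm_daemon_active || echo "WARN: cloudhsm-client daemon is not active"
    json=$(aws cloudhsmv2 describe-clusters ${cluster:+--filters clusterIds="$cluster"})
    sg=$(printf '%s\n' "$json" | extract_cluster_sg | head -n1)
    instance_security_groups | grep -qw "$sg" || echo "WARN: instance lacks cluster SG $sg"
    ips=$(printf '%s\n' "$json" | extract_eni_ips)
    [ -n "$ips" ] || { echo "no HSM ENI IPs returned; is any HSM ACTIVE?"; return 1; }
    # shellcheck disable=SC2086
    check_hsm_ports $ips
}

if [ "${1:-}" = "--live" ]; then run_live "${2:-}"; fi
```

A FAIL on all three ports for every ENI IP usually means the instance is missing the cluster security group or has no route to the cluster subnets; a FAIL only for an IP that no longer appears in describe-clusters means the client configuration file still points at a replaced HSM, which is the case the Lost Connection to the Cluster page covers. The script does not rewrite the configuration file itself; that step is left to the documented procedure so the change is deliberate.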

For more information, see Troubleshooting AWS CloudHSM.