The cloudhsm_mgmt_util command line tool for my AWS CloudHSM cluster returns an error similar to the following:

RET_MXN_AUTH_FAILED

How can I resolve this?

This error means that the command requires M of N authentication and none was provided. M of N is quorum-based authentication: a command runs only after at least M users (where M is at least 2) have signed a token approving it. This ensures that a single user can't cause incorrect activity on the CloudHSM cluster. For more information, see Enforcing Quorum Authentication (M of N Access Control).

In the listUsers output, the MofnPubKey column is NO for every user.

aws-cloudhsm>listUsers
Users on server 0(172.31.21.34):
Number of users found:6
    User Id        User Type    User Name     MofnPubKey    LoginFailureCnt     2FA
         1            CO        admin           NO               0               NO
         2            AU        app_user        NO               0               NO
         3            CU        cryptouser      NO               0               NO
         4            CO        admin1          NO               0               NO
         5            CO        palmep          NO               0               NO
         6            CU        user1           NO               0               NO

This indicates that no user has registered a public key, so no one can sign quorum tokens. Each CO (crypto officer) user who takes part in the quorum must register a public key for the CloudHSM cluster using the registerMofnPubKey command. For more information, see Create and Register a Key for Signing.

Run the getMValue command with parameter 3 to see the M value for service 3 (USER_MGMT), which covers the user-management commands createUser, deleteUser, and changePswd.

aws-cloudhsm>getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]

In this example, M is 2 on both HSMs in the cluster. The M value can be raised, but it can't be lowered below 2. If quorum authentication for this service was enabled by accident, you can revert by restoring the cluster from an older CloudHSM backup. To resolve the error, at least M CO users (2 in this example) must each create an asymmetric key pair and register the public key. Then, to run a quorum-controlled command, retrieve a quorum token and have M of those users sign it. For instructions, see Using Quorum Authentication for Crypto Officers: First Time Setup.
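The following script is an added example and is not part of the AWS article. It shows the offline part of the quorum setup described above: each CO generates an RSA key pair (the public half is what gets registered for the user), the token is signed with each CO's private key, and a quorum check counts how many valid signatures are present against M=2. The token file is a constructed stand-in for the file the HSM's getToken command produces, and the signature format (SHA-256 over the token file with the RSA private key via openssl dgst) is assumed for illustration; the CloudHSM cluster itself performs the real verification when the signed token is approved.

```shell
#!/bin/sh
# Added example (not from the AWS page): offline steps of M of N quorum setup.
# The token below is a constructed stand-in for the file that getToken writes.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
M=2                                  # value reported by getMValue 3 in the article
TOKEN="$WORKDIR/token.txt"
printf 'constructed quorum token for service 3 (USER_MGMT)\n' > "$TOKEN"

# Generate a 2048-bit RSA key pair for one crypto officer; $1 is the CO user name.
# The .pub file is the public key the CO would register for quorum signing.
gen_officer_key() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORKDIR/$1.key" -pubout -out "$WORKDIR/$1.pub" 2>/dev/null
}

# Sign the token file $2 with officer $1's private key (SHA-256, RSA PKCS#1 v1.5).
sign_token() {
    openssl dgst -sha256 -sign "$WORKDIR/$1.key" -out "$WORKDIR/$1.sig" "$2"
}

# Verify officer $1's signature over token $2 against that officer's public key.
# Exit status 0 means valid; a missing signature file or a tampered token fails.
verify_sig() {
    openssl dgst -sha256 -verify "$WORKDIR/$1.pub" \
        -signature "$WORKDIR/$1.sig" "$2" >/dev/null 2>&1
}

# Print how many of the named officers hold a valid signature on token $1.
count_quorum() {
    token=$1; shift; n=0
    for officer in "$@"; do
        if verify_sig "$officer" "$token"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeed only when at least $1 (the M value) officers have validly signed token $2.
quorum_ok() {
    m=$1; shift
    [ "$(count_quorum "$@")" -ge "$m" ]
}

# Three CO users from the listUsers output register keys; only two sign, which
# still meets M=2. A fourth signature would not be needed, a single one fails.
for officer in admin admin1 palmep; do gen_officer_key "$officer"; done
sign_token admin "$TOKEN"
sign_token admin1 "$TOKEN"

if quorum_ok "$M" "$TOKEN" admin admin1 palmep; then
    echo "quorum met: $(count_quorum "$TOKEN" admin admin1 palmep) valid signatures, M=$M"
else
    echo "RET_MXN_AUTH_FAILED: fewer than M=$M valid signatures"
fi
```

Note that the HSM only accepts signatures from keys that were registered for the user beforehand, so the order matters: register every participating CO's public key first, then retrieve and sign the token. Any change to the token after signing, or a signature from a CO whose key was never registered, does not count toward M.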


Published: 2018-08-31