
User type

All. Login is not required.
listUsers (p. 134)  Gets the users in each of the HSMs, their user type and ID, and other attributes.  All. Login is not required.
loginHSM and logoutHSM (p. 136)  Log in and log out of an HSM.  All.
quit (p. 145)  Quits cloudhsm_mgmt_util.  All. Login is not required.
server (p. 140)  Enters and exits server mode on an HSM.  All.
registerQuorumPubKey (p. 138)  Associates an HSM user with an asymmetric RSA-2048 key pair.  CO
setAttribute (p. 142)  Changes the values of the label, encrypt, decrypt, wrap, and unwrap attributes of an existing key.  CU
shareKey (p. 145)  Shares an existing key with other users.  CU
syncKey (p. 148)  Syncs a key across cloned AWS CloudHSM clusters.  CU, CO
syncUser (p. 149)  Syncs a user across cloned AWS CloudHSM clusters.  CO

changePswd

The changePswd command in cloudhsm_mgmt_util changes the password of an existing user on the HSMs in the cluster.

Any user can change their own password. In addition, Crypto officers (COs and PCOs) can change the password of another CO or crypto user (CU). You do not need to enter the current password to make the change.

Note

You cannot change the password of a user who is currently logged into the AWS CloudHSM client or key_mgmt_util.

To troubleshoot changePswd

Before you run any CMU command, you must start CMU and log in to the HSM. Be sure that you log in with the user account type that can run the commands you plan to use.

If you add or delete HSMs, update the configuration files for CMU. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.

User type

The following users can run this command.

Reference

• Crypto officers (CO)

• Crypto users (CU)

Syntax

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To enable two-factor authentication (2FA) for a CO user, use the -2fa parameter and include a file path. For more information, see the section called “Arguments” (p. 114).

changePswd <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]

Examples

The following examples show how to use changePswd to reset the password for the current user or any other user in your HSMs.

Example : Change your password

Any user on the HSMs can use changePswd to change their own password. Before you change the password, use info (p. 132) to get information about each of the HSMs in the cluster, including the username and the user type of the logged in user.

The following output shows that Bob is currently logged in as a crypto user (CU).

aws-cloudhsm> info server 0
Id Name Hostname Port State Partition LoginState
0 10.1.9.193 10.1.9.193 2225 Connected hsm-jqici4covtv Logged in as 'bob(CU)'
aws-cloudhsm> info server 1
Id Name Hostname Port State Partition LoginState
1 10.1.10.7 10.1.10.7 2225 Connected hsm-ogi3sywxbqx Logged in as 'bob(CU)'

To change his password, Bob runs changePswd followed by the user type, user name, and a new password.

aws-cloudhsm> changePswd CU bob newPassword

*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. AWS does NOT synchronize these changes automatically with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
Changing password for bob(CU) on 2 nodes


Example : Change the password of another user

You must be a CO or PCO to change the password of another CO or CU on the HSMs. Before you change the password for another user, use the info (p. 132) command to confirm that your user type is either CO or PCO.

The following output confirms that Alice, who is a CO, is currently logged in.

aws-cloudhsm>info server 0

Alice wants to reset the password of another user, John. Before she changes the password, she uses the listUsers (p. 134) command to verify John's user type.

The following output lists John as a CO user.

aws-cloudhsm> listUsers


To change the password, Alice runs changePswd followed by John's user type, user name, and a new password.

aws-cloudhsm>changePswd CO john newPassword

*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. AWS does NOT synchronize these changes automatically with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
Changing password for john(CO) on 2 nodes

Arguments

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To enable 2FA for a CO user, use the -2fa parameter and include a file path. For more information about working with 2FA, see Managing 2FA (p. 70).

changePswd <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]

<user-type>

Specifies the current type of the user whose password you are changing. You cannot use changePswd to change the user type.

Valid values are CO, CU, PCO, and PRECO.

To get the user type, use listUsers (p. 134). For detailed information about the user types on an HSM, see Understanding HSM users (p. 59).

Required: Yes

<user-name>

Specifies the user's friendly name. This parameter is not case-sensitive. You cannot use changePswd to change the user name.

Required: Yes

<password | -hpswd>

Specifies a new password for the user. Enter a string of 7 to 32 characters. This value is case-sensitive. The password appears in plaintext when you type it. To hide your password, use the -hpswd parameter in place of the password and follow the prompts.

Required: Yes

[-2fa </path/to/authdata>]

Specifies enabling 2FA for this CO user. To get the data necessary for setting up 2FA, include a path to a location in the file system with a file name after the -2fa parameter. For more information about working with 2FA, see Managing 2FA (p. 70).

Required: No

Related topics

• info (p. 132)


• listUsers (p. 134)

• createUser (p. 115)

• deleteUser (p. 118)

createUser

The createUser command in cloudhsm_mgmt_util creates a user on the HSMs. Only crypto officers (COs and PCOs) can run this command. When the command succeeds, it creates the user in all HSMs in the cluster.

To troubleshoot createUser

If your HSM configuration is inaccurate, the user might not be created on all HSMs. To add the user to any HSMs in which it is missing, use the syncUser (p. 149) or createUser (p. 115) command only on the HSMs that are missing that user. To prevent configuration errors, run the configure (p. 238) tool with the -m option.

Before you run any CMU command, you must start CMU and log in to the HSM. Be sure that you log in with the user account type that can run the commands you plan to use.

If you add or delete HSMs, update the configuration files for CMU. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.

User type

The following types of users can run this command.

• Crypto officers (CO, PCO)

Syntax

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To create a CO user with two-factor authentication (2FA), use the -2fa parameter and include a file path. For more information, see the section called “Arguments” (p. 117).

createUser <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]

Examples

These examples show how to use createUser to create new users in your HSMs.

Example : Create a crypto officer

This example creates a crypto officer (CO) on the HSMs in a cluster. The first command uses loginHSM (p. 136) to log in to the HSM as a crypto officer.

aws-cloudhsm> loginHSM CO admin 735782961
loginHSM success on server 0(10.0.0.1)
loginHSM success on server 1(10.0.0.2)
loginHSM success on server 1(10.0.0.3)

The second command uses the createUser command to create alice, a new crypto officer on the HSM.

The caution message explains that the command creates users on all of the HSMs in the cluster. But, if the command fails on any HSMs, the user will not exist on those HSMs. To continue, type y.


The output shows that the new user was created on all three HSMs in the cluster.

aws-cloudhsm> createUser CO alice 391019314

*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. AWS does NOT synchronize these changes automatically with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?Invalid option, please type 'y' or 'n'
Do you want to continue(y/n)?y
Creating User alice(CO) on 3 nodes

When the command completes, alice has the same permissions on the HSM as the admin CO user, including changing the password of any user on the HSMs.

The final command uses the listUsers (p. 134) command to verify that alice exists on all three HSMs in the cluster. The output also shows that alice is assigned user ID 3. You use the user ID to identify alice in other commands, such as findAllKeys (p. 120).

aws-cloudhsm> listUsers

Example : Create a crypto user

This example creates a crypto user (CU), bob, on the HSM. Crypto users can create and manage keys, but they cannot manage users.


After you type y to respond to the caution message, the output shows that bob was created on all three HSMs in the cluster. The new CU can log in to the HSM to create and manage keys.

The command used a password value of defaultPassword. Later, bob or any CO can use the changePswd (p. 111) command to change his password.

aws-cloudhsm> createUser CU bob defaultPassword

*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. AWS does NOT synchronize these changes automatically with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?Invalid option, please type 'y' or 'n'
Do you want to continue(y/n)?y
Creating User bob(CU) on 3 nodes

Arguments

Enter the arguments in the order specified in the syntax diagram. Use the -hpswd parameter to mask your password. To create a CO user with 2FA enabled, use the -2fa parameter and include a file path.

For more information about 2FA, see Managing 2FA (p. 70).

createUser <user-type> <user-name> <password |-hpswd> [-2fa </path/to/authdata>]

<user-type>

Specifies the type of user. This parameter is required.

For detailed information about the user types on an HSM, see Understanding HSM users (p. 59).

Valid values:

CO: Crypto officers can manage users, but they cannot manage keys.

CU: Crypto users can create and manage keys and use keys in cryptographic operations.

PCO, PRECO, and preCO are also valid values, but they are rarely used. A PCO is functionally identical to a CO user. A PRECO user is a temporary type that is created automatically on each HSM. The PRECO is converted to a PCO when you assign a password during HSM activation (p. 31).

Required: Yes

<user-name>

Specifies a friendly name for the user. The maximum length is 31 characters. The only special character permitted is an underscore ( _ ).

You cannot change the name of a user after it is created. In cloudhsm_mgmt_util commands, the user type and password are case-sensitive, but the user name is not.

Required: Yes

<password | -hpswd>

Specifies a password for the user. Enter a string of 7 to 32 characters. This value is case-sensitive.

The password appears in plaintext when you type it. To hide your password, use the -hpswd parameter in place of the password and follow the prompts.


To change a user password, use changePswd (p. 111). Any HSM user can change their own password, but CO users can change the password of any user (of any type) on the HSMs.

Required: Yes

[-2fa </path/to/authdata>]

Specifies the creation of a CO user with 2FA enabled. To get the data necessary for setting up 2FA authentication, include a path to a location in the file system with a file name after the -2fa parameter. For more information about setting up and working with 2FA, see Managing 2FA (p. 70).

Required: No

Related topics

• listUsers (p. 134)

• deleteUser (p. 118)

• syncUser (p. 149)

• changePswd (p. 111)

deleteUser

The deleteUser command in cloudhsm_mgmt_util deletes a user from the hardware security modules (HSMs). Only crypto officers (CO) can run this command. You cannot delete a user who is currently logged into an HSM. For more information about deleting users, see How to Delete HSM Users (p. 69).

Tip

You can't delete crypto users (CU) that own keys.

User type

The following types of users can run this command.

• CO

Syntax

Because this command does not have named parameters, you must enter the arguments in the order specified in the syntax diagram.

deleteUser <user-type> <user-name>

Example

This example deletes a crypto officer (CO) from the HSMs in a cluster. The first command uses listUsers (p. 134) to list all users on the HSMs.

The output shows that user 3, alice, is a CO on the HSMs.

aws-cloudhsm> listUsers
Users on server 0(10.0.0.1):
Number of users found:3
User Id User Type User Name MofnPubKey LoginFailureCnt 2FA

The second command uses the deleteUser command to delete alice from the HSMs.

The output shows that the command succeeded on all three HSMs in the cluster.

aws-cloudhsm> deleteUser CO alice
Deleting user alice(CO) on 3 nodes
deleteUser success on server 0(10.0.0.1)
deleteUser success on server 0(10.0.0.2)
deleteUser success on server 0(10.0.0.3)

The final command uses the listUsers command to verify that alice is deleted from all three of the HSMs on the cluster.

Number of users found:2
User Id User Type User Name MofnPubKey LoginFailureCnt 2FA
1 PCO admin YES 0 NO
2 AU app_user NO 0 NO
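The troubleshooting notes for createUser and deleteUser say a user can end up present on some HSMs and absent on others. As an added example, not part of the AWS documentation, the following Python parses captured listUsers output in the format shown above, reports users that are missing from any HSM, and flags crypto officers without 2FA and accounts with failed logins. The sample output is constructed, and the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the listUsers output format shown above: alice exists on server 0 only (drift syncUser repairs).
SAMPLE_LISTUSERS = """\
aws-cloudhsm> listUsers
Users on server 0(10.0.0.1):
Number of users found:3
User Id User Type User Name MofnPubKey LoginFailureCnt 2FA
1 PCO admin YES 0 NO
2 AU app_user NO 0 NO
3 CO alice NO 2 NO
Users on server 1(10.0.0.2):
Number of users found:2
User Id User Type User Name MofnPubKey LoginFailureCnt 2FA
1 PCO admin YES 0 NO
2 AU app_user NO 0 NO
"""

SERVER_RE = re.compile(r"Users on server (\d+)\(([\d.]+)\):")
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(YES|NO)\s+(\d+)\s+(YES|NO)$")

@dataclass
class HsmUser:
    user_id: int
    user_type: str
    name: str
    mofn_pubkey: bool      # MofnPubKey column: a quorum public key is registered
    login_failures: int    # LoginFailureCnt column
    two_fa: bool           # 2FA column

def parse_list_users(text):
    """Return {server id: {user name (lower-cased): HsmUser}}."""
    servers, current = {}, None
    for line in text.splitlines():
        hdr, row = SERVER_RE.search(line), ROW_RE.match(line.strip())
        if hdr:                      # search(): the prompt may share the line with the header
            current = servers.setdefault(int(hdr[1]), {})
        elif row and current is not None:
            u = HsmUser(int(row[1]), row[2], row[3], row[4] == "YES", int(row[5]), row[6] == "YES")
            current[u.name.lower()] = u   # CMU user names are not case-sensitive
    return servers

def users_missing_on_servers(servers):
    """Return {user name: [server ids where that user is absent]} for users not on every HSM."""
    names = set().union(*servers.values())
    missing = {n: sorted(sid for sid, users in servers.items() if n not in users) for n in names}
    return {n: sids for n, sids in sorted(missing.items()) if sids}

def audit_users(servers):
    """Defender checks: crypto officers without 2FA, and any non-zero login failure count."""
    findings = []
    for sid, users in sorted(servers.items()):
        for u in users.values():
            if u.user_type in ("CO", "PCO") and not u.two_fa:
                findings.append(f"server {sid}: {u.name} ({u.user_type}) has no 2FA")
            if u.login_failures:
                findings.append(f"server {sid}: {u.name} has {u.login_failures} failed logins")
    return findings
```

A user reported by users_missing_on_servers is the case the text describes: run syncUser, or createUser on only the HSMs that lack the user.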

Arguments

Because this command does not have named parameters, you must enter the arguments in the order specified in the syntax diagram.

deleteUser <user-type> <user-name>

<user-type>

Specifies the type of user. This parameter is required.

Tip

You can't delete crypto users (CU) that own keys.

Valid values are CO and CU.

To get the user type, use listUsers (p. 134). For detailed information about the user types on an HSM, see Understanding HSM users (p. 59).

Required: Yes

<user-name>

Specifies a friendly name for the user. The maximum length is 31 characters. The only special character permitted is an underscore ( _ ).

You cannot change the name of a user after it is created. In cloudhsm_mgmt_util commands, the user type and password are case-sensitive, but the user name is not.

Required: Yes

Related topics

• listUsers (p. 134)

• createUser (p. 115)

• syncUser (p. 149)

• changePswd (p. 111)

findAllKeys

The findAllKeys command in cloudhsm_mgmt_util gets the keys that a specified crypto user (CU) owns or shares. It also returns a hash of the user data on each of the HSMs. You can use the hash to determine at a glance whether the users, key ownership, and key sharing data are the same on all HSMs in the cluster. In the output, the keys owned by the user are annotated by (o) and shared keys are annotated by (s).

findAllKeys returns public keys only when the specified CU owns the key, even though all CUs on the HSM can use any public key. This behavior is different from findKey (p. 171) in key_mgmt_util, which returns public keys for all CU users.


Only crypto officers (COs and PCOs) and appliance users (AUs) can run this command. Crypto users (CUs) can run the following commands:

• listUsers (p. 134) to find all users

• findKey (p. 171) in key_mgmt_util to find the keys that they can use

• getKeyInfo (p. 200) in key_mgmt_util to find the owner and shared users of a particular key they own or share

Before you run any CMU command, you must start CMU and log in to the HSM. Be sure that you log in with the user account type that can run the commands you plan to use.

If you add or delete HSMs, update the configuration files for CMU. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.

User type

The following users can run this command.

• Crypto officers (CO, PCO)

• Appliance users (AU)

Syntax

Because this command does not have named parameters, you must enter the arguments in the order specified in the syntax diagram.

findAllKeys <user id> <key hash (0/1)> [<output file>]

Examples

These examples show how to use findAllKeys to find all keys for a user and get a hash of key user information on each of the HSMs.

Example : Find the keys for a CU

This example uses findAllKeys to find the keys in the HSMs that user 4 owns and shares. The command uses a value of 0 for the second argument to suppress the hash value. Because it omits the optional file name, the command writes to stdout (standard output).

The output shows that user 4 can use 6 keys: 8, 9, 17, 262162, 19, and 31. The output uses an (s) to indicate keys that are explicitly shared by the user. The keys that the user owns are indicated by an (o) and include symmetric and private keys that the user does not share, and public keys that are available to all crypto users.

aws-cloudhsm> findAllKeys 4 0
Keys on server 0(10.0.0.1):
Number of keys found 6
number of keys matched from start index 0::6 8(s),9(s),17,262162(s),19(o),31(o)
findAllKeys success on server 0(10.0.0.1)
Keys on server 1(10.0.0.2):
Number of keys found 6
number of keys matched from start index 0::6 8(s),9(s),17,262162(s),19(o),31(o)
findAllKeys success on server 1(10.0.0.2)
Keys on server 1(10.0.0.3):
Number of keys found 6
number of keys matched from start index 0::6 8(s),9(s),17,262162(s),19(o),31(o)
findAllKeys success on server 1(10.0.0.3)

Example : Verify that user data is synchronized

This example uses findAllKeys to verify that all of the HSMs in the cluster contain the same users, key ownership, and key sharing values. To do this, it gets a hash of the key user data on each HSM and compares the hash values.

To get the key hash, the command uses a value of 1 in the second argument. The optional file name is omitted, so the command writes the key hash to stdout.

The example specifies user 6, but the hash value will be the same for any user that owns or shares any of the keys on the HSMs. If the specified user does not own or share any keys, such as a CO, the command does not return a hash value.

The output shows that the key hash is identical on both of the HSMs in the cluster. If one of the HSMs had different users, different key owners, or different shared users, the key hash values would not be equal.

aws-cloudhsm> findAllKeys 6 1
Keys on server 0(10.0.0.1):
Number of keys found 3
number of keys matched from start index 0::3 8(s),9(s),11,17(s)
number of keys matched from start index 0::3 8(s),9(s),11(o),17(s)
Key Hash:
55655676c95547fd4e82189a072ee1100eccfca6f10509077a0d6936a976bd49
findAllKeys success on server 1(10.0.0.2)

This command demonstrates that the hash value represents the user data for all keys on the HSM. The command uses findAllKeys for user 3. Unlike user 6, who owns or shares just 3 keys, user 3 owns or
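As an added example that is not part of the AWS documentation, the following Python parses captured findAllKeys <user id> 1 output in the format shown above and compares the Key Hash and the key counts across the HSMs, which is the synchronization check this section describes. The sample output is constructed, with server 1's hash deliberately different from server 0's; the function names are my own.

```python
import re

# Constructed sample in the findAllKeys <user id> 1 output format shown above; server 1's hash is made up to differ.
SAMPLE_FINDALLKEYS = """\
aws-cloudhsm> findAllKeys 6 1
Keys on server 0(10.0.0.1):
Number of keys found 4
number of keys matched from start index 0::4 8(s),9(s),11(o),17(s)
Key Hash:
55655676c95547fd4e82189a072ee1100eccfca6f10509077a0d6936a976bd49
findAllKeys success on server 0(10.0.0.1)
Keys on server 1(10.0.0.2):
Number of keys found 4
number of keys matched from start index 0::4 8(s),9(s),11(o),17(s)
Key Hash:
0000000000000000000000000000000000000000000000000000000000000000
findAllKeys success on server 1(10.0.0.2)
"""

SERVER_RE = re.compile(r"Keys on server (\d+)\(([\d.]+)\):")
COUNT_RE = re.compile(r"^Number of keys found (\d+)$")
LIST_RE = re.compile(r"^number of keys matched from start index \d+::\d+\s+(\S+)$")
KEY_RE = re.compile(r"(\d+)(?:\(([os])\))?")   # handle with optional (o) owned / (s) shared tag; untagged -> 'other'
HASH_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_find_all_keys(text):
    """Return {server id: {'ip', 'count', 'owned', 'shared', 'other', 'hash'}}."""
    servers, cur, want_hash = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            servers[int(m[1])] = cur = {"ip": m[2], "count": None, "owned": [], "shared": [], "other": [], "hash": None}
        elif cur is None:
            continue              # the prompt line precedes the first server block
        elif COUNT_RE.match(line):
            cur["count"] = int(COUNT_RE.match(line)[1])
        elif LIST_RE.match(line):
            for handle, tag in KEY_RE.findall(LIST_RE.match(line)[1]):
                cur[{"o": "owned", "s": "shared", "": "other"}[tag]].append(int(handle))
        elif line == "Key Hash:":
            want_hash = True
        elif want_hash:
            if not HASH_RE.match(line):
                raise ValueError(f"malformed key hash {line!r}")
            cur["hash"], want_hash = line, False
    return servers

def check_sync(servers):
    """(in_sync, problems): every HSM must report the same hash and a count matching its key list."""
    problems = []
    for sid, s in sorted(servers.items()):
        listed = len(s["owned"]) + len(s["shared"]) + len(s["other"])
        if s["count"] != listed:
            problems.append(f"server {sid}: reported {s['count']} keys but listed {listed}")
    if len({s["hash"] for s in servers.values()}) > 1:   # a None hash (user has no keys) also mismatches
        problems.append("key hash differs across HSMs: " + ", ".join(
            f"server {sid}={s['hash']}" for sid, s in sorted(servers.items())))
    return not problems, problems
```

A hash mismatch means the users, key ownership or key sharing data differ on at least one HSM, which is when syncUser or syncKey is needed.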
