Understanding AWS CloudHSM Cluster Synchronization
AWS CloudHSM provides fully managed, single-tenant hardware security modules (HSMs) in the AWS cloud. A CloudHSM cluster contains either one or multiple HSMs. Multiple HSMs support higher throughput levels for cryptographic operations and provide redundancy. For clusters with multiple HSMs, the CloudHSM service supports server-side automated synchronization of keys and policies. Users, however, are synchronized from the client-side and the synchronization is driven by configuration files which
In this blog post, I’ll provide a general overview of a CloudHSM architecture, discuss the cluster synchronization process, build a CloudHSM environment, show how the cluster users can become unsynchronized, and then restore user synchronization to bring your cluster back to a consistent state to meet your needs for consistency and redundancy.
CloudHSM Architectural Overview
When you provision an HSM instance in CloudHSM, the HSM instance provides an elastic network interface (ENI) in your Amazon VPC while the HSM itself resides in a separate VPC managed by AWS CloudHSM. Your applications use the CloudHSM cluster ID to add or remove HSMs from the cluster and the ENI(s) of the HSM instance(s) to access the HSM instances.
You configure your cluster and its HSM instances using CloudHSM client software you deploy on Amazon EC2 instances in your VPC. You only need one such EC2 instance to manage a CloudHSM cluster, but it’s common to deploy additional EC2 instances in other availability zones to provide for client redundancy. Your applications communicate with the HSM instances using the client daemon. You manage and configure the cluster with command line tools including cloudhsm_mgmt_util, key_mgmt_util, and configure. An example of a CloudHSM architecture appears below.
The diagram shows a three-node CloudHSM cluster deployed in the us-west-2 (Oregon) region with three Amazon EC2 instances with the CloudHSM software. The client in Availability Zone 2 is communicating with the cluster through the elastic network interfaces in each availability zone.
CloudHSM Synchronization Process
Having discussed the architecture of AWS CloudHSM, let’s turn our attention to the matter of cluster synchronization. There are three events that require synchronization: cluster expansion, key management operations, and user management operations. Let’s look at each of these in more detail.
Cluster Expansion
When you add an HSM to an existing cluster, AWS CloudHSM clones all users, keys, and policies from another HSM in the cluster. No additional steps are required on your part.
Key Management Operations
Key management with the key_mgmt_util tool uses the CloudHSM client to communicate with the HSM cluster. Additionally, a fallback, HSM-based synchronization protocol keeps keys in sync.
User Management
You perform user management tasks, such as adding users or changing passwords, using the cloudhsm_mgmt_util tool. This tool communicates directly with the HSMs, bypassing the client daemon. cloudhsm_mgmt_util uses its own configuration files to determine the HSMs that it should connect to within the cluster. These configuration files aren’t updated dynamically when HSM instances are added. To prevent user synchronization errors, you must update the configuration files before running cloudhsm_mgmt_util. You must also not add new HSM instances to the cluster while you’re using the tool. This helps ensure that no HSM instances are accidentally left out of user updates that would in turn result in user synchronization problems.
Again, these safeguards are only necessary when using cloudhsm_mgmt_util. For all other applications and utilities using CloudHSM, the client daemon automatically reconfigures itself as you add and remove HSM instances from your cluster. In the remainder of this post, I will build a CloudHSM infrastructure as shown in the above diagram. I’ll then show you how users on your CloudHSM instances can become unsynchronized, and how to restore proper synchronization.
Prerequisites and Assumptions
- You’ll need to have an AWS account that allows you to provision Amazon VPCs, Amazon EC2 instances, and CloudHSMs.
- I’ll use the us-west-2 (Oregon) region, but you can use any region that offers CloudHSM.
- You’ll need an Amazon EC2 key pair in the region.
- You should have a working knowledge of the services I’ve mentioned.
Important: You’ll incur charges for the resources used in this example. You can find the cost of each service on that service’s pricing page.
Building a CloudHSM Infrastructure
- Create an Amazon VPC with subnets in the us-west-2a, us-west-2b, and us-west-2c availability zones. I’ll use the Amazon VPC Architecture Quick Start, which is an AWS CloudFormation template that will do this on your behalf. Make sure you select the correct region after you load the Quick Start. Select the following parameters:
  - Availability Zones: us-west-2a, us-west-2b, us-west-2c
  - Number of Availability Zones: 3
  - Create private subnets: False
  - Create additional private subnets with dedicated network ACLs: False
  - Key pair name: the name of your Amazon EC2 key pair
Accept the default values for all other parameters.
- Follow these instructions to create a CloudHSM cluster in your new VPC in the us-west-2a, us-west-2b and us-west-2c availability zones. Note that the cluster will not have any HSMs after it’s created.
- Follow these instructions to initialize the cluster with an HSM in the us-west-2a availability zone. After the cluster is initialized, note the ENI IP address from the cluster details section in the console as shown here:
- Launch an Amazon Linux or Ubuntu EC2 instance. From the instance dashboard, note the public IP of the instance as shown below.
- Install the client software on the EC2 instance you launched in step 4.
- Add the IP of the EC2 instance that you identified in step 4 to the security group you identified in step 3.
- Activate the cluster. The activation instructions will guide you through connecting to the EC2 instance you launched in step 4. Remain logged into the EC2 instance following the activation of the cluster for the steps below.
- While you are still logged into the EC2 instance you just launched, follow the steps below to add a crypto user named example_user to the cluster:
- Ensure the CloudHSM daemon is stopped:
$ sudo stop cloudhsm-client
- Configure the IP address of the initial HSM using the ENI IP address from step 3:
$ sudo /opt/cloudhsm/bin/configure -a 10.0.129.209
Note: the configure tool updates two configuration files: one for the CloudHSM client, and the other for the cloudhsm_mgmt_util program that is used to administer users.
- Start the CloudHSM client:
$ sudo start cloudhsm-client
- Ensure the cloudhsm_mgmt_util configuration file is up to date. We need to do this to ensure cloudhsm_mgmt_util is aware of all the HSM instances in the cluster:
$ sudo /opt/cloudhsm/bin/configure -m
- Connect to the HSM instances, enable end-to-end encryption, and log in to the HSM instances. Enabling end-to-end encryption encrypts the communication between cloudhsm_mgmt_util and the HSM to prevent interception of sensitive information such as passwords:
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm> enable_e2e
aws-cloudhsm> loginHSM CO admin
Note: The connection or log in is automatically executed on every HSM instance that cloudhsm_mgmt_util is aware of. Note also that for each of the commands that you enter, the cloudhsm_mgmt_util program identifies the IP address of the HSM to which it is communicating.
- Add the user example_user and then confirm the addition by listing the users in the HSM:
aws-cloudhsm> createUser CU example_user yourpassword
aws-cloudhsm> listUsers
- Use the quit command to log out and exit the program:
aws-cloudhsm> quit
- Now that we’ve added a user to the CloudHSM, let’s add a key so we can see how users and keys are synchronized as the cluster changes.
- Start the key_mgmt_util program:
$ /opt/cloudhsm/bin/key_mgmt_util
- Log in to the HSM:
Command: loginHSM -u CU -s example_user
- Now, generate the key:
Command: genSymKey -t 31 -s 32 -l aes256
- Display the keys in the cluster:
Command: findKey
Notice that key_mgmt_util displays the node id to which it is communicating.
- Use the exit command to leave the program:
exit
- Add another HSM to the cluster in the us-west-2b availability zone and note the ENI IP address from the cluster details section in the console, as shown here:
- Update the cluster configuration files and use cloudhsm_mgmt_util to examine the user configuration:
$ sudo stop cloudhsm-client
$ sudo /opt/cloudhsm/bin/configure -a 10.0.129.209
$ sudo start cloudhsm-client
$ sudo /opt/cloudhsm/bin/configure -m
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm> enable_e2e
aws-cloudhsm> loginHSM CO admin
Note that cloudhsm_mgmt_util now sends commands to both of the HSMs in the cluster. You can see the same thing when we list the users in the cluster.
- Now, use key_mgmt_util to examine the keys:
Command: findKey
This command confirms that when we added the second HSM, CloudHSM used cluster-initiated synchronization to load the users and keys into the new HSM.
The CloudHSM Cluster Users Become Unsynchronized
- Start cloudhsm_mgmt_util and enable end-to-end encryption:
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm> enable_e2e
- While cloudhsm_mgmt_util is left running, add a third HSM in us-west-2c through the console and note the ENI IP address, as shown here:
- Going back to cloudhsm_mgmt_util, let’s add a user named newest_user to our cluster. Note that we have not exited cloudhsm_mgmt_util and refreshed its configuration file. So it’s still connected only to the first two HSM instances.
aws-cloudhsm> enable_e2e
aws-cloudhsm> loginHSM CO admin yourpassword
aws-cloudhsm> createUser CU newest_user yourpassword
The cloudhsm_mgmt_util command adds the user to the two HSMs it already knows about and had connected to. It doesn’t communicate with the newly added HSM.
- Let’s fix this by exiting cloudhsm_mgmt_util. Refresh the configuration, and then run the management utility again.
$ sudo stop cloudhsm-client
$ sudo /opt/cloudhsm/bin/configure -a 10.0.129.209
$ sudo start cloudhsm-client
$ sudo /opt/cloudhsm/bin/configure -m
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm> enable_e2e
aws-cloudhsm> loginHSM CO admin
You can now see cloudhsm_mgmt_util is communicating with all of the cluster nodes.
- Let’s see what happens when we list the users:
aws-cloudhsm> listUsers
You can see from the results that one of the HSMs (server 1) is missing the user named newest_user. The reason this happened is that cloudhsm_mgmt_util was unaware of the HSM instance that was added while it was running (recall that cloudhsm_mgmt_util doesn’t use the cloudhsm_client daemon and, therefore, doesn’t get automatic cluster configuration updates).
Restoring User Synchronization to the CloudHSM Cluster
We now want to add the user newest_user to the single HSM (server 1) that is out of sync. Normally, cloudhsm_mgmt_util works in cluster mode and applies your commands to all HSMs in the cluster. Since we want to work on a single HSM, we’re going to enter the server command to tell cloudhsm_mgmt_util to work in server mode and apply our commands just to that one HSM.
- In the server command below, we specify the number of the HSM that we want to change based on the figure above. In the createUser command, you must use the same password that you used in step 3 (in the section titled “The CloudHSM Cluster Users Become Unsynchronized”) on the other HSMs in the cluster so that all HSMs in the cluster have identical user names and passwords. After we make this change, we use the exit command to transition from server mode back to cluster mode.
aws-cloudhsm> server 1
server1> createUser CU newest_user yourpassword
exit
- Now that we have transitioned back to cluster mode, let’s confirm that the HSM user tables are now synchronized by listing the users:
aws-cloudhsm> listUsers
- Let’s take a look at the keys using key_mgmt_util:
Command: loginHSM -u CU -s example_user -p yourpassword
Command: findKey
You can see that CloudHSM kept the keys in sync because key synchronization is cluster-initiated. No additional actions are required on our part.
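The drift above was spotted by eye. An added check of my own (not part of the original post or of the CloudHSM tooling) automates it: it parses a listUsers transcript, reports which user entries each HSM is missing, and so names the server index to pass to the server command before repeating createUser there. The transcript below is constructed, its layout follows the Client SDK 3 cloudhsm_mgmt_util output as I recall it, and the IP addresses are made up; adjust the two regular expressions if your version prints the table differently.

```python
import re

# Constructed listUsers output for a three-HSM cluster in which server 1 never
# received createUser for newest_user (the scenario in this post). The layout is
# an assumption based on Client SDK 3 output; the IPs are made up.
SAMPLE_LISTUSERS = """\
aws-cloudhsm>listUsers
Users on server 0(10.0.129.209):
Number of users found:3
    User Id    User Type    User Name       MofnPubKey    LoginFailureCnt    2FA
         1     PCO          admin           NO            0                  NO
         2     CU           example_user    NO            0                  NO
         3     CU           newest_user     NO            0                  NO
Users on server 1(10.0.146.88):
Number of users found:2
    User Id    User Type    User Name       MofnPubKey    LoginFailureCnt    2FA
         1     PCO          admin           NO            0                  NO
         2     CU           example_user    NO            0                  NO
Users on server 2(10.0.171.12):
Number of users found:3
    User Id    User Type    User Name       MofnPubKey    LoginFailureCnt    2FA
         1     PCO          admin           NO            0                  NO
         2     CU           example_user    NO            0                  NO
         3     CU           newest_user     NO            0                  NO
"""

SERVER_RE = re.compile(r"^Users on server (\d+)\((\S+)\):")
USER_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)")  # user id, user type, user name


def parse_list_users(output):
    """Map each HSM's server index to the set of (user type, user name) on it."""
    users = {}
    current = None
    for line in output.splitlines():
        header = SERVER_RE.match(line)
        if header:
            current = int(header.group(1))
            users[current] = set()
            continue
        row = USER_RE.match(line)
        if row and current is not None:
            users[current].add((row.group(1), row.group(2)))
    return users


def user_drift(users):
    """Entries present on some HSM but absent from a server; the key is the
    index to give the `server N` command before repeating createUser there."""
    expected = set().union(*users.values()) if users else set()
    return {srv: sorted(f"{t} {n}" for t, n in expected - present)
            for srv, present in users.items() if expected - present}
```

Pipe the real transcript in instead of SAMPLE_LISTUSERS; an empty result means every HSM carries the same user table.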
Conclusion
AWS CloudHSM provides the ability to create scalable clusters of HSM instances to support the high volumes of cryptographic operations and provide resiliency by supporting multiple availability zones. As mentioned, it’s important to be aware of the various modes of synchronization used in CloudHSM so that each HSM can provide consistent service. In particular, users are synchronized only by the client. Since cloudhsm_mgmt_util doesn’t rely on the client daemon to talk to HSM instances in your cluster, it doesn’t automatically update its configuration. By following the steps above and refreshing the configuration information before changing users or passwords, CloudHSM will keep users and passwords synchronized within the cluster and provide consistent responses to cryptographic operations if the level of redundancy within the HSM cluster changes.