M of N authentication for signing/encrypting operations

0

Hello,

Reading the user guides to manage keys, I see it is possible to create keys that can only be used following the M of N Access Control (e.g. in https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-genRSAKeyPair.html). However, it seems the generation and provision of the token with the signatures of all the users required is only done via the key management client application.

Is this correct? Is there any other possibility that does not involve the interactive console based key management client? Looking into the Java library provided I don't see any class/method to manage the keys that includes anything about the M of N Access Control.

Best,
Jordi

JordiCJ
asked 5 years ago, 411 views
4 answers
0
Accepted answer

Hi JordiCJ,

> Reading the user guides to manage keys, I see it is possible to create keys that can only be used following the M of N Access Control (e.g. in https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-genRSAKeyPair.html). However, it seems the generation and provision of the token with the signatures of all the users required is only done via the key management client application.

That's true, the initial configuration of a new CloudHSM Cluster must be done using the CLI tools, but it's generally only ever done once per cluster, so we don't currently provide a mechanism to do this programmatically. That said, you can certainly script the process (note the 'singleCommand' directive in the Key Management Utility) but be careful about how you manage sensitive parameters. We don't recommend this generally.

> Is this correct? Is there any other possibility that does not involve the interactive console based key management client? Looking into the Java library provided I don't see any class/method to manage the keys that includes anything about the M of N Access Control.

Unfortunately, neither the standard Java JCA interface nor the PKCS#11 standard provide a reasonable way to manage quorum (MofN) operations. While it's possible for us to provide a utility library that could offer this functionality, feedback from customers has been that managing and using MofN keys is a predominantly "human" activity, thereby making the CLI the most natural tool for it. We recognize that some more sophisticated customers may want to build quorum functionality into custom applications directly, and we are working on some great new capabilities that, among other things, would allow customers to do exactly this. Keep an eye out for future announcements!

Thanks,
the CloudHSM team

answered 5 years ago
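The answer above points at scripting key_mgmt_util's single-command mode as the only non-interactive route, with a warning about sensitive parameters. As an added example (not code from the thread, the CloudHSM team, or AWS), the wrapper below shows what that script looks like for an M-of-N RSA key pair: the genRSAKeyPair flags (-m, -e, -l, -m_value, -u) are those documented on the page linked in the question; the binary path, the HSM_USER/HSM_PASSWORD variables, and the pre-flight quorum check are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from AWS: scripting key_mgmt_util in
# "singlecmd" mode to create an RSA key pair protected by an M-of-N quorum.
# The install path and the env variable names below are assumptions.
set -eu

KMU="${KMU:-/opt/cloudhsm/bin/key_mgmt_util}"   # assumed binary location

# mofn_genrsa_args LABEL M_VALUE [USER_ID...]
# Prints the genRSAKeyPair arguments, or fails before touching the HSM when
# the quorum could never be satisfied: the HSM accepts -m_value 0..8, and this
# script additionally refuses an M larger than the number of users the key is
# shared with via -u, since such a key could not be used by anyone.
mofn_genrsa_args() {
    label=$1; m=$2; shift 2
    n=$#
    case $m in ''|*[!0-9]*) echo "m_value must be a non-negative integer" >&2; return 1;; esac
    [ "$m" -le 8 ] || { echo "m_value must be 0..8, got $m" >&2; return 1; }
    [ "$m" -le "$n" ] || { echo "quorum of $m exceeds the $n users the key is shared with" >&2; return 1; }
    args="genRSAKeyPair -m 2048 -e 65537 -l $label -m_value $m"
    if [ "$n" -gt 0 ]; then
        ulist=$(IFS=,; printf '%s' "$*")    # -u takes a comma-separated list of user IDs
        args="$args -u $ulist"
    fi
    printf '%s\n' "$args"
}

# run_mofn_genrsa LABEL M_VALUE [USER_ID...]
# Logs in as a crypto user (CU) and creates the key in one non-interactive call.
# HSM_USER and HSM_PASSWORD are assumed to be injected by the caller's secret
# store. key_mgmt_util receives the password as a command-line argument, so it
# is visible in the host's process list while the command runs; that is the
# sensitive-parameter caveat from the answer, so never hard-code it in the
# script or type it into a shell whose history is kept.
run_mofn_genrsa() {
    args=$(mofn_genrsa_args "$@") || return 1
    # shellcheck disable=SC2086  # $args is intentionally word-split
    "$KMU" singlecmd loginHSM -u CU -s "$HSM_USER" -p "$HSM_PASSWORD" $args
}

# Example invocation: key labelled "signer", shared with users 3, 4 and 5,
# any two of whom must approve each signing operation.
# run_mofn_genrsa signer 2 3 4 5
```

Each signing operation with such a key still needs the approval token assembled from the M users, which the answer says is only produced by the interactive key management client; the script above only covers the key creation step.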
0

Thank you for your response!

We are probably one of those sophisticated users you mentioned. In our case we really need to have a utility library to do these operations, because the users of our product need to do (and some of them observe, for auditing purposes) these operations in an easy and understandable manner (both during the generation of the keys and their usage).

JordiCJ
answered 4 years ago
0

Thanks for writing. We want to explore your requirements in depth. Please send your contact information via a support case (you can open one through your AWS console), and we'll set up a call with you.

Sincerely,
Avni Rambhia
Product Manager, AWS CloudHSM

answered 4 years ago
0

Hello,

I am sorry to tell you that, despite having tried several times to contact customer service via a case, they do not want to send you my contact information in order to set up the call you would like to have to better understand our requirements.

Best,
Jordi.

JordiCJ
answered 4 years ago
