aws-samples / aws-cloudhsm-jce-examples

Sample applications demonstrating how to use the CloudHSM JCE
MIT No Attribution

Question: Need clarifications AWS Cloud HSM architecture #64

Open arjunballa opened 1 year ago

arjunballa commented 1 year ago

I am not sure if this is the right forum.

My apologies for the long post.

I read in the AWS docs that, when keys are generated using the Java keytool, the certificates are stored in a local store file and the actual private key material is stored in CloudHSM.

Generate keypair with a certificate without store file

```shell
keytool -genkeypair -alias alias1 -dname "CN=alias1.example.com, OU=Research, O=Acme, L=XYZ, ST=CA, C=US" -storepass password -keyalg rsa -keysize 2048 -sigalg sha512withrsa -validity 360 -storetype CLOUDHSM -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib
```

Is there a default location where the default local store file is created?

When I execute the list command using the Java keytool, I get all the keys I added, and somehow it is able to access the default store file.

Listing all aliases without a store file

```shell
keytool -list -v -storetype CLOUDHSM -storepass password -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib/
```

If I generate keys passing the -keystore option, then the certificate is stored in the store file as expected.

Generate keypair with a certificate with a store file

```shell
keytool -genkeypair -alias alias1 -keystore /home/user/my_cloudhsm/my-cloudhsm.store -dname "CN=alias1.example.com, OU=Research, O=Acme, L=XYZ, ST=CA, C=US" -storetype CLOUDHSM -storepass password -keyalg rsa -keysize 2048 -sigalg sha512withrsa -validity 360 -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib
```

Listing all aliases with a store file

```shell
keytool -list -keystore /home/user/akana_cloudhsm/eap-cloudhsm.store -v -storetype CLOUDHSM -storepass password -J-classpath '-J/opt/cloudhsm/java/*' -J-Djava.library.path=/opt/cloudhsm/lib/
```

But when I execute the list command with the -keystore option, it returns all the aliases from all the keystores. I am expecting keys only from my-cloudhsm.store.

Why is this happening?

I downloaded my-cloudhsm.store and opened it in KeyStore Explorer, and I see symmetric keys, trusted certs and public-private key pairs all in that store file. As per the documentation, I should see only certificates corresponding to key pairs and any imported trusted certificates.

I am also able to export the private key from the store file, but as expected the private key is not complete.

(Screenshot: symmetric keys, trusted certs and public-private key pairs shown in KeyStore Explorer)

(Screenshot: exporting the private key)

(Screenshot: the exported private key is not complete)

My understanding is that CloudHSM maintains a local store file with references to all the items added, including asymmetric key pairs and symmetric keys, but the actual key material is stored in CloudHSM.

If this is correct, then if I have 3 applications running on 3 different machines accessing CloudHSM, does this local file need to be synced on all 3 machines, or should I copy the store file to an external file system and mount that onto all 3 machines?

Questions

  1. Why/how does list return all aliases from all the store files even when a particular file is passed?
  2. Does the Java integration with CloudHSM work only with a store file (some input stream)? I cannot have different applications read directly from CloudHSM without syncing the store file.
  3. Is there an inbuilt mechanism to sync the store file on all machines?
  4. Is it a good idea to have a dedicated machine to manage keys (generate, delete) and sync the store file to all the applications?
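The behaviour the question describes can be checked from Java directly: the HSM-backed KeyStore can be loaded with no local file at all, and whatever it enumerates then comes from the HSM rather than from a .store file. This is an added example, not code from this repository or from the issue author; it assumes the CloudHSM JCE provider is installed and registered and that its KeyStore type is "CloudHSM" (provider and type names are assumptions to check against the SDK version in use).

```java
import java.security.KeyStore;
import java.util.Enumeration;

// Added example: list what the CloudHSM-backed KeyStore reports with no local store file.
// Assumption: the CloudHSM JCE provider is already registered and exposes a KeyStore
// of type "CloudHSM" (name is an assumption; compare with -storetype used by keytool).
public class ListHsmAliases {

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("CloudHSM");

        // A null input stream means "no local certificate file": entries are read
        // straight from the HSM. Contrast this with ks.load(new FileInputStream(...), pw),
        // which only adds the certificates held in that file.
        ks.load(null, null);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind;
            if (ks.isKeyEntry(alias)) {
                // Key material never leaves the HSM; the provider returns a handle object.
                kind = "key entry (material in HSM)";
            } else if (ks.isCertificateEntry(alias)) {
                kind = "trusted certificate";
            } else {
                kind = "unknown entry type";
            }
            System.out.printf("%-32s %s%n", alias, kind);
        }
    }
}
```

Running this on each of the three application hosts shows whether key aliases are visible without any shared .store file; only certificate entries depend on a local file.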
tstiemerling commented 11 months ago

Is there any reason you need a key store? CloudHSM is really only designed to use a key store for integration with server TLS.