Appendix A - Restoring an HSM Backup to a New Instance

Follow the steps below to restore an HSM from a backup to a new node:

  1. Click on CloudHSM in the Services section of the AWS Console and find the existing cluster for the HSM you want to restore. AWS CloudHSM is only billing if there is an HSM in the active cluster.
  2. Select the link to the cluster that contains the HSM material to restore.
  3. Click Create HSM and step through the wizard to create a new cluster by selecting the Subnet/AZ for the HSM.
  4. Once completed it will take some time for AWS to create the HSM. During this time the state will be "Create in progress".
  5. Once complete the HSM state will be active. Click the refresh button to refresh the status.
  6. Ensure the appropriate security group for the HSM created is assigned to the EJBCA Enterprise Cloud Instance.  For more information, see Assigning the Security Group to the EJBCA Instance.
  7. SSH into your EJBCA instance with your SSH key using the following command syntax:
    # ssh -i ~/Documents/my-ssh.pem ec2-user@ec2-my-public-ec2-ip.compute-1.amazonaws.com
  8. Ensure that the certificate that is used to authenticate with the CloudHSM resides at:
    # /opt/cloudhsm/etc/customerCA.crt
  9. Stop the CloudHSM client using one of the following commands:
    # sudo stop cloudhsm-client
    or
    # sudo service cloudhsm-client stop
  10. Configure the CloudHSM client with the following command replacing 172.16.2.37 with the IP address of your HSMCluster:
    # sudo /opt/cloudhsm/bin/configure -a 172.16.2.37
  11. Copy any public key certificates used with EJBCA in the past to the following directory (EJBCA will not be able to read any keys in CloudHSM without the matching public certificate that was created with it):
    # /opt/ejbca/.liquidsec/
  12. Start the CloudHSM client with the following command:
    # sudo start cloudhsm-client
    or
    # sudo service cloudhsm-client start
  13. Update the cloudhsm_mgmt_util Configuration File
    # sudo /opt/cloudhsm/bin/configure -m
  14. Start cloudhsm_mgmt_util to ensure you can connect to the HSM
    # /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
  15. Restart Wildfly with the following command:
    # sudo systemctl restart wildfly
    or
    # sudo service wildfly restart