Follow the steps below to restore an HSM from a backup to a new node:

  1. Open CloudHSM from the Services section of the AWS Console and find the existing cluster that owns the HSM you want to restore. AWS only bills for CloudHSM while a cluster contains an HSM, which is why a cluster may have been left with no HSMs and only its backups.
  2. Select the link to the cluster that contains the HSM material to restore.
  3. Click Create HSM and step through the wizard to create a new HSM in that cluster, selecting the Subnet/AZ for the HSM. Because the cluster already has a backup, AWS initializes the new HSM from the cluster's most recent backup, so its users and keys come back without any manual import.
  4. AWS takes some time to create the HSM; during this period the state is "Create in progress".
  5. When creation is complete the HSM state changes to Active. Click the refresh button to update the status.
  6. Ensure the security group AWS created for the cluster is assigned to the EJBCA Enterprise Cloud instance; without it the client on the instance cannot reach the HSM. For more information, see Assigning the Security Group to the EJBCA Instance.
  7. SSH into your EJBCA instance with your SSH key, using the following command syntax (replace the key path and host name with your own):

    # ssh -i ~/Documents/my-ssh.pem ec2-user@ec2-my-public-ec2-ip.compute-1.amazonaws.com
  8. Ensure that the customer CA certificate (the CA that issued the cluster certificate) resides at the following path. The CloudHSM client uses it to verify the HSM it connects to, so the client will not connect to the new HSM without it:

    /opt/cloudhsm/etc/customerCA.crt
  9. Stop the CloudHSM client using one of the following commands (Upstart or SysV init, depending on the instance):

    # sudo stop cloudhsm-client
    or
    # sudo service cloudhsm-client stop
  10. Configure the CloudHSM client with the following command, replacing 172.16.2.37 with the IP address of the HSM you just created (the ENI address shown for the HSM in the cluster's details):

    # sudo /opt/cloudhsm/bin/configure -a 172.16.2.37

    Step 11 applies only to EJBCA installations older than EJBCA 7.5.0. Newer installations use P11NG and no longer ship the liquidsec libraries for the integration, so skip step 11 on those.

  11. Copy any public key certificates previously used with EJBCA into the following directory. EJBCA cannot use a key in CloudHSM without the matching public certificate that was created with it, so any key whose certificate is missing here stays invisible to EJBCA even though the backup restored it:

    /opt/ejbca/.liquidsec/
  12. Start the CloudHSM client with one of the following commands:

    # sudo start cloudhsm-client
    or
    # sudo service cloudhsm-client start
  13. Update the cloudhsm_mgmt_util configuration file so that it points at the new HSM:

    # sudo /opt/cloudhsm/bin/configure -m
  14. Start cloudhsm_mgmt_util to confirm that it connects to the HSM, then exit the tool:

    # /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
  15. Restart WildFly so EJBCA reconnects to the HSM through the reconfigured client, using one of the following commands:

    # sudo systemctl restart wildfly
    or
    # sudo service wildfly restart
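The host-side part of the procedure (steps 8 to 15) gathered into one script, as an added example; this is not code from the original page, from EJBCA or from AWS. It assumes SysV-style "service" commands, the CloudHSM client installed under /opt/cloudhsm, and, for pre-7.5.0 installations, that the previously used public certificates were saved in a directory named by the hypothetical variable CERT_BACKUP_DIR. The three check functions (IPv4 validation for step 10, customer CA certificate check for step 8, version check for the step 11 condition) run anywhere; the restore function itself runs the page's commands and needs sudo on the EJBCA host.

```shell
#!/bin/sh
# Added example: steps 8 to 15 of the restore procedure as one script for
# the EJBCA host. Not code from the original page, EJBCA or AWS.
# Assumptions: SysV "service" commands, CloudHSM client under /opt/cloudhsm,
# saved certificates (pre-7.5.0 only) in the hypothetical $CERT_BACKUP_DIR.
set -eu

# Step 10 input: accept only a dotted-quad IPv4 address so that a typo or a
# DNS name is rejected before it is written into the client configuration.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Step 8: the CloudHSM client verifies the HSM it connects to against the
# customer CA certificate; refuse to continue if it is missing or not PEM.
check_customer_ca() {
    ca_file=${1:-/opt/cloudhsm/etc/customerCA.crt}
    if [ ! -r "$ca_file" ]; then
        echo "missing customer CA certificate: $ca_file" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$ca_file"; then
        echo "not a PEM certificate: $ca_file" >&2
        return 1
    fi
    # When openssl is available, also make sure the file parses as X.509.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$ca_file" -noout >/dev/null 2>&1 || {
            echo "customer CA certificate does not parse: $ca_file" >&2
            return 1
        }
    fi
    return 0
}

# Step 11 applies only to EJBCA older than 7.5.0 (P11NG replaced liquidsec).
# Returns 0 when the liquidsec directory must be populated.
ejbca_needs_liquidsec() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -s -f2)
    case "$major$minor" in
        ''|*[!0-9]*) echo "unrecognised EJBCA version: $1" >&2; return 1 ;;
    esac
    [ "$major" -lt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "${minor:-0}" -lt 5 ] && return 0
    return 1
}

# Steps 8 to 15 in order. Step 14 (cloudhsm_mgmt_util) stays interactive as
# on the page: check that it reports a connection to the HSM, then type quit.
restore_hsm_client() {
    hsm_ip=$1
    ejbca_version=$2
    valid_ipv4 "$hsm_ip" || { echo "not an IPv4 address: $hsm_ip" >&2; return 1; }
    check_customer_ca /opt/cloudhsm/etc/customerCA.crt || return 1
    sudo service cloudhsm-client stop
    sudo /opt/cloudhsm/bin/configure -a "$hsm_ip"
    if ejbca_needs_liquidsec "$ejbca_version"; then
        # Restore the public certificates that pair with the HSM keys; the
        # files must end up readable by the user that runs WildFly.
        sudo mkdir -p /opt/ejbca/.liquidsec
        sudo cp "${CERT_BACKUP_DIR:?set CERT_BACKUP_DIR to the saved certificates}"/* /opt/ejbca/.liquidsec/
    fi
    sudo service cloudhsm-client start
    sudo /opt/cloudhsm/bin/configure -m
    /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
    sudo service wildfly restart
}

# Usage on the EJBCA host: sh restore_hsm_client.sh --run 172.16.2.37 7.4.3
if [ "${1:-}" = "--run" ]; then
    restore_hsm_client "$2" "$3"
fi
```

The checks run before anything is stopped, so a bad IP or a missing customerCA.crt leaves the current client configuration untouched instead of failing halfway through with the client down.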