Appendix A - Restoring an HSM Backup to a New Instance
Follow the steps below to restore an HSM from a backup to a new node:
Click on CloudHSM in the Services section of the AWS Console and find the existing cluster for the HSM you want to restore. AWS CloudHSM is only billing if there is an HSM in the active cluster.
Select the link to the cluster that contains the HSM material to restore.
Click Create HSM and step through the wizard to create a new cluster by selecting the Subnet/AZ for the HSM.
Once completed it will take some time for AWS to create the HSM. During this time the state will be "Create in progress".
Once complete the HSM state will be active. Click the refresh button to refresh the status.
Ensure that the certificate that is used to authenticate with the CloudHSM resides at:
# /opt/cloudhsm/etc/customerCA.crt
CODE
Stop the CloudHSM client using one of the following commands:
# sudo stop cloudhsm-client
or
# sudo service cloudhsm-client stop
CODE
Configure the CloudHSM client with the following command replacing 172.16.2.37 with the IP address of your HSMCluster:
# sudo /opt/cloudhsm/bin/configure -a 172.16.2.37
CODE
Step 11 is for EJBCA installations older than EJBCA 7.5.0. Newer installations of EJBCA use P11NG and no longer have the liquidsec libraries for integration.
Copy any public key certificates used with EJBCA in the past to the following directory (EJBCA will not be able to read any keys in CloudHSM without the matching public certificate that was created with it):
# /opt/ejbca/.liquidsec/
CODE
Start the CloudHSM client with the following command:
# sudo start cloudhsm-client
or
# sudo service cloudhsm-client start
CODE
Update the cloudhsm_mgmt_util Configuration File
# sudo /opt/cloudhsm/bin/configure -m
CODE
Start cloudhsm_mgmt_util to ensure you can connect to the HSM
