AWS cloudhsm documentation change
Summary
Restructured configuration syntax documentation for multiple tools (PKCS #11, OpenSSL, KSP, JCE, CloudHSM CLI) with expanded parameter descriptions, added new options like certificate storage controls, retry modes, and SDK3 compatibility flags
Security assessment
Added documentation for security-related parameters including TLS mutual authentication (--client-cert-hsm-tls-file, --client-key-hsm-tls-file), certificate storage controls, and key validation flags. However, there is no explicit mention of addressing a specific vulnerability or security incident - these appear to be general documentation improvements for existing security features.
Diff
diff --git a/cloudhsm/latest/userguide/configure-tool-syntax5.md b/cloudhsm/latest/userguide/configure-tool-syntax5.md index 85f438e74..2e7cba8ba 100644 --- a//cloudhsm/latest/userguide/configure-tool-syntax5.md +++ b//cloudhsm/latest/userguide/configure-tool-syntax5.md @@ -7 +7 @@ -The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 5. +The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 5. For more information about the parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](./configure-tool-params5.html). @@ -13,24 +13,41 @@ PKCS #11 - configure-pkcs11[ .exe ] - -a <ENI IP address> - [--hsm-ca-cert <customerCA certificate file path>] - [--cluster-id <cluster ID>] - [--endpoint <endpoint>] - [--region <region>] - [--client-cert-hsm-tls-file <client certificate hsm tls path>] - [--client-key-hsm-tls-file <client key hsm tls path>] - [--log-level <error | warn | info | debug | trace>] - Default is <info> - [--log-rotation <daily | weekly>] - Default is <daily> - [--log-file <file name with path>] - Default is </opt/cloudhsm/run/cloudhsm-pkcs11.log> - Default for Windows is <C:\\Program Files\\Amazon\\CloudHSM\\cloudhsm-pkcs11.log> - [--log-type <file | term>] - Default is <file> - [-h | --help] - [-V | --version] - [--disable-key-availability-check] - [--enable-key-availability-check] - [--disable-validate-key-at-init] - [--enable-validate-key-at-init] - This is the default for PKCS #11 + Usage: configure-pkcs11[ .exe ] [OPTIONS] + + Options: + --disable-certificate-storage + Disables Certificate Storage + --enable-certificate-storage + Enables Certificate Storage + -a <HSM ENI IP>... + The address of the HSM instance + --cluster-id <CLUSTER ID> + The id of the cluster containing the HSM instance(s) + --disable-key-availability-check + Disables key availability check during key use + --enable-key-availability-check + Enables key availability check during key use + --disable-validate-key-at-init + Disables parameter validation during initialization of crypto operations + --enable-validate-key-at-init + Enables parameter validation during initialization of crypto operations + --endpoint <ENDPOINT> + Specify the AWS CloudHSM API Endpoint + --region <REGION> + The region of the cluster + --hsm-ca-cert <HSM CA CERTIFICATE FILE> + The HSM CA certificate file + --log-type <LOG TYPE> + The log type [possible values: term, file] + --log-file <LOG FILE> + The log file + --log-level <LOG LEVEL> + The logging level [possible values: error, warn, info, debug, trace] + --log-rotation <LOG ROTATION> + The log rotation interval [possible values: never, hourly, daily] + --default-retry-mode <RETRY MODE> + The default method of retry to use for certain non-terminal failures [possible values: off, standard] + --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE> + The client certificate used for TLS client-hsm mutual authentication + --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE> + The client private key used for TLS client-hsm mutual authentication + -h, --help + Print help @@ -42,19 +59,37 @@ OpenSSL - configure-dyn[ .exe ] - -a <ENI IP address> - [--hsm-ca-cert <customerCA certificate file path>] - [--cluster-id <cluster ID>] - [--endpoint <endpoint>] - [--region <region>] - [--client-cert-hsm-tls-file <client certificate hsm tls path>] - [--client-key-hsm-tls-file <client key hsm tls path>] - [--log-level <error | warn | info | debug | trace>] - Default is <error> - [--log-type <file | term>] - Default is <term> - [-h | --help] - [-V | --version] - [--disable-key-availability-check] - [--enable-key-availability-check] - [--disable-validate-key-at-init] - This is the default for OpenSSL - [--enable-validate-key-at-init] + Usage: configure-dyn[ .exe ] [OPTIONS] + + Options: + -a <HSM ENI IP>... + The address of the HSM instance + --cluster-id <CLUSTER ID> + The id of the cluster containing the HSM instance(s) + --disable-key-availability-check + Disables key availability check during key use + --enable-key-availability-check + Enables key availability check during key use + --disable-validate-key-at-init + Disables parameter validation during initialization of crypto operations + --enable-validate-key-at-init + Enables parameter validation during initialization of crypto operations + --endpoint <ENDPOINT> + Specify the AWS CloudHSM API Endpoint + --region <REGION> + The region of the cluster + --hsm-ca-cert <HSM CA CERTIFICATE FILE> + The HSM CA certificate file + --log-type <LOG TYPE> + The log type [possible values: term, file] + --log-file <LOG FILE> + The log file + --log-level <LOG LEVEL> + The logging level [possible values: error, warn, info, debug, trace] + --log-rotation <LOG ROTATION> + The log rotation interval [possible values: never, hourly, daily] + --default-retry-mode <RETRY MODE> + The default method of retry to use for certain non-terminal failures [possible values: off, standard] + --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE> + The client certificate used for TLS client-hsm mutual authentication + --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE> + The client private key used for TLS client-hsm mutual authentication + -h, --help + Print help @@ -66,23 +101,45 @@ KSP - configure-ksp[ .exe ] - -a <ENI IP address> - [--hsm-ca-cert <customerCA certificate file path>] - [--cluster-id <cluster ID>] - [--endpoint <endpoint>] - [--region <region>] - [--client-cert-hsm-tls-file <client certificate hsm tls path>] - [--client-key-hsm-tls-file <client key hsm tls path>] - [--log-level <error | warn | info | debug | trace>] - Default is <info> - [--log-rotation <daily | weekly>] - Default is <daily> - [--log-file <file name with path>] - Default is <C:\\Program Files\\Amazon\\CloudHSM\\cloudhsm-ksp.log> - [--log-type <file | term>] - Default is <file> - [-h | --help] - [-V | --version] - [--disable-key-availability-check] - [--enable-key-availability-check] - [--disable-validate-key-at-init] - This is the default for KSP - [--enable-validate-key-at-init] + Usage: configure-ksp.exe [OPTIONS] + + Options: + -a <HSM ENI IP>... + The address of the HSM instance + --server-client-cert-file <CLIENT CERTIFICATE FILE> + The client certificate used for TLS client-server mutual authentication + --server-client-key-file <CLIENT KEY FILE> + The client private key used for TLS client-server mutual authentication + --cluster-id <CLUSTER ID> + The id of the cluster containing the HSM instance(s) + --disable-key-availability-check + Disables key availability check during key use + --enable-key-availability-check + Enables key availability check during key use + --disable-validate-key-at-init + Disables parameter validation during initialization of crypto operations + --enable-validate-key-at-init + Enables parameter validation during initialization of crypto operations + --endpoint <ENDPOINT> + Specify the AWS CloudHSM API Endpoint + --region <REGION> + The region of the cluster + --hsm-ca-cert <HSM CA CERTIFICATE FILE> + The HSM CA certificate file + --log-type <LOG TYPE> + The log type [possible values: term, file] + --log-file <LOG FILE> + The log file + --log-level <LOG LEVEL> + The logging level [possible values: error, warn, info, debug, trace] + --log-rotation <LOG ROTATION> + The log rotation interval [possible values: never, hourly, daily] + --default-retry-mode <RETRY MODE> + The default method of retry to use for certain non-terminal failures [possible values: off, standard] + --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE> + The client certificate used for TLS client-hsm mutual authentication + --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE> + The client private key used for TLS client-hsm mutual authentication + --enable-sdk3-compatibility-mode + Enables key file usage for KSP + --disable-sdk3-compatibility-mode + Disables key file usage for KSP + -h, --help + Print help @@ -94,24 +151,37 @@ JCE