---
title: "Fortanix DSM with AWS CloudHSM"
slug: "fortanix-dsm-with-aws-cloudhsm"
updated: 2026-04-10T12:00:39Z
published: 2026-04-10T12:00:39Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Fortanix DSM with AWS CloudHSM

## 1.0 Introduction

This article explains how to set up Amazon Web Service (AWS) Cloud Hardware Security Module (CloudHSM) and integrate it with Fortanix Data Security Manager (DSM) using Fortanix HSM Gateway.

## 2.0 Prerequisites

Ensure the following:

- EC2 instance for Fortanix HSM Gateway configuration.
- A Fortanix DSM cluster service URL.
- Deploy Fortanix HSM Gateway and AWS Cloud HSM on the same network.

## 3.0 Port Requirements

The following table lists the port requirements for AWS CloudHSM and Fortanix HSM Gateway:

| **Protocol** | **Inbound Port Number** | **Outbound Port Number** | **Purpose** |
| --- | --- | --- | --- |
| Custom TCP | 2223-2225 | 2223-2225 | For AWS ClousHSM connectivity from Fortanix HSM Gateway virtual machine (VM) |
| SSH | 22 | - | To access Fortanix HSM Gateway VM |
| Custom TCP | 4442 | 4442 | For Fortanix HSM Gateway connectivity from Fortanix DSM |

> [!NOTE]
> NOTE
> 
> A single security group is used for both AWS CloudHSM and Fortanix HSM Gateway. Therefore, custom TCP port **4442**is reserved for Fortanix HSM Gateway.

## 4.0 Product Version Tested

The following product versions were tested:

- Fortanix DSM - 5.0.2815-312
- AWS CloudHSM - LS2-FW-10.02-1102
- AWS PKCS#11 - cloudhsm-pkcs11-5.16.1-1.el9.x86_64
- AWS command line (CLI) - cloudhsm-cli-5.16.1-1.amzn2023.x86_64
- HSM GW EC2 instance running RHEL 9.2
- Fortanix HSM Gateway - fortanix-hsm-gateway-5.2.2852.3165.8-0.x86_64

## 5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

## 6.0 Create VPC and a Subnet

Perform the following steps to create a Virtual Private Cloud (VPC) and a subnet:

1. Log in to the AWS Console.
2. Navigate to **VPC**dashboard.
3. Click **Create VPC**and then create a subnet.

> [!NOTE]
> **NOTE**
> 
> Use default VPC and subnet settings unless your deployment requires customization.

## 7.0 Create AWS CloudHSM Cluster

Perform the following steps to create the AWS CloudHSM cluster:

1. In the AWS Console, search for **CloudHSM**and go to **CloudHSM**dashboard, and click **Create Cluster**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2200)(1).png)

**Figure 2: Creating an AWS CloudHSM cluster**
2. Select the **Cluster Type**such as **FIPS**or **non-FIPS** to configure the cluster.
3. Select the **VPC**and **subnet** from the drop down menu.
4. Click **Next**.
5. Set the **Backup retention period (in days)** to define how long backups are retained.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2201).png)

**Figure 3: Selecting backup retention configuration**
6. Click **Next**.
7. Review the cluster configuration and click **Create cluster**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2202)(1).png)

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2203)(2).png)

**Figure 4: Reviewing the cluster configuration**

> [!NOTE]
> NOTE
> 
> Use the security group created by the AWS CloudHSM cluster for Fortanix HSM Gateway EC2 instance.

## 8.0 Initialize the AWS CloudHSM Cluster

Perform the following steps to initialize the AWS CloudHSM cluster:

1. In the AWS **CloudHSM**cluster, click **Initialize**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2204).png)

**Figure 5: Initialize the AWS CloudHSM cluster**
2. On the **Create an HSM in the cluster** page, select the **Availability Zone** from the drop down menu and the click **Create**to create this AWS CloudHSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2205).png)

**Figure 6: Selecting availability zone and subnet for the HSM**
3. On the **Download certificate signing request**page, download the `cluster.csr file` from the cluster.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2206).png)

**Figure 7: Download the CSR file**
4. Use your Certificate Authority (CA) to:

*For more information on how to sign the Certificate Signing Request (CSR), refer to the*[*AWS official documentation*](https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr)*.*
  - Sign the `cluster.csr`.
  - Generate the cluster certificate and the customer certificate authority (CA) certificate.
5. On the **Upload certificate** page, upload the following signed certificates:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2207).png)

**Figure 8: Initialize cluster and CA certificates**
  - **Cluster certificate**: `cluster-certificate.crt`
  - **Issuing certificate**: `customerCA.crt`
6. Once the certificates are uploaded, click **Upload and initialize**.

## 9.0 Activate the AWS CloudHSM Cluster

Perform the following steps to activate the AWS CloudHSM cluster:

1. Log in to the **Fortanix HSM Gateway EC2 instance** with network access to the AWS CloudHSM cluster.
2. Run the following command to download the AWS CloudHSM CLI:

```bash
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-5.16.1-1.amzn2023.x86_64.rpm
```
3. Run the following command to update the permission of the AWS CloudHSM CLI:

```bash
chmod +x cloudhsm-cli-5.16.1-1.amzn2023.x86_64.rpm
```
4. Run the following command to install the AWS CloudHSM CLI package:

```bash
yum install ./cloudhsm-cli-5.16.1-1.amzn2023.x86_64.rpm
```
5. Run the following command to configure the AWS CloudHSM CLI with the CloudHSM internet protocol (IP) address:

```bash
cd /opt/cloud/hsm/bin
./configure-cli -a <IP_ADDRESS_OF_AWS_CLOUD_HSM>
```
6. Run the following command to add the customer CA certificate as created in *Step 5 of*[*Section 8.0: Initialize the AWS CloudHSM Cluster*](/v1/docs/aws-cloudhsm#80-initialize-the-cloudhsm-cluster):

```bash
sudo cp customerCA.crt /opt/cloudhsm/etc/
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2208).png)

**Figure 9: Configuring the CloudHSM CLI with IP address**
7. Run the following command to connect to the AWS CloudHSM cluster:

```bash
/opt/cloudhsm/bin/cloudhsm-cli interactive
```

After connecting, you can manage users and keys within the cluster.
8. Run the following command to activate the AWS CloudHSM cluster:

```bash
aws-cloudhsm> cluster activate
```

When prompted, enter and confirm the password.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2209).png)

**Figure 10: Activating the CloudHSM cluster**
9. Run the following command to add the IP address of the AWS CloudHSM in configuration:

```plaintext
./configure-cli -a <IP_ADDRESS_OF_HSM1> <IP_ADDRESS_OF_HSM2>
```

> [!NOTE]
> NOTE
> 
> An AWS CloudHSM cluster requires a minimum of 2 HSMs to manage the keys with high availability.
10. Run the following command to verify the `cloudhsm-cli.cfg` file:

```bash
cat /opt/cloudhsm/etc/cloudhsm-cli.cfg
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2210).png)

**Figure 11: Verifying the AWS CloudHSM CLI configuration file**
11. Run the following commands to create the user in AWS CloudHSM:

```bash
aws-cloudhsm> login --username admin --role admin
aws-cloudhsm> user create --username cryptouser --role crypto-user
```
12. (Optional) Log in as a user (`crypto-user: role`) and run the following commands to create the keys:

```bash
aws-cloudhsm>login --username crypto-user --role crypto-user
aws-cloudhsm>key generate-symmetric aes --label test-key --key-length-bytes 32
aws-cloudhsm>key list
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2211).png)

**Figure 12: Creating users and keys in CloudHSM**

## 10.0 Install the AWS CloudHSM PKCS#11 Package

Perform the following steps to download and install the AWS CloudHSM PKCS#11 package:

1. Run the following command to download the AWS CloudHSM PKCS#11 package:

```bash
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL9/cloudhsm-pkcs11-5.16.1-1.el9.x86_64.rpm
```
2. Run the following command to update the permissions of the AWS CloudHSM PKCS#11 file:

```bash
 chmod +x cloudhsm-pkcs11-5.16.1-1.el9.x86_64.rpm
```
3. Run the following command to install the AWS CloudHSM PKCS#11 package:

```bash
yum install ./cloudhsm-pkcs11-5.16.1-1.el9.x86_64.rpm
```
4. Run the following command to configure AWS CloudHSM PKCS#11 with HSM IP address:

```bash
./configure-pkcs11 -a <HSM1_IP_ADDRESS> <HSM2_IP_ADDRESS>
```

Once PKCS#11 is configured with AWS CloudHSM, the `cloudhsm-pkcs11.cfg` configuration file is created in the `/opt/cloudhsm/etc` directory.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2212).png)

**Figure 13: AWS CloudHSM CLI configuration file created**

The PKCS#11 library allows applications to securely interact with AWS CloudHSM and perform cryptographic operations such as key generation, encryption, and signing using PKCS#11 interface.

## 11.0 Set Up Fortanix HSM Gateway for AWS CloudHSM

Perform the following steps to install and configure Fortanix HSM Gateway in EC2 instance:

1. Run the following command to download the Fortanix HSM Gateway package:

```bash
wget https://download.fortanix.com/clients/5.2.2852/fortanix-hsm-gateway-5.2.2852.3165.8-0.x86_64.rpm
```
2. Run the following command to update the permission of the Fortanix HSM Gateway file:

```bash
chmod +x fortanix-hsm-gateway-5.2.2852.3165.8-0.x86_64.rpm
```
3. Run the following command to install the Fortanix HSM Gateway package:

```bash
 yum install ./fortanix-hsm-gateway-5.2.2852.3165.8-0.x86_64.rpm
```
4. Run the following command to edit and verify the `ftx-hmg` configuration file:

```bash
cat /etc/default/ftx-hmg
# This file contains configuration for the Fortanix HSM Gateway service
# Path to the pkcs12 cert. This package provides path /etc/fortanix/pki/
CERT_FILE=/etc/fortanix/pki/cert.p12

# Path to the pem ca cert (to authenticate client cert). Set only if you want to run in mutual TLS mode.
# CA_FILE=/etc/fortanix/pki/ca.pem

# The network port for the HSM Gateway to listen on. Default is 4442
HMG_TOKEN_LABEL=hsm1
HMG_SLOT_ID=0
HMG_TOKEN_PIN=cryptouser:password
HMG_LISTEN_PORT=4442

CKNFAST_OVERRIDE_SECURITY_ASSURANCES="tokenkeys;explicitness"

CKNFAST_FAKE_ACCELERATOR_LOGIN=1

# Enables verbose logging for application failures
RUST_BACKTRACE=full

# Default ncipher path = /opt/nfast/toolkits/pkcs11/libcknfast.so
# Default luna path = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
PKCS11_LIB_PATH=/opt/cloudhsm/lib/libcloudhsm_pkcs11.so
```

> [!NOTE]
> NOTE
> 
> - Ensure that the necessary parameters such as HSM IP addresses, certificates, and logging options are correctly set.
> - Ensure to generate the PKCS#12 certificate (`cert.p12`) with OpenSSL before configuring the Fortanix HSM Gateway. *For more information, refer to*[*Section 11.1: Generating a PKCS#12 Certificate*](/v1/docs/aws-cloudhsm#101-generating-a-pkcs12-certificate)*.*
5. Run the following command to install the Open Smart Card (OpenSC) dependency:

```bash
yum install opensc
```

### 11.1 Generating a PKCS#12 Certificate

Perform the following steps to generate a PKCS#12 certificate for standard mode connectivity from Fortanix DSM to HSM Gateway:

1. Run the following command to generate a self-signed certificate:

```bash
openssl req -x509 -newkey rsa:4096 -keyout /path/to/cert/dir/key.pem -out /path/to/cert/dir/cert.pem -days 365 -nodes
```
2. Run the following command to export the certificate and private key into a PKCS#12 file:

> [!NOTE]
> NOTE
> 
> When prompted, press Enter without entering a password.

```bash
openssl pkcs12 -export -out /path/to/cert/dir/cert.p12 -inkey /path/to/cert/dir/key.pem -in /path/to/cert/dir/cert.pem
```

> [!NOTE]
> NOTE
> 
> The PKCS#12 certificate (`cert.p12`) is required in the Fortanix HSM Gateway configuration file (`/etc/default/ftx-hmg`).
3. Run the following command to copy `cert.p12` file to `/etc/fortanix/pki` directory to define the location of the certificate file in Fortanix HSM Gateway service:

```bash
cp cert.p12 /etc/fortanix/pki
```

## 12.0 Start the Fortanix HSM Gateway Service

Perform the following steps to start the Fortanix HSM Gateway service:

1. Run the following command to start the Fortanix HSM Gateway service:

```bash
systemctl start ftx-hmg
```
2. Run the following command to verify the service status:

```bash
systemctl status ftx-hmg
```

The output may resemble as follows:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2213).png)

**Figure 14: Verifying Fortanix HSM Gateway service status**
3. Run the following command to list the available slots in AWS CloudHSM:

```bash
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -L
```

The output may resemble as follows:

```bash
Available slots:
Slot 0 (0x2000000000000001): hsm1
  token label        : hsm1
  token manufacturer : Marvell Semiconductors, Inc.
  token model        : LS2
  token flags        : login required, rng, token initialized
  hardware version   : 66.48
  firmware version   : 10.2
  serial num         : 
  pin min/max        : 8/32
  uri                : pkcs11:model=LS2;manufacturer=Marvell%20Semiconductors%2c%20Inc.;serial=;token=hsm1
```

## 13.0 Integrate AWS CloudHSM with Fortanix DSM

Perform the following steps to integrate AWS CloudHSM with Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group.
2. On the **Adding new group** page:
  1. **Title**: Enter a title for your group.
  2. **Description**(optional): Enter a short description for the group.
  3. In the **Configure as HSM/External KMS group** section, click **LINK HSM/EXTERNAL KMS**and select the HSM type as**AWS CloudHSM**, so that Fortanix DSM can connect to it.
  4. In the **Authentication**section,

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2215)(1).png)

**Figure 16: Testing Fortanix DSM connection to AWS CloudHSM**
    1. **HMG IP Address**: Enter the IP address of the Fortanix HSM Gateway.
    2. **Port**: The default port value is `4442`.
    3. **Slot**: Use the slot number obtained using the following `pkcs11-tool` command:

```bash
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -L
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2214).png)

**Figure 15: Slot ID decimal**

*For more information to convert the slot ID from hexadecimal to decimal format, refer to*[*Section 14.0: Slot ID Conversion*](/v1/docs/aws-cloudhsm#140-slot-id-conversion)*.*
    4. **PIN**: Use the format `username:password`. For example, **cryptouser:password**.
    5. To configure **TLS configuration** for standard mode, enter the output of `cert.pem` file in the **CA certificate** option as created in *Step 1 of*[*Section 11.1: Generating a PKCS#12 Certificate*](/v1/docs/aws-cloudhsm#101-generating-a-pkcs12-certificate).
    6. Click **TEST CONNECTION**.
3. Click **SAVE**to create the group.

## 14.0 Slot ID Conversion

AWS CloudHSM generates slot IDs in hexadecimal, but Fortanix DSM requires the slot ID in decimal format.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2216).png)

**Figure 17: Patching Fortanix DSM group with slot ID**

Perform the following steps to configure the slot ID in Fortanix DSM:

1. Enter placeholder values for the slot ID in the Fortanix DSM user interface (UI) and save.
2. Open the browser developer tools, go to the **Network**tab, and capture the **PATCH API** call.
3. Use Postman to re-send the PATCH API request with the slot number in **decimal**format.

The following is an example for API Payload:

```bash
PATCH https://<DSM_URL>/sys/v1/groups/<GROUP_ID>
```

The following is the response body of the API:

```bash
{
  "group_id": "2b5663a3-eea9-4821-bb7b-98e1ad003717",
  "hmg_redundancy": "PriorityFailover",
  "mod_hmg": {
    "<HMG_ID>": {
      "kind": "AWSCLOUDHSM",
      "url": "13.50.107.118:4442",
      "tls": {
        "mode": "required",
        "validate_hostname": false,
        "ca": { "pinned": ["<CA_CERT_BASE64>"] },
        "client_key": "<CLIENT_KEY_BASE64>",
        "client_cert": "<CLIENT_CERT_BASE64>"
      },
      "slot": 2305843009213693953,
      "hsm_order": 1,
      "id": "<HMG_ID>",
      "credentials": [""],
      "pin": "cryptouser:password"
    }
  }
}
```

## 15.0 Verification

Perform the following steps to verify the integration between AWS CloudHSM and Fortanix DSM:

1. Test the connection. A successful message indicates that the configuration is correct.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2217)(1).png)

**Figure 18: Successful connection test**
2. Create a key with the **Export**permission in the AWS CloudHSM group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AWSCloudHSM-SO(1).png)

**Figure 19: Creating a key with export permission**
3. Verify that the created key is virtually available in Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AWSCloudHSM-SO-Detail.png)

**Figure 20: Viewing key in Fortanix DSM**
4. Log in to the AWS CloudHSM console to confirm that the key is present in AWS.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2220).png)

**Figure 21: Verifying key in AWS CloudHSM console**
5. Verify the Fortanix HSM Gateway logs to ensure successful key creation and synchronization.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (2221).png)

**Figure 22: Checking Fortanix HSM Gateway logs**