

# AWS CloudHSM configure tool
<a name="configure-tool"></a>

AWS CloudHSM automatically synchronizes data among all hardware security modules (HSM) in a cluster. The **configure** tool updates the HSM data in the configuration files that the synchronization mechanisms use. Use **configure** to refresh the HSM data before you use the command line tools, especially when the HSMs in the cluster have changed.

 AWS CloudHSM includes two major Client SDK versions: 
+ Client SDK 5: This is our latest and default Client SDK. For information on the benefits and advantages it provides, see [Benefits of AWS CloudHSM Client SDK 5](client-sdk-5-benefits.md).
+ Client SDK 3: This is our older Client SDK. It includes a full set of components for platform and language-based applications compatibility and management tools.

For instructions on migrating from Client SDK 3 to Client SDK 5, see [Migrating from AWS CloudHSM Client SDK 3 to Client SDK 5](client-sdk-migration.md).

**Topics**
+ [Client SDK 5 configure tool](configure-sdk-5.md)
+ [Client SDK 3 configure tool](configure-sdk-3.md)

# AWS CloudHSM Client SDK 5 configure tool
<a name="configure-sdk-5"></a>

Use the AWS CloudHSM Client SDK 5 configure tool to update client-side configuration files. 

Each component in Client SDK 5 includes a configure tool with a designator of the component in the file name of the configure tool. For example, the PKCS #11 library for Client SDK 5 includes a configure tool named `configure-pkcs11` on Linux or `configure-pkcs11.exe` on Windows.

**Topics**
+ [Syntax](configure-tool-syntax5.md)
+ [Parameters](configure-tool-params5.md)
+ [Examples](configure-tool-examples5.md)
+ [Bootstrap OpenSSL Provider](configure-openssl-provider.md)
+ [Advanced configurations](configure-sdk5-advanced-configs.md)
+ [Related topics](configure-tool-seealso5.md)

# AWS CloudHSM Client SDK 5 configuration syntax
<a name="configure-tool-syntax5"></a>

 The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 5. For more information about the parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md). 

------
#### [ PKCS #11 ]

```
Usage: configure-pkcs11[ .exe ] [OPTIONS]

Options:
      --disable-certificate-storage
          Disables Certificate Storage
      --enable-certificate-storage
          Enables Certificate Storage
  -a <HSM ENI IP>...
          The address of the HSM instance
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
  -h, --help
          Print help
```

------
#### [ OpenSSL ]

```
Usage: configure-dyn[ .exe ] [OPTIONS]

Options:
  -a <HSM ENI IP>...
          The address of the HSM instance
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
  -h, --help
          Print help
```

------
#### [ KSP ]

```
Usage: configure-ksp.exe [OPTIONS]

Options:
  -a <HSM ENI IP>...
          The address of the HSM instance
      --server-client-cert-file <CLIENT CERTIFICATE FILE>
          The client certificate used for TLS client-server mutual authentication
      --server-client-key-file <CLIENT KEY FILE>
          The client private key used for TLS client-server mutual authentication
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
      --enable-sdk3-compatibility-mode
          Enables key file usage for KSP
      --disable-sdk3-compatibility-mode
          Disables key file usage for KSP
  -h, --help
          Print help
```

------
#### [ JCE ]

```
Usage: configure-jce[ .exe ] [OPTIONS]

Options:
  -a <HSM ENI IP>...
          The address of the HSM instance
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
  -h, --help
          Print help
```

------
#### [ CloudHSM CLI ]

```
Usage: configure-cli[ .exe ] [OPTIONS]

Options:
  -a <HSM ENI IP>...
          The address of the HSM instance
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
  -h, --help
          Print help
```

------
#### [ OpenSSL Provider ]

```
Usage: configure-openssl-provider[ .exe ] [OPTIONS]

Options:
  -a <HSM ENI IP>...
          The address of the HSM instance
      --cluster-id <CLUSTER ID>
          The id of the cluster containing the HSM instance(s)
      --disable-key-availability-check
          Disables key availability check during key use
      --enable-key-availability-check
          Enables key availability check during key use
      --disable-validate-key-at-init
          Disables parameter validation during initialization of crypto operations
      --enable-validate-key-at-init
          Enables parameter validation during initialization of crypto operations
      --endpoint <ENDPOINT>
          Specify the AWS CloudHSM API Endpoint
      --region <REGION>
          The region of the cluster
      --hsm-ca-cert <HSM CA CERTIFICATE FILE>
          The HSM CA certificate file
      --log-type <LOG TYPE>
          The log type [possible values: term, file]
      --log-file <LOG FILE>
          The log file
      --log-level <LOG LEVEL>
          The logging level [possible values: error, warn, info, debug, trace]
      --log-rotation <LOG ROTATION>
          The log rotation interval [possible values: never, hourly, daily]
      --default-retry-mode <RETRY MODE>
          The default method of retry to use for certain non-terminal failures [possible values: off, standard]
      --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
          The client certificate used for TLS client-hsm mutual authentication
      --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
          The client private key used for TLS client-hsm mutual authentication
  -h, --help
          Print help
```

------

# AWS CloudHSM Client SDK 5 configuration parameters
<a name="configure-tool-params5"></a>

The following is a list of parameters to configure AWS CloudHSM Client SDK 5.

**-a *<ENI IP address>***  
Adds the specified IP address to Client SDK 5 configuration files. Enter any ENI IP address of an HSM from the cluster. For more information about how to use this option, see [Bootstrap Client SDK 5](cluster-connect.md#sdk8-connect).  
Required: Yes

**--hsm-ca-cert *<customerCA certificate file path>***  
 Path to the certificate authority (CA) certificate file used to connect EC2 client instances to the cluster. You create this file when you initialize the cluster. By default, the system looks for this file in the following location:   
Linux  

```
/opt/cloudhsm/etc/customerCA.crt
```
Windows  

```
C:\ProgramData\Amazon\CloudHSM\customerCA.crt
```
For more information about initializing the cluster or placing the certificate, see [Place the issuing certificate on each EC2 instance](cluster-connect.md#place-hsm-cert) and [Initialize the cluster in AWS CloudHSM](initialize-cluster.md).  
Required: No

**--cluster-id *<cluster ID>***  
 Makes a `DescribeClusters` call to find all of the HSM elastic network interface (ENI) IP addresses in the cluster associated with the cluster ID. The system adds the ENI IP addresses to the AWS CloudHSM configuration files.  
If you use the `--cluster-id` parameter from an EC2 instance within a VPC that does not have access to the public internet, then you must create an interface VPC endpoint to connect with AWS CloudHSM. For more information about VPC endpoints, see [AWS CloudHSM and VPC endpoints](cloudhsm-vpc-endpoint.md).  
Required: No

**--endpoint *<endpoint>***  
Specify the AWS CloudHSM API endpoint used for making the `DescribeClusters` call. You must set this option in combination with `--cluster-id`.   
Required: No

**--region *<region>***  
Specify the region of your cluster. You must set this option in combination with `--cluster-id`.  
If you don’t supply the `--region` parameter, the system chooses the region by attempting to read the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variables. If those variables aren’t set, then the system checks the region associated with your profile in your AWS config file (typically `~/.aws/config`) unless you specified a different file in the `AWS_CONFIG_FILE` environment variable. If none of the above are set, the system defaults to the `us-east-1` region.  
Required: No
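The `--cluster-id`, `--endpoint`, and `--region` entries above describe two pieces of behaviour worth seeing end to end: how the region for the `DescribeClusters` call is chosen, and how the HSM ENI IP addresses in the response become the `-a` arguments the tool would otherwise need. The following is an added illustration written for this page, not code from the AWS CloudHSM configure tool; the `DescribeClusters` response is a constructed sample in the shape of the API output, and two details the page leaves open are assumptions marked in the comments (which of the two environment variables wins, and that the profile name comes from `AWS_PROFILE`).

```python
"""Region selection and HSM discovery as the --cluster-id path describes them.
Added illustration for this page, not AWS code."""
import configparser
import os
from typing import List, Mapping, Optional

DEFAULT_REGION = "us-east-1"  # the documented fallback when nothing else is set


def config_path(env: Mapping[str, str]) -> str:
    """Location of the AWS config file: AWS_CONFIG_FILE if set, else ~/.aws/config."""
    return env.get("AWS_CONFIG_FILE") or os.path.expanduser("~/.aws/config")


def resolve_region(explicit: Optional[str], env: Mapping[str, str], config_text: str) -> str:
    """Pick the region in the documented order of precedence.

    1. --region on the command line
    2. AWS_DEFAULT_REGION or AWS_REGION (assumption: checked in that order;
       the page does not say which wins when both are set)
    3. the region of the profile in the AWS config file
       (assumption: the profile name comes from AWS_PROFILE, else "default")
    4. us-east-1
    config_text is the content of the file named by config_path(env).
    """
    if explicit:
        return explicit
    for var in ("AWS_DEFAULT_REGION", "AWS_REGION"):
        if env.get(var):
            return env[var]
    profile = env.get("AWS_PROFILE", "default")
    # ~/.aws/config names non-default profiles "[profile NAME]"
    section = "default" if profile == "default" else f"profile {profile}"
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if parser.has_option(section, "region"):
        return parser.get(section, "region")
    return DEFAULT_REGION


# Constructed sample in the shape of a DescribeClusters response; not real data.
SAMPLE_DESCRIBE_CLUSTERS = {
    "Clusters": [
        {
            "ClusterId": "cluster-1234567",
            "State": "ACTIVE",
            "Hsms": [
                {"HsmId": "hsm-aaaaaaa", "State": "ACTIVE", "EniIp": "10.0.1.5"},
                {"HsmId": "hsm-bbbbbbb", "State": "ACTIVE", "EniIp": "10.0.2.7"},
                {"HsmId": "hsm-ccccccc", "State": "CREATE_IN_PROGRESS", "EniIp": "10.0.3.9"},
            ],
        }
    ]
}


def active_eni_ips(response: dict, cluster_id: str) -> List[str]:
    """Return the ENI IPs of the cluster's ACTIVE HSMs, sorted for stable output.

    Keeping only ACTIVE HSMs is this example's choice: an HSM that is still
    being created cannot serve requests yet.
    """
    for cluster in response.get("Clusters", []):
        if cluster.get("ClusterId") != cluster_id:
            continue
        return sorted(
            h["EniIp"] for h in cluster.get("Hsms", [])
            if h.get("State") == "ACTIVE" and h.get("EniIp")
        )
    raise LookupError(f"cluster {cluster_id} not found in DescribeClusters response")


def configure_argv(tool: str, eni_ips: List[str]) -> List[str]:
    """Equivalent `configure-<component> -a <ip>...` invocation for the discovered IPs."""
    if not eni_ips:
        raise ValueError("no ACTIVE HSMs: nothing to write to the configuration")
    return [tool, "-a", *eni_ips]


if __name__ == "__main__":
    env = {"AWS_DEFAULT_REGION": "us-east-1"}
    print("region:", resolve_region(None, env, ""))
    ips = active_eni_ips(SAMPLE_DESCRIBE_CLUSTERS, "cluster-1234567")
    print(" ".join(configure_argv("/opt/cloudhsm/bin/configure-pkcs11", ips)))
```

Because the region lookup falls through to `us-east-1`, a configure run on an instance with no region configured fails to find a cluster that lives elsewhere rather than failing loudly; passing `--region` explicitly avoids that silent mismatch.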

**--client-cert-hsm-tls-file *<client certificate hsm tls path>***  
 Path to the client certificate used for TLS client-HSM mutual authentication.   
 Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-key-hsm-tls-file`.   
Required: No

**--client-key-hsm-tls-file *<client key hsm tls path>***  
 Path to the client key used for TLS client-HSM mutual authentication.   
 Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-cert-hsm-tls-file`.   
Required: No
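The two mutual-TLS options above must be given together, and the tool takes two file paths whose roles are easy to swap. The following pre-flight check is an added illustration written for this page, not part of the configure tool: it confirms that both options are present, that the certificate file holds a `CERTIFICATE` PEM block and the key file a private-key block (the set of recognised key labels is this example's choice), flags the two files being swapped, and warns when the key file is readable by group or others. The sample PEM blocks are constructed placeholders wrapping a minimal DER sequence, not real credentials.

```python
"""Pre-flight check for --client-cert-hsm-tls-file / --client-key-hsm-tls-file.
Added illustration for this page, not part of the configure tool."""
import base64
import os
import re
import stat
from typing import List, Optional

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Private-key PEM labels this check recognises (example's own list).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of every PEM block whose body is valid base64 starting with an ASN.1 SEQUENCE."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # not base64: ignore the block rather than trust its label
        if der[:1] == b"\x30":  # certificates and keys are both DER SEQUENCEs
            labels.append(label)
    return labels


def check_tls_pair(cert_pem: Optional[str], key_pem: Optional[str], key_mode: int = 0o600) -> List[str]:
    """Return a list of problems with the cert/key pair (empty when it is usable).

    cert_pem and key_pem are the file contents, or None when the option was not
    given; key_mode is the key file's permission bits.
    """
    problems: List[str] = []
    if (cert_pem is None) != (key_pem is None):
        problems.append("both options must be set together")
        return problems
    if cert_pem is None:
        return problems  # neither option given: mutual TLS not configured
    cert_labels, key_labels = set(pem_labels(cert_pem)), set(pem_labels(key_pem))
    if cert_labels & KEY_LABELS and "CERTIFICATE" in key_labels:
        problems.append("files appear swapped: the cert option points at a key and the key option at a certificate")
        return problems
    if "CERTIFICATE" not in cert_labels:
        problems.append("cert file contains no CERTIFICATE block")
    if not key_labels & KEY_LABELS:
        problems.append("key file contains no PRIVATE KEY block")
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is group/world accessible; restrict it to the owner")
    return problems


def check_tls_pair_files(cert_path: str, key_path: str) -> List[str]:
    """Same check, reading the two paths that would be passed to the configure tool."""
    with open(cert_path, encoding="ascii") as f:
        cert = f.read()
    with open(key_path, encoding="ascii") as f:
        key = f.read()
    return check_tls_pair(cert, key, stat.S_IMODE(os.stat(key_path).st_mode))


def _placeholder_pem(label: str) -> str:
    # Constructed placeholder: a minimal DER SEQUENCE, not a real certificate or key.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_CERT = _placeholder_pem("CERTIFICATE")
SAMPLE_KEY = _placeholder_pem("PRIVATE KEY")

if __name__ == "__main__":
    print("ok pair:   ", check_tls_pair(SAMPLE_CERT, SAMPLE_KEY))
    print("swapped:   ", check_tls_pair(SAMPLE_KEY, SAMPLE_CERT))
    print("loose mode:", check_tls_pair(SAMPLE_CERT, SAMPLE_KEY, 0o644))
```

Run `check_tls_pair_files` on the two paths before invoking `configure-*` so that a swapped or unpaired argument is caught on the client rather than as a failed TLS handshake against the HSM.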

**--log-level *<error | warn | info | debug | trace>***  
Specifies the minimum logging level the system should write to the log file. Each level includes the previous levels, with error as the minimum level and trace the maximum level. This means that if you specify error, the system writes only errors to the log. If you specify trace, the system writes error, warning, informational (info), debug, and trace messages to the log. For more information, see [Client SDK 5 Logging](hsm-client-logs.md#sdk5-logging).  
Required: No

**--log-rotation *<daily | weekly>***  
Specifies the frequency with which the system rotates logs. For more information, see [Client SDK 5 Logging](hsm-client-logs.md#sdk5-logging).  
Required: No

**--log-file *<file name with path>***  
Specifies where the system will write the log file. For more information, see [Client SDK 5 Logging](hsm-client-logs.md#sdk5-logging).  
Required: No

**--log-type *<term | file>***  
Specifies whether the system will write the log to a file or terminal. For more information, see [Client SDK 5 Logging](hsm-client-logs.md#sdk5-logging).  
Required: No

**-h | --help**  
Displays help.  
Required: No

**--disable-key-availability-check**  
Flag to disable key availability quorum. Use this flag to indicate AWS CloudHSM should disable key availability quorum and you can use keys that exist on only one HSM in the cluster. For more information about using this flag to set key availability quorum, see [Managing client key durability settings](working-client-sync.md#setting-file-sdk8).  
Required: No

**--enable-key-availability-check**  
Flag to enable key availability quorum. Use this flag to indicate AWS CloudHSM should use key availability quorum and not allow you to use keys until those keys exist on two HSMs in the cluster. For more information about using this flag to set key availability quorum, see [Managing client key durability settings](working-client-sync.md#setting-file-sdk8).  
Enabled by default.  
Required: No

**--disable-validate-key-at-init**  
Improves performance by specifying that you can skip an initialization call to verify permissions on a key for subsequent calls. Use with caution.  
Background: Some mechanisms in the PKCS #11 library support multi-part operations where an initialization call verifies whether you can use the key for subsequent calls. This requires a verification call to the HSM, which adds latency to the overall operation. This option lets you disable that call and potentially improve performance.  
Required: No

**--enable-validate-key-at-init**  
Specifies that you should use an initialization call to verify permissions on a key for subsequent calls. This is the default option. Use `enable-validate-key-at-init` to resume these initialization calls after you use `disable-validate-key-at-init` to suspend them.  
Required: No

# AWS CloudHSM Client SDK 5 configuration examples
<a name="configure-tool-examples5"></a>

These examples show how to use the configure tool for AWS CloudHSM Client SDK 5.

## Bootstrap Client SDK 5
<a name="ex1"></a>

**Example**  
This example uses the `-a` parameter to update the HSM data for Client SDK 5. To use the `-a` parameter, you must have the IP address for one of the HSMs in your cluster.   

**To bootstrap a Linux EC2 instance for Client SDK 5 (PKCS #11)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 -a <HSM IP addresses>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 (PKCS #11)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" -a <HSM IP addresses>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 (OpenSSL)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn -a <HSM IP addresses>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 (OpenSSL Provider)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider -a <HSM IP addresses>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 (KSP)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" -a <HSM IP addresses>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 (JCE)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce -a <HSM IP addresses>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 (JCE)**
+  Use the configure tool to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" -a <HSM IP addresses>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 (CloudHSM CLI)**
+  Use the configure tool to specify the IP address of the HSM(s) in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli -a <The ENI IPv4 / IPv6 addresses of the HSMs>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 (CloudHSM CLI)**
+  Use the configure tool to specify the IP address of the HSM(s) in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" -a <The ENI IPv4 / IPv6 addresses of the HSMs>
  ```

You can use the `--cluster-id` parameter in place of `-a <HSM_IP_ADDRESSES>`. To see the requirements for using `--cluster-id`, see [AWS CloudHSM Client SDK 5 configure tool](configure-sdk-5.md).
For more information about the `-a` parameter, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

## Specify cluster, region, and endpoint for Client SDK 5
<a name="ex2"></a>

**Example**  
 This example uses the `cluster-id` parameter to bootstrap Client SDK 5 by making a `DescribeClusters` call.   

**To bootstrap a Linux EC2 instance for Client SDK 5 with `cluster-id` (PKCS #11)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id <cluster-1234567>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 with `cluster-id` (PKCS #11)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --cluster-id <cluster-1234567>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 with `cluster-id` (OpenSSL)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --cluster-id <cluster-1234567>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 with `cluster-id` (KSP)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --cluster-id <cluster-1234567>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 with `cluster-id` (JCE)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --cluster-id <cluster-1234567>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 with `cluster-id` (JCE)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --cluster-id <cluster-1234567>
  ```

**To bootstrap a Linux EC2 instance for Client SDK 5 with `cluster-id` (CloudHSM CLI)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --cluster-id <cluster-1234567>
  ```

**To bootstrap a Windows EC2 instance for Client SDK 5 with `cluster-id` (CloudHSM CLI)**
+  Use the cluster ID `cluster-1234567` to specify the IP address of an HSM in your cluster. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --cluster-id <cluster-1234567>
  ```

You can use the `--region` and `--endpoint` parameters in combination with the `cluster-id` parameter to specify how the system makes the `DescribeClusters` call. For instance, if the region of the cluster is different from the one configured as your AWS CLI default, use the `--region` parameter to select that region. You can also specify the AWS CloudHSM API endpoint to use for the call, which might be necessary for network setups such as VPC interface endpoints that don't use the default DNS hostname for AWS CloudHSM.   

**To bootstrap a Linux EC2 instance with a custom endpoint and region (PKCS #11)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Windows EC2 instance with a custom endpoint and region (PKCS #11)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Linux EC2 instance with a custom endpoint and region (OpenSSL)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Windows EC2 instance with a custom endpoint and region (KSP)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Linux EC2 instance with a custom endpoint and region (JCE)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Windows EC2 instance with a custom endpoint and region (JCE)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Linux EC2 instance with a custom endpoint and region (CloudHSM CLI)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

**To bootstrap a Windows EC2 instance with a custom endpoint and region (CloudHSM CLI)**
+  Use the configure tool to specify the IP address of an HSM in your cluster with a custom region and endpoint.

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --cluster-id <cluster-1234567> --region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
  ```

For more information about the `--cluster-id`, `--region`, and `--endpoint` parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

## Update client certificate and key for TLS client-HSM mutual authentication
<a name="ex3"></a>

**Example**  
 This example shows how to use the `--client-cert-hsm-tls-file` and `--client-key-hsm-tls-file` parameters to reconfigure TLS by specifying a custom client key and certificate for AWS CloudHSM.   

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux (PKCS #11)**

1. Copy your key and certificate to the appropriate directory.

   ```
   $ sudo cp ssl-client.pem </opt/cloudhsm/etc>
   $ sudo cp ssl-client.key </opt/cloudhsm/etc>
   ```

1.  Use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   $ sudo /opt/cloudhsm/bin/configure-pkcs11 \
               --client-cert-hsm-tls-file </opt/cloudhsm/etc/ssl-client.pem> \
               --client-key-hsm-tls-file </opt/cloudhsm/etc/ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows (PKCS #11)**

1. Copy your key and certificate to the appropriate directory.

   ```
   cp ssl-client.pem <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem>
   cp ssl-client.key <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

1.  With a PowerShell interpreter, use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" `
               --client-cert-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem> `
               --client-key-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux (OpenSSL)**

1. Copy your key and certificate to the appropriate directory.

   ```
   $ sudo cp ssl-client.pem </opt/cloudhsm/etc>
   $ sudo cp ssl-client.key </opt/cloudhsm/etc>
   ```

1.  Use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   $ sudo /opt/cloudhsm/bin/configure-dyn \
               --client-cert-hsm-tls-file </opt/cloudhsm/etc/ssl-client.pem> \
               --client-key-hsm-tls-file </opt/cloudhsm/etc/ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows (KSP)**

1. Copy your key and certificate to the appropriate directory.

   ```
   cp ssl-client.pem <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem>
   cp ssl-client.key <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

1.  With a PowerShell interpreter, use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" `
               --client-cert-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem> `
               --client-key-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux (JCE)**

1. Copy your key and certificate to the appropriate directory.

   ```
   $ sudo cp ssl-client.pem </opt/cloudhsm/etc>
   $ sudo cp ssl-client.key </opt/cloudhsm/etc>
   ```

1.  Use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   $ sudo /opt/cloudhsm/bin/configure-jce \
               --client-cert-hsm-tls-file </opt/cloudhsm/etc/ssl-client.pem> \
               --client-key-hsm-tls-file </opt/cloudhsm/etc/ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows (JCE)**

1. Copy your key and certificate to the appropriate directory.

   ```
   cp ssl-client.pem <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem>
   cp ssl-client.key <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

1.  With a PowerShell interpreter, use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" `
               --client-cert-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem> `
               --client-key-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Linux**

1. Copy your key and certificate to the appropriate directory.

   ```
   $ sudo cp ssl-client.pem </opt/cloudhsm/etc>
   sudo cp ssl-client.key </opt/cloudhsm/etc>
   ```

1.  Use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   $ sudo /opt/cloudhsm/bin/configure-cli \
               --client-cert-hsm-tls-file </opt/cloudhsm/etc/ssl-client.pem> \
               --client-key-hsm-tls-file </opt/cloudhsm/etc/ssl-client.key>
   ```

**To use a custom certificate and key for TLS client-HSM mutual authentication with Client SDK 5 on Windows**

1. Copy your key and certificate to the appropriate directory.

   ```
   cp ssl-client.pem <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem>
   cp ssl-client.key <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```

1.  With a PowerShell interpreter, use the configure tool to specify `ssl-client.pem` and `ssl-client.key`.

   ```
   PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" `
               --client-cert-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.pem> `
               --client-key-hsm-tls-file <C:\ProgramData\Amazon\CloudHSM\ssl-client.key>
   ```
For more information about the `--client-cert-hsm-tls-file` and `--client-key-hsm-tls-file` parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

## Disable client key durability settings
<a name="ex4"></a>

**Example**  
This example uses the `--disable-key-availability-check` parameter to disable client key durability settings. To run a cluster with a single HSM, you must disable client key durability settings.   

**To disable client key durability for Client SDK 5 on Linux**
+  Use the configure tool to disable client key durability settings. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Windows**
+  Use the configure tool to disable client key durability settings. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Linux**
+  Use the configure tool to disable client key durability settings. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Linux**
+  Use the configure tool to disable client key durability settings. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Windows**
+  Use the configure tool to disable client key durability settings. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Linux**
+  Use the configure tool to disable client key durability settings. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Windows**
+  Use the configure tool to disable client key durability settings. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Linux**
+  Use the configure tool to disable client key durability settings. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --disable-key-availability-check
  ```

**To disable client key durability for Client SDK 5 on Windows**
+  Use the configure tool to disable client key durability settings. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --disable-key-availability-check
  ```
For more information about the `--disable-key-availability-check` parameter, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

## Manage logging options
<a name="ex5"></a>

**Example**  
Client SDK 5 uses the `log-file`, `log-level`, `log-rotation`, and `log-type` parameters to manage logging.  
To configure your SDK for serverless environments such as AWS Fargate or AWS Lambda, we recommend you configure your AWS CloudHSM log type to `term`. The client logs will be output to `stderr` and captured in the CloudWatch Logs log group configured for that environment.

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Linux

  ```
  /opt/cloudhsm/run/cloudhsm-pkcs11.log
  ```

  Windows

  ```
  C:\Program Files\Amazon\CloudHSM\cloudhsm-pkcs11.log
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-level info
  ```

**To configure file logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --log-type term --log-level info
  ```

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Linux

  ```
  stderr
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --log-level info
  ```

**To configure file logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --log-type term --log-level info
  ```

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Linux

  ```
  stderr
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider --log-level info
  ```

**To configure file logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider --log-type term --log-level info
  ```

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Windows

  ```
  C:\Program Files\Amazon\CloudHSM\cloudhsm-ksp.log
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --log-level info
  ```

**To configure file logging options**
+ 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --log-type term --log-level info
  ```

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Linux

  ```
  /opt/cloudhsm/run/cloudhsm-jce.log
  ```

  Windows

  ```
  C:\Program Files\Amazon\CloudHSM\cloudhsm-jce.log
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --log-level info
  ```

**To configure file logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --log-type term --log-level info
  ```

**Default logging location**
+ If you do not specify a location for the file, the system writes logs to the following default location:

  Linux

  ```
  /opt/cloudhsm/run/cloudhsm-cli.log
  ```

  Windows

  ```
  C:\Program Files\Amazon\CloudHSM\cloudhsm-cli.log
  ```

**To configure the logging level and leave other logging options set to default**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --log-level info
  ```

**To configure file logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --log-type file --log-file <file name with path> --log-rotation daily --log-level info
  ```

**To configure terminal logging options**
+ 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --log-type term --log-level info
  ```
For more information about the `log-file`, `log-level`, `log-rotation`, and `log-type` parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

## Place the issuing certificate for Client SDK 5
<a name="ex6"></a>

**Example**  
This example uses the `--hsm-ca-cert` parameter to update the location of the issuing certificate for Client SDK 5.   

**To place the issuing certificate on Linux for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-pkcs11 --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Windows for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Linux for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-dyn --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Linux for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-openssl-provider --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Windows for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-ksp.exe" --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Linux for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-jce --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Windows for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe" --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Linux for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  $ sudo /opt/cloudhsm/bin/configure-cli --hsm-ca-cert <customerCA certificate file>
  ```

**To place the issuing certificate on Windows for Client SDK 5**
+  Use the configure tool to specify a location for the issuing certificate. 

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --hsm-ca-cert <customerCA certificate file>
  ```
For more information about the `--hsm-ca-cert` parameter, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

# Bootstrap OpenSSL Provider
<a name="configure-openssl-provider"></a>

Use the configure-openssl-provider tool to bootstrap your OpenSSL Provider installation and connect it to your AWS CloudHSM cluster.

**To bootstrap the OpenSSL Provider**

1. Run the configure-openssl-provider command with the IP address of an HSM in your cluster:

   ```
   $ sudo /opt/cloudhsm/bin/configure-openssl-provider -a <HSM IP address>
   ```

   Replace *<HSM IP address>* with the IP address of any HSM in your cluster.

1. Verify the configuration by checking that the OpenSSL Provider can connect to your cluster:

   ```
   $ openssl list -providers -provider-path /opt/cloudhsm/lib -provider cloudhsm
   ```

For more information about the configuration parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).

# Advanced configurations for the Client SDK 5 configure tool
<a name="configure-sdk5-advanced-configs"></a>

The AWS CloudHSM Client SDK 5 configure tool includes advanced configurations that are not part of the general features most customers utilize. Advanced configurations provide additional capabilities.

**Important**  
After making any changes to your configuration, you need to restart your application for the changes to take effect.
+ Advanced configurations for PKCS #11
  + [Multiple slot configuration with PKCS #11 library for AWS CloudHSM](pkcs11-library-configs-multi-slot.md)
  + [Retry commands for PKCS #11 library for AWS CloudHSM](pkcs11-library-configs-retry.md)
+ Advanced configurations for OpenSSL
  + [Retry commands for OpenSSL for AWS CloudHSM](openssl-library-configs-retry.md)
+ Advanced configurations for KSP
  + [SDK3 compatibility mode for Key Storage Provider (KSP) for AWS CloudHSM](ksp-library-configs-sdk3-compatibility-mode.md)
+ Advanced configurations for JCE
  + [Connecting to multiple AWS CloudHSM clusters with the JCE provider](java-lib-configs-multi.md)
  + [Retry commands for JCE for AWS CloudHSM](java-lib-configs-retry.md)
  + [Key extraction using JCE for AWS CloudHSM](java-lib-configs-getencoded.md)
+ Advanced configurations for AWS CloudHSM Command Line Interface (CLI)
  + [Connecting to multiple clusters with CloudHSM CLI](cloudhsm_cli-configs-multi-cluster.md)

# AWS CloudHSM Client SDK 5 related topics
<a name="configure-tool-seealso5"></a>

See the following related topics to learn more about the AWS CloudHSM Client SDK 5.
+ [DescribeClusters](https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) API operation
+ [describe-clusters](https://docs.aws.amazon.com/cli/latest/reference/cloudhsmv2/describe-clusters.html) AWS CLI
+ [Get-HSM2Cluster](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-HSM2Cluster.html) PowerShell cmdlet
+ [Bootstrap Client SDK 5](cluster-connect.md#sdk8-connect)
+ [Bootstrap OpenSSL Provider](configure-openssl-provider.md)
+ [AWS CloudHSM VPC endpoints](cloudhsm-vpc-endpoint.md)
+ [Managing Client SDK 5 Key Durability Settings](working-client-sync.md#setting-file-sdk8)
+ [Client SDK 5 Logging](hsm-client-logs.md#sdk5-logging)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)

# AWS CloudHSM Client SDK 3 configure tool
<a name="configure-sdk-3"></a>

Use the AWS CloudHSM Client SDK 3 configure tool to bootstrap the client daemon and configure CloudHSM Management Utility (CMU). 

**Topics**
+ [Syntax](configure-tool-syntax.md)
+ [Parameters](configure-tool-params.md)
+ [Examples](configure-tool-examples.md)
+ [Related topics](configure-tool-seealso.md)

# AWS CloudHSM Client SDK 3 configuration syntax
<a name="configure-tool-syntax"></a>

The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 3.

```
configure -h | --help
          -a <ENI IP address>
          -m [-i <daemon_id>]
          --ssl --pkey <private key file> --cert <certificate file>
          --cmu <ENI IP address>
```

# AWS CloudHSM Client SDK 3 configuration parameters
<a name="configure-tool-params"></a>

The following is a list of parameters to configure AWS CloudHSM Client SDK 3.

**-h | --help**  
Displays command syntax.  
Required: Yes

**-a *<ENI IP address>***  
Adds the specified HSM elastic network interface (ENI) IP address to AWS CloudHSM configuration files. Enter the ENI IP address of any one of the HSMs in the cluster. It does not matter which one you select.   
To get the ENI IP addresses of the HSMs in your cluster, use the [DescribeClusters](https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation, the [describe-clusters](https://docs.aws.amazon.com/cli/latest/reference/cloudhsmv2/describe-clusters.html) AWS CLI command, or the [Get-HSM2Cluster](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-HSM2Cluster.html) PowerShell cmdlet.   
Before running the `-a` **configure** command, stop the AWS CloudHSM client. Then, when the `-a` command completes, restart the AWS CloudHSM client. For details, [see the examples](configure-tool-examples.md). 
This parameter edits the following configuration files:  
+ `/opt/cloudhsm/etc/cloudhsm_client.cfg`: Used by the AWS CloudHSM client and [key_mgmt_util](key_mgmt_util.md). 
+ `/opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg`: Used by [cloudhsm_mgmt_util](cloudhsm_mgmt_util.md).
When the AWS CloudHSM client starts, it uses the ENI IP address in its configuration file to query the cluster and update the `cluster.info` file (`/opt/cloudhsm/daemon/1/cluster.info`) with the correct ENI IP addresses for all HSMs in the cluster.   
Required: Yes

**-m**  
Updates the HSM ENI IP addresses in the configuration file that CMU uses.   
The `-m` parameter is for use with CMU from Client SDK 3.2.1 and earlier. For CMU from Client SDK 3.3.0 and later, see the `--cmu` parameter, which simplifies the process of updating HSM data for CMU.
When you update the `-a` parameter of **configure** and then start the AWS CloudHSM client, the client daemon queries the cluster and updates the `cluster.info` file with the correct HSM IP addresses for all HSMs in the cluster. Running the `-m` **configure** command completes the update by copying the HSM IP addresses from `cluster.info` to the `cloudhsm_mgmt_util.cfg` configuration file that cloudhsm_mgmt_util uses.   
Be sure to run `-a` **configure** command and restart the AWS CloudHSM client before running the `-m` command. This ensures that the data copied into `cloudhsm_mgmt_util.cfg` from `cluster.info` is complete and accurate.   
Required: Yes

**-i**  
Specifies an alternate client daemon. The default value represents the AWS CloudHSM client.  
Default: `1`  
Required: No

**--ssl**  
Replaces the SSL key and certificate for the cluster with the specified private key and certificate. When you use this parameter, the `--pkey` and `--cert` parameters are required.   
Required: No

**--pkey**  
Specifies the new private key. Enter the path and file name of the file that contains the private key.  
Required: Yes if **--ssl** is specified. Otherwise, this should not be used.

**--cert**  
Specifies the new certificate. Enter the path and file name of the file that contains the certificate. The certificate should chain up to the `customerCA.crt` certificate, the self-signed certificate used to initialize the cluster. For more information, see [Initialize the Cluster](https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr).   
Required: Yes if **--ssl** is specified. Otherwise, this should not be used.

**--cmu *<ENI IP address>***  
Combines the `-a` and `-m` parameters into one parameter. Adds the specified HSM elastic network interface (ENI) IP address to AWS CloudHSM configuration files and then updates the CMU configuration file. Enter an IP address from any HSM in the cluster. For Client SDK 3.2.1 and earlier, see [Using CMU with Client SDK 3.2.1 and Earlier](understand-users.md#downlevel-cmu).  
Required: Yes

# AWS CloudHSM Client SDK 3 configuration examples
<a name="configure-tool-examples"></a>

These examples show how to use the **configure** tool for AWS CloudHSM Client SDK 3.

**Example : Update the HSM data for the AWS CloudHSM client and key_mgmt_util**  
This example uses the `-a` parameter of **configure** to update the HSM data for the AWS CloudHSM client and key_mgmt_util. To use the `-a` parameter, you must have the IP address for one of the HSMs in your cluster. Use either the console or the AWS CLI to get the IP address.   

**To get an IP address for an HSM (console)**

1. Open the AWS CloudHSM console at [https://console.aws.amazon.com/cloudhsm/home](https://console.aws.amazon.com/cloudhsm/home).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. To open the cluster detail page, in the cluster table, choose the cluster ID.

1. To get the IP address, go to the HSMs tab. For IPv4 clusters, choose an address listed under **ENI IPv4 address**. For dual-stack clusters, use either the ENI IPv4 address or the **ENI IPv6 address**. 

**To get an IP address for an HSM (AWS CLI)**
+ Get the IP address of an HSM by using the **[describe-clusters](https://docs.aws.amazon.com/cli/latest/reference/cloudhsmv2/describe-clusters.html)** command from the AWS CLI. In the output from the command, the IP addresses of the HSMs are the values of `EniIp` and `EniIpV6` (if it is a dual-stack cluster). 

  ```
  $ aws cloudhsmv2 describe-clusters
  {
      "Clusters": [
          { ... }
              "Hsms": [
                  {
  ...
                      "EniIp": "10.0.0.9",
  ...
                  },
                  {
  ...
                      "EniIp": "10.0.1.6",
                      "EniIpV6": "2600:113f:404:be09:310e:ed34:3412:f733",
  ...
  ```

**To update the HSM data**

1. Before updating the `-a` parameter, stop the AWS CloudHSM client. This prevents conflicts that might occur while **configure** edits the client's configuration file. If the client is already stopped, this command has no effect, so you can use it in a script.

------
#### [ Amazon Linux ]

   ```
   $ sudo stop cloudhsm-client
   ```

------
#### [ Amazon Linux 2 ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ CentOS 7 ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ CentOS 8 ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ RHEL 7 ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ RHEL 8 ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ Ubuntu 16.04 LTS ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ Ubuntu 18.04 LTS ]

   ```
   $ sudo service cloudhsm-client stop
   ```

------
#### [ Windows ]
   + For Windows client 1.1.2+:

     ```
     C:\Program Files\Amazon\CloudHSM>net.exe stop AWSCloudHSMClient
     ```
   + For Windows clients 1.1.1 and older:

     Use **Ctrl**+**C** in the command window where you started the AWS CloudHSM client.

------

1. This step uses the `-a` parameter of **configure** to add the `10.0.0.9` ENI IP address to the configurations files.

------
#### [ Amazon Linux ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ Amazon Linux 2 ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ CentOS 7 ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ CentOS 8 ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ RHEL 7 ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ RHEL 8 ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ Ubuntu 16.04 LTS ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ Ubuntu 18.04 LTS ]

   ```
   $ sudo /opt/cloudhsm/bin/configure -a 10.0.0.9
   ```

------
#### [ Windows ]

   ```
   PS C:\> & "C:\Program Files\Amazon\CloudHSM\configure.exe" -a 10.0.0.9
   ```

------

1. Next, restart the AWS CloudHSM client. When the client starts, it uses the ENI IP address in its configuration file to query the cluster. Then, it writes the ENI IP addresses of all HSMs in the cluster to the `cluster.info` file. 

------
#### [ Amazon Linux ]

   ```
   $ sudo start cloudhsm-client
   ```

------
#### [ Amazon Linux 2 ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ CentOS 7 ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ CentOS 8 ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ RHEL 7 ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ RHEL 8 ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ Ubuntu 16.04 LTS ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ Ubuntu 18.04 LTS ]

   ```
   $ sudo service cloudhsm-client start
   ```

------
#### [ Windows ]
   + For Windows client 1.1.2+:

     ```
     C:\Program Files\Amazon\CloudHSM>net.exe start AWSCloudHSMClient
     ```
   + For Windows clients 1.1.1 and older:

     ```
     C:\Program Files\Amazon\CloudHSM>start "cloudhsm_client" cloudhsm_client.exe C:\ProgramData\Amazon\CloudHSM\data\cloudhsm_client.cfg
     ```

------

   When the command completes, the HSM data that the AWS CloudHSM client and key_mgmt_util use is complete and accurate. 

**Example : Update the HSM Data for CMU from client SDK 3.2.1 and earlier**  
This example uses the `-m` **configure** command to copy the updated HSM data from the `cluster.info` file to the `cloudhsm_mgmt_util.cfg` file that cloudhsm_mgmt_util uses. Use this with the CMU that ships with Client SDK 3.2.1 and earlier.  
+ Before running the `-m` command, stop the AWS CloudHSM client, run the `-a` command, and then restart the AWS CloudHSM client, as shown in the [previous example](#configure-tool-examples). This ensures that the data copied into the `cloudhsm_mgmt_util.cfg` file from the `cluster.info` file is complete and accurate. 

------
#### [ Linux ]

  ```
  $ sudo /opt/cloudhsm/bin/configure -m
  ```

------
#### [ Windows ]

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\configure.exe" -m
  ```

------

**Example : Update the HSM Data for CMU from client SDK 3.3.0 and later**  
This example uses the `--cmu` parameter of the **configure** command to update HSM data for CMU. Use this with CMU that ships with Client SDK 3.3.0 and later. For more information about using CMU, see [Using CloudHSM Management Utility (CMU) to Manage Users](manage-hsm-users-cmu.md) and [Using CMU with Client SDK 3.2.1 and Earlier](understand-users.md#downlevel-cmu).  
+ Use the `--cmu` parameter to pass the IP address of an HSM in your cluster.

------
#### [ Linux ]

  ```
  $ sudo /opt/cloudhsm/bin/configure --cmu <IP address>
  ```

------
#### [ Windows ]

  ```
  PS C:\> & "C:\Program Files\Amazon\CloudHSM\configure.exe" --cmu <IP address>
  ```

------
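The steps above (read an HSM ENI address out of `describe-clusters` output, stop the client, run `configure -a`, restart the client, then finish the CMU update with `-m` or `--cmu` depending on the Client SDK 3 version) can be assembled mechanically. The following Python is an added example, not code from the AWS CloudHSM documentation: it reads only the `Clusters`, `Hsms`, `EniIp` and `EniIpV6` fields shown on this page, the sample JSON is constructed, and the function names (`hsm_eni_ips`, `uses_cmu_parameter`, `configure_plan`) and the way the SDK version string is supplied are this example's own assumptions.

```python
"""Plan the Client SDK 3 configure steps from `aws cloudhsmv2 describe-clusters`.

Added example; not part of the AWS CloudHSM documentation. It uses only the
JSON fields the documentation shows (Clusters[].Hsms[].EniIp / EniIpV6) and
emits the command sequence the SDK 3 procedure describes for Amazon Linux 2
(service-based) hosts or for Windows client 1.1.2+ hosts.
"""
import ipaddress
import json
from typing import List, Tuple

# Constructed sample shaped like the documentation's describe-clusters output:
# two HSMs, the second one on a dual-stack ENI. ClusterId is a placeholder.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [{
        "ClusterId": "cluster-EXAMPLE",
        "Hsms": [
            {"EniIp": "10.0.0.9"},
            {"EniIp": "10.0.1.6",
             "EniIpV6": "2600:113f:404:be09:310e:ed34:3412:f733"},
        ],
    }]
})

# Exactly the invocations shown in the documentation for each platform.
LINUX_CONFIGURE = "sudo /opt/cloudhsm/bin/configure"
WINDOWS_CONFIGURE = '& "C:\\Program Files\\Amazon\\CloudHSM\\configure.exe"'


def hsm_eni_ips(describe_output: str, prefer_ipv6: bool = False) -> List[str]:
    """Return one ENI address per HSM, each validated as an IP literal.

    IPv4 (EniIp) is used unless prefer_ipv6 is set and the HSM has EniIpV6.
    A value that is not a well-formed address raises ValueError rather than
    being passed on to `configure -a`.
    """
    data = json.loads(describe_output)
    ips: List[str] = []
    for cluster in data.get("Clusters", []):
        for hsm in cluster.get("Hsms", []):
            v4, v6 = hsm.get("EniIp"), hsm.get("EniIpV6")
            chosen = v6 if (prefer_ipv6 and v6) else (v4 or v6)
            if chosen is None:
                continue
            ipaddress.ip_address(chosen)  # ValueError on garbage
            ips.append(chosen)
    return ips


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); numeric so that 3.10.0 sorts after 3.3.0."""
    return tuple(int(part) for part in version.split("."))


def uses_cmu_parameter(sdk_version: str) -> bool:
    """CMU from Client SDK 3.3.0 and later takes --cmu; earlier CMU needs -m."""
    return parse_version(sdk_version) >= (3, 3, 0)


def configure_plan(describe_output: str, sdk_version: str,
                   windows: bool = False) -> List[str]:
    """Ordered commands: stop client, configure -a, start client, CMU update."""
    ips = hsm_eni_ips(describe_output)
    if not ips:
        raise ValueError("describe-clusters output lists no HSM ENI addresses")
    eni_ip = ips[0]  # the documentation says any HSM in the cluster will do
    if windows:
        stop, start = "net.exe stop AWSCloudHSMClient", "net.exe start AWSCloudHSMClient"
        configure = WINDOWS_CONFIGURE
    else:
        stop, start = "sudo service cloudhsm-client stop", "sudo service cloudhsm-client start"
        configure = LINUX_CONFIGURE
    # -a must run while the client is stopped; the restarted client then
    # refreshes cluster.info, which -m copies into cloudhsm_mgmt_util.cfg.
    plan = [stop, f"{configure} -a {eni_ip}", start]
    if uses_cmu_parameter(sdk_version):
        plan.append(f"{configure} --cmu {eni_ip}")  # combines -a and -m for CMU
    else:
        plan.append(f"{configure} -m")
    return plan


if __name__ == "__main__":
    for line in configure_plan(SAMPLE_DESCRIBE_CLUSTERS, "3.2.1"):
        print(line)
```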

# AWS CloudHSM Client SDK 3 configuration related topics
<a name="configure-tool-seealso"></a>

See the following related topics to learn more about the AWS CloudHSM Client SDK 3.
+ [Set up AWS CloudHSM key_mgmt_util](key_mgmt_util-setup.md)