

# Using CloudHSM Management Utility (CMU) to manage quorum authentication (M of N access control)
<a name="quorum-authentication"></a>

The HSMs in your AWS CloudHSM cluster support quorum authentication, which is also known as M of N access control. With quorum authentication, no single user on the HSM can do quorum-controlled operations on the HSM. Instead, a minimum number of HSM users (at least 2) must cooperate to do these operations. With quorum authentication, you can add an extra layer of protection by requiring approvals from more than one HSM user.

Quorum authentication can control the following operations:
+ HSM user management by [crypto officers (COs)](understanding-users-cmu.md#crypto-officer) – Creating and deleting HSM users, and changing a different HSM user's password. For more information, see [User management with quorum authentication enabled for AWS CloudHSM Management Utility](quorum-authentication-crypto-officers.md).

Note the following additional information about using quorum authentication in AWS CloudHSM.
+ An HSM user can sign their own quorum token—that is, the requesting user can provide one of the required approvals for quorum authentication.
+ You choose the minimum number of quorum approvers for quorum-controlled operations. The smallest number you can choose is two (2), and the largest number you can choose is eight (8).
+ The HSM can store up to 1024 quorum tokens. If the HSM already has 1024 tokens when you try to create a new one, the HSM purges one of the expired tokens. By default, tokens expire ten minutes after their creation.
+ The cluster uses the same key for quorum authentication and for two-factor authentication (2FA). For more information about using quorum authentication and 2FA, see [Quorum Authentication and 2FA](quorum-2fa.md).

The following topics provide more information about quorum authentication in AWS CloudHSM.

**Topics**
+ [Quorum authentication process](quorum-authentication-overview.md)
+ [First time setup](quorum-authentication-crypto-officers-first-time-setup.md)
+ [User management with quorum (M of N)](quorum-authentication-crypto-officers.md)
+ [Change the minimum value](quorum-authentication-crypto-officers-change-minimum-value.md)

# Quorum authentication process for AWS CloudHSM Management Utility
<a name="quorum-authentication-overview"></a>

The following steps summarize the quorum authentication processes. For the specific steps and tools, see [User management with quorum authentication enabled for AWS CloudHSM Management Utility](quorum-authentication-crypto-officers.md).

1. Each HSM user creates an asymmetric key for signing. They do this outside of the HSM, taking care to protect the key appropriately.

1. Each HSM user logs in to the HSM and registers the public part of their signing key (the public key) with the HSM.

1. When an HSM user wants to do a quorum-controlled operation, each user logs in to the HSM and gets a *quorum token*.

1. The HSM user gives the quorum token to one or more other HSM users and asks for their approval.

1. The other HSM users approve by using their keys to cryptographically sign the quorum token. This occurs outside the HSM.

1. When the HSM user has the required number of approvals, the same user logs in to the HSM and gives the quorum token and approvals (signatures) to the HSM.

1. The HSM uses the registered public keys of each signer to verify the signatures. If the signatures are valid, the HSM approves the token.

1. The HSM user can now do a quorum-controlled operation.

# Set up quorum authentication for AWS CloudHSM crypto officers
<a name="quorum-authentication-crypto-officers-first-time-setup"></a>

The following topics describe the steps that you must complete to configure your hardware security module (HSM) so that AWS CloudHSM [crypto officers (COs)](understanding-users-cmu.md#crypto-officer) can use quorum authentication. You need to do these steps only once when you first configure quorum authentication for COs. After you complete these steps, see [User management with quorum authentication enabled for AWS CloudHSM Management Utility](quorum-authentication-crypto-officers.md).

**Topics**
+ [Prerequisites](#quorum-crypto-officers-prerequisites)
+ [Step 1. Create and register a key for signing](#quorum-crypto-officers-create-and-register-key)
+ [Step 2. Set the quorum minimum value on the HSM](#quorum-crypto-officers-set-quorum-minimum-value)

## Prerequisites
<a name="quorum-crypto-officers-prerequisites"></a>

To understand this example, you should be familiar with the [cloudhsm_mgmt_util (CMU) command line tool](cloudhsm_mgmt_util.md). In this example, the AWS CloudHSM cluster has two HSMs, each with the same COs, as shown in the following output from the **listUsers** command. For more information about creating users, see [HSM users](manage-hsm-users.md).

```
aws-cloudhsm > listUsers
Users on server 0(10.0.2.14):
Number of users found:7

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                 NO               0               NO
         4              CO              officer2                                 NO               0               NO
         5              CO              officer3                                 NO               0               NO
         6              CO              officer4                                 NO               0               NO
         7              CO              officer5                                 NO               0               NO
Users on server 1(10.0.1.4):
Number of users found:7

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                 NO               0               NO
         4              CO              officer2                                 NO               0               NO
         5              CO              officer3                                 NO               0               NO
         6              CO              officer4                                 NO               0               NO
         7              CO              officer5                                 NO               0               NO
```

## Step 1. Create and register a key for signing
<a name="quorum-crypto-officers-create-and-register-key"></a>

To use quorum authentication, each CO must do *all* of the following steps: 

**Topics**
+ [Create an RSA key pair](#mofn-key-pair-create)
+ [Create and sign a registration token](#mofn-registration-token)
+ [Register the public key with the HSM](#mofn-register-key)

### Create an RSA key pair
<a name="mofn-key-pair-create"></a>

There are many different ways to create and protect a key pair. The following examples show how to do it with [OpenSSL](https://www.openssl.org/).

**Example – Create a private key with OpenSSL**  
The following example demonstrates how to use OpenSSL to create a 2048-bit RSA key that is protected by a pass phrase. To use this example, replace *officer1.key* with the name of the file where you want to store the key.  

```
$ openssl genrsa -out officer1.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for officer1.key:
Verifying - Enter pass phrase for officer1.key:
```

Next, generate the public key using the private key that you just created.

**Example – Create a public key with OpenSSL**  
The following example demonstrates how to use OpenSSL to create a public key from the private key you just created.   

```
$ openssl rsa -in officer1.key -outform PEM -pubout -out officer1.pub
Enter pass phrase for officer1.key:
writing RSA key
```

### Create and sign a registration token
<a name="mofn-registration-token"></a>

 You create a token and sign it with the private key you just generated in the previous step.

**Example – Create a token**  
The registration token is just a file of up to 245 bytes. Its content is arbitrary, because signing it only proves that you hold the private key that matches the public key you are registering. The following command uses echo to write a string to a file. Note that echo appends a newline, which becomes part of the data you sign, so sign and register this exact file.  

```
$ echo <token to be signed> > officer1.token
```

Sign the token and save the signature to a separate file. You will need the signature file, the token file, and the public key to register the CO as an MofN user with the HSM. 

**Example – Sign the token**  
Use OpenSSL and the private key to sign the registration token and create the signature file.  

```
$ openssl dgst -sha256 \
    -sign officer1.key \
    -out officer1.token.sig officer1.token
```
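The key generation, token creation and signing steps above can be run as one script that also checks the result before anything is registered. The following is an added example, not AWS or CMU code. It assumes `openssl` 1.1 or later on PATH, reads the key passphrase from the `CO_KEY_PASS` environment variable (an assumed name) through OpenSSL's standard `env:` passphrase source so that the passphrase never appears on a command line or in shell history, and defines the hypothetical helpers `mofn_prepare`, `mofn_token_ok` and `mofn_verify`.

```shell
#!/bin/sh
# Added example, not AWS or CMU code: generate one CO's M of N signing
# material with the same OpenSSL operations shown above, then self-check
# it before the files are given to registerQuorumPubKey.
# Assumptions: openssl 1.1 or later on PATH; the private-key passphrase
# is exported as CO_KEY_PASS (assumed name) and read via the standard
# "env:" source, so it never appears on a command line or in history.

# mofn_prepare NAME DIR
# Writes DIR/NAME.key (AES-256 wrapped), DIR/NAME.pub, DIR/NAME.token and
# DIR/NAME.token.sig. Returns non-zero if any step or check fails.
mofn_prepare() {
    name=$1
    dir=$2
    [ -n "$CO_KEY_PASS" ] || { echo "export CO_KEY_PASS first" >&2; return 1; }
    mkdir -p "$dir" || return 1

    # 1. Passphrase-protected RSA-2048 private key (the interactive
    #    "genrsa -aes256" call above, with the passphrase taken from the env).
    openssl genrsa -aes256 -passout env:CO_KEY_PASS \
        -out "$dir/$name.key" 2048 || return 1
    chmod 600 "$dir/$name.key"

    # 2. Public key in PEM form; this is the file the HSM stores for the CO.
    openssl rsa -in "$dir/$name.key" -passin env:CO_KEY_PASS \
        -pubout -out "$dir/$name.pub" || return 1

    # 3. Registration token: random bytes instead of a typed string, far
    #    below the 245-byte limit (24 random bytes -> 33 bytes of base64).
    openssl rand -base64 24 > "$dir/$name.token" || return 1

    # 4. RSA PKCS#1 v1.5 signature over the SHA-256 digest of the token
    #    (the SHA256_PKCS mechanism the HSM verifies).
    openssl dgst -sha256 -sign "$dir/$name.key" -passin env:CO_KEY_PASS \
        -out "$dir/$name.token.sig" "$dir/$name.token" || return 1

    # 5. Check the triple locally: size limit, and the signature verifies
    #    with exactly the public key that is about to be registered.
    mofn_token_ok "$dir/$name.token" || { echo "token too large" >&2; return 1; }
    mofn_verify "$dir/$name.pub" "$dir/$name.token" "$dir/$name.token.sig" \
        || { echo "signature does not verify" >&2; return 1; }
}

# mofn_token_ok TOKEN: true when TOKEN is non-empty and at most 245 bytes.
mofn_token_ok() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le 245 ]
}

# mofn_verify PUB TOKEN SIG: true when SIG is a valid SHA256_PKCS signature
# over TOKEN made by the private key matching PUB.
mofn_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
```

Set `CO_KEY_PASS` in the environment (for example from a prompt with `read -r -s`), run `mofn_prepare officer1 ~/mofn`, and then pass `officer1.token`, `officer1.token.sig` and `officer1.pub` to **registerQuorumPubKey** as described in the next section. The verify step is the cheap check that the signature was made with the key whose public half you are registering, and over this exact token file: a token edited after signing, or signed with another officer's key, fails here rather than on the HSM.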

### Register the public key with the HSM
<a name="mofn-register-key"></a>

After creating a key, the CO must register the public part of the key (the public key) with the HSM.

**To register a public key with the HSM**

1. Use the following command to start the cloudhsm_mgmt_util command line tool.

   ```
   $ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
   ```

1. Use the **loginHSM** command to log in to the HSM as a CO. For more information, see [HSM user management with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md).

1. Use the **[registerQuorumPubKey](cloudhsm_mgmt_util-registerQuorumPubKey.md)** command to register the public key. For more information, see the following example or use the **help registerQuorumPubKey** command.

**Example – Register a public key with the HSM**  
The following example shows how to use the **registerQuorumPubKey** command in the cloudhsm_mgmt_util command line tool to register a CO's public key with the HSM. To use this command, the CO must be logged in to the HSM. Replace these values with your own:  

```
aws-cloudhsm > registerQuorumPubKey CO <officer1> <officer1.token> <officer1.token.sig> <officer1.pub>
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
registerQuorumPubKey success on server 0(10.0.2.14)
```  
**<officer1.token>**  
The path to a file that contains an unsigned registration token. Can have any random data of max file size of 245 bytes.   
Required: Yes  
**<officer1.token.sig>**  
The path to a file that contains the signature of the registration token: an RSA PKCS#1 v1.5 signature over the token's SHA-256 digest (the SHA256_PKCS mechanism), which is what `openssl dgst -sha256 -sign` produces.  
Required: Yes  
**<officer1.pub>**  
The path to the file that contains the public key of an asymmetric RSA-2048 key pair. Use the private key to sign the registration token.   
Required: Yes
After all COs register their public keys, the output from the **listUsers** command shows this in the `MofnPubKey` column, as shown in the following example.  

```
aws-cloudhsm > listUsers
Users on server 0(10.0.2.14):
Number of users found:7

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                YES               0               NO
         4              CO              officer2                                YES               0               NO
         5              CO              officer3                                YES               0               NO
         6              CO              officer4                                YES               0               NO
         7              CO              officer5                                YES               0               NO
Users on server 1(10.0.1.4):
Number of users found:7

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                YES               0               NO
         4              CO              officer2                                YES               0               NO
         5              CO              officer3                                YES               0               NO
         6              CO              officer4                                YES               0               NO
         7              CO              officer5                                YES               0               NO
```

## Step 2. Set the quorum minimum value on the HSM
<a name="quorum-crypto-officers-set-quorum-minimum-value"></a>

To use quorum authentication for COs, a CO must log in to the HSM and then set the *quorum minimum value*, also known as the *m value*. This is the minimum number of CO approvals that are required to perform HSM user management operations. Any CO on the HSM can set the quorum minimum value, including COs that have not registered a key for signing. You can change the quorum minimum value at any time; for more information, see [Change the minimum value](quorum-authentication-crypto-officers-change-minimum-value.md).

**To set the quorum minimum value on the HSM**

1. Use the following command to start the cloudhsm_mgmt_util command line tool.

   ```
   $ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
   ```

1. Use the **loginHSM** command to log in to the HSM as a CO. For more information, see [HSM user management with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md).

1. Use the **setMValue** command to set the quorum minimum value. For more information, see the following example or use the **help setMValue** command.

**Example – Set the quorum minimum value on the HSM**  
This example uses a quorum minimum value of two. You can choose any value from two (2) to eight (8), up to the total number of COs on the HSM. In this example, the HSM has six COs (the PCO `admin` plus officer1 through officer5), so the maximum possible value is six. Only COs that have registered a signing key can approve a token, so do not set a value higher than the number of registered keys; otherwise no quorum-controlled operation can complete until enough COs have registered keys.  
To use the following example command, replace the final number (*2*) with the preferred quorum minimum value.  

```
aws-cloudhsm > setMValue 3 <2>
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Setting M Value(2) for 3 on 2 nodes
```

In the preceding example, the first number (3) identifies the *HSM service* whose quorum minimum value you are setting.

The following table lists the HSM service identifiers along with their names, descriptions, and the commands that are included in the service.


| Service Identifier | Service Name | Service Description | HSM Commands | 
| --- | --- | --- | --- | 
| 3 | USER_MGMT | HSM user management | Includes **createUser**, **deleteUser**, and **changePswd** | 
| 4 | MISC_CO | Miscellaneous CO service | Includes **setMValue** | 

To get the quorum minimum value for a service, use the **getMValue** command, as in the following example.

```
aws-cloudhsm > getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
```

The output from the preceding **getMValue** command shows that the quorum minimum value for HSM user management operations (service 3) is now two.

After you complete these steps, see [User management with quorum authentication enabled for AWS CloudHSM Management Utility](quorum-authentication-crypto-officers.md).

# User management with quorum authentication enabled for AWS CloudHSM Management Utility
<a name="quorum-authentication-crypto-officers"></a>

An AWS CloudHSM [crypto officer (CO)](understanding-users-cmu.md#crypto-officer) on the hardware security module (HSM) can configure quorum authentication for the following operations on the HSM:
+ Creating HSM users
+ Deleting HSM users
+ Changing another HSM user's password

After the HSM is configured for quorum authentication, COs cannot perform HSM user management operations on their own. The following example shows the output when a CO attempts to create a new user on the HSM. The command fails with a `RET_MXN_AUTH_FAILED` error, which indicates that quorum authentication failed.

```
aws-cloudhsm > createUser CU user1 password
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Creating User user1(CU) on 2 nodes
createUser failed: RET_MXN_AUTH_FAILED
creating user on server 0(10.0.2.14) failed

Retry/Ignore/Abort?(R/I/A): A
```

To perform an HSM user management operation, a CO must complete the following tasks:

1. [Get a *quorum token*](#quorum-crypto-officers-get-token).

1. [Get approvals (signatures) from other COs](#quorum-crypto-officers-get-approval-signatures).

1. [Approve the token on the HSM](#quorum-crypto-officers-approve-token).

1. [Perform the HSM user management operation](#quorum-crypto-officers-use-token).

If you have not yet configured the HSM for quorum authentication for COs, do that now. For more information, see [First time setup](quorum-authentication-crypto-officers-first-time-setup.md).

## Step 1. Get a quorum token
<a name="quorum-crypto-officers-get-token"></a>

First the CO must use the cloudhsm_mgmt_util command line tool to request a *quorum token*.

**To get a quorum token**

1. Use the following command to start the cloudhsm_mgmt_util command line tool.

   ```
   $ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
   ```

1. Use the **loginHSM** command to log in to the HSM as a CO. For more information, see [HSM user management with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md).

1. Use the **getToken** command to get a quorum token. For more information, see the following example or use the **help getToken** command.

**Example – Get a quorum token**  
This example gets a quorum token for the CO with user name officer1 and saves the token to a file named `officer1.token`. To use the example command, replace these values with your own:  
+ *officer1* – The name of the CO who is getting the token. This must be the same CO who is logged in to the HSM and is running this command.
+ *officer1.token* – The name of the file to use for storing the quorum token.
In the following command, `3` identifies the *service* for which you can use the token that you are getting. In this case, the token is for HSM user management operations (service 3). For more information, see [Step 2. Set the quorum minimum value on the HSM](quorum-authentication-crypto-officers-first-time-setup.md#quorum-crypto-officers-set-quorum-minimum-value).  

```
aws-cloudhsm > getToken 3 officer1 officer1.token
getToken success on server 0(10.0.2.14)
Token:
Id:1
Service:3
Node:1
Key Handle:0
User:officer1
getToken success on server 1(10.0.1.4)
Token:
Id:1
Service:3
Node:0
Key Handle:0
User:officer1
```

## Step 2. Get signatures from approving COs
<a name="quorum-crypto-officers-get-approval-signatures"></a>

A CO who has a quorum token must get the token approved by other COs. To give their approval, the other COs use their signing key to cryptographically sign the token. They do this outside the HSM.

There are many different ways to sign the token. The following example shows how to do it with [OpenSSL](https://www.openssl.org/). To use a different signing tool, make sure that it produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of the token file (the same SHA256_PKCS mechanism used for the registration token) with the CO's private key (signing key), and that every approver signs the same token file byte for byte.

**Example – Get signatures from approving COs**  
In this example, the CO that has the token (officer1) needs at least two approvals. The following example commands show how two COs can use OpenSSL to cryptographically sign the token.  
In the first command, officer1 signs his or her own token. To use the following example commands, replace these values with your own:  
+ *officer1.key* and *officer2.key* – The name of the file that contains the CO's signing key.
+ *officer1.token.sig1* and *officer1.token.sig2* – The name of the file to use for storing the signature. Make sure to save each signature in a different file.
+ *officer1.token* – The name of the file that contains the token that the CO is signing.

```
$ openssl dgst -sha256 -sign officer1.key -out officer1.token.sig1 officer1.token
Enter pass phrase for officer1.key:
```
In the following command, officer2 signs the same token.  

```
$ openssl dgst -sha256 -sign officer2.key -out officer1.token.sig2 officer1.token
Enter pass phrase for officer2.key:
```

## Step 3. Approve the signed token on the HSM
<a name="quorum-crypto-officers-approve-token"></a>

After a CO gets the minimum number of approvals (signatures), counting his or her own signature if one was provided, he or she must approve the signed token on the HSM.

**To approve the signed token on the HSM**

1. Create a token approval file. For more information, see the following example.

1. Use the following command to start the cloudhsm_mgmt_util command line tool.

   ```
   $ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
   ```

1. Use the **loginHSM** command to log in to the HSM as a CO. For more information, see [HSM user management with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md).

1. Use the **approveToken** command to approve the signed token, passing the token approval file. For more information, see the following example.

**Example – Create a token approval file and approve the signed token on the HSM**  
The token approval file is a text file in a particular format that the HSM requires. The file contains information about the token, its approvers, and the approvers' signatures. The following shows an example token approval file.  

```
# For "Multi Token File Path", type the path to the file that contains
# the token. You can type the same value for "Token File Path", but
# that's not required. The "Token File Path" line is required in any
# case, regardless of whether you type a value.
Multi Token File Path = officer1.token;
Token File Path = ;

# Total number of approvals
Number of Approvals = 2;

# Approver 1
# Type the approver's type, name, and the path to the file that
# contains the approver's signature.
Approver Type = 2; # 2 for CO, 1 for CU
Approver Name = officer1;
Approval File = officer1.token.sig1;

# Approver 2
# Type the approver's type, name, and the path to the file that
# contains the approver's signature.
Approver Type = 2; # 2 for CO, 1 for CU
Approver Name = officer2;
Approval File = officer1.token.sig2;
```
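Writing the approval file by hand is error-prone: an approver name that does not match the CO whose key produced the signature, or an approval count below the quorum minimum value, is only discovered when **approveToken** fails on the HSM. The following shell function is an added example, not AWS or CMU code. It assumes `openssl` on PATH, a directory named by `PUBDIR` (an assumed name, defaulting to the current directory) that holds a copy of each CO's registered public key as `NAME.pub`, approvers passed as `NAME=SIGFILE` arguments, and that all approvers are COs (Approver Type 2). It verifies each signature against the named CO's public key, rejects a CO listed twice, refuses to write a file with fewer than M approvals, and then emits the approval file in the format shown above.

```shell
#!/bin/sh
# Added example, not AWS or CMU code: build the token approval file in the
# format shown above, after checking every approval locally.
# Assumptions: openssl on PATH; PUBDIR (assumed name, default ".") holds a
# copy of each CO's registered public key as NAME.pub; approvers are given
# as NAME=SIGFILE arguments; all approvers are COs (Approver Type 2).

# mofn_build_approval TOKEN M OUTFILE NAME=SIGFILE [NAME=SIGFILE ...]
# M is the quorum minimum value reported by getMValue for the service.
mofn_build_approval() {
    token=$1; m=$2; out=$3; shift 3
    n=$#
    seen=" "

    # approveToken needs at least M approvals; fail before the CMU round trip.
    [ "$n" -ge "$m" ] || { echo "need $m approvals, have $n" >&2; return 1; }

    for pair in "$@"; do
        name=${pair%%=*}; sig=${pair#*=}
        # A quorum is M distinct officers: treat the same CO listed twice as
        # a mistake rather than letting the HSM sort it out.
        case "$seen" in
            *" $name "*) echo "duplicate approver $name" >&2; return 1 ;;
        esac
        seen="$seen$name "
        # The signature must be this CO's SHA256_PKCS signature over this
        # exact token file, checked against the key the HSM has on record.
        openssl dgst -sha256 -verify "${PUBDIR:-.}/$name.pub" \
            -signature "$sig" "$token" >/dev/null 2>&1 \
            || { echo "$sig is not $name's signature over $token" >&2; return 1; }
    done

    # Emit the approval file; the token path goes in "Multi Token File Path"
    # and "Token File Path" is left empty, as in the example above.
    {
        printf 'Multi Token File Path = %s;\n' "$token"
        printf 'Token File Path = ;\n\n'
        printf 'Number of Approvals = %s;\n' "$n"
        for pair in "$@"; do
            name=${pair%%=*}; sig=${pair#*=}
            printf '\nApprover Type = 2;\nApprover Name = %s;\nApproval File = %s;\n' \
                "$name" "$sig"
        done
    } > "$out"
}

# Usage (after the signing step above):
#   PUBDIR=./registered mofn_build_approval officer1.token 2 approval.txt \
#       officer1=officer1.token.sig1 officer2=officer1.token.sig2
```

The local verification mirrors what the HSM does with the registered public keys, so a mismatch between an `Approver Name` and the key that actually signed the file surfaces on the workstation with a readable message instead of as a failed **approveToken**. Keep the `PUBDIR` copies in sync with what was registered; a stale copy makes the check either pass or fail for the wrong reason.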
After creating the token approval file, the CO uses the cloudhsm_mgmt_util command line tool to log in to the HSM. The CO then uses the **approveToken** command to approve the token, as shown in the following example. Replace *approval.txt* with the name of the token approval file.  

```
aws-cloudhsm > approveToken approval.txt
approveToken success on server 0(10.0.2.14)
approveToken success on server 1(10.0.1.4)
```
When this command succeeds, the HSM has approved the quorum token. To check the status of a token, use the **listTokens** command, as shown in the following example. The command's output shows that the token has the required number of approvals.  
The token validity time indicates how long the HSM guarantees to keep the token. A token can still be used after its validity time reaches zero seconds, but an expired token is a candidate for purging when the HSM needs room for a new one (the HSM stores at most 1024 tokens), so do not rely on an expired token remaining available.  

```
aws-cloudhsm > listTokens
=====================
    Server 0(10.0.2.14)
=====================
-------- Token - 0 ----------
Token:
Id:1
Service:3
Node:1
Key Handle:0
User:officer1
Token Validity: 506 sec
Required num of approvers : 2
Current num of approvals : 2
Approver-0: officer1
Approver-1: officer2
Num of tokens = 1

=====================
    Server 1(10.0.1.4)
=====================
-------- Token - 0 ----------
Token:
Id:1
Service:3
Node:0
Key Handle:0
User:officer1
Token Validity: 506 sec
Required num of approvers : 2
Current num of approvals : 2
Approver-0: officer1
Approver-1: officer2
Num of tokens = 1

listTokens success
```

## Step 4. Use the token for user management operations
<a name="quorum-crypto-officers-use-token"></a>

After a CO has a token with the required number of approvals, as shown in the previous section, the CO can perform one of the following HSM user management operations:
+ Create an HSM user with the [createUser](cloudhsm_mgmt_util-createUser.md) command
+ Delete an HSM user with the **deleteUser** command
+ Change a different HSM user's password with the **changePswd** command

For more information about using these commands, see [HSM users](manage-hsm-users.md).

The CO can use the token for only one operation. When that operation succeeds, the token is no longer valid. To do another HSM user management operation, the CO must get a new quorum token, get new signatures from approvers, and approve the new token on the HSM.

**Note**  
The MofN token is only valid as long as your current login session is open. If you log out of cloudhsm_mgmt_util or the network connection disconnects, the token is no longer valid. Similarly, an authorized token can only be used within cloudhsm_mgmt_util; it cannot be used to authenticate in a different application.

In the following example command, the CO creates a new user on the HSM.

```
aws-cloudhsm > createUser CU user1 <password>
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Creating User user1(CU) on 2 nodes
```

After the previous command succeeds, a subsequent **listUsers** command shows the new user.

```
aws-cloudhsm > listUsers
Users on server 0(10.0.2.14):
Number of users found:8

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                YES               0               NO
         4              CO              officer2                                YES               0               NO
         5              CO              officer3                                YES               0               NO
         6              CO              officer4                                YES               0               NO
         7              CO              officer5                                YES               0               NO
         8              CU              user1                                    NO               0               NO
Users on server 1(10.0.1.4):
Number of users found:8

    User Id             User Type       User Name                          MofnPubKey    LoginFailureCnt         2FA
         1              PCO             admin                                    NO               0               NO
         2              AU              app_user                                 NO               0               NO
         3              CO              officer1                                YES               0               NO
         4              CO              officer2                                YES               0               NO
         5              CO              officer3                                YES               0               NO
         6              CO              officer4                                YES               0               NO
         7              CO              officer5                                YES               0               NO
         8              CU              user1                                    NO               0               NO
```

If the CO tries to perform another HSM user management operation, it fails with a quorum authentication error, as shown in the following example.

```
aws-cloudhsm > deleteUser CU user1
Deleting user user1(CU) on 2 nodes
deleteUser failed: RET_MXN_AUTH_FAILED
deleteUser failed on server 0(10.0.2.14)

Retry/rollBack/Ignore?(R/B/I): I
deleteUser failed: RET_MXN_AUTH_FAILED
deleteUser failed on server 1(10.0.1.4)

Retry/rollBack/Ignore?(R/B/I): I
```

The **listTokens** command shows that the CO has no approved tokens, as shown in the following example. To perform another HSM user management operation, the CO must get a new quorum token, get new signatures from approvers, and approve the new token on the HSM.

```
aws-cloudhsm > listTokens
=====================
    Server 0(10.0.2.14)
=====================
Num of tokens = 0

=====================
    Server 1(10.0.1.4)
=====================
Num of tokens = 0

listTokens success
```

# Change the quorum minimum value with AWS CloudHSM Management Utility
<a name="quorum-authentication-crypto-officers-change-minimum-value"></a>

After you [set the quorum minimum value](quorum-authentication-crypto-officers-first-time-setup.md#quorum-crypto-officers-set-quorum-minimum-value) so that AWS CloudHSM [crypto officers (COs)](understanding-users-cmu.md#crypto-officer) can use quorum authentication, you might want to change the quorum minimum value. The HSM allows you to change the quorum minimum value only when the number of approvers is the same or higher than the current quorum minimum value. For example, if the quorum minimum value is two, at least two COs must approve to change the quorum minimum value.

To get quorum approval to change the quorum minimum value, you need a *quorum token* for the **setMValue** command (service 4). To get a quorum token for the **setMValue** command (service 4), the quorum minimum value for service 4 must be higher than one. This means that before you can change the quorum minimum value for COs (service 3), you might need to change the quorum minimum value for service 4.

The following table lists the HSM service identifiers along with their names, descriptions, and the commands that are included in the service.


| Service Identifier | Service Name | Service Description | HSM Commands | 
| --- | --- | --- | --- | 
| 3 | USER_MGMT | HSM user management |  **createUser**, **deleteUser**, **changePswd** (changing a different HSM user's password)  | 
| 4 | MISC_CO | Miscellaneous CO service |  **setMValue**  | 

**To change the quorum minimum value for crypto officers**

1. Use the following command to start the cloudhsm_mgmt_util command line tool.

   ```
   $ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
   ```

1. Use the **loginHSM** command to log in to the HSM as a CO. For more information, see [HSM user management with CloudHSM Management Utility (CMU)](manage-hsm-users-cmu.md).

1. Use the **getMValue** command to get the quorum minimum value for service 3. For more information, see the following example.

1. Use the **getMValue** command to get the quorum minimum value for service 4. For more information, see the following example.

1. If the quorum minimum value for service 4 is lower than the value for service 3, use the **setMValue** command to change the value for service 4. Change the value for service 4 to one that is the same or higher than the value for service 3. For more information, see the following example.

1. [Get a *quorum token*](quorum-authentication-crypto-officers.md#quorum-crypto-officers-get-token), taking care to specify service 4 as the service for which you can use the token.

1. [Get approvals (signatures) from other COs](quorum-authentication-crypto-officers.md#quorum-crypto-officers-get-approval-signatures).

1. [Approve the token on the HSM](quorum-authentication-crypto-officers.md#quorum-crypto-officers-approve-token).

1. Use the **setMValue** command to change quorum minimum value for service 3 (user management operations performed by COs).

**Example – Get quorum minimum values and change the value for service 4**  
The following example command shows that the quorum minimum value for service 3 is currently two.  

```
aws-cloudhsm > getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
```
The following example command shows that the quorum minimum value for service 4 is currently one.  

```
aws-cloudhsm > getMValue 4
MValue of service 4[MISC_CO] on server 0 : [1]
MValue of service 4[MISC_CO] on server 1 : [1]
```
To change the quorum minimum value for service 4, use the **setMValue** command, setting a value that is the same or higher than the value for service 3. The following example sets the quorum minimum value for service 4 to two (2), the same value that is set for service 3.  

```
aws-cloudhsm > setMValue 4 2
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the
cluster. AWS does NOT synchronize these changes automatically with the
nodes on which this operation is not executed or failed, please
ensure this operation is executed on all nodes in the cluster.
****************************************************************

Do you want to continue(y/n)? y
Setting M Value(2) for 4 on 2 nodes
```
The following commands show that the quorum minimum value is now two for service 3 and service 4.  

```
aws-cloudhsm > getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
```

```
aws-cloudhsm > getMValue 4
MValue of service 4[MISC_CO] on server 0 : [2]
MValue of service 4[MISC_CO] on server 1 : [2]
```
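The following helper is an added example written for this page, not part of the AWS CloudHSM tooling or documentation. It turns the procedure above into a checkable plan: it parses pasted **getMValue** output for services 3 and 4, refuses to proceed if the nodes disagree (the CAUTION that CMU prints warns that **setMValue** is not synchronized across nodes, so a split value means an earlier change did not land everywhere), and then applies the page's rule that service 4 must be at least the service 3 value before a quorum token for **setMValue** can be obtained. The sample outputs are constructed to mirror the before-change state shown above; the descriptive step strings (other than the literal `setMValue` commands) are this example's wording, not CMU commands.

```python
"""Plan a change of the CO quorum minimum (service 3) from getMValue output.

Added example for this page; not AWS code. Input is the text CMU prints for
getMValue, e.g. "MValue of service 3[USER_MGMT] on server 0 : [2]".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One getMValue output line per HSM node.
MVALUE_LINE = re.compile(
    r"^MValue of service (?P<service>\d+)\[(?P<name>\w+)\] "
    r"on server (?P<server>\d+) : \[(?P<value>\d+)\]$"
)

USER_MGMT = 3   # HSM user management by COs (createUser, deleteUser, changePswd)
MISC_CO = 4     # miscellaneous CO service; setMValue is quorum-controlled here
QUORUM_MIN, QUORUM_MAX = 2, 8   # allowed range for a quorum minimum value

# Constructed getMValue output mirroring the page's before-change state.
SAMPLE_BEFORE = """\
aws-cloudhsm > getMValue 3
MValue of service 3[USER_MGMT] on server 0 : [2]
MValue of service 3[USER_MGMT] on server 1 : [2]
aws-cloudhsm > getMValue 4
MValue of service 4[MISC_CO] on server 0 : [1]
MValue of service 4[MISC_CO] on server 1 : [1]
"""

# Constructed output where a setMValue 4 2 landed on only one node.
SAMPLE_SPLIT = """\
MValue of service 4[MISC_CO] on server 0 : [2]
MValue of service 4[MISC_CO] on server 1 : [1]
"""


def parse_mvalues(output: str) -> Dict[int, Dict[int, int]]:
    """Map {service: {server: mvalue}} from pasted getMValue output."""
    result: Dict[int, Dict[int, int]] = {}
    for line in output.splitlines():
        m = MVALUE_LINE.match(line.strip())
        if m:
            result.setdefault(int(m["service"]), {})[int(m["server"])] = int(m["value"])
    return result


def consistent_value(service: int, per_server: Dict[int, int]) -> int:
    """Return the single value every node reports for `service`, or raise."""
    if not per_server:
        raise ValueError(f"no MValue lines for service {service}")
    values = set(per_server.values())
    if len(values) != 1:
        # AWS does not synchronize setMValue across nodes; repair this first.
        raise ValueError(f"service {service} differs across nodes: {per_server}")
    return values.pop()


@dataclass
class Plan:
    user_mgmt: int                  # current service 3 minimum
    misc_co: int                    # current service 4 minimum
    raise_misc_co_to: Optional[int] # value to set on service 4 first, if any
    approvals_required: int         # CO approvals needed on the service 4 token (0 = none)
    steps: List[str] = field(default_factory=list)


def plan_change(getmvalue_output: str, new_user_mgmt: int) -> Plan:
    """Derive the ordered CMU steps to move service 3 to `new_user_mgmt`."""
    if not QUORUM_MIN <= new_user_mgmt <= QUORUM_MAX:
        raise ValueError(f"quorum minimum must be {QUORUM_MIN}..{QUORUM_MAX}")
    parsed = parse_mvalues(getmvalue_output)
    s3 = consistent_value(USER_MGMT, parsed.get(USER_MGMT, {}))
    s4 = consistent_value(MISC_CO, parsed.get(MISC_CO, {}))

    steps: List[str] = []
    raise_to: Optional[int] = None
    if s4 < s3:
        # Page rule: service 4 must be at least service 3 before a token for
        # setMValue can be obtained. While s4 == 1 this setMValue needs no quorum.
        raise_to = s3
        steps.append(f"setMValue {MISC_CO} {raise_to}")
    effective_s4 = raise_to if raise_to is not None else s4

    approvals = effective_s4 if effective_s4 > 1 else 0
    if approvals:
        steps += [
            f"get a quorum token for service {MISC_CO}",
            f"collect {approvals} CO approvals (signatures) on the token",
            "approve the token on the HSM",
        ]
    steps.append(f"setMValue {USER_MGMT} {new_user_mgmt}")
    return Plan(s3, s4, raise_to, approvals, steps)


if __name__ == "__main__":
    for step in plan_change(SAMPLE_BEFORE, 3).steps:
        print(step)
```

Run against the constructed before-change output with a target of three for service 3, the plan is: `setMValue 4 2`, obtain a service 4 token, collect two approvals, approve it, then `setMValue 3 3`. Note that the page's rule only lifts service 4 to the *current* service 3 value; if you raise service 3 above that, consider lifting service 4 to the new value as well so that future changes to service 3 require as many approvers as service 3 itself does.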