awscli

echo -n 'Private IPv4 Address: ' && ifconfig enX0 | grep -i mask | awk '{print $2}'| cut -f2 -d: && \

echo -n 'Public IPv4 Address: ' && curl checkip.amazonaws.com

RESULT : 

Private IPv4 Address: 10.0.154.22

Public IPv4 Address: 107.22.111.35

Set up CLI for AWS 

Setup CLI behind proxy

When machines are behind firewall and a corporate proxy 

to work around this set up 2 env variables in your windows/System Properties/Advanced tab - Environment Variable 

HTTP_PROXY=http://<uid>:<pwd>@proxyhost:port

HTTPS_PROXY=http://<uid>:<pwd>@proxyhost:port

example 

HTTP_PROXY=http://ameenasif:password1@192.168.104.200:8080

SSL Certificate validation issue 

The certificate validations failed which happens in cli execution , to work around this 

we have to append --no-verify-ssl at the end of command 

aws s3 sync C:\amroot\txt\ s3://bucketname/projects/somedir/ --profile hac --no-verify-ssl 

Size of s3 Buckets       

This will loop over each item in the bucket, and print out the total number of objects and total size at the end. If you’d like to not have your terminal flooded with every filename in your bucket, you can pass the output to tail:                                                                             

aws s3 ls s3://bucketname --recursive --human-readable --summarize | tail -2     

Total Objects: 913959                                                                                            

   Total Size: 61.3 GiB                                                                                          

aws s3 ls s3://bucket --recursive --human-readable --summarize

aws s3 sync . s3://www.gausiaacademy.org --exclude "._*" --exclude "*/._*" --exclude ".DS_Store" --exclude "*/.DS_Store"  --delete

List All files 

[Amin $]> aws s3 ls s3://effdata/effmsg/zips/ 

2021-05-21 22:35:19     529069 EI-133-2021-03-30-DUB-BOS-10.zip

2021-05-21 23:28:22     529069 EI-133-2021-03-30-DUB-BOS-11.zip

2021-05-24 10:47:24     529069 EI-133-2021-03-30-DUB-BOS-13.zip

2021-08-26 15:52:40     529069 EI-133-2021-03-30-DUB-BOS-14.zip

2021-05-21 19:29:45    1694167 EI-133-2021-03-30-DUB-BOS-3.zip

List all files Starting with EI-177

[Amin $]> aws s3 ls s3://effdata/effmsg/zips/ | grep "EI-177"

2021-09-02 12:27:08     529069 EI-177-2021-03-30-DUB-BOS-1.zip

2021-09-02 12:27:19     529069 EI-177-2021-03-30-DUB-BOS-2.zip

2021-09-02 12:27:33     529069 EI-177-2021-03-30-DUB-BOS-3.zip

List all files starting with EI-133 and ends with -10.zip
Note the . is important 

[Amin $]> aws s3 ls s3://effdata/effmsg/zips/ | grep "EI-133.*-10.zip"

2021-05-21 22:35:19     529069 EI-133-2021-03-30-DUB-BOS-10.zip

Suppress Python warnings 

this might give warnings in outputs, that seems annoying to me at least , to suppress it 

add env variable 

PYTHONWARNINGS=ignore

I want requests from AWS IP addresses to be able to access my Amazon Simple Storage Service (Amazon S3) bucket. How can I find the AWS IP addresses that I should grant access to? How can I grant access to those IP addresses?

Find the AWS IP addresses

Filter the JSON file of AWS IP address ranges for the specific addresses that you want to grant access to. For example, to find IPv4 addresses for Amazon Elastic Compute Cloud (Amazon EC2) in the US East (N. Virginia) Region, you can run this jq command to parse the file:

jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json

The command returns a response similar to the following:

"18.208.0.0/13"

"52.95.245.0/24"

"54.196.0.0/15"

"216.182.224.0/21"

User Data  use IMDSv2 example  

#!/bin/bash

/sbin/chkconfig --levels 235 httpd on

service httpd start

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

aws_instance=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)

aws_itype=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-type)

aws_ipv4=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4)

aws_pubip=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)

aws_amiid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/ami-id)

region=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')

echo "<!doctype html>

<html lang=\"en\">

  <head>

    <title>Instance Info</title>

  </head>

  <body>

    <h1>$aws_instance running in $region</h1>

     <h2> Instance Type : $aws_itype</h2>

     <h2> Local ip : $aws_ipv4</h2>

     <h2> Public ip : $aws_pubip</h2>

     <h2> AMI ID : $aws_amiid</h2>

  </body>

</html>" | sudo tee /var/www/html/index.html

aws ec2 create-tags --resources "$aws_instance" --tags Key=Name,Value="PROD-$aws_instance" --region "$region"







aws ec2 run-instances --launch-template LaunchTemplateId=lt-036a1cfbc4ac1eb53,Version=$Latest 

aws ec2 run-instances --launch-template LaunchTemplateId=lt-036a1cfbc4ac1eb53,Version=$Latest  --instance-type t




4



.micro

aws ec2 run-instances --launch-template LaunchTemplateId=lt-036a1cfbc4ac1eb53,Version=$Latest --network-interfaces SubnetId=<new-subnet-id>,DeviceIndex=0

Pvsnet AZ1- subnet-0d384a555aa828127

pvent AZ3 - subnet-0bbf65cebdd9814f7

pvnet AZ2 - subnet-0a9d07fd1d279e5e0

aws elasticbeanstalk describe-environments --environment-names company --profile qaenv

aws elasticbeanstalk describe-configuration-settings --environment-name company --application-name emsapps --profile qaenv

aws elasticbeanstalk delete-application-version --version-label config-server.jar --application-name ems-shared-app --region eu-west-1 --profile devenv

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" | head -1

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" -m1

aws s3 cp s3://dev-ems-root s3://dev-ems-root --recursive --profile devenv

aws elb describe-load-balancers --region eu-west-1  --profile qaenv |grep "DNSName"

nslookup loadbalancer int dns name

---------------------------------------    Setup MFA and CLI

File name : config 

location :<user>/.aws/config

[profile devenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile qaenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile prodenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/ReadOnly

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

File name : configcredentials 

location : <user>/.aws/configcredentials  

[AWS-ES]

aws_access_key_id=AKIAIKHKJHD123456789

aws_secret_access_key=aZHsxLaMkNQODiftRqmYLuc+cQwEaZV123456789

[default]

aws_access_key_id = AKIAIKHKJHD123456789

USAGE : 

aws ec2 desribe-security-groups --profile devenv

this will prompt for MFA Token , i use google authenticator  

Last login: Mon Mar 11 19:19:58 on ttys000

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:iam::acc_id:user/ammacbookpro is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:acc_id:parameter/Mule4SecretKey

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:acc_id:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:acc_id:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

{

    "Parameter": {

        "Name": "Mule4SecretKey",

        "Type": "SecureString",

        "Value": "Amin",

        "Version": 1,

        "LastModifiedDate": 1549568337.722,

        "ARN": "arn:aws:ssm:eu-west-1:acc_id:parameter/Mule4SecretKey"

    }

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value

"Amin"

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value --output=text

Amin

KMS Grant CLI  commands 

#Create a new key and make a note of the region you are working in 

aws kms create-key

#Test encrypting plain text using my new key: 

aws kms encrypt --plaintext "hello" --key-id <key_arn>

#Create a new user called Dave and generate access key / secret access key

aws iam create-user --user-name dave

aws iam create-access-key --user-name dave

#Run aws configure using Dave's credentials creating a CLI profile for him

aws configure --profile dave

aws kms encrypt --plaintext "hello" --key-id <key_arn> --profile dave

#Create a grant for user called Dave

aws iam get-user --user-name dave

aws kms create-grant --key-id <key_arn> --grantee-principal <Dave's_arn> --operations "Encrypt"

#Encrypt plain text as user Dave: 

aws kms encrypt --plaintext "hello" --key-id <key_arn> --grant-tokens <grant_token_from_previous_command> --profile dave

#Revoke the grant:

aws kms list-grants --key-id <key_arn>

aws kms revoke-grant --key-id <key_arn> --grant-id <grant_id>

#Check that the revoke was successful:

aws kms encrypt --plaintext "hello" --key-id <key_arn> --profile dave

https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html

query infrastructure

aws ec2 describe-vpcs --vpc-ids vpc-a01106c2

aws ec2 describe-instances --filters "Name=tag-value,Values=mytagavalue" "Name=network-interface.addresses.private-ip-address,Values=10.*" --query 'Reservations[*].Instances[*].{InstanceId:InstanceId,PrivateDnsName:PrivateDnsName,State:State.Name, IP:NetworkInterfaces[0].PrivateIpAddress}'

• shell script example with aws cli to get and decrypt password from SSM *
  
  

password=$(aws ssm get-parameters --region us-east-1 --names MySecureSQLPassword --with-decryption --query Parameters[0].Value) 

--------------------------

aws elasticbeanstalk delete-application-version --version-label config-server.jar --application-name ems-shared-app --region eu-west-1 --profile devenv

aws elasticbeanstalk describe-application-versions --application-name ems-shared-app --region eu-west-1 --profile devenv

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" | head -1

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" -m1

aws s3 cp s3://dev-ems-root s3://dev-ems-root --recursive --profile devenv

aws s3 sync . s3://dev-ems-root --profile devenv

aws s3 sync ./ s3://devops-cloudformation-scripts --profile devenv

aws elb describe-load-balancers --region eu-west-1  --profile qaenv |grep "DNSName"

nslookup internal-awseb-e-t-AWSEBLoa-D4SW9O04703V-1166243352.eu-west-1.elb.amazonaws.com

---------------------------------------    Setup MFA and CLI

File name : config 

location :<user>/.aws/config

[profile devenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile qaenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile prodenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/ReadOnly

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

File name : configcredentials 

location : <user>/.aws/configcredentials  

[AWS-ES]

aws_access_key_id=AKIAIKHKJHD123456789

aws_secret_access_key=aZHsxLaMkNQODiftRqmYLuc+cQwEaZV123456789

[default]

aws_access_key_id = AKIAIKHKJHD123456789

USAGE : 

aws ec2 desribe-security-groups --profile devenv

this will prompt for MFA Token , i use google authenticator  

Last login: Mon Mar 11 19:19:58 on ttys000

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:iam::213855317842:user/ammacbookpro is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:213855317842:parameter/Mule4SecretKey

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

{

    "Parameter": {

        "Name": "Mule4SecretKey",

        "Type": "SecureString",

        "Value": "Amin",

        "Version": 1,

        "LastModifiedDate": 1549568337.722,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/Mule4SecretKey"

    }

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value

"Amin"

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value --output=text

Amin

change vol type, size ,iops

aws ec2 modify-volume --volume-id --size 5000 --volume-type io1 --iops 32000

Can extend filesystem

aws elasticbeanstalk describe-environments --environment-names company --profile qaenv

aws elasticbeanstalk describe-configuration-settings --environment-name company --application-name emsapps --profile qaenv

  aws elasticbeanstalk describe-environment-resources --environment-name company --profile qaenv

aws ec2 describe-instances --instance-ids i-0e60540b5c42d2cfe --profile qaenv

aws elasticbeanstalk delete-application-version --version-label config-server.jar --application-name ems-shared-app --region eu-west-1 --profile devenv

aws elasticbeanstalk describe-application-versions --application-name ems-shared-app --region eu-west-1 --profile devenv

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" | head -1

aws elasticbeanstalk list-available-solution-stacks --region eu-west-1 --profile devenv | grep  "64bit.*Linux.*running Java 8" -m1

aws s3 cp s3://dev-ems-root s3://dev-ems-root --recursive --profile devenv

aws s3 sync . s3://dev-ems-root --profile devenv

aws s3 sync ./ s3://devops-cloudformation-scripts --profile devenv

aws elb describe-load-balancers --region eu-west-1  --profile qaenv |grep "DNSName"

nslookup internal-awseb-e-t-AWSEBLoa-D4SW9O04703V-1166243352.eu-west-1.elb.amazonaws.com

---------------------------------------    Setup MFA and CLI

File name : config 

location :<user>/.aws/config

[profile devenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile qaenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/Developer

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

[profile prodenv]

role_arn = arn:aws:iam::<ACCOUNTNumber>:role/ReadOnly

source_profile = AWS-ES

mfa_serial=arn:aws:iam::<ACCOUNTNumber>:mfa/asifm

region = eu-west-1

File name : configcredentials 

location : <user>/.aws/configcredentials  

[AWS-ES]

aws_access_key_id=AKIAIKHKJHD123456789

aws_secret_access_key=aZHsxLaMkNQODiftRqmYLuc+cQwEaZV123456789

[default]

aws_access_key_id = AKIAIKHKJHD123456789

USAGE : 

aws ec2 desribe-security-groups --profile devenv

this will prompt for MFA Token , i use google authenticator  

Last login: Mon Mar 11 19:19:58 on ttys000

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:iam::213855317842:user/ammacbookpro is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:213855317842:parameter/Mule4SecretKey

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name AMIID

{

    "Parameter": {

        "Name": "AMIID",

        "Type": "String",

        "Value": "ami-06d9f12181bd0f7eb",

        "Version": 1,

        "LastModifiedDate": 1549568206.71,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/AMIID"

    }

}

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption

{

    "Parameter": {

        "Name": "Mule4SecretKey",

        "Type": "SecureString",

        "Value": "Amin",

        "Version": 1,

        "LastModifiedDate": 1549568337.722,

        "ARN": "arn:aws:ssm:eu-west-1:213855317842:parameter/Mule4SecretKey"

    }

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value

"Amin"

ameen >aws ssm get-parameter --name Mule4SecretKey --with-decryption --query Parameter.Value --output=text

Amin

Query infrastructure

aws ec2 describe-vpcs --vpc-ids vpc-a01106c2

aws ec2 describe-instances --filters "Name=tag-value,Values=mytagavalue" "Name=network-interface.addresses.private-ip-address,Values=10.*" --query 'Reservations[*].Instances[*].{InstanceId:InstanceId,PrivateDnsName:PrivateDnsName,State:State.Name, IP:NetworkInterfaces[0].PrivateIpAddress}'

--------------------------

list all vpcs 

aws ec2 describe-vpcs --query 'Vpcs[*].[CidrBlock,VpcId]' --output=text

subnet details

aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-6df57509" --query 'Subnets[*].[SubnetId,CidrBlock,AvailableIpAddressCount,AvailabilityZone]' --output=text

all ips inside a subnet

aws ec2 describe-network-interfaces --filters "Name=subnet-id,Values=subnet-b2492bd6" --query 'NetworkInterfaces[*].PrivateIpAddress' --output=text

ipaddress details 

aws ec2 describe-instances --filters "Name=private-ip-address,Values=ip1,ip2,ip3" --query 'Reservations[*].Instances[*].[InstanceId,ImageId,Tags[?Key==`Application`].Value]' --output=text

aws elbv2 describe-load-balancers

aws elasticbeanstalk describe-environments --environment-names company --profile qaenv

aws elasticbeanstalk describe-applications --profile qaenv

aws elasticbeanstalk describe-configuration-settings --environment-name company --application-name emsapps --profile qaenv

  aws elasticbeanstalk describe-environment-resources --environment-name company --profile qaenv

aws ec2 describe-instances --instance-ids i-0e60540b5c42d2cfe --profile qaenv

change vol type, size ,iops

aws ec2 modify-volume --volume-id --size 5000 --volume-type io1 --iops 32000

##monitor volume

aws ec2 describe-volumes-modification --volume-id <>

Note you can can extend filesystem 

## attach volume 

aws ec2  attach-volume --instance-id <> --volume-id <> --device /dev/xvdf 

## create snapshot 

aws ec2 create-snapshot --volume-id <> -- tag-specifications ' ResourceType=snapshot,Tags=[{ key=CostCentre,Value=115} , {key=IsProd, Value=Yes}  ] '

## vverify workload I/O patterns , (perfmon for windows )

iostat -xm

You can retrieve termination-time as follows. 

if curl -s http://169.254.169.254/latest/meta-data/spot/termination-time | grep -q .*T.*Z; then echo terminated; fi

output example : 2015-01-05T18:02:00Z

KMS  Grants

https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html

#Create a new key and make a note of the region you are working in 

aws kms create-key

#Test encrypting plain text using my new key: 

aws kms encrypt --plaintext "hello" --key-id <key_arn>

#Create a new user called Dave and generate access key / secret access key

aws iam create-user --user-name dave

aws iam create-access-key --user-name dave

#Run aws configure using Dave's credentials creating a CLI profile for him

aws configure --profile dave

aws kms encrypt --plaintext "hello" --key-id <key_arn> --profile dave

#Create a grant for user called Dave

aws iam get-user --user-name dave

aws kms create-grant --key-id <key_arn> --grantee-principal <Dave's_arn> --operations "Encrypt"

#Encrypt plain text as user Dave: 

aws kms encrypt --plaintext "hello" --key-id <key_arn> --grant-tokens <grant_token_from_previous_command> --profile dave

#Revoke the grant:

aws kms list-grants --key-id <key_arn>

aws kms revoke-grant --key-id <key_arn> --grant-id <grant_id>

#Check that the revoke was successful:

aws kms encrypt --plaintext "hello" --key-id <key_arn> --profile dave

https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html

HSM Cluster

openssl genrsa -aes256 -out customerCA.key 2048

openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt

nano <cluster_id>_ClusterCsr.csr

openssl x509 -req -days 3652 -in <cluster_id>_ClusterCsr.csr \

                              -CA customerCA.crt \

                              -CAkey customerCA.key \

                              -CAcreateserial \

                              -out <cluster_id>_CustomerHsmCertificate.crt

wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-client-latest.el7.x86_64.rpm

sudo yum install -y ./cloudhsm-client-latest.el7.x86_64.rpm

cp customerCA.crt /opt/cloudhsm/etc/customerCA.crt

sudo /opt/cloudhsm/bin/configure -a <cluster_IP>

/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg

enable_e2e

listUsers

loginHSM PRECO admin password

changePswd PRECO admin <NewPassword>

listUsers

logoutHSM

loginHSM CO admin acloudguru

createUser CU ryan acloudguru

listUsers

logoutHSM

quit

sudo service cloudhsm-client start

/opt/cloudhsm/bin/key_mgmt_util

loginHSM -u CU -s ryan -p acloudguru

genSymKey -t 31 -s 32 -l aes256

genRSAKeyPair -m 2048 -e 65537 -l rsa2048

genSymKey -t 31 -s 16 -sess -l export-wrapping-key

exSymKey -k <symmetric_key> -out aes256.key.exp -w <wrapping_key>

exportPrivateKey -k <private_key> -out rsa2048.key.exp -w <wrapping_key>

exportPubKey -k 22 -out rsa2048.pub.exp

logoutHSM

exit