For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Using AWS CloudHSM with F5 BIG-IP

A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. HSM devices are sold by many vendors for installatio...
Published Jul 22, 2025
Version 1.0
aws
cloud
hsm
Doug_Gallarda's avatar
Doug_Gallarda
Icon for Employee rankEmployee
Jul 31, 2025

You can migrate from SDK 3 to SDK 5 with an existing HSM1 cluster. The customerCA.crt file should already be on your BIG-IP with SDK 3 and can be reused with SDK 5. Here are the migration steps:

 

1) Save a copy of the existing customerCA.crt file, get the IP address of the existing CloudHSM cluster, and stop the SDK 3 client daemon.

cp /opt/cloudhsm/etc/customerCA.crt .
grep hostname /opt/cloudhsm/etc/cloudhsm_client.cfg
service cloudhsm-client stop`

 

2) Determine the names of the SDK 3 RPMs and uninstall (erase) them.

rpm -qa | grep cloudhsm
rpm -ev cloudhsm-client-pkcs11-3.4.4-1.el7.x86_64
rpm -ev cloudhsm-client-3.4.4-1.el7.x86_64

 

3) Download and install CloudHSM SDK 5.

curl -O https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-pkcs11-latest.el7.x86_64.rpm
rpm -ivh cloudhsm-pkcs11-latest.el7.x86_64.rpm

 

4) Copy customerCA.crt back where it belongs and configure SDK 5 with the IP address of the existing CloudHSM cluster.

cp customerCA.crt /opt/cloudhsm/etc
/opt/cloudhsm/bin/configure-pkcs11 -a <HSM Cluster IP>