Using AWS CloudHSM with F5 BIG-IP
A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. HSM devices are sold by many vendors for installatio...
Published Jul 22, 2025
Version 1.0
Doug_Gallarda
Employee
Joined December 13, 2019
Doug_Gallarda
Employee
Jul 31, 2025
You can migrate from SDK 3 to SDK 5 with an existing HSM1 cluster. The customerCA.crt file should already be on your BIG-IP with SDK 3 and can be reused with SDK 5. Here are the migration steps:
1) Save a copy of the existing customerCA.crt file, get the IP address of the existing CloudHSM cluster, and stop the SDK 3 client daemon.
cp /opt/cloudhsm/etc/customerCA.crt .
grep hostname /opt/cloudhsm/etc/cloudhsm_client.cfg
service cloudhsm-client stop
2) Determine the names of the SDK 3 RPMs and uninstall (erase) them.
rpm -qa | grep cloudhsm
rpm -ev cloudhsm-client-pkcs11-3.4.4-1.el7.x86_64
rpm -ev cloudhsm-client-3.4.4-1.el7.x86_64
3) Download and install CloudHSM SDK 5.
curl -O https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-pkcs11-latest.el7.x86_64.rpm
rpm -ivh cloudhsm-pkcs11-latest.el7.x86_64.rpm
4) Copy customerCA.crt back where it belongs and configure SDK 5 with the IP address of the existing CloudHSM cluster.
cp customerCA.crt /opt/cloudhsm/etc
/opt/cloudhsm/bin/configure-pkcs11 -a <HSM Cluster IP>
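
A pre-flight check for the gap between steps 1 and 2 above, as an added example that is not part of the original comment and is not F5 or AWS tooling: it confirms the saved customerCA.crt is an intact copy and that a cluster IP was captured before the SDK 3 packages are erased. The function names, the sample config layout and the PEM header check are assumptions.

```shell
#!/bin/sh
# Added example: checks to run after step 1 and before step 2 erases SDK 3.
# Function names and sample data are constructed; they are not F5 or AWS tooling.

# Print the first IPv4 address on a "hostname" line of the SDK 3 client config.
extract_hsm_ip() {
    cfg=$1
    ip=$(grep hostname "$cfg" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    [ -n "$ip" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets (function-local positional params)
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Succeed only if the saved copy is non-empty, byte-identical to the original,
# and contains a PEM certificate header (assumes customerCA.crt is PEM).
verify_backup() {
    [ -s "$2" ] || return 1
    cmp -s "$1" "$2" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$2"
}

# Gate for step 2: prints the cluster IP to reuse in step 4, or fails.
preflight() {
    verify_backup "$1/customerCA.crt" "$2" || { echo "backup check failed" >&2; return 1; }
    extract_hsm_ip "$1/cloudhsm_client.cfg" || { echo "no cluster IP found" >&2; return 1; }
}

# Constructed sample files standing in for /opt/cloudhsm/etc (not real data).
make_sample() {
    mkdir -p "$1"
    printf '{ "server": {\n  "hostname": "10.0.2.15",\n  "port": 2223 } }\n' \
        > "$1/cloudhsm_client.cfg"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/customerCA.crt"
}
```

After sourcing the functions on the BIG-IP, `preflight /opt/cloudhsm/etc ./customerCA.crt` prints the IP to pass to configure-pkcs11 in step 4, and a non-zero exit means step 2 should not be run yet.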