# Multiple slot configuration with PKCS \$111 library for AWS CloudHSM A single slot in Client SDK 5 PKCS \$111 library represents a single connection to a cluster in AWS CloudHSM. With Client SDK 5, you can configure your PKCS11 library to allow multiple slots to connect users to multiple CloudHSM clusters from a single PKCS\$111 application. Use the instructions in this topic to make your application use multi-slot functionality to connect with multiple clusters. **Topics** + [Multi-slot prerequisites for PKCS \$111 library for AWS CloudHSM](#pkcs11-multi-slot-prereqs) + [Configure the PKCS \$111 library for multi-slot functionality for AWS CloudHSM](pkcs11-multi-slot-config-run.md) + [Add a cluster with multi-slot functionality for AWS CloudHSM](pkcs11-multi-slot-add-cluster.md) + [Remove a cluster with multi-slot functionality for AWS CloudHSM](pkcs11-multi-slot-remove-cluster.md) ## Multi-slot prerequisites for PKCS \$111 library for AWS CloudHSM Before configuring for multiple slots for PKCS \$111 library for AWS CloudHSM, complete the following prerequisites. + Two or more AWS CloudHSM clusters to which you’d like to connect to, along with their cluster certificates. + An EC2 instance with Security Groups correctly configured to connect to all of the clusters above. For more information about how to set up a cluster and the client instance, refer to [Getting started with AWS CloudHSM](getting-started.md). + To set up multi-slot functionality, you must have already downloaded and installed the PKCS \$111 library. If you have not already done this, refer to the instructions in [Install the PKCS \$111 library for AWS CloudHSM Client SDK 5](pkcs11-library-install.md). # Configure the PKCS \$111 library for multi-slot functionality for AWS CloudHSM To configure your PKCS \$111 library for multi-slot functionality for AWS CloudHSM, follow these steps: 1. Identify the clusters you want to connect to using multi-slot functionality. 1. Add these clusters to your PKCS \$111 configuration by following the instructions in [Add a cluster with multi-slot functionality for AWS CloudHSM](pkcs11-multi-slot-add-cluster.md) 1. The next time your PKCS\$111 application runs, it will have multi-slot functionality. # Add a cluster with multi-slot functionality for AWS CloudHSM When [connecting to multiple slots with PKCS \$111](pkcs11-library-configs-multi-slot.md) for AWS CloudHSM, use the **configure-pkcs11 add-cluster** command to add a cluster to your configuration. ## Syntax ``` configure-pkcs11 add-cluster [OPTIONS] --cluster-id [--region ] [--endpoint ] [--hsm-ca-cert ] [--client-cert-hsm-tls-file ] [--client-key-hsm-tls-file ] [-h, --help] ``` ## Examples ### Add a cluster using the `cluster-id` parameter **Example** Use the **configure-pkcs11 add-cluster** along with the `cluster-id` parameter to add a cluster (with the ID of `cluster-1234567`) to your configuration. ``` $ sudo /opt/cloudhsm/bin/configure-pkcs11 add-cluster --cluster-id ``` ``` PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" add-cluster --cluster-id ``` **Tip** If using **configure-pkcs11 add-cluster** with the `cluster-id` parameter doesn't result in the cluster being added, refer to the following example for a longer version of this command that also requires `--region` and `--endpoint` parameters to identify the cluster being added. If, for example, the region of the cluster is different than the one configured as your AWS CLI default, you should use the `--region` parameter to use the correct region. Additionally, you have the ability to specify the AWS CloudHSM API endpoint to use for the call, which may be necessary for various network setups, such as using VPC interface endpoints that don’t use the default DNS hostname for AWS CloudHSM. ### Add a cluster using `cluster-id`, `endpoint`, and `region` parameters **Example** Use the **configure-pkcs11 add-cluster** along with the `cluster-id`, `endpoint`, and `region` parameters to add a cluster (with the ID of `cluster-1234567`) to your configuration. ``` $ sudo /opt/cloudhsm/bin/configure-pkcs11 add-cluster --cluster-id --region --endpoint ``` ``` PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" add-cluster --cluster-id --region --endpoint ``` For more information about the `--cluster-id`, `--region`, and `--endpoint` parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md). ## Parameters **--cluster-id **** Makes a `DescribeClusters` call to find all of the HSM elastic network interface (ENI) IP addresses in the cluster associated with the cluster ID. The system adds the ENI IP addresses to the AWS CloudHSM configuration files. If you use the `--cluster-id` parameter from an EC2 instance within a VPC that does not have access to the public internet, then you must create an interface VPC endpoint to connect with AWS CloudHSM. For more information about VPC endpoints, see [AWS CloudHSM and VPC endpoints](cloudhsm-vpc-endpoint.md). Required: Yes **--endpoint **** Specify the AWS CloudHSM API endpoint used for making the `DescribeClusters` call. You must set this option in combination with `--cluster-id`. Required: No **--hsm-ca-cert **** Specifies the filepath to the HSM CA certificate. Required: No **--region **** Specify the region of your cluster. You must set this option in combination with `--cluster-id`. If you don’t supply the `--region` parameter, the system chooses the region by attempting to read the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variables. If those variables aren’t set, then the system checks the region associated with your profile in your AWS config file (typically `~/.aws/config`) unless you specified a different file in the `AWS_CONFIG_FILE` environment variable. If none of the above are set, the system defaults to the `us-east-1` region. Required: No **--client-cert-hsm-tls-file **** Path to the client certificate used for TLS client-HSM mutual authentication. Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-key-hsm-tls-file`. Required: No **--client-key-hsm-tls-file **** Path to the client key used for TLS client-HSM mutual authentication. Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-cert-hsm-tls-file`. Required: No # Remove a cluster with multi-slot functionality for AWS CloudHSM When [connecting to multiple slots with PKCS\$111](pkcs11-library-configs-multi-slot.md), use the **configure-pkcs11 remove-cluster** command to remove a cluster from available PKCS \$111 slots. ## Syntax ``` configure-pkcs11 remove-cluster [OPTIONS] --cluster-id [-h, --help] ``` ## Examples ### Remove a cluster using the `cluster-id` parameter **Example** Use the **configure-pkcs11 remove-cluster** along with the `cluster-id` parameter to remove a cluster (with the ID of `cluster-1234567`) from your configuration. ``` $ sudo /opt/cloudhsm/bin/configure-pkcs11 remove-cluster --cluster-id ``` ``` PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-pkcs11.exe" remove-cluster --cluster-id ``` For more information about the `--cluster-id` parameter, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md). ## Parameter **--cluster-id **** The ID of the cluster to remove from the configuration Required: Yes