In AWS CloudHSM we are currently forced to generate keys using clientToolBox only, because key generation from the GUI does not work.
This is because on Cavium, CKA_ID/CKA_LABEL cannot be set after key generation, and since the GUI is a long-running process we cannot customize the attributes file for each key generation. The result is that generated keys can be used within the session (because Sun P11 maps them on generation), but after a restart it will all be gone because there is no mapping between the certificate and the private key.
The quick solution for customers, to avoid them getting into some real trouble, is to disable the "generate key" button on crypto tokens in the GUI.
Whether this button is enabled or disabled should be configured per driver, as drivers are configured in web.properties.