Troubleshooting

(-8973) Could not connect to the Entrust Certificate Authority service. Certificate Authority service may not be running

The Entrust service is not running in the Entrust Authority Master Control shell (entsh$).

Resolution:

  1. Open the Master Control shell (entsh$).

  2. Log in with Master1.

  3. Run Service Start.

./config_authority.sh fails to detect the PKCS11 library

The script checks that libcknfast.so has execute permission and fails when it does not.

Resolution:

  1. Give execute permissions to /opt/nfast/toolkits/pkcs11/libcknfast.so:

    % chmod +x /opt/nfast/toolkits/pkcs11/libcknfast.so

Error encountered querying CA hardware

When you are configuring Certificate Authority, you see the following message:

Are you using a hardware device for the CA keys (y/n) ? [n] y

Enter the pathname for the CryptokiLibrary.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >

Error encountered querying CA hardware.

Resolution:

  1. Make sure you have an OCS card in the HSM. If a card is already inserted, take it out and insert it again.

  2. After the card is in place, the script should be able to see the HSM.

(-77) Problem reported with crypto hardware

When initializing Entrust SM, you see the following message:

Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit

Resolution:

  1. Ensure the /opt/nfast/cknfastrc file is as defined in Configure the Entrust Certificate Authority.

Cannot initialize: Current Unix user does not have proper group membership to access Certificate Authority

When initializing Entrust SM, you see the following message:

Starting first time initialization...
!StartMgrProc(es): (1) Operation not permitted @ src/manager/mush/Mush.cpp.351
cannot initialize: Current Unix user does not have proper group membership to access Certificate Authority.
(1) Operation not permitted
Press return to exit

Resolution:

  1. Make sure the Master1 primary group is easm_entrust_pg:

    sudo usermod -g easm_entrust_pg Master1

HSM logs show missing algorithms errors that are not configured by Certificate Authority during startup

Certificate Authority performs a FIPS self-test. This includes many algorithms and functions beyond those explicitly configured to be used once operational. These tests are required by FIPS 140 conformance.

Resolution:

  1. Certificate Authority treats a report that an algorithm is unavailable during the self-test as informational only.

  2. HSM log errors raised by the FIPS self-tests do not stop Certificate Authority startup.

No Hardware Device Found

During the configuration of Certificate Authority, the message No Hardware Device Found appears every time, even if the correct library is selected.

Resolution:

  1. Make sure that entconfig.ini and entrust.ini both have the correct PKCS #11 library setting.

  2. Ensure that any HSM service is running.

(-2684) General hardware error

HSM Service is not available.

Resolution:

  1. Ensure that any HSM service is running and responding.
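The checks behind the libcknfast.so permission item, the group-membership item, and the "No Hardware Device Found" and (-2684) items above can be run by hand before configuring Certificate Authority. The following POSIX shell script is an added example and is not part of the Entrust or nShield software. It assumes that the entrust.ini and entconfig.ini locations are supplied by the caller, that those files reference the PKCS #11 library by its full path, and that a non-zero exit from the nShield enquiry utility means the hardserver is not responding.

```shell
#!/bin/sh
# Added pre-flight checks for the Certificate Authority / nShield setup errors
# described on this page. Not part of the Entrust or nShield software.
# Assumptions: ini file paths are passed by the caller; the ini files contain
# the library's full path; enquiry exiting non-zero means no hardserver.

# config_authority.sh requires the PKCS #11 library to be executable.
pkcs11_lib_ok() {
    [ -f "$1" ] && [ -x "$1" ]
}

# The Unix user initializing the CA needs easm_entrust_pg as its primary group.
primary_group_of() {
    id -gn "$1" 2>/dev/null
}

primary_group_is() {
    [ "$(primary_group_of "$1")" = "$2" ]
}

# "No Hardware Device Found": each ini file must name the selected library.
ini_has_lib() {
    grep -qF -- "$2" "$1" 2>/dev/null
}

# HSM service check. Assumption: a non-zero exit from enquiry means the
# hardserver is unreachable. Skipped (treated as ok) when enquiry is absent.
hsm_service_ok() {
    enq=${ENQUIRY:-/opt/nfast/bin/enquiry}
    [ -x "$enq" ] || { echo "skipped: $enq not found" >&2; return 0; }
    "$enq" >/dev/null 2>&1
}

# Run every check, print one line per finding, return the number of failures.
preflight() {
    lib=$1; user=$2; group=$3; shift 3
    fails=0
    if pkcs11_lib_ok "$lib"; then
        echo "ok   $lib is executable"
    else
        echo "FAIL $lib missing or not executable (chmod +x $lib)"; fails=$((fails+1))
    fi
    if primary_group_is "$user" "$group"; then
        echo "ok   $user primary group is $group"
    else
        echo "FAIL $user primary group is '$(primary_group_of "$user")', expected $group (usermod -g $group $user)"
        fails=$((fails+1))
    fi
    for ini in "$@"; do
        if ini_has_lib "$ini" "$lib"; then
            echo "ok   $ini references $lib"
        else
            echo "FAIL $ini does not reference $lib"; fails=$((fails+1))
        fi
    done
    if hsm_service_ok; then
        echo "ok   HSM service responding"
    else
        echo "FAIL HSM service not responding"; fails=$((fails+1))
    fi
    return "$fails"
}

# Usage: sh ca_preflight.sh LIB USER GROUP INI...  (runs only when arguments are given)
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

Invoke it as, for example, `sh ca_preflight.sh /opt/nfast/toolkits/pkcs11/libcknfast.so Master1 easm_entrust_pg <path to entrust.ini> <path to entconfig.ini>`; the exit status is the number of failed checks, so it can gate an automated install.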

Database backup failed during the Entrust Certificate Authority configuration

Another symptom is "walfile failed to appear". Refer to technote https://trustedcare.entrust.com/articles/en_US/Technote/DB-Backup-Fails.

Resolution:

  1. Edit the archive_command parameter in the following files as described in the technote:

    • /var/pgsql/easm_entrust_pg_data_11/postgresql.conf

    • /opt/entrust/easm_postgresql_11.7/etc/postgresql.conf

  2. Ensure the correct ownership of these files:

    # chown easm_entrust_pg:easm_entrust_pg /var/pgsql/easm_entrust_pg_data_11/postgresql.conf
    
    # chown easm_entrust_pg:easm_entrust_pg /opt/entrust/easm_postgresql_11.7/etc/postgresql.conf

Certificate Authority configuration fails

This procedure also applies when switching HSMs.

  1. Stop the Entrust Certificate Authority service.

    # sudo /opt/entrust/authority/bin/startstop.sh stop
    
    # sudo ps -ef | grep entsh
    ...
    Master1    75611       1  0 15:09 ?        00:00:36 entmon mon -sepsocket=3 -ashsocket=5 -cmpsocket=15 -xapsocket=17
    ...
    
    # sudo kill 75611

  2. Remove the older configuration data.

    # sudo rm -rf /opt/entrust/authdata

  3. Uninstall the PostgreSQL database.

    # sudo /root/postgres/SM_PostgreSQL_11_7_RH8_installer/uninstall_postgres.sh
    Uninstall log file is /tmp/pg_uninstall.log
    Checking current PostgreSQL database version...
    ...
    Uninstall-PostgreSQL: Completed successfully.

  4. Reinstall the PostgreSQL database as described in Install the Entrust Authority database. After reinstalling, make sure to delete all three users, their home directories, and the Entrust group before recreating them.

  5. Reinstall the Entrust Certificate Authority as described in Install the Entrust Certificate Authority.

  6. Configure the Entrust Certificate Authority as described in Configure the Entrust Certificate Authority.

nShield Edge Cluster Status

Ensure that the entMgr.ini file is as defined in nShield Edge pre-configuration.

The nShield Edge exhibits slower service startup times with respect to operations, which is to be expected. When checking the cluster status after initial set-up, you may encounter services with a "down" status or an "unknown" cluster status. To ensure proper initialization of the cluster and services, Entrust recommends allowing a few minutes for the system to complete the process. After sufficient time has passed, the services and cluster should display the correct status.

In some cases you will need to start the cluster manually. For example:

entsh$ cluster status
ca_wide_entry   disabled
localhost       enabled     quiescent **LOCAL**

entsh$ cluster start
Starting cluster...

entsh$ cluster status
ca_wide_entry   enabled
localhost       enabled     quiescent **LOCAL**

For more information regarding the cluster status, refer to Certificate Authority 10.0 Cluster Management Guide Issue 4.0, which is available on the Entrust TrustedCare Portal.
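Because the nShield Edge can take a few minutes before the cluster and services report the right status, the wait is easier to automate than to eyeball. The following POSIX shell script is an added example and is not part of the Entrust documentation. It parses listings in the format of the entsh session above (the sample listings are copied from it) and polls until every entry reports "enabled". How to run "cluster status" non-interactively is not shown on this page, so the command that prints the listing is passed in as a string (an assumption).

```shell
#!/bin/sh
# Added example, not part of the Entrust documentation: parse a "cluster
# status" listing like the one on this page and poll until every entry is
# "enabled". Assumption: the caller supplies the command that prints the
# listing, since the page does not show a non-interactive entsh invocation.

# Constructed sample listings, copied from the entsh session on this page.
SAMPLE_BEFORE='ca_wide_entry   disabled
localhost       enabled     quiescent **LOCAL**'
SAMPLE_AFTER='ca_wide_entry   enabled
localhost       enabled     quiescent **LOCAL**'

# Read a listing on stdin; succeed only when the state column (second field)
# of every row is "enabled". A quiescent flag is not treated as a failure,
# because the page's post-start listing still shows it for the local node.
cluster_status_ok() {
    awk 'NF >= 2 && $2 != "enabled" { bad++ } END { exit (bad > 0) ? 1 : 0 }'
}

# Read a listing on stdin; print the names of rows flagged quiescent.
cluster_quiescent_nodes() {
    awk 'NF >= 3 && $3 == "quiescent" { print $1 }'
}

# Poll until the listing is healthy.
#   $1 = command (string) that prints the listing
#   $2 = maximum attempts (default 12), $3 = seconds between attempts (default 10)
wait_for_cluster() {
    cmd=$1; tries=${2:-12}; delay=${3:-10}; n=0
    while [ "$n" -lt "$tries" ]; do
        if eval "$cmd" | cluster_status_ok; then
            q=$(eval "$cmd" | cluster_quiescent_nodes)
            [ -n "$q" ] && echo "note: quiescent: $q" >&2
            return 0
        fi
        n=$((n+1))
        [ "$n" -lt "$tries" ] && sleep "$delay"
    done
    echo "cluster not fully enabled after $tries attempts" >&2
    return 1
}

# Demo against the constructed samples (no entsh needed): returns 1 then 0.
demo() {
    wait_for_cluster "printf '%s\n' \"\$SAMPLE_BEFORE\"" 1 0 2>/dev/null
    echo "before: rc=$?"
    wait_for_cluster "printf '%s\n' \"\$SAMPLE_AFTER\"" 1 0 2>/dev/null
    echo "after:  rc=$?"
}
```

In a real deployment the command string would be whatever prints the entsh "cluster status" listing on your system; a default of 12 attempts 10 seconds apart covers the "few minutes" the page says the nShield Edge needs, and a non-zero return is the signal to run "cluster start" by hand.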