Troubleshooting
(-8973) Could not connect to the Entrust Certificate Authority service. Certificate Authority service may not be running
The Entrust service is not running in the Entrust Authority Master Control shell (entsh$).
Resolution:
- Open the Master Control shell (entsh$).
- Log in with Master1.
- Run Service Start.
Error encountered querying CA hardware
When you are configuring Certificate Authority, you see the following message:
Are you using a hardware device for the CA keys (y/n) ? [n] y
Enter the pathname for the CryptokiLibrary.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >
Error encountered querying CA hardware.
Resolution:
- Make sure you have an operator card set in the HSM.
- Once that is in place, the script should be able to see the HSM.
(-77) Problem reported with crypto hardware
When you are initializing Certificate Authority, you see the following message:
Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit
Resolution:
- Make sure that the following variable in the cknfastrc file is set to 1:
  CKNFAST_LOADSHARING=1
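One way to confirm the setting before re-running initialization, as an added example that is not part of the Entrust documentation: the script reports the effective CKNFAST_LOADSHARING value and does not count a commented-out line as set. It assumes the file holds NAME=value lines with # comment lines and that the last assignment of a name wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: the file holds NAME=value
# lines, '#' starts a comment line, and the last assignment of a name wins.

# Print the effective value of variable $2 in file $1 (empty if unset).
cknfast_get() {
    awk -v name="$2" '
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        /^[ \t]*#/ { next }           # a commented-out setting is not set
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) found = val
        }
        END { print found }
    ' "$1"
}

# Return 0 if load sharing is enabled, 1 if disabled or unset,
# 2 if the file cannot be read.
check_loadsharing() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    value=$(cknfast_get "$1" CKNFAST_LOADSHARING)
    if [ "$value" = "1" ]; then
        echo "OK: CKNFAST_LOADSHARING=1 in $1"
        return 0
    fi
    echo "FAIL: CKNFAST_LOADSHARING is '${value:-unset}' in $1, expected 1"
    return 1
}

# Constructed sample: the setting is present but commented out, so a plain
# grep for the variable name would wrongly pass.
sample=$(mktemp)
printf '%s\n' '# CKNFAST_LOADSHARING=1' 'CKNFAST_LOADSHARING=0' > "$sample"
check_loadsharing "$sample" || echo "(exit status $?)"
rm -f "$sample"
```

To check a real host, call check_loadsharing with the path of the cknfastrc file used by the account that runs Certificate Authority.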
(-2229) An error occurred. Check the service status and manager logs for details
This is a timeout issue.
Resolution:
- Log in to entsh$.
- Run service status.
- If the service is shown as down, start it by running service start.
If you are using an nShield Edge, see configure-certificate-authority.adoc#nshield-edge-preconfig.
HSM logs show errors for missing algorithms that are not configured by Certificate Authority during startup
Certificate Authority performs a FIPS Self-Test that exercises many algorithms and functions beyond those explicitly configured for use once operational. These tests are required for FIPS 140 conformance.
Resolution:
- If algorithms are not available during self-test, Certificate Authority treats this as informational only.
- FIPS Self-Test errors in the HSM log do NOT stop Certificate Authority startup.
No Hardware Device Found
During the configuration of Entrust Certificate Authority, the message "No Hardware Device Found" pops up every time, even if the right library is selected.
Resolution:
- Make sure the entconfig.ini and entrust.ini both have the correct PKCS#11 library setting.
- Ensure that any HSM service is running.
(-2684) General hardware error
HSM Service is not available.
Resolution: Ensure that any HSM service is running and responding.
nShield Edge Cluster Status
Ensure that the entMgr.ini file is as defined in configure-certificate-authority.adoc#nshield-edge-preconfig.
The nShield Edge exhibits slower service startup times with respect to operations, which is to be expected. When checking the cluster status after initial set-up, you may encounter services with a "down" status or an "unknown" cluster status. To ensure proper initialization of the cluster and services, Entrust recommends allowing a few minutes for the system to complete the process. After sufficient time has passed, the services and cluster should display the correct status.
In some cases you will need to start the cluster manually. For example:
entsh$ cluster status
ca_wide_entry disabled
localhost enabled quiescent **LOCAL**
entsh$ cluster start
Starting cluster...
entsh$ cluster status
ca_wide_entry enabled
localhost enabled quiescent **LOCAL**
For more information regarding the cluster status, refer to s 10.0 Cluster Management Guide Issue 4.0, which is available on the Entrust TrustedCare Portal.