Troubleshooting
The following are error messages that might appear during the procedures described in this guide.
(-8973) Could not connect to the Entrust Authority Security Manager service. Security Manager service may not be running
The Entrust service is not running in the Entrust Authority Master Control shell (entsh$).
Resolution:
- Open the Master Control shell (entsh$).
- Log in with Master1.
- Run Service Start.
Error encountered querying CA hardware
When you are configuring Security Manager, you see the following message:
Are you using a hardware device for the CA keys (y/n) ? [n] y
Enter the pathname for the CryptokiLibrary.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >
Error encountered querying CA hardware.
Resolution:
- Make sure you have an operator card set in the HSM.
- Once that is in place, the script should be able to see the HSM.
(-77) Problem reported with crypto hardware
When you are initializing Security Manager, you see the following message:
Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit
Resolution:
- Make sure that the following variable in the cknfastrc file is set to 1.
CKNFAST_LOADSHARING=1
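A pre-flight check for this setting, as an added example that is not part of the original guide. The function name check_loadsharing and the default path /opt/nfast/cknfastrc are assumptions, as is the file layout of one NAME=value per line with # comments. A commented-out or conflicting line is reported instead of being read as enabled.

```shell
#!/bin/sh
# Added example (not from the guide): verify CKNFAST_LOADSHARING=1 before
# initializing Security Manager.
# Usage: check_loadsharing [FILE]
# Assumption: FILE defaults to /opt/nfast/cknfastrc and holds one NAME=value
# per line, with "#" starting a comment.
# Returns 0 if every active assignment sets the variable to 1,
#         1 if any active assignment sets another value,
#         2 if the file is unreadable or has no active assignment.
check_loadsharing() {
    file="${1:-/opt/nfast/cknfastrc}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        /^[ \t]*CKNFAST_LOADSHARING=/ {
            v = $0
            sub(/^[^=]*=/, "", v)              # drop the name and "="
            sub(/[ \t\r]*(#.*)?$/, "", v)      # drop trailing space, CR, comment
            seen = 1
            if (v != "1") {
                bad = 1
                printf "line %d: CKNFAST_LOADSHARING=%s\n", NR, v
            }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    ' "$file"
}

# Constructed sample: the setting is present but commented out, so the
# check reports it as not enabled (return code 2).
demo=$(mktemp)
printf '# nShield PKCS#11 settings\n#CKNFAST_LOADSHARING=1\n' > "$demo"
check_loadsharing "$demo" || echo "load sharing not enabled (rc=$?)"
rm -f "$demo"
```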
(-2229) An error occurred. Check the service status and manager logs for details
This is a timeout issue.
Resolution:
- Log in to entsh$.
- Run service status.
- If the service is shown as down, start it by running service start.
If you are using an nShield Edge, see configure-security-manager.adoc#nshield-edge-preconfig.
HSM logs show errors during startup for missing algorithms that are not configured by Security Manager
Security Manager performs a FIPS self-test that exercises many algorithms and functions beyond those explicitly configured for use once operational. These tests are required for FIPS 140 conformance.
Resolution:
- Security Manager treats any algorithm that is not available during the self-test as informational only.
- HSM log errors from the FIPS self-tests do NOT stop Security Manager startup.
No Hardware Device Found
During the configuration of Entrust Security Manager, the message "No Hardware Device Found" pops up every time, even if the right library is selected.
Resolution:
- Make sure the entconfig.ini and entrust.ini files both have the correct PKCS#11 library setting.
- Ensure that any HSM service is running.
(-2684) General hardware error
HSM Service is not available.
Resolution: Ensure that any HSM service is running and responding.
nShield Edge Cluster Status
Ensure that the entMgr.ini file is as defined in configure-security-manager.adoc#nshield-edge-preconfig.
The nShield Edge exhibits slower service startup times with respect to operations, which is to be expected. When checking the cluster status after initial set-up, you may encounter services with a "down" status or an "unknown" cluster status. To ensure proper initialization of the cluster and services, Entrust recommends allowing a few minutes for the system to complete the process. After sufficient time has passed, the services and cluster should display the correct status.
In some cases you will need to start the cluster manually. For example:
entsh$ cluster status
ca_wide_entry disabled
localhost enabled quiescent **LOCAL**
entsh$ cluster start
Starting cluster...
entsh$ cluster status
ca_wide_entry enabled
localhost enabled quiescent **LOCAL**
For more information regarding the cluster status, refer to Security Manager 10.0 Cluster Management Guide Issue 4.0, which is available on the Entrust TrustedCare Portal.