Troubleshooting

Oracle error messages may sometimes show error symptoms rather than the root cause. If you see an error you have not encountered before, search for further information online before attempting to resolve the error. If you remain unable to resolve the error, contact Oracle support.

If you edit an Oracle configuration file, use a simple text editor running on the host. Do not cut and paste the file contents from another file using a formatting editor, as it may insert hidden characters that are difficult to detect and which can stop the file from working. Entrust also suggests you avoid copying files onto a UNIX host via a Windows intermediary (this includes library files).

An SQL command is run, and there is no output, or an unexpected output or error occurs

  1. Try reconnecting to the database.

  2. If that does not work, try bouncing the database.

After a change to a configuration file, no resultant change in the database behavior is observed

  1. Try reconnecting to the database.

  2. If that does not work, try bouncing the database.

ORA-28367: wallet does not exist

  1. Check that you have correctly installed and configured the Entrust WSOP PKCS#11 library.

  2. Try reconnecting to the database.

  3. Try bouncing the database.

ORA-28367: cannot find PKCS11 library

  1. Ensure that you have correct permissions to use the /opt/oracle/extapi/… directory.

  2. Check that you are using a library for the correct local architecture (32/64).

  3. Check that you are using the appropriate Java version (32/64).

  4. Refer to advice given above about editing Oracle files, or copying them.

  5. Try reconnecting to the database.

  6. Recopy the libpkcs11webservices.so library file to /opt/oracle/extapi/.

ORA-28353: failed to open wallet

  1. Ensure that the HSM wallet pass phrase is correct.

  2. Ensure that the softcard, the name and passphrase are correct and are separated by a | or a :.

  3. If you have migrated from an Oracle wallet to an HSM wallet, you must update the passphrase.

ORA-28407: Hardware Security Module failed with PKCS#11 error CKR_FUNCTION_FAILED (%d)

  1. This may be caused by Oracle defect 23528412. Contact Oracle support in order to obtain a patch for this defect.

  2. Ensure that if a FIPS 140 Level 3 Security World is in use, an OCS card is inserted in the HSM slot. Make sure the WSOP server can see the OCS card.

  3. Check that you are using the correct passphrase/credential to access the HSM.

  4. In the WSOP server, If you are using an nShield Connect, use its front panel to check the Security World is loaded on to the HSM itself and is both Initialized and Usable.

  5. Try restarting the Entrust hardserver in the WSOP server.

Encryption keys do not migrate correctly from a software keystore to an HSM (or vice-versa)

  1. This may be caused by Oracle defect 17409174. Contact Oracle support in order to obtain a patch for this defect.

ORA-00600: internal error code

arguments: [kzthsmgmk: C_GenerateKey], [6], [],[], [], [], [], []

  1. Ensure that you have added the oracle user to the nfast group. In some cases, you may have to re-login with the oracle user for this to take effect.

  2. Ensure that if a FIPS 140 Level 3 Security World is in use, an OCS card is inserted in the HSM slot and visible in the WSOP server.

arguments: [ksqgel:null_parent], [], [],[], [], [], [], []

  1. Sometimes occurs using encrypted tablespaces.

  2. This may be caused by Oracle defect 21080143. Contact Oracle support in order to obtain a patch for this defect.

ORA-28374: Typed master key not found in wallet

  1. Oracle software thinks there is a mismatch between encrypted object(s) and available master key(s). There is more than one possible cause for this and it is usually quite difficult to resolve. Contact Oracle support, or search for a solution online.

  2. If all else fails, try and restore your system from backups.

ORA-12162: TNS: net service name is incorrectly specified

  1. Check that you have correctly set the value for ORACLE_SID in your local environment.