Troubleshooting
Oracle error messages may sometimes show error symptoms rather than the root cause. If you see an error you have not encountered before, search for further information online before attempting to resolve the error. If you remain unable to resolve the error, contact Oracle support.
If you edit an Oracle configuration file, use a simple text editor running on the host. Do not cut and paste the file contents from another file using a formatting editor, as it may insert hidden characters that are difficult to detect and which can stop the file from working. Entrust also suggests you avoid copying files onto a UNIX host via a Windows intermediary (this includes library files).
An SQL command is run, and there is no output, or an unexpected output or error occurs
- Try reconnecting to the database.
- If that does not work, try bouncing the database.
After a change to a configuration file, no resultant change in the database behavior is observed
- Try reconnecting to the database.
- If that does not work, try bouncing the database.
ORA-28367: wallet does not exist
- Check that you have correctly installed and configured the Entrust PKCS#11 library.
- Try reconnecting to the database.
- Try bouncing the database.
- Try restarting the Entrust hardserver.
ORA-28367: cannot find PKCS11 library
- Ensure that you have correct permissions to use the /opt/oracle/extapi/… directory.
- Check that you are using a library for the correct local architecture (32/64).
- Check that you are using the appropriate Java version (32/64).
- Refer to advice given above about editing Oracle files, or copying them.
- Try reconnecting to the database.
- Recopy the libcknfast.so library file to /opt/oracle/extapi/.
- In the ORACLE_BASE/extapi directory, create a link named libcknfast.so to the actual NFAST_HOME/toolkits/pkcs11/libcknfast.so file.
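A pre-flight check for the library and file-editing points above, as an added example that is not Entrust or Oracle code. The function names are hypothetical, and it assumes a UNIX host where the PKCS#11 library is an ELF object.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PKCS#11 library file and an edited config file.

# Print 32 or 64 from the ELF header (bytes 0-3 are 0x7f 'E' 'L' 'F';
# byte 4, EI_CLASS, is 1 for 32-bit and 2 for 64-bit), else "not-elf".
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
}

# Succeed if the file holds any byte other than printable ASCII, tab or newline
# (carriage returns from a Windows hop, a UTF-8 BOM, non-breaking spaces, ...).
has_hidden_chars() {
    [ -n "$(LC_ALL=C tr -d '\11\12\40-\176' < "$1" | od -An -tx1 | tr -d ' \n')" ]
}

# check_pkcs11_lib PATH BITS: the path (followed through any link) must exist,
# be readable by the current user, and be an ELF object of the expected width.
check_pkcs11_lib() {
    lib=$1
    want=$2
    [ -e "$lib" ] || { echo "missing or dangling link: $lib"; return 1; }
    [ -r "$lib" ] || { echo "not readable by $(id -un): $lib"; return 1; }
    got=$(elf_class "$lib")
    [ "$got" = "$want" ] || { echo "architecture mismatch: $lib is $got, expected $want"; return 1; }
    echo "ok: $lib ($got-bit)"
}

# Usage (run as the OS user that owns the database processes):
#   check_pkcs11_lib /path/to/libcknfast.so 64
#   has_hidden_chars /path/to/edited/config && echo "hidden characters present"
```

Run the checks as the same OS user the database runs under, because the readability test reflects the caller's permissions and always passes for root.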
ORA-28353: failed to open wallet
- Check that you have set up your cknfastrc file with the correct contents.
- Ensure that the HSM wallet pass phrase is correct.
- Ensure that if OCS/Softcard key protection is used, the name and passphrase are correct and are separated by a | or a :.
- If you have migrated from an Oracle wallet to an HSM wallet, you must update the passphrase.
ORA-28407: Hardware Security Module failed with PKCS#11 error CKR_FUNCTION_FAILED (%d)
- This may be caused by Oracle defect 23528412. Contact Oracle support in order to obtain a patch for this defect.
- Ensure that if a FIPS 140 Level 3 Security World is in use, an OCS card is inserted in the HSM slot.
- Check that you are using the correct passphrase/credential to access the HSM.
- If you are using an nShield Connect, use its front panel to check the Security World is loaded on to the HSM itself and is both Initialized and Usable.
- Try restarting the Entrust hardserver.
Encryption keys do not migrate correctly from a software keystore to an HSM (or vice-versa)
- This may be caused by Oracle defect 17409174. Contact Oracle support in order to obtain a patch for this defect.
When you are using persistent OCS cards, the persistent authorization is lost
- This may be caused by Oracle defect 23528412. Contact Oracle support in order to obtain a patch for this defect.
- Ensure that, as the required OS user, you can access both the Entrust and Oracle functionality. If necessary, adjust user group membership to permit this, but check your security policy first.
ORA-00600: internal error code, arguments: [kzthsmgmk: C_GenerateKey], [6], [], [], [], [], [], []
- Ensure that you have added the oracle user to the nfast group. In some cases, you may have to re-login with the oracle user for this to take effect.
- Ensure that if a FIPS 140 Level 3 Security World is in use, an OCS card is inserted in the HSM slot.
ORA-28374: Typed master key not found in wallet
- Oracle software thinks there is a mismatch between encrypted object(s) and available master key(s). There is more than one possible cause for this and it is usually quite difficult to resolve. Contact Oracle support, or search for a solution online.
- If all else fails, try to restore your system from backups.