Error messages and alerts

This section lists the error messages and alerts you might encounter while using the user interface. The default subject of e-mail notifications is: %N DSE %E Notification

In this subject line, %N is the host name of the TSS that sent the message, and %E is one of “Error”, “Alert”, or “Error/Alert”.

If your TSS does not recognize the certificate from the Upper Clock, the body of the message sent contains lines of the form:

ERROR: 05-23-02 22:27.56 > DSNTP: Failure to Validate UC Certificate.
ERROR: 05-23-02 22:27.56 > DSNTP: Failed to process UC’s Cert.

Such errors can be fixed if the Security Officer adds the CA certificate chain for the Upper Clock certificate to the Upper Clock Cert Store. You can get the CA certificate chain from your audit service provider.

If an audit session fails due to a general communication error, the body of the message sent contains a line of the form:

ERROR: 05-02-02 14:01.07 > DSNTP: COMMUNICATION ERROR Failed to read from socket.

Such an error is usually the result of a temporary network failure, possibly due to heavy traffic on the Internet or on your local area network. The best thing to do is to initiate a new audit from the TSS; alternatively, your service provider may initiate a new audit from the Upper Clock. If the problem persists, work with your audit service provider to identify the network issue.

When you restart the TSS, the body of the message sent contains lines of the form:

ALERT: 05-24-02 19:10.08 > Logging Service has been Enabled.
ALERT: 05-24-02 19:10.38 > TSA Startup: Version: 1.1, Build 1.0
ALERT: 05-24-02 19:10.38 > Logging Service has been Enabled.
ALERT: 05-24-02 19:10.39 > DSNTP: Sent initiate request to upper clock (172.16.33.1:318)

After the first audit and restart, the body of the message sent contains lines of the form:

ALERT: 05-24-02 19:11.16 > Non-Operational TAC has been received: offset = -19.792432, ntpTime = 19:11:16 - May/24/02, expiration = -19:11:16 - May/24/02, leapAction = 0, leapTime = 0.000000, delay = 0.022242
ALERT: 05-24-02 19:11.17 > DSNTP: Sent initiate request to upper clock (172.16.33.1:318)

The first audit after a restart usually results in a non-operational TAC because the offset of the clock is large.

After an audit, the body of the message sent contains a line of the form:

ALERT: 05-24-02 19:11.35 > Operational TAC has been received: offset = 0.002194, ntpTime = 19:11:35 - May/24/02, expiration = 19:11:35 - May/31/02, leapAction = 0, leapTime = 0.000000, delay = 0.022087

When the Network Manager initiates an audit, the body of the message sent contains a line of the form:

ALERT: 05-15-02 20:54.38 > DSNTP: Sent initiate request to upper clock (172.16.33.1:318)

When the Network Manager makes changes under Network Configuration, the body of the message sent contains lines of the form:

ALERT: 04-25-02 14:32.01 > TSA: Upper Clock configuration changed.
172.16.33.1:318
ALERT: 04-25-02 14:32.01 > TSA: Lower Clock Public IP.
172.27.20.4:123
ALERT: 04-25-02 14:32.02 > DSNTP: Sent initiate request to upper clock (172.16.33.1:318)

If the Network Manager disables the clock, the body of the message sent contains lines of the form:

ALERT: 04-10-02 18:58.06 > Clock Service has been Disabled.
ALERT: 04-10-02 18:58.06 > Operational TAC has been Invalidated!

If the Network Manager enables the clock, the body of the message sent contains a line of the form:

ALERT: 04-10-02 18:58.32 > Clock Service has been Enabled.

If the Network Manager disables time-stamping, the body of the message sent contains a line of the form:

ALERT: 04-10-02 18:56.39 > Time Stamping Service has been Disabled.

If the Network Manager enables time-stamping, the body of the message sent contains a line of the form:

ALERT: 04-10-02 18:57.32 > Time Stamping Service has been Enabled.

When the Security Officer initiates a TSA certificate request, the body of the message sent contains a line of the form:

ALERT: 05-23-02 18:38.11 > TSA Certificate generation initiated for DN: C=US\S=Massachusetts\L=Lexington\O=J Scott John\OU=Finance\CN=CompanyABC

When the Security Officer fulfills a TSA certificate request, the body of the message sent contains lines of the form:

ALERT: 05-21-02 20:14.57 > Audit Service has been Disabled.
ALERT: 05-21-02 20:14.57 > Time Stamping Service has been Disabled.
ALERT: 05-21-02 20:14.57 > Clock Service has been Disabled.
ALERT: 05-21-02 20:14.57 > TSA Certificate fulfillment successful for DN: C=US\O=Datum, Inc\OU=Datum Trusted Time StampServer SN:90D00217\CN=<host name>
ALERT: 05-21-02 20:14.57 > Clock Service has been Enabled.
ALERT: 05-21-02 20:14.57 > Time Stamping Service has been Enabled.
ALERT: 05-21-02 20:14.57 > Audit Service has been Enabled.

Audit alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Audit Service has been Disabled.
ALERT: Audit Service has been Enabled.

Certificate alerts/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: "Certificate has EXPIRED (<expiredDN>)"

Certificate and key management alerts/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: TSA Certificate fulfillment successful for DN: <name>
ALERT: The TSA Certificate has expired.
ALERT: The TSA Certificate expires in <n> hours, <n> minutes.
ALERT: The TSA Certificate expires in <n> days, <n> hours.
ALERT: The TSA Certificate expires in <n> weeks, <n> days.
ALERT: Certificate added to TSA store.
DN: <name>
ALERT: Certificate added to DI store.
DN: <name>
ALERT: Certificate removed from TSA store.
DN: <name>
ALERT: Certificate removed from DI store.
DN: <name>
ALERT: TSA Certificate generation initiated for DN: <name>
ALERT: TSA Certificate generation has been canceled.
ERROR: CreateCertRequest: DecodeCRI failed <n>
ERROR: CreateCertRequest: GenerateKeyPair failed <n>
ERROR: CreateCertRequest: Unexpected private key cert mech <n>
ERROR: CreateCertRequest: GetHKM0 failed <n>
ERROR: CreateCertRequest: MakeModuleBlob failed <n>
ERROR: CreateCertRequest: ExportRSAPubKey failed <n>
ERROR: CreateCertRequest: EncodeRSAPublicKey failed <n>
ERROR: CreateCertRequest: ExportDSAPubKey failed <n>
ERROR: CreateCertRequest: EncodeDSAPublicKey failed <n>
ERROR: CreateCertRequest: EncodeCertificationRequestInfo failed <n>
ERROR: CreateCertRequest: Sign failed <n>
ERROR: CreateCertRequest: BEncCertificationRequest failed
ERROR: FulfillCertRequest: Failed to find stored key!
ERROR: FulfillCertRequest: DecodeCertificate failed <n>
ERROR: FulfillCertRequest: LoadModuleBlob failed <n>
ERROR: FulfillCertRequest: LoadRSAPubKey failed: <n>
ERROR: FulfillCertRequest: Sign failed <n>
ERROR: FulfillCertRequest: Public key mismatch.
ERROR: FulfillCertRequest: LoadDSAPubKey failed: <n>
ERROR: FulfillCertRequest: Sign failed <n>
ERROR: FulfillCertRequest: Public key mismatch.
ERROR: EncryptKeyStore: GetHKM0 failed <n>
ERROR: EncryptKeyStore: Encrypt failed <n>
ERROR: VerifyCertSignature, LoadRSAPubKey failed: <n>
ERROR: VerifyCertSignature, LoadDSAPubKey failed: <n>
ERROR: Unable to encode issuer or subject.
ERROR: EE Certificate failed validity time check!
ERROR: Failed to locate CA cert subject DN!
ERROR: CA Certificate failed validity time check!
ERROR: EE Cert validity time is not constrained by the CA Cert’s validity time!
ERROR: EE Certificate signature invalid!

Clock alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Clock Service has been Enabled.
ALERT: Clock Service has been Disabled.

DS/NTP errors generate e-mails in which the body of the message sent contains lines of the form:

ERROR: DSNTP: CreateHello, Cryptographic random generation failed, extended error: <n>
ERROR: DSNTP: ProcessUCHello, Hello message is invalid
ERROR: DSNTP: ProcessUCHello, Upper Clock name is too large
ERROR: DSNTP: ProcessUCCertificate, CreateCert returns <n>
ERROR: DSNTP: CreateLCKeyExchange, DH Key Pair generation failed: <n>
ERROR: DSNTP: CreateLCKeyExchange, Export DH pub key failed: <n>
ERROR: DSNTP: CreateLCKeyExchange, Signing function failed: <n>
ERROR: DSNTP: ProcessUCKeyExchange, invalid DSNTP message received
ERROR: DSNTP: ProcessUCKeyExchange, LoadRSAPubKey failed: <n>
ERROR: DSNTP: ProcessUCKeyExchange, LoadDSAPubKey failed: <n>
ERROR: DSNTP: ProcessUCKeyExchange, Unknown key type
ERROR: DSNTP: ProcessUCKeyExchange, DH Key derivation failed: <n>
ERROR: DSNTP: ProcessUCKeyExchange, signature was invalid: <n>
ERROR: DSNTP: AuthenticateFrame, MAC size is invalid
ERROR: DSNTP: AuthenticateFrame, HMAC verification failed, error: <n>
ERROR: DSNTP: ProcessHandshake, handshake length is invalid.
ERROR: DSNTP: ProcessHandshake, not expecting UC Certificate.
ERROR: DSNTP: ProcessHandshake, DSNTP_INVALID_MESSAGE
ERROR: DSNTP: ProcessHandshake, ProcessUCCertificate ERROR
ERROR: DSNTP: Upper clock, CertificateACK message was invalid
ERROR: DSNTP: ProcessHandshake, CreateLCKeyExchange ERROR
ERROR: DSNTP: Upper clock, CertificateACK processing failed
ERROR: DSNTP: Received invalid NTP frame, length < 48 bytes.
ERROR: DSNTP: VerifyTACSignature, signature invalid: <n>
ERROR: DSNTP: VerifyTACSignature, certInfo encode failed
ERROR: DSNTP: TAC Invalid, AttributeCertificate decode failed.
ERROR: DSNTP: Received TAC in unauthenticated state.
ERROR: DSNTP: GetTransportData, HMAC sign failed, <n>

Log alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Logging Service has been Enabled.
ALERT: Logging Service has been Disabled.

Time-stamping alerts/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Operational TAC has been Invalidated.
ALERT: Time Stamping Service has been Enabled.
ALERT: Time Stamping Service has been Disabled.
ERROR: IssueTimestamp: GetTime failed <n>
ERROR: IssueTimestamp: Sign failed: <n>
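
The notification bodies listed in this section share one line layout (severity, an optional timestamp followed by ">", then the message), and some entries continue on the next line with an address or DN. The following Python sketch is an added example, not part of the product or of this guide: it parses a notification body into entries, folds continuation lines into the entry above them, and extracts the offset and delay from TAC alerts. The function name parse_body, the REVIEW list and the sample body are assumptions made for this example.

```python
import re
from datetime import datetime

# Entry header: severity, optional "MM-DD-YY HH:MM.SS >" stamp, then the message.
ENTRY = re.compile(r"^(ALERT|ERROR):\s+(?:(\d\d-\d\d-\d\d \d\d:\d\d\.\d\d)\s+>\s+)?(.*)$")
# "key = value" pairs inside a TAC alert; a value runs up to the next comma.
TAC_FIELD = re.compile(r"(\w+) = ([^,]+)")
# Substrings copied from messages on this page. Which alerts merit operator
# review is this example's assumption, not vendor guidance.
REVIEW = ("Non-Operational TAC", "TAC has been Invalidated",
          "HMAC verification failed", "signature invalid", "has EXPIRED")

def parse_body(body):
    """Return one dict per ALERT/ERROR entry in a notification body."""
    entries = []
    for raw in body.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m is None:
            # "172.16.33.1:318", "DN: <name>" or the tail of a wrapped line
            # belongs to the entry above it.
            if line and entries:
                entries[-1]["message"] += " " + line
            continue
        level, stamp, message = m.groups()
        when = datetime.strptime(stamp, "%m-%d-%y %H:%M.%S") if stamp else None
        entries.append({"level": level, "time": when, "message": message})
    for e in entries:
        e["tac"] = None
        if "TAC has been received" in e["message"]:
            fields = dict(TAC_FIELD.findall(e["message"]))
            e["tac"] = {"operational": not e["message"].startswith("Non-Operational"),
                        "offset": float(fields["offset"]),
                        "delay": float(fields["delay"])}
        e["review"] = e["level"] == "ERROR" or any(s in e["message"] for s in REVIEW)
    return entries

# Constructed sample body assembled from lines shown in this section.
SAMPLE = """\
ALERT: 04-25-02 14:32.01 > TSA: Upper Clock configuration changed.
172.16.33.1:318
ALERT: 05-24-02 19:11.16 > Non-Operational TAC has been received: offset = -19.792432, ntpTime = 19:11:16 - May/24/02, expiration = -19:11:16 - May/24/02, leapAction = 0, leapTime = 0.000000, delay = 0.022242
ALERT: 05-24-02 19:11.35 > Operational TAC has been received: offset = 0.002194, ntpTime = 19:11:35 - May/24/02, expiration = 19:11:35 - May/31/02, leapAction = 0, leapTime = 0.000000, delay = 0.022087
ERROR: 05-23-02 22:27.56 > DSNTP: Failure to Validate UC Certificate.
ALERT: Logging Service has been Enabled.
"""
```

Calling parse_body(SAMPLE) returns five entries; the configuration-change entry carries its address in the message, and the non-operational TAC and the certificate error are marked for review.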