Syslog Reference
This guide provides information about the error messages gathered on the Syslog server. It describes the errors that can occur when performing different operations, along with their possible causes and remediation.
Viewing the Errors
To view these error messages in the CipherTrust Manager UI:
- Log on to the CipherTrust Manager GUI.
- Open the Keys & Access Management application.
- Navigate to Records > Server Records.
- Click the Search button. A popup message is displayed.
- Set the Status to Failure and click Search. The page displays the error messages, with information such as the error creation date and time, Severity, Action, Source, and Details.
You can also fill in other fields in the search box to get more specific results. Error information is specified in the errorMessage attribute in the Details column.
- To view these errors in the Syslog, open the Syslog file in any text editor and search for a record in the Action Column.
- To learn how to configure the Syslog Server on the CipherTrust Manager, refer to Syslogs.
List of Errors
Note
The list of NAE errors is incomplete. The complete list will be available in a future release.
KMIP Errors
KMIP (Key Management Interoperability Protocol) is one of the interfaces that can be used to interact with the CipherTrust Manager. This section lists errors related to the KMIP interface.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Terminating KMIP Connection | Panic while handling NAE KMIP request | High CPU utilization or memory crunch due to large number of memory intensive operations. | Restart the appliance. If the issue persists, contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
RegisterKmipClient | Unable to create KMIP Client | A KMIP client with same name or properties already exists. | Check if there is an existing client with the same name. If not, contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
RegisterKmipClient | Unable to fetch username from certificate | Data field specified by cert_user_field does not exist. Also, the CN does not exist in the certificate. | Validate the certificate. Refer to the KMIP Reference Guide for details. |
RegisterKmipClient | No profile mapped with RegToken | Registration token was not created using the same profile. | Create a registration token using the current profile. Refer to the KMIP Reference Guide for details. |
RegisterKmipClient | failed to register client with auth service. | Client Certificate is not in proper format. | Check the format of KMIP certificate. If the issue persists, contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
CreateKmipClient RegistrationToken | record not found | KMIP profile that was used to create the registration token does not exist. | Create a KMIP client profile. Use this newly created profile to create the registration token. |
CreateKmipClient Profile | kmip profile properties not provided | One or more of the mandatory properties were not specified while creating the KMIP profile. | Refer to the KMIP Reference Guide for details. |
CreateKmip ClientProfile | Invalid Certificate user field | The cert_user_field must contain one of the following values: CN, OU, SN, E, UID, E_ND | Refer to the KMIP Reference Guide for details. |
Key Errors
This section lists the key-related errors that can occur while using the CipherTrust Manager interfaces: Web, NAE, KMIP, CLI, and API.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Create Key | Invalid password for pkcs12, it should be base64 encoded | The password is not base64 encoded. | Encode the password in base64 format and retry. |
Use Key | Failed to locate the public key | Possible reasons: • User does not have permission to read the key. • Key has already been deleted. | Ensure that the key exists and user has read access on the key. |
Delete Key | Key is not deletable | User does not have permission to delete the key. | Check the key properties and ensure that the user has required permissions on the key. |
Create Key Version | error finding base version of key | User does not have required rights on the base version of the key. | Check the key properties and ensure that the user has required permissions on the key. |
• Read Key • Use Key | Key usage mask (<VALUE>) is not compatible with actual usage mask | The key is being used for a crypto operation that it was not created for. | Refer to the CCKM API Guide for details and examples of key operations. |
• Create Key • Find Keys • Find Key • Versions • Read Key • Destroy Key • Update Key | Error updating fingerprint in list of keys | Key is in the Destroyed or Destroyed Compromised state. | Validate the state of the key. |
Same as above | Failed to decode key material | Possible reasons: • Key material could be malformed. • Key material is not in hex. | Contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
Same as above | Invalid Key Material | Key data is either invalid or corrupted. | Contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
Same as above | Cannot export key in | Key is in the Destroyed or Destroyed Compromised state. | Validate the state of the key. |
Read Key | read on target is not authorized: verdict was deny: ReadKey | User is not authorized to perform read key operation. | Ensure that the user has appropriate rights and permissions. |
Certificate
Certificates are electronic documents that serve as identity. This section provides information about certificate validations on the CipherTrust Manager.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Certificate Expiry Check | Following certificates are going to expire in a few days. To avoid a possible interruption of your service, please renew your certificates. | Certificates are about to expire or have already expired. | Renew the certificates. Refer to the CipherTrust Manager Administration Guide for details. |
SNMP Errors
SNMP enables network and system administrators to remotely monitor devices on the network. This section lists errors that could occur while configuring SNMP on the CipherTrust Manager.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Add SNMP Community | Invalid community name | Providing a community name is mandatory. The name cannot be empty. | Provide a valid community name. |
• Add SNMP Community • Update SNMP Community • Add SNMP User | Invalid MIB Access | Possible values are standard and enterprise. | Refer to SNMP for details. |
Add SNMP Management Station | Invalid notification type | Possible values are "inform" and "trap". | Refer to SNMP for details. |
SMTP Errors
SMTP protocol facilitates the flow of emails over the internet. The CipherTrust Manager can be configured to automatically send email notifications for system alarms to a set of email addresses, by configuring an SMTP server. This section lists errors in configuration/usage of the SMTP service.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Add SMTP Server | failed to create new SMTP Config entry to database | Possible reasons: • The database already has an entry with the same values. • Storage crunch. • Memory crunch, causing DB operation to fail. | Restart the appliance. If problem persists, contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
Test Mail SMTP server | SMTP client failed to send test mail | SMTP server settings could be invalid. | Use valid SMTP server settings. |
Update SMTP Server | Failed to update smtp config | Password update failed due to some temporary internal error. | Retry and then restart the appliance. If problem persists, contact Thales Customer Support, and provide them a copy of Syslog for analysis. |
LDAP Errors
The CipherTrust Manager supports external LDAP. This section lists errors that could occur while configuring an external LDAP.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Create Connection | Errors with data provided. | LDAP configuration data not provided. | Provide the mandatory LDAP configuration data. |
Test Connection | socket connection error while opening: [Errno 111] Connection refused | Connection details are not valid. | Ensure that the LDAP configuration settings are valid. |
Test Connection | Failed to bind to LDAP server | The search criteria specified in bind-dn does not exist or the password is incorrect. | Validate the search criteria for LDAP and also verify the password. |
Authentication Errors
API calls are authenticated with access tokens (API authentication tokens). An access token is a string representing an authorization issued to the client. A client can obtain tokens for local or LDAP users. This section lists errors that could arise while working with the authentication tokens.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Create Token | The user does not have permission to authenticate using a certificate. | Certificate configuration does not allow authentication using a certificate. | Check if the settings that enable logging in through a certificate are configured. |
Create Token | error getting client/user: Bad connection. | Possible reasons: • Failed to fetch user from LDAP. • LDAP connection does not seem to be working. | Test your LDAP connection and check if it is working. |
Create Token | Token has been revoked | The refresh token has been revoked and cannot be used to create a new token. | Create a new token using client credentials. Refer to Tokens for details. |
Create Token | failed to create refresh token | Possible reasons: • Storage crunch in the system. • High CPU utilization or memory crunch due to large number of memory intensive operations. | Restart the appliance. If problem persists, contact Thales Customer Support. |
Create Token | Failed to locate domain | Possible reasons: • Domain does not exist. • User does not exist in the specified domain. | Check if the domain exists and if the user has the required permissions on the domain. |
Create Token | Failed to validate certificate | No local or external CA exists for this certificate. | Validate the certificate and ensure that the CA is registered with the system. |
Revoke Refresh Token | record not found | Either client_id or refresh_token does not exist. | Ensure that the client_id and refresh_token are valid. |
Revoke Refresh Token | failed to revoke tokens | Possible reasons: • Storage crunch in the system. • High CPU utilization or memory crunch due to large number of memory intensive operations. | Restart the appliance. If problem persists, contact Thales Customer Support. |
General Errors
This section lists errors related to general features such as Alarms, NTP, SSH, and Syslogs.
Action | Error Information | Possible Cause | Remediation |
---|---|---|---|
Acknowledge Alarm | Failed clearing alarm | Possible reasons: • Storage crunch in the system. • High CPU utilization or memory crunch due to large number of memory intensive operations. | Restart the appliance. If problem persists, contact Thales Customer Support. |
Acknowledge Alarm | Failed acknowledging alarm | Same as above | Same as above |
Trigger Alarm | Failed persisting alarm to database | Same as above | Same as above |
• List Alarms • Acknowledge Alarm | Failed authorization | User does not have the required permissions to list or acknowledge the alarm. | Ensure that the user has rights/permissions to perform the operation. |
Find Users | policies with conditions applied, but users endpoint does not support conditions | User does not have the rights/permissions on the Users Collection. | Ensure that the user has rights/permissions to perform the operation. |
Find Groups | policies with conditions applied, but groups endpoint does not support conditions: | User does not have the rights/permissions on the Groups Collection. | Same as above |
• CreateKey • Find Users • Find Groups • Find Connections | authorization denied: verdict was deny | User does not have permissions to perform the requested operations. | Same as above |
Get NTP Server | Failed to get NTP server from local Unix socket | High CPU utilization or memory crunch due to large number of memory intensive operations. | Restart system. If problem persists, contact Thales Customer Support. |
Add NTP Server | Failed to post NTP server to local Unix socket | High CPU utilization or memory crunch due to large number of memory intensive operations. | Same as above |
Add SSH Key | System is already bootstrapped | This operation is allowed only during system service bootstrap. If there is a non-default SSH public key configured on the system, you cannot add a second SSH key. | For Private Cloud Images (e.g. VMware, Hyper-V), the SSH key must be replaced before the system fully boots. This can be done via the CLI, API, or GUI. Refer to Starting Services After Deployment for more details. |
Add SSH Key | Invalid SSH public key, key type is not valid | Key type is not supported. | Use the supported key type (ssh-rsa). |
Download Logs | error creating download package for logs | Possible reasons: • Storage crunch in the system. • High CPU utilization or memory crunch due to large number of memory intensive operations. | Free up space and memory on the system and restart the appliance. If problem persists, contact Thales Customer Support. |
• Create Syslog Connection • Update Syslog Connection | Invalid Transport | Invalid value passed in the transport field. | Provide correct values for transport. |
• Create Interface CSR • Update Interface CSR | Write: error writing CSR parameters file | Possible reasons: • Storage crunch in the system. • High CPU utilization or memory crunch due to large number of memory intensive operations. | Free up space and memory on the system and restart the appliance. If problem persists, contact Thales Customer Support. |
• Read Interface CSR • Update Interface CSR | Error reading CSR parameters file | High CPU utilization or memory crunch due to large number of memory intensive operations. | Same as above |