Appendix
This section describes the following topics:
Supported Algorithms and Key Size
Microsoft SQL EKM supports the following algorithm/key size combinations:
Algorithm | Bit Length | IV Length | Algorithm_Name |
---|---|---|---|
AES | 128 | 128 | AES_128 |
AES | 192 | 128 | AES_192 |
AES | 256 | 128 | AES_256 |
RSA | 512 | NA | RSA_512 |
RSA | 1024 | NA | RSA_1024 |
RSA | 2048 | NA | RSA_2048 |
RSA | 3072 | NA | RSA_3072 |
RSA | 4096 | NA | RSA_4096 |
Note
You can use the RSA 4096 key size with column encryption. It is advised not to use TDE in Microsoft SQL Server with the RSA 4096 key size because of a limitation in Microsoft SQL Server; refer to Microsoft's documentation on the limitations of Microsoft SQL Server 2016.
Troubleshooting
This section describes how to troubleshoot issues that you may encounter while integrating the CipherTrust Manager with EKM.
Note
It is recommended to keep the Windows Server operating system and the Microsoft SQL Server application on the latest patch or cumulative update, in order to pick up the fixes for issues that Microsoft has already resolved.
cakm.dll was not able to access the certs/keys placed on the LDAP user desktop
To resolve this issue, move the certificates and keys to the CipherTrust folder, or to a folder to which the user has read/write access.
Cannot Create RSA-512, DES, or RC4 Keys on the CipherTrust Manager
If your CipherTrust Manager utilizes our high security features, some algorithms supported by the EKM Provider are disallowed by the CipherTrust Manager. Requests to create the following keys will result in error code 103:
DES
RC4
RC4_128
RSA_512
RSA_1024
To resolve this problem, either disable the high security feature on the CipherTrust Manager or use one of the algorithms supported by both the provider and the high security feature:
AES_128
AES_192
AES_256
RSA_2048
TRIPLE_DES
TRIPLE_DES_3KEY
Use Hyphen in a Domain Name
If your domain name includes a hyphen, you must enclose the name in square brackets.
CREATE LOGIN [<domain-Name>\<login_name>] FROM WINDOWS;
For example, the following statement creates a user in the SFNT-ABBA domain:
CREATE LOGIN [sfnt-abba\bandersson] FROM WINDOWS;
To add a credential to a login, execute the following SQL statement:
ALTER LOGIN [<domain-Name>\<login_name>]
ADD CREDENTIAL <credential_name>;
Remove a Key from the CipherTrust Manager
After using the SQL EKM Provider to create a key on Microsoft SQL Server and the CipherTrust Manager, the following statement will remove the key from Microsoft SQL Server only:
DROP ASYMMETRIC KEY <key_name_in_cipherTrust_manager>
Once you execute that statement, you can no longer use the provider to remove the key from the CipherTrust Manager, because the SQL Server object that referenced it is gone. You must either log on to the CipherTrust Manager and remove the key there, or re-create the SQL Server key object for the existing provider key using CREATION_DISPOSITION = OPEN_EXISTING and then drop it with DROP ASYMMETRIC KEY ... REMOVE PROVIDER KEY.
To drop the key from both Microsoft SQL Server and the CipherTrust Manager using the provider, execute the following statement:
DROP ASYMMETRIC KEY <key_name_in_cipherTrust_manager> REMOVE PROVIDER KEY
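The following T-SQL script is an added example, not code from the CipherTrust documentation. It walks through both DROP ASYMMETRIC KEY forms described above: the plain form that leaves the key on the CipherTrust Manager, the recovery step that re-attaches to that orphaned key with T-SQL's CREATION_DISPOSITION = OPEN_EXISTING option, and the REMOVE PROVIDER KEY form that deletes the key on both sides. It assumes the provider is already registered as CipherTrustEKM and that the current login holds a credential for it; the key name tde_kek_01 is a placeholder chosen for this example.

```sql
-- Added example, not from the CipherTrust documentation. Assumes the provider is
-- already registered as [CipherTrustEKM] and the current login holds a credential
-- for it. The key name tde_kek_01 is a placeholder.
USE master;

-- Create the key on the CipherTrust Manager and the SQL Server object that references it.
CREATE ASYMMETRIC KEY tde_kek_01
    FROM PROVIDER CipherTrustEKM
    WITH ALGORITHM = RSA_2048,             -- permitted even with high security enabled
         PROVIDER_KEY_NAME = 'tde_kek_01',
         CREATION_DISPOSITION = CREATE_NEW;

-- Case A: a plain DROP removes only the SQL Server object. The key stays on the
-- CipherTrust Manager, and this instance can no longer reach it through the provider.
DROP ASYMMETRIC KEY tde_kek_01;

-- Recovery for case A: re-attach a SQL Server object to the existing provider key.
CREATE ASYMMETRIC KEY tde_kek_01
    FROM PROVIDER CipherTrustEKM
    WITH PROVIDER_KEY_NAME = 'tde_kek_01',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- Before destroying the provider key, make sure no database encryption key is
-- still protected by it (removal is irreversible; data under the key would be lost).
SELECT DB_NAME(dek.database_id) AS protected_db
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.asymmetric_keys AS ak ON ak.thumbprint = dek.encryptor_thumbprint
WHERE ak.name = 'tde_kek_01';            -- expect zero rows

-- Case B: REMOVE PROVIDER KEY deletes the SQL Server object and the key on the
-- CipherTrust Manager in one statement.
DROP ASYMMETRIC KEY tde_kek_01 REMOVE PROVIDER KEY;

-- Confirm that no SQL Server object still references the provider key.
SELECT name, algorithm_desc, provider_type
FROM sys.asymmetric_keys
WHERE name = 'tde_kek_01';               -- expect zero rows
```

Run the script as a login that holds the EKM credential; the two SELECT statements are the checks a practitioner would want before and after the destructive drop.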
Re-creation of Database Encryption Key (DEK) Using a Different NAE User
When using Microsoft SQL Server 2008 on Windows Server 2008 or Windows Server 2003, if a DEK that was created using one NAE user is re-created (that is, dropped and then created again) with a different NAE user, Microsoft SQL Server must be restarted before executing the following credential-creation query for the new NAE user with the same SQL login:
CREATE CREDENTIAL <credential_name>
WITH IDENTITY='<cipherTrust_manager_user>',
SECRET='<cipherTrust_manager_user_password>'
FOR CRYPTOGRAPHIC PROVIDER <provider_name>
The restart is required because obsolete data remains in the Microsoft SQL Server cache and is cleared only when Microsoft SQL Server is restarted.
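The script below is an added example, not code from the CipherTrust documentation. It shows the full DEK re-creation sequence that the section above describes, with the service restart placed where the cached data from the first NAE user must be cleared. Assumed names: provider CipherTrustEKM, SQL login CORP\sqlsvc, database SalesDB, credentials CM_Cred_UserA and CM_Cred_UserB for the two NAE users, a TDE login tde_login, and provider key tde_kek_02; the NAE user names and passwords are placeholders.

```sql
-- Added example, not from the CipherTrust documentation. All object names,
-- NAE user names and secrets below are placeholders chosen for this example.

-- 1. Retire the DEK that was created under NAE user A.
USE SalesDB;
ALTER DATABASE SalesDB SET ENCRYPTION OFF;
-- Wait until encryption_state = 1 (unencrypted) before dropping the DEK.
SELECT encryption_state
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('SalesDB');
DROP DATABASE ENCRYPTION KEY;

-- 2. Unmap and drop the credential that carried user A from the same SQL login.
USE master;
ALTER LOGIN [CORP\sqlsvc] DROP CREDENTIAL CM_Cred_UserA;
DROP CREDENTIAL CM_Cred_UserA;

-- 3. RESTART THE SQL SERVER SERVICE HERE (for example from SQL Server Configuration
--    Manager). Without the restart, stale cached data from user A is still in effect
--    when the new credential is created.

-- 4. Map NAE user B to the same SQL login and create the new key-encrypting key.
CREATE CREDENTIAL CM_Cred_UserB
    WITH IDENTITY = '<nae_user_b>', SECRET = '<nae_user_b_password>'
    FOR CRYPTOGRAPHIC PROVIDER CipherTrustEKM;
ALTER LOGIN [CORP\sqlsvc] ADD CREDENTIAL CM_Cred_UserB;

CREATE ASYMMETRIC KEY tde_kek_02
    FROM PROVIDER CipherTrustEKM
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'tde_kek_02',
         CREATION_DISPOSITION = CREATE_NEW;

-- 5. TDE authenticates to the provider through a login created from the key,
--    so give that login its own credential for user B as well.
CREATE LOGIN tde_login FROM ASYMMETRIC KEY tde_kek_02;
CREATE CREDENTIAL CM_Cred_UserB_tde
    WITH IDENTITY = '<nae_user_b>', SECRET = '<nae_user_b_password>'
    FOR CRYPTOGRAPHIC PROVIDER CipherTrustEKM;
ALTER LOGIN tde_login ADD CREDENTIAL CM_Cred_UserB_tde;

-- 6. Re-create the DEK under the new key and turn encryption back on.
USE SalesDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY tde_kek_02;
ALTER DATABASE SalesDB SET ENCRYPTION ON;

-- 7. Verify: encryption_state 3 = encrypted, encryptor_type = 'ASYMMETRIC KEY'.
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('SalesDB');
```

Step 3 is the point the section is about: everything after it runs against the new NAE user only if the service has been restarted in between.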
Error message, “Failed to verify Authenticode signature on DLL C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.dll”, is being displayed.
This error can appear in the SQL Server logs when the certificate in the DLL's signature cannot be verified because the issuer's root certificate is not present in the certificate store, so the signature is not trusted.
Go to https://www.digicert.com/digicert-root-certificates.htm#roots, where all DigiCert root certificates can be downloaded. Download the certificate and import it into the Trusted Root Certification Authorities store. This must be done for both of the available scopes:
Current User
Local Machine
Error message, "Decryption key is Incorrect" is displayed
This error is displayed when you open a symmetric key that is encrypted by an asymmetric key in Microsoft SQL Server 2008, Microsoft SQL Server 2012 or Microsoft SQL Server 2008 R2 on a computer that is running Windows 8 or Windows Server 2012.
To resolve this issue, download the cumulative update package for Microsoft SQL Server from the link below and apply it:
Microsoft SQL Server 2008 SP3 on Windows Server 2012 platform
Error message, "Cannot load library 'C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.dll'. See errorlog for more information."
To resolve this issue, ensure that:
The CAKM installation directory contains libcrypto-1_1-x64.dll and libssl-1_1-x64.dll.
The System environment variable Path contains the CAKM installation directory path, for example C:\Program Files\CipherTrust\CAKM For SQLServerEKM\
The Microsoft SQL Server service is restarted after installation or upgrade of CAKM.
Error message, "The MSSQLSSQL service terminated unexpectedly" and "Event ID 0 from source OpenSSL cannot be found. OpenSSL Uplink: no OPENSSL_Applink"
This error occurs when either the component that raises this event is not installed on your local computer or the installation is corrupted.
To resolve this issue, ensure that:
The default CAKM installation directory path C:\Program Files\CipherTrust\CAKM For SQLServerEKM\ is placed at the top of the System environment variable Path.
The CAKM installation directory path C:\Program Files\CipherTrust\CAKM For SQLServerEKM\ contains libcrypto-1_1-x64.dll and libssl-1_1-x64.dll.
Error message, "Cannot load library C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.dll", is displayed
To resolve this issue, ensure that the correct version of the Microsoft Visual C++ Redistributable Package is installed on your machine. Refer to Prerequisites for details.
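The following diagnostic script is an added example, not code from the CipherTrust documentation. It checks from inside SQL Server the conditions that the "Cannot load library", OPENSSL_Applink and Visual C++ Redistributable entries above ask you to verify, and it lists the algorithms the provider actually exposes so they can be compared with the table in "Supported Algorithms and Key Size" and with the high security restrictions described under "Cannot Create RSA-512, DES, or RC4 Keys". It assumes the provider was registered under the name CipherTrustEKM and that the DLL paths are the defaults given on this page; the catalog views and DMVs used are standard SQL Server objects.

```sql
-- Added diagnostic script, not from the CipherTrust documentation.
-- Assumed provider name: CipherTrustEKM. Requires VIEW SERVER STATE.
USE master;

-- 1. Is EKM enabled at the instance level? value_in_use must be 1.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'EKM provider enabled';

-- 2. Is the provider registered and enabled, and does dll_path point at the
--    CAKM installation directory?
SELECT name, version, dll_path, is_enabled
FROM sys.cryptographic_providers
WHERE name = 'CipherTrustEKM';

-- 3. Has the SQL Server process actually loaded the provider DLL and the OpenSSL
--    libraries it depends on? A missing libcrypto/libssl row matches the
--    "Cannot load library" and OPENSSL_Applink entries; a missing provider row with
--    the DLLs present points at the Visual C++ Redistributable prerequisite.
SELECT name, file_version, company
FROM sys.dm_os_loaded_modules
WHERE name LIKE '%cakm_mssql_ekm.dll'
   OR name LIKE '%libcrypto-1_1-x64.dll'
   OR name LIKE '%libssl-1_1-x64.dll';

-- 4. What does the loaded provider report about itself?
SELECT p.name, pp.provider_version, pp.sqlcrypt_version, pp.authentication_type,
       pp.symmetric_key_support, pp.asymmetric_key_support
FROM sys.cryptographic_providers AS p
JOIN sys.dm_cryptographic_provider_properties AS pp
  ON pp.provider_id = p.provider_id
WHERE p.name = 'CipherTrustEKM';

-- 5. Which algorithms and key lengths does the provider expose? Compare with the
--    supported-algorithms table. An algorithm listed here but refused by the
--    CipherTrust Manager with error code 103 falls under the high security
--    restriction (DES, RC4, RC4_128, RSA_512, RSA_1024).
SELECT a.algorithm_tag, a.key_type, a.key_length
FROM sys.cryptographic_providers AS p
CROSS APPLY sys.dm_cryptographic_provider_algorithms(p.provider_id) AS a
WHERE p.name = 'CipherTrustEKM'
ORDER BY a.algorithm_tag, a.key_length;
```

Queries 3 to 5 return rows only once the provider has loaded successfully, so an empty result from query 3 after a service restart is itself the symptom to chase through the file and Path checks above.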