Appendix
Troubleshooting
This section describes how to troubleshoot issues you may encounter while integrating CipherTrust KMS with Thycotic Secret Server.
Cannot Create RSA-512, DES, or RC4 Keys on CipherTrust KMS
If the high security feature is enabled on your CipherTrust KMS, some of the algorithms supported by the EKM Provider are disallowed by CipherTrust KMS. Requests to create the following key types fail with error code 103:
DES
RC4
RC4_128
RSA_512
RSA_1024
To resolve this problem, either disable the high security feature on CipherTrust KMS or use one of the algorithms supported by both the provider and the high security feature:
AES_128
AES_192
AES_256
RSA_2048
TRIPLE_DES
TRIPLE_DES_3KEY
Use Hyphen in a Domain Name
If your domain name includes a hyphen, you must enclose the domain\login name in square brackets:
CREATE LOGIN [<domain-Name>\<loginName>] FROM WINDOWS;
For example, the following statement creates a user in the SFNT-ABBA domain:
CREATE LOGIN [sfnt-abba\bandersson] FROM WINDOWS;
To add a credential to a login, execute the following SQL statement:
ALTER LOGIN [<domain-Name>\<loginName>] ADD CREDENTIAL <credentialName>;
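The following T-SQL script is an added example, not part of the original document, that puts the two statements above together for the hyphenated domain used in this section: it creates the bracketed Windows login, creates a credential for the provider registered as safenetSQLEKM (the CREATE CREDENTIAL form shown later in this appendix), maps the credential to the login, and then reads the mapping back from the catalog views. The login bandersson, the credential name ekm_cred and the secret placeholder are assumed values; the NAE user EKMUSER is the one the appendix itself uses.

```sql
-- Added example (not from the original document): onboard a Windows login from the
-- hyphenated domain SFNT-ABBA and map it to an EKM credential.
-- Assumed names: login bandersson, credential ekm_cred; the secret is a placeholder.
USE master;
GO

-- The domain name contains a hyphen, so the login must be enclosed in square brackets.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'SFNT-ABBA\bandersson')
    CREATE LOGIN [SFNT-ABBA\bandersson] FROM WINDOWS;
GO

-- Credential holding the NAE user and password for the provider safenetSQLEKM.
-- Replace the placeholder secret with the real NAE password.
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'ekm_cred')
    CREATE CREDENTIAL ekm_cred
        WITH IDENTITY = 'EKMUSER', SECRET = '<NAE-password-placeholder>'
        FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM;
GO

-- Map the credential to the login; the login name is bracketed again because of the hyphen.
ALTER LOGIN [SFNT-ABBA\bandersson] ADD CREDENTIAL ekm_cred;
GO

-- Verify the mapping: one row is expected, showing the login, the credential and the NAE identity.
SELECT sp.name AS login_name,
       c.name  AS credential_name,
       c.credential_identity
FROM sys.server_principal_credentials AS spc
JOIN sys.server_principals AS sp ON sp.principal_id  = spc.principal_id
JOIN sys.credentials       AS c  ON c.credential_id  = spc.credential_id
WHERE sp.name = N'SFNT-ABBA\bandersson';
GO
```

Run the script in the master database as a sysadmin; the domain must be reachable by SQL Server for the CREATE LOGIN statement to succeed. The final SELECT is the quickest way to confirm that the credential was attached to the intended login rather than to a similarly named one.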
Remove a Key from CipherTrust KMS
After using the SQLEKM Provider to create a key on SQL Server and CipherTrust KMS, the following statement will remove the key from SQL Server only:
DROP ASYMMETRIC KEY <key name in database>
Once you execute that statement, you can no longer use the provider to remove the key from CADP. You must either log in to CADP and remove the key there, or create the SQL key using CREATE_DISPOSITION=OPEN_NEW and then drop it using DROP ASYMMETRIC KEY with the REMOVE PROVIDER KEY clause.
To drop the key from both SQL Server and CADP using the provider, execute the following statement:
DROP ASYMMETRIC KEY <key name in database> REMOVE PROVIDER KEY
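The script below is an added example, not part of the original document, covering both the algorithm restriction described under "Cannot Create RSA-512, DES, or RC4 Keys" and the key removal described in this section. It creates a provider-backed asymmetric key with RSA_2048 (an algorithm accepted by both the provider and the high security feature), checks the key in the SQL Server catalog and on the provider side, and then drops it with REMOVE PROVIDER KEY so that the key is removed from CipherTrust KMS (CADP) as well. The key names ekm_rsa_key and sql_ekm_rsa_2048 are assumed; the provider name safenetSQLEKM is the one this appendix uses.

```sql
-- Added example (not from the original document): lifecycle of an EKM-backed
-- asymmetric key so that dropping it also removes it from CipherTrust KMS (CADP).
-- Assumed names: database key ekm_rsa_key, provider key sql_ekm_rsa_2048.
USE master;
GO

-- RSA_2048 is accepted by both the provider and the high security feature.
-- RSA_512 or RSA_1024 here would fail with error 103 when high security is enabled.
CREATE ASYMMETRIC KEY ekm_rsa_key
    FROM PROVIDER safenetSQLEKM
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sql_ekm_rsa_2048',
         CREATION_DISPOSITION = CREATE_NEW;
GO

-- Confirm the key is provider-backed: provider_type reports CRYPTOGRAPHIC PROVIDER for EKM keys.
SELECT name, algorithm_desc, provider_type, cryptographic_provider_guid
FROM sys.asymmetric_keys
WHERE name = 'ekm_rsa_key';
GO

-- Confirm the key exists on the provider side as well (keys enumerated through the provider).
DECLARE @provider_id int =
    (SELECT provider_id FROM sys.cryptographic_providers WHERE name = 'safenetSQLEKM');
SELECT * FROM sys.dm_cryptographic_provider_keys(@provider_id);
GO

-- Wrong for an EKM key: this removes only the SQL Server object. The key stays on CADP
-- and the provider can no longer remove it.
-- DROP ASYMMETRIC KEY ekm_rsa_key;

-- Right: remove the key from SQL Server and from CADP in one statement.
DROP ASYMMETRIC KEY ekm_rsa_key REMOVE PROVIDER KEY;
GO

-- Re-running the provider-side query should no longer list sql_ekm_rsa_2048.
```

The two catalog queries are the check to run before and after the DROP: if the SQL Server row disappears but the provider-side row remains, the key was dropped without REMOVE PROVIDER KEY and must be cleaned up on CADP by hand, as described above.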
Re-creation of Database Encryption Key (DEK) Using a Different NAE User
When using MSSQL Server 2008 on Windows 2008 or Windows 2003, if a DEK that was created with one NAE user is re-created (that is, dropped and created again) with a different NAE user, the SQL Server must be restarted before you execute the following query, which creates the credential for the new NAE user using the same SQL login:
CREATE CREDENTIAL TESTEKMCRED
WITH IDENTITY='EKMUSER', SECRET='TEMP123#' FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM
The restart is required because obsolete data remains in the SQL Server cache, and that cache is cleared only when SQL Server is restarted.
Error message, “Failed to verify Authenticode signature on DLL C:\Program Files\Safenet\SQLEKM\safenetsqlekm.dll”, is being displayed.
This error can appear in the SQL Server logs if the certificate in the DLL's signature cannot be verified because the issuer's root certificates are not present on the machine, so the signature is not trusted. Go to https://www.digicert.com/digicert-root-certificates.htm#roots, where you can download all of the DigiCert root certificates. Once downloaded, install/import the certificate into the Trusted Root Certification Authorities store. This must be done for both of the available options:
Current User
Local Machine
Error message, “Decryption key is Incorrect” is displayed
This error is displayed when you open a symmetric key that is encrypted by an asymmetric key in SQL Server 2008, SQL Server 2012 or SQL Server 2008 R2 on a computer that is running Windows 8 or Windows Server 2012.
To resolve this issue, download the cumulative update package for your SQL Server version from the Microsoft links below and apply it:
SQL Server 2008 SP3 on Windows Server 2012 platform: http://support.microsoft.com/kb/2863205, or
SQL Server 2008 R2 SP2 on Windows Server 2012 platform: http://support.microsoft.com/kb/2871401, or
SQL Server 2012 on Windows Server 2012 platform: http://support.microsoft.com/kb/2867319