Troubleshooting

Restoring STC After HSM Zeroization

The STC client identities are not backed up with the HSM configuration, so you must re-register them manually after HSM zeroization. See Restoring STC After HSM Zeroization for an outline of this process.

Restoring STC After Regenerating the HSM Server Certificate on the SafeNet Luna Network HSM Appliance

If you regenerate the HSM Server Certificate on the appliance (using the LunaSH command sysconf regencert; see the LunaSH Command Reference Guide), you must complete the following steps to restore any STC links to the appliance:

HSM SO:

1. Using LunaSH, restart the NTLS and STC services.

lunash:>service restart ntls

lunash:>service restart stc

2. Provide the new HSM Server Certificate (server.pem) to each client by scp, pscp, or other secure means.

Clients:

1. Delete the original server identity from the client using the vtl utility.

>vtl deleteserver -n <server_IP_or_hostname>

2. Register the new HSM Server Certificate you received from the HSM SO.

>vtl addserver -n <server_IP_or_hostname> -c <server_certificate_filename>

3. Run LunaCM, find the new Server ID, and enable STC for the server.

lunacm:>clientconfig listservers

lunacm:>stc enable -id <server_ID>
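
The client steps above register whatever server.pem was delivered, so it is worth confirming the file is the certificate the HSM SO actually sent. The following is an added example, not part of the SafeNet documentation: it compares the file's SHA-256 fingerprint with a value the HSM SO supplied over a separate channel, and only then runs the vtl commands shown above. The function names, the VTL dry-run variable, and the reliance on GNU base64 and sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): check server.pem before vtl addserver.

# Print the SHA-256 (lowercase hex) of the DER bytes of the first certificate
# in a PEM file. For a real certificate this is the same digest that
# "openssl x509 -fingerprint -sha256" reports, without the colons.
pem_sha256() {
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
           sed '/^-----END CERTIFICATE-----/q' | grep -v '^-----' | tr -d ' \t\r\n')
    [ -n "$body" ] || return 1                       # no certificate block found
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1   # not valid base64
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AA:BB:..." or "aabb..." and reduce both to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# verify_server_cert <pem> <expected_fp>
# Returns 0 on match, 1 on mismatch, 2 if either input is unusable.
verify_server_cert() {
    actual=$(pem_sha256 "$1") || return 2
    expected=$(normalize_fp "$2")
    [ "${#expected}" -eq 64 ] || return 2
    [ "$actual" = "$expected" ]
}

# reregister <server_IP_or_hostname> <pem> <expected_fp>
# Runs the two vtl steps from this page only after the check passes.
# VTL defaults to "echo vtl" (dry run); set VTL=vtl on a real client.
reregister() {
    verify_server_cert "$2" "$3" || {
        echo "fingerprint check failed for $2; server not registered" >&2
        return 1
    }
    ${VTL:-echo vtl} deleteserver -n "$1" &&
    ${VTL:-echo vtl} addserver -n "$1" -c "$2"
}

# Stand-alone use: ./check_and_register.sh <server> <server.pem> <fingerprint>
if [ "$#" -eq 3 ]; then
    reregister "$@"
fi
```

The LunaCM steps (clientconfig listservers, stc enable) are still performed afterwards as described above.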

SAlogin Error

The salogin utility is compatible with NTLS-enabled slots only. See salogin in the Utilities Reference Guide for more information. If you attempt to use the salogin utility with an STC-enabled slot, you will get an error similar to the following:

# ./salogin -o -s 0 -i 1:1 -p userpin
CA_OpenApplicationID: failed to open application id. err 0x8000003

token not present or app id already open?