Known Issues
This section describes some of the known issues that can occur due to incorrect configuration or usage of the SafeNet ProtectToolkit-M product. Should you encounter any difficulties not discussed in this section, please see Support Contacts.
Session Exists Error
This error may occur during an attempt to allocate additional keyset space or during a delete keyset operation.
Problem: Error message during keyset delete or during space allocation / de-allocation.
Cause: There are applications that have open sessions to SafeNet ProtectToolkit-M. Certain administrative operations require exclusive use of the system as a security measure; these include keyset sensitive tasks such as space allocation and keyset deletion.
Solution: Close or temporarily stop any applications or services that may be using SafeNet ProtectToolkit-M such as Certificate Services, IIS etc.
To check if an application has any open sessions to SafeNet ProtectToolkit-M, check the value shown next to Application Count in the System section of the administration utility. This will need to be “1”, and the Total Session Count must be “0” in order for the chosen action to succeed.
If this error persists, try re-booting your machine and check for any self- or auto-starting applications which may open sessions to SafeNet ProtectToolkit-M.
The Certification Authority service: CertSvc is one application that may be using SafeNet ProtectToolkit-M. If after reboot, the application count is still > 1, try disabling the service, performing the Admin operation and then re-enabling the service.
Also try the following if applicable:
>Stop the CA
>Deactivate Directory Security (IIS)
>Reboot machine
>Run the E8KRESET utility (PCIe HSM only).
NOTE If the value of Application Count is shown as “UNAVAILABLE”, your HSM firmware doesn’t support live application counting. In such a case, it is advisable to upgrade the HSM firmware to the latest version. Please refer to Checking and Upgrading HSM Firmware.
Duplicate Container or Key Instances
It is possible that following a key restore operation, there may be more than one instance of the same container or key within a particular keyset.
Problem: Duplicate key or container instance showing in keyset management utility (see Duplicate Container Error).
Figure 1: Duplicate Container Error
Cause: This is caused by performing a key restore whilst the same keys are already in existence on the selected keyset. SafeNet ProtectToolkit-M does not replace existing keys during a key restore. Multiple instances of the same key will cause the keyset management utility to show the keyset as being invalid.
Solution: Close any applications that are using SafeNet ProtectToolkit-M.
There are two methods which can be employed to address this problem:
First: It is possible to use the CTKMU utility to manually delete one of the duplicate keys or containers.
To delete a duplicate key object:
1.Ascertain the slot on which the duplicate object resides by performing the following command:
ctkmu l
2.List the contents of the slot. For example:
ctkmu l –s<slot> Answer Yes to view private <user> objects.
3.Note the name of the object which appears twice
4.Delete one of the duplicate objects. For example:
ctkmu d –s<slot> –n<object name>
The above command shows a list of objects. The only method of determining which to delete will be to look at the date of creation.
Second: An alternative to the above is to delete the affected keyset using the administration utility.
NOTE This can only be performed by the device administrator and destroys all containers and key pairs on the selected keyset. Following deletion of the keyset, it must be recreated, and key containers may then be restored from a backup.
Application Error
Problem: An application which was functioning correctly prior to SafeNet ProtectToolkit-M installation is now not working.
Cause: This may be caused by the replacement of the default “RSA SChannel” provider. During installation, SafeNet ProtectToolkit-M changes the default provider to be the “Safenet RSA SChannel” provider. In some cases this provider is incompatible with certain applications.
Solution: Restore the default previous provider. To ascertain which provider was used prior to SafeNet ProtectToolkit-M installation, open the file “uninst.ini”, found in your SafeNet ProtectToolkit-M installation directory. The last line of the file will detail the name of the provider prior to the installation.
You must edit your registry and change the required value. Do not perform this if you are uncertain on how to alter the Windows registry. Obtain advice from your system administrator, or alternatively uninstall the SafeNet ProtectToolkit-M product to see if this fixes the problem.