FAQs
This section lists frequently asked questions and workarounds for problems that may arise when using SafeNet IDPrime Virtual Server and Client.
SafeNet IDPrime Virtual Server FAQs
Question | Answer |
---|---|
Will there be issues if I have registered multiple partitions in the HSM on my SafeNet IDPrime Virtual Server host? | No, because SafeNet IDPrime Virtual Server works with a single partition on the HSM Server. If the HSM is multi-partitioned, the TokenSerial and TokenPin values can be updated manually in the appsettings.yml file. Refer to the Configuring Hardware Security Module for IDPrime Virtual Server section. |
SafeNet IDPrime Virtual Server is not functioning after setup and the logs display the following: “Method C_OpenSession returned CKR_DEVICE_ERROR”. | This is related to the HSM server. Check the network connection to the HSM server. Ensure that the HSM server is up and running, and is reachable from the IDPrime Server. |
Error found in logs: Method C_GenerateKey returned CKR_PIN_EXPIRED | Either the HSM PIN provided in the appsettings.yml file has expired, or the PIN was not changed before first use as per the HSM policy. |
Error found in logs: Method C_GenerateKeyPair returned CKR_MECHANISM_INVALID | The HSM partition might not have export capability; refer to Partition Level Policies to check the partition policies. OR the user is passing -k true to the tenant create command. OR the user needs to add RSAKeyGenMechRemap=1; under the miscellaneous section of the Chrystoki.conf file in the /var/thales/hsm directory. |
Error found in logs: Method C_GenerateKey returned 2147483692 | Reason: The partition is full of objects (keys).<br>Resolution: Run the commands below to clear the keys. You need to create a new tenant once you are done with partition cleaning.<br>lunacm<br>role login -n co (this asks for the partition CO PIN)<br>par contents<br>par clear |
I have put the correct CO PIN in the appsettings.yml file. Still, I get the error CKR_PIN_INCORRECT in the logs. | Possible Reasons: • The CO user PIN is incorrect in the appsettings.yml file. • The CO user PIN was only initialized and was not changed on first use. • TokenPasscode is given/changed. Resolution: • Enter the correct PIN in the appsettings.yml file. • Check whether the PIN was changed on first use; if not, change the PIN on first use and then update it in the appsettings.yml file. • Ensure that the token passcode has not been changed from the one used the first time. |
Error found in logs: Host 'host-ip-or-hostname' is not allowed to connect to this MySQL server. | Possible Reason: The DB user (or the machine) configured in appsettings.yml does not have permission to connect to the DB. Resolution: Add a user in the DB for the server machine host or IP. Example for MySQL:<br>CREATE USER 'username-inappsettings.yml'@'host-ip-or-hostname' IDENTIFIED BY 'sql-dbuser-Password-inappsettings.yml';<br>GRANT ALL ON database-name-inappsettings.yml.* TO 'username-inappsettings.yml'@'host-ip-or-hostname';<br>FLUSH PRIVILEGES; |
Error found in logs: Unable to connect to <DB> | Possible Reasons: • On Kubernetes, the DB sometimes cannot be resolved if the DNS name of the DB server is used in the appsettings.yml configuration file, because K8 uses its own DNS and falls back to the subnet DNS. • The DB server is not reachable from the IDPV Server. Resolution: Use the DB Server IP or add the entry in the fallback DNS. |
Why is it required to add the IDPV server and IDP certificates to the local machine trusted store of the client machine? | Possible Reasons: Due to security enhancements, the IDPV client connects only to an IDPV server all of whose certificates are trusted on the client machine. |
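
The log errors in the table above can be triaged with a short script. This is an added example, not Thales code: it matches the "Method ... returned ..." text quoted above, converts numeric return values to hex (2147483692 is 0x8000002C, which lies in the PKCS#11 vendor-defined range starting at 0x80000000), and attaches the cause given in this FAQ. The sample log lines, including their timestamps and level fields, are constructed.

```python
import re

CKR_VENDOR_DEFINED = 0x80000000  # PKCS#11: values at or above this are vendor-specific

# Causes as stated in the FAQ table above, keyed by the code seen in the log.
FAQ_CAUSES = {
    "CKR_DEVICE_ERROR": "HSM server down or unreachable from the IDPrime server",
    "CKR_PIN_EXPIRED": "HSM PIN in appsettings.yml expired or not changed before first use",
    "CKR_MECHANISM_INVALID": "partition export policy, -k true, or RSAKeyGenMechRemap",
    "CKR_PIN_INCORRECT": "CO PIN wrong, not changed on first use, or passcode changed",
    "0x8000002C": "partition is full of objects (keys)",
}

LINE_RE = re.compile(r"Method (C_\w+) returned (CKR_\w+|\d+)")

def normalize(code):
    """Leave symbolic names unchanged; render decimal codes as 8-digit hex."""
    return "0x%08X" % int(code) if code.isdigit() else code

def triage(lines):
    """Return (function, code, vendor_defined, cause) for each PKCS#11 failure line."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a PKCS#11 failure line
        func, code = m.group(1), normalize(m.group(2))
        vendor = code.startswith("0x") and int(code, 16) >= CKR_VENDOR_DEFINED
        cause = FAQ_CAUSES.get(code, "not covered by this FAQ")
        findings.append((func, code, vendor, cause))
    return findings

# Constructed sample lines; only the "Method ... returned ..." text follows the FAQ.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z ERROR Method C_OpenSession returned CKR_DEVICE_ERROR",
    "2024-01-01T10:00:05Z INFO  tenant request received",
    "2024-01-01T10:00:09Z ERROR Method C_GenerateKey returned 2147483692",
    "2024-01-01T10:00:12Z ERROR Method C_Sign returned CKR_FUNCTION_FAILED",
]

if __name__ == "__main__":
    for func, code, vendor, cause in triage(SAMPLE_LOG):
        tag = " (vendor-defined)" if vendor else ""
        print(f"{func}: {code}{tag} -> {cause}")
```
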
SafeNet IDPrime Virtual Client FAQs
Question | Answer |
---|---|
Why can't I see the SafeNet IDPrime Virtual Client tray icon in the System Tray at the right corner of the screen? | • Click the arrow next to the notification area, and then click Customize. • For SafeNet IDPrime Virtual, select Show icon and notifications. |
What kind of general check can I do to make sure the Client executes properly? | Check the configuration in the Registry. All parameters must have a value that is the same on the server side (Tenant Configuration). |
I made changes to the Registry Keys and I am not able to see the updates. | The System Tray app and the Service must be restarted after any changes are made in the Registry. |
I have lost connection to the Server. | • Check connection to the IDPrime Virtual Server through the browser by entering the server URL + /swagger. If the browser still cannot connect, check the proxy configuration in the browser and set it. • You can also try doing a ping to the server address. • Check the computer time – it should be the same as the time on the domain, STA and IDPrime Virtual Server (UTC time). |
How do I update the offline token validity? | The setting is done in the SafeNet IDPrime Virtual server using the TokenPolicy.json file. Perform the following steps: 1. Update the ValidityDurationInHours parameter value in seconds. 2. Update the tenant using the updated TokenPolicy.json file. 3. Restart the IDPV Server for the settings to take effect. |
Offline Bundle and Connect on Behalf FAQs
Question | Answer |
---|---|
Can an admin download the offline bundle of a user token? | • No, an admin cannot download the offline bundle of a user token. • An admin can only work on its own token in offline mode and cannot work on a user token. |
Can an admin perform operations on Connect on Behalf tokens if the network disappears while doing Connect on Behalf? | No, the admin must go online. |
Can an admin perform token login to the cards created by the user? | No, an admin can only perform the delete operation once the user is logged in to the token. |