Recommendations and troubleshooting
IISRESET use cases
An IISRESET operation is highly recommended in the following cases:
- When an HSM with which the SAS solution communicates is turned off and subsequently turned on, an IISRESET is recommended so that SAS can resume communicating with the HSM.
- Whenever a Registry setting or an Environment Variable changes, an IISRESET operation is recommended.
Normal mode setup
HSM PSEv3 can have some trouble while being configured in normal mode. Check whether Windows/System32 contains the cryptoki.dll file. If not, copy it from the PSE install location to the following path: \ProtectToolkit 7\C SDK\bin\sw and try again.
Set up Environment Variables
If you are unable to select an Adapter during Slot Creation and Initialization, follow these steps to configure environment variables:
- Click Control Panel > System.
- From the left pane, click Advanced System Settings.
- The System Properties dialog box is displayed with the Advanced tab selected.
- To configure, click Environment Variables.
Verify Key Checksum Value in Replicated Slots
To verify that the KCV of the key is the same in both slots, follow these steps:
- Execute the KMU HSM.bat batch file available at the following path: C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin
- Select Slot 0 of device 0 and provide the User PIN to log in.
- Right-click the key and select View KCV. Note down the KCV value for Slot 0 of device 0.
- Select the replicated slot from device 1 and log in with the User PIN of Slot 0 of device 0.
- Right-click the key and select View KCV. The value of KCV for this key should be the same as noted from Slot 0 of device 0.
Update User PIN in SAS
An Administrator may need to change the User PIN of the HSM. After the User PIN of an HSM slot is changed, the same User PIN must also be updated in the SAS solution; otherwise, the SAS solution does not allow the Administrator to create users and perform related activities. Follow these steps to update it:
- Log in to the SAS Administrator console using username and password.
- Navigate to System > HSM Database Encryption.
- Update the new User PIN in the HSM PIN of Slot 0 field, and click Apply. The appropriate messages, as shown in the screenshot, are displayed.
- The server on which the SAS solution is installed now needs to be restarted, to ensure that a new session is created between the SAS and HSM.
Unresponsive failover server
If the failover server is not responding, ensure that the steps below were followed. If any were missed, perform them:
- Install SAS.
- Install the PTKC 5.2.0 packages (PTKnethsm.msi and PTKcpsdk.msi).
- Provide only one IP for HSM device 0 while installing PTKnethsm.msi.
- Restart the server to reflect changes.
- Create a slot in HSM (if not already available).
- Enable HSM in SAS (in Normal mode).
- Create users in SAS.
- Stop HSM device.
- Try to open the created user. If the Created User page is accessible, perform an IISRESET operation. If the Created User page is inaccessible, continue following the steps.
- Start HSM and open created user. The user detail page is displayed.
- Update ET_HSM_NETCLIENT_SERVERLIST in registry and environment variable. Add IP of the second HSM (device 1).
- Perform IISRESET operation.
- Open command line and execute hsmstate and ctkmu l commands. State of both HSMs, and slot details of both HSMs should be displayed.
- Create a new slot in HSM device 1 (second HSM device). Replicate the newly created slot with Slot 0 of HSM device 0. After successful replication, verify that the KCV of keys in both slots are the same.
- Change ET_PTKC_GENERAL_LIBRARY_MODE to HA and ET_PTKC_WLD_SLOT_0 to <Slot label> in the registry.
- Add key ET_PTKC_HA_LOG_FILE in the registry, available at the following path: HKEY_LOCAL_MACHINE/SOFTWARE/Safenet/PTKC/HA, and set its value to NULL.
- Perform IISRESET operation.
- Execute ctkmu l command. Only Slot 0 should be visible.
- Open SAS, and open the created user.
- Test the failover server without performing an IISRESET operation.
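A read-only check of the settings the steps above depend on, added here as an example and not taken from the vendor documentation: it looks for cryptoki.dll, compares the machine-level ET_HSM_NETCLIENT_SERVERLIST with the value the current process inherited, and reads ET_PTKC_HA_LOG_FILE. The two HSM addresses are constructed samples, and the separators accepted in the server list (whitespace, comma, semicolon) are an assumption.

```powershell
# Added example: reports on the failover settings named on this page; changes nothing.
param(
    # Constructed sample addresses; pass the real IPs of HSM device 0 and device 1.
    [string[]]$ExpectedHsmAddresses = @('192.0.2.10', '192.0.2.11')
)

$findings = @()

# Normal mode setup: cryptoki.dll is expected in Windows\System32.
$dll = Join-Path $env:SystemRoot 'System32\cryptoki.dll'
if (-not (Test-Path -LiteralPath $dll)) {
    $findings += "cryptoki.dll not found at $dll"
}

# ET_HSM_NETCLIENT_SERVERLIST: machine-level value vs. the value this process inherited.
$name    = 'ET_HSM_NETCLIENT_SERVERLIST'
$machine = [Environment]::GetEnvironmentVariable($name, 'Machine')
$process = [Environment]::GetEnvironmentVariable($name, 'Process')
if ([string]::IsNullOrWhiteSpace($machine)) {
    $findings += "$name is not set as a system environment variable"
} else {
    # Assumption: entries are separated by whitespace, comma or semicolon.
    $listed = $machine -split '[\s,;]+' | Where-Object { $_ }
    foreach ($ip in $ExpectedHsmAddresses) {
        if ($listed -notcontains $ip) { $findings += "$name does not list $ip" }
    }
    # A process keeps the environment it started with, so a mismatch here means the
    # variable changed after this process (and possibly the IIS workers) was launched.
    if ($machine -ne $process) {
        $findings += "$name changed after this process started; restart it and run IISRESET"
    }
}

# HA log file value, at the registry path given on this page.
$haPath = 'HKLM:\SOFTWARE\Safenet\PTKC\HA'
$ha = Get-ItemProperty -Path $haPath -Name 'ET_PTKC_HA_LOG_FILE' -ErrorAction SilentlyContinue
if ($null -eq $ha) {
    $findings += "ET_PTKC_HA_LOG_FILE not found under $haPath"
} else {
    "ET_PTKC_HA_LOG_FILE = '$($ha.ET_PTKC_HA_LOG_FILE)'"
}

if ($findings.Count -eq 0) { 'No configuration gaps found.' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```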