1785 A problem occurred with the Key Server
Explanation
The meaning of the error code depends on the associated event code. All of these errors involve the key server validation process, which can be triggered by the mkkeyserver, chkeyserver, or testkeyserver commands, or by the regular validation timer.
086006 Key Server reported KMIP error
- KMIP Error Code
- KMIP Result Status
- KMIP Result Reason
- An error string that contains the KMIP Result Message
086007 Key Server reported vendor information error
- Unsupported type of key server
- Unsupported code level on the key server
086008 Failed to connect to Key Server
While key server validation was running, the node was unable to connect to the key server.
086009 Key Server reported misconfigured primary
An SKLM key server reported a server type that conflicted with the value defined on the system. The key server reported it is not the primary, but the server is defined to be the primary on the system.
User response
- The key server reported a server-side problem. The sense data of this event includes more details to help pinpoint the problem on the key server. Run the testkeyserver command to determine whether the problem is fixed. The testkeyserver command either automatically fixes the error, or raises the event again.
- Check that the cluster certificate was accepted on the key server. For more information, search your product documentation for "Certificates that are used for key servers".
- Ensure that ISKLM supports the TLS version that is configured in the system (TLS 1.2 or TLS 1.3). A TLS version that the key server does not support can cause an SSL connection error.
- The key server reported that it is running an unsupported software version. Verify that you are using the correct key server and that the IP address, port address, and other characteristics are all correct. If not, use the chkeyserver command to change this information. The chkeyserver command automatically starts the validation process to confirm that the error is fixed, and either auto-fixes this event or raises it again.
- Verify that you are using a supported key server type and version. A list of supported key servers is provided in the documentation. The sense data of this event includes the version information reported by the key server.
- The minimum supported version of Key Management Interoperability Protocol (KMIP) is 1.3.
- The supported key server type is ISKLM only.
- The supported versions of ISKLM are 2.6.0.0 and later.
- Check that a service IP address is configured for all nodes in the cluster (IPv4 if you use IPv4 key servers, IPv6 if you use IPv6 key servers). If not, configure these IP addresses and run the testkeyserver command. If the testkeyserver command is successful, the event is automatically fixed.
- Confirm that all nodes in the cluster have their Ethernet cable plugged in correctly. If not, plug them in and run the testkeyserver command. If the testkeyserver command is successful, the event is automatically fixed.
- Confirm that the IP address and IP port of the key server object are correct. If not, change the key server details by using the chkeyserver command. The chkeyserver command automatically starts the validation process to confirm that the error is fixed, and either auto-fixes this event or raises it again.
- Confirm that any SSL certificates for the key server are valid. Certificates must have correct start and end dates and must be in the PEM format.
- Run the lskeyserver command to show the current status of the key servers. One of these servers has the primary field incorrectly set to yes.
- Determine which server should correctly be designated as primary. Do this on the server side by identifying the IP address and port that points to the real primary server. The primary server has the role of "MASTER" in the replication relationship in SKLM. For more information about this process, refer to your SKLM documentation. If the primary server in the lskeyserver command appears to be correct, contact your service support representative.
- Otherwise, run the following command:
chkeyserver -primary server_id
where server_id is the ID of the correct primary server.
- The chkeyserver command automatically validates the new primary key server.
To fix the event, complete one of the following actions:
- Manually mark the event as fixed by using the cheventlog -fix command
- Wait for the periodic validation of the old primary key server
- Manually validate the old server by using the testkeyserver command
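The certificate check in the user response above (PEM format, correct start and end dates) can be run on a workstation before a key server certificate is loaded. This is an added example, not part of the product documentation; it assumes OpenSSL and GNU date are available, and the function name check_keyserver_cert and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a key server certificate file.
# Assumes OpenSSL and GNU date; function name and return codes are hypothetical.

# check_keyserver_cert FILE [WARN_SECONDS]
# Returns 0 if FILE is a PEM X.509 certificate that is already valid and
# does not expire within WARN_SECONDS (default 0, meaning "not expired now").
# Returns 2 = not PEM, 3 = not yet valid, 4 = expired or expiring in window.
check_keyserver_cert() {
    cert=$1
    warn=${2:-0}

    # PEM is base64 text between BEGIN/END CERTIFICATE markers; DER is binary
    # and has no such marker, so it is rejected here.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! openssl x509 -inform PEM -in "$cert" -noout 2>/dev/null; then
        echo "$cert: not a PEM-encoded X.509 certificate" >&2
        return 2
    fi

    # Start date: notBefore must not lie in the future.
    not_before=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    start_epoch=$(date -u -d "$not_before" +%s) || return 1
    if [ "$start_epoch" -gt "$(date -u +%s)" ]; then
        echo "$cert: not valid until $not_before" >&2
        return 3
    fi

    # End date: -checkend exits non-zero if the certificate expires
    # within the given number of seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$warn" >/dev/null; then
        echo "$cert: $(openssl x509 -in "$cert" -noout -enddate) (expired or expiring)" >&2
        return 4
    fi
    return 0
}

# Run the check when a file name is given on the command line.
if [ $# -gt 0 ]; then
    check_keyserver_cert "$@"
fi
```

Passing a warning window such as 2592000 (30 days) as the second argument flags certificates that are still valid but close to their end date.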