Errors reported in IBM Security Guardium Key Lifecycle Manager

IBM Security Guardium Key Lifecycle Manager reports error messages that are returned in the drive sense data. The error messages are typically called fault symptom codes or FSCs and are stored in the IBM Security Guardium Key Lifecycle Manager audit log.

Table 1. Errors that are reported by IBM Security Guardium Key Lifecycle Manager
EE02
  Description: Encryption Read Message Failure, DriverErrorNotifyParameterError, Bad ASC & ASCQ received. The ASC and ASCQ do not match either the Key Creation/Key Translation or the Key Acquisition operation.
  Action: The tape drive requested an unsupported action.

EE0F
  Description: Encryption logic error, Internal error, Unexpected error, Internal programming error.

EE23
  Description: Encryption Read Message Failure: Internal error, Unexpected error.
  Action: The message received from the drive or proxy server cannot be parsed because of a general error.

EE25
  Description: Encryption Configuration Problem, Errors that are related to the drive table occurred.
  Action: Verify the contents of the IBM Security Guardium Key Lifecycle Manager drive table by using the key management panels on the IBM Security Guardium Key Lifecycle Manager graphical user interface, or by running the Device List REST Service to verify whether the drive is correctly configured. For example, verify that the drive serial number, alias, and certificates are correct.

EE29
  Description: Encryption Read Message Failure: Invalid signature
  Action: The message received from the drive or proxy server does not match the signature on it.

EE2B
  Description: Encryption Read Message Failure, Internal error, Either there is no signature in the DSK or the signature in the DSK cannot be verified.

EE2C
  Description: Encryption Read Message Failure, QueryDSKParameterError, Error parsing a QueryDSKMessage from a device. Unexpected dsk count or unexpected payload.
  Action: The tape drive requested an unsupported function.

EE2D
  Description: Encryption Read Message Failure, Invalid Message Type
  Action: The Guardium Key Lifecycle Manager server received a message out of sequence or received a message that it does not know how to handle.

EE2E
  Description: Encryption Read Message Failure, Internal error, Invalid signature type
  Action: The message received from the drive or proxy server does not have a valid signature type.

EE31
  Description: Encryption Configuration Problem, Errors that are related to the keystore occurred.
  Action: Check the key labels that you are trying to use or that are configured for the defaults. You can list the certificates that are available to IBM Security Guardium Key Lifecycle Manager by using the List Key REST Service. If you know that you are trying to use the defaults, then run the Device List REST Service on the Guardium Key Lifecycle Manager server to verify whether the drive is correctly configured (for example, the drive serial number and associated aliases/key labels are correct).

  If the drive has no associated aliases or key labels, check the values of the drive.default.alias1 and drive.default.alias2 table entries for the device group in the IBM Security Guardium Key Lifecycle Manager database. Use the Device Group Attribute List REST Service and Device Group Attribute Update REST Service to view and change the table value.

  Note: For DS5000 storage servers, IBM Security Guardium Key Lifecycle Manager erroneously returns an error code of EE31 when a key group runs out of keys and the stopRoundRobinKeyGrps property is enabled. The error can also occur for an LTO device group.

  The event is not a keystore error. To correct the problem, add more keys to the key group that is documented in the audit event.

EE32
  Description: IBM Security Guardium Key Lifecycle Manager was unable to locate the key that is requested for a read request by an LTO device.
  Action: Use the LTO management panel or List Key REST Service to verify the existence of the requested key.

EE34
  Description: The key group that is configured as the system default or is assigned as a device default has run out of keys. This error can also occur if:
  • A device requests a key that the device does not have permission to receive.
  • The requested key is assigned to a different device group. For example, an LTO device requests a key from a key group that is assigned to a user-defined LTO device group or to the DS5000 device family.
  Action: IBM Security Guardium Key Lifecycle Manager is configured to not reuse keys in key groups and one of the key groups has run out of keys. Use the LTO management panel to add more keys to this group.

EE35
  Description: This error can occur if you do not make a backup after keys or certificates are created. See the reference topic on the backup.keycert.before.serving property.
  Action: Back up newly created keys or certificates.

EEE1
  Description: Encryption logic error, Internal error, Unexpected error: EK/EEDK flags conflict with subpage.

EF01
  Description: Encryption Configuration Problem, Drive not configured.
  Action: The drive that is trying to communicate with the Guardium Key Lifecycle Manager server is not present in the drive table. Run the Device List REST Service to check whether the drive is in the list. If not, configure the drive manually by using the Device Add REST Service with the correct drive information or set the device.AutoPendingAutoDiscovery attribute to an appropriate value by using the Device Group Attribute Update REST Service.