Known issues and limitations

This topic lists some of the known issues and limitations of Crypto Express Network API for Secure Execution Enclaves.

  1. Status code 409 during image installation

    Before you install the downloaded image, check the integrity of the downloaded image by following these instructions, or you might see the following error message:

    "msg": "Unexpected HTTP status code 409 (expected 202) with reason code 0 from SSC API PUT https://192.168.70.101/api/com.ibm.zaci.system/sw-appliances/select. Message: /dev/sda1 not found"

  2. Crypto Express Network API for Secure Execution Enclaves monitoring service doesn't work.

    After configuring Crypto Express Network API for Secure Execution Enclaves monitoring service via /api/com.ibm.crypto/camonitor:POST, it's possible that the monitoring service doesn't work and you might see error messages from the configured Rsyslog server. You must ensure that you have opened port 9100 for the monitoring service. You can check whether the monitoring service has started successfully by running the following command:

    curl -k -u ${username}:${password} https://<server-ip>:9100/metrics

  3. Device busy error message in the logs.

    You might find zcryptstats: File '/dev/chsc:' Device or resource busy in the logs. This is expected, and will be automatically resolved.

    As the monitoring service requires access to the Hardware Security Module (HSM) card to gather information such as utilization rate, time out issues or device busy issues might occur in the monitoring log due to device I/O, especially when there is a heavy workload on the HSM device.

  4. The grep11-server stops service during the start-up phase.

    The grep11-server might stop service during start-up when calling m_add_module, which is expected. Such issue might occur in the following situations:

    • The client is not authorized, and the following error message is seen:
      [c16client][error] C16ClientStub::DoRequest: Failed with error: 16: Current client [ ipv4:9.30.108.227:36628 ] hasn't been authorized to access [ 01.0046 ] in crypto service, please request administrator to authorize the client firstly.
    • The server is not reachable.
    • The server is not ready for service.
    • Certificates verification failure between the server and client.

    Recommended solutions:

    • Ensure that the client certificate is bound with a specific domain by following these instructions
    • Ensure that the network between the client and server is reachable, and the server IP address is correctly configured in the client configuration file.
    • Ensure that the server is correctly configured and is already in service by following these instructions
    • Ensure that the certificates of the client and server are generated correctly by following these instructions

    After you check all the steps mentioned above, you must reboot the grep11-server.