Encryption events
The following table lists the events that are created for the Encryption component.
| Event | Event Type |
Severity | Call Home | Details |
|---|---|---|---|---|
| encryption_configured | INFO_ADD_ENTITY | INFO | no | Message: New encryption provider for {id} is configured. |
| Description: A new encryption provider is configured. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| encryption_removed | INFO_DELETE_ENTITY | INFO | no | Message: An encryption provider for {id} is removed. |
| Description: An encryption provider is removed. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkmconf_backend_err | STATE_CHANGE | ERROR | no | Message: RKM backend server {0} returned an unrecoverable error {1}. |
| Description: The RKM backend server failed. | ||||
| Cause: The RKM backend server encountered an unrecoverable error. | ||||
| User Action: Ensure that the specification of the backend key management server in the RKM instance is correct and the key server is running on the specified host. The event can be manually cleared by using the mmhealth event resolve rkmconf_backend_err <event id> command. | ||||
| rkmconf_backenddown_err | STATE_CHANGE | ERROR | no | Message: The RKM backend server {0} cannot be reached. |
| Description: The RKM backend server cannot be reached. | ||||
| Cause: The RKM backend server is down or unreachable. | ||||
| User Action: Ensure that the specification of the backend key management server in the RKM instance is correct and the key server is running on the specified host. The event can be manually cleared by using the mmhealth event resolve rkmconf_backenddown_err <event id> command. | ||||
| rkmconf_certexp_err | STATE_CHANGE | ERROR | no | Message: Key server certificate error: {0} |
| Description: The RKM client or server certificate expired. | ||||
| Cause: The client or server certificate for the key server expired. | ||||
| User Action: Follow the documented procedure to update the key server and/or RKM configuration with a new client or server certificate. The event can be manually cleared by using the mmhealth event resolve rkmconf_certexp_err command. | ||||
| rkmconf_certexp_ok | STATE_CHANGE | INFO | no | Message: No expired certificates are encountered. |
| Description: Certificates that are related to RKM backend configuration are valid. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkmconf_certexp_warn | TIP | TIP | no | Message: Key server certificate warning: {0} |
| Description: The RKM client or server certificate can expire soon. | ||||
| Cause: The client or server certificate for the key server approaches its expiration time. | ||||
| User Action: Follow the documented procedure to update the key server and/or RKM configuration with a new client or server certificate. The event can be manually cleared by using the mmhealth event resolve rkmconf_ccertexp_warn command. | ||||
| rkmconf_certwarn_ok | STATE_CHANGE | INFO | no | Message: No certificates that are approaching the expiration time are encountered. |
| Description: Certificates that are related to RKM backend configuration are valid. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkmconf_configuration_err | STATE_CHANGE | ERROR | no | Message: RKM configuration error: {0} |
| Description: The content of the RKM configuration file cannot be parsed correctly. | ||||
| Cause: The RKM configuration file contains incorrect data. | ||||
| User Action: Ensure that the content of the RKM configuration file conforms with the documented format (regular setup), or that the arguments that are provided to the mmkeyserv command conform to the documentation (simplified setup). The event can be manually cleared by using the mmhealth event resolve rkmconf_configuration_err command. | ||||
| rkmconf_enckey_ok | STATE_CHANGE | INFO | no | Message: Event for {id} is marked as resolved. |
| Description: The RKM backend configuration for encryption key retrieval is working correctly. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkmconf_filenotfound_err | STATE_CHANGE | ERROR | no | Message: The mmfsd daemon is not able to read the RKM configuration file. |
| Description: Cannot read the RKM configuration file. | ||||
| Cause: The file does not exist or its content is not valid. | ||||
| User Action: Check that either the '/var/mmfs/etc/RKM.conf' exists (regular setup only), or the file system encryption was enabled by using the simplified setup. The event can be manually cleared by using the mmhealth event resolve rkmconf_filenotfound_err command. | ||||
| rkmconf_fileopen_err | STATE_CHANGE | ERROR | no | Message: Cannot open RKM configuration file for reading {0}. |
| Description: Cannot open the RKM configuration file for reading. | ||||
| Cause: The RKM configuration file exists but cannot be opened for reading. | ||||
| User Action: Check that, as root, you can open the RKM configuration file with a text editor. The event can be manually cleared by using the mmhealth event resolve rkmconf_fileopen_err command. | ||||
| rkmconf_fileread_err | STATE_CHANGE | ERROR | no | Message: Cannot read RKM configuration file {0}. |
| Description: Cannot read the RKM configuration file. | ||||
| Cause: The content of the RKM configuration file might be corrupted. | ||||
| User Action: Check that, as root, you can open the RKM configuration file with a text editor. The event can be manually cleared by using the mmhealth event resolve rkmconf_fileread_err command. | ||||
| rkmconf_getkey_err | STATE_CHANGE | ERROR | no | Message: MEK {0} is not available from RKM backend server {1}. |
| Description: Cannot get key from RKM backend server. | ||||
| Cause: Failed to retrieve the MEK from the RKM backend servers. | ||||
| User Action: Ensure that the MEK specified by the UUID provided is available from the RKM specified by using the mmkeyserv key show command. The event can be manually cleared by using the mmhealth event resolve rkmconf_getkey_err <event id> command. | ||||
| rkmconf_instance_err | STATE_CHANGE | ERROR | no | Message: RKM instance error: {0} |
| Description: RKM instance configuration error. | ||||
| Cause: The RKM instance configuration is not correct. One of the attributes is not valid or out of range. | ||||
| User Action: Ensure that the definition of the RKM instance is correct and its attributes conform to their defined format. The event can be manually cleared by using the mmhealth event resolve rkmconf_instance_err command. | ||||
| rkmconf_keystore_err | STATE_CHANGE | ERROR | no | Message: Keystore file error: {0} |
| Description: Keystore file error. | ||||
| Cause: The keystore file for the key management server is not accessible or its content is not valid, or the ownership and/or permissions are too permissive. | ||||
| User Action: Ensure that the content of the keystore file conforms with the documented format and that only root can read and write the file. The event can be manually cleared by using the mmhealth event resolve rkmconf_keystore_err command. | ||||
| rkmconf_ok | STATE_CHANGE | INFO | no | Message: The RKM backend configuration is correct and working as expected. |
| Description: The RKM backend configuration is working correctly. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkmconf_permission_err | STATE_CHANGE | ERROR | no | Message: Incorrect ownership and/or file system permissions for RKM configuration file {0}. |
| Description: The RKM configuration file has incorrect file system permissions. | ||||
| Cause: The RKM configuration file was created with incorrect file system permissions. | ||||
| User Action: Check that the RKM.conf file is owned by root:root, and has read and write permission for owner only. The event can be manually cleared by using the mmhealth event resolve rkmconf_permission_err command. | ||||
 rkm_no_access |
STATE_CHANGE |
ERROR |
no |
Message: Access Failed: {id}. |
| Description: Access Failed. | ||||
| Cause: Access Failed. | ||||
| User Action: Verify that the given client is authorized to access the keys from this keyserver. | ||||
| rkm_duplicate |
STATE_CHANGE |
ERROR |
no |
Message: RKM.conf contains duplicate RKM IDs {id}. |
| Description: RKM.conf contains duplicate RKM IDs. | ||||
| Cause: RKM.conf contains duplicate RKM IDs. | ||||
| User Action: Verify that the rkmid is unique in all the stanzas in all the RKM.conf
files. |
||||
| rkm_cert_expired | STATE_CHANGE | ERROR | no | Message: Key server certificate error: {id}. |
| Description: The RKM client or server certificate expired. | ||||
| Cause: The client or server certificate for the key server expired. | ||||
| User Action: Follow the documented procedure to update the key server and/or RKM configuration with a new client or server certificate. | ||||
| rkm_keyring |
STATE_CHANGE |
ERROR |
no |
Message: Could not open keyring file: {id}. |
| Description: The RKM client is not able to open the keyring file. | ||||
| Cause: The RKM client is not able to open the keyring file. | ||||
| User Action: Ensure that the content of the keystore file conforms with the documented format and that only root can read and write the file. | ||||
| rkm_ok |
STATE_CHANGE |
FAILED |
no |
Message: All checks are OK for {id}. |
| Description: RKM.conf setup is OK. | ||||
| Cause: N/A | ||||
| User Action: N/A | ||||
| rkm_no_label |
STATE_CHANGE |
FAILED |
no |
Message: Key Label not found: {id}. |
| Description: Key Label not found. | ||||
| Cause: Key Label not found. | ||||
| User Action: Verify that a key with the specified label exists in the client keystore. | ||||
| rkm_passphrase |
STATE_CHANGE |
ERROR |
no |
Message: Incorrect passphrase: {id}. |
| Description: Incorrect passphrase. | ||||
| Cause: Incorrect passphrase. | ||||
| User Action: Verify that the passphrase for the client keystore is correct. | ||||
| rkm_warn |
INFO |
WARNING |
no |
Message: Command to retrieve the encryption status did time out. |
| Description: Encryption status data is not available now. | ||||
| Cause: The /usr/lpp/mmfs/bin/tskeyservmon testkeyserver all -Y command does not return data in the allotted time. | ||||
| User Action: Check the RKM config and the output of the /usr/lpp/mmfs/bin/tskeyservmon testkeyserver all command. |