4 Troubleshooting
-
Error when HSM is not available
If you attempt to activate a card at a time when the HSM is not available (for example, due to network problems) you may see an error similar to the following:
Applet Error
Command could not be processed
The Open Platform keys for this card are missing or incorrect. These need to be corrected before issuance can continue.
-2147195391
CEdeficeBOLException catch handler
Function : ProcessAPDUCommand, catch handler. Error :
Error: 0x80046601 : An Error occurred processing APDU commands for the target Device
Info: Error performing ProtectedKey Crypto operation
Failure in ProtKeyCrypto Failure in external CryptoProvider module 0x80092004 Caught exception in CLUNAKeyServer::ProtKeyCrypto
Error: 0x80092004 : Cannot find object or property.
Info: Persisted key could not be found
-------------------------
Exception raised in function: AbstractKeys:: P11SymmetricKey::FindPersistedKey
In file .\abstractkeys\P11SymmetricKey.cpp at line 351
-------------------------
Exception raised in file .\ComFunctionObjects.cpp at line 928
If you experience this problem, contact Intercede customer support, quoting reference SUP-18.
-
Key server fails to start in HA mode when password is not cached
On some MyID systems that were upgraded from MyID 8.0 and use an HSM in HA (cluster) mode, the Key Server may fail to start when the partition PIN is not stored in the registry, with a message similar to:
Error in eKeySrv.SetKey
For more information, contact customer support, quoting reference SUP-174.
-
HSM Firmware 6.2.1 'small data encryption' problem
A known issue exists in the HSM firmware version 6.2.1 that prevents certain operations involving 3DES/2DES/DES keys from succeeding. AES keys are unaffected by this problem.
If you are running HSM firmware version 6.2.1, you may experience errors in MyID when 3DES/2DES/DES keys are used.
When this problem occurs, the MyID workflow fails, and errors containing the following text are logged in the MyID system events:
Error: 0x00000030 : Device error
Info: Error Encrypting Data
or:
Error: 0x00000030 : Device error
Info: Error Decrypting Data
For HSM client software version 5.2 onwards, you can work around this problem by editing the crystoki.ini file.
Installations of HSM client software version 5.4.1 already have this workaround applied.
To apply the workaround:
- Edit the crystoki.ini file that is contained in the HSM installation on the MyID application server. Note that if multiple copies of crystoki.ini exist, you must apply the change to all copies.
- In the [Misc] section of crystoki.ini, ensure the setting PE1746Enabled=0 is present.
- Reboot the MyID application server after the setting is changed.
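One way to confirm that every copy of crystoki.ini carries the workaround, as an added example (not Intercede or HSM vendor code). The function names and the sample file contents are constructed for illustration; because this page does not say how the client treats duplicate or commented-out entries, the check is deliberately strict about both.

```python
import re
import sys
from pathlib import Path

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING = re.compile(r"^(\s*PE1746Enabled\s*=\s*)([^;\s]*)(.*)$", re.IGNORECASE)

# Constructed sample (CRLF line endings, placeholder library path).
SAMPLE = "[Chrystoki2]\r\nLibNT=C:\\example\\cryptoki.dll\r\n\r\n[Misc]\r\nPE1746Enabled=1\r\n"

def _scan(lines):
    """Yield (index, current section in lower case, setting match or None)."""
    section = None
    for i, line in enumerate(lines):
        head = SECTION.match(line)
        if head:
            section = head.group(1).strip().lower()
        yield i, section, (None if head else SETTING.match(line))

def workaround_status(ini_text):
    """Return 'applied', 'wrong-value', 'missing-setting' or 'missing-section'."""
    rows = list(_scan(ini_text.splitlines()))
    if not any(sec == "misc" for _, sec, _ in rows):
        return "missing-section"
    values = [m.group(2) for _, sec, m in rows if sec == "misc" and m]
    if not values:
        return "missing-setting"  # also covers a commented-out entry
    # Strict assumption: every duplicate entry in [Misc] must be 0.
    return "applied" if all(v == "0" for v in values) else "wrong-value"

def apply_workaround(ini_text):
    """Return the text with PE1746Enabled=0 in [Misc]; other lines are kept."""
    eol = "\r\n" if "\r\n" in ini_text else "\n"
    lines = ini_text.splitlines()
    rows = list(_scan(lines))
    hits = [(i, m) for i, sec, m in rows if sec == "misc" and m]
    for i, m in hits:  # rewrite existing entries in place
        lines[i] = m.group(1) + "0" + m.group(3)
    if not hits:
        header = next((i for i, sec, _ in rows if sec == "misc"), None)
        if header is None:
            lines += ["[Misc]", "PE1746Enabled=0"]
        else:
            lines.insert(header + 1, "PE1746Enabled=0")
    return eol.join(lines) + eol

def audit_copies(paths):
    """Map each crystoki.ini path to its status so no copy is overlooked."""
    return {str(p): workaround_status(Path(p).read_text(errors="replace")) for p in paths}

if __name__ == "__main__":
    for path, status in audit_copies(sys.argv[1:]).items():
        print(f"{status:16} {path}")
```

Pass the path of each crystoki.ini copy on the command line; any status other than `applied` means that copy still needs the edit, followed by the reboot described above.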
Example crystoki.ini file with the workaround applied:
-
-
Error 890493 when issuing a card
An issue has been observed when recovering end-user archived certificates that were issued and archived by the Microsoft CA. It occurs where the KRA certificate uses the SafeNet CSP and a LUNA T-Series HSM with firmware v7.11 is running in FIPS mode.
An error similar to the following appears:
Unable to perform the requested operation
A problem occurred attempting to process your selection.
Please contact your administrator.
Error Number: 890493
In this situation, you are recommended to use the SafeNet KSP rather than the SafeNet CSP.