4.1 Troubleshooting error messages
-
CA reporting error -142
This error, which presents as "INI file mismatch", may be caused by DNS lookup problems. Make sure that all servers have fully resolvable addresses and do not have DNS issues.
-
CA reporting error -162
You must make sure that the FIPS value in the entrust.ini file is set to 0. Failure to do this will usually result in an Entrust error = -162 being reported when you try to test the connection.
-
CA reporting error -2187
This error may be caused by incorrect mapping in the certificate attributes; for example, if you have mapped the FASC-N attribute to FASC-N (ASCII) instead of FASC-N (Hex).
-
CA reporting error -2921
This CA error – THE SIGNING/ENCRYPTION EXPIRATION DATE EXCEEDS THE LONGEST ALLOWED CERTIFICATE LIFETIME – may occur if you have configured MyID to request a date that the CA cannot honor; that is, the CA's own certificate expires before the user certificate end date that you have requested.
If you see an error with this code, you must reduce the credential profile or certificate lifetime to within a range that your CA can support. See your CA administrator for details of your CA's limits.
-
CA reporting error "The variable Interim Indicator: (interim indicator) does not have a value defined."
If you are working in a PIV environment, and your CA reports an error similar to:
The variable Interim Indicator: (interim indicator) does not have a value defined.
you may need to update your certspec to remove the rule for interim_indicator.
This error may also be caused (on a customized MyID system that passes Entrust user roles to the CA when requesting a certificate) by a mismatch between the user roles listed on the MyID system and in the Entrust CA. Make sure that the lists on the CA match the lists in MyID. Check the Entrust logs for more information on what might be causing this error.
-
CA reporting error -32712
This CA error – GIVEN TIME VALUE IS NOT VALID – relates to invalid time values; these have previously occurred where the epoch calculation overflowed. If you see an error with this code, contact Intercede customer support, providing as much logging detail as possible.
-
CA reporting error -01055
This CA error – UNABLE TO LOCK THE PROFILE FOR UPDATING – relates to problems loading the Entrust EPF. If you see this error in your Entrust logs, try giving the MyID COM+ user local administrator privileges.
-
CA reporting error "Elliptic Curve keys (EC keys) are not supported by the CardMS API (168005)"
You have attempted to issue certificates using ECC keys and escrow; the Entrust Authority Security Toolkit for the Java Platform (ETJava) version 9 does not support ECC keys for escrow.
-
MyID reporting "Card Server Error During Process"
After upgrading MyID, if you see an error similar to:
Card Server Error During Process
when attempting to issue a certificate, with details similar to:
BOL COM catch handler Function : ProcessAPDUCommand, catch handler. Error : Unspecified error
An error occurred inside PivCardServer::ProcessCommand
Error: 0x80004005 Unspecified error
Unable to locate java method GetArchCert
Unable to locate java method GetArchCert
-------------------------
Exception raised in function: JavaEnvironment::GetMethodID
In file JavaEnvironment.cpp at line 132
-------------------------
Exception raised in function: JavaAccessor::getArchivedCertificate
In file JavaAccessor.cpp at line 67
In object EntrustJTKConnector.KeyStore.1
this may have been caused by an issue during the upgrade installation process that prevented the EntrustJTKConnector.jar file from being replaced. As a workaround, you can copy the EntrustJTKConnector.jar file from another system, or you can raise a support case with Intercede to identify the cause – to do so, you must provide the TestReports folder from the MyID Installation Assistant and quote reference SUP-376.
-
The JASTK credential does not have the Admin Services User Management certificate type
If you see an error similar to:
INFO: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkXap.XAP.1003) A required policy oid is missing from the certificate. The XAP Server profile and the client profile should be created with the correct certificate types. The missing oid was 2.16.840.1.114027.10.4
This may be caused by the JASTK credential not having the Admin Services User Management certificate type.
Note: If you are using an HSM, this issue may present as an error similar to:
Aug 15, 2024 1:35:06 PM com.intercede.pki.entrust.jastk.Utility getHSMProfileReader
INFO: Found SerialNumber (1393032467824) Slot (0) SlotID (3)
Aug 15, 2024 1:35:11 PM com.intercede.pki.entrust.jastk.Utility getThrowable
WARNING: Root com.entrust.toolkit.exceptions.UserFatalException: The 'Keys' section has been tampered
-
Defining an extension for a policy that is not configured for the policy type
If you see errors similar to:
Sept 02, 2024 3:25:47 PM com.intercede.pki.entrust.jastk.CertificateRequest submit
WARNING: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.3008) Unable to modify the properties of user cn=Alise Rice,ou=Department of Education,ou=PIV,dc=domain25,dc=local. Caused by: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.1046) The variable id_vettingdate_var is not a valid variable for the certificate type ent_desktop.
Sept 02, 2024 3:25:47 PM com.intercede.pki.entrust.jastk.Utility getStackTrace
INFO: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.3008) Unable to modify the properties of user cn=Alise Rice,ou=Department of Education,ou=PIV,dc=domain25,dc=local. Caused by: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.1046) The variable id_vettingdate_var is not a valid variable for the certificate type ent_desktop.
This may be caused by defining an extension for a certificate policy that is not configured for the policy type. Make sure that you have defined the correct extensions for the policy.
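The two XAPException signatures above (the missing policy OID and the extension variable that is not valid for the certificate type) can be pulled out of a JASTK log automatically, including the case where the same error is logged twice. The following Python sketch is an added example, not Intercede or Entrust code; the sample log is constructed from the messages shown on this page with a placeholder user DN, and the function and field names are assumptions.

```python
import re

# Constructed sample in the two-line java.util.logging layout shown on this
# page (header line, then "LEVEL: message"); the user DN is a placeholder.
SAMPLE_LOG = """\
Sept 02, 2024 3:25:47 PM com.intercede.pki.entrust.jastk.CertificateRequest submit
WARNING: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.3008) Unable to modify the properties of user cn=Example User,ou=PIV,dc=example,dc=local. Caused by: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.1046) The variable id_vettingdate_var is not a valid variable for the certificate type ent_desktop.
Sept 02, 2024 3:25:47 PM com.intercede.pki.entrust.jastk.Utility getStackTrace
INFO: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.3008) Unable to modify the properties of user cn=Example User,ou=PIV,dc=example,dc=local. Caused by: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkApi.main.1046) The variable id_vettingdate_var is not a valid variable for the certificate type ent_desktop.
Sept 02, 2024 3:26:10 PM com.intercede.pki.entrust.jastk.Utility getStackTrace
INFO: com.entrust.adminservices.toolkit.internal.xap.XAPException: (AtkXap.XAP.1003) A required policy oid is missing from the certificate. The missing oid was 2.16.840.1.114027.10.4
"""

HEADER = re.compile(r"^\w+ \d{1,2}, \d{4} [\d:]+ [AP]M (?P<cls>\S+) (?P<method>\S+)$")
MESSAGE = re.compile(r"^(?P<level>[A-Z]+): (?P<text>.*)$")
XAP_CODE = re.compile(r"\((Atk\w+\.\w+\.\d+)\)")
BAD_VARIABLE = re.compile(
    r"The variable (\S+) is not a valid variable for the certificate type (\w+)")
MISSING_OID = re.compile(r"The missing oid was ([\d.]+\d)")

def triage(log_text):
    """Return one finding per distinct XAPException, with every place it was logged."""
    findings, source = {}, None
    for line in log_text.splitlines():
        if (h := HEADER.match(line)):
            # Remember which class.method logged the message on the next line.
            source = f"{h['cls'].rsplit('.', 1)[-1]}.{h['method']}"
            continue
        m = MESSAGE.match(line)
        if not m or "XAPException" not in m["text"]:
            continue
        # Codes appear outermost first; the last one is the root cause.
        codes = tuple(XAP_CODE.findall(m["text"]))
        if (v := BAD_VARIABLE.search(m["text"])):
            detail = ("variable not valid for certificate type",) + v.groups()
        elif (o := MISSING_OID.search(m["text"])):
            detail = ("required policy OID missing", o.group(1))
        else:
            detail = ("unclassified",)
        # The same error is often logged at WARNING and again at INFO: merge them.
        entry = findings.setdefault(
            (codes, detail), {"codes": codes, "detail": detail, "sources": []})
        entry["sources"].append(f"{m['level']} {source}")
    return list(findings.values())

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The last code in each finding is the root cause; the extracted variable and certificate type, or the missing OID, identify which policy extension or JASTK credential certificate type to check on the CA.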