4 Troubleshooting
This section contains information on issues you may come across when setting up or using UniCERT with MyID.
-
Invalid certificate policy for archival
If you have not set up your certificate policies with data encipherment and/or key encipherment, and attempt to archive certificates, the MyID log events may contain an error similar to:
<Error>
<Code>-2147195611</Code>
<Function>DoCertRequest</Function>
<Message>Failure in UPI during certificate request submission Error generating the key pair for keyproperties with index com.cybertrust.unicert.upi.client.UPIException: Error generating the key pair for keyproperties with index:0 at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147) Caused by: java.lang.IllegalArgumentException: Policies with archival required must specify an encipherment key usage. ... 2 more
</Message>
<StackTrace>com.cybertrust.unicert.upi.client.UPIException: Error generating the key pair for keyproperties with index:0 at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147) Caused by: java.lang.IllegalArgumentException: Policies with archival required must specify an encipherment key usage. ... 2 more
</StackTrace>
</Error>
Make sure your certificate policies have been set up correctly.
-
KAS not available
If you do not have the optional KAS UniCERT module, and attempt to issue archived certificates, an error similar to the following appears:
<Error>
<Code>-2147195611</Code>
<Function>DoCertRequest</Function>
<Message>Failure in UPI during certificate request submission No KAS certificate was found during the encryption/decryption operation. com.cybertrust.unicert.upi.client.ConfigurationException: upi.config.kascert.missing at com.cybertrust.unicert.upi.client.CertificateRequestForm.addPrivateKeyForArchive(Unknown Source) at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147)
</Message>
<StackTrace>com.cybertrust.unicert.upi.client.ConfigurationException: upi.config.kascert.missing at com.cybertrust.unicert.upi.client.CertificateRequestForm.addPrivateKeyForArchive(Unknown Source) at com.cybertrust.unicert.upi.client.SoftwareEEIdentity.generateKeyPair(Unknown Source) at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:147)
</StackTrace>
</Error>
-
I/O error on SSL communications
If the SSL chain is not trusted (that is, it has not been added to the Java cacerts/trusted certs store), or if the end RRO certificate is ECC-based, an I/O error similar to the following appears:
<Error>
<Code>-2147195610</Code>
<Function>DownloadPolicies</Function>
<Message>UPIException An Input/Output error has occurred whilst performing the current operation. com.cybertrust.unicert.upi.client.UPIException: An Input/Output error has occurred whilst performing the current operation.</Message>
</Error>
-
Error when the HSM seeding configuration file is not found
If MyID cannot locate the HSM seeding configuration file (for example, if you have mistyped the location in the Cfg File Path field – see section 3.1.1, Using an HSM for key generation seeding), an error similar to the following appears:
Failure in UPI during certificate request submission java.security.InvalidParameterException: Error configuring SunPKCS11 provider
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:117)
at com.intercede.cybertrust.CertRequester.loadHWProvider(CertRequester.java:1171)
at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:180)
Caused by: java.io.FileNotFoundException: c:\logs\pkcs11.cfg (The system cannot find the file specified)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:206)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
... 2 more
-
Error when the JCryptoki.dll and keytoolspkcs11utils_57u.dll files cannot be found
If you have not copied the JCryptoki.dll and keytoolspkcs11utils_57u.dll files as specified in section 3.1.1, Using an HSM for key generation seeding, an error similar to the following appears:
2019-07-24 08:33:23.068 [7488.3924] UniCERTUPI Connector::CheckJniException - Exception string: com.cybertrust.unicert.upi.client.UPIException: <Error><Code>-2147195611</Code><Function>DoCertRequest</Function><Message>Failure in UPI during certificate request submission An general PKCS#11 error occurred. com.cybertrust.unicert.upi.client.SmartcardException: upi.pkcs11.general
at com.cybertrust.unicert.upi.client.Reader.<init>(Reader.java:53)
at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:187)
Caused by: com.baltimore.pkcs11.exception.PKCS11Exception: JCryptoki exception occurred: The JCryptoki JNI library (JCryptoki) was not found
at com.baltimore.pkcs11.exception.PKCS11Exception.getTypedException(PKCS11Exception.java:279)
... 2 more
</Message><StackTrace>com.cybertrust.unicert.upi.client.SmartcardException: upi.pkcs11.general
at com.cybertrust.unicert.upi.client.Reader.<init>(Reader.java:53)
at com.intercede.cybertrust.CertRequester.DoCertRequest(CertRequester.java:187)
Caused by: com.baltimore.pkcs11.exception.PKCS11Exception: JCryptoki exception occurred: The JCryptoki JNI library (JCryptoki) was not found
at com.baltimore.pkcs11.exception.PKCS11Exception.getTypedException(PKCS11Exception.java:279)
... 2 more
</StackTrace></Error>
-
Certificates take a long time to issue
If you are using an HSM for seeding, the combination of using an external CA and an external HSM may increase the time taken to issue a certificate significantly. You may want to increase the Certificate Refresh Threshold option (on the Certificates page of the Operation Settings workflow) to a larger value; for example, 120 seconds.
-
Error when the CA Path or Service Point is incorrect
If there is a mistake in the CA Path or Service Point setting for the CA, you may see an error similar to:
java.io.FileNotFoundException: http://iot-secure-poc.verizon.com:80/icaupi-beta/servlet/WebRAOServlet/servlet/GetPolicyList
Make sure that the settings in the Certificate Authorities workflow are correct, and try again.
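As an added example (not part of the MyID or UniCERT documentation, and not Intercede's code), the following Python script classifies the UPI error blocks shown in this section so that the documented cause can be looked up automatically from a MyID log extract. The sample error texts are constructed, condensed copies of the messages above; the issue identifiers and the parse_upi_error and triage functions are assumptions made for this example. It uses regular expressions rather than an XML parser because the Java stack traces embed <init> inside <Message>, which is not well-formed XML.

```python
"""Classify UniCERT UPI error blocks from a MyID log against the documented causes.

Added example: not MyID/UniCERT code. Issue identifiers, function names and the
condensed sample texts below are constructed for illustration.
"""
import re

# (issue id, regex matched against the <Message> text or the raw trace, documented cause)
KNOWN_ISSUES = [
    ("archival_policy_key_usage",
     r"Policies with archival required must specify an encipherment key usage",
     "Certificate policy used for archival lacks data/key encipherment key usage"),
    ("kas_missing",
     r"upi\.config\.kascert\.missing",
     "Optional KAS UniCERT module not available while issuing archived certificates"),
    ("ssl_io_error",
     r"An Input/Output error has occurred",
     "SSL chain not trusted (not in Java cacerts), or end RRO certificate is ECC-based"),
    ("pkcs11_cfg_not_found",
     r"Error configuring SunPKCS11 provider.*?FileNotFoundException: (?P<path>\S+)",
     "HSM seeding configuration file not found; check the Cfg File Path field"),
    ("jcryptoki_missing",
     r"The JCryptoki JNI library \(JCryptoki\) was not found",
     "JCryptoki.dll / keytoolspkcs11utils_57u.dll not copied into place"),
    ("ca_path_wrong",
     r"FileNotFoundException: (?P<url>https?://\S+?/GetPolicyList)",
     "CA Path or Service Point setting is incorrect"),
]

# Java traces embed "<init>" inside <Message>, so the block is not well-formed
# XML; plain regexes over the three fields are more robust than an XML parser.
FIELD_RE = {tag: re.compile(rf"<{tag}>(.*?)</{tag}>", re.S)
            for tag in ("Code", "Function", "Message")}


def parse_upi_error(text):
    """Extract Code, Function and Message from a UPI <Error> block, if present."""
    fields = {}
    for tag, rx in FIELD_RE.items():
        m = rx.search(text)
        fields[tag.lower()] = m.group(1).strip() if m else None
    if fields["code"] is not None:
        fields["code"] = int(fields["code"])  # e.g. -2147195611
    fields["raw"] = text
    return fields


def triage(text):
    """Map one error text to a documented issue; 'unknown' if nothing matches."""
    err = parse_upi_error(text)
    # Errors without the XML wrapper (plain stack traces) are matched on the raw text.
    haystack = err["message"] if err["message"] else err["raw"]
    for issue, pattern, cause in KNOWN_ISSUES:
        m = re.search(pattern, haystack, re.S)
        if m:
            return {"issue": issue, "cause": cause, "code": err["code"],
                    "function": err["function"], "detail": m.groupdict()}
    return {"issue": "unknown", "cause": None, "code": err["code"],
            "function": err["function"], "detail": {}}


# Constructed samples: condensed from the error texts in this troubleshooting section.
SAMPLES = {
    "archival": "<Error><Code>-2147195611</Code><Function>DoCertRequest</Function>"
                "<Message>Failure in UPI during certificate request submission "
                "Caused by: java.lang.IllegalArgumentException: Policies with archival "
                "required must specify an encipherment key usage.</Message></Error>",
    "kas": "<Error><Code>-2147195611</Code><Function>DoCertRequest</Function>"
           "<Message>No KAS certificate was found during the encryption/decryption "
           "operation. com.cybertrust.unicert.upi.client.ConfigurationException: "
           "upi.config.kascert.missing</Message></Error>",
    "ssl": "<Error><Code>-2147195610</Code><Function>DownloadPolicies</Function>"
           "<Message>UPIException An Input/Output error has occurred whilst "
           "performing the current operation.</Message></Error>",
    "pkcs11cfg": "java.security.InvalidParameterException: Error configuring SunPKCS11 provider\n"
                 "at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:117)\n"
                 "Caused by: java.io.FileNotFoundException: c:\\logs\\pkcs11.cfg "
                 "(The system cannot find the file specified)",
    "jcryptoki": "<Error><Code>-2147195611</Code><Function>DoCertRequest</Function>"
                 "<Message>An general PKCS#11 error occurred.\n"
                 "at com.cybertrust.unicert.upi.client.Reader.<init>(Reader.java:53)\n"
                 "Caused by: com.baltimore.pkcs11.exception.PKCS11Exception: JCryptoki "
                 "exception occurred: The JCryptoki JNI library (JCryptoki) was not found"
                 "</Message></Error>",
    "capath": "java.io.FileNotFoundException: http://iot-secure-poc.verizon.com:80/"
              "icaupi-beta/servlet/WebRAOServlet/servlet/GetPolicyList",
}


def triage_all(samples):
    """Return {sample name: issue id} for a batch of error texts."""
    return {name: triage(text)["issue"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print(f"{name:10} -> {r['issue']} (code={r['code']}, fn={r['function']}) {r['detail']}")
```

Run the script as-is to see the classification of each sample; to use it on a real log, pass each <Error> block (or stack trace) extracted from the MyID log to triage(). The detail dictionary carries the path or URL that the trace names, which is usually the first thing to verify against the Certificate Authorities workflow settings.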