000015381 - WebSphere fails to restart with no errors in SystemOut.log but shows KMS failing right before loading Luna libraries

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000015381

Applies To:
RSA Data Protection Manager 3.0.0.2
SafeNet Luna HSM
IBM WebSphere 7.0.0.15 with Virtual Enterprise 6.1.1.3
Linux (32-bit)

Issue:
WebSphere fails to restart with no errors in SystemOut.log but shows KMS failing right before loading Luna libraries.
The same WebSphere instance was working fine earlier with DPM, and no recent changes were made in the environment.
If KMS.war (DPM Server) is undeployed, then WebSphere starts up fine.
When WebSphere fails to start up, the last few lines in SystemOut.log (and there is no key-manager.log) are as follows:

[4/5/12 13:44:20:689 EDT] 00000022 DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Provider 12
[4/5/12 13:44:20:691 EDT] 00000022 DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, IBMCMSProvider, Version: 1.2
[4/5/12 13:44:20:693 EDT] 00000022 DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Java 2 Implementation of CMS Key Databases

A working environment, by contrast, keeps logging past the point where the failing instance stalls, for example:

[4/5/12 13:15:08:221 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Provider 12
[4/5/12 13:15:08:222 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, IBMCMSProvider, Version: 1.2
[4/5/12 13:15:08:223 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Java 2 Implementation of CMS Key Databases
[4/5/12 13:15:08:224 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Provider 13
[4/5/12 13:15:08:225 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, LunaJCEProvider, Version: 1.0
[4/5/12 13:15:08:226 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, JCE Service Provider for SafeNet Luna hardware
[4/5/12 13:15:08:227 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Provider 14
[4/5/12 13:15:08:228 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, LunaJCAProvider, Version: 2.0
[4/5/12 13:15:08:229 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, JCA Service Provider for SafeNet Luna hardware
[4/5/12 13:15:08:230 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Provider 15
[4/5/12 13:15:08:231 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, JsafeJCE, Version: 4.1
[4/5/12 13:15:08:232 EDT] 0000001c DefaultSecuri I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Crypto-J 4.1, RSA Security Inc. JsafeJCE Security Provider (implements RSA, DSA, ECDSA, Diffie-Hellman, ECDH, AES, DES, Triple DES, DESX, RC2, RC4, RC5, PBE, MD2, MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512, HMAC-MD5, HMAC-RIPEMD160, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, FIPS186PRNG, ECDRBG, HMACDRBG, SHA1PRNG, MD5PRNG, X.509 CertificateFactory; PKCS12 KeyStore; X.509V1, PKIX, PKIX-SuiteB, PKIX-SuiteBTLS CertPathValidators; X.509V1, PKIX, PKIX-SuiteB, PKIX-SuiteBTLS CertPathBuilders; LDAP, Collection CertStores)
[4/5/12 13:15:08:660 EDT] 0000001c DefaultRandom I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Initialized secure random, algorithm: ECDRBG128, provider: JsafeJCE
[4/5/12 13:15:09:908 EDT] 0000001c DefaultSafene I com.rsa.keymanager.core.util.logging.CommonsLogEngine log Client : Internal, Safenet login successful.
...

Cause:
The SafeNet Luna client log file "cklog.txt" has grown to 2GB in size, which is the maximum file size limit on the host O/S. This log file is configured in the SafeNet Luna client configuration file /etc/Chrystoki.conf. For example:

CkLog2 = {
LibUNIX=/usr/lib/libCryptoki2.so;
Enabled=1;
File=/was_trace/70/cklog.txt;
Error=/was_trace/70/ckerror.txt;
NewFormat=1;
LoggingMask=ALL_FUNC;
}

When the cklog.txt file reached 2GB, which is the maximum size for a file on this OS, the Luna client stopped working. Additionally, no error log is being created in this configuration. There is no maximum size setting defined in the Luna config. Ideally the client should just proceed when a file cannot be loaded or written to; this seems like a software defect that needs to be fixed by SafeNet.

Resolution:
Delete or rename the log file "cklog.txt" and then restart WebSphere.
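
A monitoring check for the condition described above, added here as an example (it is not RSA or SafeNet code): it reads the File= and Error= paths from the CkLog2 section of a Chrystoki.conf and reports any log at or above a percentage of the 2GB ceiling. The function names, the 90% default and the 1000-byte limit used in the constructed demo are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): report Luna client logs nearing the 2 GB ceiling.
# Assumes the "Section = { Key=value; }" layout shown in the article's Chrystoki.conf.

LIMIT_BYTES=2147483647   # 2^31 - 1, largest file without large-file support

# Print the File= and Error= paths from the CkLog2 section of the given conf file.
cklog_paths() {
    awk '
        /^[ \t]*CkLog2[ \t]*=[ \t]*[{]/ { in_sec = 1; next }
        in_sec && /[}]/ { in_sec = 0 }
        in_sec {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            sub(/[ \t]*;[ \t]*$/, "", line)   # drop the trailing semicolon
            if (line ~ /^(File|Error)[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)
                print line
            }
        }
    ' "$1"
}

# Print "path size" for each configured log at or above PCT percent of LIMIT.
# Usage: cklog_near_limit CONF [LIMIT] [PCT]
cklog_near_limit() (
    limit=${2:-$LIMIT_BYTES}; pct=${3:-90}
    cklog_paths "$1" | while IFS= read -r path; do
        [ -f "$path" ] || continue            # log not created yet
        size=$(( $(wc -c < "$path") ))
        [ "$size" -lt $(( limit / 100 * pct )) ] || printf '%s %s\n' "$path" "$size"
    done
)

# Constructed sample: a conf pointing at two small files, checked against a 1000-byte limit.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'CkLog2 = {\nLibUNIX=/usr/lib/libCryptoki2.so;\nEnabled=1;\nFile=%s/cklog.txt;\nError=%s/ckerror.txt;\n}\n' "$d" "$d" > "$d/Chrystoki.conf"
    head -c 950 /dev/zero > "$d/cklog.txt"     # 95% of the demo limit
    head -c 10  /dev/zero > "$d/ckerror.txt"   # well below it
    cklog_near_limit "$d/Chrystoki.conf" 1000 90 | sed "s|^$d/||"
    rm -rf "$d"
)

demo   # prints: cklog.txt 950
```

On a real host, `cklog_near_limit /etc/Chrystoki.conf` with no further arguments applies the 2GB limit and the 90% threshold.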

Notes: KMSRV-2227
Legacy Article ID: a57852
