000024292 - After restoring KCA (with nCipher), cannot issue a certificate.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024292
Applies To: Keon Certificate Authority 5.7, nCipher Hardware Security Module
Issue: After restoring KCA (with nCipher), cannot issue a certificate.
When issuing a certificate, the following error is shown and the certificate is not issued:
PROGRAM ERROR
req-authorize.xuda: Line 515: [XrcNOTFOUND] unable to locate requested member or object.  Unable to sign certificate [unable to locate member or object].
Resolution: The above error appears when trying to issue a certificate that is to be signed by an nCipher-based CA, that is, a CA whose private key is protected by an nCipher security world.  The error indicates that KCA was unable to access the CA's private key from the nCipher security world.

Make sure that the nCipher security world was restored properly and that you can access all the keys protected by the appropriate nCipher Operator Card Set.  The nCipher commands "nfkminfo", "enquiry", and "slotinfo" can be used to query the status of the security world and the Operator Card Set.  When restoring the nCipher security world to a different machine, first initialize the nCipher HSM with the "initunit" command, then copy the "kmdata" directory (which contains the security world data), and finally run the "sw-rest" command.

Consult the nCipher documentation for detailed information on how to restore an nCipher security world.
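
The status check described above, as an added example (not RSA's or nCipher's own code): a shell function that reads "nfkminfo" output and reports whether the security world is initialised and usable and whether every module is usable. The sample text and its hex state values are constructed, and the layout of the "state" lines is an assumption to confirm against your nCipher software version.

```shell
#!/bin/sh
# Constructed sample text shaped like nfkminfo output (not captured from an HSM).
SAMPLE_OK='World
 generation  2
 state       0x17270000 Initialised Usable Recovery !PINRecovery
 n_modules   1

Module #1
 generation  2
 state       0x2 Usable

Module #1 Slot #0 IC 0
 generation  1
 state       0x2 Empty
'
SAMPLE_BAD='World
 generation  2
 state       0x10000 !Initialised !Usable
 n_modules   1

Module #1
 generation  2
 state       0x1 Foreign
'

# check_world: read nfkminfo-style text on stdin; return 0 only when the
# security world is Initialised and Usable and every module is Usable.
# Assumption: each section carries a " state <hex> <flags...>" line.
check_world() {
  awk '
    /^World/               { sect = "world"; next }
    /^Module #[0-9]+ Slot/ { sect = "slot"; next }   # slot state is not checked here
    /^Module #[0-9]+/      { sect = "module"; name = $0; modules++; next }
    /^[^ ]/                { sect = ""; next }        # any other top-level section
    $1 == "state" && (sect == "world" || sect == "module") {
      init = 0; usable = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "Initialised") init = 1
        if ($i == "Usable") usable = 1
      }
      if (sect == "world") {
        world = 1
        if (!init || !usable) { print "FAIL: security world state: " $0; bad = 1 }
      } else if (!usable) { print "FAIL: " name " state: " $0; bad = 1 }
    }
    END {
      if (!world)   { print "FAIL: no World section found"; bad = 1 }
      if (!modules) { print "FAIL: no module reported"; bad = 1 }
      if (!bad) print "OK: security world and " modules " module(s) usable"
      exit bad + 0
    }'
}
```

On the restored host, with the nCipher tools on the PATH, the same function can be fed live output: nfkminfo | check_world. A FAIL line for the world or a module points at the HSM initialisation or the "kmdata" copy rather than at KCA itself.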
Workaround: A KCA installation was restored on a new machine.  Since KCA was using nCipher, the nCipher security world was also restored on the new machine prior to restoring KCA.
Legacy Article ID: a6828