|Applies To||Keon Certificate Authority 6.0.2|
Hardware Security Module
|Issue||RSA Keon server will not start after completing re-indexing|
(ERROR) CA backend initialization:
Error configuring cryptographic session on slot <CA Name>
Error: Startup of Secure Directory Server failed!
|Cause||The order of the CA certificates may change during re-indexing. Normally this does not cause a problem; however, if hardware keystores are used to secure some of the Certificate Authorities, the resulting order of the PIN prompts may prevent the server from starting correctly. If the KCA System CA is secured by a PIN prompt in an external hardware keystore, KCA should be configured to prompt for this CA before other CAs.|
To ensure a specific order of PIN prompting for CAs protected by an external hardware keystore, use the promptpin directive in the KCA xudad.conf file. Refer to page 79 of the RSA Keon CA Administrators Guide under the section "Passphrase and PIN Prompting". The promptpin directive forces display of the PIN prompt. In this format, you must specify the card set name and the provider. The format of the command is:
You can configure whether the Administrator is prompted to enter the passphrase or PIN to access a CA's private key when the Secure Directory Server is started by using one of two directives: setpin or promptpin. The usage of the promptpin directive is outlined below.
Passphrase and PIN Prompting
These directives must reside in the caoperations section of the xudad.conf file. This file is located in the /<installed-dir>/Xudad/conf/ directory. The directive is entered once for each software CA or once for each card set or token for hardware CAs.
|Workaround||The Keon Certificate Authority datastore was re-indexed. The re-indexing completed without error, but the server would not start.|
|Legacy Article ID||a23017|