000021370 - RSA Keon server will not start after completing re-indexing

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000021370
Applies To: Keon Certificate Authority 6.0.2
Hardware Security Module
Issue: RSA Keon server will not start after completing re-indexing
(ERROR) CA backend initialization:
Error configuring cryptographic session on slot <CA Name>
Error: Startup of Secure Directory Server failed!
Cause: The order of the CA certificates may change during re-indexing. Normally this should not cause a problem; however, if hardware keystores are used to secure some of the Certificate Authorities, the resulting PIN prompt order may prevent the server from starting correctly. If the KCA System CA is secured by a PIN prompt in an external hardware keystore, KCA should be configured to prompt for this CA before other CAs.
Resolution

To ensure a specific order for PIN prompting for CAs protected by an external hardware keystore, use the KCA xudad.conf file directive promptpin. Refer to page 79 of the RSA Keon CA Administrators Guide under the section "Passphrase and PIN Prompting". The promptpin directive forces display of the PIN prompt. In this format, you must specify the card set name and the provider. The format of the command is:

    promptpin cardset="MofN" provider="XCSP nCipher Native"

You can configure whether or not the Administrator is prompted to enter the passphrase or PIN to access a CA's private key when the Secure Directory Server is started by using one of two directives: setpin or promptpin. The usage of the promptpin directive is outlined below.

Passphrase and PIN Prompting

These directives must reside in the caoperations section of the xudad.conf file. This file is located in the /<installed-dir>/Xudad/conf/ directory. The directive is entered once for each software CA or once for each card set or token for hardware CAs.
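Before restarting the server, it helps to confirm that the promptpin directive for the card set protecting the KCA System CA is the first one listed. The following checker is an added example, not RSA code: it scans xudad.conf text for promptpin lines in the format shown above and reports their order. The card set names and the use of '#' for comment lines are assumptions for the constructed sample.

```python
import re
from typing import List, Tuple

# Matches the promptpin directive format given in the article:
#   promptpin cardset="MofN" provider="XCSP nCipher Native"
PROMPTPIN_RE = re.compile(
    r'^\s*promptpin\s+cardset="(?P<cardset>[^"]*)"\s+provider="(?P<provider>[^"]*)"\s*$'
)


def parse_promptpin_directives(conf_text: str) -> List[Tuple[str, str]]:
    """Return (cardset, provider) pairs in the order they appear in the text.
    Blank lines and lines starting with '#' are skipped ('#' comments are an assumption)."""
    found = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PROMPTPIN_RE.match(line)
        if m:
            found.append((m.group("cardset"), m.group("provider")))
    return found


def check_system_ca_first(conf_text: str, system_ca_cardset: str) -> Tuple[bool, str]:
    """Check that the card set protecting the KCA System CA is prompted first."""
    directives = parse_promptpin_directives(conf_text)
    if not directives:
        return False, "no promptpin directives found"
    cardsets = [c for c, _ in directives]
    if system_ca_cardset not in cardsets:
        return False, f"no promptpin directive for card set {system_ca_cardset!r}"
    if cardsets[0] != system_ca_cardset:
        pos = cardsets.index(system_ca_cardset) + 1
        return False, f"{system_ca_cardset!r} is prompted at position {pos}, not first"
    return True, "ok"


# Constructed caoperations fragment (hypothetical card set names) with the
# System CA's card set listed second, i.e. the misordering the article describes.
SAMPLE_CONF = """\
# constructed xudad.conf fragment, not a real configuration
promptpin cardset="IssuingCA-MofN" provider="XCSP nCipher Native"
promptpin cardset="SystemCA-MofN" provider="XCSP nCipher Native"
"""

if __name__ == "__main__":
    ok, reason = check_system_ca_first(SAMPLE_CONF, "SystemCA-MofN")
    print("OK" if ok else f"FIX ORDER: {reason}")
```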

Workaround: The Keon Certificate Authority datastore was re-indexed. The re-indexing completed without error, but the server would not start.
Legacy Article ID: a23017
