1785: A problem occurred with the Key Server

Explanation

The meaning of the error code depends on the associated event code. All of these errors involve the key server validation process, which can be triggered by the mkkeyserver, chkeyserver, or testkeyserver commands, or by the regular validation timer.

086006 Key Server reported KMIP error

While key server validation was running, the server reported a nonzero KMIP error code. Because the key server can report a wide range of KMIP error codes, the sense data includes the following additional information about the error:
  • KMIP Error Code
  • KMIP Result Status
  • KMIP Result Reason
  • An error string that contains the KMIP Result Message

086007 Key Server reported vendor information error

While key server validation was running, the server reported one of the following conditions:
  • Unsupported type of key server
  • Unsupported code level on the key server

086008 Failed to connect to Key Server

While key server validation was running, the node was unable to connect to the key server.

086009 Key Server reported misconfigured primary

An SKLM key server reported a server type that conflicts with the value defined on the system. The key server reported that it is not the primary, but it is defined as the primary on the system.

User Response

For event code 086006:
  1. The key server reported a server-side problem. The sense data of this event includes more details to help pinpoint the problem on the key server. Run the testkeyserver command to determine whether the problem is fixed. The testkeyserver command either automatically fixes the error, or raises the event again.
  2. Check that the cluster certificate was accepted on the key server. For more information, search your product documentation for "Certificates that are used for key servers".
  3. Ensure that ISKLM has been configured to use TLS v1.2. Failure to do so can cause an SSL connection error.
For event code 086007:
  1. The key server reported that it is running an unsupported software version. Verify that you are using the correct key server and that the IP address, port address, and other characteristics are all correct. If not, use the chkeyserver command to change this information. The chkeyserver command automatically starts the validation process to confirm that the error is fixed, and either auto-fixes this event or raises it again.
  2. Verify that you are using a supported key server type and version. A list of supported key servers is provided in the documentation. The sense data of this event includes the version information reported by the key server.
    • The minimum supported version of Key Management Interoperability Protocol (KMIP) is 1.3.
    • The supported key server type is ISKLM only.
    • The supported versions of ISKLM are 2.6.0.0 and later.
For event code 086008:
  1. Check that a service IP address is configured for all nodes in the cluster (IPv4 if you use IPv4 key servers, IPv6 if you use IPv6 key servers). If not, configure these IP addresses and run the testkeyserver command. If the testkeyserver command is successful, the event is automatically fixed.
  2. Confirm that all nodes in the cluster have their Ethernet cable plugged in correctly. If not, plug them in and run the testkeyserver command. If the testkeyserver command is successful, the event is automatically fixed.
  3. Confirm that the IP address and IP port of the key server object are correct. If not, change the key server details by using the chkeyserver command. The chkeyserver command automatically starts the validation process to confirm that the error is fixed, and either auto-fixes this event or raises it again.
  4. Confirm that any SSL certificates for the key server are valid. Certificates must have correct start and end dates and must be in the PEM format.
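
The certificate checks in step 4 can be run offline on a workstation before retrying testkeyserver. The following script is an added example, not part of the product documentation; the function names, file names, and sample certificate are constructed for illustration, and it assumes the openssl command-line tool and GNU date are available.

```shell
#!/bin/sh
# Added example: offline checks for a key server certificate file.
# Function names and the sample certificate are constructed for illustration.

# check_keyserver_cert FILE [MIN_DAYS_LEFT]
# Returns 0 if FILE is a PEM certificate whose start date has passed and
# whose end date is at least MIN_DAYS_LEFT days away (default 0).
# Returns 1 = not a PEM certificate, 2 = not yet valid, 3 = expired/expiring.
check_keyserver_cert() {
    cert=$1
    min_days=${2:-0}

    # PEM format: the text armor is present and the body parses as X.509.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1

    # Start date: notBefore must not be in the future (GNU date assumed).
    not_before=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    start=$(date -u -d "$not_before" +%s 2>/dev/null) || return 2
    [ "$start" -le "$(date -u +%s)" ] || return 2

    # End date: -checkend fails if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample: throwaway self-signed certificate valid for DAYS days.
# make_sample_cert OUTFILE DAYS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=keyserver.example" -days "$2" -out "$1" 2>/dev/null
}

# Demo on constructed input: one PEM file and the same certificate as DER.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/ks.pem" 30
openssl x509 -in "$demo_dir/ks.pem" -outform DER -out "$demo_dir/ks.der"
for f in ks.pem ks.der; do
    status=0
    check_keyserver_cert "$demo_dir/$f" 7 || status=$?
    echo "$f: status $status"
done
rm -rf "$demo_dir"
```

A DER-encoded copy of an otherwise valid certificate fails the format check with status 1, which is a common reason for a certificate that looks correct to be rejected.
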
For event code 086009:
  1. Run the lskeyserver command to show the current status of the key servers. One of these servers has the primary field incorrectly set to yes.
  2. Determine which server should correctly be designated as primary. Do this on the server side by identifying the IP address and port that points to the real primary server. The primary server has the role of "MASTER" in the replication relationship in SKLM. For more information about this process, refer to your SKLM documentation. If the primary server in the lskeyserver command appears to be correct, contact your service support representative.
  3. Otherwise, run the following command:
    chkeyserver -primary server_id

    where server_id is the ID of the correct primary server.

  4. The chkeyserver command automatically validates the new primary key server. To fix the event, complete one of the following actions:
    • Manually mark the event as fixed by using the cheventlog -fix command
    • Wait for the periodic validation of the old primary key server
    • Manually validate the old server by using the testkeyserver command
    If the problem persists, contact your service support representative.