Explanation
The meaning of the error code depends on the associated event code. All of these errors involve
the key server validation process, which can be triggered by the mkkeyserver,
chkeyserver, or testkeyserver commands, or by the regular
validation timer.
086006 Key Server reported KMIP error
While key server validation was running, the server reported a nonzero KMIP error code. Because
the key server can report a wide range of KMIP error codes, the sense data includes the following
additional information about the error:
- KMIP Error Code
- KMIP Result Status
- KMIP Result Reason
- An error string that contains the KMIP Result Message
086007 Key Server reported vendor information error
While key server validation was running, the server reported one of the following conditions:
- Unsupported type of key server
- Unsupported code level on the key server
086008 Failed to connect to Key Server
While key server validation was running, the node was unable to connect to the key server.
086009 Key Server reported misconfigured primary
An SKLM key server reported a server type that conflicted with the value
defined on the system. The key server reported it is not the primary, but the server is defined to
be the primary on the system.
User Response
For event code 086006:
- The key server reported a server-side problem. The sense data of this event includes more
details to help pinpoint the problem on the key server. Run the testkeyserver
command to determine whether the problem is fixed. The testkeyserver command
either automatically fixes the error, or raises the event again.
- Check that the cluster certificate was accepted on the key server. For more information, search
your product documentation for "Certificates that are used for key servers".
- Ensure that ISKLM has been configured to use TLS v1.2. Failure to do so can cause an SSL
connection error.
For event code 086007:
- The key server reported that it is running an unsupported software version. Verify that you are
using the correct key server and that the IP address, port address, and other characteristics are
all correct. If not, use the chkeyserver command to change this information. The
chkeyserver command automatically starts the validation process to confirm that
the error is fixed, and either auto-fixes this event or raises it again.
- Verify that you are using a supported key server type and version. A list of supported key
servers is provided in the documentation. The sense data of this event includes the version
information reported by the key server.
- The minimum supported version of Key Management Interoperability Protocol (KMIP) is 1.3.
- The supported key server type is ISKLM only.
- The supported versions of ISKLM are 2.6.0.0 and later.
For event code 086008:
- Check that a service IP address is configured for all nodes in the cluster (IPv4 if you use
IPv4 key servers, IPv6 if you use IPv6 key servers). If not, configure these IP addresses and run
the testkeyserver command. If the testkeyserver command is
successful, the event is automatically fixed.
- Confirm that all nodes in the cluster have their Ethernet cable plugged in correctly. If not,
plug them in and run the testkeyserver command. If the
testkeyserver command is successful, the event is automatically fixed.
- Confirm that the IP address and IP port of the key server object are correct. If not, change the
key server details by using the chkeyserver command. The
chkeyserver command automatically starts the validation process to confirm that
the error is fixed, and either auto-fixes this event or raises it again.
- Confirm that any SSL certificates for the key server are valid. Certificates must have correct
start and end dates and must be in the PEM format.
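The certificate checks in the last item can be run on an administration workstation before the certificate is installed. The following is an added example, not part of the product documentation or its CLI; it assumes the OpenSSL command-line tool and GNU date are available, and the function name, return codes and file path are hypothetical.

```shell
#!/bin/sh
# check_keyserver_cert FILE [MIN_SECONDS_LEFT]
# Returns 0 if FILE is a PEM X.509 certificate whose start date has passed
# and which stays valid for at least MIN_SECONDS_LEFT more seconds (default 0).
# Returns 1 if it is not PEM, 2 if not yet valid, 3 if expired or expiring
# inside the window. (Hypothetical helper; return codes are this example's own.)
check_keyserver_cert() {
    cert=$1
    min_left=${2:-0}

    # PEM is base64 text between BEGIN/END markers. Newer OpenSSL releases may
    # auto-detect DER input, so look for the marker as well as parsing the file.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then
        echo "$cert: not a PEM-encoded X.509 certificate" >&2
        return 1
    fi

    # Start date: notBefore must not lie in the future (GNU date parses it).
    not_before=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    start_epoch=$(date -u -d "$not_before" +%s) || return 1
    if [ "$start_epoch" -gt "$(date -u +%s)" ]; then
        echo "$cert: not valid until $not_before" >&2
        return 2
    fi

    # End date: -checkend exits non-zero if notAfter falls inside the window.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null; then
        not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        echo "$cert: expires $not_after" >&2
        return 3
    fi
    return 0
}

# Usage (path is a placeholder):
#   check_keyserver_cert /path/to/keyserver_cert.pem 2592000   # 30-day window
```

Passing a window in seconds flags certificates that are still valid now but would cause the validation timer to raise the event again soon.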
For event code 086009:
- Run the lskeyserver command to show the current status of the key servers.
One of these servers has the primary field incorrectly set to yes.
- Determine which server should correctly be designated as primary. Do this on the server side by
identifying the IP address and port that points to the real primary server. The primary server has
the role of "MASTER" in the replication relationship in SKLM. For more information about this
process, refer to your SKLM documentation. If the primary server in the
lskeyserver command appears to be correct, contact your service support
representative.
- Otherwise, run the following command:
chkeyserver -primary server_id
where server_id is the ID of the correct primary server.
- The chkeyserver command automatically validates the new primary key server.
To fix the event, complete one of the following actions:
- Manually mark the event as fixed by using the cheventlog -fix command
- Wait for the periodic validation of the old primary key server
- Manually validate the old server by using the testkeyserver command
If the problem persists, contact your service support representative.