The following includes troubleshooting tips for your work with the EJBCA Hardware Appliance eIDAS edition.

Problem: HSM Audit Log is full

Do NOT reboot the EJBCA Hardware Appliance eIDAS edition when the HSM Audit Log is full.

There is a known issue: if you reboot the EJBCA Hardware Appliance eIDAS edition while the HSM Audit Log is full, the HSM Audit Log can no longer be used. Recovering from this requires an external erase and can result in data loss.

When the HSM Audit Log is full proceed as follows:

  1. Create the remote connection to the Hardware Appliance and use ssh to enter vhsm.
  2. Get the current HSM Audit Log from the HSM. Use an Admin user for this action. You will need to insert the Admin user's smart card.
  3. Delete the HSM Audit Log on the HSM. Use an Admin user for this action. You will need to insert the Admin user's smart card.
  4. Check whether the HSM Audit Log has been cleared by running the GetAuditLog command again.

These are the commands for the steps described above:

* ssh vhsm
* CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 logonsign=ADMIN1,:cs2:auto:USB0 getauditlog
* CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 logonsign=ADMIN1,:cs2:auto:USB0 clearauditlog

In the command line, replace ADMIN1 with ADMIN2 if using the smart card and PIN for ADMIN2.

Problem: External erase has been triggered with a full HSM Audit Log

If you reboot the EJBCA Hardware Appliance eIDAS edition while the HSM Audit Log is full, the HSM Audit Log can no longer be used and an external erase is required. This is a known issue.

In such a case, perform the following steps:

  1. Create the remote connection to the Hardware Appliance and use ssh to enter vhsm.
  2. Resolve the alarm.
  3. Get a new HSM Auth Key.
  4. Get the current HSM Audit Log.
  5. Clear the HSM Audit Log.

The EJBCA Hardware Appliance eIDAS edition is now in Factory Reset state. You can start a new installation or restore a backup.

These are the commands for the steps described above:

* ssh vhsm
* /usr/bin/hsm_init01_ClearDefault.sh
* /usr/bin/hsm_init02_cp5_ResetAlarm.sh
* /opt/utimaco/csadmcp5 dev=/dev/cs2 gethsmauthkey > /etc/hsm/HsmAuth.key
* CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 LogOnSign=ADMIN,/opt/utimaco/ADMINCP5.key GetAuditLog
* CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 LogOnSign=ADMIN,/opt/utimaco/ADMINCP5.key clearauditlog
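In both procedures above, the retrieve-then-clear steps are where a slip loses the log for good: clearauditlog must not be issued until the retrieved copy is safely on disk. The following script is an added example, not part of the EJBCA or Utimaco documentation; it assumes the csadmcp5 syntax quoted above, an archive directory /var/backups/hsm-auditlog, and that the csadmcp5 path and logon string can be overridden (set LOGON=ADMIN,/opt/utimaco/ADMINCP5.key for the key-file logon used in the second procedure).

```shell
#!/bin/bash
# Added example, not from the EJBCA or Utimaco documentation: save the HSM Audit
# Log to a timestamped file, verify the copy, and only then clear the log on the
# HSM, re-reading it afterwards (step 4 on the page). Paths and csadmcp5 syntax
# come from this page; CSADM, LOGON and ARCHIVE_DIR are assumed overridable.
set -u

CSADM="${CSADM:-/opt/utimaco/csadmcp5}"
DEV="${DEV:-/dev/cs2}"
LOGON="${LOGON:-ADMIN1,:cs2:auto:USB0}"     # smart-card logon; ADMIN2 or a key file also work
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/backups/hsm-auditlog}"   # assumed location
export CS_AUTH_KEYS="${CS_AUTH_KEYS:-/etc/hsm/HsmAuth.key}"

# One csadmcp5 invocation with the logon used on this page.
csadm() {
  "$CSADM" dev="$DEV" logonsign="$LOGON" "$@"
}

# Returns 0 and prints the archive path on success; a non-zero code and an
# untouched HSM log if the retrieval failed or produced an empty file.
archive_and_clear_auditlog() {
  mkdir -p "$ARCHIVE_DIR" || return 1
  local stamp archive after
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$ARCHIVE_DIR/hsm-auditlog-$stamp.txt"

  # Step 2 of the page: save the log. Refuse to go on without a usable copy.
  if ! csadm getauditlog > "$archive"; then
    echo "getauditlog failed; HSM Audit Log NOT cleared" >&2
    rm -f "$archive"
    return 2
  fi
  if [ ! -s "$archive" ]; then
    echo "retrieved log is empty; refusing to clear" >&2
    return 3
  fi
  sha256sum "$archive" > "$archive.sha256"   # integrity record for the retained copy
  # Step 3: clear on the HSM.
  csadm clearauditlog || { echo "clearauditlog failed" >&2; return 4; }

  # Step 4: re-read. Heuristic: a cleared log must be smaller than the saved one
  # (the clear itself may be logged, so it is not necessarily empty).
  after=$(csadm getauditlog | wc -c)
  if [ "$after" -ge "$(wc -c < "$archive")" ]; then
    echo "HSM Audit Log does not look cleared ($after bytes)" >&2
    return 5
  fi
  echo "$archive"
}
```

Run it as root on the appliance after entering vhsm; the printed path is the retained copy, and the .sha256 file beside it lets you prove later that the copy is unchanged.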

Problem: Slot or Admin user is blocked by HSM

The eIDAS HSM blocks access to slots and/or Admin users in the following circumstances:

  • Admin users: If the incorrect smart card is used 5 times, the user will be blocked.
  • Slots: If the incorrect PIN is used 5 times during slot activation, the slot will be blocked.

To unblock a slot and/or Admin user you will need at least one Admin user with a smart card.

To unblock slot 1 (as an example) with the smart card of ADMIN1, proceed as follows:

  1. Execute the following command:
    CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 LogonSign=ADMIN1,:cs2:auto:USB0 UnblockUser=USR_0001
  2. Enter the smart card for ADMIN1.
  3. Enter the PIN for that smart card.

To unblock ADMIN2 (as an example) with the smart card of ADMIN1, proceed as follows:

  1. Execute the following command:
    CS_AUTH_KEYS=/etc/hsm/HsmAuth.key /opt/utimaco/csadmcp5 dev=/dev/cs2 LogonSign=ADMIN1,:cs2:auto:USB0 UnblockUser=ADMIN2
  2. Enter the smart card for ADMIN1.
  3. Enter the PIN for that smart card.

Command line for unblocking slots:
Replace ADMIN1 with ADMIN2 if using the smart card and PIN for ADMIN2. Replace USR_0001 with USR_0002 if unblocking slot 2.

Command line for unblocking an Admin user:
Replace ADMIN2 with ADMIN1 if unblocking ADMIN1 (and log on with the smart card of ADMIN2).