Appendix B - Troubleshooting HSM Issues

If you are getting errors when generating keys use the following to troubleshoot:

  1. As of around EJBCA 6.15 you can get an error that says "Re-enter authentication code and Confirm Save to continue." Re-enter the password and try again. This will generate if the configuration already exists and you are saving an existing entry with an existing HSM slot reference.
  2. As the "wildfly" user, attempt to use the test command to read the keys. If clientToolBox cannot read the keys, EJBCA cannot either:
    # /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool test /opt/PrimeKey/cloudhsm/lib/libliquidsec_pkcs11.so 1
  3. Using AWS keytool are the keys that were previously created visible with the CLI? Some AWS commands that might help:
    # Load the key management utility
    /opt/cloudhsm/bin/key_mgmt_util
    loginHSM -u CU -s CRYPTO_USER_NAMNE -p HSM_PASSWORD
    # list all keys in HSM
    findKey
    # If the clientToolBox create key command ran and you are sure it did not work (because the cert locally didn't get created (even if you get an error the key can still create on the HSM) you can delete the key with the following command:
    deleteKey -k HANDLE_NUM
    # To see details about a given key (then exit out of key management utility and read the txt file):
    getAttribute -a 512 -out /tmp/keyattr.txt -o HANDLE_NUM