A Troubleshooting Oracle Key Vault

Oracle provides troubleshooting advice for common errors that may arise.

How Do I Find and Troubleshoot Errors?

You can find and troubleshoot errors by referring to the Oracle Key Vault log files.

The log messages are written to the /var/log/messages file. These log files record information such as (items they record). To check the log for errors, open it as root:

root# vi /var/log/messages

How Do I Handle the Error: Cannot Open Keystore Message?

The Cannot Open Keystore error can appear when you try to upload a Java keystore to the Oracle Key Vault server.

You can try the following solutions:

  • Ensure that the PATH environment variable has been correctly set.

  • Check which keytool and java executables the shell resolves by entering the following commands:

    which keytool
    which java
    

    Ensure that you are using Oracle Java.

How Do I Handle General KMIP Errors?

General KMIP errors can occur when you are trying to upload Oracle wallets to virtual wallets on multiple endpoints.

The General KMIP error occurs when you try the following sequence of actions:

  1. You configure two or more endpoints (for example, Endpoint A and Endpoint B) to share a wallet (Oracle Wallet C), and hence also share the wallet keys.

  2. You register Endpoints A and B with Oracle Key Vault.

  3. You create a default wallet (Virtual Wallet A) for Endpoint A and then a default wallet (Virtual Wallet B) for Endpoint B. Each virtual wallet is accessible only to the corresponding endpoint. For example, Endpoint B has no access to Virtual Wallet A.

  4. You upload Oracle Wallet C into Virtual Wallet A on Endpoint A.

  5. You attempt to upload Oracle Wallet C from Endpoint B into Virtual Wallet B on Endpoint B.

The KMIP error occurs because two copies of the same key are being created and Endpoint B cannot see both of them. If Endpoint A tries to upload the first key again, Oracle Key Vault detects this action and accounts for it. In Step 5, however, Endpoint B is not allowed to see the first key, so Oracle Key Vault is unable to perform the necessary harmonization for the two Oracle wallets.

This is expected behavior. To share the wallet with multiple endpoints, create an endpoint group instead. See "Managing Endpoint Groups" for more information.

Note:

The KMIP error can occur for other scenarios, but this scenario is the most common.

How Do I Handle WARNING: Could Not Store Private Key Errors?

If you upload two keystores with the same file name but with different contents, a WARNING: Could not store private key error is generated.

This occurs if you use the same alias (-alias slserver) in each okvutil upload command. When you download two such keystores that have the same alias, the okvutil download process ignores the second one because the JKS aliases must be unique. Download the second keystore using a unique alias.

How Do I Handle Errors After Upgrading Oracle Key Vault?

After you perform an upgrade of Oracle Key Vault on a standalone server, ORA-1109, ORA-00313, and ORA-00312 error messages may appear in the /var/log/messages log file.

You can safely ignore these messages. Error messages also appear in the /var/log/debug file.
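
The following shell example is added here and is not part of Oracle's documentation. It filters the ORA- messages in a log file so that the three post-upgrade codes named above are counted as ignorable and any line carrying another ORA- code is printed for review. The function names, host name, and sample log lines are constructed for illustration, and matching ORA-1109 with leading zeros (ORA-01109) is an assumption about how the code is logged.

```shell
#!/usr/bin/env bash
# Added example: triage ORA- messages after an Oracle Key Vault upgrade.
# Function names and the sample log lines are constructed, not Oracle's.

# okv_ora_triage [FILE]: read a syslog-style file (or stdin) and split lines
# carrying ORA- codes into "ignorable after upgrade" and "needs review".
okv_ora_triage() {
    awk '
    /ORA-[0-9]+/ {
        rest = $0 " "
        # Drop the three codes the page lists as safe to ignore. Allowing
        # leading zeros (ORA-01109 for ORA-1109) is an assumption.
        gsub(/ORA-0*(1109|313|312)[^0-9]/, "", rest)
        # A line that still holds another ORA- code is not ignorable.
        if (rest ~ /ORA-[0-9]+/) {
            review++; print "REVIEW: " $0
        } else {
            ignorable++
        }
    }
    END { printf "ignorable=%d review=%d\n", ignorable, review }
    ' "${1:--}"
}

# Constructed sample input in /var/log/messages style.
okv_sample_log() {
    cat <<'EOF'
Jan 10 02:14:01 okv01 oracle[2211]: ORA-01109: database not open
Jan 10 02:14:03 okv01 oracle[2211]: ORA-00313: open failed for members of log group 1 of thread 1
Jan 10 02:14:03 okv01 oracle[2211]: ORA-00312: online log 1 thread 1: '/constructed/path/redo01.log'
Jan 10 02:20:45 okv01 oracle[2290]: ORA-00313: open failed; ORA-27037: unable to obtain file status
Jan 10 02:31:09 okv01 oracle[2290]: ORA-00600: internal error code
Jan 10 02:35:00 okv01 sshd[901]: Accepted publickey for support
EOF
}

# Demo on the sample; on the server, run as root:
#   okv_ora_triage /var/log/messages
okv_sample_log | okv_ora_triage
```

A line that mixes an ignorable code with a different ORA- code is reported for review rather than suppressed.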