1. Administrator's Guide
  2. Troubleshooting Oracle Key Vault
  3. Server and Node Issues

C.10 Server and Node Issues

Review these troubleshooting tips for common server and node related errors when working with Oracle Key Vault.

Parent topic: Troubleshooting Oracle Key Vault

C.10.1 SSL Client Error Message

The alert and trace log display the SSL client error message when the Server Domain Name does not contain the expected Security Identifier (SID) name.

Alert log from Oracle Key Vault Server shows the below error message.

SSL Client: Server DN does not contain expected SID name

Probable Cause

These messages are from earlier SSL configurations.

Solution

Ignore these messages.

Parent topic: Server and Node Issues

C.10.2 Incorrect Value Returned for Custom Attributes of Integer Type

In certain scenarios, an invalid value is returned for an integer type custom attribute.

This problem scenario applies to values that were created from an Oracle Key Vault version 21.2.0.0.0 or earlier. Retrieving an integer type custom attribute created by RESTful services utility using C or Java SDK may return an invalid value. It is also possible that a custom attribute results in an invalid value.

Probable Cause

In Oracle Key Vault versions 21.2.0.0.0 or earlier, when an integer type custom attribute is added or modified using RESTful services utility, the attribute value is stored in a representation that is different from the representation that is used by other interfaces, for example, C or JAVA SDK, and KMIP.

This means that a value created or modified using the RESTful service utility cannot be retrieved correctly with C or JAVA SDK and KMIP interfaces. Likewise, a value created or modified using C or JAVA SDK and KMIP interfaces could not be retrieved correctly using RESTful service utility and the Oracle Key Vault management console.

Note:

The values that are created or modified using Oracle Key Vault 21.3.0.0.0 or later are always returned correctly.
The invalid values for a custom attribute of integer types are returned in these cases:
  • The value was created from an Oracle Key Vault version 21.2.0.0.0 or earlier and the value has never been modified after upgrade to Oracle Key Vault 21.3.0.0.0 or later.
  • The value was created or modified using RESTful services utility, but the value is retrieved using C/ or JAVA SDK or KMIP clients including PKCS#11 library.
  • The value was created or modified using C or JAVA SDK or KMIP client, but the value is retrieved using REST CLI or the Oracle Key Vault management console.

The correct value is returned when the value is created and retrieved using the same interface.

In a multi-master cluster, Oracle Key Vault version in this section refers to the cluster version of the deployment.

Solution

To identify the values that are suspect and establish a correct value for them use the following procedure after the upgrade to Oracle Key Vault version 21.3.0.0.0 or later. A value for the custom attribute of integer type is considered suspect for cross utility use if it was created prior to Oracle Key Vault 21.3.0.0.0. This includes the values that may already be stored using the correct representation. Because from the value itself, it is not feasible to determine the representation, all such values are considered suspect and must be corrected.

  1. Identify suspect values for the custom attributes of integer type:
    1. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
      ssh support@okv_server_IP_address 
su - root
    2. Run the script to generate a report with the suspected values:
      /usr/bin/su - okv -c
      /usr/local/okv/bin/gen_custom_attr_suspect_values
      A report with the list of suspected values is generated:
      /tmp/suspect_values_for_custom_attribute_integer_type.txt

      For each entry in the report, following values are shown:

      • Creating Endpoint: Endpoint that created the value.
      • Unique ID of Object: Unique ID (UUID) of the object.
      • Custom Attribute Name: Name of the custom attribute.
      • Index: Index of the value.
      • SDK Value: Value as retrieved by the C/JAVA SDK interfaces.
      • REST Value: Value as retrieved by the RESTful services utility.

      Between SDK and REST values, one of the values will be the correct value.

  2. Update the suspect value with the chosen correct value.
    For each suspect entry:
    1. Review the SDK and REST values.
    2. Determine the correct value of the custom attribute from the two possible values. One of the values will be the correct value of the custom attribute.

      In some cases, a ‘-‘ may be shown for one of the values. In such cases, the correct value would be the one that is shown as the integer value.

    3. Update the custom attribute with the chosen correct value. You can use any interface to update this value.

      You must update the custom attribute value even when one of the value is shown as ‘-‘.

      This step may require the coordination between the root user and the Oracle Key Vault users who can update the suspect values. A user who has the Key Administrator role can update all suspect values. In addition, a user or an endpoint who has read-write access on an object can modify the suspect custom attribute value for that object. You can determine such users using the endpoint information shown under ‘Creating Endpoint’.

It is recommended to complete this procedure by establishing the correct value for all suspect values in one iteration. However, in case if it becomes necessary, above procedure could be repeated and then it will include only the remaining suspect values in the report.

It is recommended to verify the completion of this procedure by executing Step 1 again and ensuring that the generated report does not contain any suspect value entries.

Parent topic: Server and Node Issues

C.10.3 Not Receiving Email Alerts

Even after configuring SMTP successfully, administrators are not receiving email alerts from the Oracle Key Vault server.

Probable Cause

Requires restart of tomcat service

Solution

  1. Login to the Oracle Key Vault server or node through ssh and switch user to root.
  2. Restart tomcat service.
    $service tomcat status 
$service tomcat stop 
$service tomcat start
  3. Verify if the tomcat service is up and running.
    $service tomcat status
ps -eaf | grep tomcat
  4. Send a test email and see if the email is received.

Parent topic: Server and Node Issues