C.10 Server and Node Issues
Review these troubleshooting tips for common server and node related errors when working with Oracle Key Vault.
- SSL Client Error Message
 The alert and trace log display the SSL client error message when the Server Domain Name does not contain the expected Security Identifier (SID) name.
- Incorrect Value Returned for Custom Attributes of Integer Type
 In certain scenarios, an invalid value is returned for an integer type custom attribute.
- Not Receiving Email Alerts
 Even after configuring SMTP successfully, administrators are not receiving email alerts from the Oracle Key Vault server.
- Oracle Key Vault Server and NTP Server Date and Time Not Synchronized
 Learn two methods to resolve Oracle Key Vault date and time unsynchronized issue.
- Failed To Enable FIPS mode
 Enabling FIPS fails with an error on the Oracle Key Vault management console
Parent topic: Troubleshooting Oracle Key Vault
C.10.1 SSL Client Error Message
The alert and trace log display the SSL client error message when the Server Domain Name does not contain the expected Security Identifier (SID) name.
Alert log from Oracle Key Vault Server shows the following error message.
SSL Client: Server DN does not contain expected SID nameProbable Cause
These messages are from earlier SSL configurations.
Solution
Ignore these messages.
Parent topic: Server and Node Issues
C.10.2 Incorrect Value Returned for Custom Attributes of Integer Type
In certain scenarios, an invalid value is returned for an integer type custom attribute.
This problem scenario applies to values that were created from an Oracle Key Vault version 21.2.0.0.0 or earlier. Retrieving an integer type custom attribute created by RESTful services utility using C or Java SDK may return an invalid value. It is also possible that a custom attribute results in an invalid value.
Probable Cause
In Oracle Key Vault versions 21.2.0.0.0 or earlier, when an integer type custom attribute is added or modified using RESTful services utility, the attribute value is stored in a representation that is different from the representation that is used by other interfaces, for example, C or JAVA SDK, and KMIP.
This means that a value created or modified using the RESTful service utility cannot be retrieved correctly with C or JAVA SDK and KMIP interfaces. Likewise, a value created or modified using C or JAVA SDK and KMIP interfaces could not be retrieved correctly using RESTful service utility and the Oracle Key Vault management console.
Note:
The values that are created or modified using Oracle Key Vault 21.3.0.0.0 or later are always returned correctly.- The value was created from an Oracle Key Vault version 21.2.0.0.0 or earlier and the value has never been modified after upgrade to Oracle Key Vault 21.3.0.0.0 or later.
- The value was created or modified using RESTful services utility, but the value is retrieved using C/ or JAVA SDK or KMIP clients including PKCS#11 library.
- The value was created or modified using C or JAVA SDK or KMIP client, but the value is retrieved using REST CLI or the Oracle Key Vault management console.
The correct value is returned when the value is created and retrieved using the same interface.
In a multi-master cluster, Oracle Key Vault version in this section refers to the cluster version of the deployment.
Solution
To identify the values that are suspect and establish a correct value for them use the following procedure after the upgrade to Oracle Key Vault version 21.3.0.0.0 or later. A value for the custom attribute of integer type is considered suspect for cross utility use if it was created prior to Oracle Key Vault 21.3.0.0.0. This includes the values that may already be stored using the correct representation. Because from the value itself, it is not feasible to determine the representation, all such values are considered suspect and must be corrected.
- Identify suspect values for the custom attributes of integer
                        type:
                           - Log in to the Oracle Key Vault server through SSH as user
                            support, then switch user su to
                            root.ssh support@okv_server_IP_address su - root
- Run the script to generate a report with the suspected
                                values:/usr/bin/su - okv -c /usr/local/okv/bin/gen_custom_attr_suspect_valuesA report with the list of suspected values is generated:/tmp/suspect_values_for_custom_attribute_integer_type.txtFor each entry in the report, following values are shown: - Creating Endpoint: Endpoint that created the value.
- Unique ID of Object: Unique ID (UUID) of the object.
- Custom Attribute Name: Name of the custom attribute.
- Index: Index of the value.
- SDK Value: Value as retrieved by the C/JAVA SDK interfaces.
- REST Value: Value as retrieved by the RESTful services utility.
 Between SDK and REST values, one of the values will be the correct value. 
 
- Log in to the Oracle Key Vault server through SSH as user
                            support, then switch user su to
                            root.
- Update the suspect value with the chosen correct value.
                           For each suspect entry:- Review the SDK and REST values.
- Determine the correct value of the custom attribute from the two
                                possible values. One of the values will be the correct value of the
                                custom attribute. 
                                    In some cases, a ‘-‘ may be shown for one of the values. In such cases, the correct value would be the one that is shown as the integer value. 
- Update the custom attribute with the chosen correct value. You can
                                use any interface to update this value.
                                    You must update the custom attribute value even when one of the value is shown as ‘-‘. This step may require the coordination between the root user and the Oracle Key Vault users who can update the suspect values. A user who has the Key Administrator role can update all suspect values. In addition, a user or an endpoint who has read-write access on an object can modify the suspect custom attribute value for that object. You can determine such users using the endpoint information shown under ‘Creating Endpoint’. 
 
It is recommended to complete this procedure by establishing the correct value for all suspect values in one iteration. However, in case if it becomes necessary, above procedure could be repeated and then it will include only the remaining suspect values in the report.
It is recommended to verify the completion of this procedure by executing Step 1 again and ensuring that the generated report does not contain any suspect value entries.
Parent topic: Server and Node Issues
C.10.3 Not Receiving Email Alerts
Even after configuring SMTP successfully, administrators are not receiving email alerts from the Oracle Key Vault server.
Probable Cause
Requires restart of tomcat service
Solution
- Login to the Oracle Key Vault server or node through ssh and switch user to root.
- Restart tomcat
                    service.$service tomcat status $service tomcat stop $service tomcat start
- Verify if the tomcat service is up and
                    running.$service tomcat status ps -eaf | grep tomcat
- Send a test email and see if the email is received.
Parent topic: Server and Node Issues
C.10.4 Oracle Key Vault Server and NTP Server Date and Time Not Synchronized
Learn two methods to resolve Oracle Key Vault date and time unsynchronized issue.
Probable Cause
The time on the Oracle Key Vault server does not match with the time on the NTP server.
Solution
Perform the following steps to synchronize the time on the NTP and Oracle Key Vault server:
- Log in to the Oracle Key Vault management console as a system administrator role.
- Select the System tab, then Settings from the left navigation side bar.
- In the Network Services area, Select NTP to display the System Time page.
- Click Apply Server to perform a re-synchronization of the clock on the Oracle Key Vault server with the NTP server.
- Log in to the Oracle Key Vault server through SSH as user
                        support, then switch usersutoroot.ssh support@okv_server_IP_address su - root
- Run the following command to perform a re-synchronization of the
                    Oracle Key Vault server
                    clock:/bin/chronyc makestep
Parent topic: Server and Node Issues
C.10.5 Failed To Enable FIPS mode
Enabling FIPS fails with an error on the Oracle Key Vault management console
Example
Failed to enable FIPS mode error seen on the Oracle key vault management console while enabling FIPS.
Probable Cause
The Oracle Key Vault server was upgraded from release 21.5 or previous releases and the FIPS was disabled before the upgrade.
Solution
- As the support user, log in to the Oracle Key Vault server using
                    SSH, and then switch user sutoroot.ssh support@okv_server_IP_address su - root
- Run the following
                    command:/usr/local/okv/bin/okv_fps_disable
- Restart the Oracle Key Vault server using the
                        rebootcommand.
- As the sysadminuser, log in to the Oracle Key Vault management console to re-enable FIPS.
Parent topic: Server and Node Issues