Troubleshoot pkcs11_kms Issues

Use these procedures to troubleshoot error conditions that may be encountered when using OKM with pkcs11_kms.

Cannot Retrieve the Master Key When Using pkcs11_kms

Use these steps when the Oracle Database reports that the master key cannot be retrieved (ORA-28362, usually followed by ORA-06512, which only marks the position in the error stack).

  1. Examine the $ORACLE_BASE/diag/rdbms/$SID/$SID/trace/alert_$SID.log file. The alert log records the success or failure of the "alter" DDL statements used to open and access the encryption wallet, so it shows which wallet operation failed and when.
  2. Examine the KMSAgentLog.log file in the pkcs11_kms configuration directory ($KMSTOKEN_DIR/KMSAgentLog.log).
  3. Verify the general status of OKM. Check the following:
    • Are KMAs active?
    • Are KMAs locked?
    • Is the key pool depleted?
    • KMA ILOM faults
    • KMA console messages
  4. Verify the status of the pkcs11_kms token as demonstrated earlier.
  5. Verify the status of the agent by examining OKM audit events for that agent to ensure that it enrolled and is enabled.
  6. Verify network connectivity from the Oracle Database host to OKM nodes.
  7. Contact Oracle Technical Support. You may be asked to provide one or more KMA System Dumps.
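The following script, added here as an illustration and not part of the OKM or Oracle Database distribution, automates steps 1, 2 and 6 of the checklist above: it greps the alert log for the wallet DDL and for ORA-28362/ORA-06512, counts and shows the problem lines in KMSAgentLog.log, and tests TCP reachability of each KMA. The agent log keywords ("error", "fail", "could not"), the default paths, and the KMA agent service port 3331 are assumptions; the sample log lines it writes when no real logs are found are constructed for the demonstration.

```shell
#!/bin/sh
# Triage helper for the "cannot retrieve master key" checklist. Written for
# this page as an illustration; it is not shipped with OKM or Oracle Database.
# Covers steps 1, 2 and 6: scan the alert log, scan KMSAgentLog.log, and test
# TCP reachability of the KMAs. Assumptions, not taken from the page: problem
# lines in the agent log contain "error", "fail" or "could not", and the KMA
# agent service listens on TCP port 3331. Override any setting via environment.

SID="${SID:-orcl}"
ALERT_LOG="${ALERT_LOG:-${ORACLE_BASE:-/u01/app/oracle}/diag/rdbms/$SID/$SID/trace/alert_$SID.log}"
AGENT_LOG="${AGENT_LOG:-${KMSTOKEN_DIR:-/var/kms}/KMSAgentLog.log}"
KMA_HOSTS="${KMA_HOSTS:-}"     # space-separated KMA hostnames or addresses
KMA_PORT="${KMA_PORT:-3331}"   # assumed agent service port

# Step 1: show the wallet/keystore DDL recorded in the alert log and return 0
# when the master key errors ORA-28362 / ORA-06512 are present, 1 otherwise.
scan_alert_log() {
    printf '== %s ==\n' "$1"
    grep -n -i -E 'alter (system|database) .*(wallet|keystore|encryption key)' "$1" 2>/dev/null | sed 's/^/   /'
    if grep -q -E 'ORA-28362|ORA-06512' "$1" 2>/dev/null; then
        printf '   master key errors present:\n'
        grep -n -E 'ORA-28362|ORA-06512' "$1" | sed 's/^/      /'
        return 0
    fi
    printf '   no ORA-28362 / ORA-06512 in this log\n'
    return 1
}

# Step 2: print the number of problem lines in the agent log on stdout and the
# last five of them on stderr, so the failing OKM call can be read in context.
scan_agent_log() {
    _n=$(grep -c -i -E 'error|fail|could not' "$1" 2>/dev/null || true)
    grep -i -E 'error|fail|could not' "$1" 2>/dev/null | tail -n 5 | sed 's/^/   /' >&2
    printf '%s\n' "${_n:-0}"
}

# Step 6: TCP reachability of each KMA on the agent port. A listener answering
# proves the network path only; enrollment and enabled state are checked in
# the OKM audit events (step 5).
check_kma_reachability() {
    [ -n "$KMA_HOSTS" ] || printf '   set KMA_HOSTS to test KMA reachability\n'
    for _h in $KMA_HOSTS; do
        if command -v nc >/dev/null 2>&1 && nc -z -w 3 "$_h" "$KMA_PORT" 2>/dev/null; then
            printf '   %s:%s reachable\n' "$_h" "$KMA_PORT"
        else
            printf '   %s:%s NOT reachable (or nc not installed)\n' "$_h" "$KMA_PORT"
        fi
    done
}

# Constructed sample logs, used only when the real files are absent so the
# script can be exercised on a host without Oracle or OKM. The lines mimic the
# shape of real entries; they are not copied from any system.
write_demo_logs() {
    _d=$(mktemp -d)
    cat > "$_d/alert.log" <<'EOF'
alter system set encryption wallet open identified by *
ORA-28362: master key not found
ORA-06512: at line 1
EOF
    cat > "$_d/KMSAgentLog.log" <<'EOF'
INFO  profile oracle_tde loaded
ERROR retrieve key: KMA kma1 returned failure
ERROR Could not open PKCS#12 file
EOF
    printf '%s\n' "$_d"
}

if [ ! -r "$ALERT_LOG" ]; then
    DEMO_DIR=$(write_demo_logs)
    ALERT_LOG="$DEMO_DIR/alert.log"
    AGENT_LOG="$DEMO_DIR/KMSAgentLog.log"
fi
scan_alert_log "$ALERT_LOG" || true
printf '== %s: %s problem lines ==\n' "$AGENT_LOG" "$(scan_agent_log "$AGENT_LOG")"
check_kma_reachability
```

Run it on the database host with ALERT_LOG, AGENT_LOG and KMA_HOSTS set for your environment; without those variables it falls back to the constructed sample logs, which is useful only to see the output format. A reachable KMA port with errors still in KMSAgentLog.log points at steps 3 to 5 (KMA state, token status, agent enrollment) rather than at the network.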

Loss of the pkcs11_kms Configuration Directory

Use this procedure to recover a lost or corrupted pkcs11_kms token profile.

  1. Perform the configuration steps described in Configure Database for TDE.
  2. Solaris Only - Repopulate the token's metadata. In the OKM data unit list, apply the filter "ExternalTag" begins with "ORACLE.TDE"; this selects the data units that belong to the token.
  3. Solaris Only - Save the listing to a file (for example "du.lst") and run the following loop. Listing each label through the KMS token retrieves the key from OKM and so rebuilds the token's metadata in the new profile:
    # du.lst: one data unit per line, label in the second whitespace-separated
    # column (the layout assumed by the original awk '{print $2}' filter).
    while read -r col1 label rest
    do
        [ -n "${label}" ] && pktool list token=KMS objtype=key label="${label}"
    done < du.lst

No Slots Available Error When Using pkcs11_kms

Use this procedure when the client gets "No Slots Available" errors when issuing any PKCS#11 operation.

  1. Ensure that the kmscfg utility has run successfully; the "No Slots Available" error means the PKCS#11 framework found no KMS token to present as a slot.
  2. Ensure that the pkcs11_kms provider has been properly installed and configured. On Solaris, pktool tokens lists the PKCS#11 tokens the framework can see; the KMS token should appear there once the provider is installed.

CKR_GENERAL_ERROR Error When Using pkcs11_kms

Use this procedure when the client gets the CKR_GENERAL_ERROR return code when trying to retrieve keys. (The PKCS#11 return code is CKR_GENERAL_ERROR; the CKA_ prefix belongs to attribute types, so a log that reads CKA_GENERAL_ERROR refers to the same condition.)

  1. Verify that the agent has a default key group in the OKM cluster; the default key group is the one in which the agent creates keys, so an agent without one cannot create keys.
  2. Review the $KMSTOKEN_DIR/KMSAgentLog.log file for more information.

Could Not Open PKCS#12 File Error

Use this procedure when the "Could not open PKCS#12 file" error appears in the $KMSTOKEN_DIR/KMSAgentLog.log file.

  1. Select audit events in the OKM cluster to determine whether the agent passphrase has recently changed.
  2. Remove the <profile-name> directory under $KMSTOKEN_DIR. The profile directory holds the agent's PKCS#12 credential file, protected by the agent passphrase, so a changed passphrase leaves it unopenable. Then re-create the profile as described in Configure Database for TDE so the agent re-enrolls with the current passphrase.