Troubleshooting Encryption License Key operations

Encryption License Key User Guide for VSP One Block

Version
10.2.x
Part Number
MK-23VSP1B010-00

The following table provides general troubleshooting information for Encryption License Key. If you need technical assistance, please contact customer support.

Problem Actions
The encryption key operation (backup/restore) failed.
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are restoring a key, make sure the key has not changed since the last secondary backup.
  • If you are restoring a key, make sure you are using the most recent encryption key.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Make sure the maximum number of keys that the KMS can back up has not been exceeded.
    • Check to see if timeouts are occurring, possibly due to an increase in the number of keys in the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After confirming the above, perform the encryption key operation (backup/restore) again.

The create encryption key operation failed.
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After checking the above, get the list of encryption keys and check whether an encryption key has been created. For instructions, see the REST API Reference Guide.

  • If an encryption key was created, the creation of the encryption key was successful. Perform an external backup of the encryption key.
  • If no encryption key was created, try creating the encryption key again. If you are not using a KMS, after the encryption key has been successfully created, manually back it up as a file on the management client.

Encryption key deletion failed.
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After checking the above, get the list of encryption keys and check whether the encryption key has been deleted. For instructions, see the REST API Reference Guide.

  • If the encryption key was deleted, no action is required.
  • If the encryption key was not deleted, try deleting the encryption key again.

Test communication failed.
  • Check the following items to make sure that the connection settings with the key management server are correct:
    • Host name
    • Port number
    • Client certificate file
    • Root certificate file
  • If the test communication is taking a long time, you can adjust the following items to make the communication successful:
    • Timeout
    • Retry interval
    • Number of retries
  • Check whether the time matches between the storage system and the KMS.
  • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.
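
The connection settings listed above can be probed one at a time from a host that can reach the KMS, so that a failure points at a specific setting. The following Python function is an added example, not part of this guide or of the storage system software; it assumes PEM-format certificate files and a probing host on the same network path as the storage system, and the function name, host name and port are hypothetical.

```python
import socket
import ssl
import time


def check_kms_connection(host, port, client_cert, root_cert,
                         client_key=None, timeout=10.0):
    """Return (stage, detail) naming the first connection setting that fails.

    stage: 'root_cert', 'client_cert', 'host', 'port', 'timeout', 'tls', 'ok'.
    Assumes PEM files; client_key is only needed if the key is a separate file.
    """
    try:  # Root certificate file: must exist and parse.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_cert)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "root_cert", f"cannot load root certificate: {exc}"
    try:  # Client certificate file: must exist, parse, and match its key.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    except OSError as exc:
        return "client_cert", f"cannot load client certificate: {exc}"
    try:  # Host name and port number.
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "host", f"host name does not resolve: {exc}"
    except socket.timeout:
        return "timeout", f"no TCP answer within {timeout}s"
    except OSError as exc:
        return "port", f"TCP connection failed: {exc}"
    try:  # TLS handshake, presenting the client certificate.
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            days = int((expires - time.time()) // 86400)
            return "ok", f"{tls.version()}; server certificate expires in {days} days"
    except ssl.SSLCertVerificationError as exc:
        # "certificate is not yet valid" / "certificate has expired" on a
        # certificate whose dates look right points at a clock mismatch.
        return "tls", f"certificate verification failed: {exc.verify_message}"
    except socket.timeout:
        return "timeout", f"TLS handshake did not finish within {timeout}s"
    except OSError as exc:
        return "tls", f"TLS handshake failed: {exc}"


if __name__ == "__main__":
    # Placeholder values (constructed); substitute your own KMS settings.
    print(check_kms_connection("kms.example.internal", 9000,
                               "client.pem", "root.pem"))
```

A result of `ok` from another host does not prove the storage system itself can connect; it only rules out the KMS listener and the certificate files as the cause.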

Encryption preference failed (encryption disabled to enabled).
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Make sure the maximum number of keys that the KMS can back up has not been exceeded.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After checking the above, initialize the encryption environment settings. Confirm that the initialization of the encryption environment settings completed successfully, and then run the encryption environment setting again.

Encryption configuration failed (change whether to use a KMS with encryption enabled).
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Make sure the maximum number of keys that the KMS can back up has not been exceeded.
    • Check whether the time matches between the storage system and the KMS.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After checking the above, see if the encryption configuration settings have changed.

  • If the encryption configuration settings have changed, the operation was successful. Perform an external backup of the encryption keys.
  • If the encryption configuration settings have not changed, try configuring the encryption settings again. After the encryption environment setting is successful, perform an external backup of the encryption keys.

The encryption key operation failed with one of the following error codes:
  • 36162-00204208
  • 36162-00204209
  • 36162-00204224
If all volumes are blocked and SIM code 661000, 661001 is reported:
  1. Check the connection with the KMS and confirm that the connection test completes successfully.
  2. Contact customer support and ask them to restart the storage system.
  3. After the storage system has restarted, make sure that all blocked volumes are recovered.

In other cases:

  1. Check the status of the storage system and recover any blocked volumes.
  2. After recovering the blocked volumes, perform the encryption key operation again.

Test communication succeeded, but error code 36162-00204225 was displayed.
  • The functions required to configure a KMS are not supported by the KMS to which you are connected. Review KMS requirements and update the KMS software as needed.

SIM code 660100 or 660200 was returned.
  • The number of unused keys (encryption keys with the Free attribute) might be lower than the number required for maintenance. Create the maximum number of Free keys.

Failed to initialize the encryption environment settings.
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

After confirming the above, initialize the encryption environment settings again.

Key management server migration failed.
  • Make sure the Encryption License Key software on the storage system is valid and has not expired.
  • Make sure the Security Manager (View & Modify) role is assigned.
  • If you are using a KMS:
    • Check the connection to the KMS.
    • Check whether the time matches between the storage system and the KMS.
    • Make sure the maximum number of keys that the KMS can back up has not been exceeded.
    • Check whether SSL/TLS communication and certificate requirements between the storage system and the KMS are met. For details, see the System Administrator Guide.

If the KMS settings have been updated, revert to the settings that were in effect before the KMS migration (KMS migration flag isMigration=false), and then perform the KMS migration again.

If the KMS settings have not been updated, perform the KMS migration again.