Troubleshooting Encryption License Key operations

Encryption License Key User Guide

Version
9.8.7
Part Number
MK-98RD9017-17

For troubleshooting information for Device Manager - Storage Navigator, see the System Administrator Guide. For details about HDvM - SN error messages, see Hitachi Device Manager - Storage Navigator Messages.

The following table provides general troubleshooting information for Encryption License Key. If you need technical assistance, contact customer support.

Problem Action
Problem: Cannot back up or restore a key.
Action: Verify the following:
  • The Encryption License Key software license is valid and installed.
  • You have the Security Administrator (View & Modify) role.
  • If you back up and restore data encryption keys with a key management server, the connection to the key management server is available.
  • If you back up and restore data encryption keys with a key management server, the number of keys that you can back up on the key management server is not exceeded.
  • If you back up and restore data encryption keys with a key management server, a time-out has not occurred due to the increase in the number of keys on the key management server.
  • The latest key is restored (the key will not be updated after a secondary backup has been performed).
  • (VSP E series) When RSA key exchange is disabled on the SVP, the SVP uses the following four cipher suites to communicate:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    Check whether the KMS supports these cipher suites. If not, enable RSA key exchange on the SVP.

Problem: Cannot create or delete data encryption keys.
Action: Make sure that:
  • The Encryption License Key software license is valid and installed.
  • You have the Security Administrator (View & Modify) role.
  • If you have backed up and restored data encryption keys with a key management server, the connection to the key management server is available.
  • (VSP E series) When RSA key exchange is disabled on the SVP, the SVP uses the following four cipher suites to communicate:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    Check whether the KMS supports these cipher suites. If not, enable RSA key exchange on the SVP.

Problem: Cannot enable encryption for a parity group.
Action: Make sure that:
  • The Encryption License Key software license is valid and installed.
  • All LDEVs in the parity group are in the blocked status.
  • The accelerated compression feature is disabled on the parity group.

Problem: Cannot disable encryption for a parity group.
Action: Make sure that all LDEVs in the parity group are in the blocked status.

Problem: Server configuration test failed.
Action:
  • Check the following key management server connection settings:
    • Host name
    • Port number
    • Client certificate file
    • Root certificate file
  • If the communication failure is due to the length of time to connect to the server, try changing these settings:
    • Timeout
    • Retry interval
    • Number of retries
  • Check the number of tiers of the certificate chain. The maximum number of tiers is 20 for VSP 5000 series and 5 for VSP E series. Make sure to use a certificate in a certificate chain that has 20 or fewer tiers for VSP 5000 series and 5 or fewer tiers for VSP E series.
  • If this problem occurs again after the actions listed above, retry the registration of the client and root certificates. At that time, do not change the host name or the port number of the KMS. If you change the host name or the port number of the KMS, the data on the storage system might not be decrypted.
  • (VSP E series) When RSA key exchange is disabled on the SVP, the SVP uses the following four cipher suites to communicate:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    Check whether the KMS supports these cipher suites. If not, enable RSA key exchange on the SVP.

Problem: The Edit Encryption wizard operation failed, but the status of encryption (enable or disable) has changed.
Action: The change of the status succeeds, but the format of the volume fails.

(VSP 5000 series) Confirm the message, remove the error, and format volumes again.

(VSP E series) Confirm the message, remove the error, and recover from the error by formatting the parity group.

Problem: The operations for encryption keys could not be performed (03005 068905).
Action: An error has occurred on the storage system. The encryption keys might not have been obtained from the key management server. If all volumes are blocked and SIM code 661000 or 661001 is returned, complete the following tasks:
  1. Restore the connection to the key management server.
  2. In the Edit Encryption Environmental Settings window, click Check for Server Configuration Test, and make sure that the connection test completes successfully.
  3. Contact customer support to restart the storage system.
  4. After the storage system is restarted, make sure that all blocked volumes are restored.

In other cases, perform the following tasks:

  1. Verify the system status, and then restore the blocked parts if blocked parts exist. If no blocked parts exist, retry the operation for the failed encryption key.
  2. After the blocked parts are restored, retry the operation for the failed encryption key.

Problem: Editing encryption environmental settings has failed with the error (00002-058578).
Action: If you are performing the initial configuration of the encryption environmental settings and the operation fails, complete the following tasks:
  1. Wait a few minutes, and then click File > Refresh All to reread the configuration information.
  2. Initialize the encryption environmental settings: Open the Edit Encryption Environmental Settings window, and select Initialize Encryption Environmental Settings (in the lower left corner of the window).
  3. Perform the initial configuration of the encryption environmental settings again.

If you are editing the encryption environmental settings (after initial configuration of the settings has been performed) and the operation fails, complete the following tasks:

  1. Wait a few minutes, and then click File > Refresh All to reread the configuration information.
  2. Edit the encryption environmental settings again.

Problem: Editing encryption environmental settings has failed with the error (20123-107015).
Action: Perform the following tasks:
  1. Fix the LAN communication error between Device Manager - Storage Navigator, storage, and environmental setting server (such as key management server).
  2. Initialize the encryption environmental settings.
  3. Configure the encryption environmental settings again.

Problem: Server configuration test has succeeded, but the following error is displayed:

10126-105022 The connected key management server does not support the required functions.

Action: A required function for the key management server is not supported by the connected key management server. Review the system requirements for Encryption License Key, and update the key management server software to the supported version.

Problem: The Edit Encryption operation failed even though a Free key (Encryption key with the Free attribute) exists. The error below is displayed.

03005-108104 There are not enough Free keys.

Action: The Edit Encryption Environmental Settings operation executed prior to the Edit Encryption operation might have failed due to encryption hardware failure. Confirm in the Tasks window that the Edit Encryption Environmental Settings operation failed, remove the cause of error, initialize the encryption environmental settings, and then retry the Edit Encryption Environmental Settings operation and the Edit Encryption operation.

Problem: SIM code 660100 or 660200 was returned.
Action: The number of Free keys (encryption key with the Free attribute) might be smaller than the threshold for maintenance. Create the maximum number of Free keys.

Problem: Failed to initialize the encryption environmental settings.
Action: When using Device Manager - Storage Navigator, complete the following tasks:
  1. Check if the encryption hardware (ECTLs or EBEMs) is blocked.
  2. If it is blocked, open the Encryption Keys window, and check the attributes.
  3. If KEK, CEK, or KEK and CEK are listed under the Attribute column, create Free keys up to the maximum number for each attribute.
  4. Contact customer support to restore the blocked hardware (ECTLs or EBEMs).

When using the REST API, complete the following tasks:

  1. Check if the encryption hardware is blocked.
  2. If it is blocked, obtain the number of encryption keys, and then check the attributes.
  3. When KEK, CEK, or KEK and CEK are listed under the Attribute column, the KART40325 error might appear. If the number of encryption keys is obtained and the required keys are created, do not take corrective action for the error.

    If another error occurs, take the corrective action specified in the error messages, and then create encryption keys.

  4. Contact customer support to restore the blocked hardware.

Problem: The encryption environmental settings for migrating the KMS to another server cannot be configured.
Action: Complete the following tasks:
  1. Verify that the settings of the primary KMS and secondary KMS have been changed in the Edit Encryption Environmental Settings window.
  2. Create a new KEK on the new KMS manually: open the Rekey Key Encryption Keys window, select Create a new key encryption key on the key management server, and click Finish.
  3. Back up the KEK on the new KMS as specified in Backing up the encryption keys manually to a key management server.

Problem: The items other than Initialize Encryption cannot be selected in the Edit Encryption Environmental Settings wizard.
Action: The encryption environmental settings cannot be made. Verify the problem in the Tasks window, and then take the actions described in the message.
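
The cipher-suite check in the VSP E series rows above ("Check whether the KMS supports these cipher suites") can be run from an administration host. The following Python code is an added example, not Hitachi code: it offers each of the four listed suites to the KMS over TLS 1.2, one at a time, and maps the outcome to the action the table gives. The function names, the 5-second timeout and the file parameters (root_ca, client_cert, client_key) are assumptions; host and port are whatever is configured for the key management server.

```python
import socket
import ssl

SVP_SUITES = {  # IANA name listed on this page -> OpenSSL name used by Python's ssl
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}

def suite_context(openssl_name, root_ca=None, client_cert=None, client_key=None):
    """TLS 1.2-only client context that offers exactly one of the four suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    if root_ca:
        ctx.load_verify_locations(root_ca)  # verify the KMS against its root CA
    else:
        ctx.check_hostname = False          # negotiation probe only, no data sent
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # KMS may demand mutual TLS
    return ctx

def probe_kms(host, port, timeout=5, **tls_files):
    """Per suite: True (negotiated), False (handshake failed), None (no TCP)."""
    results = {}
    for iana, name in SVP_SUITES.items():
        ctx = suite_context(name, **tls_files)
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[iana] = None       # TCP-level failure: not a cipher question
            continue
        try:
            with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[iana] = tls.cipher()[0] == name
        except ssl.SSLCertVerificationError:
            raise                      # trust problem, not a cipher problem
        except OSError:
            results[iana] = False      # no shared suite, reset, or local policy
    return results

def verdict(results):  # maps probe results to the action in the table
    if any(v is None for v in results.values()):
        return "unreachable: check host name, port number and network first"
    if any(results.values()):
        return "ok: KMS shares a suite with the SVP"
    return "no shared suite: enable RSA key exchange on the SVP"
```

A False result for the DHE suites can also come from the local OpenSSL security level rejecting small DH parameters offered by the server, so read it together with the ECDHE results.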