
HSM Troubleshooting

This section allows you to rectify HSM problems.

  1. Log in to the Next Generation Hardware Appliance.

  2. Open the Security page.

  3. In the section HSM Troubleshooting click Restart to restart the current HSM driver.

  4. The HSM Driver Status should be RUNNING under normal circumstances.

Troubleshooting for Luna S790 HSM

Exit Secure Transport Mode: Verification strings do not match

If the verification string does not match the verification string sent in the email, you should check the random string you entered for typos.

If there is a typo:

  1. Click the Close button in the Exit Secure Transport Mode window.

  2. Open the Security page if you are not automatically redirected there.

  3. In the section HSM Troubleshooting click Restart.

  4. Wait until the Setup in Progress message disappears in the Luna PCI HSM Configuration section.

  5. Restart the Exit Secure Transport Mode process.

  6. Enter the random string correctly.

However, if there are no typos and the verification string does not match, there may be a security problem. In this case, be sure to contact support.

Clean up Slots

An additional function is available for Luna HSM users. Initialized slots that are not fully set up continue to count towards the slot limit. Because the number of partitions supported by the license is limited to 100 slots, non-functional slots can be eliminated. To decommission these partitions, a Clean Up button is activated as soon as there are HSM slots that are not functional.

Interaction with the PED is required for the following steps.

The blue PED Key (and for remote connections the orange PED Key) is also required.

  1. Log in to the Next Generation Hardware Appliance.

  2. Open the Security page.

  3. In the section HSM Troubleshooting click Clean Up to start the process.

  4. A new window Slots Cleanup opens.

  5. Check Use Remote PED if applicable. Click Next Step.

  6. A summary opens. Click Start Cleanup to start the process.

  7. Follow the instructions on the PED to continue.

  8. After all non-functional slots have been cleaned from the Luna PCI HSM, click Finalize.

Background Process Cancellation and Timeout Handling

During setup operations the following cancellation constraints apply:

  1. No Immediate Cancellation

    • It is not possible to interrupt an active setup background process (e.g. while interaction with the PED is ongoing).

    • There is also no cancel/abort option available on the PED itself during interaction.

  2. Cancel After Error

    • The cancel/abort option is only available if an error has occurred in the setup background process.

  3. Recommended User Action
    If a user wants to stop the process during an active PED interaction:

    • Stop the current interaction.

    • Allow the process to time out naturally.

    • After this timeout, the background process is terminated with an HSM Error.

    • As soon as the error occurs, the cancel/abort option becomes available.

Important Notes:

  • Users cannot forcibly interrupt setup operations while PED interaction is ongoing.

  • Timeout is a way to terminate an undesired process.

  • After the timeout, a complete process abort is possible.

Authorization as Security Officer (SO)

Wrong Security Officer PED key during authorization as Security Officer

If an incorrect SO PED key is used during Authorize as Security Officer, the error message Unexpected Error appears.

  • Message: You have only 2 SO login attempts left

  • After 3 failed attempts, a modal dialog box opens.
    You are prompted to enter the following: ENABLE LAST RETRY

  • If an incorrect key is entered again, the HSM is zeroized.

Authorization as Partition Security Officer (PO)

Wrong Partition Security Officer PED key during authorization as Partition Security Officer

If an incorrect PO PED key is used during Authorize as Partition Security Officer, the error message Unexpected Error appears.

  • Message: Caution: You have only 9 PO login attempts left.

  • After 10 failed attempts, a modal dialog box opens.
    You are prompted to enter the following:
    ENABLE LAST RETRY before this final attempt can be activated.

  • If an incorrect key is entered again:

    • the partition is set to the zeroized state

    • the PO is locked

Authorization as Crypto Officer (CO)

Wrong Crypto Officer PED key during authorization as Crypto Officer

If an incorrect Crypto Officer PED key is used during Authorize as Crypto Officer, the error message Unexpected Error appears.

  • Message: Caution: You have only 9 CO login attempts left.

  • After 10 failed attempts, a modal dialog box opens.
    You are prompted to enter the following:
    ENABLE LAST RETRY before this final attempt can be activated.

  • If an incorrect key is entered again:

    • the partition is set to the zeroized state

    • the CO is locked

    • the slot could be reinitialized.

Slot Backup via Luna PCI HSM Configuration failed

  • Restoring the slot backup with PQC keys

  • Entering the slot PIN on EJBCA to activate the slot

    • the following error message may appear:
      Device not available

  • Restarting the HSM driver will help here.

    • Open the Security page in Webconf.

    • Scroll down to the HSM Troubleshooting section.

    • Click Restart in the HSM Driver Controls table.

  • The slot is activated and the PQC keys are available and functional again.

EJBCA administrator triggers exception with:
Error writing monitoring log to at least one device

Possible scenario:

A net-attached HSM is configured and initialized with signed audit log and crypto tokens.

  • Deactivate slot 1.

  • Activate slot 1 with a wrong password and abort.

  • Initialize more slots, then deactivate and reactivate the slot.

Clicking Restart in the HSM Driver Controls table will resolve the issue.

Troubleshooting for internal HSMs: u.trust

Clean up KSP

In the section HSM Troubleshooting click Clean Up to start the process.
The cleanup process requires ADMIN cards, after which the KSP uploads are expected to work.
See section u.trust: KSP restore between cluster nodes breaks KSP/backup operations.

Multi HSM: Cluster Node2 is not reachable after KSP upload

Possible scenario:
Node1:

  • Initialize the internal HSM
    with signed audit log + Non-FIPS + SCA on slot 0.

  • Add an external HSM.

  • Upload the license and generate PQC keys in EJBCA (internal HSM).

Node2:

  • Add Node2 on Node1.

  • Synchronize HSM with MBK on Node2.

  • Node2 EJBCA shows the PQC keys created on Node1 (internal HSM).

Create additional PQC keys on Node1 and download the KSP.
Upload the KSP on Node2.
Access EJBCA Adminweb on Node2.

ERROR : Failed to write audit log to at least one device.
Restarting the HSM driver solves the problem.

Background Process Cancellation and Timeout Handling

During setup operations the following cancellation constraints apply:

  1. No Immediate Cancellation

    • Cancellation is possible during PIN pad interaction using the cancel button on the PIN pad.
      This causes the Abort button to be displayed in webconf.
      Only after pressing the Abort button is the process actually canceled.

  2. Cancel After Error

    • The abort option is only available if an error has occurred or PIN pad interaction was cancelled during the setup process.
      The Abort button becomes available after pressing cancel on the PIN pad.

  3. Recommended User Action
    If a user wants to stop the process during an active PIN pad interaction:

    • Stop the current interaction.

    • As soon as the error occurs, the abort option becomes available.
