FIPS Troubleshooting

FIPS Installation Troubleshooting

If you encounter a software validation issue during the installation, proceed as follows:

Follow the steps specified in Validating Debian and RPM Packages.

If the FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors system is not able to work on your Windows environment, make sure the Thawte Primary Root CA certificate is installed on your server's Local Computer Certificates store. To install the certificate and its chain, follow these steps:

    1. Download Thawte Primary Root CA certificate.
    2. Import it into the "Trusted Root Certification Authorities" store:
      1. Open Manage Computer Certificates Control Panel.
      2. Right-click Certificates in the Trusted Root Certification Authorities section.
      3. Select All Tasks > Import and follow the dialog to import thawte-Root-CA.pem file.
    3. Download Thawte SHA256 Code Signing CA certificate.
    4. Import it into "Intermediate Certification Authorities":
      1. Open Manage Computer Certificates Control Panel.
      2. Right-click Certificates in the Intermediate Certification Authorities section.
      3. Select All Tasks > Import and follow the dialog to import thawte SHA256 Code Signing CA.pem file.

EKM Service Start Troubleshooting

If following the EKMClosedEnterprise Key Management - previous name of the product. server restart, the ucl server test shows unexpected errors, proceed as follows:

  • Starting the EKMClosedEnterprise Key Management - previous name of the product. Service triggers the initialization of the Tomcat web service. We recommend examining its latest log file ( catalina.out) to make sure Tomcat initialization was flawless. See Tomcat Logs for further details.

  • The servers in the triplet interconnect via ports 443, 6603, and 6604.

    Following the orderly EKMClosedEnterprise Key Management - previous name of the product. service start in the triplet's servers, the following network of connections is established among the servers over ports 6603 and 6604

    FIPS ports

    Running the netstat -t -n | grep 660 | grep ESTABLISHED command on EP or Partner servers should reveal a total of 6 one-way connections:

    • 2x2 one-way connections between EP and Partner servers.
    • 2 one-way connections with the Auxiliary server.

    Example:

    netstat -t -n | grep ESTABLISHED | grep 660 tcp 0 0 192.168.0.182:** 192.168.0.242:6603 ESTABLISHED tcp 0 0 192.168.0.182:** 192.168.0.242:6604 ESTABLISHED tcp6 0 0 192.168.0.182:6604 192.168.0.102:** ESTABLISHED tcp6 0 0 192.168.0.182:6604 192.168.0.102:** ESTABLISHED tcp6 0 0 192.168.0.182:6603 192.168.0.102:** ESTABLISHED tcp6 0 0 192.168.0.182:6603 192.168.0.102:** ESTABLISHED