Black Box ET0010A User Manual

ETPM and ETKMS Troubleshooting
EncrypTight User Guide
To add a new PEP in a system configured to use strict authentication:
1 In the ETEMS preferences, temporarily disable strict authentication.
2 Add and configure the PEP.
3 Install certificates on the PEP and then re-enable strict authentication in ETEMS.
4 Refresh status.
5 If the status is okay, enable strict authentication on the PEP. 
ETKMS Boot Error
If you entered the wrong password for the keystore when you set up the certificates, you can receive the 
error message “keystore was tampered with or password incorrect” when the ETKMS server starts. The 
error is recorded in the ETKMS log file. The keystore file on the ETKMS must be secured using the 
password specified in the keystorePassword=myPassword entry in the kdist.properties file.
Invalid Certificate Error
You can receive errors regarding invalid certificates if the time settings for the certificates and the 
EncrypTight components are significantly different.
If this occurs, check the kdist.log file on the ETKMS for the text:
Asynchronous invocation failed to (your PEP ip address here): 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake failure. 
Check the time on your ETPM workstation, ETKMS servers, and PEPs. Compare these times with the 
time on the certificates. If the times between the EncrypTight components differ significantly, the 
certificate you installed on the PEP may not be valid yet. 
You can check the validity by typing the following commands. 
keytool -printcert -v -file <pep1.pem>
or
keytool -printcert -v -file <pep1.der>
Where “pep1.pem” or “pep1.der” is the name of the certificate file. Depending on the format of your 
certificate file, you might also be able to open up the file in a text editor and look for the line that says 
“Valid from:”
If your certificate is not valid yet, ensure that the time on the ETPM, ETKMSs, and PEPs is synchronized 
with an NTP server. Then either wait until your certificates are valid, or create a new certificate with the 
times set correctly.
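
The comparison described above can be scripted. The following is an added example, not part of the original manual or of EncrypTight: it reads the “Valid from: ... until: ...” line from keytool -printcert output and judges the certificate against each component's own clock. The function names, the sample keytool excerpt, and the clock readings are constructed for illustration, and the parser assumes the dates are printed in UTC or GMT.

```python
import re
from datetime import datetime, timezone

# Validity line as printed by `keytool -printcert -v` (Java Date.toString() format).
VALIDITY = re.compile(r"Valid from:\s*(.+?)\s+until:\s*(.+)")

def parse_java_date(text):
    """Parse e.g. 'Tue Jan 02 10:00:00 UTC 2024' into an aware UTC datetime."""
    _dow, mon, day, clock, zone, year = text.split()
    if zone not in ("UTC", "GMT"):
        raise ValueError(f"only UTC/GMT handled in this example, got {zone!r}")
    parsed = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def validity_window(keytool_output):
    """Return (not_before, not_after) taken from the 'Valid from:' line."""
    match = VALIDITY.search(keytool_output)
    if match is None:
        raise ValueError("no 'Valid from:' line found")
    return parse_java_date(match.group(1)), parse_java_date(match.group(2))

def check_components(keytool_output, clocks):
    """Return {component: status}, judging the certificate by each component's clock."""
    not_before, not_after = validity_window(keytool_output)
    report = {}
    for name, now in clocks.items():
        if now < not_before:
            report[name] = f"not yet valid for another {not_before - now}"
        elif now > not_after:
            report[name] = "expired"
        else:
            report[name] = "valid"
    return report

# Constructed sample: keytool output excerpt and clock readings, not real data.
SAMPLE_OUTPUT = """Owner: CN=pep1
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Wed Jan 01 10:00:00 UTC 2025
"""
SAMPLE_CLOCKS = {
    "ETPM workstation": datetime(2024, 1, 2, 10, 5, tzinfo=timezone.utc),
    "ETKMS": datetime(2024, 1, 2, 10, 4, tzinfo=timezone.utc),
    "PEP": datetime(2024, 1, 2, 7, 30, tzinfo=timezone.utc),  # clock running behind
}

if __name__ == "__main__":
    for component, status in check_components(SAMPLE_OUTPUT, SAMPLE_CLOCKS).items():
        print(f"{component}: {status}")
```

In the constructed sample the certificate is valid by the ETPM and ETKMS clocks but not yet valid by the PEP clock, which is the situation that produces the handshake failure described above.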
Invalid Parameter in Function Call
Enabling strict authentication on a PEP before you install external certificates can cause communication 
issues. If you enable strict authentication on the ETEP before you install certificates, the management 
port locks up and rejects all communication from the management workstation and the ETKMSs.