ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajctroubleshooting.htm

156 lines
10 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Troubleshoot the Cryptographic Coprocessor" />
<meta name="abstract" content="Use these troubleshooting methods to tackle some of the basic problems that may occur with your Cryptographic Coprocessor. If the troubleshooting information does not address your problem, contact your service representative." />
<meta name="description" content="Use these troubleshooting methods to tackle some of the basic problems that may occur with your Cryptographic Coprocessor. If the troubleshooting information does not address your problem, contact your service representative." />
<meta name="DC.Relation" scheme="URI" content="rzajcoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcreinitializing.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajchardware.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="troubleshooting" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot the Cryptographic Coprocessor</title>
</head>
<body id="troubleshooting"><a name="troubleshooting"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Troubleshoot the Cryptographic Coprocessor</h1>
<div><p>Use these troubleshooting methods to tackle some of the basic problems
that may occur with your Cryptographic Coprocessor. If the troubleshooting
information does not address your problem, contact your service representative.</p>
<p>Always assure that you have applied all current PTFs for the relevant products
and programs. </p>
<div class="section"><h4 class="sectiontitle">Using return codes</h4><div class="p">The primary method for detecting
and troubleshooting problems is by monitoring return codes and reason codes. <ul><li><strong>A return code of 0</strong> indicates successful completion. To provide
some additional information, the Cryptographic Coprocessor associates some
non-zero reason codes with this return code.</li>
<li><strong>A return code of 4</strong> indicates that the application programming interface
(API) has completed processing, but an unusual event occurred. It could be
related to a problem created by the application program, or it could be a
normal occurrence based on data that is supplied to the API.</li>
<li><strong>A return code of 8</strong> indicates that the API did not complete successfully.
An application programming error most likely caused this.</li>
<li><strong>A return code of 12</strong> normally indicates some type of problem in
the setup or configuration of your Coprocessor. This code means that the processing
of the API did not complete successfully.</li>
<li><strong>A return code of 16</strong> normally indicates a severe error in Common
Cryptographic Architecture Cryptographic Service Provider (CCA CSP), system
licensed internal code, or the Cryptographic Coprocessor licensed internal
code. For these types of errors, you should contact your service representative.</li>
</ul>
</div>
<p>You can also troubleshoot problems by analyzing the messages that
appear in the job log or in the system operator (QSYSOPR) queue. Generally,
any event that sends a message to the job log also returns an associated return
code and a reason code to the calling programming. Messages sent to the system
operator message, if reporting a severe problem, will normally point to a
source of additional information about the problem. Such information is intended
for IBM<sup>®</sup> service,
and therefore you may not necessarily find them useful for problem determination.</p>
</div>
<div class="section"><h4 class="sectiontitle">Common errors</h4><div class="p">You should watch out for these common
errors: <ul><li><strong>Did you vary on the device?</strong> You cannot send any requests to your
Cryptographic Coprocessor until you vary on the device. <p></p>
</li>
<li><strong>Is the CCA finding a device?</strong> If you do not explicitly use the Cryptographic_Resource_Allocate
API, you must name the cryptographic device CRP01. If you do not name it that,
the CCA cannot select any device. Either name the device CRP01 or change your
program to use the Cryptographic_Resource_Allocate CCA API to select the device. <p></p>
</li>
<li><strong>Are you selecting the correct device?</strong> If you have a default device
(for example, a device named CRP01) and an additional device, the Cryptographic
Coprocessor will select the default device, unless you use Cryptographic_Resource_Allocate. <p></p>
</li>
<li><strong>Is the Cryptographic Coprocessor finding a key store file?</strong> If you
do not explicitly use the Key_Store_Designate SAPI, the CCA CSP support will
attempt to use the files named on the device description. If you have named
no files on the device description, the Cryptographic Coprocessor will not
find any files. <p></p>
</li>
<li><strong>Have you loaded and set a master key?</strong> The Cryptographic Coprocessor
will not complete any cryptographic requests other than those for configuring
your Cryptographic Coprocessor, unless you load a master key. <p></p>
</li>
<li><strong>Does the Old master key register contain a key?</strong> The Cryptographic
Coprocessor cannot re-encrypt keys under the Current<sup>®</sup> master key unless the Old master
key register contains a value. <p></p>
</li>
<li><strong>Does your default role have authority to use a given hardware command?</strong> If
not, you will need to log on by using a profile that uses a role that has
the correct authority. <p></p>
</li>
<li><strong>Does any role have authority to use a given hardware command?</strong> If
your Cryptographic Coprocessor requires the hardware command and you have
not authorized a role to use that command, you must reinitialize your Cryptographic
Coprocessor. Do this by using either the Cryptographic_Facility_Control API
or the Hardware Service Manager that is found in System Service Tools. Using
the Cryptographic_Facilty_Control API requires that you authorize a role to
the hardware command that reinitializes the Cryptographic Coprocessor. If
no such role exists, you must use the Hardware Service Manager. <p></p>
</li>
<li><strong>Is a function control vector loaded?</strong> Your Cryptographic Coprocessor
cannot run any cryptographic operations other than configuration until you
load a function control vector. <p></p>
</li>
<li><strong>If you are loading a master key, did you begin by clearing out the
new master key register?</strong> If your Cryptographic Coprocessor has a partially
loaded new master key register, you cannot load the first part of a master
key. <p></p>
</li>
<li><strong>Did you remember to set the clock in your Coprocessor before removing
the authority to do so from the DEFAULT role?</strong> If not, you must reinitialize
your Cryptographic Coprocessor by using either the Cryptographic_Facility_Control
API or the Hardware Service Manager found in System Service Tools. Using the
Cryptographic_Facilty_Control API requires that you authorize a role to the
hardware command that reinitializes the Cryptographic Coprocessor. If no such
role exists, you must use the Hardware Service Manager. <p></p>
</li>
<li><strong>Did you set the EID before trying to generate public-private key pairs?</strong> You
must set the EID before you can generate RSA keys. <p></p>
</li>
<li><strong>Did you correctly initialize the first byte of a null key token to
binary 0?</strong> If not, the CCA support may try to use it as a key label. CCA
Support will either report it as a bad label format or report that it could
find the key record. <p></p>
</li>
<li><strong>Do you use the same name for a label in a PKA key store file and a
retained PKA key?</strong> If so, your Cryptographic Coprocessor will never find
the retained key because the Cryptographic Coprocessor always searches the
key store file first. <p></p>
</li>
<li><strong>Do you have EBCDIC data in any fields in a skeleton PKA key token?</strong> The
Cryptographic Coprocessor specifically checks for ASCII data in a number of
the fields and will return an error if it finds EBCDIC data.</li>
</ul>
</div>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzajcreinitializing.htm">Reinitialize the Cryptographic Coprocessor</a></strong><br />
If you set up your Cryptographic Coprocessor incorrectly, you can end up with an unusable configuration with which you cannot perform any cryptographic functions and cannot use any of the APIs to recover. For example, you can configure it such that you have no role authorized to set the master key and no role authorized to change or create new roles or profiles. You can call the hardware command for reinitializing the card by using the Cryptographic_Facility_Control (CSUACFC) SAPI.</li>
<li class="ulchildlink"><strong><a href="rzajchardware.htm">Use the Hardware Service Manager</a></strong><br />
Hardware service manager is a tool for displaying and working with system hardware from both a logical and a packaging viewpoint, an aid for debugging Input/Output (I/O) processors and devices, and is also used to reinitialize the Cryptographic Coprocessor (set it back to an un-initialized state).</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcoverview.htm" title="IBM offers cryptography solutions for customers who require a high level of security.">Cryptography</a></div>
</div>
</div>
</body>
</html>