Commit 844cab9

1 parent 533670e commit 844cab9

1 file changed: +11 -12 lines changed

articles/dedicated-hsm/troubleshoot.md

Lines changed: 11 additions & 12 deletions
@@ -97,13 +97,14 @@ When initializing the HSM, securely store credentials. Shell and HSM credentials
9797

9898
### Failed Logins
9999

100-
Providing incorrect credentials to HSMs can have destructive consequences. The following are default behaviors for HSM Roles.
100+
Providing incorrect credentials to HSMs can have destructive consequences. The following are default behaviors for HSM Roles.
101+
101102
| Role | Threshold (# of tries) | Result of too many bad login attempts | Recovery |
102103
|--|--|--|--|
103-
| HSM SO | 3 | HSM is zeroized (all HSM objects identities, and all partitions are gone) | HSM must be reinitialized. Contents can be restored from backup(s). |
104-
| Partition SO | 10 | Partition is zeroized. | Partition must be reinitialized. Contents can be restored from backup. |
105-
| Audit | 10 | Lockout | Unlocked automatically after 10 minutes. |
106-
| Crypto Officer | 10 (can be decreased) | If HSM policy 15: Enable SO reset of partition PIN is set to 1 (enabled), the CO and CU roles are locked out.<br>If HSM policy 15: Enable SO reset of partition PIN is set to 0 (disabled), the CO and CU roles are permanently locked out and the partition contents are no longer accessible. This is the default setting. | CO role must be unlocked and the credential reset by the Partition SO, using `role resetpw -name co`.<br>The partition must be re-initialized, and key material restored from a backup device. |
104+
| HSM SO | 3 | HSM is zeroized (all HSM objects identities, and all partitions are gone) | HSM must be reinitialized. Contents can be restored from backup(s). |
105+
| Partition SO | 10 | Partition is zeroized. | Partition must be reinitialized. Contents can be restored from backup. |
106+
| Audit | 10 | Lockout | Unlocked automatically after 10 minutes. |
107+
| Crypto Officer | 10 (can be decreased) | If HSM policy 15: Enable SO reset of partition PIN is set to 1 (enabled), the CO and CU roles are locked out.<br>If HSM policy 15: Enable SO reset of partition PIN is set to 0 (disabled), the CO and CU roles are permanently locked out and the partition contents are no longer accessible. This is the default setting. | CO role must be unlocked and the credential reset by the Partition SO, using `role resetpw -name co`.<br>The partition must be re-initialized, and key material restored from a backup device. |
107108

108109
## HSM Configuration
109110

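Review bot: the blank line added between the lead-in sentence and the table is the right fix (a GitHub-flavoured Markdown pipe table only renders when it is separated from the preceding paragraph), but while this block is being touched, the Crypto Officer row's Recovery cell should be split to match the two cases in its Result cell. As written, `CO role must be unlocked and the credential reset by the Partition SO, using `role resetpw -name co`.` and `The partition must be re-initialized, and key material restored from a backup device.` read as two steps of one procedure, when the first applies only when HSM policy 15 is enabled and the second only when it is disabled (the stated default); prefix each sentence with its condition so an operator does not reinitialize a partition that could have been unlocked. The HSM SO row also has a misplaced comma: `all HSM objects identities, and all partitions are gone` should read `all HSM objects, identities, and all partitions are gone`.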
@@ -124,13 +125,11 @@ Some configuration changes require the HSM to be power cycled or rebooted. Micro
124125
A client may lose connectivity to an HSM when a certificate expires or has been overwritten through configuration updates. The certificate exchange client configuration should be reapplied with each HSM.
125126
Example NTLS logging with invalid certificate:
126127

127-
```console
128-
NTLS[8508]: info : 0 : Incoming connection request... : 192.168.50.2/59415
129-
NTLS[8508]: Error message from SSLAccept is : error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
130-
NTLS[8508]: Error during SSL accept ( RC_SSL_ERROR )
131-
NTLS[8508]: info : 0xc0000711 : Fail to establish a secure channel with client : 192.168.50.2/59415 : RC_SSL_FAILED_HANDSHAKE
132-
NTLS[8508]: info : 0 : NTLS Client "Unknown host name" Connection instance removed : 192.168.50.2/59415
133-
```
128+
> NTLS[8508]: info : 0 : Incoming connection request... : 192.168.50.2/59415
129+
> NTLS[8508]: Error message from SSLAccept is : error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
130+
> NTLS[8508]: Error during SSL accept ( RC_SSL_ERROR )
131+
> NTLS[8508]: info : 0xc0000711 : Fail to establish a secure channel with client : 192.168.50.2/59415 : RC_SSL_FAILED_HANDSHAKE
132+
> NTLS[8508]: info : 0 : NTLS Client "Unknown host name" Connection instance removed : 192.168.50.2/59415
134133
135134
### Failed TCP Communication
136135

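Review bot: replacing the fenced ```console block with `>` lines changes how the log renders: consecutive blockquote lines with no blank line between them collapse into a single paragraph, so the five NTLS entries will run together on one wrapped line, and the text loses its monospace formatting, which matters for a reader comparing `error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca` and `0xc0000711 : Fail to establish a secure channel with client` against their own log. If the change is driven by a build warning on the `console` language tag, keep the fence and change the tag (for example ```text) rather than switching to a blockquote; if a blockquote is required by the style guide, separate the entries with empty `>` lines or end each with `<br>` so they stay on separate lines.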
0 commit comments

Comments
 (0)