Chapter 1: About This Manual

Who is this for?

This guide is intended for AKM users who encounter errors on the AKM server. Error codes can be found in the akmerror.log file accessed via the web interface. See the AKM Server Management Guide for information on accessing the akmerror.log file.

This guide contains a list of common error codes and their resolutions. If you encounter other error codes, please contact Townsend Security Support.

Client applications and SDKs

Townsend Security provides the following applications and SDKs to assist with client-side key retrieval or remote encryption:

  • Key Connection for SQL Server: Microsoft Extensible Key Management Provider for Transparent Data Encryption (TDE) and cell level encryption
  • Windows SDK for .NET applications
  • SQL Server UDF for all editions of SQL Server
  • Key Connection for Drupal
  • Key Connection for Encryptionizer

In addition to these offerings, Townsend Security provides software libraries and code samples to assist with custom implementations. Visit this page https://info.townsendsecurity.com/alliance-key-manager-evaluation for a current list of client applications, software libraries, and code samples.

Notices

This product and documentation are covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following table provides information on the changes to this documentation:

Version | Date | Description
0.01 | 1/28/09 | Initial draft.
0.02 | 3/2/09 | Updates to error codes for ReadSymKeyInstance.
0.03 | 3/11/09 | Duplicate error codes removed and replaced with new codes.
0.04 | 5/1/09 | The troubleshooting guide has been added to this manual. New error message codes have been added for licensing.
0.05 | 5/12/09 | Update the error codes for the ALLKeyRtv client library. Update the troubleshooting guide.
1.00 | 5/15/09 | Formal release of the documentation corresponding to version 1.0.3 of Alliance Key Manager.
1.01 | 5/18/09 | Clean up some error messages that included code fragments.
2.00 | 2/15/2010 | Final version on release of AKM version 2.0.2.
2.1.13.001 | 5/13/2013 | New manual format.
3.0.0.001 | 3/17/2014 | Update for AKM 3.0.0. Removal of uncommon error codes. Resolutions added to common error codes.
3.0.0.002 | 2/9/2015 | Add error codes for the AKM Encryption Service.
4.5.0.001 | 10.19.2016 | Add key client error codes. Add error codes for asymmetric RSA keys.
4.6.1.001 | 11/8/2019 | Updated links and references to technical information.
4.6.2.001 | 2/19/2020 | Added error code 3572 key permissions error.

Chapter 2: AKM Admin Service Error Codes

The following table provides error messages you may encounter while using key management commands in the AKM Administrative Console or under program control. Error codes and messages are displayed in the Output and Status panes in the AKM Administrative Console and are also logged in the akmerror.log file on the AKM server.

Error | Message | Resolution
3004 | ChangeActivationDate ERR [value] Cannot change activation date on a revoked key | You are trying to change the activation date of a key that has been revoked. The key has to first be re-activated using the “Activate Key” command.
3017 | DeleteKeyInstance ERR [value] Cannot delete current instance. Use DeleteKey command. | You can only delete previous instances of a key. Use the “Display Key Instance List” to view previous instances. If you want to delete the current instance of a key you will need to delete the entire key with the “Delete Key” command.
3018 | DeleteKeyInstance ERR [value] Unable to delete key which is not deletable | The key has its attributes set to not allow it to be deleted. You will first need to change that attribute with the “Change Deletable” command.
3022 | DisplayKeyInstanceList ERR [value] No entry for key name [value] | The key you have defined for the “Display Key Instance List” command does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key.
3025 | DisplayKeyNameList ERR [value] No key names in data base | There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key.
3031 | DeleteKeyFromUserAccess ERR [value] No entry for KeyName [value] | The key you are trying to delete does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key.
3032 | EditChangeActivationDate ERR [value] Activation Date [value] is before Current Date [value] | A key cannot be given a past activation date. You will need to set the activation date to either the current date or a future date.
3039 | EditChangeExpirationDate ERR [value] Expiration Date [value] is before Current Date [value] | A key cannot be given a past expiration date. You will need to set the expiration date to either the current date or a future date.
3058 | GetUserListForGroup ERR [value] No records for Group name [value] | Either the Group does not exist, or it has no members added to it. The Group name is case sensitive. Use the “Get Group Member List” command to verify the Group’s name.
3068 | ReadMirrorDefinition ERR [value] No entry for mirror name [value] | The mirror you specified is not defined. Mirror names are case sensitive. Use the “List Mirror Names” command to verify the name of the mirror.
3101 | Rollover ERR [value] Activation Date [value] is after Current Date [value] | You cannot roll a key that has not yet been activated. Use the “Display Symmetric Key Policy” command to verify the key’s activation date or use the “Activate Key” command to activate the key.
3106 | ExportSymKey ERR [value] fopen failed for certificate file [value] | The certificate you defined to export the symmetric key with does not exist. Certificate names are case sensitive. Use the “Get Certificate List” command to verify the name of the certificate.
3113 | GetSymKey ERR [value] Activation Date [value] is after Current Date [value] | The key you are trying to retrieve from AKM has a future activation date. Use the “Display Symmetric Key Policy” command to verify the key’s activation date or use the “Activate Key” command to activate the key.
3115 | GetSymKey ERR [value] Key has been revoked | The key you are trying to retrieve has been revoked. Use the “Activate Key” command to activate the key.
3119 | ImportSymKey ERR [value] key name already exists in database | The key name you are using to import a symmetric key with is already in use in the key database. Use the “Display Key Name List” command to verify the names of the existing keys, then choose another name for the key you are trying to import to avoid duplicates.
3120 | ImportSymKey ERR [value] fopen failed for file [value] | The key file you are trying to import could not be opened. Verify that it is a valid symmetric key file.
3143 | RevokeKeyInstance ERR [value] Cannot revoke current instance | You can only revoke previous instances of a key. Use the “Display Key Instance List” to view previous instances. If you want to revoke the current instance of a key you will need to revoke the entire key with the “Revoke Key” command.
3145 | Rollover ERR [value] attempted manual roll on key with rollover code [value] | The key you attempted to roll has been configured to automatically roll after a certain number of days. Use the “Display Symmetric Key Policy” command to verify the number of days set for automatic rollover, or use the “Change Rollover” command to change the rollover policy to manual rollover.
3181 | EditMetadataChars ERR [value] Invalid character <0xvalue> at position [value] in MD[value] | Only printable upper and lower case letters and numbers are allowed in the Metadata fields.
3184 | ValidateDB ERR [value] No key names in data base | There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key.
3205 | ImportCertificate ERR [value] no overwrite for existing file [value] | You are trying to import a certificate that already exists. Enable the Overwrite Existing Certificate option or import a different certificate.
3223 | DeletePrivateKey ERR [value] remove failed for private key file [value] | The private key you are attempting to export does not exist. Private keys are case sensitive. Use the “Get Private Key List” command to verify the private key’s name.
3230 | RsaTests ERR [value] PEM_read_RSAPrivateKey failed for file [value] | The crypto self-test failed. Contact Townsend Security for recovery procedures.
3275 | ReadSymKeyPolicy ERR [value] No entry for key name [value] instance [value] | Either the key you are attempting to retrieve or the instance for that key does not exist. Use the “Display Key Name List” and “Display Key Instance List” commands to verify the name and instance of the key.
3391 | ReadUserAccess ERR [value] No entry for Key name [value], UserName [value] | The User does not have access to the key. Use the “Set User Access To Key” command to grant the User access.
3440 | ReadKeyAccess ERR [value] No entry for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3457 | RemoveUserFromGroupTable ERR [value] No entry for GroupName [value], UserName [value] | The specified user is not a member of the specified group.
3462 | GetGroupAccessList ERR [value] No records in DB | There are no Groups defined. You can define Groups when you create keys, or you can use the “Add User To Group” command to add an additional Group.
3468 | RemoveUserAccessToKeyTable ERR [value] No entry for KeyName [value], UserName [value] | The key defined does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3471 | DeleteMirrorDefinition ERR [value] No mirror named [value] | The mirror you specified is not defined. Mirror names are case sensitive. Use the “List Mirror Names” command to verify the Mirror’s name.
3473 | GetUserAccessList ERR [value] No records in DB | There are no Users defined. You can define Users when you create keys, or use the “Add User To Group” command to add an additional User.
3476 | DeleteGroupFromGroupMember ERR [value] No entry for group name [value] | The Group you are trying to delete does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name.
3479 | RemoveGroupAccessToKeyTable ERR [value] No entry for KeyName [value], GroupName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3487 | GetKeyAccessList ERR [value] No records in DB | There are no keys stored in the database. Use the “Create Symmetric Key” command to create one.
3489 | RemoveKeyFromKeyAccessTable ERR [value] No entry for KeyName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3494 | GetGroupListForKey ERR [value] No records for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3498 | GetUserListForKey ERR [value] No records for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3501 | GetKeyListForGroup ERR [value] No records for group name [value] | The Group you specified does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name.
3504 | GetKeyListForUser ERR [value] No records for user name [value] | The User you have defined has no keys listed. Use the “Set User Access To Key” command to give the User access to the key.
3507 | GetGroupListForUser ERR [value] No records for User name [value] | This User has no groups assigned to it. Use the “Add User To Group” command to add this User to a Group.
3526 | DeleteGroupFromGroupAccess ERR [value] No entry for GroupName [value] | The Group you specified does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name.
3531 | DeleteUserFromUserAccess ERR [value] No entry for UserName [value] | The User you specified does not exist. The User is case sensitive. Use the “Get User List For Group” or the “Get User List For Key” commands to verify the User’s name.
3533 | DeleteKeyFromGroupAccess ERR [value] No entry for KeyName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name.
3557 | CrossEditRollover ERR [value] Automatic rollover specified | One or more keys have been defined with an Automatic Rollover Date. Use the “Change Rollover” command to change it to Manual.
3575 | ExportCertificate ERR [value] fopen failed for certificate file [value] | The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” to verify the certificate’s name.
3581 | EditCertType ERR [value] Invalid certificate type [value] | Several commands (DeleteCertificate, ExportCertificate, GetCertificateList and ImportCertificate) operate on either a CA Certificate or a Client Certificate. There is a 1-byte code in the request with the value A or C respectively. If a code other than A or C is passed this error is thrown.
3591 | CrossEditDates ERR [value] Activation Date is after the Expiration Date | The activation date you specified comes after the currently set expiration date. Use the “Display Symmetric Key Policy” command to verify the expiration date or the “Change Expiration Date” to adjust it.
3610 | ReadGroupAccess ERR [value] No entry for Key name [value], GroupName [value] | The Group does not have access to the key. Use the “Set Group Access To Key” command to grant the Group access.
3617 | ImportPrivateKey ERR [value] no overwrite for existing file [value] | You are trying to import a private key that already exists. Enable the Overwrite Existing Private Key option or import a different private key.
3650 | DeleteCertificate ERR [value] remove failed for certificate file [value] | The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” to verify the certificate’s name.
3777 | EditDeleteSymKey ERR [value] Some key instances not deletable for key name [value] | You are trying to delete a key where some instances of that key are not deletable. Use the “Display Key Instance List” command to display a list of all key instances associated with a given key. Use the “Display Symmetric Key” command to view the attributes of a given key instance. Use the “Change Deletable” command to make the key instance deletable.
3910 | ForceKeySync ERR [value] Key [value] is not enabled for mirroring | The symmetric key you are trying to mirror has not been enabled for mirroring. Use the “Change Mirror Key” command to enable the key for mirroring.
3942 | SetMirrorAddress ERR [value] Cannot reconfigure mirror with non-zero queue size [value] | There are keys waiting to be mirrored. You need to allow the mirroring operation to complete or use the “Remove Mirror Address” to delete the configured mirror. Then use the “Set Mirror Address” command again to configure the mirror server.
4025 | ExportSymKeyBatch ERR [value] No matching keys | The ExportSymKeyBatch command allows for the exporting of all AES keys meeting certain specified values in metadata fields. Should no keys be found matching the specified values, this error will be thrown.
4072 | AuthAdmin ERR [value] AuthAdmin command not valid. DualKnowledgeRequired not set in conf file. | The DualKnowledgeRequired entry has not been set to Y (Yes) in the AKM configuration file. It is not necessary to authorize a second Crypto Officer before using key management commands. If you would like to authorize a second Crypto Officer for key management commands in order to satisfy requirements for dual control, see the AKM Administrative Console Guide for information on implementing dual control.
4073 | EditAuthAdmin ERR [value] invalid minutes value [value] | The value you have entered is invalid. Use whole minutes.
4074 | AuthAdmin ERR [value] AuthAdmin currently active, cannot reset | A dual control session has been set. This admin instance will be locked out until the other admin instance has logged in and the time period set has expired.
4096 | ValidateAuthAdmin ERR [value] AuthAdmin window has not been set | The command you are trying to use requires that an administrator authorization time window is set. Have another administrator run the “Authorize Administrator” command.
4110 | ChangeActivationDate ERR <%d> Activation date <%s> cannot be after or on expiration date <%s> | The activation date you are trying to set cannot be on or after the expiration date that has been set for this key. Use the “Display Symmetric Key Policy” command to view the current expiration date for that key.
4332 | EditNumeric ERR <%d> non-numeric character <%02x> hex | Many parameters in many commands provide numeric data in ASCII format. For example, the first argument of CreateSymKey is 00584 and is the length of the data that follows. The only values that are valid for these types of fields are [0123456789]. If any other value is present this error is thrown. The most common reason for this error is that the request buffer was not properly formatted.
4491 | InsertEkmKey ERR <%d> sqlite3_step failed | The key <%s> already exists.
4513 | EditHostName ERR <%d> Host name may not be all blanks | You are trying to define a mirror but have left the host name blank. The host name refers to the IP address of the mirror AKM server.
4514 | EditMirrorPort ERR <%d> Mirror port may not be 0 | You are trying to define a mirror but have left the port number blank. The default port number for mirroring is 6003.
4515 | EditHostName ERR <%d> Host name may not be 0.0.0.0 | You are trying to define a mirror but have set the IP to 0.0.0.0. This field needs to have a valid IP.
4541 | DisplayEkmInfoList ERR <%d> No key names in data base | There are no EKM keys defined. Use the “Create EKM Key” command to create a key.
4546 | EKeysSelectByName ERR <%d> No entry for key name <%s> | The DisplayEKeysPolicy command allows the admin to see the policy fields associated with an EKM key. If a KeyName is specified that does not exist, this error is thrown.

Chapter 3: AKM Encryption Service Error Codes

The following table provides common error messages you may encounter while using the AKM Encryption Service in your application. These error codes are logged in the akmerror.log file on the AKM server.

Error | Message | Resolution
3028 | ParseDecEcbRecContinuationHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.
3459 | EditEobFlag | The value for the EndOfRequestFlag must be Y (yes) or N (no).
4133 | ParseDecEcbReqHdr | PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4134 | ParseEncEcbReqHdr | PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4135 | EditCipherTextFormat | The CipherTextFormat field value must be BIN, B16, or B64.
4136 | EditFinalFlag | The value for FinalFlag must be Y (yes) or N (no).
4137 | EditMoreBlocksFlag | The value for PackedFlag must be Y (yes) or N (no).
4138 | EditNewKeyFlag | The value for NewKeyFlag must be Y (yes) or N (no).
4139 | EditPaddingFlag | The value for PaddingFlag must be 1 byte: 7 (yes) or N (no).
4140 | EditPaddingFlag | The value for NewKeyFlag must be 7 (yes) or N (no).
4141 | EditPlainTextLen | The PlainTextLength field value must be composed of numeric characters.
4145 | ParseEncEcbReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.
4146 | ParseEncEcbReqHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.
4468 | EditPlainTextFormat | The PlainTextFormat field value must be BIN, B16, or B64.
4469 | ParseDecEcbReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.
4470 | ParseDecEcbReqHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.
4472 | ParseDecEcbReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4473 | EditCipherTextLen | The CipherTextLength cannot be set to 0 bytes.
4474 | ParseEncCbcReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.
4475 | ParseEncCbcReqHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.
4476 | ParseEncCbcReqHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4553 | ParseDecCbcReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again.
4554 | ParseDecCbcReqHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.
4555 | ParseDecCbcReqHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4556 | ParseDecEcbReqContinuationHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes.
4557 | ParseDecCbcReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4560 | ParseDecEcbReqContinuationHdr | The CipherTextLength cannot be set to 0 bytes.
4561 | ParseDecEcbReqContinuationHdr | The CipherTextLength cannot be set to 0 bytes.
4562 | ParseEncEcbReqHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.
4563 | ParseDecCbcReqHdr | The CipherTextLength cannot be set to 0 bytes.
4564 | ParseDecEcbReqHdr | The CipherTextLength cannot be set to 0 bytes.
4565 | ParseEncCbcReqHdr | The CipherTextLength cannot be set to 0 bytes.
4566 | ParseEncEcbReqHdr | The PlainTextLength cannot be set to 0 bytes.
4567 | ParseEncCbcReqHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.
4568 | ValidatePadding | The padding value must be in the range of hex 0x01 to 0x10. If you provide padding yourself in your application, make sure to use PKCS #7 padding.
4569 | ValidatePadding | If plaintext is a multiple of 16 and padding is requested, 16 bytes of padding will be added. The minimum length of ciphertext will be 32 bytes. Make sure you have the correct length of ciphertext.
4570 | ValidatePadding | If you provide padding in your application, you must provide PKCS #7 padding. If you provided another form of padding, it will not be recognized as valid.
4598 | ParseEncEcbReqContinuationHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.
4599 | ParseEncEcbReqContinuationHdr | The PlainTextLength cannot be set to 0 bytes.
4600 | ParseEncEcbReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4601 | ParseEncEcbReqContinuationHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.
4602 | ParseEncCbcReqContinuationHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes.
4603 | ParseEncCbcReqContinuationHdr | The PlainTextLength cannot be set to 0 bytes.
4604 | ParseEncCbcReqContinuationHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding.
4605 | ParseEncCbcReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open.
4606 | EditNewIvFlag | The value for NewIVFlag must be Y or N.
4607 | ParseEncCbcReqHdr | If NewKeyFlag is set to Y, then NewIVFlag must also be set to Y.
4658 | ParseDecEcbReqHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.
4659 | ParseDecCbcReqHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.
4660 | ParseDecEcbReqContinuaationHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.
4661 | ParseDecCbcReqContinuationHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext.
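
A client-side pre-flight check built from the CBC rows of the table above, so that a malformed request is caught before it reaches the server and akmerror.log. This is an added example, not Townsend Security code: the EncCbcRequest class and its field names are hypothetical, the length checks assume the BIN format, and 16,272 bytes is treated as the limit.

```python
from dataclasses import dataclass

MAX_TEXT_LEN = 16272   # length the guide says to stay within (treated as the limit here)
BLOCK = 16             # block size behind the guide's "multiple of 16 bytes" rules
FORMATS = ("BIN", "B16", "B64")
YES_NO = ("Y", "N")


@dataclass
class EncCbcRequest:
    """Hypothetical holder for the request fields the guide names (not the wire format)."""
    plaintext: bytes
    first_in_session: bool = True
    new_key_flag: str = "Y"
    new_iv_flag: str = "Y"
    padding_flag: str = "7"      # 7 = yes (PKCS #7), N = no
    packed_flag: str = "N"
    final_flag: str = "Y"
    plaintext_format: str = "BIN"


def preflight_encrypt(req):
    """Return [(error_code, reason), ...] the guide associates with this request."""
    found = []
    # Single-field value checks (the Edit* rows).
    if req.final_flag not in YES_NO:
        found.append((4136, "FinalFlag must be Y or N"))
    if req.packed_flag not in YES_NO:
        found.append((4137, "PackedFlag must be Y or N"))
    if req.new_key_flag not in YES_NO:
        found.append((4138, "NewKeyFlag must be Y or N"))
    if req.padding_flag not in ("7", "N"):
        found.append((4139, "PaddingFlag must be 7 or N"))
    if req.new_iv_flag not in YES_NO:
        found.append((4606, "NewIVFlag must be Y or N"))
    if req.plaintext_format not in FORMATS:
        found.append((4468, "PlainTextFormat must be BIN, B16, or B64"))
    # Cross-field rules (the ParseEncCbcReqHdr rows).
    n = len(req.plaintext)
    if req.first_in_session and req.new_key_flag == "N":
        found.append((4474, "NewKeyFlag must be Y on the first request"))
    if n > MAX_TEXT_LEN:
        found.append((4475, "plaintext longer than 16,272 bytes"))
    if req.packed_flag == "Y" and req.final_flag == "Y":
        found.append((4476, "PackedFlag and FinalFlag cannot both be Y"))
    if n == 0:
        # 4565 is the zero-length code the guide lists under ParseEncCbcReqHdr.
        found.append((4565, "length cannot be 0 bytes"))
    if req.padding_flag == "N" and n % BLOCK != 0:
        found.append((4567, "without padding, length must be a multiple of 16"))
    if req.new_key_flag == "Y" and req.new_iv_flag == "N":
        found.append((4607, "NewKeyFlag Y requires NewIVFlag Y"))
    return found


def expected_ciphertext_len(plaintext_len, padding_flag):
    """PKCS #7 always adds 1..16 bytes, so 16 bytes of plaintext become 32 (row 4569)."""
    if padding_flag == "7":
        return (plaintext_len // BLOCK + 1) * BLOCK
    return plaintext_len


def preflight_decrypt_len(ciphertext_len):
    """Length checks from the ParseDecCbcReqHdr rows, applied before sending."""
    found = []
    if ciphertext_len == 0:
        found.append((4563, "CipherTextLength cannot be 0 bytes"))
    if ciphertext_len > MAX_TEXT_LEN:
        found.append((4554, "ciphertext longer than 16,272 bytes"))
    if ciphertext_len % BLOCK != 0:
        found.append((4659, "ciphertext length must be a multiple of 16"))
    return found


if __name__ == "__main__":
    # Constructed request: 20 bytes, padding off, PackedFlag and FinalFlag both Y.
    bad = EncCbcRequest(b"A" * 20, padding_flag="N", packed_flag="Y")
    for code, reason in preflight_encrypt(bad):
        print(code, reason)
```

The server's own order of checks is not documented on this page, so the function reports every rule that fails rather than only the first.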

Chapter 4: AKM Client Error Codes

The following table provides common error messages you may encounter while using the AKM Client Library for Windows or AKM Key Connection for SQL Server. These Key Client errors represent AKM error codes received from the server and reported to the client. Other Key Client errors are possible. The error codes will match error codes found in the akmerror.log file on the AKM server; however, the exception message may be different.

Based on the server error code, one of these client-side exceptions is raised:

  • KeyAccessDeniedException
  • KeyExpiredException
  • KeyNotFoundException
  • KeyRevokedException
  • ServerException
  • ServerFailureException

These errors are reported directly to the Windows client, and indirectly by Key Connection for SQL Server (the message text is logged but not returned to the SQL application, which is a SQL Server limitation).

Error Code | Exception Class | Exception Message
3114 | KeyExpiredException | Key ‘{0}’ instance ‘{1}’ has expired.
3115 | KeyRevokedException | Key ‘{0}’ instance ‘{1}’ is revoked.
3275 | KeyNotFoundException | Key name “{0}” not found on the key server.
3391 | KeyAccessDeniedException | Access to key ‘{0}’ instance ‘{1}’ is denied.
3440 | KeyNotFoundException | Key name “{0}” not found on the key server.
3572 | | Key permissions for requested key are not sufficient, often seen with code 3391.
3610 | KeyAccessDeniedException | Access to key ‘{0}’ instance ‘{1}’ is denied.
3713 | ServerException | Key server is shutting down. Key server error {0}.
3714 | ServerException | Key server is shutting down. Key server error {0}.
3774 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}.
3775 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}.
3993 | ServerException | Crypto Officer certificate is not allowed on key retrieval port. Request id {0}. Key server error {1}.
4122 | ServerException | Key server is shutting down. Key server error {0}.
4123 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}.
4444 | KeyNotFoundException | Provider key ‘{0}’ not found. Key server error {1}.
4450 | KeyNotFoundException | Provider key not found using key thumbprint 0x{0} ‘{1}’. Key server error {2}.
4505 | KeyNotFoundException | Provider key ‘{0}’ not found. Key server error {1}.

Chapter 5: RSA Keys Error Codes

The following table provides common error messages you may encounter while working with asymmetric RSA keys. These error codes are logged in the akmerror.log file on the AKM server.

Error Code | Exception Class | Exception Message
4703 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4704 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4705 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document.
4706 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work.
4707 | Key not yet active. | Use the appropriate “activate key” function to make the key active.
4708 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer.
4709 | Key has expired. | Use a different key as this key has reached the end of its specified life.
4728 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work.
4734 | Key not yet active. | Use the appropriate “activate key” function to make the key active.
4735 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer.
4736 | Key has expired. | Use a different key as this key has reached the end of its specified life.
4737 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4742 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work.
4743 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4757 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4758 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4759 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document.
4760 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work.
4761 | Key not yet active. | Use the appropriate “activate key” function to make the key active.
4762 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer.
4763 | Key has expired. | Use a different key as this key has reached the end of its specified life.
4878 | Key not yet active. | Use the appropriate “activate key” function to make the key active.
4879 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer.
4880 | Key has expired. | Use a different key as this key has reached the end of its specified life.
4482 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4883 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document.
4884 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document.
4892 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4882 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document.
4483 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error.
4916 | DeleteRsaKeyPairMirrorFlagsDiffer | The mirror flag settings are not the same for both public and private keys in a pair; cannot delete the pair, may delete either Public or Private separately.
4917 | RsaKeyInstanceAndTypeMismatch | The Rsa keytype does not match the instance value supplied for DisplayRsaKeyPolicy by instance only.
Any other non-zero error code | ServerFailureException | Key server response {0} contains an unanticipated error code {1}. Please report this to Townsend Security.