Chapter 1: About This Manual
Who is this for?
This guide is intended for AKM users who encounter errors on the AKM server. Error codes can be found in the akmerror.log file, which is accessed via the web interface. See the AKM Server Management Guide for information on accessing the akmerror.log file.
This guide contains a list of common error codes and their resolutions. If you encounter other error codes, please contact Townsend Security Support.
Client applications and SDKs
Townsend Security provides the following applications and SDKs to assist with client-side key retrieval or remote encryption:
- Key Connection for SQL Server: Microsoft Extensible Key Management Provider for Transparent Data Encryption (TDE) and cell level encryption
- Windows SDK for .NET applications
- SQL Server UDF for all editions of SQL Server
- Key Connection for Drupal
- Key Connection for Encryptionizer
In addition to these offerings, Townsend Security provides software libraries and code samples to assist with custom implementations. Visit this page https://info.townsendsecurity.com/alliance-key-manager-evaluation for a current list of client applications, software libraries, and code samples.
Notices
This product and documentation is covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.
Change log
The following table provides information on the changes to this documentation:
Version | Date | Description |
---|---|---|
0.01 | 1/28/09 | Initial draft. |
0.02 | 3/2/09 | Updates to error codes for ReadSymKeyInstance. |
0.03 | 3/11/09 | Duplicate error codes removed and replaced with new codes. |
0.04 | 5/1/09 | The troubleshooting guide has been added to this manual. New error message codes have been added for licensing. |
0.05 | 5/12/09 | Update the error codes for the ALLKeyRtv client library. Update the troubleshooting guide. |
1.00 | 5/15/09 | Formal release of the documentation corresponding to version 1.0.3 of Alliance Key Manager |
1.01 | 5/18/09 | Clean up some error messages that included code fragments. |
2.00 | 2/15/2010 | Final version on release of AKM version 2.0.2. |
2.1.13.001 | 5/13/2013 | New manual format. |
3.0.0.001 | 3/17/2014 | Update for AKM 3.0.0. Removal of uncommon error codes. Resolutions added to common error codes. |
3.0.0.002 | 2/9/2015 | Add error codes for the AKM Encryption Service. |
4.5.0.001 | 10.19.2016 | Add key client error codes. Add error codes for asymmetric RSA keys. |
4.6.1.001 | 11/8/2019 | Updated links and references to technical information. |
4.6.2.001 | 2/19/2020 | Added error code 3572 key permissions error. |
Chapter 2: AKM Admin Service Error Codes
The following table provides error messages you may encounter while using key management commands in the AKM Administrative Console or under program control. Error codes and messages are displayed in the Output and Status panes in the AKM Administrative Console and are also logged in the akmerror.log file on the AKM server.
Error | Message | Resolution |
---|---|---|
3004 | ChangeActivationDate ERR [value] Cannot change activation date on a revoked key | You are trying to change the activation date of a key that has been revoked. The key has to first be re-activated using the “Activate Key” command. |
3017 | DeleteKeyInstance ERR [value] Cannot delete current instance. Use DeleteKey command. | You can only delete previous instances of a key. Use the “Display Key Instance List” command to view previous instances. If you want to delete the current instance of a key, you will need to delete the entire key with the “Delete Key” command. |
3018 | DeleteKeyInstance ERR [value] Unable to delete key which is not deletable | The key has its attributes set to not allow it to be deleted. You will first need to change that attribute with the “Change Deletable” command. |
3022 | DisplayKeyInstanceList ERR [value] No entry for key name [value] | The key you have defined for the “Display Key Instance List” command does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key. |
3025 | DisplayKeyNameList ERR [value] No key names in data base | There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key. |
3031 | DeleteKeyFromUserAccess ERR [value] No entry for KeyName [value] | The key you are trying to delete does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the name of the key. |
3032 | EditChangeActivationDate ERR [value] Activation Date [value] is before Current Date [value] | A key cannot be given a past activation date. You will need to set the activation date to either the current date or a future date. |
3039 | EditChangeExpirationDate ERR [value] Expiration Date [value] is before Current Date [value] | A key cannot be given a past expiration date. You will need to set the expiration date to either the current date or a future date. |
3058 | GetUserListForGroup ERR [value] No records for Group name [value] | Either the Group does not exist, or it has no members added to it. The Group name is case sensitive. Use the “Get Group Member List” command to verify the Group’s name. |
3068 | ReadMirrorDefinition ERR [value] No entry for mirror name [value] | The mirror you specified is not defined. Mirror names are case sensitive. Use the “List Mirror Names” command to verify the name of the mirror. |
3101 | Rollover ERR [value] Activation Date [value] is after Current Date [value] | You cannot roll a key that has not yet been activated. Use the “Display Symmetric Key Policy” command to verify the key’s activation date or use the “Activate Key” command to activate the key. |
3106 | ExportSymKey ERR [value] fopen failed for certificate file [value] | The certificate you defined to export the symmetric key with does not exist. Certificate names are case sensitive. Use the “Get Certificate List” command to verify the name of the certificate. |
3113 | GetSymKey ERR [value] Activation Date [value] is after Current Date [value] | The key you are trying to retrieve from AKM has a future activation date. Use the “Display Symmetric Key Policy” command to verify the key’s activation date or use the “Activate Key” command to activate the key. |
3115 | GetSymKey ERR [value] Key has been revoked | The key you are trying to retrieve has been revoked. Use the “Activate Key” command to activate the key. |
3119 | ImportSymKey ERR [value] key name already exists in database | The key name you are using to import a symmetric key with is already in use in the key database. Use the “Display Key Name List” command to verify the names of the existing keys, then choose another name for the key you are trying to import to avoid duplicates. |
3120 | ImportSymKey ERR [value] fopen failed for file [value] | The key file you are trying to import could not be opened. Verify that it is a valid symmetric key file. |
3143 | RevokeKeyInstance ERR [value] Cannot revoke current instance | You can only revoke previous instances of a key. Use the “Display Key Instance List” to view previous instances. If you want to revoke the current instance of a key you will need to revoke the entire key with the “Revoke Key” command. |
3145 | Rollover ERR [value] attempted manual roll on key with rollover code [value] | The key you attempted to roll has been configured to automatically roll after a certain number of days. Use the “Display Symmetric Key Policy” command to verify the number of days set for automatic rollover, or use the “Change Rollover” command to change the rollover policy to manual rollover. |
3181 | EditMetadataChars ERR [value] Invalid character <0xvalue> at position [value] in MD[value] | Only printable upper and lower case letters and numbers are allowed in the Metadata fields. |
3184 | ValidateDB ERR [value] No key names in data base | There are no keys stored in the key database. Use the “Create Symmetric Key” command to create a key. |
3205 | ImportCertificate ERR [value] no overwrite for existing file [value] | You are trying to import a certificate that already exists. Enable the Overwrite Existing Certificate option or import a different certificate. |
3223 | DeletePrivateKey ERR [value] remove failed for private key file [value] | The private key you are attempting to export does not exist. Private keys are case sensitive. Use the “Get Private Key List” command to verify the private key’s name. |
3230 | RsaTests ERR [value] PEM_read_RSAPrivateKey failed for file [value] | The crypto self-test failed. Contact Townsend Security for recovery procedures. |
3275 | ReadSymKeyPolicy ERR [value] No entry for key name [value] instance [value] | Either the key you are attempting to retrieve or the instance for that key do not exist. Use the “Display Key Name List” and “Display Key Instance List” commands to verify the name and instance of the key. |
3391 | ReadUserAccess ERR [value] No entry for Key name [value], UserName [value] | The User does not have access to the key. Use the “Set User Access To Key” command to grant the User access. |
3440 | ReadKeyAccess ERR [value] No entry for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3457 | RemoveUserFromGroupTable ERR [value] No entry for GroupName [value], UserName [value] | The specified user is not a member of the specified group. |
3462 | GetGroupAccessList ERR [value] No records in DB | There are no Groups defined. You can define Groups when you create keys, or you can use the “Add User To Group” command to add an additional Group. |
3468 | RemoveUserAccessToKeyTable ERR [value] No entry for KeyName [value], UserName [value] | The key defined does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3471 | DeleteMirrorDefinition ERR [value] No mirror named [value] | The mirror you specified is not defined. Mirror names are case sensitive. Use the List Mirror Names command to verify the Mirror’s name. |
3473 | GetUserAccessList ERR [value] No records in DB | There are no Users defined. You can define Users when you create keys, or use the “Add User To Group” command to add an additional User. |
3476 | DeleteGroupFromGroupMember ERR [value] No entry for group name [value] | The Group you are trying to delete does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name. |
3479 | RemoveGroupAccessToKeyTable ERR [value] No entry for KeyName [value], GroupName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3487 | GetKeyAccessList ERR [value] No records in DB | There are no keys stored in the database. Use the “Create Symmetric Key” command to create one. |
3489 | RemoveKeyFromKeyAccessTable ERR [value] No entry for KeyName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3494 | GetGroupListForKey ERR [value] No records for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3498 | GetUserListForKey ERR [value] No records for key name [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3501 | GetKeyListForGroup ERR [value] No records for group name [value] | The Group you specified does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name. |
3504 | GetKeyListForUser ERR [value] No records for user name [value] | The User you have defined has no keys listed. Use the “Set User Access To Key” command to give the User access to the key. |
3507 | GetGroupListForUser ERR [value] No records for User name [value] | This User has no groups assigned to it. Use the “Add User To Group” command to add this User to a Group. |
3526 | DeleteGroupFromGroupAccess ERR [value] No entry for GroupName [value] | The Group you specified does not exist. The Group is case sensitive. Use the “Get Group Member List” command to verify the Group’s name. |
3531 | DeleteUserFromUserAccess ERR [value] No entry for UserName [value] | The User you specified does not exist. The User is case sensitive. Use the “Get User List For Group” or the “Get User List For Key” commands to verify the User’s name. |
3533 | DeleteKeyFromGroupAccess ERR [value] No entry for KeyName [value] | The key you specified does not exist. Key names are case sensitive. Use the “Display Key Name List” command to verify the key’s name. |
3557 | CrossEditRollover ERR [value] Automatic rollover specified | One or more keys have been defined with an Automatic Rollover Date. Use the “Change Rollover” command to change it to Manual. |
3575 | ExportCertificate ERR [value] fopen failed for certificate file [value] | The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” to verify the certificate’s name. |
3581 | EditCertType ERR [value] Invalid certificate type [value] | Several commands (DeleteCertificate, ExportCertificate, GetCertificateList and ImportCertificate) operate on either a CA Certificate or a Client Certificate. There is a 1-byte code in the request with the value A or C respectively. If a code other than A or C is passed this error is thrown. |
3591 | CrossEditDates ERR [value] Activation Date is after the Expiration Date | The activation date you specified comes after the currently set expiration date. Use the “Display Symmetric Key Policy” command to verify the expiration date or the “Change Expiration Date” command to adjust it. |
3610 | ReadGroupAccess ERR [value] No entry for Key name [value], GroupName [value] | The Group does not have access to the key. Use the “Set Group Access To Key” command to grant the Group access. |
3617 | ImportPrivateKey ERR [value] no overwrite for existing file [value] | You are trying to import a private key that already exists. Enable the Overwrite Existing Private Key option or import a different private key. |
3650 | DeleteCertificate ERR [value] remove failed for certificate file [value] | The certificate you specified does not exist. Certificates are case sensitive. Use the “Get Certificate List” command to verify the certificate’s name. |
3777 | EditDeleteSymKey ERR [value] Some key instances not deletable for key name [value] | You are trying to delete a key where some instances of that key are not deletable. Use the “Display Key Instance List” command to display a list of all key instances associated with a given key. Use the “Display Symmetric Key” command to view the attributes of a given key instance. Use the “Change Deletable” command to make the key instance deletable. |
3910 | ForceKeySync ERR [value] Key [value] is not enabled for mirroring | The symmetric key you are trying to mirror has not been enabled for mirroring. Use the “Change Mirror Key” command to enable the key for mirroring. |
3942 | SetMirrorAddress ERR [value] Cannot reconfigure mirror with non-zero queue size [value] | There are keys waiting to be mirrored. You need to allow the mirroring operation to complete or use the “Remove Mirror Address” to delete the configured mirror. Then use the “Set Mirror Address” command again to configure the mirror server. |
4025 | ExportSymKeyBatch ERR [value] No matching keys | The ExportSymKeyBatch command allows for the exporting of all AES keys meeting certain specified values in metadata fields. Should no keys be found matching the specified values, this error will be thrown. |
4072 | AuthAdmin ERR [value] AuthAdmin command not valid. DualKnowledgeRequired not set in conf file. | The DualKnowledgeRequired entry has not been set to Y (Yes) in the AKM configuration file. It is not necessary to authorize a second Crypto Officer before using key management commands. If you would like to authorize a second Crypto Officer for key management commands in order to satisfy requirements for dual control, see the AKM Administrative Console Guide for information on implementing dual control. |
4073 | EditAuthAdmin ERR [value] invalid minutes value [value] | The value you have entered is invalid. Use whole minutes. |
4074 | AuthAdmin ERR [value] AuthAdmin currently active, cannot reset | A dual control session has been set. This admin instance will be locked out until the other admin instance has logged in and the time period set has expired. |
4096 | ValidateAuthAdmin ERR [value] AuthAdmin window has not been set | The command you are trying to use requires that an administrator authorization time window is set. Have another administrator run the “Authorize Administrator” command. |
4110 | ChangeActivationDate ERR <%d> Activation date <%s> cannot be after or on expiration date <%s> | The activation date you are trying to set cannot be on or after the expiration date that has been set for this key. Use the “Display Symmetric Key Policy” command to view the current expiration date for that key. |
4332 | EditNumeric ERR <%d> non-numeric character <%02x> hex | Many parameters in many commands provide numeric data in ASCII format. For example, the first argument of CreateSymKey is 00584 and is the length of the data that follows. The only values that are valid for these types of fields are [0123456789]. If any other value is present, this error is thrown. The most common reason for this error is that the request buffer was not properly formatted. |
4491 | InsertEkmKey ERR <%d> sqlite3_step failed | The key <%s> already exists. |
4513 | EditHostName ERR <%d> Host name may not be all blanks | You are trying to define a mirror but have left the host name blank. The host name refers to the IP address of the mirror AKM server. |
4514 | EditMirrorPort ERR <%d> Mirror port may not be 0 | You are trying to define a mirror but have left the port number blank. The default port number for mirroring is 6003. |
4515 | EditHostName ERR <%d> Host name may not be 0.0.0.0 | You are trying to define a mirror but have set the IP to 0.0.0.0. This field needs to have a valid IP. |
4541 | DisplayEkmInfoList ERR <%d> No key names in data base | There are no EKM keys defined. Use the “Create EKM Key” command to create a key. |
4546 | EKeysSelectByName ERR <%d> No entry for key name <%s> | The DisplayEKeysPolicy command allows the admin to see the policy fields associated with an EKM key. If a KeyName is specified that does not exist, this error is thrown. |
Chapter 3: AKM Encryption Service Error Codes
The following table provides common error messages you may encounter while using the AKM Encryption Service in your application. These error codes are logged in the akmerror.log file on the AKM server.
Error | Message | Resolution |
---|---|---|
3028 | ParseDecEcbRecContinuationHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes. |
3459 | EditEobFlag | The value for the EndOfRequestFlag must be Y (yes) or N (no). |
4133 | ParseDecEcbReqHdr | PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4134 | ParseEncEcbReqHdr | PackedFlag and FinalFlag cannot both be set to Y (yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4135 | EditCipherTextFormat | The CipherTextFormat field value must be BIN, B16, or B64. |
4136 | EditFinalFlag | The value for FinalFlag must be Y (yes) or N (no). |
4137 | EditMoreBlocksFlag | The value for PackedFlag must be Y (yes) or N (no). |
4138 | EditNewKeyFlag | The value for NewKeyFlag must be Y (yes) or N (no). |
4139 | EditPaddingFlag | The value for PaddingFlag must be 1 byte: 7 (yes) or N (no). |
4140 | EditPaddingFlag | The value for NewKeyFlag must be 7 (yes) or N (no). |
4141 | EditPlainTextLen | The PlainTextLength field value must be composed of numeric characters. |
4145 | ParseEncEcbReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again. |
4146 | ParseEncEcbReqHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes. |
4468 | EditPlainTextFormat | The PlainTextFormat field value must be BIN, B16, or B64. |
4469 | ParseDecEcbReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again. |
4470 | ParseDecEcbReqHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes. |
4472 | ParseDecEcbReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4473 | EditCipherTextLen | The CipherTextLength cannot be set to 0 bytes. |
4474 | ParseEncCbcReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again. |
4475 | ParseEncCbcReqHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes. |
4476 | ParseEncCbcReqHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4553 | ParseDecCbcReqHdr | You probably sent your request with the NewKeyFlag set to N (no). The NewKeyFlag is set to N when you send a series of encryption requests that use the same key repeatedly. NewKeyFlag must be set to Y on the first request. Set the flag to Y, specify the key name, and try again. |
4554 | ParseDecCbcReqHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes. |
4555 | ParseDecCbcReqHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4556 | ParseDecEcbReqContinuationHdr | The length of the CipherText field is larger than the maximum allowed. For best results, limit the length of ciphertext to 16,272 bytes. |
4557 | ParseDecCbcReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4560 | ParseDecEcbReqContinuationHdr | The CipherTextLength cannot be set to 0 bytes. |
4561 | ParseDecEcbReqContinuationHdr | The CipherTextLength cannot be set to 0 bytes. |
4562 | ParseEncEcbReqHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding. |
4563 | ParseDecCbcReqHdr | The CipherTextLength cannot be set to 0 bytes. |
4564 | ParseDecEcbReqHdr | The CipherTextLength cannot be set to 0 bytes. |
4565 | ParseEncCbcReqHdr | The CipherTextLength cannot be set to 0 bytes. |
4566 | ParseEncEcbReqHdr | The PlainTextLength cannot be set to 0 bytes. |
4567 | ParseEncCbcReqHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding. |
4568 | ValidatePadding | The padding value must be in the range of hex 0x01 to 0x10. If you provide padding yourself in your application, make sure to use PKCS #7 padding. |
4569 | ValidatePadding | If plaintext is a multiple of 16 and padding is requested, 16 bytes of padding will be added. The minimum length of ciphertext will be 32 bytes. Make sure you have the correct length of ciphertext. |
4570 | ValidatePadding | If you provide padding in your application, you must provide PKCS #7 padding. If you provided another form of padding, it will not be recognized as valid. |
4598 | ParseEncEcbReqContinuationHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes. |
4599 | ParseEncEcbReqContinuationHdr | The PlainTextLength cannot be set to 0 bytes. |
4600 | ParseEncEcbReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4601 | ParseEncEcbReqContinuationHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding. |
4602 | ParseEncCbcReqContinuationHdr | The length of the PlainText field is larger than the maximum allowed. For best results, limit the length of plaintext to 16,272 bytes. |
4603 | ParseEncCbcReqContinuationHdr | The PlainTextLength cannot be set to 0 bytes. |
4604 | ParseEncCbcReqContinuationHdr | If Padding is set to N on an encryption request, then the PlainTextLength must be a multiple of 16 bytes. If the length of plaintext to be encrypted is not a multiple of 16 bytes, set PaddingFlag to 7 (Yes) and the AKM server will provide PKCS #7 padding. |
4605 | ParseEncCbcReqContinuationHdr | PackedFlag and FinalFlag cannot both be set to Y (Yes) in this request. If FinalFlag is set to Y, the server will end the session after the response to this request is sent. If PackedFlag is set to Y, you indicate to the server that it should pack the responses, implying that more requests will be sent. Therefore, the session must remain open. |
4606 | EditNewIvFlag | The value for NewIVFlag must be Y or N. |
4607 | ParseEncCbcReqHdr | If NewKeyFlag is set to Y, then NewIVFlag must also be set to Y. |
4658 | ParseDecEcbReqHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext. |
4659 | ParseDecCbcReqHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext. |
4660 | ParseDecEcbReqContinuaationHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext. |
4661 | ParseDecCbcReqContinuationHdr | The length of ciphertext should be a multiple of 16 bytes. Make sure you are not accidentally truncating or augmenting the ciphertext. |
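
The encryption-request rules in the table above can be checked on the client before a request is sent. The following Python is an added example, not Townsend Security code: the field names and error codes come from the table, while the dictionary layout, the function names, and the use of 16,272 bytes as the cut-off are assumptions.

```python
# Added example: pre-flight check of encryption request fields against the
# rules in the Chapter 3 table. Field names and error codes come from that
# table; the dict layout and function names are hypothetical and are not
# the AKM wire format or any Townsend Security API.

AES_BLOCK = 16
RECOMMENDED_MAX_LEN = 16272  # the guide's recommended limit, used here as the cut-off
FORMATS = ("BIN", "B16", "B64")

# Codes that differ between the ECB and CBC encryption request headers.
MODE_CODES = {
    "ECB": {"both_flags": 4134, "too_long": 4146, "zero_len": 4566, "unpadded": 4562},
    "CBC": {"both_flags": 4476, "too_long": 4475, "zero_len": 4565, "unpadded": 4567},
}


def check_encrypt_request(req, mode):
    """Return [(error_code, reason), ...] for every documented rule req breaks.

    The order in which the server applies its checks is not documented, so
    all violations are reported rather than only the first.
    """
    codes = MODE_CODES[mode]
    problems = []

    # Single-field edits: each flag accepts exactly two values.
    flag_fields = [("FinalFlag", 4136), ("PackedFlag", 4137), ("NewKeyFlag", 4138)]
    if mode == "CBC":
        flag_fields.append(("NewIVFlag", 4606))
    for field, code in flag_fields:
        if req.get(field) not in ("Y", "N"):
            problems.append((code, f"{field} must be Y or N"))
    if req.get("PaddingFlag") not in ("7", "N"):
        problems.append((4139, "PaddingFlag must be 7 or N"))
    if req.get("PlainTextFormat") not in FORMATS:
        problems.append((4468, "PlainTextFormat must be BIN, B16, or B64"))

    # Cross-field rules.
    if req.get("PackedFlag") == "Y" and req.get("FinalFlag") == "Y":
        problems.append((codes["both_flags"], "PackedFlag and FinalFlag are both Y"))
    if mode == "CBC" and req.get("NewKeyFlag") == "Y" and req.get("NewIVFlag") != "Y":
        problems.append((4607, "NewKeyFlag is Y, so NewIVFlag must also be Y"))

    # Length rules need a usable number, so stop here if the field is not numeric.
    text = str(req.get("PlainTextLength", ""))
    if not text or any(ch not in "0123456789" for ch in text):
        problems.append((4141, "PlainTextLength must be numeric characters"))
        return problems
    length = int(text)
    if length == 0:
        # The table words the CBC row (4565) as CipherTextLength.
        problems.append((codes["zero_len"], "length cannot be 0 bytes"))
    elif length > RECOMMENDED_MAX_LEN:
        problems.append((codes["too_long"], "PlainText longer than 16,272 bytes"))
    elif req.get("PaddingFlag") == "N" and length % AES_BLOCK != 0:
        problems.append((codes["unpadded"], "unpadded length must be a multiple of 16"))
    return problems


def pkcs7_padded_len(plaintext_len):
    """Length after PKCS #7 padding: between 1 and 16 bytes are always added."""
    return (plaintext_len // AES_BLOCK + 1) * AES_BLOCK


# Constructed sample requests (not captured traffic).
GOOD = {"FinalFlag": "Y", "PackedFlag": "N", "NewKeyFlag": "Y", "NewIVFlag": "Y",
        "PaddingFlag": "7", "PlainTextFormat": "BIN", "PlainTextLength": "00100"}
BAD = dict(GOOD, PackedFlag="Y", NewIVFlag="N", PaddingFlag="N")

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        for mode in ("ECB", "CBC"):
            print(name, mode, check_encrypt_request(req, mode))
    print("16-byte plaintext pads to", pkcs7_padded_len(16), "bytes")
```

The padded-length helper reflects the rule behind error 4569: a plaintext that is already a multiple of 16 bytes gains a full 16-byte padding block.
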
Chapter 4: AKM Client Error Codes
The following table provides common error messages you may encounter while using the AKM Client Library for Windows or AKM Key Connection for SQL Server. These Key Client errors represent AKM error codes received from the server and reported to the client. Other Key Client errors are possible. The error codes will match error codes found in the akmerror.log file on the AKM server; however, the exception message may be different.
Based on the server error code, one of these client-side exceptions is raised:
- KeyAccessDeniedException
- KeyExpiredException
- KeyNotFoundException
- KeyRevokedException
- ServerException
- ServerFailureException
These errors are reported directly to the Windows client, and indirectly by Key Connection for SQL Server (the message text is logged, but not returned to the SQL application, a SQL Server limitation).
Error Code | Exception Class | Exception Message |
---|---|---|
3114 | KeyExpiredException | Key ‘{0}’ instance ‘{1}’ has expired. |
3115 | KeyRevokedException | Key ‘{0}’ instance ‘{1}’ is revoked. |
3275 | KeyNotFoundException | Key name “{0}” not found on the key server. |
3391 | KeyAccessDeniedException | Access to key ‘{0}’ instance ‘{1}’ is denied. |
3440 | KeyNotFoundException | Key name “{0}” not found on the key server. |
3572 | | Key permissions for requested key are not sufficient, often seen with code 3391. |
3610 | KeyAccessDeniedException | Access to key ‘{0}’ instance ‘{1}’ is denied. |
3713 | ServerException | Key server is shutting down. Key server error {0}. |
3714 | ServerException | Key server is shutting down. Key server error {0}. |
3774 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}. |
3775 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}. |
3993 | ServerException | Crypto Officer certificate is not allowed on key retrieval port. Request id {0}. Key server error {1}. |
4122 | ServerException | Key server is shutting down. Key server error {0}. |
4123 | ServerException | Request {0} is not a supported feature for the installed version of the key server. Key server error {1}. |
4444 | KeyNotFoundException | Provider key ‘{0}’ not found. Key server error {1}. |
4450 | KeyNotFoundException | Provider key not found using key thumbprint 0x{0} ‘{1}’. Key server error {2}. |
4505 | KeyNotFoundException | Provider key ‘{0}’ not found. Key server error {1}. |
Chapter 5: RSA Keys Error Codes
The following table provides common error messages you may encounter while working with asymmetric RSA keys. These error codes are logged in the akmerror.log file on the AKM server.
Error Code | Exception Class | Exception Message |
---|---|---|
4703 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4704 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4705 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document. |
4706 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work. |
4707 | Key not yet active. | Use the appropriate “activate key” function to make the key active. |
4708 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer. |
4709 | Key has expired. | Use a different key as this key has reached the end of its specified life. |
4728 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work. |
4734 | Key not yet active. | Use the appropriate “activate key” function to make the key active. |
4735 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer. |
4736 | Key has expired. | Use a different key as this key has reached the end of its specified life. |
4737 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4742 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work. |
4743 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4757 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4758 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4759 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document. |
4760 | Key name and instance cannot both be blank. | Send either a key name or an instance for the command to work. |
4761 | Key not yet active. | Use the appropriate “activate key” function to make the key active. |
4762 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer. |
4763 | Key has expired. | Use a different key as this key has reached the end of its specified life. |
4878 | Key not yet active. | Use the appropriate “activate key” function to make the key active. |
4879 | Key has been revoked. | Use a different key as this key has been revoked by a crypto officer. |
4880 | Key has expired. | Use a different key as this key has reached the end of its specified life. |
4482 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4883 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document. |
4884 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document. |
4892 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4882 | Invalid transaction length. | Verify the command you are sending to AKM against the relevant API document. |
4483 | Cryptographic error on AKM. Consult akmerror.log | Contact Townsend Security support for help resolving this error. |
4916 | DeleteRsaKeyPairMirrorFlagsDiffer | The mirror flag settings are not the same for both the public and private keys in a pair. The pair cannot be deleted, but the public or private key may be deleted separately. |
4917 | RsaKeyInstanceAndTypeMismatch | The RSA key type does not match the instance value supplied for DisplayRsaKeyPolicy by instance only. |
Any other non-zero error code | ServerFailureException | Key server response {0} contains an unanticipated error code {1}. Please report this to Townsend Security. |