KB #240148: Testing EKM Server to EKM Client connectivity

Type:

Information

Summary:

You have a service or application secured with an encryption key that is retrieved from the Encryptionizer Key Manager (EKM) server, but the key does not appear to be delivered when the service or application starts up, resulting in inaccessible encrypted data. Or your EKM server does not “see” the client machine as active. This article reviews some troubleshooting steps you can take to determine whether there is proper connectivity between the EKM Server and the EKM client.

Additional Information:

Inaccessible encrypted data can have several causes. Review this KnowledgeBase article for the other reasons your encrypted data might not be accessible.
KB #240102: Encrypted Databases not accessible

If you have not seen it already, you should also review this KnowledgeBase article on other troubleshooting steps regarding the EKM client.
KB #240147: EKM client not retrieving key

The EKM Server and client communicate via SSL on specialized ports. Typically, “pinging” alone may not be enough to test connectivity. Here are some tests that you can perform to determine what the issue may be:

Are important services running on the EKM client machine?

  • Test that the Encryptionizer Key Management Service is running: sc query nlcbtask
  • Test that the Encryptionizer Key Manager Client Service is running: sc query nlmclient

The results should all return Status: RUNNING

Are important services running on the EKM Server?

  • Test that the Encryptionizer Key Management service is running: sc query nlcbtask
  • Test that the EKM Server Database instance is running: sc query mssql$eem01
  • Test that the Encryptionizer Key Manager Server service is running: sc query nlmserver

The results should all return Status: RUNNING

Testing EKM Client communicating with the EKM Server – Test 1

  • If you have determined that all services are up and running, the next step is to check if the Client service can “see” the EKM Server
  • Note: A regular ping is insufficient because the client and server communicate on a specific port
  • Download this special EKM Client diagnostic
  • Copy this file to the EEM folder of the Encryptionizer install folder on the client machine (default: C:\Program Files (x86)\NetLib\SECSQL\EEM)
  • From a Command Window, navigate to the EEM folder as described above
  • Run the following command: EKMClientDiag /PING
  • This diagnostic will test the connections to the EKM Server, and Backup EKM server if configured, as well as the Activation status of this machine on the EKM Server reached first. It will return the results which may look like this:

    Running diagnostic utility.

    Primary server: https://192.999.999.999:19032/
    Response returned: 200, OK.Connection: Success

    Backup server: https://192.999.999.999:19032/
    Exception returned: The operation has timed out. Connection: Failed

    Client=NetLibManagerCommunication.Host
    Checking activation on: https://192.999.999.999:19032/
    Client: Activated

    Diagnostic utility finished.

  • In our example above, the primary server was reachable and the client could connect to it. The Backup server was down and therefore not reachable.

Testing EKM Client communicating with the EKM Server – Test 2

  • If you are getting Connection: Failed in Test 1, the next step is to use a browser to test whether you can reach the machine via the specified port at all.
  • You need to determine the IP address and port that the client machine uses to communicate with the EKM Server
  • You will find the values in NLMCLIENT.INI (in C:\Program Files (x86)\NetLib\SECSQL\EEM)
  • From your client machine, open a web browser and use the IP address and port from NLMCLIENT.INI, for example https://192.168.99.999:19032/ (19032 is the default value on the server side – you may have changed it)
  • If the server is accessible from the client, you should get to a safety warning screen. Click the Advanced button and then continue to the site. The resulting screen should have the header “Server Service”
  • If you have configured a Backup EKM server when you installed the EKM client, you will find this information as well in the INI file, and you can test that connection similarly.

Testing EKM Client communicating with the EKM Server – Test 3

  • If you found that Test 1 fails while Test 2 succeeds, you might have an issue with TLS settings. Please view the EKM-INSTALL.PDF document that was installed with your EKM Server and see Appendix 1. If your system is restricted to only use TLS 1.2, you must perform a post-installation step on the EKM Server and the EKM client.
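
The client-side checks from the service test and Tests 2 and 3 can be scripted; the following is an added example, not NetLib code and not part of the original article. It assumes the default install path given above and that NLMCLIENT.INI holds its endpoints as https://host:port URLs; the variable names are illustrative.

```powershell
# Added example, not NetLib code. Run on the EKM client machine; the INI is only read.
param([string]$IniPath = 'C:\Program Files (x86)\NetLib\SECSQL\EEM\NLMCLIENT.INI')

# Services the article says must report RUNNING on the client.
foreach ($name in 'nlcbtask', 'nlmclient') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'NOT INSTALLED' }
    '{0,-10} {1}' -f $name, $state
}

# Assumption: endpoints appear in the INI as https://host:port URLs. This also
# picks up BaseAddress2, which is the client's own listener, not a server.
$endpoints = Select-String -Path $IniPath -Pattern 'https://([^:/\s]+):(\d+)' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { [pscustomobject]@{ Server = $_.Groups[1].Value; Port = [int]$_.Groups[2].Value } } |
    Sort-Object Server, Port -Unique

# The EKM endpoints present a certificate the browser warns about, so this probe
# accepts any certificate. It only completes a handshake and sends no data.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

foreach ($ep in $endpoints) {
    $row = [ordered]@{ Endpoint = "$($ep.Server):$($ep.Port)"; Tcp = 'Failed: timed out'; Tls12 = 'not tested' }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Test 2 equivalent: is the port reachable at all (5 second limit)?
        if ($tcp.ConnectAsync($ep.Server, $ep.Port).Wait(5000)) {
            $row.Tcp = 'Success'
            # Test 3 equivalent: does a handshake restricted to TLS 1.2 complete?
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
            try {
                $ssl.AuthenticateAsClient($ep.Server, $null,
                    [System.Security.Authentication.SslProtocols]::Tls12, $false)
                $row.Tls12 = 'Success'
            } catch {
                $row.Tls12 = "Failed: $($_.Exception.GetBaseException().Message)"
            } finally { $ssl.Dispose() }
        }
    } catch {
        $row.Tcp = "Failed: $($_.Exception.GetBaseException().Message)"
    } finally { $tcp.Close() }
    [pscustomobject]$row
}
```

A row with Tcp Success and Tls12 Failed is consistent with the TLS settings case in Test 3; a row with Tcp Failed points to a network or firewall problem between the two machines.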

Testing EKM Server communicating with the EKM client – Test 4

  • If you have not configured the EKM client so that you can control the client from the EKM server, then you cannot continue with this test.
  • If you have configured the EKM client so that you can control the client from the EKM server, you will see a value in the DNS column under the Explore Clients option from the Main Menu. If you have not been able to get the Client machine to appear on the list in the first place, you can determine the client address and port by viewing NLMCLIENT.INI on the client machine and noting the entry for BaseAddress2 (Note: Do not change any values in the INI file. They are generated automatically by the configuration step)
  • If there is a value in that DNS column (or you have found BaseAddress2), open a web browser on the EKM server, and enter the address from the 3rd column for the machine, for instance: https://192.168.36.152:19033/
  • If the IP address and port are accessible, the machine will respond with a warning screen that your connection is not private, from which you can click the Advanced button at the bottom of the screen and then Continue to (IP address)
  • You will then see a screen with some code on it and the banner header: Client Service.
  • If the client is not reachable, you would get a message that the site could not be reached.

If you have trouble with either of these, there is possibly a networking problem outside of Encryptionizer.

Also, check on the backup EKM server whether the same issue exists, that is, whether the Client appears to be offline (marked with !) in the Manage Client screens. A situation where the machine appears properly on one server but not the other also usually indicates a networking issue.

Related Topics:

KB #240102: Encrypted Databases not accessible
KB #240147: EKM client not retrieving key
