Type:
Information
Summary:
You have a service or application secured with an encryption key that is retrieved from the Encryptionizer Key Manager server, but the key does not appear to be delivered when the service or application starts up, resulting in inaccessible encrypted data. Or your EKM server does not “see” the client machine as active. This article reviews some troubleshooting steps you can take to determine whether there is proper connectivity between the EKM Server and the EKM client.
Additional Information:
Inaccessible encrypted data can be caused by different reasons. Review this KnowledgeBase article to see the other reasons your encrypted data might not be accessible.
KB #240102: Encrypted Databases not accessible
If you have not seen it already, you should also review this KnowledgeBase article on other troubleshooting steps regarding the EKM client.
KB #240147: EKM client not retrieving key
The EKM Server and client communicate via SSL on specialized ports. Typically “pinging” alone may not be enough to test connectivity. Here are some tests that you can perform to determine what the issue may be:
Are important services running on the EKM client machine?
- Test that the Encryptionizer Key Management Service is running:
sc query nlcbtask
- Test that the Encryptionizer Key Manager Client Service is running:
sc query nlmclient
The results should all return Status: RUNNING
Are important services running on the EKM Server?
- Test that the Encryptionizer Key Management service is running:
sc query nlcbtask
- Test that the EKM Server Database instance is running:
sc query mssql$eem01
- Test that the Encryptionizer Key Manager Server service is running:
sc query nlmserver
The results should all return Status: RUNNING
Testing EKM Client communicating with the EKM Server – Test 1
- If you have determined that all services are up and running, the next step is to check if the Client service can “see” the EKM Server
- Note: A regular ping is insufficient as they communicate on a specific port
- Download this special EKM Client diagnostic
- Copy this file to the EEM folder of the Encryptionizer install folder on the client machine (default: C:\Program Files (x86)\NetLib\SECSQL\EEM)
- From a Command Window, navigate to the EEM folder as described above
- Run the following command:
EKMClientDiag /PING
- This diagnostic will test the connections to the EKM Server, and the Backup EKM server if configured, as well as the Activation status of this machine on the EKM Server reached first. It will return results that may look like this:
Running diagnostic utility.
Primary server: https://192.999.999.999:19032/
Response returned: 200, OK.
Connection: Success
Backup server: https://192.999.999.999:19032/
Exception returned: The operation has timed out.
Connection: Failed
Client=NetLibManagerCommunication.Host
Checking activation on: https://192.999.999.999:19032/
Client: Activated
Diagnostic utility finished.
- In the example above, the primary server was reachable and the client could connect to it. The Backup server was down and therefore not reachable.
Testing EKM Client communicating with the EKM Server – Test 2
- If you are getting Connection: Failed in Test 1, then next we can use a browser to test if you are able to reach the machine via the specified port at all.
- You need to determine the IP address and port that the client machine uses to communicate with the EKM Server.
- You will find the values in NLMCLIENT.INI (in C:\Program Files (x86)\NetLib\SECSQL\EEM).
- From your client machine, open a web browser and use the IP address and port from NLMCLIENT.INI, for example https://192.168.99.999:19032/ (19032 is the default value on the server side – you may have changed it)
- If the server is accessible from the client, you should get to a safety warning screen. Click the Advanced button and then continue to the site; the resulting screen header should say “Server Service”.
- If you have configured a Backup EKM server when you installed the EKM client, you will find this information as well in the INI file, and you can test that connection similarly.
Testing EKM Client communicating with the EKM Server – Test 3
- If you found that you were failing with Test 1 and succeeding on Test 2, you might have an issue with TLS settings. Please view the EKM-INSTALL.PDF document that was installed with your EKM Server and see Appendix 1. If your system is restricted to only use TLS 1.2, you must perform a post installation step on the EKM Server and the EKM client.
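The following PowerShell script is an added example, not a NetLib utility, that automates the client-side checks from Tests 1 to 3 in one pass: it verifies the two client services named above are RUNNING, then probes the EKM Server port first with a plain TCP connect (what Test 2 needs) and then with a TLS 1.2-only handshake, so that a reachable port with a failing TLS negotiation (the Test 3 case) shows up as a distinct result. The server address and port are assumed parameters; take the real values from NLMCLIENT.INI.

```powershell
# Added example (not NetLib's code). Assumes the EKM Server address/port are passed in;
# the defaults below are placeholders in the style of this article, not real values.
param(
    [string]$ServerHost = '192.168.99.999',   # placeholder: copy the value from NLMCLIENT.INI
    [int]$ServerPort    = 19032               # server-side default named in this article
)

# Stage 1: the client services this article says must be RUNNING
foreach ($name in 'nlcbtask', 'nlmclient') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc)                  { Write-Warning "Service $name is not installed" }
    elseif ($svc.Status -ne 'Running')   { Write-Warning "Service $name is $($svc.Status), expected Running" }
    else                                 { Write-Host    "Service $name : Running" }
}

# Stage 2: plain TCP connect. If this fails, the browser test (Test 2) will fail too,
# and the cause is routing or a firewall rule rather than TLS.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ServerHost, $ServerPort)
    Write-Host "TCP ${ServerHost}:${ServerPort} : reachable"
} catch {
    Write-Warning "TCP ${ServerHost}:${ServerPort} : unreachable ($($_.Exception.Message)); check routing and firewall rules"
    $tcp.Dispose()
    return
}

# Stage 3: TLS 1.2-only handshake. The EKM Server presents a certificate the browser
# does not trust (hence the warning screen in Test 2), so certificate validation is
# skipped here on purpose: this is a connectivity probe, not a trust decision.
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($ServerHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    Write-Host "TLS handshake: OK ($($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm))"
    Write-Host "Port is reachable and TLS 1.2 negotiates; if EKMClientDiag /PING still reports Connection: Failed, review the client-side TLS settings"
} catch {
    Write-Warning "TLS 1.2 handshake failed: $($_.Exception.Message)"
    Write-Warning "Port is reachable but TLS does not negotiate; see EKM-INSTALL.PDF Appendix 1 (Test 3)"
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it from an elevated Command Window on the client machine, for example `powershell -File .\Test-EkmClient.ps1 -ServerHost 192.168.1.20 -ServerPort 19032` (file name and values are your own).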
Testing EKM Server communicating with the EKM client – Test 4
- If you have not configured the EKM client so that you can control the client from the EKM server, then you cannot continue with this test.
- If you have configured the EKM client so that you can control the client from the EKM server, you will see a value in the DNS column under the Explore Clients option from the Main Menu. If you have not been able to get the Client machine to even appear on the list in the first place, you can determine the client address and port by viewing the NLMCLIENT.INI from the client machine and make note of the entry for BaseAddress2 (Note: Do not change any values in the INI file. They are generated automatically by the configuration step)
- If there is a value in that DNS column (or you have found BaseAddress2), open a web browser on the EKM server, and enter the address from the 3rd column for the machine, for instance: https://192.168.36.152:19033/
- If the IP address and port are accessible, the machine will respond with a warning screen that your connection is not private, from which you can click the Advanced button at the bottom of the screen and then Continue to (IP address).
- You will then see a screen with some code on it, with the banner header: Client Service.
- If the client is not reachable, you would get a message that the site could not be reached.
If you have trouble with either of these, there is possibly a networking problem outside of Encryptionizer. Also consider if a firewall rule was not added or improperly configured for the IP address and port.
Testing EKM Server connectivity to EKM client – Test 5
- We have a special diagnostic which will examine multiple aspects of the EKM server and its connectivity
- Download this special EKM Server Diagnostic (NLMSERVERSTATUS)
- Copy this file to the EEM folder of the Encryptionizer install folder on the client machine (default: C:\Program Files (x86)\NetLib\SECSQL\EEM)
- From a Command Window with Run as Administrator option, navigate to the EEM folder as described above
- Run the following command:
NLMSERVERSTATUS
- This diagnostic will collect the registered clients, test connectivity with the other EKM node if there is one, collect information about the registered clients, and test network connectivity and the connection to the ekmclient service on the client machines. The results may look like this:
Database Connected.
EKM Server
-------------------------
Function : Primary
IP of this server : https://192.999.999.998:19032/
IP of other server : https://192.999.999.999:19032/
Other server status : NOT reachable
Replication count : 59,516
History count : 5,614
File Sizes
-------------------------
EEM.mdf Logical: 4,263,936 OnDisk: 4,263,936
EEM_History.mdf Logical: 12,652,544 OnDisk: 12,652,544
EEM_History_log.ldf Logical: 806,912 OnDisk: 806,912
EEM_log.ldf Logical: 806,912 OnDisk: 806,912
EEM_Replicate.mdf Logical: 19,992,576 OnDisk: 19,992,576
EEM_Replicate_log.ldf Logical: 2,953,216 OnDisk: 2,953,216
EEM_Update.mdf Logical: 3,215,360 OnDisk: 3,215,360
EEM_Update_log.ldf Logical: 806,912 OnDisk: 806,912
Clients
-------------------------
Name HostId IPAddress DNS Status more info
WINMACHINE1 b9f8247b-16f3-4bf2-b08a-4d875ae3c77d 192.999.999.10 https://192.999.999.10:19034/ 0 …
WINMACHINE2 18ded41f-9e76-4933-9b42-7cd6de5d5114 192.999.999.11 https://192.999.999.11:19034/ 1025 …
WINMACHINE3 99e5869d-cc0b-4f5e-998a-ca4e791a23bc 192.999.999.12 1025 …
Client Connectivity
-------------------------
WINMACHINE1 192.999.999.10 API Connection: unreachable HTTP Connection: The operation has timed out
WINMACHINE2 192.999.999.11 API Connection: unreachable HTTP Connection: CONNECTED
WINMACHINE3 192.999.999.12 API Connection: No DNS HTTP Connection: No DNS
- Looking at the Client Connectivity section near the bottom, you can see that for one of the machines, WINMACHINE1, the EKM server could not reach it at all. WINMACHINE2 could be reached with an HTTPS connection, but the ekmclient software service could not connect. This could suggest an incompatibility with TLS. See the documentation about TLS settings. The third client did not have a DNS IP address defined, so a connection was not attempted.
Also check on the backup EKM server whether the same issue exists, where the Client appears to be offline (marked with !) in the Manage Client screens. A situation where the machine appears properly on one server but not the other also usually indicates a networking issue.
Related Topics:
KB #240102: Encrypted Databases not accessible
KB #240147: EKM client not retrieving key