Collect Logs for Troubleshooting HSM and SSM Issues in FAN Networks

Introduction

This document describes the troubleshooting logs needed from HSM and SSM components of the Field Area Network (FAN) solution.

Hardware Security Module (HSM)

Hardware Security Modules (HSM) are available in three forms: appliance, PCI card, and cloud offering. Most deployments opt for the appliance version.

Software Security Modules (SSM)

Software Security Modules (SSM), on the other hand, are software packages that serve a similar purpose to HSM. They are bundled with FND software and provide a simple alternative to the appliance.

It is important to note that both HSM and SSM are optional components in FND deployments and are not mandatory.

Required logs for HSM issues

1. Output of the following:
1. /usr/safenet/lunaclient/bin/vtl verify
2. /usr/safenet/lunaclient/bin/vtl listServers
3. /usr/safenet/lunaclient/bin/vtl listSlots
4. /usr/safenet/lunaclient/bin/vtl supportInfo (This generates a file called c_supportInfo.txt, in the same directory /usr/safenet/lunaclient/bin/)
5. /usr/safenet/lunaclient/bin/cmu list (it asks for a password; the password is the same as the password for the partition)
6. rpm -qa | grep -i luna
7. /etc/Chrystoki.conf file
2. Navigate to Admin -> Certificates in the FND GUI to validate if the CSMP certificate is present. Capture an image (screenshot) of this page.
3. Server.log file located at /opt/cgms/server/cgms/log, There is no need to turn on any specific debug for logging or the entire logs bundle.
4. Enable cklog by using /usr/safenet/lunaclient/bin/vtl cklogsupport enable, then issue some command like /usr/safenet/lunaclient/bin/vtl/ verify . A file is generated in the/tmp location. Copy of this file. /tmp/cklog.txt
5. Output of the following:

ls -al /usr/safenet/lunaclient/jsp/lib/ | grep -e libLunaAPI.so -e LunaProvider.jar
ls -al /opt/cgms/jre/lib/ext/ | grep -e libLunaAPI.so -e LunaProvider.jar
ls -al /opt/cgms-tools/jre/lib/ext | grep -e libLunaAPI.so -e LunaProvider.jar
ls -al /opt/cgms/safenet | grep -e libLunaAPI.so -e LunaProvider.jar
ls -al /opt/cgms-tools/safenet | grep -e libLunaAPI.so -e LunaProvider.jar

6. Output of

service cgms status

Required logs for SSM issues

1. Is SSM running on the FND server or as a separate standalone server?
2. The output of /opt/cgms-ssm/log/ssm.log (log of the SSM service)
3. Output of /opt/cgms-ssm/log/ssm-setup.log (log of the ssm_setup.sh script)
4. /opt/cgms-ssm/log/ssm.out : Log all SSL transactions when DEBUG_SSL=true option is set in /opt/cgms-ssm/bin/ssm.conf file. Useful to troubleshoot the HTTPS session between FND and SSM.
5. The output of Admin → Certificate for CSMP screenshot
6. Output of cgms.properties at /opt/cgms/server/cgms/conf directory