AES GCM encryption error in Key Manager logs

If you see the following error in your Key Manager (KM) logs during a network outage, or while there is a connectivity issue between the KM and the Hardware Security Module (HSM), it may have been triggered by a disconnected HSM session (Figure 1):

ERROR [com.symphony.keymanager.web.servlets.KeysMeServlet] (https-jsse-nio-8443-exec-13) Processing error: com.symphony.security.exceptions.SymphonyEncryptionException: Error during AES GCM encryption

Figure 1 Error


If you look further into the logs, you will find the following error, which indicates that the HSM session is invalid or has expired (Figure 2):

Caused by: com.safenetinc.jcprov.CKR_Exception: C_DecryptInit rv=0xb3 - CKR_SESSION_HANDLE_INVALID

Figure 2 Error


By default, a KM opens 5 sessions to the HSM. When an error occurs, it can be difficult to tell from the logs which session is affected. The cause is most likely that one of these 5 sessions has been dropped on the HSM side, but the KM is unaware of this and therefore keeps the connection and continues to use the stale session handle.
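To spot this condition in KM logs without reading every stack trace by hand, here is an added Python example (not Symphony's code) that pairs each "Error during AES GCM encryption" line with the PKCS#11 "Caused by" line beneath it and flags the CKR_SESSION_* cases; the log excerpt, timestamps and stack-frame names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed KM log excerpt (not from a real deployment): two AES GCM failures,
# only the first of which is rooted in an invalid HSM session handle.
SAMPLE_KM_LOG = """\
2024-01-01 10:00:01 ERROR [com.symphony.keymanager.web.servlets.KeysMeServlet] (https-jsse-nio-8443-exec-13) Processing error: com.symphony.security.exceptions.SymphonyEncryptionException: Error during AES GCM encryption
\tat com.example.Frame.call(Frame.java:1)
Caused by: com.safenetinc.jcprov.CKR_Exception: C_DecryptInit rv=0xb3 - CKR_SESSION_HANDLE_INVALID
2024-01-01 10:00:09 ERROR [com.symphony.keymanager.web.servlets.KeysMeServlet] (https-jsse-nio-8443-exec-7) Processing error: com.symphony.security.exceptions.SymphonyEncryptionException: Error during AES GCM encryption
Caused by: com.safenetinc.jcprov.CKR_Exception: C_EncryptInit rv=0x30 - CKR_DEVICE_ERROR
"""

GCM_ERROR = re.compile(r"ERROR \[[^\]]+\] \((?P<thread>[^)]+)\) Processing error: .*Error during AES GCM encryption")
PKCS11_CAUSE = re.compile(r"Caused by: \S+: (?P<func>C_\w+) rv=(?P<rv>0x[0-9a-fA-F]+) - (?P<name>CKR_\w+)")


@dataclass
class GcmFailure:
    thread: str                       # servlet worker thread that hit the error
    cause_func: Optional[str] = None  # failing PKCS#11 call, e.g. C_DecryptInit
    cause_rv: Optional[int] = None    # PKCS#11 return value, e.g. 0xb3
    cause_name: Optional[str] = None  # symbolic CKR_* name from the log line

    @property
    def stale_hsm_session(self) -> bool:
        # CKR_SESSION_* means the KM reused a session handle the HSM no longer recognises
        return bool(self.cause_name and self.cause_name.startswith("CKR_SESSION_"))


def scan_km_log(text: str) -> List[GcmFailure]:
    """Pair each 'Error during AES GCM encryption' line with the innermost
    PKCS#11 'Caused by' line of the stack trace that follows it."""
    failures: List[GcmFailure] = []
    current: Optional[GcmFailure] = None
    for line in text.splitlines():
        m = GCM_ERROR.search(line)
        if m:
            current = GcmFailure(thread=m.group("thread"))
            failures.append(current)
        elif (m := PKCS11_CAUSE.search(line)) and current is not None:
            current.cause_func = m.group("func")
            current.cause_rv = int(m.group("rv"), 16)
            current.cause_name = m.group("name")
        elif not (line[:1].isspace() or line.startswith("Caused by:")):
            current = None  # a new top-level log line ends the stack trace
    return failures


def stale_session_failures(text: str) -> List[GcmFailure]:
    return [f for f in scan_km_log(text) if f.stale_hsm_session]
```

Run it over the full KM log rather than the sample; a non-empty result from `stale_session_failures` is the signal that the KM is holding a session the HSM has already dropped.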


Note: HSMs have their own internal logs. One of them records established and disconnected sessions. Your HSM team can check those logs for more detail during an internal investigation.


If you experience this error, compose an email and send the logs to the Symphony Support team at support@symphony.com.


Note: If the files are too large to email, inform the Symphony Support team. They can arrange to receive them through a secure file transfer site, Filevault.


Note: On the KM side, recovery could take around 6 hours; alternatively, on-prem KMs can be manually restarted to speed up this process.