Troubleshooting AES GCM encryption errors in Key Manager logs

If the following error appears in your Key Manager (KM) logs during a network outage or a connectivity issue between the Key Manager and the Hardware Security Module (HSM), it may have been triggered by a session that the HSM disconnected:

ERROR [com.symphony.keymanager.web.servlets.KeysMeServlet] (https-jsse-nio-8443-exec-13) Processing error: com.symphony.security.exceptions.SymphonyEncryptionException: Error during AES GCM encryption

 

If you look further into the logs, you will see the following error, which indicates that the session is invalid or expired:

Caused by: com.safenetinc.jcprov.CKR_Exception: C_DecryptInit rv=0xb3 - CKR_SESSION_HANDLE_INVALID

 

By default, a KM opens 5 sessions to the HSM. When an error occurs, it can be difficult to identify from the logs where the error is located. The cause of the error will be that one of these 5 sessions has been disconnected by the HSM, but the KM is unaware of this and therefore retains the connection.

If you experience this issue and need to raise a Service Request to resolve it, providing the Support team with information you can obtain from the logs will help resolve this issue much faster.
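As an added example (not Symphony tooling), the following Python script collects that information from a KM log: it pairs each AES GCM error record with its CKR_Exception cause and reports the affected threads and the time window, which the HSM team can match against the HSM's session log. The timestamp prefix, the sample lines and the names find_session_errors and summarize are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed record layout: "<timestamp> <LEVEL> [<logger>] (<thread>) <message>".
RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +(\w+) +\[[^\]]+\] \(([^)]+)\) (.*)$")
CAUSE = re.compile(r"^Caused by: \S*CKR_Exception: (C_\w+) rv=(0x[0-9a-fA-F]+) - (CKR_\w+)")
GCM_ERROR = "Error during AES GCM encryption"
_ERR = ("ERROR [com.symphony.keymanager.web.servlets.KeysMeServlet] ({}) Processing error: "
        "com.symphony.security.exceptions.SymphonyEncryptionException: " + GCM_ERROR)
_CAUSE = "Caused by: com.safenetinc.jcprov.CKR_Exception: C_DecryptInit rv=0xb3 - CKR_SESSION_HANDLE_INVALID"

# Constructed sample: timestamps and the INFO line are invented, messages are the article's.
SAMPLE_LOG = "\n".join([
    "2024-01-01 10:15:42,310 " + _ERR.format("https-jsse-nio-8443-exec-13"), _CAUSE,
    "2024-01-01 10:15:43,002 INFO  [constructed.Logger] (main) constructed unrelated line",
    "2024-01-01 10:16:05,771 " + _ERR.format("https-jsse-nio-8443-exec-7"), _CAUSE,
    "2024-01-01 10:17:30,120 " + _ERR.format("https-jsse-nio-8443-exec-13"),  # no cause logged
])

def find_session_errors(log_text):
    """Return one dict per AES GCM error record, with its CKR_Exception cause if present."""
    events, current = [], None
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if rec:  # a new log record starts; stack-trace lines carry no timestamp
            ts, level, thread, msg = rec.groups()
            current = None
            if level == "ERROR" and GCM_ERROR in msg:
                current = {"time": ts, "thread": thread, "cause": None}
                events.append(current)
            continue
        cause = CAUSE.match(line.strip())
        if cause and current is not None and current["cause"] is None:
            current["cause"] = cause.groups()  # (PKCS#11 call, rv, CKR name)
    return events

def summarize(events):
    # Only errors whose cause is the invalid session handle point at an HSM disconnect.
    hits = [e for e in events if e["cause"] and e["cause"][2] == "CKR_SESSION_HANDLE_INVALID"]
    return {
        "gcm_errors": len(events),
        "session_invalid": len(hits),
        "first": hits[0]["time"] if hits else None,
        "last": hits[-1]["time"] if hits else None,
        "threads": dict(Counter(e["thread"] for e in hits)),
        "pkcs11_calls": sorted({e["cause"][0] for e in hits}),
    }

if __name__ == "__main__":
    print(summarize(find_session_errors(SAMPLE_LOG)))
```

AES GCM errors that carry no CKR_SESSION_HANDLE_INVALID cause are counted in gcm_errors but excluded from the session summary, so a different root cause is not misreported as an HSM disconnect.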


Note: HSMs have their own internal logs. One of them retains the information about established and disconnected sessions. Your HSM team may check the logs to obtain more details.


Note: On the KM side, recovery could take around 6 hours. Alternatively, KMs which are on-prem can be manually restarted to speed up this process.