mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-10 08:37:00 +02:00
Code Issues Projects Releases Wiki Activity
04e75372fb
vault/website/content/docs/platform/mssql/troubleshooting.mdx
Yoko Hyakuna 1390176427
[DOCS] Match the page_title with H1 header (#29204) 
* Match the page_title with H1 header

* Fix typos: rote --> rotate
2024-12-16 17:31:29 -08:00

67 lines
3.0 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Troubleshoot the Vault EKM provider
description: Troubleshooting steps for the Vault EKM provider for Microsoft SQL Server.
---
# Troubleshoot the Vault EKM provider
## Check windows event logs
Logs from the Vault EKM provider will appear in Windows Event Viewer under
"Windows Logs" > "Application" with source "Transit Vault EKM Provider".
### Enable trace logging
If the logs in the Event Viewer don't give enough information to help debug
your issue, you can [enable trace logging](/vault/docs/platform/mssql/configuration#enabletrace).
Restart SQL Server for the config change to take effect, and you should see more
detailed logs in the same section of Windows Event Viewer.
## Check SQL server error logs
If the Vault EKM provider is not generating event logs, you may find some
information in the SQL Server's error logs. Check for an event with ID
17111 from "MSSQLSERVER" which details the file location of the error logs,
for example "Logging SQL Server messages in file
'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'."
## Authenticode error
When running the `CREATE CRYPTOGRAPHIC PROVIDER` SQL query, if you get an error
"Cannot load library", you may see "Failed to verify Authenticode signature on
DLL" in the error logs. This can normally be remediated by updating the CA trust
store to include the latest Digicert certificates. Run the following to import
the required certificates into the Root trust store:
```powershell
New-Item -ItemType Directory -Path certs
certutil -syncwithWU .\certs\
extrac32 -L .\certs\ .\certs\authrootstl.cab
certutil -f -ent -AddStore Root .\certs\authroot.stl
certutil -f -ent -AddStore Root .\certs\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.crt
certutil -f -ent -AddStore Root .\certs\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4.crt
Remove-Item -Recurse .\certs\
```
## Error codes
During installation, the EKM provider registers a manifest of coded event logs to aid debugging. You may see the following error codes during operation.
### 2050 license error
The EKM provider was unable to verify that Vault has the correct license features. This
could be due to:
- An incompatible Vault Enterprise license - see the installation [prerequisites](/vault/docs/platform/mssql/installation#prerequisites) for the required license feature.
- Lack of network connectivity - Check Vault's audit logs to see if any requests are made to
authenticate via AppRole or query the `/sys/license/status` API.
- Misconfigured AppRole auth - Ensure you provided the correct Role ID and Secret ID when
configuring the SQL Server `CREDENTIAL`. See the
[installation instructions](/vault/docs/platform/mssql/installation) for an end-to-end working example.
- Incorrect policy permissions - The EKM provider requires the `read` capability
on the path `sys/license/status`. See the `tde-policy` created in the
[installation instructions](/vault/docs/platform/mssql/installation#configuring-vault)
for an example of a working policy.
Reference in New Issue View Git Blame Copy Permalink