KB Article #182497

VA Server gets stuck during startup process on Linux when an HSM is used

Problem

VA Server (the ves process) appears to start correctly from the UI or the command line, but it then does nothing.

The last message in the server log file is:

VCRT: The PKCS11 library has been loaded


When VA Server is stopped again, one ves process remains and must be killed.


This issue was observed with VA Server running on Linux and using a Luna HSM. The HSM client was installed correctly, and a new hardware key could be created using the VA admin UI.


Analysis

Because a new key could be created, the HSM client is installed correctly and the connection to the HSM is configured correctly. However, when VA Server starts, it finds and loads the HSM library but cannot initialize it or create the connection to the HSM.



Possible solution

A possible cause is that VA Server does not have the permissions needed to load the HSM library or to access another file in the HSM client installation, e.g. the log file haErrorLog.txt.


How to troubleshoot this issue

1) Run the HSM command line utilities as the user that will be used to run the VA Server ves process. This is the user that was specified during the installation.

To do this:

a) Run the command "su - <USER_NAME>" to become this user.

b) Attempt to run the HSM utility, e.g. "vtl verify".

This helps to determine whether the permissions on the HSM files are configured such that this user's group can access them.


2) Make sure that the user that VA Server runs as (the one specified during the install) is a member of the group that has ownership of the HSM installation directory.

This also means that all folders and files in the HSM client installation must be assigned to the HSM user group, which must be the same group as the VA user's group.
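
The ownership and permission checks from steps 1 and 2 can also be run as an audit over the whole HSM client directory. The script below is an added example, not part of the original article or of the vendor's tooling; the directory and group are passed as arguments because the article does not name them, and the group-write requirement on haErrorLog.txt is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code). DIR and GROUP are supplied by the caller;
# the article does not state the HSM client path or the group name.

# hsm_perm_report DIR GROUP
# Prints one line per entry the group cannot use; returns 1 if any was found.
hsm_perm_report() {
    dir=$1
    group=$2
    report=$(
        # Everything must belong to the VA user's group (step 2).
        find "$dir" ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        # Directories need group read + search (octal 050).
        find "$dir" -type d ! -perm -050 -exec printf 'dir-no-access %s\n' {} \;
        # Libraries and config files need group read (octal 040).
        find "$dir" -type f ! -perm -040 -exec printf 'file-no-read %s\n' {} \;
        # Assumption: the client writes to haErrorLog.txt, so it also
        # needs group write (octal 020).
        find "$dir" -type f -name haErrorLog.txt ! -perm -020 \
            -exec printf 'log-no-write %s\n' {} \;
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage: sh hsm_perm_report.sh <hsm-client-dir> <va-user-group>
if [ "$#" -eq 2 ]; then
    hsm_perm_report "$1" "$2"
fi
```

The script inspects mode bits and group ownership only; ACLs and SELinux labels are not evaluated, so the "su" test in step 1 remains the authoritative check.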