Troubleshooting external key vaults

You can use the keyvault.properties file and application log files to review configuration and integration information for external key vaults.

Use the keyvault.properties file

You can use the keyvault.properties file to review configuration attributes for these external key vaults:

The following keyvault.properties file shows an example with the CyberArk Password Vault:

CyberArk keyvault.properties file for troubleshooting

To review the AWS Secrets Manager keyvault.properties file, enter these AWS attributes (for example):

Note:

The certificate passphrase attribute contains the encrypted Control Room certificate file passphrase. Do not modify the certificate passphrase attribute directly; instead, you should use the key vault utility.
You can modify the keyvault.properties file. However, any modifications will require a service restart. So we recommend that you always use the key vault utility to make modifications.

You can use these application log files to review external key vault integration information:

You can use these log messages to troubleshoot external key vault integration or configuration issues:


Log message description	Cause or reason
Unable to send an email Unable to connect to SMTP server because either your SMTP username or password is incorrect	Retrieved SMTP credential is incorrect.
Logs indicate failure connecting to LDAP	Failure to authenticate through Active Directory.
WebCR.log file shows database connectivity error, and the Control Room fails to boot up correctly	Retrieved database password is incorrect.
Either your username or your password is incorrect	Retrieved auto-login credential is incorrect for the user (correlates to the bot deployment log for user ID).
Logs indicate connection failure to CyberArk	A possible certificate expiry issue exists if failure occurs after a period of proper functioning for (3, 6, or 12) months.
Unable to retrieve secret, and detail exception will have cause	A non-existent credential identifier (safe name, object name, or secret name) is in use. Might also indicate the credential identifier was removed from the external key vault (if it was previously working properly).
	Might also indicate that the key vault connection is down or unreachable. Or, connection details (API URL, AppID, certificate, region name, AWS keys) are incorrect, have been changed on the key vault, or expired.