Troubleshooting external key vaults
- Updated: 2023/06/19
Troubleshooting external key vaults
You can use the keyvault.properties file and application log files to review configuration and integration information for external key vaults.
Use the keyvault.properties file
You can use the keyvault.properties file to review configuration attributes for these external key vaults:
- CyberArk Password Vault
- AWS Secrets Manager
- Azure Key Vault
- HashiCorp Vault
The following keyvault.properties file shows an example with the CyberArk Password Vault:
To review the AWS Secrets Manager keyvault.properties file, enter these AWS attributes (for example):
- keyvault.type=AWS_SECRETS_MANAGER
- keyvault.aws.region=us-west-2
- The certificate passphrase attribute contains the encrypted Control Room certificate file passphrase. Do not modify the certificate passphrase attribute directly; instead, you should use the key vault utility.
- You can modify the keyvault.properties file. However, any modifications will require a service restart. So we recommend that you always use the key vault utility to make modifications.
For HashiCorp Vault, Vault servers are configured using a file that is in HashiCorp configuration language (HCL) or JSON format. For information about using the file, see Vault Configuration.
Use the application log files
You can use these application log files to review external key vault integration information:
- WebCR_CredentialVaultlog
- WebCR_RestException
You can use these log messages to troubleshoot external key vault integration or configuration issues:
| Log message description | Cause or reason |
|---|---|
| Unable to send an email Unable to connect to SMTP server because either your SMTP username or password is incorrect |
Retrieved SMTP credential is incorrect. |
| Logs indicate failure connecting to LDAP | Failure to authenticate through Active Directory. |
| WebCR.log file shows database connectivity error, and the Control Room fails to boot up correctly | Retrieved database password is incorrect. |
| Either your username or your password is incorrect | Retrieved auto-login credential is incorrect for the user (correlates to the bot deployment log for user ID). |
| Logs indicate connection failure to CyberArk | A possible certificate expiry issue exists if failure occurs after a period of proper functioning for (3, 6, or 12) months. |
| Unable to retrieve secret, and detail exception will have cause | A non-existent credential identifier (safe name, object name, or secret name) is in use. Might also indicate the credential identifier was removed from the external key vault (if it was previously working properly). |
| Might also indicate that the key vault connection is down or unreachable. Or, connection details (API URL, AppID, certificate, region name, AWS keys) are incorrect, have been changed on the key vault, or expired. |