Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6276
Views
5
Helpful
32
Replies

KMS exceptions

dschimmer
Level 1
Level 1

‎05-25-2016 06:50 AM

Hi All,

New to ContextService, and ran into an issue.

I was able to register, and get the connection data, using the credentials provided to me.

However when taking one of the samples and trying to run them, I encounter exceptions when the client is trying access the KMS to retrieve encryption keys.

I see this exception thrown by the background threads.

ApiError with errorType: kmsError.failedRequest, errorData: , errorMessage: No response found for KMS request

  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.getApiException(ApiExceptionFactory.java:78)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:113)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:95)

  at com.cisco.thunderhead.kms.KmsSecureChannel.processResponsePayload(KmsSecureChannel.java:378)

  at com.cisco.thunderhead.kms.KmsSecureChannel.transmitRequest(KmsSecureChannel.java:289)

  at com.cisco.thunderhead.kms.KmsSecureChannel.submitRequest(KmsSecureChannel.java:235)

  at com.cisco.thunderhead.kms.KmsActor.getKey(KmsActor.java:203)

  at com.cisco.thunderhead.kms.KmsManager.loadSaltValue(KmsManager.java:320)

  at com.cisco.thunderhead.kms.KmsManager.tryInitialize(KmsManager.java:290)

  at com.cisco.thunderhead.kms.KmsManager$InitializeCache.run(KmsManager.java:272)

  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

  at java.util.concurrent.FutureTask.run(FutureTask.java:266)

  at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)

  at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)

  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

  at java.lang.Thread.run(Thread.java:745)

I also then see this warning

main WARN  kms.KmsManager - After 20000 milliseconds, kmsManager is still not initialized!

And in some cases when I would issue a create customer request:

main WARN  kms.KmsManager - Unable to retrieve hashing salt because KmsManager is still not initialized yet.

main ERROR client.ContextServiceClientImpl - ApiError with errorType: kmsError.failedRequest, errorData: , errorMessage: Unable to access KMS in order to load SCR encryption keys.

  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.getApiException(ApiExceptionFactory.java:78)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:113)

  at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:95)

  at com.cisco.thunderhead.kms.KmsManager.getHashingSalt(KmsManager.java:570)

  at com.cisco.thunderhead.client.ContextServiceEncryptionClient.computeFieldValueHashes(ContextServiceEncryptionClient.java:499)

  at com.cisco.thunderhead.client.ContextServiceEncryptionClient.computeHashesForAllSearchableFields(ContextServiceEncryptionClient.java:451)

  at com.cisco.thunderhead.client.ContextServiceEncryptionClient.inspectAndEncrypt(ContextServiceEncryptionClient.java:423)

  at com.cisco.thunderhead.client.ContextServiceEncryptionClient.encryptBean(ContextServiceEncryptionClient.java:118)

  at com.cisco.thunderhead.client.BaseEncryptionService.encryptAndCreate(BaseEncryptionService.java:135)

  at com.cisco.thunderhead.client.ContextServiceClientImpl.create(ContextServiceClientImpl.java:339)

  at com.cisco.thunderhead.client.ContextServiceClientImpl.create(ContextServiceClientImpl.java:319)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

  at java.lang.reflect.Method.invoke(Method.java:498)

  at com.cisco.thunderhead.plugin.ConnectorProxyInvocationHandler.invoke(ConnectorProxyInvocationHandler.java:110)

  at com.sun.proxy.$Proxy11.create(Unknown Source)

  at addCustomerTest.main(addCustomerTest.java:70)

So what i'm trying to figure out is if anybody else has encountered an error, or perhaps the account credentials I was supplied might be on account that has not been provisioned?

I've attached a log, from the program that is based on the simple connection program in the QuickStart.

I've also ensure that the following are not blocked.

*.webex.com

*.wbx2.com

*.ciscoccservice.com

I downloaded the 1.0.7 sdk from the website, which did an auto update of the extension sdk to 1.0.8

Thank You,

Daniel

Labels:
out.log.zip
5 KB
0 Helpful
32 Replies 32

ankparik
Cisco Employee
Cisco Employee

‎05-25-2016 06:59 AM

Hi Daniel,

Context Service team is looking into the issue and will get back to you with more details.

Thank you

Ankit Parikh

ankparik
Cisco Employee
Cisco Employee

‎05-25-2016 11:45 AM

Hi Daniel,

We found the root cause of your issue. Your org does not contain KMS role. Because of that, you cannot initialize KMS services. I am working with Common Identity team to address this. Once they have assigned proper KMS role to your org, I will get back to you with further steps.

Thank you

Ankit Parikh

ankparik
Cisco Employee
Cisco Employee

‎05-26-2016 04:09 AM

Hi Daniel,

We have resolution on request with Common Identity. They have updated your org to add KMS role.

This is what you would have to do to get back to working state:

=> Remove hard coded connection data from your test program

=> De-Register from Context Service and then Re-Register to get new connection data

=> Use newly obtained connection data in your test program

=> Try Context Service API operations again

Note: If you had created objects using your test program prior to this, they will not be searchable (or may have already been deleted).

Please let us know if this solves your issue.

Thank you

Ankit Parikh

dschimmer
Level 1
Level 1
In response to ankparik

‎05-26-2016 08:44 AM

Hi Ankit,

Thank you for the help!

I tried those steps.

However I seem to be given back the same connection data, each time I do the register.  Is there something i'm missing?

Thank you again.

Daniel

0 Helpful

dschimmer
Level 1
Level 1
In response to ankparik

‎05-31-2016 12:07 PM

Hi Ankit,

Thank you for the help!

I tried those steps you provided.

However, I seem to be given back the same connection data, each time I do

the register. Is there something i'm missing? I have tried this several

times, but always end up with the same connection data.

Thank you.

Daniel

0 Helpful

dschimmer
Level 1
Level 1
In response to ankparik

‎05-31-2016 02:43 PM

Hi There,

Another update. I was finally able to get a new connection data string,

uptil this point i kept getting the same one back.

However I am still seeing the exception about the KMS not being able to get

a key.

I have attached a new log file.

Thank You,

Daniel

On Tue, May 31, 2016 at 3:07 PM, Daniel Schimmer <

out2.log.zip
0 Helpful

ankparik
Cisco Employee
Cisco Employee
In response to dschimmer

‎06-01-2016 06:50 AM

Hi Daniel,

We are looking into the issue and will get back with resolution.

Thank you

Ankit Parikh

0 Helpful

ankparik
Cisco Employee
Cisco Employee
In response to dschimmer

‎06-01-2016 08:22 AM

Hi Daniel,

We checked your org details and everything seems fine. We believe that you may not have proper connectivity (or it is being blocked) to encryption endpoint that that is why you are not able to make requests.

If you are using Linux based machine or mac where you are running the java program to use Context Service, can you please run the following command in terminal and check the http response code that is returned?

curl -o /dev/null --silent --write-out '%{http_code}' https://encryption-a.wbx2.com/encryption/api/v1/ping

If you are using Windows, please download and install cURL (https://curl.haxx.se/download.html) and try similar command.

You may also try:

curl https://encryption-a.wbx2.com/encryption/api/v1/ping

and expect to get valid jSon response back.

Please let me know.

Thank you

Ankit Parikh

bimcdona
Cisco Employee
Cisco Employee
In response to ankparik

‎06-01-2016 05:18 PM

Ankit,

I have the exact same issue in CVP I am using the out of the box customer lookup and receive the same KMS Exception error.  I have CVP 11.0 with ES8 and ES16 applied and just registered it with Context Service.  I have a custom application using the SDK that works great.  I registered the custom app and CVP and Finesse using the same credentials.  One thing I noticed is the connection string is different between CVP and the custom app, is that expected?  Also, I de-registered CVP and re-registered CVP, restarted CVP and still have the issue.

198.18.133.13.1464826662057.2.Super4GSpeech,06/01/2016 20:17:43.571, The error was: A built-in element encountered an exception of type com.cisco.thunderhead.errors.UnknownApiException. The root cause was: com.cisco.thunderhead.errors.UnknownApiException: null: ApiError with errorType: kmsError.failedRequest errorData:  errorMessage: Unable to access KMS in order to load SCR encryption keys.

com.audium.server.AudiumException: A built-in element encountered an exception of type com.cisco.thunderhead.errors.UnknownApiException.

    at com.audium.server.voiceElement.ActionElementBase.service(ActionElementBase.java:416)

    at com.audium.server.controller.Controller.goToAction(Controller.java:3981)

    at com.audium.server.controller.Controller.goToElement(Controller.java:3617)

    at com.audium.server.controller.Controller.continueCall(Controller.java:3312)

    at com.audium.server.controller.Controller.doPost(Controller.java:898)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)

    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)

    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)

    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)

    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)

    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)

    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)

    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)

    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1600)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

    at java.lang.Thread.run(Thread.java:744)

Caused by: ApiError with errorType: kmsError.failedRequest errorData:  errorMessage: Unable to access KMS in order to load SCR encryption keys.

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)

    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)

    at com.cisco.thunderhead.errors.ApiExceptionFactory.getApiException(ApiExceptionFactory.java:78)

    at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:113)

    at com.cisco.thunderhead.errors.ApiExceptionFactory.generateApiException(ApiExceptionFactory.java:95)

    at com.cisco.thunderhead.kms.KmsManager.getHashingSalt(KmsManager.java:570)

    at com.cisco.thunderhead.client.ContextEncryptionService.convertSearchParams(ContextEncryptionService.java:191)

    at com.cisco.thunderhead.client.ContextEncryptionService.searchAndDecrypt(ContextEncryptionService.java:126)

    at com.cisco.thunderhead.client.ContextServiceClientImpl.search(ContextServiceClientImpl.java:584)

    at com.cisco.thunderhead.client.ContextServiceClientImpl.search(ContextServiceClientImpl.java:550)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:606)

    at com.cisco.thunderhead.plugin.ConnectorProxyInvocationHandler.invoke(ConnectorProxyInvocationHandler.java:110)

    at com.sun.proxy.$Proxy0.search(Unknown Source)

    at com.audium.server.action.contextservice.util.CustomerLookupUtil.fetchCustomers(CustomerLookupUtil.java:66)

    at com.audium.server.action.contextservice.util.CustomerLookupUtil.sendRequestToContextService(CustomerLookupUtil.java:92)

    at com.audium.server.action.contextservice.util.BaseUtil.handleContextService(BaseUtil.java:40)

    at com.audium.server.action.contextservice.util.BaseUtil.service(BaseUtil.java:55)

    at com.audium.server.action.contextservice.CustomerLookUpAction.doAction(CustomerLookUpAction.java:145)

    at com.audium.server.voiceElement.ActionElementBase.service(ActionElementBase.java:390)

    ... 21 more

I did the test of https://encryption-a.wbx2.com/encryption/api/v1/ping via a browser on my CVP and I receive back JSON.


my Org ID is: de58cf91-6f51-428b-95ee-50c8e7f8e1e5


Bill McDonald

0 Helpful

ankparik
Cisco Employee
Cisco Employee
In response to bimcdona

‎06-01-2016 05:50 PM

Bill,

We'll look into this and get back to you.

Thank you

Ankit Parikh

0 Helpful

ankparik
Cisco Employee
Cisco Employee
In response to bimcdona

‎06-02-2016 10:22 AM

Bill,

Your org has KMS role, however, your org admin account is missing spark entitlement. We're working with CI team to resolve that. I'll get back to you with more details once we have resolution from CI team.

Thank you

Ankit Parikh

0 Helpful

ankparik
Cisco Employee
Cisco Employee
In response to bimcdona

‎06-03-2016 05:57 AM

Bill,

Verifying connectivity using browser is not correct approach. Browser may have proxy configured so the connection would work. However when you use command line utility like cURL, you can check if the JVM has proper connection to the endpoint or not. That is what we want to verify.

On a side note, we have added all required entitlement to your org admin account. This is what you would have to do to get back in working state (assuming you have proper connectivity to Context endpoints)

=> Remove hard coded connection data from your test program

=> De-Register from Context Service and then Re-Register to get new connection data

=> Use newly obtained connection data in your test program

=> Try Context Service API operations again

Thank you

Ankit Parikh

dybrisco
Cisco Employee
Cisco Employee
In response to bimcdona

‎06-08-2016 11:49 AM

Bill

Has this been resolved?  I am getting the exact same issue when I try the CVP Studio elements

Thanks

Dylan

0 Helpful

dschimmer
Level 1
Level 1
In response to ankparik

‎06-02-2016 07:48 AM

Hi Ankit,

I have tried that out, and get a 200 OK, and valid JSON back.

Also I see this url,

https://encryption-a.wbx2.com/encryption/api/v1/keys/ab474ea8-0b30-4511-8799-b200b1534704,

in the log.  When I click it, it says it requires http authentication,

obviously i'm not supplying that by just clicking the link, but it shows

that it's responsive.

Any other ideas?

Thanks,

Daniel

Additional (incident number CS-39)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents