Troubleshooting Steps for Key Rotation Service (KRS) (Web API component)

The Key Rotation Service (KRS) is not working properly and is unable to provide the key. The main causes of this issue include access rights of the certificate, IIS configuration problems, and padding errors. Troubleshooting steps involve checking access rights, configuring IIS properly, and checking the log files for errors.

KRS is unable to provide the key due to Handler Issue

Table 1. Table 23 - Key Rotation Service (KRS): Scenario 2
Issue Description

KRS is not working as its unable to provide the key

Figure 1. Figure 21 - KRS is not working
Modules Impacted Product along with all the components
Probable Root Cause Issue with access rights of the certificate

Steps to resolve

  1. 1. Press Win+R, then type MMC and click OK.
Figure 2. Figure 22 - KRS Application Error (cont.)
  1. 2. Click File  Add Remove Snap-in.
Figure 3. Figure 23 - KRS Application Error (cont.)
  1. Select Certificates and click Add.
    Figure 4. Figure 24 - KRS Application Error (cont.)
  2. Select Computer Account and click Next.
    Figure 5. Figure 25 - KRS Application Error (cont.)
  3. Click Finish.
    Figure 6. Figure 26 - KRS Application Error (cont.)
  4. Click OK. Expand Certificates  Personal. Double-click on certificates inside Personal folder.
    Figure 7. Figure 27 - KRS Application Error (cont.)
  5. Right-click on the certificate used in Product, for e.g. HCL.iAutomate and select All Tasks  Manage Private Keys.
    Figure 8. Figure 28 - KRS Application Error (cont.)
  6. Click Add.
    Figure 9. Figure 29 - KRS Application Error (cont.)
    C:\Users\mishra_as\Pictures\1.png
  7. Enter Everyone in the space provided and click Check Names.
    Figure 10. Figure 30 - KRS Application Error (cont.)
  8. Everyone is added to the Group / User Name and click OK.
    Figure 11. Figure 31 - KRS Application Error (cont.)
    C:\Users\mishra_as\Pictures\1.png
  9. Copy the certificate and paste it into Trusted People folder.
Figure 12. Figure 32 - KRS Application Error (cont.)

KRS is unable to provide the key due to IIS configuration issue

Table 2. Table 24 - Key Rotation Service (KRS): Scenario 3
Issue Description

KRS is not working as its unable to provide the key

Figure 13. Figure 33 - KRS is not working
Modules Impacted BigFix Runbook AI along with all the components
Probable Root Cause MIME Type Error – IIS has not been configured properly

Steps to resolve

  1. Go to Control Panel and turn on Windows Features.
  1. Click on Next until user finds .Net Framework 4.6 Features (Installed).
  2. Expand it and find WCF Services.
  3. Expand WCF Services and enable HTTP Activation.
Figure 14. Figure 34 - KRS is not working (cont.)
  1. Install and check for WSDL again.

KRS is unable to provide the key due to IIS issue

Table 3. Table 25 - Key Rotation Service (KRS): Scenario 4
Issue Description KRS is not working as its unable to provide the key
Modules Impacted BigFix Runbook AI along with all the components
Probable Root Cause Issue with IIS

Steps to resolve

If the steps mentioned in Scenario 2 and 3 are performed and still WSDL of KRS is not loading successfully, it implies that issues are with IIS.

  1. Press Win+R, type inetmgr and click OK.
  1. Go to IIS and see if KRS is running. If there is any issue in IIS, try hosting KRS on different port and they try running the WSDL. If WSDL loads successfully, it implies that issue is with IIS.
  2. Contact the System Administrator.

KRS is unable to provide the key due to Padding issue

Table 4. Table 26 - Key Rotation Service (KRS): Scenario 5
Issue Description KRS is not working as its unable to provide the key
Modules Impacted BigFix Runbook AI along with all the components
Probable Root Cause Padding is invalid and can’t be removed due to discrepancy in generated keys

Steps to resolve

  1. Check the log file of KRS. But first, the logger state needs to be set to 1 in the config file of KRS. Perform the following steps.
  1. Press Win+R and type inetmgr.
  2. Click OK to open IIS.
Figure 15. Figure 35 - KRS is not working
  1. Expand Sites and click HCLiAutomateWEBAPI.
  2. Expand HCLiAutomateWEBAPI, then right-click KRS and click Explore.
Figure 16. Figure 36 - KRS is not working (cont.)
C:\Users\mishra_as\Pictures\a1.png
  1. Find Web.config file and open it in Notepad.
Figure 17. Figure 37 - KRS is not working (cont.)
  1. Find the key Logger and change its value from 0 to 1.

<add key="Logger" value="1" />

  1. To open the log file of KRS, perform the following steps:
  1. Press Win+R and type inetmgr.
  1. Click OK to open IIS.
Figure 18. Figure 38 - KRS is not working (cont.)
  1. Expand Sites and click HCLiAutomateWEBAPI.
  2. Expand HCLiAutomateWEBAPI and right-click KRS.
  3. Click Explore.
Figure 19. Figure 39 - KRS is not working (cont.)
C:\Users\mishra_as\Pictures\a1.png
  1. Find the folder ‘bin’ and open it.
  2. Find Web.config file and open it in Notepad.
Figure 20. Figure 40 - KRS is not working (cont.)
  1. Find folder ‘KRSLog’ and open it.
  2. If KRSLog folder is missing, it implies that KRS is not getting hit by the components. It also implies that the KRS URL is not correctly mentioned in the config file of all components. Correct URL should be http://<website IP>:<port of webAPI>/KRS/KeyManagement.svc
  3. Find the file ‘KeyManagementServiceLog’ and open it in Notepad.
  4. Read the log file. If the error message reads ‘padding is invalid and cannot be removed’, it is due to the discrepancy in keys. Check the rotation key being generated in database (SELECT * FROM RotationKeyDetails) and the key generated in log. Both should be same. If they are different, it results in padding error. Also, the encrypted key which KRS is generating should be the same encrypted key which listener is giving to all the components.
  5. If there is no padding error, refer to the log file for more information about the issue and proceed accordingly.