DocuSign HSM Appliance (formerly PrivateServer HSM) Installation Troubleshooting FAQs

Notice: The PrivateServer product is being renamed to HSM Appliance. You will see our documentation and marketing materials take on the new name. Rest assured that they are one and the same product and that support continues as before.

HSM Appliance is the leading high-security (FIPS 140-2 Level 3), high-capacity, network-attached, multi-user HSM.

How can I create a new set of INIT and STARTUP cards?
 
Sometimes, INIT and STARTUP cards get broken, corrupted or lost. What do you do when that happens? You can create new cards that will continue to work in your environment just like your old cards. The process is not difficult and takes only a couple of minutes. The Converting INIT and STARTUP Cards guide explains how to recreate these cards properly.  

I just received a “Key media is locked” message and my HSM Appliance won’t work. Help!
 
When a “Key media is locked” error message appears, it means that a wrong password was entered more than 10 times. Key media can be a .PRI file or a SmartCard. In both cases, there is a hard-wired expiration date on the password.

This type of security error is very common in automated systems as they are not monitored, and, quite often, the password-change window is ignored. The HSM Appliance media password expires every 889 days.

Expiration is an internal process that is not visible to users. You will receive the error message and be prompted to change the password on the day of expiration. This feature is not changeable.

Dormant media files or SmartCards that have not been used for a long period of time, even years, will necessitate a password change when they are next used.

Not to worry! The resolution is simple and takes only a minute or two. Have a look at the Resolution of ‘Key Media is Locked’ guide for instructions.  
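Because expiration is not visible to users, unattended systems benefit from tracking password-change dates outside the appliance. The following is an added example, not DocuSign code: the inventory format, media names, dates and the 30-day warning window are assumptions, and the 889 days are assumed to count from the last password change.

```python
import csv
import io
from datetime import date, timedelta

PASSWORD_LIFETIME_DAYS = 889   # media password lifetime stated in this FAQ
WARN_WINDOW_DAYS = 30          # assumption: how early to raise an alert

# Constructed inventory; media names, kinds and dates are hypothetical.
SAMPLE_INVENTORY = """\
media,kind,last_password_change
svc-signing.pri,PRI file,2023-01-10
backup-operator,SmartCard,2021-03-01
batch-job.pri,PRI file,2022-06-20
not-a-date.pri,PRI file,unknown
"""

def check_media(inventory_csv, today, warn_days=WARN_WINDOW_DAYS):
    """Return (media, status, expiry_date, days_left) rows, most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            changed = date.fromisoformat(row["last_password_change"].strip())
        except ValueError:
            # An untracked change date is itself a finding:
            # the expiry of this media cannot be predicted.
            results.append((row["media"], "UNKNOWN", None, None))
            continue
        expires = changed + timedelta(days=PASSWORD_LIFETIME_DAYS)
        days_left = (expires - today).days
        if days_left <= 0:
            status = "EXPIRED"   # a password change is forced on the expiry day
        elif days_left <= warn_days:
            status = "WARN"
        else:
            status = "OK"
        results.append((row["media"], status, expires, days_left))
    # Unknown dates first, then fewest days remaining.
    results.sort(key=lambda r: (r[3] is not None, r[3] or 0))
    return results

if __name__ == "__main__":
    for media, status, expires, days_left in check_media(SAMPLE_INVENTORY, date.today()):
        print(f"{status:8} {media:20} expires={expires} days_left={days_left}")
```

Run it from a scheduled job and alert on any row that is not OK, so the password is changed by an operator before an automated client starts failing.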

How do I load a module into HSM Appliance (formerly PrivateServer)?

 

  1. Open the HSM Appliance management application.
  2. Connect to the required server.
  3. Select Server -> Load/Remove File. The Load/Remove File dialog appears.
  4. Select the operation to perform: Load File.
  5. Enter the path and name of the DLM file or files you wish to load, or use the Browse button to browse to their location.
  6. Click Perform. When the operation ends successfully, a success message appears.
  7. Restart the HSM Appliance for the changes to take effect.

Why do I get this error after adding another smartcard reader to the workstation: “Media error. Could be that media is personalized (0xa028)”?
 
This reader must be set manually. Please add the following registry entry to the workstation and reboot.

    [HKEY_CURRENT_USER\Software\ARL\ARCryptoKit\Manager]
    "PCSCREaderName"="SCM Microsystems Inc. SCR33x USB Smart Card Reader 0"
 
Why do I get an error on startup or error 163 when restoring my backup file?
 
The error can occur if you are using a STARTUP card that comes from a different pair than the INIT card. Starting with HSM Appliance (formerly PrivateServer) version 4.2, the way the SVMK is calculated was changed due to FIPS demands, so that only cards from the same set provide a valid SVMK. If you have two sets of cards (set A and set B), the SVMK produced by set A INIT + set A STARTUP will be equal to the SVMK produced by set B INIT + set B STARTUP. However, it will not be equal to the SVMK of set A INIT + set B STARTUP, nor to that of set B INIT + set A STARTUP (each such mix will give you a completely different SVMK).
 

How do I reload the DLMs to the CryptoSafe reader?

Sometimes, the CryptoSafe reader doesn't work with PrivateCards but only with MCOS smartcards, or you may get some sort of error or inconsistent behavior from the reader. In most cases these problems are solved by reloading the CryptoSafe's DLMs. To reload the CryptoSafe’s DLMs:
  1. Reload the DLMs with the Screset.bat utility.
  2. Verify that they are indeed loaded (Step 1).
  3. If they have not loaded successfully, try replacing the CryptoSafe reader.

What do Errors 10054 and 10038 mean?

 

These are general TCP/IP errors; they are not specific to HSM Appliance. Error 10054 means that an existing connection was forcibly closed by the remote host. Error 10038 means that an operation was attempted on something that is not a socket.

For more information: open CMD, enter "net helpmsg" and the number of the error, then press Enter.
 

The appliance is not working, and there are no INIT or STARTUP cards. I have an alternate appliance. How should I proceed?

When creating the STARTUP and INIT cards using the PSVGenCards.exe utility, you should write down (and keep in a safe) the two parts of the SVMK (one part is requested when creating the INIT card, and the other part when creating the STARTUP card). With them, you can create a new set of STARTUP and INIT cards that will be used for initializing and restoring a backup on a different HSM Appliance in case of a damaged server and/or loss of the original cards.

Note: When generating the INIT and STARTUP cards using an HSM Appliance client version 4.0 and up, you can generate a backup for them.

Please note that the SVMK of the server that created the backup file must be identical to the SVMK of the target HSM Appliance. The name of the target HSM Appliance should be the same as the name of the original HSM Appliance. You must have the original root card to certify; otherwise, the restoration process will fail.

To create the cards, run the PSVGenCards utility and do the following:
  • You can skip the Root card creation if you already have one.
  • In the INIT section it is important to enter the exact SVMK part that was entered when creating the original INIT card.
  • In the STARTUP section it is important to enter the exact SVMK part that was entered when creating the original cards.
  • Enter the details of a user who will be permitted to connect to the server without a card following the initialization process.
