WAAS Failed to Fetch Encryption Key from Central Manager

Problem: Devices are unable to access the secure store.

#########

2012 Jan 24 10:39:23 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:23 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 163
2012 Jan 24 10:39:43 WAV01 java: %WAAS-CMS-4-700001: ce(DataFeedPoll): Error processing configuration updates: SecureStoreNotReadyException@com.cisco.unicorn.director.DataFeedAgent.encryptData (DataFeedAgent.java:3616) UserConfig_14729:Secure store is initialized but not open. Please open secure store. Failed to encrypt data . Rejecting updates from CM.
2012 Jan 24 10:39:54 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:54 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 164

#########

This error will show up in the GUI of your Central Manager as well.
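To find affected devices in collected syslog rather than one console at a time, the messages above can be parsed for the ss_init retry counter and the "Rejecting updates from CM" condition. This is an added example, not part of the original post or any Cisco tooling; the function name `summarize` and the `stuck_after` threshold are assumptions, and the sample lines are copied from the excerpt above.

```python
import re

# Sample input: the five log lines from the excerpt above (wrapped line rejoined).
SAMPLE_LOG = """\
2012 Jan 24 10:39:23 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:23 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 163
2012 Jan 24 10:39:43 WAV01 java: %WAAS-CMS-4-700001: ce(DataFeedPoll): Error processing configuration updates: SecureStoreNotReadyException@com.cisco.unicorn.director.DataFeedAgent.encryptData (DataFeedAgent.java:3616) UserConfig_14729:Secure store is initialized but not open. Please open secure store. Failed to encrypt data . Rejecting updates from CM.
2012 Jan 24 10:39:54 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:54 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 164
"""

# timestamp, hostname, process, %WAAS-<facility>-<severity>-<id>, optional colon, message
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): "
    r"%WAAS-(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<id>\d+):? (?P<msg>.*)$"
)
KEY_FETCH = re.compile(r"Failed to fetch encryption key from Central Manager.*try (\d+)")
NOT_OPEN = "Secure store is initialized but not open"


def summarize(log_text, stuck_after=3):
    """Return {hostname: status} for devices that cannot open the secure store.

    stuck_after is an assumed threshold: a device whose retry counter has
    reached it is flagged as needing manual intervention.
    """
    devices = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not a WAAS syslog line
        fetch = KEY_FETCH.search(m["msg"])
        not_open = NOT_OPEN in m["msg"]
        if not (fetch or not_open):
            continue  # unrelated WAAS message
        dev = devices.setdefault(m["host"], {
            "key_fetch_failures": 0, "last_try": 0,
            "rejecting_updates": False, "last_seen": None})
        dev["last_seen"] = m["ts"]
        if fetch:
            dev["key_fetch_failures"] += 1
            dev["last_try"] = max(dev["last_try"], int(fetch.group(1)))
        if not_open and "Rejecting updates from CM" in m["msg"]:
            dev["rejecting_updates"] = True  # CM config pushes are being dropped
    for dev in devices.values():
        dev["stuck"] = dev["last_try"] >= stuck_after
    return devices
```

A device reported with `rejecting_updates` set is no longer accepting configuration from the Central Manager, so policy changes pushed after the failure began have not been applied to it.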

Solution: There are two ways to fix this.

1. (Preferred) Reset the crypto keys and re-initialize the secure store on the device with the error message. The warnings you will get will differ from what I have listed below. You will want to type ‘yes’ to all responses. If the secure store doesn’t initialize, try again. I had a few warnings that I had entered the commands too quickly (seriously).

#########

WAV01#crypto pki managed-store initialize
Managed store key is set successfully, no need to re-init. Are you sure you want to continue(yes/no)? [no]:yes
All certificate/private keys in SSL managed store will be deleted and optimized SSL traffic will be interrupted. Are you sure you want to continue(yes/no)? [no]:yes

WAV01#cms secure-store init

#########

2. This solution should be tried at your own risk. This is the nuke option. You will need to de-register and then re-register the device with the Central Manager. This should only be done as a last resort.

####WARNING!#####

WAV01#cms deregister

WAV01#config t
WAV01(config)#cms enable

####WARNING!#####

This is like registering the device as brand new. Any location information will be lost, etc.

 

Verification: Verify the accelerator and the secure store.

#########

WAV01#sh accelerator
Accelerator     Licensed        Config State    Operational State
-----------     --------        ------------    -----------------
cifs            Yes             Enabled         Running
epm             Yes             Enabled         Running
http            Yes             Enabled         Running
mapi            Yes             Enabled         Running
nfs             Yes             Enabled         Running
ssl             Yes             Enabled         Running
video           No              Enabled         Shutdown

WAV01#sh cms secure-store
Secure-store is initialized and open.

 
