X.509 system
| Name | Severity | ID | Description | Action |
|---|---|---|---|---|
| algorithm_type_incompatible | error | 12 | The certificate has a key type that's incompatible with the signature algorithm. | |
| algorithm_type_unsupported | error | 13 | Signed object uses an unsupported signature algorithm. | |
| bad_decode_sig | error | 124 | %1 could not decode the signature. | None. |
| bad_encode | error | 120 | %1: couldn't encode the operation to sign it | None. |
| bit_string_error | error | 71 | An internal error occurred. | See other log entries for details. |
| build_time | error | 69 | An internal error occurred. | See other log entries for details. |
| cert_usage | error | 42 | Digitally signed bind arguments and responses must have a certificate that permits that usage: the certificate should have the keyUsage extension, with at least the digitalSignature bit set. | |
| cert_verify_fail | error | 9 | Validation of a certificate failed. | |
| certificate_issuer | detail | 59 | The DN of the CA which issued the Certificate | Information only |
| certpath_encode_fail | error | 152 | CertificationPath did not encode. | None |
| certs | information | 3 | The number of certificates loaded from the x509 directory. | |
| client_session | detail | 64 | Information Only. An X509 client session is being established using this DN. | None. |
| client_session_ok | detail | 65 | Information Only. An X509 client session has been successfully established using this DN. | None. |
| CML_error | error | 26 | A CML function returned an error code. | |
| cml_init_failure | error | 111 | Initializing CML failed. | Check other events for details. |
| config_parse_fail | error | 102 | There was some error in reading the X.509 config file. This file can contain blank lines, comments (lines beginning with #), and lines beginning "ldap_host ", "ldap_port ", "check_crl ". ldap_host has to be followed by a host name (or IP address), ldap_port by a number, and check_crl by "yes" or "no". (That description uses double quotes to indicate literal text; no double quotes should appear in the file.) | |
| cpath_error | error | 74 | An error occurred while constructing the certificate path to put into the strong credentials. | See other log entries for details. |
| create_pubkey_fail | error | 10 | We failed to create a public key object. | |
| crl_off | warning | 105 | Certificates (received in strong authentication or signed operations) will not be checked against current CRLs. So certificates that have been revoked may be regarded as still valid. | |
| crl_on | information | 104 | Certificates (received in strong authentication or signed operations) will be checked against current CRLs. | |
| crls_off | warning | 99 | Information Only. CRL checking is enabled in the CML library. | |
| crls_on | information | 98 | Information Only. CRL checking is enabled in the CML library. | |
| disabled | error | 19 | Source release was built with the X.509 functionality disabled. | |
| DLOpenFail | warning | 1 | X.509 shared object failed to load. | |
| dn_match_error | error | 85 | The DN in the StrongCredentials does not match the DN in the Certificate. | Configure the remote end to use the Certificate to create correct Strong Credentials. |
| dn_match_ok | detail | 93 | The DN in the strong bind and the DN of the MTA must match. This message logs the fact that they do. | None. |
| dn_match_op | detail | 86 | The DN in the StrongCredentials matches the DN in the Certificate. | None. |
| do_check_strong | detail | 77 | Information only. | None. |
| do_strong | detail | 75 | Information only. | None. |
| done_check_strong | detail | 78 | Information only. | None. |
| done_strong | detail | 76 | Information only. | None. |
| dsa_sig_decode_fail | error | 47 | DSA signatures have a particular format: they're BER (usually DER) encoded SEQUENCE {INTEGER, INTEGER}, where each INTEGER is 20 octets long. One was received which failed to decode. | |
| dsa_sig_encode_fail | error | 48 | Failure while encoding DSA signature (probably out of memory). | |
| dsapverify | information | 15 | Verification succeeded. | |
| dsp_missing_sig | error | 125 | %1 was called with the DSP operation missing a mandatory signature. | None. |
| dump_gen_sig_pe | debug | 61 | Describes the directory into which the generated signature is written. | Debug Information only. This can be compared with the signature from the MOAC |
| dump_sig_pe | debug | 60 | Describes the directory into which the MOAC signature is written. | Debug Information only. This can be compared with the generated signature |
| enc_atb | error | 72 | An internal error occurred. | See other log entries for details. |
| enc_error | error | 73 | An internal error occurred while encoding a PE. | See other log entries for details. |
| entropy | error | 32 | RAND_status returned an error, which probably indicates insufficient entropy. On Unix, this is likely to happen because /dev/urandom is not present or readable. | |
| function_not_found | warning | 45 | A required function is missing from shared library. | |
| function_unavailable | warning | 20 | X.509 functionality is not available because initialization of it failed, and a function requiring it was called. | |
| functions_not_implemented | error | 44 | A shared object library was found, but it does not contain implementations of X.509 functions. | |
| gdi | detail | 87 | A Global Domain Identifier was found in the Strong Credentials. | This value is ignored in this release. |
| gdi_in_token | error | 146 | A GDI was supplied in the token to check against the locally configured value for our GDI, however the check was not carried out. | This may indicate interworking problems with the remote MTA. |
| gen_sig_ok | detail | 53 | The MOAC for this message was successfully generated. | Information only |
| id_ok | detail | 68 | Information Only. A trusted certificate for the ID has been found in the file name reported. | None. |
| id_rej | detail | 67 | Information Only. A trusted certificate for the ID has been found in the file name reported but cannot be used. | None. |
| identities | information | 4 | The number of identities loaded. | |
| identity_chosen | error | 41 | The application attempted to choose an identity (either default, or for a specific connection), but the identity has already been selected. | |
| identity_found | information | 6 | An identity was found for this DN. | |
| identity_notfound | error | 7 | An identity for this DN was requested, and none was found. | |
| init_mismatch | error | 142 | x509_init_security is passed a directory. It can be called more than once, but only with the same directory each time (subsequent calls have no effect). | Application error. |
| init_security | detail | 62 | Information Only. The X509 security environment is being established using this ID. The ID is a filesystem directory in which a subdirectory named x509 contains the Digital Identities as a set of pkcs11 files. | None. |
| init_security_ok | detail | 63 | Information Only. The X509 security environment has been established using this ID. The ID is a filesystem directory in which a subdirectory named x509 contains the Digital Identities as a set of pkcs11 files. The number of Digital Identities found is also reported. | None. |
| init_subject | information | 83 | The StrongCredentials contained a Certificate and the Subject DN is reported. | None. |
| initialization_fail | notice | 46 | X.509 isn't available; this event message gives the reason. | |
| inv_token | error | 94 | The OID in the token of a strong P1 bind must be 2.6.3.6.0. | Check configuration and presentation addresses |
| isode_error | error | 28 | Some internal isode function was called, which returned an error. | |
| missing_nonce_type | error | 128 | %1 : The nonce type within the x509context is not set. | None. |
| missing_security | error | 126 | %1 was called without any SecurityParameters | None. |
| missing_security_path | error | 127 | %1 : The SecurityParameters provided don't contain a certificate path | None. |
| missing_sig | error | 123 | %1 was called with the operation missing a signature | None. |
| moac_tbs_bs_gen_fail | error | 50 | Failure while generating byte stream for MOAC TBS (probably out of memory). | See other log entries for details. |
| moac_tbs_encode_fail | error | 49 | Failure while encoding MOAC TBS (probably out of memory). | See other log entries for details. |
| MTA_AsymmetricTokenBody_W | pdu | 113 | P1 Bind with Strong Auth | No Operator Action |
| mta_name_match_ok | detail | 91 | Our MTA name in token. This value successfully checked against the value in the Strong Credentials. | None. |
| mta_name_mismatch | error | 90 | Our MTA name was found in the Strong Credentials. This value is checked against the local value. The two must match but did not match. | Check configuration of both ends. |
| no | error | 97 | The OID in the token of a strong P1 bind must be set to 2.6.3.6.0. | Check configuration and presentation addresses |
| no_aet | error | 109 | Cannot determine the name of the remote MTA. | Contact Isode support. |
| no_aet_check | detail | 148 | No AET was provided to check against the value in the token. | The MTA has been configured not to check DN of the subject of the Certificate against the AET in the bind. This is configured in the X.400 channel using EMMA. |
| no_aet_error | error | 81 | They did not provide an AET, therefore we cannot accept their strong bind. | Check the configuration of the remote end. Ensure it is connecting to the expected protocol server. |
| no_certificate_sent | error | 11 | We (currently) require a certificate with a bind, and none was sent. | |
| no_config | debug | 140 | Attempting to open the config file %s for the security environment. | None - this is not an error. |
| no_current_identity | warning | 8 | Application asked for the current identity, and there isn't one. | |
| no_gdi | detail | 144 | This release is not checking whether the GDI in the token matches the locally configured value for our GDI. | None. |
| no_gdi_in_token | detail | 145 | No GDI was supplied in the token to check against the locally configured value for our GDI. | None. |
| no_id | error | 136 | No Digital IDs found in the security environment can be used for this client session. | Check that you have configured either a password for the application, or that a pass-phrase file has been created in the same directory as the P12 file, with the same name as the P12 file, with a .pphr suffix. Alternatively, you can set the private key in the P12 file so that it is not protected by a pass-phrase. For security reasons, this is not recommended. |
| no_identities | warning | 5 | No identities were loaded, so no strong authentication will be possible. | |
| no_mta_name | error | 88 | No MTA name was found in the token. | This value is mandatory. Check the configuration of the remote MTA. |
| no_mta_name_check | detail | 147 | No MTAName was provided to check against the value in the token. | This may indicate interworking problems with the remote MTA. This is an internal error which should be reported to Isode support. |
| no_orig_cert | error | 57 | No Originator certificate found in the message envelope with which to verify the signature. | Check the message as received in the Queue. Ensure that the sender constructed the message and signature correctly |
| no_peer_dn | error | 30 | Attempting to construct a strong bind argument, but the argument lacks the dba_dn field, which should contain the DN of the entity we're attempting to connect to. | |
| no_PKCS11_lib | error | 156 | This may be because no library was specified in x509/config, or that the library failed to load. | Contact Isode support |
| no_pphr | debug | 138 | The attempt to open the passphrase for this Digital ID has failed. | None. |
| no_pub_key | error | 84 | The Certificate supplied does not contain a public key and cannot therefore be used for a strong bind. | Configure the remote end to use a suitable Certificate. |
| no_public_key_in_orig_certificate | error | 58 | Although an originator certificate is present in the message envelope, there is no public key available to use to verify the signature | Check the message as received in the Queue. Ensure that the sender constructed the message and signature correctly |
| no_secenv | error | 143 | x509_init_security must be passed a directory. | Internal error. |
| no_token | error | 95 | The OID in the token of a strong P1 bind must be set to 2.6.3.6.0. | Check configuration and presentation addresses |
| noidentity | error | 22 | Some functions require a session with an identity, and this one was called with a session without an identity. | |
| nonce_badlen | error | 33 | We require that a bind argument has 80 bits in random1, and that a bind response has 160 bits: the concatenation of the bind argument and a fresh 80 bit nonce. | |
| nonce_mismatch | error | 34 | We require that a bind response contain random1 which begins with the same bits as the original bind argument. This message failed that test. | |
| nonce_replay | error | 40 | An attempt was made to bind using a nonce which has already been used in a previous session. | |
| nonce_unchecked | error | 37 | We can't check nonces yet. This log is to warn that code needs to be filled in. | |
| nosession | error | 21 | Some functions require a session, and this one was called with the session set to NULL. | |
| not_using_ldap | warning | 101 | LDAP certificate/CRL retrieval has been disabled. | |
| null_nonce_checker | error | 39 | We failed to initialise a nonce checker; this is fatal (for X.509), and no X.509 services will be available. | |
| oid_err | error | 96 | An internal error occurred performing str2oid(). | Check other log messages. |
| oid_mismatch | error | 151 | Some kinds of signed ASN.1 have the signature algorithm both inside the signed part, and outside. These two must match, and in this case they do not, so verification fails. | Identify origin of the mismatched OIDs and report error |
| opensslinit_fail | warning | 2 | SSL_library_init returned a fail code | |
| our_mta_name | detail | 92 | Our MTA name. This value is checked against the value in the Strong Credentials. | None. |
| pe_decode_error | error | 80 | The PE could not be decoded. | See other log entries for details. |
| pe_error | error | 70 | An internal error occurred. | See other log entries for details. |
| PKCS11_error | error | 25 | A PKCS#11 function returned an error code. | |
| read_cert | detail | 66 | Information Only. A certificate for the ID has been found in the file name reported. | None. |
| read_config | debug | 139 | Attempting to open the config file %s for the security environment. | None. |
| read_config_ok | detail | 141 | Successfully read the config file %s for the security environment. | None. |
| read_pphr | detail | 112 | The passphrase for the private key has been read from the passphrase file. The passphrase filename has the form p12filename.pphr. | None. |
| require_signed_ops | information | 117 | The named connection is configured (probably using authcon) with the given settings for signed operations. Signed operations may be required for modification operations, and for non-modifying operations. | None. |
| response_dn | error | 36 | x509_dsapverify attempted to verify a bind response, but the response was signed by a key from a different entity. | |
| set_sign_op_called | information | 134 | This log message shows that set_sign_op is called, and logs its arguments | None |
| shouldnt_sign_verify | error | 119 | %1 called however the x509_context specifies no signing or verification should take place | None. |
| sign_fail | error | 51 | Failure while generating a signature for the message. | See error code and other log entries for details. |
| Sign_fail | error | 18 | C_Sign returned an error code. | |
| sign_good | detail | 129 | %1 : Generated signature for this operation ok | None. |
| sign_op | information | 130 | Indicates if an operation is to be signed. | None |
| sign_op_unsupported | error | 133 | Indicates if signing an operation is unsupported. | None |
| SignInit_fail | error | 17 | C_SignInit returned an error code. | |
| slotcount | error | 24 | For the moment, the slot count must be 1. | |
| SRL_DB_error | error | 135 | The error probably indicates the directory isn't writable. Or the files "srl_cert_cache.db" and/or "srl_crl_cache.db" are of some unrecognised format. | Check (and change) directory permissions |
| SRL_error | error | 29 | An SRL function was called, which returned an error. | |
| srl_init_failed | warning | 103 | Initializing SRL with the LDAP port and host given in the configuration file failed. So LDAP is disabled. (The application may reenable it.) | |
| srl_init_total_failure | error | 110 | Initializing SRL with no LDAP port and host failed. | Check other events for details. |
| SRL_LDAP | warning | 114 | SRL attempted an LDAP bind on initialisation, and it returned this error code. | |
| their_aet | detail | 82 | Informative: their AET. | None. |
| timestamp_from_token | detail | 106 | Report the timestamp from the strong bind. This value to be checked against the current time, and if too old will cause the bind to be rejected. | None. |
| token_age_new_ok | detail | 116 | The token timestamp is less recent than the limit set. | None. |
| token_age_old_ok | detail | 108 | The token timestamp is more recent than the limit set. | None. |
| token_decode_fail | detail | 14 | Signed token couldn't be decoded. | |
| token_encode_fail | detail | 16 | Token couldn't be encoded. | |
| token_expired | error | 31 | A bind token was received that seems to have expired. This may be an attempt at replaying a bind token, or (probably more likely) indicates unacceptable clock skew between machines. | |
| token_life_too_long | error | 38 | A bind token was received that wants to live too long (its expiry time is more than 40 minutes in the future). This isn't permitted (if unintentional, this may be due to clock skew). | |
| token_mta_name | detail | 89 | Our MTA name. This value is checked against the value of the mta name. | None. |
| token_null_utc | error | 35 | While trying to check a bind token or response for expiry, the expiry time couldn't be converted to UTC, preventing a check. | |
| token_too_new | error | 115 | The strong bind is rejected as the token timestamp is too far in the future. | Ensure that the clocks on the two systems are set correctly. They need to be synchronised within 5 minutes of each other |
| token_too_old | error | 107 | The strong bind is rejected as the token timestamp is older than the limit set. | Ensure that the clocks on the two systems are set correctly. They need to be synchronised within 5 minutes of each other |
| trace_func | debug | 131 | This log message shows which x509 functions have been called | None |
| trusted_cert | information | 154 | Adding the certificate as a trust anchor. | None |
| trusted_cert_error | error | 43 | While adding the trust anchors, an error was found for this certificate. | |
| try_pphr | debug | 137 | Attempting to open the passphrase for this Digital ID. The passphrase filename has the form p12filename.pphr. | None. |
| unexpected_oid | error | 79 | An invalid OID was in the token. | Check the configuration of the remote end. Ensure it is connecting to the expected protocol server. |
| unknown_cert_oid | error | 27 | We received a bind argument or response | |
| unknown_key_type | error | 153 | Some internal error occurred. | Contact Isode support |
| unknown_op | error | 121 | %1 was asked to sign an unknown operation | None. |
| untrusted_cert | detail | 155 | Adding the certificate to the database, for use in verifying certificates. | None |
| use_signed_ops_before_init | error | 118 | %1 called with operation or context as NULL | None. |
| using_ldap | notice | 100 | Using LDAP for certificate and CRL retrieval, with the logged host and port. | |
| verify_detail | error | 150 | Gives extended information about failure of certificate verification. | Depends on the specific error. |
| verify_fail | error | 55 | Failure while verifying the signature in the message. | See error code and other log entries for details. |
| verify_failure | error | 149 | The CML function to verify a certificate returned an error code. This may indicate an error in the PKI (a certificate or CRL not present, or expired), configuration (if something could not be retrieved), or some system failure (if it is a memory error). More information is likely to be available at higher logging levels (detail). | Depends on the specific error. |
| verify_init_fail | error | 54 | Failure while verifying the signature in the message. | See error code and other log entries for details. |
| verify_ok | detail | 56 | Verified the signature in the message / operation. | Information only |
| verify_op | information | 132 | Indicates if an operation is to be verified. | None |
| zero_len_sig_gen | error | 52 | Failure while generating a signature for the message. | See other log entries for details. |