Primus HSM - Troubleshooting
This chapter should help you to troubleshoot any problem you may encounter. If you cannot solve your problem with the given information, search the Securosys Support Portal Knowledge Base for further information. If you are still unable to resolve your issue, please open a support ticket on the Securosys Support Portal.
General troubleshooting includes:
- Exporting and reviewing logs
- Diagnostic review
- Verifying LED state
- API provider troubleshooting
Export Logs
Logs are essential for troubleshooting an HSM because they provide detailed records of system events, configuration changes, and error messages that help identify the root cause of issues. They allow administrators to trace operational behavior, detect anomalies, and verify whether security policies and processes are functioning correctly, or troubleshoot them when they are not.
In support cases, logs are required for in-depth troubleshooting. Please provide the most recent exported logs when submitting a support request.
The Primus HSM can export all logs to a USB storage device, a WebDAV server, or a syslog server (audit functionality); see Logging Configuration for more information.
Exporting logs requires SO authentication. In cases of device tampering, logs remain on the device and can be exported by the Genesis Role.
Partition-specific logs, if enabled, can also be retrieved through the Client API or Decanus Terminal using Partition Administration or Audit.
The PSO or PAU role is required to export partition-specific logs through the Decanus Terminal.
Diagnostics
Diagnostics provide insights into the HSM's health, helping detect hardware faults, performance issues, or misconfigurations early, ensuring quicker resolution and minimized downtime. The HSM provides built-in diagnostic tools that display various system states, with SO role access required for security-sensitive data.
The console output of diagnostics might contain more details than the UI on the front panel display or Decanus Terminal.
For a full list of diagnostic functions and details, see Primus HSM User Guide chapter 7.1 Diagnostics.
Hardware Diagnostics
Hardware Diagnostics provide real-time information about the physical and operational health of the device. This includes the current system status, the configured authentication mode, internal temperature readings from various components, and fan speed metrics, enabling monitoring of hardware conditions and ensuring the device is operating within safe parameters.
Network diagnostics
Network Diagnostics offer an overview of the device's current network configuration and operational status. They display key information such as configured IP addresses, interface states (up/down), link speed, and duplex mode, along with the number of active connections per enabled service (e.g., SSH, API, syslog), enabling administrators to monitor connectivity and troubleshoot potential network-related issues effectively.
Firmware diagnostics
Firmware Diagnostics display the currently active HSM and its features (API, Management, HA, ...) and firmware versions, along with the available rollback version.
License diagnostics
License Diagnostics provide an overview of the currently active license, including details on licensed users, enabled APIs, cryptographic modules, and available features. It also indicates whether license upgrades or downgrades are supported, and displays the license revision number, which increases with each issued update to help track changes over time. See Primus HSM Licenses for more information on Primus HSM licenses.
High availability diagnostics
The HA Cluster diagnostics display all active cluster members, including their identities, roles, health status, and synchronization state, allowing administrators to verify that all nodes are properly connected and functioning as expected within the redundant setup.
Decanus diagnostics
Decanus Diagnostics in the Primus HSM display all currently paired Decanus devices along with their connection status, helping to verify which terminals are linked to the HSM and to monitor their availability.
Front panel LEDs
All Primus HSMs are equipped with 4 LEDs on the front panel, providing visual indicators of the device's operational status and potential hardware or system issues. Different LED colors and blinking patterns correspond to specific LED error codes, such as power failures, temperature warnings or initialization problems.
The front panel LEDs allow faults to be identified and responded to quickly, without needing immediate management access.
State | STATUS LED | MGMT LED | ACCESS LED | LINK LED |
---|---|---|---|---|
Factory Delivery or factory reset | blue | blue | blue | blue |
no SOs created | dark | blue | blue | blue |
no User created | dark | dark | blue | blue |
Startup, Selftest Operation impossible | red steady; see LED Error Codes | | | |
boot, selftest | All LEDs blue cycling down & up (animation) | | | |
Normal operation | amber steady: HSM operation has not started | | | |
 | white blinking: FIPS; green blinking: normal | amber steady: SO activated | amber steady: At minimum one user configured but not logged in; amber blinking: + Decanus connected | amber steady: Network interface configured but not connected; amber blinking: Clone cannot reach the Master |
 | white steady: FIPS; green steady: normal; Secure operation | green steady: SO not activated | green steady: At minimum 1 user logged in; green blinking: + Decanus connected | green steady: Network connected/up |
red steady: New alert to acknowledge | amber steady: Log near full, API blocked | |||
red blinking: License expires soon red steady: License expired |
LED Error Codes
If the STATUS LED is "red steady", a severe error has occurred. The cause of the error is encoded with the other three LEDs according to the following table:
MGMT | ACCESS | LINK | Possible reason | Solution |
---|---|---|---|---|
red | red | red | Tamper error or zeroization | The security log has not been erased yet. Analyze it to find out what happened. Afterwards, perform a factory reset and re-initialize with the initial Wizard. Afterwards, you will be able to restore your user data or import the user data from a Master. |
All LEDs red cycling down and up | | | Tamper error and boot loop | Contact Securosys Support |
amber | amber | amber | Authentication error | Firmware update or rollback |
dark | amber | amber | Startup error | Failed to start system processes. Solution: Check device configuration |
amber | dark | amber | Selftest error | Reboot; if the error remains, contact Securosys Support |
amber | dark | dark | Wrong state error | Reboot |
dark | dark | dark | Runtime error | Reboot; if the error remains, contact Securosys Support |
API Provider Troubleshooting
API providers in the Primus HSM environment offer targeted tools for troubleshooting integration and communication between applications and the HSM. These tools are designed to help administrators and developers diagnose issues related to specific API interfaces, such as PKCS#11, JCE, or MS CNG.
Troubleshooting features typically include:
- API-specific logging, which records detailed events and errors encountered during cryptographic operations, helping pinpoint issues in API calls or configuration.
- Connectivity tests, which verify whether the application can establish a secure and functional connection with the HSM, ensuring network and credential settings are correctly applied.
- Performance monitoring, which identifies bottlenecks or delays during cryptographic processes to optimize application and HSM interaction.
- Configuration validation, ensuring the API settings are properly aligned with the HSM environment and security policies.
- Individual cryptographic function tests such as key generation or digital signing to isolate issues within specific operations.
For more API-specific troubleshooting, refer to our online APIs and integration documentation.