Troubleshooting Privacera Encryption¶
This section covers common issues and solutions related to Privacera Encryption installation and configuration.
Common Issues¶
Configuration Issues¶
| Issue | Solution |
|---|---|
| Encryption service not starting | Check that the encryption configuration has been properly enabled and that all required parameters are set. After updating encryption configuration, restart the service. |
| Mismatched shared secrets | Ensure that the shared secrets are consistent across all services. Check the PEG_V2_SHARED_SECRET and SCHEME_SERVER_SHARED_SECRET values. |
| Master key storage errors | Verify that the master key storage configuration is correct. Only one type of storage should be configured at a time. |
API Access Issues¶
| Issue | Solution |
|---|---|
| JWT token authentication failure | Verify that the user has been properly set up in both Privacera Portal and Ranger. Ensure the user has the necessary permissions. |
| API access denied | Check scheme policy permissions to ensure users have appropriate access to the required encryption functions. |
| Numeric format errors | For schemes with numeric format type and FPE algorithm, ensure numeric data passed to /protect and /unprotect is provided as a string. |
Encryption and Decryption Issues¶
| Issue | Solution |
|---|---|
| Cannot decrypt data | Ensure the same encryption scheme that encrypted the data is used for decryption. Check that the format, algorithm, and scope settings match. |
| Invalid format errors | Verify that the data being encrypted matches the expected format for the scheme being used. |
| Empty or null results | Check for proper handling of null or empty input in your application. |
Diagnostic Steps¶
- Check Service Status:
For Privacera Platform:
- Verify Configuration:
Review encryption configuration files:
| Bash | |
|---|---|
- Test API Access:
Test API access using a simple curl command:
| Bash | |
|---|---|
- Check Scheme Policy:
Verify scheme policy permissions in the Privacera Portal: Go to Access Management > Scheme Policies > PEG > ACCESS
Additional Resources¶
Troubleshooting¶
Steps to Check if PEG is Enabled
-
Log in to the Privacera portal.
-
On the left side menu bar, check if the "Encryption & Masking" tab is present.
-
If the "Encryption & Masking" tab is visible, then PEG is enabled.
Steps to check PEG Version:
-
Steps to check PEG Server Version Kubernetes Mode Deployment
Bash -
Steps to check Scheme Server Version Kubernetes Mode Deployment
Bash
Steps to do PEG Health Check:
Once the update is successful , we can verify if the installation is successful by checking if the peg and scheme server are running or not.
PEG and SCHEME SERVER EXTERNAL url can be obtained by executing the below command. This url has domain and port details.
- Health Check API for PEG Server {#peg-server-health-check}
| Bash | |
|---|---|
| Bash | |
|---|---|
| Bash | |
|---|---|
Below Response will be seen if the Scheme server is running
| Bash | |
|---|---|
Resolution steps for alerts for PEG Server¶
This guide helps users to identify and resolve API errors by using the HTTP Error Rate panel in Grafana.
Step 1: Identify the Failing Endpoint & Understand Common HTTP Errors
Use the Summary, Method, URI, and Status values from the alert to determine:
- Which endpoint is returning errors (e.g.,
/api/peg/scheme/allschemenames) - The HTTP method and status code involved (e.g.,
GET 400,POST 500)
Common HTTP Errors and Resolutions
| HTTP Code | Possible Cause | Recommended Action | Affected Endpoints |
|---|---|---|---|
| 400 | Invalid token, malformed request, or missing parameters | - Provide a valid token or generate new token refer - Recheck query/path parameters - Validate JSON body - Refer to API docs | /scheme/allschemenames, /v2/protect, /v2/unprotect, /v2/mask, /v2/multi/* |
| 403 | Missing permissions or scheme not found | - Ensure the user has appropriate access rights to protect/unprotect/mask refer - Verify the scheme exists in portal | /v2/protect, /v2/unprotect, /v2/mask, /v2/multi/* |
| 500 | Internal server error | - Check if the scheme server is running by running below command curl -k --location -g --request GET '<PEG_EXTERNAL_URL>/api/peg/healthcheck' | /v2/protect, /v2/unprotect, /v2/mask, /v2/multi/* |
| 503 | PEG server is unavailable | - Verify that the peg server is up and healthy by running below command curl -k --location -g --request GET '<PEG_EXTERNAL_URL>/api/peg/healthcheck' | All endpoints |
/v2/multi/* includes endpoints like /v2/multi/protect, /v2/multi/unprotect,/v2/multi/mask, etc.
Step 2: Escalation Checklist
If the issue cannot be resolved through initial investigation, escalate it to the appropriate team with the following details:
- API endpoint and HTTP method Example: GET /api/crypto/scheme/name/{name}
- Timestamp of the error Include the exact time the alert was triggered
- Grafana alert screenshot Ensure it includes the HTTP Error Rate panel and relevant metrics
- Relevant logs or user actions leading up to the error Include any logs from the API service, client-side actions, or test steps that reproduce the issue
Resolution Steps for Scheme Server Alerts¶
This guide helps users identify and resolve API errors using the HTTP Error Rate panel in Grafana.
Step 1: Identify the Failing Endpoint & Understand Common HTTP Errors
Use the Summary, Method, URI, and Status values from the alert to determine:
- Which API endpoint is returning errors Example: (
/api/crypto/scheme/name/{name}) - Which HTTP method and status code triggered the alert Example: GET 404 (Not Found) or GET 500 (Internal Server Error)
Common HTTP Errors and Resolutions
| HTTP Code | Possible Cause | Recommended Action | Affected Endpoints |
|---|---|---|---|
| 400 | - Missing or invalid query/path parameters - Malformed JSON payload | - Validate all required query/path params like id, name, page, size- Ensure the request body conforms to expected schema (e.g., VScheme, VResponse)- Use tools like Swagger/Postman to test before calling from your app | /api/crypto/scheme, /api/crypto/scheme/{id}, /api/crypto/scheme/name/{name}, /api/crypto/import/schemes |
| 403 | - Missing or expired JWT token - Token lacks required roles or scopes | - Attach a valid Bearer token in Authorization header or generate new token refer - Ensure token has the required permissions and scopes Permission / Role Mapping - Renew the token if expired refer | All endpoints requiring authentication (e.g., /api/crypto/scheme, /api/crypto/create/tenantkeys) |
| 404 | - Endpoint path typo - Scheme ID or name not found - Incorrect environment | - Verify you're calling the correct path - Confirm the resource (scheme name or ID) exists - Ensure you are using the correct environment (e.g., not querying dev from prod) | /api/crypto/scheme/{id}, /api/crypto/scheme/name/{name}, /api/crypto/scheme/bytag, /api/crypto/scheme/allschemenames |
| 500 | - Server-side exception - Null pointer, missing DB record, or config issue | - Check if the response includes a VResponse.messageList or trace ID- Recheck payload and retry - Gather timestamp, request details, and namespace - Contact support | All endpoints (especially POST/PUT/DELETE to /api/crypto/scheme, /api/crypto/import/schemes, /api/crypto/create/system/schemes) |
Step 2: Escalation Checklist
If the issue cannot be resolved through initial investigation, escalate it to the appropriate team with the following details:
- API endpoint and HTTP method Example: GET /api/crypto/scheme/name/{name}
- Timestamp of the error Include the exact time the alert was triggered
- Grafana alert screenshot Ensure it includes the HTTP Error Rate panel and relevant metrics
- Relevant logs or user actions leading up to the error Include any logs from the API service, client-side actions, or test steps that reproduce the issue
- Prev topic: Advanced Configuration