AWP FSS error: key set is not defined. Error: Incorrect registered key set (0x80070643) Incorrect cryptopro key set parameter

The message does not conform to the XML Encryption format.
Contact the developer of the software in which the data was encrypted.
Provide the following information: Missing EncryptedData class element ru.ibs.cryptopro.jcp.crypt.CryptoException

The reasons:

    Incorrect settings of AWP LPU in terms of signing;

    Incorrect crypto provider settings;

    Expiration of the certificate, private key or CryptoPro CSP license.

What to do:

1. Set up AWP LPU

Attention! Support for the GOST 2012 algorithm in the AWP LPU was added in version 2.0.21. If you have an older version, update it to the latest one.
In the menu Administration - Setting up signatures for services, set the "Encrypt message" flag. After that, you need to specify the FSS Certificate Name and Container Type. This certificate can be downloaded at https://lk.fss.ru/eln.html (if you are setting up services for testing, then you need to download the FSS TEST certificate). After downloading, install it on your computer.
Please note that the MO certificate (which must have a private key) and the FSS certificate must both be installed in the "Personal" store; accordingly, the container type is "Personal". The entire chain of higher-level certificates must be installed in the "Trusted Root Certification Authorities" store. All certificates must be current and not revoked.

2. Check your crypto provider settings

When using the Vipnet CSP cryptographic provider, the working version is 4.4.
When using the CryptoPro CSP cryptographic provider, the working version is 4.0 and above. Build 4.0.9963 is recommended.
Through the "Control Panel" in CryptoPro CSP, go to the "Service" tab, click the "Delete remembered passwords ..." button. In the "Delete remembered passwords" window, select "Delete all remembered passwords of private keys: User".
If GOST 2012 signing certificates are used, check the settings on the "Algorithms" tab. Select GOST R 34.10-2012 from the "Select CSP type" dropdown list. The following parameters must be set:

Below is a sample of settings in CryptoPro CSP 5.0

If you cannot change the parameters on the "Algorithms" tab (even by running CryptoPro CSP as an administrator), you must do the following:
In the Windows registry, open the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters and change the EnableOIDModify value to 1. Then reboot the computer.

After changing the crypto provider settings, restart AWP LPU.

3. Check certificates and licenses

Using the certmgr.msc system utility (Start button - Run (Search programs and files)), open your certificate. The certificate must not have expired.
Launch CryptoPro CSP. On the "General" tab, check the expiration date of the crypto provider's license.
Open the "Service" tab and click the "Test" button. Select your certificate's private key container. In the testing window that opens, there should be no errors, messages about the expiration of the key, etc.

2. ORA-20015: Failed to determine the state of the ELN:

To switch to the "Extended" status, you must add a period of incapacity for work;
To switch to the "Closed" status, you must fill in the fields: "Start work from: date" or "Other: code";
To switch to the status "Referral to ITU", you must fill in the field "Date of referral to the ITU bureau"

Cause:

1. There is an ELN in the system with the same number and the same data that you send (data duplication);

2. The data sent to the ELN does not correspond to the stage of registration (filling in) of the ELN:

  • insufficient data to determine the state of the ELN;
  • the entered data relate to different stages of registration (filling in) of the ELN.

What to do:

3. ORA-20013: Failed to update data. Updated record is no longer relevant

Cause:

You are trying to change an ELN that has already been changed by someone else.

What to do:

1. Request the current status of the ELN from the system, thereby eliminating the re-sending of the same data;

2. Perform the necessary further operation with the ELN in accordance with the order 624n:

  • extension (add a new period of incapacity for work);
  • closing (add information about closing);
  • direction to ITU (add information about direction to ITU).

4. ORA-20001: Access to ELN with No. _________, SNILS _________, status _________ - restricted

Cause:

You are trying to get the data of an ELN that is in a status that restricts your access. For example, the insured is trying to obtain data from an ELN that has not yet been closed by a medical organization. According to the process model, the policyholder can receive ELN data for editing only in status 030 - Closed. Another example: the ITU bureau cannot receive data of an ELN that has not been sent to the ITU bureau (status 040 - Referral to ITU).

What to do:

1. Make sure that the number of the ELN whose data you want to receive is entered correctly.

2. Wait for the ELN to move to a status that allows you to receive its data.

5. Error calling the data transfer/receive service. Failed to decrypt message.

It is possible that the message was encrypted with a key different from the key of the authorized person of the FSS.

Check the correctness and relevance of the key of the authorized person of the FSS.

The reasons:

    In the settings for signing and encryption in the software used by the user, the field "Certificate of an authorized person of the FSS" contains an incorrect certificate;

    A particular build of the Vipnet CSP cryptographic provider is used.

What to do:

Specify the correct certificate of the authorized person of the FSS:

  • Determine the direction of sending requests - test or production;
  • Download the certificate of the authorized person of the FSS in the section ELN on the Foundation's website;
    The certificate for test sending is published at https://lk-test.fss.ru/cert.html
    The certificate for production is published at https://lk.fss.ru/cert.html;
  • Close the software you are using. Delete the installed FSS certificates from the "Personal" storage using the certmgr.msc system utility (Start - Run button (Search programs and files)). Install the downloaded certificate on the computer in the "Personal" store for the current user;
  • Specify this certificate in the corresponding settings of the software used.

When using the cryptographic provider Vipnet CSP - the working version is 4.4.

6. Failed to call the data transfer/receive service.

Message encryption error for recipient. Client received SOAP Fault from server: Fault occurred while processing. Please see the log to find more detail regarding exact cause of the failure.null

Cause:

You specified the wrong certificate for encrypting the message in the "MO Certificate Name" field: the specified certificate can only be used for signing, not encryption.

What to do:

Order and install a certificate that supports not only the signing operation, but also the encryption operation.

7. Error installing AWP LPU: Unable to build entity manager factory.

An error occurred while trying to load data from the database. Provide the administrator with the following information:

Unable to build entity manager factory.

Cause:

  • The application was installed incorrectly (the database was installed incorrectly);
  • The application database is installed but not available.

What to do:

1. Run the installation with administrator rights;

2. Install the program according to the steps of the instruction (the path where the instruction is located: http://lk.fss.ru/eln.html).

If the application was installed according to the instructions, but the error persists, you need to check:

  • The postgresql-9.5 service is disabled on the machine. Right-click the "My Computer" icon - Management - Services and Applications - Services; postgresql-9.5 should be running, with the startup type set to automatic. To configure the startup and operation of Windows services, contact your system administrator;
  • The wrong password for the user fss is specified in the database connection settings. Check that this password has not been changed in the database; the default password is fss;
  • Check the PostgreSQL database installation directory; the default is C:\postgresql\;
  • By default, the connection to the PostgreSQL database is made on port 5432. This port must be open and available. Check with your system administrator;
  • The application on the client machine cannot contact the server because of a network restriction. Check the settings of antivirus software, firewalls and other network software; the client machine must be allowed to connect to the server on port 5432.
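
The service, directory and port items of this checklist can be verified in one pass. The PowerShell below is an added example, not part of AWP LPU; the function name is hypothetical and the service name pattern is an assumption chosen to match "postgresql-9.5" and similarly named services.

```powershell
# Added example: read-only checks for the database items listed above.
# Defaults come from the page (port 5432, C:\postgresql); the service name
# pattern is an assumption that covers "postgresql-9.5" and similar names.
function Test-AwpLpuDatabase {
    param(
        [string]$Server      = 'localhost',     # database host configured in AWP LPU
        [int]   $Port        = 5432,
        [string]$ServiceLike = 'postgresql%',   # WQL LIKE pattern
        [string]$InstallDir  = 'C:\postgresql'
    )

    # Service and directory checks only make sense on the database host itself.
    if ($Server -in @('localhost', '127.0.0.1', $env:COMPUTERNAME)) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$ServiceLike'" |
               Select-Object -First 1
        if ($svc) {
            [pscustomobject]@{ Check  = 'Service running'
                               OK     = ($svc.State -eq 'Running')
                               Detail = "$($svc.Name): $($svc.State)" }
            [pscustomobject]@{ Check  = 'Service starts automatically'
                               OK     = ($svc.StartMode -eq 'Auto')
                               Detail = $svc.StartMode }
        } else {
            [pscustomobject]@{ Check  = 'Service installed'
                               OK     = $false
                               Detail = "no service matching $ServiceLike" }
        }
        [pscustomobject]@{ Check  = 'Install directory present'
                           OK     = (Test-Path -LiteralPath $InstallDir)
                           Detail = $InstallDir }
    }

    # Network path from this machine to the database port (firewall, antivirus).
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check  = "TCP port $Port reachable"
                       OK     = $tcp.TcpTestSucceeded
                       Detail = "$Server ($($tcp.RemoteAddress))" }
}

# On a client machine, pass the database server name to test only the network path:
#   Test-AwpLpuDatabase -Server dbhost
Test-AwpLpuDatabase | Format-Table -AutoSize
```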

8. Error when trying to load data from the database.

An error occurred while trying to load data from the database.

Provide the following information: org.hibernate.exception.SQLGrammarException: could not extract ResultSet.

Cause:

The AWP LPU application cannot get data from the PostgreSQL database. This error occurs most often after installing an update, when the application is up to date and the PostgreSQL database is not up to date for some reason.

What to do:

  • If the application is installed on the user's computer and the PostgreSQL database is on the server, the application update must be run not only on the client but also on the server machine;
  • If both the application and the PostgreSQL database are installed on the same machine, check the application's installation directory. By default, the AWP LPU application is placed in the C:\FssTools directory, and the PostgreSQL database is placed in the C:\postgresql directory. If another directory was selected for the application during the initial installation, you must specify that directory when updating.

9. Error when trying to enter the signature settings in the AWP LPU software.

When trying to enter the signature settings in the AWP LPU software, an error occurs "Internal error. Reason: java.lang.ExceptionInInitializerError" or

"Internal Error. Reason: java.lang.NoClassDefFoundError: Could not initialize class ru.ibs.fss.common.security.signature.COMCryptoAPIClient"

Cause:

The application was installed incorrectly (GostCryptography.dll library not registered).

What to do:

1. Make sure that the bitness of the OS matches the bitness of the application installer.

2. Check that Microsoft .NET Framework components of version 4 or higher are installed in the system (by default, these components are installed in C:\Windows\Microsoft.NET\Framework). These components can be downloaded from microsoft.com.

3. Check that the folder where the application is installed contains the GostCryptography.dll file (by default, this file is installed in C:\FssTools). If the file is missing, try reinstalling the application.

4. If everything is correct, run the following on the command line:

cd C:\FssTools -- go to the folder where the GostCryptography.dll file is located

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /registered GostCryptography.dll -- use the path where your Microsoft .NET components are installed

5. Restart the application.

10. Error calling the data transmission/reception service. Invalid element in ru.ibs.fss.eln.ws.FileOperationsLn_wsdl.ROW - SERV1_DT1.

Error: "Error calling data transfer/receiving service. Invalid element in ru.ibs.fss.eln.ws.FileOperationsLn_wsdl.ROW - SERV1_DT1"

Cause:

The field "SERV1_DT1" was excluded in the new specification 1.1 (version 14 and higher of AWP LPU), and the connection string was changed.

What to do:

Change the connection string in the settings.

In the menu Administration - FSS service settings - Connection string, specify the following service address:

  • For production: https://docs.fss.ru/WSLnCryptoV11/FileOperationsLnPort?WSDL
  • For testing:

13. AWP for preparing calculations for the FSS, the error "Key set is not defined"

    Cause:

    The GOST of the FSS certificate does not match the crypto provider selected in the settings, or the crypto provider cannot get the private key from the private key container for the selected certificate.

    What to do:

    • In the settings of the Signing and Encryption workstation, check that the specified cryptographic provider corresponds to the one actually installed by the user;

    • In the settings of the Signing and Encryption workstation, check that the GOSTs of the signing certificate and the FSS certificate are the same and correspond to the selected crypto provider;

    • If an ES certificate is used in accordance with GOST 2012, open the certificate, go to the "Composition" tab and find the "Electronic signature tool" field.
      Check that the ES tool corresponds to the cryptographic provider installed by the user;

    • If you use an ES certificate according to GOST 2012 and CryptoPro cryptographic provider, check the settings on the "Algorithms" tab. Select GOST R 34.10-2012 (256) from the "Select CSP type" dropdown list. The following parameters must be set:

        "Parameters of the encryption algorithm" - GOST 28147-89, parameters of the encryption algorithm TK26 Z

        "Parameters of the signature algorithm" - GOST 34.10-2001, default parameters

        "Parameters of the Diffie-Hellman algorithm" - GOST 34.10-2001, default exchange parameters


    • The certificate does not contain a private key. Using the certmgr.msc system utility, open the certificate, on the "General" tab it should say "There is a private key for this certificate";

    • The crypto provider does not see the private key container for this certificate. In CryptoPro CSP, go to the "Service" tab and click "Delete remembered passwords" - for the user;

    • The container may have been corrupted by third-party software. Reinstall the certificate again, with the obligatory indication of the container;

    • Reinstall the crypto provider.
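
The certificate conditions named in this checklist and in the earlier sections (validity period, presence of a private key, a certificate that allows encryption and not only signing, the GOST generation of the key) can be read from the "Personal" store in one pass. The PowerShell below is an added example, not part of AWP LPU or CryptoPro CSP; the function name is hypothetical, and treating the keyEncipherment, dataEncipherment and keyAgreement bits as "can encrypt" is an assumption.

```powershell
# Added example: read-only audit of the certificates in the "Personal" store.
# Nothing is installed or changed.
$GostKeyOids = @{                        # public-key algorithm OIDs
    '1.2.643.2.2.19'    = 'GOST R 34.10-2001'
    '1.2.643.7.1.1.1.1' = 'GOST R 34.10-2012 (256)'
    '1.2.643.7.1.1.1.2' = 'GOST R 34.10-2012 (512)'
}

function Get-ElnCertificateReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',   # "Personal", current user
        [switch]$CheckRevocation                        # needs access to the CA's CRLs
    )
    $KU       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    # Assumption: any of these three bits makes the certificate usable for encryption.
    $encBits  = [int]$KU::KeyEncipherment -bor [int]$KU::DataEncipherment -bor [int]$KU::KeyAgreement
    $signBits = [int]$KU::DigitalSignature -bor [int]$KU::NonRepudiation

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        # Without a key usage extension the certificate does not restrict usage.
        $usage = if ($kuExt) { [int]$kuExt.KeyUsages } else { $encBits -bor $signBits }

        $oid = $cert.PublicKey.Oid.Value
        $alg = if ($GostKeyOids.ContainsKey($oid)) { $GostKeyOids[$oid] } else { "not GOST ($oid)" }

        # Chain up to "Trusted Root Certification Authorities"; for GOST
        # certificates this only succeeds when the crypto provider is installed.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.GetNameInfo('SimpleName', $false)
            Thumbprint    = $cert.Thumbprint
            KeyAlgorithm  = $alg
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey
            CanSign       = (($usage -band $signBits) -ne 0)
            CanEncrypt    = (($usage -band $encBits) -ne 0)
            ChainValid    = $chainOk
            ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

Get-ElnCertificateReport | Format-List
```

The organization's own certificate must show HasPrivateKey = True, and its KeyAlgorithm must be the same GOST generation as the FSS certificate and the crypto provider selected in the signing and encryption settings. The downloaded FSS certificate carries no private key, so False is expected for it.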

    To resolve this issue, follow these steps:

    1. Select menu "Start" > "Control Panel" > "CryptoPro CSP". Go to the "Service" tab and click on the "Delete remembered passwords" button. Mark the "User" item and click on the "OK" button.

    2. In the "Select a key container" window, select the "Unique names" switch and repeat the container selection.

    3. If the key medium is a floppy disk or flash card, you need to view its contents. At the root of the media, there should be a folder with six files with the .key extension.

    4. If the key carrier is ruToken or ruToken Lite, then you should reinstall the drivers and the support module. For this you need:

    • Disconnect the token from the computer (at the moment of disconnection, the LED on the token should not blink).
    • Open "Start" > "Control Panel" > "Add/Remove Programs" (for the Windows Vista and Windows 7 operating systems: "Start" > "Control Panel" > "Programs and Features").
    • In the list, find the item "Rutoken Support Modules", "Rutoken Drivers" (or "Rutoken Drivers") and select "Delete".
    • Restart the computer.
    • Install new drivers and support module, as well as perform all other recommended actions using the diagnostic service.

    5. Make a copy of the key container and install the certificate from the duplicate (see How to copy a container with a certificate to another medium?).

    If the proposed solution does not resolve the error, contact technical support at [email protected], providing the following information:

    • TIN and KPP of the organization;
    • screenshot of the error that occurs;
    • diagnostic number;

    To obtain it, open the diagnostic portal at https://help.kontur.ru again and click the "Start Diagnostics" button. Once the check is completed, the diagnostic number will be displayed on the screen. Specify this number in the letter.

    • If a floppy disk or flash card is used, then report which files and folders are contained in the root of the media.
    • If the key carrier is ruToken or ruToken Lite, then a screenshot of the ruToken properties window;

    To open this window, go to the menu "Start" > "Control Panel" > "Crypto Pro CSP" > "Hardware" > "Configure Media Types", select "Rutoken" (or "Rutoken lite") > "Properties" > "Information".

    Creation of an electronic signature on the 1C platform using the CIPF CryptoPro CSP can be performed both on the server side and on the client side. In both cases, a rather nasty error can appear:
    Invalid key set parameter.

    What makes this error unpleasant is that it has many causes, and correcting it requires a whole range of measures.

    Formulation of the problem

    Let's say there is an infobase with which the 1C platform works in the client-server version. We will create an electronic signature on the server side; in this case it is recommended to use certificates and keys located in the local computer store, as they will be available to any Windows user. There is also a certificate installed in the local computer store, in the Personal section (see Figure 1), bound to a private key (see Figure 2).
    When creating an ES, an exception occurs, reporting an incorrect key set parameter.

    Solution

    Creating an ES on the server side means that this operation will be executed on behalf of the 1C server user (USR1CV82 or USR1CV83, depending on the platform version). One of the reasons for the incorrect key set parameter error is that the user does not have access to the private (secret) key of the certificate.

    To give the user the necessary rights to work with the private key of the certificate, open the Certificates snap-in (connected automatically when installing CryptoPro CSP) and find the certificate that is used to create the ES. Right-click it and select All Tasks -> Manage Private Keys (see Figure 3).
    In the window that opens, add a user and set full access to the private key.
    The error should disappear.

    Good afternoon, dear friends! Today we will consider a problem with the AWP FSS program, namely "error: key set is not defined". You will most likely encounter this error when loading an ELN. Let's figure it out! Go!

    AWP FSS error: key set is not defined

    I encountered this problem just when loading an electronic sick leave. Let's update first. How to update AWP FSS read here.

    Now let's go to the menu section "Accounting work" and select "Workstation of signing and encryption".

    Now let's be careful! We need to put down the correct keys. That is, choose our certificates correctly.

    What certificates to put when loading sick leave in the FSS workstation

    Go to the section "Personal certificate ELN. Insured". This is the certificate of our organization! Select it by clicking on the button with the open folder.

    Go to the personal section and select our certificate.

    STOP! No certificate? It's already weird!

    Certificates are not displayed in AWP FSS, what should I do?

    Since 2019, we have been switching to a new GOST for electronic signatures. It is called GOST 2012. Until 2019, we used certificates issued under GOST 2001. It turns out that 2019 is a transitional year between the two GOSTs. Now it is allowed to use a certificate of either GOST 2001 or GOST 2012. If you reissued or issued a new certificate in 2019, then with a 99% probability you already have the new GOST 2012. If you issued a certificate in 2018, then most likely it is GOST 2001. This is the whole problem. Now let's find our certificates!

    Please note that a switch to different GOSTs has appeared in the new versions.

    By switching this mode, you will see your certificates. First try GOST 2001; if the certificates are not displayed, select GOST 2012. I'm sure you will find your certificate.

    That's it, we found our hidden certificate, now let's move on!

    Installing manager certificates

    Personal certificate ELN. Supervisor. Here you select the director's certificate; as a rule, it coincides with the organization's certificate.

    Installing the right crypto provider

    Now we need to decide on . It sounds scary and complicated, but now everything will be clear!

    Scroll back up and check which GOST the certificate we chose uses. If you have a GOST 2001 certificate, then in the line "Cryptoprovider" select the item "Crypto-Pro GOST R 34.10-2001 Cryptographic Service Provider". If your certificate is GOST 2012, then choose "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider".

    Everything is very simple here. Firstly, I already have an article on this topic, everything is described in detail there, so I won’t write again. You can read it here.

    I’ll just say that for a successful installation, you need to press 2 buttons: “Install the certificate of an authorized person of the FSS ELN” and “Install a certificate of an authorized person of the FSS”.

    RESOLVED!

    Friends! If the error has not disappeared for you, experiment with the certificates and GOSTs, and with the Cryptoprovider line. The whole mistake lies precisely in this! If you still can’t set it up yourself, then go to the “” section, and I will help you!

    That's all! Now you know what to do if you get the AWP FSS error "key set is not defined".

    If you have any questions, ask them in the comments! Good luck to everyone!
