Instance management FAQs


Answers to frequently asked questions about managing Key Management Service (KMS) instances.

Why is a KMS instance stuck in the Enabling state?

Enabling a KMS instance takes approximately 30 minutes.

Wait 30 minutes, then refresh the page. If the status changes to Enabled, the instance is ready. If the instance is still not enabled after 30 minutes, contact technical support. For details, see Contact us.

For more information, see Enable a KMS instance and Configure mutual TLS authentication.

Why does "Failed to Connect" appear when I enable a hardware key management instance?

Check that the access credential of the hardware security module (HSM) connected to the instance is valid.

For details, see Enable a KMS instance and .

What do I do if an error occurs when I enable a software key management instance?

| Error message | Cause | Solution |
| --- | --- | --- |
| Your VSwitches don't have enough ip address create dedicate kms instance. | The vSwitch associated with the KMS instance has no available IP addresses. Each private connection to a cloud service or application uses one IP address from the vSwitch. | Change to a different vSwitch with at least 1 available IP address. To check available IPs, log on to the VPC console, click vSwitch in the left-side navigation pane, then click the vSwitch ID. |
| 500:Internal Failure | Alibaba Cloud DNS PrivateZone is not activated. KMS activates it automatically in most cases, but manual activation is required if: your China site (aliyun.com) account purchases a software key management instance outside the Chinese mainland, or your International site (alibabacloud.com) account purchases a software key management instance in the Chinese mainland. | Manually activate Alibaba Cloud DNS PrivateZone. For details, see Activate Alibaba Cloud DNS PrivateZone. Domain name resolution fees are billed to KMS; no payment is needed on the Alibaba Cloud DNS PrivateZone side. |

What do I do if an error occurs when I enable a hardware key management instance?

| Error message | Cause | Solution |
| --- | --- | --- |
| Your VSwitches don't have enough ip address create dedicate kms instance. | The vSwitch associated with the KMS instance has too few available IP addresses. Each private connection uses one IP address, and KMS creates 2 to 4 elastic network interfaces (ENIs) to communicate with the HSM cluster, each using one IP address. | Change to a different vSwitch with at least 5 available IP addresses. To check available IPs, log on to the VPC console, click vSwitch in the left-side navigation pane, then click the vSwitch ID. |
| 500:Internal Failure | Alibaba Cloud DNS PrivateZone is not activated. KMS activates it automatically in most cases, but manual activation is required if: your China site (aliyun.com) account purchases a hardware key management instance outside the Chinese mainland, or your International site (alibabacloud.com) account purchases a hardware key management instance in the Chinese mainland. | Manually activate Alibaba Cloud DNS PrivateZone. For details, see Activate Alibaba Cloud DNS PrivateZone. Domain name resolution fees are billed to KMS; no payment is needed on the Alibaba Cloud DNS PrivateZone side. |

How do I configure the HSM cluster for a hardware key management instance?

Hardware key management instances store keys in an HSM cluster, which enables centralized key management and cryptographic operations. Configure the HSM cluster before using the instance.

For step-by-step instructions, see Configure an HSM cluster for a KMS instance of the hardware key management type.

Can applications access KMS instances across regions?

Yes. Purchase a software key management instance or hardware key management instance as needed. Then set up connectivity between the VPCs across regions, use PrivateZone to configure DNS resolution for the KMS instance, and associate it with the VPCs. Applications deployed in other regions can then access the KMS instance.

Before implementing this solution, you should evaluate constraints such as the costs of inter-VPC connections and PrivateZone services, Service Level Agreements (SLAs), bandwidth capacity, and effective time. Additionally, you need to develop system and network architectures, O&M management plans, and emergency response plans for deploying applications across multiple regions. For more information, see Accessing a KMS instance from an application in a different region.

How do I release a KMS instance?

To release a KMS instance, submit a refund request. When the refund is processed, the instance is released.

Important

Back up the instance before releasing it if you may need to access its keys or secrets later.

  • To request a refund, see Refunds.

  • To back up the instance, see Backups.