
Error: key set does not exist. Incorrect key set parameter when creating an electronic signature on the server side. Certificates are not displayed in the FSS automated workplace: what to do?

Good afternoon dear friends! Today we will consider the problem with the FSS automated workplace program, namely "error: keyset not defined." You will most likely encounter this error when loading ELN. We will cope! Let's go!

FSS automated workplace error: key set is not defined

If you are unable to solve this problem on your own, you can go to the section and our specialists will help you.

I encountered this problem just when downloading an electronic sick leave. Let's update first. Read here how to update the FSS automated workstation.

Now let’s go to the “Accounting Work” menu section and select “Signing and Encryption Workstation”.

Now let's be careful! We need to enter the correct keys. That is, choose our certificates correctly.

What certificates to put when loading sick leave into the FSS automated workplace

Go to the section "Personal certificate ELN. Policyholder." This is a certificate from our organization! Select it by clicking on the button with the open folder.

Go to the personal section and select our certificate.

STOP! No certificate? This is already strange!

Certificates are not displayed in the FSS automated workplace, what should I do?

Since 2019, we have been moving to a new GOST for electronic signatures. It is called GOST 2012. Until 2019, we used certificates issued under GOST 2001. It turns out that 2019 is a transitional year between the two GOSTs. For now, certificates under both GOST 2001 and GOST 2012 are allowed. If you re-issued or were issued a new certificate in 2019, then with 99% probability you already have the new GOST 2012. If you were issued a certificate in 2018, then most likely it is still GOST 2001. That is the whole problem. Now let's find our certificates!

Please note that in new versions there is a switch for different GOSTs.

By switching this mode, you will see your certificates. Try installing GOST 2001 first; if the certificates are not displayed, install GOST 2012. I am sure you will find your certificate.

That's it, we found our hidden certificate, now let's move on!

Installing manager certificates

Personal certificate ELN. Supervisor. When you issue a director's certificate, it usually coincides with the organization's certificate.

Installing the right crypto provider

Now we need to decide on . It sounds scary and complicated, but now everything will be clear!

We go higher and look at which GOST certificate we chose. If you have a GOST 2001 certificate, then in the “Cryptographic Provider” line, select the “Crypto-Pro GOST R 34.10-2001 Cryptographic Service Provider” item. If your certificate is 2012 GOST, then select “Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider”.

Everything is very simple here. Firstly, I already have an article on this topic, everything is described in detail there, so I won’t write it again. You can read it here.

I’ll just say that for a successful installation you need to click 2 buttons: “Install a certificate of an authorized person of the FSS ELN” and “Install a certificate of an authorized person of the FSS.”

SOLVED!

Friends! If the error still persists for you, experiment with the certificates and GOSTs, and with the Cryptographic Provider line. The whole mistake lies precisely in this! If you still can’t configure it yourself, then go to the “” section and I will help you!

If you need professional help from a system administrator to resolve this or any other issue, go to the section and our employees will help you.

That's all! Now you know what to do if the FSS automated workplace program shows the error "key set is not defined".

If you have any questions, ask them in the comments! Good luck and good luck to everyone!


To resolve this issue, follow these steps:

1. Select the “Start” menu > “Control Panel” > “CryptoPro CSP”. Go to the “Service” tab and click on the “Remove remembered passwords” button. Select the “User” item and click the “OK” button.

2. In the “Select key container” window, select the “Unique names” radio button and repeat the container selection.

3. If the key carrier is a floppy disk or flash card, you need to view its contents. At the root of the media there should be a folder with six files with the extension .key.

4. If the key carrier is ruToken or ruToken Lite, then you should reinstall the drivers and support module. To do this you need:

  • Disconnect the token from the computer (at the moment of disconnection, the LED on the token should not blink).
  • Open the Start menu > Control Panel > Add or Remove Programs (for the Windows Vista and Windows Seven operating systems: Start > Control Panel > Programs and Features).
  • In the list, find the element “Rutoken Support Modules”, “Rutoken Drivers” (or “Rutoken Drivers”) and select “Delete”.
  • Restart your computer.
  • Install new drivers and support module, as well as perform all other recommended actions using the diagnostic service.

5. Make a copy of the key container and install the certificate from the duplicate (see How to copy a container with a certificate to another medium?).

If the proposed solution does not help resolve the error, contact technical support at [email protected], providing the following information:

  • TIN and checkpoint of the organization;
  • screenshot of the error that occurs;
  • diagnostic number;

You must re-enter the diagnostic portal at https://help.kontur.ru and click on the “Start diagnostics” button. As soon as the verification process is completed, the diagnostic number will be displayed on the screen. Please indicate the assigned request number in the letter.

  • If a floppy disk or flash card is used, then indicate which files and folders are contained in the root of the media.
  • If the key carrier is ruToken or ruToken Lite, then a screenshot of the ruToken properties window;

To open this window, go to the “Start” menu > “Control Panel” > “Crypto Pro CSP” > “Hardware” > “Configure media types”, select “Rutoken” (or “Rutoken lite”) > “Properties” > "Information".

Creating an electronic signature on the 1C platform using CIPF CryptoPro CSP can be performed both on the server side and on the client side. In both cases, a rather nasty error may appear:
Invalid parameter set of keys.

This error is unpleasant because it has many causes, and correcting it requires a whole range of measures.

Statement of the problem

Let's say there is an information base that the 1C platform works with in the client-server version. We will create the electronic signature on the server side; in this case, it is recommended to use certificates and keys located in the local computer storage, since they will be available to any Windows user. There is also a certificate installed in the local computer storage in the Personal section (see Figure 1) with a link to the private key (see Figure 2).
When creating an electronic signature, an exceptional error occurs indicating that the key set parameter is incorrect.

Solving the problem

Creating an electronic signature on the server side means that this operation will be performed on behalf of the 1C server user (USR1CV82 or USR1CV83, depending on the platform version). One of the reasons for the incorrect key set parameter error to appear is that the user does not have access to the private key of the certificate.

To give the user the necessary rights to work with the certificate's private key, open the Certificates snap-in (it is connected automatically when CryptoPro CSP is installed) and find the certificate that is used to create the electronic signature. Right-click on it and select All tasks -> Manage private keys (see Figure 3).
In the window that opens, add a user and set full access to the private key.
The error should disappear.

The message does not conform to the XML Encryption format.
Contact the developer of the software with which the data was encrypted.
Report the following information: Missing element EncryptedData class ru.ibs.cryptopro.jcp.crypt.CryptoException

Reasons:

    Incorrect settings of the automated workplace of health care facilities regarding signing;

    Incorrect crypto provider settings;

    Expiration of the certificate, the private key, or the CryptoPro CSP license.

What to do:

1. Configure the automated workplace of the healthcare facility

Attention! Support for the GOST 2012 algorithm in the automated workplace of health care facilities was added in version 2.0.21. If you have an earlier version, update it to the current one.
In the Administration menu – Configuring signatures for services, set the “Encrypt message” flag. After this, you need to specify the FSS Certificate Name and Container Type. This certificate can be downloaded from the website https://lk.fss.ru/eln.html (if you are setting up services for testing, then you need to download the FSS TEST certificate). After downloading, install it on your computer.
Please note that the MO certificate (which must have a private key) and the FSS certificate must be installed in the “Personal” storage; accordingly, the container type selected is “Personal”. The entire chain of higher-level certificates must be installed in the “Trusted Root Certification Authorities” folder. All certificates must be current and not revoked.

2. Check your crypto provider settings

When using the Vipnet CSP crypto provider, the working version is 4.4.
When using the CryptoPro CSP crypto provider, the working version is 4.0 and higher. Build 4.0.9963 is recommended.
Through the “Control Panel” in CryptoPro CSP, go to the “Service” tab, click the “Delete remembered passwords...” button. In the “Remove remembered passwords” window, select “Delete all remembered private key passwords: User”.
If signing certificates according to GOST 2012 are used, check the settings on the "Algorithms" tab. In the "Select CSP type" drop-down list, select GOST R 34.10-2012. The following parameters must be set:

Below is a sample of settings in CryptoPro CSP 5.0

If you cannot change the settings on the "Algorithms" tab (even by running CryptoPro CSP as an administrator), you need to do the following:
In the Windows registry, open the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters and change the EnableOIDModify value to 1. Then you need to reboot.

After changing the settings of the crypto provider, you need to restart the automated workplace of the healthcare facility.

3. Check certificates and licenses

Using the certmgr.msc system utility (Start button - Run (Search programs and files)) open your certificate. The certificate must not be expired.
Launch CryptoPro CSP. On the "General" tab, check the validity period of the crypto provider's license.
Open the "Service" tab and click the "Test" button. Select your certificate's private key container. The testing window that opens should not contain errors, messages about the key expiration, etc.

2. ORA-20015: Failed to determine the state of the ELN:

To switch to the "Extended" status, you must add a period of incapacity;
To switch to the “Closed” status, you must fill in the following fields: “Start working from: date” or “Other: code”;
To switch to the “Referral to ITU” status, you must fill in the field “Date of referral to the ITU Bureau”

Cause:

1. There is an ELN in the system with the same number and the same data that you send (data duplication);

2. The data sent to the ELN does not correspond to the stage of registration (filling out) of the ELN:

  • there is insufficient data to determine the state of the ELN;
  • the entered data relates to different stages of registration (filling out) of the ELN.

What to do:

3. ORA-20013: Data update failed. The entry being updated is no longer relevant

Cause:

You are trying to change an ELN that has already been changed by someone else.

What to do:

1. Request the current status of the ELN from the system, thereby preventing repeated sending of the same data;

2. Perform the necessary further operation with ELN in accordance with procedure 624n:

  • extension (add a new period of incapacity);
  • closure (add closure information);
  • referral to ITU (add information about referral to ITU).

4. ORA-20001: Access to ELN with No._________, SNILS_________, status _________ - limited

Cause:

You are trying to obtain data from an ELN that is in a status that restricts your access. For example, the policyholder is trying to obtain data on an ELN that has not yet been closed by the medical organization. According to the process model, the policyholder can receive ELN data for editing only with status 030 - Closed. Another example is that the ITU bureau cannot receive data from an ELN that has not been sent to the ITU bureau (status 040 - Sent to the ITU).

What to do:

1. Make sure that the ELN number whose data you want to receive is entered correctly.

2. Wait for the ELN to transition to a status that will allow you to receive the ELN data.

5. Error calling data transfer/receive service. The message could not be decrypted.

It is possible that the message was encrypted with a key different from the key of the FSS authorized person.

Check that the key of the authorized person of the FSS is correct and up-to-date.

Reasons:

    In the signing and encryption settings in the software used by the user, an incorrect certificate is specified in the “FSS Authorized Person Certificate” field;

    The crypto provider Vipnet CSP of a certain build is used.

What to do:

Please indicate the correct FSS authorized person certificate:

  • Determine the direction of sending requests - test or productive;
  • Download the certificate of an authorized person of the FSS in the ELN section on the Foundation’s website;
    The certificate for test sending is published on the website https://lk-test.fss.ru/cert.html
    The certificate for the product is published on the website https://lk.fss.ru/cert.html;
  • Close the software you are using. Remove the installed FSS certificates from the “Personal” storage using the certmgr.msc system utility (Start button - Run (Find programs and files)). Install the downloaded certificate on your computer in the “Personal” storage for the current user;
  • Specify this certificate in the appropriate settings of the software you are using.

When using the Vipnet CSP crypto provider, the working version is 4.4.

6. Error calling data transfer/reception service.

Error encrypting message for recipient. Client received SOAP Fault from server: Fault occurred while processing. Please see the log to find more detail regarding the exact cause of the failure.null

Cause:

You specified an incorrect certificate for message encryption in the MO Certificate Name field: the specified certificate can only be used for signing, not encryption.

What to do:

Order and install a certificate that supports not only the signing operation, but also the encryption operation.

7. Error when installing automated workplace of health care facility: Unable to build entity manager factory.

An error occurred while trying to load data from the database. Provide the administrator with the following information:

Unable to build entity manager factory.

Cause:

  • The application was installed incorrectly (the database was installed incorrectly);
  • The application database is installed but not accessible.

What to do:

1. Run the installation with administrator rights;

2. Install the program according to the steps of the instructions (path where the instructions are: http://lk.fss.ru/eln.html).

If you installed the application according to the instructions, but the error persists, you need to check:

  • The postgresql-9.5 service is disabled on the computer. Right-click on the "My Computer" icon - Manage - Services and Applications - Services; postgresql-9.5 should be running and set to start automatically. To configure the startup and operation of Windows services, contact your system administrator;
  • The wrong password is specified for the user fss in the database connection settings. Check that this password has not been changed in the database; the default password is fss;
  • Check the PostgreSQL database installation directory; the default is C:\postgresql\;
  • Connection to the PostgreSQL database is carried out by default on port 5432. This port must be open and accessible. To check, contact your system administrator;
  • The application on the client machine cannot contact the server because some network restriction has been set. Check the settings of antiviruses, firewalls, and other network software: permission for the client machine to connect to the server on port 5432 must be specified.
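
The checks in the list above can be run in one pass. The following PowerShell function is an added example, not part of the FSS instructions or software; the function name Test-FssDatabaseReachability, the DbHost and TimeoutMs parameters are assumptions, while the service name, port and directory are the defaults quoted above.

```powershell
# Added example: checks the service state, the install directory and TCP reachability
# of the PostgreSQL database used by the automated workplace application.
function Test-FssDatabaseReachability {
    param(
        [string]$ServiceName = 'postgresql-9.5',  # service name from the list above
        [string]$DbHost      = 'localhost',       # assumption: set to the server name on a client machine
        [int]$Port           = 5432,              # default port from the list above
        [string]$InstallDir  = 'C:\postgresql',   # default directory from the list above
        [int]$TimeoutMs      = 3000               # assumption: connect timeout
    )

    $result = [ordered]@{
        DbHost              = $DbHost
        ServiceFound        = $false
        ServiceRunning      = $false
        StartsAutomatically = $false
        InstallDirExists    = (Test-Path -LiteralPath $InstallDir)
        PortReachable       = $false
    }

    # The service and the directory exist only on the machine that hosts the database,
    # so on a pure client machine these three values are expected to stay False.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceFound        = $true
        $result.ServiceRunning      = ($svc.Status -eq 'Running')
        # StartType is available in Windows PowerShell 5.0 and later.
        $result.StartsAutomatically = ($svc.StartType -eq 'Automatic')
    }

    # Plain TCP connect with a timeout: shows whether a firewall or antivirus
    # blocks the path from this machine to the database port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DbHost, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)   # throws if the connection was refused
            $result.PortReachable = $client.Connected
        }
    } catch {
        $result.PortReachable = $false
    } finally {
        $client.Close()
    }

    [pscustomobject]$result
}

Test-FssDatabaseReachability
```

Run it once on the database server and once on the client with -DbHost set to the server: a port that is reachable locally but not from the client points to the network restriction described in the last item.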

8. Error when trying to load data from the database.

An error occurred while trying to load data from the database.

Report the following information: org.hibernate.exception.SQLGrammarException: could not extract ResultSet.

Cause:

The automated workplace health care facility application cannot obtain data from the PostgreSQL database. This error occurs most often after installing an update, when the application is updated, but the PostgreSQL database is not updated for some reason.

What to do:

  • If the application is installed on the user's computer and the PostgreSQL database is installed on the server, the update application must be run not only on the client but also on the server machine;
  • If both the application and the PostgreSQL database are installed on the same machine, check the application installation directory. By default, the automated workplace health care facility application is placed in the C:\FssTools directory, and the PostgreSQL database in the C:\postgresql directory. If you selected a different directory for the application during the initial installation, then when updating you must specify this exact directory.

9. Error when trying to enter the signature settings in the automated medical facility software.

When you try to enter the signature settings in the automated medical facility software, the error "Internal error. Reason: java.lang.ExceptionInInitializerError" or

"Internal Error. Reason: java.lang.NoClassDefFoundError: Could not initialize class ru.ibs.fss.common.security.signature.COMCryptoAPIClient"

Cause:

The application was installed incorrectly (the GostCryptography.dll library was not registered).

What to do:

1. You must make sure that the bit depth of the OS matches the bitness of the application installer.

2. Check that Microsoft .NET Framework components version 4 and higher are installed on the system (by default, these components are installed in C:\Windows\Microsoft.NET\Framework). These components can be downloaded from microsoft.com.

3. Check that the folder where the application is installed contains the GostCryptography.dll file (by default, this file is installed in C:\FssTools). If this file is missing, try reinstalling the application.

4. If everything is correct, run the following on the command line:

cd C:\FssTools -- go to the folder where the GostCryptography.dll file is located

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /registered GostCryptography.dll -- indicating your installation address for Microsoft.NET components

5. Restart the application.

10. Error calling the data transmission/reception service. Invalid element in ru.ibs.fss.eln.ws.FileOperationsLn_wsdl.ROW - SERV1_DT1.

Error: "Error calling the data transfer/reception service. Invalid element in ru.ibs.fss.eln.ws.FileOperationsLn_wsdl.ROW - SERV1_DT1"

Cause:

The "SERV1_DT1" field was excluded in the new specification 1.1 (version 14 and higher automated workplace of health care facilities), the connection string was changed.

What to do:

Change the connection string in the settings.

In the Administration menu – FSS service settings – Connection string, specify the following service address:

  • For production work: https://docs.fss.ru/WSLnCryptoV11/FileOperationsLnPort?WSDL
  • For testing:

13. Workstation for preparing calculations for the Social Insurance Fund, error “The set of keys is not defined”

    Cause:

    The GOST of the FSS certificate does not correspond to the crypto provider selected in the settings, or the crypto provider cannot obtain the private key from the private key container for the selected certificate.

    What to do:

    • In the Signing and Encryption workstation settings, check that the specified crypto provider matches the one actually installed by the user;

    • In the Signing and Encryption workstation settings, check that the GOST standards for the signing certificate and the FSS certificate are the same and correspond to the selected crypto provider;

    • If you are using an electronic signature certificate in accordance with GOST 2012, open the certificate, the “Composition” tab, the “Electronic signature tool” parameter.
      Check that the electronic signature tool corresponds to the crypto provider installed by the user;

    • If you are using an electronic signature certificate in accordance with GOST 2012 and the cryptoprovider CryptoPro, check the settings on the “Algorithms” tab. In the "Select CSP type" drop-down list, select GOST R 34.10-2012 (256). The following parameters must be set:

        "Encryption algorithm parameters" - GOST 28147-89, parameters of the TK26 Z encryption algorithm

        "Signature algorithm parameters" - GOST 34.10-2001, default parameters

        "Parameters of the Diffie-Hellman algorithm" - GOST 34.10-2001, default exchange parameters


    • The certificate is missing a private key. Using the certmgr.msc system utility, open the certificate, on the “General” tab it should say “There is a private key for this certificate”;

    • The crypto provider does not see the private key container for this certificate. In the cryptoprovider CryptoPro CSP, go to the "Service" tab and click "Delete remembered passwords" - for the user;

    • The container may be damaged by third-party software. Reinstall the certificate again, with the obligatory indication of the container;

    • Reinstall your crypto provider.
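
Both the walkthrough at the top of the page and item 13 come down to pairing the certificate's GOST with the matching crypto provider and confirming that the private key is present. The following PowerShell function is an added example, not part of the FSS or CryptoPro software; the function name Get-GostCertificateReport and the default store path are assumptions, the OIDs are the standard public-key identifiers for GOST R 34.10 keys, and the provider names are the ones quoted earlier on the page.

```powershell
# Added example: for each certificate in a store, report its GOST generation,
# the "Cryptographic Provider" value the page pairs with it, and the key state.

# Standard public-key algorithm OIDs for GOST R 34.10 keys.
$GostByOid = @{
    '1.2.643.2.2.19'    = 'GOST R 34.10-2001'
    '1.2.643.7.1.1.1.1' = 'GOST R 34.10-2012 (256)'
    '1.2.643.7.1.1.1.2' = 'GOST R 34.10-2012 (512)'
}

# Provider names exactly as quoted on the page; the page names none for 512-bit keys.
$ProviderByGost = @{
    'GOST R 34.10-2001'       = 'Crypto-Pro GOST R 34.10-2001 Cryptographic Service Provider'
    'GOST R 34.10-2012 (256)' = 'Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider'
}

function Get-GostCertificateReport {
    param(
        # Assumption: the "Personal" store of the current user, as in the page's steps.
        # Use 'Cert:\LocalMachine\My' for the server-side 1C scenario.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $oid = $_.PublicKey.Oid.Value
        if ($oid -and $GostByOid.ContainsKey($oid)) {
            $gost = $GostByOid[$oid]
        } else {
            $gost = "not a GOST key ($oid)"
        }

        if ($ProviderByGost.ContainsKey($gost)) {
            $provider = $ProviderByGost[$gost]
        } else {
            $provider = 'not named on the page'
        }

        # Key usage shows whether the certificate is limited to signing (item 6).
        $ku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $usage = 'no keyUsage extension'
        if ($ku) { $usage = $ku.KeyUsages.ToString() }

        [pscustomobject]@{
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            Gost           = $gost
            SelectProvider = $provider
            HasPrivateKey  = $_.HasPrivateKey   # False: the store has no link to a key container
            Expired        = ($_.NotAfter -lt $now)
            NotAfter       = $_.NotAfter
            KeyUsage       = $usage
        }
    }
}

Get-GostCertificateReport | Sort-Object Gost, NotAfter | Format-List
```

A certificate that shows HasPrivateKey as False, or a Gost value that does not match the provider selected in the Signing and Encryption workstation settings, corresponds to the two causes listed for item 13.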

