> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Test and verify the integration

> Validate the Hitachi VSP and CryptoHub KMIP integration using Storage Navigator connection tests, key verification, and audit logs.

Verify the integration using Storage Navigator connection tests, CryptoHub key verification, and audit log review.

## Verify the KMIP connection

The primary verification tool is the **Server Configuration Test** within Storage Navigator.

<Steps>
  <Step>
    In Storage Navigator, navigate to **Administration** > **Encryption Keys**.
  </Step>

  <Step>
    Select **Edit Encryption Environmental Settings**.
  </Step>

  <Step>
    Under **Server Configuration Test**, select the **Check** button. This performs a live TLS handshake and KMIP protocol negotiation with both the primary and secondary servers.
  </Step>

  <Step>
    A successful test confirms that the network path, certificates, and KMIP protocol are all working correctly. If the test fails, the error message identifies the specific problem (certificate mismatch, network unreachable, authentication failure, etc.).
  </Step>
</Steps>

## Verify encryption keys on the CryptoHub

<Steps>
  <Step>
    Log in to the CryptoHub web UI.
  </Step>

  <Step>
    Navigate to the **Key Management** section and select **Key Database**.
  </Step>

  <Step>
    Verify that new symmetric key objects have been created by the Hitachi VSP.
  </Step>

  <Step>
    Check the CryptoHub's KMIP activity logs for **Create**, **Get**, and **Activate** operations originating from the SVP IP address.
  </Step>
</Steps>

## Check the audit log

<Steps>
  <Step>
    In Storage Navigator, access the **Audit Log** to review all interactions between the VSP and the CryptoHub.
  </Step>

  <Step>
    Confirm that key generation events, backup operations, and KEK retrievals are being recorded successfully.
  </Step>
</Steps>

## Troubleshooting

If the connection test or encryption operations fail, check the following:

| Symptom                              | Probable cause                                | Resolution                                                                                                                                                       |
| ------------------------------------ | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Certificate silently rejected        | Client certificate missing x509v3 extensions  | Re-generate the client certificate with a configuration file that includes `req_extensions` and `x509_extensions` sections. Re-export as PKCS #12 and re-import. |
| Connection test fails with TLS error | TLS version mismatch or inspection proxy      | Ensure the CryptoHub's KMIP listener has TLS 1.2 enabled. Exempt CryptoHub traffic from TLS inspection.                                                          |
| Connection timeout                   | Network connectivity issue                    | Confirm TCP port 5696 is open between the SVP and the CryptoHub. Test with `telnet <CryptoHub-IP> 5696` from the SVP.                                            |
| DNS resolution failure               | Hostname used but DNS not configured on SVP   | Configure DNS on the SVP's OS network settings, or use the CryptoHub IP address instead.                                                                         |
| Self-signed certificate rejected     | VSP does not support self-signed certificates | Ensure all certificates are signed by a trusted CA.                                                                                                              |
| Certificate expired                  | Client certificate past its validity period   | Generate a new client certificate, convert to PKCS #12, and re-import into Storage Navigator. Back up encryption keys immediately after the certificate change.  |
