
Intermittent issue when running multiple instances of PGP CommandLine

Created: 09 May 2011 | 13 comments

Hi,

We are currently on v. 9.6, build 180, which was supposed to have addressed issues with running multiple instances of PGP command line at the same time on the same server.

We have around 125 batch FTP jobs/scripts that incorporate PGP encryption/decryption commands and have started recently running into issues where files weren't being encrypted/decrypted successfully or generating zero byte (empty) PGP files.

I don't know if this is an issue with PGP commandline or an issue accessing the PGP keyring too many times in a period of time.

Since the issue is intermittent, I'm wondering if this is a known issue with v. 9.6 build 180 and/or has it been addressed in a later version?

 

Please advise.

- Shannon


dfinkelstein's picture

Are you seeing any particular error?  What platform are you running on?

There was one issue that was fixed in version 9.9.0 that could look like this problem.

--------

David Finkelstein

Symantec R&D

triadpc's picture

No particular error message, it's just that the PGP encryption/decryption command doesn't execute.

The issue seems to appear when there are multiple batch jobs running that are invoking their own instance of PGP commandline.  Sometimes the PGP service (PGPserv.exe) will shut down/terminate around the same time we've had these issues.

Sample from one of our scripts:

pgp --encrypt TSHRCI.DOB.TRRI.Rh3449.D101222.T095752    -r "Medco Health Solutions, Inc."

Simple --encrypt statement, but sometimes the file doesn't get encrypted.

We're running Windows Server 2003 Enterprise where PGP commandline is installed.

What version is PGP Commandline currently up to?  We are in the process of renewing our license, since it expires in about 45 days.

Can you point me to any documentation for v.9.9 or higher, including enhancement and/or bug fixes included?

 

Thanks.

- Shannon

dfinkelstein's picture

The current version of PGP Command Line is 10.1.1.

You can download the release notes and related information here:

https://pgp.custhelp.com/app/docs/  (Under "Select Your Product", click on "PGP Command Line")

--------

David Finkelstein

Symantec R&D

triadpc's picture

Both the release notes and user guide PDFs are not available as I'm getting an HTTP 404 error when attempting to access both of these links.

Also, what known issues are there in version 9.6 that you believe I have that are addressed in an updated release?

Tom Mc's picture

I think this link will work better for you.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


dfinkelstein's picture

There was an issue, 17383, "Random Command Line Crashes in PGP SDK modules with 2712 Error", that was fixed in 9.9.

--------

David Finkelstein

Symantec R&D

triadpc's picture

Here's the error we usually get leading up to our PGP encryption/decryption issues:

Faulting application PGPserv.exe, version 3.8.0.180, faulting module kernel32.dll, version 5.2.3790.4480, fault address 0x00021fa4.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

We usually just end up restarting the PGP service and things start working again.

dfinkelstein's picture

No issue that I see exactly matches that error.

If all you are doing is encryption and decryption operations, something else you could consider is to run PGP Command Line in local mode (with the "--local-mode" option).  It would be safest if you had each process use its own copy of the keyring files so you don't have to worry about keyring arbitration.

--------

David Finkelstein

Symantec R&D

triadpc's picture

What does running PGP command line with the "--local-mode" switch offer us?  Like I mentioned before, we are embedding PGP --encrypt and --decrypt commands in our FTP batch jobs to perform these encryption/decryption file operations.

Also, when you say to have each process use its own copy of the keyring files, are you saying that we need to create 125 new folders with the keys for every trading partner inside them for each of our 125 batch jobs?

I'm not sure what you're saying here or how to even set this up, but it sounds like an administrative nightmare (especially when adding or removing keys from the keyring and trying to keep all of these folders in sync).

Please advise.

dfinkelstein's picture

When you run in "--local-mode" then PGP Command Line does not utilize the SDK Service.  The service provides two primary benefits:

1.  Passphrase caching, and

2.  Keyring arbitration

If you are not using cached passphrases, and your FTP batch jobs only perform encryption and decryption, then you should be safe to use "--local-mode" with the same set of keyrings (since you are only reading the keyring contents and not modifying them).  However if you need to modify the keyrings, you should have only one process do that, and it should be the only PGP Command Line process running.

--------

David Finkelstein

Symantec R&D

triadpc's picture

So, is this as simple as adding this "--local-mode" parameter at the end of my PGP --encrypt or --decrypt statements?

Are you referring to keyring arbitration in that there's no contention accessing the keyring when multiple PGP instances are running in our FTP batch jobs? i.e. when I have multiple batch FTP jobs calling the PGP command line for encryption and decryption purposes?

DealerTrack's picture

Hi, we are having the same problem decrypting multiple files at the same time. Did adding the "--local-mode" work? Our files are in our FTP server as well but we are running the decrypting batch on another server, does this cause any issue?

dfinkelstein's picture

You can enable local mode two different ways:

1.  Simply add the "--local-mode" option to any invocation

2.  Set PGP_LOCAL_MODE=1 as an environment variable

Yes, by keyring contention, I mean exactly that -- multiple processes trying to read from the same set of keyrings at the same time.  The SDK service will arbitrate access and updates between multiple processes.  But if all your processes are only reading the keyrings, then you shouldn't have an issue.

--------

David Finkelstein

Symantec R&D
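
An added example, not part of the thread and not Symantec code: a wrapper that each batch job could call so the encrypt step runs with PGP_LOCAL_MODE=1 and a silent failure or zero-byte output stops the job before the FTP transfer. The function name, the `.pgp` output suffix and the meaning of the exit status are assumptions made for illustration.

```python
import os
import subprocess
import sys
from pathlib import Path


class PgpJobError(RuntimeError):
    """The encrypt step did not leave a usable output file."""


def encrypt_local_mode(src, recipient, pgp_cmd=("pgp",), out_suffix=".pgp"):
    """Run `pgp --encrypt` in local mode; return the verified output path.

    Assumptions (not stated in the thread): output lands at src + out_suffix,
    and a non-zero exit status means the run failed.
    """
    src = Path(src)
    out = Path(str(src) + out_suffix)
    # Drop stale output so an old file cannot mask a run that wrote nothing.
    if out.exists():
        out.unlink()

    # Second method from the thread: the environment variable, set for this
    # child process only, so the SDK service is not involved.
    env = dict(os.environ, PGP_LOCAL_MODE="1")
    argv = [*pgp_cmd, "--encrypt", str(src), "-r", recipient]
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)

    if proc.returncode != 0:
        raise PgpJobError(f"pgp exited {proc.returncode}: {proc.stderr.strip()}")
    if not out.is_file():
        raise PgpJobError(f"pgp exited 0 but {out} was not created")
    if out.stat().st_size == 0:
        out.unlink()  # never leave an empty file for the FTP step to send
        raise PgpJobError(f"zero-byte output for {src}")
    return out


if __name__ == "__main__":
    # Usage: python pgp_encrypt_checked.py <file> <recipient>
    try:
        print(encrypt_local_mode(sys.argv[1], sys.argv[2]))
    except PgpJobError as err:
        sys.exit(f"encryption failed, do not transfer: {err}")
```

Because the variable is set only in the child's environment, other jobs on the same server are unaffected; keyring changes should still be made by a single process while no other PGP Command Line process is running, as described above.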