This chapter describes the operations that a user who has been given a Compliance Officer role can perform. If you have been assigned multiple roles, refer to the appropriate chapter for instructions on performing the specific role.
The Compliance Officer manages the flow of data through your organization and has the ability to define and deploy data contexts (Key Groups) and rules that determine how data is protected and ultimately destroyed (Key Policies). The menus that provide these functions are shown below.
Key Policies provide guidance for managing data. The OKM Manager uses Key Policies to determine how data is protected and destroyed. Key Policies must be created before keys can be created and delivered to agents.
Only a Compliance Officer can create and modify Key Policies. This ensures that the data complies with a policy throughout the data's lifetime.
The Key Policies List menu allows you to manage the Key Policies in your organizations.
The Key Policy List menu option gives you the ability to:
View Key Policies
View/Modify a Key Policy's Details
Create a Key Policy
Delete existing Key Policies.
To view Key Policies:
From the Secure Information Management menu, select Key Policy List. The Key Policy List screen is displayed.
You can also scroll through the database and filter the Key Policy list by any of the following keys:
Key Policy ID
Description
Key Type
Encryption Period
Cryptoperiod
Allow Export From
Allow Import To
Allow Agents To Revoke Keys.
The Use button applies the filter to the displayed list for the Key Policy.
The fields and their descriptions are given below:
Filter:
Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:
Key Policy ID
Description
Key Type
Encryption Period
Cryptoperiod
Allow Export From
Allow Import To
Filter Operator box:
Click the down-arrow and select the filter operation you want. Possible values are:
Equals =
Not equal <>
Greater than >
Less than <
Greater than or equals >=
Less than or equals <=
Starts with ~
Empty
Not empty
Filter Value text box:
Type a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.
Filter Value combo box:
Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.
Click the plus button to add additional filters.
Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.
Use:
Click this button to apply the selected filters to the displayed list and go to the first page.
Refresh:
Click this button to refresh the list.
Reset:
Click this button to remove all filters and reset the displayed list to the first page.
Click this button to go to the first page of the list.
Click this button to go to the previous page.
Click this button to go to the next page.
Results in Page:
Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.
Key Policy ID
Displays the unique identifier that distinguishes each Key Policy. This value can be between 1 and 64 (inclusive) characters. Key Policy IDs cannot be changed once they are created.
Description
Describes the Key Policy. This value can be between 1 and 64 (inclusive) characters.
Key Type
Indicates the type of encryption algorithm that Keys associated with this Key Policy use. The only possible value is AES-256.
Note: Encryption Period and Cryptoperiod begin when the key is first given to an Agent. Encryption period and Cryptoperiod cannot be changed for a policy. This is to avoid a change in the Key Policy from affecting large numbers of keys. |
Encryption Period
Displays how long keys associated with this Key Policy can be used to encrypt or decrypt data. The time interval units are: minutes, hours, days, week, months, or years.
Cryptoperiod
Displays how long keys associated with this Key Policy can be used to decrypt (but not encrypt) data. The time interval units are: minutes, hours, days, week, months, or years.
Allow Export From
Indicates whether Data Unit keys associated with this Key Policy can be exported. Possible values are True or False.
Allow Import To
Indicates whether Data Unit keys associated with this Key Policy can be imported. Possible values are True or False.
If you want to create a Key Policy, click the Create button. For more information, refer to "Creating a Key Policy".
If you want to view / modify a Key Policy, highlight the Key Policy and click the Details button. For more information, refer to "Viewing/Modifying a Key Policy".
If you want to delete a Key Policy, click the Delete button. For more information, refer to "Deleting a Key Policy".
Allow Agents To Revoke Keys
Allows agents using a Key Group that specifies this key policy to deactivate (revoke) the keys associated with them, even if the keys are in an operational state such as protect-and-process.
Select the Allow Agents To Revoke Keys check box to set the attribute to True (deactivate). Deselect the check box to set the attribute to False, disallowing agents from revoking keys that are in an operational state. False is the default.
The OKM Cluster must use Replication Version 14 or later before this attribute can be set to True.
Tape drive agents should use the default value (False).
Applications using a pkcs11_kms provider (see "OKM's PKCS#11 Provider") should be configured to use an agent with a default key policy set to True if they want to call to revoke a key they will no longer use, such as in a re-key operation. ZFS encryption is an example of a pkcs11_kms application.
To create a Key Policy:
From the Key Policy List screen, click the Create button. The Create Key Policy dialog box is displayed.
Complete the following parameters:
Key Policy ID
Type a value that identifies the policy. This value can be between 1 and 64 (inclusive) characters.
Description
Type a value that describes the policy. This value can be between 1 and 64 (inclusive) characters. This field can be blank.
Encryption Period
Displays how long keys associated with this Key Policy can be used to encrypt or decrypt data. The time interval units are: minutes, hours, days, week, months, or years.
Cryptoperiod
Displays how long keys associated with this Key Policy can be used to decrypt (but not encrypt) data. The time interval units are: minutes, hours, days, week, months, or years.
Flags
Allow Export From
Indicates whether Data Unit keys associated with this Key Policy can be exported. Possible values are True or False.
Allow Import To
Indicates whether Data Unit keys associated with this Key Policy can be imported. Possible values are True or False.
Allow Agents To Revoke Keys
Allows agents using a Key Group that specifies this key policy to deactivate (revoke) or activate the keys associated with them, even if the keys are in an operational state such as protect-and-process.
Select the Allow Agents To Revoke Keys check box to set the attribute to True (deactivate). Deselect the check box to set the attribute to False (activate). False is the default.
Click the Save button to save the Key Policy. The new Key Policy is displayed in the Key Policy List screen. It can now be used by Key Groups.
Note: Only a Compliance Officer can view a Key Policy's detailed information. |
To modify a Key Policy's details:
From the Key Policy List screen, double-click a Key Policy for which you want more information or highlight a Key Policy and click the Details button. The Key Policy Details dialog box is displayed.
You can change the Description, Allow Export From, Allow Import To, and Allow Agents To Revoke Keys check boxes, as required. When you are finished, click the Save button to save the changes. After the system verifies and validates the new Key Policy, the Key Group is associated with the new Key Policy.
If you click the Cancel button, your changes are not saved and the dialog box closes.
A key policy can only be deleted if it is not used by any Key Group or key.
To delete a Key Policy:
From the Key Policy List screen, highlight the Key Policy you want to delete and click the Delete button. The following dialog box is displayed, prompting you to confirm that you want to delete the specific Key Policy.
Click the Yes button to delete the Key Policy. The Key Policy is removed from the database. You are returned to the Key Policy List screen, where the Key Policy is removed from the list.
A Key Group represents a data context that determines the Key Policy to which it applies and the Agents that can access it. When a Key is assigned to an agent and is first used for a Data Unit, it is associated with a Key Group. When you create a Key Group, you must select a Key Policy. The selected Key Policy is applied to Keys in that Key Group.
Agents are associated with Key Groups. An Agent has one or more keys groups that it is allowed to access. An Agent can only retrieve keys belonging to Key Groups it is allowed to access. An Agent may also have a default Key Group. When an agent allocates a new key, the key is placed in the agents default Key Group. An agent can only allocate new keys if it has a default Key Group.
Figure 6-1 shows the relationship between Key Groups, Key Polices, Agents, and Data Units.
The Key Groups menu includes the Key Group List menu option, which allows the Compliance Officer to manage Key Groups.
The Key Group List menu option gives you the ability to:
View Key Groups
Create a Key Group
Modify existing Key Groups
Delete existing Key Groups.
To view all Key Groups:
From the Key Groups menu, select Key Group List. The Key Group List screen is displayed.
You can scroll through the database and filter through the Key Group list by any of the following keys:
Key Group ID
Description
Key Policy ID.
The Use button applies the filter to the displayed list for the Key Group.
The fields and their descriptions are given below:
Filter:
Select filter options to filter the displayed list of Key Groups. Only Key Groups that satisfy all filters are displayed.
Filter Attribute combo box:
Click the down-arrow and select an attribute to filter by. Possible values are:
Key Group ID
Description
Key Policy ID.
Filter Operator box:
Click the down-arrow and select the filter operation to apply to the selected attribute. Possible values are:
Equals =
Not equal <>
Greater than >
Less than <
Greater than or equals >=
Less than or equals <=
Starts with ~
Empty
Not empty.
Filter Value text box:
Type a value to filter the selected attribute by.
Filter Value combo box:
Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.
Click the plus button to add additional filters.
Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.
Use:
Click this button to apply the selected filters to the displayed list and go to the first page.
Refresh:
Click this button to refresh the displayed list. This does not apply filters selected since the last Use or Reset, and does not change the page of the list.
Reset:
Click this button to remove all filters and reset the displayed list to the first page.
Click this button to go to the first page of the list.
Click this button to go to the previous page.
Click this button to go to the next page.
Results in Page:
Displays the number of items that can be displayed on the current page. Appends ”(last page)” to the number of items if you are at the end of the list. The maximum number of items displayed on a page is defined by the Query Page Size value on the Options dialog.
Key Group ID
Displays the unique identifier that distinguishes each Key Group. This value can be between 1 and 64 (inclusive) characters. The Key Group ID cannot be changed once it is defined.
Description
Describes the Key Group. This value can be between 1 and 64 (inclusive) characters.
Key Policy ID
Displays a unique identifier for an existing Key Policy that applies for every Data Unit in the Key Group.
The Key Policy ID for an existing Key Group cannot be changed. This is to avoid a change affecting a large number of keys.
If you want to create a Key Group, click the Create button. For more information, refer to "Creating a Key Group".
If you want to view/modify a Key Group, highlight the Key Group and click the Details button. For more information, refer to "Viewing/Modifying a Key Group's Details".
If you want to delete a Key Group, click the Delete button. For more information, refer to "Deleting a Key Group".
To create a new Key Group:
From the Key Group List screen, click the Create button. The Create Key Group dialog box is displayed.
Complete the following parameters:
Key Group ID
Type a value that identifies the Key Group. This value can be between 1 and 64 (inclusive) characters.
Description
Type a value that describes the Key Group. This value can be between 1 and 64 (inclusive) characters.
Key Policy ID
Click the down-arrow and select the Key Policy with which you want to associate this Key Group. When creating a new Key Group, existing Key Policies are displayed.
Click the Save button. The new Key Group is created and saved in the database and is displayed in the Key Group List screen. It can now be used by Data Units, Agents, and so forth.
Note: If you are not a Compliance Officer, when you view a Key Group's detailed information, all fields, including the Save button are disabled. |
To modify a Key Group:
From the Key Group List screen, double-click a Key Group entry for which you want more information or highlight a Key Group entry and click the Details button. The Key Group Details dialog box is displayed.
The following parameters are displayed:
Key Group ID:
Uniquely identifies the Key Group. This field is read-only.
Description:
Type a value that describes the Key Group. This value can be between 1 and 64 (inclusive) characters. This field can be blank.
Key Policy ID:
Displays a unique identifier for an existing Key Policy that is associated with the Key Group and all the Keys in the Key Group. This field is read-only.
The Description field is the only field that can be modified. When you are finished, click the Save button to save the changes. You are returned to the Key Group List screen.
Note: You cannot delete a Key Group if it is active, that is, to which Agents or Data Units are assigned. |
To delete a Key Group:
From the Key Groups List screen, highlight the Key Group you want to delete and click the Delete button.The following Confirmation dialog box is displayed, prompting you to confirm that you want to delete the selected Key Group.
A Key Group can only be deleted if it is not used by any key and is not associated with any Agent.
Click the Yes button to delete the Key Group. The Key Group and its associated entries are deleted from the database. You are returned to the Key Groups List screen, where the Key Group is no longer listed.
The Agent Assignment to Key Groups menu option gives you the ability to assign Agents to Key Groups. When you assign Agents to Key Groups, it determines the storage devices that the Agent can access. It is the converse of the Key Group Assignment menu option under the Agents menu, both accomplishing the same result.
Important – You must set a default Key Group for an Agent before that Agent can allocate keys.
To view Agents assignments, from the Key Groups menu, select Agent Assignment to Key Groups. The Agent Assignment to Key Groups screen is displayed.
The Key Groups column lists the Key Groups. The Agents Allowed Access column lists the Agents that are assigned to the selected Key Group(s). The Agents Not Allowed Access column lists the Agents that are not assigned to the selected Key Group(s).
To assign an Agent to a Key Group:
In the Key Groups column, highlight the Key Group you want. In the Agents Not Allowed Access column, highlight the Agent you want to add and click the Move to back-arrow button.
The selected Agent is moved to the Agents Allowed Access column, indicating that the Agent is successfully added to the selected Key Group's Agent list.
To assign Agents to a Key Group and set the Default Key Group:
From the Agent Assignment to Key Groups screen, select the Key Group you want in the Key Groups list.
In the Agents Not Allowed Access list, select one or more Agents you want to add and set the Default Key Group for.
Click the Default Key Group for Agent button. The selected Agents are moved to the Agents Allowed Access list and their Default Key Group is set to the Key Group. The Agents are now allowed access to the Key Group.
To set the Default Key Group for already assigned Agents:
From the Agent Assignment to Key Groups screen, select the Key Group you want in the Key Groups list.
In the Agents Allowed Access list, select one or more Agents that do not have the selected Key Group as their Default Key Group.
Click the Default Key Group for Agent button. The selected Agents' Default Key Group is set to the Key Group.
To remove an Agent from a Key Group's Agent list:
In the Key Groups column, highlight the Key Group you want. In the Agents Allowed Access column, highlight the Agent you want to remove, and click the Move from forward-arrow button.
The selected entry is removed from the Agents Allowed Access column and is listed in the Agents Not Allowed Access column. It is no longer assigned to the selected Key Group.
The Key Group Assignment to Agents menu option allows you to assign Key Groups to Agents. It is the converse of the Agent Assignment to Key Groups menu option, both accomplishing the same result.
To view the Key Groups:
From the Agents menu, select Key Group Assignment. The Key Group Assignment to Agents screen is displayed.
The Agents column lists the Agents in the database. The Allowed Key Groups column lists the Key Groups which the Agent can access. The Disallowed Key Groups column lists the Key Groups which the Agent cannot access.
Clicking an Agent entry displays the Key Group that are members or non-members of the selected Agent.
To assign a Key Group to an Agent:
From the Key Group Assignment to Agents screen, in the Agents column, highlight the Agent you want. In the Disallowed Key Groups column, highlight the Key Group you want to add and click the Move to back-arrow button.
The selected entry is moved to the Allowed Key Groups column and the Key Group is successfully added to the selected Agent.
To assign a Key Group to an Agent as the Default Key Group:
From the Key Group Assignment to Agents screen, select the Agent you want in the Agents list.
In the Disallowed Key Groups list, select one Key Group you want to add and set the Default Key Group for.
Click the Default Key Group button. The selected Key Group is moved to the Allowed Key Groups list and is set as the Default Key Group for the Agent. The Agent is now allowed access to the Key Group.
To set an already assigned Key Group to the Default Key Group:
From the Key Group Assignment to Agents screen, select the Agent you want in the Agents list.
In the Allowed Key Groups list, select one Key Group that is not the Default Key Group for the Agent.
Click the Default Key Group button. The Agent's Default Key Group is set to the selected Key Group.
To remove a Key Group to an Agent:
From the Key Group Assignment to Agents screen, in the Agents column, highlight the Agent you want. In the Allowed Key Groups column, highlight the Key Group you want to remove and click the Move from forward-arrow button.
The selected entry is removed from the Allowed Key Groups column to the Non-member of Info. Groups column and is no longer assigned to the Agent.
The Key Group Assignment to Transfer Partners menu option allows you to assign Key Groups to Transfer Partners.
To view Key Group assignments, from the Transfer Partners menu, select Key Group Assignment to Transfer Partners. The following screen is displayed.
The screen shows the Key Groups that can access a Transfer Partner. The Allowed Key Groups column lists the Key Groups assigned to the selected Transfer Partner. The Disallowed Key Groups column displays the Key Groups not assigned to the Transfer Partner.
To add a Key Group to a Transfer Partner list:
In the Transfer Partners column, highlight the Transfer Partner you want to affect. In the Disallowed Key Groups column, highlight the Key Group you want to add and click the Move to back-arrow button.
The selected Key Group is moved to the Allowed Key Groups column, indicating that the Transfer Partner can now access that Key Group.
To remove a Key Group list from a Transfer Partner:
In the Transfer Partners column, highlight the Transfer Partner you want to affect. In the Allowed Key Groups column, highlight the Key Group you want to remove and click the Move from forward-arrow button.
The selected Key Group is moved to the Disallowed Key Groups column, indicating that the Transfer Partner cannot access that Key Group.
The Transfer Partner Assignment to Key Groups menu allows you to add a key Transfer Partner to the set of Key Transfer Partners that are permitted access to a specific Key Group.
To view Transfer Group assignments, from the Key Groups menu, select Transfer Partner Assignment to Key Groups. The following screen is displayed.
The screen shows the Transfer Partners that can access a Key Group. The Transfer Partners Allowed Access column lists the Transfer Partners assigned to the Key Group. The Transfer Partners Not Allowed Access column displays the Transfer Partners not assigned to the Key Group.
To add a Transfer Partner to a Key Group:
In the Key Groups column, highlight the Key Group you want to affect. In the Transfer Partners Allowed Access column, highlight the Key Group you want to add and click the Move to back-arrow button.
The selected Transfer Partner is moved to the Transfer Partners Allowed Access column, indicating that the Key Group can now access that Transfer Partner.
To remove a Transfer Partner from a Key Group:
In the Key Groups column, highlight the Key Group you want to affect. In the Transfer Partners Allowed Access column, highlight the Transfer Partner you want to remove and click the Move from forward-arrow button.
The selected Transfer Partner is moved to the Transfer Partners Not Allowed Access column, indicating that the Key Group cannot access that Transfer Partner.
To import a KMS 1.0 Key Export file to the KMA and to create a new Key for each Key in this file:
Go to the KMS 1.2 system and export the keys into a file. Only keys exported from KMS 1.2 systems can be imported. KMS 1.0 and 1.1 systems must be upgraded to 1.2 before exporting keys.
From the Secure Information Management menu, select Import 1.0 Keys.
Complete the following parameters:
Destination Key Group
Select the Destination Key Group into which these keys will be imported.
KMS 1.0 Key Export File Name
Type the name of the KMS 1.0 Key Export file.
Browse
Click this button to locate the file.
Start
Click this button to begin to upload the KMS 1.0 keys file to the KMA, and a new Key is created for each Key it contains. Each new Key is associated with the Key Group you selected. Messages are displayed indicating when the file is uploaded and applied.
The Audit Event List menu gives you the ability to view the Audit Log events.
To view the Audit Log events:
From the System Management menu, select Audit Event List. The Audit Event List screen is displayed.
You can also scroll through the database and filter the Audit Event list by any of the following keys:
Created Date
Operation
Severity
Condition
Entity ID
Entity Network Address
KMA ID
KMA Name
Class
Retention Term
Audit Log ID.
The Use button applies the filter to the displayed list for the Audit Log.
The fields and their descriptions are given below:
Filter:
Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:
Created Date
Operation
Severity
Condition
Entity ID
Entity Network Address
KMA Name
Class
Retention Term
Audit Log ID.
Filter Operator box:
Click the down-arrow and select the filter operation you want. Possible values are:
Empty
Not empty
Filter Value 1 box:
If you selected the Date filter, click Set Date to specify start date and time. The value appears as a starting value of the filter key range. If you selected any other filter, type a value in this field.
Filter Value 2 box:
If you selected the Date filter, click Set Date to select an end date and time. The value appears as a ending value of the filter key range.
Filter Value 3 box:
Click the down-arrow and select one of the following filters:
Don't Show Short Term
Show All Retentions.
Created Date
Displays the date and time that the Audit Event was created.
Operation
Displays the operation that resulted in the creation of the Audit Event record.
Severity
Indicates the severity of the condition if the operation was not successful. Possible values are Success (no error), Warning, or Error.
Note: If the Severity value is Error, the KMA that generated the event also issues an SNMP inform message with the event details. |
Condition
Indicates whether the operation was successful or not.
Note: Errors are highlighted in red; Warnings are highlighted in yellow. If you hover the cursor over an error message, a more detailed description of the error is displayed.If the Condition value is Server Busy, the KMA that generated the event also issues an SNMP inform message with the event details. |
Event Message
Displays detailed information of the Audit Event entry.
Entity ID
If this Audit Event is generated in response to an operation requested by a user, Agent, or peer KMA, then this field displays the user-specified identifier of that entity. Otherwise, this field is blank.
Entity Network Address
If this Audit Event is generated in response to an operation requested by a user, Agent, or peer KMA, then this field displays the network address of that entity. Otherwise, this field is blank.
KMA ID
Displays the name of the KMA that generated this audit event. This KMA name is the user-supplied identifier that distinguishes each KMA in a Cluster.
KMA Name
Displays the user-supplied identifier that distinguishes each Appliance in a Cluster.
Class
Identifies the class of operations to which the Audit Event entry belongs.
Note: If the Class value is Security Violation, the KMA that generated the event also issues an SNMP inform message with the event details. |
Possible values are:
Agent Access Control Management Operations
Agent Client Generated Audits
Agent Management Operations
Appliance Management Operations
Audit Log Agent Operations
Audit Log Management Operations
Audit Log Operations
Backup Management Operations
CA Operations
Cluster Client Communication
Cluster Operations
Communication and Authentication
Console Security Management Operations
Data Unit Agent Operations
Data Unit Management Operations
Discovery Operations
Key Group Agent Operations
Key Group Management Operations
Key Policy Management Operations
License Key Management Operations
Local Management Operations
Management Client Generated Audits
Passphrase Agent Operations
Replication Operations
Retrieve Certificate Operations
Role Management Operations
SNMP Management Operations
Security Management Operations
Security Parameter Management Operations
Security Violation
Site Management Operations
System Messages
User Management Operations.
Retention Term
Displays the defined length of time that the Audit Event record is retained. Possible values are Long Term, Medium Term, and Short Term.
Long Term
Event records that must be stored for a lengthy period of time.
Medium Term
Event records that must be stored for a medium length period of time.
Short Term
Event records that must be stored for a short period of time.
Audit Log Entry ID
Displays a system-generated unique identifier that distinguishes each type of Audit Event entry.
Audit Log ID
Displays a system-generated unique identifier that distinguishes each Audit Event entry.
If you want more detailed information on an Audit Log, highlight the Audit Log and click the Details button. For more information, refer to "Viewing Audit Log Details" below.
Click the Export button to export the Audit Log. For more information, refer to "Exporting an Audit Log".
To view Audit Log details:
From the Audit Event List screen, select the Audit Log entry on which you want more information and click the Details button or double-click the entry. The Audit Event Details dialog box is displayed, where all fields are disabled, except for the Previous, Close, and Next buttons.
Click the Previous or Next buttons to access the previous or next Audit Event, or the Close button to return to the Audit Event List screen.
The Export function allows you to export all or specific Audit Log entries to a text file on your workstation. You can then bring up the file in a spreadsheet application.
To export an Audit Log:
From the Audit Event List screen, either select Save Report... from the View menu or press Ctrl-S.
When you are finished, click the Start button to initiate the export process. If you have filtered the entries in the Audit Event List screen, only those entries are exported. Otherwise, all audit events are exported.
When the export process is completed, the number of Audit Logs that have been exported is shown at the bottom of the dialog box.
Click the Close button to close this dialog box and return to the Audit Event List screen.
The Data Unit List menu allows you to:
View Data Units
View/Modify Data Unit details
View the activity history for a Data Unit
Destroy post-operational keys for a Data Unit.
For procedures on using the Data Units menu, refer to "Data Unit List Menu".
Compliance Officers are authorized to compromise keys.
From the Data Unit List screen, select the Data Unit you want to modify and click the Details button. The Data Unit Details dialog box is displayed.
Click the Key List tab to view the key(s) associated with this Data Unit.
Select the key(s) you want to compromise and click the Compromise button. A dialog box is displayed confirming the compromise of the key(s).
Click the Yes button. The following dialog box is displayed, prompting you to enter a comment.
Type a comment about the compromise of the selected key(s). If you click the Compromise button, another dialog box is displayed confirming the compromise of the key(s).
Click the Yes button. A dialog box is displayed showing the number of keys that have been compromised.
The Key List menu allows you to:
query keys directly without having to query data units
query the keys associated with a particular data unit.
To query keys directly:
From the System Management menu, select Key List. The Key List screen is displayed.
Click the Details button (or double-click on a key) to display more information about that key. The Key Details dialog appears.
A Compliance Officer can change the key group this key is associated with. An Operator can change the In Use By Data Unit flag, which indicates whether or not this key is associated with a data unit.
Click the Data Unit Info tab to display information about the data unit that is associated with this key (if any).
A Compliance Officer can also:
View the Audit Event List
View the System Time
Lock/Unlock KMA status
Access the KMA List screen.
Query KMA performance information about KMAs in this OKM cluster.
Query load information about the KMA the GUI is connected to.
Query agent performance information.
Query data unit list key counts.
For procedures on viewing the these functions, refer to Chapter 5, "Security Officer Operations".