Oracle® Key Manager 3 Systems Assurance Guide
Release 3.0
E48394-01
Glossary

This glossary defines terms and abbreviations used in this publication.

Advanced Encryption Standard (AES)

A FIPS-approved NIST cryptographic standard used to protect electronic data.

Agent

Various types of encryption agents can be created to interact with the OKM for creating and obtaining keying material. The StorageTek T10000 models A-D, T9840D, and the HP LTO4-6 tape drives are types of encryption agents when enabled for encrypting.

Agent Library

The Agent Library is used by an Agent to retrieve key material from an Oracle Key Manager (OKM).

Audit Log

The OKM Cluster maintains a log of all auditable events occurring throughout the system. Agents may contribute entries to this log for auditable events.

Auditor

A user role that can view system audit trails (Audit List events and KMA security parameters).

Autonomous Unlock

When autonomous unlock is enabled, a quorum of Security Officers is required to unlock a locked KMA. When disabled, the KMA can be unlocked by any Security Officer.

Backup File

The file created during the backup process that contains all the information needed to restore a KMA. It is encrypted with a key generated specifically for the backup; that key is contained in the corresponding backup key file.

Backup Key File

A file generated during the backup process containing the key used to encrypt the backup file. This file is encrypted using the system master key. The master key is extracted from the core security backup file using a quorum of the key split credentials.

Backup Operator

A user role that is responsible for securing and storing data and keys.

BOT

Beginning of Tape.

Certificate

A Certificate is a digitally-signed document that serves to validate the holder's authorization and name.

Certificate Authority (CA)

A Certificate Authority registers end-users, issues their certificates, and can also create CAs below them. Within the Oracle Key Manager, the KMAs themselves act as the certificate authority to issue certificates to users, agents, and other KMAs.

Cluster

A Cluster is a set of Key Management Appliances that are grouped together into a single system to enhance fault tolerance, availability, and scalability.

Compliance Officer

A user role that manages the flow of data through your organization and can define and deploy data contexts (Key Groups) and rules that determine how data is protected and ultimately destroyed (Key Policies).

Crypto-Accelerator

A Crypto-Accelerator is a hardware device (a card) that can be used to increase the rate of data encryption/decryption, thereby improving system performance in high demand conditions.

Crypto-active

An encryption-capable tape drive that has had the encryption feature turned on.

Crypto-ready

A tape drive that has the ability to turn on device-encryption and become encryption-capable.

Cryptography

The art of protecting information by transforming it (encrypting) into an unreadable format, called cipher text. Only those who possess a special key can decipher (decrypt) the message into its original form.

Cryptoperiods

The length of time in which a key can be used for encryption. It starts when the key is first assigned to the drive.

Data Policy

A data policy defines a set of encryption related parameters, such as the encryption and decryption "crypto-periods" for keys.

Data Unit

Data units are abstract entities within the OKM that represent storage objects associated with OKM policies and encryption keys. For tape drives, a data unit is a tape cartridge.

Encryption

The translation of data into a secret code. Encryption is one of the most effective ways to achieve data security. To read an encrypted file, you must have access to a special key or password that enables you to decipher it.

FIPS

Federal Information Processing Standards. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration and Laboratories, which develops and promotes standards and technology, including:

  • Computer Security Division and Resource Center (CSRC)

  • Federal Information Processing Standards (FIPS)

  • For more information visit: http://www.nist.gov/

GUI

Graphical User Interface.

Hash Message Authentication Code (HMAC)

In cryptography, a keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key.

Intelligent Platform Management Interface (IPMI)

IPMI defines a set of common interfaces to a computer system that system administrators can use to monitor system health and manage the system.

Internet Protocol (IP)

A protocol used to route data from its source to its destination in an Internet environment.

Internet Protocol address IPv4

A four-byte value that identifies a device and makes it accessible through a network. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be from 0 to 255. For example, 129.80.145.23 could be an IP address. Also known as TCP/IP address.

IPv6

The next-generation Internet Protocol address uses a 128-bit value written as eight groups of four hexadecimal characters separated by colons. For example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Key

A key in this context is a symmetric data encryption key. Agents can request new key material for encrypting data corresponding to one or more Data Units.

A key belongs to a single Key Group so that only Agents associated with the Key Group can access the key.

Keys have encryption and decryption cryptoperiods that are dictated by the Key Policy associated with the Key Group of the particular key. The type of key (that is, its length and algorithm) is specified by the Encryption Agent.

A random string of bits generated by the key management system, entered from the keyboard, or purchased.

Key Group

Key Groups are used for organizing keys and associating them with a Key Policy. Key Groups are also used to enforce access to the key material by the Encryption Agents.

Key Management Appliance (KMA)

A Netra SPARC T4-1, SunFire X2100 M2, X2200 M2, or X4170 M2 server preloaded with the OKM software. The appliance delivers policy-based key management and key provisioning services.

Key Management System (KMS)

A system providing key management. The StorageTek system has a component providing key management on behalf of encryption agents. Now known as the Oracle Key Manager or OKM.

Key Policy

A Key Policy provides settings for the cryptoperiods to be applied to keys. Each Key Group has a Key Policy, and a Key Policy may apply to zero or more Key Groups. The encryption and decryption cryptoperiods specified on the policy limit the usage of keys and trigger key life cycle events, such as the deactivation or destruction of keys.

Linear Tape-Open (LTO)

A magnetic tape data storage technology. The standard form-factor of LTO technology goes by the name Ultrium, the "high capacity" implementation of LTO technology.

LTO Ultrium technology is an "open format" technology, which means users have multiple sources of product and media. The open nature of LTO technology also provides a means of enabling compatibility between different vendors' offerings.

Media key

Encrypts and decrypts customer data on a tape cartridge.

Network

An arrangement of nodes and branches that connects data processing devices to one another through software and hardware links to facilitate information interchange.

NIST

National Institute of Standards and Technology.

Operator

A user role responsible for managing the day-to-day operations of the system.

OKM Cluster

A set of one or more interconnected KMAs. All the KMAs in a Cluster should have identical information. This will not be the case only when a KMA is down, or when a newly created piece of information has not yet propagated through all KMAs in the OKM Cluster. An action taken on any KMA in the Cluster will eventually propagate to all KMAs in the OKM Cluster.

PKCS

Refers to a group of public-key cryptography standards devised and published by RSA Security; for example, PKCS#11 defines a platform-independent API to cryptographic tokens.

Read key

This is a media key that is used when reading data from a tape.

Rijndael algorithm

An algorithm selected by the U.S. National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES). Pronounced "rain-dahl," the algorithm was designed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen, whose surnames are reflected in the cipher's name.

RSA

In cryptography, RSA is an algorithm for public-key cryptography created by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT. The letters RSA are the initials of their surnames.

Secure Hash Algorithms (SHA)

Secure Hash Algorithms are cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.

Security Officer

A user role that manages security settings, users, sites, and Transfer Partners.

Security Policy

A rigorous statement of the sensitivity of organizational data, various subjects that can potentially access that data, and the rules under which that access is managed and controlled.

Site

A site is an attribute of each OKM and Encryption Agent that indicates network proximity, or locality. When Encryption Agents connect to the OKM Cluster there is a bias towards establishing communication with KMAs in the same site as the Encryption Agent.

T10000 tape drive

The T10000 tape drive is a small, modular, high-performance tape drive designed for high-capacity storage of data. T10000A stores up to 500 gigabytes (GB) of uncompressed data, T10000B 1 terabyte, T10000C 5 terabytes, and T10000D 8 terabytes.

T9840D tape drive

The T9840D tape drive is a small, modular, high-performance, access-centric tape drive that has an average access time of just 8 seconds.

This drive obtains its high-performance by using a unique dual-hub cartridge design with midpoint load technology. This enables fast access and reduces latency by positioning the read/write head in the middle of the tape.

Transparent Data Encryption (TDE)

A technology employed by Oracle to encrypt database content. TDE offers encryption at a column, table, and tablespace level.

Transport Layer Security (TLS)

A cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging, and other data transfers.

Zeroize

To erase electronically stored data, cryptographic keys, and Critical Security Parameters by altering or deleting the contents of the data storage to prevent recovery of the data.