Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
2 Getting Started

This chapter describes the following topics:

Accessing the KMA Through the Service Processor

The Embedded Lights Out Manager (ELOM) and Integrated Lights Out Manager (ILOM) contain a separate Service Processor from the main server. These Service Processors provide a remote connection to the KMA, allowing you to perform server functions, such as the QuickStart program.


Note:

KMAs that are Sun Fire X2100 M2 or X2200 M2 servers use an ELOM as the Service Processor, whereas KMAs that are Sun Fire X4170 M2 servers employ an ILOM as their service processor.

Refer to the Embedded Lights Out Manager Administration Guide or the Integrated Lights Out Manager Web Interface Procedures Guide for configuration information.


Connecting to the KMA through the ELOM/ILOM

Connect to the KMA through the ELOM or ILOM using either:

  • The network connection to the LAN 1 (NET MGT) ELOM or ILOM interface (recommended), or

  • The keyboard and monitor attached to the KMAs.


    Note:

    Popup blockers prevent windows from launching in the following procedures. Disable the popup blockers before beginning. If the window appears, but a console window does not, the Web browser or Java version is incompatible with the Service Processor. Upgrade to the latest versions of the browser and Java. See Table 2-1 for a list of compatible versions.

Table 2-1 Supported ELOM Compatible Web Browsers and Java Versions

Client OS                     Supports These Web Browsers       Java Runtime Environment Including Java Web Start
----------------------------  --------------------------------  -------------------------------------------------
Microsoft Windows XP          Internet Explorer 6.0 and later   JRE 1.5 (Java 5.0 Update 7 or later)
Microsoft Windows 2003        Mozilla 1.7.5 or later
Microsoft Windows Vista       Mozilla Firefox 1.0

Red Hat Linux 3.0 and 4.0     Mozilla 1.7.5 or later
                              Mozilla Firefox 1.0

Solaris 9                     Mozilla 1.7.5
Solaris 10
Solaris Sparc
SUSE Linux 9.2

You can download the Java 1.5 runtime environment at: http://java.com

The current version of the ELOM guide is available at:

http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6588-14/819-6588-14.pdf


Table 2-2 Supported ILOM Compatible Web Browsers and Java Versions

Client OS                     Supports These Web Browsers       Java Runtime Environment Including Java Web Start
----------------------------  --------------------------------  -------------------------------------------------
Microsoft Windows 98          Internet Explorer 6.0 and later   JRE 1.5 (Java 5.0 Update 7 or later)
Microsoft Windows 2000        Mozilla 1.7.5 or later
Microsoft Windows XP          Mozilla Firefox 1.0 or later
Microsoft Windows Vista       Opera 6.x or later

Linux (Red Hat, SuSE, Ubuntu) Mozilla 1.7.5 or later
                              Mozilla Firefox 1.0 or later
                              Opera 6.x or later

Solaris 9                     Mozilla 1.7.5 or later
Solaris 10                    Firefox 1.0 or later

You can download the Java 1.5 runtime environment at: http://java.com

The current version of the ILOM guide is available at:

http://download.oracle.com/docs/cd/E19860-01/index.html


Using a Network Connection - ELOM

  1. Using another workstation on the network, launch a Web browser.

  2. Connect to the KMA ELOM using the IP Address or hostname of LAN 1 (NET MGT), which is the address just configured.


    Note:

    Because the certificate in the ELOM will not match the assigned name or IP, you will receive one or more warnings from your web browser.

  3. Click OK or Yes to bypass these warnings.

    Once past the warnings, you receive the ELOM login prompt.

  4. Log in using:

      Userid = root

      Password = changeme

    The next screen is the Manager Screen. If the server has just been connected to power, and it has not been powered on, it will not have completed a system boot.

    KMAs are configured to boot up automatically when initially powered on and should boot up to the QuickStart prompt within a few minutes of being powered on.

  5. Check the power status by clicking on the System Monitoring tab.

    If the Power Status shows "power off," click the Remote Control tab to the far right of the upper row of tabs.

  6. Click the Remote Power Control tab in the second row of tabs.

  7. In the Select Action drop-down, choose Power On and click the Save button.

  8. The KMA begins powering up. This takes a few minutes; however, you can continue with the KMA configuration.

  9. Click the Remote Control tab in the first row of tabs.

  10. Click the Redirection tab in the second row of tabs.

  11. Click the Launch Redirection button.

    A Java applet is downloaded before starting the remote console window.

    This launches the remote console screen in a new window.

  12. Save the javaRKVM.jnlp file when requested, then open it to start the remote console. Click past any warnings that may be displayed.

  13. Go to "Launching the OKM Console" for the next steps in the process.

Using a Network Connection - ILOM

  1. Using another workstation on the network, launch a Web browser.

  2. Connect to the KMA ILOM using the IP Address or hostname of LAN 1 (NET MGT), which is the address just configured.


    Note:

    Because the certificate in the ILOM does not match the assigned name or IP, you receive one or more warnings from your web browser.

  3. Click OK or Yes to bypass these warnings.

    Once past the warnings, you receive the ILOM login prompt.

  4. Log in using:

      Userid = root

      Password = changeme

    The next screen is the Manager Screen. If the server has just been connected to power, and it has not been powered on, it will not have completed a system boot.

    KMAs are configured to boot up automatically when initially powered on and should boot up to the QuickStart prompt within a few minutes of being powered on.

  5. Check the power status shown next to Host Power.

  6. If Host Power shows that the power is off, click the Change drop-down.

  7. In the Select Action drop-down, choose Power On and click the Save button.

    The KMA begins powering up. This will take a few minutes; however, you can continue with the KMA configuration.

  8. Click the Remote Control tab in the first row of tabs.

  9. Click the Redirection tab in the second row of tabs.

  10. Click the Launch Remote Console button.

    A Java applet is downloaded before starting the remote console window. This launches the remote console screen in a new window.

  11. Save the javaRKVM.jnlp file when requested, then open it to start the remote console. Click past any warnings that may be displayed.

  12. Go to "Launching the OKM Console" for the next steps in the process.

Launching the OKM Console

  1. Press any key and press <Enter> to continue. The KMA checks the SCA 6000 card and reports its status.


    After a reboot, reset, or initial installation, a new message is displayed if the SCA 6000 card is being initialized or upgrading its firmware. The console is disabled until it is complete.

    Console unavailable while KMA Maintenance is in progress...
    
  2. Press <Enter>.

    You now proceed to the QuickStart program prompt described in "Starting QuickStart".

Additional Service Processor Procedures

See Appendix D "Service Processor Procedures" for procedures to configure and upgrade the ELOM and ILOM.

Running the QuickStart Program

When a KMA in the factory default state is powered on, a special mode of the KMA Configuration Menu called QuickStart is automatically executed. QuickStart collects the minimal configuration information required for initializing the KMA. Once the QuickStart program has been successfully completed, it cannot be re-executed. The only way to access the QuickStart program again is to reset the KMA to its factory default state (refer to "Resetting the KMA to the Factory Default").


Note:

In the following screen examples, entries in bold represent areas where you respond.

Starting QuickStart

To run the QuickStart Program:

  1. Power on the KMA. When you power up the KMA for the first time, QuickStart is executed, and the Welcome to QuickStart! screen is displayed.

    KMAs perform initial configuration steps after they are first booted. These steps can take a few minutes to complete. KMAs display messages that indicate the initial configuration is occurring.

If you press Ctrl-c, the QuickStart program resets and the Welcome to QuickStart! screen is redisplayed.

Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.0.0 (build2020) SO on Strathclyde
----------------------------------------------------------
Welcome to QuickStart!

Authorized users only. All activity may be monitored and reported.

Performing initial configuration of this KMA - Please wait
Initial configuration of this KMA completed

The QuickStart program will guide you through 
the necessary steps for configuring the KMA.
You may enter Ctrl-c at any time to abort; however, it is necessary to successfully complete all steps in this 
initialization program to enable the KMA.

Press Enter to continue:

Set Keyboard Layout
__________________________________________________________

Press Ctrl-c to abort.

You may change the keyboard layout here.

Available keyboard layouts:

( 1) Arabic             ( 2) Belgian           ( 3) Brazilian 
( 4) Canadian-Bilingual ( 5) Canadian-French   ( 6) Danish  
( 7) Dutch              ( 8) Dvorak            ( 9) Finnish 
(10) French             (11) German            (12) Italian 
(13) Japanese-type6     (14) Japanese          (15) Korean 
(16) Latin-American     (17) Norwegian         (18) Portuguese 
(19) Russian            (20) Spanish           (21) Swedish
(22) Swiss-French       (23) Swiss-German      (24) Traditional-Chinese
(25) TurkishQ           (26) UK-English        (27) US-English

The current layout is US-English 
Please enter the number for the keyboard layout [27] : 
The keyboard layout has been applied successfully.
Press Enter to continue

Specifying the Network Configuration

The following procedures allow you to establish the network configuration.

Setting the KMA Management IP Addresses

To set the KMA Management IP addresses:

  1. Press <Enter> to continue. The following information is displayed.

    Set KMA Management IP Addresses
    -------------------------------------------------------
    Press Ctrl-c to abort.
    An IP Address configuration must be defined in order for the
    KMA to communicate with other KMAs or Users in your system.
    Do you want to configure the Management Network interface to have an IPv6 address? [y/n]: 
    Do you want to use DHCP to configure the Management Network IPv4 interface? [y/n]: 
    Please enter the Management Network IP Address [10.172.180.39]:
    Please enter the Management Network Subnet Mask [255.255.254.0]:
    
  2. At the Please enter your choice: prompt on the main menu, type 3 and press <Enter>.

  3. Type either n or y at the Do you want to configure the Management Network interface to have an IPv6 address prompt.

  4. Type either n or y at the Do you want to use DHCP to configure the Management Network IPv4 interface prompt. If you type n, go to Step 5. If you type y, you go to the procedure "Setting the KMA Service IP Addresses".


    Note:

    If you elect to use DHCP, any hostname information provided by the DHCP server is ignored. Any DNS information provided by the DHCP server is presented in "Specifying the DNS Settings".

  5. At the prompt, type the Management Network IP address and press <Enter>.

  6. At the Please enter the Management Network Subnet Mask: prompt, type the subnet mask (for example, 255.255.254.0) and press <Enter>.

Enabling the Technical Support Account

To enable the Technical Support account:

  1. Press <Enter> to continue. The following information is displayed.

    To assist in troubleshooting your network configuration,
    you might want to enable the technical support account for the
    network configuration steps of the QuickStart process.
    Do you want to enable this support account for the network
    configuration steps of the QuickStart process? [y/n]: y
    Press Enter to continue:
    
  2. If you want to enable the technical support account in QuickStart, type y at the Do you want to enable this support account for the network configuration steps of the QuickStart process? prompt. Otherwise, type n, and you proceed to Step 3.


    Note:

    If you type y, you see the same prompts that are described in "Enabling the Technical Support Account". After answering these prompts, you move to Step 3.

  3. Press <Enter> to continue.

    If you have enabled the Technical Support account, QuickStart disables it after you complete the "Specifying the DNS Settings" process. The following screen is displayed.

    The support account is now being disabled.
    Technical Support configuration changes have been completed.
    Press Enter to continue:
    

Setting the KMA Service IP Addresses

To set the KMA Service IP addresses:

  1. Press <Enter> to continue. The following information is displayed.

    Set KMA Service IP Addresses
    -------------------------------------------------------
    Press Ctrl-c to abort.
    An IP Address configuration must be defined in order for the
    KMA to communicate with other Agents in your system.
    Do you want to configure the Service Network interface to have an IPv6 address?
    [y/n]: y 
    Do you want to use DHCP to configure the Service Network IPv4 interface? [y/n]: n 
    Please enter the Service Network IP Address [192.168.1.39]:
    Please enter the Service Network Subnet Mask [255.255.255.0]:
    
  2. At the Please enter your choice: prompt on the main menu, type 4 and press <Enter>.

  3. Type either n or y at the Do you want to configure the Service Network interface to have an IPv6 address prompt.

  4. Type either n or y at the Do you want to use DHCP to configure the Service Network IPv4 interface prompt. If you type n, go to Step 5. If you type y, you go to the procedure "Viewing/Adding/Deleting Gateways".

  5. At the prompt, type the Service Network IP address and press <Enter>.

  6. At the Please enter the Service Network Subnet Mask: prompt, type the subnet mask (for example, 255.255.255.0) and press <Enter>.

Viewing/Adding/Deleting Gateways

This menu option shows the current gateway settings (five to a page) on the Management (M) and Service (S) interfaces.

  1. Press <Enter> to continue. The following information is displayed, indicating that you can add a gateway, remove a gateway, or accept the current gateway configuration.

    Modify Gateway Settings
    ------------------------------------------------------------
    Press Ctrl-c to abort.
    Gateways that are configured automatically are not modifiable, and are
    indicated with an asterisk (*). Management routes are indicated with an 'M',
    and service routes with an 'S'.
       # Destination       Gateway          Netmask            IF
    ---- ----------------- ---------------- -------------------- --
       1 default           10.172.181.254   0.0.0.0             M
       2 default           10.172.181.21    0.0.0.0             M
       3 default           192.168.1.119    0.0.0.0             S
       4 10.0.0.0          10.172.180.25    255.255.254.0       M
    *  5 10.172.180.0      10.172.180.39    255.255.254.0       M
    Press Enter to continue:
    Modify Gateway Settings
    ------------------------------------------------------------
    Press Ctrl-c to abort.
    Gateways that are configured automatically are not modifiable, and are
    indicated with an asterisk (*). Management routes are indicated with an 'M',
    and service routes with an 'S'.
     #   Destination          Gateway          Netmask         IF
    ---- -------------------- ----------------- ---------------- --
    *  6 192.168.1.0          192.168.1.39     255.255.255.0    S
       7 192.168.25.0         10.172.180.25    255.255.255.0    M
       8 192.168.26.0         10.172.180.25    255.255.255.0    M
    *  9 127.0.0.1            127.0.0.1        255.255.255.255   
    * 10 fe80::               2001:db8::/32    10               M
    (1) Continue
    (2) Back
     1
    
    
    Modify Gateway Settings
    ------------------------------------------------------------
    Press Ctrl-c to abort.
    Gateways that are configured automatically are not modifiable, and are
    indicated with an asterisk (*). Management routes are indicated with an 'M', and
    service routes with an 'S'.
       # Destination  Gateway                   Netmask       IF
    ---- ------------ ------------------------  ------------- --
    * 11 fe80::       fe80::216:36ff:feca:15b9  10          S
    You can add a route, delete a route, or exit the gateway configuration.
    Please choose one of the following:
    (1)  Add a gateway
    (2)  Remove a configured gateway (only if modifiable)
    (3)  Exit gateway configuration
    (4)  Display again
    3
    
  2. At the Please enter your choice: prompt on the main menu, type 5 and press <Enter>.

  3. At the (1) Continue (2) Back prompt, type 1 to display the next gateway setting or 2 to return to the previous gateway setting.

  4. At the Please choose one of the following: prompt, type 1, 2, 3, or 4 and press <Enter>.


    Note:

    If at any time you press Ctrl-c, no changes are saved and you are returned to the main menu.

Specifying the DNS Settings

This menu option shows the DNS settings, and prompts you for a new DNS domain (if you want to configure one) and the DNS server IP addresses.


Note:

If you chose to use DHCP on the management network in "Setting the KMA Management IP Addresses", the KMA displays any DNS settings from a DHCP server on the management network. You can enter information to override these DNS settings.

  1. Press <Enter> to continue. The following information is displayed.

    Set DNS Configuration
    -------------------------------------------------------
    Press Ctrl-c to abort.
    DNS configuration is optional, but necessary if this KMA will be configured using hostnames instead of IP addresses.
    
    Current DNS configuration:
    Domain: 
    Nameservers: 
    
    Please enter the DNS Domain (blank to unconfigure DNS): example.com
    
    Up to 3 DNS Name Servers can be entered. Enter each name server separately, and enter a blank name to finish.
    Please enter DNS Server IP Address #1: 10.172.0.5
    Please enter DNS Server IP Address #2:
    
  2. At the Please enter your choice: prompt on the main menu, type 6 and press <Enter>.

  3. Enter the DNS domain name at the Please enter the DNS Domain (blank to unconfigure DNS): prompt.

  4. Enter the DNS server IP address at the Please enter DNS Server IP address prompt. You can enter up to three IP addresses.

  5. Press <Enter>, without specifying an IP address, to finish.

Initializing the KMA

  1. Press <Enter> to continue. The following information is displayed.

    The KMA Name is a unique identifier for your KMA. This name should not be
    the same as the KMA Name for any other KMA in your cluster. It also should
    not be the same as any User Names or Agent IDs in your system. 
    
    Please enter the KMA Name: KMA-1 
    Press Enter to continue: 
    
  2. At the prompt, type a unique identifier for the KMA.


Note:

A KMA Name cannot be altered once it is set using the QuickStart program. It can only be changed by resetting the KMA to the factory default and running QuickStart again.

This KMA name is used as the hostname for the KMA.


Configuring the Cluster

  1. At the prompt, press <Enter>. The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.

    You can now use this KMA to create a new Cluster, or you can have this KMA
    join an existing Cluster. You can also restore a backup to this KMA or 
    change the KMA version.
    Please choose one of the following: 
    (1)  Create New Cluster  
    (2)  Join Existing Cluster  
    (3)  Restore Cluster from Backup 
    Please enter your choice: 1
    Create New Cluster 
    
  2. At the prompt, type 1, 2, or 3 and press <Enter>.

    If you type 1, go to "Entering Key Split Credentials".

    If you type 2, go to "Joining an Existing Cluster".

    If you type 3, go to "Restoring a Cluster From a Backup".

Entering Key Split Credentials

Key Split Credentials user IDs and passphrases should be entered by the individual who owns that user ID and passphrase. Using one person to collect and enter this information defeats the purpose of having the Key Split Credentials.

If it is impractical for all members of the Key Split Credentials to enter this information at this time, enter a simple set of credentials now, and then enter the full credentials later in the OKM Manager.

However, doing this creates a security risk. If a Core Security backup is created with simple Key Split Credentials, it can then be used to restore a backup.

  1. At the Please enter your choice: prompt, type 1. The following information is displayed.

    The Key Split credentials are used to wrap splits of the Core Security Key
    Material which protects Data Unit Keys.
    
    When Autonomous Unlocking is not enabled, a quorum of Key Splits must be
    entered in order to unlock the KMA and allow access to Data Unit Keys.
    
    A Key Split credential, consisting of a unique User Name and Passphrase, is required for each Key Split. 
    
    The Key Split Size is the total number of splits that will be generated. 
    This number must be greater than 0 and can be at most 10. 
    
    Please enter the Key Split Size: 2  
    
    The Key Split Threshold is the number of Key Splits required to obtain a quorum. 
    
    Please enter the Key Split Threshold: 1  
    Please enter the Key Split User Name #1: user1  
    Passphrases must be at least 8 characters and at most 64 characters in length. 
    Passphrases must not contain the User's User Name. 
    Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other). 
    Please enter Key Split Passphrase #1: ******** 
    Please re-enter Key Split Passphrase #1: ******** 
    Press Enter to continue: 
    Press Ctrl-c to abort. 
    

    Note:

    The Key Split Size and Key Split Threshold can be changed using "Modifying the Key Split Configuration". The Key Split Threshold must be less than or equal to the Key Split Size.

    User IDs and passphrases should be entered only by an authorized user to keep them secure. These items also can be changed after running the QuickStart program.


  2. At the Please enter the Key Split Size: prompt, type the number of key splits to be generated and press <Enter>.

  3. At the Please enter the Key Split Threshold: prompt, type the number of key splits required to obtain a quorum and press <Enter>.

  4. At the Please enter the Key Split User Name #1: prompt, type the user name for the first Key Split user and press <Enter>.

  5. At the Please enter Key Split Passphrase #1: prompt, type the passphrase for the first Key Split user and press <Enter>.

  6. At the Please re-enter Key Split Passphrase #1: prompt, type the same passphrase that you previously entered and press <Enter>.

  7. Repeat Steps 4 through 6 until all user names and passphrases have been entered for the selected Key Split size.


    Note:

    The Key Split user names and passphrases are independent of other user accounts that are established for KMA administration. Oracle recommends that key split user names be different from KMA user names.

Entering Initial Security Officer User Credentials

  1. At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

    The initial Security Officer User is the first User that can connect to the
    KMA via the Oracle Key Manager GUI. This User can subsequently create
    additional Users and administer the system.
    
    Please enter a Security Officer User Name: SecOfficer 
    
    A Passphrase is used to authenticate to the KMA when a connection is made via the Oracle Key Manager GUI.
    
    Passphrases must be at least 8 characters and at most 64 characters in length.
    Passphrases must not contain the User's User Name. 
    Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).  
    
    Please enter the Security Officer Passphrase: ******** 
    Please re-enter the Security Officer Passphrase: ******** 
    Press Enter to continue:  
    Press Ctrl-c to abort.
    

    Note:

    This initial Security Officer user account is used to logon to the KMA using the OKM Manager.

  2. At the prompt, type the Security Officer's user name and press <Enter>.

  3. At the prompt, type the Security Officer's passphrase and press <Enter>.

  4. At the Please re-enter the Security Officer Passphrase: prompt, re-type the same passphrase and press <Enter>.

    Important – All KMAs have their own passphrases that are independent of passphrases assigned to users and Agents. The first KMA in a Cluster is assigned a random passphrase. If this KMA's certificate expires, and you want to retrieve its entity certificate from another KMA in the Cluster, you would have to use the OKM Manager to set the passphrase to a known value. For procedures, refer to "Setting a KMA Passphrase".
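The Key Split prompts and the Security Officer prompts above enforce the same passphrase policy, and the Key Split prompts define a size/threshold quorum. The following Python block is an added illustration, not Oracle Key Manager code: it checks the printed passphrase rules and the Key Split Size/Threshold constraints, and uses a Shamir-style threshold split over a prime field to show what "a quorum of Key Splits" means. The page does not describe OKM's actual splitting algorithm, and the case-insensitive user-name comparison is an assumption.

```python
"""Checks modelled on the QuickStart Key Split and Security Officer prompts.

Added illustration, not Oracle Key Manager code. Covers:
  * the passphrase policy printed by the prompts (8-64 chars, must not
    contain the user name, 3 of 4 character classes);
  * the Key Split Size (1..10) / Threshold (<= Size) constraints;
  * a Shamir-style threshold split over GF(P), assumed here only to
    illustrate a quorum; OKM's real scheme is not described on the page.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 64
MAX_SPLIT_SIZE = 10


def passphrase_errors(user_name: str, passphrase: str) -> list[str]:
    """Return the policy rules the passphrase violates (empty list = OK)."""
    errors = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # Assumption: "must not contain the User Name" is checked
    # case-insensitively; the prompt text does not say how it compares.
    if user_name and user_name.lower() in passphrase.lower():
        errors.append("must not contain the user name")
    classes = (
        any(c in string.ascii_uppercase for c in passphrase),
        any(c in string.ascii_lowercase for c in passphrase),
        any(c in string.digits for c in passphrase),
        any(c not in string.ascii_letters + string.digits for c in passphrase),
    )
    if sum(classes) < 3:
        errors.append("needs characters from 3 of 4 classes "
                      "(uppercase, lowercase, numeric, other)")
    return errors


def split_config_errors(size: int, threshold: int) -> list[str]:
    """Key Split Size must be 1..10; Threshold must be 1..Size."""
    errors = []
    if not 1 <= size <= MAX_SPLIT_SIZE:
        errors.append(f"Key Split Size must be between 1 and {MAX_SPLIT_SIZE}")
    if threshold < 1 or threshold > size:
        errors.append("Key Split Threshold must be between 1 and the Key Split Size")
    return errors


# Field for the Shamir demo; 2**127 - 1 is a Mersenne prime, large enough
# for any secret below it.
P = 2**127 - 1


def make_splits(secret: int, size: int, threshold: int) -> list[tuple[int, int]]:
    """Split `secret` into `size` shares; any `threshold` of them recover it.

    With Threshold 1 (as in the page's example: Size 2, Threshold 1) the
    polynomial is constant, so every share is the secret itself.
    """
    assert not split_config_errors(size, threshold) and 0 <= secret < P
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, size + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x=0 over the supplied shares (the quorum)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def quorum_demo(size: int = 3, threshold: int = 2) -> dict:
    """Show that any `threshold` shares recover the secret and fewer do not."""
    secret = secrets.randbelow(P)
    shares = make_splits(secret, size, threshold)
    return {
        "first_quorum_recovers": recover(shares[:threshold]) == secret,
        "other_quorum_recovers": recover(shares[-threshold:]) == secret,
        "below_quorum_fails": threshold == 1
        or recover(shares[:threshold - 1]) != secret,
    }
```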

Specifying the Autonomous Unlocking Preference


Caution:

While it is more convenient and increases the availability of the OKM Cluster, enabling autonomous unlocking creates security risks. When autonomous unlocking is enabled, a powered-off KMA must retain sufficient information to boot up fully and begin decrypting stored keys.

This means a stolen KMA can be powered up, and an attacker can begin extracting keys from the KMA. While it is not easy to extract keys, a knowledgeable attacker will be able to dump all keys off the KMA. No cryptographic attacks are needed.

If autonomous unlocking is disabled, cryptographic attacks are required to extract keys from a stolen KMA.

You should carefully consider potential attacks and security concerns before choosing to enable autonomous unlocking.


  1. At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

    When Autonomous Unlocking is DISABLED, it is necessary to UNLOCK the KMA using
    a quorum of Key Split Credentials EACH TIME the KMA starts before normal
    operation of the system can continue.  Agents may NOT register Data Units with
    or retrieve Data Unit Keys from a locked KMA.
    
    When Autonomous Unlocking is ENABLED, the KMA will
    automatically enter the UNLOCKED state each time the
    KMA starts, allowing it to immediately service Agent requests.
    Do you wish to enable Autonomous Unlocking? [y/n]: y
    

    Note:

    The Autonomous Unlocking feature allows the KMA to enter a fully operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the OKM Manager. You can change this option from the OKM Manager at a later time.

  2. At the prompt, type y or n and press <Enter>.

Setting the Key Pool Size

  1. At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

    Enter Key Pool Size
    -------------------------------------------------------
    Press Ctrl-c to abort.
    
    Each KMA pre-generates and maintains a pool of keys. These pre-operational keys
    must be backed up or replicated before a KMA will provide them to an Agent for
    use in protecting data. This helps to ensure that a key will never be
    permanently lost, even in disaster scenarios.
    A smaller key pool size prevents unnecessary initial database (and backup)
    size, but requires frequent backups or a reliable network to ensure that
    activation-ready keys are always available. Conversely, a large key pool size
    is more tolerant of infrequent backups or unreliable network connections
    between KMAs, but the large number of pre-generated keys causes the database
    (and backups) to be quite large.
    
    Please select the key pool size (1000 - 200000):
    
  2. At the prompt, enter the key pool size. The value entered determines the initial size that the new KMA generates and maintains.

Synchronizing KMA Time

KMAs in a Cluster must keep their clocks synchronized. Internally, all KMAs use UTC time (Coordinated Universal Time).

You can also use the OKM Manager to adjust date and time settings to local time.

KMAs in a Cluster must keep their clocks synchronized. Specify an NTP server if
one is available in your network. Otherwise, specify the date and time to which
the local clock should be set.

Please enter the NTP Server Hostname or IP Address (optional): ntp.example.com 

Press Enter to continue:

Initializing new cluster...

New cluster has been created.

Press Enter to continue:
Oracle Key Manager Version 3.0.0 (Build2020) 
__________________________________________________________
KMA initialization complete!
You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.

Press Enter to exit: 

Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.0.0 (Build2020)
__________________________________________________________

Please enter your User Name: 
  1. If an NTP server is available in your network environment, at the Please enter the NTP Server Hostname or IP Address (optional): prompt, enter the NTP server hostname or IP address.


    Note:

    You can provide an IPv6 address for this NTP server. This IPv6 address must not include square brackets or a prefix length.

  2. If an NTP server is not available, press <Enter>. Then, at the Please enter the date and time for this KMA prompt, enter the date and time in one of the specified formats, or press <Enter> to use the displayed date and time.

  3. At the prompt, press <Enter>. KMA initialization is complete.

  4. Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Logging into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.

  5. Your next step is to use the OKM Manager to connect to the Cluster. For procedures, refer to "Connecting to the Cluster".

Joining an Existing Cluster

Important

  • Before performing this task, the Security Officer must first log into the OKM Cluster using the OKM Manager and create a KMA.

    See "Creating a KMA". The KMA Name specified in the KMA initialization process (see "Initializing the KMA") must match the KMA name you enter when you create the KMA.

  • When you add a new KMA to an existing OKM Cluster, the OKM Cluster begins to propagate Cluster information to the new KMA. It takes time for the Cluster to finish circulating this information to the new KMA, and as a result, the Cluster becomes busy during this time period.

    Add KMAs to the Cluster during times of light loads so that this propagation activity does not interfere with normal operations. To avoid problems caused by Agents attempting to use the new KMA during the synchronization period, the KMA remains locked after it has been added to the Cluster. Wait until the KMA has been synchronized (that is, until it has "caught up" with other KMAs in the Cluster) before you unlock it.

  • In earlier KMS releases, if the release running on a new KMA was different from an existing KMA in the Cluster, then the new KMA was automatically upgraded or downgraded to the release of the existing KMA when the new KMA joined the Cluster. For OKM 2.3 and later, if the new KMA runs OKM 2.3 or later and the existing KMA runs an earlier KMS release, then the new KMA can join the Cluster without downgrading to the earlier release.

  • If you are running OKM 2.3 or later, before you add a KMA to the Cluster, the replication version must be set to the highest value supported by all KMAs in the Cluster. Refer to "Switching the Replication Version".

To join a new KMA to an existing Cluster:

  1. When you complete the KMA initialization process (see "Initializing the KMA"), at the prompt, press <Enter>.

    The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.

    You can now use this KMA to create a new Cluster, or you can have this KMA join
    an existing Cluster.  You can also restore a backup to this KMA or change the
    KMA Version.
    
    Please choose one of the following:
    (1)  Create New Cluster 
    (2)  Join Existing Cluster 
    (3)  Restore Cluster from Backup
    Please enter your choice: 2
    Join Existing Cluster
    
  2. At the Please enter your choice: prompt, type 2. The following information is displayed.

    Join Existing Cluster
    -------------------------------------------------------
    Press Ctrl-c to abort.
    In order to join a Cluster, the KMA must contact another KMA which is already in the Cluster.
    Please enter the Management Network IP Address or Host Name of an existing KMA in the cluster: 10.172.60.172
    Please enter this KMA's Passphrase:********
    Press Enter to continue:
    This command requires authorization by a quorum of Key Split Users. Enter
    sufficient Key Split credentials to form a quorum. Enter a blank name to
    finish.
    Press Ctrl-c to abort.
    Please enter Key Split User Name #1: user1 
    Please enter Key Split Passphrase #1: ******** 
    Press Enter to continue:
    Joining cluster...
    This KMA has joined the Cluster.
    Press Enter to continue:
    Oracle Key Manager Version 2.3 (Build1036)
    -------------------------------------------------------
    KMA initialization complete!
    You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.
    Press Enter to exit:
    

    Note:

    Before this new KMA can communicate with an existing KMA in the Cluster, you must use the OKM Manager to create an entry for this KMA in the existing KMA's database. For procedures, refer to "Creating a KMA".

  3. At the prompt, type the network address of one KMA in the existing Cluster and press <Enter>.

  4. At the prompt, type the passphrase for the KMA and press <Enter>.

  5. At the prompt, type the first Key Split user name and press <Enter>.

  6. Type the passphrase for the Key Split user, and press <Enter>.

    Important – Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.

  7. Repeat Steps 5 and 6 until you have entered a sufficient number of Key Split user names and passphrases to form a quorum.

  8. At the next Please enter Key Split User Name prompt, press <Enter> without typing a name. A blank name tells QuickStart that you have finished entering credentials.

    The initialization is complete.

    At the end of a successful Join Cluster session, QuickStart displays the following prompt if the Cluster's replication version is at least 12.

    It might take some time for this KMA to be updated with information from other
    KMAs in the Cluster.  This amount of time can be greater in Clusters that have
    more KMAs or when the KMAs have been online for a long time.
    To accelerate these initial updates (that is, to catch up now), you can choose
    now to download a backup from another KMA in the Cluster and then restore from
    it.  There will not be an opportunity to accelerate these updates later.
    Catch up now? [y/n]: 
    
  9. Type y to accelerate initial updates. Otherwise, type n to go to Step 10.


    Note:

    Before you type y at the above prompt, create a backup on a peer KMA after you have switched the Cluster's replication version to 12. Also, ensure that the peer KMA on which you created a backup is currently responding on the network. These steps help the new KMA find a cached backup to download and apply.

    The new KMA queries its peers to identify the KMA that has the largest cached backup in this Cluster, downloads that backup, and then applies it to its local database. This process is equivalent to replicating the data but at a much faster rate. Informational messages appear during this process.

    For example:

    Waiting 10 seconds for the join to propagate to Peer KMAs...
    Querying Peer KMAs to find the active ones...
    Querying active Peer KMAs to find cached backup sizes...
    Peer KMA at IP Address 10.172.180.39 has a cached backup size of 729136 bytes.
    Downloading the cached backup from this Peer KMA...
    Downloaded the cached backup from this Peer KMA.
    Initialized the Key Store.
    Performed maintenance on the Key Store.
    Applying the cached backup to the local database...
    .......................................................
    .......................................................
    .......................................................
    .......................................................
    .......................................................
    .......................................................
    .......................................................
    Applied the cached backup to the local database.
    Successfully accelerated initial updates on this KMA.
    

    Later, the newly joined KMA automatically replicates any data that is not in the backup.

    If an error occurs during this process, QuickStart displays the above prompt again (in case the error is due to a temporary condition). QuickStart also displays the above prompt again if the KMA cannot find a peer KMA that has a cached backup.

    However, if more than 5 minutes have elapsed since the first time the above prompt was displayed, then QuickStart displays the following message and no longer displays the above prompt:

    Failed to accelerate initial updates on this KMA after 300 seconds.
    This KMA will gradually be updated with information from other KMAs.
    

    Regardless of whether you typed y or n at Step 9, or even if the process timed out, these messages appear:

    This KMA has joined the Cluster.
    Press Enter to continue:
    
  10. Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Logging into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.

  11. Your next step is to use the OKM Manager to connect to the Cluster. For procedures, refer to "Connecting to the Cluster".

  12. The OKM Cluster begins to propagate information to the newly added KMA. This causes the new KMA to be very busy until it has caught up with the existing KMAs in the Cluster. The other KMAs are also busy. You can observe this activity from the OKM Manager by viewing the KMAs as described by "Viewing KMAs".

  13. Observe the Replication Lag Size value of the new KMA. Initially, this value is high. Periodically refresh the information displayed in this panel by pulling down the View menu and selecting Refresh or by pressing the F5 key. Once the Replication Lag Size value of this KMA drops to a similar value of other KMAs in the Cluster, then you can unlock the KMA as described by "Unlocking the KMA".

Restoring a Cluster From a Backup

This option allows you to create a Security Officer account that can be used to restore the Backup image to the KMA using the OKM Manager. You can use a Backup to restore a KMA's configuration in the event a KMA experiences a failure (for example, hard disk damage). This, however, is not typically required since a KMA that is restored to the factory default state can readily join an existing Cluster and build up its database by receiving replication updates from Cluster peers. Restoring a KMA from a Backup is still useful in the event that all KMAs in a Cluster have failed.


Note:

You first must create a Backup. For procedures on creating Backups using the OKM Manager, refer to "Creating a Backup".

Oracle recommends you specify a new Security Officer name that did not exist in the OKM Cluster when the last backup was performed.

If you specify an existing Security Officer name and provide a different passphrase, the old passphrase is overwritten. If you specify an existing Security Officer name and other roles were added to that user before the last backup was performed, these other roles are no longer assigned to this User.


To restore the backup image:

  1. When you complete the KMA initialization process (see "Initializing the KMA"), at the prompt, press <Enter>.

    The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.

    You can now use this KMA to create a new Cluster, or you can have this KMA join
    an existing Cluster.  You can also restore a backup to this KMA or change the
    KMA Version.
    Please choose one of the following:
    (1)  Create New Cluster 
    (2)  Join Existing Cluster 
    (3)  Restore Cluster from Backup
    Please enter your choice: 3
    Restore Cluster from Backup
    
  2. At the Please enter your choice: prompt, type 3. The following information is displayed.

    Initial Restore Cluster From Backup
    Enter Initial Security Officer User Credentials
    -------------------------------------------------------
    Press Ctrl-c to abort.
    The initial Security Officer User is the first User that can connect to the KMA
    via the Oracle Key Manager GUI. This User can subsequently create additional
    Users and administer the system.
    Please enter a Security Officer User ID: SO1A
    Passphrase is used to authenticate to the KMA when a connection is made via the
    KMS Manager.
    Passphrases must be at least 8 characters and at most 64 characters in length.
    
  3. At the prompt, type the Security Officer's user name and press <Enter>.

    Best Practice: Enter a temporary restore Security Officer user ID (for example, RestoreSO) instead of the Security Officer user ID that existed prior to the restore.

  4. At the prompt, type the Security Officer's passphrase and press <Enter>.

    Steps 5 through 7 are optional.

    If you choose to define initial quorum user credentials in QuickStart, you can enter a quorum login name and passphrase at this time so that the restore operation from the OKM Manager GUI (Step 13) is pended.

    Quorum members can then use this login and passphrase later to log in to the OKM Manager GUI and enter their credentials to approve the restore (see "Restoring a Backup").

    If you do not enter a quorum login user ID here, the only user that exists at the end of QuickStart is the Security Officer created in Step 3. In this case, all Key Split Credentials must be entered at once for the restore to occur.

    The following information is displayed:

    Enter Initial Quorum Login User Credentials
    -------------------------------------------------------
    Press Ctrl-c to abort.
    The initial Quorum Login User is an optional user that will allow the restore
    operation to be pended until quorum members can connect to the KMA via the
    Oracle Key Manager GUI and enter their credentials.  If this user is not
    created here, then a quorum of credentials must be entered at the time the
    restore operation is requested.
    Please enter a Quorum Login User ID (optional): Q 
    Passphrases must be at least 8 characters and at most 64 characters in length.
    Passphrases must not contain the User's User ID.
    Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
    Please enter the Quorum Login Passphrase:
    Please re-enter the Quorum Login Passphrase:
    
  5. At the prompt, either press <Enter> or type the quorum login user ID and press <Enter>.

  6. At the prompt, either press <Enter> or type the quorum login passphrase and press <Enter>.

  7. At the Please re-enter the Quorum Login Passphrase: prompt, either press <Enter> or re-type the same passphrase and press <Enter>.

  8. At the Please re-enter the Security Officer's Passphrase: prompt, retype the passphrase you entered in Step 4 and press <Enter>.

    Set Time Information
    -------------------------------------------------------
    Press Ctrl-c to abort.
    KMAs in a Cluster must keep their clocks synchronized. Specify an NTP server if
    one is available in your network. Otherwise, specify the date and time to which
    the local clock should be set.
    Please enter the NTP Server Hostname or IP Address (optional): 
    The date and time for this KMA must be specified in ISO 8601 format including a
    time zone.  Here are some valid ISO 8601 format patterns:
        YYYY-MM-DDThh:mm:ssZ
        YYYY-MM-DD hh:mm:ssZ
        YYYY-MM-DDThh:mm:ss-0600
        YYYY-MM-DD hh:mm:ss-0600
        YYYY-MM-DDThh:mm:ss+02:00
        YYYY-MM-DD hh:mm:ss+02:00
    Please enter the date and time for this KMA [2007-09-17 22:32:53.698Z]: 2007-09-17 22:33:00-0600
    Press Enter to continue:
    The KMA is now ready to be restored.
    Press Enter to continue:
    
  9. If an NTP server is available in your network environment, at the Please enter the NTP Server Hostname or IP Address (optional): prompt, enter the NTP server hostname or IP address.

  10. If an NTP server is not available, press <Enter>. Then, at the Please enter the date and time for this KMA prompt, enter the date and time in one of the specified formats, or press <Enter> to use the displayed date and time.

    Ensure the date and time are accurate. Key lifecycles are based on time intervals, and the original creation times for the keys are contained in the backup. An accurate time setting on the replacement KMA is essential to preserve the expected key lifecycles.

  11. At the prompt, press <Enter>. The following information is displayed, indicating that initialization is complete.

    Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
    Serial Number 1251BD0E48   
    
    OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
    -------------------------------------------------------
    KMA initialization complete!
    You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.
    Press Enter to exit: 
    
  12. Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed.

    Best Practice: Log in to the OKM Manager GUI as the temporary restore Security Officer user ID you established in Step 3.

  13. Log in as the Security Officer on the OKM Manager and select Backup List. From the Backup List screen, click the Restore button to upload and restore the backup to the KMA.

  14. To complete the restore operation, the OKM Manager prompts for a Backup File that corresponds to the Backup Key file, a Backup Key file, and a Core Security backup file.

    The Backup Key file and Backup file must match, but any Core Security Backup file can be used.

  15. The OKM Manager then prompts for a quorum of Key Split users. These must be Key Split Credential users that were in effect when the Core Security Backup was performed.

    Once the restore is complete, the Key Split Credentials that were in effect when the backup (not the Core Security Backup) was completed, will be restored.

    Important – Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.

  16. When the restore process is completed, a new Cluster is created.

    Best Practice: Log in to the OKM Manager GUI using the original Security Officer user ID (the one that existed prior to the restore), and delete the temporary restore Security Officer user ID as a cleanup step. Refer to "Deleting Users".
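The following is an added example, not OKM code, that pre-checks two of the inputs QuickStart asks for above: it parses a date/time in one of the six ISO 8601 patterns accepted at the Set Time step (the same step appears in "Initializing the KMA"), converts it to UTC and measures how far it is from the default the KMA displays in brackets, and it checks a Quorum Login passphrase against the three rules printed in Step 4. The patterns and sample values come from the page; the 300 second skew tolerance, the fractional-second handling and the KMA's actual validation behaviour are assumptions.

```python
"""Offline pre-checks for two QuickStart inputs shown on this page: the
ISO 8601 date/time typed at the Set Time step and the Quorum Login passphrase
rules printed by the restore procedure. Added example, not OKM code; the
KMA's own validation may differ from these checks."""
import re
from datetime import datetime, timedelta, timezone

# The six patterns QuickStart lists, plus the optional fraction that the
# displayed default ("[2007-09-17 22:32:53.698Z]") carries.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(\.\d+)?"
                 r"(Z|[+-]\d{2}:?\d{2})$")

# Assumed tolerance: a difference this large between what the operator types
# and the clock the KMA displays almost always means a wrong UTC offset.
MAX_SKEW_SECONDS = 300


def parse_kma_timestamp(text: str) -> datetime:
    """Parse an accepted pattern into an aware UTC datetime. A missing zone
    designator raises ValueError, because the KMA requires one and a naive
    value would be ambiguous."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"not an accepted ISO 8601 pattern: {text!r}")
    date, clock, frac, zone = m.groups()
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[-2:])))
    micro = int((frac or ".0")[1:].ljust(6, "0")[:6])
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return local.replace(microsecond=micro, tzinfo=tz).astimezone(timezone.utc)


def skew_seconds(entered: str, displayed: str) -> float:
    """Seconds between the operator's value and the default shown in brackets."""
    delta = parse_kma_timestamp(entered) - parse_kma_timestamp(displayed)
    return abs(delta.total_seconds())


def check_quorum_passphrase(user_id: str, passphrase: str) -> list:
    """Return the printed rules the passphrase violates (empty list = accepted)."""
    problems = []
    if not 8 <= len(passphrase) <= 64:
        problems.append("length must be 8..64 characters")
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("must not contain the User ID")
    classes = [any(c.isupper() for c in passphrase),
               any(c.islower() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase)]
    if sum(classes) < 3:
        problems.append("needs characters from 3 of 4 classes")
    return problems


if __name__ == "__main__":
    # Page's sample session: a -0600 time typed against a displayed Z clock.
    skew = skew_seconds("2007-09-17 22:33:00-0600", "2007-09-17 22:32:53.698Z")
    print(f"skew {skew:.3f}s", "CHECK OFFSET" if skew > MAX_SKEW_SECONDS else "ok")
```

Run against the page's own sample values, the entered time lands about six hours after the clock the KMA displayed, which is the kind of offset mistake the key-lifecycle caveat in Step 10 is warning about.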

Adding Agents and Enrolling Tape Drives

After you set up the KMA, you can add agents and enroll tape drives to use that KMA:

  1. Log into the OKM Manager GUI as an Operator and create an agent (refer to "Creating an Agent").

  2. Using the Virtual Operator Panel (VOP), perform the following operations. Refer to the VOP documentation if you do not know how to connect to and use the VOP.

    1. Ask the service representative to license the tape drive(s) (refer to "License the Tape Drives" in chapter 3 of the OKM Installation and Service Manual). Use the Virtual Operator Panel (VOP) to perform this function.

    2. With guidance from the service representative, enroll the tape drive(s) (refer to "Enroll the Tape Drives" in chapter 3 of the OKM Installation and Service Manual).

      You must supply this information:

      • Is the drive to be configured as a permanently encrypting tape drive?

      • What is the agent ID, passphrase, and OKM IP address of the appliance?

  3. Log into the OKM Manager GUI as a Compliance Officer, create at least one Key Group (refer to "Creating a Key Group"), and assign the tape drives (agents) to this Key Group (refer to "Assigning a Key Group to an Agent" and to "Enroll the Tape Drives" in the OKM Installation and Service Manual).

    You must assign this Key Group as the default or the drive cannot write. If you do not specify a default, the drive is read-only for the assigned group(s).