Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02

7 Operator Operations

This chapter describes the operations that a user who has been given an Operator role can perform. If you have been assigned multiple roles, refer to the appropriate chapter for instructions on performing the specific role.

Operator Role

As the Operator, you are responsible for managing the day-to-day operations of the system.


Key Groups Menu

The Key Groups menu allows you to:

  • View a list of Key Groups

  • View Agent to Key Group Assignments

  • View Transfer Partner to Key Group Assignments.


Key Group List

The Key Group List menu option gives you the ability to manage your Key Group. For procedures, refer to "Key Group List Menu".

Agent Assignment to Key Groups

The Agent Assignment to Key Groups menu option gives you the ability to view which Agents are assigned to which Key Groups. For procedures, refer to "Agent Assignment to Key Groups Menu".

Transfer Partner Assignment to Key Groups

The Transfer Partner Assignment to Key Groups menu option allows you to view the set of Key Transfer Partners that are allowed access to a specific Key Group. For procedures, refer to "Transfer Partner Assignment to Key Groups Menu".

Agent List Menu

The Agent List menu option allows you to:

  • View Agents

  • Create Agents

  • View/Modify an Agent

  • Delete existing Agents.


Viewing the Agent List

The Agent List menu option allows you to view all Agents associated with a specific Key Group.

To view this screen:

  1. From the Agents menu, select Agent List. The Agent List screen is displayed.

  2. Click the down-arrow beside the Key Group field and select a Key Group. The Agents that are associated with the Key Group are displayed.


You can also scroll through the lists and filter the Agents lists by any of the following keys:

  • Agent ID

  • Description

  • Site

  • Default Key Group

  • Enabled

  • Failed Login Attempts

  • Enrolled

  • One Time Passphrase.

The Use button applies the filter to the displayed Agent list.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Agent ID

  • Description

  • Site

  • Default Key Group

  • Enabled

  • Failed Login Attempts

  • Enrolled.

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty.

Filter Value text box:

Type a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Click the plus button to add additional filters.

Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.

Use:

Click this button to apply the selected filters to the displayed list and go to the first page.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

First Page:

Click this button to go to the first page of the list.

Previous Page:

Click this button to go to the previous page.

Next Page:

Click this button to go to the next page.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Agent ID

Displays the user-specified unique identifier that distinguishes each Agent.

Description

Describes the Agent.

Site

Displays a unique identifier that indicates the Site to which the Agent belongs.

Default Key Group

The Key Group associated with all keys created by this agent if the agent does not explicitly specify a different Key Group.

Enabled

Indicates the status of the Agent. Possible values are True or False. If this field is False, the Agent cannot establish a session with the KMA.

Failed Login Attempts

Displays the number of times that an attempted logon by this Agent has failed.

Enrolled

Indicates whether the Agent has enrolled successfully with the OKM Cluster. Possible values are True or False. This field is False when the Agent has just been created and again after the Agent's passphrase is changed, until the Agent re-enrolls.

Creating an Agent

To create an Agent:

  1. From the Agents List screen, click the Create button. The Create Agent dialog box is displayed with the General tab open.

  2. Complete the following parameters:

    Agent ID

    Type a value that uniquely identifies the Agent. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that describes the Agent. This value can be between 1 and 64 (inclusive) characters.

    Site ID

    Click the down-arrow and highlight the Site to which the Agent belongs. This field is optional.

    Flags

    Select One Time Passphrase so that the Agent can retrieve its X.509 certificate only once with its agent ID and passphrase; to obtain a certificate again, the passphrase must be reset and the Agent must re-enroll with its agent ID and the new passphrase. This is the default.

    If you do not select One Time Passphrase, the Agent can retrieve its X.509 certificate at any time, use CA and certificate services, and authenticate with its agent ID and passphrase for as long as that passphrase remains set. The passphrase is then a long-lived credential and should be protected as one.

    Tape drive agents should keep the default. PKCS#11-type Agents may find the cleared setting more convenient, especially in cluster configurations where users authenticate to the OKM from multiple nodes.

    Default Key Group ID

    If you also have Compliance Officer privileges, click the down-arrow and highlight the default Key Group.

  3. Open the Passphrase tab.

  4. Complete the following parameters:

    Passphrase

    Type the passphrase for this Agent. The passphrase must be at least 8 characters (the default minimum; see the Note below) and no more than 64 characters.

    Passphrase requirements:

    • A passphrase must not contain the user's Agent ID.

    • A passphrase must contain three of the four character classes: uppercase, lowercase, numeric, or special characters.

    • The following special characters are allowed:

      ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " < > , . / ?

    • Control characters, including tabs and linefeeds, are not allowed.


    Note:

    To modify the minimum length requirement for passphrases, see "Modifying the Security Parameters".

    Confirm Passphrase

    Type the same value that you entered in the Passphrase field.

  5. Click the Save button. The Agent record is added to the database and is displayed in the Agent List screen.

  6. Complete the agent-specific enrollment procedure using the agent-specific interface. For example, for StorageTek drives, the VOP (Virtual Operator Panel) must be used to complete the enrollment procedure.

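The passphrase rules listed in step 4 can be checked before a passphrase is typed into the Create Agent dialog. The following is an added example in Python, not code from this guide or from OKM: it encodes those rules as a function (the function and constant names, and the case-insensitive Agent ID comparison, are this example's own choices) so that a set of Agent passphrases can be screened for violations before enrollment.

```python
"""Pre-check an Agent passphrase against the Create Agent rules.

Added example, not OKM code or an OKM API: the function and constant names
are this example's own. The rules come from the guide: 8 to 64 characters
(the minimum is configurable; 8 is the default), no control characters,
only the listed special characters besides ASCII letters and digits, at
least three of the four character classes, and the Agent ID must not
appear in the passphrase. The Agent ID match is done case-insensitively
here, which is an assumption stricter than the guide states.
"""
import string
from typing import List

ALLOWED_SPECIALS = frozenset(r"""~!@#$%^&*()-_=+[]{}\|;:'"<>,./?""")
DEFAULT_MIN_LENGTH = 8   # default value of the configurable minimum
MAX_LENGTH = 64


def check_agent_passphrase(agent_id: str, passphrase: str,
                           min_length: int = DEFAULT_MIN_LENGTH) -> List[str]:
    """Return the list of rules the passphrase violates (empty list = acceptable)."""
    problems: List[str] = []

    if not min_length <= len(passphrase) <= MAX_LENGTH:
        problems.append(f"length must be between {min_length} and {MAX_LENGTH} characters")

    # Control characters (tabs, linefeeds, DEL, ...) are rejected outright.
    if any(not c.isprintable() for c in passphrase):
        problems.append("control characters are not allowed")

    # Anything printable that is neither an ASCII letter/digit nor a listed special.
    disallowed = sorted({c for c in passphrase
                         if c.isprintable()
                         and not (c.isascii() and c.isalnum())
                         and c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("characters not permitted: " + "".join(disallowed))

    classes_present = sum([
        any(c in string.ascii_uppercase for c in passphrase),
        any(c in string.ascii_lowercase for c in passphrase),
        any(c in string.digits for c in passphrase),
        any(c in ALLOWED_SPECIALS for c in passphrase),
    ])
    if classes_present < 3:
        problems.append("must contain at least three of: uppercase, lowercase, numeric, special")

    # Stricter than the guide's wording: the comparison ignores case.
    if agent_id and agent_id.lower() in passphrase.lower():
        problems.append("must not contain the Agent ID")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for agent, pw in [("Drive01", "Tape#Vault2024"),
                      ("Drive01", "Drive01!Pass"),
                      ("Drive01", "abcdefgh"),
                      ("Drive01", "Ab1\tcdefg")]:
        verdict = check_agent_passphrase(agent, pw) or ["ok"]
        print(f"{agent!r}/{pw!r}: {verdict}")
```

Pass a higher min_length if the Security Officer has raised the minimum in the Security Parameters; the function reports every violated rule rather than stopping at the first, which is more useful when the passphrases are generated by a script.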

Viewing/Modifying an Agent

To modify an Agent's details:

  1. From the Agents List screen, double-click the Agent entry for which you want more information, or highlight the Agent entry and click the Details button. The Agent Details dialog box is displayed.

  2. Open the General tab and modify the following fields, as required:

    • Description

    • Site ID

    • Flags

      • Enabled - Select this check box to allow this Agent to communicate with the Cluster. Clear it to prevent the Agent from establishing a session with the KMA.

      • Enrolled - Indicates whether the Agent has successfully enrolled with the Cluster. This field is read-only.

      • One Time Passphrase - Select this check box so that the Agent can retrieve its X.509 certificate only once; to obtain a certificate again, its passphrase must be reset and it must re-enroll with its agent ID and the new passphrase. This is the default. If you clear the check box, the Agent can retrieve its X.509 certificate at any time, use CA and certificate services, and authenticate with its agent ID and passphrase for as long as that passphrase remains set. Tape drive agents should keep the default; PKCS#11-type Agents may find the cleared setting more convenient, especially in cluster configurations where users authenticate to the OKM from multiple nodes.

    • Default Key Group ID - If you also have Compliance Officer privileges, click the down-arrow and highlight the default Key Group.

  3. When you are finished, click the Save button. The changes are made to the OKM Manager database and you are returned to the Agents List screen.


    Note:

    You should only change the Agent's passphrase if you believe that the passphrase has been compromised. For procedures, refer to "Setting an Agent's Passphrase".

Setting an Agent's Passphrase

When you set an Agent's passphrase, you effectively revoke the Agent certificate that the Agent uses to authenticate itself to the KMA; the Agent must re-enroll with the new passphrase before it can communicate with the Cluster again. As the Operator, you may want to set an Agent's passphrase if you believe that the Agent certificate and/or passphrase has been compromised.

To set an Agent's passphrase:

  1. From the Agents List screen, double-click the Agent entry whose passphrase you want to set or highlight the Agent entry and click the Details button. The Agent Details dialog box is displayed. Open the Passphrase tab.

  2. Modify the following fields and click the Save button:

    • Enter Passphrase

    • Confirm Passphrase.

  3. The changes are made to the database and you are returned to the Agents List screen.

  4. Re-enroll the Agent using the agent-specific procedure. For example, for StorageTek tape drives, the VOP (Virtual Operator Panel) must be used to re-enroll the Agent with the OKM Cluster. After changing an Agent's passphrase, the Agent is not able to make requests to the OKM Cluster until it is re-enrolled.

Deleting Agents

To delete an Agent:

  1. From the Agents List screen, highlight the Agent you want to delete and click the Delete button. A dialog box is displayed, prompting you to confirm that you want to delete the selected Agent.

  2. Click the Yes button to delete the Agent. The Agent is removed from the database and you are returned to the Agents List screen, where the deleted Agent is no longer listed.

Key Group Assignment to Agents Menu

The Key Group Assignment to Agents menu option allows you to view Key Groups assigned to Agents. For procedures, refer to "Key Group Assignment to Agents Menu".


Agent Performance List Menu

This menu option allows you to query agent performance information.

This panel displays performance information about the create key, retrieve key, and register key-wrapping-key requests that have been issued by each Agent. This information includes rate or count values and processing times. Import key requests are not included in these values.


Note:

HP and IBM LTO tape drives do not issue create key requests. They issue retrieve key requests instead.

Rate values represent the rate at which this Agent issued these requests within the selected time period. They are expressed as the average rate of these requests extrapolated over the selected rate display interval unit of time (for example, extrapolated average number of Create Key requests per day). If you set the rate display interval to "entire time period," then this panel instead displays the count of requests this Agent issued within the selected time period.

Processing times represent the average time in milliseconds taken to process the requests that this Agent has issued within the selected time period. These processing times are from the perspective of the KMA and describe the amount of time required to process requests internally. They do not include transmission times over the network or the amount of time required to establish an SSL connection.

The OKM cluster must use replication version 15 or later before request processing times are available.


To query agent performance:

  1. From the Agents menu, select Agent Performance List.

  2. To display more information about an agent, select an agent and click the Details button (or double-click on an agent). The Agent Performance Details dialog is displayed.


Import Keys Menu

This menu option imports keys and data units into an OKM Cluster. The keys and data unit information are contained in a key transfer file received from a Key Transfer Partner.


Note:

Use this screen to upload and import keys to the OKM Cluster. These keys are exported from another OKM Cluster.

To import keys:

  1. From the Transfer Partners menu, select Import Keys. The Import Keys screen is displayed.

  2. Complete the following parameters:

    Destination Key Group:

    Select the Destination Key Group into which these keys will be imported.

    The "Allow Imports" flag in this Key Group's Key Policy must be selected, and this Key Group must be an allowed Key Group for the selected Sending Transfer Partner.

    Sending Transfer Partner:

    Select the Sending Transfer Partner which exported these keys.

    Key Transfer File:

    Type the name of the Key Transfer file. You can also click Browse to locate the file on your local system.

  3. Click the Start button to begin the upload and key import process. Messages are displayed, indicating when the file is uploaded and applied.

Data Units

Data Units are logical storage devices, such as disks, tapes, or objects. Data Units are secured by the valid Key Policies that are associated with their Key Groups. An Agent must have access to a Data Unit (through its Key Group) to use it.


Note:

An Operator can perform all functions, except modify a Data Unit's Key Group. Only a Compliance Officer can modify a Data Unit's Key Group.

Data Unit List Menu

The Data Unit List menu allows you to:

  • View Data Units

  • View/Modify Data Unit details

  • View the activity history for a Data Unit

  • Destroy post-operational keys for a Data Unit

  • View key counts.


Viewing Data Units

To view Data Units, from the Data Units menu, select Data Unit List. The Data Unit List screen is displayed.


You can also scroll through the database and filter the Data Unit list by any of the following keys:

  • Data Unit ID

  • External Unique ID

  • Description

  • External Tag

  • Created Date

  • Exported

  • Imported

  • State.

The Use button applies the filter to the displayed list for the Data Unit.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Data Unit ID

  • External Unique ID

  • Description

  • External Tag

  • Created Date

  • Imported

  • Exported

  • State.

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty.

Show Data Units in Any Key Group:

Select this check box to list Data Units regardless of the Key Group they belong to.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

First Page:

Click this button to go to the first page of the list.

Previous Page:

Click this button to go to the previous page.

Next Page:

Click this button to go to the next page.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Data Unit ID

Displays a system-generated unique identifier that distinguishes each Data Unit.

External Unique ID

Displays a unique external identifier for the Data Unit.

This value is sent to the OKM by the Agent and may not be externally visible to an end user. For LTO Gen 4 and Gen 5 tapes, this is the cartridge serial number burned into the cartridge when it is manufactured. Do not confuse this value with a volser on an optical barcode or in an ANSI tape label. This value is not used for StorageTek tape drives.

Description

Describes the Data Unit.

External Tag

Describes a unique external tag for the Data Unit.

For tapes that are in a StorageTek tape library, or tapes that have ANSI standard labels, this field is the volser. If the tape is in a library and has an ANSI label, the library volser (i.e., optical bar code) is used if it differs from the volser contained in the ANSI label. For tapes written in stand-alone drives without ANSI labels, this field is blank.


Note:

For Data Units written by LTO Gen 4 and Gen 5 tape drives, this field is padded on the right with blanks to fill 32 characters. It may be more convenient to use the "Starts With ~" filter operator instead of the "Equals =" filter operator, so that you do not have to add the blanks to pad the External Tag. For example, with the "Starts With" filter you could enter: "External Tag" ~ "ABCDEF". With the "Equals" filter for the same example, you would need to enter: "External Tag" = "ABCDEF " (padded to fill 32 characters).

Created Date

Indicates the date and time when the Data Unit was created/registered.

Exported

Indicates whether the keys associated with this Data Unit have been exported.

Imported

Indicates whether the keys associated with this Data Unit have been imported.

State

Indicates the state of the Data Unit. Possible values are:

  • No Key: Set when the Data Unit has been created, but has not yet had any keys created.

  • Readable: Set when the Data Unit has keys that allow at least some parts of the Data Unit to be decrypted (read).

  • Normal: Set when the Data Unit has keys that allow at least some parts of the Data Unit to be decrypted (read). In addition, the Data Unit has at least one protect-and-process state key that can be used to encrypt data. The Data Unit is therefore writable.

  • Needs Re-key: Set when the Data Unit does not have at least one protect-and-process state key. Data should not be encrypted and written to this Data Unit until the Data Unit is rekeyed and a new, active key is assigned to it. It is the responsibility of the agent to avoid using a key that is not in protect-and-process state for encryption. The data unit may have keys that are in process only, deactivated, or compromised state. A key in any of these three states can be used for decryption.

  • Shredded: Set when all of the keys for this Data Unit are destroyed. The Data Unit cannot be read or written. However, a new key can be created for this Data Unit, moving its state back to Normal.

Viewing/Modifying Data Unit Details


Note:

If you are not an Operator, when you view a Data Unit's detailed information, all fields, including the Save button, are disabled. If you are a Compliance Officer, the Key Group field is enabled. Under the Key List tab, the Compromise button is enabled if you are a Compliance Officer; otherwise, it is disabled.

To modify a Data Unit's information:

  1. From the Data Unit List screen, select the Data Unit you want to modify and click the Details button. The Data Unit Details dialog box is displayed.

  2. You can modify the following parameters:

    Description

    Type a new value. The original information is provided by the Software Encryption Driver during registration. This value can be between 1 and 64 (inclusive) characters or blank.

    Important - If the Description field contains the string "PKCS#11v2.20," this represents a special key used for Oracle Database Transparent Data Encryption (TDE). Do not change this field. Doing so can alter the way OKM interacts with TDE.

    External Tag

    Type a unique external identifier for the Data Unit. This value can be between 1 and 64 (inclusive) characters or blank. This field typically contains the label or barcode of the tape cartridge.

  3. Click the Save button to save your changes.

The following are non-editable fields:

General Tab

Data Unit ID

External Unique ID

Created Date

State

Flags Imported/Exported

Key List Tab


Data Unit ID

Uniquely identifies the Data Unit.

Data Unit Description

Describes the Data Unit.

Key ID

Displays the key information for the Data Unit.

Key Type

Indicates the type of encryption algorithm that this key uses. The only possible value is AES-256.

Created Date

Displays the date and time when the key was created.

Activation Date

Displays the date and time when the key was activated. This is the date and time when the key was first given to an Agent. It is the starting date and time for the key's encryption period and cryptoperiod.

Destroyed Date

Displays the date when the key was destroyed. If the field is blank, then the key is not destroyed.

Destruction Comment

Displays any user-supplied information about the destruction of the key. If the field is blank, then the key is not destroyed.

Exported

Indicates whether the Data Unit has been exported.

Imported

Indicates whether the Data Unit has been imported.

Derived

Indicates whether the Key has been derived from a Master Key generated by the Master Key Provider. Refer to the OKM-ICSF Integration Guide for detailed information.

Revoked

Indicates whether the key(s) associated with the Data Unit have been revoked by an Agent. See "Viewing/Modifying a Key Policy".

If the KMA to which the OKM GUI is connected runs OKM 2.5.2 or later but the OKM cluster currently uses Replication Version 13 or earlier, this attribute is shown as "(Unknown)."

Key Group

Displays the Key Group associated with the Data Unit.

Encryption End Date

Displays the date and time when the key will no longer be used or was stopped from being used for encrypting data.

Deactivation Date

Displays the date and time when the key will be or was deactivated.

Compromised Date

Displays the date when the key was compromised. If the field is blank, then the key is not compromised.

Compromised Comment

Displays any user-supplied information about compromising the key. If the field is blank, then the key is not compromised.

Key State

Indicates the Data Unit's key state. Possible values are:

Generated

Set when the Key has been created on one KMA in an OKM Cluster. It remains generated until it has been replicated to at least one other KMA in a Cluster with multiple KMAs. In a Cluster with only a single KMA, the Key remains generated until it has been recorded in at least one backup.

Ready

Set when the Key has been protected against loss by replication or a backup. A ready Key is available for assignment.

Protect and Process

Set when the Key has been assigned to a Data Unit because an encryption agent requested that a new key be created. A Key in this state can be used for both encryption and decryption.

Process Only

Set when the Key has been assigned but its encryption period has expired. A Key in this state can be used for decryption but not for encryption.

Deactivated

Set when the Key has passed its cryptoperiod but may still be needed to process (decrypt) information.

Compromised

Set when the Key has been released to or discovered by an unauthorized entity. A Key in this state can be used for decryption but not for encryption.

Incompletely Destroyed

Set when the Key has been destroyed but it still appears in at least one backup.

Completely Destroyed

Set when all of the backups in which the destroyed Key appears have been destroyed.

Compromised and Incompletely Destroyed

Set when the compromised Key still appears in at least one backup.

Compromised and Completely Destroyed

Set when all of the backups in which the compromised Key appears have been destroyed.

Recovery Activated

Indicates whether the Key has been linked to the Data Unit by a recovery action. This occurs when a Key is used for a Data Unit by one KMA in an OKM Cluster and then, because of a failure, the Key is later requested for the Data Unit from a different KMA. If the failure (such as a network outage) prevented the allocation of the Key to the Data Unit from being propagated to the second KMA, the second KMA creates the linkage to the Data Unit itself. Such a Key is "recovery activated," and an administrator may want to check the system for KMA or network outages. Possible values are True and False.

Data Unit Key Details

From the Data Unit Details screen, select the key you want to display details for and click the Details button. The following screen appears.


In Use By Data Unit

If the Replication Version is at least 14, the Operator can change the In Use By Data Unit check box that indicates the relationship between this key and its associated data unit. Selecting this check box can help when a key policy that is used by tape drive agents is inadvertently updated to enable its Allow Agents To Revoke Keys attribute. See "Viewing Key Policies" for a description of this attribute.

Backups with Destroyed Keys List Tab


A Data Unit cannot be considered "completely destroyed" until all Backups containing the Data Unit Key(s) have been destroyed.

The Backups with Destroyed Keys List tab of the Data Unit Details dialog helps you identify those Backups that contain Data Unit Key(s) for the selected Data Unit and the destruction status of those Backups.

The logic for determining if a Backup does contain a particular Data Unit Key is as follows:

A Backup contains a Data Unit Key if the Backup was created after the Data Unit Key was created and the Data Unit Key has not been destroyed, or if it has been destroyed and its destruction took place after the Backup was created.

However, the date-time comparison needs to take into consideration that the clocks of the various KMAs in a Cluster might not be synchronized automatically (if an NTP server is not specified) and hence may be reporting different times. To account for the possibility of time discrepancies among KMAs, a Backup Time Window is used in the comparison. The Backup Time Window is fixed at five minutes. Using the Backup Time Window, the comparison check behaves as follows:

A Backup contains a Data Unit Key if the Backup was created no more than five minutes before the Data Unit Key was created (or at any later time), and the Data Unit Key either has not been destroyed or was destroyed no more than five minutes before the Backup was created (or at any later time).

The Backup Time Window is used to minimize the likelihood of falsely reporting that a Data Unit Key does not exist in a particular backup when in fact it does. Such a case is known as a "false negative" and seriously undermines compliance requirements for data destruction. Using the Backup Time Window does, however, increase the likelihood of falsely reporting that a Data Unit Key belongs in a Backup when in fact it does not. Unlike "false negatives," "false positives" do not undermine compliance requirements for data destruction.
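The two containment rules above can be stated exactly in code. The following is an added example in Python, not code from this guide or from OKM: it implements the plain rule and the windowed rule side by side on constructed timestamps (the class and function names are this example's own), so that the false-negative case the window removes, and the false positives it introduces, can be seen directly.

```python
"""Decide which Backups still hold a Data Unit Key, with and without the
Backup Time Window.

Added example, not OKM code: the class and function names are this
example's own, and the sample timestamps are constructed. The two rules
and the fixed five-minute window are taken from the guide. A `destroyed`
value of None means the key has not been destroyed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

BACKUP_TIME_WINDOW = timedelta(minutes=5)  # fixed in OKM per the guide
NO_WINDOW = timedelta(0)                   # for comparison only


@dataclass(frozen=True)
class DataUnitKey:
    key_id: str
    created: datetime
    destroyed: Optional[datetime] = None


@dataclass(frozen=True)
class Backup:
    backup_id: str
    created: datetime


def backup_contains_key_strict(backup: Backup, key: DataUnitKey) -> bool:
    """Plain rule: the Backup was taken after the key was created and before
    the key was destroyed. Assumes all KMA clocks agree."""
    if backup.created <= key.created:
        return False
    return key.destroyed is None or key.destroyed > backup.created


def backup_contains_key(backup: Backup, key: DataUnitKey,
                        window: timedelta = BACKUP_TIME_WINDOW) -> bool:
    """Windowed rule: each comparison tolerates timestamps up to `window`
    earlier than the strict rule demands, so a KMA whose clock runs behind
    cannot make a Backup look key-free when it is not (a false negative).
    The price is some false positives, which do not weaken destruction."""
    if backup.created < key.created - window:
        return False
    return key.destroyed is None or key.destroyed >= backup.created - window


def backups_holding_key(backups: List[Backup], key: DataUnitKey,
                        window: timedelta = BACKUP_TIME_WINDOW) -> List[str]:
    """IDs of the Backups that must be destroyed before the key counts as
    completely destroyed."""
    return [b.backup_id for b in backups if backup_contains_key(b, key, window)]


# Constructed scenario: one key destroyed two hours after creation, one key
# still live, and Backups whose recorded times include two cases of clock skew.
T0 = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
KEY = DataUnitKey("K-1", created=T0, destroyed=T0 + timedelta(hours=2))
LIVE_KEY = DataUnitKey("K-2", created=T0)
BACKUPS = [
    Backup("B-yesterday", T0 - timedelta(hours=20)),
    # Taken just after the key was created, but on a KMA 2 minutes behind.
    Backup("B-skewed-clock", T0 - timedelta(minutes=2)),
    Backup("B-midday", T0 + timedelta(hours=1)),
    # Taken just before the destruction, but recorded 3 minutes ahead of it.
    Backup("B-near-destroy", T0 + timedelta(hours=2, minutes=3)),
    Backup("B-evening", T0 + timedelta(hours=6)),
]

if __name__ == "__main__":
    for b in BACKUPS:
        print(f"{b.backup_id:16} strict={backup_contains_key_strict(b, KEY)!s:5} "
              f"windowed={backup_contains_key(b, KEY)}")
    print("must destroy:", backups_holding_key(BACKUPS, KEY))
```

With clocks in agreement the two rules differ only at the exact boundaries; the skewed Backups show why the strict rule is unsafe for a destruction claim: it would report both B-skewed-clock and B-near-destroy as key-free, although each was really taken while the key existed.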

Data Unit ID

Uniquely identifies the Data Unit.

Data Unit Description

Describes the Data Unit.

Data Unit Destruction Status

Indicates the Destruction status of the Data Unit.

Backup ID

Identifies the backup.

Created Date

Displays the date and time when the backup file was created (that is, when the backup started).

Destroyed Date

Displays the date and time when the backup file was destroyed.

Pending:

Indicates whether the backup is still pending. Possible values are True or False.

Completed Date:

Displays the date and time when the backup file was completed.

Downloaded Date:

Displays the date and time when the backup file was downloaded.

Click the Save button to save any changes you made on the Data Unit Details dialog box.

Destroying Post-operational Keys

To destroy post-operational keys associated with a data unit:

  1. From the Data Unit List screen, highlight the Data Unit whose post-operational keys you want to destroy and click the Destroy Keys button.

  2. A dialog box is displayed, prompting you to specify the keys to destroy. Complete the following parameters:

    Deactivated keys

    Select this check box to destroy the keys that have passed their cryptoperiod but may still be needed to process (decrypt) data.

    Compromised keys

    Select this check box to destroy the keys that have been released to or discovered by an unauthorized entity.

    Destruction Comment

    Type a comment about the destruction of these keys.

    Destroying a key removes the ability to decrypt any data still protected by it, so confirm that the data is no longer needed before you continue. A destroyed key also remains in any Backup created while it existed (see "Backups with Destroyed Keys List Tab") and is not completely destroyed until those Backups are destroyed.

  3. If you click the Destroy button, another dialog box is displayed confirming the destruction of these keys.

  4. Click the Yes button. Another dialog box is displayed showing the number of Keys that have been destroyed.

Viewing Key Counts

You can list data units that have associated keys and the number of keys associated with each data unit. To view key counts:

  1. From the Data Unit List screen, click the Key Counts button.

  2. The Key Counts dialog box is displayed, listing each Data Unit that has keys and the number of keys associated with it.

Software Upgrade Menu

The Software Upgrade menu option allows the Operator to perform the first phase of the software upgrade process:

  • Uploading a software upgrade file to the KMA

  • Immediately applying the upgrade.


    Note:

    The second phase of the process, activating a software version, must be done by the Security Officer. See "Software Upgrade" for detailed information.

Software updates are signed by Oracle and verified by the KMA before they are applied.


Guidelines for Implementing Software Upgrades

  • Before you execute this function, back up your system. For procedures, refer to "Creating a Backup".

  • Use an OKM Manager GUI release that matches the upgrade version you want to load on the KMA(s).

  • KMAs running KMS 2.1 or earlier must be upgraded to KMS 2.2 before they can be upgraded to OKM 2.3 and later.

  • The upload and apply process can be lengthy if the OKM Manager is remotely connected to the KMA or if the connection between the OKM Manager and the KMA is slow. To mitigate this, download the software upgrade file to a laptop or workstation that has the OKM Manager installed and connect that machine to the same subnet as the KMA. A router between the OKM Manager and the KMA may slow down the upgrade process.

  • The upload and apply processes, with a good connection between the OKM Manager and the KMA, optimally take about 30 minutes. The activate process optimally takes about 5 to 15 minutes. If the uploading process is very slow, try connecting to the same subnet as the KMA.

  • Upload and apply the software upgrade file on each KMA one at a time (to help to spread out the network load), and then activate the software upgrade on each KMA one at a time (to minimize the number of KMAs that are offline concurrently).

  • If any of the upgrade processes fail (upload, verify, apply, activate, switch replication version), the OKM Manager generates audit messages describing the reason for the failure and a suggested solution.

  • The Technical Support account is disabled on the upgraded KMAs and must be re-enabled if needed.

Uploading and Applying Software Upgrades

The first phase of the software upgrade process is to upload and apply the software upgrade file.

  1. Download the software upgrade file to your PC or workstation from the delivery location. The version is visible in the file name.


    Note:

    Save the file to a location where you can navigate from the OKM Manager GUI.

  2. From the Local Configuration menu, select Software Upgrade. The Software Upgrade screen is displayed.

    The active version of the software is highlighted, the Active column is set to True, and an inactive version is shown.


    The buttons appearing on this screen include:

    Activate

    The Security Officer can select an inactive software version and then click this button to activate the selected software version. Messages are displayed, indicating when this software version is activated and the KMA reboots.

    Switch Replication Version

    The Security Officer can select the active software version and then click this button to switch the current replication version.

    Software Upgrade File Name

    Type the name of the software upgrade file.

    Browse

    Click this button to locate the software upgrade file on your local system.

    Upload and Apply

    Click this button to begin the upload and apply process. Messages are displayed, indicating when the software upgrade file is uploaded and applied.

  3. In the Software Upgrade File Name field, type the name of the software upgrade file. You can also select the Browse button to locate the file. Click the Upload and Apply button.

    The OKM starts the upload, verify, and apply process and displays a progress indicator showing which step the process is at.


    Note:

    Since the upload process adds traffic to the network, you may not want to upload to several KMAs simultaneously in a busy Cluster.

Activating a Software Version

The second phase of the software upgrade process is to activate the inactive software version you uploaded and applied. The Security Officer must perform this step; refer to "Software Upgrade" for detailed information.

Other Functions

An Operator can also access the following menus: