Skip Headers
Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
  Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
 
Next
Next
 

5 Security Officer Operations

A Security Officer manages security settings, users, sites, and Transfer Partners. This chapter describes the following:

Security Officer Role

As a Security Officer, you can manage the entities (KMAs, users, sites, Transfer Partners) as well as various security aspects of the system.

Surrounding text describes so_role1.jpg.

KMA List Menu

The KMA List menu option allows you to:

  • View KMAs

  • Create a KMA

  • Modify a KMA's information

  • Delete a KMA

  • Modify a Key Pool size (refer to "Modifying a Key Pool Size"). This is a Backup Operator function.


    Note:

    All six roles can now access the KMA List panel and view the key pool size.

Surrounding text describes kma_list_menu.jpg.

Viewing KMAs

To view KMAs:

From the System Management menu, select KMA List. The KMA List screen is displayed.

This is the KMA List menu.

You can also scroll through the database and filter the KMA list by any of the following keys:

  • KMA Name

  • Description

  • Site ID

  • Management Network Address

  • Service Network Address

  • Management Network Address (IPv6)

  • Service Network Address (IPv6)

  • Version

  • Failed Login Attempts

  • Enrolled

The Use button applies the filter to the displayed list for the KMA.

The fields and their descriptions are as follows:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • KMA Name

  • Description

  • Site ID

  • Management Network Address

  • Service Network Address

  • Management Network Address (IPv6)

  • Service Network Address (IPv6)

  • Version

  • Failed Login Attempts

  • Enrolled

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty

Filter Value 1 box:

If you selected one of the date filters, click Set Date to specify start date and time. The value appears as a starting value of the filter key range. If you selected any other filter, type a value in this field.

Filter Value 2 box:

If you selected one of the date filters, click Set Date to select an end date and time. The value appears as an ending value of the filter key range.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Click this button to go to the next page.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

KMA Name

Displays the user-supplied identifier that distinguishes each KMA in a Cluster.

KMA ID

Displays a system-generated unique identifier that identifies the KMA.

Description

Describes the KMA.

Site ID

Describes the site to which the KMA belongs.

Management Network Address

Displays the IP address of the KMA on the management network.

Service Network Address

Displays the IP address of the KMA on the service network.

Management Network Address (IPv6)

Displays the IPv6 address (if any) of the KMA on the management network.

Service Network Address (IPv6)

Displays the IPv6 address (if any) of the KMA on the service network.

Version

Displays the version number of the KMA software. For OKM 3.0 KMAs, the version string shows the following format: <OKM release>-5.11-<OKM build>. For example, 3.0.0-5.11-2012.

Failed Login Attempts

Displays the number of times that an attempted logon has failed.

Responding

Indicates whether the KMA is running. Possible values are True or False.

  • True indicates that the KMA is responding to requests from the KMA to which this OKM is connected (that is, the local KMA). While this status applies between every pair of KMAs in the Cluster, the values shown indicate whether each of the KMAs listed (that is, the remote KMAs) are responding to requests from the local KMA.

  • False indicates that the remote KMA is not responding to requests, perhaps because the remote KMA is down or the communications link to the remote KMA is down.

Responding on Service Network

Indicates whether or not the KMA is responding on the service network. Possible values are ”Responding,” ”Not Responding,” or ”Not Accessible.”

  • Responding indicates the KMA is responding to requests from the KMA this OKM is connected to (that is, the local KMA). While this status applies between every pair of KMAs in the Cluster, the values shown indicate whether each of the KMAs listed (that is, the remote KMAs) are responding to requests from the local KMA.

  • Not Responding indicates the remote KMA is not responding to requests, perhaps because the remote KMA is down or the communications link to the remote KMA is down.

  • Not Accessible indicates the remote KMA is not accessible to the local KMA, perhaps because the service network configuration does not provide a default or static route to that KMA.


    Note:

    If the local KMA has configured a default route, then it is considered to have a route to remote KMAs. Other KMAs are shown as ”Not Responding” if they do not respond on the service network.

    If a default or static route is not defined, then other KMAs may be shown as ”Not Accessible.” Older KMAs (OKM 2.3.x or earlier) are shown as ”Responding.”


Response Time

Displays the time (in milliseconds) that the KMA takes to respond to a request on its management network. This value is typically a few hundred milliseconds. It can be larger if a WAN connection exists between the local KMA and a remote KMA. It can also be larger if the communications link between KMAs is busy.

Replication Lag Size

Displays the number of updates before replication takes place. This number should be zero or a small value. Larger values indicate that replications are not getting completed in a timely manner, the communications link between KMAs is down or busy, or a remote KMA is down. This value will also be very large when a new KMA has just been added to the Cluster.

Key Pool Ready

Displays the percentage of unallocated keys that are ready.

Key Pool Backed Up

Displays the percentage of the Key Pool that has been backed up.


Note:

N/A indicates that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower Replication Version.

Locked

Indicates whether or not the KMA is locked.


Note:

N/A indicates that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower Replication Version.

Enrolled

Indicates whether the KMA has been added or logged into the Cluster successfully. Possible values are True or False.

True indicates that the KMA has successfully been added or logged into the Cluster.

This value is False when the KMA is first created and will change to True once the KMA has logged into the Cluster. It can also be False when the KMA's passphrase is changed. Once a KMA has logged in, the passphrase used to log in can no longer be used. The passphrase must be changed before the KMA can log into the Cluster again.

HSM Status

Indicates the status of the Hardware Security Module (HSM). Possible values are Unknown, Inactive, Software, Hardware, SW Error, HW Error, or Not Present.

Unknown

The KMA is running a software release older than KMS 2.2.

Inactive

The KMA currently does not need to use the HSM, typically because the KMA is locked.

Software

The HSM is not functional, and the KMA is using the software provider to generate Keys.

Hardware

The HSM is functional, and the KMA is using it to generate Keys.

SW Error/HW Error

The KMA encountered an error when it tried to query the status of the software provider (SW Error) or the HSM (HW Error).


Note:

Normally, the HSM is functional (Hardware). However, if the HSM becomes non-functional (Software) and the FIPS Mode Only security parameter is set to Off (see "Retrieving the Security Parameters"), then the KMA switches to using the software provider to generate Keys.

If the HSM becomes non-functional and the FIPS Mode Only security parameter is set to On, then the KMA cannot generate Keys or return AES wrapped key material to Agents.

If the value is Software, SW Error, or HW Error, check the Sun Crypto Accelerator (SCA) 6000 card on this KMA (see "Checking the SCA 6000 Card").

Not Present

The HSM is not present and the KMA is using the software provider to generate keys.

Checking the SCA 6000 Card

It is possible that an existing KMA in a Cluster may contain a failed SCA 6000 card. To identify a failed card, examine the rear of the KMA server and check the LEDs on the card.

A functional SCA 6000 card on a KMS 2.1, 2.2, or OKM 2.3 and later KMA that has been initialized through the QuickStart program displays a flashing green Status LED (identified with an S) and solid green FIPS (F) and Initialized (I) LEDs.

If the Status LED is not flashing green and the FIPS and Initialized LEDs are not solid green, then the KMA has a faulty SCA 6000 card, and the KMA must be replaced if FIPS mode is required.

See the SCA 6000 User Guide for a description of the LEDs on an SCA 6000 card.

If you want to create a KMA, click the Create button. For more information, refer to "Creating a KMA" below.

If you want to view / modify a KMA's details, highlight the KMA and click the Details button. For more information, refer to "Viewing/Modifying a KMA's Details".

If you want to delete a KMA, click the Delete button. For more information, refer to "Deleting a KMA".

Creating a KMA

To create a KMA:

  1. From the KMA List screen, click the Create button. The Create KMA dialog box is displayed, with the General tab active.

    Surrounding text describes create_kma_general.jpg.
  2. Complete the following parameters:

    On the General tab, supply the following information if required:

    KMA Name

    Type a value that uniquely identifies the KMA in a Cluster. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that uniquely describes the KMA. This value can be between 1 and 64 (inclusive) characters.

    Site ID

    Click the down-arrow and select the site to which the KMA belongs. This field is optional.

  3. Open the Passphrase tab.

    Surrounding text describes create_kma_passphrase.jpg.
  4. Complete the following parameters and click the Save button.

    Enter Passphrase

    Type the passphrase for this user. The minimum value is 8 characters; the maximum value is 64 characters. The default value is 8.

    Passphrase requirements:

    • A passphrase must not contain the user's KMA Name.

    • A passphrase must contain three of the four character classes: uppercase, lowercase, numeric, or special characters.

    • The following special characters are allowed:

      ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' ” < > , . / ?

    • Control characters, including tabs and linefeeds, are not allowed.


    Note:

    To modify the minimum length requirement for passphrases, see "Modifying the Security Parameters".

    Confirm Passphrase

    Type the same value that you entered in the Enter Passphrase field.

  5. The KMA record is added to the database and the entry is displayed in the KMA List screen.

    Surrounding text describes creating_kma_exp.jpg.
  6. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


  7. You must now run the QuickStart program on the KMA(s) you created so that they can join the Cluster. For procedures on joining a Cluster, refer to "Joining an Existing Cluster".

Viewing/Modifying a KMA's Details


Note:

If you are not a Security Officer, when you view a KMA's detailed information, all fields, including the Save button are disabled.

To modify a KMA's details:

  1. From the KMAs List screen, double-click a KMA entry for which you want more detailed information or highlight a KMA entry and click the Details button. The KMA Details dialog box is displayed.

    This is a screen shot of KMA details.
  2. On the General tab, change the following fields:

    • Description

    • Site ID.

  3. On the Network Configuration tab, change the following fields:

    • Management Network Address

    • Service Network Address.

    Surrounding text describes agent_details_netwk_conf.jpg.
  4. On the Key Pool Info tab, the following display-only fields appear:

    Ready Keys

    Displays the number of Keys that have been generated on this KMA and that have been backed up (for a single-node Cluster) or replicated to other KMAs (for a multi-node Cluster), but have not yet been given out to Agents for encryption.

    Backup-Up Ready Keys

    Displays the number of Ready Keys in the Key Pool that have been backed up. N/A means that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower replication version.

    Generated Keys

    Displays the number of Keys that have been generated on this KMA but have not been backed up (for a single-node Cluster) or replicated to other KMAs (for a multi-node Cluster).

    Key Pool Ready

    Displays the percentage of Keys in the Key Pool that are ready to be used.

    Key Pool Backed Up

    Displays the percentage of Ready Keys in the Key Pool that have been backed up. N/A means that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower replication version.

    Surrounding text describes agent_details_key_pool_info.jpg.
  5. Open the Passphrase tab and modify the following parameters:

    • Passphrase

    • Confirm Passphrase (retype the same passphrase).

  6. When you are finished, click the Save button. The KMA record in the database is modified.

  7. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Setting a KMA Passphrase


Note:

You can change a KMA's passphrase, provided you are not connected to it.

When you are creating a new Cluster, a random passphrase is automatically assigned to the KMA that is used to create the new Cluster. If the KMA wants to retrieve an entity's certificate from another KMA in the Cluster because its certificate has expired, then you would have to use this function to set the passphrase to a known value.

To set a KMA's passphrase:

  1. From the KMA List screen, double-click the KMA entry or highlight a KMA entry and click the Details button. The KMA Details dialog box is displayed, with the General tab active.

  2. Open the Passphrase tab and modify the following parameters:

    • Passphrase

    • Confirm Passphrase (retype the same passphrase).

  3. Click the Save button to save the changes. The database entry for the KMA is changed.

  4. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Using the Console, on the KMA where the passphrase has been changed, select the function to log the KMA into the Cluster. The KMA is not able to communicate with the Cluster until it is logged back in.


Note:

If the KMA has been logged out of the cluster for at least a few hours, then lock the KMA before logging the KMA back into the cluster. After recent updates have been propagated to this KMA, as shown by the Replication Lag Size in the KMA List panel, unlock the KMA.

Refer to the following topics for detailed information:


Deleting a KMA

Important – Before you delete a KMA, you should take it off-line using the Console ”Shutdown KMA” function. If you fail to do this, the KMA continues to function outside of the Cluster and sends ”stale information” to Agents and users.

Normally, this command is only used to delete a failed KMA from the Cluster. However, it may also be used to remove a KMA that is being decommissioned.

If you want a deleted KMA to rejoin a Cluster, you must reset the KMA to the factory default and select option 2 from the QuickStart program.

This option gives the Security Officer the ability to delete a KMA that is no longer in service.

To delete a KMA:

  1. From the KMAs List screen, highlight the KMA you want to delete and click the Delete button. The following dialog box is displayed, prompting you to confirm that you want to delete the selected KMA.

    Surrounding text describes aysdeletekma.jpg.
  2. Click the Yes button to delete the KMA. The currently selected KMA is deleted and you are returned to the KMAs List screen. The system also removes any entries that are associated with the KMA and not used by any other entity.

KMA Performance List Menu

The KMA Performance List menu allows users with any role to query KMA performance information about KMAs in this OKM cluster.

This panel displays performance information about the key requests, replication requests, user requests, and Server Busy conditions that have been issued by each KMA. This information includes rate or count values and processing times.

Rate values represent the rate at which this KMA processed these requests within the selected time period. They are expressed as the average rate of these requests extrapolated over the selected rate display interval unit of time (for example, extrapolated average number of key requests per day). If you set the rate display interval to "entire time period," then the panel instead displays the count of requests this KMA processed within the selected time period.

Processing times represent the average time in milliseconds this KMA has taken to process the requests issued within the selected time period. These processing times are from the perspective of the KMA and describe the amount of time required to process requests internally. They do not include transmission times over the network or the amount of time required to establish an SSL connection.

This panel displays information about Server Busy conditions that the local KMA encountered within the selected time period. This condition indicates that other OKM threads are currently accessing OKM information in a local database and can occur during long-running OKM operations (such as OKM backups).

The OKM cluster must use replication version 15 or later before request processing times are available.

Surrounding text describes kma_performance_menu.jpg.

Querying a KMA

  1. From the System Management menu, select KMA Performance. The following panel is displayed.

    Surrounding text describes kma_performance.jpg.
  2. Click the Details button (or double-click on a KMA) to display more information about that KMA. A KMA Performance Details dialog appears.

    Surrounding text describes kma_performance_details.jpg.

User List Menu

The User List menu option allows you to:

  • View users

  • Create a user

  • Modify existing user information

  • Delete an existing user.

Surrounding text describes users_list_menu.jpg.

Viewing Users

To view users:

From the System Management menu, select User List. The User List screen is displayed.

Surrounding text describes users_list.jpg.

You can also scroll through the database and filter the User list by any of the following keys:

  • User ID

  • Description

  • Roles

  • Enabled

  • Failed Login Attempts.

The Use button applies the filter to the displayed list for the user.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • User ID

  • Description

  • Enabled

  • Failed Login Attempts

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not Empty

Filter Value 1 box:

Type a value in this field.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

User ID

Displays a unique identifier, commonly referred to as ”User Name” that distinguishes each user in a Cluster.

Description

Describes the user.

Roles

Displays the list of security roles for a user. The roles allow the user to perform various operations.

Enabled

Indicates the status of the user. Possible values are True or False.

Failed Login Attempts

Indicates the number of failed login attempts.

If you want to create a user, click the Create button. For more information, refer to "Creating a User".

If you want to modify a user's details, highlight the user and click the Details button. For more information, refer to "Viewing/Modifying a User's Details".

If you want to delete a user, click the Delete button. For more information, refer to "Deleting Users".

A Security Officer can set a user's passphrase if the user's passphrase and/or certificate has been compromised. For procedures on setting a user's passphrase, refer to "Setting a User's Passphrase".

Users can also change their own passphrase. For procedures, refer to "Changing the Passphrase".

Creating a User

To create a user:

  1. From the User List screen, click the Create button. The Create User dialog box is displayed, with the General tab open.

    Surrounding text describes create_user.jpg.
  2. Complete the following parameters:

    On the General tab:

    User ID

    Type a value that uniquely identifies the user. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that describes the user. This value can be between 1 and 64 (inclusive) characters.

    Roles

    Select the check boxes beside the roles you want the user to perform.


    Note:

    The Quorum Member check box is disabled (grayed out) if the KMA currently runs KMS software version 2.1 or earlier or if the replication version of the OKM Cluster is currently set to 10 or lower.

    On the Passphrase tab:

  3. Open the Passphrase tab.

    Surrounding text describes create_user_passphrase.jpg.
  4. Complete the following parameters:

    Passphrase

    Type the passphrase for this user. The minimum value is 8 characters; the maximum value is 64 characters. The default value is 8.

    Passphrase requirements:

    • A passphrase must not contain the user's User ID.

    • A passphrase must contain three of the four character classes: uppercase, lowercase, numeric, or special characters.

    • The following special characters are allowed:

      ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' ” < > , . / ?

    • Control characters, including tabs and linefeeds, are not allowed.


    Note:

    To modify the minimum length requirement for passphrases, see "Modifying the Security Parameters".

    Confirm Passphrase

    Type the same value that you entered in the Enter Passphrase field.

  5. Click the Save button. The user record is added to the database. The new user is displayed in the User List.

  6. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Viewing/Modifying a User's Details


Note:

The currently logged-in Security Officers cannot modify their records.

To modify user information:

  1. From the Users List screen, double-click a user for which you want more information or highlight a user record and click the Details button. The User Details dialog box is displayed, where all fields, including the Save button, are disabled.

    Surrounding text describes create_user_details.jpg.
  2. On the General tab, modify the following parameters:

    • Description

    • Roles

    • Flags - Enabled.

    The Failed Login Attempts field displays the number of times that a login attempt has failed.

  3. On the Passphrase tab, if you want to set the user's passphrase, see "Setting a User's Passphrase".

  4. When you are finished, click the Save button.

  5. If user roles have been added, the Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.


    Note:

    If user roles have not been added, user information is updated in the OKM Cluster after you click the Save button, and the Key Split Quorum Authentication dialog box is not displayed.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Setting a User's Passphrase

As the Security Officer, you can set a user's passphrase if you believe that the user's passphrase and/or certificate has been compromised. A new certificate is generated when the user uses the new passphrase to logon to the KMA.

To set a user's passphrase:

  1. From the User List screen, double-click the user whose passphrase you want to select or highlight the user and click the Details button.

  2. The User Details dialog box is displayed. Open the Passphrase tab.

    Surrounding text describes create_user_dets_passphr.jpg.
  3. In the Enter Passphrase field, type the passphrase that was assigned by the Security Officer when the user account was created.

  4. In the Confirm Passphrase field, type the same value you entered in the previous step. The new passphrase for the user record is saved.

  5. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Deleting Users

Users cannot delete themselves.

To delete a user:

  1. From the Users List screen, select the user you want to delete and click the Delete button. The following dialog box is displayed, prompting you to confirm that you want to delete the selected user.

    Surrounding text describes aysdeleteuser.jpg.
  2. Click the Yes button to delete the user. The currently selected user is deleted and you are returned to the User List screen, where the deleted user is no longer in the User List.

Role List Menu

The Role List menu option allows gives you the ability to view user roles. Roles are fixed logical groupings of various system operations that a user can perform. A user can have more than one role.

Surrounding text describes role_list_menu_top_level.jpg.

Viewing Roles

To view roles:

From the System Management menu, select Role List. The Role List screen is displayed.

Surrounding text describes role_list_menu1.jpg.

You can also scroll through the database and filter the Roles list by either of the following keys:

  • Role ID

  • Description.

The Use button applies the filter to the displayed list.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Role ID

  • Description

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Empty

  • Not Empty

Filter Value 1 box:

Type a value in this field.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Role ID

Displays the unique identifier that distinguishes each security role.

Description

Describes the role.

If you want more detailed information on a role, highlight a role entry and click the Details button. For more information, refer to "Viewing Operations for a Role".

Viewing Operations for a Role

The Role Operations dialog box allows the you to view a role and its permitted operations.

To view the operations for a specific role:

  1. From the Role List screen, highlight a role and click the Details button. The Role Operations dialog box is displayed, indicating the operations for the selected role.

    Surrounding text describes role_operations.jpg.
  2. Click the Close button to close this dialog box. You are returned to the Role List screen.

Site List Menu

A Site is a physical location with at least one KMA, to which several Agents (Hosts and OKM Cluster) connect. Sites allows Agents to respond to KMA failures or load balancing more effectively by connecting to another KMA in the local Site rather than a remote one

The Site List menu option gives you the ability to:

  • View sites

  • Create a site

  • Modify an site's information

  • Delete a site.


    Note:

    An Operator can view sites only. A Security Officer can manage the sites.

Surrounding text describes site_list_menu.jpg.

Viewing Sites

To view sites:

From the System Management menu, select Site List. The Site List screen is displayed.

Surrounding text describes site_list.jpg.

You can also scroll through the database and filter the Sites list by any of the following keys:

  • Site ID

  • Description.

The Use button applies the filter to the displayed list for the Site.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Site ID

  • Description

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

Filter Value 1 box:

Type a value in this field.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Site ID

Uniquely identifies the site.

Description

Describes the site.

Click the Create button to create a Site. For more information, refer to "Creating a Site".

If you want to view / modify a Site's detailed information, highlight the Site and click the Details button. For more information, refer to "Viewing/Modifying a Site's Details".

Click the Delete button to delete a selected Site. For more information, refer to "Deleting a Site".

Creating a Site

To create a site:

  1. From the Site List screen, click the Create button. The Create Site dialog box is displayed.

    Surrounding text describes create_site.jpg.
  2. Complete the following parameters:

    Site ID

    Type a value that uniquely identifies the site. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that uniquely describes the site. This value can be between 1 and 64 (inclusive) characters.

    An example of a completed dialog box is shown below.

    Surrounding text describes site_list_example.jpg.
  3. Click the Save button. The new Site is saved and stored in the database and is displayed in the Site List.

    Surrounding text describes create_site_added_site.jpg.

Viewing/Modifying a Site's Details


Note:

If you are not a Security Officer, when you view a site's detailed information, all fields, including the Save button are disabled.

To modify a Site's details:

  1. From the Site List screen, click the Details button. The Site Details dialog box is displayed.

    Surrounding text describes site_list_details.jpg.
  2. Change the Description field and click the Save button. The Site details are modified and stored in the database.

Deleting a Site


Note:

If the site is in use, that is, agents or KMAs are specified to be at the site, they must first be deleted or changed to a different site before you can delete it.

To delete a site:

  1. From the Site List screen, highlight the Site you want to delete and click the Delete button. The following dialog box is displayed, prompting you to confirm your actions

    Surrounding text describes aysdeletesite.jpg.
  2. Click the Yes button to delete the Site. The currently selected Site is deleted and you are returned to the Site List screen.

SNMP Manager List Menu

The following menus discuss viewing, creating, and modifying SNMP Managers.

Additionally, SNMP information is generated for users who have configured an SNMP Agent in their network and defined SNMP Managers in the OKM Manager GUI. When at least one SNMP Manager is defined in the OKM Manager GUI, the KMAs sends SNMP Informs to the IP address of that SNMP Manager(s).

You can provide an IPv6 address when creating or modifying an SNMP Manager.

Refer to Appendix A, "SNMP Management Information Base (MIB) Data" for more details about the information that KMAs send in their SNMP Inform packets.

Surrounding text describes snmp_manager_list_menu.jpg.

Viewing a KMA's SNMP Managers

To view the SNMP Managers:

From the System Management menu, select SNMP Manager List. The SNMP Manager List screen is displayed.

Surrounding text describes snmp_mgr_list_proto_vers.jpg.

You can also scroll through the database and filter the SNMP Manager List by any of the following keys:

  • SNMP Manager ID

  • Description

  • Network Address

  • Enabled

  • User Name.

The Use button applies the filter to the displayed list for the SNMP Manager.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • SNMP Manager ID

  • Description

  • Network Address

  • Enabled

  • User Name.

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty

Filter Value 1 box:

Type a value in this field.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

SNMP Manager ID

Displays the user-defined unique identifier for the SNMP Manager.

Description

Displays a description for the SNMP Manager. This field is optional.

Network Address

Displays the network address that is used when sending an SNMP trap.

Enabled

Indicates whether this SNMP Manager is enabled or not.

User Name

Displays the user name that was used to establish a secure, trusted SNMPv3 connection to this SNMP Manager.

Protocol Version

Indicates the SNMP protocol version, either SNMPv3 (Version 3) or SNMPv2 (Version 2).

SNMP protocol Version 3 (SNMPv3) supports authentication, using user names and passphrases. SNMP protocol Version 2 (SNMPv2) does not support authentication and does not use user names and passphrases. You can configure an SNMP Manager to use either SNMPv3 or SNMPv2. KMAs do not send SNMP informs to SNMP Managers configured to use SNMPv2 if the replication version of the OKM Cluster is currently set to 10 or lower.

Click the Create button to create a new SNMP Manager. For more information, refer to "Creating a New SNMP Manager"below.

If you want to view/modify a SNMP Manager detailed information, highlight the entry and click the Details button. For more information, refer to "Viewing/Modifying an SNMP Manager's Details".

Click the Delete button to delete the selected SNMP Manager. For more information, refer to "Deleting an SNMP Manager".

Creating a New SNMP Manager

If your SNMP agent is configured to use SNMP protocol Version 3, ensure that you have created an SNMP protocol Version 3 user before you create an SNMP manager in your OKM Cluster. This SNMP user should use SHA (not MD5) as the authentication protocol and DES as the privacy protocol. Refer to your SNMP Agent documentation for more information about creating SNMP Version 3 users.

Also, if the SNMP user has a passphrase, then the KMA uses this passphrase for both the Authentication Passphrase and the Encryption Passphrase for that SNMP user. Thus, these passphrases must have the same value for this SNMP user in the SNMP Agent. If the SNMP user does not have a passphrase, then the KMA uses a security level of ”noAuthNoPriv” when it sends SNMP informs to the SNMP Agent.

If your SNMP agent is configured to use SNMP protocol Version 2, then you do not need to configure an authentication protocol or create an SNMP user. Currently, OKM supports only the ”public” community for Version 2.

Consult your SNMP Agent documentation for more information about creating SNMP Users. For example, refer to the Solaris System Management Agent Administration Guide (http://docs.oracle.com/cd/E19253-01/817-3000/index.html) for more information about configuring the System Management Agent on a Solaris system. Also, refer to http://www.net-snmp.org/FAQ.html for more general information about Net-SNMP.

  1. From the SNMP Managers List screen, click the Create button.

    The Create SNMP Manager dialog box is displayed.

    Surrounding text describes snmp_manager_create.jpg.
  2. Complete the following parameters:

    SNMP Manager ID

    Type a value that uniquely identifies the SNMP Manager. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that describes the SNMP Manager. This value can be between 1 and 64 (inclusive) characters.

    Network Address

    Type the SNMP Manager's network address.

    Flags - Enabled

    Select this check box to indicate whether SNMP is enabled or not.

    User Name

    Type the user name that is used to authenticate the SNMP Manager.

    Passphrase

    Type the passphrase that is used to authenticate the SNMP Manager.

    Confirm Passphrase

    Type the same passphrase that was entered in the Passphrase field.

    Protocol Version

    Select the SNMP protocol version that this SNMP Manager should use. A value of SNMPV3 means that it is using SNMP protocol Version 3. A value of SNMPV2 means that it is using SNMP protocol Version 2.

    SNMP protocol Version 3 (SNMPv3) supports authentication, using user names and passphrases. SNMP protocol Version 2 (SNMPv2) does not support authentication and does not use user names and passphrases. You can configure an SNMP Manager to use either SNMPv3 or SNMPv2. KMAs do not send SNMP informs to SNMP Managers configured to use SNMPv2 if the replication version of the OKM Cluster is currently set to 10 or lower.

  3. When you are finished, click the Save button to save the information. The new SNMP Manager entry and its associated profile is stored in the database.

Viewing/Modifying an SNMP Manager's Details

To view/modify an SNMP Manager's details:

  1. From the SNMP Managers List screen, double-click an SNMP Manager entry for which you want more information and click the Details button. The SNMP Manager Details dialog box is displayed.

    Surrounding text describes snmp_mgr_dets_proto_vers.jpg.
  2. Change the parameters, as required.

  3. When you are finished, click the Save button to save the changes.


    Note:

    Every time you modify a SNMP Manager's details, you have to re-specify the passphrase.

Deleting an SNMP Manager

To delete an SNMP Manager:

  1. From the SNMP Managers List screen, highlight the SNMP Manager you want to delete and click the Delete button. The SNMP Manager Confirm Delete dialog box is displayed.

    Surrounding text describes aysdeletesnmpmanager.jpg.
  2. Click the Yes button to delete the SNMP Manager. The currently selected SNMP Manager is deleted and you are returned to the SNMP Managers List screen.

Key Transfer

Key Transfer, also called Key Sharing, allows keys and associated data units to be securely exchanged between Partners and is required to exchange encrypted media. This process requires each party in the transfer establish a public/private key pair and then provide the public key to the other party.

Each party enters the other party's public key into their own OKM Cluster. Once this initial configuration is complete, the sending party uses Export Keys to generate a transfer file, which is sent from the sending party to the receiving party. The receiving party then uses Import Keys to import the keys and their associated data units into their OKM Cluster.

The transfer file is signed using the sending party's private key and encrypted using the receiving party's public key. This allows only the receiving party to decrypt the transfer file using their own private key. The receiving party can verify the file was in fact produced by the expected sender by using the sender's public key.

Key Transfer Partners Feature

The Key Transfer Partners feature allows keys to be moved from one OKM Cluster to another. Typically, this feature can be used to exchange tapes between companies or within a company if multiple Clusters are configured to deal with large numbers of sites.

The Key Transfer process involves these steps:

  • Each OKM Cluster configures the other Cluster as a Transfer Partner. This is usually done once.

  • The user exports keys from one OKM Cluster and imports them into the other. This step can be done many times.

Key Transfer Process

Within the OKM, you must perform a number of tasks in a specific order. Since these tasks involve more than one user role, the actual procedures reside in different chapters in this document.

Configuring Key Transfer Partners

To move keys, you must configure a key transfer partner for both OKM Clusters participating in key movement.

In the following procedure, ”C1” refers to the first OKM Cluster, ”C2” to the second.

Administrator (Security Officer role):

C1 Administrator (Security Officer Role):

  1. Acquire the Public Key information for C1 (your Cluster). To do this, go to the Key Transfer Public Key List Menu. See "Viewing the Key Transfer Public Key List" and "Viewing the Key Transfer Public Key Details".

  2. Cut and paste the Public Key ID and Public Key into an e-mail or other agreed-upon form of communication. Send this information to the C2 administrator.


    Note:

    The exact communication method should be sufficiently secure that when C2 receives the information, it can be confident it actually came from C1. There is a mechanism, the fingerprint, to prevent modification of this information in transit.

C2 Administrator (Security Officer role):

  1. C2 Administrator: Enter the Public Key information from C1 into the OKM Cluster by accessing the Transfer Partner List menu. See "Key Transfer Public Key List Menu".

  2. Click the Create... button. Fill in a name for the Transfer Partner, a description, and contact information. Determine what you want to do with this Partner. See "Creating a Transfer Partner".

  3. Select the Public Keys tab. Fill in the Public Key ID and Public Key from the information supplied by C1.

    As the Public Key is entered, the system computes the fingerprint. The C1 and C2 administrators should be communicating with each other using a different mechanism than was used for the transfer of the key itself.

    Both administrators should look at their OKM and verify the fingerprint matches. A mismatch indicates the key has been damaged or modified during the transfer.

  4. If the fingerprint is correct, click Save. The system prompts for a quorum. This is because the key export operations that are enabled by this step could be used to extract valid keys from a OKM Cluster. C1 is now configured as a Transfer Partner in the C2 OKM Cluster.

C2 Administrator (Security Officer role):

  1. Repeat Step 1 and Step 2, this time for the C2 OKM Cluster.

C1 Administrator (Security Officer role):

  1. Repeat Step 1 through Step 4 to add C2's Public Key to C1.

C1 Administrator (Compliance Officer Role):

  1. C1 must configure Key Groups that can be sent to C2. See "Viewing Key Group Assignments".

C2 Administrator (Compliance Officer Role):

  1. C2 must configure Key Groups that can receive keys from C1. See "Viewing Key Group Assignments".

  2. Select the desired Transfer Partner.

  3. Select one or more disallowed Key Groups, and click the Move to back-arrow button to add them to the Key Group list. See "Adding a Key Group to a Transfer Partner".

Exporting/Importing Keys

Before you export keys, keys must meet all of the following criteria. Keys that do not are not exported when an Operator issues an Export Keys request.

To set the flag, refer to "Viewing/Modifying a Key Policy".

To set the flag, refer to "Viewing/Modifying a Key Policy".

In addition, the Export Format setting of the destination transfer partner (see "Transfer Partner List") must match:

Table 5-1 summarizes the relationship between these settings.

Table 5-1 Export Format Settings

Software Version - Importing KMA FIPS Mode Only - Exporting OKM Cluster FIPS Mode Only - Importing OKM Cluster Export Format

2.0.2 or lower

Off

N/A

v2.0 or Default

2.0.2 or lower

On

N/A

v2.0

2.1 or higher

Off

Off

v2.0 or Default

2.1 or higher

On

Off

v2.0

2.1 or higher

Off

On

v2.1 (FIPS)

2.1 or higher

On

On

v2.1 (FIPS)

or Default


The following procedure is used to export keys from one OKM Cluster and import them into another. This can be done many times.

In this procedure, ”C1” refers to the first OKM Cluster, ”C2” to the second. These instructions are written to allow C2 to export keys that are then imported into C1.

C2 Administrator (Operator Role):

  1. To exchange keys, go to the Data Unit List screen. See "Viewing Data Units".

  2. Select one or more Data Units (tapes) to be sent from C2 to C1. The External Tag is the barcode on the tapes.

    Keys associated with the selected Data Units must belong to Key Groups associated with Key Policies that have their Allow Export From flag set to ”True.” These keys must also be activated (their Activation Date is not empty) and not destroyed (their Destroyed Date is empty). See "Viewing/Modifying Data Unit Details".

  3. Click the Export Keys button to display the dialog box.

  4. Select the destination Transfer Partner, select the Export Keys file name if necessary, and click Start. The Transfer File is created.

    Only the Keys belonging to the Key Groups that are allowed to be exported to C1 are exported.

    The selected destination Transfer Partner must be assigned to the Key Group to which these keys belong. See "Transfer Partner Assignment to Key Groups Menu".

  5. Send the Transfer File to the C1 administrator by email or another agreed-upon form of communication or mechanism to move files.

C1 Administrator (Operator Role):

  1. Select the Import Keys screen. See "Import Keys Menu".

  2. Supply the Destination Key Group the keys are to be imported to, the Sending Transfer Partner (C2, in this case) that exported these keys, and the Key Transfer file name. The selected Key Group must be a Key Group that is configured to receive keys from C2.

    That is, the Key Policy associated with the selected Key Group must have its Allow Import To flag set to ”True.” Also, the selected Transfer Partner must have its Enabled and Allow Import From flags set to ”True,” and its Export Format value set as described above. The selected Transfer Partner must be assigned to the selected Key Group. See "Transfer Partner Assignment to Key Groups Menu".

  3. Click Start.

Transfer Partners Menu

The Key Transfer Partners feature allows keys to be moved from one OKM Cluster to another.

Surrounding text describes transfer_partners_menu.jpg.

Transfer Partner List

From the Secure Information Management menu, select Transfer Partner List.

Surrounding text describes transfer_partner_list.jpg.

You can also scroll through the database and filter the Transfer Partner list by any of the following keys:

  • Transfer Partner ID

  • Description

  • Contact Information

  • Enabled

  • Allow Export To

  • Allow Import From

The Use button applies the filter to the displayed list for the Transfer Partner.

The fields and their descriptions are given below:

Filter:

Select filter options to filter the displayed list of Transfer Partners. Only Transfer Partners that satisfy all filters are displayed.

Filter Attribute combo box:

Click the down-arrow and select an attribute to filter by. Possible values are:

  • Transfer Partner ID

  • Description

  • Contact Information

  • Enabled

  • Allow Export To

  • Allow Import From

Filter Operator combo box:

Click the down-arrow and select the filter operation to apply to the selected attribute. This filter option is not displayed for all filter attributes. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty

Filter Value text box:

Type a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Click the plus button to add additional filters.

Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.

Use:

Click this button to apply the selected filters to the displayed list and go to the first page.

Refresh:

Click this button to refresh the displayed list. This does not apply filters selected since the last Use or Reset, and does not change the page of the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of items that can be displayed on the current page. Appends ”(last page)” to the number of items if you are at the end of the list. The maximum number of items displayed on a page is defined by the Query Page Size value on the Options dialog.

Transfer Partner ID:

Displays the unique identifier that distinguishes each Transfer Partner. This value can be between 1 and 64 (inclusive) characters. Click this Column Name to sort by this attribute.

Description:

Describes the Transfer Partner. This value can be between 1 and 64 (inclusive) characters. Click this Column Name to sort by this attribute.

Contact Information:

Displays contact information about the Transfer Partner. Click this Column Name to sort by this attribute.

Enabled:

Indicates whether the Transfer Partner is allowed to share keys. Possible values are True or False. If this field is False, the Transfer Partner cannot share keys. Click this Column Name to sort by this attribute.

Allow Export To:

Indicates whether the Transfer Partner is allowed to export keys. Possible values are True or False. If this field is False, the Transfer Partner cannot export keys. Click this Column Name to sort by this attribute.

Allow Import From:

Indicates whether keys can be imported from this Transfer Partner. Possible values are True or False. If this field is False, keys cannot be imported from this Transfer Partner. Click this Column Name to sort by this attribute.

Export Format:

Indicates whether keys can be wrapped (wrap keys encrypt the media key on the LAN and the token.)

In the Export Format column, a ”v2.0” value means that this Transfer Partner does not wrap keys when it exports them.

A ”v2.1 (FIPS)” value means that this Transfer Partner wraps keys when it exports them.

An ”N/A” value signifies that the connected KMA runs 2.0.x OKM software, and thus does not allow the user to select this setting.


Note:

To exchange keys with a Cluster running KMS 2.0, the Security Officer should create a Transfer Partner that has an Export Format value of ”v2.0.”

Refer to the FIPS Mode Only parameter in "Retrieving the Security Parameters" for more information.

Public Key ID

Displays the unique identifier that distinguishes each Public Key. This value can be between 1 and 64 (inclusive) characters. Click this Column Name to sort by this attribute.

Public Key Fingerprint

Shows the fingerprint, or hash value, of the Public Key.

Entry Date

Displays the date the Public Key was entered into the OKM Cluster.

Creating a Transfer Partner

To create a Transfer Partner:

  1. From the Transfer Partner List screen, click the Create button. The Create Transfer Partner dialog box is displayed, with the General tab active.

    Surrounding text describes creating_transfer_partner.jpg.
  2. Complete the following parameters:

    On the General tab:

    Transfer Partner ID

    Uniquely identifies the Transfer Partner.

    Description

    Type a value that uniquely describes the Transfer Partner. This value can be between 1 and 64 (inclusive) characters. This field can be left blank.

    Contact Information

    Type a value that identifies contact information about the Transfer Partner. This field can be left blank.

    Export Format

    Select either the default, v2.0, or v2.1 (FIPS) to determine the export format.

    A ”v2.0” value means this Transfer Partner does not wrap keys when it exports them.

    A ”v2.1 (FIPS)” value means this Transfer Partner wraps keys when it exports them.

    A ”Default” value means when you are exporting a key transfer file for this Transfer Partner, the format depends on the setting of the FIPS Mode Only security parameter (see "Retrieving the Security Parameters").

    If FIPS Mode Only is ”Off,” the format is v2.0. If FIPS Mode Only is ”On,” the format is v2.1 (FIPS).


    Note:

    An advantage of setting a Transfer Partner's Export Format to ”Default” is that it allows you to alter the format of the Transfer Partner's transfer files simply by changing the FIPS Mode Only security parameter, instead of editing the Transfer Partner's Export Format setting directly, which requires a quorum to authenticate the change.

    Flags - Enabled

    Select this box to allow this Transfer Partner to share keys. If the field is not selected, the Transfer Partner cannot share keys.

    Allow Export To

    Select this box to allow keys to be exported to the Transfer Partner. If this field is not selected, the Transfer Partner will not be available for the export keys operation.

    Allow Import From

    Select this box to indicate whether keys can be imported from this Transfer Partner. If this field is not selected, keys cannot be imported from this Transfer Partner.

  3. Open the Public Keys tab.

    Surrounding text describes creating_transfer_part_pub.jpg.

    On the Public Keys tab, you can enter the following information:

    New Public Key ID

    Enter the Public Key ID provided to you by the Transfer Partner.

    New Public Key

    Enter the Public Key provided to you by the Transfer Partner.

    New Public Key Fingerprint

    This read-only field shows the fingerprint, or hash value, of the new Public Key. Verify this fingerprint with the Partner to ensure the Public Key has not been tampered with, accidentally or deliberately, during transmission.

  4. When you are finished, click the Save button.

  5. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Viewing/Modifying Transfer Partner Details

The Transfer Partner Details dialog box allows you to view detailed information about a specific Transfer Partner.

To view these details:

  1. From the Transfer Partner List screen, highlight a Transfer Partner ID and click the Details button. The Transfer Partner Details dialog box is displayed.

    Surrounding text describes transfer_partner_details.jpg.
  2. On the General tab, you can change the following fields:

    • Description

    • Contact Information

    • Export Format

    • Flags Enabled

    • AllowExport To

    • Allow Import From

    The Transfer Partner ID field is read-only.

  3. When you are finished, click the Save button. The Transfer Partners record in the database is modified.

  4. Open the Public Keys tab.

    Surrounding text describes transfer_part_list_dets_pub.jpg.
  5. On the Public Keys tabs, you can change the following fields:

    New Public Key ID

    Enter the new Public Key ID provided to you by the Transfer Partner.

    New Public Key

    Enter the new Public Key provided to you by the Transfer Partner.

    New Public Key Fingerprint

    This read-only field shows the fingerprint, or hash value, of the new Public Key. Verify this key with the sending Transfer Partner.

    Existing Public Keys

    This list displays Public Keys associated with this Transfer Partner.

  6. When you are finished, click the Save button.

  7. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Deleting a Transfer Partner

This option gives the Security Officer the ability to delete a Transfer Partner.

To delete a Transfer Partner:

  1. From the Transfer Partner List screen, highlight the Transfer Partner ID you want to delete and click the Delete button. The Transfer Partner Confirm Delete dialog box is displayed.

    Surrounding text describes aysdeletetransferpartner.jpg.
  2. Click the Yes button to delete the Transfer Partner. The currently selected Transfer Partner is deleted, and you are returned to the Transfer Partner List screen.

Key Transfer Public Key List Menu

To share keys between Transfer Partners, Security Officers first must access Public Key information for their OKM Cluster. This menu provides public key information. The Public Key and Public Key ID displayed by this command must be sent to the Transfer Partner.

Surrounding text describes key_trans_pub_keylst_men.jpg.

Viewing the Key Transfer Public Key List

To view the Key Transfer Public Key List:

  1. From the System Management menu, select Key Transfer Public Key List.

Surrounding text describes key_trans_pub_keylst.jpg.

You can also scroll through the database and filter the Key Transfer Public Key List by any of the following keys:

  • Public Key ID

  • Created Date

  • Public Key

The Use button applies the filter to the displayed list for the Key Transfer Public Key List.

The fields and their descriptions are given below:

Filter:

Select filter options to filter the displayed list of Public Keys. Only Public Keys that satisfy all filters are displayed.

Filter Attribute combo box:

Click the down-arrow and select an attribute to filter by. Possible values are:

  • Public Key ID

  • Created Date

  • Public Key

Filter Operator combo box:

Click the down-arrow and select the filter operation to apply to the selected attribute. This filter option is not displayed for all filter attributes. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty

Filter Value text box:

Type a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Click the plus button to add additional filters.

Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.

Use:

Click this button to apply the selected filters to the displayed list and go to the first page.

Refresh:

Click this button to refresh the displayed list. This does not apply filters selected since the last Use or Reset, and does not change the page of the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of items that can be displayed on the current page. Appends ”(last page)” to the number of items if you are at the end of the list. The maximum number of items displayed on a page is defined by the Query Page Size value on the Options dialog.

Public Key ID:

Displays the unique identifier that distinguishes each Public Key. This value can be between 1 and 64 (inclusive) characters. Click this Column Name to sort by this attribute.

Created Date:

Displays the date and time when this Public Key was created. Click this Column Name to sort by this attribute.

The private key corresponding to the most recently created public key is used to sign all exported Key Transfer files.

Public Key:

Displays the Public Key used to perform key transfers between Transfer partners. This value is shown in base 64. Click this Column Name to sort by this attribute.

Public Key Fingerprint:

The hash of the Public Key. This value is used to verify the Public Key is correctly transmitted, and it is shown in base 64.

Viewing the Key Transfer Public Key Details

To view the Key Transfer Public Key details screen:

  1. Select a Public Key and click the Details button.

    The Key Transfer Public Key Details dialog box is displayed.

Surrounding text describes key_trans_pub_keylst_dets.jpg.

Creating a Key Transfer Public Key

To create a Key Transfer Public Key:

  1. Click the Create button.

  2. Provide the new key to all existing Transfer Partners.

    Since any Key Transfer files created after the new Key Transfer Public Key is created are signed with the new Key Transfer Public Key, partners must be provided with the new Key Transfer Public Key before they can import the new Key Transfer files.

Surrounding text describes key_trans_pub_keylst_creat.jpg.

Backup List Menu

The Backups List menu option allows the Security Officer to:

  • View the history of the Backups

  • View details of a Backup file

  • Restore Backups.

Surrounding text describes backup_list.jpg.

Viewing Backup Files History

To view Backup files history:

From the Secure Information Management menu, select Backup List. The Backup List screen is displayed.

Surrounding text describes backup_files_history.jpg.

You can also scroll through the database and filter the Backup Files by any of the following keys:

  • Backup ID

  • KMA ID

  • Created Date

  • Destroyed Date

  • Destruction Status

  • Destruction Comment.

The + button applies the filter to the displayed list for the Backup file.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Backup ID

  • Created Date

  • Destroyed Date

  • Destruction Status

  • Destruction Comment.

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

Filter Value 1 box:

If you selected a date filter, click Set Date to specify start date and time. The value appears as a starting value of the filter key range. If you selected any other filter, type a value in this field.

Filter Value 2 box:

If you selected a date filter, click Set Date to select an end date and time. The value appears as a ending value of the filter key range.

Use:

Click this button to apply the filter to the displayed list.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

Click this button to go to the first page of the list.

Surrounding text describes okm_first_page.jpg.

Click this button to go to the previous page.

Surrounding text describes okm_prev_page.jpg.

Click this button to go to the next page.

Surrounding text describes okm_next_page.jpg.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Backup ID

Displays a system-generated unique identifier that distinguishes each Backup file.

KMA ID

Displays the KMA for which the Backup file was generated.

Created Date

Displays the date when the backup was created.

Destroyed Date

Displays the date that the Backup file was marked as being manually destroyed.

Destruction Status

Indicates the status of the backup with respect to its destruction. Possible values are:

NONE

The Backup file has not been destroyed and does not contain Data Unit keys that have been destroyed.

PENDING

The Backup file has not yet been manually destroyed and contains copies of Data Unit keys that have been destroyed.

DESTROYED

The Backup file has been manually destroyed.

Destruction Comment

Displays user-supplied information on the Backup file's destruction.

Details:

Click this button to view more detailed information on a Backup.

Create Backup:

Click this button to create a Backup. This button is not enabled if you are a Security Officer.

Restore:

Click this button to restore a Backup.

Confirm Destruction:

Click this button to confirm the destruction of a Backup. This button is not enabled if you are a Security Officer.

If you want more detailed information on a backup, highlight the backup and click the Details button. For more information, refer to "Viewing Backup Details".

Click the Restore button to restore the currently selected backup. For more information, refer to "Restoring a Backup".

Viewing Backup Details

The Backup Details dialog box is used to view the details of a Backup file.


Note:

Backup files are created and restored on the KMA.

To view the details of a Backup file:

  1. From the Backups List screen, double-click the Backup entry for which you want more information or highlight the Backup entry and click the Details button. The Backup Details dialog box is displayed, with all fields read-only.

    Surrounding text describes backup_details.jpg.
  2. The fields and their descriptions are given below:

    Backup ID

    Displays a system-generated unique identifier that distinguishes each Backup file.

    KMA ID

    Displays the KMA on which this Backup file is generated.

    Created Date

    Displays the date and time when the Backup file was created.

    Completed Date

    Displays the date and time when the Backup file was completed.

    Downloaded Date

    Displays the date and time when the Backup file was downloaded.

    Destroyed Date

    Displays the date when the Backup file was destroyed.

    Destruction Status

    Indicates the status of the backup with respect to its destruction.

    Destruction Comment

    Displays user-supplied information on the Backup file's destruction.

  3. Click the Close button to close this dialog box.

Restoring a Backup

This function gives you the ability to upload and restore a backup that consists of a Backup file and a Backup key file to the KMA. Before you restore a Backup file to a KMA, ensure that you have the quorum for authentication.

Important – Before you start this procedure, you must perform the procedure "Restoring a Cluster From a Backup".

To restore a backup:

  1. From the Backup List screen, highlight the Backup you want to restore and click the Restore button. The Restore Backup dialog box is displayed.

  2. Select the desired Core Security backup, backup key file, and backup file. The backup key file and the backup must match, that is, they must have been created at the same time. The Core Security backup can be older or newer than the backup key file and backup file. Any Core Security backup file can be used with any backup key file and backup file.

  3. Click the Start button.

    Surrounding text describes restore_backup.jpg.
  4. When the upload process is completed, it is indicated on the Restore Backup dialog box and the Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    Note:

    The Security Officer must provide a sufficient quorum of Key Split Credentials. You initially set the Key Split Threshold value, which determines the quorum size, through the process shown in "Entering Key Split Credentials". The quorum value can be changed as discussed in "Modifying the Key Split Configuration".

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


  5. The Restore Backup dialog box is displayed, indicating the status of the restore process.

  6. The fields and their descriptions are given below:

    Backup File Name

    Name of the backup file.

    Backup Wrapping Key File Name

    Displays the name of the Backup Key File.

    Core Security Backup File Name

    Name of the backup file containing Core Security Key material.

  7. When the restore is completed, a message indicating this is displayed. Click the Close button to close this dialog box. The database and the Secure Key Store are restored to the KMA.


Note:

After you successfully restore a backup, you need to update the IP address settings for the KMA. Network settings are not backed up, and thus are not restored. Refer to "Setting the KMA Management IP Address" and "Setting the KMA Service IP Addresses".

System Dump Menu

The System Dump menu creates a system dump for problem resolution and downloads it to a compressed file on the system where the OKM Manager is running. The downloaded file is in a format that can be opened with compression utilities.


Note:

The dump does not include any key material or information from which keys can be inferred.

Surrounding text describes system_dump_menu_top_level.jpg.

Creating a System Dump

  1. To create a system dump, from the System Management menu, select System Dump. The screen is displayed and shows an automatically-generated *.tar.Z file. If desired, you can click Browse to select a destination path.

  2. Click the Start button to begin the download. The system displays messages indicating the amount of system dump information that is being downloaded in real-time and tells you when the process is complete.

  3. Go to the destination path and open the *.tar.Z file to view the system dump information.

Surrounding text describes system_dump_menu.jpg.

The fields and their descriptions are given below:

File Name:

Displays an automatically-generated *.tar.gz file.

Browse:

Click this button to specify a location for this file.

Start:

Click this button to initiate the download process.

Security Parameters Menu

The Security menu gives the Security Officer the ability to view and modify the KMA's security parameters.

Surrounding text describes sec_params_menu_top_lvl.jpg.

Retrieving the Security Parameters


Note:

The Master Key Provider button is used only if you want the OKM Cluster to obtain master keys from an IBM mainframe. The button is enabled only when the replication version of the OKM Cluster is currently set to 11 or higher and the FIPS Mode Only value is ”Off.”

See the OKM-ICSF Integration Guide for details.


To retrieve the security parameters:

From the Security menu, select Security Parameters. The Security Parameters screen is displayed in read-only mode.

Surrounding text describes sec_params.jpg.

The fields and their descriptions are given below:


Note:

For the following six Retention-related fields, there is just one audit log, and it resides in the largest file system in the KMA.

The main reason for adjusting these parameters is to control how many audit log entries are returned in queries you issue from the Audit Event List menu (see "Viewing Audit Logs").

Entries in the audit log can show a short, medium, or long retention term. The KMA truncates (removes) old audit log entries based on the limit and lifetime of their retention term.

For example, Short Term Audit Log entries are typically truncated more frequently than Medium Term Audit Log entries; Medium Term Audit Log entries are truncated more frequently than Long Term Audit Log entries.

The Security Officer can define these retention term limits and lifetimes to control how frequently old audit log entries are removed.


Short Term Retention Audit Log Size Limit

Displays the number of Short Term Audit Log entries that are retained before they are truncated. The default is 10,000. The minimum value is 1000; maximum value is 1,000,000.

Short Term Retention Audit Log Lifetime

Displays the amount of time (in days) that Short Term Audit Log entries are retained before they are truncated. The default is 7 days. The minimum value is 7 days; maximum value is 25,185 days (approximately 69 years).

Medium Term Retention Audit Log Size Limit

Displays the number of Medium Term Audit Log entries that are retained before they are truncated. The default is 100,000. The minimum value is 1000; maximum value is 1,000,000.

Medium Term Retention Audit Log Lifetime

Displays the amount of time (in days) that Medium Term Audit Log entries are retained before they are truncated. The default is 90 days. The minimum value is 7 days; maximum value is 25,185 days.

Long Term Retention Audit Log Size Limit

Displays the number of Long Term Audit Log entries that are retained before they are truncated. The default is 1,000,000. The minimum value is 1000; maximum value is 1,000,000.

Long Term Retention Audit Log Lifetime

Displays the amount of time (in days) that Long Term Audit Log entries are retained before they are truncated. The default is 730 days. The minimum value is 7 days; maximum value is 25,185 days.

Login Attempt Limit

Indicates the number of failed login attempts before an entity is disabled. The default is 5. The minimum value is 1; maximum value is 1000.

Passphrase Minimum Length

Displays the minimum length of the passphrase. The default is 8 characters. The minimum value is 8 characters; the maximum value is 64 characters.

Management Session Inactivity Timeout

Displays the maximum length of time (in minutes) a OKM Manager or Console login session can be left idle before being automatically logged out. Changing this value has no effect on sessions that are already in progress. The default is 15 minutes. The minimum value is 0, meaning no time is used; the maximum value is 60 minutes.

FIPS Mode Only

Displays the import key and format transfer file settings.

An "Off" value specifies that KMAs wrap keys whenever communicating with agents that support AES key wrap. Most customers should be running tape drive firmware that supports AES key wrap with the OKM agent service.

All PKCS#11 providers that support OKM include support for AES key wrap. You can confirm this by viewing the OKM audit log and noting that agents are using the agent service operations listed below. Specify an audit filter for Operation and choose any of the following specific operations from the pull down list:

  • Create Key v2

  • Retrieve key v2

  • Retrieve Keys v2

  • Retrieve Protect and Process Key v2

Any audit events in the resulting list confirm that the specified agent is using AES key wrap with OKM.

An ”On” value specifies that KMAs in this Cluster wrap Keys with an Advanced Encryption Standard (AES) wrapping key before sending them to Agents (tape drives). The KMA cannot import 1.0 keys and allows export and import of v2.1 (FIPS) format transfer files only.

The ”On” value can be set only if the current Replication Version is at least 10.

See the Export Format parameter in "Transfer Partner List" for more information.

Pending Operation Credentials Lifetime:

The amount of time (in days) that Key Split Credentials are retained as having approved a pending quorum operation. If an insufficient number of Key Split Credentials approve the pending quorum operation before this lifetime is reached, then these credentials expire. After they expire, Quorum Members must reapprove the pending quorum operation. The default is 2 days. This value is used only when the Replication Version is at least 11.

If you want to change the Security Parameters, click the Modify button. For more information, refer to "Modifying the Security Parameters".

Modifying the Security Parameters

To modify security parameters:

  1. From the Security Parameters List screen, click the Modify button. The Modify Security Parameters screen is displayed.

    Surrounding text describes sec_params_mod.jpg.

    The fields are described in "Short Term Retention Audit Log Size Limit".

  2. Modify the security parameters, as required. When you are finished, click the Save button. The changes are saved in the KMA database.

Core Security

The primary element of the Core Security component is the Root Key Material. It is key material that is generated when a Cluster is initialized. The Root Key Material protects the Master Key. The Master Key is a symmetric key that protects the Data Unit Keys stored on the KMA.

Core Security is protected with a key split scheme that requires a quorum of users defined in the Key Split Credentials to provide their user names and passphrases to unwrap the Root Key Material.

This security mechanism enables two operational states for the KMA: locked and unlocked.

A KMA in the locked state is not able to unwrap the Root Key Material, and thus is unable to access the Data Unit Keys. As a result, the KMA is unable to service Agent requests to register new Data Units or retrieve Data Unit Keys for existing Data Units.

A KMA in the unlocked state is able to use the Root Key Material to access the Data Unit Keys and service Agent requests for Data Unit Keys.

Core Security Management Menu

The Core Security menu contains the following menu options:

Surrounding text describes core_sec_mgmt_menu.jpg.

It allows the Security Officer to:

  • Create a Core Security backup

  • View/Modify Key Split Credentials

  • Enable/Disable the Autonomous Unlock Option.

Backup Core Security

The Backup Core Security option allows the Security Officer to back up Core Security Key material and download it to a file on the local system.


Caution:

Core security backup files should be carefully protected. Because any Core Security backup file can be used with any backup file/backup key file pair, even old Core Security backup files remain useful.

Creating a Core Security Backup

A new core security backup needs to be performed after the Key Split Credentials are modified.

Important – The Security Officer must back up Core Security Key material before the Backup Officer can create a backup. See "Creating a Backup".

  1. From the Core Security menu, select Backup Core Security. The Backup Core Security dialog box is displayed.


    Note:

    The Core Security Backup File names are automatically generated. However, you can edit the names, and you can also click the Browse button to select a destination path.

    Surrounding text describes backup_core_security.jpg.
  2. Click the Start button to create the Core Security Backup file and download it to the user-specified destination.

  3. When the backup is completed, a message is displayed. Click the Close button to close this dialog box

  4. You are returned to the Backup Core Security screen.

Key Split Configuration

The Key Split Configuration menu option gives the Security Officer the ability to view and modify the Key Split Credentials for the KMA.

Viewing the Key Split Configuration

To view the Key Split Configuration:

  1. From the Core Security menu, select Key Split Configuration. The Key Split Configuration dialog box is displayed.

    Surrounding text describes key_split_configuration.jpg.

The fields and their descriptions are given below:

Key Split Number

Displays the number of key splits. The maximum is 10.

Threshold Number

Displays the number of users that are necessary to authenticate a quorum.

Split User (1-10)

Displays the user names of the existing split.

If you want to modify the Key Split user names, passphrases, and threshold number, click the Modify button. For more information, refer to "Modifying the Key Split Configuration".

Modifying the Key Split Configuration

To modify the Key Split configuration:

  1. From the Key Split Configuration screen, click the Modify button. The Modify Key Split Configuration dialog box is displayed.

    Surrounding text describes modify_key_split_config.jpg.
  2. Complete the following parameters and click the OK button:

    Key Split Number

    Type a new value for the number of key splits. The maximum number is 10.

    Threshold Number

    Type a new value for the number of users that are required to form a quorum.

    Split User x

    Type the new user name. For each Split User, complete its associated Passphrase and Confirm Passphrase fields.


    Note:

    The number of Split User fields that are enabled is dependent on the value that you entered in the Key Split Number field.

  3. Click the Save button after the last user name and passphrase is entered.

  4. The Key Split Quorum Authentication dialog box is displayed after the new Key Split credentials are entered. Type the user name and passphrase for the existing quorum credentials and click the OK button. This is required to set ”new” credentials set in Step 2 and Step 3.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


  5. The system updates the old configuration information with the new configuration in the database. The new configuration is displayed in the Key Split Credentials screen.


    Note:

    The Core Security Key material is re-wrapped using the updated Key Split credentials.

  6. Create a new Core Security backup (see "Creating a Core Security Backup").


    Note:

    Destroy all old Core Security backup files to ensure that the previous Key Split Credentials cannot be used to destroy a backup.

Autonomous Unlock Option

The Autonomous Unlock Option menu option gives the Security Officer the ability to enable or disable the autonomous option for the KMA.

To enable or disable the Autonomous Unlock option:

  1. From the Core Security menu, select Autonomous Unlock Option. The Autonomous Unlock Option screen is displayed, indicating the current autonomous status.

    Surrounding text describes autonomous_unlock_option.jpg.
  2. Depending on the current autonomous boot status, click the Enable Autonomous Unlock to enable this option or click the Disable Autonomous Unlock to disable the option.


    Note:

    The Lock/Unlock button toggles between states and sets the KMA locked state opposite to the current state.

    You must provide a quorum to enable or disable the Autonomous Unlock Option.

  3. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Local Configuration Menu

The Local Configuration menu includes the following options:

  • Lock/Unlock the KMA

  • Upgrade the software (see "Software Upgrade Menu")

  • Network configuration information

  • Auto Service Request.

Surrounding text describes local_config_menu.jpg.

Lock/Unlock KMA

The Lock/Unlock KMA menu option gives the Security Officer the ability to lock and unlock the KMA's Core Security. See "Core Security" for details on Core Security and the behavior of the KMA when Core Security is locked and unlocked.

Locking the KMA

To lock the KMA:

  1. From the Local Configuration menu, select Lock/Unlock KMA. The Lock/Unlock KMA screen is displayed, indicating the state of the KMA. In this example, it is ”Unlocked.”

    Surrounding text describes unlock_kma.jpg.
  2. Click the Lock KMA button to lock the KMA. Once the button is pressed, it changes to Unlock KMA, indicating the new lock state and the allowed operation. The KMA is now locked.


    Note:

    The Lock KMA/Unlock KMA button toggles between states and sets the KMA locked state opposite to the current state. Once a button is pressed, the text label and button label change to indicate the new lock state and the allowed operation.

Unlocking the KMA

To unlock the KMA:

  1. From the Lock/Unlock KMA screen, click the Unlock KMA button.

    Surrounding text describes lock_kma.jpg.
  2. The Key Split Quorum Authentication dialog box is displayed. The quorum must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


  3. If the authentication is successful, the Key Split Quorum Authentication dialog box closes and the KMA is unlocked.

    Surrounding text describes unlock_kma.jpg.

Software Upgrade

The Software Upgrade menu option allows you to apply software upgrades; however, this requires two separate phases:

  • The Operator uploads a software upgrade file to the KMA and immediately applies the upgrade. See "Uploading and Applying Software Upgrades" for detailed information.

  • The Security Officer activates the inactive software version the Operator uploaded and applied.

Surrounding text describes software_upgrd_men_top_lvl.jpg.

Software updates are signed by Oracle and verified by the KMA before they are applied.

Guidelines for Implementing Software Upgrades

  • Before you execute this function, back up your system. For procedures, refer to "Creating a Backup".

  • Use an OKM Manager GUI release that matches the upgrade version you want to load on the KMA(s).

  • KMAs running OKM 3.0 can display up to three software versions in the Software Upgrade screen. OKM 2.x GUIs cannot activate a software version on an OKM 3.0 KMA. Install and use an Oracle Key Manager 3.0 GUI before uploading or activating a software version on an OKM 3.0 KMA.

  • For OKM 3.0 KMAs, the Software Upgrade screen displays software versions in reverse chronological order. That is, the newest version appears at the top of the list. Check the Active column to see which version is active.

  • OKM 2.x KMAs cannot be upgraded to OKM 3.0. Do not attempt to upload and apply an OKM 3.0 upgrade package onto an OKM 2.x KMA.

  • KMAs running KMS 2.1 or earlier must be upgraded to KMS 2.2 before they can be upgraded to OKM 2.3 and later.

  • The upload and apply process can be lengthy if the OKM Manager is remotely connected to the KMA or if the connection between the OKM Manager and KMA is slow. To mitigate this, the software upgrade file can be downloaded to a laptop or workstation that has the OKM Manager installed and the laptop or workstation connected to the same subnet as the KMA. The presence of a router between the OKM Manager and the KMA may slow down the upgrade process.

  • The upload and apply processes, with a good connection between the OKM Manager and the KMA, optimally take about 30 minutes. The activate process optimally takes about 5 to 15 minutes. If the uploading process is very slow, try connecting to the same subnet as the KMA.

  • Upload and apply the software upgrade file on each KMA one at a time (to help to spread out the network load), and then activate the software upgrade on each KMA one at a time (to minimize the number of KMAs that are offline concurrently).

  • If any of the upgrade processes fail (upload, verify, apply, activate, switch replication version), the OKM Manager generates audit messages describing the reason for the failure and a suggested solution.

  • The Technical Support account is disabled on the upgraded KMAs, and the accounts must be re-enabled if needed.

Activating a Software Version

After the Operator uploads and applies the software upgrade, the Security Officer activates the inactive software version that the Operator uploaded and applied.

  1. From the Local Configuration menu, select Software Upgrade. The Software Upgrade screen is displayed.

    The active version of the software is highlighted, and the Active column is set to True. Any inactive versions are also shown. For OKM 3.0 KMAs, the version string has the following format: <OKM release>-5.11-<OKM build>. For example, 3.0.0-5.11-2012.

    Surrounding text describes software_upgrade.jpg.

    The buttons appearing on this screen include:

    Activate

    Select an inactive software version and then click this button to activate the selected software version. Messages are displayed, indicating when this software version is activated and the KMA reboots.

    Switch Replication Version

    Select the active software version and then click this button to switch the current replication version.

    Software Upgrade File Name

    The Operator can type the name of the software upgrade file.

    Browse

    The Operator can click this button to locate the software upgrade file on your local system.

  2. Make sure there is a current backup of the OKM Cluster.

    To activate the upgrade file, select the new version from the list of available versions at the top of the screen and click the Activate button. Until activated, the new version remains inactive on the system.


    Note:

    The KMA reboots as part of the activate process. Since the KMA is offline while it reboots, you may not want to activate KMAs simultaneously in a Cluster.

    Users remain connected until you reboot the KMA. When you access the Software Upgrade screen again, the new uploaded software version is shown as the active version.

  3. The Key Split Quorum Authentication dialog box is displayed. Users who have the quorum role must type their user names and passphrases to authenticate the operation.

    Surrounding text describes key_split_quorum_auth.jpg.

    If you provide a sufficient quorum of Key Split Credentials in the Key Split Quorum Authentication dialog box, then information is updated in the OKM Cluster after you provide a quorum, not when you click the Save button.

    If you do not provide a sufficient quorum in the Key Split Quorum Authentication dialog box, two different outcomes can occur depending on the replication version:

    • The new software version may include new features available only when the OKM Cluster replication version is changed to a higher value.

    • The OKM Cluster must be switched to the new replication version to enable all new features in the new software version.

    Replication Version: Result:
    10 or lower The operation fails and no information is updated in the OKM Cluster.
    11 or higher The operation becomes pending. That is, the system adds the operation to a list of pending quorum operations (see "Pending Quorum Operation List Menu"). A popup message appears when the operation is added to this list.

    No information is updated in the OKM Cluster until users with the Quorum Member role (Quorum Member users) log in and provide a sufficient quorum.


Switching the Replication Version

Some features in the current software version are available only when the OKM Cluster replication version is set to the highest value supported by that software version.

The Security Officer manually sets the Replication Version. It is never changed automatically.

  1. Log in to a KMA that has been activated and navigate to the Software Upgrade screen. If the Supported Replication Versions column includes a higher version than the Current Replication Version column, click the Switch Replication Version button.

    Surrounding text describes replication_version.jpg.
  2. Select a new replication version and click the OK button.

    The Current Replication Version now displays the higher version, and the successful replication switch is sent to all other KMAs in the OKM Cluster.


    Note:

    All KMAs in the Cluster should be responding and all KMAs must run a KMS or OKM version that supports the replication version that the Security Officer wants to set.

Table 5-2 summarizes the features that require a particular replication version (or higher) across the KMS and OKM releases.

Table 5-2 Replication Versions/Features

Replication Version KMS/OKM Version Features Enabled

8

2.0

Everything related to initial release

9

2.0.2

Keys In Backup (ready keys appear in backups)

10

2.1

IPv6 addresses

AES Key Wrap (FIPS Mode)

11

2.2

ICSF integration

Distributed Quorum

SNMP Protocol version 2c

12

2.3

Accelerate initial updates

13

2.4

Agent Roaming

14

2.5.2

Allow Agents to revoke keys

15

3.0

Processing times available in performance reports


Network Configuration Information

The Network Configuration menu option shows network configuration settings for the KMA to which you are currently connected. These settings are established in the configuration screens described in "Using the OKM Console".

Displaying the Network Configuration

To display the network configuration, from the Local Configuration menu, select Network Configuration. The Network Configuration screen is displayed.

Surrounding text describes network_config_30.jpg.

The fields are described below:

Description

Displays whether the related information applies to the Management or Service Network Address.

Interface Name

The Management or Service Network Hostname established in the QuickStart program.

IP Address

The IP address of the Management or Service Network.

Netmask

The Subnet Mask address for the Management or Service Network.

DNS Server(s)

One or more DNS name servers (if any) used by this KMA.

DNS Domain Name

The DNS domain (if any) used by this KMA.

DNS Configured by DHCP

An indication whether these DNS settings were configured implicitly by DHCP.


Note:

When the Oracle Key Manager GUI is connected to an OKM 3.0 KMA, the Network Configuration Panel does not show the DNS Configured by DHCP checkbox. QuickStart displays DNS information acquired by DHCP, but the user must enter static DNS information or disable it entirely, as described in "Specifying the DNS Settings". Thus, the DNS Configured by DHCP checkbox does not appear.

Using DHCP

Indicates whether or not the Management or Service Network uses DHCP.

Destination

The subnet that network traffic goes to from this KMA.

Gateway

The Gateway IP address that network traffic is routed to for the Management or Service Network.

Modifiable

Indicates whether or not the Gateway configuration is modifiable. Gateways that are configured automatically are not modifiable.

Current Load Menu

This menu allows you to query load information about the KMA the GUI is connected to. All user roles can access this information.

Surrounding text describes current_load_menu.jpg.

Displaying Current Load

To display the current load, click Current Load on the Local Configuration menu.

Surrounding text describes current_load.jpg.

System Time Menu

The System Time menu option gives you the ability to set the system clock to which you are connected. To ensure the correct operation of the OKM solution, it is very important to maintain the times reported by each KMA in a Cluster within five minutes of each other. You can provide an IPv6 address for an external NTP server.

Surrounding text describes system_time_menu.jpg.

Retrieving the Local Clock Information

To retrieve the local clock information:

From the System Management menu, select System Time. The System Time screen is displayed.

Surrounding text describes system_time.jpg.

The fields and their descriptions are given below:

Current System Time

Displays the current system time.

System Time Retrieved At

Displays the local Client time when the KMA's system time was retrieved.

Adjust Time

Click this button to modify the system time.

If you want to modify the KMA's clock, click the Adjust Time button. For more information, refer to "Adjusting the KMA's Local Clock" below.

NTP Server

Displays the NTP server that this KMA uses (if any). The Security Officer can provide an IPv6 address for an external NTP server. This IPv6 address must not include square brackets or a prefix length.

Specify NTP Server

Click this button to specify the NTP server to be used by this KMA.

Adjusting the KMA's Local Clock

You can only adjust a KMA's clock once a day by a maximum of plus or minus 5 minutes. A positive (+) adjustment slowly moves the clock forward, whereas a negative (-) slowly moves the clock backward.

To adjust the KMA's local time:

  1. From the System Time menu, click the Adjust Time button. The Adjust System Time dialog box is displayed.

    Surrounding text describes adjust_system_time.jpg.
  2. Select the ”Move System Time Forward (+)” radio button if you want to apply a positive adjustment to the clock. Otherwise, select the ”Move System Time Backward(-)” radio button if you want to apply a negative adjustment to the clock.

  3. In the Offset Minutes text box, select a numeric value.

  4. In the Offset Seconds text box, select a numeric value.


    Note:

    If the specified offset is too large, an Error message is displayed, prompting you to type a smaller value. Click the OK button to close this dialog box and type a new value.

  5. Click the Save button to accept the changes. The System clock is adjusted.