This chapter describes the options in the OKM Console.
The OKM Console is a terminal text-based interface that allows you to configure basic functions of the KMA. It is accessed by physically connecting a video monitor and keyboard to the KMA or by the "remote console" function in the ELOM web browser interface (see "Accessing the KMA Through the Service Processor").
The OKM Console is automatically launched by the operating system when the KMA boots up and cannot be terminated by a user. Depending on the roles that a user is assigned, the options in the OKM Console differ.
Before you can log in to the OKM Console, the user accounts must be created in the OKM Manager. You must use the same user name/passphrase that was used for authentication in the OKM to log in to the OKM Console.
Note: Only the first Security Officer account is created when the QuickStart program is launched.
After the KMA boots up, the following information is displayed.
Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
Please enter your User ID:
At the prompt, type your user name and press <Enter>.
At the Please enter your Passphrase: prompt, type your passphrase and press <Enter>. Depending on the role(s) the user is assigned, the options on the OKM Console differ. The menu shows the version of the KMA and the logged on user.
User role operations are discussed on the following pages. They include:
Operator (see "Operator Role Functions")
Security Officer (see "Security Officer Role Functions")
Other Roles (see "Other Role Functions").
The following menu illustrates the options for an Operator role.
Oracle Key Manager Version 3.0.0 (build2020) -- OP on Strathclyde
------------------------------------------------------------
Please enter your User ID: OP
Please enter your Passphrase:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
------------------------------------------------------------
(1) Reboot KMA
(2) Shutdown KMA
(3) Technical Support
(4) Primary Administrator
(5) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
The following menu illustrates the options for a Security Officer role.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
Please enter your User ID: SO
Please enter your Passphrase:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
------------------------------------------------------------
(1) Log KMA Back into Cluster
(2) Set User's Passphrase
(3) Set KMA Management IP Addresses
(4) Set KMA Service IP Addresses
(5) Modify Gateway Settings
(6) Set DNS Settings
(7) Reset to Factory Default State
(8) Technical Support
(9) Primary Administrator
(10) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
Note: If the user has been assigned both Operator and Security roles, then the menu options are combined as follows:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
Please enter your User ID: SO
Please enter your Passphrase:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
------------------------------------------------------------
(1) Log KMA Back into Cluster
(2) Set User's Passphrase
(3) Set KMA Management IP Addresses
(4) Set KMA Service IP Addresses
(5) Modify Gateway Settings
(6) Set DNS Settings
(7) Reset to Factory Default State
(8) Technical Support
(9) Primary Administrator
(10) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
For all other roles, that is, Backup Operator, Compliance Officer, Auditor, and Quorum Member, a menu that is similar to the following is displayed. The only options available are to logout from the KMA and to set the keyboard layout.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
(1) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
This section describes the functions that an Operator can perform. They are:
Rebooting the KMA ("Rebooting the KMA")
Shutting down the KMA ("Shutting Down the KMA")
Disabling Technical Support ("Disabling the Technical Support Account")
Disabling the Primary Administrator ("Disabling the Primary Administrator")
Setting the keyboard layout ("Setting the Keyboard Layout")
Logging out of the KMA ("Logging Out").
The Operator's menu is shown below.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
Please enter your User ID: SO
Please enter your Passphrase:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
---------------------------------------------------------
(1) Reboot KMA
(2) Shutdown KMA
(3) Technical Support
(4) Primary Administrator
(5) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
Note: The Technical Support and Primary Administrator menu items appear only when their settings are currently enabled.
The Reboot KMA menu option allows an operator to stop and restart the KMA and reboot the operating system. This function is for troubleshooting purposes only.
To reboot the KMA:
At the Please enter your choice: prompt on the main menu, type 1 and press <Enter>. The following information is displayed, indicating that the support account is enabled.
Reboot KMA
-------------------------------------------------------
Press Ctrl-c to abort.
Are you sure that you want to reboot the KMA? [y/n]: y
At the prompt, type y and press <Enter>. The current OKM Console session terminates as the KMA starts to reboot. After the KMA reboots, the OKM Console login prompt is displayed.
This option allows you to terminate (shut down) all services on the KMA and to physically shut down the KMA itself.
Note: If the KMA has been shut down for at least a few hours and the Autonomous Unlock option is enabled, lock the KMA before rebooting the KMA. After recent updates have been propagated to this KMA, as shown by the Replication Lag Size in the KMA List panel, unlock the KMA. Refer to the following topics for detailed information: "Autonomous Unlock Option", "Lock/Unlock KMA", and "KMA List Menu".
To shut down the KMA:
At the Please enter your choice: prompt on the main menu, type 2 and press <Enter>. The following information is displayed, indicating that the support account is enabled.
Shutdown KMA
-------------------------------------------------------
Press Ctrl-c to abort
Are you sure that you want to shut down the KMA? [y/n]: y
At the prompt, type y and press <Enter>. The following information is displayed, indicating that the system is shutting down.
Shutting down...
The shutdown sequence is displayed. When it is finished, the following information is displayed.
Power down
The KMA is now powered off. The KMA can be powered on using either the power button or the ELOM remote power control function.
Note: This task can be enabled only by the Security Officer; it can be disabled by either an Operator or a Security Officer.
To disable the Technical Support account:
At the Please enter your choice: prompt on the main menu, type 3 and press <Enter>. The following information is displayed, indicating that the support account is enabled.
Technical Support
-------------------------------------------------------
Press Ctrl-c to abort.
The support account is currently ENABLED.
Would you like to DISABLE the support account? [y/n]: y
At the prompt, type y to disable the account and press <Enter>.
The following information is displayed, prompting you to confirm the change.
Are you sure that you want to DISABLE the support account?
[y/n]:
At the prompt, type y and press <Enter>. The SSH service automatically stops.
The Primary Administrator menu option allows you to enable/disable Primary Administrator access on the KMA.
Note: This task can be enabled only by the Security Officer; it can be disabled by either an Operator or a Security Officer.
Disabling Primary Administrator access takes place immediately. If someone is connected as a Primary Administrator, and then this access is disabled, the next command they attempt fails.
To disable Primary Administrator access:
At the Please enter your choice: prompt on the main menu, type 4 and press <Enter>. The following information is displayed, indicating that the access is enabled.
Primary Administrator
-------------------------------------------------------
Press Ctrl-c to abort.
The Primary Administrator role is currently ENABLED.
Would you like to DISABLE Primary Administrator privileges for the support account? [y/n]: y
Are you sure that you want to DISABLE these privileges for the support account? [y/n]: y
Primary Administrator configuration changes have been completed.
Press Enter to continue:
At the prompt, type y to disable the account and press <Enter>.
The following information is displayed, prompting you to confirm the change.
Are you sure that you want to DISABLE these privileges for the support account? [y/n]:
At the prompt, type y and press <Enter>. The Primary Administrator access has been disabled.
This option allows you to change the keyboard layout from English to a variety of languages.
Note: The keyboard layout should be set to match the layout of the keyboard attached to the KMA in order for the KMA to correctly interpret key presses.
To set the keyboard layout:
At the Please enter your choice: prompt on the main menu, type 5 and press <Enter>. The following keyboard layouts are displayed.
Set Keyboard Layout
-------------------------------------------------------
Press Ctrl-c to abort.
You may change the keyboard layout here.
Available keyboard layouts:
( 1) Arabic
( 2) Belgian
( 3) Brazilian
( 4) Canadian-Bilingual
( 5) Canadian-French
( 6) Danish
( 7) Dutch
( 8) Dvorak
( 9) Finnish
(10) French
(11) German
(12) Italian
(13) Japanese-type6
(14) Japanese
(15) Korean
(16) Latin-American
(17) Norwegian
(18) Portuguese
(19) Russian
(20) Spanish
(21) Swedish
(22) Swiss-French
(23) Swiss-German
(24) Traditional-Chinese
(25) TurkishQ
(26) UK-English
(27) US-English
The current layout is US-English
Please enter the number for the keyboard layout [27] :
The keyboard layout has been applied successfully.
Press Enter to continue:
At the Please enter the number for the keyboard layout: prompt, enter the number you want to change the keyboard layout to. The new keyboard layout is applied.
The following information is displayed. Press <Enter> to continue.
This section describes the functions that a Security Officer can perform. They are:
Logging the KMA into the Cluster ("Logging the KMA Back into the Cluster")
Setting a User's Passphrase ("Setting a User's Passphrase")
Setting the KMA Management IP addresses ("Setting the KMA Management IP Address")
Setting the KMA Service IP addresses ("Setting the KMA Service IP Addresses")
Modifying the Gateway settings ("Viewing/Adding/Deleting Gateways")
Specifying the DNS settings ("Specifying the DNS Settings")
Resetting the KMA to the Factory Default State ("Resetting the KMA to the Factory Default")
Enabling/Disabling Technical Support ("Enabling the Technical Support Account")
Enabling/Disabling the Primary Administrator ("Enabling the Primary Administrator")
Setting the keyboard layout ("Setting the Keyboard Layout")
Logging out of the KMA ("Logging Out").
The Security Officer's menu is shown below.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
------------------------------------------------------------
Please enter your User ID: SO
Please enter your Passphrase:
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
------------------------------------------------------------
(1) Log KMA Back into Cluster
(2) Set User's Passphrase
(3) Set KMA Management IP Addresses
(4) Set KMA Service IP Addresses
(5) Modify Gateway Settings
(6) Set DNS Settings
(7) Reset to Factory Default State
(8) Technical Support
(9) Primary Administrator
(10) Set Keyboard Layout
(0) Logout
------------------------------------------------------------
Please enter your choice:
This menu option allows a Security Officer to log the KMA back into the Cluster after its passphrase has been changed.
Note: If the KMA has been logged out of the cluster for at least a few hours, then lock the KMA before logging the KMA back into the cluster. After recent updates have been propagated to this KMA, as shown by the Replication Lag Size in the KMA List panel, unlock the KMA. Refer to the following topics for detailed information: "Lock/Unlock KMA" and "KMA List Menu".
Before you can perform this task:
Bring up the OKM Manager.
Log in to an existing KMA as a Security Officer.
Navigate to the KMA List panel.
Create a KMA entry.
To log the KMA into the Cluster:
At the Please enter your choice: prompt on the main menu, type 1 and press <Enter>. The following information is displayed.
Log KMA Back into Cluster
-------------------------------------------------------
Press Ctrl-c to abort.
Please enter the Management Network IP Address of an existing KMA in the cluster:
The KMA Passphrase is a Passphrase that you have previously configured for this KMA to join a Cluster.
Please enter this KMA's Passphrase:
Log in to an existing KMA as a Security Officer.
At the prompt, type the passphrase that was originally configured for the KMA to join the Cluster, and press <Enter>.
This command requires authorization by a quorum of Key Split Users.
Enter sufficient Key Split credentials to form a quorum.
Enter a blank name to finish.
Press Ctrl-c to abort.
Please enter Key Split User Name #1:
Please enter Key Split Passphrase #1:
Press Enter to continue:
Enter the first Key Split user name established during QuickStart for the first KMA in the OKM Manager Modify Key Split Credentials function (refer to "Modifying the Key Split Configuration").
Note: The Security Officer needs to know how many Key Split users to enter, that is, what the Key Split Threshold is. In this example, the Key Split Threshold is 2.
Type the passphrase for the Key Split user, and press <Enter>.
This command requires authorization by a quorum of Key Split Users.
Enter sufficient Key Split credentials to form a quorum.
Enter a blank name to finish.
Press Ctrl-c to abort.
Please enter Key Split User Name #2:
Please enter Key Split Passphrase #2:
Press Enter to continue:
Enter the second Key Split user name.
Type the passphrase for the Key Split user, and press <Enter>.
This command requires authorization by a quorum of Key Split Users.
Enter sufficient Key Split credentials to form a quorum.
Enter a blank name to finish.
Press Ctrl-c to abort.
Please enter Key Split User Name #3:
Are you sure that you want to log the KMA back into the Cluster?
[y/n]: n
Press Enter to continue:
Press <Enter> next to Key Split User Name #3 to end Key Split user authorization.
Type n, and press <Enter>.
This menu option allows a Security Officer to set the passphrase for any user, including the Security Officer.
To set a user's passphrase:
1. At the Please enter your choice: prompt on the main menu, type 2 and press <Enter>. The following information is displayed.
Set User's Passphrase
-------------------------------------------------------
Press Ctrl-c to abort.
Please enter the User Name:
2. At the prompt, type the name of the user and press <Enter>. The following information is displayed.
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User Name.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter the desired Passphrase:
Please re-enter the desired Passphrase:
Press Enter to continue:
3. At the prompt, type the passphrase and press <Enter>.
4. At the Please re-enter the desired Passphrase: prompt, type the same passphrase and press <Enter>. The following information is displayed, indicating that the passphrase is set.
Press Enter to continue:
If you tried to change the passphrase of another user, the following information is displayed:
This command requires authorization by a quorum of Key Split Users.
Enter sufficient Key Split credentials to form a quorum.
Enter a blank name to finish.
-------------------------------------------------------
Press Ctrl-c to abort.
Please enter Key Split User Name #1:
5. Enter the first Key Split user name and press <Enter>.
Please enter Key Split Passphrase #1:
Press Enter to continue:
6. Enter the first Key Split passphrase and press <Enter>.
7. Repeat Step 5 and Step 6 until you have entered a sufficient number of Key Split user names to form a quorum.
8. Press <Enter> next to the Key Split User Name prompt to end Key Split user authorization.
Note: If you do not enter a sufficient quorum of Key Split credentials, the Setting a User's Passphrase process becomes a pending quorum operation. See "Pending Quorum Operation List Menu" for more information.
9. Press <Enter> to return to the main menu.
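The passphrase rules printed by the Set User's Passphrase screen can be checked before a candidate passphrase is typed at the console. The following Python check is an added example, not Oracle code: the function names, the case-insensitive user-name comparison, and the way characters are sorted into the four classes are assumptions, and the KMA remains the authority on what it accepts.

```python
"""Added example: pre-check a candidate passphrase against the rules that the
Set User's Passphrase screen prints. Not part of the OKM product."""

MIN_LENGTH = 8        # QuickStart default; a configurable security parameter
MAX_LENGTH = 64       # upper bound printed by the console
REQUIRED_CLASSES = 3  # "3 of 4 character classes"


def character_classes(passphrase):
    """Return the set of character classes that occur in the passphrase.

    Assumption: anything that is not an uppercase letter, a lowercase letter
    or a digit counts as "other" (punctuation, white space, symbols).
    """
    classes = set()
    for ch in passphrase:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("numeric")
        else:
            classes.add("other")
    return classes


def check_passphrase(passphrase, user_name, min_length=MIN_LENGTH):
    """Return a list of rule violations; an empty list means all rules pass.

    min_length can be raised to match a site whose passphrase minimum length
    security parameter has been changed from the QuickStart default of 8.
    """
    violations = []

    if not min_length <= len(passphrase) <= MAX_LENGTH:
        violations.append(
            f"length {len(passphrase)} is outside {min_length}-{MAX_LENGTH}"
        )

    # Assumption: compare case-insensitively, which is the stricter reading
    # of "must not contain the User's User Name".
    if user_name and user_name.casefold() in passphrase.casefold():
        violations.append("contains the user name")

    present = character_classes(passphrase)
    if len(present) < REQUIRED_CLASSES:
        violations.append(
            f"uses {len(present)} character classes, "
            f"{REQUIRED_CLASSES} required"
        )

    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    samples = [
        ("SO", "Tape-Vault-2024"),
        ("operator", "Operator7Backup"),
        ("SO", "alllowercaseonly"),
    ]
    for user, candidate in samples:
        problems = check_passphrase(candidate, user)
        print(user, "->", "ok" if not problems else "; ".join(problems))
```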
This option modifies the Management address settings for the KMA. Initially, this information is set in the QuickStart program (see "Specifying the Network Configuration"), and can be changed here.
In a large, multi-site Cluster, drives can connect only to a subset of all the KMAs in the Cluster. The following caution applies to the set of KMAs the drive can connect to.
Caution: This function should be used carefully. If you change the information for one KMA, all the other KMAs receive the updates immediately, assuming they are connected. If the KMA is disconnected, it updates the other KMAs when it is able to reconnect. However, if for example you have two KMAs that are not connected to each other (network outage), and you change both IP addresses, they will not be able to reconnect when the network is repaired. In this case, you must use the procedure for "Logging the KMA Back into the Cluster" on one KMA to reconnect it with the other, and the Passphrase must be updated first. For example, if KMAs A and B are disconnected, and you change both IP addresses, then you must log into A and change B's passphrase. Then log into B's console and use the procedure for "Logging the KMA Back into the Cluster" to re-attach it to A. Care must also be taken with tape drives. Tape drives do not automatically receive the updated IP information; they only get updated IP information when a tape is mounted. Thus, if you are in a typical environment where tape jobs only run at night, and you change all the KMAs' IP addresses during the day, the drives will not be able to communicate with any KMA. If this happens, the drives must be re-enrolled with the OKM Cluster. To avoid this, change KMA IP addresses one at a time, wait for all drives to receive the change, then change the next.
To set the KMA Management IP addresses:
1. At the Please enter your choice: prompt on the main menu, type 3 and press <Enter>.
The current KMA Management IP address settings are displayed. The IPv6 address fields are blank when the KMA is not configured to use IPv6 addresses.
Set KMA Management IP Addresses
-------------------------------------------------------
Press Ctrl-c to abort.
An IP Address configuration must be defined in order for the
KMA to communicate with other KMAs or Users in your system.
Current settings:
Management Configuration : Static
Management IP Address : 10.172.180.39
Management Subnet Mask : 255.255.254.0
Management IPv6 Addresses: 2001:DB8::/32
Do you want to configure the Management Network interface to have an IPv6 address? [y/n]:
Do you want to use DHCP to configure the Management Network IPv4 interface? [y/n]:
Please enter the Management Network IP Address [10.172.180.39]:
Please enter the Management Network Subnet Mask [255.255.254.0]:
Are you sure that you want to commit these changes? [y/n]: y
2. Type either n or y at the Do you want to configure the Management Network interface to have an IPv6 address prompt.
3. Type either n or y at the Do you want to use DHCP to configure the Management Network IPv4 interface prompt. If you type n, go to Step 4. If you type y, go to Step 6.
4. At the prompt, type the Management Network IP address and press <Enter>.
5. At the Please enter the Management Network Subnet Mask: prompt, type the subnet mask address (for example, 255.255.254.0) and press <Enter>.
6. Type y at the Are you sure that you want to commit these changes? [y/n]: prompt.
This option modifies the Service address settings for the KMA. Initially, this information is set in the QuickStart program (see "Specifying the Network Configuration"), and can be changed here.
In a large, multi-site Cluster, drives may only have connections to a subset of all the KMAs in the Cluster. This caution applies to the set of KMAs the drive can connect to.
Caution: This function should be used carefully. If you change the information for one KMA, all the other KMAs receive the updates immediately, assuming they are connected. If the KMA is disconnected, it updates the other KMAs when it is able to reconnect. However, if for example you have two KMAs that are not connected to each other (network outage), and you change both IP addresses, they will not be able to reconnect when the network is repaired. In this case, you must use the procedure for "Logging the KMA Back into the Cluster" on one KMA to reconnect it with the other, and the Passphrase must be updated first. For example, if KMAs A and B are disconnected, and you change both IP addresses, then you must log into A and change B's passphrase. Then log into B's console and use the procedure for "Logging the KMA Back into the Cluster" to re-attach it to A. Care must also be taken with tape drives. Tape drives do not automatically receive the updated IP information; they only get updated IP information when a tape is mounted. Thus, if you are in a typical environment where tape jobs only run at night, and you change all the KMAs' IP addresses during the day, the drives will not be able to communicate with any KMA. If this happens, the drives must be re-enrolled with the OKM Cluster. To avoid this, change KMA IP addresses one at a time, wait for all drives to receive the change, then change the next.
The current KMA Service IP address settings are displayed. The IPv6 address fields are blank when the KMA is not configured to use IPv6 addresses.
Set KMA Service IP Addresses
------------------------------------------------------------
Press Ctrl-c to abort.
An IP Address configuration must be defined in order for the
KMA to communicate with other Agents in your system.
Current settings:
Service Configuration : Static
Service IP Address : 192.168.1.39
Service Subnet Mask : 255.255.255.0
Service IPv6 Addresses: 2001:DB8::/32
Do you want to configure the Service Network interface to have an IPv6 address?
[y/n]:
Do you want to use DHCP to configure the Service Network IPv4 interface? [y/n]:
Please enter the Service Network IP Address [192.168.1.39]:
Please enter the Service Network Subnet Mask [255.255.255.0]:
Are you sure that you want to commit these changes? [y/n]: y
1. At the Please enter your choice: prompt on the main menu, type 4 and press <Enter>.
2. Type either n or y at the Do you want to configure the Service Network interface to have an IPv6 address prompt.
3. Type either n or y at the Do you want to use DHCP to configure the Service Network IPv4 interface prompt. If you type n, go to Step 4. If you type y, go to Step 6.
4. At the prompt, type the Service Network IP address and press <Enter>.
5. At the Please enter the Service Network Subnet Mask: prompt, type the subnet mask address (for example, 255.255.255.0) and press <Enter>.
6. Type y at the Are you sure that you want to commit these changes? [y/n]: prompt.
This menu option shows the current gateway settings (five gateways to a page) on the Management (M) and Service (S) network interfaces and asks the user to add a gateway, remove a gateway, or accept the current gateway configuration.
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   # Destination      Gateway          Netmask               IF
---- ---------------- ---------------- --------------------- --
   1 default          10.172.181.254   0.0.0.0               M
   2 default          10.172.181.21    0.0.0.0               M
   3 default          192.168.1.119    0.0.0.0               S
   4 10.0.0.0         10.172.180.25    255.255.254.0         M
*  5 10.80.180.0      10.172.180.39    255.255.254.0         M
Press Enter to continue:
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   # Destination      Gateway           Netmask             IF
---- ---------------- ----------------- ------------------- --
*  6 192.168.1.0      192.168.1.39      255.255.255.0       S
   7 192.168.25.0     10.172.180.25     255.255.255.0       M
   8 192.168.26.0     10.172.180.25     255.255.255.0       M
*  9 127.0.0.1        127.0.0.1         255.255.255.255
* 10 fe80::           2001:db8::/32     10                  M
(1) Continue (2) Back
1
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   # Destination                 Gateway                     Netmask         IF
---- --------------------------- --------------------------- --------------- --
* 11 fe80::                      fe80::216:36ff:feca:15b9    10              S
You can add a route, delete a route, or exit the gateway configuration.
Please choose one of the following:
(1) Add a gateway
(2) Remove a configured gateway (only if modifiable)
(3) Exit gateway configuration
(4) Display again
3
At the Please enter your choice: prompt on the main menu, type 5 and press <Enter>.
At the (1)Continue (2)Back prompt, type 1 to display the next few gateways or 2 to display the previous few gateways.
When the last gateways are displayed, at the Please choose one of the following: prompt, type 1, 2, 3, or 4 and press <Enter>.
Note: If at any time the user presses Ctrl+c, no changes are saved and the user is returned to the main menu.
This menu option shows the DNS settings, and prompts the user for a new DNS domain (if you want to configure one) and the DNS server IP addresses.
Set DNS Configuration
------------------------------------------------------------
Press Ctrl-c to abort.
DNS configuration is optional, but necessary if this KMA will be configured using hostnames instead of IP addresses.
Current DNS configuration:
Domain: example.com
Nameservers: 10.172.0.5
Please enter the DNS Domain (blank to unconfigure DNS): example.com
Up to 3 DNS Name Servers can be entered.
Enter each name server separately, and enter a blank name to finish.
Please enter DNS Server IP Address #1: 10.172.0.5
Please enter DNS Server IP Address #2:
At the Please enter your choice: prompt on the main menu, type 6 and press <Enter>.
Enter the DNS domain name at the Please enter the DNS Domain (blank to unconfigure DNS): prompt.
Enter the DNS server IP address at the Please enter DNS Server IP address prompt. You can enter up to three IP addresses.
Press <Enter>, without specifying an IP address, to finish.
This menu option allows a Security Officer to reset the KMA to its factory default state.
WARNING: The reset is not recoverable; the information on the KMA is gone.
This is a destructive process that results in the loss of all data that is stored on the hard disk. The system is forced to reboot and the file systems are reformatted and prepared to use the new encryption keys.
To reset the KMA to the factory default:
At the Please enter your choice: prompt on the main menu, type 7 and press <Enter>. The following information is displayed.
Reset to Factory Default State
------------------------------------------------------------
Press Ctrl-c to abort.
WARNING: All information stored on this KMA will be destroyed!
Access to all protected data will be lost unless a backup of the Cluster data has been created or Cluster Peer KMAs are present.
Please consult the OKM Administration Guide before proceeding with this operation.
The system will be rebooted after the KMA is reset.
Are you sure that you want to reset the KMA to the Factory Default State?
Type RESET to confirm:
At the Type RESET to confirm prompt, type RESET and press <Enter>. The following information is displayed, indicating that the KMA is resetting.
Resetting...
Once the authentication is completed, you are returned to QuickStart. See "Running the QuickStart Program".
The Technical Support menu option allows an operator to enable/disable the Operating System's support account and SSH access for that account. By default, both the Technical Support account and SSH access are disabled. Since an operator defines the passphrase for the support account, enabling the support account grants the OKM Console user limited access to the KMA.
To enable the Technical Support account:
At the Please enter your choice: prompt on the main menu, type 8 and press <Enter>. The following information is displayed, indicating that the support account is disabled.
Technical Support
-------------------------------------------------------
Press Ctrl-c to abort.
The support account is currently DISABLED.
************************* WARNING *********************
Enabling the support account and SSH access is a SECURITY RISK.
These settings should not be left enabled unless required for
troubleshooting purposes.
Ensure that this account is disabled when not required.
*******************************************************
Would you like to ENABLE the support account? [y/n]: y
At the Are you sure that you want to ENABLE the support account and assume this security risk? [y/n]
prompt, type y to enable the account and press <Enter>. Enabling SSH access allows Technical Support to diagnose a problem remotely.
At the prompt, type y and press <Enter>. The following information is displayed, indicating the purpose of SSH Host keys.
When a Technical Support representative connects to the KMA using SSH, SSH host keys must be verified via an alternative secure communication channel in order to detect a potential ”man-in-the-middle” attack. Please record and store these SSH host keys securely. SSH host keys are generated when SSH is enabled for the first time. They may be subsequently regenerated to invalidate the existing SSH host keys.
The following screen asks you to regenerate the SSH keys and provide a passphrase for the support account.
Ensure that this account is disabled when not required. ************************************************************ Would you like to ENABLE the support account? [y/n]: y Are you sure that you want to ENABLE the support account andassume this security risk? [y/n]: y When someone connects to the KMA using SSH, the KMA verifies SSH host keys via an alternative secure communication channel in order to detect a potential "man-in-the-middle" attack. SSH host keys are generated the first time you enable the support account. They may be regenerated later in order to invalidate the existing SSH host keys. Would you like to regenerate the SSH host keys? [y/n]: y A Passphrase for the support account must be at least 8characters and at most 64 characters in length. It must have at least 2 alphanumeric characters (1 upperand 1 lower) and at least 1 non-alphanumeric characters. A Passphrase may contain white space. Passwords must be unique within the last 10 settings, and may not contain the account name (support). Please enter a Passphrase for the support account: The maximum age of the Passphrase of the support account is the maximum number of days that this Passphrase is valid. When this age has been reached, then the support account is disabled. This number must be greater than 0 and no more than 7. Please enter the maximum age of this Passphrase: 2
At the Would you like to regenerate the SSH host keys? prompt, type y and press <Enter>.
Enter a passphrase at the Please enter a Passphrase for the support account: prompt.
Note: The passphrase must be at least as long as the passphrase minimum length security parameter. This value is set to 8 during the QuickStart program, but you can change it later in the OKM Manager GUI. See "Modifying the Security Parameters".
Enter the maximum number of days the passphrase is valid.
Press <Enter> to return to the main menu.
Press Enter to continue:
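As an added illustration (not part of the Oracle documentation), the following Python sketch shows the comparison behind the out-of-band host key check described above: the key presented over SSH is fingerprinted and compared with the value recorded when the support account was enabled. It assumes the host key was recorded as an OpenSSH-style SHA256 fingerprint; the function names and the sample keys are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64_blob = fields[0], fields[1]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was truncated or altered before it reached the verifier.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(presented_line: str, recorded_fingerprint: str) -> bool:
    """True only if the presented key matches the securely recorded fingerprint."""
    try:
        presented = fingerprint(presented_line)
    except ValueError:  # malformed base64 also raises a ValueError subclass
        return False
    return hmac.compare_digest(presented.encode(),
                               recorded_fingerprint.strip().encode())


def sample_key(seed: bytes) -> str:
    """Constructed ssh-ed25519 public key line (sample data, not a real KMA key)."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for the key
    blob = (struct.pack(">I", len(name)) + name +
            struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " kma-sample"


if __name__ == "__main__":
    recorded = fingerprint(sample_key(b"recorded when support was enabled"))
    # Same host key as recorded: the connection can be trusted.
    print(verify_host_key(sample_key(b"recorded when support was enabled"), recorded))
    # Host keys regenerated (or an interposed host): the old record no longer matches.
    print(verify_host_key(sample_key(b"regenerated later"), recorded))
```

Because regenerating the SSH host keys invalidates the existing ones, the recorded fingerprint has to be replaced each time you answer y at the regenerate prompt.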
Note: This task can be enabled only by the Security Officer; it can be disabled by either an Operator or a Security Officer.
To disable the Technical Support account:
At the Please enter your choice: prompt on the main menu, type 8 and press <Enter>. The following information is displayed, indicating that the support account is enabled.
Technical Support
-------------------------------------------------------
Press Ctrl-c to abort.
The support account is currently ENABLED.
Would you like to DISABLE the support account? [y/n]: y
At the prompt, type y to disable the account and press <Enter>.
The following information is displayed, prompting you to confirm the change.
Are you sure that you want to DISABLE the support account? [y/n]:
At the prompt, type y and press <Enter>. The SSH service automatically stops.
The Primary Administrator menu option allows you to enable/disable Primary Administrator access on the KMA.
To enable Primary Administrator access, you must first enable Technical Support (option 8).
This task can be enabled only by the Security Officer; it can be disabled by either an Operator or a Security Officer.
Caution: The Primary Administrator function allows someone logged in as Technical Support to gain Primary Administrator access, equivalent to root access. Since the passphrase for the Primary Administrator is known only by Oracle Support, only someone from Oracle Support can gain Primary Administrator access. While dangerous, this may be necessary in some situations to recover the system from a problem; however, you may need direct guidance from back line support or engineering.
To enable Primary Administrator access:
At the Please enter your choice: prompt on the main menu, type 9 and press <Enter>. The following information is displayed, indicating that the access is disabled.
Primary Administrator
-------------------------------------------------------
Press Ctrl-c to abort.
The Primary Administrator role is currently DISABLED.
************************** WARNING ********************
Providing the support account with Primary Administrator
privileges is a SECURITY RISK. This setting should not be
left enabled unless required for troubleshooting purposes.
Ensure that these privileges are disabled when not required.
*******************************************************
Would you like to ENABLE Primary Administrator privileges
for the support account? [y/n]: y
Are you sure that you want to ENABLE these privileges for
the support account, assuming this security risk? [y/n]: y
Primary Administrator configuration changes have been completed.
Press Enter to continue:
At the prompt, type y to enable the account and press <Enter>.
The following information is displayed, prompting you to confirm the change.
Are you sure that you want to ENABLE these privileges for the support account, assuming this security risk? [y/n]:
At the prompt, type y and press <Enter>. The Primary Administrator access has been enabled.
The Primary Administrator menu option allows you to enable/disable Primary Administrator access on the KMA.
Note: This task can be enabled only by the Security Officer; it can be disabled by either an Operator or a Security Officer.
Disabling Primary Administrator access takes place immediately. If someone is connected as a Primary Administrator, and then this access is disabled, the next command attempted fails.
To disable Primary Administrator access:
At the Please enter your choice: prompt on the main menu, type 9 and press <Enter>. The following information is displayed, indicating that the access is enabled.
Primary Administrator
-------------------------------------------------------
Press Ctrl-c to abort.
The Primary Administrator role is currently ENABLED.
Would you like to DISABLE Primary Administrator privileges
for the support account? [y/n]: y
Are you sure that you want to DISABLE these privileges for
the support account? [y/n]: y
Primary Administrator configuration changes have been completed.
Press Enter to continue:
At the prompt, type y to disable the account and press <Enter>.
The following information is displayed, prompting you to confirm the change.
Are you sure that you want to DISABLE these privileges for the support account? [y/n]:
At the prompt, type y and press <Enter>. The Primary Administrator access has been disabled.
This option allows you to change the keyboard layout from English to a variety of languages.
Note: The keyboard layout should be set to match the layout of the keyboard attached to the KMA in order for the KMA to correctly interpret key presses.
To set the keyboard layout:
At the Please enter your choice: prompt on the main menu, type 7 and press <Enter>. The following keyboard layouts are displayed.
Set Keyboard Layout
-------------------------------------------------------
Press Ctrl-c to abort.
You may change the keyboard layout here.
Available keyboard layouts:
( 1) Arabic
( 2) Belgian
( 3) Brazilian
( 4) Canadian-Bilingual
( 5) Canadian-French
( 6) Danish
( 7) Dutch
( 8) Dvorak
( 9) Finnish
(10) French
(11) German
(12) Italian
(13) Japanese-type6
(14) Japanese
(15) Korean
(16) Latin-American
(17) Norwegian
(18) Portuguese
(19) Russian
(20) Spanish
(21) Swedish
(22) Swiss-French
(23) Swiss-German
(24) Traditional-Chinese
(25) TurkishQ
(26) UK-English
(27) US-English
The current layout is US-English
Please enter the number for the keyboard layout [27] :
The keyboard layout has been applied successfully.
Press Enter to continue:
At the Please enter the keyboard layout [US-English]: prompt, enter the language you want to change the keyboard layout to.
At the prompt, type y and press <Enter>. The following information is displayed, indicating that the change has been made. Press <Enter> to return to the main menu.
The keyboard layout has been applied successfully.
Press Enter to continue:
This section describes the functions the other roles (Compliance Officer, Backup Operator, Auditor, Quorum Member) can perform. They are:
Setting the keyboard layout ("Setting the Keyboard Layout")
Logging out of the KMA ("Logging Out").
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
----------------------------------------------------------
(1) Set Keyboard Layout
(0) Logout
----------------------------------------------------------
Please enter your choice:
This option allows you to change the keyboard layout from English to a variety of languages.
Note: The keyboard layout should be set to match the layout of the keyboard attached to the KMA in order for the KMA to correctly interpret key presses.
To set the keyboard layout:
At the Please enter your choice: prompt on the main menu, type 1 and press <Enter>. The following keyboard layouts are displayed.
Set Keyboard Layout
-------------------------------------------------------
Press Ctrl-c to abort.
You may change the keyboard layout here.
Available keyboard layouts:
( 1) Arabic
( 2) Belgian
( 3) Brazilian
( 4) Canadian-Bilingual
( 5) Canadian-French
( 6) Danish
( 7) Dutch
( 8) Dvorak
( 9) Finnish
(10) French
(11) German
(12) Italian
(13) Japanese-type6
(14) Japanese
(15) Korean
(16) Latin-American
(17) Norwegian
(18) Portuguese
(19) Russian
(20) Spanish
(21) Swedish
(22) Swiss-French
(23) Swiss-German
(24) Traditional-Chinese
(25) TurkishQ
(26) UK-English
(27) US-English
The current layout is US-English
Please enter the number for the keyboard layout [27] :
The keyboard layout has been applied successfully.
Press Enter to continue:
At the Please enter the keyboard layout [US-English]: prompt, enter the language you want to change the keyboard layout to.
At the prompt, type y and press <Enter>. The following information is displayed, indicating that the change has been made. Press <Enter> to return to the main menu.
The keyboard layout has been applied successfully.
Press Enter to continue: