This chapter gives detailed instructions for connecting to the KMA using the OKM Manager. It also gives instructions for using the other options on the System menu.
Important – Before connecting to a KMA, at least one Cluster profile must exist and a user must be created and enabled on the KMA.
This section gives procedures for connecting to the KMA using the OKM Manager. If this is the first time that you are connecting to the KMA, you must first define a Cluster profile. On subsequent occasions, you can connect to the KMA using the Cluster profile that you created. The OKM Manager uses the Cluster profile information to initiate communications with a Cluster (the KMA IP address).
To create a Cluster profile:
From the System menu, select Connect or, from the Tool bar, click the Connect button. The Connect to Cluster dialog box is displayed. If you have a pre-existing profile, the Cluster profile name and its IP address are displayed in the Cluster Name and IP Address fields, respectively.
Click the New Cluster Profile button. The Create Cluster Profile dialog box is displayed.
Complete the following parameters:
Cluster Name
Type a value that uniquely identifies the Cluster profile name.
Initial IP Address or Host Name
Type the Service Network IP address or Host Name of the initial KMA in this Cluster to connect to. Which network to use depends on the network to which the computer running the OKM Manager is connected.
Note: You only have to create a single Cluster profile, because it covers the entire Cluster and can be used by any user (of the Agent). The only reasons to create another Cluster profile are that you want to establish a second Cluster, or that you have changed the IP addresses of all KMAs in the current Cluster.
Click the OK button. The Connect to Cluster dialog box is displayed with the Cluster profile information you created.
Complete the following parameters and click the Connect button:
User ID
Type the name of the user who will connect to the specified KMA, or, if this is the first time that you are connecting to the KMA after performing the initial QuickStart process, type the name of the Security Officer created during the QuickStart.
Passphrase
Type the passphrase for the selected user.
Cluster Name
Select the Cluster to connect to.
Member KMAs
Select the KMA to connect to within that Cluster.
IP Preference
Select the Internet Protocol version you want, IPv4 only, IPv6 only, or IPv6 preferred.
If a KMA has joined the Cluster after you have connected to that Cluster, that KMA does not appear in the Member KMAs list. To update the list, enter the user name and passphrase, choose a Cluster profile, and click the Refresh KMAs button.
Important – The KMA authenticates the user ID and passphrase. The returned list of KMA IP addresses is used to populate the Cluster profile and is stored on the host. The next time you connect to the KMA, you can enter the user name and passphrase, choose a Cluster profile, and select a KMA.
If the connection is successful, the Status bar of the OKM Manager GUI displays the user name and alias, the KMA's connection status (Connected), and the KMA's IP address.
You can now use the OKM Manager to perform various operations. See Chapter 5 through Chapter 9 for the operations that various user roles can perform.
Note: Depending on the role assignment, the tasks in the KMA Management Operations Tree pane differ.
To delete a Cluster profile:
From the Connect to Cluster dialog box, click the down-arrow beside the Cluster Name field, highlight the Cluster profile that you want to delete and click the Delete Cluster Profile button. The Delete Cluster Profile dialog box is displayed, prompting you to confirm that you want to delete the selected Cluster profile.
Click the Yes button to delete the Profile. The Cluster Profile is deleted and you are returned to the Connect to Cluster dialog box.
To disconnect from the KMA:
From the System menu, select Disconnect or, from the Tool bar, click Disconnect. You are immediately disconnected from the KMA and the OKM Cluster. The session Audit Log pane indicates the date and time when you disconnected from the KMA.
Note: This menu option is only enabled if you are connected to a KMA using a profile.
This function allows users to change their own passphrases. This function does not invalidate a user's current certificate.
To change a connected user's passphrase:
From the System menu, select Change Passphrase.... The Change Passphrase dialog box is displayed.
Complete the following parameters and click the OK button:
Old Passphrase
Type the user's old passphrase.
New Passphrase
Type the user's new passphrase.
Confirm New Passphrase
Retype the same passphrase.
The following message is displayed in the session Audit Log pane, indicating the date and time when you changed the user's passphrase.
This function allows you to export certificates that can be used by the OKM Command Line utility (refer to "OKM Command Line Utility").
The Root CA Certificate is a public certificate saved in PEM format and can be used for Command Line Interface (CLI) operations as a PEM file.
The Client Certificate can be saved in either PEM format or PKCS#12 format. The PEM format contains the certificate and the unencrypted private key. A Client Certificate saved in this format can be used for CLI operations as a PEM file.
The PKCS#12 format is encrypted. A Client Certificate saved in this format must be converted to PEM format before being used for CLI operations (see "Converting PKCS#12 Format to PEM Format"). A password to use for encryption is required to save a Client Certificate in PKCS#12 format. This password must contain at least 8 characters.
Note: You should store these certificate files in a secure location with sufficient permissions to restrict access by other users. If you save the Client Certificate in PKCS#12 format, then you must retain the password.
To save the certificates:
From the System menu, select Save Certificates.
Note: The Save Certificates menu option is enabled only if the user is connected to a KMA.
The Save Certificates dialog is displayed, with automatically-generated filenames for the Root CA Certificate and the Client Certificates.
You can edit these filenames directly, or click Browse to select a different destination path and edit the filenames there.
In the Format field, select the format that the Client Certificate should be in when it is exported.
If you selected the PKCS#12 format, type a passphrase in the Passphrase field and retype this passphrase in the Confirm Passphrase field.
Click OK to export these certificates. When these certificates have been exported, a message is displayed, indicating the locations of these files.
Click Cancel to close this dialog and return to the previous screen.
If you saved the Client Certificate in PKCS#12 format, then you must convert it to PEM format before you can use it with the OKM Command Line utility. Use the openssl utility to convert it.
The openssl utility appears in the OpenSSL directory under the directory where the OKM Manager GUI and the OKM Command Line utility are installed.
The syntax is:
openssl pkcs12 -in PKCS12file -out PEMfile -nodes
For example:
openssl pkcs12 -in KeyTransferOperator.p12 \
  -out KeyTransferOperator.pem -nodes
Enter Import Password:
The -nodes argument is necessary to export the private key. Because the resulting PEM file contains the private key without password protection, manage this file appropriately (for example, restrict its file permissions so that other users cannot read it).
Note: The Import Password can optionally be specified on the command line using the -passin parameter, if required.
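The conversion above, worked through end to end as an added example (this script is not part of the OKM documentation or product): it builds a throwaway PKCS#12 bundle from a self-signed certificate so that it runs offline, converts it with openssl pkcs12 -nodes while supplying the import password through -passin env: instead of as a literal on the command line, and creates the PEM file owner-readable only, because it holds the unencrypted private key. It assumes the openssl command-line utility is on PATH; the subject name, file names and the password demo-password-1 are constructed for the demo and are not OKM values.

```shell
#!/bin/sh
# Added example, not part of the OKM documentation: convert a PKCS#12 Client
# Certificate to the PEM form the OKM Command Line utility uses, while keeping
# the unencrypted private key from being readable by other users.
# Assumes the openssl command-line utility is on PATH.
set -eu

# Convert a PKCS#12 bundle to PEM (certificate plus unencrypted private key,
# which is what -nodes produces). The import password is read from the
# exported environment variable P12_PASS via -passin env:, so it does not
# appear in the process list the way a literal -passin pass:... would.
# Usage: export P12_PASS=...; p12_to_pem <in.p12> <out.pem>
p12_to_pem() {
    in_file=$1
    out_file=$2
    # umask 077 in a subshell makes openssl create the PEM file as mode 0600
    # without changing the umask of the calling shell.
    ( umask 077 && openssl pkcs12 -in "$in_file" -out "$out_file" \
        -nodes -passin env:P12_PASS )
}

# Succeed (exit 0) only if the PEM file holds a certificate and a private key
# and that key is not encrypted, i.e. it is in the form the CLI can load.
pem_is_usable() {
    f=$1
    grep -q 'BEGIN CERTIFICATE' "$f" \
        && grep -q 'PRIVATE KEY' "$f" \
        && ! grep -q 'ENCRYPTED' "$f"
}

# Print the octal permission bits of a file (GNU stat, then BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway PKCS#12 bundle in DIR so the example runs offline.
# The subject name and the password demo-password-1 are constructed for this
# demo; they are not OKM values. Prints the path of the .p12 file.
make_demo_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=demo-key-transfer-operator' \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    P12_PASS=demo-password-1 openssl pkcs12 -export \
        -inkey "$dir/demo.key" -in "$dir/demo.crt" \
        -out "$dir/demo.p12" -passout env:P12_PASS
    rm -f "$dir/demo.key"   # only the password-protected PKCS#12 copy remains
    printf '%s\n' "$dir/demo.p12"
}

# Stand-alone run ("sh script.sh demo"): build the demo bundle, convert it,
# and report whether the PEM is usable and how it is protected.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    p12=$(make_demo_p12 "$work")
    export P12_PASS=demo-password-1
    p12_to_pem "$p12" "$work/demo.pem"
    pem_is_usable "$work/demo.pem" \
        && echo "PEM usable, file mode $(file_mode "$work/demo.pem")"
    rm -rf "$work"
fi
```

The env: form of -passin is a standard OpenSSL password source (file: is another); either keeps the import password out of shell history and process listings, which a bare -passin pass:... does not. The umask is applied in a subshell so only the PEM file is affected, and pem_is_usable is a cheap post-conversion check that the key really was written unencrypted, since an encrypted key in the PEM would cause the CLI to fail later rather than at conversion time.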
To specify the configuration settings:
From the System menu, select Options.... The Options dialog box is displayed, showing the current configuration settings.
Note: The options selected are stored in the Windows Registry or in "~/.KMS Manager" for other platforms (where ~ is the user's home directory). The Windows Registry key for these values is "My Computer\HKEY_CURRENT_USER\Software\Sun Microsystems\KMS Manager".
Modify the following parameters as required, and click the Save button:
Communication Timeout
Type a timeout period (in seconds) for communications with the connected KMA. If the KMA does not respond within the timeout value, the OKM Manager gives up on the communication. The minimum value is 1; the maximum value is 60. The default is 15.
Query Page Size
Type the maximum number of items to display on a screen, dialog, or tab on a dialog that displays a list of items. Paging can be used to view a list longer than this limit. The minimum value is 1; the maximum value is 1000. The default is 20.
Display Dates in Local Time Zone
Select this check box to display all dates and times in the local machine's time zone (i.e., where the OKM Manager is running), rather than UTC. The default is selected. The following confirmation message is displayed.
Display Tool Tips on List Panels
Select this check box if you want to see a tool tip when you position the cursor over an item. This is the default.
Zone ID
If your KMAs are configured to have IPv6 addresses and if you want to connect to one of them using an IPv6 link-local address (that is, one that begins with "fe80"), then select a Zone ID to use when connecting to that link-local address.
See "IPv6 Addresses with Zone IDs" for more information.
For Windows system users, the OKM Manager GUI and the Backup and OKM Command Line utilities (see "Command Line Utilities") allow you to enter link-local IPv6 addresses; however, you must perform some initial setup first.
Note: You must enter a Zone ID whenever you specify a link-local address (that is, an IPv6 address that begins with "fe80"). You can specify a Zone ID by appending it to the end of an IPv6 address, following a percent sign (%).
Display a command prompt window and determine which Zone IDs are available on your Windows system by running:
netsh interface ipv6 show interface
The Zone IDs appear in the Idx column in the output of this command. Look for entries that show a State of "Connected".
Use the ping command to confirm network connectivity using one of these Zone IDs. For example:
ping fe80::216:36ff:fed5:fba2%4
Before you bring up the Connect dialog in the OKM Manager GUI, display the Options dialog and select the appropriate Zone ID.
Click the Save button.