Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Documentation Accessibility
What's New
Revision 01
Revision 02
1 Introduction
OKM Concepts
OKM Clusters
Agents
Network Connections
Initial Setup - Direct Connection or Remote Console
Initial Setup - QuickStart Program
Key Lifecycle
State Transition
OKM Key States and Transitions
Pre-activation
Active
Deactivated
Compromised
Destroyed/Destroyed Compromised
Users and Role-based Access Control
Allowed Operations for Each Role
Quorum Protection
Data Units, Keys, Key Groups, and Key Policies
TCP/IP Connections and the KMA
OKM in the Network
OKM Manager Software Requirements
Using Online Help
Role-Based Access Control
Role-Based Operations
Setting Up and Managing the Key Management Appliance
2 Getting Started
Accessing the KMA Through the Service Processor
Connecting to the KMA through the ELOM/ILOM
Using a Network Connection - ELOM
Using a Network Connection - ILOM
Launching the OKM Console
Additional Service Processor Procedures
Running the QuickStart Program
Starting QuickStart
Specifying the Network Configuration
Setting the KMA Management IP Addresses
Enabling the Technical Support Account
Setting the KMA Service IP Addresses
Viewing/Adding/Deleting Gateways
Specifying the DNS Settings
Initializing the KMA
Configuring the Cluster
Entering Key Split Credentials
Entering Initial Security Officer User Credentials
Specifying the Autonomous Unlocking Preference
Setting the Key Pool Size
Synchronizing KMA Time
Joining an Existing Cluster
Restoring a Cluster From a Backup
Adding Agents and Enrolling Tape Drives
3 Using the OKM Manager
What is the OKM Manager?
Installing the OKM Manager Software
Starting the OKM Installation
Invoking the OKM Manager
Starting the OKM Manager with Windows
Starting the OKM Manager with Solaris
OKM Manager GUI Overview
System Menu
System Menu Options
View Menu
View Menu Options
Help Menu
Help Menu Options
Toolbar Buttons
Shortcut Keys
Menu Accelerator Keys
Using Online Help
OKM Manager GUI Panes
OKM Management Operations Tree Pane
OKM Management Operation Details Pane
Session Audit Log Pane
Status Bar
Panels
Uninstalling the OKM Manager Software
Invoking the Executable File
Invoking Add/Remove Programs (Windows Only)
Completing the Uninstall Process
4 Using the System Menu
Connecting to the Cluster
Creating a Cluster Profile
Deleting a Cluster Profile
Disconnecting from the KMA
Changing the Passphrase
Saving Certificates
Converting PKCS#12 Format to PEM Format
Specifying the Configuration Settings
IPv6 Addresses with Zone IDs
Exiting from the OKM Manager
5 Security Officer Operations
Security Officer Role
KMA List Menu
Viewing KMAs
Checking the SCA 6000 Card
Creating a KMA
Viewing/Modifying a KMA's Details
Setting a KMA Passphrase
Deleting a KMA
KMA Performance List Menu
Querying a KMA
User List Menu
Viewing Users
Creating a User
Viewing/Modifying a User's Details
Setting a User's Passphrase
Deleting Users
Role List Menu
Viewing Roles
Viewing Operations for a Role
Site List Menu
Viewing Sites
Creating a Site
Viewing/Modifying a Site's Details
Deleting a Site
SNMP Manager List Menu
Viewing a KMA's SNMP Managers
Creating a New SNMP Manager
Viewing/Modifying an SNMP Manager's Details
Deleting an SNMP Manager
Key Transfer
Key Transfer Partners Feature
Key Transfer Process
Configuring Key Transfer Partners
Exporting/Importing Keys
Transfer Partners Menu
Transfer Partner List
Creating a Transfer Partner
Viewing/Modifying Transfer Partner Details
Deleting a Transfer Partner
Key Transfer Public Key List Menu
Viewing the Key Transfer Public Key List
Viewing the Key Transfer Public Key Details
Creating a Key Transfer Public Key
Backup List Menu
Viewing Backup Files History
Viewing Backup Details
Restoring a Backup
System Dump Menu
Creating a System Dump
Security Parameters Menu
Retrieving the Security Parameters
Modifying the Security Parameters
Core Security
Core Security Management Menu
Backup Core Security
Creating a Core Security Backup
Key Split Configuration
Viewing the Key Split Configuration
Modifying the Key Split Configuration
Autonomous Unlock Option
Local Configuration Menu
Lock/Unlock KMA
Locking the KMA
Unlocking the KMA
Software Upgrade
Guidelines for Implementing Software Upgrades
Activating a Software Version
Switching the Replication Version
Network Configuration Information
Displaying the Network Configuration
Current Load Menu
Displaying Current Load
System Time Menu
Retrieving the Local Clock Information
Adjusting the KMA's Local Clock
6 Compliance Officer Operations
Compliance Officer Role
Key Policies
Key Policy List Menu
Viewing Key Policies
Creating a Key Policy
Viewing/Modifying a Key Policy
Deleting a Key Policy
Key Groups
Key Groups Menu
Key Group List Menu
Viewing Key Groups
Creating a Key Group
Viewing/Modifying a Key Group's Details
Deleting a Key Group
Agent Assignment to Key Groups Menu
Assigning an Agent to a Key Group
Removing an Agent from a Key Group
Key Group Assignment to Agents Menu
Assigning a Key Group to an Agent
Removing a Key Group from an Agent
Key Group Assignment to Transfer Partners Menu
Viewing Key Group Assignments
Adding a Key Group to a Transfer Partner
Removing a Key Group from a Transfer Partner
Transfer Partner Assignment to Key Groups Menu
Viewing Transfer Group Assignments
Adding a Transfer Partner to a Key Group
Removing a Transfer Partner from a Key Group
Importing a KMS 1.0 Key Export File
Audit Event List Menu
Viewing Audit Logs
Viewing Audit Log Details
Exporting an Audit Log
Data Unit List Menu
Compromising Keys
Key List Menu
Querying Keys
Other Functions
7 Operator Operations
Operator Role
Key Groups Menu
Key Group List
Agent Assignment to Key Groups
Transfer Partner Assignment to Key Groups
Agent List Menu
Viewing the Agent List
Creating an Agent
Viewing/Modifying an Agent
Setting an Agent's Passphrase
Deleting Agents
Key Group Assignment to Agents Menu
Agent Performance List Menu
Import Keys Menu
Data Units
Data Unit List Menu
Viewing Data Units
Viewing/Modifying Data Unit Details
Data Unit Key Details
Backups with Destroyed Keys List Tab
Destroying Post-operational Keys
Viewing Key Counts
Software Upgrade Menu
Guidelines for Implementing Software Upgrades
Uploading and Applying Software Upgrades
Activating a Software Version
Other Functions
8 Backup Operator Operations
Backup Operator Role
Backup List Menu
Viewing Backup Files History
Viewing Backup Details
Creating a Backup
Confirming a Backup's Destruction
KMA List Menu
Modifying a Key Pool Size
Other Functions
9 Auditor Operations
Auditor Role
Audit List Menu
Security Parameters Menu
Other Functions
10 Quorum Member Operations
Quorum Member Role
Pending Quorum Operation List Menu
Viewing Pending Operations Details
Approving Pending Quorum Operations
Deleting Pending Quorum Operations
Other Functions
11 Using the OKM Console
What is the OKM Console?
Logging into the KMA
Operator
Security Officer
Other Roles
Operator Role Functions
Rebooting the KMA
Shutting Down the KMA
Disabling the Technical Support Account
Disabling the Primary Administrator
Setting the Keyboard Layout
Logging Out
Security Officer Role Functions
Logging the KMA Back into the Cluster
Setting a User's Passphrase
Setting the KMA Management IP Address
Setting the KMA Service IP Addresses
Viewing/Adding/Deleting Gateways
Specifying the DNS Settings
Resetting the KMA to the Factory Default
Enabling the Technical Support Account
Disabling the Technical Support Account
Enabling the Primary Administrator
Disabling the Primary Administrator
Setting the Keyboard Layout
Logging Out
Other Role Functions
Setting the Keyboard Layout
Logging Out
12 Command Line Utilities
OKM Command Line Utility
Solaris/Windows Syntax
Parameter Descriptions
Subcommands
Options
Examples
Exit Values
Sample Perl Scripts
Backup Command Line Utility
Solaris Syntax
Windows Syntax
Parameter Descriptions
Example
A SNMP Management Information Base (MIB) Data
B Using OKM with Advanced Security Transparent Data Encryption (TDE)
Overview of Transparent Data Encryption (TDE)
OKM's PKCS#11 Provider
TDE Authentication with OKM
Managing Authentication Credentials
Load Balancing and Failover
Planning Considerations
Oracle Database Considerations
OKM Performance and Availability Considerations
Disaster Recovery Planning
Network Planning
Key Management Planning
Key Policy Considerations
Key Access Control Through Key Groups
Key and Data Destruction Considerations
Integrating OKM and TDE
System Requirements
Oracle Key Manager
pkcs11_kms
Installing OKM
Installing pkcs11_kms
Installing pkcs11_kms for Oracle Solaris 11 or Solaris 11 Express
Installing pkcs11_kms for Oracle Solaris 10 Update 10
Installing pkcs11_kms for Oracle Enterprise Linux
Uninstalling pkcs11_kms
Uninstalling pkcs11_kms for Oracle Solaris 11
Uninstalling pkcs11_kms for Oracle Solaris 10 Update 10
Uninstalling pkcs11_kms for Oracle Enterprise Linux
Configuring OKM for TDE
Oracle Database TDE Configuration
Configuring the OKM Cluster for TDE
Configuring pkcs11_kms for TDE
Ongoing Operations
Migration of Master Keys from the Oracle Wallet
Re-Key Operation
Re-Key Due to OKM Policy Based Key Expiration
Converting from Another HSM Solution
Key Destruction
Key Transfer in Support of Oracle RMAN and/or Oracle Data Pump
Management
Attestation, Auditing, and Monitoring
Locating TDE Master Keys in OKM
Troubleshooting
Cannot Retrieve the Master Key
Loss of the pkcs11_kms Configuration Directory
No Slots Available Error
CKA_GENERAL_ERROR Error
Could Not Open PKCS#12 File Error
C Using OKM with Solaris ZFS Encryption
Planning Considerations
Integrating OKM and ZFS
Configuring the OKM Cluster for ZFS
Installing pkcs11_kms on Solaris 11
Configuring pkcs11_kms
Configuring ZFS to Use pkcs11_kms
Troubleshooting
D Service Processor Procedures
ELOM Procedures
ELOM Upgrade Overview
Related Documentation
Configuring ELOM – X2100 M2 or X2200 M2 Servers
ELOM Configuration Process
Verifying ELOM and BIOS Levels
Upgrading the ELOM Server Firmware
Launching the BIOS Setup Utility from the ELOM
ILOM Procedures
ILOM Upgrade Overview
Related Documentation
ILOM 3.0
ILOM 3.2
Netra SPARC T4-1
Sun Fire X4170 M2
Configuring ILOM – Netra SPARC T4-1 and X4170 M2 Servers
ILOM Configuration Process
Verifying ILOM and BIOS Levels - X4170 M2 Only
Upgrading the ILOM 3.0 Server Firmware
Upgrading the ILOM 3.2 Server Firmware
Launching the BIOS Setup Utility from the ILOM - X4170 M2 Only
ILOM Security Hardening
Configuring the BIOS - X4170 M2 Only
Keyboard and Monitor Attachment to the KMA
Glossary
Index