Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
6 Compliance Officer Operations

This chapter describes the operations that a user who has been given a Compliance Officer role can perform. If you have been assigned multiple roles, refer to the appropriate chapter for instructions on performing the specific role.

Compliance Officer Role

The Compliance Officer manages the flow of data through your organization and has the ability to define and deploy data contexts (Key Groups) and rules that determine how data is protected and ultimately destroyed (Key Policies). The menus that provide these functions are shown below.


Key Policies

Key Policies provide guidance for managing data. The OKM Manager uses Key Policies to determine how data is protected and destroyed. Key Policies must be created before keys can be created and delivered to agents.

Only a Compliance Officer can create and modify Key Policies. This ensures that the data complies with a policy throughout the data's lifetime.

Key Policy List Menu

The Key Policy List menu allows you to manage the Key Policies in your organization.

The Key Policy List menu option gives you the ability to:

  • View Key Policies

  • View/Modify a Key Policy's Details

  • Create a Key Policy

  • Delete existing Key Policies.

Viewing Key Policies

To view Key Policies:

  1. From the Secure Information Management menu, select Key Policy List. The Key Policy List screen is displayed.


You can also scroll through the database and filter the Key Policy list by any of the following keys:

  • Key Policy ID

  • Description

  • Key Type

  • Encryption Period

  • Cryptoperiod

  • Allow Export From

  • Allow Import To

  • Allow Agents To Revoke Keys.

The Use button applies the filter to the displayed list for the Key Policy.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Key Policy ID

  • Description

  • Key Type

  • Encryption Period

  • Cryptoperiod

  • Allow Export From

  • Allow Import To

  • Allow Agents To Revoke Keys

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty

Filter Value text box:

Type a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Click the plus button to add additional filters.

Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.

Use:

Click this button to apply the selected filters to the displayed list and go to the first page.

Refresh:

Click this button to refresh the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

First page button:

Click this button to go to the first page of the list.

Previous page button:

Click this button to go to the previous page.

Next page button:

Click this button to go to the next page.

Results in Page:

Displays the number of records per page that were configured in the Query Page Size field in the Options dialog box.

Key Policy ID

Displays the unique identifier that distinguishes each Key Policy. This value can be between 1 and 64 (inclusive) characters. Key Policy IDs cannot be changed once they are created.

Description

Describes the Key Policy. This value can be between 1 and 64 (inclusive) characters.

Key Type

Indicates the type of encryption algorithm that Keys associated with this Key Policy use. The only possible value is AES-256.


Note:

Encryption Period and Cryptoperiod both begin when the key is first given to an Agent. Neither can be changed once a policy has been created; this prevents a change to a Key Policy from altering the lifetime of large numbers of existing keys.

Encryption Period

Displays how long keys associated with this Key Policy can be used to encrypt or decrypt data, measured from the time a key is first given to an Agent. The time interval units are: minutes, hours, days, weeks, months, or years.

Cryptoperiod

Displays how long keys associated with this Key Policy can be used to decrypt data, also measured from the time a key is first given to an Agent. After the Encryption Period ends, keys can only be used to decrypt (not encrypt) data until the Cryptoperiod ends, so the Cryptoperiod is expected to be at least as long as the Encryption Period. The time interval units are: minutes, hours, days, weeks, months, or years.

Allow Export From

Indicates whether Data Unit keys associated with this Key Policy can be exported. Possible values are True or False.

Allow Import To

Indicates whether Data Unit keys associated with this Key Policy can be imported. Possible values are True or False.

Allow Agents To Revoke Keys

Indicates whether agents using a Key Group that specifies this Key Policy may deactivate (revoke) the keys associated with them, even if the keys are in an operational state such as protect-and-process.

Select the Allow Agents To Revoke Keys check box to set the attribute to True, allowing agents to revoke such keys. Deselect the check box to set the attribute to False, disallowing agents from revoking keys that are in an operational state. False is the default.

The OKM Cluster must use Replication Version 14 or later before this attribute can be set to True.

Tape drive agents should use the default value (False).

Applications using a pkcs11_kms provider (see "OKM's PKCS#11 Provider") that need to revoke a key they will no longer use, for example during a re-key operation, should be configured to use an agent whose default Key Group specifies a Key Policy with this attribute set to True. ZFS encryption is an example of such a pkcs11_kms application.

If you want to create a Key Policy, click the Create button. For more information, refer to "Creating a Key Policy".

If you want to view or modify a Key Policy, highlight the Key Policy and click the Details button. For more information, refer to "Viewing/Modifying a Key Policy".

If you want to delete a Key Policy, highlight the Key Policy and click the Delete button. For more information, refer to "Deleting a Key Policy".
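The key lifetime that a Key Policy's Encryption Period and Cryptoperiod impose, as an added worked example that is not part of this guide or of OKM's own code. It models the state of a key from the moment it is first given to an Agent, using the state names the guide uses, and shows when the Allow Agents To Revoke Keys flag matters. The class and function names, the day-based approximation of months and years, and the check that the Cryptoperiod is not shorter than the Encryption Period are this example's assumptions, not behaviour documented on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Key states named in this guide for a key that has been given to an Agent.
PROTECT_AND_PROCESS = "protect-and-process"  # key may encrypt and decrypt
PROCESS_ONLY = "process-only"                # key may only decrypt
DEACTIVATED = "deactivated"                  # Cryptoperiod has expired

# Time-interval units offered by the Key Policy dialogs. Months and years
# are approximated in days here (an assumption of this example only).
_UNIT_DAYS = {"minutes": 1 / 1440, "hours": 1 / 24, "days": 1,
              "weeks": 7, "months": 30, "years": 365}


def period(count: int, unit: str) -> timedelta:
    """Build an Encryption Period or Cryptoperiod from a count and a unit."""
    if count < 1 or unit not in _UNIT_DAYS:
        raise ValueError(f"bad interval: {count} {unit}")
    return timedelta(days=count * _UNIT_DAYS[unit])


@dataclass(frozen=True)
class KeyPolicy:
    """Hypothetical model of the Key Policy fields shown in the list screen."""
    policy_id: str
    encryption_period: timedelta
    cryptoperiod: timedelta
    allow_export_from: bool = False
    allow_import_to: bool = False
    allow_agents_to_revoke_keys: bool = False  # False is the default

    def __post_init__(self) -> None:
        if not 1 <= len(self.policy_id) <= 64:
            raise ValueError("Key Policy ID must be 1-64 characters")
        if self.encryption_period <= timedelta(0):
            raise ValueError("Encryption Period must be positive")
        # Both periods start when the key is first given to an Agent, so a
        # Cryptoperiod shorter than the Encryption Period would deactivate
        # a key while the policy still lets it encrypt (example's own check).
        if self.cryptoperiod < self.encryption_period:
            raise ValueError("Cryptoperiod must not be shorter than Encryption Period")


def key_state(policy: KeyPolicy, assigned_at: datetime, now: datetime) -> str:
    """State, as of now, of a key first given to an Agent at assigned_at."""
    if now < assigned_at:
        raise ValueError("key has not been given to an Agent yet")
    age = now - assigned_at
    if age < policy.encryption_period:
        return PROTECT_AND_PROCESS
    if age < policy.cryptoperiod:
        return PROCESS_ONLY
    return DEACTIVATED


def can_encrypt(policy: KeyPolicy, assigned_at: datetime, now: datetime) -> bool:
    return key_state(policy, assigned_at, now) == PROTECT_AND_PROCESS


def can_decrypt(policy: KeyPolicy, assigned_at: datetime, now: datetime) -> bool:
    return key_state(policy, assigned_at, now) in (PROTECT_AND_PROCESS, PROCESS_ONLY)


def timeline(policy: KeyPolicy, assigned_at: datetime) -> dict:
    """When a key given to an Agent at assigned_at stops encrypting and decrypting."""
    return {"encrypts_until": assigned_at + policy.encryption_period,
            "decrypts_until": assigned_at + policy.cryptoperiod}


def agent_may_revoke(policy: KeyPolicy, state: str) -> bool:
    """An Agent may deactivate a key that is still operational only when the
    policy's Allow Agents To Revoke Keys flag is True."""
    operational = state in (PROTECT_AND_PROCESS, PROCESS_ONLY)
    return operational and policy.allow_agents_to_revoke_keys


if __name__ == "__main__":
    tape = KeyPolicy("TapeBackup", period(1, "years"), period(2, "years"))
    given = datetime(2024, 1, 1)
    for days in (100, 400, 800):
        print(days, key_state(tape, given, given + timedelta(days=days)))
    print(timeline(tape, given))
```

Because both periods are fixed once the policy exists, the only way to shorten the life of keys already handed to Agents is to revoke them, which is exactly what the Allow Agents To Revoke Keys flag gates for pkcs11_kms applications such as ZFS.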

Creating a Key Policy

To create a Key Policy:

  1. From the Key Policy List screen, click the Create button. The Create Key Policy dialog box is displayed.

  2. Complete the following parameters:

    Key Policy ID

    Type a value that identifies the policy. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that describes the policy. This value can be between 1 and 64 (inclusive) characters. This field can be blank.

    Encryption Period

    Specify how long keys associated with this Key Policy can be used to encrypt or decrypt data, measured from the time a key is first given to an Agent. The time interval units are: minutes, hours, days, weeks, months, or years. This value cannot be changed after the policy is created.

    Cryptoperiod

    Specify how long keys associated with this Key Policy can be used to decrypt data, also measured from the time a key is first given to an Agent. After the Encryption Period ends, keys can only decrypt (not encrypt) data until the Cryptoperiod ends, so the Cryptoperiod is expected to be at least as long as the Encryption Period. The time interval units are: minutes, hours, days, weeks, months, or years. This value cannot be changed after the policy is created.

    Flags

    Allow Export From

    Indicates whether Data Unit keys associated with this Key Policy can be exported. Possible values are True or False.

    Allow Import To

    Indicates whether Data Unit keys associated with this Key Policy can be imported. Possible values are True or False.

    Allow Agents To Revoke Keys

    Indicates whether agents using a Key Group that specifies this Key Policy may deactivate (revoke) the keys associated with them, even if the keys are in an operational state such as protect-and-process.

    Select the Allow Agents To Revoke Keys check box to set the attribute to True, allowing agents to revoke such keys. Deselect the check box to set the attribute to False, disallowing agents from revoking keys that are in an operational state. False is the default, and tape drive agents should keep it.

  3. Click the Save button to save the Key Policy. The new Key Policy is displayed in the Key Policy List screen. It can now be used by Key Groups.


Viewing/Modifying a Key Policy


Note:

Only a Compliance Officer can view a Key Policy's detailed information.

To modify a Key Policy's details:

  1. From the Key Policy List screen, double-click a Key Policy for which you want more information or highlight a Key Policy and click the Details button. The Key Policy Details dialog box is displayed.

  2. You can change the Description, Allow Export From, Allow Import To, and Allow Agents To Revoke Keys fields, as required; the Key Policy ID, Key Type, Encryption Period, and Cryptoperiod cannot be changed. When you are finished, click the Save button to save the changes. After the system verifies and validates the modified Key Policy, the changes apply to every Key Group that references it.

  3. If you click the Cancel button, your changes are not saved and the dialog box closes.

Deleting a Key Policy

A key policy can only be deleted if it is not used by any Key Group or key.

To delete a Key Policy:

  1. From the Key Policy List screen, highlight the Key Policy you want to delete and click the Delete button. The following dialog box is displayed, prompting you to confirm that you want to delete the specific Key Policy.

  2. Click the Yes button to delete the Key Policy. The Key Policy is removed from the database. You are returned to the Key Policy List screen, where the Key Policy is removed from the list.

Key Groups

A Key Group represents a data context: it determines which Key Policy applies and which Agents can access the keys in it. When a Key is assigned to an Agent and first used for a Data Unit, it is associated with a Key Group. When you create a Key Group, you must select a Key Policy; that Key Policy is applied to every Key in the Key Group.

Agents are associated with Key Groups. An Agent has one or more Key Groups that it is allowed to access, and it can only retrieve keys belonging to those Key Groups. An Agent may also have a default Key Group. When an Agent allocates a new key, the key is placed in the Agent's default Key Group, so an Agent can only allocate new keys if it has a default Key Group.
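The relationships the two paragraphs above describe, as an added example that is not code from this guide or from OKM: a toy model of the KMA's rules for Key Policies, Key Groups and Agents. It enforces that a Key Group's policy is fixed at creation, that an Agent can only retrieve keys from Key Groups it is allowed to access, that new keys land in the Agent's default Key Group (no default, no allocation), and that a Key Policy or Key Group still in use cannot be deleted. The Kma class, its method names and the choice to clear an Agent's default when the Agent is removed from that group are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyGroup:
    group_id: str
    key_policy_id: str          # chosen at creation; cannot be changed afterwards
    description: str = ""


@dataclass
class Agent:
    agent_id: str
    allowed_groups: set = field(default_factory=set)
    default_group: Optional[str] = None


@dataclass(frozen=True)
class Key:
    key_id: str
    group_id: str               # the Key Group whose policy governs this key


class Kma:
    """Hypothetical model of the Key Policy / Key Group / Agent rules in this
    chapter. It mimics the rules the guide states; it is not OKM code."""

    def __init__(self) -> None:
        self.policies: set = set()
        self.groups: dict = {}
        self.agents: dict = {}
        self.keys: dict = {}
        self._counter = 0

    # Compliance Officer operations
    def create_policy(self, policy_id: str) -> None:
        self.policies.add(policy_id)

    def delete_policy(self, policy_id: str) -> None:
        # A policy can only be deleted if no Key Group (and so no key) uses it.
        if any(g.key_policy_id == policy_id for g in self.groups.values()):
            raise ValueError(f"Key Policy {policy_id} is in use by a Key Group")
        self.policies.remove(policy_id)

    def create_group(self, group_id: str, key_policy_id: str, description: str = "") -> KeyGroup:
        if not 1 <= len(group_id) <= 64:
            raise ValueError("Key Group ID must be 1-64 characters")
        if key_policy_id not in self.policies:
            raise ValueError("Key Policy must exist before the Key Group is created")
        if group_id in self.groups:
            raise ValueError("Key Group ID must be unique")
        self.groups[group_id] = KeyGroup(group_id, key_policy_id, description)
        return self.groups[group_id]

    def delete_group(self, group_id: str) -> None:
        # A group can only be deleted if it holds no key and no Agent is assigned to it.
        if any(k.group_id == group_id for k in self.keys.values()):
            raise ValueError(f"Key Group {group_id} still holds keys")
        if any(group_id in a.allowed_groups for a in self.agents.values()):
            raise ValueError(f"Key Group {group_id} still has Agents assigned")
        del self.groups[group_id]

    def assign_agent(self, agent_id: str, group_id: str, make_default: bool = False) -> None:
        """Agent Assignment to Key Groups and Key Group Assignment to Agents
        both end here: the Agent is allowed access to the group."""
        if group_id not in self.groups:
            raise KeyError(group_id)
        agent = self.agents.setdefault(agent_id, Agent(agent_id))
        agent.allowed_groups.add(group_id)
        if make_default:
            agent.default_group = group_id

    def remove_agent(self, agent_id: str, group_id: str) -> None:
        agent = self.agents[agent_id]
        agent.allowed_groups.discard(group_id)
        if agent.default_group == group_id:
            agent.default_group = None  # assumption: no default until one is set again

    # What an Agent can do
    def allocate_key(self, agent_id: str) -> Key:
        """New keys go into the Agent's default Key Group; no default, no allocation."""
        agent = self.agents.get(agent_id)
        if agent is None or agent.default_group is None:
            raise PermissionError(f"Agent {agent_id} has no default Key Group")
        self._counter += 1
        key = Key(f"K{self._counter:04d}", agent.default_group)
        self.keys[key.key_id] = key
        return key

    def retrieve_key(self, agent_id: str, key_id: str) -> Key:
        """An Agent may only retrieve keys from Key Groups it is allowed to access."""
        agent = self.agents.get(agent_id)
        key = self.keys[key_id]
        if agent is None or key.group_id not in agent.allowed_groups:
            raise PermissionError(f"Agent {agent_id} may not access Key Group {key.group_id}")
        return key

    def policy_for_key(self, key_id: str) -> str:
        """The Key Policy that governs a key is the one its Key Group was created with."""
        return self.groups[self.keys[key_id].group_id].key_policy_id
```

The point to take from the model is that access is decided by Key Group membership, not by who created a key: a second drive assigned to the same group can retrieve a key the first drive allocated, while a drive assigned only to another group cannot, and a drive with no default group can read but never allocate.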

Figure 6-1 shows the relationship between Key Groups, Key Polices, Agents, and Data Units.

Figure 6-1 Key Group Relationship with Key Policies, Agents, Data Units


Key Groups Menu

The Key Groups menu includes the Key Group List menu option, which allows the Compliance Officer to manage Key Groups.


Key Group List Menu

The Key Group List menu option gives you the ability to:

  • View Key Groups

  • Create a Key Group

  • Modify existing Key Groups

  • Delete existing Key Groups.

Viewing Key Groups

To view all Key Groups:

From the Key Groups menu, select Key Group List. The Key Group List screen is displayed.


You can scroll through the database and filter through the Key Group list by any of the following keys:

  • Key Group ID

  • Description

  • Key Policy ID.

The Use button applies the filter to the displayed list for the Key Group.

The fields and their descriptions are given below:

Filter:

Select filter options to filter the displayed list of Key Groups. Only Key Groups that satisfy all filters are displayed.

Filter Attribute combo box:

Click the down-arrow and select an attribute to filter by. Possible values are:

  • Key Group ID

  • Description

  • Key Policy ID.

Filter Operator box:

Click the down-arrow and select the filter operation to apply to the selected attribute. Possible values are:

  • Equals =

  • Not equal <>

  • Greater than >

  • Less than <

  • Greater than or equals >=

  • Less than or equals <=

  • Starts with ~

  • Empty

  • Not empty.

Filter Value text box:

Type a value to filter the selected attribute by.

Filter Value combo box:

Click the down-arrow and select a value to filter the selected attribute by. This filter option is not displayed for all filter attributes.

Click the plus button to add additional filters.

Click the minus button to remove a filter. This button is only displayed if there is more than one filter shown.

Use:

Click this button to apply the selected filters to the displayed list and go to the first page.

Refresh:

Click this button to refresh the displayed list. This does not apply filters selected since the last Use or Reset, and does not change the page of the list.

Reset:

Click this button to remove all filters and reset the displayed list to the first page.

First page button:

Click this button to go to the first page of the list.

Previous page button:

Click this button to go to the previous page.

Next page button:

Click this button to go to the next page.

Results in Page:

Displays the number of items that can be displayed on the current page. Appends "(last page)" to the number of items if you are at the end of the list. The maximum number of items displayed on a page is defined by the Query Page Size value on the Options dialog.

Key Group ID

Displays the unique identifier that distinguishes each Key Group. This value can be between 1 and 64 (inclusive) characters. The Key Group ID cannot be changed once it is defined.

Description

Describes the Key Group. This value can be between 1 and 64 (inclusive) characters.

Key Policy ID

Displays a unique identifier for an existing Key Policy that applies for every Data Unit in the Key Group.

The Key Policy ID for an existing Key Group cannot be changed. This is to avoid a change affecting a large number of keys.

If you want to create a Key Group, click the Create button. For more information, refer to "Creating a Key Group".

If you want to view/modify a Key Group, highlight the Key Group and click the Details button. For more information, refer to "Viewing/Modifying a Key Group's Details".

If you want to delete a Key Group, click the Delete button. For more information, refer to "Deleting a Key Group".

Creating a Key Group

To create a new Key Group:

  1. From the Key Group List screen, click the Create button. The Create Key Group dialog box is displayed.

  2. Complete the following parameters:

    Key Group ID

    Type a value that identifies the Key Group. This value can be between 1 and 64 (inclusive) characters.

    Description

    Type a value that describes the Key Group. This value can be between 1 and 64 (inclusive) characters.

    Key Policy ID

    Click the down-arrow and select the Key Policy with which you want to associate this Key Group. When creating a new Key Group, existing Key Policies are displayed.

  3. Click the Save button. The new Key Group is created and saved in the database and is displayed in the Key Group List screen. It can now be used by Data Units, Agents, and so forth.


Viewing/Modifying a Key Group's Details


Note:

If you are not a Compliance Officer, when you view a Key Group's detailed information, all fields, including the Save button, are disabled.

To modify a Key Group:

  1. From the Key Group List screen, double-click a Key Group entry for which you want more information or highlight a Key Group entry and click the Details button. The Key Group Details dialog box is displayed.


    The following parameters are displayed:

    Key Group ID:

    Uniquely identifies the Key Group. This field is read-only.

    Description:

    Type a value that describes the Key Group. This value can be between 1 and 64 (inclusive) characters. This field can be blank.

    Key Policy ID:

    Displays a unique identifier for an existing Key Policy that is associated with the Key Group and all the Keys in the Key Group. This field is read-only.

  2. The Description field is the only field that can be modified. When you are finished, click the Save button to save the changes. You are returned to the Key Group List screen.

Deleting a Key Group


Note:

You cannot delete a Key Group that is in use, that is, one to which Agents or Data Units are assigned.

To delete a Key Group:

  1. From the Key Group List screen, highlight the Key Group you want to delete and click the Delete button. The following Confirmation dialog box is displayed, prompting you to confirm that you want to delete the selected Key Group.

    A Key Group can only be deleted if it is not used by any key and is not associated with any Agent.

  2. Click the Yes button to delete the Key Group. The Key Group and its associated entries are deleted from the database. You are returned to the Key Group List screen, where the Key Group is no longer listed.

Agent Assignment to Key Groups Menu

The Agent Assignment to Key Groups menu option gives you the ability to assign Agents to Key Groups. Assigning an Agent to a Key Group determines which keys, and therefore which data, that Agent can access. It is the converse of the Key Group Assignment menu option under the Agents menu; both accomplish the same result.

Important – You must set a default Key Group for an Agent before that Agent can allocate keys.


To view Agents assignments, from the Key Groups menu, select Agent Assignment to Key Groups. The Agent Assignment to Key Groups screen is displayed.


The Key Groups column lists the Key Groups. The Agents Allowed Access column lists the Agents that are assigned to the selected Key Group(s). The Agents Not Allowed Access column lists the Agents that are not assigned to the selected Key Group(s).

Assigning an Agent to a Key Group

To assign an Agent to a Key Group:

  1. In the Key Groups column, highlight the Key Group you want. In the Agents Not Allowed Access column, highlight the Agent you want to add and click the Move to back-arrow button.

  2. The selected Agent is moved to the Agents Allowed Access column, indicating that the Agent is successfully added to the selected Key Group's Agent list.


To assign Agents to a Key Group and set the Default Key Group:

  1. From the Agent Assignment to Key Groups screen, select the Key Group you want in the Key Groups list.

  2. In the Agents Not Allowed Access list, select one or more Agents you want to add and set the Default Key Group for.

  3. Click the Default Key Group for Agent button. The selected Agents are moved to the Agents Allowed Access list and their Default Key Group is set to the Key Group. The Agents are now allowed access to the Key Group.

To set the Default Key Group for already assigned Agents:

  1. From the Agent Assignment to Key Groups screen, select the Key Group you want in the Key Groups list.

  2. In the Agents Allowed Access list, select one or more Agents that do not have the selected Key Group as their Default Key Group.

  3. Click the Default Key Group for Agent button. The selected Agents' Default Key Group is set to the Key Group.

Removing an Agent from a Key Group

To remove an Agent from a Key Group's Agent list:

  1. In the Key Groups column, highlight the Key Group you want. In the Agents Allowed Access column, highlight the Agent you want to remove, and click the Move from forward-arrow button.

  2. The selected entry is removed from the Agents Allowed Access column and is listed in the Agents Not Allowed Access column. It is no longer assigned to the selected Key Group.


Key Group Assignment to Agents Menu

The Key Group Assignment to Agents menu option allows you to assign Key Groups to Agents. It is the converse of the Agent Assignment to Key Groups menu option, both accomplishing the same result.


To view the Key Groups:

  1. From the Agents menu, select Key Group Assignment. The Key Group Assignment to Agents screen is displayed.


    The Agents column lists the Agents in the database. The Allowed Key Groups column lists the Key Groups which the Agent can access. The Disallowed Key Groups column lists the Key Groups which the Agent cannot access.

  2. Clicking an Agent entry displays the Key Groups that are allowed and disallowed for the selected Agent.


Assigning a Key Group to an Agent

To assign a Key Group to an Agent:

  1. From the Key Group Assignment to Agents screen, in the Agents column, highlight the Agent you want. In the Disallowed Key Groups column, highlight the Key Group you want to add and click the Move to back-arrow button.

  2. The selected entry is moved to the Allowed Key Groups column and the Key Group is successfully added to the selected Agent.


To assign a Key Group to an Agent as the Default Key Group:

  1. From the Key Group Assignment to Agents screen, select the Agent you want in the Agents list.

  2. In the Disallowed Key Groups list, select one Key Group you want to add and set the Default Key Group for.

  3. Click the Default Key Group button. The selected Key Group is moved to the Allowed Key Groups list and is set as the Default Key Group for the Agent. The Agent is now allowed access to the Key Group.

To set an already assigned Key Group to the Default Key Group:

  1. From the Key Group Assignment to Agents screen, select the Agent you want in the Agents list.

  2. In the Allowed Key Groups list, select one Key Group that is not the Default Key Group for the Agent.

  3. Click the Default Key Group button. The Agent's Default Key Group is set to the selected Key Group.

Removing a Key Group from an Agent

To remove a Key Group from an Agent:

  1. From the Key Group Assignment to Agents screen, in the Agents column, highlight the Agent you want. In the Allowed Key Groups column, highlight the Key Group you want to remove and click the Move from forward-arrow button.

  2. The selected entry is moved from the Allowed Key Groups column to the Disallowed Key Groups column and is no longer assigned to the Agent.


Key Group Assignment to Transfer Partners Menu

The Key Group Assignment to Transfer Partners menu option allows you to assign Key Groups to Transfer Partners.


Viewing Key Group Assignments

To view Key Group assignments, from the Transfer Partners menu, select Key Group Assignment to Transfer Partners. The following screen is displayed.


The screen shows the Key Groups that can access a Transfer Partner. The Allowed Key Groups column lists the Key Groups assigned to the selected Transfer Partner. The Disallowed Key Groups column displays the Key Groups not assigned to the Transfer Partner.

Adding a Key Group to a Transfer Partner

To add a Key Group to a Transfer Partner list:

  1. In the Transfer Partners column, highlight the Transfer Partner you want to affect. In the Disallowed Key Groups column, highlight the Key Group you want to add and click the Move to back-arrow button.

  2. The selected Key Group is moved to the Allowed Key Groups column, indicating that the Transfer Partner can now access that Key Group.

Removing a Key Group from a Transfer Partner

To remove a Key Group list from a Transfer Partner:

  1. In the Transfer Partners column, highlight the Transfer Partner you want to affect. In the Allowed Key Groups column, highlight the Key Group you want to remove and click the Move from forward-arrow button.

  2. The selected Key Group is moved to the Disallowed Key Groups column, indicating that the Transfer Partner cannot access that Key Group.

Transfer Partner Assignment to Key Groups Menu

The Transfer Partner Assignment to Key Groups menu allows you to add a key Transfer Partner to the set of Key Transfer Partners that are permitted access to a specific Key Group.


Viewing Transfer Group Assignments

To view Transfer Group assignments, from the Key Groups menu, select Transfer Partner Assignment to Key Groups. The following screen is displayed.


The screen shows the Transfer Partners that can access a Key Group. The Transfer Partners Allowed Access column lists the Transfer Partners assigned to the Key Group. The Transfer Partners Not Allowed Access column displays the Transfer Partners not assigned to the Key Group.

Adding a Transfer Partner to a Key Group

To add a Transfer Partner to a Key Group:

  1. In the Key Groups column, highlight the Key Group you want to affect. In the Transfer Partners Not Allowed Access column, highlight the Transfer Partner you want to add and click the Move to back-arrow button.

  2. The selected Transfer Partner is moved to the Transfer Partners Allowed Access column, indicating that the Transfer Partner is now permitted access to that Key Group.

Removing a Transfer Partner from a Key Group

To remove a Transfer Partner from a Key Group:

  1. In the Key Groups column, highlight the Key Group you want to affect. In the Transfer Partners Allowed Access column, highlight the Transfer Partner you want to remove and click the Move from forward-arrow button.

  2. The selected Transfer Partner is moved to the Transfer Partners Not Allowed Access column, indicating that the Transfer Partner is no longer permitted access to that Key Group.

Importing a KMS 1.0 Key Export File

To import a KMS 1.0 Key Export file to the KMA and to create a new Key for each Key in this file:

  1. Go to the KMS 1.2 system and export the keys into a file. Only keys exported from a KMS 1.2 system can be imported; KMS 1.0 and 1.1 systems must be upgraded to 1.2 before their keys can be exported.

  2. From the Secure Information Management menu, select Import 1.0 Keys.

  3. Complete the following parameters:

    Destination Key Group

    Select the Destination Key Group into which these keys will be imported.

    KMS 1.0 Key Export File Name

    Type the name of the KMS 1.0 Key Export file.

    Browse

    Click this button to locate the file.

    Start

    Click this button to upload the KMS 1.0 Key Export file to the KMA. A new Key is created for each Key the file contains, and each new Key is associated with the Key Group you selected. Messages are displayed indicating when the file has been uploaded and applied.

Audit Event List Menu

The Audit Event List menu gives you the ability to view the Audit Log events.


Viewing Audit Logs

To view the Audit Log events:

From the System Management menu, select Audit Event List. The Audit Event List screen is displayed.


You can also scroll through the database and filter the Audit Event list by any of the following keys:

  • Created Date

  • Operation

  • Severity

  • Condition

  • Entity ID

  • Entity Network Address

  • KMA ID

  • KMA Name

  • Class

  • Retention Term

  • Audit Log ID.

The Use button applies the filter to the displayed list for the Audit Log.

The fields and their descriptions are given below:

Filter:

Displays the fields that you can use to filter the results of queries made to the KMA. Possible values are:

  • Created Date

  • Operation

  • Severity

  • Condition

  • Entity ID

  • Entity Network Address

  • KMA Name

  • Class

  • Retention Term

  • Audit Log ID.

Filter Operator box:

Click the down-arrow and select the filter operation you want. Possible values are:

  • Empty

  • Not empty

Filter Value 1 box:

If you selected the Created Date filter, click Set Date to specify the start date and time; the value becomes the starting value of the filter key range. If you selected any other filter, type a value in this field.

Filter Value 2 box:

If you selected the Created Date filter, click Set Date to select the end date and time; the value becomes the ending value of the filter key range.

Filter Value 3 box:

Click the down-arrow and select one of the following filters:

  • Don't Show Short Term

  • Show All Retentions.

Created Date

Displays the date and time that the Audit Event was created.

Operation

Displays the operation that resulted in the creation of the Audit Event record.

Severity

Indicates the severity of the condition if the operation was not successful. Possible values are Success (no error), Warning, or Error.


Note:

If the Severity value is Error, the KMA that generated the event also issues an SNMP inform message with the event details.

Condition

Indicates whether the operation was successful or not.


Note:

Errors are highlighted in red; Warnings are highlighted in yellow. If you hover the cursor over an error message, a more detailed description of the error is displayed.

If the Condition value is Server Busy, the KMA that generated the event also issues an SNMP inform message with the event details.


Event Message

Displays detailed information of the Audit Event entry.

Entity ID

If this Audit Event is generated in response to an operation requested by a user, Agent, or peer KMA, then this field displays the user-specified identifier of that entity. Otherwise, this field is blank.

Entity Network Address

If this Audit Event is generated in response to an operation requested by a user, Agent, or peer KMA, then this field displays the network address of that entity. Otherwise, this field is blank.

KMA ID

Displays the system-generated unique identifier of the KMA that generated this Audit Event.

KMA Name

Displays the user-supplied identifier that distinguishes each Appliance in a Cluster.

Class

Identifies the class of operations to which the Audit Event entry belongs.


Note:

If the Class value is Security Violation, the KMA that generated the event also issues an SNMP inform message with the event details.

Possible values are:

  • Agent Access Control Management Operations

  • Agent Client Generated Audits

  • Agent Management Operations

  • Appliance Management Operations

  • Audit Log Agent Operations

  • Audit Log Management Operations

  • Audit Log Operations

  • Backup Management Operations

  • CA Operations

  • Cluster Client Communication

  • Cluster Operations

  • Communication and Authentication

  • Console Security Management Operations

  • Data Unit Agent Operations

  • Data Unit Management Operations

  • Discovery Operations

  • Key Group Agent Operations

  • Key Group Management Operations

  • Key Policy Management Operations

  • License Key Management Operations

  • Local Management Operations

  • Management Client Generated Audits

  • Passphrase Agent Operations

  • Replication Operations

  • Retrieve Certificate Operations

  • Role Management Operations

  • SNMP Management Operations

  • Security Management Operations

  • Security Parameter Management Operations

  • Security Violation

  • Site Management Operations

  • System Messages

  • User Management Operations.

Retention Term

Displays the defined length of time that the Audit Event record is retained. Possible values are Long Term, Medium Term, and Short Term.

Long Term

Event records that must be stored for a lengthy period of time.

Medium Term

Event records that must be stored for a medium length period of time.

Short Term

Event records that must be stored for a short period of time.

Audit Log Entry ID

Displays a system-generated identifier for the type of Audit Event. Entries of the same type share this value, so it can be used to group or filter related events.

Audit Log ID

Displays a system-generated unique identifier that distinguishes each individual Audit Event entry.

If you want more detailed information on an Audit Log, highlight the Audit Log and click the Details button. For more information, refer to "Viewing Audit Log Details" below.

Click the Export button to export the Audit Log. For more information, refer to "Exporting an Audit Log".

Viewing Audit Log Details

To view Audit Log details:

  1. From the Audit Event List screen, select the Audit Log entry on which you want more information and click the Details button or double-click the entry. The Audit Event Details dialog box is displayed, where all fields are disabled, except for the Previous, Close, and Next buttons.

    Surrounding text describes audit_event_details.jpg.
  2. Click the Previous or Next buttons to access the previous or next Audit Event, or the Close button to return to the Audit Event List screen.

Exporting an Audit Log

The Export function allows you to export all or specific Audit Log entries to a text file on your workstation. You can then bring up the file in a spreadsheet application.

To export an Audit Log:

  1. From the Audit Event List screen, either select Save Report... from the View menu or press Ctrl-S.

  2. Click the Start button to initiate the export process. If the Audit Event List screen is currently filtered, only the entries that match the filter are exported; otherwise, all audit events are exported.

  3. When the export process is completed, the number of Audit Logs that have been exported is shown at the bottom of the dialog box.

  4. Click the Close button to close this dialog box and return to the Audit Event List screen.
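The field definitions above and the Save Report export can be put to use outside the GUI. The following is an added example, not Oracle code and not part of the OKM product: it assumes the exported text file is tab-separated with a header row using the column names from the Audit Event List, and that the Condition column carries the value "Server Busy" named on this page alongside ordinary success/failure values. The sample rows are constructed for illustration. It reconciles the export against the SNMP informs the page says a KMA must send for Security Violation and Server Busy events, and summarises violations by originating address.

```python
"""Triage an exported OKM Audit Event report.

Added example; not Oracle code and not part of the OKM product. It assumes
the Save Report export is a tab-separated text file whose header row uses
the column names from the Audit Event List, and that the Condition column
holds "Server Busy" (named on the page) plus ordinary success/failure values.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Row contents are invented for illustration;
# note that Audit Log Entry ID identifies the type of event (rows 3 and 4
# share 1003) while Audit Log ID is unique per entry.
SAMPLE_EXPORT = """\
Condition\tEvent Message\tEntity ID\tEntity Network Address\tKMA ID\tKMA Name\tClass\tRetention Term\tAudit Log Entry ID\tAudit Log ID
Success\tAgent retrieved keys\tlto-drive-01\t10.0.0.21\t2\tkma-east-1\tKey Group Agent Operations\tShort Term\t1001\t500001
Server Busy\tRequest rejected, server busy\tlto-drive-02\t10.0.0.22\t2\tkma-east-1\tKey Group Agent Operations\tMedium Term\t1002\t500002
Failed\tAgent authentication failed\tlto-drive-09\t10.0.0.99\t1\tkma-west-1\tSecurity Violation\tLong Term\t1003\t500003
Failed\tAgent authentication failed\tlto-drive-09\t10.0.0.99\t1\tkma-west-1\tSecurity Violation\tLong Term\t1003\t500004
Success\tKey Policy modified\tcompliance01\t10.0.1.5\t1\tkma-west-1\tKey Policy Management Operations\tLong Term\t1004\t500005
Success\tBackup created\t\t\t2\tkma-east-1\tBackup Management Operations\tMedium Term\t1005\t500006
"""

REQUIRED_COLUMNS = (
    "Condition", "Event Message", "Entity ID", "Entity Network Address",
    "KMA ID", "KMA Name", "Class", "Retention Term",
    "Audit Log Entry ID", "Audit Log ID",
)


def parse_export(text):
    """Parse the export into a list of dicts, refusing a file with an unexpected header."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export is missing columns: %s" % ", ".join(missing))
    return list(reader)


def triggers_snmp_inform(row):
    """True for the two cases the page says also raise an SNMP inform."""
    return row["Class"] == "Security Violation" or row["Condition"] == "Server Busy"


def expected_inform_ids(rows):
    """Audit Log IDs for which the originating KMA should have sent an inform."""
    return [r["Audit Log ID"] for r in rows if triggers_snmp_inform(r)]


def missing_informs(rows, received_ids):
    """Cross-check: events that should have produced an inform but none arrived.

    received_ids is the set of Audit Log IDs seen at the SNMP manager; a
    non-empty result means informs are being lost on the way or the SNMP
    manager is not configured on the KMA that generated the event.
    """
    received = set(received_ids)
    return [i for i in expected_inform_ids(rows) if i not in received]


def violations_by_source(rows):
    """Count Security Violation events per (network address, entity) pair."""
    return Counter(
        (r["Entity Network Address"], r["Entity ID"])
        for r in rows if r["Class"] == "Security Violation"
    )


def unattributed_events(rows):
    """Entries with a blank Entity ID: operations not requested by a user, Agent or peer KMA."""
    return [r["Audit Log ID"] for r in rows if r["Entity ID"] == ""]


def retention_summary(rows):
    """How many entries fall under each Retention Term."""
    return Counter(r["Retention Term"] for r in rows)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("informs expected for:", expected_inform_ids(rows))
    print("informs missing     :", missing_informs(rows, {"500002", "500003"}))
    print("violations by source:", dict(violations_by_source(rows)))
    print("unattributed        :", unattributed_events(rows))
    print("retention           :", dict(retention_summary(rows)))
```

Run it against a real export by reading the saved file into parse_export instead of SAMPLE_EXPORT, and feed missing_informs the Audit Log IDs your SNMP manager actually received; any ID it returns is an event the page says should have reached the manager and did not.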

Data Unit List Menu

The Data Unit List menu allows you to:

  • View Data Units

  • View/Modify Data Unit details

  • View the activity history for a Data Unit

  • Destroy post-operational keys for a Data Unit.

For procedures on using the Data Unit List menu, refer to "Data Unit List Menu" in the Operator Operations chapter.

Compromising Keys

Compliance Officers are authorized to compromise keys. Marking a key as compromised is a one-way state change: the key is no longer issued for encrypting new data, but it remains available so that data already protected by it can still be decrypted. Record the reason in the comment requested below, since the comment becomes part of the audit trail for the key.

  1. From the Data Unit List screen, select the Data Unit you want to modify and click the Details button. The Data Unit Details dialog box is displayed.

    Surrounding text describes data_unit_details.jpg.
  2. Click the Key List tab to view the key(s) associated with this Data Unit.

    Surrounding text describes data_unit_det_key_list_co.jpg.
  3. Select the key(s) you want to compromise and click the Compromise button. A dialog box is displayed confirming the compromise of the key(s).

  4. Click the Yes button. The following dialog box is displayed, prompting you to enter a comment.

    Surrounding text describes dataunit_keylist_comp_cmnt.jpg.
  5. Type a comment about the compromise of the selected key(s). If you click the Compromise button, another dialog box is displayed confirming the compromise of the key(s).

  6. Click the Yes button. A dialog box is displayed showing the number of keys that have been compromised.

Key List Menu

The Key List menu allows you to:

  • query keys directly without having to query data units

  • query the keys associated with a particular data unit.

Surrounding text describes key_list_menu.jpg.

Querying Keys

To query keys directly:

  1. From the System Management menu, select Key List. The Key List screen is displayed.

    Surrounding text describes key_list.jpg.
  2. Click the Details button (or double-click on a key) to display more information about that key. The Key Details dialog appears.

    A Compliance Officer can change the key group this key is associated with. An Operator can change the In Use By Data Unit flag, which indicates whether or not this key is associated with a data unit.

    Surrounding text describes key_list_details.jpg.
  3. Click the Data Unit Info tab to display information about the data unit that is associated with this key (if any).

    Surrounding text describes key_list_data_unit.jpg.

Other Functions

A Compliance Officer can also:

  • View the Audit Event List

  • View the System Time

  • Lock/Unlock KMA status

  • Access the KMA List screen

  • Query KMA performance information about KMAs in this OKM cluster

  • Query load information about the KMA the GUI is connected to

  • Query agent performance information

  • Query data unit list key counts.

For procedures on using these functions, refer to Chapter 5, "Security Officer Operations".