This chapter describes the following topics:
Accessing the KMA Through the Service Processor – the Embedded Lights Out Manager (ELOM) and Integrated Lights Out Manager (ILOM) provide a remote connection to the console (see "Accessing the KMA Through the Service Processor")
Note: Additional Service Processor procedures can be found in Appendix D, "Service Processor Procedures".
Running the QuickStart program – QuickStart is a utility that a customer (Security Officer or qualified representative) can use to configure a new KMA (see "Running the QuickStart Program").
Note: A service representative can also run QuickStart; however, since this program establishes critical security parameters, customers may prefer to do it themselves, following their corporate security policies.
The Embedded Lights Out Manager (ELOM) and Integrated Lights Out Manager (ILOM) contain a separate Service Processor from the main server. These Service Processors provide a remote connection to the KMA, allowing you to perform server functions, such as the QuickStart program.
Note: KMAs that are Sun Fire X2100 M2 or X2200 M2 servers use an ELOM as the Service Processor, whereas KMAs that are Sun Fire X4170 M2 servers employ an ILOM as their service processor. Refer to the Embedded Lights Out Manager Administration Guide or the Integrated Lights Out Manager Web Interface Procedures Guide for configuration information.
Connect to the KMA through the ELOM or ILOM using either:
The network connection, LAN 1 NET MGT ELOM or ILOM interface (suggested), or
The keyboard and monitor attached to the KMAs.
Note: Popup blockers prevent windows from launching in the following procedures. Disable the popup blockers before beginning. If the window appears, but a console window does not, the Web browser or Java version is incompatible with the Service Processor. Upgrade to the latest versions of the browser and Java. See Table 2-1 for a list of compatible versions.
Table 2-1 Supported ELOM Compatible Web Browsers and Java Versions

Client OS | Supports These Web Browsers | Java Runtime Environment Including Java Web Start
---|---|---
 |  | JRE 1.5 (Java 5.0 Update 7 or later)

You can download the Java 1.5 runtime environment at:
The current version of the ELOM guide is available at:
Table 2-2 Supported ILOM Compatible Web Browsers and Java Versions

Client OS | Supports These Web Browsers | Java Runtime Environment Including Java Web Start
---|---|---
 |  | JRE 1.5 (Java 5.0 Update 7 or later)

You can download the Java 1.5 runtime environment at:
The current version of the ILOM guide is available at:
Using another workstation on the network, launch a Web browser.
Connect to the KMA ELOM using the IP Address or hostname of LAN 1 (NET MGT), which is the address just configured.
Note: Because the certificate in the ELOM will not match the assigned name or IP, you will receive one or more warnings from your web browser.
Click OK or Yes to bypass these warnings.
Once past the warnings, you receive the ELOM login prompt.
Log in using:
Userid = root
Password = changeme
The next screen is the Manager Screen. If the server has just been connected to power, and it has not been powered on, it will not have completed a system boot.
KMAs are configured to boot up automatically when initially powered on and should boot up to the QuickStart prompt within a few minutes of being powered on.
Check the power status by clicking on the System Monitoring tab.
If the Power Status shows "power off," click the Remote Control tab to the far right of the upper row of tabs.
Click the Remote Power Control tab in the second row of tabs.
In the Select Action drop-down, choose Power On and click the Save button.
The KMA begins powering up. This takes a few minutes; however, you can continue with the KMA configuration.
Click the Remote Control tab in the first row of tabs.
Click the Redirection tab in the second row of tabs.
Click the Launch Redirection button.
A java applet is downloaded before starting the remote console window.
This launches the remote console screen in a new window.
Save the javaRKVM.jnlp file when requested, then open it to start the remote console. Click past any warnings that may be displayed.
Go to "Launching the OKM Console" for the next steps in the process.
Using another workstation on the network, launch a Web browser.
Connect to the KMA ILOM using the IP Address or hostname of LAN 1 (NET MGT), which is the address just configured.
Note: Because the certificate in the ILOM does not match the assigned name or IP, you receive one or more warnings from your web browser.
Click OK or Yes to bypass these warnings.
Once past the warnings, you receive the ILOM login prompt.
Log in using:
Userid = root
Password = changeme
The next screen is the Manager Screen. If the server has just been connected to power, and it has not been powered on, it will not have completed a system boot.
KMAs are configured to boot up automatically when initially powered on and should boot up to the QuickStart prompt within a few minutes of being powered on.
Check the power status shown next to Host Power.
If Host Power shows that the power is off, click the Change drop-down.
In the Select Action drop-down, choose Power On and click the Save button.
The KMA begins powering up. This will take a few minutes; however, you can continue with the KMA configuration.
Click the Remote Control tab in the first row of tabs.
Click the Redirection tab in the second row of tabs.
Click the Launch Remote Console button.
A java applet is downloaded before starting the remote console window. This launches the remote console screen in a new window.
Save the javaRKVM.jnlp file when requested, then open it to start the remote console. Click past any warnings that may be displayed.
Go to "Launching the OKM Console" for the next steps in the process.
Press any key and press <Enter> to continue. The KMA checks the SCA 6000 card and reports its status.
After a reboot, reset, or initial installation, a new message is displayed if the SCA 6000 card is being initialized or upgrading its firmware. The console is disabled until it is complete.
Console unavailable while KMA Maintenance is in progress...
Press <Enter>.
You now proceed to the QuickStart program prompt described in "Starting QuickStart".
See Appendix D "Service Processor Procedures" for procedures to configure and upgrade the ELOM and ILOM.
When a KMA in the factory default state is powered on, a special mode of the KMA Configuration Menu called QuickStart is automatically executed. QuickStart collects the minimal configuration information required for initializing the KMA. Once the QuickStart program has been successfully completed, it cannot be re-executed. The only way to access the QuickStart program again is to reset the KMA to its factory default state (refer to "Resetting the KMA to the Factory Default".)
Note: In the following screen examples, entries in bold represent areas where you respond.
To run the QuickStart Program:
Power on the KMA. When you power up the KMA for the first time, QuickStart is executed, and the Welcome to QuickStart! screen is displayed.
KMAs perform initial configuration steps after they are first booted. These steps can take a few minutes to complete. KMAs display messages that indicate the initial configuration is occurring.
If you press Ctrl-c, the QuickStart program resets and the Welcome to QuickStart! screen is redisplayed.
```text
Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.0.0 (build2020)
SO on Strathclyde
----------------------------------------------------------
Welcome to QuickStart!
Authorized users only. All activity may be monitored and reported.
Performing initial configuration of this KMA - Please wait
Initial configuration of this KMA completed
The QuickStart program will guide you through the necessary steps for configuring the KMA.
You may enter Ctrl-c at any time to abort; however, it is necessary to successfully complete all steps in this initialization program to enable the KMA.
Press Enter to continue:
Set Keyboard Layout
__________________________________________________________
Press Ctrl-c to abort.
You may change the keyboard layout here.
Available keyboard layouts:
( 1) Arabic               ( 2) Belgian              ( 3) Brazilian
( 4) Canadian-Bilingual   ( 5) Canadian-French      ( 6) Danish
( 7) Dutch                ( 8) Dvorak               ( 9) Finnish
(10) French               (11) German               (12) Italian
(13) Japanese-type6       (14) Japanese             (15) Korean
(16) Latin-American       (17) Norwegian            (18) Portuguese
(19) Russian              (20) Spanish              (21) Swedish
(22) Swiss-French         (23) Swiss-German         (24) Traditional-Chinese
(25) TurkishQ             (26) UK-English           (27) US-English
The current layout is US-English
Please enter the number for the keyboard layout [27] :
The keyboard layout has been applied successfully.
Press Enter to continue
```
The following procedures allow you to establish the network configuration.

To set the KMA Management IP addresses:

1. Press <Enter> to continue. The following information is displayed.

```text
Set KMA Management IP Addresses
-------------------------------------------------------
Press Ctrl-c to abort.
An IP Address configuration must be defined in order for the KMA to communicate with other KMAs or Users in your system.
Do you want to configure the Management Network interface to have an IPv6 address? [y/n]:
Do you want to use DHCP to configure the Management Network IPv4 interface? [y/n]:
Please enter the Management Network IP Address [10.172.180.39]:
Please enter the Management Network Subnet Mask [255.255.254.0]:
```

2. At the Please enter your choice: prompt on the main menu, type 3 and press <Enter>.
3. Type either n or y at the Do you want to configure the Management Network interface to have an IPv6 address prompt.
4. Type either n or y at the Do you want to use DHCP to configure the Management Network IPv4 interface prompt. If you type n, go to Step 5. If you type y, you go to the procedure "Setting the KMA Service IP Addresses".

Note: If you elect to use DHCP, any hostname information provided by the DHCP server is ignored. Any DNS information provided by the DHCP server is presented in "Specifying the DNS Settings".

5. At the prompt, type the Management Network IP address and press <Enter>.
6. At the Please enter the Management Network Subnet Mask: prompt, type the subnet mask address (for example, 255.255.254.0) and press <Enter>.
To enable the Technical Support account:

1. Press <Enter> to continue. The following information is displayed.

```text
To assist in troubleshooting your network configuration, you might want to enable the technical support account for the network configuration steps of the QuickStart process.
Do you want to enable this support account for the network configuration steps of the QuickStart process? [y/n]: y
Press Enter to continue:
```

2. If you want to enable the technical support account in QuickStart, type y at the Do you want to enable this support account for the network configuration steps of the QuickStart process? prompt. Otherwise, type n, and you proceed to Step 3.

Note: If you type y, you see the same prompts that are described in "Enabling the Technical Support Account". After answering these prompts, you move to Step 3.

3. Press <Enter> to continue.

If you have enabled the Technical Support account, QuickStart disables it after you complete the "Specifying the DNS Settings" process. The following screen is displayed.

```text
The support account is now being disabled.
Technical Support configuration changes have been completed.
Press Enter to continue:
```
To set the KMA Service IP addresses:

1. Press <Enter> to continue. The following information is displayed.

```text
Set KMA Service IP Addresses
-------------------------------------------------------
Press Ctrl-c to abort.
An IP Address configuration must be defined in order for the KMA to communicate with other Agents in your system.
Do you want to configure the Service Network interface to have an IPv6 address? [y/n]: y
Do you want to use DHCP to configure the Service Network IPv4 interface? [y/n]: n
Please enter the Service Network IP Address [192.168.1.39]:
Please enter the Service Network Subnet Mask [255.255.255.0]:
```

2. At the Please enter your choice: prompt on the main menu, type 4 and press <Enter>.
3. Type either n or y at the Do you want to configure the Service Network interface to have an IPv6 address prompt.
4. Type either n or y at the Do you want to use DHCP to configure the Service Network IPv4 interface prompt. If you type n, go to Step 5. If you type y, you go to the procedure "Viewing/Adding/Deleting Gateways".
5. At the prompt, type the Service Network IP address and press <Enter>.
6. At the Please enter the Service Network Subnet Mask: prompt, type the subnet mask address (for example, 255.255.255.0) and press <Enter>.
This menu option shows the current gateway settings (five to a page) on the Management (M) and Service (S) interfaces.

1. Press <Enter> to continue. The following information is displayed, indicating that you can add a gateway, remove a gateway, or accept the current gateway configuration.

```text
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   #  Destination        Gateway           Netmask              IF
----  -----------------  ----------------  -------------------  --
   1  default            10.172.181.254    0.0.0.0              M
   2  default            10.172.181.21     0.0.0.0              M
   3  default            192.168.1.119     0.0.0.0              S
   4  10.0.0.0           10.172.180.25     255.255.254.0        M
*  5  10.172.180.0       10.172.180.39     255.255.254.0        M
Press Enter to continue:
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   #  Destination        Gateway           Netmask              IF
----  -----------------  ----------------  -------------------  --
*  6  192.168.1.0        192.168.1.39      255.255.255.0        S
   7  192.168.25.0       10.172.180.25     255.255.255.0        M
   8  192.168.26.0       10.172.180.25     255.255.255.0        M
*  9  127.0.0.1          127.0.0.1         255.255.255.255
* 10  fe80::             2001:db8::/32     10                   M
(1) Continue
(2) Back
1
Modify Gateway Settings
------------------------------------------------------------
Press Ctrl-c to abort.
Gateways that are configured automatically are not modifiable, and are indicated with an asterisk (*).
Management routes are indicated with an 'M', and service routes with an 'S'.
   #  Destination        Gateway                    Netmask     IF
----  -----------------  -------------------------  ----------  --
* 11  fe80::             fe80::216:36ff:feca:15b9   10          S
You can add a route, delete a route, or exit the gateway configuration.
Please choose one of the following:
(1) Add a gateway
(2) Remove a configured gateway (only if modifiable)
(3) Exit gateway configuration
(4) Display again
3
```

2. At the Please enter your choice: prompt on the main menu, type 5 and press <Enter>.
3. At the (1) Continue (2) Back prompt, type 1 to display the next gateway setting or 2 to return to the previous gateway setting.
4. At the Please choose one of the following: prompt, type 1, 2, 3, or 4 and press <Enter>.

Note: If at any time you press Ctrl+c, no changes are saved and you are returned to the main menu.
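A default gateway that is not on-link for its interface is silently unusable, so a pre-check of the addresses entered in the Management, Service and Gateway steps above is worthwhile before leaving QuickStart. The following Python script is an added example, not part of the Oracle documentation or of OKM itself: it parses rows in the format of the gateway listing shown above and reports any default gateway that does not fall inside the subnet of the interface (M or S) it is bound to. The interface addresses and the listing rows are constructed sample values copied from the screens in this section.

```python
import ipaddress

# Constructed sample: the two interfaces entered in the IP-address steps above
# and the first page of the "Modify Gateway Settings" listing, pasted as text.
INTERFACES = {
    "M": ("10.172.180.39", "255.255.254.0"),   # Management network
    "S": ("192.168.1.39", "255.255.255.0"),    # Service network
}
GATEWAY_LISTING = """\
1 default 10.172.181.254 0.0.0.0 M
2 default 10.172.181.21 0.0.0.0 M
3 default 192.168.1.119 0.0.0.0 S
4 10.0.0.0 10.172.180.25 255.255.254.0 M
* 5 10.172.180.0 10.172.180.39 255.255.254.0 M
"""


def usable_host_address(address, netmask):
    """True unless the address is the network or broadcast address of its subnet."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def interface_network(address, netmask):
    """Return the on-link subnet for an address/netmask pair (e.g. 10.172.180.0/23)."""
    if not usable_host_address(address, netmask):
        raise ValueError(f"{address}/{netmask} is not a usable host address")
    return ipaddress.IPv4Interface(f"{address}/{netmask}").network


def parse_gateways(listing):
    """Parse listing rows into dicts. A leading '*' marks a route that was
    configured automatically and therefore cannot be modified."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        auto = fields[0] == "*"
        if auto:
            fields = fields[1:]
        num, dest, gateway, netmask, iface = fields[:5]
        rows.append({"num": int(num), "dest": dest, "gateway": gateway,
                     "netmask": netmask, "if": iface, "auto": auto})
    return rows


def offlink_default_gateways(listing, interfaces):
    """Return the default gateways that lie outside the subnet of the interface
    they are attached to; packets can never reach such a gateway."""
    bad = []
    for row in parse_gateways(listing):
        if row["dest"] != "default":
            continue
        net = interface_network(*interfaces[row["if"]])
        if ipaddress.IPv4Address(row["gateway"]) not in net:
            bad.append(row["gateway"])
    return bad


if __name__ == "__main__":
    for label, (addr, mask) in INTERFACES.items():
        print(label, addr, mask, "->", interface_network(addr, mask))
    print("off-link default gateways:", offlink_default_gateways(GATEWAY_LISTING, INTERFACES))
```

For the sample values every default gateway is on-link (the /23 management subnet spans 10.172.180.0 through 10.172.181.255), so the script reports an empty list; a gateway typed with a transposed octet shows up immediately.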
This menu option shows the DNS settings, and prompts you for a new DNS domain (if you want to configure one) and the DNS server IP addresses.

Note: If you chose to use DHCP on the management network in "Setting the KMA Management IP Addresses", the KMA displays any DNS settings from a DHCP server on the management network. You can enter information to override these DNS settings.

1. Press <Enter> to continue. The following information is displayed.

```text
Set DNS Configuration
-------------------------------------------------------
Press Ctrl-c to abort.
DNS configuration is optional, but necessary if this KMA will be configured using hostnames instead of IP addresses.
Current DNS configuration:
Domain:
Nameservers:
Please enter the DNS Domain (blank to unconfigure DNS): example.com
Up to 3 DNS Name Servers can be entered. Enter each name server separately, and enter a blank name to finish.
Please enter DNS Server IP Address #1: 10.172.0.5
Please enter DNS Server IP Address #2:
```

2. At the Please enter your choice: prompt on the main menu, type 6 and press <Enter>.
3. Enter the DNS domain name at the Please enter the DNS Domain (blank to unconfigure DNS): prompt.
4. Enter the DNS server IP address at the Please enter DNS Server IP address prompt. You can enter up to three IP addresses.
5. Press <Enter>, without specifying an IP address, to finish.
1. Press <Enter> to continue. The following information is displayed.

```text
The KMA Name is a unique identifier for your KMA. This name should not be the same as the KMA Name for any other KMA in your cluster. It also should not be the same as any User Names or Agent IDs in your system.
Please enter the KMA Name: KMA-1
Press Enter to continue:
```

2. At the prompt, type a unique identifier for the KMA.

Note: A KMA Name cannot be altered once it is set using the QuickStart program. It can only be changed by resetting the KMA to the factory default and running QuickStart again. This KMA name is used as the hostname for the KMA.

3. At the prompt, press <Enter>. The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.

```text
You can now use this KMA to create a new Cluster, or you can have this KMA join an existing Cluster.
You can also restore a backup to this KMA or change the KMA version.
Please choose one of the following:
(1) Create New Cluster
(2) Join Existing Cluster
(3) Restore Cluster from Backup
Please enter your choice: 1
Create New Cluster
```

4. At the prompt, type 1, 2, or 3 and press <Enter>.
   If you type 1, go to "Entering Key Split Credentials".
   If you type 2, go to "Joining an Existing Cluster".
   If you type 3, go to "Restoring a Cluster From a Backup".
Key Split Credentials user IDs and passphrases should be entered by the individual who owns that user ID and passphrase. Using one person to collect and enter this information defeats the purpose of having the Key Split Credentials.
If it is impractical for all members of the Key Split Credentials to enter this information at this time, enter a simple set of credentials now, and then enter the full credentials later in the OKM Manager.
However, doing this creates a security risk. If a Core Security backup is created with simple Key Split Credentials, it can then be used to restore a backup.
1. At the Please enter your choice: prompt, type 1. The following information is displayed.

```text
The Key Split credentials are used to wrap splits of the Core Security Key Material which protects Data Unit Keys.
When Autonomous Unlocking is not enabled, a quorum of Key Splits must be entered in order to unlock the KMA and allow access to Data Unit Keys.
A Key Split credential, consisting of a unique User Name and Passphrase, is required for each Key Split.
The Key Split Size is the total number of splits that will be generated.
This number must be greater than 0 and can be at most 10.
Please enter the Key Split Size: 2
The Key Split Threshold is the number of Key Splits required to obtain a quorum.
Please enter the Key Split Threshold: 1
Please enter the Key Split User Name #1: user1
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User Name.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter Key Split Passphrase #1: ********
Please re-enter Key Split Passphrase #1: ********
Press Enter to continue:
Press Ctrl-c to abort.
```

Note: The Key Split Size and Key Split Threshold can be changed using "Modifying the Key Split Configuration". The Key Split Threshold must be less than or equal to the Key Split Size. User IDs and passphrases should be entered only by an authorized user to keep them secure. These items also can be changed after running the QuickStart program.

2. At the Please enter the Key Split Size: prompt, type the number of key splits to be generated and press <Enter>.
3. At the Please enter the Key Split Threshold: prompt, type the number of key splits required to obtain a quorum and press <Enter>.
4. At the Please enter the Key Split User Name #1: prompt, type the user name for the first Key Split user and press <Enter>.
5. At the Please enter Key Split Passphrase #1: prompt, type the passphrase for the first Key Split user and press <Enter>.
6. At the Please re-enter Key Split Passphrase #1: prompt, type the same passphrase that you previously entered and press <Enter>.
7. Repeat Steps 4 through 6 until all user names and passphrases have been entered for the selected Key Split size.

Note: The Key Split user names and passphrases are independent of other user accounts that are established for KMA administration. Oracle recommends that key split user names be different from KMA user names.
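The Key Split Size and Key Split Threshold define a threshold quorum: any Threshold of the Size splits are sufficient, and fewer are useless. The following Python program is an added illustration of what those two parameters mean, not OKM code and not a description of how OKM actually wraps its Core Security Key Material; it uses Shamir secret sharing over a prime field, which is the example's own choice, and enforces only the constraints stated on this page (Size from 1 to 10, Threshold from 1 to Size). The field prime and the random test secret are likewise the example's own.

```python
import secrets

# Field prime for the share arithmetic: the Mersenne prime 2^521 - 1 (example's own choice).
P = 2**521 - 1


def valid_split_parameters(size, threshold):
    """The constraints QuickStart states: 0 < Size <= 10 and 0 < Threshold <= Size."""
    return 1 <= size <= 10 and 1 <= threshold <= size


def split_secret(secret, size, threshold):
    """Produce `size` shares of `secret`, any `threshold` of which recover it.
    Each share is a point (x, f(x)) on a random polynomial of degree threshold-1
    whose constant term is the secret, so threshold-1 points reveal nothing about it."""
    if not valid_split_parameters(size, threshold):
        raise ValueError("Key Split Size must be 1..10 and Key Split Threshold must be 1..Size")
    if not 0 <= secret < P:
        raise ValueError("secret must be a non-negative integer below the field prime")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, size + 1):
        y = 0
        for c in reversed(coeffs):      # Horner's rule, all arithmetic mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Yields the secret when at least `threshold`
    distinct shares are supplied; with fewer it yields an unrelated field element."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def quorum_demo(size, threshold):
    """Return (recovered with a quorum, recovered with one share too few) for a random secret."""
    secret = secrets.randbelow(P)
    shares = split_secret(secret, size, threshold)
    with_quorum = recover_secret(shares[:threshold]) == secret
    below_quorum = recover_secret(shares[:threshold - 1]) == secret
    return with_quorum, below_quorum


if __name__ == "__main__":
    # The screen above used Size 2 / Threshold 1; a 3-of-5 split is what a
    # multi-person quorum looks like.
    print("2 splits, threshold 1:", quorum_demo(2, 1))
    print("5 splits, threshold 3:", quorum_demo(5, 3))
```

A Threshold of 1, as in the screen above, means any single Key Split user can unlock the KMA on their own, which is why the text recommends entering a simple set of credentials only as a stopgap and replacing them with the full set in the OKM Manager.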
8. At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

```text
The initial Security Officer User is the first User that can connect to the KMA via the Oracle Key Manager GUI.
This User can subsequently create additional Users and administer the system.
Please enter a Security Officer User Name: SecOfficer
A Passphrase is used to authenticate to the KMA when a connection is made via the Oracle Key Manager GUI.
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User Name.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter the Security Officer Passphrase: ********
Please re-enter the Security Officer Passphrase: ********
Press Enter to continue:
Press Ctrl-c to abort.
```

Note: This initial Security Officer user account is used to log on to the KMA using the OKM Manager.
At the prompt, type the Security Officer's user name and press <Enter>. The following information is displayed.
At the prompt, type the Security Officer's passphrase and press <Enter>.
At the Please re-enter the Security Officer Passphrase: prompt, re-type the same passphrase and press <Enter>.
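The Key Split passphrases entered earlier and the Security Officer passphrase entered here are subject to the same three rules (8 to 64 characters, must not contain the user name, characters from at least 3 of the 4 classes). The following Python checker is an added example, not OKM's own validation code; it applies those rules, mirrors the enter/re-enter prompt pair, and also flags Key Split user names that repeat or coincide with a KMA user name, which the note above recommends against. Whether OKM compares the user name case-insensitively is not stated on this page, so the case-insensitive comparison below is an assumption (the stricter reading).

```python
# The four character classes named by the QuickStart prompt.
CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "numeric": str.isdigit,
    "other": lambda c: not c.isalnum(),
}


def character_classes(passphrase):
    """Return the set of character classes that occur in the passphrase."""
    return {name for name, test in CLASSES.items() if any(test(c) for c in passphrase)}


def passphrase_problems(user_name, passphrase):
    """Apply the three QuickStart passphrase rules; an empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 64:
        problems.append("length must be between 8 and 64 characters")
    # Assumption: the containment test is case-insensitive (stricter than a literal match).
    if user_name and user_name.lower() in passphrase.lower():
        problems.append("must not contain the user name")
    if len(character_classes(passphrase)) < 3:
        problems.append("must contain characters from at least 3 of 4 classes (uppercase, lowercase, numeric, other)")
    return problems


def confirm_passphrase(user_name, passphrase, reentered):
    """Mirror the 'enter' / 're-enter' prompt pair: the two entries must match and pass the rules."""
    if passphrase != reentered:
        return ["re-entered passphrase does not match"]
    return passphrase_problems(user_name, passphrase)


def check_key_split_credentials(credentials, kma_user_names=()):
    """credentials: list of (user_name, passphrase) in the order they would be typed.
    Returns a list of (user_name, problems) for each credential that fails a rule,
    including duplicate Key Split names and names that are also KMA user names."""
    failures = []
    seen = set()
    for name, passphrase in credentials:
        problems = passphrase_problems(name, passphrase)
        if name in seen:
            problems.append("duplicate Key Split user name")
        seen.add(name)
        if name in kma_user_names:
            problems.append("Key Split user name is also a KMA user name")
        if problems:
            failures.append((name, problems))
    return failures


if __name__ == "__main__":
    # Constructed sample credentials; "SecOfficer" is the KMA user created in the screen above.
    sample = [("user1", "Abcdef1!"), ("user1", "Zyxwvu9#"), ("SecOfficer", "Qwerty12!")]
    for name, problems in check_key_split_credentials(sample, kma_user_names={"SecOfficer"}):
        print(name, "->", "; ".join(problems))
```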
Important – All KMAs have their own passphrases that are independent of passphrases assigned to users and Agents. The first KMA in a Cluster is assigned a random passphrase. If this KMA's certificate expires, and you want to retrieve its entity certificate from another KMA in the Cluster, you would have to use the OKM Manager to set the passphrase to a known value. For procedures, refer to "Setting a KMA Passphrase".
At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

```text
When Autonomous Unlocking is DISABLED, it is necessary to UNLOCK the KMA using a quorum of Key Split Credentials EACH TIME the KMA starts before normal operation of the system can continue.
Agents may NOT register Data Units with or retrieve Data Unit Keys from a locked KMA.
When Autonomous Unlocking is ENABLED, the KMA will automatically enter the UNLOCKED state each time the KMA starts, allowing it to immediately service Agent requests.
Do you wish to enable Autonomous Unlocking? [y/n]: y
```

Note: The Autonomous Unlocking feature allows the KMA to enter a fully operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the OKM Manager. You can change this option from the OKM Manager at a later time.

At the prompt, type y or n and press <Enter>.

At the Press Enter to continue: prompt, press <Enter>. The following information is displayed.

```text
Enter Key Pool Size
-------------------------------------------------------
Press Ctrl-c to abort.
Each KMA pre-generates and maintains a pool of keys. These pre-operational keys must be backed up or replicated before a KMA will provide them to an Agent for use in protecting data. This helps to ensure that a key will never be permanently lost, even in disaster scenarios.
A smaller key pool size prevents unnecessary initial database (and backup) size, but requires frequent backups or a reliable network to ensure that activation-ready keys are always available.
Conversely, a large key pool size is more tolerant of infrequent backups or unreliable network connections between KMAs, but the large number of pre-generated keys causes the database (and backups) to be quite large.
Please select the key pool size (1000 - 200000):
```

At the prompt, enter the key pool size. The value entered determines the initial size of the pool that the new KMA generates and maintains.
KMAs in a Cluster must keep their clocks synchronized. Internally, all KMAs use UTC time (Coordinated Universal Time).

You can also use the OKM Manager to adjust date and time settings to local time.

```text
KMAs in a Cluster must keep their clocks synchronized.
Specify an NTP server if one is available in your network.
Otherwise, specify the date and time to which the local clock should be set.
Please enter the NTP Server Hostname or IP Address (optional): ntp.example.com
Press Enter to continue:
Initializing new cluster...
New cluster has been created.
Press Enter to continue:
Oracle Key Manager Version 3.0.0 (Build2020)
__________________________________________________________
KMA initialization complete!
You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.
Press Enter to exit:
Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.0.0 (Build2020)
__________________________________________________________
Please enter your User Name:
```

If an NTP server is available in your network environment, at the Please enter the NTP Server Hostname or IP Address (optional): prompt, enter the NTP server hostname or IP address.

Note: You can provide an IPv6 address for this NTP server. This IPv6 address must not include square brackets or a prefix length.

If an NTP server is not available, press <Enter>. Then, at the Please enter the date and time for this KMA prompt, enter the date and time in one of the specified formats, or press <Enter> to use the displayed date and time.

At the prompt, press <Enter>. KMA initialization is complete.

Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Logging into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.
Your next step is to use the OKM Manager to connect to the Cluster. For procedures, refer to "Connecting to the Cluster".
Important – Before performing this task, the Security Officer must first log into the OKM Cluster using the OKM Manager and create a KMA. See "Creating a KMA". The KMA Name specified in the KMA initialization process (see "Initializing the KMA") must match the KMA name you enter when you create the KMA.
When you add a new KMA to an existing OKM Cluster, the OKM Cluster begins to propagate Cluster information to the new KMA. It takes time for the Cluster to finish circulating this information to the new KMA, and as a result, the Cluster becomes busy during this time period.
Add KMAs to the Cluster during times of light loads so that this propagation activity does not interfere with normal operations. To avoid problems caused by Agents attempting to use the new KMA during the synchronization period, the KMA remains locked after it has been added to the Cluster. Wait until the KMA has been synchronized (that is, until it has ”caught up” with other KMAs in the Cluster) before you unlock it.
In earlier KMS releases, if the release running on a new KMA was different from an existing KMA in the Cluster, then the new KMA was automatically upgraded or downgraded to the release of the existing KMA when the new KMA joined the Cluster. For OKM 2.3 and later, if the new KMA runs OKM 2.3 and later and the existing KMA runs an earlier KMS release, then the new KMA can join the Cluster without downgrading to the earlier release.
If you are running OKM 2.3 or later, before you add a KMA to the Cluster, the replication version must be set to the highest value supported by all KMAs in the Cluster. Refer to "Switching the Replication Version".
To join a new KMA to an existing Cluster:

1. When you complete the KMA initialization process (see "Initializing the KMA"), at the prompt, press <Enter>. The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.

```text
You can now use this KMA to create a new Cluster, or you can have this KMA join an existing Cluster.
You can also restore a backup to this KMA or change the KMA Version.
Please choose one of the following:
(1) Create New Cluster
(2) Join Existing Cluster
(3) Restore Cluster from Backup
Please enter your choice: 2
Join Existing Cluster
```

2. At the Please enter your choice: prompt, type 2. The following information is displayed.

```text
Join Existing Cluster
-------------------------------------------------------
Press Ctrl-c to abort.
In order to join a Cluster, the KMA must contact another KMA which is already in the Cluster.
Please enter the Management Network IP Address or Host Name of an existing KMA in the cluster: 10.172.60.172
Please enter this KMA's Passphrase: ********
Press Enter to continue:
This command requires authorization by a quorum of Key Split Users.
Enter sufficient Key Split credentials to form a quorum.
Enter a blank name to finish.
Press Ctrl-c to abort.
Please enter Key Split User Name #1: user1
Please enter Key Split Passphrase #1: ********
Press Enter to continue:
Joining cluster...
This KMA has joined the Cluster.
Press Enter to continue:
Oracle Key Manager Version 2.3 (Build1036)
-------------------------------------------------------
KMA initialization complete!
You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.
Press Enter to exit:
```

Note: Before this new KMA can communicate with an existing KMA in the Cluster, you must use the OKM Manager to create an entry for this KMA in the existing KMA's database. For procedures, refer to "Creating a KMA".

3. At the prompt, type the network address of one KMA in the existing Cluster and press <Enter>.
4. At the prompt, type the passphrase for the KMA and press <Enter>.
5. Enter the first Key Split user name for the first KMA.
6. Type the passphrase for the Key Split user, and press <Enter>.

Important – Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.

7. Repeat Steps 5 and 6 until you have entered a sufficient number of Key Split user names and passphrases to form a quorum.
8. At the next Please enter Key Split User Name prompt, press <Enter>. Enter a blank name to finish.

The initialization is complete.
At the end of a successful Join Cluster session, QuickStart displays the following prompt if the Cluster's replication version is at least 12.
It might take some time for this KMA to be updated with information from other KMAs in the Cluster. This amount of time can be greater in Clusters that have more KMAs or when the KMAs have been online for a long time. To accelerate these initial updates (that is, to catch up now), you can choose now to download a backup from another KMA in the Cluster and then restore from it. There will not be an opportunity to accelerate these updates later. Catch up now? [y/n]:
Type y to accelerate initial updates. Otherwise, type n to go to Step 10.
Note: Before you type y at the above prompt, create a backup on a peer KMA after you have switched the Cluster's replication version to 12. Also, ensure that the peer KMA on which you created a backup is currently responding on the network. These steps help the new KMA find a cached backup to download and apply. |
The KMA you specified identifies another KMA that has the largest cached backup in this Cluster, downloads that backup, and then applies it to its local database. This process is equivalent to replicating the data but at a much faster rate. Informational messages appear during this process.
For example:
Waiting 10 seconds for the join to propagate to Peer KMAs...
Querying Peer KMAs to find the active ones...
Querying active Peer KMAs to find cached backup sizes...
Peer KMA at IP Address 10.172.180.39 has a cached backup size of 729136 bytes.
Downloading the cached backup from this Peer KMA...
Downloaded the cached backup from this Peer KMA.
Initialized the Key Store.
Performed maintenance on the Key Store.
Applying the cached backup to the local database...
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
Applied the cached backup to the local database.
Successfully accelerated initial updates on this KMA.
Later, the newly joined KMA automatically replicates any data that is not in the backup.
If an error occurs during this process, QuickStart displays the above prompt again (in case the error is due to a temporary condition). QuickStart also displays the above prompt again if the KMA cannot find a peer KMA that has a cached backup.
However, if more than 5 minutes have elapsed since the first time the above prompt was displayed, QuickStart displays the following message and no longer displays the above prompt:
Failed to accelerate initial updates on this KMA after 300 seconds. This KMA will gradually be updated with information from other KMAs.
Regardless of whether you typed y or n at Step 9, or even if the process timed out, these messages appear:
This KMA has joined the Cluster. Press Enter to continue:
Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Logging into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.
Your next step is to use the OKM Manager to connect to the Cluster. For procedures, refer to "Connecting to the Cluster".
The OKM Cluster begins to propagate information to the newly added KMA. This causes the new KMA to be very busy until it has caught up with the existing KMAs in the Cluster. The other KMAs are also busy. You can observe this activity from the OKM Manager by viewing the KMAs as described by "Viewing KMAs".
Observe the Replication Lag Size value of the new KMA. Initially, this value is high. Periodically refresh the information displayed in this panel by pulling down the View menu and selecting Refresh or by pressing the F5 key. Once the Replication Lag Size value of this KMA drops to a similar value of other KMAs in the Cluster, then you can unlock the KMA as described by "Unlocking the KMA".
This option allows you to create a Security Officer account that can be used to restore the Backup image to the KMA using the OKM Manager. You can use a Backup to restore a KMA's configuration in the event a KMA experiences a failure (for example, hard disk damage). This, however, is not typically required since a KMA that is restored to the factory default state can readily join an existing Cluster and build up its database by receiving replication updates from Cluster peers. Restoring a KMA from a Backup is still useful in the event that all KMAs in a Cluster have failed.
Note: You first must create a Backup. For procedures on creating Backups using the OKM Manager, refer to "Creating a Backup". Oracle recommends you specify a new Security Officer name that did not exist in the OKM Cluster when the last backup was performed. If you specify an existing Security Officer name and provide a different passphrase, the old passphrase is overwritten. If you specify an existing Security Officer name and other roles were added to that user before the last backup was performed, these other roles are no longer assigned to this User.
To restore the backup image:
When you complete the KMA initialization process (see "Initializing the KMA"), at the prompt, press <Enter>.
The following information is displayed, indicating that you can use this KMA to create a new Cluster, join an existing Cluster, or restore a Cluster from a backup of this KMA.
You can now use this KMA to create a new Cluster, or you can have this KMA join an existing Cluster. You can also restore a backup to this KMA or change the KMA Version.
Please choose one of the following:
(1) Create New Cluster
(2) Join Existing Cluster
(3) Restore Cluster from Backup
Please enter your choice: 3
Restore Cluster from Backup
At the Please enter your choice: prompt, type 3. The following information is displayed.
Initial Restore Cluster From Backup
Enter Initial Security Officer User Credentials
-------------------------------------------------------
Press Ctrl-c to abort.
The initial Security Officer User is the first User that can connect to the KMA via the Oracle Key Manager GUI. This User can subsequently create additional Users and administer the system.
Please enter a Security Officer User ID: SO1
A Passphrase is used to authenticate to the KMA when a connection is made via the KMS Manager.
Passphrases must be at least 8 characters and at most 64 characters in length.
At the prompt, type the Security Officer's user name and press <Enter>.
Best Practice: Enter a temporary restore Security Officer user ID (for example, RestoreSO) instead of the Security Officer user ID that existed prior to the restore.
At the prompt, type the Security Officer's passphrase and press <Enter>.
Steps 5 through 7 are optional.
If you choose to define initial quorum user credentials in QuickStart, you can enter a quorum login name and passphrase at this time so that the restore operation from the OKM Manager GUI (Step 13) is pended.
Quorum members can then use this login and passphrase later to log in to the OKM Manager GUI and enter their credentials to approve the restore (see "Restoring a Backup").
If you do not enter a quorum login user ID here, the only user that exists at the end of QuickStart is the Security Officer created in Step 3. In this case, all Key Split Credentials must be entered at once for the restore to occur.
The following information is displayed:
Enter Initial Quorum Login User Credentials
-------------------------------------------------------
Press Ctrl-c to abort.
The initial Quorum Login User is an optional user that will allow the restore
operation to be pended until quorum members can connect to the KMA via the
Oracle Key Manager GUI and enter their credentials. If this user is not
created here, then a quorum of credentials must be entered at the time the
restore operation is requested.
Please enter a Quorum Login User ID (optional): Q
Passphrases must be at least 8 characters and at most 64 characters in length.
Passphrases must not contain the User's User ID.
Passphrases must contain characters from 3 of 4 character classes (uppercase, lowercase, numeric, other).
Please enter the Quorum Login Passphrase:
Please re-enter the Quorum Login Passphrase:
At the prompt, either press <Enter> or type the quorum login user ID and press <Enter>.
At the prompt, either press <Enter> or type the quorum login passphrase and press <Enter>.
At the Please re-enter the Quorum Login Passphrase: prompt, either press <Enter> or re-type the same passphrase and press <Enter>.
At the Please re-enter the Security Officer's Passphrase: prompt, retype the passphrase you entered in Step 4 and press <Enter>.
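The passphrase rules shown in the Quorum Login prompt above (8 to 64 characters, not containing the User ID, at least 3 of 4 character classes) can be checked before they are typed into QuickStart. The following validator is an added example, not OKM code; it assumes the "must not contain the User's User ID" rule is applied case-insensitively, which the page does not state.

```python
# Policy as displayed by the QuickStart prompt: 8..64 characters, must not
# contain the user's ID, and must use at least 3 of the 4 character classes
# (uppercase, lowercase, numeric, other).
MIN_LEN, MAX_LEN, MIN_CLASSES = 8, 64, 3


def character_classes(passphrase):
    """Return the set of character classes present in the passphrase."""
    classes = set()
    for ch in passphrase:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("numeric")
        else:
            classes.add("other")
    return classes


def check_passphrase(user_id, passphrase):
    """Return the list of policy violations; an empty list means acceptable.

    Assumption (not stated on the page): the User ID containment check is
    case-insensitive, the stricter reading of the rule.
    """
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if user_id and user_id.lower() in passphrase.lower():
        problems.append("must not contain the user ID")
    if len(character_classes(passphrase)) < MIN_CLASSES:
        problems.append(f"must use at least {MIN_CLASSES} of 4 character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    samples = [("Q", "Tr0ub4dor&3"), ("RestoreSO", "RestoreSO-2024!"), ("SO1", "short")]
    for uid, pw in samples:
        print(uid, "->", check_passphrase(uid, pw) or "OK")
```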
Set Time Information
-------------------------------------------------------
Press Ctrl-c to abort.
KMAs in a Cluster must keep their clocks synchronized. Specify an NTP server if one is available in your network. Otherwise, specify the date and time to which the local clock should be set.
Please enter the NTP Server Hostname or IP Address (optional):
The date and time for this KMA must be specified in ISO 8601 format including a time zone. Here are some valid ISO 8601 format patterns:
YYYY-MM-DDThh:mm:ssZ
YYYY-MM-DD hh:mm:ssZ
YYYY-MM-DDThh:mm:ss-0600
YYYY-MM-DD hh:mm:ss-0600
YYYY-MM-DDThh:mm:ss+02:00
YYYY-MM-DD hh:mm:ss+02:00
Please enter the date and time for this KMA [2007-09-17 22:32:53.698Z]: 2007-09-17 22:33:00-0600
Press Enter to continue:
The KMA is now ready to be restored.
Press Enter to continue:
If an NTP server is available in your network environment, at the Please enter the NTP Server Hostname or IP Address (optional): prompt, enter the NTP server hostname or IP address.
If an NTP server is not available, press <Enter>. Then, at the Please enter the date and time for this KMA prompt, enter the date and time in one of the specified formats, or press <Enter> to use the displayed date and time.
Ensure the date and time are accurate. Key lifecycles are based on time intervals, and the original creation times for the keys are contained in the backup. An accurate time setting on the replacement KMA is essential to preserve the expected key lifecycles.
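Because key lifecycles depend on the clock set here, it is worth checking a manually entered value against the accepted patterns and normalizing it to UTC before committing it. The parser below is an added example, not part of OKM; it accepts exactly the six patterns listed in the prompt plus the fractional-seconds form of the displayed default, and the skew helper is an assumed convenience for comparing an entered value with a trusted reference time.

```python
import re
from datetime import datetime, timedelta, timezone

# Patterns the QuickStart prompt lists as valid: date, 'T' or space, time,
# optional fractional seconds (as in the displayed default), then Z, -0600
# or +02:00 style zone designators. A value with no zone is rejected.
_ISO = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[T ](\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?"
    r"(Z|[+-]\d{2}:?\d{2})$"
)


def parse_kma_time(text):
    """Parse an accepted KMA date/time string into an aware UTC datetime.

    Raises ValueError for anything outside the accepted patterns or for an
    impossible calendar value (for example month 13).
    """
    m = _ISO.match(text.strip())
    if not m:
        raise ValueError(f"not an accepted ISO 8601 pattern: {text!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int(frac.ljust(6, "0")) if frac else 0
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        digits = tz[1:].replace(":", "")
        offset = sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def is_accepted_time(text):
    """True if the string would be accepted at the date/time prompt."""
    try:
        parse_kma_time(text)
        return True
    except ValueError:
        return False


def clock_skew_seconds(entered, reference):
    """Signed difference in seconds between an entered value and a reference."""
    return (parse_kma_time(entered) - parse_kma_time(reference)).total_seconds()
```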
At the prompt, press <Enter>. The following information is displayed, indicating that initialization is complete.
Oracle Key Manager Version 3.0.0 (build2020) -- SO on Strathclyde
Serial Number 1251BD0E48
OpenBoot PROM Version OBP 4.34.3 2013/02/06 11:46
-------------------------------------------------------
KMA initialization complete!
You may now connect to the KMA via the Oracle Key Manager GUI in order to continue with Cluster configuration.
Press Enter to exit:
Press <Enter> to exit. The QuickStart program terminates and a login prompt is displayed.
Best Practice: Log in to the OKM Manager GUI as the temporary restore Security Officer user ID you established in Step 3.
Login as the Security Officer on the OKM Manager and select Backup List. From the Backup List screen, click the Restore button to upload and restore the backup to the KMA.
To complete the restore operation, the OKM Manager prompts for a Backup File that corresponds to the Backup Key file, a Backup Key file, and a Core Security backup file.
The Backup Key file and Backup file must match, but any Core Security Backup file can be used.
The OKM Manager then prompts for a quorum of Key Split users. These must be Key Split Credential users that were in effect when the Core Security Backup was performed.
Once the restore is complete, the Key Split Credentials that were in effect when the backup (not the Core Security Backup) was completed, will be restored.
Important – Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.
When the restore process is completed, a new Cluster is created.
Best Practice: Log in to the OKM Manager GUI using the original Security Officer user ID (the one that existed prior to the restore), and delete the temporary restore Security Officer user ID as a cleanup step. Refer to "Deleting Users".
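Both the Join Cluster steps and the restore steps above stress that Key Split verification fails with a non-specific error so that an attacker learns nothing about which name or passphrase was wrong. The following is an added illustrative model of that behaviour, not OKM code: the page does not describe how OKM stores or checks Key Split credentials, so the salted PBKDF2 store, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed credential store: name -> (salt, PBKDF2-SHA256 of passphrase).
ITERATIONS = 50_000
GENERIC_FAILURE = "Key Split credential verification failed"


def _derive(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def register_split_user(store, name, passphrase):
    """Add a Key Split user with a fresh random salt."""
    salt = os.urandom(16)
    store[name] = (salt, _derive(passphrase, salt))


def quorum_satisfied(store, submitted, threshold):
    """True only if at least `threshold` distinct submitted pairs are valid.

    Every pair is processed the same way: unknown names are checked against a
    dummy entry, the comparison is constant-time, and there is no early exit.
    The caller reports only GENERIC_FAILURE, so a wrong name and a wrong
    passphrase are indistinguishable to whoever typed them.
    """
    dummy_salt = b"\x00" * 16
    dummy = (dummy_salt, _derive("", dummy_salt))
    valid = set()
    for name, passphrase in submitted:
        salt, expected = store.get(name, dummy)
        matched = hmac.compare_digest(_derive(passphrase, salt), expected)
        if matched and name in store:
            valid.add(name)  # repeated entries for one user count once
    return len(valid) >= threshold


if __name__ == "__main__":
    # Constructed sample credentials, not values from the page.
    store = {}
    for n, p in [("ks1", "Pass-word-One1"), ("ks2", "Pass-word-Two2"), ("ks3", "Pass-word-Three3")]:
        register_split_user(store, n, p)
    attempt = [("ks1", "Pass-word-One1"), ("ks2", "wrong-passphrase")]
    print("quorum accepted" if quorum_satisfied(store, attempt, 2) else GENERIC_FAILURE)
```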
After you set up the KMA, you can add agents and enroll tape drives to use that KMA:
Log into the OKM Manager GUI as an Operator and create an agent (refer to "Creating an Agent").
Using the Virtual Operator Panel (VOP), perform the following operations. Refer to the VOP documentation if you do not know how to connect to and use the VOP.
Ask the service representative to license the tape drive(s) (refer to "License the Tape Drives" in chapter 3 of the OKM Installation and Service Manual). Use the Virtual Operator Panel (VOP) to perform this function.
With guidance from the service representative, enroll the tape drive(s) (refer to "Enroll the Tape Drives" in chapter 3 of the OKM Installation and Service Manual).
You must supply this information:
Is the drive going to be a permanently encrypting tape drive?
What is the agent ID, passphrase, and OKM IP address of the appliance?
Log into the OKM Manager GUI as a Compliance Officer, create at least one Key Group (refer to "Creating a Key Group"), and assign the tape drives (agents) to this Key Group (refer to "Assigning a Key Group to an Agent" and to "Enroll the Tape Drives" in the OKM Installation and Service Manual).
You must assign this Key Group as the default or the drive cannot write. If you do not specify a default, the drive is read-only for the assigned group(s).