3 Configuring a KMA with QuickStart

The KMA QuickStart is a wizard that guides you through configuring a factory-default KMA. After you have configured a KMA, you cannot run the QuickStart program again unless you reset the KMA to its factory-default state ("Reset the KMA to the Factory Default").

Note:

An Oracle service representative can also run the QuickStart program, but since the program establishes critical security parameters, Oracle recommends that customers run it themselves, according to their corporate security policies.

Launch the KMA QuickStart Program

The KMA QuickStart program launches from the server Lights Out Manager, which is the interface to the KMA Service Processor. Depending on your KMA server model, the Lights Out Manager is either an Integrated Lights Out Manager (ILOM) or Embedded Lights Out Manager (ELOM). See Table 3-1 for details.

There are three ways to launch the QuickStart, one per Lights Out Manager interface; each is described in its own launch procedure below:

Note:

Popup blockers can prevent Windows from launching the QuickStart. Disable any popup blockers before beginning. If the window appears, but a console window does not, the Web browser or Java version is incompatible with the Service Processor. Upgrade to the latest versions of the browser and Java. See Table 3-2.

Accessing the Lights Out Manager Interfaces

During KMA installation, your Oracle Service Representative assigns a unique IP address to the KMA Service Processor. To access the server Lights Out Manager, you connect to this IP address on the KMA Management Network (NET MGT).

The Lights Out Manager can also be accessed by physically connecting a terminal to the SER MGT port on the KMA, but this is typically only done by an Oracle Service Representative during KMA installation or service.

Table 3-1 provides details about the Lights Out Manager interfaces available for each KMA server model.

Table 3-1 Lights Out Manager Interface for Each KMA Server Model

KMA Server Model                          Lights Out Manager Interface
----------------------------------------  ----------------------------
SPARC T7-1, Netra SPARC T4-1              ILOM, Web or CLI
Sun Fire X4170 M2                         ILOM, Web only
Sun Fire X2100 M2, Sun Fire X2200 M2      ELOM, Web only


Table 3-2 Supported ELOM Compatible Web Browsers and Java Versions

Client Operating System      Supported Web Browsers                 Java Runtime Environment
                                                                    (including Java Web Start)
---------------------------  -------------------------------------  -------------------------------------------------
Microsoft Windows XP         Internet Explorer 6.0 and later        JRE 1.5 (Footnote 1) (Java 5.0 Update 7 or later)
                             Mozilla 1.7.5 or later
                             Mozilla Firefox 1.0
Microsoft Windows 2003       Internet Explorer 6.0 and later        JRE 1.5 (Footnote 1) (Java 5.0 Update 7 or later)
                             Mozilla 1.7.5 or later
                             Mozilla Firefox 1.0
Microsoft Windows Vista      Internet Explorer 6.0 and later        JRE 1.5 (Footnote 1) (Java 5.0 Update 7 or later)
                             Mozilla 1.7.5 or later
                             Mozilla Firefox 1.0
Red Hat Linux 3.0 and 4.0    Mozilla 1.7.5 or later                 NA
                             Mozilla Firefox 1.0
Solaris 9, 10, 11            Mozilla 1.7.5                          NA
SUSE Linux 9.2


Footnote 1 You can download the Java 1.5 runtime environment at: http://java.com. The current version of the ELOM guide is available at: http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6588-14/819-6588-14.pdf.

For ILOM Web interface browser requirements, see the Oracle ILOM Administrator's Guide for Configuration and Maintenance.

See Appendix F "Service Processor Procedures" for additional procedures to configure and upgrade the ELOM and ILOM.

See the following documents for details about the ILOM or ELOM for your KMA.

  • Oracle ILOM Administrator's Guide for Configuration and Maintenance

  • Oracle ILOM 3.1 Configuration and Maintenance Guide

  • Embedded Lights Out Manager Administration Guide

Launch the QuickStart from the ILOM Web Interface

  1. Using a workstation on the KMA Management Network, launch a web browser.

  2. Connect to the KMA ILOM using the IP address of the KMA Service Processor. This IP address was assigned by your Oracle Service Representative at installation.

    Because the certificate in the ILOM does not match the Service Processor IP address, the web browser displays one or more certificate warnings.

  3. Click OK or Yes to bypass the certificate warnings.

  4. Log in as the system root user.

  5. In the Navigation Bar, select Host Management, then select Power Control.

  6. If the KMA host is powered off, power it on (from the Settings drop-down, select Power On, and then click Save).

  7. In the Navigation Bar, select Remote Control, then select Redirection.

  8. Select Use serial redirection, then click Launch Remote Console.

  9. In the dialog box, select Open with Java(TM) Web Start Launcher and click OK to open the Remote Host Console Java applet. Accept any warnings that may be displayed.

  10. In the dialog box, click Run to start the Remote Host Console. Accept any warnings that may be displayed.

  11. Monitor the startup messages that appear in the Remote Host Console, including the status of the hardware security module.

    Console unavailable while KMA Maintenance is in progress...
    
  12. Once the KMA startup completes, the KMA QuickStart program automatically launches and guides you through the initial KMA configuration. See "Review QuickStart Program Information and Set Keyboard Layout".

Launch the QuickStart from the ILOM CLI

This procedure applies to KMAs on SPARC T7-1 and Netra SPARC T4-1 servers.

  1. Using a workstation on the KMA Management Network (NET MGT), establish a Secure Shell (SSH) connection to the KMA Service Processor.

    $ ssh SP_ipaddress
    

    where SP_ipaddress is the IP address of the KMA Service Processor. This was assigned by your Oracle Service Representative at installation.

  2. Log in using the system root account and password.

  3. Display the power status of the KMA.

    -> show /System power_state
    
  4. If the KMA host is powered off, power it on.

    -> start /System
    
  5. Start the Remote Host Console.

    -> start /Host/console
    
  6. Monitor the startup messages that appear in the Remote Host Console, including the status of the hardware security module.

    Console unavailable while KMA Maintenance is in progress...
    
  7. Once the KMA startup completes, the KMA QuickStart program automatically launches and guides you through the initial KMA configuration. See "Review QuickStart Program Information and Set Keyboard Layout".

Launch the QuickStart from the ELOM Web Interface

This procedure applies to KMAs based on Sun Fire X2100 M2 and X2200 M2 servers.

  1. Using a workstation on the OKM Management Network (NET MGT), launch a web browser.

  2. Connect to the KMA ELOM using the IP address of the KMA Service Processor. This IP address was assigned by your Oracle Service Representative at installation.

    Because the certificate in the ELOM does not match the Service Processor IP address, the web browser displays one or more certificate warnings.

  3. Click OK or Yes to bypass the certificate warnings.

  4. Log in as the system root user.

  5. Select the System Monitoring tab and view the host power setting.

  6. If the KMA host is powered off, use the following steps to power it on.

    1. Select the Remote Control tab, then the Remote Power Control tab.

    2. In the Power Control menu, select Power On, then click Save.

  7. Select the Remote Control tab, then the Redirection tab. Click Launch Redirection.

  8. In the dialog box, select Open with Java(TM) Web Start Launcher and click OK to open the Remote Host Console Java applet. Accept any warnings that may be displayed.

  9. In the Run this application dialog box, click Run to start the Remote Host Console. Accept any warnings that may be displayed.

  10. Monitor the startup messages that appear in the Remote Host Console, including the status of the hardware security module.

    Console unavailable while KMA Maintenance is in progress...
    
  11. Once the KMA startup completes, the KMA QuickStart program automatically launches and guides you through the initial KMA configuration. See "Review QuickStart Program Information and Set Keyboard Layout".


Review QuickStart Program Information and Set Keyboard Layout

Note:

If you press Ctrl-c anytime during the QuickStart program, no changes are saved and you return to the Welcome screen.

This procedure assumes you have completed the startup of QuickStart. If not, see "Launch the KMA QuickStart Program"

  1. Review the instructions on the QuickStart Welcome screen and press Enter.

  2. On Sun Fire-based KMAs, specify the keyboard layout you want to use.

Configuring the Network in QuickStart

These procedures assume you have completed the prior steps in the QuickStart. If not, see "Launch the KMA QuickStart Program".

QuickStart Network Configuration Task 1: Set KMA Management IP Addresses

  1. Type either n or y to configure IPv6.

  2. Type either n or y to use DHCP for the IPv4 interface.

    Note:

    If you elect to use DHCP, any host name information provided by the DHCP server is ignored. Any DNS information provided by the DHCP server is presented in "QuickStart Network Configuration Task 5: Set DNS Configuration (Optional)".

  3. Type the Management Network IP address and press Enter.

  4. Type the Subnet Mask address (for example 255.255.254.0) and press Enter.

QuickStart Network Configuration Task 2: Enable Technical Support Account

  1. If you type y to configure the support account, see "Enable the Technical Support Account" for more information. The Technical Support account can assist in troubleshooting network configurations.

  2. If you have enabled the Technical Support account, QuickStart will disable it after you complete "QuickStart Network Configuration Task 5: Set DNS Configuration (Optional)".

QuickStart Network Configuration Task 3: Set the KMA Service IP Addresses

  1. Type either n or y to configure IPv6.

  2. Type either n or y to use DHCP for the IPv4 interface.

  3. Type the Service Network IP address and press Enter.

  4. Type the Subnet Mask address (for example 255.255.254.0) and press Enter.

QuickStart Network Configuration Task 4: Modify Gateway Settings

  1. Enter 1 to display the next gateway setting or 2 to return to the previous gateway setting. For example:

       # Destination       Gateway          Netmask            IF
    ---- ----------------- ---------------- -------------------- --
       1 default           10.172.181.254   0.0.0.0             M
       2 default           10.172.181.21    0.0.0.0             M
       3 default           192.168.1.119    0.0.0.0             S
       4 10.0.0.0          10.172.180.25    255.255.254.0       M
    *  5 10.172.180.0      10.172.180.39    255.255.254.0       M
    ...
    
  2. At the Please choose one of the following: prompt, type 1, 2, 3, or 4 and press Enter.

    (1)  Add a gateway
    (2)  Remove a configured gateway (only if modifiable)
    (3)  Exit gateway configuration
    (4)  Display again
    

QuickStart Network Configuration Task 5: Set DNS Configuration (Optional)

Note:

If you chose to use DHCP on the management network in "QuickStart Network Configuration Task 1: Set KMA Management IP Addresses", the KMA displays any DNS settings from a DHCP server on the management network. You can enter information to override these DNS settings.

  1. When prompted, enter the DNS domain name.

  2. When prompted, enter the DNS server IP address. You can enter up to three addresses.

  3. Press Enter, without specifying an IP address, to finish.

QuickStart Network Configuration Task 6: Set Acceptable TLS versions

When prompted, select the TLS versions to enable:

(1) TLSv1.0 and higher
(2) TLSv1.1 and higher
(3) TLSv1.2 and higher

By default, a KMA accepts connections using TLSv1.0, TLSv1.1 or TLSv1.2. TLSv1.0 is no longer considered secure, but if you have KMAs in the cluster running OKM versions prior to OKM 3.1.0, or you have Agents (such as tape drives) that cannot connect using later versions of TLS, you may need to leave all versions of TLS enabled.

OpenSSL 0.9.x and 1.0.0 do not support TLS v1.2. If you configure a KMA to accept only connections that use TLS v1.2, the KMA will not accept connections from an OKM GUI or CLI that uses OpenSSL 0.9.x or 1.0.0. You should plan on installing the latest OKM GUI and CLIs if migrating to OKM 3.3.2.

Table 3-3 Tape Drive TLS Compatibility

Tape Drive Type                         Supported Version of TLS
--------------------------------------  ------------------------
StorageTek T10000 and 9840              v1.0
IBM LTO with Belisarius 4.x             v1.0
IBM LTO with Belisarius 5.x or LKM      v1.2
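To turn the compatibility rules above into a decision before you reach Task 6, here is an added Python planning example (not OKM's own code) that picks the strongest option every known peer can still meet and lists what keeps the cluster below option 3; the inventory layout, drive type labels and function names are this example's assumptions.

```python
"""Plan the QuickStart 'Acceptable TLS versions' choice (option 1, 2 or 3).

Added example, not OKM code: it encodes only the compatibility rules stated
on this page. Inventory layout and function names are assumptions.
"""
from typing import Dict, List, Tuple

# QuickStart menu: option number -> lowest TLS version the KMA will accept.
OPTIONS = {1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}
RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2}

# Table 3-3: highest TLS version each tape drive type can negotiate
# (labels are this example's own shorthand for the table rows).
DRIVE_TLS = {
    "StorageTek T10000": "TLSv1.0",
    "StorageTek 9840": "TLSv1.0",
    "IBM LTO (Belisarius 4.x)": "TLSv1.0",
    "IBM LTO (Belisarius 5.x)": "TLSv1.2",
    "IBM LTO (LKM)": "TLSv1.2",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.1' -> (3, 1, 0); letters such as the 'g' in '1.0.1g' are ignored."""
    nums = []
    for part in text.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def kma_max_tls(okm_version: str) -> str:
    """Cluster members below OKM 3.1.0 can only be reached over TLSv1.0."""
    return "TLSv1.0" if parse_version(okm_version) < (3, 1, 0) else "TLSv1.2"


def client_max_tls(openssl_version: str) -> str:
    """OKM GUI/CLI builds on OpenSSL 0.9.x or 1.0.0 cannot use TLS 1.2
    (TLS 1.1 and 1.2 both arrived in OpenSSL 1.0.1)."""
    return "TLSv1.0" if parse_version(openssl_version) < (1, 0, 1) else "TLSv1.2"


def plan_tls_option(inventory: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """Return (option, blockers) for an inventory with keys 'kmas' (OKM
    versions), 'drives' (Table 3-3 types) and 'clients' (OpenSSL versions
    behind each OKM GUI/CLI). The option is the strongest minimum that every
    peer can still meet; blockers name the peers that keep it below option 3,
    with the remedy this page gives for each.
    """
    for drive in inventory.get("drives", []):
        if drive not in DRIVE_TLS:
            raise ValueError(f"unknown tape drive type: {drive}")
    checks = (
        [(f"KMA on OKM {v}", kma_max_tls(v), "upgrade it to OKM 3.1 or later")
         for v in inventory.get("kmas", [])]
        + [(d, DRIVE_TLS[d], "leave TLSv1.0 enabled while it is in use")
           for d in inventory.get("drives", [])]
        + [(f"OKM GUI/CLI on OpenSSL {v}", client_max_tls(v),
            "install the latest OKM GUI and CLI")
           for v in inventory.get("clients", [])]
    )
    ceiling, blockers = "TLSv1.2", []
    for name, max_tls, remedy in checks:
        if RANK[max_tls] < RANK["TLSv1.2"]:
            blockers.append(f"{name} tops out at {max_tls}: {remedy}")
        if RANK[max_tls] < RANK[ceiling]:
            ceiling = max_tls
    option = next(o for o, v in OPTIONS.items() if v == ceiling)
    return option, blockers


def demo() -> Tuple[int, List[str]]:
    """Constructed sample fleet: one old KMA and one old drive force option 1."""
    inventory = {
        "kmas": ["3.3.2", "3.0.2"],
        "drives": ["IBM LTO (LKM)", "StorageTek T10000"],
        "clients": ["1.0.2k"],
    }
    return plan_tls_option(inventory)


if __name__ == "__main__":
    option, blockers = demo()
    print(f"Select option {option} ({OPTIONS[option]} and higher)")
    for line in blockers:
        print(" -", line)
```

Once every blocker in the report has been upgraded or retired, rerun the plan and expect option 3.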


Name the KMA

Each KMA must have a unique name within the cluster.

IMPORTANT:

A KMA Name cannot be altered once you set it using the QuickStart program. It can only be changed by resetting the KMA to the factory default and running QuickStart again.

This KMA name is used as the host name for the KMA.

This procedure assumes you have completed the prior steps in the QuickStart. If not, see "Launch the KMA QuickStart Program".

  1. At the prompt, type a unique identifier for the KMA. Press Enter.

  2. Make your selection as follows:

Create a New Cluster with QuickStart

These procedures assume you have completed the prior steps in the QuickStart. If not, see "Launch the KMA QuickStart Program".

Create New Cluster Task 1: Enter Key Split Credentials

Key Split Credentials user IDs and passphrases should be entered by the individual who owns that user ID and passphrase. Using one person to collect and enter this information defeats the purpose of having the Key Split Credentials.

If it is impractical for all members of the Key Split Credentials to enter this information at this time, enter a simple set of credentials now, and then enter the full credentials later in the OKM Manager. However, doing this creates a security risk. If a Core Security backup is created with simple Key Split Credentials, it can then be used to restore a backup.

  1. To access the following prompts of the QuickStart, make sure you have entered 3 in the last step of "Name the KMA".

  2. Type the key splits to generate (1 to 10) and press Enter.

  3. Type the number of required keys splits to obtain a quorum and press Enter.

  4. Type the user name for the first Key Split user and press Enter.

  5. Type the passphrase and press Enter. Re-enter the passphrase and press Enter.

  6. Repeat until all user names and passphrases have been entered for the selected Key Split size.

    Note:

    The Key Split user names and passphrases are independent of other user accounts that are established for KMA administration. Oracle recommends that key split user names be different from KMA user names.
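As an added illustration of why a quorum of credential holders, rather than any single one, controls the protected secret, here is a Shamir secret-sharing example in Python; it is teaching code, not OKM's implementation (the page does not describe OKM's internal key split scheme), and PRIME, the 1 to 10 bounds and the function names are this example's own assumptions.

```python
"""k-of-n split knowledge, the idea behind a Key Split Credentials quorum.

Added teaching example using Shamir secret sharing over a prime field. Not
OKM's implementation; the bounds below only mirror the QuickStart prompts.
"""
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2**127 - 1 (assumption; any prime above the secret works).
PRIME = (1 << 127) - 1

Share = Tuple[int, int]  # (x, y): share number and polynomial value at x


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n_splits: int, quorum: int) -> List[Share]:
    """Split `secret` into n_splits shares; any `quorum` of them recover it."""
    if not 1 <= n_splits <= 10:
        raise ValueError("number of key splits must be 1 to 10")
    if not 1 <= quorum <= n_splits:
        raise ValueError("quorum must be 1 to the number of key splits")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # Random polynomial of degree quorum-1 whose constant term is the secret;
    # each holder gets one point on it, and quorum-1 points say nothing.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_splits + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.

    With fewer than `quorum` shares, or one wrong share, the result is simply
    a wrong value with no hint as to which share was missing or bad: the same
    'no feedback' property the page notes for Key Split entry.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share numbers")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(n_splits: int = 5, quorum: int = 3) -> Dict[str, bool]:
    """Constructed sample: five holders, any three of them form a quorum."""
    secret = secrets.randbelow(PRIME)
    shares = split_secret(secret, n_splits, quorum)
    tampered = [(shares[0][0], (shares[0][1] + 1) % PRIME)] + shares[1:quorum]
    return {
        "quorum_recovers": recover_secret(shares[:quorum]) == secret,
        "other_quorum_recovers": recover_secret(shares[-quorum:]) == secret,
        "below_quorum_fails": recover_secret(shares[:quorum - 1]) != secret,
        "tampered_share_fails": recover_secret(tampered) != secret,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```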

Create New Cluster Task 2: Enter Initial Security Officer User Credentials

When prompted, create the initial Security Officer user (used to logon to the KMA using the OKM Manager). Enter the Security Officer's username and passphrase.

Note:

All KMAs have their own passphrases that are independent of passphrases assigned to users and agents. The first KMA in a cluster is assigned a random passphrase. If this KMA's certificate expires, and you want to retrieve its entity certificate from another KMA in the cluster, you would have to use the OKM Manager to set the passphrase to a known value. For procedures, refer to "Set a KMA Passphrase".

Create New Cluster Task 3: Specify Autonomous Unlocking Preference

When prompted, type y (to enable) or n (to disable), then press Enter.

Autonomous unlocking allows the KMA to become fully operational after a reset without requiring the entry of a quorum of passphrases. You can change this option from the OKM Manager at a later time.

Caution:

While enabling autonomous unlocking is more convenient and increases the availability of the OKM cluster, it creates security risks.

When autonomous unlocking is enabled, a powered-off KMA must retain sufficient information to start up fully and begin decrypting stored keys. This means a stolen KMA can be powered up, and an attacker can begin extracting keys from it. While extracting keys is not easy, a knowledgeable attacker will be able to dump all keys off the KMA. No cryptographic attacks are needed.

If autonomous unlocking is disabled, cryptographic attacks are required to extract keys from a stolen KMA.

Create New Cluster Task 4: Set the Key Pool Size

At the prompt, enter the key pool size. The value you enter sets the initial size of the pool of keys that the new KMA generates and maintains.

Each KMA generates and maintains a pool of preoperational keys, which must be backed up or replicated before the KMA passes them to an agent.

Create New Cluster Task 5: Select Certificate Signature Algorithm

When prompted, enter 1 for SHA256 (default) or 2 for SHA1.

If you are deploying encryption endpoints that do not support SHA2, select SHA1. Otherwise, use SHA256.

A Root CA certificate is generated when the cluster is first initialized. This Root CA certificate is used to generate certificates for KMA, user, and agent entities. The Root CA certificate and the entity certificates can be X.509v3 certificates signed using the SHA-256 hashing algorithm, or they can be X.509v1 certificates signed using the SHA-1 hashing algorithm.

Create New Cluster Task 6: Synchronize the KMA time

KMAs in a cluster must keep their clocks synchronized. Internally, all KMAs use UTC time (Coordinated Universal Time). You can also use the OKM Manager to adjust date and time settings to local time.

  1. When prompted, optionally enter the NTP server host name or IP address.

    Note:

    You can provide an IPv6 address for this NTP server. This IPv6 address must not include square brackets or a prefix length.

  2. If an NTP server is not available, press Enter. Then, enter the date and time in one of the specified formats, or press Enter to use the displayed date and time.

  3. At the prompt, press Enter. KMA initialization is complete.

  4. Press Enter to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Log into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.

  5. Your next step is to use OKM Manager to connect to and configure the cluster. For procedures, refer to "Configuring the Cluster".

Join an Existing Cluster

You should add a new KMA to the cluster during times of light loads. When you add a new KMA to an existing OKM cluster, the OKM cluster begins to propagate cluster information to the new KMA. It takes time for the cluster to finish circulating this information to the new KMA, and as a result, the cluster becomes busy during this time period.

OKM 3.3.2 introduces more restrictions when joining a new KMA into an OKM cluster. An OKM 3.3.2 KMA cannot be added to an existing OKM cluster with KMAs running a version below OKM 3.1. Assess the types of KMAs in your OKM cluster and the OKM releases they run:

  • Netra SPARC T4 KMAs running OKM 3.0.x must be upgraded to OKM 3.1 or later.

  • Sun Fire X4170 M2 KMAs running OKM 3.0.2 must be upgraded to OKM 3.1 or later.

  • Sun Fire X2x00 M2 KMAs do not support OKM 3.1 and later releases. These KMAs should be replaced with SPARC KMAs.

If all KMAs are running OKM 3.1 or later, proceed through QuickStart:

  1. To access the following prompts of the QuickStart, make sure you have entered 2 in the last step of "Name the KMA".

  2. Before you add a KMA to the cluster, the replication version must be set to the highest value supported by all KMAs in the cluster. Refer to "Switch the Replication Version".

  3. Before this new KMA can communicate with an existing KMA in the cluster, the Security Officer must first log in to the OKM cluster using the OKM Manager and create an entry for this KMA in the existing KMA's database. For procedures, refer to "Create a KMA". The KMA Name specified in the KMA initialization process (see "Name the KMA") must match the KMA name you enter when you create the KMA.

  4. At the QuickStart prompt, type the network address of one KMA in the existing cluster, and then press Enter.

  5. At the prompt, type the passphrase for the KMA and press Enter.

  6. Enter the required number of Key Split user names and passwords.

    Note:

    Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.

  7. Once you have entered enough Key Split user names and passphrases to form a quorum, enter a blank name to finish.

  8. Consider accelerating initial updates to the new KMA. Review "Accelerating Updates to the New KMA in a Cluster" before typing y at the prompt.

  9. You will see This KMA has joined the Cluster. Press Enter to exit. The QuickStart program terminates and a login prompt is displayed (refer to "Log into the KMA"). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.

  10. Your next step is to use the OKM Manager to connect to and configure the cluster. For procedures, refer to "Configuring the Cluster".

  11. The OKM cluster begins to propagate information to the newly added KMA. This causes the new KMA to be very busy until it has caught up with the existing KMAs in the cluster. The other KMAs are also busy. You can observe this activity from the OKM Manager by viewing the KMAs as described by "View a List of KMAs".

  12. Observe the Replication Lag Size value of the new KMA. Initially, this value is high. Periodically refresh the information displayed in this panel by pulling down the View menu and selecting Refresh or by pressing the F5 key. Once the Replication Lag Size value of this KMA drops to a similar value of other KMAs in the cluster, then you can unlock the KMA as described by "Lock/Unlock the KMA".

  13. The KMA remains locked after it has been added to the cluster. Wait until the KMA has been synchronized (that is, until it has "caught up" with other KMAs in the cluster) before you unlock it. Do not add another KMA to the cluster until you unlock the just-added KMA.

Accelerating Updates to the New KMA in a Cluster

If the cluster's replication version is at least 12, consider accelerating initial updates to the new KMA, as described in "Join an Existing Cluster". If you choose to use this feature, perform an OKM backup on a peer KMA (preferably one in the same Site as the new KMA) before adding the new KMA to the cluster. Also, ensure that the peer KMA on which you created a backup is currently responding on the network. These steps help the new KMA find a cached backup to download and apply.

The KMA you specified identifies another KMA that has the largest cached backup in this cluster, downloads that backup, and then applies it to its local database. This process is equivalent to replicating the data but at a much faster rate. Informational messages appear during this process.

For example:

Waiting 10 seconds for the join to propagate to Peer KMAs...
Querying Peer KMAs to find the active ones...
Querying active Peer KMAs to find cached backup sizes...
Peer KMA at IP Address 10.172.180.39 has a cached backup size of 729136 bytes.
Downloading the cached backup from this Peer KMA...
Downloaded the cached backup from this Peer KMA.
Initialized the Key Store.
Performed maintenance on the Key Store.
Applying the cached backup to the local database...
.......................................................
Applied the cached backup to the local database.
Successfully accelerated initial updates on this KMA.

Later, the newly joined KMA automatically replicates any data that is not in the backup.

If an error occurs during this process, QuickStart displays the above prompt again (in case the error is due to a temporary condition). QuickStart also displays the above prompt again if the KMA cannot find a peer KMA that has a cached backup.

However, if more than 5 minutes has elapsed since the first time the above prompt was displayed, then QuickStart displays the following message and no longer displays the above prompt:

Failed to accelerate initial updates on this KMA after 300 seconds.
This KMA will gradually be updated with information from other KMAs.

Restore a Cluster from a Backup

These procedures assume you have completed the prior steps in the QuickStart. If not, see "Launch the KMA QuickStart Program".

To access the following steps of the QuickStart, you must enter 3 in the last step of "Name the KMA".

This option allows you to create a Security Officer account that can be used to restore the backup image to the KMA using the OKM Manager. You can use a backup to restore a KMA's configuration in the event a KMA experiences a failure (for example, hard disk damage). This, however, is not typically required since a KMA that is restored to the factory default state can readily join an existing cluster and build up its database by receiving replication updates from cluster peers. Restoring a KMA from a backup is still useful in the event that all KMAs in a cluster have failed.

Note:

You first must create a backup. For procedures on creating backups using the OKM Manager, refer to "Create a Database Backup".

Oracle recommends you specify a new Security Officer name that did not exist in the OKM cluster when the last backup was performed.

If you specify an existing Security Officer name and provide a different passphrase, the old passphrase is overwritten. If you specify an existing Security Officer name and other roles were added to that user before the last backup was performed, these other roles are no longer assigned to this User.

Restore a Cluster Task 1: Create Security Officer and Provide Quorum Login

  1. To access the following prompts of the QuickStart, make sure you have entered 3 in the last step of "Name the KMA".

  2. At the prompt, enter the Security Officer's user name and password.

    Best Practice:

    Enter a temporary restore Security Officer user ID (for example, RestoreSO) instead of the Security Officer user ID that existed before the restore.

  3. (Optional) At the prompt, provide the quorum login user ID and password.

    If you choose to define initial quorum user credentials in QuickStart, you can enter a quorum login name and passphrase at this time so that the restore operation from the OKM Manager GUI (Step 1) is pended. Quorum members can then use this login and passphrase later to log in to the OKM Manager GUI and enter their credentials to approve the restore (see "Restore a Backup").

    If you do not enter a quorum login user ID here, the only user that exists at the end of QuickStart is the Security Officer created in Step 2. In this case, all Key Split Credentials must be entered at once for the restore to occur (Step 3).

Restore a Cluster Task 2: Set Time Information

  1. If an NTP server is available in your network environment, at the prompt, enter the NTP server host name or IP address.

  2. If an NTP server is not available, press Enter. Then, enter the date and time in one of the specified formats, or press Enter to use the displayed date and time.

    Ensure the date and time are accurate. Key lifecycles are based on time intervals, and the original creation times for the keys are contained in the backup. An accurate time setting on the replacement KMA is essential to preserve the expected key lifecycles.

  3. Once you see KMA initialization complete!, press Enter to exit. The QuickStart program terminates and a login prompt is displayed.

Restore a Cluster Task 3: Restore the Backup using OKM Manager

  1. Best Practice: Log in to the OKM Manager GUI as the temporary restore Security Officer user ID you established in Task 1 above.

  2. Select Backup List. Click Restore to upload and restore the backup to the KMA.

  3. Provide the location of the backup, backup key file, and Core Security backup file. The backup key file and backup file must match, but any Core Security Backup file can be used.

  4. Enter the Key Split Credentials. These must be Key Split Credential users that were in effect when the Core Security Backup was performed.

    Once the restore is complete, the Key Split Credentials that were in effect when the backup (not the Core Security Backup) was completed, will be restored.

    Note:

    Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.

  5. When the restore process is completed, a new cluster is created.

    Best Practice: Log in to the OKM Manager GUI using the original Security Officer user ID (the one that existed before the restore), and delete the temporary restore Security Officer user ID as a cleanup step. Refer to "Delete a User".