4 Configuring the Cluster

Checklist for Configuring a Cluster

Use the following checklist to configure the cluster. Follow the procedures referenced and then return to this checklist for the next step.

Connect to a KMA

Note:

Before connecting to a KMA, at least one cluster profile must exist and a user must be created and enabled on the KMA. If you have not yet created a cluster, see "Create a Cluster Profile".

Available to:
All roles

Procedures: 

  1. From the System menu of OKM Manager, select Connect (or click Connect in the tool bar).

  2. In the Connect to Cluster dialog, enter the following:

    • User ID — the name of the user who will connect to the specified KMA. Or, if this is the first time that you are connecting to the KMA after the initial QuickStart process, enter the name of the Security Officer created during QuickStart.

    • Passphrase — the passphrase for the selected user.

    • Cluster Name — the cluster to connect to.

    • Member KMAs — the KMA to connect to within that cluster.

      If a KMA joined the cluster after you connected to that cluster, that KMA will not appear in the Member KMAs list. To update the list, enter the user name and passphrase, choose a cluster profile, and click Refresh KMAs.

    • IP Preference — IPv4 only, IPv6 only, or IPv6 preferred.

  3. Click Connect.

    If the connection is successful, the Status bar of the OKM Manager GUI displays the user name and alias, the KMA's connection status (Connected), and the KMA's IP address.

  4. You can now use the OKM Manager to perform various operations.

    Note:

    Depending on the role assignment, the tasks in the KMA Management Operations Tree pane differ.

Create a Cluster Profile

Note:

You only need to create a single cluster profile because it covers the entire cluster and can be used by any user (of the agent). Only create another cluster profile if you want to establish a second cluster or you have changed the IP addresses of all KMAs in the current cluster.

Available to:
All roles

Procedures: 

  1. From the System menu of OKM Manager, select Connect (or click Connect in the tool bar).

  2. In the Connect to Cluster dialog, click New Cluster Profile.

  3. Enter the following in the Create Cluster Profile dialog:

    • Cluster Name — a value that uniquely identifies the cluster profile

    • Initial IP Address or Host Name — the Service Network IP address or Host Name of the initial KMA in this cluster to connect to. Choosing which network to connect to depends on what network the computer system where the OKM Manager is running is connected to.

  4. Click OK.

Delete a Cluster Profile

Available to:
All roles

Procedures: 

  1. From the System menu of OKM Manager, select Connect (or click Connect in the tool bar).

  2. In the Connect to Cluster dialog, select the Cluster Name from the drop-down list. Click Delete Cluster Profile.

  3. Confirm that you want to delete the cluster by clicking Yes.

Review and Modify the Cluster Security Parameters

If you want to change any parameters, such as the FIPS Mode setting or the passphrase length, you should do so before configuring the cluster.

Note:

The Master Key Provider button is used only if you want the OKM cluster to obtain master keys from an IBM mainframe. The button is enabled only when the replication version of the OKM cluster is currently set to 11 or higher and the FIPS Mode Only value is "Off." See the OKM-ICSF Integration Guide for details.

Available to:
All roles (can view parameters)
Auditor (can view modify screen)
Security Officer (can modify)

Procedures: 

  1. In the left navigation, expand System Management, then expand Security, and then select Security Parameters. Review the parameters.

  2. To change a parameter, click Modify...

  3. Modify the security parameters, as required. When finished, click Save.

Security Parameter - Field Descriptions 

Retention-related Fields

For the following six Retention-related fields, there is just one audit log, and it resides in the largest file system in the KMA. The main reason for adjusting these parameters is to control how many audit log entries are returned in queries you issue from the Audit Event List menu (see "View and Export Audit Logs").

The KMA truncates (removes) old audit log entries based on the limit and lifetime of their retention term. For example, Short Term Audit Log entries are typically truncated more frequently than Medium Term Audit Log entries; Medium Term Audit Log entries are truncated more frequently than Long Term Audit Log entries.

  • Short Term Retention Audit Log Size Limit — Displays the number of Short Term Audit Log entries that are retained before they are truncated. The default is 10,000. The minimum value is 1000; maximum value is 1,000,000.

  • Short Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Short Term Audit Log entries are retained before they are truncated. The default is 7 days. The minimum value is 7 days; maximum value is 25,185 days (approximately 69 years).

  • Medium Term Retention Audit Log Size Limit — Displays the number of Medium Term Audit Log entries that are retained before they are truncated. The default is 100,000. The minimum value is 1000; maximum value is 1,000,000.

  • Medium Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Medium Term Audit Log entries are retained before they are truncated. The default is 90 days. The minimum value is 7 days; maximum value is 25,185 days.

  • Long Term Retention Audit Log Size Limit — Displays the number of Long Term Audit Log entries that are retained before they are truncated. The default is 1,000,000. The minimum value is 1000; maximum value is 1,000,000.

  • Long Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Long Term Audit Log entries are retained before they are truncated. The default is 730 days. The minimum value is 7 days; maximum value is 25,185 days.

Login Attempt Limit

Indicates the number of failed login attempts before an entity is disabled. The default is 5. The minimum value is 1; maximum value is 1000.

Passphrase Minimum Length

Displays the minimum length of the passphrase. The default is 8 characters. The minimum value is 8 characters; the maximum value is 64 characters.

Management Session Inactivity Timeout

Displays the maximum length of time (in minutes) an OKM Manager or Console login session can be left idle before being automatically logged out. Changing this value has no effect on sessions that are already in progress. The default is 15 minutes. The minimum value is 0, meaning no inactivity timeout is applied; the maximum value is 60 minutes.

FIPS Mode Only

Displays the setting that determines whether KMAs in this OKM cluster allow communications involving keys with entities outside the cluster in either non-FIPS or FIPS compliant modes, or in FIPS compliant modes only. In a FIPS compliant mode, KMAs wrap keys with an Advanced Encryption Standard (AES) Wrapping Key before sending them to agents (such as tape drives).

Customers who have tape drives should be running tape drive firmware that supports AES Key Wrap with the OKM agent service. All PKCS#11 providers that support OKM, as well as the OKM JCE provider, include support for AES Key Wrap.

You can confirm whether your agents support AES Key Wrap by viewing the OKM audit log and noting that these agents are using the agent service operations listed below. Specify an audit filter for Operation and choose any of the following specific operations from the menu:

  • Create Key v2

  • Retrieve Key v2

  • Retrieve Keys v2

  • Retrieve Protect and Process Key v2

Any audit events in the resulting list confirm that the specified agent is using AES key wrap with the OKM cluster.
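As an added illustration (not from the OKM documentation), the check described above can be run over an exported audit log instead of by eye: the script below reads a constructed sample export, confirms which agents have used one of the four v2 operations, and lists agents seen only with non-v2 key operations, which is the set to review before setting FIPS Mode Only to "On". The CSV column names and the non-v2 operation names are assumptions made for this example.

```python
# Added example, not from the OKM documentation: scan an exported OKM audit
# log for the v2 agent service operations listed above and report which
# agents have demonstrated AES Key Wrap. The CSV column layout and the
# non-v2 operation names are ASSUMPTIONS for illustration; adapt them to
# your actual export.
import csv
import io

# The four agent service operations named in the documentation.
AES_KEY_WRAP_OPERATIONS = {
    "Create Key v2",
    "Retrieve Key v2",
    "Retrieve Keys v2",
    "Retrieve Protect and Process Key v2",
}

# Constructed sample export (not real OKM output); column names are assumed.
SAMPLE_AUDIT_CSV = """\
Created Date,Operation,Entity ID,Entity Network Address,Condition
2024-01-05 10:01:22,Retrieve Key v2,drive-lib1-01,10.0.5.11,Success
2024-01-05 10:02:03,Retrieve Key,drive-lib1-02,10.0.5.12,Success
2024-01-05 10:02:40,Create Key v2,drive-lib1-01,10.0.5.11,Success
2024-01-05 10:03:15,Retrieve Keys,drive-lib1-03,10.0.5.13,Success
2024-01-05 10:04:50,Retrieve Protect and Process Key v2,dbserver-01,10.0.6.20,Success
2024-01-05 10:05:10,Retrieve Key v2,drive-lib1-02,10.0.5.12,Success
"""

def classify_agents(csv_text):
    """Return (wrap_capable, legacy_only) as sets of Entity IDs.

    wrap_capable: agents seen using at least one v2 (AES Key Wrap) operation.
    legacy_only: agents that only ever used non-v2 key operations; these are
    the ones whose requests would be refused once FIPS Mode Only is "On"."""
    seen_v2, seen_legacy = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        agent = row["Entity ID"]
        if row["Operation"] in AES_KEY_WRAP_OPERATIONS:
            seen_v2.add(agent)
        elif "Key" in row["Operation"]:  # any other key-related agent operation
            seen_legacy.add(agent)
    # an agent with both kinds of event has proven it supports key wrap
    return seen_v2, seen_legacy - seen_v2

if __name__ == "__main__":
    capable, legacy = classify_agents(SAMPLE_AUDIT_CSV)
    print("AES Key Wrap confirmed:", sorted(capable))
    print("Review before enabling FIPS Mode Only:", sorted(legacy))
```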

There are two possible values for this setting, "Off" and "On". If the current Replication Version is 8 or 9, this setting has a value of "Off" by default and cannot be modified. If the current Replication Version is 10 or higher, this value can be modified to either value.

If this value is set to "Off", the OKM cluster allows communications involving keys with entities outside the cluster in non-FIPS and FIPS compliant modes:

  • The OKM cluster accepts key requests from agents using both the old KMS 2.0.x protocol (that does not wrap keys) and the FIPS 2.1 protocol (that does wrap keys).

  • Keys from a KMS 1.x system may be imported into the OKM cluster.

  • The OKM cluster allows the export and import of "v2.0" or "v2.1 (FIPS)" format key transfer files.

Note:

If the current Replication Version is 8 or 9, there may be KMS 2.0.x KMAs in the cluster that will not be capable of supporting the FIPS protocols for agent and transfer partner communication. KMAs running KMS 2.1 or higher support the FIPS protocols for agent and transfer partner communication even when the current Replication Version is 8 or 9. In this case, exports to transfer partners will be done only in the "v2.0" format because the export format of transfer partners will be set to "Default".

If this value is set to "On", then the OKM cluster allows communications involving keys with entities outside the cluster only in FIPS compliant modes:

  • The OKM cluster accepts key requests from agents using only the FIPS 2.1 protocol.

  • Keys from a KMS 1.x system cannot be imported into the OKM cluster because the KMS 1.x key export file is not FIPS compliant.

  • The OKM cluster allows the export and import of "v2.1 (FIPS)" format key transfer files only.

Note:

For the keys in the OKM cluster to be FIPS compliant, all entities that receive keys from the cluster must handle the keys in a FIPS-compliant manner. Agents that receive keys must handle these keys in a FIPS-compliant manner when using them to process data. Key transfer partners that receive keys should also be operating with the FIPS Mode Only security parameter set to "On" in their cluster to ensure that exported keys maintain FIPS compliance. A key transfer partner can send and receive "v2.1 (FIPS)" format key transfer files with the FIPS Mode Only set to "Off".

See the Export Format parameter in "View the Transfer Partner List" for more information.

Pending Operation Credentials Lifetime

The amount of time (in days) that Key Split Credentials are retained as having approved a pending quorum operation. If an insufficient number of Key Split Credentials approve the pending quorum operation before this lifetime is reached, then these credentials expire. After they expire, Quorum Members must reapprove the pending quorum operation. The default is 2 days. This value is used only when the Replication Version is at least 11.
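To review a planned change to the parameters described in this section before clicking Save, the added example below (not part of the OKM documentation or product) checks proposed values against the documented default, minimum and maximum of each field and flags legal settings that a reviewer would want to justify. The dict layout and the Login Attempt Limit warning threshold are assumptions made for this example.

```python
# Added example (not from the OKM documentation): check a proposed set of OKM
# security parameters against the bounds documented above and flag in-range
# values that weaken session security or audit retention. The dict layout and
# the warning threshold for Login Attempt Limit are assumptions.

# name -> (default, minimum, maximum), as stated in the field descriptions
BOUNDS = {
    "Short Term Retention Audit Log Size Limit": (10_000, 1_000, 1_000_000),
    "Short Term Retention Audit Log Lifetime": (7, 7, 25_185),
    "Medium Term Retention Audit Log Size Limit": (100_000, 1_000, 1_000_000),
    "Medium Term Retention Audit Log Lifetime": (90, 7, 25_185),
    "Long Term Retention Audit Log Size Limit": (1_000_000, 1_000, 1_000_000),
    "Long Term Retention Audit Log Lifetime": (730, 7, 25_185),
    "Login Attempt Limit": (5, 1, 1_000),
    "Passphrase Minimum Length": (8, 8, 64),
    "Management Session Inactivity Timeout": (15, 0, 60),
}

def check_parameters(proposed):
    """Validate a dict of parameter name -> integer value; return (errors, warnings).
    Errors are values outside the documented range; warnings are legal values a
    reviewer should justify. Unlisted parameters keep their documented defaults."""
    errors, warnings = [], []
    effective = {name: spec[0] for name, spec in BOUNDS.items()}
    for name, value in proposed.items():
        if name not in BOUNDS:
            errors.append(f"unknown parameter: {name}")
            continue
        _, lo, hi = BOUNDS[name]
        if not lo <= value <= hi:
            errors.append(f"{name}={value} is outside [{lo}, {hi}]")
        effective[name] = value
    # 0 means no inactivity timeout at all, so idle GUI/Console sessions persist
    if effective["Management Session Inactivity Timeout"] == 0:
        warnings.append("Management Session Inactivity Timeout is 0 (idle sessions never expire)")
    # 10 is an assumed local policy threshold, not an OKM-defined limit
    if effective["Login Attempt Limit"] > 10:
        warnings.append("Login Attempt Limit above 10 weakens lockout protection")
    # the text says short-term entries are truncated before medium, then long-term
    lifetimes = [effective[f"{t} Term Retention Audit Log Lifetime"]
                 for t in ("Short", "Medium", "Long")]
    if lifetimes != sorted(lifetimes):
        warnings.append("audit log lifetimes are not ordered short <= medium <= long")
    return errors, warnings
```

Call `check_parameters({...})` with the fields you intend to change; an empty dict returns no errors and no warnings because the documented defaults pass every check.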

Enroll Agents

After you have configured the cluster, you are ready to enroll agents to use it. When you enroll an agent, you provide its Agent ID, its passphrase, and a network address (IP address or host name) of one of the KMAs. The encryption endpoint associated with this agent can then use this OKM cluster. The procedure to enroll an agent is determined by the type of encryption endpoint associated with it:

Tape Drives

Use the Virtual Operator Panel (VOP) to connect to a tape drive and then to enroll the agent associated with it (see the VOP documentation for instructions). With guidance from your Oracle service representative, enroll each tape drive agent. Oracle personnel can refer to the OKM Installation and Service Manual for more information.

Oracle Database Servers

Agents associated with Oracle Database servers are enrolled when these Oracle Database servers are configured to use OKM (see Appendix D).

Oracle Solaris ZFS Filesystems

Agents associated with Oracle Solaris ZFS filesystems are enrolled when these ZFS filesystems are configured to use OKM (see Appendix E).

Oracle ZFS Storage Appliances

Agents associated with Oracle ZFS Storage Appliances are enrolled when these ZFS Storage Appliances are configured to use OKM. This procedure is described in Oracle ZFS Storage Appliances documentation.

Java Applications that use the OKM JCE Provider

Agents associated with Java applications that use the OKM JCE Provider are enrolled when the OKM JCE Provider is configured to use OKM. This procedure is described in the OKM JCE Provider documentation.