12 Using the OKM Console

OKM Console Overview

The OKM Console is a text-based terminal interface used to configure basic functions of the KMA. You can access the OKM Console from the ILOM or ELOM Remote Host Console.

Note:

You can also access the OKM Console by physically connecting a terminal to the SER MGT port on the KMA, but this is typically only done by an Oracle Service Representative during KMA installation or service.

The operating system automatically launches the OKM Console when the KMA starts up. The console cannot be terminated by a user. Depending on the roles that a user is assigned, the options in the OKM Console differ.

Before you can log in to the OKM Console, the user account must already exist in the OKM Manager. Log in to the OKM Console with the same user name and passphrase that authenticates you to the OKM.

Note:

Only the first Security Officer account is created when the QuickStart program is launched.

Log into the KMA

After the KMA starts up, it displays the following information:

Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle Key Manager Version 3.3.2 (build2068) – examplekma
------------------------------------------------------------
Please enter your User ID:
  1. Type your user name and press Enter.

  2. Type your passphrase and press Enter.

    The options on the OKM Console differ depending on the role(s) assigned to the user (see "User Role Menu Options"). The menu shows the version of the KMA and the logged-on user.

User Role Menu Options

Menu options vary depending on the role assigned to the user.

Operator Menu Options

Menu Option                          Procedure
Reboot KMA                           "Restart the KMA"
Shutdown KMA                         "Shut Down the KMA"
Technical Support                    "Disable the Technical Support Account"
Primary Administrator                "Disable the Primary Administrator"
Set Keyboard Layout (Footnote 1)     "Set the Keyboard Layout"
Show cluster Root CA Certificate     "Show Properties of the Root CA Certificate"
Logout                               "Log Out of Current OKM Console Session"

Footnote 1: Appears only on Sun Fire KMAs.

Security Officer Menu Options

Menu Option                          Procedure
Log KMA Back into Cluster            "Log the KMA Back into the Cluster"
Set User's Passphrase                "Set a User's Passphrase"
Set KMA Management IP Addresses      "Set the KMA Management IP Addresses"
Set KMA Service IP Addresses         "Set the KMA Service IP Addresses"
Modify Gateway Settings              "View, Add, and Delete Gateways"
Set Acceptable TLS Versions          "Set Acceptable TLS Versions"
Set DNS Settings                     "Specify the DNS Settings"
Reset to factory Default State       "Reset the KMA to the Factory Default"
Technical Support                    "Disable the Technical Support Account"
                                     "Enable the Technical Support Account"
Primary Administrator                "Disable the Primary Administrator"
                                     "Enable the Primary Administrator"
Set Keyboard Layout (Footnote 1)     "Set the Keyboard Layout"
Show cluster Root CA Certificate     "Show Properties of the Root CA Certificate"
Renew Root CA Certificate            "Renew the Root CA Certificate"
Logout                               "Log Out of Current OKM Console Session"

Footnote 1: Appears only on Sun Fire KMAs.

Combined Operator and Security Officer Menu Options

If the user has both Operator and Security Officer roles, the menu options are combined:

Menu Option                          Procedure
Log KMA Back into Cluster            "Log the KMA Back into the Cluster"
Set User's Passphrase                "Set a User's Passphrase"
Set KMA Management IP Addresses      "Set the KMA Management IP Addresses"
Set KMA Service IP Addresses         "Set the KMA Service IP Addresses"
Modify Gateway Settings              "View, Add, and Delete Gateways"
Set Acceptable TLS Versions          "Set Acceptable TLS Versions"
Set DNS Settings                     "Specify the DNS Settings"
Reset to factory Default State       "Reset the KMA to the Factory Default"
Reboot KMA                           "Restart the KMA"
Shutdown KMA                         "Shut Down the KMA"
Technical Support                    "Disable the Technical Support Account"
                                     "Enable the Technical Support Account"
Primary Administrator                "Disable the Primary Administrator"
                                     "Enable the Primary Administrator"
Set Keyboard Layout (Footnote 1)     "Set the Keyboard Layout"
Show cluster Root CA Certificate     "Show Properties of the Root CA Certificate"
Renew Root CA Certificate            "Renew the Root CA Certificate"
Logout                               "Log Out of Current OKM Console Session"

Footnote 1: Appears only on Sun Fire KMAs.

Menu Options for Other Roles

All other roles (Backup Operator, Compliance Officer, Auditor, and Quorum Member) have a menu similar to the following:

Menu Option                          Procedure
Set Keyboard Layout (Footnote 1)     "Set the Keyboard Layout"
Show cluster Root CA Certificate     "Show Properties of the Root CA Certificate"
Logout                               "Log Out of Current OKM Console Session"

Footnote 1: Appears only on Sun Fire KMAs.

OKM Console Functions

The following sections provide procedures for the OKM console functions. For a list of available functions for each user role, see "User Role Menu Options".

Restart the KMA

The Reboot KMA option stops and restarts the KMA and operating system. Use this function for troubleshooting purposes only.

Available to:
Operator

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Reboot KMA, and then press Enter.

  2. At the prompt, type y and press Enter.

    The current OKM Console session terminates as the KMA begins to restart. After the KMA restarts, the OKM Console login prompt displays.

Shut Down the KMA

The Shutdown KMA option stops all services on the KMA and then powers the KMA off.

Note:

If the KMA has been shut down for at least a few hours and the Autonomous Unlock option is enabled, lock the KMA before restarting the KMA. After recent updates have been propagated to this KMA, as shown by the Replication Lag Size in the KMA List panel, unlock the KMA. Refer to the following topics for detailed information: "Enable or Disable Autonomous Unlock Option", "Lock/Unlock the KMA", and "View a List of KMAs".

Available to:
Operator

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Shutdown KMA, and then press Enter.

  2. When prompted, type y and press Enter. When the shutdown finishes, the console displays:

    syncing files... done
    
  3. The KMA is now powered off. You can power on the KMA using either the power button or the remote power control function in the service processor.

Enable the Technical Support Account

By default, both the Technical Support account and SSH access are disabled. Enabling the support account and SSH access is a SECURITY RISK. Disable the support account unless it is required for troubleshooting purposes. To disable, see "Disable the Technical Support Account".

If you enable the technical support account and then log into the KMA using this account, the KMA will automatically disconnect the SSH session after 10 minutes of inactivity.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Technical Support. Press Enter.

  2. When prompted to enable the support account, type y and press Enter.

  3. To confirm the change, type y and press Enter.

  4. Carefully read the information about the SSH host keys.

  5. When prompted to regenerate the SSH host keys, type y and press Enter.

  6. Record and store the SSH host keys somewhere secure.

  7. Enter a passphrase. See the passphrase requirements below.

  8. Enter the maximum number of days the passphrase is valid.

Technical Support Account Passphrase Requirements:

Beginning with OKM 3.3.2, password policies for the technical support account have changed for added security and compliance with the Solaris 11 Security Technical Implementation Guide (STIG), Release: 13. These changes include:

  • Minimum length of 15 characters

  • Must include at least one special character

  • Must include at least one numeric character

  • Cannot contain dictionary words 3 characters or longer

  • When changing the support account password after it has expired, the new password must differ from the previous password by at least 8 characters.

If you provide an invalid support account password, QuickStart and the OKM Console display a message describing why this password is rejected. You have three more attempts to provide a valid password and each attempt has a 30-second timeout.
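Because each rejected passphrase costs one of the few attempts the console allows, it is worth checking a candidate against the rules above before typing it in. The following is an added example written for this page, not Oracle code: it implements the five listed rules in Python. The word list is a constructed stand-in (the KMA's actual dictionary is not published here), and the reading of "differ by at least 8 characters" as "at least 8 characters of the new passphrase that do not occur in the old one" is an assumption.

```python
"""Pre-check a Technical Support account passphrase against the OKM 3.3.2 rules.
Added example, not Oracle code.  The dictionary below is a constructed sample;
the KMA's real word list may reject more than this check does."""
import string
from collections import Counter

# Constructed sample dictionary (stand-in for the KMA's actual word list).
SAMPLE_DICTIONARY = {"support", "oracle", "password", "admin", "key", "manager", "tape"}

MIN_LENGTH = 15
MIN_DIFFERENT_CHARS = 8
SPECIAL = set(string.punctuation)


def contains_dictionary_word(passphrase, dictionary, min_word_len=3):
    """True if any dictionary word of min_word_len or more characters occurs
    inside the passphrase (case-insensitive substring match)."""
    lowered = passphrase.lower()
    return any(len(w) >= min_word_len and w.lower() in lowered for w in dictionary)


def chars_differing(new, old):
    """Assumed interpretation of 'differs by at least 8 characters': the number
    of characters in the new passphrase that do not occur in the old one,
    counted as a multiset difference."""
    return sum((Counter(new) - Counter(old)).values())


def check_support_passphrase(passphrase, previous=None, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations; an empty list means the candidate
    satisfies every rule this example implements."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in SPECIAL for c in passphrase):
        problems.append("no special character")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no numeric character")
    if contains_dictionary_word(passphrase, dictionary):
        problems.append("contains a dictionary word of 3 or more characters")
    # The 8-character difference rule applies only when replacing an expired passphrase.
    if previous is not None and chars_differing(passphrase, previous) < MIN_DIFFERENT_CHARS:
        problems.append(f"differs from the previous passphrase by fewer than "
                        f"{MIN_DIFFERENT_CHARS} characters")
    return problems


if __name__ == "__main__":
    for candidate in ("oracle123", "Gz7!qvm#Rt2@xwLp"):
        print(candidate, "->", check_support_passphrase(candidate) or "ok")
```

Run it with the candidate before entering it on the console; a non-empty list names the rule that the KMA would most likely reject it on.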

Disable the Technical Support Account

Available to:
Operator (if Technical Support is already enabled)
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Technical Support, and then press Enter.

  2. When prompted to disable the support account, type y and press Enter.

  3. When prompted to confirm the change, type y and press Enter.

    The SSH service automatically stops.

Enable the Primary Administrator

Caution:

The Primary Administrator function allows someone logged in as Technical Support to gain Primary Administrator access, which is equivalent to root access. Because only Oracle Support knows the Primary Administrator passphrase, only Oracle Support can gain this access. Although dangerous, it may be necessary in some situations to recover the system from a problem; you may need direct guidance from back-line support or engineering.

Available to:
Security Officer

Procedures: 

  1. To enable Primary Administrator access, you must first enable the Technical Support account (see "Enable the Technical Support Account").

  2. At the Please enter your choice: prompt on the main menu, select Primary Administrator. Press Enter.

  3. When prompted to enable the privileges, type y and press Enter.

  4. When prompted to confirm the change, type y and press Enter.

Disable the Primary Administrator

Disabling Primary Administrator access takes place immediately. If someone is connected as a Primary Administrator, and then this access is disabled, the next command they attempt will fail.

Available to:
Operator (if Primary Administrator is already enabled)
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Primary Administrator. Press Enter.

  2. When prompted to disable the account, type y and press Enter.

  3. When prompted to confirm the change, type y and press Enter.

Log the KMA Back into the Cluster

Log KMA Back into Cluster logs the KMA back into the cluster after its passphrase has been changed.

Note:

If the KMA has been logged out of the cluster for at least a few hours, then lock the KMA before logging the KMA back into the cluster. After recent updates have been propagated to this KMA, as shown by the Replication Lag Size in the KMA List panel, unlock the KMA. Refer to the following topics for detailed information: "Lock/Unlock the KMA", and "View a List of KMAs".

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Log KMA Back into Cluster and press Enter.

  2. At the prompt, type the IP address or host name of another KMA in the cluster and press Enter.

  3. At the prompt for a passphrase, type the passphrase of the KMA (see "Set a KMA Passphrase") and press Enter.

  4. Enter the required Key Split user names and passphrases.

    Note:

    The Security Officer needs to know how many Key Split users to enter (the Key Split Threshold). The Key Split Configuration, including Key Split user names and the Key Split Threshold, appears in the OKM Manager. See "Modify the Key Split Configuration".
  5. To end the key split user authorization, leave the user name blank and press Enter.

  6. When prompted, type y and press Enter.

Set a User's Passphrase

Set User's Passphrase allows a Security Officer to set the passphrase for any user, including the Security Officer.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set User's Passphrase and press Enter.

  2. At the prompt, type the name of the user and press Enter.

  3. At the prompt, type the passphrase and press Enter.

  4. Re-enter the same passphrase, and press Enter.

  5. If you changed the passphrase of a user other than yourself, a quorum is required: enter the Key Split user names and passphrases, up to the Key Split Threshold.

    Note:

    The Security Officer needs to know how many Key Split users to enter (the Key Split Threshold). The Key Split names were established during QuickStart for the first KMA in the OKM Manager Modify Key Split Credentials function (refer to "Modify the Key Split Configuration").
  6. To end the key split user authorization, leave the user name blank and press Enter.

    Note:

    If you do not enter a sufficient quorum of Key Split credentials, the Setting a User's Passphrase process becomes a pending quorum operation. See "View Pending Operations" for more information.
  7. Press Enter to return to the main menu.

Set the KMA Management IP Addresses

Set KMA Management IP Addresses modifies the IP address settings for the management network interface of the KMA. These settings are defined initially in the QuickStart program (see "Configuring the Network in QuickStart"), and can be changed here.

After you change these settings, this KMA propagates information about these changes to the other KMAs in the cluster.

Caution:

Use this function carefully. KMAs communicate with each other using their management network interface. Changing the IP address settings for the management network interface of a KMA can affect the network connectivity between the KMA and other KMAs.

For example, you have two KMAs not currently communicating with each other (possibly due to a network outage or a change in the network environment). If you change the management IP addresses on both of them, they might not be able to communicate with each other after the network is repaired. In this case, try changing the passphrase of one of these KMAs and then use the procedure for "Log the KMA Back into the Cluster".

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set KMA Management IP Addresses and press Enter.

    This displays the current KMA Management IP address settings. The IPv6 address fields are blank when the KMA is not configured to use IPv6 addresses.

  2. Type either n or y at the Do you want to configure the Management Network interface to have an IPv6 address prompt.

  3. Type either n or y at the Do you want to use DHCP to configure the Management Network IPv4 interface prompt. If you type n, go to Step 4. If you type y, go to Step 6.

  4. At the prompt, type the Management Network IP address and press Enter.

  5. At the Please enter the Management Network Subnet Mask: prompt, type the subnet mask address, (for example 255.255.254.0) and press Enter.

  6. Type y at the Are you sure that you want to commit these changes? [y/n]: prompt.

Set the KMA Service IP Addresses

Set KMA Service IP Addresses modifies the IP address settings for the service network interface of the KMA. These settings are defined initially in the QuickStart program (see "Configuring the Network in QuickStart"), and can be changed here.

In a multi-site cluster where tape drives are deployed as OKM agents, the service network interfaces of KMAs in a particular site are typically configured to support network connectivity with tape drives at that site.

Caution:

This function should be used carefully. KMAs typically communicate with tape drives at the local site using their service network interface over a private service network. This means that changing the IP address settings for the service network interface of this KMA can affect the network connectivity between this KMA and the tape drives.

Tape drives do not receive updated IP information immediately after you update the service IP addresses on a KMA; they typically receive the updated IP information when a tape cartridge is mounted.

Consider the example where tape jobs run only at night and you change the service IP addresses of all of the local KMAs during the day. In this case, the tape drives might not be able to communicate with the KMAs. If this happens, the drives must be re-enrolled with the OKM cluster. To avoid this, you should change service IP addresses on one KMA at a time and then wait for the tape drives to receive this change before proceeding to the next KMA.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set KMA Service IP Addresses and press Enter.

    This displays the current KMA Service IP address settings. The IPv6 address fields are blank when the KMA is not configured to use IPv6 addresses.

  2. Type either n or y at the Do you want to configure the Service Network interface to have an IPv6 address prompt.

  3. Type either n or y at the Do you want to use DHCP to configure the Service Network IPv4 interface prompt. If you type n, go to Step 4. If you type y, go to Step 6.

  4. At the prompt, type the Service Network IP address and press Enter.

  5. At the Please enter the Service Network Subnet Mask: prompt, type the subnet mask address, (for example 255.255.255.0) and press Enter.

  6. Type y at the Are you sure that you want to commit these changes? [y/n]: prompt.

View, Add, and Delete Gateways

Modify Gateway Settings shows the current gateway settings (five gateways to a page) on the Management (M) and Service (S) network interfaces and asks the user to add a gateway, remove a gateway, or accept the current gateway configuration.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Modify Gateway Settings and press Enter.

    Note:

    If at any time you press Ctrl+c, all changes are discarded and you return to the main menu.
  2. At the (1)Continue (2)Back prompt, type 1 to display the next few gateways or 2 to display the previous few gateways.

  3. When the last gateways are displayed, at the Please choose one of the following: prompt, select an option:

    1 (add gateway)
    2 (remove gateway)
    3 (exit)
    4 (display again)

    Press Enter.

Set Acceptable TLS Versions

By default, a KMA accepts connections using TLSv1.0, v1.1, or v1.2. TLSv1.0 is no longer considered secure (and TLSv1.1 has since been deprecated as well), but if you have KMAs in the cluster running OKM versions prior to 3.1.0, or Agents (such as tape drives) that do not support later versions of TLS, you may need to leave all versions of TLS enabled. Where every KMA and Agent supports it, choose TLSv1.2 and higher. See Table 3-3 for tape drive TLS compatibility.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set Acceptable TLS Versions and press Enter.

  2. Select the TLS versions to enable:

    1 (TLSv1.0 and higher)
    2 (TLSv1.1 and higher)
    3 (TLSv1.2 and higher)

    Press Enter.
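The console reports the choice you made but not what the KMA now negotiates on the wire, so a practitioner would confirm the setting from a client. The following is an added example, not Oracle code: it attempts one TLS handshake per version against a KMA's TLS port with the version pinned on both ends, then compares the outcome with the menu option chosen above. The host name and port are assumptions to replace with your KMA and the listener you want to check. Note that a client OpenSSL built without TLSv1.0/1.1 support will report those versions as rejected regardless of the KMA setting.

```python
"""Probe which TLS versions a KMA accepts and compare with the menu choice.
Added example, not Oracle code.  Host and port are placeholders."""
import socket
import ssl

# Menu choice -> versions the KMA should accept afterwards.
MENU = {
    1: {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    2: {"TLSv1.1", "TLSv1.2"},
    3: {"TLSv1.2"},
}

VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def probe_tls_versions(host, port, timeout=5.0):
    """Return {version_name: True if the server completed a handshake pinned to
    that version}.  Certificate verification is disabled on purpose: the
    question here is protocol negotiation, not trust in the KMA's certificate."""
    results = {}
    for name, version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # Let the local OpenSSL offer legacy versions it would otherwise refuse.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def policy_violations(observed, menu_choice):
    """Versions whose observed behaviour contradicts the chosen policy:
    'accepted' means the KMA allowed a version it should refuse,
    'rejected' means it refused a version the policy still permits."""
    expected = MENU[menu_choice]
    return {name: ("accepted" if ok else "rejected")
            for name, ok in observed.items()
            if ok != (name in expected)}


if __name__ == "__main__":
    # Placeholders: replace with the KMA host name and the TLS port you are checking.
    observed = probe_tls_versions("examplekma.example.com", 3331)
    print(observed)
    print(policy_violations(observed, 3) or "matches menu choice 3")
```

An empty result from policy_violations() means the KMA behaves as the chosen option specifies; a "rejected" entry for TLSv1.2 usually points at the client rather than the KMA.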

Specify the DNS Settings

Set DNS Settings shows the DNS settings, and prompts the user for a new DNS domain (if you want to configure one) and the DNS server IP addresses.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set DNS Settings and press Enter.

  2. Enter the DNS domain name at the Please enter the DNS Domain (blank to unconfigure DNS): prompt.

  3. Enter the DNS server IP address at the Please enter DNS Server IP address prompt. You can enter up to three IP addresses.

  4. Press Enter, without specifying an IP address, to finish.

Reset the KMA to the Factory Default

Reset to factory Default State removes the KMA from the cluster and returns it to its factory default state. The KMA is then ready to be added back into a cluster.

Caution:

Use this function carefully. Removing a KMA from the cluster can affect the performance load on other KMAs. If this KMA is the last one in the cluster, you should perform a backup before you reset this KMA to the factory default state.

Available to:
Security Officer

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Reset to factory Default State and press Enter.

  2. At the Type RESET to confirm prompt, type RESET and press Enter.

  3. Once the reset function completes, you are returned to QuickStart. See "Review QuickStart Program Information and Set Keyboard Layout".

Set the Keyboard Layout

Set Keyboard Layout selects the keyboard layout the KMA uses; the default is English, and a range of other language layouts is available.

Note:

The keyboard layout should be set to match the layout of the keyboard attached to the KMA so that the KMA correctly interprets key presses.

Available to:
All roles (but this option appears only on Sun Fire KMAs)

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Set Keyboard Layout and press Enter.

    A list of keyboard layouts displays.

  2. When prompted, enter the number corresponding to the keyboard layout you want to apply.

Show Properties of the Root CA Certificate

Show cluster Root CA Certificate displays the properties of the Root CA certificate for this cluster.

Available to:
All roles

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Show cluster Root CA Certificate properties and press Enter.

    Information about the Root CA certificate displays.

  2. Press Enter to return to the main menu.

Renew the Root CA Certificate

Renew Root CA Certificate renews the Root CA Certificate, signs it using the specified signature algorithm, and reissues certificates for itself and the other KMAs in the OKM Cluster. The renew updates credentials for all KMAs in the cluster, but does not automatically update or invalidate credentials for Agents and Users. This means that any already-enrolled Agents and Users can continue to communicate with this OKM cluster. If you changed the signature algorithm and X.509 certificate type during the renew, you may wish to re-enroll Agents and update User passwords so they begin using the new formats (see Task 4 and Task 5 of "Generating Certificates and Signing Using SHA-256").

If you change to SHA-256, the cluster uses an X.509v3 certificate for the CA and for all subsequently generated entity certificates. Otherwise, the certificate version remains X.509v1 for legacy compatibility.

Note:

Renewing the Root CA certificate impacts activity in this cluster and makes the current backups obsolete. Always plan the renew in advance.

Available to:
Security Officer

This menu option only appears with replication version 16 or later (see "Switch the Replication Version").

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, select Renew Root CA Certificate and press Enter.

  2. Enter 1 for SHA256 (default) or 2 for SHA1. If the encryption endpoints in this OKM environment do not support SHA-2, enter 2; otherwise, enter 1.

    See "SHA Compatibility" below for more information on endpoint compatibility.

  3. When prompted to confirm the renew, type y and press Enter.

  4. The following indicates the renew is complete and the OKM service has restarted:

    Root CA renew succeeded and OKM service has restarted. Please perform a backup as soon as possible.
    
  5. Press Enter to return to the main menu.

  6. Create a new backup (see "Create a Database Backup") and then destroy the older backups (see "Destroy a Backup").

  7. To display properties of the new Root CA Certificate, see "Show Properties of the Root CA Certificate".

SHA Compatibility

Most types of OKM encryption endpoints support SHA-2 hashing algorithms and X.509v3 certificates. You can enroll agents associated with these encryption endpoints in an OKM cluster where the Root CA certificate is an X.509v3 certificate that is signed using a SHA-2 hashing algorithm (such as SHA-256).

Some types of OKM encryption endpoints do not support SHA-2 hashing algorithms and X.509v3 certificates. You cannot enroll agents associated with these encryption endpoints in an OKM Cluster where the Root CA certificate is an X.509v3 certificate signed using a SHA-2 hashing algorithm (such as SHA-256). Instead, you must enroll the agents in an OKM Cluster where the Root CA certificate is an X.509v1 certificate signed using a SHA-1 hashing algorithm.

Encryption endpoints that have compatibility issues with SHA-2 certificates:

  • HP LTO4 tape drives

  • IBM LTO4/5/6/7 tape drives running Belisarius firmware version 4.x

All other encryption endpoints will work with SHA-2 certificates. Those specifically tested are:

  • HP LTO5/6 tape drives

  • IBM LTO4/5/6/7 tape drives running Belisarius firmware version 5.32.20

  • PKCS#11 applications that use the KMS PKCS#11 Provider on Oracle Solaris and Oracle Linux, including ZFS file systems on Oracle Solaris 11 servers and ZFS Storage Appliance.

  • Oracle Transparent Database Encryption (TDE) on Oracle Database servers

  • Java applications that use the OKM JCE Provider

The Oracle Enterprise Manager plug-in for OKM also works with SHA-256 certificates.
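The two properties that decide enrollment compatibility, as the sections "Show Properties of the Root CA Certificate" and "SHA Compatibility" above describe, are the certificate version (v1 or v3) and the signature hash family (SHA-1 or SHA-2). The following is an added example written for this page, not Oracle code: it reads exactly those two fields from a DER-encoded certificate without any third-party library and reports whether the SHA-1-only endpoints listed above could still enroll. It builds a constructed certificate prefix for its own self-check (not a real or signed certificate); to examine a real Root CA, feed it the PEM exported from the cluster or captured with ssl.get_server_certificate() from a KMA's TLS port.

```python
"""Read X.509 version and signature algorithm from a DER certificate and decide
whether SHA-1-only endpoints can enroll.  Added example, not Oracle code."""
import ssl

# Signature algorithm OIDs this example recognises (hash family is what matters).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

# Endpoints the page lists as unable to use SHA-2 / X.509v3 Root CA certificates.
SHA1_ONLY_ENDPOINTS = ("HP LTO4", "IBM LTO4/5/6/7 with Belisarius 4.x firmware")


def _read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(body):
    """OID content octets -> dotted string (base-128 arcs, first byte packs two)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def root_ca_properties(der):
    """Return (x509_version, signature_oid) from the start of a DER Certificate:
    Certificate { tbsCertificate { [0] version OPTIONAL, serialNumber, signature AlgId ... } }."""
    _, pos, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)                 # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(der, pos)
    version = 1                                     # absent [0] tag means v1
    if tag == 0xA0:                                 # explicit [0] version present
        _, vstart, _ = _read_tlv(der, start)        # INTEGER inside the [0] wrapper
        version = der[vstart] + 1                   # encoded value 2 means v3
        tag, start, end = _read_tlv(der, end)       # serialNumber INTEGER
    _, sigstart, _ = _read_tlv(der, end)            # signature AlgorithmIdentifier SEQUENCE
    _, oidstart, oidend = _read_tlv(der, sigstart)  # algorithm OID
    return version, _decode_oid(der[oidstart:oidend])


def enrollment_compatibility(der):
    """Summarise the Root CA properties and whether SHA-1-only endpoints can enroll."""
    version, oid = root_ca_properties(der)
    name, family = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return {"x509_version": version, "signature_algorithm": name, "hash_family": family,
            "sha1_only_endpoints_can_enroll": version == 1 and family == "SHA-1",
            "sha1_only_endpoints": SHA1_ONLY_ENDPOINTS}


def compatibility_from_pem(pem):
    """Same check starting from PEM text (e.g. ssl.get_server_certificate((host, port)))."""
    return enrollment_compatibility(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input for the self-check; not a real certificate ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate_prefix(version, sig_oid):
    """Constructed DER prefix holding only version, serial and signature AlgId."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) if version == 3 else b""
    tbs += _der(0x02, b"\x01")                                          # serialNumber 1
    tbs += _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # AlgId + NULL
    return _der(0x30, _der(0x30, tbs))
```

For a renewed SHA-256 Root CA the report shows version 3 and hash family SHA-2, which is exactly the combination under which the HP LTO4 and Belisarius 4.x drives above cannot enroll; a SHA-1 / v1 Root CA reports the opposite.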

Log Out of Current OKM Console Session

Available to:
All roles

Procedures: 

  1. At the Please enter your choice: prompt on the main menu, type 0 and press Enter.

  2. The current session terminates and the login prompt displays allowing the user to reenter the OKM Console.