14 Managing Certificates

Generating Certificates and Signing Using SHA-256

To generate new certificates and sign them using SHA-256, the OKM administrator must perform this procedure. (Customers who started production on OKM 3.3.1 already have SHA-256 signed certificates, so for them this procedure is necessary only if they want or need X.509v3 certificates.) The cluster must be running OKM 3.3.2 or later at replication version 16 or later.

Note:

Plan this procedure in advance. It impacts the entire cluster's KMAs, agents, and disaster recovery (obsoletes backups). If you have a lot of tape agents, use the Oracle Virtual Operator Panel 2.2 spreadsheet feature to automate the re-enrollment process and reduce downtime.

Generating Certificates Task 1: Renew the Root Certificate

  1. Choose the KMA that will renew the root CA certificate.

  2. Ensure that the replication version is at least 16 for the selected KMA. See "Check the Replication Version of the KMA". If the version is less than 16, switch the replication version to 16. See "Switch the Replication Version".

  3. Launch the OKM Console on the KMA that you will use to renew, and log into it as a Security Officer. Select the menu option to Renew the Root CA Certificate (see "Renew the Root CA Certificate").

Generating Certificates Task 2: Perform an OKM Backup

Perform a backup on the KMA you used to perform the renew operation in the previous task. Destroy all other backups in the cluster using the OKM Manager GUI, adding a note that they are obsolete due to the renew. This prevents those backups from accidentally being selected in a subsequent cluster join with replication acceleration.

  1. Launch the Oracle Key Manager GUI and log into this KMA as a Backup Operator.

  2. Navigate to the Backup List panel.

  3. Click Create Backup to generate a backup and download it to your workstation.

  4. For each previous backup, select it and then click Confirm Destruction. Enter a comment that the backup is obsolete due to a Root CA certificate renew.

Generating Certificates Task 3: Retrieve the New Root CA on Peer KMAs (optional)

The new certificates will automatically propagate to the other KMAs in the cluster. However, if a KMA has a large replication lag, you might want to retrieve the new Root CA Certificate and the certificate for this KMA right away instead of waiting for the certificates to propagate.

  1. Launch the OKM GUI and log into the KMA that you used for the backup.

  2. Navigate to the KMA List panel.

  3. Log this KMA out of the cluster by modifying the KMA passphrase. See "Set a KMA Passphrase".

  4. Launch the host console from the ILOM of this KMA.

  5. Log the KMA back into the cluster. See "Log the KMA Back into the Cluster".

Generating Certificates Task 4: Reissue Certificates for Agents (optional)

After renewing the Root CA certificate, agents will continue to use their existing credentials. The OKM administrator might decide to reissue certificates for the agents and then re-enroll them:

  1. Launch the Oracle Key Manager GUI and log into it as an Operator or a Compliance Officer.

  2. Navigate to the Agent List panel.

  3. For each agent:

    1. Bring up the Agent Details dialog (either double-click the agent entry or select an agent and click Details).

    2. Select the Passphrase tab and change the passphrase to the same value or to a different value if desired.

  4. Navigate to the KMA List panel.

  5. All agents will need to re-enroll into the OKM Cluster. See "Enroll Agents".

    If you have a lot of tape agents, use the VOP 2.2 spreadsheet feature to automate the re-enrollment process.

Generating Certificates Task 5: Update Users (optional)

After renewing the Root CA certificate, users will continue to use their existing credentials. The OKM administrator might decide to reissue certificates for the users by changing their passphrase (OKM users are automatically issued a new certificate when they successfully log in). See "Modify a User's Details and Set the User's Passphrase".

If there are OKM CLI users, download the new Root CA Certificate and new entity certificate for that user, as described in "Saving Certificates".

Generating Certificates Task 6: Update Disaster Recovery Records

If you perform disaster recovery procedures for your OKM deployment, you should update relevant records to reflect this activity.

  1. Update your site's disaster recovery (D/R) records to note that all previous backups will restore the cluster to utilize the former SHA1-based root CA certificate.

  2. Replicate the latest backup to D/R sites as soon as possible and in accordance with your site's D/R plans.

Ongoing Renewal Policy for the Root CA Certificate

You might choose to adopt a policy of renewing the Root CA certificate in your cluster on a regular basis. You can view the age of the current Root CA certificate from the OKM Console (see "Show Properties of the Root CA Certificate") or by downloading the Root CA certificate from the OKM Manager GUI to your workstation (see "Saving Certificates"). When you are ready, you can renew the Root CA certificate (see "Renew the Root CA Certificate").

Saving Certificates

This function allows you to export certificates that can be used by the OKM Command Line utility (refer to Chapter 13, "Command Line Utilities").

The Root CA Certificate is a public certificate saved in PEM format and can be used for Command Line Interface (CLI) operations as a PEM file.

The Client Certificate can be saved in either PEM format or PKCS#12 format. The PEM format contains the certificate and the unencrypted private key. A Client Certificate saved in this format can be used for CLI operations as a PEM file.

The PKCS#12 format is encrypted. A Client Certificate saved in this format must be converted to PEM format before being used for CLI operations (see "Convert PKCS#12 Format to PEM Format"). A password to use for encryption is required to save a Client Certificate in PKCS#12 format. This password must contain at least 8 characters.

Note:

You should store these certificate files in a secure location with sufficient permissions to restrict access by other users. If you save the Client Certificate in PKCS#12 format, then you must retain the password.

  1. From the System menu, select Save Certificates.

    Note:

    The Save Certificates menu option is enabled only if the user is connected to a KMA.

    The Save Certificates dialog box is displayed, with automatically-generated filenames for the Root CA Certificate and the Client Certificates.

    You can edit these filenames directly or click Browse to select a different destination path or edit the filenames.

  2. In the Format field, select the format that the Client Certificate should be in when it is exported.

  3. If you selected the PKCS#12 format, type a passphrase in the Passphrase field and retype this passphrase in the Confirm Passphrase field.

  4. Click OK to export these certificates. When these certificates have been exported, a message is displayed, indicating the locations of these files.

  5. You can use the openssl utility to view the contents of the downloaded certificate. For example:

    openssl x509 -text -noout -in ca.crt

Convert PKCS#12 Format to PEM Format

If you saved the Client Certificate in PKCS#12 format, then you must convert it to PEM format before you can use it with the OKM Command Line utility. Use the openssl utility to convert it.

The openssl utility appears in the directory where the OpenSSL distribution is installed on your workstation.

The syntax is:

openssl pkcs12 -in PKCS12file -out PEMfile -nodes

For example:

openssl pkcs12 -in KeyTransferOperator.p12 \
-out KeyTransferOperator.pem -nodes
Enter Import Password: 

The -nodes argument is necessary to export the private key. Because the exported private key is not password protected, protect this file accordingly (for example, by restricting its file permissions, as described in "Saving Certificates").

Note:

If required, the Import Password can be supplied on the command line using the -passin parameter instead of at the prompt.
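As an added example (not from the OKM documentation or the product itself), the following script carries out the PKCS#12-to-PEM conversion from this section and the openssl x509 inspection from "Saving Certificates" on locally constructed test material, then checks what an administrator would want to confirm before using the PEM file with the OKM CLI: the private key is unencrypted, the file permissions are restricted, the certificate chains to the Root CA, and it is SHA-256 signed. The CA name, the KeyTransferOperator identity and the password are constructed placeholders, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the OKM documentation: build throwaway test material, run the
# PKCS#12-to-PEM conversion described above, then check the result before it would be
# used with the OKM CLI. The CA, the client identity and the password are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"; CL_KEY="$WORK/client.key"
CL_CRT="$WORK/client.crt"; CSR="$WORK/client.csr"
P12="$WORK/KeyTransferOperator.p12"; PEM="$WORK/KeyTransferOperator.pem"
P12_PASS="ExamplePass12345"   # placeholder only; the GUI requires at least 8 characters

# Constructed test data: a SHA-256 signed Root CA and a client certificate issued by it,
# packed into PKCS#12 as the OKM "Save Certificates" dialog would export it.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
    -subj "/CN=Example OKM Root CA" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=KeyTransferOperator" \
    -keyout "$CL_KEY" -out "$CSR" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$CL_CRT" 2>/dev/null
  openssl pkcs12 -export -inkey "$CL_KEY" -in "$CL_CRT" -out "$P12" -passout "pass:$P12_PASS"
}

# The conversion from the page; -passin replaces the interactive "Enter Import Password:" prompt.
convert_p12_to_pem() {
  openssl pkcs12 -in "$P12" -out "$PEM" -nodes -passin "pass:$P12_PASS"
  chmod 600 "$PEM"   # -nodes leaves the private key unencrypted, so restrict who can read it
}

# Returns 0 only if the PEM file is in the state the OKM CLI expects and is safe to keep:
# unencrypted private key present, owner-only permissions, certificate chains to the
# Root CA, and the certificate signature algorithm is SHA-256 with RSA.
check_pem() {
  grep -q "BEGIN .*PRIVATE KEY" "$PEM" || return 1
  grep -q "ENCRYPTED PRIVATE KEY" "$PEM" && return 1
  mode=$(stat -c %a "$PEM" 2>/dev/null || stat -f %Lp "$PEM")
  [ "$mode" = "600" ] || return 1
  openssl x509 -in "$PEM" -out "$WORK/leaf.crt" 2>/dev/null   # first CERTIFICATE block only
  openssl verify -CAfile "$CA_CRT" "$WORK/leaf.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -q "Signature Algorithm: sha256WithRSAEncryption"
}

make_test_material
convert_p12_to_pem
if check_pem; then echo "$PEM is ready for OKM CLI use"; else echo "PEM check failed"; fi
```

Running the script against a real export means replacing the make_test_material step with the .p12 file saved from the GUI and the CA file with the downloaded Root CA Certificate.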