2 Configuring Host Systems

Configure host operating systems for Oracle Hierarchical Storage Manager and StorageTek QFS Software before proceeding further with installation and configuration. The chapter outlines the following tasks:

  • Configuring Oracle Solaris hosts for Oracle HSM

  • Configuring Linux hosts as Oracle HSM clients (if required)

  • Configuring a key manager for cloud data encryption (if required)

Configuring Oracle Solaris Hosts for Oracle HSM

To configure Solaris hosts for use with Oracle HSM software and QFS file systems, carry out the following tasks:

Install the Latest Operating System Updates

If possible, always install the latest patches and updates for the Solaris operating system. If you need to use the latest features available in Oracle Hierarchical Storage Manager and StorageTek QFS Software Release 6.1.4, you must have Oracle Solaris 11 operating system software installed on all Solaris hosts. For full information on the minimum recommended operating system releases for use with the software, consult the release notes and support.oracle.com.

For installation and update instructions for the chosen version of Solaris, consult the installation and administration documents in the corresponding customer documentation library, the Oracle Technical Network (OTN), and the knowledgebase on support.oracle.com. If you are new to the Image Packaging System (IPS), the following OTN articles may prove especially helpful:

Tune Solaris System and Driver Parameters for Anticipated File System I/O

End-to-end input/output (I/O) performance through a system is highest when the operating system, drivers, file systems, and applications transfer data in units that do not have to be fragmented and re-cached unnecessarily. So set up Solaris for the largest data transfers that your applications and file systems are likely to make. Proceed as follows:

  1. Log in to the Oracle HSM file-system host as root.

    root@solaris:~# 
    
  2. Make a backup copy of the /etc/system file, and then open /etc/system in a text editor.

    In the example, we use the vi editor.

    root@solaris:~# cp /etc/system /etc/system.backup
    root@solaris:~# vi /etc/system
    *ident  "%Z%%M% %I%     %E% SMI" /* SVR4 1.5 */
    * SYSTEM SPECIFICATION FILE
    ...
    
  3. In the /etc/system file, set maxphys, the size of the largest physical I/O request that any driver can process as a single unit, equal to the largest data transfers that your applications and file systems will make. Enter a line of the form set maxphys = 0xvalue, where value is a hexadecimal number representing a number of bytes. Then save the file and close the editor.

    Drivers break up requests that exceed maxphys into maxphys-sized fragments. The default value can vary depending on the operating system release, but it is typically around 128 kilobytes. In the example, we set maxphys to 0x800000 (8,388,608 bytes or 8 megabytes):

    root@solaris:~# vi /etc/system
    *ident  "%Z%%M% %I%     %E% SMI" /* SVR4 1.5 */
    * SYSTEM SPECIFICATION FILE
    ...
    set maxphys = 0x800000
    :wq
    root@solaris:~# 
    
  4. Open the /kernel/drv/sd.conf file in a text editor.

    In the example, we use the vi editor:

    root@solaris:~# vi /kernel/drv/sd.conf
    # Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved.
    name="sd" class="scsi" target=0 lun=0;
    name="sd" class="scsi" target=1 lun=0;
    ...
    # Associate the driver with devid resolution.
    ddi-devid-registrant=1;
    
  5. In the /kernel/drv/sd.conf file, set sd_max_xfer_size, the size of the largest data transfer that the SCSI disk (sd) driver can process, to the value that you set for maxphys. Enter a line of the form sd_max_xfer_size=0xvalue;, where value is a hexadecimal number representing a number of bytes. Save the file, and close the editor.

    The default is 0x100000 (1048576 bytes or one megabyte). In the example, we add a comment and set sd_max_xfer_size to 0x800000 (8,388,608 bytes or 8 megabytes):

    ...
    # Associate the driver with devid resolution.
    ddi-devid-registrant=1;
    # Set SCSI disk maximum transfer size
    sd_max_xfer_size=0x800000;
    :wq
    root@solaris:~# 
    
  6. Open the /kernel/drv/ssd.conf file in a text editor.

    In the example, we use the vi editor.

    root@solaris:~# vi /kernel/drv/ssd.conf
    # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
    # Use is subject to license terms.
    name="ssd" parent="sf" target=0;
    name="ssd" parent="fp" target=0;
    ...
    name="ssd" parent="ifp" target=127;
    
  7. In the /kernel/drv/ssd.conf file, set ssd_max_xfer_size, the size of the largest data transfer that the Fibre Channel disk (ssd) driver can process to the value that you set for maxphys. Enter a line of the form ssd_max_xfer_size=0xvalue;, where value is a hexadecimal number representing a number of bytes. Then save the file and close the editor.

    The default is 0x100000 (1048576 bytes or one megabyte). In the example, we add a comment and set ssd_max_xfer_size to 0x800000 (8,388,608 bytes or 8 megabytes):

    ...
    name="ssd" parent="ifp" target=127;
    # Set Fibre Channel disk maximum transfer size
    ssd_max_xfer_size=0x800000;
    :wq
    root@solaris:~# 
    
  8. Restart the system. Use the command init 6.

    root@solaris:~# init 6
    
  9. If you plan to use encryption with cloud storage, install the additional required software now.

  10. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  11. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  12. Otherwise, go to "Configuring Storage Hosts and Devices".
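The three settings above only work together when sd_max_xfer_size and ssd_max_xfer_size actually equal maxphys; if either driver limit is left at its 1 MB default, the driver still fragments every 8 MB request. The following script is an added example and is not part of the Oracle HSM documentation or software. It reads the three files (paths are parameters, so it can be run against copies or against the constructed sample files it writes itself), normalises the hexadecimal values, and reports any mismatch before you reboot. It assumes a POSIX sh and the exact line forms shown in the procedure (set maxphys = 0xNNN in /etc/system, sd_max_xfer_size=0xNNN; and ssd_max_xfer_size=0xNNN; in the driver .conf files).

```shell
#!/bin/sh
# Added example, not from the Oracle HSM documentation: confirm that maxphys,
# sd_max_xfer_size and ssd_max_xfer_size agree before the reboot in step 8.

# Print the value assigned to setting $2 in file $1 as a decimal number.
# Comment lines (leading * or #) are skipped, blanks and a trailing ";" are
# dropped, and an optional "set " prefix (/etc/system form) is removed.
# Returns 1 and prints nothing when the setting is absent (default applies).
get_setting() {
    file=$1; name=$2; found=''
    while IFS= read -r line; do
        case $line in
            '*'*|'#'*) continue ;;
        esac
        stripped=$(printf '%s' "$line" | tr -d ' \t;')
        stripped=${stripped#set}
        case $stripped in
            "$name="*) found=${stripped#"$name="} ;;   # last assignment wins
        esac
    done < "$file"
    [ -n "$found" ] && printf '%d\n' "$((found))"
}

# Return 0 when both driver limits equal maxphys, 1 otherwise, printing one
# diagnostic line per problem. Arguments: /etc/system, sd.conf, ssd.conf paths.
check_xfer_sizes() {
    system=$1; sdconf=$2; ssdconf=$3; rc=0
    maxphys=$(get_setting "$system" maxphys || echo '')
    sd=$(get_setting "$sdconf" sd_max_xfer_size || echo '')
    ssd=$(get_setting "$ssdconf" ssd_max_xfer_size || echo '')
    if [ -z "$maxphys" ]; then
        echo "maxphys is not set in $system (kernel default applies)"; return 1
    fi
    for pair in "sd_max_xfer_size:$sd" "ssd_max_xfer_size:$ssd"; do
        name=${pair%%:*}; val=${pair#*:}
        if [ -z "$val" ]; then
            echo "$name is not set (driver default 0x100000); expected $maxphys bytes"; rc=1
        elif [ "$val" -ne "$maxphys" ]; then
            echo "$name=$val bytes does not match maxphys=$maxphys bytes"; rc=1
        fi
    done
    return $rc
}

# Write constructed sample files (not real host files) to a temporary directory
# and print its path. Arguments: maxphys, sd_max_xfer_size, ssd_max_xfer_size (hex).
make_samples() {
    dir=$(mktemp -d)
    printf '* SYSTEM SPECIFICATION FILE\nset maxphys = %s\n' "$1" > "$dir/system"
    printf 'name="sd" class="scsi" target=0 lun=0;\nddi-devid-registrant=1;\n# Set SCSI disk maximum transfer size\nsd_max_xfer_size=%s;\n' "$2" > "$dir/sd.conf"
    printf 'name="ssd" parent="fp" target=0;\n# Set Fibre Channel disk maximum transfer size\nssd_max_xfer_size=%s;\n' "$3" > "$dir/ssd.conf"
    echo "$dir"
}

# Usage: "sh check_xfer.sh real" checks the live host files; with no argument
# the script exercises itself on constructed samples.
case ${1:-sample} in
    real)   check_xfer_sizes /etc/system /kernel/drv/sd.conf /kernel/drv/ssd.conf ;;
    sample) d=$(make_samples 0x800000 0x800000 0x800000)
            check_xfer_sizes "$d/system" "$d/sd.conf" "$d/ssd.conf" && echo "sample files agree"
            rm -rf "$d" ;;
esac
```

Run it with the argument real on the host after editing the files and before init 6; a non-zero exit means one of the driver limits would still fragment the transfers that maxphys allows.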

Enable Oracle HSM Cloud Libraries

Cloud libraries (equipment type cr) and cloud media volumes (media type cl) are the Oracle HSM interface to public and private storage clouds. Storage clouds are abstract, network services that provide an agreed level of service rather than a set of defined physical resources. Oracle HSM cloud libraries and media let you use cloud resources in the same way that you use a removable media library.

If you intend to make use of the Oracle HSM cloud library, carry out the following preliminary tasks:

  • Install Java Development Kit 7.

  • If you plan on using the cloud drive encryption feature, enable cloud encryption by installing cryptography software and configuring a key-management solution.

Install Java Development Kit 7

If you intend to make use of the Oracle HSM cloud library (cr) equipment type, you must install Java Development Kit 7 (JDK 7) on the Oracle HSM metadata server. JDK 7 is the most recent release of the software to include compatible, 32-bit executables. If you have an active Oracle support agreement, you can obtain the most recent version, updated with all current security enhancements.

To make sure that the required software is installed, carry out the tasks listed below:

  • Uninstall older versions of Java Development Kit 7 (older versions may not include the latest security updates).

  • Install the latest version of Java Development Kit 7 by using the Solaris Image Packaging System, by downloading the SVR4 packages and installing them with pkgadd, or by downloading the executables and copying them to the required location.

Uninstall Older Versions of Java Development Kit 7
  1. Log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  2. List the contents of the directory /usr/jdk/instances/, and see if the listing contains a directory named jdk1.7.0.

    In the example, the listing does include a JDK 7 directory:

    root@mds:~# ls /usr/jdk/instances
    jdk1.5.0 jdk1.6.0 jdk1.7.0 jdk1.8.0
    root@mds:~#
    
  3. If JDK 7 is already installed, uninstall it using the method that was used to install it. Use the IPS pkg uninstall command, use the SVR4 pkgrm command, or delete the installation directory with the rm -R /usr/jdk/instances/jdk1.7.0 command.

    In the example, we uninstall an earlier IPS installation:

    root@mds:~# pkg uninstall //solaris/developer/java/jdk-7
    ...
    root@mds:~#
    
  4. Now install JDK 7 by using Solaris IPS, by downloading and installing SVR4 packages, or by downloading and installing executables.

Install Java Development Kit 7 Using the Solaris Image Packaging System (IPS)

To install Java Development Kit 7 (JDK 7) using IPS, proceed as follows:

  1. If you have not already done so, log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  2. If you have already made the Oracle support repository the default Solaris 11 publisher, go to step 14 and install the JDK.

  3. Otherwise, check your Oracle support entitlements. Open a web browser window to the URL https://pkg-register.oracle.com.

  4. Log in to the page using your Oracle Single Sign On user name and password, just as you would on My Oracle Support (https://support.oracle.com).

    The Oracle SSO user name is usually an e-mail address registered with Oracle. Once you log in, you see a list of entitlements.

  5. Click the CERTIFICATE link in the upper-left part of the screen, just under the page-header bar.

    The link URL is https://pkg-register.oracle.com/register/certificate

  6. When the Your Certificate page appears, press the Download Key button to download the cryptographic key for the entitlement. Save the key file to a convenient working directory.

  7. While still on the Your Certificate page, press the Download Certificate button to download the certificate for the entitlement. Save the certificate file to your working directory.

  8. Click the REPOSITORIES link in the upper-left part of the screen, just under the page-header bar.

    The link URL is https://pkg-register.oracle.com/register/repos/

  9. Locate the Oracle Solaris 11 Support repository and press the corresponding Show Details button.

  10. Configure your local repository and install the certificate. Use the command:

    pkg set-publisher -k dir/pkg.oracle.com.key.pem \
    -c dir/pkg.oracle.com.certificate.pem \
    -G "*" -g https://pkg.oracle.com/solaris/support/ solaris
    
    where dir is the working directory where you downloaded the files.

    The packaging system creates copies of the key and certificate files and installs them in the required location. In the example, we have downloaded the files to the directory /root/mos/:

    root@mds:~# pkg set-publisher -k /root/mos/pkg.oracle.com.key.pem \
    -c /root/mos/pkg.oracle.com.certificate.pem -G "*" \
    -g https://pkg.oracle.com/solaris/support/ solaris
    
    Refreshing catalog 1/1 solaris 87.76 MB...
    root@mds:~#
    
  11. You can now delete the downloaded key and certificate files from the working directory.

    root@mds:~# rm /root/mos/*.pem
    root@mds:~#
    
  12. Check your IPS publisher settings, making sure that the configuration does not include mirrors. Use the command pkg publisher solaris.

    In the example, the string Mirror does not appear, so there are no mirrors:

    root@mds:~# pkg publisher solaris
    Publisher: solaris
    Alias:
    Origin URI: https://pkg.oracle.com/solaris/support/
    SSL Key: /var/pkg/ssl/57df...
    SSL Cert: /var/pkg/ssl/30d4...
    Cert. Effective Date: Thu Jun 08 22:12:19 2017
    Cert. Expiration Date: Sun Jun 16 22:12:19 2019
    Client UUID: f07e...
    Catalog Updated: Tue Jun 06 23:17:46 2017
    Enabled: Yes
    root@mds:~#
    
  13. If the pkg publisher solaris output lists mirrors, remove them. Use the command pkg set-publisher -M mirrorURL solaris, where mirrorURL is the URL of the mirror.

  14. Install the JDK 7 software. Use the command pkg install --accept //solaris/developer/java/jdk-7.

    The pkg install command installs JDK 7 in the /usr/jdk/instances/jdk1.7.0/ directory. The --accept switch indicates that you agree to the license. The string //solaris/developer/java/jdk-7 is the Solaris fault management resource identifier (FMRI) that identifies the package within the Solaris Image Packaging System.

    root@mds:~# pkg install --accept //solaris/developer/java/jdk-7
             Packages to install: 2 ...
    DOWNLOAD                        PKGS FILES    XFER (MB)  SPEED
    Completed                       2/2  655/655  43.8/43.8  2.4M/s
    PHASE                           ITEMS
    Installing new actions          738/738
    Updating package state database Done
    Updating package cache          0/0
    Updating image state            Done
    Creating fast lookup database   Done
    Updating package cache          1/1
    root@mds:~#
    
  15. If you intend to use the cloud drive encryption feature, enable encryption now.

  16. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  17. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  18. Otherwise, go to "Configuring Storage Hosts and Devices".

Download and Manually Install Java Development Kit 7 Executables
  1. If you have not already done so, log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  2. In a web browser, log in to My Oracle Support (https://support.oracle.com).

    You must have a support account.

  3. In a web browser tab or window, open the Information Center article "Installation & Configuration for Oracle Java SE" (Doc ID 1412103.2).

    The document can be found at the following URL:

    https://support.oracle.com/epmos/faces/DocContentDisplay?_afrLoop=493538228111468&id=1412103.2&_afrWindowMode=0&_adf.ctrl-state=l7bvnyv0r_29

  4. Scroll down the page to the section titled "Downloads (Latest JDK/JRE)", and click on the link corresponding to the latest JDK/JRE 7 build.

  5. When the page Patch 13079846: Oracle JDK 1.7.0 opens, use the Platform control to select the 32-bit software bundle for the Solaris platform that you use for your Oracle HSM metadata server.

    For example, applicable selections might be named Oracle Solaris on SPARC (32-bit) or Oracle Solaris on x86 (32-bit).

  6. Click the Download button.

  7. When the File Download panel appears, click the link to the patch archive (zip) file and save the file to your working directory.

    JDK 1.7 patch archive files are named pidnumber_17000_platform.zip, where:

    • idnumber is a string of numerals

    • platform is the operating system and hardware platform that you selected

    For example, the download file might be p13079846_17000_SOLARIS.zip for SPARC platforms or p13079846_17000_Solarisx86.zip for x86 platforms.

  8. If you require 64-bit JDK 7 executables for other uses, repeat this procedure, this time selecting the 64-bit software bundle for the Solaris platform that you use for your Oracle HSM metadata server.

  9. Next, install JDK 7, either by using SVR4 packages or by manually installing the executables.

  10. In the patch archive (.zip) file, locate the compressed tape archive file jdk-7ubuild-platform.tar.gz, where:

    • build is the build number

    • platform is the operating system and hardware platform that you selected

    For example, jdk-7u141-solaris-sparc.tar.gz would contain 32-bit SPARC executables, while jdk-7u141-solaris-i586.tar.gz would hold the equivalents for the x86 platform.

  11. Decompress the tape archive (.tar) file. Use the command gunzip jdk-7ubuild-platform.tar.gz.

    In the example, we extract Solaris SPARC packages for JDK 7 build 141:

    root@mds:~# gunzip jdk-7u141-solaris-sparc.tar.gz
    root@mds:~# ls
    jdk-7u141-solaris-sparc.tar
    
  12. Extract the directory that holds the executables, jdk1.7.0_build, from the decompressed tape archive (.tar) file into the working directory. Use the command tar -xf jdk-7ubuild-platform.tar.

    root@mds:~# tar -xf jdk-7u141-solaris-sparc.tar
    ...
    root@mds:~#
    
  13. If you require 64-bit JDK 7 executables for other uses, repeat this procedure, this time using the 64-bit software bundle for the Solaris platform that you use for your Oracle HSM metadata server.

  14. Move the directory that holds the executables, jdk1.7.0_build, to the JDK installation directory and rename it, omitting the build number string. Use the command mv jdk1.7.0_141 /usr/jdk/instances/jdk1.7.0.

    JDK 7 is now installed.

    root@mds:~# mv jdk1.7.0_141 /usr/jdk/instances/jdk1.7.0
    root@mds:~#
    
  15. If you intend to use the cloud drive encryption feature, enable encryption now.

  16. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  17. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  18. Otherwise, go to "Configuring Storage Hosts and Devices".

Download and Install Java Development Kit 7 Using SVR4 Packages
  1. In the patch archive (.zip) file, locate the compressed tape archive file jdk-7ubuild-platform.tar.Z, where:

    • build is the build number

    • platform is the operating system and hardware platform that you selected

    For example, jdk-7u141-solaris-sparc.tar.Z would contain the 32-bit SPARC packages, while jdk-7u141-solaris-i586.tar.Z would hold the equivalents for the x86 platform.

  2. Decompress the compressed tape archive (.tar.Z) file and extract the SVR4 packages into the working directory. Use the command zcat jdk-7ubuild-platform.tar.Z | tar xf -.

    In the example, we extract Solaris SPARC packages for JDK 7 build 141:

    root@mds:~# zcat jdk-7u141-solaris-sparc.tar.Z | tar xf -
    
  3. Install the SVR4 packages, answering yes to all questions. Use the command yes | pkgadd -d . package-list, where package-list is a space-delimited list of package names.

    In the example, the list of packages includes SUNWj7dev, SUNWj7rt, SUNWj7cfg, SUNWj7jmp, and SUNWj7man.

    root@mds:~# yes | pkgadd -d . SUNWj7dev SUNWj7rt SUNWj7cfg SUNWj7jmp SUNWj7man
    
  4. If you intend to use the cloud drive encryption feature, enable encryption now.

  5. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  6. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  7. Otherwise, go to "Configuring Storage Hosts and Devices".

Enable Cloud Encryption

If you intend to use the cloud-drive encryption feature of the cloud library (cr) equipment type, carry out the following tasks:

  • Install Java Cryptography Extensions Unlimited Strength Jurisdiction Policy Files 7.

  • If you plan to manage encryption keys using a Public Key Cryptography Standards #11 (Cryptoki) key manager, configure the Oracle HSM metadata server to use the selected key manager, Oracle Key Manager (OKM) or Oracle Key Vault (OKV).

  • If you plan to manage encryption keys using a local file, create the keystore file now.

Install Java Cryptography Extensions Unlimited Strength Jurisdiction Policy Files 7

Java Cryptography Extensions (JCE) jurisdiction policy files specify the cryptographic strength that the JDK/JCE software can provide. The default jurisdiction policy files distributed with the JDK 7 development kit limit cryptographic strength in keeping with the import restrictions in force in some countries. The JCE Unlimited Strength Jurisdiction Policy Files 7 allow unlimited strength encryption.

  1. If you have not already done so, log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  2. In a web browser window, open the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download page.

    The page is available at the following URL:

    http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  3. Click the Accept License Agreement radio button.

  4. In the download field, click on the link UnlimitedJCEPolicyJDK7.zip.

  5. When prompted, save the UnlimitedJCEPolicyJDK7.zip file in a convenient working directory.

  6. Decompress and extract the contents of the UnlimitedJCEPolicyJDK7.zip file.

    The file contains a directory, jce/, that holds a README.txt file and local and export policy Java Archive (jar) files:

    root@solaris:~# ls
    jce
    root@solaris:~# ls jce
    README.txt
    local_policy.jar
    US_export_policy.jar
    root@solaris:~#
    
  7. Read the README.txt file carefully, so that you understand the jurisdictional issues surrounding import and export of strong cryptography.

  8. Install the policy files, US_export_policy.jar and local_policy.jar. Copy the files to the directory /usr/jdk/instances/jdk1.7.0/jre/lib/security/.

    root@mds:~# cp US_export_policy.jar \
    /usr/jdk/instances/jdk1.7.0/jre/lib/security/
    root@mds:~# cp local_policy.jar /usr/jdk/instances/jdk1.7.0/jre/lib/security/
    root@mds:~#
    
  9. If you plan on managing cryptographic keys using a PKCS #11 key manager rather than a local text file, enroll Oracle HSM with the key manager now. You can enroll the Oracle HSM metadata server with Oracle Key Manager or with Oracle Key Vault.

  10. If you plan on managing cryptographic keys using a local keystore file, create the file now.

  11. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  12. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  13. Otherwise, go to "Configuring Storage Hosts and Devices".

Configure Oracle HSM Metadata Server for Use with Oracle Key Manager (OKM)
  1. If you plan on using Oracle Key Manager (OKM) as your key manager, have an OKM administrator register Oracle HSM as an agent and provide the following access information:

    • the name of the profile that applies to Oracle HSM

    • the OKM Agent ID for Oracle HSM

    • the password for logging in as Oracle HSM

    • the IP address of the Key Management Appliance (KMA) that Oracle HSM should try to access first.

      A Key Management Appliance (KMA) is a host node in an OKM cluster.

    For more information on OKM, see the Oracle Key Manager Online Documentation Library at the following URL:

    http://www.oracle.com/technetwork/documentation/tape-storage-curr-187744.html#crypto

  2. If you have not already done so, log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  3. Install the pkcs11_kms package on the Oracle HSM metadata server. Use the IPS command pkg install system/library/security/crypto/pkcs11_kms.

    The Oracle Solaris pkcs11_kms encryption services provider lets Oracle HSM use encryption and decryption keys by requesting application-defined key labels. Using a private protocol, the pkcs11_kms provider passes this label to Oracle Key Manager (OKM) for inclusion in the metadata associated with encrypted data. The client application can then encrypt and decrypt data via the key management server, without direct access to encryption keys.

    root@mds:~# pkg install system/library/security/crypto/pkcs11_kms
    Packages to install: 1
    Create boot environment: No
    Create backup boot environment: No
    DOWNLOAD PKGS FILES XFER (MB) SPEED
    Completed 1/1 16/16 0.6/0.6 1.6M/s
    PHASE ITEMS
    Installing new actions 43/43
    ...
    Updating package cache 1/1
    root@mds:~#
    
  4. Plug pkcs11_kms into the Solaris Cryptographic Framework. Use the command cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'

    root@mds:~# cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
    root@mds:~#
    
  5. Start the pkcs11_kms configuration process. Enter the command kmscfg.

    The Profile Name: prompt appears:

    root@mds:~# kmscfg
    Profile Name:
    
  6. At the Profile Name: prompt, enter the name of the profile that the OKM administrator specified for use with Oracle HSM.

    In the example, the specified profile is named HSMcloud:

    root@mds:~# kmscfg
    Profile Name: HSMcloud
    
  7. When prompted for an Agent ID, enter the agent ID that the OKM administrator assigned to Oracle HSM.

    In the example, the Agent ID is HSMcloudArchive:

    root@mds:~# kmscfg
    Agent ID: HSMcloudArchive
    
  8. When prompted for a KMA IP Address, enter the Internet Protocol address that the OKM administrator provided.

    In the example, this IP address is 192.168.123.123:

    root@mds:~# kmscfg
    KMA IP Address: 192.168.123.123
    
  9. Display the configuration. Use the command cryptoadm list -m -v provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'

    root@mds:~# cryptoadm list -m -v provider='/usr/lib/security/$ISA/pkcs11_kms.so.1'
    Provider: /usr/lib/security/$ISA/pkcs11_kms.so.1
    Number of slots: 1
    Slot #1
    Description: Oracle Key Management System
    Manufacturer: Oracle Corporation
    PKCS#11 Version: 2.20
    Hardware Version: 0.0
    Firmware Version: 0.0
    Token Present: True
    Slot Flags: CKF_TOKEN_PRESENT
    Token Label: KMS
    ...
    
    Mechanisms (column key: HW = hardware, Enc = encrypt, Dec = decrypt, Dig = digest,
    Sig = sign, Sig+Rec = sign and recover, Ver = verify, Ver+Rec = verify and recover,
    KeyGen = key generation, PairGen = key-pair generation, Wrap, Unwrap, Derive,
    ECCaps = elliptic-curve capabilities; X marks a supported operation):

    Mechanism Name            Minimum    Maximum HW Enc Dec Dig Sig Sig+Rec Ver Ver+Rec KeyGen PairGen Wrap Unwrap Derive ECCaps
    ------------------------ -------- ---------- -- --- --- --- --- ------- --- ------- ------ ------- ---- ------ ------ ------
    CKM_AES_KEY_GEN                32         32  .  .   .   .   .     .     .     .      X       .     .     .      .      .
    CKM_AES_CBC                    32         32  .  X   X   .   .     .     .     .      .       .     X     X      .      .
    CKM_AES_CBC_PAD                32         32  .  X   X   .   .     .     .     .      .       .     X     X      .      .
    root@mds:~#
    
  10. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  11. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  12. Otherwise, go to "Configuring Storage Hosts and Devices".

Configure the Oracle HSM Metadata Server for Use with Oracle Key Vault (OKV)
  1. If you plan on using Oracle Key Vault (OKV) as your key manager, have an OKV system administrator initiate enrollment of the Oracle HSM metadata server as an OKV endpoint.

    The OKV administrator will provide you with a one-time enrollment token by email or another out-of-band communication method.

  2. When you receive the enrollment token, download and install the OKV client software. Follow the instructions in the chapter "Using Oracle Key Vault Endpoints" in the Oracle Key Vault Administrator's Guide, Oracle Key Vault 12c Release 1 Documentation Library.

    Full documentation for all available versions of Oracle Key Vault can be found at the following URL:

    https://docs.oracle.com/en/database/related-products.html#DatabaseSecurity

  3. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  4. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  5. Otherwise, go to "Configuring Storage Hosts and Devices".

Create and Configure an Encryption Keystore File

For each cloud library that will manage encryption keys using a local file, proceed as follows:

  1. If you have not already done so, log in to the Oracle HSM metadata server as root.

    root@mds:~#
    
  2. Using a text editor, create the keystore file for the cloud library.

    In the example, we create the keystore file in the directory /root/. For clarity, we name the file cl800.ksf, where cl800 is the family set name of the corresponding cloud library, and add a comment:

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    
  3. Using the text editor, add a line to the keystore file of the form key-label = string, where string is the alias that will indirectly identify the key that cloud drives will use when encrypting volumes stored in the cloud library.

    In the example, the key label is Key1.

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    key-label = Key1
    
  4. In another terminal window, create an Advanced Encryption Standard (AES) encryption key. Use the command dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -t x1 -An | tr -d '\n \t' ; echo, where:

    • dd is the Solaris utility that copies an input source to an output destination

    • if=/dev/urandom makes the Solaris pseudorandom number generator the input source for dd

    • bs=32 sets the input and output block size for dd to the maximum AES key size, 32 bytes

    • count=1 tells dd to copy one 32-byte block

    • 2>/dev/null redirects any errors that dd generates from stderr to /dev/null

    • | od pipes the output of the dd utility to od, the Solaris octal dump utility

    • -t x1 specifies the type of output that od is to generate: a one byte, hexadecimal number

    • -An tells od to omit an input offset address from the output

    • | tr pipes the output of od to tr, the Solaris character translation utility

    • -d '\n \t' tells tr to delete all newline, space, and tab characters from the input, leaving a single 64-character hexadecimal string

    • ; echo writes a newline after the key, so that the shell prompt appears on its own line

    In the example, the output is the AES key 4e6e2666f...41ba25e3:

    root@mds1:~# dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -t x1 -An | tr -d '\n \t' ; echo
    4e6e2666f053e84ce8f1b67308c77d2d884e2c182bdaf965040c590f41ba25e3
    root@mds1:~#
    
  5. Using the text editor, add a line to the keystore file of the form key-value = AES_key, where AES_key is the key that you just generated.

    In the example, the key-value is 4e6e2666f...41ba25e3:

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    key-label = Key1
    key-value = 4e6e2666f053e84ce8f1b67308c77d2d884e2c182bdaf965040c590f41ba25e3
    
  6. In another terminal window, create a SHA-256 hash of the key label and the AES key value. Use the command print -n "KeylabelKeyvalue" | digest -a sha256, where Keylabel is the value of the key-label parameter and Keyvalue is the value of the key-value parameter.

    In the example, the SHA-256 hash of Key1 and 4e6e2666f...41ba25e3 is 1384cec4...9f522186:

    root@mds1:~# print -n "Key14e6e2666f...41ba25e3" | digest -a sha256
    1384cec4e2e81eb80bed983a484b57dcaeaccea0d98ef8d068f00fb29f522186
    root@mds1:~#
    
  7. Using the text editor, add a line to the keystore file of the form key-hash = hash, where hash is the hash value that you just calculated.

    In the example, the key-hash is 1384cec4...9f522186:

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    key-label = Key1
    key-value = 4e6e2666f053e84ce8f1b67308c77d2d884e2c182bdaf965040c590f41ba25e3
    key-hash = 1384cec4e2e81eb80bed983a484b57dcaeaccea0d98ef8d068f00fb29f522186
    
  8. Save the keystore file.

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    key-label = Key1
    key-value = 4e6e2666f053e84ce8f1b67308c77d2d884e2c182bdaf965040c590f41ba25e3
    key-hash = 1384cec4e2e81eb80bed983a484b57dcaeaccea0d98ef8d068f00fb29f522186
    :w
    
  9. For each additional key that you intend to use when encrypting volumes in this cloud library, repeat steps 3 through 8.

  10. When you have created keystore records for all required keys, close the editor.

    In the example, the finished keystore file holds entries for two AES keys, labelled Key1 and Key2:

    root@mds1:~# vi /root/cl800.ksf
    # keystore file for Oracle HSM cloud library cl800
    key-label = Key1
    key-value = 4e6e2666f053e84ce8f1b67308c77d2d884e2c182bdaf965040c590f41ba25e3
    key-hash = 1384cec4e2e81eb80bed983a484b57dcaeaccea0d98ef8d068f00fb29f522186
    key-label = Key2
    key-value = 240dd62a6af501fafdd693fd05b0ac5779e7f743ca09d116408c1b5ff53a1c07
    key-hash = 073ffe4c4184977939195a68c8ba1c1febb4a28abda0cce121a2b9cf50435297
    :q
    root@mds1:~#
    
  11. Encrypt the keystore file. Use the command encrypt -a aes -i inputfile -o outputfile, and enter a strong password when prompted for a Passphrase.

    The command parameters have the following functions:

    • -a aes specifies Advanced Encryption Standard

    • -i inputfile specifies the absolute path and file name of the keystore file

    • -o outputfile specifies the absolute path and file name of the encrypted output file; in this procedure it is the same path as the input, so the encrypted file replaces the plaintext keystore file

    In the example, the string P^ssw0rd represents a strong password:

    root@mds1:~# encrypt -a aes -i /root/cl800.ksf -o /root/cl800.ksf
    Enter passphrase: P^ssw0rd
    Re-enter passphrase: P^ssw0rd
    root@mds1:~#
    
  12. Create a password file to hold the password for the AES-encrypted keystore file. Use the command sam-cloudd -p keyfile_password_file, where keyfile_password_file is the fully qualified path and file name of the new password file. When prompted for a Password, enter the password for the AES-encrypted keystore file.

    In the example, we create the password file cl800.ksf.pwd in the directory /root/ and enter the password that we used when encrypting keystore file cl800.ksf:

    root@mds1:~# sam-cloudd -p /root/cl800.ksf.pwd
    Enter Password: P^ssw0rd
    Reenter Password: P^ssw0rd
    root@mds1:~#
    
  13. Change the keystore file permissions so that the owner has read and write access and others have none. Use the command chmod 0600 keystore_file, where keystore_file is the fully qualified path and file name of the keystore file.

    In the example, the keystore file is /root/cl800.ksf:

    root@mds1:~# chmod 0600 /root/cl800.ksf
    root@mds1:~#
    
  14. If you are preparing a solution that includes additional Solaris hosts, repeat the tasks specified in "Configuring Oracle Solaris Hosts for Oracle HSM" until all Solaris hosts have been configured.

  15. If you are preparing a solution that includes one or more Linux clients, go to "Configuring Linux Hosts for Oracle HSM Clients".

  16. Otherwise, go to "Configuring Storage Hosts and Devices".
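
The key-generation and key-hash steps above (steps 3 through 10) can be checked offline before the keystore file is encrypted. The following is an added example written for this page; it is not code from the Oracle HSM documentation or product. It assumes only what the procedure shows: a keystore record is three lines, key-label, key-value (the 256-bit AES key as 64 hex digits) and key-hash, and key-hash is the SHA-256 of the label immediately followed by the hex key text, which is what print -n "KeylabelKeyvalue" | digest -a sha256 hashes. The file name cl800.ksf and the labels Key1 and Key2 are the page's examples; the key values the script generates are its own.

```python
"""Added example (not part of the Oracle HSM documentation): build and
verify Oracle HSM cloud-library keystore records with the Python standard
library, mirroring steps 3 through 10 of the procedure.

Assumed layout (taken from the page's example file):
    key-label = <label>
    key-value = <64 lowercase hex digits = 32-byte AES key>
    key-hash  = sha256(label || hex key) as hex
"""
import hashlib
import os
import re

HEX_KEY_RE = re.compile(r"^[0-9a-f]{64}$")


def generate_aes_key() -> str:
    """32 random bytes as 64 lowercase hex digits.

    Same result as the documented pipeline
        dd if=/dev/urandom bs=32 count=1 | od -t x1 -An | tr -d '\\n \\t'
    but read through os.urandom (the kernel CSPRNG on Solaris and Linux).
    """
    return os.urandom(32).hex()


def key_hash(label: str, value: str) -> str:
    """SHA-256 of label followed directly by the hex key, with no newline,
    exactly what  print -n "KeylabelKeyvalue" | digest -a sha256  digests."""
    return hashlib.sha256((label + value).encode("ascii")).hexdigest()


def keystore_record(label: str, value: str) -> str:
    """One keystore record in the documented three-line order."""
    return (f"key-label = {label}\n"
            f"key-value = {value}\n"
            f"key-hash = {key_hash(label, value)}\n")


def parse_keystore(text: str) -> list:
    """Group 'name = value' lines into records; each key-label starts a new
    record.  Comment lines (#) and blank lines are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, val = line.partition("=")
        if not sep:
            raise ValueError(f"malformed keystore line: {raw!r}")
        name, val = name.strip(), val.strip()
        if name == "key-label":
            current = {"key-label": val}
            records.append(current)
        elif current is None:
            raise ValueError(f"{name} appears before any key-label")
        else:
            current[name] = val
    return records


def verify_keystore(text: str) -> dict:
    """Map each label to True when its key-value is a 64-hex-digit key and
    its key-hash equals sha256(label + value), else False.  A False here
    almost always means a copy-and-paste slip in step 5 or step 7."""
    result = {}
    for rec in parse_keystore(text):
        label = rec["key-label"]
        value = rec.get("key-value", "")
        well_formed = bool(HEX_KEY_RE.match(value))
        result[label] = well_formed and rec.get("key-hash") == key_hash(label, value)
    return result


def build_keystore(labels, header="# keystore file for Oracle HSM cloud library cl800") -> str:
    """Plaintext keystore for the given labels with freshly generated keys:
    the content that step 11 then protects with  encrypt -a aes."""
    body = "".join(keystore_record(lbl, generate_aes_key()) for lbl in labels)
    return header + "\n" + body


if __name__ == "__main__":
    ks = build_keystore(["Key1", "Key2"])
    print(ks)
    print(verify_keystore(ks))
```

To check a keystore you typed by hand, read the plaintext file and pass its contents to verify_keystore() before running step 11; once the file has been encrypted with encrypt -a aes it is no longer parseable, so do the check first.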

Configuring Linux Hosts for Oracle HSM Clients

Before you install the Oracle HSM client software, you must prepare the Linux operating system as follows:

Disable Incompatible Operating System Features

  1. Log in to the Oracle HSM client host as root.

    [root@linux ~]# 
    
  2. If SELinux (Security-Enhanced Linux) is installed, disable it. Open the file /etc/selinux/config in a text editor, set the SELINUX flag to disabled, save the file, close the editor, and reboot.

    Oracle HSM does not support SELinux, which is enabled by default on Oracle Linux and Red Hat Enterprise Linux. In the example, we open the file in the vi editor.

    [root@linux ~]# vi /etc/selinux/config
    # This file controls the state of SELinux on the system.
    ...
    #SELINUX=enforcing
    #SELINUX=permissive
    SELINUX=disabled
    SELINUXTYPE=targeted
    :wq
    [root@linux ~]# reboot
    
  3. If AppArmor is installed, disable it using the procedure recommended in the documentation for your Linux distribution.

    AppArmor is sometimes used as an alternative to SELinux. Oracle HSM does not support AppArmor.

  4. Next, install the required kernel-development and utility packages.

Install Required Kernel Development and Utility Packages

Before you install the Oracle HSM client software, you must install the Linux kernel development package and several specified utility packages. To identify and install the required packages, use the following procedure:

  1. Log in to the Linux client host as root.

    In the example, the client is hosted on Oracle Linux:

    [root@linux ~]# 
    
  2. Identify the kernel version installed on the client. Use the command uname -r.

    In the example, the kernel version is 2.6.9-89.0.0.0.1.EL:

    [root@linux ~]# uname -r
    2.6.9-89.0.0.0.1.EL
    [root@linux ~]# 
    
  3. Install the kernel development kit, kernel-devel-kernel-version, where kernel-version is the version string that you identified in the preceding step.

    The Oracle HSM client installation requires the Module.symvers file that is part of this package. In the example, we use the Oracle Linux command yum with the parameters -y install (-y ensures that all prompts are automatically answered "yes"):

    [root@linux ~]# yum -y install \
        kernel-devel-2.6.9-89.0.0.0.1.EL.i686.rpm
    [root@linux ~]# 
    
  4. See if the Korn shell, ksh, is installed. If it is not, install it.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string ksh. The command returns no output, which shows that ksh is not installed. So we install it using the command yum install ksh:

    [root@linux ~]# rpm -qa | grep ksh
    [root@linux ~]# 
    [root@linux ~]# yum install ksh
    ...
    --> Running transaction check
    ---> Package ksh-20100621-19.e16.x86_64 set to be installed
     
    ===============================================================================
    Package            Arch          Version                  Repository      Size
    ===============================================================================
    Installing:
     ksh               i686          2.6.9-89.0.0.0.1.EL       updates        506 k
    ...
    Installed:
      ksh-2.6.9-89.0.0.0.1.EL.i686
    Complete!
    [root@linux ~]# 
    
  5. See if the cpio utility is installed. If it is not, install it.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string cpio. The command returns version information, so the cpio utility is installed:

    [root@linux ~]#  rpm -qa | grep cpio
    cpio-2.10-10.e16.x86_64
    [root@linux ~]# 
    
  6. See if the find utilities are installed. If they are not, install them.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string findutils. The command returns version information, so the findutils package is installed:

    [root@linux ~]#  rpm -qa | grep findutils
    findutils-4.4.2-6.e16.x86_64
    [root@linux ~]# 
    
  7. See if the gcc compiler is installed. If it is not, install it.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string gcc. The command returns version information, so the gcc compiler is installed:

    [root@linux ~]#  rpm -qa | grep gcc
    gcc-4.4.7-3.e16.x86_64
    libgcc-4.4.7-3.e16.x86_64
    [root@linux ~]# 
    
  8. See if the make utility is installed. If it is not, install it.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string make. The command returns version information, so the make utility is installed:

    [root@linux ~]#  rpm -qa | grep make
    make-4.4.7-3.e16.x86_64
    libmake-3.81.20.e16.x86_64
    [root@linux ~]# 
    
  9. See if the binutils package is installed. If it is not, install it.

    If the Oracle HSM installation software needs to build the Linux kernel, it requires the nm utility, which is part of this package. In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string nm. The command returns version information, so the nm utility is installed:

    [root@linux ~]#  rpm -qa | grep nm
    binutils-2.20.51.0.2-5.34.e16.x86_64
    [root@linux ~]# 
    
  10. See if the rpmbuild package is installed. If it is not, install it.

    In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string rpmbuild. The command returns version information, so the rpmbuild package is installed:

    [root@linux ~]#  rpm -qa | grep rpmbuild
    rpm-build-4.8.0-37.el6.x86_64
    [root@linux ~]# 
    
  11. See if the rpm package is installed. If it is not, install it.

    If the Oracle HSM installation software needs to build the Linux kernel, it requires the rpm2cpio utility, which is part of this package. In the example, we pipe the output of the Oracle Linux command rpm -qa to the grep command and search for the string rpm. The command returns version information, so the utility is installed:

    [root@linux ~]#  rpm -qa | grep rpm
    rpm-4.8.0-27.e16.x86_64
    rpm-libs-4.8.0-27.e16.x86_64
    rpm-python-4.8.0-27.e16.x86_64
    [root@linux ~]# 
    
  12. If you are preparing a solution that includes additional Linux clients, repeat the tasks specified in "Configuring Linux Hosts for Oracle HSM Clients" until all Linux clients have been configured.

  13. Otherwise, go to "Configuring Storage Hosts and Devices".
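
Steps 3 through 11 above check one package at a time with rpm -qa | grep name. The following is an added example, not code from the Oracle HSM documentation or product, that performs the same checks in one pass from the output of rpm -qa. It matches on the exact package name rather than a substring, so a line such as automake or rpm-libs is not mistaken for the make or rpm package the way a bare grep would accept it, and it verifies that the installed kernel-devel package matches the running kernel reported by uname -r. The required-package list is taken from the steps above (the rpmbuild package is installed under the name rpm-build, as the step 10 output shows); the sample rpm -qa output is constructed for the demonstration.

```python
"""Added example (not from the Oracle HSM documentation): check the Linux
client's package prerequisites from  rpm -qa  output in a single pass.

Assumptions: the required list below is read off steps 3 through 11 of
the procedure; package names are matched exactly, and the kernel-devel
package must carry the same version string that  uname -r  reports.
"""
import re
import subprocess

# Utility packages named in the procedure (rpm-build is the package that
# provides rpmbuild).  kernel-devel is handled separately by version.
REQUIRED = ["ksh", "cpio", "findutils", "gcc", "make", "binutils", "rpm-build", "rpm"]

# name-version-release.arch -> name: the name ends at the first '-' that
# is followed by a digit, e.g. rpm-build-4.8.0-37.el6.x86_64 -> rpm-build
NVRA_RE = re.compile(r"^(?P<name>.+?)-(?=\d)")

# Constructed sample of  rpm -qa  output: ksh and make are absent (only
# automake is present), and kernel-devel is for a different kernel.
SAMPLE_RPM_QA = """\
cpio-2.10-10.el6.x86_64
findutils-4.4.2-6.el6.x86_64
gcc-4.4.7-3.el6.x86_64
libgcc-4.4.7-3.el6.x86_64
automake-1.11.1-4.el6.noarch
binutils-2.20.51.0.2-5.34.el6.x86_64
rpm-build-4.8.0-37.el6.x86_64
rpm-4.8.0-27.el6.x86_64
rpm-libs-4.8.0-27.el6.x86_64
rpm-python-4.8.0-27.el6.x86_64
kernel-devel-2.6.32-431.el6.x86_64
"""


def package_name(nvra: str) -> str:
    """Strip version-release.arch from an rpm -qa line."""
    m = NVRA_RE.match(nvra)
    return m.group("name") if m else nvra


def installed_names(rpm_qa_output: str) -> set:
    """Set of exact package names present in the rpm -qa output."""
    return {package_name(line.strip()) for line in rpm_qa_output.splitlines() if line.strip()}


def missing_packages(rpm_qa_output: str, kernel_version: str) -> list:
    """Required items not found: the kernel-devel package for the running
    kernel (if absent) first, then the utility packages in REQUIRED order."""
    names = installed_names(rpm_qa_output)
    missing = [pkg for pkg in REQUIRED if pkg not in names]
    wanted = "kernel-devel-" + kernel_version
    lines = (line.strip() for line in rpm_qa_output.splitlines())
    if not any(line.startswith(wanted) for line in lines):
        missing.insert(0, wanted)
    return missing


def install_command(missing: list) -> list:
    """argv for the non-interactive yum install used in step 3."""
    return ["yum", "-y", "install"] + list(missing)


def live_check() -> list:
    """Run the check against the real host (Linux with rpm and uname)."""
    rpm_qa = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True).stdout
    kernel = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout.strip()
    return missing_packages(rpm_qa, kernel)


if __name__ == "__main__":
    print("sample:", missing_packages(SAMPLE_RPM_QA, "2.6.32-504.el6.x86_64"))
    try:
        missing = live_check()
        print("this host:", missing or "all prerequisites installed")
        if missing:
            print(" ".join(install_command(missing)))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("rpm/uname not available here; only the sample was checked")
```

On the sample data the script reports the kernel-devel package for the running kernel, ksh and make as missing; run as root on the client it prints the yum -y install line that would install whatever is actually absent.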