4 Support Guidance
The support guidance provides information about troubleshooting, vendor specific notes, and the CNSA Suite support.
4.1 General Troubleshooting
This section covers general troubleshooting help. Vendor specific troubleshooting is covered in the vendor specific notes.
- hsm_initialize: Could Not Get Slot for HSM
- hsm_initialize: Could Not Load PKCS#11 Library
- Oracle Key Vault Management Console Does Not Start After Restarting HSM-Enabled Oracle Key Vault Server
- Primary-Standby Errors
- Backup
- Restoring an HSM-Enabled Backup
Parent topic: Support Guidance
4.1.1 hsm_initialize: Could Not Get Slot for HSM
This error indicates that Oracle Key Vault is not properly enrolled as a client of the HSM. Check vendor-specific instructions for more information.
Parent topic: General Troubleshooting
4.1.2 hsm_initialize: Could Not Load PKCS#11 Library
This error indicates that Oracle Key Vault is not properly enrolled as a client of the HSM. Check vendor-specific instructions for more information.
Parent topic: General Troubleshooting
4.1.3 Oracle Key Vault Management Console Does Not Start After Restarting HSM-Enabled Oracle Key Vault Server
If the management console does not appear after restarting the HSM-enabled Oracle
Key Vault server, log into the Oracle Key Vault server using SSH as user
support
and verify the following:
-
Try to manually open the wallet:
$ ssh support@okv_instance <Enter password when prompted> $ su root root# su oracle $ cd /usr/local/okv/hsm/bin $ ./hsmclient open_wallet
If the
open_wallet
command succeeds, the database will open and the management console will appear, unless there is another non-HSM problem. If the command does not succeed, check for vendor-specific instructions. Otherwise, copy the output and contact Oracle Support. - If using DNS with the HSM configuration, due to the known issue, Bug 24478865, ensure
that DNS entries are both in the management console (System tab > System
Settings page > DNS section) and in
/etc/resolv.conf
.An example configuration of
/etc/resolv.conf
:search <default search domains> nameserver <dns ip 1> nameserver <dns ip 2> nameserver <dns ip 3>
Parent topic: General Troubleshooting
4.1.4 Primary-Standby Errors
-
Check that the files have been transported to the standby server:
Execute the command
ls -l
as root on the standby server:$ ls -l /usr/local/okv/hsm/wallet -rw------- 1 oracle oinstall 324 May 16 22:57 cwallet.sso -rw------- 1 oracle oinstall 176 May 16 22:57 enctdepwd $ ls -l /usr/local/okv/hsm/restore -rw------- 1 oracle oinstall 320 May 16 22:57 ewallet.p12
You must see
cwallet.sso
andenctdepwd in
the/usr/local/okv/hsm/wallet
directory andewallet.p12
in the/usr/local/okv/hsm/restore
directory. -
Check that the mode is set to HSM on the standby server:
Open the file
okv_security.conf
as root on the standby server:$ cat /usr/local/okv/etc/okv_security.conf Look for the line: HSM_ENABLED="1"
You must see the number within double quotes.
-
Check the vendor-specific instructions.
Parent topic: General Troubleshooting
4.1.5 Backup
You must check that the pre_restore
command has been run on the target as follows:
Execute the command ls -l
as root on the standby server:
$ ls -l /usr/local/okv/hsm/wallet
-rw------- 1 oracle oinstall 324 May 16 22:57 cwallet.sso
You must see the wallet file cwallet.sso
.
You must also check that you have followed the instructions from the HSM vendor.
Parent topic: General Troubleshooting
4.1.6 Restoring an HSM-Enabled Backup
This procedure must only be used in a restore operation and you must enter the HSM credential correctly. If you enter an incorrect credential or if Oracle Key Vault is unable to connect to the HSM, the credential will not be stored. Ensure that Oracle Key Vault is enrolled as a client of the HSM and then ensure that the correct credential has been entered.
For more information about enrolling Oracle Key Vault as a client of the HSM, see Enroll Oracle Key Vault as a Client of HSM.
Parent topic: General Troubleshooting
4.2 Vendor Specific Notes - SafeNet
Release 12.2 BP 1 and higher support Oracle Key Vault integration with SafeNet (Gemalto) Luna SA 7000. The use of a Host Trust Link (HTL) for SafeNet Luna HSM is unsupported at this time.
The following installation and enrollment instructions apply to the SafeNet Luna SA 7000 HSM.
- Install the HSM Client Software on the Oracle Key Vault Server
- HSM Credential
- Enroll Oracle Key Vault as a Client of HSM
- HSM Provider Value
- HSM Vendor Specific Checks
- Verify Connection between Oracle Key Vault and SafeNet
Parent topic: Support Guidance
4.2.1 Install the HSM Client Software on the Oracle Key Vault Server
To install the HSM client on Oracle Key Vault:
-
Obtain the SafeNet client software package, version 6.2 for Linux x64. For the purposes of this document, we will refer to this as "safenet.tar".
-
Transport the SafeNet client software package to the Oracle Key Vault machine. Oracle recommends using scp, for example:
scp safenet.tar support@[okv hostname]:/tmp
-
Install the SafeNet client software on Oracle Key Vault.
-
Log in to the Oracle Key Vault Server through SSH as user
support
, and switch user (su
) toroot
:$ ssh support@okv_instance $ su root $ cd /usr/local/okv/hsm $ cp /tmp/safenet.tar /usr/local/okv/hsm $ tar -xvf safenet.tar $ cd 64 $ ./install.sh
-
Accept the SafeNet license by typing ‘y’ at the prompt.
-
Install the Luna SA by entering ‘1’, ‘n’, ‘i’ at the successive prompts:
This installs the SafeNet software in the directory
/usr/safenet/lunaclient
. -
Delete the safenet.tar file from /tmp directory.
$ rm -f /tmp/safenet.tar
Parent topic: Vendor Specific Notes - SafeNet
4.2.2 HSM Credential
The HSM credential is the SafeNet partition password. You choose a partition with the client assignPartition
command.
Parent topic: Vendor Specific Notes - SafeNet
4.2.3 Enroll Oracle Key Vault as a Client of HSM
To enroll Oracle Key Vault as an HSM client:
-
Set the DNS servers for Oracle Key Vault via the management console from System -> System Settings. This step is required for the Luna SA to communicate with Oracle Key Vault.
If using DNS with the HSM configuration, due to the known issue, Bug 24478865, ensure that DNS entries are both in the management console (System tab > System Settings page > DNS section) and in
/etc/resolv.conf
. -
Exchange certificates between Oracle Key Vault and the Luna SA:
Log in to the Oracle Key Vault Server through SSH as user
support
, and switch user (su
) toroot
:$ ssh support@okv_instance $ su root $ cd /usr/safenet/lunaclient/bin $ scp admin@[hsm hostname]:server.pem . $ ./vtl addServer -n [hsm hostname] -c server.pem $ ./vtl createCert -n [okv hostname] $ scp /usr/safenet/lunaclient/cert/client/[okv hostname].pem admin@[hsm hostname]:
You will need to enter the HSM admin password when using scp with the HSM.
-
Register Oracle Key Vault as a client of the Luna SA. This assumes you have a partition set up on the Luna SA. You can use any client name that is not yet taken. Oracle recommends using a descriptive name that will identify the Oracle Key Vault instance.
Access the HSM administrative console by using SSH to admin@[hsm hostname] and providing the admin password:
$ client register -client [client name] -hostname [okv hostname] $ client hostip map -c [client name] -i [okv IP] $ client assignPartition -client [client name] -partition [partition name]
-
Verify enrollment:
Login to Oracle Key Vault as the support user using SSH:
$ su root $ cd /usr/safenet/lunaclient/bin $ ./vtl verify
The following output appears:
The following Luna SA Slots/Partitions were found: Slot Serial # Label ==== ======== ===== 1 [serial #] [partition name]
Parent topic: Vendor Specific Notes - SafeNet
4.2.4 HSM Provider Value
For Safenet, the provider value is 1. If setting manually for primary-standby, set HSM_PROVIDER="1". For more information about enabling HSM in a primary-standby deployment, see Enabling HSM in a High Availability Deployment.
Parent topic: Vendor Specific Notes - SafeNet
4.2.5 HSM Vendor Specific Checks
The instructions in this section apply to the SafeNet (Gemalto) Luna SA 7000 only.
You can verify the connection to the HSM for every Oracle Key Vault server as follows:
Login to the Oracle Key Vault server as user support
using SSH:
$ ssh support@okv_instance
$ su root
$ cd /usr/safenet/lunaclient/bin
$ ./vtl verify
The following output appears when the HSM is set up properly:
The following Luna SA Slots/Partitions were found:
Slot Serial # Label
==== ======== =====
1 [serial #] [partition name]
If you do not see this output, it means that the HSM is not set up properly. You may diagnose further as follows:
-
Log into the Luna SA administrative console.
-
Type the command:
client show -client [client name]
-
Verify that the expected client exists and is assigned a partition.
-
If it does not exist, register the client with the command:
client register -client [client name]-hostname [hostname]
-
If no partition is assigned, assign a partition with the command:
client assignPartition -client [client name] -partition [partition name]
-
Verify that all client IPs are mapped correctly. If entries are missing, run the command:
client hostip map -c [client name] -i [ip]
Parent topic: Vendor Specific Notes - SafeNet
4.2.6 Verify Connection between Oracle Key Vault and SafeNet
vtl
verify
command as
follows:$ su root root# cd /usr/safenet/lunaclient/bin root# ./vtl verify
The following Luna SA Slots/Partitions were found:
Slot Serial # Label
==== ======== =====
1 [serial #] [partition name]
If
the command fails, it means that the Oracle Key Vault server is unable to contact the HSM.
Check the vendor’s other troubleshooting sections for instructions to restore vtl
verify
functionality. Contact your HSM administrator and confirm that Oracle Key
Vault's access to the HSM has not been revoked. If you are unable to resolve the problem,
contact Oracle Support.
Parent topic: Vendor Specific Notes - SafeNet
4.3 Vendor Specific Notes - nCipher
Release 12.2 BP 3 and higher support Oracle Key Vault integration with the nCipher HSM. At this time, only the nCipher nShield Connect 6000+ is supported.
The following installation and enrollment instructions apply to the nCipher HSM.
- Install the HSM Client Software on the Oracle Key Vault Server
- HSM Credential
- Enroll Oracle Key Vault as a Client of HSM
- HSM Provider Value
- Enable HSM Mode
- Backup
- Restore
- HSM in a Primary-Standby Oracle Key Vault Installation
Parent topic: Support Guidance
4.3.1 Install the HSM Client Software on the Oracle Key Vault Server
The nCipher HSM requires a separate non-HSM computer on the network to use as the Remote File System. You must set up this computer and copy the nCipher software files to it before you start.
To install the nCipher software on the Oracle Key Vault server do:
-
Log in to the OKV server as support user using SSH:
$ ssh support$okv_instance <Enter the support user password when prompted>
-
Switch to root:
$ su root
-
Go to the
root
directory and create the directoriesctls
,hwsp
, andpkcs11
:root# cd /root root# mkdir ctls root# mkdir hwsp root# mkdir pkcs11
-
Transfer the nCipher software installation files using the Secure Copy (SCP) protocol as follows:
For example:root# scp <user@remote_file_system_machine>:/<your_source_directory>/ncipher/nfast/ctls/agg.tar ctls root# scp <user@remote_file_system_machine>:/<your_source_directory>/ncipher/nfast/hwsp/agg.tar hwsp root# scp <user@remote_file_system_machine>:/<your_source_directory>/ncipher/nfast/pkcs11/user.tar pkcs11
-
Install these files as follows:
root# cd / root# tar xvf /root/ctls/agg.tar root# tar xvf /root/hwsp/agg.tar root# tar xvf /root/pkcs11/user.tar root# /opt/nfast/sbin/install
-
As
root
perform additional edits on the Oracle Key Vault server:root# usermod -a -G nfast oracle root# cd /etc/rc.d/rc5.d root# mv S50nc_hardserver S40nc_hardserver root# cd /etc/rc.d/rc3.d root# mv S50nc_hardserver S41nc_hardserver
-
Switch to user
oracle
and verify the installation:root# su oracle oracle$ PATH=/opt/nfast/bin:$PATH oracle$ export PATH oracle$ enquiry
The state should say “operational” in the output. -
Reboot the system for the group change to take effect.
Parent topic: Vendor Specific Notes - nCipher
4.3.2 HSM Credential
The HSM credential is the Operator Card Set password.
Parent topic: Vendor Specific Notes - nCipher
4.3.3 Enroll Oracle Key Vault as a Client of HSM
Enroll Oracle Key Vault as an HSM client as follows:
-
Add the Oracle Key Vault server IP address to the client list on the HSM using the front panel. Select privileged on any port.
-
Switch to user
oracle
:root# su oracle oracle$ PATH=/opt/nfast/bin:$PATH oracle$ export PATH
-
On the Oracle Key Vault server, enroll with the HSM :
oracle$ nethsmenroll --privileged <HSM IP address> <HSM ESN> <HSM keyhash>
-
Configure TCP sockets:
oracle$ config-serverstartup --enable-tcp --enable-privileged-tcp
-
Switch to root and restart the hardserver (nCipher client process that communicates with the HSM):
oracle$ su root root# /opt/nfast/sbin/init.d-ncipher restart
-
On the Remote File System machine run the following command:
rfs-setup --gang-client --write-noauth <IP address of your Oracle Key Vault server>
-
On the Oracle Key Vault server as user
oracle
run the commands:oracle$ rfs-sync --setup --no-authenticate <IP address of Remote File System machine> oracle$ rfs-sync --update
-
Test PKCS#11 access as follows:
root# /opt/nfast/bin/ckcheckinst
A prompt appears listing the module. You can confirm or exit. -
Create the config file
/opt/nfast/cknfastrc
as userroot
. Write the following lines to the file:CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm
-
Perform the steps described in Protect the Oracle Key Vault TDE Master Key with the HSM.
-
On the Oracle Key Vault server as user
oracle
run the command:oracle$ /opt/nfast/bin/rfs-sync --commit
Parent topic: Vendor Specific Notes - nCipher
4.3.4 HSM Provider Value
For nCipher, the provider value is 2. If setting manually for primary-standby, set HSM_PROVIDER="2". For more information about enabling HSM in a primary-standby deployment, see Enabling HSM in a High Availability Deployment.
Parent topic: Vendor Specific Notes - nCipher
4.3.5 Enable HSM Mode
After installing HSM software and enrolling Oracle Key Vault as an HSM client, you can enable HSM mode with nCipher from the Oracle Key Vault user interface on the management console. Just select nCipher from the vendor drop-down list.
Parent topic: Vendor Specific Notes - nCipher
4.3.6 Backup
To take a backup of the Oracle Key Vault server in HSM mode, do the following:
-
Install a new Oracle Key Vault server.
-
Install the nCipher HSM software as described in a previous section.
-
From the Oracle Key Vault user interface add the backup destination on the System Backup page, just as you would in non-HSM mode.
-
Perform a backup as usual from the user interface on the management console.
Parent topic: Vendor Specific Notes - nCipher
4.3.7 Restore
To restore an Oracle Key Vault server from a backup, do the following:
-
Go to the Prepare for HSM Restore page from the user interface.
-
Select nCipher from the Vendor drop down list and enter the HSM credential twice as requested.
-
Click Set Credential .
-
Log in to the Oracle Key Vault Server through SSH as user
support
, switch user (su
) toroot
, then switch user (su
) tooracle
.$ ssh support@okv_instance <Enter password when prompted> $ su root root# su oracle
-
Run the following command, which retrieves information from the RFS:
oracle$ /opt/nfast/bin/rfs-sync --update
-
Restore via the user interface as usual, as in non-HSM mode.
Parent topic: Vendor Specific Notes - nCipher
4.3.8 HSM in a Primary-Standby Oracle Key Vault Installation
This procedure shows you how to pair two Oracle Key Vault servers in HSM mode in a primary-standby configuration. You must enable HSM mode in both primary and standby Oracle Key Vault servers before pairing them. To configure the HSM for primary-standby, please see the vendor documentation.
To configure Oracle Key Vault with nCipher HSM in a primary-standby installation, do the following:
-
Install Oracle Key Vault on two servers that you mean to designate as primary and standby.
-
Install the nCipher HSM software on each Oracle Key Vault server.
-
On the server you mean to designate as primary server do the following:
-
Log in to the designated Oracle Key Vault Primary Server through SSH as user
support
, switch user (su
) toroot
, then switch user (su
) tooracle
:$ ssh support@okv_primary_instance <Enter password when prompted> $ su root root# su oracle
-
Run the following command:
oracle$ /opt/nfast/bin/rfs-sync --update
-
-
From the user interface on the Oracle Key Vault management console initialize the intended primary server for HSM mode with nCipher.
-
On the server you mean to designate as primary server do the following:
-
Log in to the designated Oracle Key Vault Primary Server through SSH as user
support
, switch user (su
) toroot
, then switch user (su
) tooracle
:$ ssh support@okv_primary_instance <Enter password when prompted> $ su root root# su oracle
-
Run the following command:
oracle$ /opt/nfast/bin/rfs-sync --commit
-
-
Repeat Step 3 on the intended standby server.
-
Perform the following manual steps on the intended primary as user
oracle
:$ ssh support@okv_primary_instance <Enter password when prompted> $ su root root# su oracle oracle$ cd /usr/local/okv/hsm/wallet oracle$ scp cwallet.sso support@standby:/tmp oracle$ scp enctdepwd support@standby:/tmp oracle$ cd /usr/local/okv/hsm/restore oracle$ scp ewallet.p12 support@standby:/tmp
Note:
While performing this procedure on Oracle Key Vault 12.2.0.5.0 and earlier, use the commands in HSM in a Primary-Standby Oracle Key Vault Installation.
-
Perform the following manual steps on the intended standby as user
root
:$ ssh support@okv_standby_instance <Enter password when prompted> $ su root root# cd /usr/local/okv/hsm/wallet root# mv /tmp/enctdepwd . root# mv /tmp/cwallet.sso . root# chown oracle * root# chgrp oinstall * root# cd /usr/local/okv/hsm/restore root# mv /tmp/ewallet.p12 . root# chown oracle * root# chgrp oinstall *
Note:
While performing this procedure on Oracle Key Vault 12.2.0.5.0 and earlier, use the commands in HSM in a Primary-Standby Oracle Key Vault Installation.
-
Continuing as user
root
open the fileokv_security.conf
for writing:root# vi /usr/local/okv/etc/okv_security.conf
-
Make two updates to the file as follows:
-
Set the variable
HSM_ENABLED
to 1. If the variable does not exist, add it and set its value to 1.HSM_ENABLED="1"
-
Add the following line:
HSM_PROVIDER="2"
-
-
Then proceed to set up primary-standby as usual via the user interface on the Oracle Key Vault management console.
Parent topic: Vendor Specific Notes - nCipher
4.4 CNSA Suite Support
Oracle Key Vault 12.2 BP3 and higher offer compliance with the Commercial National Security Algorithm (CNSA) for TLS connections to and from the appliance.
The CNSA suite is a list of strong encryption algorithms and key lengths, that offer greater security and relevance into the future. A link to the full CNSA specification is in the Related Links section that follows this section.
Note that 12.2 BP3 and higher do not provide complete compliance across every component in the system. You will be able to switch to the CNSA algorithms, where available by means of two scripts that are packaged with the ISO:
-
The first script
/usr/local/okv/bin/okv_cnsa
makes configuration file changes to update as many components as possible to use the enhanced algorithms. It is reversible and will not interfere with existing operations. -
The second script
/usr/local/okv/bin/okv_cnsa_cert
regenerates CNSA compliant public key pairs and certificates.Note:
The second script/usr/local/okv/bin/okv_cnsa_cert
is disruptive because it replaces the old key pairs with new ones. This has consequences for the following operations:-
Endpoint Enrollment: Enroll endpoints after running this script when possible. If you had endpoints enrolled before running the CNSA script, you must re-enroll them so that fresh CNSA compliant keys are generated using CNSA algorithms.
-
Primary-Standby: Run the CNSA scripts on both Oracle Key Vault instances before pairing them in a primary-standby configuration when possible. If you had primary-standby set up prior to running the CNSA scripts, you must re-configure primary-standby as follows: unpair the primary and standby servers, run the CNSA scripts individually on each server, then pair them again.
-
Parent topic: Support Guidance
4.4.1 Running the CNSA Scripts
To run the CNSA scripts, do the following:
-
Install Oracle Key Vault and complete the post-installation tasks. The last post-installation task is to set the support user password, which is needed now.
-
Log into the Oracle Key Vault browser-based management console and enable SSH access to the server.
-
SSH into the Oracle Key Vault server as the support user. Enter the support user password created during post-installation, when prompted.
$ ssh support@okv_instance <Enter support user password created during post-installation>
-
Change to root user:
$ su root
-
Run the scripts as root user:
root# /usr/local/okv/bin/okv_cnsa root# /usr/local/okv/bin/okv_cnsa_cert
-
The scripts put data into
/usr/local/okv/etc/okv_security.conf
.The line
USE_ENHANCED_ALGORITHMS_ONLY="1"
will be added if the scripts are run.
Parent topic: CNSA Suite Support
4.4.2 Backup
After restoring a backup, re-run the first script:/usr/local/okv/bin/okv_cnsa
to update the configuration to use the enhanced CNSA algorithms as follows:
-
Wait for the system to reboot after the restore operation initiated via the user interface of the Oracle Key Vault management console.
-
SSH into the Oracle Key Vault server as the support user:
$ ssh support@okv_instance <Enter support user password created during post-installation>
-
Switch to root user:
$ su root
-
Run the first CNSA script :
root# /usr/local/okv/bin/okv_cnsa
Parent topic: CNSA Suite Support
4.4.3 Upgrade
You must re-run the first script during the upgrade to ensure CSNA compliance as follows:
-
Execute Step 8 of the upgrade procedure which is to run the ruby script as root:
root# /usr/bin/ruby/images/upgrade.rb --format
-
Run the first CNSA script :
root# /usr/local/okv/bin/okv_cnsa
-
Continue with Step 9 of upgrade procedure:
root# /sbin/reboot
Limitations:
-
CNSA compliance is not supported for some components in the Oracle Key Vault infrastructure, for example SSH, or for the database encryption via TDE.
-
The Firefox browser is not supported for use with the Oracle Key Vault management console when CNSA is enabled. This is because the Firefox browser does not support CNSA-approved cipher suites.