Add a KMA to an Existing Cluster

Create the KMA in the OKM GUI and then use the QuickStart to add the KMA to an existing cluster. Add a new KMA to the cluster only during times of light loads.

Prerequisites:

  1. See Restrictions on Adding a New KMA to a Cluster. Verify the new KMA is compatible with existing KMAs in the cluster.
  2. Set the replication version to the highest value supported by all KMAs in the cluster. Refer to Switch the Replication Version.
  3. The Security Officer must use the OKM GUI to create the KMA entry in the database (see Create a KMA). The KMA Name specified during the KMA QuickStart process must match the KMA name used in the database.

Add the KMA using QuickStart:

  1. Verify all prerequisites are complete.
  2. To access the following prompts of the QuickStart, make sure you have entered 2 in the last step of Name the KMA.
  3. At the QuickStart prompt, type the network address of one KMA in the existing cluster, and then press Enter.
  4. At the prompt, type the passphrase for the KMA and press Enter.
  5. Enter the required number of Key Split user names and passwords.

    Note:

    Enter Key Split user names and passphrases carefully. Any errors cause this process to fail with a non-specific error message. To limit information exposed to an attacker, no feedback is given as to which Key Split user name or passphrase is incorrect.
  6. Once you have entered enough Key Split user names and passphrases to form a quorum, enter a blank name to finish.
  7. The KMA being added checks its firmware version against the versions already in the cluster. If it is not compatible, the new KMA displays an error and presents the option to upgrade or downgrade the firmware. If you select "Yes", then the KMA being added will:
    • Retrieve the firmware code from the existing KMA in the cluster
    • Download that code for itself
    • Install the code

    This process takes about 25 to 30 minutes to complete. Once this process completes, reboot the KMA. After the KMA comes back online from the reboot, continue with the QuickStart program.

  8. Consider accelerating initial updates to the new KMA. Review Accelerate Updates to the New KMA in a Cluster before typing y at the prompt.
  9. You will see the message "This KMA has joined the Cluster. Press Enter to exit." The QuickStart program terminates and a login prompt is displayed (refer to Log into the KMA). The KMA now has the minimum system configuration that is required to communicate with the OKM Manager.
  10. Use the OKM Manager to connect to and configure the cluster. For procedures, refer to Configure the Cluster.
  11. The OKM cluster begins to propagate information to the newly added KMA. This causes the new KMA to be very busy until it has caught up with the existing KMAs in the cluster. The other KMAs are also busy. You can observe this activity from the OKM Manager by viewing the KMAs as described by View and Modify KMA Settings.
  12. Observe the Replication Lag Size value of the new KMA. Initially, this value is high. Periodically refresh the information displayed in this panel by pulling down the View menu and selecting Refresh or by pressing the F5 key. Once the Replication Lag Size value of this KMA drops to a value similar to that of the other KMAs in the cluster, you can unlock the KMA as described in Lock/Unlock the KMA.
  13. The KMA remains locked after it has been added to the cluster. Wait until the KMA has been synchronized (that is, until it has "caught up" with other KMAs in the cluster) before you unlock it. Do not add another KMA to the cluster until you unlock the just-added KMA.
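The note in step 5 states that a Key Split quorum check returns only a non-specific failure, so that an observer cannot learn which user name or passphrase was wrong. The following is an added, constructed illustration of that behaviour and is not OKM code: the user names, passphrases, the salted PBKDF2 storage and the quorum threshold are placeholders, not the appliance's own implementation.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed example of a non-specific Key Split quorum check.
# Not OKM code: user names, passphrases, the PBKDF2 choice and the
# threshold are placeholders, not the appliance's own.

PBKDF2_ITERATIONS = 50_000
GENERIC_ERROR = "Key Split quorum verification failed."


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


def make_store(credentials: dict) -> dict:
    """Build a salted-hash credential store from {user name: passphrase}."""
    store = {}
    for name, passphrase in credentials.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_passphrase(passphrase, salt))
    return store


def verify_key_split_quorum(store: dict, entries: list, threshold: int) -> tuple:
    """Check the entered (name, passphrase) pairs against the store.

    Entry stops at a blank name, as at the QuickStart prompt.  The result is
    (ok, message); on ANY defect (wrong passphrase, unknown user, too few
    distinct valid entries) the message is the same GENERIC_ERROR, so the
    caller learns nothing about which entry was wrong.
    """
    failed = False
    valid_users = set()
    for name, passphrase in entries:
        if name == "":
            break
        if name in valid_users:
            continue  # a repeated user name does not count twice toward the quorum
        record = store.get(name)
        if record is None:
            # Do the same hash work so an unknown name costs the same time
            _hash_passphrase(passphrase, b"\x00" * 16)
            failed = True
            continue
        salt, expected = record
        if hmac.compare_digest(_hash_passphrase(passphrase, salt), expected):
            valid_users.add(name)
        else:
            failed = True
    if failed or len(valid_users) < threshold:
        return False, GENERIC_ERROR
    return True, "Quorum satisfied."
```

The point to notice is that every failing path ends in the same return value and does comparable work: a wrong passphrase, an unknown user name and an incomplete quorum are indistinguishable to whoever typed the entries.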

Restrictions on Adding a New KMA to a Cluster

OKM 3.3.2 introduced additional restrictions when joining a new KMA into an existing cluster. Verify your KMAs are compatible before adding one to a cluster.

  • An OKM 3.3.2 KMA cannot be added to an existing OKM cluster with KMAs running a version below OKM 3.1.
  • SunFire KMAs and Netra SPARC T4-1 KMAs have reached End of Service Life and should be replaced with newer SPARC KMAs.

Accelerate Updates to the New KMA in a Cluster

If the cluster's replication version is at least 12, consider accelerating initial updates to the new KMA to speed up the time it takes to incorporate the KMA into the cluster.

If you choose to accelerate updates, perform an OKM backup on a peer KMA (preferably one in the same site as the new KMA) before adding the new KMA to the cluster. Also, ensure that the peer KMA on which you created a backup is currently responding on the network. These steps help the new KMA find a cached backup to download and apply.

The KMA you specified identifies another KMA that has the largest cached backup in this cluster, downloads that backup, and then applies it to its local database. This process is equivalent to replicating the data but at a much faster rate. Informational messages appear during this process.

For example:

Waiting 10 seconds for the join to propagate to Peer KMAs...
Querying Peer KMAs to find the active ones...
Querying active Peer KMAs to find cached backup sizes...
Peer KMA at IP Address 10.172.180.39 has a cached backup size of 729136 bytes.
Downloading the cached backup from this Peer KMA...
Downloaded the cached backup from this Peer KMA.
Initialized the Key Store.
Performed maintenance on the Key Store.
Applying the cached backup to the local database...
.......................................................
Applied the cached backup to the local database.
Successfully accelerated initial updates on this KMA.

Later, the newly joined KMA automatically replicates any data that is not in the backup.

If an error occurs during this process, QuickStart displays the above prompt again (in case the error is due to a temporary condition). QuickStart also displays the above prompt again if the KMA cannot find a peer KMA that has a cached backup.

However, if more than 5 minutes have elapsed since the first time the above prompt was displayed, then QuickStart displays the following message and no longer displays the above prompt:

Failed to accelerate initial updates on this KMA after 300 seconds.
This KMA will gradually be updated with information from other KMAs.
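The flow described above (query peers, keep the active ones, pick the largest cached backup, download and apply it, and re-prompt on error or when no backup is found until more than 300 seconds have passed since the first prompt) can be modelled as a small loop. This is an added, constructed example and not OKM code: the Peer record, the peer addresses and backup sizes, the scripted attempt list and the apply_backup callback are placeholders; only the 300-second deadline and the message texts come from the page.

```python
from dataclasses import dataclass

# Constructed model of the accelerated-update flow shown in the QuickStart
# output.  Not OKM code: peer addresses, backup sizes and the attempt
# schedule are placeholders; only the 300-second deadline is from the page.

ACCELERATE_DEADLINE_SECONDS = 300
FAIL_MSG = f"Failed to accelerate initial updates on this KMA after {ACCELERATE_DEADLINE_SECONDS} seconds."
GRADUAL_MSG = "This KMA will gradually be updated with information from other KMAs."
SUCCESS_MSG = "Successfully accelerated initial updates on this KMA."


@dataclass
class Peer:
    address: str
    active: bool              # responding on the network right now
    cached_backup_bytes: int  # 0 means this peer holds no cached backup


def choose_backup_peer(peers):
    """Return the active peer holding the largest cached backup, or None."""
    candidates = [p for p in peers if p.active and p.cached_backup_bytes > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.cached_backup_bytes)


def accelerate_initial_updates(attempts, apply_backup):
    """Run the accelerate prompt loop over a scripted list of attempts.

    Each attempt is (seconds_since_first_prompt, peers, download_ok).  The
    prompt is shown again after an error or when no peer has a cached backup,
    until more than ACCELERATE_DEADLINE_SECONDS have elapsed since the FIRST
    prompt; then the failure message is shown and the loop ends.
    Returns (succeeded, log_lines).
    """
    log = []
    for elapsed, peers, download_ok in attempts:
        if elapsed > ACCELERATE_DEADLINE_SECONDS:
            log.extend([FAIL_MSG, GRADUAL_MSG])
            return False, log
        peer = choose_backup_peer(peers)
        if peer is None:
            log.append("No active Peer KMA has a cached backup; prompting again.")
            continue
        log.append(f"Peer KMA at IP Address {peer.address} has a cached backup size of {peer.cached_backup_bytes} bytes.")
        if not download_ok:
            log.append("Download failed (possibly transient); prompting again.")
            continue
        apply_backup(peer)  # caller supplies the apply step; constructed stub in tests
        log.append(SUCCESS_MSG)
        return True, log
    return False, log  # operator stopped answering the prompt before the deadline
```

The deadline is measured from the first prompt, not per attempt, which is why a peer that only becomes reachable after five minutes no longer helps; that matches the advice to make sure the peer holding the backup is responding on the network before the join starts.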