3 Configure a KMA with QuickStart
Use the QuickStart program to configure a newly-installed, factory-default KMA.
About the QuickStart Wizard
The KMA QuickStart is a wizard that guides you through configuring a factory-default KMA.
Since the QuickStart program establishes critical security parameters, Oracle recommends that customers run it themselves. The Oracle service rep can use the QuickStart Configuration Checklist to help the customer step through the wizard. After you have configured a KMA, you cannot run the QuickStart program again unless you reset the KMA to its factory-default state (see Reset the KMA to the Factory Default).
Important: The initial configuration is a multi-step process that requires collaboration between the installers and the customer to complete.
Before running the QuickStart program, verify you have:
- Installed the components of the Oracle Key Manager, including the KMA, network cables, and switches.
- Configured the Integrated Lights Out Manager (ILOM).
Caution:
Do not perform a "Core Security Backup" when using "simple settings" or settings that will change before going to a production environment. Wait until all user's have entered their appropriate credentials, passphrases, and quorum details before creating a Core Security Backup for the first time.
Best Practices When Running the QuickStart Wizard after KMA Installation
During the initial configuration when all the required users may not be available,
use simple entries when entering information such as the key split size, split
threshold, and quorum. For example, use an initial value such as 1 of
1.
Once the structure of the KMAs and the OKM Cluster are complete, you can change this information to the production values at a later time using the OKM Manager. This can help speed up the installation and configuration.
During the QuickStart Wizard, customers will want to keep the following information confidential: User IDs, Passphrases, and Key Split Credentials.
QuickStart Configuration Checklist
This list provides a summary of the steps to configure a KMA with the QuickStart program.
-
Enable the Technical Support Account.
To assist in troubleshooting network configurations, you might want to enable the technical support account for the network configuration steps.
-
Specify the network configurations (Management and Service).
Supporting IPv4 and IPv6?
Hostname, IP address, and netmask for the:
- Management network - NET 0
- Service network - NET 1
- DHCP
-
View, add, or delete (modify) gateways.
The gateway should be accessible through the management network connection. Gateways required if there is a router between the KMA and the OKM Manager.
-
Set the DNS configurations.
DNS configuration is optional; however, necessary if the KMA is using hostnames instead of IP addresses.
Note:
DNS requires an IPv4 address/protocol, IPv6 is not used. -
Initialize the KMA.
The KMA Name is a unique identifier. This name should not be the same as any other KMA Name in the cluster. It also should not be the same as any User Names or Agent IDs in the system.
Note:
A KMA Name cannot be altered once set using the QuickStart program. It can only be changed by resetting the KMA to the factory defaults and running QuickStart again. -
Configure the cluster.
You can now use this KMA to create a new Cluster, or join an existing Cluster.
(1) Create New Cluster
(2) Join Existing Cluster
(3) Restore Cluster from Backup
-
Enter Key Split credentials.
When creating a new cluster the key split credentials (M of N) must be specified. The Key Split credentials are used to wrap splits of the Core Security Key Material which protects Data Unit Keys. A Key Split credential, consisting of a unique User Name and Passphrase, is required for each Key Split.
This number must be greater than 0 and can be at most 10.
- Initial recommendations are to keep this simple.
- This information cannot be recovered from the system if it is lost.
- Backups cannot be restored without this information.
- Loss of this information will result in unrecoverable data.
-
Enter Security Officer credentials.
You will be creating a Security Officer role, which is required to do this installation. Make sure you have the person performing that role available to do this QuickStart.
-
Specify the Autonomous Unlocking preference.
Autonomous Unlocking allows the KMA to enter a fully operational state after a hard or soft reset without requiring the entry of a quorum of passphrases using the OKM Manager. This information should not be written down and should be entered by the person to which they belong.
When Autonomous Unlocking is not enabled, a quorum of Key Splits must be entered in order to unlock the KMA and allow access to Data Unit Keys.
Note:
The recommendation for maximum security is to use the default and have Autonomous Unlocking off. Autonomous unlocking selection:- If yes, the KMA will automatically unlock after a reboot.
- If no, the KMA will remain locked until manually unlocked.
Note:
Unlocking requires a quorum.
-
Set the Key Pool size.
Each KMA pre-generates and maintains a pool of keys. These pre-operational keys must be backed up or replicated before a KMA passes them to an Agent.
A smaller key pool size prevents unnecessary initial database and backup size; however, might require frequent backups. Key pool size is 1,000 - 200,000 keys.
-
Synchronize the time.
KMAs in a Cluster must keep their clocks synchronized. Internally, all KMAs use UTC time (coordinated universal time). Use of an external Network Time Protocol (NTP) server is recommended.
You can also use the OKM Manager to adjust date and time settings to local time.Note:
Do not make a mistake setting the system time manually. Adjustments through the OKM Manager GUI are restricted to plus, or minus, 5 minutes per day. -
Start or join a cluster.
After customers have completed going through the QuickStart Wizard, they must install the OKM Manager and finish setting up the OKM Cluster.