Enroll Agents

Enroll agents after you have configured the cluster.

When you enroll an agent, you provide its Agent ID, its passphrase, and a network address (IP address or host name) of one of the KMAs. The encryption endpoint associated with this agent can then use this OKM cluster.

The procedure to enroll an agent is determined by the type of encryption endpoint associated with it:
  • Tape Drives - Use the Virtual Operator Panel (VOP) to connect to a tape drive and then to enroll the agent associated with it (see the VOP documentation for instructions). With guidance from your Oracle service representative, enroll each tape drive agent. See Enroll Tape Drives.
  • Oracle Database Servers - Agents associated with Oracle Database servers are enrolled when these Oracle Database servers are configured to use OKM (see Advanced Security Transparent Data Encryption (TDE)).
  • Oracle Solaris ZFS Filesystems - Agents associated with Oracle Solaris ZFS filesystems are enrolled when these ZFS filesystems are configured to use OKM (see Solaris ZFS Encryption).
  • Oracle ZFS Storage Appliances - Agents associated with Oracle ZFS Storage Appliances are enrolled when these ZFS Storage Appliances are configured to use OKM. This procedure is described in Oracle ZFS Storage Appliances documentation.
  • Java Applications that use the OKM JCE Provider - Agents associated with Java applications that use the OKM JCE Provider are enrolled when the OKM JCE Provider is configured to use OKM. This procedure is described in the OKM JCE Provider documentation.

Record Agent Information

Collect agent information for your records.

Agent Type:

IP Address:

Agent ID:

Passphrase: (do not record here)

Default Key Group:

Roaming (true/false):

Can Revoke Keys (true/false):

Agent Type

The Agent Type can be a tape drive type (such as IBM LTO-7) or some other type of agent (such as ZFSSA, PKCS#11 application, Java application). The IP address is needed for tape drives when an Oracle service representative configures them, and is useful when enrolling other types of agents.

Roaming

This attribute shows the opposite value of the Agent's One Time Passphrase attribute. For example, tape drive agents are not roaming agents, therefore the One Time Passphrase attribute should be set to True for these agents.

Can Revoke Keys?

This is an attribute of the Key Policy that is associated with the Default Key Group for that agent. For agents associated with a ZFS Storage Appliance, you must set this attribute to True on the associated Key Policy. You should set this attribute to False for Key Policies used by tape drive agents. Typically you should set this to False for Key Policies used by other types of agents.
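
The attribute rules above can be checked against your agent records before enrollment. The following is an added example, not part of the OKM documentation or tooling: the CSV layout, the column names, the category values (tape, zfssa, other) and the finding labels are assumptions made for this sketch, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample records. The column layout is an assumption for this
# example; it is not an OKM export format.
SAMPLE = """agent_id,category,agent_type,roaming,one_time_passphrase,can_revoke_keys,passphrase
tape01,tape,IBM LTO-7,false,true,false,
tape02,tape,IBM LTO-7,true,false,true,
zfssa01,zfssa,ZFSSA,true,false,false,
java01,other,Java application,true,true,false,example-secret
"""

def as_bool(value):
    """Parse a strict true/false field; anything else is a record error."""
    v = value.strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"expected true/false, got {value!r}")
    return v == "true"

def audit(text):
    """Return (agent_id, finding) pairs for records that break the rules above."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        aid = row["agent_id"]
        roaming = as_bool(row["roaming"])
        otp = as_bool(row["one_time_passphrase"])
        revoke = as_bool(row["can_revoke_keys"])
        # Roaming is the opposite of the One Time Passphrase attribute.
        if roaming == otp:
            findings.append((aid, "roaming-otp-mismatch"))
        if row["category"] == "tape":
            # Tape drive agents are not roaming and should not revoke keys.
            if roaming:
                findings.append((aid, "tape-roaming"))
            if revoke:
                findings.append((aid, "tape-can-revoke"))
        elif row["category"] == "zfssa":
            # ZFS Storage Appliance agents require Can Revoke Keys = True.
            if not revoke:
                findings.append((aid, "zfssa-cannot-revoke"))
        elif revoke:
            # Other agent types: typically False, so flag for review.
            findings.append((aid, "other-can-revoke-review"))
        # The record sheet says not to write the passphrase down.
        if row["passphrase"].strip():
            findings.append((aid, "passphrase-recorded"))
    return findings

if __name__ == "__main__":
    for agent_id, finding in audit(SAMPLE):
        print(f"{agent_id}: {finding}")
```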