Generate and Sign Certificates Using SHA-256

Generate and sign certificates using SHA-256 if you want the cluster to use an X.509v3 certificate for the CA and all subsequently generated entity certificates. Otherwise, the certificate version will remain X.509v1 for legacy compatibility purposes.

To generate new certificates and then sign them using SHA-256, the OKM administrator must perform this procedure. (For OKM 3.3.1 customers, this procedure is necessary only if they want or need X.509v3 certificates, because they already started production with SHA-256-signed certificates.) The cluster must be running OKM 3.3.2 or later at replication version 16 or later.

Note:

Plan this procedure in advance. It impacts the entire cluster's KMAs, agents, and disaster recovery (obsoletes backups). If you have a lot of tape agents, use the Oracle Virtual Operator Panel 2.2 spreadsheet feature to automate the re-enrollment process and reduce downtime.

Complete the tasks listed below in order.

Renew the Root Certificate

Use OKM console to renew the root certificate. This is task 1 of generating a new certificate.

  1. Choose the KMA that will renew the root CA certificate.
  2. Ensure that the replication version is at least 16 for the selected KMA. See Check the Replication Version of the KMA. If the version is less than 16, switch the replication version to 16. See Switch the Replication Version.
  3. Launch the OKM Console on the KMA that you will use to renew, and log into it as a Security Officer. Select the menu option to Renew the Root CA Certificate (see Renew the Root CA Certificate).

Create an OKM Backup After Renewing a Certificate

Use OKM Manager to create a backup and destroy all previous backups. This is task 2 of generating a certificate.

Create a backup on the KMA you used to perform the renew certificate operation. Destroy all other backups in the cluster using the OKM Manager GUI with a note that they are obsolete due to a renew. This will prevent these backups from accidentally being selected in a subsequent cluster join with replication acceleration.
  1. Launch the Oracle Key Manager GUI and log into this KMA as a Backup Operator.
  2. Navigate to the Backup List panel.
  3. Click Create Backup to generate a backup and download it to your workstation.
  4. For each previous backup, select it and then click Confirm Destruction. Enter a comment that the backup is obsolete due to a Root CA certificate renew.

Retrieve the New Root CA on Peer KMAs (optional)

Retrieve the new Root CA certificate instead of waiting for the certificate to automatically propagate. This is task 3 of generating a new certificate. It is an optional step.

The new certificates will automatically propagate to the other KMAs in the cluster. However, if a peer KMA has a large replication lag, you might want to retrieve the new Root CA certificate and the entity certificate for that KMA right away instead of waiting for the certificates to propagate.

  1. Launch the OKM GUI and log into the KMA that you used for the backup.
  2. Navigate to the KMA List panel.
  3. Select the peer KMA and log it out of the cluster by modifying its KMA passphrase. See Change a KMA Passphrase (Log the KMA Out of the Cluster).
  4. Launch the host console from the ILOM of that peer KMA.
  5. Log the peer KMA back into the cluster. See Log KMA Back into Cluster.

Reissue Certificates for Agents (optional)

Reissue the certificates for agents to have them use the new certificate. This is task 4 of generating a new certificate. It is an optional step.

After renewing the Root CA certificate, agents will continue to use their existing credentials. The OKM administrator might decide to reissue certificates for the agents and then re-enroll them.
  1. Launch the Oracle Key Manager GUI and log into it as an Operator or a Compliance Officer.
  2. Navigate to the Agent List panel.
  3. For each agent:
    1. Bring up the Agent Details dialog (either double-click the agent entry or select an agent and click Details).
    2. Select the Passphrase tab and change the passphrase to the same value or to a different value if desired.
  4. Navigate to the KMA List panel.
  5. All agents will need to re-enroll into the OKM Cluster. See Enroll Agents. If you have a lot of tape agents, use the VOP 2.2 spreadsheet feature to automate the re-enrollment process.

Update Users Passphrase (optional)

The OKM administrator can reissue certificates for the users by changing their passphrase (OKM users are automatically issued a new certificate when they successfully log in). This is task 5 of generating a new certificate. This is an optional step.

To modify a user's passphrase, see Modify a User's Details and Set the User's Passphrase.

If there are OKM CLI users, download the new Root CA Certificate and new entity certificate for that user, as described in Save a Client Certificate.
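The certificates a CLI user saves can be audited without any extra tooling. The following script is an added example, not part of the OKM documentation or product: it reads a PEM certificate with the Python standard library only and reports the two fields that change after a Root CA renew, the X.509 version and the signature algorithm OID. File names and the saved-certificate layout are assumptions; the skeleton certificates it builds for offline demonstration are constructed (they contain only the inspected fields and are not valid certificates).

```python
"""Audit saved OKM certificates: X.509v3 and SHA-256 signed? (stdlib only)."""
import base64
import re
import sys

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA256_SIGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID contents bytes to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def inspect_cert(der):
    """Return (version, signature algorithm name) for a DER certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, after_tbs = _tlv(cert, 0)      # tbsCertificate ::= SEQUENCE
    tag, val, p = _tlv(tbs, 0)
    if tag == 0xA0:                        # version [0] EXPLICIT INTEGER; v3 is encoded as 2
        version = val[-1] + 1
        _, _serial, p = _tlv(tbs, p)
    else:                                  # version absent -> DEFAULT v1; first field is serial
        version = 1
    _, sig_alg, _ = _tlv(tbs, p)           # signature AlgorithmIdentifier ::= SEQUENCE { OID, ... }
    _, oid_raw, _ = _tlv(sig_alg, 0)
    oid = _decode_oid(oid_raw)
    # RFC 5280 4.1.1.2: outer signatureAlgorithm must equal tbsCertificate.signature.
    _, outer_alg, _ = _tlv(cert, after_tbs)
    _, outer_oid_raw, _ = _tlv(outer_alg, 0)
    if _decode_oid(outer_oid_raw) != oid:
        raise ValueError("signatureAlgorithm does not match tbsCertificate.signature")
    return version, SIG_OIDS.get(oid, oid)


def is_renewed(der):
    """True when the certificate is X.509v3 and signed with a SHA-256 algorithm."""
    version, alg = inspect_cert(der)
    return version == 3 and alg in SHA256_SIGS


# Constructed skeleton certificates for offline demonstration. They carry only the
# fields inspect_cert reads (version, serial, signature OID) and are NOT valid certs.
def _enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _enc(0x06, bytes(out))


def sample_cert(version, sig_oid):
    alg = _enc(0x30, _encode_oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier, NULL params
    tbs = _enc(0xA0, _enc(0x02, bytes([version - 1]))) if version > 1 else b""
    tbs += _enc(0x02, b"\x01") + alg                         # serialNumber, signature
    return _enc(0x30, _enc(0x30, tbs) + alg + _enc(0x03, b"\x00" + b"\xAA" * 8))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage (file names assumed): python check_okm_cert.py root_ca.pem user_cert.pem
    for path in sys.argv[1:]:
        with open(path) as f:
            ver, alg = inspect_cert(pem_to_der(f.read()))
        print(f"{path}: X.509v{ver}, {alg}, {'OK' if ver == 3 and alg in SHA256_SIGS else 'LEGACY'}")
```

Run it against the saved Root CA certificate and the user's entity certificate; both should report version 3 and sha256WithRSAEncryption (or ecdsa-with-SHA256) once the renew has propagated. A certificate still reporting X.509v1 or a SHA-1 algorithm was issued against the old root and must be reissued by changing the user's passphrase and logging in again. The same two fields can be read manually with `openssl x509 -in cert.pem -noout -text`.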

Update Disaster Recovery Records

Update relevant disaster recovery records to reflect the change in the certificate. This is task 6 of generating a new certificate.

  1. Update your site's disaster recovery (D/R) records to note that all backups taken before the renew will restore the cluster to the former SHA-1-based Root CA certificate.
  2. Replicate the latest backup to D/R sites as soon as possible and in accordance with your site's D/R plans.