Review and Modify the Cluster Security Parameters

Change security parameters, such as the FIPS Mode setting or the passphrase length, before configuring the cluster.

Available to: All roles (can view parameters), Auditor (can view modify screen), Security Officer (can modify)
  1. In the left navigation, expand System Management, then expand Security, and then select Security Parameters. Review the parameters.
  2. To change a parameter, click Modify...
  3. Modify the security parameters, as required. When finished, click Save.

Security Parameters

These parameters are selected when modifying security for the cluster.

Retention-related Fields
For the following six retention-related fields, there is a single audit log that resides in the largest file system in the KMA. The main reason for adjusting these parameters is to control how many audit log entries are returned in queries you issue from the Audit Event List menu (see View and Export Audit Logs). The KMA truncates (removes) old audit log entries based on the limit and lifetime of their retention term. For example, Short Term Audit Log entries are typically truncated more frequently than Medium Term Audit Log entries; Medium Term Audit Log entries are truncated more frequently than Long Term Audit Log entries.
  • Short Term Retention Audit Log Size Limit — Displays the number of Short Term Audit Log entries that are retained before they are truncated. The default is 10,000. The minimum value is 1000; maximum value is 1,000,000.
  • Short Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Short Term Audit Log entries are retained before they are truncated. The default is 7 days. The minimum value is 7 days; maximum value is 25,185 days (approximately 69 years).
  • Medium Term Retention Audit Log Size Limit — Displays the number of Medium Term Audit Log entries that are retained before they are truncated. The default is 100,000. The minimum value is 1000; maximum value is 1,000,000.
  • Medium Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Medium Term Audit Log entries are retained before they are truncated. The default is 90 days. The minimum value is 7 days; maximum value is 25,185 days.
  • Long Term Retention Audit Log Size Limit — Displays the number of Long Term Audit Log entries that are retained before they are truncated. The default is 1,000,000. The minimum value is 1000; maximum value is 1,000,000.
  • Long Term Retention Audit Log Lifetime — Displays the amount of time (in days) that Long Term Audit Log entries are retained before they are truncated. The default is 730 days. The minimum value is 7 days; maximum value is 25,185 days.
Login Attempt Limit
Indicates the number of failed login attempts before an entity is disabled. The default is 5. The minimum value is 1; maximum value is 1000.
Passphrase Minimum Length
Displays the minimum length of the passphrase. The default is 8 characters. The minimum value is 8 characters; the maximum value is 64 characters.
Management Session Inactivity Timeout
Displays the maximum length of time (in minutes) an OKM Manager or Console login session can be left idle before being automatically logged out. Changing this value has no effect on sessions that are already in progress. The default is 15 minutes. The minimum value is 0, meaning that no inactivity timeout is enforced; the maximum value is 60 minutes.
FIPS Mode Only

Displays the setting that determines whether KMAs in this OKM cluster allow communications involving keys with entities outside the cluster in either non-FIPS or FIPS compliant modes, or in FIPS compliant modes only. In a FIPS compliant mode, KMAs wrap keys with an Advanced Encryption Standard (AES) Wrapping Key before sending them to agents (such as tape drives).

Customers who have tape drives should be running tape drive firmware that supports AES Key Wrap with the OKM agent service. All PKCS#11 providers that support OKM include support for AES Key Wrap.

You can confirm whether your agents support AES Key Wrap by viewing the OKM audit log and noting that these agents are using the agent service operations listed below. Specify an audit filter for Operation and choose any of the following specific operations from the menu:

  • Create Key v2
  • Retrieve Key v2
  • Retrieve Keys v2
  • Retrieve Protect and Process Key v2

Any audit events in the resulting list confirm that the specified agent is using AES key wrap with the OKM cluster.
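The check described above, as an added example that is not part of the original OKM documentation: it scans an exported audit log and reports which agents have been seen using the listed v2 operations (and therefore AES Key Wrap) and which have not. The column layout of the export and the agent names are constructed for this example.

```python
import csv
import io

# Agent service operations the documentation lists as evidence of AES Key Wrap.
AES_KEY_WRAP_OPERATIONS = {
    "Create Key v2",
    "Retrieve Key v2",
    "Retrieve Keys v2",
    "Retrieve Protect and Process Key v2",
}

# Constructed sample of an exported audit log. The columns (timestamp, entity,
# operation) and the non-v2 operation names are assumptions for this example,
# not the documented OKM export format.
SAMPLE_AUDIT_EXPORT = """\
timestamp,entity,operation
2024-03-01T10:00:01Z,TapeDrive-01,Retrieve Key v2
2024-03-01T10:00:05Z,TapeDrive-02,Retrieve Key
2024-03-01T10:01:10Z,TapeDrive-01,Create Key v2
2024-03-01T10:02:30Z,TapeDrive-03,Retrieve Protect and Process Key v2
2024-03-01T10:03:00Z,TapeDrive-02,Create Key
"""


def classify_agents(export_text, known_agents=()):
    """Return (confirmed, unconfirmed) sets of agent names.

    An agent is confirmed as using AES Key Wrap as soon as one of its audit
    events carries a listed v2 operation. Every other agent that appears in
    the log, or in known_agents (e.g. the Agent List), is reported as
    unconfirmed so it can be checked before FIPS Mode Only is set to On.
    """
    confirmed, seen = set(), set(known_agents)
    for row in csv.DictReader(io.StringIO(export_text)):
        seen.add(row["entity"])
        if row["operation"] in AES_KEY_WRAP_OPERATIONS:
            confirmed.add(row["entity"])
    return confirmed, seen - confirmed


if __name__ == "__main__":
    ok, pending = classify_agents(SAMPLE_AUDIT_EXPORT, known_agents=["TapeDrive-04"])
    print("Confirmed AES Key Wrap:", sorted(ok))
    print("Not yet confirmed:   ", sorted(pending))
```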

There are two possible values for this setting, "Off" and "On". If the current Replication Version is 8 or 9, this setting has a value of "Off" by default and cannot be modified. If the current Replication Version is 10 or higher, this setting can be changed to either value.

If this value is set to "Off", the OKM cluster allows communications involving keys with entities outside the cluster in non-FIPS and FIPS compliant modes:

  • The OKM cluster accepts key requests from agents using both the old KMS 2.0.x protocol (that does not wrap keys) and the FIPS 2.1 protocol (that does wrap keys).
  • Keys from a KMS 1.x system may be imported into the OKM cluster.
  • The OKM cluster allows the export and import of "v2.0" or "v2.1 (FIPS)" format key transfer files.

Note:

If the current Replication Version is 8 or 9, there may be KMS 2.0.x KMAs in the cluster that are not capable of supporting the FIPS protocols for agent and transfer partner communication. KMAs running KMS 2.1 or higher support the FIPS protocols for agent and transfer partner communication even when the current Replication Version is 8 or 9. In this case, exports to transfer partners are done only in the "v2.0" format because the export format of transfer partners is set to "Default".

If this value is set to "On", then the OKM cluster allows communications involving keys with entities outside the cluster only in FIPS compliant modes:

  • The OKM cluster accepts key requests from agents using only the FIPS 2.1 protocol.
  • Keys from a KMS 1.x system cannot be imported into the OKM cluster because the KMS 1.x key export file is not FIPS compliant.
  • The OKM cluster allows the export and import of "v2.1 (FIPS)" format key transfer files only.

Note:

For the keys in the OKM cluster to be FIPS compliant, all entities that receive keys from the cluster must handle the keys in a FIPS-compliant manner. Agents that receive keys must handle these keys in a FIPS-compliant manner when using them to process data. Key transfer partners that receive keys should also be operating with the FIPS Mode Only security parameter set to "On" in their cluster to ensure that exported keys maintain FIPS compliance. A key transfer partner can send and receive "v2.1 (FIPS)" format key transfer files with the FIPS Mode Only set to "Off".

See the Export Format parameter in View and Modify the Transfer Partner List for more information.

Pending Operation Credentials Lifetime
The amount of time (in days) that Key Split Credentials are retained as having approved a pending quorum operation. If an insufficient number of Key Split Credentials approve the pending quorum operation before this lifetime is reached, then these credentials expire. After they expire, Quorum Members must reapprove the pending quorum operation. The default is 2 days. This value is used only when the Replication Version is at least 11.
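A pre-change check over the parameters described on this page, added here as an example and not part of the OKM product or its documentation: it compares a proposed set of values against the documented ranges and applies the Replication Version rules for FIPS Mode Only and Pending Operation Credentials Lifetime. The parameter key names are assumptions made for this example.

```python
# Documented ranges for the cluster security parameters: name -> (min, max).
RANGES = {
    "short_term_size_limit": (1000, 1_000_000),
    "short_term_lifetime_days": (7, 25_185),
    "medium_term_size_limit": (1000, 1_000_000),
    "medium_term_lifetime_days": (7, 25_185),
    "long_term_size_limit": (1000, 1_000_000),
    "long_term_lifetime_days": (7, 25_185),
    "login_attempt_limit": (1, 1000),
    "passphrase_minimum_length": (8, 64),
    "session_inactivity_timeout_minutes": (0, 60),  # 0 = no timeout enforced
}


def validate(params, replication_version):
    """Return (errors, warnings) for a proposed parameter change.

    Errors are values the documentation says cannot be saved; warnings flag
    settings that are accepted but have no effect at this Replication Version.
    """
    errors, warnings = [], []
    for name, (lo, hi) in RANGES.items():
        value = params.get(name)
        if value is not None and not lo <= value <= hi:
            errors.append(f"{name}={value} is outside the allowed range {lo}..{hi}")

    fips = params.get("fips_mode_only")
    if fips is not None:
        if fips not in ("Off", "On"):
            errors.append(f"fips_mode_only={fips!r} must be 'Off' or 'On'")
        elif replication_version in (8, 9) and fips != "Off":
            # At Replication Version 8 or 9 the setting is fixed at Off.
            errors.append("FIPS Mode Only cannot be modified while the "
                          "Replication Version is 8 or 9")

    if "pending_operation_credentials_lifetime_days" in params and replication_version < 11:
        warnings.append("Pending Operation Credentials Lifetime is used only "
                        "when the Replication Version is at least 11")
    return errors, warnings


if __name__ == "__main__":
    proposed = {"passphrase_minimum_length": 12, "login_attempt_limit": 3,
                "fips_mode_only": "On", "short_term_lifetime_days": 3}
    for severity, messages in zip(("ERROR", "WARN"), validate(proposed, 9)):
        for msg in messages:
            print(severity, msg)
```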