Upgrade Software on a KMA

Upgrading software requires two separate steps: uploading and activating.

Version Requirements

Use a GUI release that matches the version you want to load on the KMA(s). Always use a newer OKM GUI to activate a newer OKM software version on a KMA.

Handling a Slow Upgrade Process

The upload and apply process can be lengthy if the OKM Manager is remotely connected to the KMA or if the connection between the OKM Manager and KMA is slow. To mitigate this, download the software upgrade file to a laptop or workstation that has the OKM Manager installed, and connect that laptop or workstation to the same subnet as the KMA. The presence of a router between the OKM Manager and the KMA may slow down the upgrade process.

The upload and apply processes, with a good connection between the OKM Manager and the KMA, optimally take about 30 minutes. The activate process optimally takes about 5 to 15 minutes. If the uploading process is very slow, try connecting to the same subnet as the KMA.

Upload and apply the software upgrade file on each KMA one at a time (to help spread out the network load), and then activate the software upgrade on each KMA one at a time (to minimize the number of KMAs that are offline concurrently).

If any of the upgrade processes fail (upload, verify, apply, activate, switch replication version), the OKM Manager generates audit messages describing the reason for the failure and a suggested solution.

Master Key Provider Settings

With OKM 3.3.3, OKM-ICSF integration is no longer supported. If your OKM cluster currently defines Master Key Provider settings, you must clear these settings before upgrading a KMA to OKM 3.3.3:

  1. In the left navigation, expand System Management, then expand Security, and then select Security Parameters.
  2. Click Master Key Provider ...
  3. In the Master Key Provider Settings dialog, inspect the Master Key Mode field. If it is set to a value other than Off, click Clear and then Save.

Check the Software Version of a KMA

View the software version running on a specific KMA.

Available to: All roles
  1. From the System Management menu, select KMA List.
  2. Check the software level in the Version field.
    For OKM 3.0 KMAs, the version string shows the following format: <OKM release>-5.11-<OKM build>. For example, 3.0.0-5.11-2012.

Upload the Software Upgrades

Upload the software package to the KMA so that it can be activated.

Uploading software adds traffic to the network. Avoid uploading to multiple KMAs simultaneously in a busy cluster. Software updates are signed by Oracle and verified by the KMA before they are applied.

Available to: Operator
  1. Before upgrading, create a backup (see Create a Database Backup).
  2. Download the software upgrade file, and save it to a location accessible to OKM Manager.
  3. From the Local Configuration menu, select Software Upgrade.
  4. Click Browse, and locate the upgrade file.
  5. Click Upload and Apply.

Activate a Software Version

Activate a software version that has already been uploaded and applied.

Available to: Security Officer
  1. Verify the Operator has uploaded the correct software version.
    For OKM 3.0.x KMAs, the version string has the following format: <OKM release>-5.11-<OKM build>. For example, 3.0.0-5.11-2027. For OKM 3.0.x KMAs, the Software Upgrade screen displays software versions in reverse chronological order. That is, the newest version appears at the top of the list. Check the Active column to see which version is active.
  2. Before activating software, ensure there is a current backup of the OKM cluster.
  3. In the left navigation menu, expand System Management, expand Local Configuration, and then select Software Upgrade.
  4. Select the new software version, and then click Activate.

    Note:

    The KMA restarts as part of the activate process. Since the KMA is offline while it restarts, you may not want to activate KMAs simultaneously in a cluster.
  5. Software activation requires a quorum. Within the Key Split Quorum Authentication dialog, the quorum must type their usernames and passphrases to authenticate the operation. See Quorum Authentication for more information.
  6. The Technical Support account is disabled on the upgraded KMAs, and the accounts must be reenabled if needed.

Upgrade nShield Solo Firmware

Whenever a KMA that has an nShield Solo+ or Solo XC cryptographic card boots, it checks the firmware on this card. If the firmware is not at the appropriate level, the KMA prompts you to upgrade the firmware on its nShield card.

If your KMA includes an nShield Solo+ cryptographic card, you must prepare to upgrade the nShield firmware before you activate OKM 3.3.3 on your KMA. After OKM 3.3.3 has been activated, your KMA will not use the nShield Solo+ card and its HSM Status appears as "Not Present" in the KMA List panel of the OKM GUI until the nShield firmware is upgraded.

To prepare to upgrade the nShield Solo+ firmware, first attach a smart card reader to the nShield Solo+ card, insert a smart card into the reader, and ensure that the mode switch is set to Operational (O). Then launch the host console from the KMA's ILOM. Proceed to activate the OKM 3.3.3 software version from the Software Upgrade panel of the OKM GUI. Monitor messages that appear in the host console as the KMA boots.

Near the end of the boot process, look for the following messages in the host console:

Incorrect firmware version 2.61.2 is installed on the nShield Solo+ HSM
nShield HSM Solo+ firmware=2.61.2 and an update is required.
nShield Solo+ HSM firmware upgrade takes approximately 10 minutes
nShield Solo+ firmware=2.61.2, you will not be able to downgrade back to this version after the update

The following prompt appears:

Perform the nShield HSM firmware update(y) or run OKM without an HSM(n)?

Enter y at this prompt. The KMA displays additional messages:

Updating nShield HSM firmware - do NOT power off ...
Loading new nShield HSM module firmware ...

Several seconds later, the KMA displays a message when the firmware upgrade completes:

nShield HSM firmware update is complete.

Note:

If the nShield firmware was not upgraded when the KMA was upgraded to OKM 3.3.3, you can upgrade it later by rebooting the KMA and performing these steps.
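
Added example (not part of the Oracle documentation): a small Python check that reads a saved host-console capture and reports how far the nShield firmware update got, so the result can be kept with the upgrade record. It matches only the messages quoted above; the function name, stage labels and sample captures are assumptions made for this example.

```python
import re

# Console messages quoted on this page, in the order the KMA prints them.
STAGES = [
    ("update_required", re.compile(r"Incorrect firmware version (\S+) is installed")),
    ("prompted", re.compile(r"Perform the nShield HSM firmware update\(y\)")),
    ("in_progress", re.compile(r"Updating nShield HSM firmware - do NOT power off")),
    ("complete", re.compile(r"nShield HSM firmware update is complete")),
]

def firmware_update_status(transcript):
    """Return (stage, old_version) for the most recent boot in a capture.

    stage is "not_seen" when none of the firmware messages appear.
    """
    stage, version = -1, None
    for line in transcript.splitlines():
        for idx, (_, pattern) in enumerate(STAGES):
            match = pattern.search(line)
            if not match:
                continue
            if idx == 0:
                # The check repeats on every boot, so earlier progress no longer counts.
                stage, version = 0, match.group(1)
            elif idx > stage:
                stage = idx
            break
    return (STAGES[stage][0] if stage >= 0 else "not_seen", version)

# Constructed captures assembled from the messages shown above.
CAPTURE_PARTIAL = """\
Incorrect firmware version 2.61.2 is installed on the nShield Solo+ HSM
nShield HSM Solo+ firmware=2.61.2 and an update is required.
Perform the nShield HSM firmware update(y) or run OKM without an HSM(n)?
Updating nShield HSM firmware - do NOT power off ...
Loading new nShield HSM module firmware ...
"""
CAPTURE_COMPLETE = CAPTURE_PARTIAL + "nShield HSM firmware update is complete.\n"

if __name__ == "__main__":
    for name, text in (("partial", CAPTURE_PARTIAL), ("complete", CAPTURE_COMPLETE)):
        print(name, firmware_update_status(text))
```

A capture that ends at any stage other than complete means the update has not been confirmed on that KMA.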