View and Modify KMA Settings

View a list of KMAs associated with the cluster. Modify KMA settings.

Available to: Security Officer (requires a quorum to modify), All other roles (can view)

  1. From the System Management menu, select KMA List. See Filter Lists to narrow down the KMAs shown.
  2. Double-click a KMA entry (or highlight a KMA entry and click Details...).
  3. Modify the information as required. Click Save.
  4. Modifying KMA details requires a quorum. Within the Key Split Quorum Authentication dialog, the quorum members must type their usernames and passphrases to authenticate the operation. See Quorum Authentication for more information.

KMA List - Field Descriptions

The following are descriptions of the fields in the KMA List of OKM Manager.

  • Version - Version of the KMA software. For OKM 3.0 KMAs, the version string shows the following format: <OKM release>-5.11-<OKM build>. For example, 3.0.0-5.11-2012.
  • Responding - Indicates whether the KMA is running. The values shown indicate whether each of the KMAs listed (that is, the remote KMAs) is responding to requests from the local KMA.
    • True — KMA is responding to requests from the local KMA.
    • False — Remote KMA is not responding to requests, perhaps because the remote KMA is down or the communications link to the remote KMA is down.
  • Responding on Service Network - Indicates whether the KMA is responding on the service network. The values indicate whether each of the KMAs listed (that is, the remote KMAs) is responding to requests from the local KMA. Possible values are:
    • Responding — Remote KMA is responding to requests from the local KMA.
    • Not Responding — Remote KMA is not responding to requests, perhaps because the remote KMA is down or the communications link to the remote KMA is down. If the local KMA has configured a default route, then it is considered to have a route to remote KMAs. Other KMAs are shown as "Not Responding" if they do not respond on the service network.
    • Not Accessible — Remote KMA is not accessible to the local KMA, perhaps because the service network configuration does not provide a default or static route to that KMA. If a default or static route is not defined, then other KMAs may be shown as "Not Accessible."
  • Response Time - Time (in milliseconds) the KMA takes to respond to a request on its management network. This is typically a few hundred milliseconds. It can be larger if a WAN connection exists between the local KMA and a remote KMA or if the communications link between KMAs is busy.
  • Replication Lag Size - Number of updates before replication takes place. This number should be zero or a small value. Larger values indicate that replications are not completing in a timely manner, the communications link between KMAs is down or busy, or a remote KMA is down. This value will also be very large when a new KMA has just been added to the cluster.
  • Key Pool Ready - Percentage of unallocated keys that are ready.
  • Key Pool Backed Up - Percentage of the Key Pool that has been backed up. N/A indicates that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower Replication Version.
  • Locked - If true, the KMA is locked. N/A indicates that the KMA cannot determine this value, because either the KMA runs down-level software or it is currently using a lower Replication Version.
  • Enrolled - If true, the KMA has successfully been added or logged into the cluster. This value is False when the KMA is first created and will change to True once the KMA has logged into the cluster. It can also be False when the KMA passphrase is changed. Once a KMA has logged in, the passphrase used to log in can no longer be used. The passphrase must be changed before the KMA can log in to the cluster again.
  • HSM Status - Status of the hardware security module (cryptographic card). Possible values:
    • Unknown - The KMA is running a software release older than KMS 2.2.
    • Inactive - The KMA currently does not need to use the hardware security module, typically because the KMA is locked.
    • Software - The hardware security module is not functional, and the KMA is using the software provider to generate keys.
    • Hardware - The hardware security module is functional, and the KMA is using it to generate keys.
    • SW Error/HW Error - The KMA encountered an error when it tried to query the status of the software provider (SW Error) or the hardware security module (HW Error).

      Note:

      Normally, the hardware security module is functional (Hardware). However, if the hardware security module becomes non-functional (Software) and the FIPS Mode Only security parameter is set to Off (see Review and Modify the Cluster Security Parameters), then the KMA switches to using the software provider to generate keys.

      If the hardware security module becomes non-functional and the FIPS Mode Only security parameter is set to On, then the KMA cannot generate keys or return AES wrapped key material to agents.

      If the value is Software, SW Error, or HW Error, check the hardware security module on this KMA (see Check the Cryptographic Card).

    • Not Present - The hardware security module is not present and the KMA is using the software provider to generate keys.

      Note:

      If your KMA includes an nShield Solo cryptographic card, the firmware level currently running on this card might be incorrect. See Upgrade nShield Solo Firmware for information about how to upgrade this firmware.
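The field descriptions above read as a set of health rules an operator applies by eye in OKM Manager. The following script, an added example that is not part of Oracle's documentation or software, applies those same rules programmatically. It assumes the KMA List has been exported to CSV with column names matching the field names above (Oracle does not document such an export; the sample rows are constructed), that the caller supplies the cluster's FIPS Mode Only setting, and that the numeric thresholds (replication lag, response time, key pool percentage) are local policy choices, since the page only says "zero or a small value" and "a few hundred milliseconds".

```python
"""Health check over an exported OKM KMA List (added example, not Oracle code)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample: three KMAs in one cluster, using the KMA List field names.
SAMPLE_KMA_LIST = """\
KMA Name,Version,Responding,Responding on Service Network,Response Time,Replication Lag Size,Key Pool Ready,Key Pool Backed Up,Locked,Enrolled,HSM Status
kma-01,3.0.0-5.11-2012,True,Responding,180,0,97,100,False,True,Hardware
kma-02,3.0.0-5.11-2012,True,Not Responding,4200,1500,88,N/A,N/A,True,Software
kma-03,3.0.0-5.11-2012,False,Not Accessible,0,0,100,100,False,False,Not Present
"""

# HSM Status values for which the page says to check the cryptographic card.
HSM_CHECK_CARD = {"Software", "SW Error", "HW Error"}


@dataclass
class Finding:
    kma: str
    severity: str   # "critical", "warning" or "info"
    field: str      # KMA List field that triggered the finding
    message: str


def parse_kma_list(text):
    """Parse a CSV export into one dict per KMA, keyed by KMA List field name."""
    return list(csv.DictReader(io.StringIO(text)))


def _int_or_none(value):
    """Numeric fields may read N/A when the KMA cannot determine the value."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_kma(row, fips_mode_only, lag_threshold=100,
              response_ms_threshold=1000, key_pool_ready_min=50):
    """Apply the KMA List health rules to one row; thresholds are assumptions."""
    name = row["KMA Name"]
    findings = []

    def add(severity, field, message):
        findings.append(Finding(name, severity, field, message))

    if row["Responding"] != "True":
        add("warning", "Responding",
            "not responding to the local KMA: remote KMA or its communications link may be down")

    svc = row["Responding on Service Network"]
    if svc == "Not Responding":
        add("warning", "Responding on Service Network",
            "not responding on the service network: remote KMA or link may be down")
    elif svc == "Not Accessible":
        add("info", "Responding on Service Network",
            "no default or static route to this KMA on the service network")

    rt = _int_or_none(row["Response Time"])
    if rt is not None and rt > response_ms_threshold:
        add("info", "Response Time",
            f"{rt} ms exceeds {response_ms_threshold} ms: WAN or busy link between KMAs")

    lag = _int_or_none(row["Replication Lag Size"])
    if lag is not None and lag > lag_threshold:
        add("warning", "Replication Lag Size",
            f"{lag} pending updates: replication not completing "
            "(link down or busy, remote KMA down, or KMA newly added)")

    ready = _int_or_none(row["Key Pool Ready"])
    if ready is not None and ready < key_pool_ready_min:
        add("warning", "Key Pool Ready", f"only {ready}% of unallocated keys are ready")

    if row["Enrolled"] != "True":
        add("warning", "Enrolled",
            "KMA has not logged into the cluster; if its passphrase was changed, "
            "it must be changed again before the KMA can log in")

    hsm = row["HSM Status"]
    if hsm in HSM_CHECK_CARD:
        # With FIPS Mode Only on, a non-functional HSM means no key generation at all.
        critical = fips_mode_only and hsm == "Software"
        msg = "check the cryptographic card on this KMA"
        if critical:
            msg = ("HSM non-functional with FIPS Mode Only on: KMA cannot generate keys "
                   "or return AES wrapped key material; " + msg)
        add("critical" if critical else "warning", "HSM Status", msg)
    elif hsm == "Not Present":
        add("info", "HSM Status",
            "no cryptographic card; if an nShield Solo card is installed, verify its firmware level")
    elif hsm == "Unknown":
        add("info", "HSM Status", "KMA runs a software release older than KMS 2.2")

    return findings


def check_cluster(text, fips_mode_only):
    """Run check_kma over every exported row; returns {kma_name: [Finding, ...]}."""
    return {row["KMA Name"]: check_kma(row, fips_mode_only) for row in parse_kma_list(text)}


def worst_severity(findings):
    """Collapse a KMA's findings to its single worst severity ('ok' if none)."""
    order = {"critical": 3, "warning": 2, "info": 1}
    return max((f.severity for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for kma, findings in check_cluster(SAMPLE_KMA_LIST, fips_mode_only=True).items():
        print(f"{kma}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.field}: {f.message}")
```

Running the script against the constructed sample reports kma-01 as healthy, kma-02 as critical (HSM in Software state while FIPS Mode Only is on, plus service-network and replication lag warnings) and kma-03 as warning (not responding, not enrolled). Swap `fips_mode_only=False` and kma-02 drops to warning, mirroring the note above: the same HSM state is an outage only when FIPS Mode Only forbids the software provider.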