OKM Clusters

A cluster is a group of Key Management Appliances (KMAs) that are aware of each other and fully replicate information to each other. The cluster provides encryption endpoints (agents) a high availability service from which they can retrieve keys.

  • Clusters must contain a minimum of two KMAs and a maximum of 20 KMAs.
  • New keys generated at any site replicate to all other KMAs in the cluster.
  • You can define sites to provide a logical grouping of KMAs within the cluster, for example a site representing the KMAs in a particular data center. You can associate encryption agents with a specific site so that they prefer KMAs within that site.
  • All administrative changes propagate to all other KMAs in the cluster.
  • You can cluster multiple KMAs on a dedicated private, local, or wide area network.
  • Any KMA in a cluster can service any agent on the network.
  • You can use any KMA in the cluster for administration functions.

Note:

KMAs in one cluster will be unaware of those in other clusters.

Figure 1-1 OKM Cluster Overview


Monitoring OKM

OKM supports monitoring using Oracle Enterprise Manager with the OKM plug-in, remote syslog, SNMP, or Oracle Hardware Management Pack. The Oracle Service Delivery Platform (SDP2) may be deployed for monitoring tape libraries and their encrypting tape drives on the service network.

Mixed Clusters and Upgrading Older KMAs

A mixed cluster contains KMAs running different OKM versions. There are compatibility considerations when using a mixed cluster.

  • Sun Fire KMAs cannot be directly upgraded to OKM 3.x, but can communicate with OKM 3.x KMAs in the same cluster.
  • Sun Fire KMAs can be migrated to OKM 3.0.2 by submitting a request to have an Oracle customer service representative perform the migration. The process is described in the Oracle Support Document 1670455.1 published on the My Oracle Support site.
  • Sun Fire X4170 M2 KMAs that have been migrated to OKM 3.0.2 should be upgraded to OKM 3.3 or higher, following a manual procedure. This manual procedure is described in the Oracle Support Document 229422.1 published on the My Oracle Support site.
  • KMAs running an OKM release earlier than OKM 3.1 should not be added to an OKM cluster where there are KMAs running newer OKM releases. Instead, they should be initialized into their own temporary cluster, upgraded to OKM 3.3 or later, and then reset to factory default settings. They can then be added to the existing OKM cluster.
  • OKM 3.1 and later releases are not supported on Sun Fire X2100/X2200 M2 KMAs. These KMAs should be replaced with SPARC KMAs.
  • OKM 3.x KMAs can join an existing OKM 2.x cluster using a KMA running KMS 2.2 or later.