Table of Contents

• List of Figures
• List of Tables
• Title and Copyright Information
• Preface
  • What's New
  • Related Documentation
  • Documentation Accessibility
• 1 About Oracle Key Manager
  • OKM Clusters
    • Mixed Clusters and Upgrading Older KMAs
    • Sample OKM Cluster Configurations
      • Single Site OKM Configuration
      • Dual Sites OKM Configuration
      • Dual Sites OKM Configuration with Disaster Recovery
      • Multiple Sites OKM Configuration with Partitioned Library
  • Agents (Encryption Endpoints)
    • How Agents Retrieve Keys from a KMA
    • Oracle Database with Transparent Data Encryption (TDE)
    • Oracle Solaris 11 ZFS Encryption
    • ZFS Storage Appliance
    • Java Applications using Java Cryptographic Extension Provider
    • Encryption Capable Tape Drives
      • T-series Tape Drive Encryption Behavior
      • LTO Tape Drive Encryption Behavior
      • Updating Tape Drive Firmware
  • Key Management Appliance
    • SPARC T8-1 Server
    • SPARC T7-1 Server
    • Netra SPARC T4-1
    • Cryptographic Card for KMA
      • Thales Smart Card and Smart Card Reader
  • Networking
    • Network Connections on the KMA
      • Management Network
      • Service Network and Port Aggregation
    • Managed Switches
    • Network Routing Configuration
  • Part Numbers for OKM Components
• 2 Install the KMA
  • Prepare for the Installation
    • Installation Planning Checklist
    • Verify or Obtain a Cryptographic Card
    • Verify the Site is Ready for Installation
    • Verify the Rack Meets the Specifications for Installing a KMA
    • Acclimate the Equipment to the Environment
    • Obtain Required Installation Tools
    • Obtain Necessary Documentation
    • Unpack and Inventory Contents
  • SPARC T7-1 or T8-1 Server Installation
    • Install the Cryptographic Card in a SPARC T7-1 or T8-1 Server
  • Netra SPARC T4-1 Server Installation
    • Install the T4-1 Server in a 19-Inch, 4-Post Sliding Rail Rack
    • Install the Cryptographic Card into a Netra SPARC T4-1
  • Initial ILOM Configuration
• 3 Configure a KMA with QuickStart
  • About the QuickStart Wizard
    • QuickStart Configuration Checklist
  • Launch the KMA QuickStart Program
    • Launch the QuickStart from the ILOM Web Interface
    • Launch the QuickStart from the ILOM CLI
    • What happens once the KMA startup completes?
  • Record the Configuration Information
  • Review QuickStart Information and Set Keyboard Layout
  • Configure the Network in QuickStart
    • Set KMA Management IP Addresses (using QuickStart)
    • Enable Technical Support Account (using QuickStart)
    • Set the KMA Service IP Addresses (using QuickStart)
    • Modify Gateway Settings (using QuickStart)
    • Set DNS Configuration (using QuickStart)
    • Set Acceptable TLS Versions (using QuickStart)
  • Name the KMA
  • Create a New Cluster with QuickStart
    • Enter Key Split Credentials (using QuickStart)
    • Enter Initial Security Officer Credentials (using QuickStart)
    • Specify Autonomous Unlocking Preference
    • Set the Key Pool Size (using QuickStart)
    • Select Certificate Signature Algorithm (using QuickStart)
    • Synchronize the KMA Time (using QuickStart)
  • Add a KMA to an Existing Cluster
    • Restrictions on Adding a New KMA to a Cluster
    • Accelerate Updates to the New KMA in a Cluster
  • Restore a Cluster from a Backup
    • Create Security Officer and Provide Quorum Login
    • Set Time Information
• 4 Install OKM Manager
  • Supported Platforms for OKM Manager
  • Uninstall Previous Versions of OKM Manager
    • Uninstall OKM Manager by Invoking the Executable File
    • Uninstall OKM Manager with Add/Remove Programs (Windows Only)
  • Download the OKM Installer
  • Launch the OKM Installer
  • Complete the OKM Installation Wizard
  • Launch OKM Manager
• 5 Configure the Cluster
  • Connect to a KMA
    • Create a Cluster Profile
    • Delete a Cluster Profile
  • Review and Modify the Cluster Security Parameters
    • Security Parameters
  • Enroll Agents
    • Record Agent Information
• 6 Enroll Tape Drives
  • Tape Drive Enrollment Process Overview
    • Required Tools for Tape Drive Enrollment
  • Supported Tape Drives and Required Firmware Levels
    • About the Ethernet Adapter Card for LTO Drives
  • Gather Information about the Tape Drives
  • Obtain the T10000 Encryption Enablement Drive Data (Installer Task)
  • Activate the Tape Drives (Installer Task)
  • Enroll the Tape Drives (Customer Task)
  • Assign Key Groups for Each Tape Drive (Customer Task)
  • Switch Encryption On and Off
  • Use Tokens to Transfer Encryption Keys
  • Rebuild the Media Information Region for T10000 Drives
• 7 Basic OKM GUI Operations
  • Disconnect from the KMA
  • Access Online Help
  • Filter Lists
  • Export a List as a Text File (Save Report)
  • Navigate OKM Manager with the Keyboard
  • Specify OKM Manager Configuration Settings
    • IPv6 Addresses with Zone IDs
• 8 Users and Roles
  • Change Your Passphrase
    • Passphrase Requirements
  • View a List of Users
  • Create a User
    • Record User Information
  • Modify a User's Details and Set the User's Passphrase
  • Delete a User
  • View Roles and Valid Operations
    • Available Roles
    • Valid Operations for Each Role
• 9 Monitor KMAs
  • Configure SNMP
    • SNMP Protocol Versions
    • SNMP MIB Data
    • View SNMP Managers for a KMA
    • Create a New SNMP Manager
    • Modify an SNMP Manager's Details
    • Delete an SNMP Manager
  • Configure the Hardware Management Pack (HMP)
    • Download the HMP MIBs from the OKM Manager GUI
    • HMP Prerequisites
    • Enable/Disable HMP
  • Display the Current Load
  • View and Export Audit Logs
    • Audit Log - Field Descriptions
  • Create a System Dump
  • Send Messages to Remote Syslog Servers
    • Configure TLS for Remote Syslog Communication
    • Create a Remote Syslog Server
    • View or Modify Remote Syslog Details
    • Test Remote Syslog Support
    • Delete a Remote Syslog Server
• 10 Backups
  • What is a Core Security Backup?
  • What is a Database Backup?
  • Considerations When Performing Backups and Key Sharing
  • View Backup File Information
    • Backup List - Field Descriptions
  • Create a Core Security Backup
  • Create a Database Backup
  • Restore a Backup
  • Destroy a Backup
• 11 Keys, Key Policies, and Key Groups
  • About Key Lifecycles
  • Manage Key Policies
    • Create a Key Policy
    • View and Modify Key Policies
    • Delete a Key Policy
  • Manage Key Groups
    • Create a Key Group
    • View and Modify Key Groups
    • Delete a Key Group
    • Assign Agents to Key Groups
    • Assign a Transfer Partner to a Key Group
    • Import a KMS 1.0 Key Export File
  • Manage Keys
    • View and Modify Key Information
    • Compromise Keys
  • Transfer Keys Between Clusters
    • Configure Key Transfer Partners
      • Create and Send a Key Transfer Public Key
      • Create the Transfer Partner
      • Assign Key Groups to a Transfer Partner
    • Export a Transfer Partner Key
    • Import Transfer Partner Keys
    • View and Modify the Transfer Partner List
    • View the Key Transfer Public Key List
    • Delete a Transfer Partner
    • Sharing Keys with Older Clusters
• 12 Sites, KMAs, Agents, and Data Units
  • Manage KMAs
    • Create a KMA
    • View and Modify KMA Settings
      • KMA List - Field Descriptions
    • Change a KMA Passphrase (Log the KMA Out of the Cluster)
    • Delete a KMA
    • Query KMA Performance
    • Modify Key Pool Size
      • Determine Key Pool Size
    • Lock/Unlock the KMA
      • Enable or Disable Autonomous Unlock Option
    • Upgrade Software on a KMA
      • Check the Software Version of a KMA
      • Upload the Software Upgrades
      • Activate a Software Version
    • Check the Replication Version of the KMA
    • Switch the Replication Version
      • Replication Version Features
    • View KMA Network Configuration Information
    • View and Adjust the KMA Clock
    • Check the Cryptographic Card
  • Manage Sites
    • Create a Site
    • View and Modify a Site
    • Delete a Site
  • Manage Agents
    • Create an Agent
    • View and Modify Agents
      • Agent List - Field Descriptions
    • Set an Agent's Passphrase
    • Assign Key Groups to an Agent
    • Delete Agents
    • Query Agent Performance
  • Manage Data Units
    • View and Modify Data Units
      • Data Unit List - Field Descriptions
    • View Data Unit Key Details
      • Key List - Field Descriptions
    • View Backups with Destroyed Data Unit Keys
      • How OKM Determines if a Backup Contains a Data Unit Key
    • View Key Counts for a Data Unit
    • Destroy Keys for a Data Unit
• 13 Quorum Authentication
  • What Occurs If You Do Not Enter a Quorum
  • Operations that Require a Quorum
  • View and Modify the Key Split Configuration
  • View Pending Operations
  • Approve Pending Quorum Operations
  • Delete Pending Quorum Operations
• 14 OKM Console
  • Log into the KMA
  • User Role Menu Options
    • Operator Menu Options
    • Security Officer Menu Options
    • Combined Operator and Security Officer Menu Options
    • Menu Options for Other Roles
  • OKM Console Functions
    • Log KMA Back into Cluster
    • Set a User's Passphrase
    • Set KMA Management IP Addresses
    • Set KMA Service IP Addresses
    • View, Add, and Delete Gateways
    • Set Acceptable TLS Versions
    • Specify the DNS Settings
    • Reset the KMA to the Factory Default
    • Restart the KMA
    • Shutdown the KMA
    • Enable the Technical Support Account (using OKM Console)
      • Technical Support Account Password Requirements
    • Disable the Technical Support Account
    • Enable the Primary Administrator
    • Disable the Primary Administrator
    • Set the Keyboard Layout
    • Show Properties of the Root CA Certificate
    • Renew the Root CA Certificate
      • SHA Compatibility
    • Log Out of Current OKM Console Session
• 15 Command Line Utilities
  • OKM Command Line Utility
    • OKM Command Line Subcommand Descriptions
    • OKM Command Line Options
    • OKM Command Line Filter Parameters
    • OKM Command Line Examples
    • OKM Command Line Exit Values
    • OKM Command Line Sample Perl Scripts
  • Backup Command Line Utility
• 16 Certificates
  • Generate and Sign Certificates Using SHA-256
    • Renew the Root Certificate
    • Create an OKM Backup After Renewing a Certificate
    • Retrieve the New Root CA on Peer KMAs (optional)
    • Reissue Certificates for Agents (optional)
    • Update Users Passphrase (optional)
    • Update Disaster Recovery Records
  • Ongoing Renewal Policy for the Root CA Certificate
  • Save a Client Certificate
    • Convert PKCS#12 Format to PEM Format
• A Disaster Recovery
  • Recover a KMA
  • Example Scenarios for Recovering Data
    • Replicate from Another Site
    • Dedicated Disaster Recovery Site
    • Shared Resources for Disaster Recovery
    • Key Transfer Partners for Disaster Recovery
• B Configure the Network for the SL4000
  • Configure the SL4000 OKM Network Port
  • Configure the KMA to Connect with the SL4000
  • Enable SL4000 Drive Access Using MDVOP
• C OKM-ICSF Integration
  • Key Stores and Master Key Mode
  • Understanding the ICSF Solution
    • Defining the ICSF System Components
  • System Requirements for ICSF
  • IBM Mainframe Configuration for ICSF
    • Install and Configure the CEX2C Cryptographic Card for ICSF
    • StorageTek ELS Setup for OKM-ICSF
    • Preparing ICSF
    • Configuring AT-TLS
      • TCPIP OBEY Parameter
      • Policy Agent (PAGENT) Configuration
    • Update OKM Cluster Information
• D Switch Configurations
  • Brocade ICX 6430 Switch Configuration
  • Extreme Network Switch Configuration
  • 3COM Network Switch Configuration
• E Advanced Security Transparent Data Encryption (TDE)
  • About Transparent Data Encryption (TDE)
    • OKM PKCS#11 Provider
    • TDE Authentication with OKM
  • Load Balancing and Failover When Using pkcs11_kms
  • Planning Considerations When Using TDE
    • Oracle Database Considerations When Using TDE
    • OKM Performance and Availability Considerations When Using pkcs11_kms
    • Network and Disaster Recovery Planning When Using pkcs11_kms
    • Key Management Planning When Using pkcs11_kms
  • Integrate OKM and TDE
    • System Requirements for OKM and TDE
    • Install OKM for TDE
    • Install pkcs11_kms
    • Uninstall pkcs11_kms
    • Configure Database for TDE
    • Configure the OKM Cluster for TDE
    • Configure kcs11_kms
  • Migrate Master Keys from the Oracle Wallet
    • Re-Key Due to OKM Policy Based Key Expiration
  • Convert from Another Hardware Security Module Solution
  • Key Destruction When Using TDE
  • Key Transfer in Support of Oracle RMAN and Oracle Data Pump
  • Attestation, Auditing, and Monitoring for TDE
  • Locate TDE Master Keys in OKM
  • Troubleshoot pkcs11_kms Issues
    • Cannot Retrieve the Master Key When Using pkcs11_kms
    • Loss of the pkcs11_kms Configuration Directory
    • No Slots Available Error When Using pkcs11_kms
    • CKA_GENERAL_ERROR Error When Using pkcs11_kms
    • Could Not Open PKCS#12 File Error
• F Solaris ZFS Encryption
  • Use pkcs11_kms with ZFS
  • Considerations When Using ZFS
  • Integrate OKM and ZFS
    • Configure the OKM Cluster for ZFS
    • Install pkcs11_kms on Solaris 11
    • Configure pkcs11_kms on Solaris 11
    • Configure ZFS to use pkcs11_kms
  • Troubleshoot pkcs11_kms Issues with ZFS
• G Upgrade and Configure Integrated Lights Out Manager (ILOM)
  • About ILOM (Integrated Lights Out Manager)
  • ILOM Upgrade Overview
  • Verify ILOM and OBP or BIOS Levels
  • Download ILOM Server Firmware
  • Upgrade the ILOM Server Firmware
  • Set the Boot Mode for OpenBoot from the ILOM - SPARC KMAs Only
  • Launch the BIOS Setup Utility from the ILOM - Sun Fire X4170 M2 Only
  • ILOM Security Hardening
    • Configure ILOM FIPS Mode - SPARC KMAs Only
  • Configure the BIOS (Sun Fire X4170 Server Only)
  • Configure OpenBoot Firmware (SPARC KMAs Only)
• Index