Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
Solution Type FAB (standard) Sure Solution

1332602.1 : Potential issue with FIPS Mode Only enabled on mixed KMS 2.2.x and OKM 2.3.x cluster.
Oracle Confidential (PARTNER). Do not distribute to customers
Applies to:
Sun StorageTek Crypto Key Management System - Version: Not Applicable to Not Applicable - Release: N/A to N/A
Information in this document applies to any platform.

SUNBUG: 7047353

Symptoms

Drives are unable to retrieve keys from the cluster.

Error reported in the OKM/KMS audit log:

Retrieve Protect And Process Key FIPS mode required Error 000209000287

The drive dump or VOP log will report the following error:

AUDIT_CLIENT_AGENT_RETRIEVE_PROTECT_AND_PROCESS_KEY_SOAP_ERROR

Impact

This issue can cause drives to be unable to retrieve keys from the 2.3.x KMAs in the cluster. It can affect all supported encryption tape drives. It does not affect mixed clusters where the FIPS Mode Only security parameter is Off.

Changes

Contributing Factors

This issue only affects KMAs in a mixed-version cluster that contains both 2.2.x and 2.3.x versions, and only when the FIPS Mode Only security parameter is set to On.

Cause

Root Cause

The KMAs running version 2.2.x respond to discover cluster requests from the drives with a string beginning with "Build1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string incorrectly. Thus, it thinks that these KMAs do not support version 2 keys (that is, AES key-wrapped keys). The tape drive tries to retrieve version 1 keys (that is, keys that are not wrapped), which is not supported when the FIPS Mode Only security parameter is On.

In contrast, the KMAs running OKM 2.3.x respond to discover cluster requests from the drives with a string beginning with "KMSBuild1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string correctly. Thus, it thinks (correctly) that these KMAs support version 2 keys. The tape drive tries to retrieve version 2 keys, which is required when the FIPS Mode Only security parameter is On.

Note that when the FIPS Mode Only security parameter is Off in a mixed 2.2.x and 2.3.x KMA/OKM cluster, the tape drives will retrieve either version 1 or version 2 keys from OKM 2.3.x KMAs, depending on whether they previously issued a discover cluster request to a KMA running KMA 2.2.x or OKM 2.3.1. The tape drives will always retrieve version 2 keys from KMA 2.2.x KMAs in this environment.

If all KMAs in the cluster are running OKM 2.3.x, they all will return a string beginning with "KMSBuild1036" for the other OKM 2.3.x KMAs. The drive agent software will sort this build string properly and will think (correctly) that these KMAs support version 2 keys.

Solution

Workaround

Consider setting the FIPS Mode Only security parameter to Off if generating keys from the SCA 6000 card is not a requirement. Drives can continue to request both version 1 and version 2 keys from the KMA when the FIPS Mode Only parameter is set to Off; however, subsequent new keys will be generated from software if the SCA 6000 card fails.

Resolution

Upgrade your 2.2 KMAs to 2.3.1 to obtain a non-mixed version cluster.

Upgrade your 2.3.1 KMAs to the 2.4 release if in a mixed version cluster (2.4 target release July/August 2011).

References

BugID: 7047353

Contacts

Contributor/Submitter: [email protected]
Eng Responsible Engineer: [email protected]
Responsible Manager: [email protected]
Eng Business Unit Group: NWS (Storage)

Attachments

This solution has no attachment
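A triage check for the symptom and contributing factors described above, added here as an example and not taken from Oracle's tooling. The error strings come from this document; the log line layout, the KMA and agent names, the "2.2.2" version and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Error strings quoted in this document.
AUDIT_ERROR = "Retrieve Protect And Process Key FIPS mode required"
AUDIT_CODE = "000209000287"
DRIVE_ERROR = "AUDIT_CLIENT_AGENT_RETRIEVE_PROTECT_AND_PROCESS_KEY_SOAP_ERROR"

# Assumed (constructed) layout after normalizing the audit and drive logs:
#   <timestamp> agent=<id> kma=<name> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) agent=(?P<agent>\S+) kma=(?P<kma>\S+) (?P<msg>.*)$")

def cluster_is_exposed(kma_versions, fips_mode_only):
    """Condition from the document: FIPS Mode Only On plus a 2.2.x/2.3.x mix."""
    has_22 = any(v.startswith("2.2.") for v in kma_versions.values())
    has_23 = any(v.startswith("2.3.") for v in kma_versions.values())
    return bool(fips_mode_only and has_22 and has_23)

def find_fips_failures(lines):
    """Count matching error lines per (agent, kma); unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if (AUDIT_ERROR in msg and AUDIT_CODE in msg) or DRIVE_ERROR in msg:
            hits[(m["agent"], m["kma"])] += 1
    return hits

def triage(kma_versions, fips_mode_only, lines):
    """Report whether the logged failures fit this document's pattern."""
    hits = find_fips_failures(lines)
    exposed = cluster_is_exposed(kma_versions, fips_mode_only)
    # The document states the failures occur against the 2.3.x KMAs.
    kmas_23 = sorted({k for _, k in hits if kma_versions.get(k, "").startswith("2.3.")})
    agents = sorted({a for a, k in hits if k in kmas_23})
    return {"exposed": exposed, "matches": exposed and bool(kmas_23),
            "agents": agents, "kmas": kmas_23}

# Constructed sample inventory and log lines (not real data).
SAMPLE_KMAS = {"kma-a": "2.2.2", "kma-b": "2.3.1"}
SAMPLE_LOG = [
    f"2011-06-01T10:00:00 agent=drive01 kma=kma-b {AUDIT_ERROR} Error {AUDIT_CODE}",
    f"2011-06-01T10:00:05 agent=drive01 kma=kma-b {AUDIT_ERROR} Error {AUDIT_CODE}",
    "2011-06-01T10:01:00 agent=drive02 kma=kma-a Retrieve Key succeeded",
    f"2011-06-01T10:02:00 agent=drive03 kma=kma-b {DRIVE_ERROR}",
    "malformed line without fields",
]

if __name__ == "__main__":
    print(triage(SAMPLE_KMAS, True, SAMPLE_LOG))
```

A result with "exposed" true and "matches" false means the cluster meets the contributing factors but the logged failures do not point at a 2.3.x KMA, so another cause should be considered.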