Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-73-1332602.1
Update Date: 2011-07-19

Solution Type  FAB (standard) Sure

Solution  1332602.1 :   Potential issue with FIPS Mode Only enabled on mixed KMS 2.2.x and OKM 2.3.x cluster.  


Related Items
  • Sun StorageTek Crypto Key Management System
Related Categories
  • PLA-Support>Sun Systems>Sun_Other>Sun Collections>SN-OTH: Sun FAB




In this Document
  Symptoms
  Changes
  Cause
  Solution


Oracle Confidential (PARTNER). Do not distribute to customers
Reason: FABs available to Internals and Partners only

Applies to:

Sun StorageTek Crypto Key Management System - Version: Not Applicable to Not Applicable - Release: N/A to N/A
Information in this document applies to any platform.
__________

SUNBUG: 7047353

Symptoms

Drives are unable to retrieve keys from the cluster.

Error reported in the OKM/KMS audit log:

   Retrieve Protect And Process Key FIPS mode required Error 000209000287

The drive dump or VOP log will report the following error:

   AUDIT_CLIENT_AGENT_RETRIEVE_PROTECT_AND_PROCESS_KEY_SOAP_ERROR

Impact

This issue can cause drives to be unable to retrieve keys from the 2.3.x KMAs in the cluster. It can affect all supported encryption tape drives.  It does not affect mixed clusters where the FIPS Mode Only security parameter is Off.

Changes

Contributing Factors

This issue only affects KMAs in a mixed version cluster (a mix of 2.2.x and 2.3.x versions), and only when the FIPS Mode Only security parameter is set to On.

Cause

Root Cause

The KMAs running version 2.2.x respond to discover cluster requests from the drives with a string beginning with "Build1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string incorrectly. Thus, it thinks that these KMAs do not support version 2 keys (that is, AES key-wrapped keys). The tape drive tries to retrieve version 1 keys (that is, keys that are not wrapped), which is not supported when the FIPS Mode Only security parameter is On.

In contrast, the KMAs running OKM 2.3.x respond to discover cluster requests from the drives with a string beginning with "KMSBuild1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string correctly. Thus, it thinks (correctly) that these KMAs support version 2 keys. The tape drive tries to retrieve version 2 keys, which is required when the FIPS Mode Only security parameter is On.

Note that when the FIPS Mode Only security parameter is Off in a mixed 2.2.x and 2.3.x KMA/OKM cluster, the tape drives will retrieve either version 1 or version 2 keys from OKM 2.3.x KMAs, depending on whether they previously issued a discover cluster request to a KMA running KMA 2.2.x or OKM 2.3.1. The tape drives will always retrieve version 2 keys from KMA 2.2.x KMAs in this environment.

If all KMAs in the cluster are running OKM 2.3.x, they all will return a string beginning with "KMSBuild1036" for the other OKM 2.3.x KMAs. The drive agent software will sort this build string properly and will think (correctly) that these KMAs support version 2 keys.
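
The outcomes described under Root Cause, as an added Python model (not code from the drive agent, KMS or OKM). It assumes the agent compares the reported build string lexicographically against a hypothetical minimum `KMSBuild1000`; the version string `2.2.1` and the numeric-comparison variant are constructed for illustration and are not the vendor fix.

```python
import re

# ASSUMPTION: the real drive agent code is not in this bulletin. This model
# compares the reported build string lexicographically against a constructed
# minimum value, which reproduces the mis-sort the bulletin describes.
MIN_V2_BUILD = "KMSBuild1000"   # hypothetical threshold
MIN_V2_BUILD_NUM = 1000         # hypothetical numeric form of the same threshold
FIPS_ERROR = "Retrieve Protect And Process Key FIPS mode required Error 000209000287"


def build_reported_for_23x(responder_version):
    """Build string a KMA reports for an OKM 2.3.x peer in a discover cluster response."""
    return "Build1036" if responder_version.startswith("2.2") else "KMSBuild1036"


def agent_key_version(build):
    """Modelled agent logic: plain string ordering decides v2 (AES key-wrapped) support."""
    return 2 if build >= MIN_V2_BUILD else 1


def agent_key_version_numeric(build):
    """One prefix-tolerant alternative (not the vendor fix): compare the build number."""
    m = re.search(r"Build(\d+)", build)
    return 2 if m and int(m.group(1)) >= MIN_V2_BUILD_NUM else 1


def retrieve_from_23x(key_version, fips_mode_only):
    """OKM 2.3.x side: version 1 (unwrapped) keys are refused when FIPS Mode Only is On."""
    if fips_mode_only and key_version == 1:
        return FIPS_ERROR
    return f"OK: version {key_version} key"


def simulate(responder_version, fips_mode_only, decide=agent_key_version):
    """Drive discovers the cluster via `responder_version`, then asks a 2.3.x KMA for a key."""
    build = build_reported_for_23x(responder_version)
    return retrieve_from_23x(decide(build), fips_mode_only)


if __name__ == "__main__":
    for responder in ("2.2.1", "2.3.1"):
        for fips in (True, False):
            print(f"discover via {responder}, FIPS Mode Only={'On' if fips else 'Off'}: "
                  f"{simulate(responder, fips)}")
```

Only the combination of discovery through a 2.2.x KMA and FIPS Mode Only set to On produces the audit-log error; with the parameter Off the same discovery path silently yields a version 1 key.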

Solution

Workaround

Consider setting the FIPS Mode Only security parameter to Off if generating keys from the SCA 6000 card is not a requirement. Drives can continue to request both version 1 and version 2 keys from the KMA when the FIPS Mode Only parameter is set to Off; however, subsequent new keys will be generated from software if the SCA 6000 card fails.

Resolution

Upgrade your 2.2 KMAs to 2.3.1 so that the cluster is no longer a mixed version cluster.
Upgrade your 2.3.1 KMAs to the 2.4 release if they are in a mixed version cluster (2.4 target release: July/August 2011).

References

BugID: 7047353



Contacts

Contributor/Submitter: [email protected]
Eng Responsible Engineer: [email protected]
Responsible Manager: [email protected]
Eng Business Unit Group: NWS (Storage)

Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.