Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-72-1329216.1
Update Date:2011-06-13

Solution Type  Problem Resolution Sure

Solution  1329216.1 :   KMS - Potential Issue With FIPS Mode Only Enabled On A Mixed KMS 2.2.x And OKM 2.3.x Cluster  


Related Items
  • Sun StorageTek Crypto Key Management System
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption




In this Document
  Symptoms
  Changes
  Cause
  Solution


Applies to:

Sun StorageTek Crypto Key Management System - Version: Not Applicable and later   [Release: N/A and later ]
Information in this document applies to any platform.

Symptoms

This issue can cause drives to be unable to retrieve keys from the cluster.

It can affect all supported encryption tape drives. It does not affect mixed clusters where the "FIPS Mode Only" security parameter is Off.

Example error reported in the OKM/KMS audit log:

Retrieve Protect And Process Key FIPS mode required Error 000209000287


The drive dump or VOP log will report the following error:

AUDIT_CLIENT_AGENT_RETRIEVE_PROTECT_AND_PROCESS_KEY_SOAP_ERROR

Changes

This will only be an issue if the "FIPS Mode Only" feature is enabled on a mixed KMS 2.2.x and OKM 2.3.x cluster.

Cause

The KMAs running KMS 2.2.x respond to discover cluster requests from the drives with a string beginning with "Build1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string incorrectly and therefore concludes that these KMAs do not support version 2 keys (that is, AES key-wrapped keys). The tape drive then tries to retrieve version 1 keys (that is, keys that are not wrapped), which is not permitted when the FIPS Mode Only security parameter is On.

In contrast, the KMAs running OKM 2.3.x respond to discover cluster requests from the drives with a string beginning with "KMSBuild1036" for the OKM 2.3.x KMAs in the cluster. Drive agent software sorts this build string correctly. Thus, it thinks (correctly) that these KMAs support version 2 keys. The tape drive tries to retrieve version 2 keys, which is required when the FIPS Mode Only security parameter is On.

Note that when the FIPS Mode Only security parameter is Off in a mixed 2.2.x and 2.3.x KMS/OKM cluster, the tape drives will retrieve either version 1 or version 2 keys from OKM 2.3.x KMAs, depending on whether they previously issued a discover cluster request to a KMA running KMS 2.2.x or to one running OKM 2.3.x. The tape drives will always retrieve version 2 keys from KMS 2.2.x KMAs in this environment.

If all KMAs in the cluster are running OKM 2.3.x, then they all will return a string beginning with "KMSBuild1036" for the other OKM 2.3.x KMAs. The drive agent software will sort this build string properly and will think (correctly) that these KMAs support version 2 keys.
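The cause above comes down to a version check that orders the advertised build string as text instead of comparing the build number it carries. The Python model below is an added illustration and is not drive agent or KMA code from this document or from Sun/Oracle: the KMA names, the discovery responses, the 2.2.x KMA's own build string "KMSBuild1010" and the minimum build number MIN_V2_BUILD are all constructed assumptions. Only the two spellings "Build1036" and "KMSBuild1036", the version 1 / version 2 key distinction and the FIPS Mode Only rejection with the quoted audit-log error come from the document. The flawed comparison reproduces the behaviour described (version 1 requested, refused when FIPS Mode Only is On; the result depending on which KMA answered discovery), and the numeric comparison beside it shows the check that does not depend on the prefix.

```python
"""Model of the KMS/OKM build-string comparison described in the Cause section.

Hypothetical reconstruction for illustration only: the real drive agent and
KMA code are not on the page. Everything below except the two build-string
spellings, the key versions and the FIPS Mode Only error text is constructed.
"""
import re

# Assumption: minimum build number from which the drive agent treats a KMA as
# able to serve version 2 (AES key-wrapped) keys. The real threshold is not
# stated on the page.
MIN_V2_BUILD = 1000

# Constructed discover-cluster responses for a two-KMA mixed cluster.
# "kma-22x" runs KMS 2.2.x and "kma-23x" runs OKM 2.3.x. The 2.2.x KMA's own
# build string ("KMSBuild1010") is an assumption; the two spellings of the
# 2.3.x build string are the ones the document reports.
DISCOVER_VIA_22X = {"kma-22x": "KMSBuild1010", "kma-23x": "Build1036"}
DISCOVER_VIA_23X = {"kma-22x": "KMSBuild1010", "kma-23x": "KMSBuild1036"}

# Audit-log error quoted in the Symptoms section.
FIPS_ERROR = "Retrieve Protect And Process Key FIPS mode required"


def supports_v2_lexicographic(build: str) -> bool:
    """Flawed check: orders raw strings, so "Build1036" < "KMSBuild1000"
    simply because "B" sorts before "K", whatever the build number is."""
    return build >= f"KMSBuild{MIN_V2_BUILD}"


_BUILD_RE = re.compile(r"(?:KMS)?Build(\d+)")


def build_number(build: str) -> int:
    """Extract the numeric build regardless of the optional "KMS" prefix."""
    m = _BUILD_RE.fullmatch(build)
    if m is None:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1))


def supports_v2_numeric(build: str) -> bool:
    """Robust check: compare the build number, not the string."""
    return build_number(build) >= MIN_V2_BUILD


def kma_retrieve_key(requested_version: int, fips_mode_only: bool) -> str:
    """KMA side: with FIPS Mode Only on, a version 1 (unwrapped) key request
    is refused with the error seen in the audit log."""
    if fips_mode_only and requested_version != 2:
        return FIPS_ERROR
    return f"key v{requested_version}"


def drive_retrieve_key(discovery, target_kma, fips_mode_only,
                       classifier=supports_v2_lexicographic) -> str:
    """Drive side: choose the key version from the build string learned at
    discovery time, then ask the target KMA for that version."""
    version = 2 if classifier(discovery[target_kma]) else 1
    return kma_retrieve_key(version, fips_mode_only)


def cluster_at_risk(discovery, fips_mode_only,
                    classifier=supports_v2_lexicographic) -> list:
    """KMAs that do support version 2 keys but whose advertised build string
    the (flawed) classifier rejects while FIPS Mode Only is on."""
    return sorted(name for name, build in discovery.items()
                  if fips_mode_only
                  and not classifier(build)
                  and supports_v2_numeric(build))


if __name__ == "__main__":
    for label, disc in (("discovered via 2.2.x KMA", DISCOVER_VIA_22X),
                        ("discovered via 2.3.x KMA", DISCOVER_VIA_23X)):
        for fips in (True, False):
            print(f"{label}, FIPS Mode Only={'On' if fips else 'Off'}:")
            for kma in disc:
                print(f"  {kma}: {drive_retrieve_key(disc, kma, fips)}")
    print("at risk:", cluster_at_risk(DISCOVER_VIA_22X, True))
```

Run stand-alone, the model prints the version 1 request against kma-23x being refused only when the drive learned the cluster from the 2.2.x KMA with FIPS Mode Only On, and a version 2 key in every other case, which is the pattern the Cause section describes. Passing supports_v2_numeric as the classifier removes the difference between the two discovery paths.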

Solution

Consider setting the FIPS Mode Only security parameter to Off if both of the following are true:
- The customer is generating keys using the SCA6000 Crypto Card.
- Wrapping of keys before they are sent to the agents is not required in your environment.

Note: This is only an option if the cluster serves only LTO 4/5 tape drives, because FIPS mode is permanently enabled on T10K and 9840D drives.

If the FIPS Mode Only security parameter must remain On, upgrade all KMAs in the cluster to OKM 2.3.1. As an alternative, upgrade the KMAs running OKM 2.3.x to OKM 2.4 after it is released.


  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.