Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
Solution Type: Problem Resolution Sure Solution

1329216.1 : KMS - Potential Issue With FIPS Mode Only Enabled On A Mixed KMS 2.2.x And OKM 2.3.x Cluster
In this Document
  Symptoms
  Changes
  Cause
  Solution

Applies to:
Sun StorageTek Crypto Key Management System - Version: Not Applicable
Information in this document applies to any platform.

Symptoms
This issue can cause drives to be unable to retrieve keys from the cluster. It can affect all supported encryption tape drives. It does not affect mixed clusters where the "FIPS Mode Only" security parameter is Off.

Example error reported in the OKM/KMS audit log:
  Retrieve Protect And Process Key FIPS mode required Error 000209000287

The drive dump or VOP log will report the following error:
  AUDIT_CLIENT_AGENT_RETRIEVE_PROTECT_AND_PROCESS_KEY_SOAP_ERROR

Changes
This is only an issue if the "FIPS Mode Only" feature is enabled on a mixed KMS 2.2.x and OKM 2.3.x cluster.

Cause
The KMAs running KMS 2.2.x respond to discover-cluster requests from the drives with a string beginning with "Build1036" for the OKM 2.3.x KMAs in the cluster. The drive agent software sorts this build string incorrectly and therefore concludes that these KMAs do not support version 2 keys (that is, AES key-wrapped keys). The tape drive then tries to retrieve version 1 keys (that is, keys that are not wrapped), which is not supported when the FIPS Mode Only security parameter is On.

In contrast, the KMAs running OKM 2.3.x respond to discover-cluster requests from the drives with a string beginning with "KMSBuild1036" for the OKM 2.3.x KMAs in the cluster. The drive agent software sorts this build string correctly and concludes (correctly) that these KMAs support version 2 keys. The tape drive tries to retrieve version 2 keys, which is required when the FIPS Mode Only security parameter is On.

Note that when the FIPS Mode Only security parameter is Off in a mixed 2.2.x and 2.3.x KMS/OKM cluster, the tape drives will retrieve either version 1 or version 2 keys from OKM 2.3.x KMAs, depending on whether they previously issued a discover-cluster request to a KMA running KMS 2.2.x or OKM 2.3.1. The tape drives will always retrieve version 2 keys from KMS 2.2.x KMAs in this environment.

If all KMAs in the cluster are running OKM 2.3.x, they all return a string beginning with "KMSBuild1036" for the other OKM 2.3.x KMAs. The drive agent software sorts this build string properly and concludes (correctly) that these KMAs support version 2 keys.

Solution
Consider setting the FIPS Mode Only security parameter to Off if both of the following are true:
- The customer is generating keys using the SCA6000 Crypto Card.
- Wrapping of keys before sending them to the agents is not required in your environment.
Note: This is only an option if you have only LTO 4/5 tape drives, since T10K and 9840D drives have FIPS mode set permanently.

If FIPS Mode is required, upgrade all KMAs in the cluster to OKM 2.3.1. As an alternative, upgrade the KMAs running OKM 2.3.x to OKM 2.4 after it is released.

Attachments
This solution has no attachment.
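The following is an added worked example, not code from the article or from the KMS/OKM drive agent. It reconstructs the failure mode in the Cause section as a hypothetical build-string classifier: a brittle parser that keys on the "KMSBuild" prefix misclassifies the "Build1036" form reported via a KMS 2.2.x KMA, so the drive asks for a version 1 key and, with FIPS Mode Only On, the retrieve fails. A tolerant parser that extracts the numeric build from either spelling classifies both forms the same way. The threshold MIN_V2_BUILD, the trailing "-example" text and the function names are assumptions made for illustration; the article states no threshold and does not describe the agent's real sorting code. The last function encodes the precondition from the Changes section so an operator can check a cluster before enabling FIPS Mode Only.

```python
import re
from typing import Callable, Iterable, Optional

# Discover-cluster responses as the article describes them: a KMS 2.2.x KMA
# reports a 2.3.x peer as "Build1036...", an OKM 2.3.x KMA reports the same
# peer as "KMSBuild1036...". The "-example" suffix is constructed for this demo.
SAMPLE_DISCOVER_RESPONSES = {
    "peer as reported by a KMS 2.2.x KMA": "Build1036-example",
    "peer as reported by an OKM 2.3.x KMA": "KMSBuild1036-example",
}

# Assumption for illustration only: build 1036 is taken as the first build that
# supports version 2 (AES key-wrapped) keys. The article states no threshold.
MIN_V2_BUILD = 1036


def naive_supports_v2(build_string: str) -> bool:
    """Hypothetical brittle classifier reproducing the symptom in the article.

    It requires the "KMSBuild" prefix before it even looks at the build number,
    so the "Build1036..." form received via a 2.2.x KMA is rejected and the
    2.3.x KMA is wrongly classed as version-1-only. NOT the real agent code.
    """
    if not build_string.startswith("KMSBuild"):
        return False  # "Build1036..." falls out here
    digits = re.match(r"\d+", build_string[len("KMSBuild"):])
    return bool(digits) and int(digits.group()) >= MIN_V2_BUILD


def parse_build_number(build_string: str) -> Optional[int]:
    """Accept both spellings ("Build1036", "KMSBuild1036") and return the build."""
    m = re.match(r"^(?:KMS)?Build(\d+)", build_string)
    return int(m.group(1)) if m else None


def robust_supports_v2(build_string: str) -> bool:
    """Classify on the numeric build only, independent of the vendor prefix."""
    n = parse_build_number(build_string)
    return n is not None and n >= MIN_V2_BUILD


def key_version_requested(build_string: str, fips_mode_only: bool,
                          classifier: Callable[[str], bool] = naive_supports_v2) -> Optional[int]:
    """Which key version the drive asks the KMA for, following the article's logic.

    Returns 2 when the classifier says the KMA supports wrapped keys, 1 (an
    unwrapped key) otherwise, and None when the only option would be a version 1
    key but FIPS Mode Only is On, i.e. the retrieve fails with "FIPS mode required".
    """
    if classifier(build_string):
        return 2
    return None if fips_mode_only else 1


def cluster_is_affected(kma_versions: Iterable[str], fips_mode_only: bool) -> bool:
    """Precondition from the article: FIPS Mode Only On in a mixed 2.2.x/2.3.x cluster."""
    versions = list(kma_versions)
    has_22 = any(v.startswith("2.2.") for v in versions)
    has_23 = any(v.startswith("2.3.") for v in versions)
    return fips_mode_only and has_22 and has_23


if __name__ == "__main__":
    for label, resp in SAMPLE_DISCOVER_RESPONSES.items():
        for fips in (True, False):
            print(f"{label:40s} FIPS Mode Only={'On ' if fips else 'Off'} "
                  f"naive -> {key_version_requested(resp, fips)} "
                  f"robust -> {key_version_requested(resp, fips, robust_supports_v2)}")
    # A constructed mixed cluster with FIPS Mode Only On: the case the article warns about.
    print("affected:", cluster_is_affected(["2.2.1", "2.3.1"], fips_mode_only=True))
```

Running the script shows the asymmetry the article describes: with the naive classifier the "Build1036" form yields None (retrieve fails) when FIPS Mode Only is On and a version 1 key when it is Off, while the "KMSBuild1036" form yields a version 2 key in both cases; the numeric parser returns version 2 for both forms. The same asymmetry is why the article's fix is to make every KMA report the same form (all on OKM 2.3.1) rather than to tolerate both on the drive side.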