Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
Solution Type: Problem Resolution Sure Solution

1354690.1 : KMS/OKM - Current -06 Level SCA6000 Card Has Issues Initializing with KMS/OKM
Applies to:
Oracle Key Manager - Version: 2.3
Information in this document applies to any platform.

Symptoms
The current 375-3424-06 level sca6000 card has issues initializing with KMS/OKM.

Cause
NA

Solution
The general recommendation for customers whose KMAs run OKM 2.3 or 2.4 is to upgrade them to OKM 2.4.1, which contains this fix. If such an upgrade is not currently feasible or if the KMAs run KMS 2.1 or 2.2.X, then here is one workaround that Oracle service personnel can try:

1. Ask the customer to log into the OKM Console as a Security Officer and enable the technical support account and enable primary administrator privileges.

2. Use the ssh utility (or putty on Windows) to log into that KMA as the technical support account and assume padm privileges.

3. Invoke the /opt/SUNWkms2/bin/InitializeSCA6000 script and watch its output.

4. Check the SCA 6000 card:

       scadiag -l mca0
       /opt/SUNWkms2/bin/CoreSecuritySCA Login

5. If step 4 shows errors, then repeat steps 3 and 4.

6. If step 5 still shows errors, then manually initialize the SCA 6000 card:

       scadiag -l mca0
       scadiag -r mca0
       scadiag -l mca0
       /opt/SUNWkms2/bin/CoreSecuritySCA Initialize
       /opt/SUNWkms2/bin/CoreSecuritySCA Login

   The last command should display a single line that looks like:

       [KMS-Keystore ]

7. If the commands in step 6 do not run successfully, then:
   a) Log into the OKM Console as an Operator and shut down the KMA.
   b) Remove power, wait several seconds, and reapply power.
   c) Log into the ILOM/ELOM and power up the KMA.
   d) Repeat step 2.
   e) Repeat step 6.
   f) If step 6 still shows errors after the power cycle, then:
      i) Reload the SCA 6000 drivers and services:
         a) svcadm disable scad
         b) svcadm disable scakiod
         c) svcs -a | grep sca
         d) modinfo | grep mca
         e) modunload -i <mcaCtlId> (where <mcaCtlId> is the id of the mcactl module)
         f) modunload -i <mcaId> (where <mcaId> is the id of the mca module)
         g) modinfo | grep mca
         h) devfsadm -i mca
         i) svcadm enable scad
         j) svcadm enable scakiod
      ii) Repeat step 6.

8. If step 4, 6, or 7 runs successfully, then restart the KMS2 service so that the HSM Status of this KMA is shown to be Hardware:
   a) svcadm disable kms2
   b) ps -ef | grep KeyMgr
   c) Repeat the above ps command until the KeyMgr process is no longer running.
   d) svcadm enable kms2
   e) ps -ef | grep KeyMgr

9. Ask the customer to bring up the Oracle Key Manager GUI, log into the cluster, navigate to the KMA List panel, and inspect the HSM Status of this KMA. It should show a value of Hardware.

10. Exit out of the ssh session.

11. Ask the customer to log into the OKM Console as a Security Officer (if not still logged in) and disable primary administrator privileges and disable the technical support account.

Provided by Stephen Patching.

Attachments
This solution has no attachment
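Step 8 above as a script with a bounded wait, added here as an example and not part of the original Oracle document. It assumes a POSIX shell is available in the session from step 2; the function names, the PS_CMD override, the 120-second timeout and the 5-second settle delay are illustrative choices, not Oracle values.

```shell
#!/bin/sh
# Added example (not Oracle's script): restart kms2 only after KeyMgr has exited.

# Process listing command; overridable so the logic can be exercised offline.
PS_CMD=${PS_CMD:-"ps -ef"}

# Returns 0 when a KeyMgr process is listed.
# The [K] bracket stops grep from matching its own command line, which a
# plain "grep KeyMgr" (steps 8b/8e) always does.
keymgr_running() {
    $PS_CMD | grep '[K]eyMgr' >/dev/null 2>&1
}

# Step 8c: poll until KeyMgr is gone.
# $1 = timeout in seconds (assumed default 120), $2 = poll interval (default 5).
# Returns 1 if KeyMgr is still running when the timeout is reached.
wait_for_keymgr_exit() {
    timeout=${1:-120}; interval=${2:-5}; waited=0
    while keymgr_running; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Steps 8a-8e in order. Returns 0 when KeyMgr is running again afterwards.
restart_kms2() {
    svcadm disable kms2 || return 2                     # 8a
    if ! wait_for_keymgr_exit 120 5; then               # 8b, 8c
        echo "KeyMgr still running; kms2 left disabled" >&2
        return 1
    fi
    svcadm enable kms2 || return 2                      # 8d
    sleep 5                                             # settle delay (assumption)
    keymgr_running                                      # 8e
}
```

Call restart_kms2 only after step 4, 6, or 7 has succeeded; a return value of 1 means KeyMgr did not exit and the service was deliberately left disabled for inspection.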