KMS/OKM - Current -06 Level SCA6000 Card Has Issues Initializing with KMS/OKM

Asset ID:	1-72-1354690.1
Update Date:	2011-09-02
Keywords:

Solution Type Problem Resolution Sure

Solution 1354690.1 : KMS/OKM - Current -06 Level SCA6000 Card Has Issues Initializing with KMS/OKM

Applies to:

Oracle Key Manager - Version: 2.3 and later [Release: 2.0 and later ]
Information in this document applies to any platform.

Symptoms

The current 375-3424-06 level sca6000 card has issues initializing with KMS/OKM.

Cause

Solution

The general recommendation for customers whose KMAs run OKM 2.3 or 2.4 is to upgrade them to OKM 2.4.1, which contains this fix. If such an upgrade is not currently feasible or if the KMAs run KMS 2.1 or 2.2.X, then here is one workaround that Oracle service personnel can try:

1. Ask the customer to log into the OKM Console as a Security Officer and enable the technical support
   account and enable primary administrator privileges.
2. Use the ssh utility (or putty on Windows) to log into that KMA as the technical support account and
   assume padm privileges.
3. Invoke the /opt/SUNWkms2/bin/InitializeSCA6000 script and watch its output.
4. Check the SCA 6000 card:
        scadiag -l mca0
        /opt/SUNWkms2/bin/CoreSecuritySCA Login
5. If step 4 shows errors, then repeat steps 3 and 4.
6. If step 5 still shows errors, then manually initialize the SCA 6000 card:
       scadiag -l mca0
       scadiag -r mca0
       scadiag -l mca0
       /opt/SUNWkms2/bin/CoreSecuritySCA Initialize
       /opt/SUNWkms2/bin/CoreSecuritySCA Login
    The last command should display a single line that looks like:
       [KMS-Keystore                        ]
7. If the commands in step 6 do not run successfully, then:
     a) Log into the OKM Console as an Operator and shut down the KMA.
     b) Remove power, wait several seconds, and reapply power.
     c) Log into the ILOM/ELOM and power up the KMA.
     d) Repeat step 2.
     e) Repeat step 6.
     f) If step 6 still shows errors after the power cycle, then:
         i) Reload the SCA 6000 drivers and services:
             a) svcadm disable scad
             b) svcadm disable scakiod
             c) svcs -a | grep sca
             d) modinfo | grep mca
             e) modunload -i <mcaCtlId>
                  (where <mcaCtlId> is the id of the mcactl module)
             f) modunload -i <mcaId>
                 (where <mcaId> is the id of the mca module)
             g) modinfo | grep mca
             h) devfsadm -i mca
             i) svcadm enable scad
             j) svcadm enable scakiod
        ii) Repeat step 6.
8. If step 4, 6, or 7 runs successfully, then restart the KMS2 service so that the HSM Status of this KMA
      is shown to be Hardware:
     a) svcadm disable kms2
     b) ps -ef | grep KeyMgr
     c) Repeat the above ps command until the KeyMgr process is no longer running.
     d) svcadm enable kms2
     e) ps -ef | grep KeyMgr
9. Ask the customer to bring up the Oracle Key Manager GUI, log into the cluster, navigate to the KMA
   List panel, and inspect the HSM Status of this KMA. It should show a value of Hardware.
10. Exit out of the ssh session.
11. Ask the customer to log into the OKM Console as a Security Officer (if not still logged in) and disable
primary administrator privileges and disable the technical support account.

Provided by Stephen Patching.

Attachments

This solution has no attachment