Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-72-1354690.1
Update Date: 2011-09-02

Solution Type  Problem Resolution Sure

Solution  1354690.1 :   KMS/OKM - Current -06 Level SCA6000 Card Has Issues Initializing with KMS/OKM  


Related Items
  • Oracle Key Manager
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption




In this Document
  Symptoms
  Cause
  Solution


Applies to:

Oracle Key Manager - Version: 2.3 and later   [Release: 2.0 and later ]
Information in this document applies to any platform.

Symptoms

The current 375-3424-06 level SCA 6000 card has issues initializing with KMS/OKM.

Cause

NA

Solution

The general recommendation for customers whose KMAs run OKM 2.3 or 2.4 is to upgrade them to OKM 2.4.1, which contains this fix.  If such an upgrade is not currently feasible or if the KMAs run KMS 2.1 or 2.2.X, then here is one workaround that Oracle service personnel can try:

1.  Ask the customer to log into the OKM Console as a Security Officer and enable the technical support
     account and enable primary administrator privileges.
2.  Use the ssh utility (or putty on Windows) to log into that KMA as the technical support account and
     assume padm privileges.
3.  Invoke the /opt/SUNWkms2/bin/InitializeSCA6000 script and watch its output.
4.  Check the SCA 6000 card:
        scadiag -l mca0
        /opt/SUNWkms2/bin/CoreSecuritySCA Login
5.  If step 4 shows errors, then repeat steps 3 and 4.
6.  If step 5 still shows errors, then manually initialize the SCA 6000 card:
       scadiag -l mca0
       scadiag -r mca0
       scadiag -l mca0
       /opt/SUNWkms2/bin/CoreSecuritySCA Initialize
       /opt/SUNWkms2/bin/CoreSecuritySCA Login
    The last command should display a single line that looks like:
       [KMS-Keystore                        ]
7.  If the commands in step 6 do not run successfully, then:
     a)  Log into the OKM Console as an Operator and shut down the KMA.
     b)  Remove power, wait several seconds, and reapply power.
     c)  Log into the ILOM/ELOM and power up the KMA.
     d)  Repeat step 2.
     e)  Repeat step 6.
     f)  If step 6 still shows errors after the power cycle, then:
         i)  Reload the SCA 6000 drivers and services:
             a)  svcadm disable scad
             b)  svcadm disable scakiod
             c)  svcs -a | grep sca
             d)  modinfo | grep mca
             e)  modunload -i <mcaCtlId>
                 (where <mcaCtlId> is the id of the mcactl module)
             f)  modunload -i <mcaId>
                 (where <mcaId> is the id of the mca module)
             g)  modinfo | grep mca
             h)  devfsadm -i mca
             i)  svcadm enable scad
             j)  svcadm enable scakiod
         ii) Repeat step 6.
8.  If step 4, 6, or 7 runs successfully, then restart the KMS2 service so that the HSM Status of this KMA
      is shown to be Hardware:
     a)  svcadm disable kms2
     b)  ps -ef | grep KeyMgr
     c)  Repeat the above ps command until the KeyMgr process is no longer running.
     d)  svcadm enable kms2
     e)  ps -ef | grep KeyMgr
9. Ask the customer to bring up the Oracle Key Manager GUI, log into the cluster, navigate to the KMA
     List panel, and inspect the HSM Status of this KMA.  It should show a value of Hardware.
10. Exit out of the ssh session.
11. Ask the customer to log into the OKM Console as a Security Officer (if not still logged in) and disable
      primary administrator privileges and disable the technical support account.
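
The output check in step 6 and the wait loop in step 8 can be scripted. The following is an added example, not part of the original article or of Oracle's tooling; the function names, the poll limit and the POLL_SECONDS variable are assumptions, and it assumes a POSIX shell in the padm session.

```shell
#!/bin/sh
# Added example (not Oracle-supplied). Function names, the poll limit and
# POLL_SECONDS are assumptions; the commands are those in steps 6 and 8.

# Step 6 check: stdin must hold exactly one non-blank line of the form
# "[KMS-Keystore      ]". Ignoring blank lines is an assumption.
keystore_login_ok() {
    count=0
    ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        count=$((count + 1))
        case $line in
            '[KMS-Keystore'*']')
                pad=${line#'[KMS-Keystore'}
                pad=${pad%']'}
                # Only spaces may sit between the name and the bracket.
                case $pad in *[!\ ]*) ;; *) ok=1 ;; esac ;;
        esac
    done
    [ "$count" -eq 1 ] && [ "$ok" -eq 1 ]
}

# Step 8: disable kms2, poll until KeyMgr has exited, then enable kms2.
# Returns 1 if the disable fails, 2 if KeyMgr is still running after
# max_polls checks (kms2 is then left disabled for manual follow-up).
restart_kms2() {
    max_polls=${1:-30}
    svcadm disable kms2 || return 1
    polls=0
    # '[K]eyMgr' keeps grep from matching its own entry in the ps listing.
    while ps -ef | grep '[K]eyMgr' >/dev/null; do
        polls=$((polls + 1))
        [ "$polls" -ge "$max_polls" ] && return 2
        sleep "${POLL_SECONDS:-2}"
    done
    svcadm enable kms2
}
```

On the KMA this would be used as `/opt/SUNWkms2/bin/CoreSecuritySCA Login | keystore_login_ok && restart_kms2`, assuming the Login line is written to standard output.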


Provided by Stephen Patching.

Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.