Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-75-1020864.1
Update Date:2012-06-22

Solution Type  Troubleshooting Sure

Solution  1020864.1 :   KMS - Diagnosing Encryption Issues  


Related Items
  • Oracle Key Manager
  • Sun StorageTek Crypto Key Management System
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption

Previously Published As
266288


Applies to:

Sun StorageTek Crypto Key Management System - Version Not Applicable and later
Oracle Key Manager - Version 2.3 and later
All Platforms
Checked for relevance on 22-June-2012.

Purpose

Troubleshooting Encryption Issues.
Begin here if KMS was fully implemented and you are diagnosing an Encryption problem.

Troubleshooting Steps

Steps to Follow
Use the following steps to assist in diagnosing Encryption issues:
List KMAs in KMS Manager GUI

All KMA settings show enrolled and unlocked?

No - Return to Troubleshoot and Investigate KMA from Implementation Perspective.
Yes - Continue.

List Agents via the KMS Manager.  Refer to page 295, Agent List Menu, KMS 2.5 Administration Guide, Part Number: E26025-01, April 2012, Revision 01.

Expected Agents in the List?

No - See process to create Agent.  Refer to page 299, Creating an Agent, KMS 2.5 Administration Guide, Part Number: E26025-01, April 2012, Revision 01.
Yes - Continue.

Agent shows as enrolled and shows a default group?

No - Return to Process to Enroll Agent.  Enroll and Add Agents: see Chapter 3, “T-Series Tape Drives” and Chapter 4, “HP LTO4 Tape Drives” to license, enable, and enroll the Agents.  Refer to Page 22, KMS 2.0: Installation Manual, February 2009 Revision: BB, 316194904.
List Key Group Assigned to Agents.  Refer to page 262, Key Group List Menu, KMS 2.5 Administration Guide, Part Number: E26025-01, April 2012, Revision 01.
If a default group is not assigned, the GUI will show the default group column blank.
Yes - Continue.

Default group shows as 'assigned' and not defaulted?

If a default group is not assigned, the GUI will show the default group blank.  It will not show as assigned.  If you look in assign agents to groups or assign groups to agents, it will show the groups to which each agent is assigned, but in the agent list it is either default or blank.  That is the heading on the column: "default group".

No - Without Default Group, Drive cannot get Write Key.  Return to 'Process Assign Default Key Group'.  Refer to page 268, Assigning a Key Group to Agent, KMS 2.5 Administration Guide, Part Number: E26025-01, April 2012, Revision 01.
Yes - Continue.

Agent assigned to proper group?

If you were having read issues, note that you could have up to 16 groups assigned to your agent.  The default group is the one used to write, but if you buy a company, or use one group for production while your sister site has its own group, you would have groups you can read from but not write to.  Therefore, looking at agents assigned to groups or groups assigned to agents (recommended in this diagnostic step), you could see groups that are assigned but not default.  These would be "read groups" that this agent could access.

No - Without Proper Group, Drives cannot get Correct Key.  Return to 'Process Assign Key Group'. 
Refer to: Page 60, KMS 2.0: Service Manual, February 2009 Revision: BB, 316194904, for further information.

Yes - Continue.

Access Audit Event Log for Relevant Entries.  Refer to page 281, KMS 2.5 Administration Guide, Part Number: E26025-01, April 2012, Revision 01, for further information.

Review Drive Hardware, SAN, Application Operating System.

Review Drive Crypto LED.
 
Each encryption-capable tape drive has an LED status light on the rear of the drive and/or drive tray.  Refer to: Page 26, KMS 2.0: Installation Manual, February 2009 Revision: BB, 316194904.

Drive Crypto LED Green?
Yes - STK Drive is not licensed.  Review License Drive.  Go to Document: 1020857.1
This is a properly operating LTO drive.  Green means the drive is loaded and has a key - look to the application or elsewhere for the issue.
Go to Document: 1020857.1
No - Continue.

Drive Crypto LED blinking Green?
Yes - STK drive has been reset on a KMS 1.x system.  The EKT needs to be re-written; this is not called re-enrollment in KMS 1.x.  KMS 2.x has no equivalent blinking green.  Re-enrollment is needed.  Go to Document: 1020857.1
No - Continue.

Drive Crypto LED Amber?
Yes - Drive is licensed.  Needs Media Keys.  Return to Top of Page/Review VOP.   Verify KMAs are not locked.  Look for missing keys in VOP, check Audit event log, review group assignment, find reason drive is not getting key.
Go to Document: 1020857.1
No - Continue.

Drive Crypto LED Red?

Yes - T-series drive will show red if tape loaded and drive has key.   Go to Document: 1020857.1
No - Continue.

Refer to: Crypto Key Management Station Product Information to find further information on KMS.

Should there still be problems, escalate the case to Tape Hardware Support.



  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.