Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-72-2303290.1
Update Date:2018-04-27
Keywords:
Solution Type  Problem Resolution Sure

Solution  2303290.1 :   Oracle Key Manager (OKM) - Upgrade of LTO7 Belisarius Card to 5.32.20.40 Causes Encryption Issues in OKM Versions Below 3.1  

Related Items 
    

  • IBM LTO7 Tape Drive
    •  
  • Oracle Key Manager
    •  
  • IBM LTO5 Tape Drive
    •  
  • IBM LTO6 Tape Drive
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption
    •  






In this Document


Symptoms


Changes


Cause


Solution


References

Created from <SR 3-15647727431>


Applies to:  

IBM LTO7 Tape Drive - Version All Versions and later
Oracle Key Manager - Version 3.0.2 to 3.1 [Release 3.0]
IBM LTO5 Tape Drive - Version All Versions and later
IBM LTO6 Tape Drive - Version All Versions and later
Information in this document applies to any platform.



Symptoms


Customer installed LTO7 drives in environment shipped with LTO7 firmware: G9Q2
All was working until latest Belisaurius firmware was updated from code level 4.20.20.40 to 5.32.20.40

Backup Application jobs fail when writing to tape.


Backup Application is able to mount tapes on the encrypted LTO7 drives but errors out with typical encryption-related error.

The drives were re-enrolled with OKM but the problem persisted.

When enrolling the tape drive to OKM, VOP returns error: 
 "Enrollment Failed; ERROR: command error"


 


Changes


Upgraded LTO7 Belisarius card firmware to 5.32.20.40


Cause


The site's KMAs are running OKM 3.0.2. To support the LTO7 Belisarius code 5.32.20.40, OKM must be upgraded to version 3.1.


From the OKM 3.1 release notes:

--
Install Requirements: This Belisarius code was tested and qualified with the following library, drive, OKM versions and VOP versions. Using this Bel code with library, drive, OKM or VOP versions lower than the prerequisite level may cause compatibility issues not found during qualification. 
  

SL8500 8.50 Minimum required for Gen 7

SL3000 4.40 Minimum required for Gen 7

SL-500 1501


IBM Gen 4 C7QH / Patch 128549-12 Minimum Required
IBM Gen 5 F3J4 / Patch 145784-08 Minimum Required
IBM Gen 6 F3J6 / Patch 150683-03 Minimum Required
IBM Gen 7 FA14 / Gen 7 FH FC Initial release

OKM Version 3.1 - (Minimum Requirement)

Belisarius code - 5.32.20.40 / Patch 25248602

Virtual OP Panel - 2.3.3 or newer --- Minimum Requirement


* This Bel code upgrades the Bel card's Digi device OS to Version 7.5.2. This Digi OS version addresses all known CVE vulnerabilities to date, by means of upgrading the TLS layer to version 1.2.
* It is extremely important to note that this Digi OS version cannot negotiate downward to TLS layer prior to version 1.2. This means that older KMA appliances,
specifically the Sun Fire[tm] X2100 and X2200 Servers, which cannot upgrade to the minimum OKM version of 3.1, therefore are not capable of connecting to this level of Bel code.
---
 


Solution


There are two options:


1) Upgrade OKM to OKM 3.1 ( or later OKM release )


2) If upgrading OKM is not possible, downgrade LTO7 BEL code back to code level 4.20.20.40.

 Note: When upgrading OKM to OKM 3.1 or OKM 3.3, please read these documents first:  
 <Document: 2292422.1> - Any KMA Running 3.x Code Version Prior To 3.1 Will Get An Error On Future OKM Software Downloads After November 12 2017 
 <Document: 2384194.1> - OKM Manual Update Process For SPARC Platforms 
 <Document: 2360299.1> - How To Create A 3.3 Imaged USB Flash Drive For a x4170 M2 KMA  
 
 


References
<NOTE:2138532.1> - Oracle Key Manager 3.1 - OpenSSL Distribution Is No Longer Included In GUI Installations 



Attachments

This solution has no attachment


















       

Copyright © 2018 Oracle, Inc.  All rights reserved.

 Feedback