Asset ID: 1-71-1019675.1
Update Date: 2017-05-17
Solution Type: Technical Instruction Sure Solution
1019675.1: KMS - Tips To Successfully Add A KMA To A Cluster
Related Items:
- Sun StorageTek Crypto Key Management System
Related Categories:
- PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption
- _Old GCS Categories>Sun Microsystems>Storage Software>Data Protection Software - Tape
PreviouslyPublishedAs: 243526
Applies to:
Sun StorageTek Crypto Key Management System - Version Not Applicable and later
All Platforms
***Checked for relevance on 14-AUG-2013***
Goal
Tips to successfully add a KMA to a Cluster.
Solution
Steps to Follow
When adding a new KMA to an existing KMS Cluster, first the new KMA has to be defined in the KMS Cluster using the Create command on the KMA List screen while connected to an existing KMA in the Cluster. This will define the new KMA in the Cluster and allow the actual new KMA to join the Cluster.
Values that need to be entered carefully when Quickstarting the new KMA that is to be added/joined to the existing KMS Cluster:
- Joining KMA's Name - must match value defined in existing KMS Cluster for the new KMA
- IP address or hostname of existing KMA in KMS Cluster (i.e. the "target KMA") - needs to be correct so new KMA can find the existing KMS Cluster
- Joining KMA's passphrase - must match value defined in existing KMS Cluster for the new KMA
- Quorum Credentials - must match Quorum Credentials in existing KMS Cluster
Attributes of the new KMA that may need to be checked in the existing KMS Cluster:
- Failed Login Attempts - When a join of the new KMA fails due to an incorrect KMA passphrase, this value is incremented. If this value is equal to or greater than the "Login Attempt Limit" value in the Security Parameters of the KMS Cluster, the new KMA is locked out and cannot join the KMS Cluster until the KMA's passphrase is reset in the KMS Cluster.
Join KMA to Existing Cluster potential problems:
1. Incorrect KMA Name for joining KMA entered in Quickstart
On a KMA already in the Cluster, you should see an error audit similar to:
Operation: Retrieve Root CA Certificate
Severity: Error
Condition: Entity is not valid
Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart, in this case it will be incorrect)
Message Values:
Check KMA Name defined in KMS Cluster and enter correctly when Quickstarting new KMA again.
2. Incorrect IP address or hostname for target KMA or incorrect network configuration for joining KMA entered in Quickstart
On a KMA already in the Cluster, there will not be any audits indicating that the joining KMA was able to contact the target KMA.
Look for the following audit after the point in time when the join was performed:
Operation: Retrieve Root CA Certificate
Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart)
This is the first audit created in the Cluster when the joining KMA attempts to join the Cluster. If this audit does not exist (whether it is "Success" or "Error"), then the joining KMA was not able to find the Cluster.
Check that IP address or hostname of target KMA is correct and enter correctly when Quickstarting new KMA again.
Also check that network configuration of joining KMA is correct and enter correctly when Quickstarting new KMA again.
3. Incorrect passphrase for joining KMA entered in Quickstart
On a KMA already in the Cluster, you should see an error audit similar to:
Operation: Retrieve Entity Certificate
Severity: Error
Condition: Invalid Challenge response
Entity ID: Name of joining KMA
Message Values:
Verify correct passphrase for new KMA is being entered (if necessary reset passphrase for new KMA in Cluster) and enter correctly when Quickstarting new KMA again.
4. Joining KMA's passphrase entered incorrectly too many times in Quickstart
On a KMA already in the Cluster, you should see that the new KMA's Failed Login Attempts value is equal to or greater than the Login Attempt Limit in the Cluster's Security Parameters.
On a KMA already in the Cluster, you should also see an error audit similar to:
Operation: Retrieve Entity Certificate
Severity: Error
Condition: Failed login attempts limit exceeded
Entity ID: Name of joining KMA
Message Values:
Reset passphrase for new KMA in Cluster and enter passphrase correctly when Quickstarting new KMA again.
5. Incorrect Quorum User Name(s) or insufficient Quorum User Name(s) entered in Quickstart
On a KMA already in the Cluster, you should see an error audit similar to:
Operation: Join Cluster
Severity: Error
Condition: Invalid input
Entity ID: Name of joining KMA
Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...
Check "Quorum Key Split User Name" values to make sure they match what is defined in the cluster and that a sufficient number of them were provided and entered correctly when Quickstarting a new KMA again.
6. Incorrect Quorum User Passphrase(s) entered in Quickstart
On a KMA already in the Cluster, you should see an error audit similar to:
Operation: Join Cluster
Severity: Error
Condition: Invalid Quorum passphrase
Entity ID: Name of joining KMA
Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...
Verify correct passphrase(s) for Quorum are being entered and enter correctly when Quickstarting new KMA again.
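The triage described in problems 1 to 6, as an added example that is not part of the original document: it parses audit records and maps each Operation/Condition pair to the cause listed above, including the "no audit at all" case of problem 2. The blank-line-separated "Field: value" text layout, the function names and the KMA name "KMA-2" are assumptions; a real audit export may need a different parser.

```python
# (Operation, Condition) -> cause, from problems 1 and 3-6 on this page.
CAUSES = {
    ("Retrieve Root CA Certificate", "Entity is not valid"):
        "KMA Name entered in Quickstart is not defined in the Cluster",
    ("Retrieve Entity Certificate", "Invalid Challenge response"):
        "incorrect passphrase for joining KMA",
    ("Retrieve Entity Certificate", "Failed login attempts limit exceeded"):
        "KMA locked out: reset its passphrase in the Cluster",
    ("Join Cluster", "Invalid input"):
        "incorrect or insufficient Quorum User Names",
    ("Join Cluster", "Invalid Quorum passphrase"):
        "incorrect Quorum User Passphrase",
}

def parse_audits(text):
    """Assumed layout: 'Field: value' lines, blank line between records."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            records.append(fields)
    return records

def triage_join(text, entered_name):
    """Likely causes of a failed join for the KMA name entered in Quickstart."""
    mine = [r for r in parse_audits(text) if r.get("Entity ID") == entered_name]
    # Problem 2: no Retrieve Root CA Certificate audit means no contact was made.
    if not any(r.get("Operation") == "Retrieve Root CA Certificate" for r in mine):
        return ["no contact: check target KMA address and network configuration"]
    causes = []
    for r in mine:
        key = (r.get("Operation"), r.get("Condition"))
        cause = CAUSES.get(key, "unrecognised error: %s / %s" % key)
        if r.get("Severity") == "Error" and cause not in causes:
            causes.append(cause)
    return causes

# Constructed sample audits for a hypothetical KMA named "KMA-2".
SAMPLE = """\
Operation: Retrieve Root CA Certificate
Severity: Success
Entity ID: KMA-2

Operation: Retrieve Entity Certificate
Severity: Error
Condition: Invalid Challenge response
Entity ID: KMA-2
"""
```

Calling `triage_join(SAMPLE, "KMA-2")` reports the passphrase problem, while the same audits queried for a name that never appears as an Entity ID fall through to the problem 2 result.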