Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2375821.1
Update Date:2018-03-26

Solution Type  Technical Instruction Sure

Solution  2375821.1 :   Oracle Key Manager (OKM) - How To Decommission KMA Servers From An OKM Cluster  


Related Items
  • Sun StorageTek Crypto Key Management System
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption




In this Document
Goal
Solution


Created from <SR 3-16992135741>

Applies to:

Sun StorageTek Crypto Key Management System - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Goal

Document the easiest way to remove KMA servers from the OKM cluster without losing any encryption keys.

Solution

How to decommission a KMS server from an OKM Cluster:

1. Lock the OKM servers that are going to be decommissioned so that they no longer try to issue encryption keys to any tape drives. If any tape drives are still enrolled to these servers, the KMA server will try to replicate those keys to the other KMA servers in the cluster, unless they are Locked.

NOTE: To Lock a KMS server, the customer needs to log into EACH KMA server they plan to decommission and select "Lock" in the lower left menu of the OKM GUI.

The tape drive Agent List will likely still show tape drives as "enrolled = T", even though the tape drives have been un-enrolled or even removed from the site.
The customer can then select an Agent, select "Details", and enter the Passphrase. This will change "enrolled = T" to "enrolled = F".

Alternatively, they can just Delete the Agent from the Agent List if they are sure the agent will no longer be needed.

 

2. Once all of the KMA servers to be decommissioned have been Locked, the customer can log into an active KMA server in the Cluster and go to the KMA List.

   The KMA List shows all of the KMA servers that currently belong to the OKM Cluster.

   The customer then selects one of the decommissioned KMA servers in the list and selects "Delete". This removes the KMA server name from the KMA List and from the Cluster entirely.

   Until the decommissioned KMA servers are physically removed from the KMA List, the "Audit Event" log will show the Active cluster servers trying to contact the decommissioned servers to replicate their encryption keys. These attempts will show SOAP errors, because the Active KMA servers cannot communicate with the decommissioned KMA servers.

   The customer continues to "Delete" the decommissioned KMA servers from the Cluster until only the Active KMA servers are showing.

3. Once all of the decommissioned KMA servers have been "Deleted" from the cluster, they can be powered off and removed from the site, or left in place for a while in case the customer needs to bring them back into the cluster to read data off some old tape media.

   However, it would be easier to ship the tape media to an Active KMA server site that has the same type of tape drives as the tape media, with those drives already enrolled to an Active KMA server.

   Since all of the encryption keys have been replicated to all of the KMA servers in the cluster, the encryption keys required to read the data from the tape media should already be available.


 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.