Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-75-1020864.1
Update Date:2011-05-12

Solution Type  Troubleshooting Sure

Solution  1020864.1 :   KMS - Diagnosing Encryption Issues  


Related Items
  • Oracle Key Manager
  • Sun StorageTek Crypto Key Management System
Related Categories
  • GCS>Sun Microsystems>Storage - Tape>Encryption KMS

Previously Published As
266288


Applies to:

Oracle Key Manager - Version: 1.1.0 and later    [Release: 1.0 and later]
Sun StorageTek Crypto Key Management System - Version: Not Applicable and later    [Release: N/A and later]
Oracle Key Manager - Version: 2.3 and later    [Release: 2.0 and later]
All Platforms
Checked for relevance on 3-Feb-2011.

Purpose

Troubleshooting Encryption Issues.
Begin here if KMS was fully implemented and you are diagnosing an Encryption problem.

Last Review Date

February 3, 2011

Instructions for the Reader

A Troubleshooting Guide is provided to assist in debugging a specific issue. When possible, diagnostic tools are included in the document to assist in troubleshooting.

Troubleshooting Details

Steps to Follow
Use the following steps to assist in diagnosing Encryption issues:
List KMAs in the KMS Manager GUI.

Are all KMAs enrolled and unlocked?

No - Return to Troubleshoot and Investigate KMA from Implementation Perspective.
Yes - Continue.

List Agents via the KMS Manager.  Refer to page 245, Agent List Menu, KMS 2.1 Administration Guide, 1/30/09 Rev. A, 316195102.

Are the expected Agents in the list?

No - See the process to create an Agent.  Refer to page 248, Creating an Agent, KMS 2.1 Administration Guide, 1/30/09 Rev. A, 316195102.
Yes - Continue.

Does the Agent show as enrolled and show a default group?

No - Return to the process to enroll the Agent (Enroll and Add Agents).  See Chapter 3, “T-Series Tape Drives” and Chapter 4, “HP LTO4 Tape Drives” to license, enable, and enroll the Agents.  Refer to page 22, KMS 2.0: Installation Manual, February 2009 Revision: BB, 316194904.
List the Key Groups assigned to Agents.  Refer to page 204, Key Group List Menu, KMS 2.1 Administration Guide, 1/30/09 Rev. A, 316195102.
If a default group is not assigned, the GUI will show the default group column blank.
Yes - Continue.

Default group shows as 'assigned' and not defaulted?

If a default group is not assigned, the GUI will show the default group blank.  It will not show as assigned.  If you look in assign agents to groups or assign groups to agents, it will show the groups to which each agent is assigned, but in the agent list the entry is either the default group or blank.  "Default group" is the heading of that column.

No - Without a Default Group, the Drive cannot get a Write Key.  Return to 'Process Assign Default Key Group'.  Refer to page 221, Assigning a Key Group to Agent, KMS 2.1 Administration Guide, 1/30/09 Rev. A, 316195102.
Yes - Continue.

Agent assigned to proper group?

If you were having read issues, note that you could have up to 16 groups assigned to your agent.  The default group is the one used to write, but if you buy a company, or use one group for production while your sister site has its own group, you would have groups you can read from but not write to.  Therefore, when looking at agents assigned to groups or groups assigned to agents (recommended in this diagnostic step), you could see groups that are assigned but not default.  These would be "read groups" that this agent can access.

No - Without Proper Group, Drives cannot get Correct Key.  Return to 'Process Assign Key Group'. 
Refer to: Page 60, KMS 2.0: Service Manual, February 2009 Revision: BB, 316194904, for further information.

Yes - Continue.

Access the Audit Event Log for Relevant Entries.  Refer to page 235, KMS 2.1 Administration Guide, 1/30/09 Rev. A, 316195102 for further information.

Review Drive Hardware, SAN, Application Operating System.

Review Drive Crypto LED.
 
Each encryption-capable tape drive has an LED status light on the rear of the drive and/or drive tray.  Refer to: Page 26, KMS 2.0: Installation Manual, February 2009 Revision: BB, 316194904.

Drive Crypto LED Green?
Yes - STK Drive is not licensed.  Review License Drive.  Go to Document: 1020857.1
This is a properly operating LTO drive.  Green means the drive is loaded and has a key - look to the application or elsewhere for the issue.  Go to Document: 1020857.1
No - Continue.

Drive Crypto LED blinking Green?
Yes - STK drive has been reset on a KMS 1.x system.  The EKT needs to be re-written; this is not called re-enrollment in KMS 1.x.  KMS 2.x has no equivalent blinking green.  Re-enrollment is needed.  Go to Document: 1020857.1
No - Continue.

Drive Crypto LED Amber?
Yes - Drive is licensed.  Needs Media Keys.  Return to Top of Page/Review VOP.  Verify KMAs are not locked.  Look for missing keys in VOP, check the Audit event log, review group assignment, and find the reason the drive is not getting a key.  Go to Document: 1020857.1
No - Continue.

Drive Crypto LED Red?

Yes - T-series drive will show red if a tape is loaded and the drive has a key.  Go to Document: 1020857.1
No - Continue.

Refer to: Crypto Key Management Station Product Information to find further information on KMS.

Should there still be problems, escalate the case to Tape Hardware Support.



Troubleshooting, Trouble shooting, Diagnosing, Diagnose, KMA, KMS, 1.0, 2.0, 2.x, Encryption


Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.