Oracle Key Manager (OKM) - Seeing Certificate Errors That May be Causing KMAs to Drop Connections With Other KMAs (Doc ID 1983647.1)

Last updated on SEPTEMBER 01, 2016

Applies to:

Sun StorageTek Crypto Key Management System - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Symptoms

We are having intermittent OKM GUI login errors on our KMAs.
When we reset/reboot the KMAs, we are able to log in to the GUI; however, a few hours later it will not let us log in again.

We are seeing a lot of "Peer Certificate serial number does not match" and "Peer Certificate is invalid" on one of our KMAs.
This KMA was recently removed from the cluster, had parts replaced, and then joined back to the cluster from a clean state.

We have tried resetting each KMA in the cluster multiple times; however, the problem keeps coming up where we cannot log in to the GUI (for any KMA), and some KMAs soon drop their connections with the other KMAs.
Both problems are resolved soon after resetting each KMA; however, both problems keep coming back shortly after.


Certificate errors in the /var/adm/messages file:
-----------------------------------------------------------

 

Changes

One KMA had multiple parts replaced, including disk and system board. Replacing the KMA hard drive and system board will require a QuickStart and a regeneration of the security certificate when the KMA entity is recreated.

Cause
