Oracle Key Manager (OKM) - Seeing Certificate Errors That May be Causing KMAs to Drop Connections With Other KMAs (Doc ID 1983647.1)

Last updated on OCTOBER 31, 2018

Applies to:

Sun StorageTek Crypto Key Management System - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.


We are having intermittent OKM GUI login errors on our KMAs.
When we reset / reboot the KMAs, we are able to log in to the GUI; however, a few hours later it will not let us log in again.

We are seeing a lot of "Peer Certificate serial number does not match" and "Peer Certificate is invalid" errors on one of our KMAs.
This KMA was recently removed from the cluster, had parts replaced, and then joined back to the cluster from a clean state.

We have tried resetting each KMA in the cluster multiple times; however, the problem keeps coming up where we cannot log in to the GUI (for any KMA), and some KMAs soon drop their connections with the other KMAs. Both problems are resolved soon after resetting each KMA; however, both problems keep coming back shortly after.

Certificate errors in the /var/adm/messages file:



Any of these changes could have happened:

1. One KMA had multiple parts replaced, including disk and system board. Replacing the KMA hard drive and system board will require a QuickStart and a regeneration of the security certificate when the KMA entity is recreated.

2. A new KMA was added to the cluster during QuickStart and "catch up now" was selected for Initial Replication Acceleration.

