OKM - Seeing Certificate Errors That May be Causing KMAs to Drop Connections With Peer KMAs
(Doc ID 1983647.1)
Last updated on FEBRUARY 07, 2019
Applies to:Sun StorageTek Crypto Key Management System - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.
Intermittent OKM GUI login errors.
Login to the OKM GUI is possible when the KMA is rebooted. However, a few hours later, login errors occur again.
These are the errors shown on the OKM audit event log of the KMA: "Peer Certificate serial number does not match", and "Peer Certificate is invalid".
The KMA was recently removed from the cluster, had parts replaced, and then joined back to the cluster from a clean state.
Some KMAs soon drop their connections with the other KMAs. The problems are resolved soon after resetting each KMA, but the problems keep coming back shortly after.
Certificate errors in the /var/adm/messages file:
Any of these changes could have happened:
1. One KMA had multiple parts replaced, including disk and system board. Replacing the KMA hard drive and system board will require a QuickStart and a regeneration of the security certificate when the KMA entity is recreated.
2. New KMA was added to cluster during QuickStart and "catch up now" was selected for Initial Replication Acceleration. A bug related to an issue of which backup file to choose when "catch up now" option is selected during QuickStart is fixed in OKM 3.3.2. The problem of choosing an older backup instead of the latest backup file is manifested as communication issues with peer KMAs and/or agents if the agents have re-enrolled.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document