CORE Maintenance in FIPS Mode
EKM Service Management in FIPS Mode
Management of the EKM
Enterprise Key Management - previous name of the product. service is an OS-specific procedure. See EKM Service Management.
EKM Service Restart in FIPS Triplet
Restarting the EKMEnterprise Key Management - previous name of the product. service in one of the CORE servers requires restarting the service in the two remaining servers. Restarting each server one by one might cause a race condition among the three servers. We recommend the following sequence:
- Stop the EKMEnterprise Key Management - previous name of the product. service in all three servers of the triplet.
- Start the service in Partner and Aux (in any order).
- Start the service in EP.
| Step | Run on | Command |
|---|---|---|
| 1 |
Partner, |
Start the EKM sudo service ekm start |
| 2 | EP |
Now, start the EKM sudo service ekm start Important. EP2 must be the last to start. |
| 3 | EP |
Run the test ucl server test |
EKM Service Restart in FIPS Cluster
To restart the EKMEnterprise Key Management - previous name of the product. service in multiple triplets, restart each triplet one-by-one in arbitrary yet sequential order. Don't restart triplets in parallel:
- Make sure you know which servers comprise each triplet. If possible, use the
ucl server testcommand to show the triplets. - Select a triplet and restart it - EKM Service Restart in FIPS Triplet
- Run the
ucl server testcommand - make sure that the triplet has returned to service. - Proceed to the next triplet.
FIPS Software Upgrade
- Make sure you know which servers comprise each triplet.
- Stop the EKMEnterprise Key Management - previous name of the product. service on all three servers of the selected triplet.
- Perform Server Upgrade procedure on the selected servers.
- Start the EKMEnterprise Key Management - previous name of the product. service - EKM Service Restart in FIPS Triplet.
FIPS Cluster Scale-out
Servers that are chosen to comprise a new triplet in the cluster must meet the following requirements:
- Platform requirements - see CORE FIPS Specifications.
- Connectivity requirements - see Connectivity Requirements.
- Install the CORE server software that matches the software release in the cluster.
- Bootstrap and start EKMEnterprise Key Management - previous name of the product. service on each of the servers using the
-fipsin the ekm_boot_additional_server.
- Using one of the already functioning EPs - Run Add a Server Triplet.
- Restart the EKMEnterprise Key Management - previous name of the product. service on the new servers - EKM Service Restart in FIPS Triplet.
-
Run the
ucl server test.
Quickstart
We assume that the new triplet of servers are EP2, Partner2, and Aux2
| Step | Run on | Command |
|---|---|---|
| 1 | EP2, Partner2, Aux2 |
sudo rpm -ivh <CORE Server Software>.rpm |
| 2 | EP2 |
Bootstrap the software and start the EKM sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s ep2 -fips |
| Partner2 |
sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s partner2 -fips |
|
| Aux2 |
sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s aux2 -fips |
|
| 4 | EP |
Now, using the main EP server, add the new triplet to the cluster sudo ucl server create -e ep2 -p partner2 -a aux2 |
| 5 |
Partner2, |
Start the EKM sudo service ekm start |
| 6 | EP2 |
Now, start the EKM sudo service ekm start Important. EP2 must be the last to start. |
| 7 | EP |
Run the test ucl server test |
CORE Backup and Restore in FIPS Mode
- Backup: The backup procedure involves only EP and its Partner. It is identical to the standard CORE backup. See Database Backup.
- Restore includes the following steps:
- Prepare three servers:
- Servers designated to serve as EP and Partner - using the standard Preparation Steps.
- Aux - just download the matching software release.
- Restore the database on EP and Partner following steps 1 and 2 in the Restore Quickstart.
- Bootstrap the Restored Triplet.
- As needed, check step 4 in the Restore Quickstart.
- Prepare three servers:
Bootstrap the Restored Triplet
Perform the FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors triplet bootstrap with the -restore option.
Note
The --restore option applies to ekm_boot_ep and ekm_boot_partner only.
For example:
Linux FIPS Restore:- EP:
sudo /opt/ekm/bin/ekm_boot_ep.sh -s <ep-hostname> -p <partner-hostname> -x <auxiliary-hostname> -fips -w <the root so password> -restore [-f]
- Partner:
sudo /opt/ekm/bin/ekm_boot_partner.sh -s <partner-hostname> -p <ep-hostname> -x <auxiliary-hostname> -fips -restore [-f]
- Auxiliary:
sudo /opt/ekm/bin/ekm_boot_auxiliary.sh -s <auxiliary-hostname> -e <ep-hostname> -p <partner-hostname> -fips [-f]
An auxiliary server database is neither backed-up nor restored. The -restore option is not applicable.
If the [-f] option is omitted you will be prompted to approve certificates presented by the other two servers.
Windows FIPS Restore:- EP:
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_ep.bat -s <ep-hostname> -p <partner-hostname> -x <auxiliary-hostname> -fips -w <the root so password> -restore [-f]
- Partner:
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_partner.bat -s <partner-hostname> -p <ep-hostname> -x <auxiliary-hostname> -fips -restore [-f]
- Auxiliary:
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_auxiliary.bat-s <auxiliary-hostname> -e <ep-hostname> -p <partner-hostname> -fips [-f]
An auxiliary server database is neither backed-up nor restored. The -restore option is not applicable.
If the [-f] option is omitted you will be prompted to approve certificates presented by the other two servers.