CORE Maintenance in FIPS Mode

EKM Service Management in FIPS Mode

Management of the EKM service is an OS-specific procedure. See EKM Service Management.

EKM Service Restart in FIPS Triplet

Restarting the EKM service on one of the CORE servers requires restarting the service on the two remaining servers as well. Restarting each server one by one might cause a race condition among the three servers. We recommend the following sequence:

  1. Stop the EKM service in all three servers of the triplet.
  2. Start the service in Partner and Aux (in any order).
  3. Start the service in EP.

Step 1. Run on: Partner, Aux
Start the EKM service on the Partner and Aux servers.

    sudo service ekm start

Step 2. Run on: EP
Now, start the EKM service on the EP server.

    sudo service ekm start

Important. EP2 must be the last to start.

Step 3. Run on: EP
Run the test.

    ucl server test

EKM Service Restart in FIPS Cluster

To restart the EKM service in multiple triplets, restart the triplets one at a time, in any order. Don't restart triplets in parallel:

  1. Make sure you know which servers comprise each triplet. If possible, use the ucl server test command to show the triplets.
  2. Select a triplet and restart it (see EKM Service Restart in FIPS Triplet).
  3. Run the ucl server test command and make sure that the triplet has returned to service.
  4. Proceed to the next triplet.
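
The restart order described above, for a single triplet and for a cluster, as an added example that is not part of the original page or of the product's own tooling. The function names, the host names, and the stop command "sudo service ekm stop" are assumptions; only "sudo service ekm start" and "ucl server test" are taken from this page.

```shell
#!/bin/sh
# Added example (not vendor code): print the ordered restart plan for FIPS triplets.
# Assumptions: "sudo service ekm stop" as the stop command, and the host names
# passed in. Only "sudo service ekm start" and "ucl server test" come from the page.

# plan_triplet_restart EP PARTNER AUX
# Emits one "host<TAB>command" line per action, in the recommended order.
plan_triplet_restart() {
    ep=$1 partner=$2 aux=$3
    # Refuse incomplete or overlapping triplets: a duplicated host would make
    # the "EP starts last" ordering meaningless.
    if [ -z "$ep" ] || [ -z "$partner" ] || [ -z "$aux" ] ||
       [ "$ep" = "$partner" ] || [ "$ep" = "$aux" ] || [ "$partner" = "$aux" ]; then
        echo "invalid triplet: '$ep' '$partner' '$aux'" >&2
        return 1
    fi
    # 1. Stop the service on all three servers before anything is started.
    for h in "$ep" "$partner" "$aux"; do
        printf '%s\t%s\n' "$h" 'sudo service ekm stop'
    done
    # 2. Start Partner and Aux (any order).
    for h in "$partner" "$aux"; do
        printf '%s\t%s\n' "$h" 'sudo service ekm start'
    done
    # 3. EP is the last to start, then the triplet is verified from EP.
    printf '%s\t%s\n' "$ep" 'sudo service ekm start'
    printf '%s\t%s\n' "$ep" 'ucl server test'
}

# plan_cluster_restart "EP PARTNER AUX" ["EP PARTNER AUX" ...]
# Triplets are handled strictly one after another, never in parallel.
plan_cluster_restart() {
    for triplet in "$@"; do
        # Intentional word splitting: one triplet string becomes three host names.
        # shellcheck disable=SC2086
        plan_triplet_restart $triplet || return 1
    done
}

# Constructed host names, for illustration only.
plan_cluster_restart "ep1 partner1 aux1" "ep2 partner2 aux2"
```

Each output line names a host and the command to run there, in order; the plan for the next triplet begins only after the previous triplet's ucl server test line.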

FIPS Software Upgrade

  1. Make sure you know which servers comprise each triplet.
  2. Stop the EKM service on all three servers of the selected triplet.
  3. Perform the Server Upgrade procedure on the selected servers.
  4. Start the EKM service (see EKM Service Restart in FIPS Triplet).

FIPS Cluster Scale-out

Servers that are chosen to comprise a new triplet in the cluster must meet the following requirements:

Prepare a New Triplet:

  1. Install the CORE server software that matches the software release in the cluster.
  2. Bootstrap and start the EKM service on each of the servers using the -fips option of ekm_boot_additional_server.

Add the New Triplet:

  1. Using one of the already functioning EPs, run Add a Server Triplet.
  2. Restart the EKM service on the new servers (see EKM Service Restart in FIPS Triplet).
  3. Run the ucl server test command.

Quickstart

This quickstart assumes that the new triplet consists of the servers EP2, Partner2, and Aux2.

Step 1. Run on: EP2, Partner2, Aux2

    sudo rpm -ivh <CORE Server Software>.rpm

Step 2. Run on: EP2
Bootstrap the software and start the EKM service.

    sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s ep2 -fips
    sudo service ekm start

Run on: Partner2

    sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s partner2 -fips
    sudo service ekm start

Run on: Aux2

    sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s aux2 -fips
    sudo service ekm start

Step 4. Run on: EP
Now, using the main EP server, add the new triplet to the cluster.

    sudo ucl server create -e ep2 -p partner2 -a aux2

Step 5. Run on: Partner2, Aux2
Start the EKM service on the Partner2 and Aux2 servers.

    sudo service ekm start

Step 6. Run on: EP2
Now, start the EKM service on the EP2 server.

    sudo service ekm start

Important. EP2 must be the last to start.

Step 7. Run on: EP
Run the test.

    ucl server test

CORE Backup and Restore in FIPS Mode

Bootstrap the Restored Triplet

Perform the FIPS triplet bootstrap with the -restore option.

Note
The --restore option applies to ekm_boot_ep and ekm_boot_partner only.

For example: