After migrating or restoring the RSA Key Manager (RSA RKM) from V2.7 to V2.7.1.2 / V2.7.1.8, perform the following task to avoid the prompt for the Master Key.
- ID | Title
- a54769 | Master Password prompt on /KMS immediately after upgrading or restoring to 2.7SP1
- Goal
- Master Password prompt on /KMS immediately after upgrading or restoring to 2.7SP1
- Fact
- RSA Key Manager Appliance 2.7 SP1
- RSA Key Manager Appliance 2.7.1.2
- RSA Key Manager Migration Utility 2.7.1.2
- Symptom
- After completing the migration and/or restore process on RKM Appliance 2.7 SP1, logging in to /KMS in a browser succeeds. However, after login the page prompts for the Master Password.
- Change
- Upgraded RKM Appliance to 2.7 SP1 (2.7.1.2) using RKM Appliance Migration Utility 2.7.1.2. Or, restored a backup on RKM Appliance 2.7 SP1 (restore process for 2.7 SP1 requires reimaging the appliance(s) using 2.7 ISO, then upgrading to 2.7 SP1 using RKM Appliance Migration Utility 2.7.1.2, and finally restoring the backup).
- Cause
- After the upgrade or restore process, the system fingerprint on the lockbox protected file(s) on the RKM Appliance may need to be updated. If the system fingerprint on the lockbox protected file(s) needs updating, RKM Server cannot be started in unattended mode.
- Fix
- 1. Validate that lockbox protected file(s) on RKM Appliance can be opened in system mode:
Log in as root on each RKM Appliance, run the following commands to validate that the lockbox files can be opened in system mode, and inspect their results.
/usr/lib/clb -l /opt/KMS/conf/properties/unattendedRestart.properties -r restarter.enabled
/usr/lib/clb -l /opt/rsa/setup/sh/System.properties -r ORA_PASSWORD
A result like the following when reading values from unattendedRestart.properties indicates a failure:
[root@rkmapp tmp]# /usr/lib/clb -l /opt/KMS/conf/properties/unattendedRestart.properties -r restarter.enabled
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
An error has occured:
The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A result like the following when reading values from unattendedRestart.properties indicates success:
[root@rkmapp tmp]# /usr/lib/clb -l /opt/KMS/conf/properties/unattendedRestart.properties -r restarter.enabled
Lockbox file: /opt/KMS/conf/properties/unattendedRestart.properties opened.
This lockbox is running in System mode
Retrieved value "true" for name "restarter.enabled".
Done!
If there is a system fingerprint problem in one or both lockbox files, fix each lockboxed system file that needs a fingerprint update. IMPORTANT: Back up the files /opt/KMS/conf/properties/unattendedRestart.properties* and /opt/rsa/setup/sh/System.properties before carrying out the steps below. A sample password "yourlockboxpassword" is shown below; use the actual lockbox/security admin passphrase for your environment.
/usr/lib/clbAdmin -l /opt/KMS/conf/properties/unattendedRestart.properties -p yourlockboxpassword -n yourlockboxpassword
/usr/lib/clbAdmin -l /opt/rsa/setup/sh/System.properties -p yourlockboxpassword -n yourlockboxpassword
After updating the system fingerprint on the lockbox file(s), validate the updated file(s) using the steps provided above to ensure that each lockbox file can be successfully opened in system mode.
For more details on fixing other issues with lockbox files or to recreate the lockbox files, contact RSA Customer Support and quote solution "a52945 - How to update or create lockbox protected configuration files on RKM Appliance?".
- 2. If the lockbox file(s) are corrected as described in step #1, restart Tomcat and then access /KMS (you should no longer get prompted for Master Password):
service tomcat restart
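
The inspection in step 1 can be scripted so it is repeatable on every appliance, before and after the fingerprint update. This is an added example, not part of the original article or RSA's tooling; it uses only the clb command line and output strings shown above, and the function names (classify_clb_output, check_lockbox, run_checks) are hypothetical.

```sh
#!/bin/sh
# Added example (not RSA tooling): automates the "inspect their results"
# part of step 1 using only the clb invocation shown in the article.
CLB=/usr/lib/clb    # path as given in the article

# Sample outputs copied from the article, used to exercise the classifier.
SAMPLE_FAIL='An error has occured:
The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.'
SAMPLE_OK='Lockbox file: /opt/KMS/conf/properties/unattendedRestart.properties opened.
This lockbox is running in System mode
Retrieved value "true" for name "restarter.enabled".
Done!'

# classify_clb_output TEXT -> ok | fingerprint_changed | unknown
classify_clb_output() {
    case "$1" in
        *"system fingerprint has changed"*)            echo fingerprint_changed ;;
        *"running in System mode"*"Retrieved value"*)  echo ok ;;
        *)                                             echo unknown ;;
    esac
}

# check_lockbox FILE NAME: read NAME from FILE in system mode.
# The clb output is captured, never echoed, because a successful read
# prints the retrieved value (see the article's success sample), which
# would put the ORA_PASSWORD value into terminal scrollback.
check_lockbox() {
    out=$("$CLB" -l "$1" -r "$2" 2>&1) || true
    state=$(classify_clb_output "$out")
    printf '%-20s %s\n' "$state" "$1"
    [ "$state" = ok ]
}

# Check both lockbox files named in the article; non-zero if either fails.
run_checks() {
    rc=0
    check_lockbox /opt/KMS/conf/properties/unattendedRestart.properties restarter.enabled || rc=1
    check_lockbox /opt/rsa/setup/sh/System.properties ORA_PASSWORD || rc=1
    return "$rc"
}

# Run only where clb exists (i.e. on an RKM Appliance, as root).
if [ -x "$CLB" ]; then
    run_checks || echo "One or more lockbox files did not open in system mode; see step 1." >&2
fi
```

A file reported as unknown produced output matching neither sample in the article and should be inspected by hand.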