000015892 - Sun LTO-4 integration troubleshooting with RSA Key Manager (RKM) and RSA Data Protection Manager (DPM)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000015892
Applies To: RSA Product Set: RSA Key Manager (RKM), Data Protection Manager (DPM)
RSA Product/Service Type: Key Manager Server, Key Manager Appliance
RSA Version/Condition: RKM 2.7 SP1
Platform: Sun LTO-4 Tape Drive
Issue: Tape drive enrollment is failing.
Tape drive re-enrollment is failing.
Resolution: There is a troubleshooting guide available at https://sftp.rsa.com/human.aspx?Username=support&password=Password1&arg12=downloaddirect&transaction=signon&quiet=true&arg01=659750889

Make sure of the following:

- You have enabled Sun LTO-4 integration via RKM Admin console under Settings --> Enable LTO-4
- You have provided the hostname and IP addresses of the appliances in the "Change Discovery" page
- You have run the script /opt/rsa/setup/sh/enableLto4.sh on all appliances. Note: There is a known issue (KMA-1184) where you should provide "" instead of the appliance's physical IP address
- Check the bottom of the file /etc/httpd/conf/http.conf. Make sure the two following lines do NOT have the appliance's physical IP address, but "" or "localhost"

        ProxyPass / http://localhost:8080/KMS/services/KMS_CA
        ProxyPassReverse / http://localhost:8080/KMS/services/KMS_CA

- If your server certificate is not issued by a Root CA but rather by a Sub CA,

1. Make sure Apache is sending its chain properly. Open https://youAppliance.domain.com/status/certs.jsp; the "SSL Handshake Test" section should show something like the following:

        Certificate chain
         0 s:Subject DN of your web server certificate
           i:Issuer DN of the web server certificate
         1 s:Subject DN of the web server's issuer
           i:Issuer DN of the web server's issuer
         2 s:Subject DN of the certificate above
           i:Root CA Subject DN

2. Apache's Trusted CA file must contain the Sub CA certificate

- In RKM Admin console, under Settings --> Change Server CA, you should provide the Root CA certificate.
- You have imported PKCS#12 via Settings --> Manage Certificates
- You have created a Key class of type AES - 256 - CBC - New Key Each Time - Allow Auto-generation
- You have created ONE auto-registration profile PER DRIVE, each drive using the registration profile name for its Agent ID
- The P12 file must contain a valid SSL client certificate. If it has only the SSL Server Authentication Enhanced Key Usage, the SSL handshake will fail.
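
The chain check from step 1 of the Sub CA item above can be scripted. This is an added example, not RSA code or part of the original article: it parses a "Certificate chain" listing in the s:/i: format shown above and confirms that each issuer matches the next subject and that an intermediate was actually sent. The function name, exit codes and sample DNs are assumptions made for illustration.

```shell
# Added example (not RSA code): validate a "Certificate chain" listing, i.e.
# the s:/i: lines in the format shown above (as printed by openssl s_client).
# check_chain reads the listing on stdin, prints a verdict, and returns:
#   0 = every issuer matches the next subject and an intermediate was sent
#   1 = only the leaf certificate was sent (Sub CA missing from the chain)
#   2 = a link is broken (issuer of cert N is not the subject of cert N+1)
#   3 = no chain lines found
check_chain() {
  awk '
    BEGIN { n = 0 }
    # Subject line, e.g. " 0 s:CN = kma1.example.test"
    /^[ \t]*[0-9]+[ \t]+s:/ {
      line = $0
      sub(/^[ \t]*[0-9]+[ \t]+s:/, "", line)
      sub(/[ \t\r]+$/, "", line)
      subj[n++] = line
      next
    }
    # Issuer line belongs to the most recent subject line
    /^[ \t]+i:/ && n > 0 {
      line = $0
      sub(/^[ \t]+i:/, "", line)
      sub(/[ \t\r]+$/, "", line)
      iss[n - 1] = line
    }
    END {
      if (n == 0) { print "no certificate chain found"; exit 3 }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          printf "broken link between cert %d and cert %d\n", k, k + 1
          exit 2
        }
      if (n == 1) { print "leaf only: server is not sending its Sub CA"; exit 1 }
      printf "ok: %d certs sent, top issuer: %s\n", n, iss[n - 1]
    }
  '
}
# Constructed sample listings (hypothetical DNs, not from a real appliance).
SAMPLE_GOOD=' 0 s:CN = kma1.example.test
   i:CN = Example Sub CA
 1 s:CN = Example Sub CA
   i:CN = Example Root CA'
SAMPLE_LEAF_ONLY=' 0 s:CN = kma1.example.test
   i:CN = Example Sub CA'
printf '%s\n' "$SAMPLE_GOOD" | check_chain || true
printf '%s\n' "$SAMPLE_LEAF_ONLY" | check_chain || true
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | check_chain
```

The top issuer printed on success should be the Root CA that was provided under Settings --> Change Server CA.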

Legacy Article ID: a52806