Exclude/Preserve KMF Keys in Clone Profile

ColK · ‎10-13-2022

Hi! I actually have 2 questions:

1. When creating a custom clone profile, I see that the exclusions for tables under the "System Profile" also show up when I look at the custom clone profile. Are these exclusions also included in the custom profile? Or do exclusions apply only to their associated profile?

2. (The bigger question) I am trying to follow KB0961152 and exclude/preserve the sys_kmf_module_key and sys_kmf_instance_key tables in a custom clone profile, but I am unable to add them to the profile through the "Edit" button, and I am also unable to records for both in the "Exclude Tables" and "Preserve Data" tables, even after elevating my account to security_admin. Is this something only HI Portal is allowed to do? Or am I missing a step?

Fr_d_ric Dhuez · ‎12-16-2022

Hi,

I have no access to this KB but I have almost the same question about cloning and exclusion of the KMF keys table sys_kmf_module_key and sys_kmf_instance_key.

We have 3 self-hosted instances with their own keystores, so cloning the Prod to Dev for example will also clone the KMF keys which are different for each env. Should we exclude the KMF keys before cloning? or maybe should we copy the keystore from prod to other env? This is really unclear.

Fred

jorgegrc · ‎01-19-2023

We have the same issue - every time the instance is cloned, it screws up Data Sources amongst other things.
KMF is currently a headache and the documentation is not clear.

I have also the question about records passing along the instance chain from subprod to prod. Because each instance has it's own key, I cannot find in the documentation the explanation about how this works.

I'm afraid that when for example committing an update Set with a Data Source (which has a password2 field) into a new instance, that instance is not able to decrypt the value (because it was encrypted using a different key from the prev instance).

A real mess.

Fr_d_ric Dhuez · ‎01-19-2023

I think you must copy the same keystore files between all your instances before cloning, it was an advice from the KMF support guy with who I spent several Zoom meetings...

The problem of KMF configuration is that you must open a case to the support to rotate the keys if you have a problem, because the configuration of keys is only accessible from a maint user.

And if you have a problem with the keys, your instance will be really unstable.

Check the logs to be sure what is the root-cause.

But I agree that the KMF is complex and without clear documentation to refer.

jorgegrc · ‎01-19-2023

Thanks for taking the time to reply 🙂 - would you be so kind to specify the name of the table where they are?
I think this will be quicker than waiting for NOW Support to help... I already created a Case but usually it takes days before we get a relevant reply.