Data conflicts can occur in the following scenarios: importing device group data into an IBM® Security Guardium® Key Lifecycle Manager server, merging the split clusters in a Multi-Master setup, and rejoining an isolated read/write master server to a Multi-Master cluster. Duplicate values for objects such as key alias, certificate alias, and device serial number in the source and target IBM Security Guardium Key Lifecycle Manager servers cause data conflicts.
Data conflict types and resolution
The conflict details are categorized based on the objects in the conflict. Run the relevant REST services on the IBM Security Guardium Key Lifecycle Manager server to modify the required object values and resolve the data conflicts.
| Data conflict type | Cause of data conflict | Conflict resolution REST services |
|---|---|---|
| Key conflicts | Duplicate values for key alias are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Renew Key Alias REST Service |
| Certificate conflicts | Duplicate values for certificate alias are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Change Certificate Alias REST Service |
| Device conflicts | Duplicate values for device serial number are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Change Name REST Service |
| Delete conflicts | This conflict appears only in the scenario of merging the split clusters in a Multi-Master | |

Objects such as device groups, certificates, keys, and devices exist in one of the split clusters only.
- Run the conflict resolution REST services on the source server before you run the export operation.
- (Preferred) Run the conflict resolution REST services on the target or destination server before you run the import operation.
- Plan and evaluate the changes that are required on both IBM Security Guardium Key Lifecycle Manager and the storage device.
- Ensure that the changes are atomic, that is, the changes are made on both the IBM Security Guardium Key Lifecycle Manager system and the devices so that key serving continues.
- The REST services handle the changes only for IBM Security Guardium Key Lifecycle Manager.
- After changing the alias of a server certificate, you must restart the IBM Security Guardium Key Lifecycle Manager server.
If this certificate is marked In Use, then you must first mark the certificate as In Use again, and then restart the server.
Example 1: Scenario - Importing device group
    Key Conflicts
    UUID Alias
    KEY-1371d98-59c37695-35b9-4c3b-b8af-6632be4db59b ss
    KEY-1371d98-c714c3c0-2694-4447-b5cb-3d9569759ca2 ss
    Certificate Conflicts
    UUID Alias
    CERTIFICATE-1371d98-955229b0-b8cb-4636-8834-37a18116af87 ss
    Device Conflicts
    Alias Serial Number
    null 4.24E+11
The output indicates that duplicate values for the following object attributes must be changed in the target server: key alias, certificate alias, and device serial number.
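Added example (not part of the IBM documentation): a small parser that reads a conflict report like the one in Example 1 and lists, for each row, the resolution service named in the table above. It assumes the report is plain text with one row per line and whitespace-separated fields; the function names and the rounded-serial check are illustrative assumptions.

```python
import re

# Section title -> (column header row, resolving service from the table above).
SECTIONS = {
    "Key Conflicts": ("UUID Alias", "Renew Key Alias REST Service"),
    "Certificate Conflicts": ("UUID Alias", "Change Certificate Alias REST Service"),
    "Device Conflicts": ("Alias Serial Number", "Change Name REST Service"),
}

# Constructed sample: the Example 1 values, one row per line (assumed layout).
SAMPLE_REPORT = """\
Key Conflicts
UUID Alias
KEY-1371d98-59c37695-35b9-4c3b-b8af-6632be4db59b ss
KEY-1371d98-c714c3c0-2694-4447-b5cb-3d9569759ca2 ss
Certificate Conflicts
UUID Alias
CERTIFICATE-1371d98-955229b0-b8cb-4636-8834-37a18116af87 ss
Device Conflicts
Alias Serial Number
null 4.24E+11
"""

def plan_resolution(report):
    """Return (section, first column, conflicting value, service) per row."""
    plan, current = [], None
    for raw in report.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or (current and line == SECTIONS[current][0]):
            continue  # blank line or the section's column header row
        if line in SECTIONS:
            current = line
            continue
        if current is None:
            raise ValueError(f"row before any section title: {line!r}")
        fields = line.split(" ")
        if len(fields) != 2:
            raise ValueError(f"unexpected row in {current}: {line!r}")
        plan.append((current, fields[0], fields[1], SECTIONS[current][1]))
    return plan

def rounded_serials(plan):
    """Device rows with an exponent-notation serial (assumed rounded on export)."""
    exp = re.compile(r"^\d+(\.\d+)?[eE][+-]?\d+$")
    return [r for r in plan if r[0] == "Device Conflicts" and exp.match(r[2])]

if __name__ == "__main__":
    for section, ident, value, service in plan_resolution(SAMPLE_REPORT):
        print(f"{section}: {ident} has duplicate value {value!r} -> {service}")
```

Rows returned by `rounded_serials` carry a serial number that cannot be used as written; read the full value from the device before changing anything.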
Example 2: Scenario - Merging split clusters in a Multi-Master setup
    delete Conflicts
    type,attributes
    dg1,uuid=11118,name=dg1,DeviceGroup,11118,
    dg3,uuid=CERTIFICATE-a7a86f7-efa86f7-4444-69c2-79b6-a754dsd5658e,aliasName=dg3,Certificate,CERTIFICATE-a7a86f7-efa86f7-4444-69c2-79b6-a754dsd5658e,
The output indicates that the following objects must be deleted from the cluster: device group and certificate.