Conflict resolution

Data conflicts can occur in the following scenarios: importing device group data into an IBM® Security Guardium® Key Lifecycle Manager server, merging the split clusters in a Multi-Master setup, and rejoining an isolated read/write master server to a Multi-Master cluster. Duplicate values for objects such as key alias, certificate alias, and device serial number in the source and target IBM Security Guardium Key Lifecycle Manager servers cause data conflicts.

Data conflict types and resolution

The conflict details are categorized based on the objects in the conflict. Run the relevant REST services on the IBM Security Guardium Key Lifecycle Manager server to modify the required object values and resolve the data conflicts.

The following table provides details about each data conflict type, the cause, and the possible resolution. You can use this table to determine the method to resolve the data conflicts.
Table 1. Data conflict types and resolution

| Data conflict type | Cause of data conflict | Conflict resolution REST services |
|---|---|---|
| Key conflicts | Duplicate values for key alias are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Renew Key Alias REST Service |
| Certificate conflicts | Duplicate values for certificate alias are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Change Certificate Alias REST Service |
| Device conflicts | Duplicate values for device serial number are found in the source and target IBM Security Guardium Key Lifecycle Manager servers. | Change Name REST Service |
| Delete conflicts | This conflict appears only in the scenario of merging the split clusters in a Multi-Master setup. Objects such as device groups, certificates, keys, and devices exist in one of the split clusters only. | |

You can run these REST services on any master server of the cluster.
You can use the Get Change History REST Service to get a summarized report of the changes that are done to the objects by using these REST services.
When you are importing device group data and a data conflict occurs, you can modify object values in one of the following ways:
  • Run the conflict resolution REST services on the source server before you run the export operation.
  • (Preferred) Run the conflict resolution REST services on the target or destination server before you run the import operation.
Note: The conflict resolution REST services make significant changes to the IBM Security Guardium Key Lifecycle Manager server that might impact its operation and the communication with the storage device. Consider the following points before you run any of these REST services:
  • Plan and evaluate the changes that are required on both IBM Security Guardium Key Lifecycle Manager and the storage device.
  • Ensure that the changes are atomic, that is, the changes are made on both the IBM Security Guardium Key Lifecycle Manager system and the devices, so that key serving continues.
  • The REST services handle the changes only for IBM Security Guardium Key Lifecycle Manager.
  • After changing the alias of a server certificate, you must restart the IBM Security Guardium Key Lifecycle Manager server.

    If this certificate is marked In Use, then you must first mark the certificate as In Use again, and then restart the server.

For guidance on the complete process, contact your IBM support representative.

Example 1: Scenario - Importing device group

Sample conflict output:
Key Conflicts	
UUID	                                           Alias
KEY-1371d98-59c37695-35b9-4c3b-b8af-6632be4db59b   ss
KEY-1371d98-c714c3c0-2694-4447-b5cb-3d9569759ca2   ss
	
Certificate Conflicts	
UUID	                                                  Alias
CERTIFICATE-1371d98-955229b0-b8cb-4636-8834-37a18116af87  ss
	
Device Conflicts	
Alias      Serial Number
null	4.24E+11

The output indicates that duplicate values for the following object attributes must be changed in the target server: key alias, certificate alias, and device serial number.

You can run the following REST services on the target IBM Security Guardium Key Lifecycle Manager server to resolve the conflicts, and then retry the import device group operation:

Example 2: Scenario - Merging split clusters in a Multi-Master setup

Sample conflict output:

delete Conflicts
type,attributes
dg1,uuid=11118,name=dg1,DeviceGroup,11118,
dg3,uuid=CERTIFICATE-a7a86f7-efa86f7-4444-69c2-79b6-a754dsd5658e,aliasName=dg3,Certificate,CERTIFICATE-a7a86f7-efa86f7-4444-69c2-79b6-a754dsd5658e,

The output indicates that the following objects must be deleted from the cluster: device group, certificate.
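
The following is an added example, not IBM code: a small parser that reads conflict output laid out like the samples in Example 1 and Example 2 and pairs each conflicting object with the service named in Table 1. The function and field names are hypothetical and the report layout is assumed from the samples on this page; this page lists no service name for delete conflicts, so those entries carry None.

```python
import re

# Service names come from Table 1 on this page; it lists no service name
# for delete conflicts, so that entry is None.
SERVICE = {"key": "Renew Key Alias REST Service",
           "certificate": "Change Certificate Alias REST Service",
           "device": "Change Name REST Service",
           "delete": None}

# Rows copied from the sample outputs in Example 1 and Example 2.
SAMPLE = """\
Key Conflicts
UUID\tAlias
KEY-1371d98-59c37695-35b9-4c3b-b8af-6632be4db59b   ss
KEY-1371d98-c714c3c0-2694-4447-b5cb-3d9569759ca2   ss
Certificate Conflicts
UUID\tAlias
CERTIFICATE-1371d98-955229b0-b8cb-4636-8834-37a18116af87  ss
Device Conflicts
Alias      Serial Number
null\t4.24E+11
delete Conflicts
type,attributes
dg1,uuid=11118,name=dg1,DeviceGroup,11118,
"""

def parse_conflicts(report):
    """Return one dict per conflicting object; layout is assumed from the samples."""
    section, skip_header, items = None, False, []
    for line in (raw.strip() for raw in report.splitlines()):
        heading = re.fullmatch(r"(key|certificate|device|delete) conflicts", line, re.I)
        if heading:
            section, skip_header = heading.group(1).lower(), True
        elif not line or section is None:
            continue
        elif skip_header:  # column-title row that follows each heading
            skip_header = False
        elif section == "delete":
            fields = [f for f in line.split(",") if f]
            attrs = dict(f.split("=", 1) for f in fields if "=" in f)
            kind = next((f for f in fields[1:] if "=" not in f), None)
            items.append({"conflict": section, "object": kind, "id": attrs.get("uuid")})
        else:
            cols = (line.split(None, 1) + [None])[:2]  # tolerate a one-column row
            # Device rows are "alias serial"; key and certificate rows are "uuid alias".
            ident, alias = cols if section != "device" else cols[::-1]
            items.append({"conflict": section, "object": section, "id": ident, "alias": alias})
    return [dict(i, service=SERVICE[i["conflict"]]) for i in items]
```

Calling parse_conflicts(SAMPLE) yields the UUIDs that share an alias, so the work list can be reviewed against the storage devices before any alias or name is changed.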

You can run the following REST services on any master server of the cluster to resolve the conflicts, and then retry the merge clusters operation: