12 General Oracle Key Vault Management

General management consists of system and audit management tasks. You must be an administrative user with the System Administrator role or the Audit Manager role, depending on the task, to perform these tasks.

12.1 About General Oracle Key Vault Management

System administrators configure system settings, remote monitoring, email notification, backup, and recovery. Audit managers configure alerts, and download system diagnostics for further debugging and analysis.

12.2 Remote Monitoring Using SNMP

With SNMP enabled, system administrators can remotely monitor the Key Vault appliance and its services. The collected data can be further processed and presented for the needs of the enterprise.

12.2.1 About Using SNMP for Oracle Key Vault

You can use the Simple Network Management Protocol (SNMP) to monitor devices on a network for resource usage.

Monitoring Oracle Key Vault matters because its availability becomes critical when hundreds or thousands of Oracle and MySQL databases store their TDE master encryption keys in Oracle Key Vault. The types of resource usage that you should monitor include memory, CPU utilization, and processes.

You can use a third-party Simple Network Management Protocol (SNMP) tool to monitor Oracle Key Vault remotely. The benefits of using SNMP to monitor Oracle Key Vault are as follows:

  • There is no need to allow SSH access to Oracle Key Vault. (SSH access should only be enabled for the window of time in which it is being used.)
  • You do not need to install additional tools to perform an SNMP monitoring operation.

Oracle Key Vault uses SNMP version 3, which provides user authentication and data encryption. Unlike SNMP versions 1 and 2, which communicate in readable, insecure plaintext, SNMP version 3 authenticates users and encrypts the data on the communication channel between the monitoring server and the target. The information from Oracle Key Vault is unreadable to an intruder, even if the communication channel is intercepted.

In addition, with SNMP enabled on Oracle Key Vault, you can determine whether the key management server (KMIP daemon) is running. To track this information, you must use a third-party SNMP client to poll the Oracle Key Vault instance, because Oracle Key Vault does not provide SNMP client software.

Oracle Key Vault audits the creation and modification of SNMP credentials.

You must be a user with the System Administrator role to configure the SNMP account with a user name and password. These SNMP credentials are needed to access SNMP data.

Note:

You must ensure that the SNMP user name and password are not the same as the user name and password of any Oracle Key Vault administrative user account with the System Administrator, Key Administrator, or Audit Manager role.

12.2.2 Granting SNMP Access to Users

You can grant any user, including users who are not Oracle Key Vault administrators, access to SNMP data.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the System tab, and then select Monitoring Settings from the left side bar.

    The Monitoring page appears.

  3. In the Monitoring page, enter the following information:
    • SNMP Access: Select All to enable a client at any IP address to poll Oracle Key Vault for information, Disabled to prevent any client, regardless of its IP address, from polling Oracle Key Vault for information, or IP Address(es) if you want to restrict polling to clients with specific IP addresses. If you select IP Address(es), then enter the IP addresses of the clients you want to grant access to in the IP Address field. Separate multiple IP addresses by a space. You cannot enter a range of IP addresses; you must list each IP address individually.
    • Username: Enter a name to associate with the SNMP configuration that will perform the monitoring.
    • Password and Confirm Password: Enter a secure password for this user that is at least 8 characters long and contains at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space. The SNMP password must not be the same as the password used to log in to the Oracle Key Vault management console in any of the administrative roles.
  4. Click Save.

12.2.3 Changing the SNMP User Name and Password

You can change the SNMP user name and password for a node at any time.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then select Monitoring Settings.
  3. In the Username, Password, and Reenter Password fields, enter the user name and password information.
  4. Click Save.

12.2.4 Changing SNMP Settings on the Standby Server

In a primary-standby environment, the standby server is no longer accessible from the Oracle Key Vault management console, because all requests are forwarded to the primary server. To add SNMP support in such an environment, you should therefore configure SNMP on both the primary and standby servers before pairing them. If you need to change the SNMP settings on the standby server after pairing, you do so from the command line on the standby server, as follows.

  1. Log in to the standby server as the support user.
  2. Switch to the root user.
    su -
    
  3. Go to the Oracle Key Vault bin directory.
    cd /usr/local/okv/bin/
    
  4. Run the stdby_snmp_enable script.
    ./stdby_snmp_enable parameter "options"
    
    In this specification:
    • parameter can be the following:
      • -a, which sets the SNMP access. It accepts the following options:
        • all grants SNMP access.
        • disabled disables SNMP access.
        • IP_addresses specifies one or more IP addresses to be granted SNMP access. Separate each IP address with a space.
      • -u sets the user's SNMP name.
      • -p sets the user's SNMP password.
    • options is only used with the -a parameter.

The following examples show how to change SNMP settings on a standby server.

To grant SNMP access to all IP addresses and assign the user name snmpuser and the password password:

  ./stdby_snmp_enable -a "all" -u "snmpuser" -p "password"

To disable SNMP access from all IP addresses:

  ./stdby_snmp_enable -a "disabled"

To grant SNMP access to specific IP addresses and assign the user name snmpuser and the password password:

  ./stdby_snmp_enable -a "192.0.2.1 192.0.2.3 192.0.2.3" -u "snmpuser" -p "password"

12.2.5 Remotely Monitoring Oracle Key Vault Using SNMP

SNMP enables you to monitor the vital components of Oracle Key Vault remotely without having to install new software on Oracle Key Vault. Although there are third-party tools that graphically display the information that SNMP extracts from Oracle Key Vault, the examples shown here use snmpwalk and snmpget from the command line on a remote computer that has network access to the SNMP service of Oracle Key Vault.
  1. Log in to the remote host that will monitor Oracle Key Vault.
  2. Confirm that the UCD-SNMP-MIB is installed on the remote host from which Oracle Key Vault is monitored.
  3. Query the object ID for an Oracle Key Vault-supported SNMP Management Information Base (MIB) variable.
    For example, suppose you want to track the processes running on the Oracle Key Vault host. You can use a third-party SNMP client utility to query the process table (UCD-SNMP-MIB prTable), whose object ID is 1.3.6.1.4.1.2021.2, as follows:
    third_party_snmp_client_command -v 3 OKV_IP_address -u SNMP_user -a SHA -A SNMP_password -x AES -X SNMP_password -l authPriv iso.3.6.1.4.1.2021.2.1.2.1  
    

    The output is similar to the following:

    iso.3.6.1.4.1.2021.2.1.2.1 = STRING: "mwecsvc"              <== Event collector
    iso.3.6.1.4.1.2021.2.1.2.2 = STRING: "httpd"                <== httpd
    iso.3.6.1.4.1.2021.2.1.2.3 = STRING: "kmipd"                <== KMIP daemon
    iso.3.6.1.4.1.2021.2.1.2.4 = STRING: "ora_pmon_dbfwdb"      <== embedded DB
    

12.2.6 SNMP Management Information Base Variables for Oracle Key Vault

Oracle Key Vault provides a set of SNMP Management Information Base (MIB) variables that you can track.

The following table lists the MIB variables that are supported.

Table 12-1 MIBs That SNMP Tracks for Oracle Key Vault

MIB Variable          Object ID                Description
hrSystemUptime        1.3.6.1.2.1.25.1.1       Tracks the amount of time that an Oracle Key Vault instance has been running
ifAdminStatus.x       1.3.6.1.2.1.2.2.1.7      Tracks whether Oracle Key Vault network interface x is running, not running, or being tested. Values: 1 = interface is running, 2 = interface is down, 3 = interface is being tested
memAvailReal          1.3.6.1.4.1.2021.4.6     Tracks the available RAM
memTotalReal          1.3.6.1.4.1.2021.4.5     Tracks the total amount of RAM being used
ssCpuRawIdle          1.3.6.1.4.1.2021.11.53   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent idle
ssCpuRawInterrupt     1.3.6.1.4.1.2021.11.56   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent processing hardware interrupts
ssCpuRawKernel        1.3.6.1.4.1.2021.11.55   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent processing kernel-level code
ssCpuRawNice          1.3.6.1.4.1.2021.11.51   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent processing reduced-priority code
ssCpuRawSystem        1.3.6.1.4.1.2021.11.52   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent processing system-level code
ssCpuRawUser          1.3.6.1.4.1.2021.11.50   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent processing user-level code
ssCpuRawWait          1.3.6.1.4.1.2021.11.54   For CPU monitoring; tracks the number of ticks (typically 1/100s) spent waiting for input-output (IO)
UCD-SNMP-MIB.prTable  1.3.6.1.4.1.2021.2       Tracks the number of processes running under a certain name. The names that are monitored are httpd (the HTTP server), kmipd (the KMIP daemon), and ora_pmon_dbfwdb (an indicator of whether the embedded database is down)

See Also:

For more information, refer to the Net-SNMP documentation at http://www.net-snmp.org
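The process query in 12.2.5 and the counters in Table 12-1 only become monitoring once something evaluates them. The following Python script is an added example, not code from the Oracle Key Vault documentation or product: it parses the text that snmptable and snmpwalk print (the sample lines embedded in it are constructed to match the formats shown above, with kmipd deliberately stopped), checks that each required service is within its prMin/prMax bounds, and derives CPU utilization from two samples of the ssCpuRaw* tick counters, handling Counter32 wrap-around. It assumes that ssCpuRawSystem already includes the kernel and interrupt ticks, which UCD-SNMP-MIB notes is the case on some platforms, so ssCpuRawKernel and ssCpuRawInterrupt are not summed a second time.

```python
import re

# Services that the prTable (UCD-SNMP-MIB, OID 1.3.6.1.4.1.2021.2) exposes for
# Oracle Key Vault, as listed in Table 12-1 and the 12.2.5 output.
REQUIRED_PROCESSES = ("mwecsvc", "httpd", "kmipd", "ora_pmon_dbfwdb")

# Constructed sample of snmptable output. The kmipd row is set to prCount 0
# to show what a stopped KMIP daemon looks like.
SAMPLE_PRTABLE = """\
SNMP table: UCD-SNMP-MIB::prTable
prIndex         prNames prMin prMax prCount prErrorFlag prErrMessage prErrFix prErrFixCmd
      1         mwecsvc     1     1       1     noError      noError
      2           httpd     1    20       9     noError      noError
      3           kmipd     1     2       0       error "Too few kmipd running (# = 0)"
      4 ora_pmon_dbfwdb     1     1       1     noError      noError
"""

# Constructed samples of two snmpwalk runs over the ssCpuRaw* counters,
# taken some time apart.
SAMPLE_CPU_T0 = """\
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1000
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 100
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 500
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 8000
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 400
"""
SAMPLE_CPU_T1 = """\
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1600
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 100
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 800
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 8300
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 400
"""

COUNTER32_MODULUS = 2 ** 32
CPU_TICK_PATTERN = re.compile(r"::(ssCpuRaw[A-Za-z]+)\.0 = Counter32: (\d+)")
# Counters summed for total ticks; System is assumed to include Kernel+Interrupt.
CPU_TOTAL_COUNTERS = ("ssCpuRawUser", "ssCpuRawNice", "ssCpuRawSystem",
                      "ssCpuRawIdle", "ssCpuRawWait")


def parse_prtable(text):
    """Map prNames -> (prMin, prMax, prCount) from snmptable's text output."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the numeric prIndex; the banner and header do not.
        if len(parts) >= 5 and parts[0].isdigit():
            rows[parts[1]] = (int(parts[2]), int(parts[3]), int(parts[4]))
    return rows


def check_processes(rows, required=REQUIRED_PROCESSES):
    """Return a list of problems; an empty list means every required service is healthy.

    A prMax of 0 means 'no upper bound' in UCD-SNMP-MIB, so it is not enforced.
    """
    problems = []
    for name in required:
        if name not in rows:
            problems.append(f"{name}: not present in prTable")
            continue
        pr_min, pr_max, count = rows[name]
        if count < pr_min:
            problems.append(f"{name}: {count} running, expected at least {pr_min}")
        elif pr_max and count > pr_max:
            problems.append(f"{name}: {count} running, expected at most {pr_max}")
    return problems


def parse_cpu_counters(text):
    """Map ssCpuRaw* names -> tick counts from snmpwalk/snmpget text output."""
    return {name: int(value) for name, value in CPU_TICK_PATTERN.findall(text)}


def cpu_busy_percent(before, after):
    """Percentage of non-idle ticks between two samples of the raw CPU counters.

    The counters are Counter32 and wrap at 2^32, so deltas are taken modulo 2^32.
    """
    def delta(name):
        return (after[name] - before[name]) % COUNTER32_MODULUS

    total = sum(delta(name) for name in CPU_TOTAL_COUNTERS)
    if total == 0:
        return 0.0
    return 100.0 * (total - delta("ssCpuRawIdle")) / total


if __name__ == "__main__":
    problems = check_processes(parse_prtable(SAMPLE_PRTABLE))
    for line in problems or ["all required Oracle Key Vault services are running"]:
        print(line)
    busy = cpu_busy_percent(parse_cpu_counters(SAMPLE_CPU_T0),
                            parse_cpu_counters(SAMPLE_CPU_T1))
    print(f"CPU busy between samples: {busy:.1f}%")
```

In practice the two CPU samples come from two snmpwalk calls some interval apart; the percentage is meaningful only over that interval, never from a single read of the raw counters. A kmipd count below prMin is the condition to alert on first, because it means endpoints can no longer retrieve their TDE master encryption keys.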

12.2.7 Example: Simplified Remote Monitoring of Oracle Key Vault Using SNMP

In Linux, you can simplify the SNMP commands you manually enter to find Oracle Key Vault information, yet still have useful and detailed output.

The configuration in this section assumes that you have granted SNMP access to a trusted user. It also assumes that you have installed the SNMP Management Information Base (MIB) variables on the remote host that will monitor Oracle Key Vault.

For example, a lengthy version of the snmpwalk command for an SNMP user named snmp_admin is as follows:

snmpwalk -v3 OKV_IP_address -n "" -l authPriv -u snmp_admin -a SHA -A snmp_user_password -x AES -X snmp_user_password 

This command lists the vital services that are running on Oracle Key Vault. However, you can modify the command (and other SNMP commands) to be not only shorter, but to show additional information, such as whether the services are running or not running.

To simplify this type of command, you can edit the /etc/snmp/snmp.conf configuration file so that the SNMP commands you enter will automatically include commonly used settings, such as the default user or the default security level. The example in this topic omits password parameters so that users can enter the password at the command line interactively.

  1. Log in to the remote host that will monitor Oracle Key Vault.
  2. Edit the /etc/snmp/snmp.conf, which appears as follows:
    # As the snmp packages come without MIB files due to license reasons, 
    # loading MIBs is disabled by default. If you added the MIBs you 
    # can reenable loading them by commenting out the following line. 
      mibs : 
    
  3. Comment out the # mibs : line and then add the following lines, as follows:
    # loading MIBs is disabled by default. If you added the MIBs you 
    # can reenable loading them by commenting out the following line. 
    # mibs : 
    defSecurityName snmp_admin 
    defSecurityLevel authPriv 
    defAuthType SHA 
    defPrivType AES 
    

    In this example:

    • defSecurityName: Enter the name of the user to whom you granted SNMP access. This example uses snmp_admin.
    • defSecurityLevel: Enter the default security level to use. This example uses authPriv, which enables communication with authentication and privacy.
    • defAuthType: Enter the default authentication protocol. This example uses SHA.
    • defPrivType: Enter the default privacy (encryption) protocol. This example uses AES.
  4. Restart snmpd to load the configuration file.

    For example, for Linux 7:

    systemctl restart snmpd
    

    For Linux 6:

    service snmpd restart
    
  5. To run the simplified version of the snmpwalk command that was shown earlier, enter the following command:
    snmpwalk okv_ip_address prNames -A snmp_user_pwd -X snmp_user_pwd
    

    In this command, prNames refers to "process names", which displays the names of processes instead of numbers. For example:

    $ snmpwalk 192.0.2.254 prNames -A snmp_user_pwd -X snmp_user_pwd
    UCD-SNMP-MIB::prNames.1 = STRING: mwecsvc
    UCD-SNMP-MIB::prNames.2 = STRING: httpd
    UCD-SNMP-MIB::prNames.3 = STRING: kmipd
    UCD-SNMP-MIB::prNames.4 = STRING: ora_pmon_dbfwdb
    
An example of running the snmptable command now becomes the following:

  snmptable okv_ip_address prTable -A snmp_user_pwd -X snmp_user_pwd

Output similar to the following appears.

SNMP table: UCD-SNMP-MIB::prTable 
prIndex         prNames prMin prMax prCount prErrorFlag prErrMessage prErrFix prErrFixCmd
      1         mwecsvc     1     1       1     noError      noError            
      2           httpd     1    20       9     noError      noError                
      3           kmipd     1     2       2     noError      noError                
      4 ora_pmon_dbfwdb     1     1       1     noError      noError

The next example shows how you would now run the snmpdf command:

snmpdf okv_ip_address -A snmp_user_pwd -X snmp_user_pwd

Output similar to the following appears.

Description                Size (kB)  Used    Available   Used%
/                              20027260   7249732 12777528      36%
/dev/shm                        8174120         0  8174120       0% <-- not used by Oracle Key Vault
/usr/local/dbfw                  999320    251180   748140      25% <-- not used by Oracle Key Vault
/usr/local/dbfw/tmp             6932408     15764  6916644       0%
/var/tmp                        5932616     15848  5916768       0% <-- not used by Oracle Key Vault
/opt/dbfw                        999320      1544   997776       0% <-- not used by Oracle Key Vault
/home                            999320      6416   992904       0% <-- not used by Oracle Key Vault
/var/log                        5932616     22992  5909624       0%
/tmp                            1999184      3072  1996112       0%
/var/dbfw                       2966224      4524  2961700       0% <-- not used by Oracle Key Vault
/usr/local/dbfw/volatile        1048576         0  1048576       0% <-- not used by Oracle Key Vault
/var/lib/oracle               143592160  45620964  97971196      31%
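As an added example that is not part of the Oracle documentation, the following Python script turns snmpdf output like the listing above into a Disk Utilization check of the kind the syslog alerts in 12.4.1 also raise. It recomputes the used percentage from the Size and Used columns rather than trusting the rounded Used% column, watches only the filesystems that the listing above does not mark as unused by Oracle Key Vault (that list is an assumption drawn from those annotations), and reports a watched filesystem that is missing from the output, since a missing mount is itself a finding. The sample output embedded in the script is constructed, with /var/lib/oracle set to 93% used.

```python
import re

# Filesystems the snmpdf listing above leaves unannotated, i.e. the ones the
# page presents as used by Oracle Key Vault. Assumed watch list for this example.
OKV_FILESYSTEMS = ("/", "/usr/local/dbfw/tmp", "/var/log", "/tmp", "/var/lib/oracle")

# Constructed sample in snmpdf's layout (sizes in kB); /var/lib/oracle is
# filled to 93% so that the threshold check fires.
SAMPLE_SNMPDF = """\
Description                Size (kB)  Used    Available   Used%
/                              20027260   7249732 12777528      36%
/dev/shm                        8174120         0  8174120       0%
/usr/local/dbfw/tmp             6932408     15764  6916644       0%
/var/log                        5932616     22992  5909624       0%
/tmp                            1999184      3072  1996112       0%
/var/lib/oracle               143592160 133540708 10051452      93%
"""

# Mount point, size, used, available, used%. Anything after the percent sign
# (such as a trailing "<-- not used by Oracle Key Vault" note) is ignored.
ROW_PATTERN = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%")


def parse_snmpdf(text):
    """Map mount point -> (size_kb, used_kb) from snmpdf output, skipping the header."""
    usage = {}
    for line in text.splitlines():
        match = ROW_PATTERN.match(line)
        if match:
            usage[match.group(1)] = (int(match.group(2)), int(match.group(3)))
    return usage


def used_percent(size_kb, used_kb):
    """Used percentage to one decimal, recomputed from the raw kB columns."""
    if size_kb == 0:
        return 0.0
    return round(100.0 * used_kb / size_kb, 1)


def disk_alerts(usage, threshold=90.0, watched=OKV_FILESYSTEMS):
    """Return {mount: used%} for watched filesystems at or above threshold.

    A watched mount that does not appear in the snmpdf output is reported
    with the value None so that it is never silently ignored.
    """
    alerts = {}
    for mount in watched:
        if mount not in usage:
            alerts[mount] = None
            continue
        pct = used_percent(*usage[mount])
        if pct >= threshold:
            alerts[mount] = pct
    return alerts


if __name__ == "__main__":
    for mount, pct in disk_alerts(parse_snmpdf(SAMPLE_SNMPDF)).items():
        state = "missing from snmpdf output" if pct is None else f"{pct}% used"
        print(f"ALERT {mount}: {state}")
```

A sensible threshold for /var/lib/oracle, which holds the embedded database, is lower than for scratch space such as /tmp; the threshold parameter can be set per call if the watched filesystems are split into groups.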

12.3 Email Notification

Email notifications can be used to communicate Key Vault status changes directly to administrators, without their having to log in to the management console.

To enable email notification, you must set your email preferences in Key Vault. You can choose the events for which you want to be notified. The events include Key Vault system status such as disk utilization, backup, and high availability, and user and endpoint status such as the expiration of user passwords, endpoint certificates, and keys.

12.3.1 About Email Notification

In addition to alerting users on status changes in Oracle Key Vault, email notifications enable administrators to complete the processes of endpoint enrollment and user password reset.

For example:

  • The enrollment token generated during endpoint enrollment can be mailed directly to the endpoint administrator from Oracle Key Vault.

  • An Oracle Key Vault system administrator can send the random temporary password directly to the user when the user password is reset.

To enable email notifications successfully, there must be a direct connection between Oracle Key Vault and the SMTP server.

You can disable email notifications at any time.

12.3.2 Configure Email Settings

You can enable email notification by configuring the Simple Mail Transfer Protocol (SMTP) server properties of the user's email account. Oracle Key Vault also supports anonymous and non-secure connections to the SMTP server.

By default, the Java truststore packaged with Key Vault's Java library is used to validate the server certificate. Optionally, you can upload a custom truststore in order to use a specific certificate or certificate chain at the same time you configure the SMTP settings.

The SMTP server configuration can be modified at any time. If a custom SMTP certificate was used initially and you later decide to use the default, simply change the truststore setting from custom to default.

To configure email settings follow these steps:

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Click the System tab, and then click Email Settings. The Email Settings page appears.
  3. In the Email Settings page, enter values for the following:
    • SMTP Server Address: Enter a valid SMTP server address or hostname for the user account. This setting should match the SMTP server setting of the user's email account. Ensure that the SMTP server or hostname is reachable from Key Vault. If you enter the SMTP hostname, you must configure DNS from the System Settings menu, so the hostname can be resolved.

    • SMTP Port: Enter the SMTP port number of the outgoing SMTP server, usually 465. This port number can be another number, if expressly configured that way in your organization.

    • Name: Enter an alias for the SMTP user that will appear in the From field of the email.

    • From Address: Enter the email address you want to provide as a sender.

    • If the SMTP server requires a secure connection, select Require Secure Connection.

      Note:

      If you are using anonymous relay on Microsoft Exchange Server, or an external SMTP server such as Gmail or Office 365, do not select Require Secure Connection. Ensure that your firewall rules allow forwarding of SMTP requests to an external SMTP server.

      If Require Secure Connection is selected, the Authentication Protocol field is displayed with two options, SSL and TLS:

      • Select the authentication protocol for the email server, either SSL or TLS. The default is TLS.

    • If you have an SMTP user account, check the box Require Credentials. When checked, the input fields Username, Password, and Reenter Password appear:

      • Enter the username of the SMTP user account.

      • Enter the password for the SMTP user account.

      • Reenter the password for the SMTP user account.

      Caution:

      It is recommended to have a secure connection to the SMTP server, as auto-generated tokens are sent over email for operations like the creation of administrative users and Key Vault system alerts.

      Do not check Require Credentials for non-secure connections.

    • If Custom SMTP Server Certificate is checked, the field Upload Certificate File appears with a Choose File button to its right. Select this option if you want to upload a custom SMTP server certificate to establish a TLS session between the SMTP server and Oracle Key Vault. This is how an administrator adds a custom truststore in cases where the default Java truststore does not contain a necessary certificate.
      • Upload Certificate File: Click Choose File to upload a custom certificate file.

  4. Click Configure.

    On successful configuration, an 'SMTP successfully configured' message is displayed.

    If the configuration fails, you should check the SMTP server settings of the user email account and verify that they are correct. Error messages highlight the field where the error occurs to help isolate the problem.

12.3.3 Test the Email Configuration

You can test the email configuration of the SMTP user account any time after saving the configuration. If you change an existing SMTP configuration, you must save the configuration in order to test it.

To test the email configuration:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then select Email Settings.

    The Email Settings page appears.

  3. Configure the user's SMTP settings.
  4. Save the configuration. You must save the configuration in order to test it.
  5. In the Send Test Email section, enter the user email address in the Email Address field. Then click Test.

    An email is sent to the user with Oracle Key Vault: Test Message in the subject line.

    Depending on the Oracle Key Vault server timestamp, the email notification may not show up as the latest email.

    The email notification may also not show up in your inbox, in which case you must check the spam folder.

    If the email notification is not received, click the Reports tab and select System Reports from the left sidebar. On the System Reports page, click Notification Report. Check the list to determine the issue encountered while sending the email notification.

12.3.4 Disable Email Notifications for a User

An Oracle Key Vault user may elect not to receive email alerts. Only a user with the System Administrator role, or a user managing their own account, can disable email notifications.

To disable email notifications:

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab.

    The Manage Users page appears.

  3. Click User Name of the user.

    The User Details page appears.

  4. Check the box to the left of text Do not receive email alerts.
  5. Click the Save button on the top right.

    A 'Successfully updated user attributes' confirmation message appears.

12.4 Oracle Key Vault System Administration

The System Administrator is the only administrative user who can access the System tab and menus. This user configures system settings, recovers the system when no other administrative users are present, and downloads the system diagnostics file for further analysis.

12.4.1 Configure System Settings

On the System Settings page, you can configure the system time, syslog, DNS, network services, RESTful services, and Oracle Audit Vault integration. You can also reboot and power off Oracle Key Vault from this page. To reach it, click System, then System Settings in the left sidebar.

To configure system settings:

  1. Log into the Key Vault management console as a user with the System Administrator role.
  2. Select System, then System Settings from the left sidebar.

    The Settings page appears.

    Figure 12-2 Oracle Key Vault System Settings

    The system Settings page has the following panes:

    • System Time

      You can configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. If an NTP server is not available, then you can set the current time manually. You should use the calendar icon to set the date and time so that these values are stored in the correct format. In a high availability deployment, you must set the primary and standby servers to the same time.

    • Syslog

      All system-related alerts are sent to syslog. These include the following: Disk Utilization, System Backup, Failed System Backup, High Availability Role Change, High Availability Destination Failure, and SSH Tunnel Failure.

      Select the protocol to transfer syslog files: TCP for Transmission Control Protocol, a connection-oriented, reliable protocol, or UDP for User Datagram Protocol, a connection-less, best effort protocol.

      You can set the destination computer for syslog files by entering the IP address (and port number for TCP) in the format shown in the Syslog Destinations field. For more than one destination computer add the IP address (and port number for TCP) of each destination computer separated by a space.

      Note:

      For TCP, specify the IP address and the port number. For UDP, specify only the IP address.

      You can elect to send Key Vault alerts to syslog to allow external monitoring.

    • Network

      Fields in this pane are automatically populated with the IP address and hostname of your Oracle Key Vault server. If anything changes, you can update the Host Name, IP Address, Network Mask, and Gateway for your Key Vault installation. You cannot change the MAC Address, because this is the hard-wired address of the network interface.

      If you have a high availability configuration, then you must unpair the primary and standby Oracle Audit Vault Servers before changing the IP address. After you have changed the IP address of the primary or standby Oracle Audit Vault Server, pair the two servers again. After you complete the pairing process, redeploy the Oracle Audit Vault agents to ensure that they are updated with the new IP addresses for both the primary and the standby Oracle Audit Vault servers.

    • DNS

      You can configure Domain Name Service (DNS) to translate host names to IP addresses. This is useful if you only know the hostname, and not the IP address, of a server you need to access. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP address after you set up DNS.

    • Network Services

      You can enable services for Web Access and SSH Access (Secure Shell Access) for all, none, or a subset of clients, determined by their IP addresses by selecting one of the following options:

      • All, to select all IP addresses

      • IP address(es) to select a set of IP address(es) that you specify in the next field, separating each IP address by a space.

      The IP address(es) web access option allows you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.

      Enabling SSH Access gives you access to Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user 'support', with the support password you created during installation.

      If you are using the Bash shell, you may need to download patch sets or security fixes that work with SSH Access. Instructions on downloading and enabling patch sets or security fixes come with the patch set release notes.

      Best Practice: Enable SSH access for short durations, solely for diagnostics and troubleshooting purposes, and disable it as soon as you are done.

      Note:

      Enabling or disabling SSH access enables or disables inbound SSH connections to the Oracle Key Vault server. It has no bearing on the SSH Tunnel settings or on any other outbound SSH connection that the Oracle Key Vault server itself establishes; Oracle Key Vault can still open SSH connections to other servers, as in the case of SSH Tunnel settings.

    • RESTful Services

      • First, ensure that the Web Access options in Network Services are set.

      • Next, check the box after Enable to enable RESTful Services. RESTful services allow you to automate endpoint enrollment and provisioning.

    • Oracle Audit Vault Integration

      Check the box after Enable to enable audit report consolidation between Key Vault and Audit Vault. It will prompt you to enter and confirm the password.

  3. Modify any of the system settings and click Save.
  4. You can reboot or power off the Key Vault server by clicking Reboot and Power Off in the top right.

12.4.2 System Recovery

In an emergency when no administrative users are available, or you need to change the password of administrative users, you can recover the system with the recovery passphrase that was created during Key Vault installation. In addition, you can change the recovery passphrase to keep up with security best practices.

12.4.2.1 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault installation.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the page.
  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. In the Administrator Recovery page, fill out the fields in the Key Administrator, System Administrator, and Audit Manager panes to assign these roles to new or existing user accounts.
  6. Click Save.

12.4.2.2 Change the Recovery Passphrase

Oracle highly recommends that a user with the System Administrator role perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.

To change the recovery passphrase:

  1. From a web browser, enter the IP address of your Key Vault installation. The Key Vault login page appears. Do not log in.
  2. Click the System Recovery link.

    A new login page appears with a single field: Recovery Passphrase.

  3. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  4. Click Recovery Passphrase.

    The Recovery Passphrase page appears with two fields to enter and re-enter the new passphrase.

  5. Enter the new recovery passphrase in the two fields.
  6. Click Submit.

12.4.2.3 Change the Installation Passphrase

The Installation Passphrase is specified during installation. The Installation Passphrase is used to log in to Oracle Key Vault and complete the post-installation tasks.

The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.

If you forget the installation passphrase, you can specify a new installation passphrase.

It is important to store the installation passphrase securely.
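The installation passphrase rules above are the same rules that 12.2.2 gives for the SNMP password. The following Python code is an added example, not part of the Oracle documentation or product: it checks a candidate against exactly those rules and generates a random value that satisfies them, which is handy when the SNMP password is set non-interactively through stdby_snmp_enable. The page does not say that characters outside the listed special-character set are rejected, so the check does not reject them either (an assumption); the generator leaves out the space character to avoid shell-quoting mistakes, which is a choice of this example rather than a rule from the page.

```python
import secrets
import string

MIN_LENGTH = 8
# Special characters the page lists: period, comma, underscore, plus sign, colon, space.
SPECIAL_CHARS = ".,_+: "


def passphrase_problems(candidate):
    """Return the policy rules that candidate violates; an empty list means it passes.

    Characters outside SPECIAL_CHARS are not rejected, because the page does not
    say that they are (assumption of this example).
    """
    checks = (
        (len(candidate) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c in string.ascii_uppercase for c in candidate), "an uppercase letter"),
        (any(c in string.ascii_lowercase for c in candidate), "a lowercase letter"),
        (any(c in string.digits for c in candidate), "a number"),
        (any(c in SPECIAL_CHARS for c in candidate),
         f"a special character from '{SPECIAL_CHARS}'"),
    )
    return [rule for ok, rule in checks if not ok]


def generate_passphrase(length=16):
    """Generate a random passphrase that satisfies passphrase_problems().

    Space is left out of the alphabet so the value can be passed safely inside
    double quotes to a script such as stdby_snmp_enable (example's own choice).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS.replace(" ", "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every rule is met.
        if not passphrase_problems(candidate):
            return candidate


if __name__ == "__main__":
    for value in ("Okv_2024pass", "NoSpecial123", "Ok_1"):
        print(f"{value!r}: {passphrase_problems(value) or 'OK'}")
    print("generated:", generate_passphrase())
```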

To change the Installation Passphrase:

  1. Using SSH, log in to the Oracle Key Vault server terminal as the System Administrator.

    The Oracle Key Vault Server <Release Number> screen appears.

    Figure 12-3 Oracle Key Vault Server <Release Number> Screen
  2. Select Change Installation Passphrase and press Enter.

    The New Passphrase screen appears.

    Figure 12-4 New Passphrase Screen
  3. Type the new installation passphrase in the New Passphrase and Confirm fields. Select OK and press Enter.

    The Installation Passphrase screen appears.

    Figure 12-5 Installation Passphrase Screen
  4. Enter the old Installation Passphrase and press Enter.

The Installation Passphrase is changed.

12.4.3 Download System Diagnostics

You can view status information about disk usage, server uptime, version, high availability, and backup on the Status page. Further, you can download the diagnostics file and provide it to Oracle support for further analysis and debugging. This feature provides advanced debug and troubleshooting capability for problems you may encounter.

In Oracle Key Vault 12.2.0.6.0 and later, diagnostics reporting is disabled by default. You must enable the feature before diagnostics reports can be generated. Once it is enabled, you can configure which information is captured and how the diagnostics reports are packaged.

If you plan to upgrade Oracle Key Vault, then you must remove the diagnostics generation utility before performing the upgrade.

To download the diagnostics file:

  1. Log in to the Oracle Key Vault management console as a root user.
  2. Select System. The Status page appears.

    Figure 12-6 System Status Page


    The Status page displays the following information:

    • Uptime

    • Free Space

    • Version

    • High Availability Status

    • Backup Status

    • Disk Usage

  3. Click Download Diagnostics.

    If the diagnostics generation utility is not installed:

    1. You are prompted to save the diagnostics-not-enabled.readme file.

    2. Save and open diagnostics-not-enabled.readme. Follow the instructions to install, enable, and run the diagnostics generation utility.

    3. Install the diagnostics generation utility:
      /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --install
      
    4. Enable the collection of diagnostics:
      /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --enable ALL
      
  4. If diagnostics collection is enabled, you are prompted to download a .zip file containing the diagnostics reports.

    Save the .zip file containing the diagnostics reports.

You can customize the dbfw-diagnostics-package.yml file in the /usr/local/dbfw/etc/ directory to include and exclude a combination of files in multiple categories. Each section of dbfw-diagnostics-package.yml contains options to enable and disable a specific category by setting the value to true or false.

For more information about installing, enabling, and running the diagnostics generation utility, refer to the help:

/usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --help

To free up disk space, you can remove dbfw-diagnostics-package.rb after installing the diagnostics generation utility. You must also remove the diagnostics generation utility before you upgrade Oracle Key Vault.

/usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --remove

12.4.4 View the Oracle Key Vault Dashboard

The Home tab of the management console displays the dashboard when you log into the management console. The dashboard presents the current status of the Oracle Key Vault at a high level and is visible to all users.

Alerts and Managed Content are the first sections you will see on logging in.

Figure 12-7 Alerts and Managed Content Panes


The Data Interval, Operations, Endpoint Activity, and User Activity panes of the Home page follow Alerts and Managed Content.

Figure 12-8 Data Interval, Operations, Endpoint Activity, and User Activity Panes


12.4.5 Status Panes in the Dashboard

The status panes on the dashboard provide useful high level information as follows:

  • Alerts

    To take corrective action on a particular alert:

    1. Click the link in the Details column corresponding to the alert. The appropriate page appears.

    2. Take corrective action appropriate to the alert.

    To configure the alerts you want to see on the dashboard:

    1. Click the Reports tab, then Alerts from the left side bar.

      The Alerts page appears.

    2. Click Configure from the top right, or Configure Alerts from the left sidebar under ALERTS.

      The Configure Alerts page appears.

    3. Select the Alert Type and click Save.

  • Managed Content

    The Managed Content pane of the dashboard displays aggregated information about security objects currently stored and managed in Oracle Key Vault.

    This status pane categorizes the aggregate information based on the item type such as keys, certificates, opaque objects, private keys, and TDE master keys, as well as the item state such as pre-active, active, and deactivated.

    In the Managed Content pane, the item type and item state are displayed at the last time refreshed, which is set by the refresh interval described in the Data Interval status pane.

  • Data Interval

    This pane shows the length of the time period.

    This time period can be Last 24 hours, Last week, or Last Month, or a user-defined date range. It also shows the refresh interval for the Operations, Endpoint Activity, and User Activity sections described later.

  • Operations

    The Operations pane contains a bar graph with bars for key-related operations such as locate, activate, add endpoint, and assign default wallet.

  • Endpoint Activity

    The Endpoint Activity pane contains a bar graph for tracking the number of operations performed by each endpoint.

  • User Activity

    The User Activity pane contains a three-dimensional bar graph for tracking the number of operations performed by each user.

See Also:

"Search for Security Object Items" for details of Item Types and Item States

12.5 Oracle Key Vault Alert Configuration

You can select the type of alerts that you want to see in the Oracle Key Vault dashboard. The dashboard is the first page you see on logging in to the management console. You can navigate to this page by clicking the Home tab. All users can see the alerts on security objects they have access to, but only users with the System Administrator role can configure alerts.

12.5.1 About Configuring Alerts

Oracle Key Vault has a variety of alerts that you can configure with appropriate thresholds according to your requirements. You can configure the following alerts:

  • Disk Utilization

  • Endpoint Certificate Expiration

  • Failed System Backup

  • High Availability Data Guard Broker Status

  • High Availability Data Guard Fast-Start Failover Status

  • High Availability Destination Failure

  • High Availability Restricted Mode

  • High Availability Role Change

  • Key Rotations

  • SSH Tunnel Failure

  • System Backup

  • User Password Expiration

  • Invalid HSM Configuration

12.5.2 Configuring Alerts

To configure alerts:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Reports tab.
  3. Select Configure Alerts from the left sidebar.

    The Configure Alerts page appears.

    Figure 12-9 Configure Alerts Page

  4. Select the check box in the Enabled column to the right of each alert type that you want to enable. Then set the threshold value in the box under Limit; this value determines when the alert is sent. Clear the check box beside any alert that you do not want to appear in the dashboard.
  5. Click Save.

12.5.3 Viewing Open Alerts

Users with the System Administrator role can view all alerts. Users without system administrator privileges can only view alerts related to objects they can access.

To view open alerts follow these steps:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the Reports tab. The Audit Trail appears.
  3. Click Alerts from the left sidebar.

    The Alerts page appears, displaying all the alerts that have not been resolved. When you resolve the issue stated in the alert message, the alert is automatically removed. Alerts cannot be explicitly deleted.

    Oracle Key Vault sends all system alerts to the syslog. The following is an example of a system alert in syslog:

    July 29 18:36:29 okv080027361e7e logger[13171]: No successful backup done for 4 day(s)
    

    The following table lists the conditions that trigger alerts, and the accompanying system alert message:

    Condition -> System Alert Message

    Key Rotations -> Key expiration: <date>
    Endpoint Certificate Expiration -> Endpoint certificate expiration: <date>
    User Password Expiration -> Password expiration: <date>
    Disk Utilization -> Free disk space is below <threshold value> (currently <current value>)
    System Backup -> No successful backup for <number> day(s)
    Failed System Backup -> Most recent backup failed!
    High Availability Role Change -> HA role changed. Primary IP Address: <IP address>
    High Availability Destination Failure -> HA destination failure
    SSH Tunnel Failure -> SSH tunnel is not available
    High Availability Restricted Mode -> HA running in read-only restricted mode
    High Availability Data Guard Fast-Start Failover Status -> HA FSFO is not synchronized. FSFO status is <HA status>
    High Availability Data Guard Broker Status -> Dataguard Broker is disabled
    OKV Server Certificate Expiration -> The Oracle Key Vault Server certificate is expiring within 30 days. Please refer to the Oracle Key Vault Administrator's Guide.
    Invalid HSM Configuration -> HSM configuration error. Please refer to the "HSM Alert" section in the Oracle Key Vault Integration with Hardware Security Module
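Because every alert also lands in syslog, a monitoring host that receives the forwarded log can turn the message table above into detection rules without polling the console. The Python classifier below is an added example, not part of Oracle Key Vault: it parses the syslog line shape from the page's example, matches the message against one pattern per table row (the angle-bracket placeholders become named groups), and counts alerts per condition. The sample feed is constructed; only its first line comes from the page, and the backup pattern treats the word "done" as optional because the page's sample line contains it while the table entry does not.

```python
import re

# Shape of the syslog line shown on the page:
#   July 29 18:36:29 okv080027361e7e logger[13171]: No successful backup done for 4 day(s)
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>\w+ \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) logger\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

# One entry per condition in the page's table. "done" is optional in the backup
# pattern because the page's sample line includes it and the table entry does not.
ALERT_PATTERNS = [
    ("Key Rotations", r"^Key expiration: (?P<date>.+)$"),
    ("Endpoint Certificate Expiration", r"^Endpoint certificate expiration: (?P<date>.+)$"),
    ("User Password Expiration", r"^Password expiration: (?P<date>.+)$"),
    ("Disk Utilization", r"^Free disk space is below (?P<threshold>\S+) \(currently (?P<current>[^)]+)\)$"),
    ("System Backup", r"^No successful backup (?:done )?for (?P<days>\d+) day\(s\)$"),
    ("Failed System Backup", r"^Most recent backup failed!$"),
    ("High Availability Role Change", r"^HA role changed\. Primary IP Address: (?P<ip>\S+)$"),
    ("High Availability Destination Failure", r"^HA destination failure$"),
    ("SSH Tunnel Failure", r"^SSH tunnel is not available$"),
    ("High Availability Restricted Mode", r"^HA running in read-only restricted mode$"),
    ("High Availability Data Guard Fast-Start Failover Status",
     r"^HA FSFO is not synchronized\. FSFO status is (?P<status>.+)$"),
    ("High Availability Data Guard Broker Status", r"^Dataguard Broker is disabled$"),
    ("OKV Server Certificate Expiration",
     r"^The Oracle Key Vault Server certificate is expiring within 30 days\."),
    ("Invalid HSM Configuration", r"^HSM configuration error\."),
]
COMPILED_PATTERNS = [(name, re.compile(pattern)) for name, pattern in ALERT_PATTERNS]


def classify_alert(line):
    """Return (condition, fields) for a recognised Key Vault alert line, else None."""
    match = SYSLOG_LINE.match(line)
    if not match:
        return None
    for condition, pattern in COMPILED_PATTERNS:
        hit = pattern.match(match.group("message"))
        if hit:
            fields = {"host": match.group("host"), "timestamp": match.group("timestamp")}
            fields.update(hit.groupdict())
            return condition, fields
    return None


def summarize(lines):
    """Count recognised alerts per condition; anything else is reported as unclassified."""
    counts = {}
    for line in lines:
        result = classify_alert(line)
        key = result[0] if result else "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample feed: the first line is the page's example, the rest are made up
# in the same shape. 192.0.2.10 is a documentation address.
SAMPLE_LINES = [
    "July 29 18:36:29 okv080027361e7e logger[13171]: No successful backup done for 4 day(s)",
    "July 29 18:40:01 okv080027361e7e logger[13190]: Free disk space is below 25% (currently 18%)",
    "July 30 09:12:44 okv080027361e7e logger[13210]: HA role changed. Primary IP Address: 192.0.2.10",
    "July 30 09:13:00 okv080027361e7e logger[13211]: Endpoint certificate expiration: 2024-08-15",
    "July 30 09:15:22 okv080027361e7e logger[13230]: cron job completed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_alert(line))
    print(summarize(SAMPLE_LINES))
```

The extracted fields (days without a backup, current free space, the new primary address) are what a SIEM rule would threshold on or attach to a ticket; an unclassified line from the same logger is itself worth a look, since it means the appliance emitted a message the table does not list.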

12.6 Oracle Key Vault Auditing

Oracle Key Vault records and time-stamps all endpoint and user activity, with details on who initiated which action, with what keys and tokens, and the result of the action.

12.6.1 About Auditing in Oracle Key Vault

Oracle Key Vault records all endpoint and user activity including endpoint groups and user groups from endpoint enrollment and user password reset, to the management of keys and wallets, and changes to system settings and SNMP credentials. In addition, it records the success or failure of each action.

This recording of comprehensive system activity is presented in an audit trail, which, while visible to all users, can only be managed by a user with the Audit Manager role. This user alone has the privilege to export or delete audit records up to a given date.

Auditing in Oracle Key Vault is enabled by default.

A user with the Audit Manager role can see all the audit records and manage them. Other users can see only those audit records that pertain to security objects they have created or have been granted access to.

You can export audit records to view system activity off line. After exporting the records, you can delete them from the system to free up resources.

See Also:

"Overview of Administrative Roles" for more on Audit Manager privileges

12.6.2 Configuring Syslog to Store Audit Records

You can configure the Oracle Key Vault system log to store audit records if the System Administrator has enabled this functionality.

To configure the Oracle Key Vault system log to store audit records:

  1. Log in to the Oracle Key Vault management console as the Audit Manager.
  2. Click the Reports tab. The Audit Trail page is displayed.

    Figure 12-11 Audit Trail Page

  3. Click Send Audit Records To Syslog.

    If Syslog is not configured, an error message “Syslog forwarding to remote machines not enabled.” is displayed.

    Figure 12-12 Error Message-Remote Syslog is Not Enabled


    For more information about configuring Syslog, see Configure System Settings.

  4. If Syslog is configured, the Settings page is displayed. In the Syslog section, do the following:
    1. Select the protocol to use to transfer Syslog files: TCP or UDP.
    2. Enter the IP address of the remote system where Syslog files are stored.
  5. Click Save.
The remote Syslog stores audit records.

12.6.3 View Audit Records

The reports page shows the Audit Trail by default. The Audit Trail page lists all system activity with details on who (Subject Name) performed what (Operation), when (Time), using what (Object), and the result of the action (Result).

To view the audit trail follow these steps:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab.

    The Audit Trail page appears.

Figure 12-14 Audit Trail Page


12.6.4 Export or Delete Audit Records

A user with the Audit Manager role may export or delete the audit trail as needed. Audit records are exported in a .csv file that can be downloaded to the user's local system. The .csv file contains the same details found in the Audit Trail on the Reports page.

Note that the timestamp in the .csv file reflects the time zone of the particular Key Vault server whose records were exported.

To export or delete the audit trail:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab.

    The Audit Trail is displayed.

  3. Click Export/Delete on the top right.

    The Export/Delete Audit Records page appears.

    Figure 12-15 Export/Delete Audit Records Page

  4. Select the date by clicking the calendar icon.

    The number of records appears.

  5. Click Export to download the audit records in .csv file format to a local folder.

    After you export the records you can delete them from Key Vault to free up resources.

  6. Click Delete to remove audit records.

    A confirmation message appears, warning you about permanent loss of audit records.

  7. Click OK to delete and Cancel to stop.
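The time zone note above matters as soon as exports from more than one Key Vault server are reviewed together: each file carries local time for its own server, so the records cannot be placed on one timeline until they are converted. The Python script below is an added example, not part of Oracle Key Vault. It reads two constructed exports whose column names follow the page (Subject Name, Operation, Time, Object, Result), converts each Time value to UTC using the exporting server's offset, merges the rows in time order, and pulls out the operations that did not succeed. The timestamp layout, the Result values and the fixed UTC offsets are assumptions; a production job would use each server's IANA zone through zoneinfo rather than a fixed offset.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports from two Oracle Key Vault servers. The column names
# follow the page; the timestamp layout and the Result values are assumptions.
EXPORT_WEST = """Subject Name,Operation,Time,Object,Result
OKVADMIN,Login,2024-07-29 18:36:29,Management Console,Success
hr_db_endpoint,Get Key,2024-07-29 18:37:02,KEY-4f2c,Success
finance_endpoint,Get Key,2024-07-29 18:40:15,KEY-9a11,Failure
AUDITOR,Delete Audit Records,2024-07-29 19:01:00,Audit Trail,Success
"""
EXPORT_EAST = """Subject Name,Operation,Time,Object,Result
OKVADMIN,Login,2024-07-30 03:30:00,Management Console,Success
"""

# Each server writes its own local time, so the analyst must know each server's zone.
# Fixed offsets are used here so the example runs without tzdata (an assumption).
WEST_TZ = timezone(timedelta(hours=-7))
EAST_TZ = timezone(timedelta(hours=2))
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the Time column


def normalize_audit_export(csv_text, server_name, server_tz):
    """Parse one export and attach the server name and a UTC timestamp to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        local = datetime.strptime(row["Time"], TIME_FORMAT).replace(tzinfo=server_tz)
        row["Server"] = server_name
        row["Time (UTC)"] = local.astimezone(timezone.utc).strftime(TIME_FORMAT + "Z")
        rows.append(row)
    return rows


def merge_exports(exports):
    """Combine exports from several servers into one timeline ordered by UTC time."""
    merged = []
    for server_name, csv_text, server_tz in exports:
        merged.extend(normalize_audit_export(csv_text, server_name, server_tz))
    # The UTC strings are zero-padded, so lexical order is chronological order.
    merged.sort(key=lambda r: r["Time (UTC)"])
    return merged


def failed_operations(rows):
    """Rows whose Result is anything other than Success."""
    return [r for r in rows if r["Result"] != "Success"]


def consolidated_timeline():
    """Merge the two constructed exports; both server names are made up."""
    return merge_exports([("okv-west", EXPORT_WEST, WEST_TZ), ("okv-east", EXPORT_EAST, EAST_TZ)])


if __name__ == "__main__":
    for r in consolidated_timeline():
        print(r["Time (UTC)"], r["Server"], r["Subject Name"], r["Operation"], r["Object"], r["Result"])
    print("failed:", [r["Object"] for r in failed_operations(consolidated_timeline())])
```

Without the conversion the east server's 03:30 login would sort after every west-server row, although it actually happened six minutes before the west administrator logged in. Keeping the Server column on each merged row preserves which appliance each record came from, which is the provenance an auditor needs once the originals have been deleted from the appliance to free up space.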

12.6.5 Audit Consolidation with Audit Vault and Database Firewall

Oracle Key Vault audit data can be forwarded to Audit Vault and Database Firewall (AVDF) for audit consolidation.

To enable audit consolidation with AVDF:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the System tab, then System Settings.

    The Settings page appears.

  3. Click the box to the right of Enable in the Oracle Audit Vault Integration pane. Two password fields appear: Enter Password and Reenter Password.
  4. Enter the password and confirm it.

    You must keep this password in a safe place. You will need it when you create a secured target on the AVDF side.

12.7 Oracle Key Vault Reports

Oracle Key Vault collects statistical information on system activity, the expiration of certificates, keys, and passwords, entitlement status, and metadata in four report categories: endpoints, users, keys, and system.

12.7.1 About Oracle Key Vault Reports

Oracle Key Vault provides four types of reports for endpoints, users, keys and wallets, and system.

The four report types and their description are:

  • Endpoint reports contain details of all endpoint and endpoint group activity, certificate and password expiration, and access privileges.

  • User reports contain details of all user and user group activity, their certificate and password expiration, and access privileges.

  • Keys and wallets reports list the access privileges granted to all keys and wallets, and the details of TDE master keys managed by Key Vault.

  • System reports contain a history of system backups taken and scheduled, details of remote restoration points, and RESTful API usage.

The Audit Manager can view all reports. The Key Administrator can view User reports and Keys and Wallets reports. Users with System Administrator privileges can view Endpoint, User, and System reports.

See Also:

"Oracle Key Vault Auditing" for more on audit reports

12.7.2 View Reports for Endpoint, User, Keys and Wallets, and System

The Reports page lists the four report types in the left side bar under the heading REPORTS.

To view the reports for endpoints, users, keys and wallets, and system:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab to get to the Reports page.
  3. The REPORTS heading displays four reports: Endpoint Reports, User Reports, Keys and Wallets Reports, System Reports.

See Also:

Figure 12-14 shows the Key Vault Audit Trail

12.7.2.1 View Endpoint Reports

Key Vault offers four endpoint reports for Endpoint Activity, Endpoint Certificate Expiry, Endpoint Entitlement, and Endpoint Metadata.

To view endpoint reports:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab to get to the Reports page.
  3. Click Endpoint Reports under Reports in the left sidebar.

    The Endpoint Reports page appears displaying four endpoint report types.

    Figure 12-16 Endpoint Reports


    Click the link under Name to view the report you want.

  4. Click Endpoint Activity Report to view the corresponding report.

    Figure 12-17 Endpoint Activity Report

  5. Click Endpoint Certificate Expiry Report to view the corresponding report.

    Figure 12-18 Endpoint Certificate Expiry Report

  6. Click Endpoint Entitlement Report to view the corresponding report.

    Figure 12-19 Endpoint Entitlement Report

  7. Click Endpoint Metadata Report to view the corresponding report.

    Figure 12-20 Endpoint Metadata Report


12.7.2.2 View User Reports

Key Vault offers four user reports for User Activity, User Entitlement, User Expiry, and User Failed Login.

To view user reports:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab.
  3. Click User Reports to see user specific reports.

    The User Reports page appears displaying the four types of user reports.

    Click the report name to see the corresponding user report.

12.7.2.3 View Keys and Wallets Reports

Key Vault offers two reports for keys and wallets: Entitlement and TDE Key Metadata.

To view reports for keys and wallets:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab.
  3. Click Keys and Wallets Reports under the REPORTS heading.

    The Keys and Wallets Reports page appears displaying the reports available. Click the report name to see the corresponding report.

Figure 12-22 Keys and Wallets Reports


12.7.2.4 View System Reports

Key Vault offers three system reports for Backup History, Backup Restoration Catalog, and RESTful API Usage.

To view system reports:

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Click the Reports tab.
  3. Click System Reports under the REPORTS heading.

    The System Reports page appears displaying the system reports available.

    Click the report type to see the corresponding system report.

12.8 Upgrade Oracle Key Vault Server Software

When you upgrade the Key Vault server software appliance, it is recommended that you also upgrade the endpoint software to get the latest enhancements. However, the previous version of endpoint software will continue to function with the upgraded Oracle Key Vault Server.

12.8.1 How an Oracle Key Vault Server Software Upgrade Works

You must upgrade in the following order: first perform a full backup of Key Vault; then upgrade the Key Vault server (or the server pair, in a high availability deployment); then upgrade the endpoint software; and last, perform another full backup of the upgraded server. Note that upgrading requires a reboot of the Oracle Key Vault appliance.

The Oracle Key Vault server is not available to endpoints for a limited duration during the upgrade. You can enable the persistent cache feature to enable endpoints to continue operation during the upgrade process.

12.8.2 Step 1: Back Up the Server Before Upgrade

Before you upgrade the Key Vault server, we recommend that you back up the server you are upgrading. This step ensures that you can recover if the upgrade fails unexpectedly.

Caution:

Do not skip this step. Back up the server before you perform the upgrade so your data is safe and recoverable.

12.8.3 Step 2: Pre-Upgrade Tasks for Release 12.2.0.0.0

To ensure a smooth upgrade to Oracle Key Vault 12.2.0.0.0, the following steps are recommended:

  • Ensure that the minimum disk space requirement for an upgrade is met.

  • Ensure that no full or incremental backup jobs are running. Delete all scheduled full or incremental backup jobs before the upgrade.

  • Plan for downtime according to the following specifications:

    Oracle Key Vault Usage -> Downtime required

    Wallet upload or download -> NO
    Java Keystore upload or download -> NO
    Transparent Data Encryption (TDE) direct connect -> YES
    Primary Server Upgrade in a high availability deployment -> YES

    If an online master key (formerly known as TDE direct connect) is used with Oracle Key Vault, then plan for a downtime of 15 minutes during the Oracle Database endpoint software upgrades. Database endpoints can be upgraded in parallel to reduce total downtime.

    For a primary server upgrade in a high availability deployment plan for a downtime of 1 hour.

  • If the Oracle Key Vault system has a syslog destination configured, ensure that the remote syslog destination is reachable from the Oracle Key Vault system, and that logs are being correctly forwarded. If the remote syslog destination is not reachable from the Oracle Key Vault system, then the upgrade process can become much slower than normal.

12.8.4 Step 3: Upgrade the Oracle Key Vault Server or Server Pair

How you upgrade the Oracle Key Vault server depends on whether you are using a standalone environment or a high availability deployment.

12.8.4.1 About the Upgrade of an Oracle Key Vault Server or Server Pair

Oracle Key Vault may be deployed as a standalone appliance in test and development environments or in a high availability configuration in production environments. In a standalone deployment you must upgrade a single Key Vault server, but in a high availability deployment you must upgrade both primary and standby Key Vault servers. Note that persistent caching enables endpoints to continue to be operational during the upgrade process.

Note:

  • Ensure that the system you are upgrading has 8 GB memory. From release 12.2.0.2.0 and onwards you must have 8 GB memory. In a high availability deployment both primary and standby servers must have 8 GB system memory.

  • If you are upgrading from a system with 4 GB memory, first add an additional 4 GB memory to the system before upgrading.

12.8.4.2 Upgrade a Standalone Key Vault Server

This procedure is for upgrading a single Key Vault server in a standalone deployment, the most typical deployment in test and development environments.

To upgrade to Oracle Key Vault 12.2.0.0.0:

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable. Do not proceed without completing this step.
  2. Ensure that SSH access is enabled by logging in to the management console and checking System Settings -> Network Services -> SSH Access.
  3. Ensure you have enough space in the destination directory for the upgrade ISO.
  4. Log in to the Oracle Key Vault Server through SSH as user support, then switch user (su) to root.
  5. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method:
    scp remote_host:remote_path/okv-upgrade-disc-12.2.0.0.0.iso /var/lib/oracle/<destination_directory where you are copying the iso file to>
    

    Where:

    remote_host is the IP address of the computer containing the ISO upgrade file

    remote_path is the directory of the ISO upgrade file

  6. Make the upgrade accessible using the mount command:
    root# /bin/mount -oloop,ro /var/lib/oracle/okv-upgrade-disc-12.2.0.0.0.iso /images 
    
  7. Clear the cache using this command:
    root# yum -c/images/upgrade.repo clean all
    
  8. Apply the upgrade with this command:
    root# /usr/bin/ruby /images/upgrade.rb --confirm
    

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes.

    If you see an error message, then check the log file /var/log/messages for additional information.

  9. Reboot the Key Vault server by running the command:
    root# /sbin/reboot
    

    On first reboot after upgrade, the system will apply changes. This can take up to 45 minutes. Do not shut down the system during this time.

    The upgrade is complete when the screen with the heading Oracle Key Vault Server 12.2.0.0.0 appears. The revision shown should be the upgraded release. Below the heading is the menu item Display Appliance Info. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.

  10. Log in to the Oracle Key Vault management console UI as System Administrator. Select the System tab, and then Status. Verify that the version displayed is 12.2.0.0.0.

12.8.4.3 Upgrade a Pair of Key Vault Servers in a High Availability Deployment

Note:

  • Allocate 1 hour to upgrade the primary server after upgrading the standby. You must upgrade the standby and primary servers in one session, with as little time as possible between the standby and primary upgrades. Note that the upgrade time is approximate and depends on the volume of data stored and managed by Oracle Key Vault. For large volumes of data the upgrade time may be greater than an hour.

  • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

  • Upgrade the Oracle Key Vault Server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade.

  • Ensure that both the primary and standby systems have 8 GB memory.

  • With persistent cache enabled endpoints will continue to be operational during the upgrade process.

To upgrade a pair of Oracle Key Vault Servers configured for high availability:

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable. Do not proceed without completing this step.
  2. First upgrade the standby server while the primary server is running.

    Follow Step 2 through to Step 10 of the standalone mode upgrade process.

  3. Ensure that the upgraded standby Oracle Key Vault Server is restarted and running.
  4. Upgrade the primary Oracle Key Vault Server following Steps 1-10 of the standalone mode upgrade.

    After both the standby and primary Key Vault servers are upgraded, the two servers will automatically sync up.

  5. Log in to the Oracle Key Vault management console as System Administrator. Select the System tab, and then Status. Verify that the Version field displays the new software version 12.2.0.0.0.

12.8.5 Step 4: Upgrade Endpoint Software

To upgrade the endpoint software:

  1. Ensure that you have upgraded the Key Vault server(s) as outlined in Step 1. If you are upgrading the endpoint software for an Oracle database configured for direct connect, then shut down the database.

  2. Download the endpoint software (okvclient.jar) for your platform from the Oracle Key Vault Server as follows:

    1. Go to the Oracle Key Vault management console login screen.

    2. Click the Endpoint Enrollment and Software Download link.

    3. Go to the Download Endpoint Software section, and select the appropriate platform from the drop down list.

    4. Click the Download button.

  3. Identify the path to your existing endpoint installation which is about to be upgraded. For example, /home/oracle/okvutil

  4. Install the endpoint software by executing the following command:

    java -jar okvclient.jar -d <path to the existing endpoint directory>

    For example, java -jar okvclient.jar -d /home/oracle/okvutil

  5. On UNIX platforms, run root.sh from the bin directory of the endpoint installation directory to copy the latest liborapkcs.so file for Oracle Database endpoints. On Windows platforms, run root.bat from the bin directory of the endpoint installation directory to copy the latest liborapkcs.dll file for Oracle Database endpoints. This step is needed only for online TDE master key management by Oracle Key Vault. For example, on UNIX platforms:

    $ sudo $OKV_HOME/bin/root.sh

    Or:

    $ su -
    # bin/root.sh

    On Windows platforms:

    bin\root.bat
    

    On Windows platforms, you are prompted for the version of the RDBMS in use when you execute root.bat.

  6. Restart the endpoint if it was shut down in Step 1.

12.8.6 Step 5: Back Up the Just-Upgraded Server

You must perform the following tasks after completing a successful upgrade:

  • Take a full backup of the upgraded Oracle Key Vault Server Database to a new remote destination. Avoid using the old backup destination for the new backups.

  • Schedule a new periodic incremental backup to the new destination defined in the step above.

  • Password hashing was upgraded to a more secure standard starting in version 12.1.0.2. This change affects the operating system passwords for the support and root accounts. If you have not done so already, you must change the Oracle Key Vault administrative passwords after the upgrade to take advantage of the more secure hash.

    Password hashing is applicable only when upgrading from Oracle Key Vault 12.1.0.0.0 to Oracle Key Vault 12.2.0.0.0 directly or from Oracle Key Vault 12.1.0.1.0 to Oracle Key Vault 12.2.0.0.0 directly. This fix was included in Oracle Key Vault 12.1.0.2.0 and onwards.