Oracle Key Vault is a software appliance that is delivered as an ISO image. Key Vault should be installed onto its own dedicated physical server.
The software appliance consists of a pre-configured operating system, an Oracle database, and the Oracle Key Vault application.
You can install the Oracle Key Vault appliance by meeting specific system requirements and completing a set of post-installation tasks.
The Oracle Key Vault installation requirements cover system requirements like CPU, RAM, disk space, network interfaces, and supported endpoint platforms.
The Oracle Key Vault installation removes existing software on a server.
Deployment on virtual machines is not recommended for production systems. However, virtual machines are useful for testing and proof of concept purposes.
The minimum hardware requirements for deploying the Oracle Key Vault software appliance are:
CPU: Minimum: x86–64 2 cores, Recommended: 8–16 cores with cryptographic acceleration support (Intel AESNI)
Memory: Minimum 8 GB of RAM, Recommended: 32–64 GB
Disk: Minimum 500 GB, Recommended: 1 TB
Network interface: One network interface
Hardware Compatibility: Refer to the hardware compatibility list (HCL) for Oracle Linux Release 6 Update 9 at the link in the See Also section.
Note:
Ensure that the hardware supports booting in legacy BIOS mode. Hardware that supports Unified Extensible Firmware Interface (UEFI) only is currently unable to recognize the Oracle Key Vault ISO image. Also be aware that Oracle Key Vault does not support the QLogic QL4* family of network cards.
RESTful Services Client: If RESTful Services are enabled, then each endpoint that connects to the Oracle Key Vault management console must have at least Java 1.7.0_21 installed.
The REST API requires the cURL utility. Ensure that cURL 7.43 or higher is installed on the endpoint system before using the REST API to provision endpoints.
Note:
For deployments with a large number of endpoints, the hardware requirements may need to scale to meet the workload.
See Also:
The hardware certification list for Oracle Linux and Oracle VM may be found at the Oracle Linux website at:
http://linux.oracle.com/pls/apex/f?p=117:1
You can find the supported hardware by filtering results through All Operating Systems and choosing Oracle Linux 6.9.
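A pre-check for the RESTful Services client requirements above (Java 1.7.0_21 and cURL 7.43 as minimums), added here as an example and not part of Oracle's documentation or tooling. The function names and the sample outputs are constructed for illustration; the script parses the text printed by `java -version` and `curl --version`.

```shell
#!/bin/sh
# Minimum versions stated in the requirements above.
MIN_JAVA="1.7.0_21"
MIN_CURL="7.43"

# ver_ge A B: succeed when version A >= version B. Fields are split on
# '.', '_' and '-' and compared numerically; missing fields count as 0.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[._-]/); nb = split(b, y, /[._-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# java_version TEXT: quoted version string from `java -version` output.
java_version() {
  printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# curl_version TEXT: second word of the first line of `curl --version`.
curl_version() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2 }'
}

# check_rest_prereqs JAVA_TEXT CURL_TEXT: report each tool and fail if
# either is missing or older than its minimum. Runs in a subshell.
check_rest_prereqs() (
  rc=0
  jv=$(java_version "$1"); cv=$(curl_version "$2")
  if [ -n "$jv" ] && ver_ge "$jv" "$MIN_JAVA"; then echo "OK   java $jv"
  else echo "FAIL java ${jv:-not found} (need >= $MIN_JAVA)"; rc=1; fi
  if [ -n "$cv" ] && ver_ge "$cv" "$MIN_CURL"; then echo "OK   curl $cv"
  else echo "FAIL curl ${cv:-not found} (need >= $MIN_CURL)"; rc=1; fi
  [ "$rc" -eq 0 ]
)

# Constructed sample output, not captured from a real host.
SAMPLE_JAVA='java version "1.7.0_09"
Java(TM) SE Runtime Environment (build 1.7.0_09-b05)'
SAMPLE_CURL='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0'

# On an endpoint: check_rest_prereqs "$(java -version 2>&1)" "$(curl --version)"
check_rest_prereqs "$SAMPLE_JAVA" "$SAMPLE_CURL" || echo "endpoint not ready"
```

The underscore in legacy Java version strings is treated as a field separator, so `1.7.0_09` compares below `1.7.0_21` while `1.8.0_292` and `17.0.2` compare above it.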
Oracle Key Vault and its endpoints use a set of special ports for communication. Network administrators must ensure that these ports are open in the network firewall.
Table 3-1 lists the required network ports for Oracle Key Vault:
Table 3-1 Ports Required for Oracle Key Vault
| Port Number | Protocol | Descriptions |
|---|---|---|
| | SSH/SCP Port | Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault. |
| | SNMP Port | Used by monitoring software to poll Oracle Key Vault for system information. |
| | HTTPS Port | Used by web clients such as browsers and RESTful Services to communicate with Oracle Key Vault. |
| | Database TCPS Listener Port | Listener port used in a high availability configuration by Oracle Data Guard to communicate between the primary and standby server. |
| | Database TCPS Listener Port | Listener port used in a high availability configuration to run OS commands like synchronizing wallets and configuration files via HTTPS. |
| | KMIP Port | Used by Oracle Key Vault endpoints and third party KMIP clients to communicate with the Oracle Key Vault KMIP Server. |
Oracle supports both 32-bit and 64-bit Linux endpoints. However, only 64-bit endpoints are supported for Oracle databases that use Online Master Key, previously called TDE direct connections.
The supported endpoint platforms in this release are:
Oracle Linux (5.x, 6.x, and 7.x)
Oracle Solaris (10.x and 11.x)
Oracle Solaris Sparc (10.x and 11.x)
RHEL 5, 6, and 7
IBM AIX (5.3, 6.1 and 7.1)
HP-UX (IA) (11.31)
Windows Server 2008
Windows Server 2012
Endpoints that are Oracle Database 10g Release 2 and later can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault. Endpoints that are Oracle Database 11g Release 2 and later can use the Online Master Key to manage TDE master keys.
Note that the term Online Master Key replaces the term TDE direct connection.
Endpoints that are Oracle Database might need to set the COMPATIBLE initialization parameter.
For an endpoint that is Oracle Database 11.2 or 12.1, set the COMPATIBLE initialization parameter to 11.2.0.0 or higher. For example:
SQL> ALTER SYSTEM SET COMPATIBLE = '11.2.0.0' SCOPE=SPFILE;
This applies to an Oracle Database endpoint that is connected with Oracle Key Vault using an Online Master Key (formerly known as TDE direct connection). This compatibility mode setting is not required for Oracle wallet upload or download operations.
Also note that after setting the COMPATIBLE parameter to 11.2.0.0, you cannot set it to a lower value like 10.2. After setting the COMPATIBLE parameter you must restart the database.
See Also:
Oracle Database Administrator's Guide for more information about setting the COMPATIBLE parameter
This section explains how to install and configure Oracle Key Vault 12.2.0.5.0 and later. To install and configure Oracle Key Vault 12.2.0.4.0 and earlier, see Installing and Configuring Oracle Key Vault 12.2.0.4.0 and Earlier.
For a fresh installation, the Oracle Key Vault appliance software can be downloaded from Software Delivery Cloud. Note that this package cannot be used to upgrade Oracle Key Vault.
For an upgrade, Oracle Key Vault can be downloaded from the Oracle Automated Release Updates (ARU) website.
To download the Oracle Key Vault Appliance Software:
The installation process installs all required software components onto a dedicated server. The installation process may take from 30 minutes to an hour to complete, depending on the server resources where you are installing Oracle Key Vault.
Caution:
The Oracle Key Vault installation wipes the server and installs a stripped-down version of Oracle Linux 6.9, thus erasing existing software and data on the server.
Ensure that the server meets the recommended requirements.
Request a fixed IP address, network mask, and gateway address from your network administrator for the dedicated server. You will need this information to configure the network in Step 13.
To install the Oracle Key Vault appliance:
After you install Oracle Key Vault, you must complete the following post-installation tasks: setting up the administrative user accounts, and passwords for recovery, root, and support.
To perform the post-installation tasks:
The Oracle Key Vault management console is a browser-based console that connects to the appliance using the https secure communication channel. It provides the graphical user interface for Oracle Key Vault, where users can perform tasks like:
Creating and managing users, endpoints, and their respective groups
Creating and managing virtual wallets and security objects
Setting system settings, like network and other services
Setting up high availability and backup
Many of the tab and menu pages contain an Actions menu or Search bars that allow you to search and perform actions on lists and the results of searches.
Note:
Detailed help for the Actions menus and Search bars is provided in the Help selection of the Actions drop-down list.
The actions available from an Actions drop-down menu can vary but typically include a set of standard menu items.
These items are as follows:
Select Columns: Select which column should be displayed.
Filter: Filter by column or row and a user-defined expression.
Rows Per Page: Choose how many rows you want to view.
Format: Choose formatting such as Sort, Control Break, Highlight, Compute, Aggregate, Chart, and Group By.
Save Report: Save reports.
Reset: Reset the report settings, removing any customizations.
Help: Get information about these actions.
Download: Download the result set in CSV or HTML.
Along with Actions menus, many tabs contain search bars.
This demonstration searches for endpoints, but the process is the same for other searches, except that the column headings are different.
Wildcard characters are not supported, but the search does match any letter or phrase that you enter. You can use the Filter menu item under Actions to further fine-tune the search.
To perform a search: