Oracle Key Vault endpoints are computer systems such as database servers, application servers, and other information systems that use keys and credentials to access encrypted data and other systems. Endpoints must be registered and enrolled before they can communicate with Oracle Key Vault; after that they can upload their keys to Key Vault, share them with other endpoints, and download them to access their data.
Only a user with the System Administrator role can add an endpoint to Key Vault. Once the endpoint is added, the endpoint administrator enrolls it by downloading and installing the endpoint software on the endpoint. The endpoint can then use the utilities packaged with the endpoint software to upload security objects to, and download them from, Key Vault.
All users can create virtual wallets, but only a user with the Key Administrator role can grant endpoints access to the security objects contained in virtual wallets. The Key Administrator can also create endpoint groups to enable shared access to virtual wallets. When you grant an endpoint group access to a virtual wallet, all the member endpoints have access to that virtual wallet. For example, you can grant all the nodes of an Oracle RAC cluster access to a virtual wallet by putting them in an endpoint group, which saves you the step of granting each node access individually.
An Oracle Key Vault user name cannot be the same as an Oracle Key Vault endpoint name.
Below is a summary of the two administrative roles as they pertain to endpoints.
A user with the System Administrator role:
Manages the endpoint meta-data like the name, type, platform, description, and email
Manages the endpoint lifecycle which consists of enrolling, deleting, suspending, and reenrolling endpoints
A user with the Key Administrator role:
Manages the endpoint group lifecycle which consists of creating, modifying, and deleting endpoint groups
Manages the lifecycle of security objects, which consists of creating, modifying and deleting security objects
Grants, modifies, and revokes access mappings on shared virtual wallets to endpoints and endpoint groups
Associates an endpoint with a default wallet
You can enroll new endpoints, reenroll existing endpoints, delete them when no longer integrated with Oracle Key Vault, and disable them temporarily for security reasons.
The first step to enrolling an endpoint is to add the endpoint to Key Vault. There are two methods for adding or registering an endpoint:
Administrator-initiated
An Oracle Key Vault user who has the System Administrator role initiates the enrollment from the Key Vault side by adding the endpoint to Key Vault. When the endpoint is added, a one-time enrollment token is generated. This token may be communicated to the endpoint administrator in two ways:
Directly from Key Vault by email. To use email notification you must configure SMTP in email settings.
Out-of-band method such as email or telephone.
The endpoint administrator uses the enrollment token to download the endpoint software and complete the enrollment process on the endpoint side.
Once the enrollment token is used to enroll an endpoint, it cannot be used again for another enrollment. If you need to reenroll an endpoint, the reenrollment process will generate a new one-time enrollment token for this purpose.
Self-enrolled
Endpoints may enroll themselves during specific times without human administrative intervention. Endpoint self-enrollment is useful when the endpoints do not share security objects, and use Oracle Key Vault primarily to store and restore their own security objects. Another use for endpoint self-enrollment is testing.
A self-enrolled endpoint is created with a generic endpoint name in the format ENDPT_001. Initially, a self-enrolled endpoint has access only to the security objects that it uploads or creates. It does not have access to any virtual wallets. You can later grant the endpoint access to virtual wallets after verifying its identity.
Endpoint self-enrollment is disabled by default, and must be enabled by a user with the System Administrator role. A best practice is to enable self-enrollment for short periods, when you expect endpoints to self enroll, and disable it when the self-enrollment period ends.
Oracle Key Vault associates a self-enrolled attribute with all endpoints that are enrolled through endpoint self-enrollment. Self-enrolled endpoints go directly to Enrolled status without the intermediate Registered status when they download the endpoint software. You can recognize self-enrolled endpoints by their system generated names in the form ENDPT_001.
To enable endpoint self-enrollment follow these steps:
Users with the System Administrator role can centrally update certain endpoint configuration parameters in the Oracle Key Vault management console. This feature lets system administrators set those parameters globally, that is, for all endpoints, or on a per-endpoint basis, which simplifies managing many endpoints.
Endpoint-specific parameters, if set, take precedence over global parameters. Global parameters, if set, take effect once the endpoint-specific parameters are cleared. Oracle Key Vault falls back to the default system parameters when both the global and the endpoint-specific parameters are cleared or were never set in the management console.
Configuration parameter values set in the management console are pushed to endpoints dynamically: the next time an endpoint contacts the Oracle Key Vault server after the parameters are set, it receives the update. The update is best-effort; if an error occurs, the update is not applied. Both okvutil and the PKCS#11 library can retrieve and apply endpoint configuration updates.
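The following is an added example (not Oracle Key Vault code or part of its documentation) that models the precedence rule above: a per-endpoint value wins over a global value, which wins over the built-in default, and a cleared value simply drops out of the chain. It also models the best-effort update on the endpoint side: the endpoint validates everything it received and, on any error, applies none of it. The parameter names, the default values, and the validation rule are assumptions chosen for illustration.

```python
from typing import Dict, Tuple

# Hypothetical parameter names and built-in defaults, for illustration only.
SYSTEM_DEFAULTS: Dict[str, int] = {
    "PKCS11_CACHE_TIMEOUT": 60,
    "SERVER_POLL_TIMEOUT": 300,
}


class EndpointConfigStore:
    """Server side: global overrides and per-endpoint overrides (hypothetical class)."""

    def __init__(self) -> None:
        self.global_params: Dict[str, int] = {}
        self.endpoint_params: Dict[str, Dict[str, int]] = {}

    def set_global(self, param: str, value: int) -> None:
        self.global_params[param] = value

    def clear_global(self, param: str) -> None:
        self.global_params.pop(param, None)

    def set_for_endpoint(self, endpoint: str, param: str, value: int) -> None:
        self.endpoint_params.setdefault(endpoint, {})[param] = value

    def clear_for_endpoint(self, endpoint: str, param: str) -> None:
        self.endpoint_params.get(endpoint, {}).pop(param, None)

    def resolve(self, endpoint: str) -> Dict[str, Tuple[int, str]]:
        """Return (value, source) per parameter: endpoint > global > default."""
        per_endpoint = self.endpoint_params.get(endpoint, {})
        resolved: Dict[str, Tuple[int, str]] = {}
        for param, default in SYSTEM_DEFAULTS.items():
            if param in per_endpoint:
                resolved[param] = (per_endpoint[param], "endpoint")
            elif param in self.global_params:
                resolved[param] = (self.global_params[param], "global")
            else:
                resolved[param] = (default, "default")
        return resolved


def validate(param: str, value: int) -> None:
    """Assumed validation rule: known parameter, non-negative integer."""
    if param not in SYSTEM_DEFAULTS:
        raise ValueError(f"unknown parameter {param}")
    if not isinstance(value, int) or value < 0:
        raise ValueError(f"bad value {value!r} for {param}")


class EndpointClient:
    """Endpoint side: picks up the resolved values on its next contact, all or nothing."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.config: Dict[str, int] = dict(SYSTEM_DEFAULTS)

    def poll(self, store: EndpointConfigStore) -> bool:
        """Apply the update only if every parameter validates; otherwise keep the old config."""
        resolved = store.resolve(self.name)
        try:
            for param, (value, _source) in resolved.items():
                validate(param, value)
        except ValueError:
            return False  # best-effort: on error the update is not applied
        self.config = {param: value for param, (value, _source) in resolved.items()}
        return True


if __name__ == "__main__":
    store = EndpointConfigStore()
    store.set_global("PKCS11_CACHE_TIMEOUT", 120)
    store.set_for_endpoint("DB01", "PKCS11_CACHE_TIMEOUT", 30)
    for param, (value, source) in store.resolve("DB01").items():
        print(f"{param} = {value} (from {source})")
```

The `resolve` method returns the source of each value alongside the value, which is what you want when troubleshooting why an endpoint is not picking up a global setting: if the source says "endpoint", a per-endpoint override is still in place and must be cleared first.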
When endpoints are no longer using Oracle Key Vault to store security objects, System Administrators can delete them, and then reenroll them when they are needed again. Endpoints may also be temporarily suspended and later enabled.
Deleting an endpoint removes it permanently from Oracle Key Vault. However, security objects previously created or uploaded by that endpoint remain in Oracle Key Vault, as do security objects associated with that endpoint. To permanently delete or reassign these security objects, you must be a user with the Key Administrator role, or a user who has been authorized to manage these objects through wallet privileges. The endpoint software previously downloaded to the endpoint also remains there until the endpoint administrator removes it.
The Endpoints page provides the mechanism to delete a group of endpoints from Key Vault at one time. You can also delete a single endpoint from this page.
To delete one or more endpoints do the following:
The Endpoint Details page provides a consolidated view of the selected endpoint, including a mechanism to delete the endpoint from Key Vault.
To delete an endpoint follow these steps:
You can suspend an endpoint temporarily for security reasons, and reinstate the endpoint once the threat has passed. When you suspend an endpoint, its status will change from Enrolled to Suspended.
To suspend an endpoint do the following:
You must reenroll an endpoint to upgrade the endpoint software on the endpoint. You would also reenroll an endpoint to accommodate changes in an Oracle Key Vault deployment, for example, when you pair a primary Oracle Key Vault server with a new secondary server in a high availability configuration.
The following procedure describes how to reenroll an endpoint:
You can grant an endpoint access to a virtual wallet, and revoke or modify that access when it is no longer necessary. Note that the endpoint must be granted the Read and Modify and Manage Wallet access privileges on the wallet in order to upload security objects to, and download them from, Key Vault.
You can grant an endpoint access to a virtual wallet as soon as the endpoint has been added to Oracle Key Vault, while it is still in Registered status.
To grant an endpoint access to wallets already added to Oracle Key Vault:
Wallet items are the security objects that the endpoint has access to.
To view these follow these steps:
A default wallet is a virtual wallet that security objects are uploaded to when no wallet is explicitly specified. Default wallets are useful for sharing keys among endpoints such as the nodes of an Oracle RAC cluster, or the primary and standby databases in Oracle Data Guard, by having all of those endpoints use the same default wallet.
The default wallet must be set during the registration process to ensure that the downloaded endpoint software is configured to use the default wallet.
An enrollment status of Registered means that the endpoint has been added to Oracle Key Vault, but the endpoint software has not yet been downloaded and installed. This is when you must associate the default wallet with the endpoint.
The endpoint's enrollment status becomes Enrolled when you download and install the endpoint software on the endpoint. If you set the default wallet after you enroll the endpoint, then you must reenroll the endpoint to ensure that all future security objects created by the endpoint are automatically associated with that wallet.
When you set the default wallet for an endpoint, all the endpoint's security objects will be automatically uploaded to this wallet if a wallet is not explicitly specified. Oracle requires that you set the default wallet right after registering the endpoint, and before downloading the endpoint software.
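The following is an added example, not Oracle Key Vault code, that ties together the lifecycle rules stated on this page: the one-time enrollment token issued when an endpoint is added and consumed on enrollment, self-enrolled endpoints that get a generic ENDPT_nnn name and go straight to Enrolled, suspension and reinstatement, reenrollment issuing a fresh token that invalidates the old one, and the rule that the default wallet can only be set while the endpoint is Registered. The class and method names, the status strings, and the token format are assumptions of this model, not the Oracle Key Vault API.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


class LifecycleError(Exception):
    """Operation is not valid for the endpoint's current enrollment status."""


@dataclass
class Endpoint:
    name: str
    status: str = "Registered"              # Registered -> Enrolled <-> Suspended
    self_enrolled: bool = False
    default_wallet: Optional[str] = None
    enrollment_token: Optional[str] = None  # one-time token; None once consumed


class KeyVault:
    """Server-side bookkeeping for endpoints (hypothetical class, not the OKV API)."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.self_enrollment_enabled = False  # disabled by default
        self._next_generic = 1                # counter behind ENDPT_001, ENDPT_002, ...

    # Administrator-initiated registration (System Administrator role).
    def add_endpoint(self, name: str) -> str:
        """Register the endpoint and return its one-time enrollment token."""
        if name in self.endpoints:
            raise LifecycleError(f"endpoint {name} already exists")
        ep = Endpoint(name=name, enrollment_token=secrets.token_hex(16))
        self.endpoints[name] = ep
        return ep.enrollment_token

    def set_default_wallet(self, name: str, wallet: str) -> None:
        """Only valid while Registered; a later change needs a reenrollment first."""
        ep = self.endpoints[name]
        if ep.status != "Registered":
            raise LifecycleError("set the default wallet before enrolling, or reenroll first")
        ep.default_wallet = wallet

    def enroll(self, name: str, token: str) -> Endpoint:
        """Endpoint side completes enrollment: the token is checked and consumed."""
        ep = self.endpoints[name]
        if ep.status != "Registered" or ep.enrollment_token is None:
            raise LifecycleError(f"{name} is not awaiting enrollment")
        if not secrets.compare_digest(ep.enrollment_token, token):
            raise LifecycleError("invalid enrollment token")
        ep.enrollment_token = None  # one-time: cannot be used again
        ep.status = "Enrolled"
        return ep

    # Self-enrollment: no token, generic name, straight to Enrolled, no wallets.
    def self_enroll(self) -> Endpoint:
        if not self.self_enrollment_enabled:
            raise LifecycleError("endpoint self-enrollment is disabled")
        name = f"ENDPT_{self._next_generic:03d}"
        self._next_generic += 1
        ep = Endpoint(name=name, status="Enrolled", self_enrolled=True)
        self.endpoints[name] = ep
        return ep

    # Suspend, reinstate, reenroll.
    def suspend(self, name: str) -> None:
        ep = self.endpoints[name]
        if ep.status != "Enrolled":
            raise LifecycleError("only Enrolled endpoints can be suspended")
        ep.status = "Suspended"

    def reinstate(self, name: str) -> None:
        ep = self.endpoints[name]
        if ep.status != "Suspended":
            raise LifecycleError(f"{name} is not suspended")
        ep.status = "Enrolled"

    def reenroll(self, name: str) -> str:
        """Return the endpoint to Registered with a fresh one-time token; the old token is dead."""
        ep = self.endpoints[name]
        ep.status = "Registered"
        ep.enrollment_token = secrets.token_hex(16)
        return ep.enrollment_token


if __name__ == "__main__":
    kv = KeyVault()
    token = kv.add_endpoint("DB01")
    kv.set_default_wallet("DB01", "RAC_WALLET")
    print(kv.enroll("DB01", token))
```

The model makes two points worth checking in a real deployment: the token is compared with a constant-time comparison and is discarded the moment it is used, and self-enrollment is a window you open and close, not a permanent setting, because any host that can reach the server during that window ends up Enrolled without an administrator ever naming it.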
To set the default wallet follow the steps below:
An endpoint group is a group of endpoints that share a common set of wallets.
Endpoints that must share a common set of security objects stored in wallets can be grouped into an endpoint group. For example, endpoints using Oracle RAC, Oracle GoldenGate, or Oracle Active Data Guard may need to share keys for access to shared data.
1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
2. Select the Endpoints tab, then Endpoint Groups. The Endpoint Groups page appears.
3. Click Create Endpoint Group. The Create Endpoint Group page appears.
4. Enter the name of the new group and a brief description. You can add members to the group right away from the list in the Select Members pane, just below Create Endpoint Group.
5. The Select Members pane lists all the endpoints. To add endpoints to the endpoint group, check the boxes to the left of each endpoint.
6. Click Save to complete creating the endpoint group. A message appears indicating that the endpoint group has been successfully saved, and the new endpoint group now appears in the Endpoint Groups page.
You can add endpoints and access mappings to an endpoint group after creating the endpoint group. An endpoint can belong to more than one endpoint group. You cannot add one endpoint group to another endpoint group.
To modify an endpoint group after creating it, follow these steps:
You can remove an endpoint from an endpoint group. This removes all access to the wallets associated with that endpoint group, unless the endpoint has separately been granted access to those wallets directly or through another endpoint group. You may remove more than one endpoint at the same time.
To remove an endpoint from an endpoint group, follow these steps:
You can delete endpoint groups, if their member endpoints no longer require access to the same virtual wallets. This action removes the shared access of member endpoints to wallets, not the endpoints themselves.
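The following is an added example, not Oracle Key Vault code, that models how direct grants and endpoint-group grants on virtual wallets combine into an endpoint's effective access, and what removing an endpoint from a group or deleting a group does to that access, as described in the endpoint-group passages above. Effective access is modelled as the union of the access levels granted directly and through every group the endpoint belongs to; the class and method names are assumptions, and the `can_transfer` check encodes the statement on this page that upload and download need both Read and Modify and Manage Wallet.

```python
from collections import defaultdict
from typing import Dict, Set


class WalletAccessModel:
    """Hypothetical model of wallet grants to endpoints and endpoint groups."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = defaultdict(set)  # group -> endpoints
        # endpoint -> wallet -> access levels, and group -> wallet -> access levels
        self.endpoint_grants: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        self.group_grants: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    # Endpoint group lifecycle (Key Administrator role).
    def add_to_group(self, group: str, *endpoints: str) -> None:
        self.members[group].update(endpoints)

    def remove_from_group(self, group: str, endpoint: str) -> None:
        self.members[group].discard(endpoint)

    def delete_group(self, group: str) -> None:
        """Drops the group and its grants; the member endpoints themselves remain."""
        self.members.pop(group, None)
        self.group_grants.pop(group, None)

    # Access mappings on shared virtual wallets.
    def grant_endpoint(self, endpoint: str, wallet: str, *levels: str) -> None:
        self.endpoint_grants[endpoint][wallet].update(levels)

    def revoke_endpoint(self, endpoint: str, wallet: str) -> None:
        self.endpoint_grants[endpoint].pop(wallet, None)

    def grant_group(self, group: str, wallet: str, *levels: str) -> None:
        self.group_grants[group][wallet].update(levels)

    def effective_access(self, endpoint: str) -> Dict[str, Set[str]]:
        """Union of direct grants and the grants of every group the endpoint belongs to."""
        access: Dict[str, Set[str]] = defaultdict(set)
        for wallet, levels in self.endpoint_grants.get(endpoint, {}).items():
            access[wallet].update(levels)
        for group, members in self.members.items():
            if endpoint in members:
                for wallet, levels in self.group_grants.get(group, {}).items():
                    access[wallet].update(levels)
        return {wallet: set(levels) for wallet, levels in access.items() if levels}

    def can_transfer(self, endpoint: str, wallet: str) -> bool:
        """Upload/download needs both Read and Modify and Manage Wallet on the wallet."""
        required = {"Read and Modify", "Manage Wallet"}
        return required <= self.effective_access(endpoint).get(wallet, set())


if __name__ == "__main__":
    m = WalletAccessModel()
    m.add_to_group("RAC_NODES", "rac1", "rac2")
    m.grant_group("RAC_NODES", "RAC_WALLET", "Read and Modify", "Manage Wallet")
    m.remove_from_group("RAC_NODES", "rac2")
    print("rac1:", m.effective_access("rac1"))
    print("rac2:", m.effective_access("rac2"))
```

Running `effective_access` for every endpoint before and after a group change is the check a practitioner wants before deleting an endpoint group: it shows which endpoints lose access entirely and which keep it through a direct grant or a second group.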
The following procedure describes how to delete an endpoint group from Key Vault:
After registering or enrolling the endpoint you can modify the endpoint name, type, description, platform, and email as needed. You can add the endpoint to an endpoint group, and upgrade the software on the endpoint.
The endpoint details page provides a consolidated view of the endpoint. From here you can modify endpoint details and complete endpoint management tasks.
See Also: Default Wallet (Figure 7-10), Endpoint Group Membership (Figure 7-19), Access to Wallets (Figure 7-7), Access to Wallet Items (Figure 7-9)
You can modify the endpoint name, type, platform and email from the Endpoint Details page as follows:
See Also: Add endpoint to group (Figure 7-18); creating an endpoint group is described in "Create an Endpoint Group"
You can delete an endpoint from an endpoint group if the endpoint no longer needs shared access to wallets as follows:
See Also: Add endpoint to group (Figure 7-18); creating an endpoint group is described in "Create an Endpoint Group"
To upgrade to the latest endpoint software for an enrolled endpoint, you can download the endpoint software without having to reenroll the endpoint.
To download the latest version of the endpoint software follow Steps 1-4 of "Task 1: Enroll Endpoint and Download Software".
Step 4 brings up the Enroll Endpoint & Download Software page.
On the Enroll Endpoint & Download Software page, do the following:
See Also: Special Notes About Endpoint Provisioning, to check the environment and setup