6 Managing Oracle Key Vault Virtual Wallets and Security Objects

Oracle Key Vault provides the mechanism of a virtual wallet to upload and store your security objects that you can then share with trusted peers at access levels appropriate to their organizational function.

6.1 About Virtual Wallets

A virtual wallet is a container for security objects such as public and private encryption keys (including TDE master keys), Oracle wallets, Java keystores, certificates, and credential files.

6.1.1 How Virtual Wallets Work

Oracle Key Vault provides the mechanism of a virtual wallet to group security objects for sharing with multiple users who need them to access encrypted data.

Any user can create a virtual wallet. After you create a virtual wallet, you can add keys and other security objects to the wallet. You can then grant other users, endpoints, user groups, and endpoint groups access to the virtual wallet at various levels of access. A virtual wallet can be modified at any time. You can modify wallet contents, the users that must have access, and the access level of those users according to the needs of the moment.

Other than the Key Administrator, access to the virtual wallet must be granted explicitly to all users. Read, modify, and manage wallet permissions are required to add and remove objects from the wallet, and to grant or modify wallet access to other users and groups.

6.1.2 Create a Virtual Wallet

You can create a virtual wallet, and add security objects to it at the same time. However, you can also create an empty virtual wallet, and add security objects to it later. You can modify access-mappings on a virtual wallet at any time.

To create a virtual wallet and add security objects to it:

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. Click Create.

    The Create Wallet page appears.

  4. Enter a name for the wallet in Name and an identifying description in Description.

    Virtual wallet names are case-sensitive. For example, wallet1 and Wallet1 are two different wallets. It is recommended that you add a user-friendly description to the wallet so that it can be identified easily.

  5. In the Add Wallet Contents pane, check the box(es) by the name(s) of the listed security objects that you want to add to the wallet.

    The Add Wallet Contents pane lists the security objects you have Read and Modify access to. If the list is empty, it means that you have no access to the security objects already in Key Vault. In this case, you would add security objects to the wallet after you upload them to Key Vault.

  6. Click Save to create the new wallet with the security objects added to it.

    A Wallet created successfully message appears. The Wallets page appears and displays the new wallet in the list.

    To see the contents of the wallet, click the wallet name, as the following figure shows.

    Figure 6-2 Creation of a New Wallet

6.1.3 Add Security Objects to a Virtual Wallet

You can add new security objects to a virtual wallet at any time as needed.

To add items to wallets:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. From the Wallets page, click the pencil icon in the Details column corresponding to the wallet you want to work with.

    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.

  4. Click Add Items. The Add Wallet Contents page appears.
  5. Check the box(es) by the security objects you want to add to the wallet.
  6. Click Save.

    A confirmation message appears.

    The Wallet Overview page appears and Wallet Contents lists the new security objects added.

6.1.4 Remove Security Objects from a Virtual Wallet

You can remove security objects from virtual wallets at any time as needed.

To remove security objects from wallets:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. From the Wallets page, click the pencil icon in the Details column corresponding to the wallet you want to work with.

    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.

  4. Check the box(es) by the security objects you want to remove from the wallet.
  5. Click Remove Items. A confirmation message appears.

    The Wallet Contents pane in the Wallet Overview page displays the new list with the items deleted.

6.1.5 Delete a Virtual Wallet

Deleting a virtual wallet removes the wallet as a container, but does not delete the security objects that were contained in it. These security objects will continue to remain in Key Vault. Endpoints that have downloaded this virtual wallet will continue to retain their local copy.

To delete a virtual wallet:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. Check the box(es) next to the name of the wallet that you want to delete from the Wallets table. You may delete more than one virtual wallet at the same time.
  4. Click Delete.
  5. Click OK to confirm.
  6. Select the Keys & Wallets tab to see the updated list of wallets in the Wallets page.

6.2 Manage Access to Virtual Wallets from Keys & Wallets Menu

Access control is about deciding which users and endpoints need to share virtual wallets and security objects, and what operations they can perform on those virtual wallets.

6.2.1 How Access to Virtual Wallets from Keys & Wallets Menu Works

You must have access to a virtual wallet or be a key administrator to manage access control for users, endpoints, and their respective groups.

Oracle Key Vault provides two ways to manage access control on virtual wallets for users, endpoints, and their respective groups:

  • From the Keys & Wallets menu, where you select the wallet, and then grant an endpoint, endpoint group, user, or user group access to the wallet.

  • From the Users or Endpoints menu, where you select the user, user group, endpoint or endpoint group, and then grant one of these entities access to the wallet.

This section focuses on managing access to a virtual wallet for users and user groups from the Keys & Wallets menu.

6.2.2 Grant Access to Endpoint Groups, Endpoints, User Groups, and Users

You can choose a virtual wallet and grant endpoint groups, endpoints, user groups, or users Read Only, Read and Modify, and Manage Wallet access levels on the wallet. Once they have access to the wallet, they will have access to all the security objects in the wallet.

To grant access to a virtual wallet:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. Click the pencil icon in the Details column corresponding to the wallet you want to grant access to.

    The Wallet Overview page appears.

  4. In the Wallet Access Settings pane, click Add.

    The Add Access to Wallet page appears.

    Figure 6-3 Add Access to Wallet

  5. Select the entity type you want to grant access to from the Select Endpoint/User Group drop-down list next to Type.

    Possible values for Type are Endpoint Groups, Endpoints, User Groups, and Users.

    The type you select determines the list that is displayed. For example, if you select Endpoint Groups as the Type, the list of Key Vault endpoint groups is displayed under the heading Endpoint Groups. If you select Users, the list of Key Vault users is displayed under the heading Users.

  6. Select the radio button in the Name table corresponding to the entity you want to grant access to.
  7. Select one of Read Only or Read and Modify in the Select Access Level pane.
  8. Check the box to Manage Wallet if needed.
  9. Click Save.

    A message appears: Access mapping successfully added.

    The Wallet Access Settings pane displays the new entity.

6.2.3 Modify Access to Endpoint Groups, Endpoints, User Groups, and Users

You can modify the access settings on a virtual wallet for endpoint groups, endpoints, user groups and users as follows:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, and then select Wallets from the left sidebar. The Wallets page appears.
  3. Click the pencil icon in the Details column corresponding to the wallet name.

    The Wallet Overview page appears, with Wallet Access Settings listing the entities that have access to the wallet and their access levels.

  4. In Wallet Access Settings, click the pencil icon corresponding to the entity under Subject Name.

    A Modify Access window appears.

    Note that Wallet Access Settings lists all the entities that have access to this wallet under Subject Name, and can include users, endpoints, user groups, and endpoint groups.

  5. Select the access settings you want to modify, then click Save.

    A message appears: Successfully updated.

    The Wallet Overview page appears and Wallet Access Settings displays the new access mapping for the entity.

  6. Click Save in the Wallet Overview page.

6.3 Manage Access to Virtual Wallets from User's Menu

Oracle Key Vault provides two ways to manage access control on virtual wallets for users, endpoints, and their respective groups.

6.3.1 How Access to Virtual Wallets from User's Menu Works

The two menus that you can use are as follows:

  • From the Keys & Wallets menu, where you select the wallet, and then grant an endpoint, endpoint group, user, or user group access to the wallet.

  • From the Users or Endpoints menu, where you select the user, user group, endpoint or endpoint group, and then grant one of these entities access to the wallet.

This section focuses on managing access to a virtual wallet for users and user groups from the Users menu.

6.3.2 Grant a User Access to a Virtual Wallet

To grant a user access to a virtual wallet:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab.

    The Manage Users page appears.

  3. Click the user's name in the User Name column.

    The User Details page appears.

  4. In the Access to Wallets pane, click Add.

    The Add Access to User page appears.

  5. Select a virtual wallet from the available list.
  6. In the Select Access Level pane select the desired access levels.
  7. Click Save.

    A message appears: Access mapping successfully added.

    Check Access to Wallets in User Details for the user to see the wallet added.

6.3.3 Revoke User Access from a Virtual Wallet

To revoke access to a virtual wallet for a user:

  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab.

    The Manage Users page appears.

  3. Click the user's name under User Name.

    The User Details page appears.

  4. In Access to Wallets check the box by the virtual wallet you want to revoke access to.
  5. Click Remove.

    A confirmation dialog box appears.

  6. Click OK.

    A message appears: Access mapping(s) deleted successfully.

    Check Access to Wallets in User Details for the user to see the wallet deleted.

6.3.4 Grant a User Group Access to a Virtual Wallet

When you grant a user group access to a virtual wallet all members of the group will have access to the security objects within the wallet.

To grant a user group access to a virtual wallet:

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access in the left sidebar.

    The User Groups page appears.

  3. Click the pencil icon in the Details column corresponding to the user group. The User Group Details page appears.
  4. Click Add in the Access to Wallets pane.

    The Add Access to User Group page appears.

  5. Select a virtual wallet from the available list.
  6. In the Select Access Level pane select the desired access levels.
  7. Click Save.

    A message appears: Access mapping successfully added.

    Check Access to Wallets in User Groups for the group to see the wallet added.

6.3.5 Revoke User Group Access from a Virtual Wallet

You can remove user group access to a virtual wallet as follows:

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access in the left sidebar. The User Groups page appears.
  3. Click the pencil icon in the Details column corresponding to the user group. The User Group Details page appears.
  4. In the Access to Wallets pane, check the box by the virtual wallet you want to revoke access to.
  5. Click Remove.
  6. Click OK to confirm.

    A message appears: Access mapping(s) deleted successfully.

    Check Access to Wallets in User Groups to see the wallet removed from the list.

6.4 Manage State of a Security Object

You can set the start date for a security object to become active, or deactivate it. You can also change the state of some virtual wallet security objects as needed.

6.4.1 Activate a Key or Security Object

Currently, only keys uploaded via a third-party KMIP client can be in a Pre-Active state and have the Activation date set. For all other keys the Activation Date is system generated and cannot be set.

Most keys are in the Active state when they are created. However, you can set the Process Start Date (the date from which a key may be used to secure data) to a date later than its creation date, as follows:

  1. Log in to the Oracle Key Vault management console as a user who has the Read and Modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item whose start date you want to set.
  4. On the Item Details page for the item, set the Process Start Date to the desired date.
  5. Click Save.

6.4.2 Deactivate a Key or Security Object

A key deactivates, or expires, when it passes the date that has been set for deactivation. To set that date:

  1. Log in to the Oracle Key Vault management console as a user who has the Read and Modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item to be deactivated.
  4. On the Item Details page for the item, set the Date of Deactivation to the date on which you want the key to be deactivated.
  5. Click Save.

6.4.3 Revoke a Key or Security Object

When you revoke a key, its state transitions to Deactivated or Compromised, and the key should no longer be used to encrypt new data.

However, deactivated keys may be downloaded and used to decrypt old data.

To revoke a key or security object:

  1. Log in to the Oracle Key Vault management console as a user who has the Read and Modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select All Items from the left sidebar.

    The All Items page appears listing all the security objects.

  4. Click the pencil icon in the Details column corresponding to the item to be revoked.

    The Item Details page appears.

  5. Click Revoke.

    The Revoke Item page appears.

  6. Select a Revocation Reason from the drop-down list.
  7. Optionally, add more details in Revocation Message.
  8. Click Save.

    A message appears, indicating that the revocation succeeded.

6.4.4 Destroy a Key or Security Object

When a key is no longer used, or has been compromised in some way, you might want to destroy it.

Note:

Metadata for destroyed keys and security objects is kept in Key Vault even after they have been destroyed.

To destroy a key:

  1. Log in to the Oracle Key Vault management console as a user who has the Read and Modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item that you want to destroy.
  4. On the Item Details page for the item, click Destroy.
  5. Click Save.

6.5 Manage Details of Security Objects

After you create a virtual wallet and add security objects to it, you can search the virtual wallet for the security objects contained in it. You can add new security objects to the virtual wallet, or delete security objects from it. You can modify the contents of a virtual wallet at any time according to your specific needs.

Security objects are managed by Key Vault administrative users with a clear separation of duties. To manage security objects, you must have the Key Administrator role or the Manage Wallet privilege on the virtual wallet containing them. A user with the Audit Manager role can view security objects but cannot modify them, whereas security objects are not even viewable to a user with the System Administrator role.

6.5.1 Search for Security Object Items

The term item refers to a single security object managed by Oracle Key Vault, such as an encryption key, keystore, certificate, password, or opaque object.

To search for items:

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role, the Audit Manager role, or as a user with access to a virtual wallet.
  2. Click the tab Keys & Wallets.

    The Wallets page appears.

  3. Click All Items in the left sidebar.

    The All Items page appears displaying all the security objects in a table.

    Figure 6-5 All Items Lists all Security Objects in Key Vault

    The table has the following columns for each security object:

    • Type: Indicates the object type of the item. Valid values are Symmetric Key, Private Key, and Opaque Object.

    • Identifier: Lists the identifier for the item and includes a prefix that helps identify a subtype for the item.

    • Creation Time: Date and time that the item was added to Oracle Key Vault.

    • Owner: The endpoint that owns the item.

    • Wallets: The virtual wallet that contains the security object.

    • State: Indicates the state of the object. Valid values are Active and N/A.

    • Details: A pencil icon links to the Item Details for the security object.

  4. Search for specific items using the Search bar or the Actions menu.

6.5.2 View Details of a Security Object

An administrative user with the Key Administrator role can view, add, and modify the details of a security object from its corresponding Item Details page. Item details are attributes of a specific security object and depend on the type of security object.

To view the attributes of a security object from the Item Details page:

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role or as a user with access to the virtual wallet.

  2. Click the tab Keys & Wallets.

    The Wallets page appears.

  3. Click All Items in the left sidebar.

    The All Items page appears displaying all the security objects in Key Vault.

  4. Click the pencil icon in the Details column corresponding to the security object. The Item Details page appears displaying the attributes of the security object.

    You can set the dates when the security object should be deactivated or no longer used on the Item Details page. The attributes shown in Item Details depend on the type of security object. The attributes for a Symmetric Key are different from those of a Private Key or an Opaque Object.

    You can revoke or destroy a security object, and add it to or remove it from a wallet, from the Item Details page.

    The Wallet Membership pane in the Item Details page allows you to add or delete the security object to or from a wallet.

    The Item Details page contains the following attributes:

    • Identifier: A summary description to help identify the item to the user. For example, if the item is a TDE master key, the Identifier shows the prefix TDE Master Key followed by the identifier used by the database to identify the key.

    • Unique Identifier: This is a globally unique ID that identifies an item.

    • Type: Indicates the object type of the item. Valid values are Symmetric Key, Private Key, Template, Opaque Object, Certificate, and Secret Data.

    • State: Indicates the state of the item. Values are as follows:

      • Pre-active: The object exists but is not yet usable for any cryptographic purpose.

      • Active: The object is available for use. Endpoints should examine the Cryptographic Usage Mask attribute to determine which uses are appropriate for this object.

      • Deactivated: The object is no longer active and should not be used to apply cryptographic protection (for example, encryption or signing). It may still be appropriate to use for decrypting or verifying previously protected data.

      • Compromised: The object is believed to be compromised and should not be used.

      • Destroyed: The object is no longer usable for any purpose.

      • Destroyed Compromised: The object was compromised and subsequently destroyed. It is no longer usable for any purpose.

    • Creator: The endpoint that created the security object.

    • Last Modified: The date last modified.

    • Date of Creation: The date created.

    • Date of Activation: The date of activation.

    • Process Start Date: The date from which the key may be used to encrypt data. It can be equal to or later than the Date of Activation, but cannot precede it.

    • Protect Stop Date: Once this date has passed, the key should not be used to encrypt any more data. It cannot be later than the Date of Deactivation.

    • Date of Deactivation: The date of deactivation.

  5. Click Advanced to view the cryptographic attributes of the security object.

    Figure 6-7 Item Details - Advanced Pane

    Attribute information and queries may vary depending on the item type. These are some attributes:

    • Cryptographic Algorithms: The encryption algorithm used by the item

    • Key Usage: Operations that the key can be used for

    • Names: Labels attached by a user or endpoint to identify the key

    • Custom attributes: Additional attributes defined by the endpoint and not interpreted by Oracle Key Vault

    • Cryptographic Parameters: Optional parameters for the encryption algorithm used by the item, such as block cipher mode and padding method

    • Digests: Digest values of the security object

    • Link Details: Links to related objects

See Also:

Key Management Interoperability Protocol Specification Version 1.1
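The state and date attributes above, together with the activate, deactivate, revoke and destroy procedures in section 6.4, describe one lifecycle: an object is only used to protect data while Active and inside its Process Start / Protect Stop window, a Deactivated object may still unprotect old data, and Compromised and Destroyed objects are unusable. The following Python model, added here as an illustration and not code from Oracle Key Vault, encodes those rules and the two date-ordering constraints so they can be checked before an endpoint relies on a key. The state names are the ones listed on the Item Details page; the object identifier and dates are constructed sample values, and the `compromised` flag on `revoke()` stands in for the console's Revocation Reason list, whose entries the page does not enumerate.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle states as listed under State on the Item Details page.
PRE_ACTIVE, ACTIVE, DEACTIVATED = "Pre-active", "Active", "Deactivated"
COMPROMISED, DESTROYED = "Compromised", "Destroyed"
DESTROYED_COMPROMISED = "Destroyed Compromised"


@dataclass
class SecurityObject:
    identifier: str                       # constructed sample identifier
    state: str
    activation: Optional[date] = None     # Date of Activation
    process_start: Optional[date] = None  # Process Start Date
    protect_stop: Optional[date] = None   # Protect Stop Date
    deactivation: Optional[date] = None   # Date of Deactivation

    def validate_dates(self) -> list[str]:
        """Return the ordering rules this object violates (empty list = consistent)."""
        errors = []
        if self.process_start and self.activation and self.process_start < self.activation:
            errors.append("Process Start Date precedes Date of Activation")
        if self.protect_stop and self.deactivation and self.protect_stop > self.deactivation:
            errors.append("Protect Stop Date is later than Date of Deactivation")
        return errors

    def may_protect(self, today: date) -> bool:
        """Encrypt or sign: only Active objects, inside the start/stop window."""
        if self.state != ACTIVE:
            return False
        if self.process_start and today < self.process_start:
            return False
        if self.protect_stop and today > self.protect_stop:
            return False
        return True

    def may_unprotect(self) -> bool:
        """Decrypt or verify old data: allowed while Active or Deactivated only."""
        return self.state in (ACTIVE, DEACTIVATED)

    def expire(self, today: date) -> str:
        """An Active key deactivates once its Date of Deactivation has passed."""
        if self.state == ACTIVE and self.deactivation and today > self.deactivation:
            self.state = DEACTIVATED
        return self.state

    def revoke(self, compromised: bool) -> str:
        """Revocation moves the object to Compromised or Deactivated."""
        if self.state in (DESTROYED, DESTROYED_COMPROMISED):
            raise ValueError("a destroyed object cannot be revoked")
        self.state = COMPROMISED if compromised else DEACTIVATED
        return self.state

    def destroy(self) -> str:
        """Destroy keeps the metadata record; a prior compromise stays visible."""
        self.state = DESTROYED_COMPROMISED if self.state == COMPROMISED else DESTROYED
        return self.state
```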

6.5.3 Add or Modify Details of a Security Object

To modify the attributes of a security object you must be a user with the Key Administrator role, or you must have Read and Modify access on the security object.

You can get Read and Modify access on a security object in two ways:

  • You own the security object.

  • You have access to a wallet that contains the security object.
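The access rules this chapter spreads across several sections (Key Administrators need no explicit mapping, every other subject does; Read Only, Read and Modify and the Manage Wallet flag on a wallet; group membership conferring the group's access; object-level Read and Modify via ownership or via a containing wallet; Audit Managers viewing but not modifying) can be resolved by one small authorization model. The Python below is an added illustration, not Oracle Key Vault code, and it assumes that Read and Modify on a wallet is what confers Read and Modify on the objects in it, while Read Only confers view only. Subject names, wallet names and object identifiers are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Roles and wallet access levels as named in the Key Vault console.
KEY_ADMIN, AUDIT_MANAGER = "Key Administrator", "Audit Manager"
READ_ONLY, READ_MODIFY = "Read Only", "Read and Modify"


@dataclass
class AccessMapping:
    subject: str               # user, user group, endpoint or endpoint group name
    level: str                 # READ_ONLY or READ_MODIFY
    manage_wallet: bool = False


@dataclass
class Wallet:
    name: str
    mappings: list[AccessMapping] = field(default_factory=list)
    contents: set[str] = field(default_factory=set)   # identifiers of member objects


@dataclass
class Principal:
    name: str
    roles: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)     # user or endpoint groups


def wallet_access(p: Principal, w: Wallet) -> tuple[Optional[str], bool]:
    """Highest level and Manage Wallet flag p holds on w through any mapping
    naming p directly or a group p belongs to. Key Administrators need no
    explicit mapping; everyone else does."""
    if KEY_ADMIN in p.roles:
        return READ_MODIFY, True
    level, manage = None, False
    for m in w.mappings:
        if m.subject == p.name or m.subject in p.groups:
            if level is None or m.level == READ_MODIFY:
                level = m.level
            manage = manage or m.manage_wallet
    return level, manage


def can_manage_wallet(p: Principal, w: Wallet) -> bool:
    """Add or remove items, and grant or modify access for other subjects."""
    return wallet_access(p, w)[1]


def _wallets_holding(obj_id: str, wallets: list[Wallet]) -> list[Wallet]:
    return [w for w in wallets if obj_id in w.contents]


def can_view_object(p: Principal, obj_id: str, owner: str, wallets: list[Wallet]) -> bool:
    """Key Administrators and Audit Managers see every object; others see what
    they own or what sits in a wallet they hold any access level on."""
    if p.roles & {KEY_ADMIN, AUDIT_MANAGER} or owner == p.name:
        return True
    return any(wallet_access(p, w)[0] is not None for w in _wallets_holding(obj_id, wallets))


def can_modify_object(p: Principal, obj_id: str, owner: str, wallets: list[Wallet]) -> bool:
    """Read and Modify on the object: Key Administrator, owner, or Read and
    Modify on a containing wallet. Audit Managers only view."""
    if KEY_ADMIN in p.roles or owner == p.name:
        return True
    return any(wallet_access(p, w)[0] == READ_MODIFY for w in _wallets_holding(obj_id, wallets))
```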

To modify details of a security object:

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role, the Audit Manager role, or as a user with access to a virtual wallet.
  2. Click the tab Keys & Wallets.

    The Wallets page appears.

  3. Click All Items in the left sidebar.

    The All Items page appears displaying all the security objects in a table.

  4. Click the pencil icon corresponding to the security object.

    The Item Details page appears.

  5. Click Advanced.

    The Advanced pane appears.

  6. Make the needed changes.
  7. Click Save in the top right.