10 General Oracle Key Vault Management

You can administer Oracle Key Vault by configuring the types of alerts, audits, and reports that users may view to check system status.


About General Management of Oracle Key Vault

You must be an administrative user with the System Administrator or Audit Manager role to perform general management tasks on Key Vault.

Oracle Key Vault Alert Configuration

You can configure alerts to other administrators for activities such as key rotation, expiration dates for endpoint certifications, and so on.


About Configuring Alerts

Administrators who have been granted the System Administrator role can configure alerts.

Oracle Key Vault provides alerts for key rotation, expiration dates for endpoint certifications and user passwords, maximum amount of allowed disk space, time in days for backup operations to be performed, and whether to be notified if system backup operations fail. Users with the System Administrator role can configure these alerts, but all users can view the open alerts.

See Also:

"Creating Oracle Key Vault Users" for information about how to configure users to receive alerts

Configuring the Alerts That Appear in the Oracle Key Vault Dashboard

You can customize the alerts that appear in the Oracle Key Vault Dashboard by alert type, and enable and disable them.

See "Viewing Oracle Key Vault Status on the Dashboard".

You can limit the alerts by various numerical criteria.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

  2. Select the Reports tab.

  3. Select Configure Alerts.

    The Configure Reports page appears.


  4. Enable or disable individual alerts as needed and set the threshold values for when the alert is raised.

  5. Click Save.

Viewing Open Alerts

All users can view open alerts that relate to objects they can access. Users with the System Administrator role also see alerts that relate to the Oracle Key Vault appliance, such as those about the status of backups.

  • To access open alerts, from the Oracle Key Vault management console, select the Reports tab and then select Alerts. This table lists all alerts that have not been resolved.

Alerts are removed automatically when you resolve the issue, but they cannot be explicitly deleted.


Oracle Key Vault Auditing

Oracle Key Vault automatically audits the activities that users perform in the Key Vault system. You can find audit reports of these activities and, if necessary, export and delete Key Vault audit records.


About Auditing in Oracle Key Vault

All operations relating to items, wallets, endpoints, endpoint groups, users, and user groups are audited in Oracle Key Vault. This includes the creation, modification, or deletion of any of these entities or their attributes. Oracle Key Vault also audits the creation and modification of SNMP credentials.

You can find reports that describe these activities by selecting Audit Report in the Audit tab of the Oracle Key Vault management console. If an action fails, then the Result column shows an error code.

You cannot explicitly disable auditing.

You can review the audit reports that pertain to the security objects you have access to, and the Audit Manager can see audit records for all objects. If you are logged in with the Audit Manager role, then you can export or delete a range of audit records, specified by a start and end time, from the audit report.

See Also:

"Overview of Administrative Roles" for details about the Audit Manager privileges

How Oracle Key Vault Audit Record Export and Deletion Operations Work

Only a user who has been granted the Audit Manager role can export or delete audit records.

Other users cannot export or delete audit records. Each time you perform an export operation, Oracle Key Vault creates a .csv file that contains the audit records. You can export a range of audit records and delete a range of audit records. You may also want to archive the exported records for use in audit screenings. After you export the audit records, you may want to delete them from the management console. When you export a set of audit records, the timestamps of the audit records within the .csv file are in the time zone of the management console where you exported the audit records.
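Because exported timestamps follow the time zone of the console that produced the file, an archive is easier to correlate with other logs once it is normalized to UTC. The following added example (not Oracle code) does that for an export, lists failed operations, and records a digest of the archive before any deletion. The column names, timestamp format, error code, and "Success" marker are assumptions for illustration, and the sample data is constructed.

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. The column names, timestamp format and the
# "Success" marker are assumptions; check them against a real .csv export.
SAMPLE_EXPORT = """\
Time,User,Operation,Object,Result
2016-03-12 23:10:05,KVADMIN,Create Endpoint,ENDPOINT_A,Success
2016-03-13 01:30:00,AUDITOR1,Export Audit Records,AUDIT,Success
2016-03-13 03:15:42,KVADMIN,Modify Wallet,WALLET_HR,ERR-1001
"""

def normalize_export(csv_text, console_tz, ts_format="%Y-%m-%d %H:%M:%S"):
    """Parse an export and add a UTC timestamp to every record.

    console_tz is the tzinfo of the console that produced the file, for
    example zoneinfo.ZoneInfo("America/Los_Angeles") or a fixed offset.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        local = datetime.strptime(row["Time"], ts_format).replace(tzinfo=console_tz)
        row["TimeUTC"] = local.astimezone(timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["TimeUTC"])

def failed_operations(rows):
    """Records whose Result column holds an error code instead of success."""
    return [r for r in rows if r["Result"] != "Success"]

def cutoff_is_archived(rows, delete_through_utc):
    """Conservative check: the planned deletion cutoff must not be later
    than the newest record held in the archive."""
    return bool(rows) and rows[-1]["TimeUTC"] >= delete_through_utc

def archive_digest(csv_text):
    """SHA-256 of the exported file, recorded so later changes are detectable."""
    return hashlib.sha256(csv_text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    tz = timezone(timedelta(hours=-8))  # assumed console offset (UTC-8)
    records = normalize_export(SAMPLE_EXPORT, tz)
    for r in records:
        print(r["TimeUTC"].isoformat(), r["User"], r["Operation"], r["Result"])
    print("failed:", [r["Operation"] for r in failed_operations(records)])
    print("sha256:", archive_digest(SAMPLE_EXPORT))
```

Store the digest separately from the archive, and pass a named zone rather than a fixed offset when the console's zone observes daylight saving time.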

Exporting and Deleting Oracle Key Vault Audit Records

You can export or delete Oracle Key Vault audit records.

  1. Log in to the Oracle Key Vault management console as a user who has the Audit Manager role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Reports tab.

  3. Click Export/Delete.

  4. Determine the date up to which you want to perform the action. Click the calendar icon and select the date.

  5. Click Export, Delete, or Cancel.

    A message appears, indicating success or failure.


Viewing Oracle Key Vault Reports

All users can access the Oracle Key Vault reports but only the Audit Manager can perform management tasks.


About Oracle Key Vault Reports

Oracle Key Vault provides two types of reports, one for the audit trail and the other for management activities.

  • Audit Trail report: This report shows the actions that users have performed. It covers the time the operation took place, who performed it, what the operation was, the object affected (such as a user group, single security object, or virtual wallet), and the result of the operation, which is a check for success or an error code for failure. All users can view the audit reports, but only the Audit Manager can export and delete the audit records in this report.

  • Management reports: These reports provide information about wallet access, key deactivation or expiration, endpoint certificate expiration, and the user password expiration date. The Key Administrator and the Audit Manager can view the management reports.

To access the reports, from the Oracle Key Vault management console, select the Reports tab.

The Reports page appears. By default, the Audit Trail report appears.

Figure 10-1 shows the Audit Trail reports page.

Figure 10-1 Oracle Key Vault Audit Trail Reports Page


See Also:

"Oracle Key Vault Auditing" for more information about the report

Accessing the Oracle Key Vault Management Reports

The Management Reports page provides detailed information about the expiration dates for keys, endpoint certificates, and user passwords. Only the Key Administrator and the Audit Manager can view the management reports.

  • To access the Management Reports page, select the Reports tab, and then select Management Reports.

Figure 10-2 shows the Management Reports page.

Figure 10-2 Oracle Key Vault Management Reports Page


Viewing Oracle Key Vault Status on the Dashboard

With the dashboard on the Home tab, you can view the current status of the Oracle Key Vault appliance at a high level.

The Home tab is visible to all users. It is a complete scrollable page, displayed here in two screenshots, Figure 10-3 and Figure 10-4, followed by descriptions of the various status panes.

Figure 10-3 shows the Alerts and Managed Content panes of the Home page.

Figure 10-3 Alerts and Managed Content Panes


Figure 10-4 shows the Data Interval, Operations, Endpoint Activity, and User Activity panes of the Home page.

Figure 10-4 Data Interval, Operations, Endpoint Activity, and User Activity Panes


Status Panes in the Dashboard

Oracle Key Vault provides a set of status panes on the dashboard. These status panes provide useful information for alerts, managed content, data intervals, operations, endpoint activities, and user activities.

See Figure 10-3 and Figure 10-4 to see the status panes.

The status panes are as follows:

  • Alert status

    You can list all alerts generated. For any alert, you can click the link in the Details column, which takes you to a related details or information page.

    Click All Alerts to go to the Alerts page of the Reports tab, described in "Viewing Open Alerts".

    From the Reports tab, you can configure how details about alerts appear on the dashboard. See "Configuring the Alerts That Appear in the Oracle Key Vault Dashboard".

  • Managed Content status

    The Managed Content pane of the dashboard displays tables with aggregated information about all the security objects currently stored and managed in Oracle Key Vault.

    This status pane categorizes the aggregate information based on the item type such as keys, certificates, opaque objects, private keys, and TDE master keys, as well as the item state such as pre-active, active, and deactivated.

    See Also:

    "Searching for Security Object Items" for details of Item Types and Item States

    In the Managed Content pane, the item type and item state are displayed as of the last refresh time, which is set by the refresh interval described in the Data Interval status pane.

  • Data Interval status

    This pane shows the length of the time period.

    This time period can be Last 24 hours, Last week, or Last Month, or a user-defined date range. It also shows the refresh interval for the Operations, Endpoint Activity, and User Activity sections described later.

  • Operations status

    The Operations pane contains a bar graph with bars for key-related operations such as locate, activate, add endpoint, and assign default wallet.

  • Endpoint Activity status

    The Endpoint Activity pane contains a bar graph for tracking the number of operations performed by each endpoint.

  • User Activity status

    The User Activity pane contains a three-dimensional bar graph for tracking the number of operations performed by each user.

Oracle Key Vault System Administration

Users who have been granted the System Administrator role can configure appliance settings and perform operational tasks such as initiating backup or recovery, and configuring high availability, network, and service settings.


Viewing Oracle Key Vault Status

The Oracle Key Vault Status page displays status information, but does not allow for any activities or changes.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role. See "Logging In to the Oracle Key Vault Management Console."

  2. Select System and then Status.

The status information is as follows:

  • Version

  • Uptime

  • High Availability Status

  • Backup Status

  • Free and used disk space

Setting the Oracle Key Vault Configurations

By using the Settings menu, under the System tab, a user who has been granted the System Administrator role can reboot or turn off Oracle Key Vault and also set other aspects of the system.


Settings for Configurations Page

The Settings page shows configurations such as the system time, syslog settings, network (such as IP addresses), DNS server information, and network services locations.

Figure 10-5 shows the Settings page.

Figure 10-5 Settings Page for Oracle Key Vault Configurations


These panes are as follows:

  • System Time pane

    The System Time pane enables you to configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. If an NTP server is not available, then you can set the current time manually. When you use a manual time setting, ensure that the primary and standby Key Vault servers are set to the same time.

  • Syslog Configuration

    In the Syslog Configuration pane, you set the destination computer for syslog files, and indicate whether they are sent to this computer using a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection.

  • Network pane

    In the Network pane, you set the network address of the Oracle Key Vault installation.

  • DNS pane

    Use the DNS pane to configure the servers to use for Domain Name Service (DNS), converting host names to IP addresses.

  • Network Services pane

    Your settings in the Network Services pane control whether each service (Web Access, SSH Access, and SNMP Access) is enabled for all clients, none, or specific IP addresses provided in a space-separated list. For example, if web access is enabled for only specific IP addresses, then only web browsers from those IP addresses can access the Oracle Key Vault management console.

    Note:

    Oracle strongly recommends that you enable SSH access for a short duration when command-line access is needed and disable SSH access as soon as the diagnostics function is completed.

    If you are using the Bash shell, you may need to download patch sets or security fixes that work with SSH Access. Instructions on downloading and enabling patch sets or security fixes come with the patch set release notes.

Enabling SSH Access

You can enable SSH access to log in as a support user for diagnostics purposes.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. In the Network Services section, click SSH Access, and then click Save.

System Recovery

Oracle Key Vault provides system recovery functionality for emergencies.


About System Recovery

In an emergency when no administrators can log in to Oracle Key Vault, or if you need to change the passwords of an administrator who is unavailable, you can use the special recovery passphrase that was created during Oracle Key Vault installation and configuration.

When there are administrative roles that no user can access, the recovery passphrase enables a user to go to the System Recovery pane of the Post-Install Configuration page and assign each role to a new or existing user account.

Performing System Recovery

You can perform the system recovery procedure from the login page of the Oracle Key Vault management console.

  1. Go to the login page, but do not log in.

  2. In the lower-right corner of the login screen, click the System Recovery link shown in "Logging In to the Oracle Key Vault Management Console."

  3. Enter the recovery passphrase in the field provided and press Enter.

    The System Recovery pane of the Post-Install Configuration page appears. See Step 4, "Task 2: Perform Postinstallation Tasks".

  4. Fill out the fields for the Key Administrator, System Administrator, and Audit Manager to assign these roles to new or existing user accounts.

  5. Click Save.

Changing the Recovery Passphrase

Oracle highly recommends that a user with the System Administrator role perform a new backup whenever the recovery passphrase changes. It is important that there is always a copy of the backup that is protected by the current recovery passphrase.

  1. Go to the login page, but do not log in.

  2. Click the System Recovery link shown in "Logging In to the Oracle Key Vault Management Console."

  3. Enter the recovery passphrase in the field provided and press Enter.

    The System Recovery pane of the Post-Install Configuration page appears.

  4. Fill out the fields for the recovery passphrase.

  5. Click Save.