You should understand the system requirements, how to install Oracle Key Vault, and how to perform postinstallation tasks. You should also understand how to access the Oracle Key Vault management console after you complete the installation process.
Oracle Key Vault is a software appliance whose installation requirements cover system requirements, network ports, supported endpoint platforms, and endpoint database requirements.
Oracle Key Vault is packaged as a software appliance and delivered as an ISO package, which must be installed onto its own dedicated server.
This software appliance consists of a preconfigured operating system, an Oracle database, and the Oracle Key Vault application.
Deployment on virtual machines is not recommended for production systems. However, you can use virtual machines for testing and proof of concept.
The hardware requirements for deploying the software appliance are:
CPU: Minimum: 2 x86 cores, Recommended: 2+ cores with cryptographic acceleration support (Intel Westmere or later)
Memory: Minimum 4 GB of RAM
Disk: Minimum 500 GB hard disk
Network interface: One network interface
Compatibility: Compatible with Oracle Linux, Release 5 Update 10.
To find supported hardware, see the following hardware certification list for Oracle Linux and Oracle VM, for the system supported by 5.10:
Oracle Key Vault and endpoints use a set of special ports for communication.
Network administrators must ensure that some or all of these ports are not blocked by the firewalls.
Table 3-1 describes the ports that Oracle Key Vault requires.
Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault.
See the description of the Network Services pane under "Settings for Configurations Page".
Used by web clients such as browsers to communicate with Oracle Key Vault.
Database TCPS Listener Port
Used for communication between the Oracle Key Vault primary and standby appliances in high availability configurations.
Used by Oracle Key Vault endpoints and third party KMIP clients to communicate with the Oracle Key Vault KMIP Server.
The supported releases are as follows:
Oracle Linux (5.x and 6.x)
Oracle Solaris (10.x and 11.x)
Oracle supports both 32-bit and 64-bit Linux endpoints. However, only 64-bit endpoints are supported for Oracle databases that use TDE direct connections.
You can create endpoints from Oracle Database 10g and later and use the okvutil upload command to upload Oracle wallets from these releases. Direct connections between TDE and Oracle Key Vault are supported on Oracle Database 11g Release 2 and later.
If you plan to use Oracle Key Vault with Oracle Database 11.2, then set the COMPATIBLE initialization parameter for 220.127.116.11 or higher. For example:
SQL> ALTER SYSTEM SET COMPATIBLE = 18.104.22.168 SCOPE=SPFILE;
This is applicable if an Oracle database endpoint is connected with Oracle Key Vault using a TDE direct connection, but this compatibility mode setting is not required for Oracle wallet upload or download operations.
Also, be aware that after setting the COMPATIBLE parameter for 22.214.171.124, you cannot set it to a lower value, such as 10.2. Ensure that you restart the database after setting this parameter.
See Also: Oracle Database Administrator's Guide for more information about setting the
The installation process installs all required software components onto a dedicated server. The installation process may take from 30 minutes to an hour to complete, depending on the server resources where you are installing Oracle Key Vault.
Caution: This installation takes over the server completely and removes any existing data on the server.
Request a fixed IP address, network mask, and gateway address from your network administrator for the dedicated server. You will need this information for Step 9.
Ensure that this server meets the recommended requirements described in "Oracle Key Vault Installation Requirements".
Insert the installer disk for Oracle Key Vault in the disk drive and then restart the computer.
The system restarts from the disk, and the initial splash screen appears:
install, and then press the Enter key.
The installation proceeds. This step can take several minutes to complete. The next screen prompts for the installation passphrase, which you must create.
Make a note of this passphrase because it is used for authentication during the first login to the Oracle Key Vault management console.
The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and punctuation character. The allowed punctuation characters are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.
Confirm the installation passphrase in the Confirmation screen.
The Oracle Key Vault installation proceeds if the installation passphrase in the confirmation screen matches the one entered previously. Otherwise, the confirmation screen prompts again for confirmation.
Press Enter to select OK.
The Select Management Interface screen appears.
Select the interface and select Select.
Press Enter to accept the defaults when the installer prompts for the MAC address of the management interface.
If more than one network interface is available, then select the interface that you want to serve as the management interface and to communicate with endpoints. Note that the management interface appears as the MAC address in the following screen.
Press Enter to select Select in the following screen.
The screen entitled "Please enter management interface IP setting" appears next.
Enter the configuration information for the appliance that includes a fixed IP address, the network mask, and the gateway address.
Press Enter to select Reboot to complete installation.
Wait while the installer installs and configures the operating system, database, and Oracle Key Vault on the server to make it a self-contained hardened appliance.
This process will take several minutes, during which time the screen may turn off due to the screen saver. To see whether the installation has completed, press the Shift key to turn the screen back on. If the installation has completed successfully, the following screen appears.
After you have installed the Oracle Key Vault appliance, you are ready to perform the postinstallation tasks, which include creating administrative user accounts, creating a recovery passphrase, and optionally, setting the time and DNS configuration.
Open a web browser.
For example, to log in to an Oracle Key Vault server whose IP address is 192.0.2.254, enter:
Your browser may produce a warning saying that you are connecting to a website with an untrusted or self-signed security certificate. You can safely ignore this warning and proceed.
When the following screen appears, log in to the Oracle Key Vault appliance for the first time using the installation passphrase created in Step 5 under "Task 1: Install the Oracle Key Vault Appliance."
This screen only appears after you have just installed the Oracle Key Vault appliance. The next time that you log in to the appliance, the standard Oracle Key Vault login screen will appear.
Administrative role information (See "Overview of Administrative Roles").
Enter the user name, password, full name (optional), and email (optional) for the Key Administrator, System Administrator, and Audit Manager.
To fully support separation of duty requirements, you can create a different user account for each of these administrative roles. However, if one person performs multiple functions, you can assign two or more roles to the same user account.
Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and punctuation character. The allowed punctuation characters are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.
The recovery passphrase has the same minimum requirements as the passwords that you create for the administrative users. However, it is a good idea to make this passphrase longer and more complex, because it provides access to backups containing all of the data on Oracle Key Vault. Because the recovery passphrase is extremely powerful and infrequently used, it is important to establish a process to store it securely and make it available only in emergency situations.
The recovery passphrase can be used for these situations:
When there are no administrators who are able to access the administrative roles (Key Administrator, System Administrator, Audit Manager). The recovery passphrase can be used to return to this screen to assign each administrative role to a new or existing user account.
When the Oracle Key Vault server must be restored from a previous backup file. The recovery passphrase is required to restore from a backup file and must match the recovery passphrase used when the backup was performed.
Complete the advanced section of the page by supplying the root password and the support user password. If you restore an existing backup to this appliance, then the root and support password you set here will remain the same, but all other data and user passwords will revert to the values when the backup was performed. This is also true if this system is added as the standby node of a high availability cluster.
Time Setup and DNS Setup settings are optional at this stage and can be set up later by a user with the System Administrator role using the Oracle Key Vault management console. (These are available by selecting the System tab, and then Settings.)
When the configuration is successful, the Oracle Key Vault post-install configuration is complete, and the login page appears.
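The rule given above for the installation passphrase, the administrative passwords, and the recovery passphrase can be checked offline before a value is typed into the installer or console. The following Python sketch is an added example, not Oracle code: the function names are hypothetical, and it assumes ASCII letters and digits and that any character outside the listed punctuation is rejected.

```python
import secrets
import string

MIN_LENGTH = 8
# Punctuation the page lists as allowed: period, comma, underscore, plus, colon, space.
ALLOWED_PUNCT = ".,_+: "
CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "punctuation character": ALLOWED_PUNCT,
}
ALPHABET = "".join(CLASSES.values())


def check_passphrase(candidate):
    """Return the list of violated rules; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in candidate):
            problems.append("no " + name)
    # Assumption: anything outside ASCII letters, digits and the six listed
    # punctuation characters is rejected rather than silently accepted.
    if any(c not in ALPHABET for c in candidate):
        problems.append("character outside the documented set")
    return problems


def generate_passphrase(length=24):
    """Draw a random passphrase from the documented alphabet using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 8")
    while True:
        # Resample until every class is present; this avoids fixed positions.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Leading or trailing spaces are easy to lose when typed or stored.
        if candidate == candidate.strip() and not check_passphrase(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for sample in ("Vault_2024", "Sh0rt_", "NoPunct1234", "Bad!Char_9x"):
        print(repr(sample), check_passphrase(sample) or "ok")
```

The default length of 24 reflects the advice to make the recovery passphrase longer than the 8-character minimum; the checker reports rule names only and never echoes the candidate.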
The management console is a browser-based console that connects to the appliance using the https secure communication channel.
Open a web browser.
For example, to log in to a server whose IP address is 192.0.2.254, enter:
The login screen appears.
Enter your user name and password.
Click Login.
Note: Detailed help for the Actions menus and Search bars is provided in the Help selection of the Actions drop-down list.
These items are as follows:
Select Columns: Select which column should be displayed.
Filter: Filter by column or row and a user-defined expression.
Format: Choose formatting such as Sort, Control Break, Highlight, Compute, Aggregate, Chart, and Group By.
Save Report: Save reports.
Reset: Reset the report settings, removing any customizations.
Help: Get information about these actions.
Download: Download the result set in CSV or HTML.
This demonstration searches for endpoints, but the process is the same for other searches, except that the column headings are different.
Wildcard characters are not supported, but the search does match any letter or phrase that you enter. You can use the Filter menu item under Actions to further fine-tune the search.
To perform a search:
Enter a name or other identifier in the search field or (optionally) place your cursor on the magnifying icon in the Search bar to select one of the table headings (in this case, All Columns, Endpoint Name, Endpoint Type, Description, Platform, Status, Enrollment Token, and Alert) and then enter a search term.
A new endpoint list appears, displaying only those endpoints that meet the search criteria. A filter icon (looks like a funnel) indicates that a search has been performed and displays the search criteria.
You can select or deselect the filter icon to disable the search and enable the entire list to reappear.