6 Managing Oracle Key Vault Endpoints

An endpoint is the database on which the data that Oracle Key Vault protects resides. You can create, delete, and reenroll endpoints, manage their virtual wallet access, and organize endpoints into groups.

About Managing Endpoints

You store security objects on endpoints, upload them to Oracle Key Vault, and download them from it again. This enables you to share these security objects with other endpoints throughout the enterprise.

You can manage endpoints and endpoint groups as follows:

  • Endpoints

    Endpoints are databases and other systems that use Oracle Key Vault to store security objects for various cryptographic operations.

    You can view and search for endpoints by specific criteria and then drill down to endpoint details. You can enroll endpoints, rename endpoints, delete endpoints, and create endpoint groups and modify their memberships.

  • Endpoint groups

    Endpoint groups are groups of endpoints that have shared access to virtual wallets.

    Administrators who have the Key Administrator role can provide access to specific or multiple virtual wallets at the endpoint group level. Then all the member endpoints of that endpoint group automatically have access to the wallets or keys. For example, if the nodes of an Oracle RAC cluster are set up in an endpoint group, then they can share wallets and wallet contents.

Administrators for endpoints perform different tasks depending on their roles. These roles are as follows:

  • The System Administrator role changes endpoint names, endpoint types, descriptions (any information that would be useful), platforms, or email addresses.

  • The Key Administrator role changes or adds a default virtual wallet, endpoint group memberships, or access to existing virtual wallets.

Searching for Endpoints

You can search for existing endpoints.

  1. Log in to the Oracle Key Vault management console.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Search for the endpoints as described in "Search Bars".

    Select one of the columns to search, such as All Columns, Endpoint Name, Endpoint Type, Description, Platform, Status, Enrollment Token, or Alert.

Adding, Deleting, or Reenrolling Endpoints

You can add, delete, or reenroll endpoints, and find the enrollment status. You can add an endpoint using either administrator-initiated enrollment or self-enrollment.

Types of Endpoint Enrollment

There are two methods for enrolling an endpoint, depending on who initiates the enrollment.

  • Administrator-initiated enrollment

    An Oracle Key Vault user who has the System Administrator role initiates the enrollment from the Key Vault side by adding the endpoint. When the endpoint is added, Oracle Key Vault generates a one-time token, called an enrollment token. This token must be communicated to the endpoint administrator using an out-of-band method such as email or telephone. The endpoint administrator then submits the enrollment token, from the endpoint side, to Oracle Key Vault as proof of authentication.

    When the endpoint is enrolled, the enrollment token is consumed and can never be used again. To resolve any particular problems or configuration issues, administrators can reenroll the endpoint. See "Deleting or Reenrolling Endpoints" for more information. The reenrollment process generates a new one-time enrollment token.

    See "Adding an Endpoint Using Administrator-Initiated Enrollment" for more information about administrator-initiated enrollment.

  • Endpoint self-enrollment

    Endpoint self-enrollment is performed in an environment where it is acceptable to enroll new endpoints without action by an Oracle Key Vault user who has the System Administrator role. This facilitates enrollment with less human administrative intervention. Endpoint self-enrollment is particularly useful when the endpoints do not share security objects and use Oracle Key Vault mainly to archive and restore security objects. In addition, endpoint self-enrollment is useful for testing purposes.

    A self-enrolled endpoint is created with a generic endpoint name, such as ENDPT_001, and it initially has access only to the security objects that it uploads or creates. It does not have access to any virtual wallets. You can subsequently grant the endpoint access to virtual wallets, but you must be careful to ensure that you are granting access to the intended endpoint.

    Endpoint self-enrollment is disabled by default and must be enabled by an Oracle Key Vault administrator with the System Administrator role. Oracle recommends that you only enable endpoint self-enrollment during the period when you expect endpoints to self enroll.

    See "Adding an Endpoint Using Self-Enrollment" for more information about self-enrollment.

Enrollment Status

The status (in processing order) for the Oracle Key Vault endpoint enrollment process is either Registered or Enrolled.

  • Registered: The endpoint has been added by an administrator and an enrollment token has been generated (from administrator-initiated enrollment), but the okvclient.jar file has not been downloaded to the endpoint.

  • Enrolled: The endpoint has presented the enrollment token, if one was necessary, and downloaded the okvclient.jar file.

Adding an Endpoint Using Administrator-Initiated Enrollment

With administrator-initiated enrollment, a user who has the System Administrator role registers the endpoint with Oracle Key Vault, providing details such as a name for the endpoint, the type of endpoint it is, the platform the endpoint uses, and the administrator email address for notifications.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoints.

    [Illustration: okv_001.png]

    When the Endpoints page appears, it displays a table listing previously added endpoints, describing their names, types, IP addresses, platform, and any alerts that may have been generated for the endpoint. The Status column lists each endpoint as being either Registered or Enrolled. Registered indicates that an endpoint has been registered with the Oracle Key Vault server. In this case, an enrollment token appears in the Enrollment Token column. The Status column changes to Enrolled when the endpoint administrator downloads the endpoint software package along with the necessary configuration files after providing the enrollment token. At this time, the one-time enrollment token has been used as part of the process, so it disappears from the page.

  3. Click Add on the Endpoints page.

  4. On the Register Endpoint page, enter the following metadata for the new endpoint:

    • Endpoint name: The endpoint name is case-insensitive. For example, Oracle Key Vault regards "APP_SERVER1" and "app_server1" as the same endpoint. The name can have letters, numbers, and underscores. The endpoint will be referred to by this name elsewhere (for example, in access settings).

    • Type: Valid values are Oracle Database, Oracle (non-database), and Other. An example of Other is a third-party KMIP endpoint.

      Note:

      If you are using Oracle Advanced Security Transparent Data Encryption (TDE) and want to use Oracle Key Vault to manage a TDE master key or wallet, then you must set Type to Oracle Database.

    • Platform: Valid values are Linux, Solaris SPARC, and Solaris x64.

    • Description (optional): Enter a description, such as the host name or IP address of the endpoint.

    • Administrator Email (optional): Email address of the endpoint administrator. This is useful for notification purposes.

    [Illustration: okv_002.png]

  5. Click Register to generate a temporary one-time token for use by the endpoint to complete the enrollment process.

    On the Endpoints page, the Endpoints table now shows the newly created entry, including a one-time enrollment token in the Enrollment Token field. The status now reads Registered, indicating that the enrollment process has begun.

  6. Add any necessary information for the endpoint, as described in "Managing Endpoint Details".

  7. Provide the endpoint administrator with the temporary one-time token, so that he or she can complete the enrollment process on the endpoint side, as described in "Task 1: Enroll and Provision the Endpoint".

    At this stage, the endpoint is configured on the Oracle Key Vault side.

Adding an Endpoint Using Self-Enrollment

Endpoint self-enrollment is disabled by default and must be enabled by a user who has the System Administrator role.

Note:

Oracle recommends that you, as the System Administrator, enable endpoint self-enrollment (by selecting the Allow Endpoint Self Enrollment check box) only during the period when you expect endpoints to self enroll. After all the endpoints have been enrolled, then you should disable endpoint self-enrollment by deselecting the Allow Endpoint Self Enrollment check box.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select the Settings menu.

    [Illustration: okv_24.png]

  3. Select the Allow Endpoint Self-Enrollment check box.

  4. Click Save.

    A dialog box appears, indicating that the settings have been saved.

  5. Notify the endpoint administrator for this endpoint that the self-enrollment is complete on the Oracle Key Vault side.

    The endpoint administrator can now enroll this endpoint by following the steps in "Task 1: Enroll and Provision the Endpoint". (Self-enrollment does not require an enrollment token.)

Note:

Oracle Key Vault associates a self-enrolled attribute with all endpoints that are enrolled through endpoint self-enrollment. For self-enrolled endpoints, the status becomes Enrolled after you complete the enrollment process. (There is no Registered status for self-enrolled endpoints.)
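The two enrollment paths above (administrator-initiated registration with a one-time enrollment token, and self-enrollment under a generic name) and the Registered/Enrolled status can be captured in a small model. The following Python is an added example, not Oracle Key Vault code: the class and method names, the 16-hex-digit token format, and the certificate placeholder string are assumptions made here so that the model runs stand-alone.

```python
"""Model of the endpoint enrollment lifecycle described in this chapter.
Added illustration only: class/method names, the token format and the
certificate placeholder are assumptions, not Oracle Key Vault APIs."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Endpoint names may contain only letters, numbers and underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass
class Endpoint:
    name: str                               # stored upper-cased: names are case-insensitive
    ep_type: str                            # "Oracle Database", "Oracle (non-database)", "Other"
    platform: str                           # "Linux", "Solaris SPARC", "Solaris x64"
    status: str                             # "Registered" or "Enrolled"
    enrollment_token: Optional[str] = None  # outstanding one-time token, if any
    certificate: Optional[str] = None       # issued when the endpoint completes enrollment
    self_enrolled: bool = False


class EnrollmentRegistry:
    """Server-side view of endpoints; the System Administrator role drives it."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.self_enrollment_enabled = False   # disabled by default
        self._self_enroll_seq = 0

    @staticmethod
    def normalize(name: str) -> str:
        if not NAME_RE.match(name):
            raise ValueError(f"invalid endpoint name {name!r}")
        return name.upper()   # APP_SERVER1 and app_server1 are the same endpoint

    # --- administrator-initiated enrollment --------------------------------
    def register(self, name: str, ep_type: str, platform: str) -> str:
        """Add the endpoint and return the one-time enrollment token, which the
        administrator passes to the endpoint administrator out of band."""
        key = self.normalize(name)
        if key in self.endpoints:
            raise ValueError(f"endpoint {key} already exists")
        token = secrets.token_hex(8)           # constructed token format (assumption)
        self.endpoints[key] = Endpoint(key, ep_type, platform, "Registered", token)
        return token

    def enroll(self, name: str, token: str) -> str:
        """Endpoint side: present the token as proof of authentication.
        The token is consumed on success; a reused or wrong token is rejected."""
        ep = self.endpoints.get(self.normalize(name))
        if ep is None or ep.enrollment_token is None:
            raise PermissionError("no outstanding enrollment token for this endpoint")
        if not secrets.compare_digest(ep.enrollment_token, token):
            raise PermissionError("enrollment token mismatch")
        ep.enrollment_token = None             # one-time: can never be used again
        ep.status = "Enrolled"
        ep.certificate = f"cert:{ep.name}:{secrets.token_hex(4)}"   # placeholder value
        return ep.certificate

    def reenroll(self, name: str) -> str:
        """Issue a fresh one-time token so the endpoint can obtain a new
        certificate (for example, after the old one was lost or expired)."""
        ep = self.endpoints[self.normalize(name)]
        ep.enrollment_token = secrets.token_hex(8)
        return ep.enrollment_token

    # --- endpoint self-enrollment ------------------------------------------
    def self_enroll(self, ep_type: str, platform: str) -> Endpoint:
        """No token and no Registered state: the endpoint goes straight to
        Enrolled under a generic name such as ENDPT_001."""
        if not self.self_enrollment_enabled:
            raise PermissionError("endpoint self-enrollment is disabled")
        self._self_enroll_seq += 1
        name = f"ENDPT_{self._self_enroll_seq:03d}"
        ep = Endpoint(name, ep_type, platform, "Enrolled",
                      certificate=f"cert:{name}:{secrets.token_hex(4)}",
                      self_enrolled=True)
        self.endpoints[name] = ep
        return ep


if __name__ == "__main__":
    okv = EnrollmentRegistry()
    token = okv.register("app_server1", "Oracle Database", "Linux")
    print("status:", okv.endpoints["APP_SERVER1"].status, "token:", token)
    okv.enroll("APP_SERVER1", token)
    print("status:", okv.endpoints["APP_SERVER1"].status)
```

The model keeps the two properties the text relies on: a token is bound to one endpoint and is gone after a single successful use, and self-enrolled endpoints never pass through Registered, which is why an audit of the Endpoints page cannot rely on a token column to spot them.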

Deleting or Reenrolling Endpoints

When endpoints are no longer necessary, System Administrators can delete them, and then reenroll them when they are needed again.

About Deleting or Reenrolling Endpoints

Users who have the System Administrator role can enroll endpoints in Oracle Key Vault and delete endpoints when they no longer use Oracle Key Vault.

Deleting an endpoint removes it permanently from Oracle Key Vault. Security objects created by that endpoint are left without an owner, so they can then be accessed only through a virtual wallet or by a user who has the Key Administrator role.

Reenrolling an endpoint enables you to download a new endpoint certificate to communicate with Oracle Key Vault, if the old certificate was lost or has expired.

If you must update the software on an enrolled endpoint, you only need to download the software. You do not need to reenroll the endpoint.

Deleting or Reenrolling an Endpoint

You can delete or reenroll an existing endpoint.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoints.

  3. On the Endpoints page, search for the endpoint as described in "Searching for Endpoints".

  4. Select the check box beside the endpoint name.

  5. Click Delete or Enroll.

  6. Depending on whether you are deleting or enrolling an endpoint:

    • If you are deleting an endpoint, a confirmation dialog box appears. Click OK.

    • If you are reenrolling an endpoint, a new enrollment token appears in the Enrollment Token column for the selected endpoint. From here, an endpoint administrator must provide this token as part of the reenrollment process (as described in "Task 1: Enroll and Provision the Endpoint").

Managing Endpoint Details

After you create an endpoint, you can manage its details, such as adding a default wallet or managing its endpoint group membership.

About Endpoint Details

The details of an endpoint cover information such as its email settings, status, creation date, whether it has a default wallet, and whether it is part of a group membership.

You can view information about the endpoint, such as administrator email, status, and creation date, on the Endpoint Details page. You can add a default virtual wallet, add and remove endpoint group memberships, and set access to virtual wallets. You can perform these activities after the endpoint is registered, even before the full enrollment process has been completed.

Some changes can only be performed after a virtual wallet has been created.

To use a default virtual wallet, you should add it to Oracle Key Vault and associate it with the endpoint, before you download the Oracle Key Vault client software to the endpoint. If you add a default wallet after downloading the client software, you must reenroll the endpoint for the change to take effect.

Note:

If working with a default wallet, it is very important that you add the wallet and associate it with the endpoint before downloading the client software and installing it at the endpoint.

For endpoints using default virtual wallets, every key that the endpoint creates is automatically added to the default wallet. Default wallets are useful for sharing with other endpoints, such as nodes in an Oracle RAC cluster.

Modifying Endpoint Details

You can modify endpoint details from the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoints.

  3. On the Endpoints page, select the name of the endpoint to be viewed or modified.

    The Endpoint Details pane for that endpoint appears.

    [Illustration: endpoint_details.png]

  4. On the Endpoint Details pane, modify the endpoint name, endpoint type, description, platform, and email as necessary.

    This page also enables you to view access information about wallets and endpoint groups.

  5. Click Save.

    The Endpoint page for that endpoint appears.

Adding Endpoint Membership in a Group

You can add an endpoint to a group by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as an administrator who has the Key Administrator role.

  2. Select the Endpoints tab, and then select Endpoints.

  3. Select the endpoint to be added to a group.

  4. Click Add in the Endpoint Group Membership region of the Endpoint Details page.

  5. On the Add Endpoints Group Membership page, select the check box next to the group that the endpoint is to become a member of.

  6. Click Save.

    A dialog box appears indicating that the member has been successfully added to the group.

Managing Virtual Wallet Access to Endpoints

You can grant or remove an endpoint's access to a virtual wallet after the wallet has been created.

Adding Endpoint Access to a Virtual Wallet

You can add endpoint access to a virtual wallet by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as an administrator who has the Key Administrator role.

  2. Select the Endpoints tab, and then select Endpoints.

  3. On the Endpoints page, select the endpoint that must have access to the virtual wallet.

  4. In the Access to Wallets pane of the Endpoint Details page, click Add.

  5. On the Add Access to Endpoint page, select a wallet from the available list.

  6. Select the desired access control. See "Access Control Options".

  7. Click Save.

    A message indicates that the access mapping succeeded.

Removing Endpoint Access to a Virtual Wallet

You can remove endpoint access to a virtual wallet by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as an administrator who has the Key Administrator role.

  2. Select the Endpoints tab, and then select Endpoints.

  3. On the Endpoints page, select the endpoint that should not have access to the virtual wallet.

  4. In the Access to Wallets pane, select the check box next to the wallet name.

  5. Click Remove.

  6. When the confirmation dialog box asks if you want to remove this access, click OK.

    A message indicates that the access mapping has been removed.

Managing Endpoint Groups

An endpoint group is a group of endpoints that have a common set of security objects.

Creating Endpoint Groups

Endpoint groups enable you to centralize multiple endpoints that share a common set of security objects.

About Creating Endpoint Groups

Endpoints that must share a common set of security objects can be grouped into an endpoint group.

For example, endpoints using Oracle RAC, Oracle GoldenGate, or Oracle Active Data Guard may need to share keys for access to shared data.

The Endpoint Groups page displays a table of existing endpoint groups. New endpoint groups appear in the table after they are created.

When you click a group name in the table, the group members and mappings to wallets are listed.

Creating an Endpoint Group

You can create an endpoint group by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab.

  3. Select Endpoint Groups.

    The Endpoint Groups page appears.

    [Illustration: okv_004.png]

  4. Click the Create Endpoint Group button.

  5. On the Create Endpoint Group page, enter the name of the new group and a brief description.

    (Optional) You can use the Search bar and Actions menu preceding the list of endpoint names to select the endpoints you want to add to the group. See "Performing Actions and Searches".

  6. (Optional) Select the check box next to each endpoint name that you want to add to the group.

    You can add members later as described in "Modifying Endpoint Group Details".

    [Illustration: okv_34.png]

  7. (Optional) Click Actions again to select any actions that you want to perform on the final list of endpoint names.

  8. Click Save.

    A message appears indicating that the group has been successfully saved. The Endpoint Group page reappears, listing the new group.

    The Endpoint Groups page also provides a link to the Wallet Overview page.

    From the Wallet Overview page, you can view Wallet Access Settings and Wallet Contents and add or remove access settings as described in "Granting User and Endpoint Access to Virtual Wallets", or "Revoking Access Settings of a Virtual Wallet".

Modifying Endpoint Group Details

You can modify the details of an endpoint group by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoint Groups.

  3. On the Endpoint Groups page, find the endpoint group to be modified, using the Search bar and Actions menu to filter.

    See "Performing Actions and Searches".

  4. Click the edit pencil icon next to the endpoint group that you want to modify.

    The Endpoint Group Details page appears.

  5. Modify the description, access to wallets, and endpoint group members as necessary.

  6. Click Save.

Setting Access from an Endpoint Group to a Virtual Wallet

You can grant an endpoint group access to an existing virtual wallet, or remove that access.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoint Groups.

  3. Select the edit pencil icon next to the endpoint group being modified, as described in "Modifying Endpoint Group Details".

  4. In the Access to Wallets pane, click Add.

  5. Select a virtual wallet from the available list.

  6. Select an Access Level:

    • Read Only: The selected subject only has Read access on the virtual wallet and items in the wallet.

    • Read and Modify: The selected subject has Read and Modify access on the virtual wallet and the items in the wallet.

  7. (Optional) Select the Manage Wallet check box.

    This option enables the selected subject to do the following:

    • Add or remove objects from the virtual wallet.

    • Grant others access to the virtual wallet.

  8. Click Save.

    A message appears, indicating that the access mapping was successful.

Removing a Member from an Endpoint Group

You can remove a member from an endpoint group. This does not remove the member from Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoint Groups.

  3. From the Endpoint Groups page, find the endpoint group from which the member is to be removed, using the Search bar or Actions menu to filter.

    See "Performing Actions and Searches".

  4. Click the edit pencil icon next to that endpoint group.

    The Endpoint Group Details page appears.

  5. On the Endpoint Group Details page, determine which members (endpoints) to remove, using the Search bar and the Actions menu as necessary.

  6. Select the check box next to the endpoint name.

  7. Click Remove.

  8. When the confirmation dialog box asks if you want to remove the endpoint from the group, click OK.

    A dialog box appears, indicating that the endpoint has been successfully removed from the group.

Deleting Endpoint Groups

You can easily delete endpoint groups if you no longer need them.

About Deleting Endpoint Groups

You can delete an endpoint group when it is no longer necessary (for example, if you no longer need to group certain endpoints together).

This does not delete the actual endpoints, but it does remove access to virtual wallets that the endpoints gained through their membership in the endpoint group.
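The access rules stated across this chapter (direct endpoint-to-wallet mappings, group-to-wallet mappings with Read Only or Read and Modify plus the Manage Wallet option, default wallets that collect every key an endpoint creates, ownerless objects after an endpoint is deleted, and the loss of group-derived access when a group is deleted) fit together in one small model. The following Python is an added example, not Oracle Key Vault code: the class and method names are assumptions, and the RAC endpoints, wallet and key used in the demonstration are constructed sample data.

```python
"""Model of endpoint, endpoint group and virtual wallet access as described in
this chapter. Added illustration only: class/method names are assumptions, not
Oracle Key Vault APIs; the sample endpoints, wallet and key are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

LEVELS = {"Read Only": 1, "Read and Modify": 2}   # higher rank wins when grants combine


@dataclass
class Access:
    level: str                    # "Read Only" or "Read and Modify"
    manage_wallet: bool = False   # may add/remove objects and grant others access


class WalletAccessModel:
    def __init__(self) -> None:
        self.endpoints: Set[str] = set()
        self.groups: Dict[str, Set[str]] = {}              # group -> member endpoints
        self.wallets: Dict[str, Set[str]] = {}             # wallet -> security object ids
        self.default_wallet: Dict[str, str] = {}           # endpoint -> wallet
        self.owner: Dict[str, Optional[str]] = {}          # object -> creating endpoint
        self.endpoint_access: Dict[Tuple[str, str], Access] = {}   # (endpoint, wallet)
        self.group_access: Dict[Tuple[str, str], Access] = {}      # (group, wallet)

    # --- setup: System Administrator adds endpoints, Key Administrator the rest ---
    def add_endpoint(self, name: str) -> None:
        self.endpoints.add(name)

    def create_wallet(self, name: str) -> None:
        self.wallets[name] = set()

    def create_group(self, name: str, members: Iterable[str] = ()) -> None:
        members = set(members)
        unknown = members - self.endpoints
        if unknown:
            raise ValueError(f"unknown endpoints {sorted(unknown)}")
        self.groups[name] = members

    def grant_endpoint(self, ep: str, wallet: str, level: str, manage: bool = False) -> None:
        self.endpoint_access[(ep, wallet)] = Access(level, manage)

    def grant_group(self, group: str, wallet: str, level: str, manage: bool = False) -> None:
        self.group_access[(group, wallet)] = Access(level, manage)

    def set_default_wallet(self, ep: str, wallet: str) -> None:
        self.default_wallet[ep] = wallet

    # --- endpoint activity ---
    def create_key(self, ep: str, obj_id: str) -> None:
        """A key created by an endpoint is owned by it and, if the endpoint has a
        default wallet, automatically added to that wallet."""
        self.owner[obj_id] = ep
        if ep in self.default_wallet:
            self.wallets[self.default_wallet[ep]].add(obj_id)

    # --- effective access: direct mapping plus every group the endpoint belongs to ---
    def effective_access(self, ep: str, wallet: str) -> Optional[Access]:
        grants = [a for (e, w), a in self.endpoint_access.items() if e == ep and w == wallet]
        grants += [a for (g, w), a in self.group_access.items()
                   if w == wallet and ep in self.groups.get(g, ())]
        if not grants:
            return None
        best = max(grants, key=lambda a: LEVELS[a.level])
        return Access(best.level, any(a.manage_wallet for a in grants))

    def can_read(self, ep: str, obj_id: str) -> bool:
        """The owner reads its own object; anyone else needs a wallet that holds it."""
        if self.owner.get(obj_id) == ep:
            return True
        return any(obj_id in objs and self.effective_access(ep, w) is not None
                   for w, objs in self.wallets.items())

    # --- removal semantics stated in the chapter ---
    def remove_member(self, group: str, ep: str) -> None:
        self.groups[group].discard(ep)        # the endpoint itself stays in Key Vault

    def delete_group(self, group: str) -> None:
        """Members survive; only access gained through the group disappears."""
        del self.groups[group]
        for key in [k for k in self.group_access if k[0] == group]:
            del self.group_access[key]

    def delete_endpoint(self, ep: str) -> None:
        """Objects it created lose their owner and stay reachable only via wallets."""
        self.endpoints.discard(ep)
        self.default_wallet.pop(ep, None)
        for members in self.groups.values():
            members.discard(ep)
        for key in [k for k in self.endpoint_access if k[0] == ep]:
            del self.endpoint_access[key]
        for obj, owner in self.owner.items():
            if owner == ep:
                self.owner[obj] = None
```

A useful check to run against this model before deleting a group in production is to list, for every member, which wallets it reaches only through that group; those are exactly the mappings that vanish, while direct endpoint mappings survive.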

Deleting an Endpoint Group

You can delete an endpoint group by using the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Endpoints tab, and then select Endpoint Groups.

  3. From the Endpoint Groups page, find the endpoint group being removed, using the Search bar and Actions menu to filter existing endpoint groups if necessary.

    See "Performing Actions and Searches".

  4. Select the check box next to the endpoint group name.

  5. Click Delete.

  6. In the Confirmation dialog box, click OK.