Release Notes
Release 12.1
E54108-09
May 2015
These Release Notes contain important information about Oracle Key Vault. See Oracle Key Vault Administrator's Guide for detailed information about Oracle Key Vault.
Topics:
You can download the most current version of this document from the following website:
http://www.oracle.com/technetwork/database/options/key-management/downloads/index.html
To access the Oracle Key Vault documentation, visit the following site:
This section describes known issues and workarounds for general administration and configuration issues.
Topics:
Unable to Refresh the Current Key Vault Management Console Page
Failure When Setting Up High Availability with Asymmetric System Memory
Adding a Default Wallet to an Endpoint Requires Re-Enrollment
Cannot Change System Recovery Password When in High Availability
Unable to Download Security Objects to an Auto-login Wallet in Some Endpoints
TDE_MASTER_KEY Is Not Set in Pluggable Database After HSM Migration
Reverse Migration from Oracle Key Vault to a Local Wallet Does Not Set Master Key in PDBs
Incorrect Error Message When Invalid Certificate Information Entered for High Availability
While using the Key Vault management console, the following error may appear:
Session state protection violation This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
Workaround: Close the browser window and establish a new session with the Key Vault management console.
For example:
https://192.0.2.254
Oracle Bug: 18710655
If you are logged into the Key Vault management console but leave the page and then try to refresh later on, the following error may appear:
Success message checksum content error Contact your application administrator.
Workaround: Close the browser window and establish a new connection to the Key Vault management console.
For example:
https://192.0.2.254
Oracle Bug: 18866155
The following error may appear after you run an okvutil command that affects wallets:
Error: KMIP Operation General Failure
Workaround: As a Key Administrator, check for the following possible problems:
The wallet name supplied for the -g group option is incorrect. Remember that the group name you specify is case sensitive, and that it must match exactly the virtual wallet that was created in Oracle Key Vault. You can check the wallet names in the Key Vault management console by selecting the Keys & Wallets tab, and then selecting Wallets. The names of the wallets are in the Wallets pane.
The endpoint on which the command was used does not have access to the wallet. Look for the wallet name in the list of wallets for the endpoint, and then ensure that it has Read, Modify, and Manage Wallet permissions.
Oracle Bug: 17631393
When configuring a standby appliance for High Availability, the standby appliance may fail to start if its memory size is smaller than the memory size of the primary appliance.
Workaround: Deploy a standby appliance with same system memory size as the primary appliance. Ensure that the hardware configurations (CPU, memory size, and disk size) for the primary and the standby match.
Oracle Bug: 18906235
If a default wallet is not specified when you enroll an endpoint, then you must re-enroll the endpoint and as part of that process, specify the default wallet.
Workaround: None
Oracle Bug: 19079333
When the Oracle Key Vault appliance instance is operating in High Availability mode, an Operation not allowed error is returned when if you try to change the recovery passphrase. Therefore, when you use the system recovery page to create new administrative users or reset passwords for existing administrative users, ensure that you leave the system recovery passphrase fields blank.
Workaround: If you want to change the recovery passphrase, then revert the existing primary appliance node to a standalone appliance.
Oracle Bug: 19259565
In some cases, backups to remote destination may fail to transfer backups larger than 4GB when using password authentication.
Workaround: Configure the remote backup destination to use key-based authentication. Only use password authentication for testing and proof-of-concept deployments.
Oracle Bug: 19158043
For Oracle Database 12c endpoints, downloading security objects from Oracle Key Vault directly into an auto-login wallet may fail to create an auto-login wallet in the specified path. This is due to changes in the orapki utility between the Release 11g and 12c orapki utility.
Workaround: Download the password-protected wallet and then manually convert it to an auto-login wallet by using the orapki utility.
Oracle Bug: 19266884
In a multitenant environment, after running the ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY ... MIGRATE statement, the TDE_MASTER_KEY column is set in the PROPS$ table for CDB$ROOT even though you do not have column encryption in CDB$ROOT. However, the null value is set for the TDE_MASTER_KEY in the CDB1_PDB1 view.
Workaround: None. TDE direct connections to Oracle Key Vault are not supported on databases using the Oracle Multitenant option.
Oracle Bug: 17409174
In a multitenant environment, performing a reverse migration fails in a pluggable database (PDB). The reverse migration succeeds in the CDB$ROOT, but the master key is not set in any of the PDBs in this container.
Workaround: None. TDE direct connections to Oracle Key Vault are not supported on databases using the Oracle Multitenant option. However, you can perform Oracle wallet uploads and downloads in a multitenant environment.
Oracle Bug: 18223527
If you are configuring high availability, in the Configure High Availability window, then you must enter a peer system IP address and certificate. If you enter invalid settings, a message saying Peer system: IP and Certificate settings saved successfully appears. This message is incorrect. If the settings are valid, they are saved. If they are invalid, the settings are not saved, even though the message indicates otherwise.
Workaround: None
Oracle Bug: 17400789
You may encounter one or more of the following Oracle Database bugs when using Oracle Key Vault for key management. In most cases, the bugs have already been fixed in the latest release. Check with Oracle Support to see if a patch is available for your version and platform of the Oracle Database.
Topics:
ORA-00600 Error on Database Shutdown When Using TDE Direct Connection to Oracle Key Vault
ADMINISTER KEY MANGEMENT SET KEY Returns ORA-600 in Oracle RAC Environments
An ORA-00600 internal error code error appears during a shutdown of the database after you have selected from the V$ENCRYPTION_KEYS or V$CLIENT_SECRETS TDE view when using TDE in an HSM configuration. This error occurs in the Oracle Database 12.1.0.2 release.
Workaround: This problem occurs when you try to clean up the SGA cache for V$ENCRYPTION_KEYS and V$CLIENT_SECRETS views after the database shutdown has been initiated. Closing the wallet also cleans up the system global area (SGA) cache for these views.
Before shutting down the database, explicitly close the keystore, as follows:
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "Key_Vault_endpoint_password";
Oracle Bug: 18419520
An ORA-03113: end-of-file on communication channel error appears under the following conditions:
The endpoint database is Oracle Database Release 11.2.0.3.
You attempt DDL actions on an encrypted table after uploading the keys to Oracle Key Vault but before migrating to Oracle Key Vault.
Workaround: Complete the migration process to Oracle Key Vault. For example:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Key_Vault_endpoint_password" MIGRATE USING "wallet_password";
Oracle Bug: 17707304
An ORA-03113: end-of-file on communication channel error appears under the following conditions:
The endpoint database is Oracle Database Release 11.2.0.3.
You attempt to rekey the table keys before you perform a migration of the TDE master key from an Oracle wallet file to Oracle Key Vault.
Workaround: Complete the migration process to Oracle Key Vault. For example:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Key_Vault_endpoint_password" MIGRATE USING "wallet_password";
Oracle Bug: 17738957
An ORA-03113: end-of-file on communication channel error appears under the following conditions:
The endpoint database is Oracle Database Release 12.1.0.1.
You perform a create key operation using the ADMINISTER KEY MANAGEMENT CREATE ENCRYPTION KEY USING TAG statement in a new session.
Workaround: Execute a SQL statement that accesses Oracle Key Vault before you create the key in the same session. For example:
SELECT KEY_ID FROM V$ENCRYPTION_KEYS;
Oracle Bug: 17834007
In an Oracle Real Application Clusters (Oracle RAC) environment using Oracle Database 12.1.0.1, the following error appears if you try to run the ADMINISTER KEY MANAGEMENT SET KEY statement to set a key using a TDE direct connection in a pluggable database:
ORA-00600: internal error code
Workaround: Use the ALTER SYSTEM SQL statement instead of ADMINISTER KEY MANAGEMENT.
For example:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Key_Vault_endpoint_password";
Oracle Bug: 18144599
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Key Vault Release Notes, Release 12.1
E54108-09
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.