4 Encryption Endpoints

OKM supports the following encryption endpoints:

  • Encryption capable tape drives

  • Oracle Transparent Database Encryption (TDE) 11g and higher

  • Oracle ZFS Storage Appliance

  • Oracle Solaris 11 ZFS file systems

Encryption Endpoint Tools

Endpoint tools are available for application developers, system administrators, and Oracle database administrators. Encryption endpoint tools enable applications to obtain keys from an OKM cluster.

KMS PKCS#11 Provider

A KMS PKCS#11 provider, known as pkcs11_kms, accompanies the Oracle Key Manager release. An administrator can download the Linux PKCS#11 KMS provider from the My Oracle Support website and install it on an Oracle Enterprise Linux server. The KMS PKCS#11 provider has the same security characteristics and authenticates with Oracle Key Manager appliances as other agents do.

The KMS PKCS#11 provider has been integrated with various Oracle products. It is available on the following platforms:

  • Oracle Solaris 11

  • Oracle Solaris 10 Update 10

  • Oracle Linux Server 5.5, 5.6, 5.9, and 6.5

  • Oracle Database 11.2.0.2 on a supported pkcs11_kms platform and mandatory patch 12626642

  • Oracle Database 11.2.0.4 on a supported pkcs11_kms platform

  • Oracle Database 12.1.0.1.0 on a supported pkcs11_kms platform

  • Oracle ZFS Storage Appliance running 2013.06.05.1.3 or later

The KMS PKCS#11 provider for Oracle Linux Server can be downloaded from the My Oracle Support site.

The KMS PKCS#11 provider stores a log file and profile information under a configuration directory. The user or administrator should manage this log file manually or with a utility such as logrotate. Access to the slot configuration directory should be restricted through appropriate permissions. Within the profile directory, the agent's authentication credentials are retained in a PKCS#12 file, which is secured with a password.

The default location of this slot configuration directory depends on the operating system, as follows:

  • /var/user/$USER/kms (Oracle Solaris 11)

  • /var/kms/$USER (Oracle Solaris 10)

  • /var/opt/kms/$USER (Oracle Linux Server)
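As an added example (not from the OKM documentation), the following POSIX shell script audits the pkcs11_kms slot configuration directory: it resolves the per-platform default path listed above, checks that the directory and any PKCS#12 credential file inside it are accessible only by their owner, and prints a logrotate stanza for the provider log. The `.p12` file suffix and the log file name are assumptions; the guide names neither.

```shell
#!/bin/sh
# Added example, not part of the OKM guide. Directory defaults come from the
# guide; the ".p12" suffix and the log file name are assumptions.

# Default slot configuration directory for a platform and user name.
kms_slot_dir() {
    case "$1" in
        solaris11) echo "/var/user/$2/kms" ;;
        solaris10) echo "/var/kms/$2" ;;
        linux)     echo "/var/opt/kms/$2" ;;
        *) echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Octal permission bits of a path (GNU stat first, BSD-style stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the directory and every PKCS#12 credential in it grant no
# group/other access; report each finding on stderr and return 1 otherwise.
check_kms_dir() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    mode=$(perm_of "$dir")
    case "$mode" in
        *00) ;;    # group and other digits are both zero (e.g. 700)
        *) echo "$dir: mode $mode grants group/other access" >&2; rc=1 ;;
    esac
    for f in "$dir"/*.p12; do
        [ -e "$f" ] || continue    # no credential files present
        fmode=$(perm_of "$f")
        case "$fmode" in
            *00) ;;
            *) echo "$f: mode $fmode should be 600" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# logrotate(8) stanza for the provider log: $1 = slot directory, $2 = log name
# (assumed; the guide does not state the log file name).
kms_logrotate_stanza() {
    printf '%s/%s {\n    weekly\n    rotate 8\n    compress\n    missingok\n    create 0600\n}\n' "$1" "$2"
}

# Usage: check_kms_dir "$(kms_slot_dir linux "$USER")"
```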

For more information about the KMS PKCS#11 provider, refer to the Oracle Key Manager 3 Administration Guide.

OKM JCE Provider

A Java Cryptographic Environment (JCE) Provider, known as the OKM JCE Provider, is available for developers wishing to implement Java client applications that can obtain keys from OKM. The OKM JCE Provider has the same security characteristics and authenticates with Oracle Key Manager appliances as do other agents. The OKM JCE Provider has been integrated with various Oracle products and is available from the My Oracle Support site. For more information about the OKM JCE Provider, refer to the white paper that is distributed with it.

Management Endpoints

Management endpoint tools enable system administrators and Oracle Database administrators to monitor the KMAs in an OKM Cluster.

OKM Plug-in for Oracle Enterprise Manager

The Oracle Key Manager (OKM) appliance plug-in for Oracle Enterprise Manager (OEM) Cloud Control provides monitoring for OKM clusters. Each KMA belonging to a cluster is monitored by the plug-in. A security guide is provided for this tool.