Oracle Key Vault is a software appliance that is delivered as an ISO image. Key Vault should be installed onto its own dedicated physical server.
The software appliance consists of a pre-configured operating system, an Oracle database, and the Oracle Key Vault application.
You can install the Oracle Key Vault appliance by meeting specific system requirements and completing a set of post-installation tasks.
The Oracle Key Vault installation requirements cover system requirements like CPU, RAM, disk space, network interfaces, and supported endpoint platforms.
Deployment on virtual machines is not recommended for production systems. However, virtual machines are useful for testing and proof of concept purposes.
The minimum hardware requirements for deploying the Oracle Key Vault software appliance are:
CPU: Minimum: x86-64, 2 cores; Recommended: 8–16 cores with cryptographic acceleration support (Intel AES-NI)
Memory: Minimum 8 GB of RAM, Recommended: 32–64 GB
Disk: Minimum 500 GB, Recommended: 1 TB
Network interface: One network interface
Hardware Compatibility: Refer to the hardware compatibility list (HCL) for Oracle Linux Release 6 Update 9 at the link in the See Also section.
RESTful Services Client: If RESTful Services are enabled, then each endpoint that connects to the Oracle Key Vault management console must have at least Java 1.7.0_21 installed.
Note: For deployments with a large number of endpoints, the hardware requirements may need to scale to meet the workload.
The hardware certification list for Oracle Linux and Oracle VM may be found at the Oracle Linux website at:
You can find the supported hardware by filtering results through All Operating Systems and choosing Oracle Linux 6.9.
Oracle Key Vault and its endpoints use a set of special ports for communication. Network administrators must ensure that these ports are open in the network firewall.
Table 3-1 lists the required network ports for Oracle Key Vault:
Table 3-1 Ports Required for Oracle Key Vault
Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault.
Used by monitoring software to poll Oracle Key Vault for system information.
Used by web clients such as browsers and RESTful Services to communicate with Oracle Key Vault.
Database TCPS Listener Port: Listener port used in a high availability configuration by Oracle Data Guard to communicate between the primary and standby server.
Database TCPS Listener Port: Listener port used in a high availability configuration to run OS commands such as synchronizing wallets and configuration files via HTTPS.
Used by Oracle Key Vault endpoints and third-party KMIP clients to communicate with the Oracle Key Vault KMIP Server.
The supported endpoint platforms in this release are:
Oracle Linux (5.x, 6.x, and 7.x)
Oracle Solaris (10.x and 11.x)
Oracle Solaris Sparc (10.x and 11.x)
RHEL 5, 6, and 7
IBM AIX (5.3, 6.1 and 7.1)
HP-UX (IA) (11.31)
Windows Server 2008
Windows Server 2012
Endpoints that are Oracle Database 10g Release 2 and later can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault. Endpoints that are Oracle Database 11g Release 2 and later can use the Online Master Key to manage TDE master keys.
Note that the term Online Master Key replaces the term TDE direct connection.
For an endpoint that is Oracle Database 11.2 or 12.1, set the COMPATIBLE initialization parameter to 220.127.116.11 or higher. For example:
SQL> ALTER SYSTEM SET COMPATIBLE = 18.104.22.168 SCOPE=SPFILE;
This applies to an Oracle Database endpoint that is connected with Oracle Key Vault using an Online Master Key (formerly known as TDE direct connection). This compatibility mode setting is not required for Oracle wallet upload or download operations.
Also note that after setting the COMPATIBLE parameter to 22.214.171.124, you cannot set it to a lower value such as 10.2. After setting the COMPATIBLE parameter, you must restart the database.
Oracle Database Administrator's Guide for more information about setting the
To install and configure Oracle Key Vault 126.96.36.199.0 and earlier, see Installing and Configuring Oracle Key Vault 188.8.131.52.0 and earlier.
To install and configure Oracle Key Vault 184.108.40.206.0 and later, do the following:
For a fresh installation, the Oracle Key Vault appliance software can be downloaded from Software Delivery Cloud. Note that this package cannot be used to upgrade Oracle Key Vault.
For an upgrade, Oracle Key Vault can be downloaded from the Oracle Automated Release Updates (ARU) website.
To download the Oracle Key Vault Appliance Software:
Oracle Key Vault 220.127.116.11.0 consists of the following ISO files:
Vxxxxxx-01.iso (Oracle Key Vault 18.104.22.168.0 (12.2 Bundle Patch 9) - Disc 1)
Vxxxxxx-01.iso (Oracle Key Vault 22.214.171.124.0 (12.2 Bundle Patch 9) - Disc 2)
The combined size of both ISO files exceeds 4 GB, so the download will take some time, depending on the network speed. The estimated download time and speed are displayed in the File Download dialog box.
Ensure that the checksums match the values that you copied from the File Download dialog box in Step 10.
OKV BP9 Disc 1
OKV BP9 Disc 2
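The checksum comparison in the download step above can be scripted so that each multi-gigabyte ISO file is hashed in pieces rather than read into memory at once. The following is an added example, not code from the Oracle documentation or from the Oracle Key Vault software: it assumes the values copied from the File Download dialog box are SHA-256 digests (the algorithm is a parameter), and it uses a constructed sample file in place of a real disc image.

```python
import hashlib
import hmac
import os
import tempfile

# Read the ISO in 1 MiB pieces: the two discs together exceed 4 GB,
# so the file must never be loaded into memory in one go.
CHUNK_SIZE = 1024 * 1024


def file_digest(path, algorithm="sha256"):
    """Return the lowercase hex digest of the file at `path`."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path, expected_hex, algorithm="sha256"):
    """True if the file's digest equals the value copied from the download dialog.

    Case and surrounding whitespace are normalised because download pages show
    digests in either case; compare_digest avoids an early-exit comparison.
    """
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)


def verify_discs(discs, algorithm="sha256"):
    """Check every disc in {label: (path, expected_hex)} and return {label: bool}.

    A missing file counts as a failure rather than raising, so one report
    covers both discs.
    """
    results = {}
    for label, (path, expected_hex) in discs.items():
        if not os.path.isfile(path):
            results[label] = False
            continue
        results[label] = verify_iso(path, expected_hex, algorithm)
    return results


def make_sample_file(content):
    """Write a constructed stand-in for a disc image and return its path."""
    fd, path = tempfile.mkstemp(suffix=".iso")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


# Constructed sample: the SHA-256 of the three bytes "abc" is a published test vector,
# used here in place of the real digest shown in the File Download dialog box.
SAMPLE_CONTENT = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    disc1 = make_sample_file(SAMPLE_CONTENT)
    disc2 = make_sample_file(SAMPLE_CONTENT + b"tampered")  # deliberately altered copy
    report = verify_discs({
        "OKV BP9 Disc 1": (disc1, SAMPLE_SHA256),
        "OKV BP9 Disc 2": (disc2, SAMPLE_SHA256),
    })
    for label, ok in report.items():
        print(f"{label}: {'checksum OK' if ok else 'CHECKSUM MISMATCH, do not install'}")
    for p in (disc1, disc2):
        os.remove(p)
```

Run it against the two downloaded ISO files by replacing the constructed paths and digests with the real ones; any disc reported as a mismatch should be downloaded again before it is burned or mounted.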
The installation process installs all required software components onto a dedicated server. The installation process may take from 30 minutes to an hour to complete, depending on the server resources where you are installing Oracle Key Vault.
The Oracle Key Vault installation wipes the server and installs a stripped-down version of Oracle Linux 6.9, thus erasing existing software and data on the server.
Ensure that the server meets the recommended requirements.
Request a fixed IP address, network mask, and gateway address from your network administrator for the dedicated server. You will need this information to configure the network in Step 13.
To install the Oracle Key Vault appliance:
Insert OKV BP9 Disc 1 into the CD/DVD drive and restart the computer.
Figure 3-1 Oracle Key Vault Install Screen
The installation begins and after several minutes, the message Please insert disc 2 is displayed.
Insert OKV BP9 Disc 2 into the CD/DVD drive, and press Enter.
The installation proceeds and after several minutes, the message Please insert disc 1 is displayed.
Insert OKV BP9 Disc 1 into the CD/DVD drive, and press Enter.
Figure 3-2 Installation Passphrase Screen
The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:).
It is important to store the installation passphrase securely. You will need it later to authenticate yourself at the Key Vault management console and complete the post-installation tasks.
Figure 3-3 Select Network Interface Screen
Figure 3-4 Identify Management Interface Screen
Figure 3-5 IP Address Setting for Management Interface Screen
The installer installs and configures the operating system, database, and Oracle Key Vault on the server to make it a self-contained hardened appliance. The installation and configuration process can take between 30 minutes and an hour. Press the Shift key to check the installation status.
Figure 3-6 Oracle Key Vault Server <Release Number> Screen
Select Display Appliance Info and press Enter to see the IP address settings for the appliance. Make a note of the IP address of the appliance. You will need it to log into the browser-based management console of Oracle Key Vault.
If you need to correct the IP Address, network mask, or the IP gateway for any reason, you can select Change IP Settings and enter the new IP settings.
Select Set User Passwords to set the Root and Support User passwords. You can also set the Root and Support User passwords when performing Post-Installation Tasks.
You have the option to change the installation passphrase by selecting Change Installation Passphrase. For more information about changing the installation passphrase, see Change the Installation Passphrase.
Note: You will need to enter the old installation passphrase in order to update the installation passphrase.
Make a note of the installation passphrase. You will need it to log into the management console for the first time, in order to complete the post-installation tasks.
After you install Oracle Key Vault, you must complete the following post-installation tasks: creating the administrative user accounts, and setting the recovery passphrase and the root and support user passwords.
To perform the post-installation tasks:
To connect to an Oracle Key Vault server whose IP address is 192.0.2.254, enter the following in the Address Bar:
After completing the post-installation tasks, you can upload a custom certificate or certificate chain that is trusted by the browser, so that you can connect to the Oracle Key Vault server without encountering the security warning message. For more information about uploading a custom certificate, see Third Party Certificates.
Figure 3-7 Installation Passphrase Screen
Note: The Installation Passphrase screen is displayed when you connect to the Oracle Key Vault server for the first time, in order to complete the post-installation tasks. After you complete the post-installation tasks, the Oracle Key Vault login screen is displayed when you access the Oracle Key Vault management console through the web browser.
Figure 3-8 Post-Install Configuration Screen
Figure 3-9 Post-Install Configuration — User Setup
In the User Setup section:
Enter the user name and password, the full name (optional), and email (optional) for each administrative user account.
You can create a different user account for each of these administrative roles for a strict separation of duties, or combine roles as needed.
Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and one special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:).
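The same composition rule applies to the installation passphrase set during installation and to the administrative user passwords set here, and the recovery passphrase below shares the minimum and is recommended to be longer. The following pre-check is an added example, not code from the Oracle documentation or from the Oracle Key Vault software; it assumes the list of accepted special characters on this page is complete (the page's list ends at the colon) and counts only ASCII letters and digits, since the installer's own character handling is not described here.

```python
import string

# Character classes as stated in the installation guide. The set of special
# characters below is an assumption that the page's list (ending at the colon)
# is complete; a character outside it, such as "!", does not satisfy the rule.
SPECIAL_CHARACTERS = ".,_+:"
MIN_LENGTH = 8


def check_password(candidate, min_length=MIN_LENGTH):
    """Return the list of rule violations; an empty list means the value is accepted.

    `min_length` can be raised when checking the recovery passphrase, which the
    guide recommends making longer and more complex than a user password.
    ASCII classes are used deliberately: str.isupper() would also accept
    non-ASCII letters, and the guide gives no indication those are permitted.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"must have {min_length} or more characters (has {len(candidate)})")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("must contain an uppercase letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("must contain a lowercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("must contain a number")
    if not any(c in SPECIAL_CHARACTERS for c in candidate):
        problems.append(f"must contain a special character from the set {SPECIAL_CHARACTERS!r}")
    return problems


def is_acceptable(candidate, min_length=MIN_LENGTH):
    """True when `candidate` meets every rule for the given minimum length."""
    return not check_password(candidate, min_length)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = ["Okv_pass1", "okvpass1_", "Okv!pass1", "Ok_1"]
    for value in samples:
        problems = check_password(value)
        verdict = "accepted" if not problems else "; ".join(problems)
        print(f"{value!r}: {verdict}")
    # Recovery passphrase check with a stricter, locally chosen minimum of 16.
    print("recovery passphrase:", check_password("Okv_pass1", min_length=16))
```

Running the check before typing a value into the installer or the Post-Install Configuration screen avoids a rejected entry; the stricter minimum used for the recovery passphrase is a local choice, not a value from the guide.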
Figure 3-10 Post-Install Configuration — Recovery Passphrase
The recovery passphrase has the same minimum requirements as user passwords. For greater security, it is recommended that you make the recovery passphrase longer and more complex. You must keep the recovery passphrase safe and retrievable because it is required in the following situations:
In an emergency, when there are no administrative users available to access Key Vault.
To restore Key Vault data from a backup.
To reset the recovery passphrase.
Caution: It is important to establish a secure process for the storage and retrieval of the recovery passphrase, including older recovery passphrases. The only way to recover from a lost recovery passphrase is to re-install Key Vault.
Figure 3-11 Post-Install Configuration — Root and Support User Passwords
The root password is for the super user account of the operating system that hosts Key Vault. You will need the support password to log in to Key Vault remotely using the SSH protocol.
Caution: Keep the root and support user passwords safe, because these passwords are set during post-installation only. After post-installation you cannot change them from the Oracle Key Vault management console.
The Time Setup and DNS Setup settings are optional at this stage, and can be set up later by a System Administrator.
Figure 3-12 Oracle Key Vault Management Console Login Screen
For example, to log in to a server whose IP address is 192.0.2.254, enter:
The login screen appears.
Figure 3-13 Oracle Key Vault Screen with Username and Password
The Oracle Key Vault management console is a browser-based console that connects to the appliance using the https secure communication channel. It provides the graphical user interface for Oracle Key Vault, where users can perform tasks like:
Creating and managing users, endpoints, and their respective groups
Creating and managing virtual wallets and security objects
Setting system settings, like network and other services
Setting up high availability and backup
Detailed help for the Actions menus and Search bars is provided in the Help selection of the Actions drop-down list.
These items are as follows:
Select Columns: Select which columns should be displayed.
Filter: Filter by column or row and a user-defined expression.
Rows Per Page: Choose how many rows you want to view.
Format: Choose formatting such as Sort, Control Break, Highlight, Compute, Aggregate, Chart, and Group By.
Save Report: Save reports.
Reset: Reset the report settings, removing any customizations.
Help: Get information about these actions.
Download: Download the result set in CSV or HTML.
This demonstration searches for endpoints, but the process is the same for other searches, except that the column headings are different.
Wildcard characters are not supported, but the search does match any letter or phrase that you enter. You can use the Filter menu item under Actions to further fine-tune the search.
To perform a search:
Figure 3-14 Endpoints Page
A new endpoint list appears, displaying the endpoints that meet the search criteria. A filter icon (a funnel) indicates that a search has been performed and displays the search criteria.