What's New in Oracle Key Vault 12.2

This section lists the new features and enhancements of the following Oracle Key Vault Release 12.2 bundle patches.

New Features in Bundle Patch 11

The following are the new features and enhancements in Bundle Patch 11 (also referred to as Oracle Key Vault Release 12.2.0.11.0).

Re-Enroll All Endpoints With a Single RESTful Command

If a customer has many endpoints, re-enrolling them one by one is time consuming, even with the RESTful API. With this enhancement, Oracle Key Vault provides a single RESTful command to re-enroll all endpoints. The new RESTful command is re_enroll_all.

New Features in Bundle Patch 10

The following are the new features and enhancements in Bundle Patch 10 (also referred to as Oracle Key Vault Release 12.2.0.10.0).

Oracle Key Vault Server Certificate Rotation

Starting with this release, you can rotate certificates in the Oracle Key Vault server and for all endpoints in one operation. You can use this feature in both standalone and primary-standby environments. You also can configure an alert to warn you when it is time to rotate the certificates. This feature helps to prevent the scenario of inadvertently allowing certificates to expire. If this happens, then the endpoints cannot connect to the Oracle Key Vault server, and you would need to re-enroll the endpoints.

Periodically Verify Oracle Key Vault Access to RoT in HSM in Alert Job

In Oracle Key Vault release 12.2.0.9 and earlier with Root-of-Trust provided by a hardware security module (HSM), Oracle Key Vault needed to access the HSM only once during startup.

Starting with Oracle Key Vault release 12.2.0.10.0, the regular alert job periodically validates the HSM configuration: it checks connectivity to the HSM, the presence of the Root-of-Trust key in the HSM, and the sanity of the HSM client software installation and HSM-related files inside Oracle Key Vault. If any of these checks fails, a new alert is raised so that you can take action immediately to protect your server. By default the HSM is contacted every five minutes; the interval between checks can be configured in multiples of 5 minutes, or the alert can be disabled altogether.

New Features in Bundle Patch 9

Bundle Patch 9 (also referred to as Oracle Key Vault Release 12.2.0.9.0) does not include any new features and enhancements.

New Features in Bundle Patch 8

Bundle Patch 8 (also referred to as Oracle Key Vault Release 12.2.0.8.0) does not include any new features and enhancements.

New Features in Bundle Patch 7

The following are the new features and enhancements in Bundle Patch 7 (also referred to as Oracle Key Vault Release 12.2.0.7.0).

Automatic Endpoint Configuration tuning using OKV Management Console

Users with the System Administrator role can centrally update certain endpoint configuration parameters in the Oracle Key Vault Management Console, either globally (for all endpoints) or on a per-endpoint basis. This simplifies the management of many endpoints for system administrators.

Endpoint-specific parameters, if set, take precedence over global parameters. Global parameters, if set, take effect when the endpoint-specific parameters are cleared. OKV falls back to the default system parameters when both global and endpoint-specific parameters are cleared or were never set from the OKV management console.

Configuration parameter values set in the OKV management console are pushed to endpoints dynamically: the next time an endpoint contacts the OKV server after the parameters have been set, it receives the update. The update is best-effort; if an error occurs, it is not applied. Both okvutil and the PKCS#11 library can receive and apply endpoint configuration updates.

For more information, see Configuring Global Endpoint Configuration Parameters and Configuring Endpoint Configuration Parameters.

UEFI Boot Mode Support

Oracle Key Vault 12.2.0.7.0 supports both Legacy BIOS and UEFI BIOS boot modes. UEFI support allows Oracle Key Vault to be installed on servers that support only UEFI BIOS, such as the Oracle X7-2 Server. OKV can be installed on Oracle X7-2 servers as a standalone server or in a High Availability (HA) configuration. For more information, see Oracle Key Vault Administrator's Guide.

Support for IBM AIX 5.3 Endpoint Platform

IBM AIX 5.3 is one of the supported operating systems for Oracle Database 11g Release 2. Oracle Key Vault 12.2.0.7.0 adds AIX 5.3 as a new endpoint platform in limited capacity, in addition to the AIX 6.2 and 7.1 platforms already supported since OKV 12.2. Customers can enroll endpoints with AIX 5.3 as their endpoint platform and download the endpoint software for AIX 5.3 from the OKV server during the endpoint enrollment and provisioning process. However, before deploying the endpoint software, the customer should enable TLS 1.0 on the OKV server. For more information, see Oracle Key Vault Administrator's Guide.

New Features in Bundle Patch 6

The following are the new features and enhancements in Bundle Patch 6 (also referred to as Oracle Key Vault Release 12.2.0.6.0).

Quick Discovery of Unreachable Key Vault Server

In Oracle Key Vault 12.2.0.5.0 and earlier, clients attempt to connect to Oracle Key Vault by checking each of the two Oracle Key Vault servers in an HA deployment in turn. If a server is unavailable, the client encounters an OS-defined connection delay, which can be 20 seconds or longer depending on the OS.

In an HA deployment, the endpoint first attempts to connect to the primary and then to the standby, as listed in the endpoint configuration file. A switchover or failover does not update the configuration files on the endpoint, so the endpoint keeps trying to set up a connection with the server that was the primary before the switchover. It waits out the OS-defined delay, then moves on to the server configured as the standby and succeeds. Every new process that tries to connect to Oracle Key Vault after a switchover or failover pays this delay of several seconds, which significantly slows down database operations such as database startup, where many processes attempt a connection to Oracle Key Vault one after another.

In Oracle Key Vault 12.2.0.6.0, clients first establish a non-blocking TCP connection to Oracle Key Vault to detect unreachable servers quickly. Oracle Key Vault 12.2.0.6.0 introduces the SERVER_POLL_TIMEOUT parameter in the okvclient.ora file; once this timeout elapses, the client moves on to the next server. The default value is 300 (milliseconds).

After the first attempt, the client makes a second and final attempt to connect to the server but this time waits for twice as long as the duration specified by the SERVER_POLL_TIMEOUT parameter. This is done to overcome possible network congestion or delays.

For more information about the SERVER_POLL_TIMEOUT parameter, see Endpoint okvclient.ora Configuration File.
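To make the timing concrete, the following is an added Python model of the BP6 server-selection behaviour described above; it is not Oracle's okvclient code. It assumes a constructed two-node server list on the KMIP port 5696, reads SERVER_POLL_TIMEOUT from okvclient.ora-style text, and the probe function and its name are assumptions made for this example.

```python
import socket

DEFAULT_SERVER_POLL_TIMEOUT_MS = 300  # documented default of SERVER_POLL_TIMEOUT


def read_server_poll_timeout(okvclient_ora_text):
    """Parse SERVER_POLL_TIMEOUT (milliseconds) from okvclient.ora-style
    KEY=VALUE lines; fall back to the documented default of 300 ms."""
    for line in okvclient_ora_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SERVER_POLL_TIMEOUT":
            return int(value.strip())
    return DEFAULT_SERVER_POLL_TIMEOUT_MS


def tcp_probe(host, port, timeout_ms):
    """Bounded TCP connect: True if the server accepts within timeout_ms.
    A refused, unresolvable or timed-out connect returns False instead of
    blocking for the OS-defined delay the pre-BP6 client suffered."""
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000.0):
            return True
    except OSError:  # socket.timeout and gaierror are both OSError subclasses
        return False


def select_reachable_server(servers, timeout_ms, probe=tcp_probe):
    """Walk servers in okvclient.ora order (primary, then standby). Each server
    gets one probe at timeout_ms and a final probe at 2*timeout_ms to ride out
    transient congestion; the first server that answers wins.
    Returns ((host, port), attempts) with every probe recorded as (host, ms),
    or (None, attempts) if no server answered."""
    attempts = []
    for host, port in servers:
        for attempt_ms in (timeout_ms, 2 * timeout_ms):
            attempts.append((host, attempt_ms))
            if probe(host, port, attempt_ms):
                return (host, port), attempts
    return None, attempts


def worst_case_delay_ms(server_count, timeout_ms):
    """Upper bound on time spent before giving up when every server is down:
    each server costs timeout_ms + 2*timeout_ms."""
    return server_count * 3 * timeout_ms


if __name__ == "__main__":
    # Constructed HA endpoint configuration; hostnames are placeholders.
    servers = [("okv-primary.example.internal", 5696),
               ("okv-standby.example.internal", 5696)]
    timeout = read_server_poll_timeout("SERVER_POLL_TIMEOUT=300\n")
    chosen, made = select_reachable_server(servers, timeout)
    print("reachable:", chosen, "probes:", made,
          "worst case ms:", worst_case_delay_ms(len(servers), timeout))
```

With the default 300 ms value, an endpoint whose old primary is down spends at most 900 ms on it before reaching the standby, instead of the OS-defined delay.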

Extend Persistent Master Key Cache for Improved Resiliency with Unavailable Key Vault Servers

In Oracle Key Vault 12.2.0.5.0 and earlier, if the Oracle Key Vault server is not available, the PKCS#11 library retrieves the master key from the persistent master key cache, if one is configured. However, in the unlikely scenario that the Key Vault servers are still unavailable when the cache time limit set by PKCS11_PERSISTENT_CACHE_TIMEOUT expires, the PKCS#11 library's attempt to refresh the master key fails and endpoint database operations are affected.

The Refresh Window feature of the Persistent Master Key Cache enables the database endpoint to make multiple attempts to refresh the expired master key from the OKV server. In that sense, the endpoint waits for the OKV server to be back online for the master key refresh to complete. Meanwhile, if the master key refresh attempt fails, the keys are retrieved from the persistent cache for the duration of the refresh window.

The Refresh Window feature of the Persistent Master Key Cache thus extends the duration for which the master key is available after it is cached in the persistent master key cache. At the same time the endpoints can refresh the key during the refresh window instead of once at the end of the cache time. This addresses the possibility that persistent cache expires in the window when the Oracle Key Vault is unavailable such as when HA switchover is in progress. The refresh window terminates and the cache period begins as soon as the key is refreshed.

In the okvclient.ora file, the parameter PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW is used to extend the duration for which the master key is available after it is cached in the persistent master key cache. This value reflects the amount of time it takes for the Oracle Key Vault server to recover and come back online. The value is specified in minutes. The default value for PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW is 30 (minutes).

For more information about the Persistent Cache Refresh Window, see Persistent Master Key Cache - Refresh Window.
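The following is an added Python model of the refresh-window states described above (cache period, refresh window, expiry), layered on the persistent-cache-first lookup order that Bundle Patch 5 introduced; it is not Oracle's PKCS#11 library code. Times are whole minutes on a model clock, the fetch callback and the exception name are assumptions, and the cache timeout value used in the demo is constructed.

```python
from dataclasses import dataclass

DEFAULT_REFRESH_WINDOW_MIN = 30  # documented default of PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW


@dataclass
class CachedKey:
    key_bytes: bytes
    cached_at: int  # minutes on the model clock


class OkvUnavailable(Exception):
    """Raised by the fetch callback when no Oracle Key Vault server answers."""


class PersistentMasterKeyCache:
    """Cache entries move through three states relative to cached_at:
    cached (age < timeout), refresh_window (timeout <= age < timeout + window),
    expired (age >= timeout + window)."""

    def __init__(self, cache_timeout_min, fetch,
                 refresh_window_min=DEFAULT_REFRESH_WINDOW_MIN):
        self.timeout = cache_timeout_min   # PKCS11_PERSISTENT_CACHE_TIMEOUT
        self.window = refresh_window_min   # PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW
        self.fetch = fetch                 # fetch(key_id) -> bytes, raises OkvUnavailable
        self.entries = {}

    def state(self, key_id, now):
        entry = self.entries.get(key_id)
        if entry is None:
            return "absent"
        age = now - entry.cached_at
        if age < self.timeout:
            return "cached"
        if age < self.timeout + self.window:
            return "refresh_window"
        return "expired"

    def get_key(self, key_id, now):
        state = self.state(key_id, now)
        if state == "cached":
            # Persistent Master Key Cache First: no round trip to OKV.
            return self.entries[key_id].key_bytes
        try:
            key_bytes = self.fetch(key_id)
        except OkvUnavailable:
            if state == "refresh_window":
                # OKV unreachable (e.g. HA switchover in progress): keep serving the
                # cached key until the window closes; every call retries the refresh.
                return self.entries[key_id].key_bytes
            raise  # expired or never cached: database operations are affected
        # A successful refresh ends the refresh window and starts a new cache period.
        self.entries[key_id] = CachedKey(key_bytes, now)
        return key_bytes


if __name__ == "__main__":
    def offline_fetch(key_id):  # constructed: OKV never answers in this demo
        raise OkvUnavailable(key_id)
    cache = PersistentMasterKeyCache(cache_timeout_min=60, fetch=offline_fetch)
    cache.entries["tde-key-1"] = CachedKey(b"constructed-master-key", cached_at=0)
    for minute in (10, 70, 89, 90):
        print(minute, cache.state("tde-key-1", minute))
```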

Support for Bring Your Own TDE Master Encryption Keys

You can now import a key that you generated yourself to be used as the Transparent Data Encryption (TDE) master encryption key in Oracle Key Vault.

Key Administrators can upload this user-defined key to the groups to which they have write access. This gives Key Administrators more control over the creation of the master key used to encrypt TDE data encryption keys.

The type parameter of the okvutil upload command features a new option TDE_KEY_BYTES that allows you to upload a user-defined key to Oracle Key Vault. The key is then registered as a TDE master encryption key by running the ADMINISTER KEY MANAGEMENT command on the database. For more information about activating a TDE master encryption key, see Activating TDE Master Encryption Keys.

For more information about importing a user-defined key to use as the Transparent Data Encryption (TDE) master key in Oracle Key Vault, see Using a User-Defined Key as the TDE Master Encryption Key.

Update SNMP Settings on Standby Server

In a High Availability deployment of Oracle Key Vault 12.2.0.5.0 and earlier, SNMP Settings on the Standby server cannot be updated, as the Oracle Key Vault management console is unavailable on the Standby server.

Oracle Key Vault 12.2.0.6.0 introduces the stdby_snmp_enable script to enable the root user to modify SNMP settings on the standby server.

For more information about using the stdby_snmp_enable script, see Changing SNMP Settings on the Standby Server.

New Alerts for High Availability Operations

Oracle Key Vault generates alerts to inform Administrators about certain conditions that may affect the functioning of Oracle Key Vault.

Generate alert when FSFO failure causes HA configuration process to fail

When FSFO (Fast Start Failover) is unavailable due to a failure, the High Availability configuration process fails. This issue is not displayed in the Oracle Key Vault management console.

In Oracle Key Vault 12.2.0.6.0 and later, the following alert is generated to inform the Administrator that the High Availability configuration process failed due to a Fast Start Failover failure:
HA FSFO is not synchronized. FSFO status is <HA status>

For more information about configuring alerts, see Oracle Key Vault Alert Configuration.

Generate alert when HA nodes are not successfully synchronized

If the Oracle Key Vault primary server is unable to function in High Availability mode because of an Active Data Guard or other unknown failure, the issue is not displayed in the Oracle Key Vault management console.

In Oracle Key Vault 12.2.0.6.0 and later, the following alert is generated to inform the Administrator that the Oracle Key Vault primary server is unable to function in High Availability mode due to an Active Data Guard or other unknown failure:
Dataguard Broker is disabled

For more information about configuring alerts, see Oracle Key Vault Alert Configuration.

New install option to update the Oracle database-specific okvclient.ora symlink

In Oracle Key Vault 12.2.0.5.0 and earlier, the symlink reference to okvclient.ora is not updated during re-enrollment.

In Oracle Key Vault 12.2.0.6.0, the new okvclient.jar option -o allows you to overwrite the symlink reference so that it points to okvclient.ora in the new directory.

Support for Oracle Database 12.2.0.1.0 on Windows Server 2008 and 2012

Oracle Key Vault 12.2.0.6.0 supports Oracle Database 12.2.0.1.0 on Windows Server 2008 and Windows Server 2012.

Oracle Database 11.2.0.4 and 12.1.0.2 on Windows Server 2008 and Windows Server 2012 are also supported, as in previous versions of Oracle Key Vault.

New Features in Bundle Patch 5

The following are the new features and enhancements in Bundle Patch 5 (also referred to as Oracle Key Vault Release 12.2.0.5.0).

Support for Read-Only Restricted Mode

Oracle Key Vault supports Read-Only Restricted mode in High Availability deployments. This mode ensures operational continuity when the primary or standby server encounters a failure that disrupts communication between the servers, so that keys remain accessible in the event of a primary or standby server failure.

When Read-Only Restricted mode is enabled, the primary or standby server will ensure that operations such as key retrieval are not affected if the peer server encounters a failure. Operations that create or modify critical data are disabled.

In earlier releases, when the primary or standby server encountered a failure, operations were disabled in order to prevent the risk of data loss. You can disable Read-Only Restricted mode to retain that previous mode of operation.

For more information, see High Availability Read-Only Restricted Mode.

Additional Attributes on the All Items page to improve Key Searchability

Additional attributes such as Name, Deactivation Date and Protect Stop Date have been added to the All Items page. This enables a user to search for keys that are deactivated or will be deactivated soon. Keys uploaded using okvutil have multiple identifiers, and this feature improves the lookup of such keys.

Support for Sending Audit Records to Remote Syslog

Oracle Key Vault supports sending audit records to a remote Syslog server. Oracle Key Vault audit managers can enable this option once remote Syslog has been configured by the System Administrator.

For more information about configuring Syslog to store audit records, see Configuring Syslog to Store Audit Records.

Persistent Cache - New Mode and Lookup

Persistent cache features a new mode of operation - Persistent Master Key Cache First. When a key is required by the database, a lookup is performed on the persistent cache before fetching the key from the Oracle Key Vault. This improves performance because the PKCS#11 library will connect to Oracle Key Vault only if the key is not found in the persistent master key cache. This is the default persistent cache mode.

A new type, okv_persistent_cache, is added to the okvutil list command. It allows customers to view the persistent cache and check whether the keys are available or expired.

For more information about the Persistent Master Key Cache, see Persistent Master Key Cache Modes of Operation.

Upgraded to Oracle Linux 6.9

Oracle Key Vault 12.2.0.5.0 installs a stripped-down version of Oracle Linux 6.9 during a fresh installation.

Two Disc Installation

Oracle Key Vault is now installed using two discs (created from two ISO files). For a fresh installation, Oracle Key Vault can be downloaded from Software Delivery Cloud. Note that this package cannot be used for an upgrade.

For more information, see Oracle Key Vault Installation and Configuration.

Note:

The upgrade package is installed using a single ISO file. For an upgrade, Oracle Key Vault can be downloaded from the Oracle Automated Release Updates (ARU) website.

New Features in Bundle Patch 4

New in Release 12.2 BP 4 is support for Oracle Database 11.2.0.4 (BP 9 and later) and 12.1.0.2 on Windows Server 2008 and 2012.

Support for Oracle Database 11.2.0.4 (BP 9 and later) and 12.1.0.2 on Windows Server 2008 and 2012

Oracle Key Vault supports Oracle Database 11.2.0.4 (BP 9 and later) and 12.1.0.2 on Windows Server 2008 and Windows Server 2012.

New Features in Bundle Patch 3

The following are the new features and enhancements in Bundle Patch 3 (also referred to as Oracle Key Vault Release 12.2.0.3.0).

Persistent Master Key Cache

The persistent master key cache feature enables databases to remain operational when the Key Vault server is unavailable for any reason. The TDE master key is cached in the persistent cache in addition to the in-memory cache, so it works across database processes. This eliminates the need for databases to contact the Key Vault server for every new process, redo log switch, or database startup. Because it is implemented in the Oracle Key Vault PKCS#11 library, it also eliminates the need for database patching for previous database releases.

Integration with nCipher Hardware Security Module (HSM)

This release supports integration with the Hardware Security Module nCipher nShield Connect.

Support for NIST CNSA Suite

Oracle Key Vault supports the Commercial National Security Algorithm Suite (CNSA), a list of strong encryption algorithms and key lengths that offer greater security and relevance into the future.

SMTP Business Service for Email Notification

Oracle Key Vault supports the Google and Office365 SMTP business services for email notifications and alerts. This feature is beneficial for customers who depend on external email services such as Google and Office365.

New REST API to Manage Virtual Wallets

Release 12.2 BP 3 offers two new virtual wallet commands to better manage virtual wallets in Oracle Key Vault. Endpoint administrators can now retrieve the default wallet and all virtual wallets associated with an endpoint. This makes it easier to manage keys and credentials stored in virtual wallets.

New Features in Bundle Patch 2

The following are the new features and enhancements in Bundle Patch 2 (also referred to as Oracle Key Vault Release 12.2.0.2.0).

Support for New Endpoint Platforms

Support for two new platforms:

  • AIX

  • HP-UX (IA)

Support for Modern Hardware

The 12.2 Release is based on Oracle Linux Release 6 Update 6 operating system and Oracle Database 12.1.0.2 which are compatible with most modern hardware.

See Also:

"System Requirements"

Preconfigured Management Reports

Oracle Key Vault audits all endpoint and user activity and outputs the collected data in the form of preconfigured reports for endpoints, users, security objects and system. These reports provide a comprehensive and in-depth view of system activity that administrators can use for planning purposes.

Compliance

A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD) to reduce the attack surface of computer systems and networks, thereby ensuring a lockdown of highly confidential information stored within the DOD network.

Third-party CA support for the Management Console

Key Vault administrators can use their own certificate or upload certificates signed by a third-party Certificate Authority (CA) to replace the self-signed certificate used by Key Vault's browser-based graphical user interface and users for administrative operations.

Automatic Email Notifications

This feature enables Key Vault system administrators to:

  • Send the endpoint enrollment token directly to the endpoint administrator instead of using an out-of-band method.

  • Reset a user's password in case of a security breach.

  • Elect to be notified about system and status changes to respond quickly to security threats and risks.

See Also:

"Email Notification"

Remote Monitoring via SNMP v3

With SNMP enabled, system administrators can remotely monitor the Key Vault appliance for resource usage like memory, CPU utilization, processes, network bandwidth, and the key management server (KMIP daemon). The collected information can be used to monitor system performance and to recover quickly from any failures. Oracle Key Vault uses SNMP Version 3 for its user authentication and data encryption features.

Automation of Endpoint Enrollment Using the RESTful Software Utility

The RESTful Services utility is a scripting tool that enables you to automate endpoint enrollment at scale. Automation reduces the multiple steps of enrolling and provisioning endpoints to a single command or script that you can execute at the command line. This is useful for administrators who need to enroll and provision hundreds of endpoints with minimal human intervention.

Audit consolidation using Oracle Audit Vault and Database Firewall

Key Vault can send its audit records to Audit Vault and Database Firewall (AVDF), allowing enterprise administrators to view Key Vault audit data from the AVDF management console. Enabling this feature frees up storage in Key Vault, as the audit data no longer resides in Key Vault.

Diagnostics

Diagnostics may be gathered for the:

  • Oracle Key Vault server and provided to Oracle support for further analysis.

  • Endpoint with the diagnostics function in the endpoint software.

New Features in Bundle Patch 1

The following are the new features and enhancements in Bundle Patch 1 (also referred to as Oracle Key Vault Release 12.2.0.1.0).

Support for Oracle Cloud Database as a Service Endpoints

An Oracle Key Vault on-premises appliance can manage Transparent Data Encryption (TDE) master keys for Oracle Cloud Database as a Service instances.

Oracle Key Vault HSM Integration

Oracle Key Vault can use HSMs to generate and store a top-level encryption key, thereby acting as a Root of Trust (RoT) that protects the encryption keys used by Key Vault. HSMs are built with specialized tamper-resistant hardware that is harder to access than normal servers. This protects the RoT and makes it difficult to extract, lowering the risk of compromise. In addition, HSMs can be used in FIPS 140-2 Level 3 mode, which can help meet certain compliance requirements.

Note that an existing Oracle Key Vault deployment cannot be migrated to use an HSM as a Root of Trust. To use Oracle Key Vault with an HSM, a new Oracle Key Vault deployment is required.