Prepare to Use Oracle Key Vault with Autonomous Database on Dedicated Exadata Infrastructure

Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise. The Oracle Key Vault is a customer-provisioned and managed system and it is not part of Oracle Cloud Infrastructure managed services. You can integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.

Prerequisites

  1. Ensure that OKV is set up and the network is accessible from the Oracle Public Cloud client network. Open ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  2. Ensure that the REST interface is enabled from the OKV user interface.
  3. Create an "OKV REST Administrator" user. You can use any qualified username of your choice, for example, "okv_rest_user". For Autonomous Database on Cloud@Customer and Oracle Database Exadata Cloud at Customer, you can use the same or different REST users. Those databases can be key-managed in the same or different on-premises OKV clusters. Oracle Database Exadata Cloud at Customer needs a REST user with the create endpoint privilege. Autonomous Database on Cloud@Customer needs a REST user with the create endpoint and create endpoint group privileges.
  4. Gather the OKV administrator credentials and IP address, which are required to connect to OKV.
  5. Open the ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  6. On Oracle Public Cloud deployments, ensure OKV has network access to the Autonomous Database by setting proper network routes with VPN (FastConnect or VPN as a Service) or any VCN peering if the compute host is in another VCN.

Create a Vault in OCI Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password

Your Dedicated Exadata Infrastructure deployment communicates with OKV over REST each time an Oracle Database is provisioned to register the Oracle Database and request a wallet on OKV. Therefore, Exadata infrastructure needs access to the REST admin credentials to register with the OKV server. These credentials are stored securely in the Oracle Vault Service in OCI as a Secret and accessed by your Dedicated Exadata Infrastructure deployment only when needed. When needed, the credentials are stored in a password-protected wallet file.

Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OCI Vault

To grant your Key Store resources permission to access the Secret in OCI Vault, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Secret you created in OCI Vaults and Secrets.

When defining the dynamic group, you identify your Key Store resources by specifying the OCID of the compartment containing your Key Store.

  • Copy the OCID of the compartment containing your Key Store resource. You can find this OCID on the Compartment Details page of the compartment.
  • Create a dynamic group by following the instructions in Managing Dynamic Groups in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:
    ALL {resource.compartment.id = '<compartment-ocid>'}

    where <compartment-ocid> is the OCID of the compartment containing your Key Store resource.

After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your vaults and secrets. Then, add a policy statement of this format:

allow dynamic-group <dynamic-group> to use secret-family in compartment <vaults-and-secrets-compartment>

where <dynamic-group> is the name of the dynamic group you created and <vaults-and-secrets-compartment> is the name of the compartment in which you created your vaults and secrets.

Create a Dynamic Group and a Policy Statement for Exadata Infrastructure to Key Store

To grant your Exadata infrastructure resources permission to access Key Store, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Key Store you created.

When defining the dynamic group, you identify your Exadata infrastructure resources by specifying the OCID of the compartment containing your Exadata infrastructure.

  • Copy the OCID of the compartment containing your Exadata infrastructure resource. You can find this OCID on the Compartment Details page of the compartment.
  • Create a dynamic group by following the instructions in Managing Dynamic Groups in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:
    ALL {resource.compartment.id = '<compartment-ocid>'}

    where <compartment-ocid> is the OCID of the compartment containing your Exadata infrastructure resource.

  • After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your Key Store. Then, add a policy statement of this format:
    allow dynamic-group <dynamic-group> to use keystores in compartment <key-store-compartment>

    where <dynamic-group> is the name of the dynamic group you created and <key-store-compartment> is the name of the compartment in which you created your Key Store.

Create a Policy Statement for Database Service to Use Secret from OCI Vault Service

To grant the Autonomous Database service permission to use the secret in OCI Vault to log in to the OKV REST interface, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your OCI Vaults and Secrets. Then, add a policy statement of this format:

allow service database to read secret-family in compartment <vaults-and-secrets-compartment>

where <vaults-and-secrets-compartment> is the name of the compartment in which you created your OCI Vaults and Secrets.
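
A least-privilege check over the three policy statements from the sections above, as an added example (not Oracle's code): it confirms each required grant is present and flags statements that use a stronger verb or a tenancy-wide scope than this page asks for. The group and compartment names in the sample are constructed placeholders, and only the plain `allow ... in compartment <name>` and `in tenancy` statement shapes are parsed; anything else is reported as unparsed.

```python
import re

# OCI IAM verbs in increasing order of privilege.
VERBS = ["inspect", "read", "use", "manage"]

# The three grants this page asks for: (subject kind, verb, resource type).
REQUIRED = [
    ("dynamic-group", "use", "secret-family"),
    ("dynamic-group", "use", "keystores"),
    ("service", "read", "secret-family"),
]

STMT = re.compile(
    r"^allow\s+(?P<kind>dynamic-group|service)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)

def parse(statement):
    """Return the statement's fields as a dict, or None if it does not parse."""
    m = STMT.match(" ".join(statement.split()))  # tolerate wrapped lines
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None

def audit(statements):
    """Compare statements with REQUIRED; return (missing, findings)."""
    parsed = [p for p in map(parse, statements) if p]
    findings = [f"unparsed: {s!r}" for s in statements if parse(s) is None]
    missing = []
    for kind, verb, rtype in REQUIRED:
        hits = [p for p in parsed if (p["kind"], p["rtype"]) == (kind, rtype)]
        if not any(VERBS.index(p["verb"]) >= VERBS.index(verb) for p in hits):
            missing.append(f"{kind} {verb} {rtype}")
        for p in hits:
            if VERBS.index(p["verb"]) > VERBS.index(verb):
                findings.append(f"{kind} {p['name']}: '{p['verb']}' on {rtype} exceeds '{verb}'")
            if p["scope"] == "tenancy":
                findings.append(f"{kind} {p['name']}: {rtype} granted tenancy-wide")
    return missing, findings

# Constructed sample policy (names are placeholders, not from the page).
SAMPLE = [
    "allow dynamic-group keystore-dg to use secret-family in compartment vault-cmp",
    "allow dynamic-group exa-dg to use keystores in compartment\n        keystore-cmp",
    "allow service database to manage secret-family in tenancy",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
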

Once the OCI Vault is set up and the IAM configuration is in place, you are ready to deploy your Oracle Key Vault 'Key Store' in OCI and associate it with your Dedicated Exadata VM Cluster.