Prepare to use Oracle Key Vault with Autonomous Database on Dedicated Exadata Infrastructure

Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise. The Oracle Key Vault is a customer-provisioned and managed system and it is not part of Oracle Cloud Infrastructure managed services. You can integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.

Prerequisites

  1. Ensure that OKV is set up and the network is accessible from the Oracle Public Cloud client network. Open ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  2. Ensure that the REST interface is enabled from the OKV user interface.
  3. Create an "OKV REST Administrator" user. You can use any qualified username of your choice, for example, "okv_rest_user". For Autonomous Database on Cloud@Customer and Oracle Database Exadata Cloud at Customer, you can use the same REST user or different ones. Those databases can be key-managed in the same or different on-prem OKV clusters. Oracle Database Exadata Cloud at Customer needs a REST user with the create endpoint privilege. Autonomous Database on Cloud@Customer needs a REST user with both the create endpoint and create endpoint group privileges.
  4. Gather the OKV administrator credentials and IP address, which are required to connect to OKV and configure the key store. See Create a Key Store for guidance.
  5. Open the ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  6. On Oracle Public Cloud deployments, ensure OKV has network access to the Autonomous Database by setting proper network routes with VPN (FastConnect or VPN as a Service) or VCN peering if the compute host is in another VCN.
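The egress requirement in steps 1 and 5 is the prerequisite most often found broken only at database registration time. The following added check script (not part of Oracle's documentation or tooling) attempts a TCP connection from the client network to each required OKV port and reports which are blocked; the OKV host name is a placeholder you replace with your own.

```python
"""Egress pre-check from a client-network host to the OKV server.

Tries a TCP connect to each port the prerequisites require (443, 5695,
5696) and reports per port whether it is reachable, timed out (likely a
filtering firewall) or refused (host reachable, nothing listening).
"""
import socket
import sys

# Ports the client network must allow outbound to the OKV server.
OKV_PORTS = (443, 5695, 5696)


def check_port(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """Return (reachable, detail) for one TCP port on host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except socket.timeout:
        return False, "timed out (egress filtered?)"
    except ConnectionRefusedError:
        return False, "connection refused (host reachable, no listener)"
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def check_okv_egress(host: str, ports=OKV_PORTS, timeout: float = 3.0) -> dict[int, bool]:
    """Check every required port and return {port: reachable}."""
    results = {}
    for port in ports:
        ok, detail = check_port(host, port, timeout)
        results[port] = ok
        print(f"{host}:{port:<5} {'OK  ' if ok else 'FAIL'} {detail}")
    return results


def all_open(results: dict[int, bool]) -> bool:
    """True only if every required port was reachable."""
    return all(results.values())


if __name__ == "__main__":
    # Placeholder host name; pass your OKV server address as the first argument.
    okv_host = sys.argv[1] if len(sys.argv) > 1 else "okv.example.internal"
    sys.exit(0 if all_open(check_okv_egress(okv_host)) else 1)
```

Run it from a host on the client network (or the compute host in the peered VCN for step 6); a "timed out" result points at a missing egress rule, while "connection refused" means the route works but the OKV service is not listening on that port.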

Create a Vault in OCI Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password

Your Dedicated Exadata Infrastructure deployment communicates with OKV over REST each time an Oracle Database is provisioned, to register the database and request a wallet on OKV. Therefore, the Exadata infrastructure needs access to the REST admin credentials to register with the OKV server. These credentials are stored securely as a Secret in the OCI Vault Service and retrieved by your Dedicated Exadata Infrastructure deployment only when needed; once retrieved, they are held in a password-protected wallet file.