Use Oracle Key Vault with Autonomous AI Database on Dedicated Exadata Infrastructure
Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise. The Oracle Key Vault is a customer-provisioned and managed system and it is not part of Oracle Cloud Infrastructure managed services. You can integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.
Prerequisites
- Ensure that OKV is set up and the network is accessible from the Oracle Public Cloud client network. Open ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
- Ensure that the REST interface is enabled from the OKV user interface.
- Create an "OKV REST Administrator" user. You can use any qualified username of your choice, for example, "okv_rest_user". For Autonomous AI Database on Cloud@Customer and Oracle Database Exadata Cloud at Customer, use the same or different REST users. Those databases can be key-managed in the same or different on-prem OKV clusters. Oracle Database Exadata Cloud at Customer needs a REST user with the create endpoint privilege. Autonomous AI Database on Cloud@Customer needs a REST user with the create endpoint and create endpoint group privileges.
- Gather the OKV administrator credentials and IP address, which are required to connect to OKV and configure the key store. See Create a Key Store for guidance.
- On Oracle Public Cloud deployments, ensure OKV has network access to the Autonomous AI Database by setting proper network routes with VPN (Fast connect or VPN as a Service) or any VCN peering if the compute host is in another VCN.
Create a Vault in OCI Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password
Your Dedicated Exadata Infrastructure deployment communicates with OKV over REST each time an Oracle Database is provisioned to register the Oracle Database and request a wallet on OKV. Therefore, Exadata infrastructure needs access to the REST admin credentials to register with the OKV server. These credentials are stored securely in the Oracle Vault Service in OCI as a Secret and accessed by your Dedicated Exadata Infrastructure deployment only when needed. When needed, the credentials are stored in a password-protected wallet file.
Create a Policy Statement for Database Service to Use Secret from OKV Vault Service
To grant the Autonomous AI Database service permission to use the secret in OCI Vault to log in to the OKV REST interface, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your OCI Vaults and Secrets. Then, add a policy statement of this format:
allow service database to read secret-family in compartment <vaults-and-secrets-compartment>
where <vaults-and-secrets-compartment> is the name of the compartment in which you created your OCI Vaults and Secrets.
Once the OCI Vault is set up and the IAM configuration is in place, you are now ready to deploy your Oracle Key Vault 'Key Store' in OCI and associate it with your Dedicated Exadata VM Cluster.
Update OKV Endpoint Group
You can update the OKV endpoint group from the Details page of an ACD.
Optionally, you can also add an OKV endpoint group name with the OKV keystore while provisioning the ACD or later.
- The OKV endpoint group has access to the corresponding OKV wallet.
- The OKV endpoints corresponding to the ACD are part of the OKV Endpoint group.
- The OKV endpoint group has read access to default wallet(s) of the endpoints.
- Go to the Details page of the ACD. For instructions, see View Details of an Autonomous Container Database.
- Click Edit next to the OKV Endpoint Group name under Encryption.
- Choose a Key Store from the list and enter a name for the OKV endpoint group. The endpoint group name must be in all uppercase and may include numbers, hyphens (-), and underscores (_) and start with an uppercase letter.
- Click Save.
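As an added example (not part of the Oracle documentation), a small Python check for the endpoint group naming rule in the step above; it reports each violated rule and derives a compliant name, so a name can be corrected before you click Save. The function names are hypothetical.

```python
import re

# Naming rule from the procedure above: all uppercase, must start with an
# uppercase letter, and may otherwise contain uppercase letters, digits,
# hyphens (-) and underscores (_).
_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_-]*$")


def is_valid_endpoint_group_name(name: str) -> bool:
    """True when the name satisfies the OKV endpoint group naming rule."""
    return bool(_NAME_RE.fullmatch(name))


def endpoint_group_name_violations(name: str) -> list[str]:
    """Return each naming rule the candidate name breaks (empty list = valid)."""
    if not name:
        return ["name is empty"]
    violations = []
    if not ("A" <= name[0] <= "Z"):
        violations.append("must start with an uppercase letter")
    lowercase = sorted({c for c in name if "a" <= c <= "z"})
    if lowercase:
        violations.append("must be all uppercase; found lowercase: " + "".join(lowercase))
    # Anything that is neither uppercase, digit, hyphen, underscore nor an
    # already-reported lowercase letter.
    other = sorted({c for c in name
                    if not ("A" <= c <= "Z" or "0" <= c <= "9" or c in "-_")}
                   - set(lowercase))
    if other:
        violations.append("only letters, digits, hyphens and underscores are allowed; found: "
                          + repr("".join(other)))
    return violations


def suggest_endpoint_group_name(name: str) -> str:
    """Derive a rule-compliant name (hypothetical helper): uppercase the input,
    replace disallowed characters with '_', and prefix 'OKV_' when the result
    would not start with an uppercase letter."""
    candidate = re.sub(r"[^A-Z0-9_-]", "_", name.upper())
    if not candidate or not ("A" <= candidate[0] <= "Z"):
        candidate = "OKV_" + candidate
    return candidate


if __name__ == "__main__":
    for candidate in ["ACD1-PROD_GRP", "acd1 prod.grp", "1acd"]:
        print(candidate, endpoint_group_name_violations(candidate),
              "->", suggest_endpoint_group_name(candidate))
```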
Manage OKV Endpoints
Delete Oracle Key Vault Endpoints
After you terminate an ACD, you should delete the endpoints corresponding to the ACD from OKV. OKV endpoints are created at the time of ACD provisioning per ACD per cluster node. Deleting the endpoints corresponding to a terminated ACD keeps the OKV organized and helps during OKV CA certificate rotation.
Deleting an endpoint removes it permanently from Oracle Key Vault. However, security objects that were previously created or uploaded by that endpoint will remain in Oracle Key Vault. Similarly, security objects that are associated with that endpoint also remain. To permanently delete or reassign these security objects, you must be a user with the Key Administrator role or authorized to merge these objects by managing wallet privileges. The endpoint software previously downloaded at the endpoint also remains on the endpoint until the endpoint administrator removes it.
You cannot delete an endpoint that is in the PENDING state unless you are the user who created it. You must delete it on the node on which it was created. See Deleting One or More Endpoints for more details.
Re-enrolling Endpoints
Oracle Autonomous AI Database on Dedicated Exadata Infrastructure does not support re-enrolling OKV endpoints out of the box. To re-enroll OKV endpoints, you need to contact the Autonomous AI Database operations teams.