Prepare to use Oracle Key Vault with Autonomous Database on Dedicated Exadata Infrastructure

Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within the enterprise. The Oracle Key Vault is a customer-provisioned and managed system and it is not part of Oracle Cloud Infrastructure managed services. You can integrate your on-premises Oracle Key Vault (OKV) with customer-managed database cloud services to secure your critical data on-premises.

Related Topics

Prerequisites

  1. Ensure that OKV is set up and the network is accessible from the Oracle Public Cloud client network. Open ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  2. Ensure that the REST interface is enabled from the OKV user interface.
  3. Create "OKV REST Administrator" user. You can use any qualified username of your choice, for example, "okv_rest_user". For Autonomous Database on Cloud@Customer and Oracle Database Exadata Cloud at Customer, use the same or different REST users. Those databases can be key-managed in the same or different on-prem OKV clusters. Oracle Database Exadata Cloud at Customer needs REST user with create endpoint privilege. Autonomous Database on Cloud@Customer needs REST user with create endpoint and create endpoint group privileges.
  4. Gather OKV administrator credentials and IP address, which is required to connect to OKV and configure the key store. See Create a Key Store for guidance.
  5. Open the ports 443, 5695, and 5696 for egress on the client network to access the OKV server.
  6. On Oracle Public Cloud deployments, ensure OKV has network access to the Autonomous Database by setting proper network routes with VPN (Fast connect or VPN as a Service) or any VCN peering if the compute host is in another VCN.

Create a Vault in OCI Vault Service and Add a Secret to the Vault to Store OKV REST Administrator Password

Your Dedicated Exadata Infrastructure deployment communicates with OKV over REST each time an Oracle Database is provisioned to register the Oracle Database and request a wallet on OKV. Therefore, Exadata infrastructure needs access to the REST admin credentials to register with the OKV server. These credentials are stored securely in the Oracle Vault Service in OCI as a Secret and accessed by your Dedicated Exadata Infrastructure deployment only when needed. When needed, the credentials are stored in a password-protected wallet file.

Create a Dynamic Group and a Policy Statement for Key Store to Access Secret in OCI Vault

To grant your Key Store resources permission to access Secret in OCI Vault, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the Secret you created in the OCI Vaults and Secrets.

When defining the dynamic group, you identify your Key Store resources by specifying the OCID of the compartment containing your Key Store.

  • Copy the OCID of the compartment containing your Key Store resource. You can find this OCID on the Compartment Details page of the compartment.
  • Create a dynamic group by following the instructions in Managing Dynamic Groups in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:
    ALL {resource.compartment.id ='<compartment-ocid>'}

    where <compartment-ocid> is the OCID of the compartment containing your Key Store resource.

After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your vaults and secrets. Then, add a policy statement of this format:

allow dynamic-group <dynamic-group> to use secret-family in compartment <vaults-and-secrets-compartment>

where <dynamic-group> is the name of the dynamic group you created and <vaults-and-secrets-compartment> is the name of the compartment in which you created your vaults and secrets.

Create a Policy Statement for Database Service to Use Secret from OCI Vault Service

To grant the Autonomous Database service permission to use the secret in OCI Vault to log in to the OKV REST interface, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your OCI Vaults and Secrets. Then, add a policy statement of this format: 

allow service database to read secret-family in compartment <vaults-and-secrets-compartment>

where <vaults-and-secrets-compartment> is the name of the compartment in which you created your OCI Vaults and Secrets.

Once the OCI Vault is set up and the IAM configuration is in place, you are now ready to deploy your Oracle Key Vault 'Key Store' in OCI and associate it with your Dedicated Exadata VM Cluster.