Customer Managed Keys for Oracle Break Glass

By default, your Global Trade and Transportation Management environments are protected by Oracle-managed encryption keys. Subscribing to the Oracle Break Glass service gives you the customer-managed keys feature, which allows you to provide and manage the encryption keys that protect your environments. You can also purchase this option as an add-on subscription.

Global Trade and Transportation Management uses the OCI Vault service to let you create and manage the encryption keys that secure the data stored at rest in your production and non-production environments. You can set up keys either during environment creation or by adding the key to an existing environment.

Adding the System Policy to Enable Customer-Managed Keys in Your Tenancy

See Add the System Policy to Enable Customer-Managed Keys in Your Tenancy.

Note: You must add a system policy in your tenancy before you enable customer-managed keys. The contents of this system policy are different for each Oracle application service. The policy must be added before you add the vault and key to your environment. If it is not added, your environment will not complete provisioning (if the key is added during environment creation) or will not complete the maintenance cycle (if the key is added to an existing environment). The contents of this policy are documented below.

The Policy Statements required for Oracle Global Trade and Transportation Management are as follows:

define tenancy SAAS_OTMGTM as ocid1.tenancy.oc1..aaaaaaaa34ei7lxoivbmsz3rwsr5quzxtiqxstp3okmoarg7ibolesot4kvq
define dynamic-group SAAS_OTMATP_DG as ocid1.dynamicgroup.oc1..aaaaaaaaskhzsjhg5ipgmaokubqk2wlknrb77pkqesmwyb4f44k665wdbiwa
define dynamic-group SAAS_OTMOSM_DG as ocid1.dynamicgroup.oc1..aaaaaaaar527goamanknbhq6rrraspucuggu22zft7pslgdal2tlwiayf7tq
admit dynamic-group SAAS_OTMATP_DG of tenancy SAAS_OTMGTM to use vaults in tenancy
admit dynamic-group SAAS_OTMATP_DG of tenancy SAAS_OTMGTM to use keys in tenancy
admit dynamic-group SAAS_OTMOSM_DG of tenancy SAAS_OTMGTM to use vaults in tenancy
admit dynamic-group SAAS_OTMOSM_DG of tenancy SAAS_OTMGTM to use keys in tenancy

Note: You can make the policy grant specific to the compartment containing your vault/key instead of the entire tenancy.
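
The following is an added example, not Oracle's own tooling: a local text check that narrows the admit statements above from the tenancy to a single compartment and confirms that each defined dynamic group still has both the vaults and the keys grant before the policy is pasted into the tenancy. The function names and the compartment name kms-compartment are hypothetical, and the OCIDs are placeholders standing in for the values listed above.

```python
import re

DEFINE = re.compile(r"define (tenancy|dynamic-group) (\S+) as (\S+)", re.I)
ADMIT = re.compile(
    r"admit dynamic-group (\S+) of tenancy (\S+) to use (vaults|keys) "
    r"in (tenancy|compartment \S+)", re.I)

# Constructed input: same shape as the statements above, placeholder OCIDs.
TENANCY_WIDE = [
    "define tenancy SAAS_OTMGTM as ocid1.tenancy.oc1..PLACEHOLDER",
    "define dynamic-group SAAS_OTMATP_DG as ocid1.dynamicgroup.oc1..PLACEHOLDER_ATP",
    "define dynamic-group SAAS_OTMOSM_DG as ocid1.dynamicgroup.oc1..PLACEHOLDER_OSM",
] + [
    f"admit dynamic-group {dg} of tenancy SAAS_OTMGTM to use {res} in tenancy"
    for dg in ("SAAS_OTMATP_DG", "SAAS_OTMOSM_DG") for res in ("vaults", "keys")
]

def scope_to_compartment(statements, compartment):
    """Narrow every admit grant from the whole tenancy to one compartment."""
    scoped = []
    for s in (line.strip() for line in statements):
        if s.lower().startswith("admit ") and s.endswith(" in tenancy"):
            s = s[: -len("tenancy")] + f"compartment {compartment}"
        scoped.append(s)
    return scoped

def check_policy(statements):
    """Return the problems found; an empty list means every grant is present."""
    kinds, grants, problems = {}, {}, []
    for s in filter(None, (line.strip() for line in statements)):
        if m := DEFINE.fullmatch(s):
            kinds[m.group(2)] = m.group(1).lower()
        elif m := ADMIT.fullmatch(s):
            group, tenancy, resource, _scope = m.groups()
            for alias in (group, tenancy):
                if alias not in kinds:
                    problems.append(f"{alias} is used without a define statement")
            grants.setdefault(group, set()).add(resource.lower())
        else:
            problems.append(f"unrecognized statement: {s}")
    for alias, kind in kinds.items():
        if kind == "dynamic-group":  # each service group needs both grants
            for res in sorted({"vaults", "keys"} - grants.get(alias, set())):
                problems.append(f"{alias} is missing 'use {res}'")
    return problems

if __name__ == "__main__":
    scoped = scope_to_compartment(TENANCY_WIDE, "kms-compartment")  # hypothetical name
    print("\n".join(scoped))
    print(check_policy(scoped) or "policy grants complete")
```

The check only inspects the statement text; it does not contact OCI or confirm that the compartment exists.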

Refer to the Customer Managed Keys for Oracle Break Glass documentation for more details on managing the Encryption Keys for your environments.