1. Administrator's Guide
  2. Oracle Key Vault Installation and Configuration

4 Oracle Key Vault Installation and Configuration

Installing Oracle Key Vault entails ensuring that the environment meets the necessary requirements before you begin the installation and configuration.

4.1 About Oracle Key Vault Installation and Configuration

Oracle Key Vault is a software appliance that is delivered as an ISO image.

The software appliance consists of a pre-configured operating system, an Oracle database, and the Oracle Key Vault application. You must install Oracle Key Vault onto its own dedicated server.

Parent topic: Oracle Key Vault Installation and Configuration

4.2 Oracle Key Vault Installation Requirements

The Oracle Key Vault installation requirements cover system requirements such as CPU, memory, disk space, network interfaces, and supported endpoint platforms.

Parent topic: Oracle Key Vault Installation and Configuration

4.2.1 System Requirements

System requirements include CPU, memory, disk, network interface, hardware compatibility, and RESTful services client.

The Oracle Key Vault installation removes existing software on a server.

Deployment on virtual machines is not recommended for production systems. However, virtual machines are useful for testing and proof of concept purposes.

The minimum hardware requirements for deploying the Oracle Key Vault software appliance are:

  • CPU: Minimum: x86-64 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AESNI).

  • Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.

  • Disk: Minimum 2 TB. Recommended: 4 TB.

  • Network interface: One network interface.

  • Hardware Compatibility: Refer to the hardware compatibility list (HCL) for Oracle Linux Release 6 Update 10 at the link in the Related Topics section.

    Note:

    You can find the supported hardware from the hardware certification list for Oracle Linux and Oracle VM. Filter the results by selecting All Operating Systems and choosing Oracle Linux 6.10.

    Oracle Key Vault release 18.1 supports both Legacy BIOS and UEFI BIOS boot modes. The support for UEFI BIOS mode allows the installation of Oracle Key Vault on servers that exclusively support UEFI BIOS only, such as Oracle X7-2 Server. Oracle Key Vault can be installed on Oracle X7–2 servers as a standalone server, a primary-standby configuration, or a multi-master cluster configuration.

  • RESTful Services Client: If RESTful Services are enabled, then each endpoint that connects to the Oracle Key Vault management console must have at least Java 1.7.0.21 installed.

    The REST API requires the cURL utility. Ensure that you have installed a cURL version that supports Transport Layer Security (TLS) 1.2 or later on the endpoint before using the REST API to provision endpoints.

Note:

For deployment with a large number of endpoints, the hardware requirement may need to scale to meet the workload.

Related Topics

Parent topic: Oracle Key Vault Installation Requirements

4.2.2 Network Port Requirements

Network port requirements includes requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.

Oracle Key Vault and its endpoints use a set of specific ports for communication. Network administrators must ensure that these ports are open in the network firewall.

The following table lists the required network ports for Oracle Key Vault:

Table 4-1 Ports Required for Oracle Key Vault

Port Number Protocol Descriptions

22

SSH/SCP port

Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault

161

SNMP port

Used by monitoring software to poll Oracle Key Vault for system information

443 or 5695

HTTPS port

Used by web clients such as browsers and RESTful Services to communicate with Oracle Key Vault

1522

Database TCPS listener port

Listener port used in a primary-standby configuration by Oracle Data Guard to communicate between the primary and standby server

7443

Database TCPS listener port

Listener port used in a primary-standby configuration to run OS commands like synchronizing wallets and configuration files through HTTPS. This port is also used when you add a new node to a cluster.

5696

KMIP port

Used by Oracle Key Vault endpoints and third party KMIP clients to communicate with the Oracle Key Vault KMIP Server

7093

TCP port

Used by Oracle GoldenGate for transmitting data in a Multi-Master Cluster configuration.

Parent topic: Oracle Key Vault Installation Requirements

4.2.3 Supported Endpoint Platforms

Oracle Key Vault supports both UNIX and Windows endpoint platforms.

Oracle supports both 32-bit and 64-bit Linux endpoints. However, only 64-bit endpoints are supported for Oracle databases that use the online master key. The operating systems on which the endpoint runs must be compatible with Transport Layer Security (TLS) 1.2, either directly or with appropriate patches.

The supported endpoint platforms in this release are as follows:

  • Oracle Linux (6 and 7)

  • Oracle Solaris (10 and 11)

  • Oracle Solaris Sparc (10 and 11)

  • RHEL 6 and 7

  • IBM AIX (6.1, and 7.1) and AIX 5.3 in a limited capacity

  • HP-UX (IA) (11.31)

  • Windows Server 2008

  • Windows Server 2012

Parent topic: Oracle Key Vault Installation Requirements

4.2.4 Endpoint Database Requirements

For endpoints, Oracle Key Vault supports Oracle Database release 10 and later.

Administrators who manage endpoints that are Oracle Database 10g release 2 and later can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault. Administrators who manage endpoints that are Oracle Database 11g release 2 and later can use the online master key to manage TDE master encryption keys.

Administrators who manage endpoints that are Oracle Database may need to set the COMPATIBLE initialization parameter.

For an endpoint that is Oracle Database release 11.2 or 12.1, set the COMPATIBLE initialization parameter to 11.2.0.0 or later. For example: 

SQL> ALTER SYSTEM SET COMPATIBLE = 11.2.0.0 SCOPE=SPFILE;

This applies to an Oracle Database endpoint that use the online master key to manage TDE master encryption keys. This compatibility mode setting is not required for Oracle wallet upload or download operations.

Also note that after setting the COMPATIBLE parameter to 11.2.0.0, you cannot set it to a lower value such as 10.2. After you set the COMPATIBLE parameter, you must restart the database.

Related Topics

Parent topic: Oracle Key Vault Installation Requirements

4.3 Installing and Configuring Oracle Key Vault

You must download the Oracle Key Vault application software, and then you can perform the installation.

Parent topic: Oracle Key Vault Installation and Configuration

4.3.1 Downloading the Oracle Key Vault Appliance Software

You can download executables for both a fresh Oracle Key Vault installation or an upgrade.

For a fresh installation, you can download the Oracle Key Vault appliance software from Software Delivery Cloud. You cannot use this package to upgrade Oracle Key Vault. For an upgrade, you can download the Oracle Key Vault upgrade software from the My Oracle Support website.

  1. Use a web browser to access the Oracle Software Delivery Cloud portal:
  2. Click Sign In, and if prompted, enter your User ID and Password.
  3. In the All Categories menu, select Release. In the next field, enter Oracle Key Vault and then click Search.
  4. From the list that is displayed, select Oracle Key Vault 18.1.0.0.0 or click the +Add to Cart button next to the Oracle Key Vault 18.1.0.0.0.
    The download is added to your cart. (To check the cart contents, click View Cart in the upper right of the screen.)
  5. Click Checkout.
  6. On the next page, verify the details of the installation package, and then click Continue.
  7. In the Oracle Standard Terms and Restrictions page, select I have reviewed and accept the terms of the Commercial License, Special Programs License, and/or Trial License, and click Continue.

    The download page appears, which lists the following Oracle Key Vault ISO files:

    • Vpart_number.iso (Oracle Key Vault 18.1.0.0.0 - Disc 1)

    • Vpart_number.iso (Oracle Key Vault 18.1.0.0.0 - Disc 2)

  8. To the right of the Print button, click View Digest Details.

    The listing for the two ISO files expands to display the SHA-1 and SHA-256 checksum reference numbers for each ISO file.

  9. Copy the SHA-256 checksum reference numbers and store them for later reference.
  10. Click Download and select a location to save the ISO files. 
    You can save each file individually by clicking its name and then specifying a location for the download.
  11. Click Save.

    The combined size of both ISO files exceeds 4 GB, and will take time to download, depending on the network speed. The estimated download time and speed are displayed in the File Download dialog box.

  12. After the ISO files are downloaded to the specified location, verify the SHA-256 checksums of the downloaded files:
    1. Generate a SHA256 checksum for the first Vpart_number.iso:
      $ sha256sum Vpart_number.iso

      Ensure that the checksum matches the value that you copied from the File Download dialog box in 9.

    2. Generate a SHA-256 checksum for the second Vpart_number.iso:
      $ sha256sum Vpart_number.iso

      Ensure that the checksum matches the value that you copied from the File Download dialog box in 9.

  13. Burn each of the two Vpart_number.iso files to a DVD-ROM disc and then label the discs:

    • OKV Disc 1

    • OKV Disc 2

You can now install Oracle Key Vault on the server.

Parent topic: Installing and Configuring Oracle Key Vault

4.3.2 Installing the Oracle Key Vault Appliance Software

The Oracle Key Vault installation process installs all the required software components onto a dedicated server.

The installation process may take from 30 minutes or longer to complete, depending on the server resources where you are installing Oracle Key Vault.

Caution:

The Oracle Key Vault installation wipes the server and installs a customized Oracle Linux 6 Update 10. The installation erases existing software and data on the server.

  • Ensure that the server meets the recommended requirements.

  • Request a fixed IP address, network mask, and gateway address from your network administrator for the dedicated server. You will need this information to configure the network.

To install the Oracle Key Vault appliance:

  1. Insert OKV Disc 1 into the DVD drive and then restart the computer.

    The installation starts, and the initial screen appears.

    Description of installation_01_180000.png follows
    Description of the illustration installation_01_180000.png

  2. Using the up and down arrow keys, select the desired installation option or the option to perform a memory test, and then press Enter.

    Choosing Install with FIPS Mode enabled (wipes system) automatically enables FIPS mode on the system.

    The installation begins and after several minutes, the message Please insert disc 2 is displayed.

  3. Insert OKV Disc 2 into the DVD drive, and then press Enter.

    The installation proceeds and after some time the message Please insert disc 1 is displayed.

  4. Insert OKV Disc 1 into the DVD drive, and press Enter.
    The installation proceeds and after some time the message Please enter installation passphrase is displayed.

    Description of installation_02_bp5.png follows
    Description of the illustration installation_02_bp5.png

    The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, number, and special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.

    It is important to store the installation passphrase securely. You will need it later to authenticate yourself at the Oracle Key Vault management console, complete the post-installation tasks, and add nodes in a multi-master cluster.

  5. Enter the installation passphrase, and then press Enter.
  6. Confirm the installation passphrase, and then press Enter.
    The message Installation passphrase was successfully configured is displayed. Press Enter. The Select Network Interface screen is displayed.

    Description of installation_03_bp5.png follows
    Description of the illustration installation_03_bp5.png

  7. Select the interface and press Enter. If more than one network interface is available, select the interface that you want to serve as the management interface, and to communicate with endpoints.
    The Network Selection Interface screen is displayed.

    Description of installation_04_bp5.png follows
    Description of the illustration installation_04_bp5.png

  8. Press Enter.
    The IP Address Setting for Management Interface Screen is displayed.

    Description of installation_05_bp5.png follows
    Description of the illustration installation_05_bp5.png

  9. Enter the fixed IP address, network mask, and gateway address you received from your network administrator. Select Reboot to complete installation and press Enter.

    The installer installs and configures the operating system, database, and Oracle Key Vault on the server to make it a self-contained hardened appliance. The installation and configuration process can take between 30 minutes or longer.

    If the installation completed successfully, the Oracle Key Vault Server <Release Number> screen appears.

    Description of installation_02_18100.png follows
    Description of the illustration installation_02_18100.png

  10. Select Display Appliance Info and press Enter to see the IP address settings for the appliance. Make a note of the IP address of the appliance. You will need it to log into the browser-based management console of Oracle Key Vault.

    If you need to correct the IP Address, network mask, or the IP gateway for any reason, then you can select Change IP Settings and enter the new IP settings.

    Select Set User Passwords to set the root and support user passwords. You can also set the root and support user passwords when performing the post-installation tasks, but be aware that after you set these passwords, you can only change them by using Secure Shell (SSH) on the computer on which these passwords were created.

    You have the option to change the installation passphrase by selecting Change Installation Passphrase. For more information about changing the installation passphrase, see Change the Installation Passphrase.

    Note:

    You will need to enter the old installation passphrase in order to update the installation passphrase.

    Make a note of the installation passphrase. You will need it to log into the management console for the first time, in order to complete the post-installation tasks.

Parent topic: Installing and Configuring Oracle Key Vault

4.3.3 Performing Post-Installation Tasks

After you install Oracle Key Vault, you must complete a set of post-installation tasks.

These tasks include configuring the administrative user accounts and passwords for recovery, and operating system accounts and passwords for root and support.

  1. Use a web browser to connect to the Oracle Key Vault server.

    To connect in to an Oracle Key Vault server whose IP address is 192.0.2.254, enter the following in the address bar:

    https://192.0.2.254

  2. If the web browser displays a security warning message stating that you are connecting to a website with an untrusted or self-signed security certificate, accept the security warning message and proceed to connect to the Oracle Key Vault server.

    This message is only temporary. When you configure third-party certificates, this message will no longer appear. After completing the post-installation tasks, you can upload a custom certificate or certificate chain that is trusted by the browser, so that you can connect to the Oracle Key Vault server without encountering the security warning message. For more information about uploading a custom certificate, see Managing Third-Party Certificates.

  3. The Installation Passphrase screen is displayed.

    Description of install_passphrase.png follows
    Description of the illustration install_passphrase.png

    The Installation Passphrase screen is displayed when you connect to the Oracle Key Vault server for the first time, in order to complete the post-installation tasks. After you complete the post-installation tasks, the Oracle Key Vault login screen is displayed when you access the Oracle Key Vault management console through the web browser.

  4. Enter the installation passphrase.

    The Post-Install Configuration screen is displayed.

    Description of screenshot-install-configuration.png follows
    Description of the illustration screenshot-install-configuration.png

  5. In the User Setup pane, create three administrative user accounts for the Key Administrator, System Administrator, and Audit Manager.

    Description of installation_configuration-user_setup.png follows
    Description of the illustration installation_configuration-user_setup.png

    In the User Setup section:

    • Enter the user name and password, the full name (optional), and email (optional) for each administrative user account.

      Note that the passwords are one-time use passwords which must be changed when the user logs in the first time.

    • Ideally, create a different user account for each of these administrative roles for a strict separation of duties, or combine roles as necessary.

    • Ensure that passwords have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, number, and one special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.

  6. In the Recovery Passphrase section, create the recovery password.

    Description of installation_configuration-recovery_passphrase.png follows
    Description of the illustration installation_configuration-recovery_passphrase.png

    The recovery passphrase has the same minimum requirements as user passwords. For greater security, Oracle recommends that you make the recovery passphrase longer and more complex. Because this is a critical password, you must properly secure and safeguard the recovery password. The recovery password is required in the following scenarios:

    • In an emergency, when there are no administrative users available to access Oracle Key Vault

    • To restore Oracle Key Vault data from a backup

    • To reset the recovery password

    • Induct a new node into a multi-master cluster

    • To configure a hardware security module (HSM)

    Caution:

    It is important to establish a secure process for the storage and retrieval of the recovery passphrase, including older recovery passphrases. The only way to recover from a lost recovery passphrase is to re-install Key Vault.
  7. Set the root and support user passwords if you did not set the passwords using the Set User Passwords option on the Oracle Key Vault Server screen in the previous procedure, Installing the Oracle Key Vault Appliance Software.

    Description of installation_configuration-root_support_user_passwords.png follows
    Description of the illustration installation_configuration-root_support_user_passwords.png

    The root password is the super user account for the operating system hosting Oracle Key Vault. You will need the support password to log into Oracle Key Vault remotely using the SSH protocol.

    Caution:

    Keep the root and support user passwords safe because these passwords are set during post-installation only. After post-installation you cannot change them from the Oracle Key Vault management console.

    The Time Setup and DNS Setup settings are optional at this stage. The System Administrator can configure these later on.

  8. Click Save in the upper right corner of the Post-Install Configuration screen.

    The Oracle Key Vault management console login screen is displayed.

    Description of ep_enroll_sw_dwnload.png follows
    Description of the illustration ep_enroll_sw_dwnload.png

You can now log in to the Oracle Key Vault management console with the credentials of any of the user accounts that were created during the post-installation process.

Related Topics

Parent topic: Installing and Configuring Oracle Key Vault

4.4 Logging In to the Oracle Key Vault Management Console

To use Oracle Key Vault, you can log in to the Oracle Key Vault management console.

  1. Open a web browser.
  2. Connect using an HTTPS connection and the IP address of Oracle Key Vault.

    For example, to log in to a server whose IP address is 192.0.2.254, enter:

    https://192.0.2.254

  3. After the login screen appears, enter your user name and password.
  4. Click Login.

Parent topic: Oracle Key Vault Installation and Configuration

4.5 Upgrading the Oracle Key Vault Server Software

The upgrade includes the Oracle Key Vault server software and utilities that control the associated endpoint software.

Parent topic: Oracle Key Vault Installation and Configuration

4.5.1 About Upgrading the Oracle Key Vault Server Software

When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.

However, the endpoint software downloaded from the previous Oracle Key Vault release will continue to function with the upgraded Oracle Key Vault server.

You must upgrade in the order shown: first perform a full backup of Oracle Key Vault, upgrade the Oracle Key Vault server or server pair in the case of a primary-standby deployment, the endpoint software, and last, perform another full backup of the upgraded server. Note that upgrading requires a restart of the Oracle Key Vault server.

The Oracle Key Vault server is not available to endpoints for a limited duration during the upgrade. You can enable the persistent cache feature to enable endpoints to continue operation during the upgrade process.

Before you begin the upgrade, refer to Oracle Key Vault Release Notes for additional information about performing upgrades.

Related Topics

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.2 Step 1: Back Up the Server Before You Upgrade

Before you upgrade the Oracle Key Vault server, back up this server so that you can recover data in case the upgrade fails.

Caution:

Do not bypass this step. Back up the server before you perform the upgrade so that your data is safe and recoverable.

Related Topics

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.3 Step 2: Perform Pre-Upgrade Tasks

To ensure a smooth upgrade to Oracle Key Vault, you should prepare the server you are upgrading.

  • Use SSH to log in to the server where Oracle Key Vault is installed.
  • Ensure that the server meets the minimum disk space requirement for an upgrade. If the /usr/local/dbfw/tmp directory does not have sufficient free space, then delete any diagnostics .zip files that maybe stored in that directory.
  • To increase available disk space, remove the temporary jar files located in /usr/local/okv/ssl.
  • Ensure that no full or incremental backup jobs are running. Delete all scheduled full or incremental backup jobs before the upgrade.
  • Plan for downtime according to the following specifications:
    Oracle Key Vault Usage Downtime required

    Wallet upload or download

    NO

    Java Keystore upload or download

    NO

    Transparent Data Encryption (TDE) direct connect

    YES (NO with persistent cache)

    Primary Server Upgrade in a primary-standby deployment

    YES (NO with persistent cache)
  • Plan for downtimes:
    • If Oracle Key Vault uses an online master key, then plan for a downtime of 15 minutes during the Oracle Database endpoint software upgrades. Database endpoints can be upgraded in parallel to reduce total downtime.
    • For a primary server upgrade in a primary-standby deployment, plan for a downtime of a few hours. The persistent cache allows you to upgrade Oracle Key Vault servers without database downtime. The default duration of the persistent cache from the moment the Oracle Key Vault server becomes unavailable is 1,440 minutes (one day).
  • Set the $OKV_HOME to the location where endpoint is installed so that the upgrade process for the endpoint software can complete successfully.

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.4 Step 3: Upgrade the Oracle Key Vault Server or Server Pair

You can upgrade a standalone Oracle Key Vault server or a pair of Oracle Key Vault servers in a primary-standby deployment.

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.4.1 About Upgrading an Oracle Key Vault Server or Server Pair

You can deploy Oracle Key Vault as a standalone server in test and development environments or in a primary-standby configuration in production environments.

In a standalone deployment you must upgrade a single Oracle Key Vault server, but in a primary-standby deployment you must upgrade both primary and standby Oracle Key Vault servers. Note that persistent caching enables endpoints to continue to be operational during the upgrade process.

Note:

If you are upgrading from a system with 4 GB memory, first add an additional 12 GB memory to the system before upgrading.
4.5.4.2 Upgrading a Standalone Oracle Key Vault Server

A single Oracle Key Vault server in a standalone deployment is the most typical deployment in test and development environments.

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Do not proceed without completing this step.
  2. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  3. Ensure that SSH access is enabled by logging into the Oracle Key Vault management console, selecting System Settings, then Network Services, and SSH Access.
  4. Ensure you have enough space in the destination directory for the upgrade ISO files.
  5. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
  6. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
    scp remote_host:remote_path/okv-upgrade-disc-18.1.0.0.0.iso /var/lib/oracle/<destination_directory where you are copying the iso file to>

    In this specification:

    • remote_host is the IP address of the computer containing the ISO upgrade file
    • remote_path is the directory of the ISO upgrade file
  7. Make the upgrade accessible by using the mount command:
    root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-18.1.0.0.0.iso /images
  8. Clear the cache using the clean all command:
    root# yum -c /images/upgrade.repo clean all
  9. Apply the upgrade with upgrade.rb command:
    root# /usr/bin/ruby /images/upgrade.rb --confirm

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes.

    If you see an error message, then check the log file /var/log/messages for additional information.

  10. Restart the Oracle Key Vault server by running reboot command:
    root# /sbin/reboot

    On the first restart of the computer after the upgrade, the system will apply the neceessary changes. This can take a few hours. Do not shut down the system during this time.

    The upgrade is completed when the screen with heading: Oracle Key Vault Server 18.1.0.0.0 appears. The revision should reflect the upgraded release. Following the heading appears the menu item Display Appliance Info. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.

  11. Confirm that Oracle Key Vault has been upgraded to the correct version.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select Status.
    3. Verify that the version displayed is 18.1.0.0.0.
      The release number is also at the bottom of each page, to the right of the copyright information.
4.5.4.3 Upgrading a Pair of Oracle Key Vault Servers in a Primary-Standby Deployment

You should allocate several hours to upgrade the primary server after upgrading the standby.

You must the upgrade standby and primary servers in one session with as little time between the standby and primary upgrade. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.
  1. Prepare for the upgrade.

    • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

    • Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.

    • Ensure that both the primary and standby systems have 8 GB memory.

  2. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Ensure that in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, that no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), since these new keys will not included in the backup.
    Do not proceed without completing this step.
  3. First, upgrade the standby server while the primary server is running.

    Follow Step 2 through to Step 10 of the standalone mode upgrade process.

  4. Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
  5. Upgrade the primary Oracle Key Vault server following Steps 1-10 of the standalone mode upgrade.

    After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.

  6. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  7. Select the System tab, and then Status.
  8. Verify that the Version field displays the new software version 18.1.0.0.0.

4.5.5 Step 4: Upgrade the Endpoint Software

As part of the upgrade, you must reenroll endpoints created in earlier releases of Oracle Key Vault, or update the endpoint software.

If you are upgrading from an earlier release to Oracle Key Vault release 18.1 or later, then you need to reenroll the endpoint instead of upgrading the endpoint software. Reenrolling the endpoint automatically updates the endpoint software.

  1. Ensure that you have upgraded the Oracle Key Vault servers. If you are upgrading the endpoint software for an Oracle database configured for direct-connect, then shut down the database.

  2. Download the endpoint software (okvclient.jar) for your platform from the Oracle Key Vault server as follows:

    1. Go to the Oracle Key Vault management console login screen.

    2. Click the Endpoint Enrollment and Software Download link.

    3. In the Download Endpoint Software Only section, select the appropriate platform from the drop-down list.

    4. Click the Download button.

  3. Identify the path to your existing endpoint installation that you are about to upgrade (for example, /home/oracle/okvutil).

  4. Install the endpoint software by executing the following command:

    java -jar okvclient.jar -d existing_endpoint_directory_path

    For example: 

    java -jar okvclient.jar -d /home/oracle/okvutil
  5. Install the updated PKCS#11 library file.

    This step is needed only for online TDE master encryption key management by Oracle Key Vault.

    • On UNIX/Linux platforms: Run root.sh from the bin directory of endpoint installation directory to copy the latest liborapkcs.so file for Oracle Database endpoints.
      $ sudo $OKV_HOME/bin/root.sh

      Or

      $ su -
# bin/root.sh
    • On Windows platforms: Run root.bat from the bin directory of endpoint installation directory to copy the latest liborapkcs.dll file for Oracle Database endpoints. You will be prompted for the version of the database in use.
      bin\root.bat

  6. Restart the endpoint if it was shut down.

Related Topics

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.6 Step 5: If Necessary, Remove Old Kernels

Oracle recommends that you clean up the older kernels that were left behind after the upgrade.

While the older kernel is not in use, it may be marked as an issue by some code analysis tools.
  1. Log in to the Oracle Key Vault server as the support user.
  2. Switch to the root user.
    su -
  3. Mount /boot if it was not mounted on the system.
    1. Check if the /boot is mounted. The following command should display /boot information if it was mounted.
      df -h /boot;
    2. Mount it if /boot is not mounted.
      mount /boot;
  4. Check the installed kernels and the running kernel.
    1. Search for any kernels that are installed. 
      rpm -q kernel-uek | sort;

      The following example output shows that two kernels are installed:

      kernel-uek-4.1.12-103.9.4.el6uek.x86_64
kernel-uek-4.1.12-112.16.7.el6uek.x86_64
    2. Check the latest kernel. 
      uname -r;

      The following output shows an example of a kernel version that was installed at the time:

      4.1.12-112.16.7.el6uek.x86_64

      This example assumes that 4.1.12-112.16.7.el6uek.x86_64 is the latest version, but newer versions may be available by now. Based on this output, you will need to remove the kernel-uek-4.1.12-103.9.4.el6uek.x86_64 kernel. You should remove all kernels that are older than the latest kernel.

  5. Remove the older kernel and its associated RPMs.

    For example, to remove the kernel-uek-4.1.12-103.9.4.el6uek.x86_64 kernel: 

    yum --disablerepo=* remove `rpm -qa | grep 4.1.12-103.9.4.el6uek`;

    Output similar to the following appears: 

    Loaded plugins: security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package kernel-uek.x86_64 0:4.1.12-103.9.4.el6uek will be erased
---> Package kernel-uek-devel.x86_64 0:4.1.12-103.9.4.el6uek will be erased
---> Package kernel-uek-firmware.noarch 0:4.1.12-103.9.4.el6uek will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================================
 Package                                      Arch                            Version                                        Repository                                                                    Size
================================================================================================================================================================================================================
Removing:
 kernel-uek                                   x86_64                          4.1.12-103.9.4.el6uek                          @anaconda-OracleLinuxServer-201410181705.x86_64/6.6                          241 M
 kernel-uek-devel                             x86_64                          4.1.12-103.9.4.el6uek                          @anaconda-OracleLinuxServer-201410181705.x86_64/6.6                           38 M
 kernel-uek-firmware                          noarch                          4.1.12-103.9.4.el6uek                          @anaconda-OracleLinuxServer-201410181705.x86_64/6.6                          2.9 M

Transaction Summary
================================================================================================================================================================================================================
Remove        3 Package(s)

Installed size: 282 M
Is this ok [y/N]:
  6. Enter y to accept the deletion output.
  7. Repeat these steps starting with Step 4 for all kernels that are older than the latest kernel.

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.7 Step 6: If Necessary, Add Disk Space to Extend Swap Space

If you upgraded from an earlier release, you should extend swap space to accommodate the new Oracle Key Vault software.

By default, Oracle Key Vault releases earlier than release 18.1 were installed with approximately 4 GB of disk space. After you complete the upgrade to release 18.1, Oracle recommends that you increase the swap space allocation for the server on which you upgraded Oracle Key Vault. A new Oracle Key Vault installation is automatically configured with sufficient swap space. However, if you upgraded from a previous release, then you must manually add disk space to extend the swap space, particularly if the intention is to convert the upgraded server into the first node of a multi-master cluster.
  1. Log in to the server in which you upgraded Oracle Key Vault and connect as root.
  2. Check the current amount of swap space. 
    [root@my_okv_server support]# swapon -s

    Output similar to the following appears. This example shows that the system has 4 GB of swap space.

    Filename Type Size Used Priority
/dev/dm-0 partition 4194300 3368 -1
  3. Check the amount of space on the system by executing the vgdisplay and vgs commands.
    1. Run the vgdisplay command.
      [root@my_okv_server support]# vgdisplay

      Output similar to the following appears. Note the values that are displayed after Alloc PE and Free PE (in bold). 

      --- Volume group ---
VG Name vg_root
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 17
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 12
Open LV 12
Max PV 0
Cur PV 1
Act PV 1
VG Size 2048.78 GiB
PE Size 32.00 MiB
Alloc PE / Size 7289 / 2027.78 GiB
Free PE / Size 672 / 21.00 GiB
VG UUID HGesFT-0JiY-C47e-kuVn-yzZ0-Htlw-KnUni0
    2. Run the vgs command. 
      [root@my_okv_server support]# vgs

      Output similar to the following appears.

      VG #PV #LV #SN Attr VSize VFree
vg_root 1 12 0 wz--n- 2048.78g 21.00g
  4. Follow these guidelines to determine if you need more swap space:
    • If the hard disk is equal to or greater than 1 TB in size, then you should have approximately 64 GB of swap space.
    • If the hard disk is less than 1 TB in size, then you should have approximately 20 to 25 percent of hard disk space set aside for swap space.

    If you need more swap space, then complete the rest of the steps in this procedure.

  5. Shut down the Oracle Key Vault system server.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select System Settings.
    3. Click the Power Off button.
    After you shut down the Oracle Key Vault server, you can add a new disk if needed, and then power the server back on.
  6. Run the fdisk -l to find if there are any available partitions on the new disk.
    At this stage, there should be no available partitions.
  7. Run the fdisk disk_device_to_be_added command to create the new partition.
    For example, to create a disk device named /dev/sdb:
    fdisk /dev/sdb

    In the prompts that appear, enter the following commands in sequence:

    n for new partition

    p for primary

    1 for partition number

    Accept the default values for cylinder (press Enter twice)

    w to write and exit

  8. Use the pvcreate disk_device_partition command to add the newly added disk to the physical volume.
    For example, for a disk device named /dev/sdb1, which is the name of the partition on that disk to be created (based on the name used for the disk device that was added).
    [root@my_okv_server support]# pvcreate /dev/sdb1

    Output similar to the following appears:

    Physical volume "/dev/sdb1" successfully created
  9. Extend the logical volume with this disk space that you just added:
    [root@my_okv_server support]# vgextend vg_root /dev/sdb1

    Output similar to the following appears. 

    Volume group "vg_root" successfully extended
  10. Check that the disk space has been successfully extended by running the vgdisplay and vgs commands again. 
    [root@my_okv_server support]# vgdisplay
 --- Volume group ---
 VG Name vg_root
 System ID
 Format lvm2
 Metadata Areas 2
 Metadata Sequence No 18
 VG Access read/write
 VG Status resizable
 MAX LV 0
 Cur LV 12
 Open LV 11
 Max PV 0
 Cur PV 2
 Act PV 2
 VG Size 328.75 GiB
 PE Size 32.00 MiB
 Total PE 10520
 Alloc PE / Size 7289 / 227.78 GiB
 Free PE / Size 3231 / 100.97 GiB
 VG UUID GeaZEb-Fivt-fFCv-i60c-x598-04Ot-J3GmEF

[root@my_okv_server support]# vgs
 VG #PV #LV #SN Attr VSize VFree
 vg_root 2 12 0 wz--n- 328.75g 100.97g

    This output indicates that the space allocation has increased after you added the new disk.

  11. Disable swapping. 
    [root@my_okv_server support]# swapoff -v /dev/vg_root/lv_swap
  12. To extend the swap space, run the lvresize command. 
    [root@my_okv_server support]# lvresize -L +60G /dev/vg_root/lv_swap

    Output similar to the following appears:

    Size of logical volume vg_root/lv_swap changed from 4.00 GiB (128 extents) to 64.00 GiB (2048 extents
Logical volume lv_swap successfully resized.
  13. Format the newly added swap space.
    [root@my_okv_server support]# mkswap /dev/vg_root/lv_swap

    Output similar to the following appears:

    mkswap: /dev/vg_root/lv_swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 67108860 KiB
no label, UUID=fea7fc72-0fea-43a3-8e5d-e29955d46891
  14. Enable swapping again. 
    [root@my_okv_server support]# swapon -v /dev/vg_root/lv_swap
  15. Verify the amount of swap space that is available.
    [root@my_okv_server support]# swapon -s

    Output similar to the following appears.

    Filename Type Size Used Priority

/dev/dm-0 partition 67108860 0 -1
  16. Restart the Oracle Key Vault server.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select System Settings.
    3. Click the Reboot button.

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.8 Step 7: If Necessary, Remove SSH-Related DSA Keys

You should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Enable SSH.
    1. Select System, then System Settings from the left sidebar.
    2. Under Network Services, select All for SSH Access.
    3. Restart the Oracle Key Vault server by clicking the Reboot button on the top right.
  3. Login to the Oracle Key Vault support account using SSH.
    ssh support@OracleKeyVault_serverIPaddress
  4. Switch to the root user.
    su -
  5. Change directory to /etc/ssh.
    cd /etc/ssh
  6. Rename the following keys. 
    mv ssh_host_dsa_key.pub ssh_host_dsa_key.pub.retire
mv ssh_host_dsa_key ssh_host_dsa_key.retire

Parent topic: Upgrading the Oracle Key Vault Server Software

4.5.9 Step 8: Back Up the Upgraded Oracle Key Vault Server

You must perform server backup and user password tasks after completing a successful upgrade.

  • Take a full backup of the upgraded Oracle Key Vault Server Database to a new remote destination. Avoid using the old backup destination for the new backups.

  • Schedule a new periodic incremental backup to the new destination defined in the step above.

  • Password hashing has been upgraded to a more secure standard than in earlier releases. This change affects the operating system passwords, support and root. You must change Oracle Key Vault administrative passwords after the upgrade to take advantage of the more secure hash.

Related Topics

Parent topic: Upgrading the Oracle Key Vault Server Software

4.6 Overview of the Oracle Key Vault Management Console

The Oracle Key Vault management console provides a graphical user interface for System Administrators, Key Administrators, and Audit Managers.

The Oracle Key Vault management console is a browser-based console that connects to the server using the https secure communication channel. It provides the graphical user interface for Oracle Key Vault, where users can perform tasks such as the following:

  • Setting up and managing the cluster

  • Creating and managing users, endpoints, and their respective groups

  • Creating and managing virtual wallets and security objects

  • Setting system settings, like network and other services

  • Setting up primary-standby

  • Performing backups

Parent topic: Oracle Key Vault Installation and Configuration

4.7 Performing Actions and Searches

The Oracle Key Vault management console enables you to perform standard actions and search operations, as well as get help information.

Many of the tab and menu pages contain an Actions menu or Search bars that allow you to search and perform actions on lists and the results of searches. The Help selection of the Actions list provides detailed help for using these features.

  • Actions Menus
    The actions available from an Actions drop-down menu can vary but typically include a set of standard menu items.
  • Search Bars
    Along with Actions menus, many tabs in the Oracle Key Vault management console contain search bars.

Parent topic: Oracle Key Vault Installation and Configuration

4.7.1 Actions Menus

The actions available from an Actions drop-down menu can vary but typically include a set of standard menu items.

These items are as follows:

  • Select Columns: Select which column should be displayed.

  • Filter: Filter by column or row and a user-defined expression.

  • Rows Per Page: Choose how many rows you want to view .

  • Format: Choose formatting such as Sort, Control Break, Highlight, Compute, Aggregate, Chart, and Group By.

  • Save Report: Save reports.

  • Reset: Reset the report settings, removing any customizations.

  • Help: Get information about these actions.

  • Download: Download the result set in CSV or HTML.

Parent topic: Performing Actions and Searches

4.7.2 Search Bars

Along with Actions menus, many tabs in the Oracle Key Vault management console contain search bars.

This demonstration searches for endpoints, but the process is the same for other searches, except that the column headings are different. Wildcard characters are not supported, but the search does match any letter or phrase that you enter. You can use the Filter menu item under Actions to further fine-tune the search.
  1. Enter a name or other identifier in the search field or (optionally) place your cursor on the magnifying icon in the Search bar to select one of the table headings (in this case, All Columns, Endpoint Name, Endpoint Type, Description, Platform, Status, Enrollment Token, and Alert) and then enter a search term.
  2. Click Go.

    A new endpoint list appears, displaying the endpoints that meet the search criteria. A filter icon (a funnel) indicates that a search has been performed and displays the search criteria.

  3. You can select or deselect the filter icon to disable search and view the entire list.

Parent topic: Performing Actions and Searches