14 Oracle Key Vault General System Administration

General system administration refers to system management tasks for the Oracle Key Vault system, such as configuring network details and services.

14.1 Overview of Oracle Key Vault General System Administration

System administrators can perform most general administration tasks in the Oracle Key Vault management console, including finding the current status of the overall system.

14.1.1 About Oracle Key Vault General System Administration

System administrators configure the Oracle Key Vault system settings.

The Oracle Key Vault system settings include administration, local and remote monitoring, email notification, backup and recovery operations, and auditing. You must have the appropriate role for performing these tasks. Users who have the System Administrator role can perform most of the administrative tasks, and users with the Audit Manager role can configure audit settings and export audit records. In most cases, you will perform these tasks in the Oracle Key Vault management console.

To quickly find information about the current status of the Oracle Key Vault system, you can view the Oracle Key Vault dashboard.

14.1.2 Viewing the Oracle Key Vault Dashboard

The dashboard presents the current status of the Oracle Key Vault at a high level and is visible to all users.

The Home tab of the management console displays the dashboard when you log into the management console.

Alerts and Managed Content are the first sections you will see on logging in.

Figure 14-1 Alerts and Managed Content Panes

The Data Interval, Operations, Endpoint Activity, and User Activity panes of the Home page follow Alerts and Managed Content.

Figure 14-2 Data Interval, Operations, Endpoint Activity, and User Activity Panes

14.1.3 Using the Status Panes in the Dashboard

The status panes on the dashboard provide useful high-level information, such as links to alerts and an overview of current user activity.

  1. Log in to the Oracle Key Vault management console.
    The dashboard appears in the Home tab.
  2. To take corrective action on a particular alert:
    1. Click the link in the Details column that corresponds to the alert. The appropriate page appears.
    2. Take the corrective action for the alert as necessary.
  3. To configure the alerts that you want to see on the dashboard:
    1. Click the Reports tab, and then click Alerts from the left side bar to display the Alerts page.
    2. Click Configure from the top right, or Configure Alerts from the left sidebar under ALERTS, to display the Configure Alerts page.
    3. Select the Alert Type and then click Save.
  4. To view managed content, click the Managed Content button, which appears below the Alerts pane, along with the Show All and Activity buttons.

    The Managed Content pane of the dashboard displays aggregated information about security objects that are currently stored and managed in Oracle Key Vault.

    This status pane categorizes the aggregate information based on the item type such as keys, certificates, opaque objects, private keys, and TDE master encryption keys, as well as the item state such as pre-active, active, and deactivated.

    In the Managed Content pane, the item type and item state reflect the last refresh, which occurs at the refresh interval described in the Data Interval status pane.

  5. To view information about operations and endpoint activity for a specific time period (data interval), click the Show All button.

    Data Interval: This pane shows the length of the time period. You can set the time period to Last 24 hours, Last week, or Last Month, or a user-defined date range. It also shows the refresh interval for the Operations, Endpoint Activity, and User Activity panes.

    Operations: The Operations pane contains a bar graph with bars for key-related operations such as locate, activate, add endpoint, and assign default wallet.

    Endpoint Activity: The Endpoint Activity pane contains a bar graph for tracking the number of operations performed by each endpoint.

    User Activity: The User Activity pane contains a three-dimensional bar graph for tracking the number of operations performed by each user.

14.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment

On the system Settings page, you can configure the network settings.

These settings include DNS connection information, SSH, FIPS mode, and restart or shut down operations for Oracle Key Vault.

  1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select System, then System Settings from the left sidebar.

    The Settings page appears.

    The system Settings page has the following panes:

    • Network Details: Fields in this pane are automatically populated with the IP address and host name of your Oracle Key Vault server. But if anything changes, then you can update the Host Name, IP Address, Network Mask and the Gateway for the Oracle Key Vault installation. You cannot change the MAC Address, because this is the hard-wired address of the network interface.

    • Network Services: You can enable Web Access and SSH Access (Secure Shell Access) for all clients, for none, or for a subset of clients identified by their IP addresses, by selecting one of the following options:

      • All to select all IP addresses

      • IP address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.

      Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only when you must download bundle patches and copy them to an appropriate location.

      If you are using the Bash shell, then you may need to download patch sets or security fixes that work with SSH access. Instructions on downloading and enabling patch sets or security fixes come with the patch set release notes.

      As a best practice, enable SSH access for short durations, solely for diagnostics and troubleshooting purposes, and then disable it as soon as you are done.

      Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

    • System Time: You can configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. (Fields for up to three servers are provided.) If an NTP server is not available, then you can set the current time manually. You should use the calendar icon to set the date and time so that these values are stored in the correct format. In a primary-standby deployment, you must set the primary and standby servers to the same time. If you want to use an NTP server, then ensure that you have already configured and saved a DNS server IP address for it.

    • DNS: You can configure Domain Name Service (DNS) to translate host names to up to three IP addresses. This is useful if you only know the host name and not the IP address of a server you need access to. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP Address, after you set up DNS.

    • FIPS mode: Select the check box by Enable to use FIPS mode, or clear this check box to disable FIPS mode. In a primary-standby environment, ensure that both servers are consistent in their FIPS mode setting: either both are enabled, or both are disabled.
    • Syslog: All system related alerts are sent to syslog. Select the protocol to transfer syslog files: TCP or UDP.

      You can set the destination computer for syslog files by entering the IP address (and port number for TCP) in the format shown in the Syslog Destinations field. For more than one destination computer add the IP address (and port number for TCP) of each destination computer separated by a space.

      For TCP, specify the IP address and the port number. For UDP, specify only the IP address.

    • RESTful Services: First, ensure that the Web Access options in Network Services are set. Next, check the box after Enable to enable RESTful Services. RESTful services allow you to automate endpoint enrollment and provisioning. RESTful services also support regular key management activities. (This setting appears in non-cluster mode for standalone or primary-standby configurations. It also appears in the Cluster System Settings page in a multi-master cluster configuration.)

    • Oracle Audit Vault Integration: Check the box after Enable to send audit data from Oracle Key Vault to Oracle Audit Vault for centralized audit reporting and alerting. It will prompt you to enter and confirm the password.

  3. Click Save.
  4. Manually restart or power off the Oracle Key Vault server by clicking Reboot or Power Off in the top right.
    This is available specifically for manual restart or power off situations as required for maintenance or as a documented step in patch and upgrade procedures. A manual restart is not required for changing system settings.

14.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment

When you configure Oracle Key Vault in a multi-master cluster environment, you can configure either individual nodes or the entire multi-master cluster environment.

14.3.1 Configuring System Settings for Individual Multi-Master Cluster Nodes

You can set or change settings that apply to the cluster node.

Examples of these settings are the network details, network services, system time, DNS, FIPS mode, syslog, and Oracle Audit Vault integration. Values set for the node override the cluster setting. However, you can clear any individual node setting to revert to the cluster setting.

14.3.1.1 Configuring the Network Details for the Node

In a multi-master cluster, you can configure the network details from any Oracle Key Vault management console.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Update the values for the following fields:
    • Host Name: Enter the name of the node.
    • IP Address: Enter the IP address of the node. Note that this value cannot be changed after it is saved.
    • Network Mask: Enter the network mask of the node.
    • Gateway: Enter the network gateway of the node.
  4. Click Save.

14.3.1.2 Configuring the Network Services for the Node

In a multi-master cluster, you can configure the network services from any Oracle Key Vault management console.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. For Web Access, select one of the following options:
    • All: Allows all IP addresses to access the management console of this node.
    • IP Address(es): Restricts management console access to the space separated list of IP addresses entered in the address box.
  4. Click Save.

14.3.1.3 Configuring the System Time for the Node

You can set and clear the time for individual nodes.

14.3.1.3.1 Setting the System Time for the Node

In a multi-master cluster, you can set the system time for a node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the DNS section of the System Settings page, enter up to three DNS server IP addresses, and then click Save.
    Before you can configure the necessary NTP servers for the system time, you must have the DNS servers configured and saved.
  4. If necessary, return to the System Settings page by selecting System Settings under the System tab.
  5. Choose Use Network Time Protocol.
  6. Enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time for the node to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time for the node at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  7. Click Save.

14.3.1.3.2 Clearing the System Time for the Node

In a multi-master cluster, you can clear the time setting for the node and reset it to use the cluster time setting.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Click the Use Cluster Settings button in the System Time section.
    Clicking Use Cluster Settings is immediate for this setting. You do not need to click Save afterward.

14.3.1.4 Configuring DNS for the Node

You can set and clear the DNS for individual nodes.

14.3.1.4.1 Setting DNS for the Node

When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the DNS section of the System Settings pages, enter up to three DNS server IP addresses.
    While only the first value is required, two entries are recommended for fault tolerance.
  4. Click Save.

14.3.1.4.2 Clearing DNS for the Node

In a multi-master cluster, you can clear DNS for the node, which resets it to use the cluster DNS.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Click the Use Cluster Settings button in the DNS section.
    Clicking Use Cluster Settings is immediate for this setting. You do not need to click Save afterwards.

14.3.1.5 Setting the FIPS Mode for the Node

All multi-master cluster nodes must use the same FIPS mode setting or you will receive an alert.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the FIPS Mode section, do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes.
  4. Click Save.
    After you click Save, Oracle Key Vault will restart automatically.

14.3.2 Managing Oracle Key Vault Multi-Master Clusters

You can create, configure, manage, and administer an Oracle Key Vault multi-master cluster by using the Oracle Key Vault management console.

14.3.2.1 About Configuring Cluster System Settings

You can set or change settings that apply to an entire multi-master cluster. 

You can set the system time, DNS, the maximum time a server can be disabled before it is evicted from the cluster, enable RESTful services, the protocol to use for syslog, the syslog destination, and monitoring settings for the cluster. Any values that are set and saved to an individual node will not be overridden by cluster settings. It may take several minutes for changes to propagate to other nodes.

14.3.2.2 Configuring the System Time for the Cluster

When you configure the system time, you can set it for multiple servers and also set the synchronization.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Choose the Use Network Time Protocol option.
    Only the first value is required.
  4. Enter values for the following fields:
    • Synchronize After Save: This synchronizes the time across the cluster after you save the settings.

    • Synchronize Periodically: This synchronizes the time across the cluster at a predetermined interval. Once selected and applied, this option cannot be deselected.

    • Server 1: Enter the IP address of a NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 2: Enter the IP address of a second NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 3: Enter the IP address of a third NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

  5. In the System Time section, click Save to Cluster.

14.3.2.3 Configuring DNS for the Cluster

When you configure the DNS for a cluster, you can enter up to three DNS server IP addresses.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the DNS section of the Cluster System Settings page, enter up to three DNS Server IP addresses.
  4. In the DNS section, click Save to Cluster.

14.3.2.4 Configuring Maximum Disable Node Duration for the Cluster

You can set the Maximum Disable Node Duration for the cluster, in hours.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Maximum Disable Node Duration section, enter a value, in hours, for the duration that a node can be disabled before it is evicted from the cluster.
  4. In the Maximum Disable Node Duration section, click Save to Cluster.

14.3.2.5 Configuring RESTful Services for the Cluster

You can enable or disable RESTful Services for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Select the Enable checkbox in the RESTful Services section.
  4. In the RESTful Services section, click Save to Cluster.

14.3.2.6 Configuring Syslog for the Cluster

You can enable syslog for either the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Syslog section, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  4. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  5. In the Syslog section, click Save to Cluster.

14.3.2.7 Configuring SNMP Settings for the Cluster

You can enable or disable SNMP access for a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Monitoring Settings from the left navigation bar.
  3. For Scope, select Cluster.
  4. Select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box. Enter a space-separated list of IP addresses.
  5. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  6. Click Save to Cluster.
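
The Web Access, SSH Access, and SNMP address boxes and the Syslog Destinations field all take space-separated values, and a malformed entry can lock out an administrator or silently drop alerts. The following is an added example, not Oracle code, that checks a value before it is pasted into the console. It assumes the address boxes take single IP addresses only (no CIDR ranges or host names) and that syslog destinations are IPv4; the sample addresses are constructed.

```python
import ipaddress


class FieldError(ValueError):
    """Carries every problem found in one field value, one per line."""


def _tokens(field):
    # The console fields are space-separated; commas are a common paste mistake.
    if "," in field or ";" in field:
        raise FieldError("separate entries with spaces, not commas or semicolons")
    tokens = field.split()
    if not tokens:
        raise FieldError("field is empty")
    return tokens


def check_ip_allowlist(field):
    """Validate an 'IP address(es)' value; return the normalized addresses."""
    problems, seen = [], []
    for tok in _tokens(field):
        try:
            # Assumption: single addresses only, so CIDR and host names fail here.
            ip = ipaddress.ip_address(tok)
        except ValueError:
            problems.append(f"{tok!r}: not a single IP address")
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            problems.append(f"{tok}: not a usable client address")
        elif str(ip) in seen:
            problems.append(f"{tok}: listed more than once")
        else:
            seen.append(str(ip))
    if problems:
        raise FieldError("\n".join(problems))
    return seen


def check_syslog_destinations(field, protocol):
    """Validate a Syslog Destinations value for the chosen protocol.

    TCP entries must be IP_address:port; UDP entries must be the IP address
    alone. Returns a list of (ip, port) tuples, with port None for UDP.
    """
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise FieldError(f"protocol must be TCP or UDP, not {protocol!r}")
    problems, result = [], []
    for tok in _tokens(field):
        host, sep, port = tok.partition(":")
        try:
            ip = ipaddress.IPv4Address(host)  # assumption: IPv4 destinations
        except ValueError:
            problems.append(f"{tok!r}: {host!r} is not an IPv4 address")
            continue
        if protocol == "UDP":
            if sep:
                problems.append(f"{tok}: UDP destinations take the IP address only")
            else:
                result.append((str(ip), None))
        elif port.isascii() and port.isdigit() and 1 <= int(port) <= 65535:
            result.append((str(ip), int(port)))
        else:
            problems.append(
                f"{tok}: TCP destinations need IP_address:port with a port from 1 to 65535"
            )
    if problems:
        raise FieldError("\n".join(problems))
    return result


if __name__ == "__main__":
    # Constructed sample values (documentation address range 192.0.2.0/24).
    print(check_ip_allowlist("192.0.2.10 192.0.2.11"))
    print(check_syslog_destinations("192.0.2.50:514 192.0.2.51:6514", "TCP"))
    try:
        check_syslog_destinations("192.0.2.50:514 192.0.2.51", "UDP")
    except FieldError as exc:
        print(f"rejected:\n{exc}")
```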

14.4 Managing System Recovery

System recovery includes tasks such as recovering lost administrative passwords.

14.4.1 About Managing System Recovery

To perform system recovery, you use the recovery passphrase.

In an emergency when no administrative users are available, or you must change the password of administrative users, you can recover the system with the recovery passphrase that was created during Oracle Key Vault installation. In addition, you can change the recovery passphrase to keep up with security best practices.

14.4.2 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault installation.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the page.
  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. In the Administrator Recovery page, fill out the fields in the Key Administrator, System Administrator, and Audit Manager panes to assign these roles to new or existing user accounts.
  6. Click Save.

14.4.3 Changing the Recovery Passphrase in a Non-Clusters Environment

Periodically changing the recovery passphrase is a good security practice.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.

  1. Perform a server backup.
  2. From a web browser, enter the IP address of your Oracle Key Vault installation.
  3. In the Oracle Key Vault login page, do not log in.
  4. Click the System Recovery link.

    A new login page appears with a single field: Recovery Passphrase.

  5. Enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  6. Click Recovery Passphrase.

    The Recovery Passphrase page appears with two fields to enter and reenter the new passphrase.

  7. Enter the new recovery passphrase in the two fields.
  8. Click Submit.

14.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster

Changing the recovery passphrase in a multi-master cluster is a two-step process.

To change the recovery passphrase for a multi-master cluster, you must first initiate the change throughout the nodes in the multi-master cluster environment before changing the recovery passphrase.

14.4.4.1 Step 1: Initiate the Recovery Passphrase Change Across the Nodes

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes.

This is so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data. First, you must initiate the change for the recovery passphrase so that all nodes in the multi-master cluster will be notified of the impending change.

  1. Perform a server backup.
  2. Ensure that all nodes are in the ACTIVE state and replication has been verified between all nodes. Ensure that there are no cluster operations going on (such as adding a node).
  3. From a web browser, enter the IP address of the Oracle Key Vault installation that is not in read-only restricted mode.
  4. In the Oracle Key Vault login page, do not log in.
  5. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  6. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  7. Click the Recovery Passphrase tab.
  8. Click the Initiate Change button.
  9. Log out.
  10. Wait 3 to 4 minutes before continuing.

    During this time, all nodes will be notified that a passphrase change will be performed. To cancel a passphrase change, click the Reset button.

    All nodes will determine if more than one passphrase change has been initiated. If more than one passphrase change has been initiated, conflict resolution will be performed.

14.4.4.2 Step 2: Change the Recovery Passphrase

After the multi-master cluster nodes have been notified of the impending recovery passphrase change, you can change the recovery passphrase.

  1. From a Web browser, enter the IP address of a multi-master cluster node in the Oracle Key Vault installation.
    You can find a list of available nodes in the Oracle Key Vault management console by selecting the Clusters tab and then checking the Cluster Details section.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  4. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. Click the Recovery Passphrase tab.

    The Recovery Passphrase page appears with two fields to enter and re-enter the new passphrase.

  6. Enter the new recovery passphrase in the two fields.
  7. Click Submit.
  8. Repeat these steps for each node in the cluster.

    Note:

    HSM reverse migrate cannot run when the recovery passphrase is being changed.

    Caution:

    It is your responsibility to keep the recovery passphrase the same on all nodes in the cluster. If you set the recovery passphrase differently on cluster nodes, it will negatively impact cluster functionality, such as adding nodes and HSM-enabling nodes.

14.4.5 Changing the Installation Passphrase

You can change the installation passphrase from the system console.

14.4.5.1 About Changing the Installation Passphrase

You can only change the installation passphrase during a specific window of time.

The installation passphrase is specified during installation. You must use the installation passphrase to log in to Oracle Key Vault and complete the post-installation tasks. The installation passphrase can only be changed on the console after installation but before post-installation. After the post-installation tasks are completed, this option no longer appears on the console.

If you forget the installation passphrase, then you can create a new installation passphrase. As with all Oracle Key Vault passphrases, it is important to store the installation passphrase securely.

14.4.5.2 Changing an Installation Passphrase

You must change the installation passphrase in the system console.

  1. Access the system console of the server where Oracle Key Vault is installed.
  2. Select Change Installation Passphrase and press Enter.

    The New Passphrase screen appears.

  3. Enter the new installation passphrase in the New Passphrase and Confirm fields.
    The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.
  4. Select OK and then press Enter.

    The Installation Passphrase screen appears.

  5. Enter the old installation passphrase and then press Enter.

14.5 Support for a Primary-Standby Environment

To ensure that Oracle Key Vault can always access security objects, you can deploy Oracle Key Vault in a primary-standby (highly available) configuration.

This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault servers in a primary-standby configuration. The primary server services the requests that come from endpoints. If the primary server fails, then the standby server takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

The primary-standby configuration was previously known as the high availability configuration. The primary-standby configuration and the multi-master cluster configuration are mutually exclusive.

Oracle Key Vault supports primary-standby read-only restricted mode. When the primary server is affected by server, hardware, or network failures, primary-standby read-only restricted mode ensures that an Oracle Key Vault server is available to service endpoints, thus ensuring operational continuity. However, key and sensitive operations, such as generation of keys, are disabled, while operations such as generation of audit logs are unaffected.

When an unplanned shutdown makes the standby server unreachable, the primary server is still available to the endpoints in read-only mode.

14.6 Commercial National Security Algorithm Suite Support

You can use scripts to perform Commercial National Security Algorithm (CNSA) operations for Oracle Key Vault HSM backup and upgrade operations.

14.6.1 About Commercial National Security Algorithm Suite Support

Oracle Key Vault is compliant with the Commercial National Security Algorithm (CNSA).

This compliance applies to TLS connections to and from the Oracle Key Vault appliance.

The CNSA suite is a list of strong encryption algorithms and key lengths that offer greater security and relevance into the future.

Oracle Key Vault release 12.2 BP3 and later do not provide complete compliance across every component in the system. You will be able to switch to the CNSA algorithms, where available, by means of the following scripts that are packaged with the Oracle Key Vault ISO:

  • /usr/local/okv/bin/okv_cnsa makes configuration file changes to update as many components as possible to use the enhanced algorithms.

  • /usr/local/okv/bin/okv_cnsa_cert regenerates CNSA compliant public key pairs and certificates.

    Note:

    The /usr/local/okv/bin/okv_cnsa and /usr/local/okv/bin/okv_cnsa_cert scripts are both disruptive because they replace the old key pairs with new ones. This has consequences for the following operations:
    • Endpoint Enrollment: Enroll endpoints after running this script when possible. If you had endpoints enrolled before running the CNSA script, you must re-enroll them so that fresh CNSA compliant keys are generated using CNSA algorithms.

    • Primary-Standby: Run the CNSA scripts on both Oracle Key Vault instances before pairing them in a primary-standby configuration when possible. If a primary-standby configuration was in place before you ran the CNSA scripts, then you must reconfigure primary-standby as follows: unpair the primary and standby servers, reinstall the standby server, run the CNSA scripts individually on each server, and then pair them again.

Limitations:

  • CNSA compliance is not supported for all components in the Oracle Key Vault infrastructure (for example, SSH or Transparent Data Encryption (TDE)).

  • The Firefox browser is not supported for use with the Oracle Key Vault management console when CNSA is enabled. This is because the Firefox browser does not support CNSA-approved cipher suites.

14.6.2 Running the Commercial National Security Algorithm Scripts

The Commercial National Security Algorithm (CNSA) scripts update the okv_security.conf file.

  1. Back up Oracle Key Vault.
  2. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select SSH Access. Select IP address(es) and then enter only the IP addresses that you need. Click Save.

  3. SSH into the Oracle Key Vault server as the support user, entering the support user password that was created during post-installation, when prompted.
     $ ssh support@okv_instance
  4. Change to the root user:
    $  su root
  5. Run the scripts as follows:
    root#  /usr/local/okv/bin/okv_cnsa
    root#  /usr/local/okv/bin/okv_cnsa_cert
  6. Disable SSH access and then restart the Oracle Key Vault server.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select Disabled. Click Save. Restart the Oracle Key Vault server by clicking Reboot on the top right.

The scripts update the /usr/local/okv/etc/okv_security.conf with the following line:
USE_ENHANCED_ALGORITHMS_ONLY="1"
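
A post-change check for the line above, as an added example that is not part of Oracle's documentation or scripts: it reports whether the flag is in effect in one or more copies of okv_security.conf, which also covers the advice to run the CNSA scripts on both servers before pairing them. The function names, and the assumptions that the file uses shell-style KEY="value" lines with # comments and that a later assignment overrides an earlier one, are not from the page.

```shell
#!/bin/sh
# Added example (not Oracle's code): report whether the CNSA flag is in effect.
# Assumptions: okv_security.conf holds shell-style KEY="value" lines, '#' starts
# a comment, and a later assignment overrides an earlier one.

CNSA_KEY="USE_ENHANCED_ALGORITHMS_ONLY"

# Print the state of the flag in file $1: enabled | disabled | unset | missing
cnsa_state() {
    conf=$1
    [ -r "$conf" ] || { echo missing; return 0; }
    # Commented-out assignments do not match; keep the last live one.
    line=$(sed -n "/^[[:space:]]*${CNSA_KEY}=/p" "$conf" | tail -n 1)
    [ -n "$line" ] || { echo unset; return 0; }
    # Drop the key, any trailing comment and whitespace, then one layer of quotes.
    value=$(printf '%s\n' "$line" |
        sed -e "s/^[[:space:]]*${CNSA_KEY}=//" \
            -e 's/[[:space:]]*#.*$//' \
            -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' \
            -e "s/^'\(.*\)'\$/\1/")
    if [ "$value" = "1" ]; then echo enabled; else echo disabled; fi
}

# Return 0 only if every file given has the flag enabled, for example copies of
# the file from both servers before they are paired as primary and standby.
cnsa_all_enabled() {
    rc=0
    for f in "$@"; do
        state=$(cnsa_state "$f")
        printf '%s: %s\n' "$f" "$state"
        [ "$state" = enabled ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: pass one or more paths to okv_security.conf copies.
if [ "$#" -gt 0 ]; then
    cnsa_all_enabled "$@"
fi
```

A result of unset or disabled after the scripts have run means the flag is absent, commented out, or overridden by a later assignment in the file.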

14.6.3 Performing Backup and Restore Operations with CNSA

After you back up and restore Oracle Key Vault, use /usr/local/okv/bin/okv_cnsa to use the enhanced Commercial National Security Algorithm (CNSA).

  1. Perform the backup and restore operation.
  2. Wait until the restore operation is complete and the system has restarted.
    Do not proceed without completing this step.
  3. SSH into the Oracle Key Vault server as the support user:
     $ ssh support@okv_instance
  4. Switch to the root user:
    $ su root
  5. Run the following CNSA script:
     root#  /usr/local/okv/bin/okv_cnsa
    

14.6.4 Upgrading a Standalone Oracle Key Vault Server to Use CNSA

You can upgrade a standalone Oracle Key Vault to use the Commercial National Security Algorithm (CNSA) by executing the okv_cnsa script.

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Do not proceed without completing this step.
  2. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  3. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select SSH Access. Select IP address(es) and then enter only the IP addresses that you need. Click Save.

  4. Ensure you have enough space in the destination directory for the upgrade ISO files.
  5. Log in to the Oracle Key Vault server through SSH as user support, then switch user (su) to root.
  6. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
    scp remote_host:remote_path/okv-upgrade-disc-18.2.0.0.0.iso /var/lib/oracle/destination_directory_for_iso_file

    In this specification:

    • remote_host is the IP address of the computer containing the ISO upgrade file.
  7. Make the upgrade accessible by using the mount command:
    root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-18.2.0.0.0.iso /images
  8. Clear the cache using the clean all command:
    root# yum -c /images/upgrade.repo clean all
  9. Execute the following Ruby upgrade script:
    root# /usr/bin/ruby /images/upgrade.rb --confirm

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes

    If you see an error message, then check the log file /var/log/messages for additional information.

  10. Run the first CNSA script, which is available from the Oracle Key Vault ISO files location:
     root#  /usr/local/okv/bin/okv_cnsa
  11. Restart the Oracle Key Vault database server:
    root# /sbin/reboot

    On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.

    The upgrade is complete when the screen with the heading Oracle Key Vault Server 18.2.0.0.0 appears. The revision should reflect the upgraded release. The menu item Display Appliance Info appears below the heading. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.

  12. Confirm that Oracle Key Vault has been upgraded to the correct version.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select Status.
    3. Verify that the version displayed is 18.2.0.0.0.
      The release number is also at the bottom of each page, to the right of the copyright information.
  13. Disable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select Disabled. Click Save.

14.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA

You can upgrade Oracle Key Vault primary-standby servers to use the Commercial National Security Algorithm (CNSA) by executing the okv_cnsa script.

You must upgrade the standby and primary servers in one session with as little time between the standby and primary upgrade as possible. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.
  1. Prepare for the upgrade.
    • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

    • Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.

    • Ensure that both the primary and standby systems have 8 GB memory.

  2. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    You can use Oracle Backup and Recovery (Oracle RMAN) to perform this backup. Ensure that, in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), because these new keys will not be included in the backup.
    Do not proceed without completing this step.
  3. First, upgrade the standby server while the primary server is running.

    Follow Steps 2 through 11 of the standalone server upgrade process for CNSA.

  4. Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
  5. Upgrade the primary Oracle Key Vault server following Steps 1 through 11 of the standalone server upgrade.

    After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.

  6. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  7. Select the System tab, and then Status.
  8. Verify that the Version field displays the new software version 18.2.0.0.0.

14.7 Minimizing Downtime

Business-critical operations require data to be accessible and recoverable with minimum downtime.

You can configure Oracle Key Vault to ensure minimum downtime in the following ways:

  • Configuring a multi-master cluster: You can configure a multi-master cluster by adding redundancy in the form of additional nodes. The client can access any available node. In the event of a failure of any node, a client will automatically connect to another node in the endpoint node scan list. This reduces and potentially eliminates downtime.

  • Configuring a primary-standby environment: A primary-standby environment is configured by adding redundancy in the form of a standby server. The standby server takes over from the primary server in the event of a failure, thus eliminating single points of failure, and minimizing downtime.

  • Enabling read-only restricted mode: Primary-standby read-only restricted mode ensures endpoint operational continuity when primary or standby Oracle Key Vault servers are affected by server, hardware, or network failures. When an unplanned shutdown causes the standby server to become unreachable, the primary server is still available to the endpoints.

    If primary-standby read-only restricted mode is disabled, then the primary server will become unavailable and stop accepting requests in the event of a standby failure. Endpoints connected to Oracle Key Vault are unable to retrieve keys until connectivity is restored between primary and standby servers.

    To ensure endpoint operational continuity in the event of a primary or standby server failure, enable read-only restricted mode.

  • Enabling persistent master encryption key cache: The persistent master encryption key cache ensures that the endpoints can access keys in the event of a primary or standby server failure. While the surviving server is taking over from the failed peer, the endpoints can retrieve keys from the persistent cache and continue operations normally.

  • Apply the TDE heartbeat database patch on endpoints: Apply the database patch for Bug 22734547 to tune the Oracle Key Vault heartbeat.

Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and enable it to be fully operational with minimum downtime and data loss.

If the Oracle Key Vault installation uses an online master key (formerly known as TDE direct connect), then during an upgrade, ensure that you upgrade database endpoints in parallel to reduce total downtime.