Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Key Vault
- Changes for Oracle Key Vault Release 18.2
- Endpoint Software Installation Logs Environment Variables For Later Diagnostics
- New Endpoint Database Persistent Cache Parameter
- Oracle Key Vault Server Certificate Rotation
- Recover the Candidate Node If There Is a Failure or Error During Node Induction
- Limit Reset of User Password to Recovery Through Email Only
- Automatically Update Endpoint Configuration with Changes to Reverse-SSH Tunnels in the Cluster
- Upgrade Oracle Key Vault Server with HSM as Root of Trust Without the Need to Reverse Migrate
- HSM as Root of Trust Improvements
- RESTful Services Improvements
- Refresh Cached Oracle Key Vault Configuration Periodically In Long Running Processes
- Changes for Oracle Key Vault Release 18.1
- 1 Introduction to Oracle Key Vault
- 1.1 About Oracle Key Vault and Key Management
- 1.2 Benefits of Using Oracle Key Vault
- 1.3 Oracle Key Vault Use Cases
- 1.4 Who Should Use Oracle Key Vault
- 1.5 Major Features of Oracle Key Vault
- 1.5.1 Centralized Storage and Management of Security Objects
- 1.5.2 Management of Key Lifecycle
- 1.5.3 Reporting and Alerts
- 1.5.4 Separation of Duties for Oracle Key Vault Users
- 1.5.5 Support for a Primary-Standby Environment
- 1.5.6 Persistent Master Encryption Key Cache
- 1.5.7 Backup and Restore Functionality for Security Objects
- 1.5.8 Automation of Endpoint Enrollment Using RESTful Services
- 1.5.9 Key Management Support Using RESTful Services
- 1.5.10 Support for OASIS Key Management Interoperability Protocol (KMIP)
- 1.5.11 Database Release and Platform Support
- 1.5.12 Integration with External Audit and Monitoring Services
- 1.5.13 Integration of MySQL with Oracle Key Vault
- 1.5.14 Automatic Storage Management Cluster File System (ACFS) Encryption
- 1.5.15 Support for Oracle Cloud Database as a Service Endpoints
- 1.5.16 Oracle Key Vault Hardware Security Module Integration
- 1.6 Oracle Key Vault Interfaces
- 1.7 Overview of an Oracle Key Vault Deployment
- 2 Oracle Key Vault Concepts
- 3 Oracle Key Vault Multi-Master Cluster Concepts
- 3.1 Oracle Key Vault Multi-Master Cluster Overview
- 3.2 Benefits of Oracle Key Vault Multi-Master Clustering
- 3.3 Multi-Master Cluster Architecture
- 3.3.1 Oracle Key Vault Cluster Nodes
- 3.3.2 Cluster Node Limitations
- 3.3.3 Cluster Subgroup
- 3.3.4 Critical Data in Oracle Key Vault
- 3.3.5 Oracle Key Vault Read-Write Nodes
- 3.3.6 Oracle Key Vault Read-Only Nodes
- 3.3.7 Cluster Node Mode Types
- 3.3.8 Operations Permitted on Cluster Nodes in Different Modes
- 3.4 Building and Managing a Multi-Master Cluster
- 3.5 Oracle Key Vault Multi-Master Cluster Deployment Scenarios
- 3.6 Multi-Master Cluster Features
- 4 Oracle Key Vault Installation and Configuration
- 4.1 About Oracle Key Vault Installation and Configuration
- 4.2 Oracle Key Vault Installation Requirements
- 4.3 Installing and Configuring Oracle Key Vault
- 4.4 Logging In to the Oracle Key Vault Management Console
- 4.5 Upgrading a Standalone or Primary-Standby Oracle Key Vault Server
- 4.5.1 About Upgrading the Oracle Key Vault Server Software
- 4.5.2 Step 1: Back Up the Server Before You Upgrade
- 4.5.3 Step 2: Perform Pre-Upgrade Tasks
- 4.5.4 Step 3: Upgrade the Oracle Key Vault Server or Server Pair
- 4.5.5 Step 4: Upgrade the Endpoint Software
- 4.5.6 Step 5: If Necessary, Remove Old Kernels
- 4.5.7 Step 6: If Necessary, Add Disk Space to Extend Swap Space
- 4.5.8 Step 7: If Necessary, Remove SSH-Related DSA Keys
- 4.5.9 Step 8: Back Up the Upgraded Oracle Key Vault Server
- 4.6 Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
- 4.6.1 About Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
- 4.6.2 Step 1: Perform Pre-Upgrade Tasks
- 4.6.3 Step 2: Execute the Pre-Upgrade Script on Each Multi-Master Cluster Node
- 4.6.4 Step 3: Upgrade Each Multi-Master Cluster Node
- 4.6.5 Step 4: Check the Node Version and the Cluster Version
- 4.6.6 Rolling Back the Pre-Upgrade Script
- 4.7 Overview of the Oracle Key Vault Management Console
- 4.8 Performing Actions and Searches
- 5 Managing Oracle Key Vault Multi-Master Clusters
- 5.1 About Managing Oracle Key Vault Multi-Master Clusters
- 5.2 Creating the First (Initial) Node of a Cluster
- 5.3 Adding a Node to the Cluster
- 5.4 Terminating the Pairing of a Node
- 5.5 Disabling a Cluster Node
- 5.6 Enabling a Disabled Cluster Node
- 5.7 Deleting a Cluster Node
- 5.8 Force Deleting a Cluster Node
- 5.9 Managing Replication Between Nodes
- 5.10 Cluster Management Information
- 5.11 Cluster Monitoring Information
- 5.12 Naming Conflicts and Resolution
- 5.13 Multi-Master Cluster Deployment Recommendations
- 6 Managing an Oracle Key Vault Primary-Standby Configuration
- 6.1 Overview of the Oracle Key Vault Primary-Standby Configuration
- 6.1.1 About the Oracle Key Vault Primary-Standby Configuration
- 6.1.2 Benefits of an Oracle Key Vault Primary-Standby Configuration
- 6.1.3 Difference Between Primary-Standby Configuration and Multi-Master Cluster
- 6.1.4 Primary Server Role in a Primary-Standby Configuration
- 6.1.5 Standby Server Role in a Primary-Standby Configuration
- 6.2 Configuring the Primary-Standby Environment
- 6.3 Switching the Primary and Standby Servers
- 6.4 Restoring Primary-Standby After a Failover
- 6.5 Disabling (Unpairing) the Primary-Standby Configuration
- 6.6 Read-Only Restricted Mode in a Primary-Standby Configuration
- 6.6.1 About Read-Only Restricted Mode in a Primary-Standby Configuration
- 6.6.2 Primary-Standby with Read-Only Restricted Mode
- 6.6.3 Primary-Standby without Read-Only Restricted Mode
- 6.6.4 States of Read-Only Restricted Mode
- 6.6.5 Enabling Read-Only Restricted Mode
- 6.6.6 Disabling Read-Only Restricted Mode
- 6.6.7 Recovering from Read-Only Restricted Mode
- 6.6.8 Read-Only Restricted Mode Notifications
- 6.7 Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
- 7 Managing Oracle Key Vault Users
- 7.1 Managing User Accounts
- 7.2 Managing Administrative Roles and Privileges
- 7.3 Managing User Passwords
- 7.4 Managing User Email
- 7.5 Managing User Groups
- 7.5.1 About Managing User Groups
- 7.5.2 How a Multi-Master Cluster Affects User Groups
- 7.5.3 Creating a User Group
- 7.5.4 Adding a User to a User Group
- 7.5.5 Granting a User Group Access to a Virtual Wallet
- 7.5.6 Renaming a User Group
- 7.5.7 Changing a User Group Description
- 7.5.8 Removing a User from a User Group
- 7.5.9 Deleting a User Group
- 8 Managing Oracle Key Vault Virtual Wallets and Security Objects
- 9 Managing Oracle Key Vault Endpoints
- 9.1 Overview of Managing Endpoints
- 9.2 Managing Endpoints
- 9.3 Default Wallets and Endpoints
- 9.4 Managing Endpoint Access to a Virtual Wallet
- 9.5 Managing Endpoint Groups
- 9.5.1 How a Multi-Master Cluster Affects Endpoint Groups
- 9.5.2 Creating an Endpoint Group
- 9.5.3 Modifying Endpoint Group Details
- 9.5.4 Granting an Endpoint Group Access to a Virtual Wallet
- 9.5.5 Adding an Endpoint to an Endpoint Group
- 9.5.6 Removing an Endpoint from an Endpoint Group
- 9.5.7 Deleting Endpoint Groups
- 9.6 Managing Endpoint Details
- 9.7 Upgrading Endpoints
- 10 Enrolling Endpoints for Oracle Key Vault
- 10.1 About Endpoint Enrollment and Provisioning
- 10.2 Finalizing Enrollment and Provisioning
- 10.3 Environment Variables and Endpoint Provisioning Guidance
- 10.4 Endpoints That Do Not Use the Oracle Key Vault Client Software
- 10.5 Transparent Data Encryption Endpoint Management
- 10.6 Endpoint okvclient.ora Configuration File
- 11 Oracle Database Instances in Oracle Cloud Infrastructure
- 11.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints
- 11.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
- 11.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
- 11.3.1 Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance
- 11.3.2 Managing a Reverse SSH Tunnel in a Multi-Master Cluster
- 11.3.3 Managing a Reverse SSH Tunnel in a Primary-Standby Configuration
- 11.3.4 Viewing SSH Tunnel Configuration Details
- 11.3.5 Disabling an SSH Tunnel Connection
- 11.3.6 How the Connection Works if the SSH Tunnel Is Not Active
- 11.3.7 Deleting an SSH Tunnel Configuration
- 11.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 11.4.1 About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 11.4.2 Step 1: Register the Endpoint in the Oracle Key Vault Management Console
- 11.4.3 Step 2: Prepare the Endpoint Environment
- 11.4.4 Step 3: Install the Oracle Key Vault Software onto the Endpoint
- 11.4.5 Step 4: Perform Post-Installation Tasks
- 11.5 Suspending Database Cloud Service Access to Oracle Key Vault
- 11.6 Resuming Database Cloud Service Access to Oracle Key Vault
- 11.7 Resuming a Database Endpoint Configured with a Password-Based Keystore
- 12 Oracle Key Vault Administration and Key Management with RESTful Services
- 12.1 About RESTful Services
- 12.2 Required Privileges for Using RESTful Services
- 12.3 Enabling RESTful Services
- 12.4 Managing the RESTful Services Configuration File
- 12.4.1 About Managing the RESTful Services Configuration File
- 12.4.2 Configuration File Creation Guidelines
- 12.4.3 Creating the RESTful Services Configuration File
- 12.4.4 Examples of Configuration Files
- 12.4.5 Executing a Single RESTful Command
- 12.4.6 Executing Multiple RESTful Administrative Commands Using a Script
- 12.5 Disabling RESTful Services
- 12.6 Oracle Key Vault Administrative REST Client Tool Commands
- 12.6.1 RESTful Services Command Syntax
- 12.6.2 RESTful Services Wallet Command Syntax
- 12.6.3 Commands to Add and Enroll Endpoints
- 12.6.4 Commands to Modify Endpoint Details
- 12.6.5 Endpoint Group Commands
- 12.6.6 Virtual Wallet Commands
- 12.6.6.1 add_wallet_access_ep Command
- 12.6.6.2 add_wallet_access_epg Command
- 12.6.6.3 check_object_status Command
- 12.6.6.4 create_unique_wallet Command
- 12.6.6.5 create_wallet Command
- 12.6.6.6 delete_wallet Command
- 12.6.6.7 drop_wallet_access_ep Command
- 12.6.6.8 drop_wallet_access_epg Command
- 12.6.6.9 get_default_wallet Command
- 12.6.6.10 get_object_name Command
- 12.6.6.11 get_wallets Command
- 12.6.6.12 modify_wallet_access_ep Command
- 12.6.6.13 modify_wallet_access_epg Command
- 12.6.6.14 modify_wallet_desc Command
- 12.6.6.15 set_default_wallet Command
- 12.6.7 Error Reporting
- 12.6.8 Help Information
- 12.7 Oracle Key Vault Key Management REST Client Tool Commands
- 12.7.1 About Oracle Key Vault Key Management REST Client Tool Commands
- 12.7.2 Oracle Key Vault Key Management REST Client API Using OKVRESTSERVICE
- 12.7.3 List of Key Management REST Client Tool Commands
- 12.7.4 Key Creation and Registration Commands
- 12.7.5 Key Attribute Management Commands
- 12.7.6 Key Life Cycle Management Commands
- 12.7.7 Wallet Commands
- 13 Backup and Restore Operations
- 13.1 About Backing Up and Restoring Data in Oracle Key Vault
- 13.2 Oracle Key Vault Backup Destinations
- 13.3 Backup Schedules and States
- 13.4 Scheduling and Managing Oracle Key Vault Backups
- 13.5 Restoring Oracle Key Vault Data
- 13.5.1 About the Oracle Key Vault Restore Process
- 13.5.2 Procedure for Restoring Oracle Key Vault Data
- 13.5.3 Multi-Master Cluster and the Restore Operation
- 13.5.4 Primary-Standby and the Restore Operation
- 13.5.5 Third-Party Certificates and the Restore Operation
- 13.5.6 Changes Resulting from a System State Restore
- 13.6 Backup and Restore Best Practices
- 14 Oracle Key Vault General System Administration
- 14.1 Overview of Oracle Key Vault General System Administration
- 14.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
- 14.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- 14.3.1 Configuring System Settings for Individual Multi-Master Cluster Nodes
- 14.3.2 Managing Oracle Key Vault Multi-Master Clusters
- 14.3.2.1 About Configuring Cluster System Settings
- 14.3.2.2 Configuring the System Time for the Cluster
- 14.3.2.3 Configuring DNS for the Cluster
- 14.3.2.4 Configuring Maximum Disable Node Duration for the Cluster
- 14.3.2.5 Configuring RESTful Services for the Cluster
- 14.3.2.6 Configuring Syslog for the Cluster
- 14.3.2.7 Configuring SNMP Settings for the Cluster
- 14.4 Managing System Recovery
- 14.5 Support for a Primary-Standby Environment
- 14.6 Commercial National Security Algorithm Suite Support
- 14.6.1 About Commercial National Security Algorithm Suite Support
- 14.6.2 Running the Commercial National Security Algorithm Scripts
- 14.6.3 Performing Backup and Restore Operations with CNSA
- 14.6.4 Upgrading a Standalone Oracle Key Vault Server to Use CNSA
- 14.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA
- 14.7 Minimizing Downtime
- 15 Managing Certificates
- 16 Monitoring and Auditing Oracle Key Vault
- 16.1 Managing System Monitoring
- 16.1.1 Configuring Remote Monitoring to Use SNMP
- 16.1.1.1 About Using SNMP for Oracle Key Vault
- 16.1.1.2 Granting SNMP Access to Users
- 16.1.1.3 Changing the SNMP User Name and Password
- 16.1.1.4 Changing SNMP Settings on the Standby Server
- 16.1.1.5 Remotely Monitoring Oracle Key Vault Using SNMP
- 16.1.1.6 SNMP Management Information Base Variables for Oracle Key Vault
- 16.1.1.7 Example: Simplified Remote Monitoring of Oracle Key Vault Using SNMP
- 16.1.2 Configuring Email Notification
- 16.1.3 Configuring the Syslog Destination for Individual Multi-Master Cluster Nodes
- 16.1.4 Capturing System Diagnostics
- 16.1.5 Configuring Oracle Audit Vault Integration for a Multi-Master Cluster Node
- 16.2 Configuring Oracle Key Vault Alerts
- 16.3 Managing System Auditing
- 16.4 Using Oracle Key Vault Reports
- 17 Managing Security Objects in Oracle Key Vault
- 17.1 Configuring an Oracle Key Vault-to-New TDE-Enabled Database Connection
- 17.2 Migrating Existing TDE Wallets to Oracle Key Vault
- 17.3 Using the Persistent Master Encryption Key Cache
- 17.3.1 About the Persistent Master Encryption Key Cache
- 17.3.2 About Oracle Key Vault Persistent Master Encryption Key Cache Architecture
- 17.3.3 Caching Master Encryption Keys in the In-Memory and Persistent Master Encryption Key Cache
- 17.3.4 Storage Location of Persistent Master Encryption Key Cache
- 17.3.5 Persistent Master Encryption Key Cache Modes of Operation
- 17.3.6 Persistent Master Encryption Key Cache Refresh Window
- 17.3.7 Persistent Master Encryption Key Cache Parameters
- 17.3.7.1 PKCS11_CACHE_TIMEOUT Parameter
- 17.3.7.2 PKCS11_PERSISTENT_CACHE_TIMEOUT Parameter
- 17.3.7.3 PKCS11_PERSISTENT_CACHE_FIRST Parameter
- 17.3.7.4 PKCS11_CONFIG_PARAM_REFRESH_INTERVAL Parameter
- 17.3.7.5 PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW Parameter
- 17.3.7.6 EXPIRE_PKCS11_PERSISTENT_CACHE_ON_DATABASE_SHUTDOWN Parameter
- 17.3.8 Listing the Contents of the Persistent Master Encryption Key Cache
- 17.3.9 Oracle Database Deployments and Persistent Master Encryption Key Cache
- 17.4 Uploading and Downloading Oracle Wallets
- 17.5 Uploading and Downloading JKS and JCEKS Keystores
- 17.6 Uploading and Downloading Credential Files
- 17.7 Using a User-Defined Key as the TDE Master Encryption Key
- 18 Using Oracle Key Vault with Other Features
- 18.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
- 18.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
- 18.3 Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
- 18.3.1 About Uploading Oracle Wallets in an Oracle Data Guard Environment
- 18.3.2 Uploading Oracle Wallets in an Oracle Data Guard Environment
- 18.3.3 Performing an Online Master Key Connection in an Oracle Data Guard Environment
- 18.3.4 Migrating Oracle Wallets in an Oracle Data Guard Environment
- 18.3.5 Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
- 18.3.6 Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
- 18.3.7 Checking the Oracle TDE Wallet Migration for a Logical Standby Database
- 18.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
- 18.5 MySQL Integration with Oracle Key Vault
- 18.6 Other Oracle Database Features That Oracle Key Vault Supports
- A Oracle Key Vault Multi-Master Cluster Operations
- B Oracle Key Vault okvutil Endpoint Utility Reference
- C Troubleshooting Oracle Key Vault
- C.1 Oracle Key Vault Pre-Installation Checklist
- C.2 Integrating Oracle Key Vault with Oracle Audit Vault and Database Firewall
- C.2.1 Step 1: Check the Environment
- C.2.2 Step 2: Register Oracle Key Vault as a Secured Target with AVDF
- C.2.3 Step 3: Register Oracle Key Vault as a Host with AVDF
- C.2.4 Step 4: Download the AVDF Agent and Upload it to Oracle Key Vault
- C.2.5 Step 5: Install the AVDF agent.jar File on the Oracle Key Vault Server
- C.2.6 Step 6: Add the Oracle Key Vault Audit Trail to AVDF
- C.2.7 Step 7: View Oracle Key Vault Audit Data Collected by AVDF
- C.3 RESTful Services Troubleshooting Help
- C.4 Error: Cannot Open Keystore Message
- C.5 KMIP Error: Invalid Field
- C.6 WARNING: Could Not Store Private Key Errors
- C.7 Errors After Upgrading Oracle Key Vault
- C.8 Error: Failed to Open Wallet
- C.9 Transaction Check Error: Diagnostics Generation Utility
- C.10 Fast-Start Failover (FSFO) Suspended (ORA-16818)
- C.11 SSH Tunnel Add Failure
- C.12 Error: Provision Command Fails if /usr/bin/java Does Not Exist
- C.13 TDE Endpoint Integration Issues
- C.14 Failover Situations in Primary-Standby Mode
- C.15 Performing a Planned Shutdown
- D Security Technical Implementation Guides Compliance Standards
- Glossary
- Index