11 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

You can install Oracle Key Vault on an Oracle Cloud Infrastructure (OCI) VM compute instance from Oracle Cloud Marketplace.

11.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance

Oracle Key Vault on Oracle Cloud Marketplace is the cloud-based version of Oracle Key Vault and provides flexible, continuous and scalable key management.

Oracle Key Vault is quick and easy to launch on a VM compute instance of any shape or size in your OCI tenancy. This eliminates the need to procure hardware and drastically shortens the time to provision a fully functional Oracle Key Vault deployment. Oracle Key Vault deployed on an OCI VM compute instance (referred to as an Oracle Key Vault compute instance) is private to your tenancy and is managed by you. After the launch, an Oracle Key Vault compute instance has the same look and feel as an on-premises Oracle Key Vault installation, with the same flexibility in configuration.

An Oracle Key Vault server that is deployed on Oracle Cloud Infrastructure (OCI) VM compute instance can operate in the following situations:

  • A standalone environment
  • Be paired with another Oracle Key Vault server in OCI or on-premises to form a primary-standby configuration
  • Be paired with other nodes in OCI or on-premises to form a multi-master cluster

The Oracle Key Vault multi-master cluster nodes could be entirely in OCI forming a cloud-only Oracle Key Vault cluster or some of the nodes can exist on-premises, thus forming a hybrid Oracle Key Vault cluster. This flexible deployment provides scalability regardless of whether Oracle Key Vault nodes are deployed in on-premises or cloud environments.

The Oracle Key Vault compute instance deployment enables the use of Oracle Key Vault to manage the encryption keys of your OCI-based database deployments. This enables you to maintain control over your encryption keys in a cloud environment. You can have up to 16 Oracle Key Vault compute instances in a multi-master cluster, distributed across any of the Oracle Cloud regions, to provide key management services to your globally distributed, on-premises, hybrid, or cloud-only Oracle database deployments.

When you enroll endpoints with the Oracle Key Vault compute instance, you must ensure that they are in the same VCN as the Oracle Key Vault compute instance itself. The endpoints will communicate with the Oracle Key Vault compute instance using the private IP of the instance. You can optionally configure the Oracle Key Vault compute instance to have a public IP address that can be used to access the Oracle Key Vault management console. You must configure the network to ensure that connectivity exists between Oracle Key Vault compute instances as well as between endpoints and the Oracle Key Vault compute instances.

11.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure

Quick deployments and ease of use are among the benefits of using an Oracle Key Vault Oracle Cloud Infrastructure (OCI) compute instance.

  • Key management for OCI-based database environment: The Oracle Key Vault compute instance deployment provides key management to your OCI-based database environments as well as on-premises and hybrid database environments. This enables you to own, manage, and maintain control over encryption keys of your database environments in the cloud.

  • Quick deployment: You can launch the Oracle Key Vault compute instance within minutes and without the need to manage hardware or set up virtual machines. After it is launched, the Oracle Key Vault compute instance can run stand-alone, be added to a multi-master cluster, or be used in a primary-standby configuration. You can enroll endpoints with an Oracle Key Vault compute instance. This way, you can quickly set up a production environment. You can also use Oracle Key Vault compute instances to quickly set up a test and development environment to validate and experiment with various use cases and deployment scenarios of Oracle Key Vault.

  • Scaling out a production environment during peak load or hardware unavailability: If you use FastConnect or IPSec VPN in OCI, then you can extend the Oracle Key Vault cloud deployments to an on-premises environment. Using FastConnect or IPSec VPN, you can pair Oracle Key Vault nodes on-premises with Oracle Key Vault compute instances in OCI to form a hybrid cluster. You can use a hybrid cluster to run production Oracle Key Vault servers in OCI, or use them to expand the Oracle Key Vault cluster temporarily. Oracle Key Vault compute instances can be added quickly as new nodes to an on-premises, OCI or hybrid Oracle Key Vault cluster. This type of deployment provides spontaneous elasticity to the Oracle Key Vault cluster, and can be used to address any temporary increase of load on nodes of the Oracle Key Vault cluster.

  • Reduced latency for hybrid database environments: For use cases where the data is shared between on-premises and cloud databases, managing the keys in a hybrid Oracle Key Vault cluster provides for locality of reference. Because the keys are available on all nodes of the cluster, the cluster subgroups can be set up in such a way that the databases in the cloud primarily fetch the keys from the cluster nodes in OCI and the on-premises databases primarily fetch the keys from cluster nodes that are provisioned on-premises.

  • Simplified transition of on-premises to OCI-based Oracle Key Vault clusters: If you are connected to OCI using FastConnect or IPSec VPN, then you can extend your on-premises Oracle Key Vault cluster by adding Oracle Key Vault compute instances to that cluster. The IP addresses of the Oracle Key Vault nodes in OCI are added to the scan lists of your database endpoints. Once you have the appropriate number of Oracle Key Vault nodes in your OCI tenancy, you can remove the on-premises Oracle Key Vault nodes from the cluster. Following the same procedure, it is possible to seamlessly transition from an Oracle Key Vault cluster in OCI back to an on-premises Oracle Key Vault cluster.

  • Engaging OCI infrastructure and services: You can take advantage of the unique benefits of the Oracle Cloud Infrastructure. If you install multiple Oracle Key Vault compute instances in the same region, you can choose to deploy them in different availability domains (fault domains are selected automatically, but can be changed) to guarantee the highest possible availability of your key management service. Services such as DNS and NTP are also natively available in OCI. You do not have to set them up, thereby simplifying Oracle Key Vault provisioning.

11.3 Provisioning an Oracle Key Vault Compute Instance

The provisioning process for an Oracle Key Vault compute instance entails launching the compute instance and performing post-launch and post-installation tasks.

11.3.1 About Provisioning an Oracle Key Vault Compute Instance

To provision the Oracle Key Vault compute instance, you choose an Oracle Key Vault image as your custom image.

You will launch this image from the OCI Marketplace on a compute shape. After you complete the process, the Oracle Key Vault compute image becomes unique to your environment. The disk size of this image is 2 TB.

After you complete the launch, you can begin to use the Oracle Key Vault compute image immediately. The steps that you must perform after the launch are similar to the steps that you would perform for an on-premises Oracle Key Vault installation.

11.3.2 Launching the Oracle Key Vault Compute Instance

The launching process for the Oracle Key Vault compute instance should take roughly two to five minutes.

11.3.2.1 About Launching the Oracle Key Vault Compute Instance

The launch process requires some minor preparation work on your system.

Before you begin the launch process, ensure that the endpoints that you plan to use are in the same VCN as the Oracle Key Vault instance will be. The endpoints will communicate with Oracle Key Vault using the private IP of the compute instance. Optionally, the Oracle Key Vault compute instance can have a public IP that can be used to access the Oracle Key Vault management console. You will also set up the network and configure it to ensure that network connectivity will exist between the endpoints and the OCI compute instances.

11.3.2.2 Step 1: Ensure That You Have Prerequisites in Place

Before you can launch an Oracle Key Vault compute instance, you must ensure that you have prerequisites in place in the Oracle cloud.

Ensure that the following are in place:
  • You have an Oracle cloud account.
  • You have access to your assigned Oracle cloud tenant.
  • You have sufficient compute node resources within the Oracle cloud tenant.

11.3.2.3 Step 2: Find the Oracle Key Vault Image

The Oracle Key Vault image is available on the Oracle Cloud Marketplace web site.

  1. Log in to the Oracle Cloud Marketplace web site.
  2. In the Products search field, enter Oracle Key Vault and then click Go.
  3. Under the Search Results, click Oracle Key Vault to navigate to the Oracle Key Vault page.

11.3.2.4 Step 3: Launch the Oracle Key Vault VM Compute Instance

You perform the entire launching process in the Oracle Cloud Marketplace.

  1. Click the Get App button.
  2. If you already have an OCI account, select your home region, and then click Sign In. Otherwise, click Sign Up to create a new account.
  3. In the Get Version menu, ensure that Oracle Key Vault 18.3 is displayed.
  4. From the Compartment menu, select your compartment.
  5. Select the I have reviewed the terms and conditions check box.
  6. In the Oracle Key Vault page, select Launch Instance.
  7. In the page that appears, click Change Instance.
  8. For the shape, select VM.Standard2.2 or bigger. If you are using an older standard, then select VM.Standard1.4 or bigger. Then click Select Shape.
    Next, you are ready to configure the network.
  9. Upload your SSH public key.
  10. Click Advanced Options, and then choose the Network tab.
    Here you can replace the default private address with another one. Both of these addresses must be within the range of your current subnet. In addition, you can change the host name to match your naming convention. Otherwise, the host name will be constructed from okv|MAC-address-of-NIC.
  11. In the Boot Volume area, do not select any settings.
  12. Click Create to complete the shape creation.
    In a moment, the Oracle Key Vault compute image starts and is made available as an Oracle Key Vault server.

At this stage, you must perform the post-launch and post-installation steps.

11.3.2.5 Step 4: Perform Post-Launch and Post-Installation Tasks

After you launch Oracle Key Vault in an OCI compute instance, you first perform the post-launch task, followed by post-installation tasks.

The post-launch task is to set the installation passphrase. After you set this passphrase, you must perform the post-installation tasks, which are the same tasks that are required for an on-premises deployment. After you complete the post-installation tasks, you can start building your Oracle Key Vault cluster, set up the primary-standby configuration, or leave Oracle Key Vault in stand-alone mode.

  1. Set the installation passphrase.
    1. In a command prompt, log in as the opc user.
      ssh opc@Oracle_Key_Vault_OCI_IP_address
    2. Set the installation passphrase by executing the following command:
      set_installation_passphrase
    3. When prompted, enter and confirm the installation passphrase.
      After you successfully enter the passphrase, the system deletes the opc account. After this deletion, logins to the Oracle Key Vault instance using SSH will be disabled.
      Only during upgrades, or when directed by Oracle Support, can you temporarily enable SSH from the Oracle Key Vault management console. You can then use SSH to log in to the Oracle Key Vault server as the support user, using the same SSH public key as the opc user.
  2. Perform the following post-installation tasks:
    • Create the Oracle Key Vault administrator accounts, the recovery passphrase, and the root and support user passwords.
    • Enter the NTP and DNS addresses, using one of the following choices:
      • The NTP server address in Oracle Cloud Infrastructure, which is 169.254.169.254, and then leave the remaining fields empty.
      • In all three fields, enter any external NTP servers. For example:
        0.north-america.pool.ntp.org
        1.north-america.pool.ntp.org
        2.north-america.pool.ntp.org
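The prerequisites and settings that Steps 1 through 4 and the System Settings notes in 11.4.2 spell out for an OCI deployment (minimum shape, endpoints in the same VCN as the Oracle Key Vault private IP, the two valid NTP layouts, the 16-node cluster limit, no SSH tunnel) can be checked before you click Create. The script below is an added pre-flight checker written for this page, not Oracle's or Oracle Key Vault's own tooling; it assumes the VCN can be described by a single CIDR block and that shape names follow the VM.StandardN.M pattern, and the sample deployment at the bottom is constructed.

```python
"""Pre-flight checks for an OKV compute instance in OCI (added example, not
Oracle's code): shape minimum, endpoints in the OKV VCN (modelled as one CIDR
block, an assumption), NTP fields, 16-node cluster limit, no SSH tunnel."""
import ipaddress
import re

OCI_NTP = "169.254.169.254"
MAX_CLUSTER_NODES = 16
MIN_OCPUS = {"VM.Standard1": 4, "VM.Standard2": 2}  # Step 3 minimum shapes
SHAPE_RE = re.compile(r"^(VM\.Standard\d)\.(\d+)$")


def check_shape(shape):
    """Return problems if the shape is below the documented minimum."""
    m = SHAPE_RE.match(shape)
    if not m or m.group(1) not in MIN_OCPUS:
        return [f"shape {shape!r} is not a VM.Standard1/2 shape; review it manually"]
    family, ocpus = m.group(1), int(m.group(2))
    if ocpus < MIN_OCPUS[family]:
        return [f"shape {shape} is below the minimum {family}.{MIN_OCPUS[family]}"]
    return []


def check_endpoints_in_vcn(vcn_cidr, okv_private_ip, endpoint_ips):
    """Endpoints reach OKV over its private IP, so both must sit in the VCN."""
    vcn = ipaddress.ip_network(vcn_cidr, strict=False)
    problems = []
    if ipaddress.ip_address(okv_private_ip) not in vcn:
        problems.append(f"OKV private IP {okv_private_ip} is outside VCN {vcn_cidr}")
    for ep in endpoint_ips:
        if ipaddress.ip_address(ep) not in vcn:
            problems.append(f"endpoint {ep} is outside VCN {vcn_cidr}")
    return problems


def check_ntp(fields):
    """Three NTP fields: the OCI address alone, or three external servers."""
    f = ([s.strip() for s in fields] + ["", "", ""])[:3]
    if f == [OCI_NTP, "", ""] or (all(f) and OCI_NTP not in f):
        return []
    return [f"NTP fields {f} must be [{OCI_NTP!r}, '', ''] or three external servers"]


def preflight(cfg):
    """Run every check over a deployment description; [] means ready."""
    problems = check_shape(cfg["shape"])
    problems += check_endpoints_in_vcn(cfg["vcn_cidr"], cfg["okv_private_ip"], cfg["endpoints"])
    problems += check_ntp(cfg["ntp_fields"])
    if cfg.get("cluster_nodes", 1) > MAX_CLUSTER_NODES:
        problems.append(f"{cfg['cluster_nodes']} nodes exceed the {MAX_CLUSTER_NODES}-node limit")
    if cfg.get("ssh_tunnel", False):
        problems.append("SSH tunnel is configured; do not use one for an OCI-based deployment")
    return problems


# Constructed sample deployment; every value is made up for illustration.
SAMPLE = {"shape": "VM.Standard2.2", "vcn_cidr": "10.0.0.0/16",
          "okv_private_ip": "10.0.1.10", "endpoints": ["10.0.2.21", "10.0.2.22"],
          "ntp_fields": [OCI_NTP, "", ""], "cluster_nodes": 3, "ssh_tunnel": False}

if __name__ == "__main__":
    for p in preflight(SAMPLE) or ["deployment description passes every check"]:
        print(p)
```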

11.4 General Management of an Oracle Key Vault Compute Instance

You can perform many of the Oracle Key Vault compute instance general management tasks in the Oracle Key Vault management console.

11.4.1 Starting, Restarting, or Stopping an Oracle Key Vault Compute Instance

Depending on the action you need, you can use the Oracle Key Vault management console or the OCI console.

You can use the Oracle Key Vault management console or OCI console to restart and stop an Oracle Key Vault compute instance, but to start an already stopped instance, you must use the OCI console.

Select one of the following methods to restart or stop an Oracle Key Vault compute instance:

  • From the Oracle Key Vault management console, you can restart or stop the Oracle Key Vault compute instance:
    1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
    2. Select System, then System Settings from the left sidebar.
    3. In the Settings page, do one of the following:
      • To restart, click Reboot.
      • To stop, click Power Off.
  • From the OCI console, you can start, restart, or stop the Oracle Key Vault compute instance:
    1. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
    2. Select the Oracle Key Vault compute instance that you want to stop or start.
    3. Click one of the following actions:
      • To start a stopped instance, click Start.
      • To gracefully shut down the instance by sending a shutdown command to the operating system, click Stop.

        If the Oracle Key Vault compute instance takes a long time to shut down, it could be improperly stopped, resulting in data corruption. To avoid this, shut down the instance using the commands available in the operating system before you stop the instance using the console.

      • To gracefully reboot the Oracle Key Vault compute instance by sending a shutdown command to the operating system, and then power the instance back on, click Reboot.

11.4.2 System Settings in an Oracle Key Vault Compute Instance

Most system settings in an Oracle Key Vault compute instance are the same as an on-premises deployment, with a few exceptions.

Settings for system features such as auditing, email, RESTful services, integration with Oracle Audit Vault and Database Firewall are the same in both on-premises and OCI deployments.

  • You can configure an Oracle Key Vault host name in either the OCI console or in the Oracle Key Vault management console. However, remember that if you set the IP address of the host in the OCI console, later on, you cannot change it in either the OCI console or the Oracle Key Vault management console.
  • Oracle Cloud Infrastructure provides NTP and DNS services. For NTP, enter just one IP address into the first of three fields in the NTP section of the Oracle Key Vault management console System Settings page: 169.254.169.254. For the DNS settings, consult with your network team because there are multiple options depending how DNS is configured in your subnet and tenancy.
  • The SSH tunnel settings are used when on-premises Oracle Key Vault clusters provide key management services to Oracle databases that are deployed in OCI. Do not establish an SSH tunnel in OCI-based Oracle Key Vault deployments.

11.4.3 Backup and Restore Operations for Oracle Key Vault Compute Instances

You can back up and restore Oracle Key Vault data between OCI environments and on-premises environments.

You can back up an Oracle Key Vault compute instance to an on-premises host, and that same backup can later be restored. Another on-premises Oracle Key Vault server can also serve as the backup location for a server that is being restored into an Oracle Key Vault compute instance.

Requirements are as follows:

  • If you are performing a backup or restore operation from Oracle Key Vault compute instances to an OCI compute instance, then persistent network connectivity to the OCI compute instance from Oracle Key Vault compute instance must exist.
  • If you want to perform a backup or restore operation between an Oracle Key Vault compute instance and an on-premises host, ensure that the VCN can span the on-premises hosts.

11.4.4 Terminating an Oracle Key Vault Compute Instance

You terminate an Oracle Key Vault compute instance from the OCI console.

When you terminate the compute instance, all data, including keys that protect endpoints, are permanently lost and cannot be recovered except from a backup. Even backups may not have the most recent keys. Terminating the instances can lead to loss of data for all endpoints. Exercise extreme caution before terminating an instance. Terminate the Oracle Key Vault compute instance only if you are sure that you have a copy of the keys in another, safe location or that you do not need them.

  1. Log in to the OCI console.
  2. Under Core Infrastructure, go to Compute, and then click Instances.
  3. Select the name of the Oracle Key Vault compute instance that you want to remove.
  4. Click Terminate, and then respond to the confirmation prompt.

Terminated instances temporarily remain in the list of instances with the status Terminated.

11.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI

You can migrate an Oracle Key Vault standalone, primary-standby or cluster deployment from an on-premises environment to OCI or back.

11.5.1 About Performing Migrations with Oracle Key Vault Compute Instance Data

You can transition an Oracle Key Vault deployment from on-premises to OCI, and from OCI back to on-premises.

You can quickly set up a production Oracle Key Vault deployment in OCI to address your immediate key management needs and then transition to an on-premises deployment. Alternatively, because Oracle Key Vault compute instances require little to no hardware and VM management overhead, you may want to transition your on-premises Oracle Key Vault deployment to OCI to eliminate that overhead.

You can use the Oracle Key Vault backup and restore features to migrate an Oracle Key Vault cluster from on-premises to OCI, and back. You can transition an on-premises Oracle Key Vault cluster deployment to OCI by adding Oracle Key Vault compute instances to the cluster and removing on-premises Oracle Key Vault nodes from the cluster. The cluster is fully transitioned to OCI when no on-premises Oracle Key Vault node is left in the cluster. Similarly, you can also transition an Oracle Key Vault cluster in OCI to on-premises.

11.5.2 Migrating Oracle Key Vault Deployments into OCI Using Backup and Restore

A user who has the System Administrator role can transition the Oracle Key Vault deployment from on-premises to OCI using backup and restore.

  1. Log in to the on-premises Oracle Key Vault server as a user who has the System Administrator role.
  2. Configure an OCI compute instance as the backup destination.
  3. Back up the on-premises Oracle Key Vault server to an OCI compute instance.
  4. Launch an Oracle Key Vault compute instance with same Oracle Key Vault version as the on-premises Oracle Key Vault server.
  5. Log in to the Oracle Key Vault compute instance as a user who has the System Administrator role.
  6. Restore the backup from the OCI compute instance to the newly installed Oracle Key Vault compute instance.
  7. To set up an Oracle Key Vault multi-master cluster, convert the restored Oracle Key Vault compute instance into the first (initial) node of the cluster.
  8. Configure additional Oracle Key Vault compute instances and add them to the cluster as needed.

11.5.3 Migrating Oracle Key Vault Deployments Out of OCI Using Backup and Restore

A user who has the System Administrator role can transition the Oracle Key Vault deployment from OCI to on-premises.

  1. Log in to the Oracle Key Vault compute instance as a user who has the System Administrator role.
  2. Back up the Oracle Key Vault compute instance to an on-premises system.
  3. Install a new Oracle Key Vault server on-premises with same Oracle Key Vault version as the Oracle Key Vault compute instance.
  4. Log in to the on-premises Oracle Key Vault server as a user who has the System Administrator role.
  5. Restore the backup from the on-premises backup destination to the newly installed on-premises Oracle Key Vault server.
  6. To set up an Oracle Key Vault multi-master cluster, convert the restored on-premises Oracle Key Vault server into the first (initial) node of the cluster.
  7. Configure additional Oracle Key Vault compute instances and add them to the cluster as needed.