1. Administrator's Guide
  2. Oracle Database Instances in Oracle Cloud Infrastructure

12 Oracle Database Instances in Oracle Cloud Infrastructure

Oracle Key Vault deployed on-premises can manage the TDE master encryption keys for Oracle Database instances running in Oracle Cloud Infrastructure (OCI).

12.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints

This type of Oracle Key Vault server deployment meets compliance standards for the management of encryption keys.

The Oracle Database instances running in Oracle Cloud Infrastructure (OCI) can be deployed on VMshape, bare metal, or Exadata. This type of deployment provides physical separation of keys from the encrypted data, and gives on-premises administrators control and visibility of how encryption keys are used to access encrypted data in the cloud. This also meets compliance requirements where encryption keys must be managed on-premises or separate from systems containing encrypted data.

Related Topics

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

Oracle Key Vault supports the use of Oracle database instances on Oracle Cloud Infrastructure (OCI).

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.2.1 About Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

To prepare an Oracle database instance on OCI to be an Oracle Key Vault endpoint, you must first configure the instance, and then create a low-privileged user.

Oracle databases on Oracle Cloud Infrastructure (OCI) provide fully functional Oracle database instances that use computing and storage resources provided by Oracle Compute Cloud Service. It eliminates the need to purchase, build, and manage silos of server and storage systems. It also makes database resources and capabilities available online so users can consume them whenever and wherever they are needed.

Parent topic: Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

12.2.2 Configuring a Database Cloud Service Instance

An Database as a Service (DBaaS) instance must have the correct network configuration.

You can find instructions for configuring a Database as a Service (DBaaS) instance in the Oracle Database Cloud Service (Database as a Service) documentation.

After you have configured the DBaaS instance, it should have the following default values:

  • A public IP address

  • Two users: oracle and opc (Oracle Public Cloud)

  • SSH access to the oracle and opc users

Parent topic: Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

12.2.3 Creating a Low Privileged Operating System User on Database as a Service

The low privileged user account, okv, will be responsible for configuring an SSH tunnel and communicating with the DBaaS instances.

By default, Database as a Service instances are provisioned with the oracle and opc users. These users have more privileges than necessary to create the SSH tunnel, so Oracle recommends that you create another low privileged operating system user named okv on the Database as a Service instance. Oracle Key Vault will use user okv to configure an SSH tunnel and communicate with the Database as a Service instances.
  1. Log in to the Oracle Cloud Infrastructure (OCI) instance using public key authentication (default for Oracle OCI) as user opc.
    $ ssh -i private_key_file opc@node_ip_address

    In this specification:

    • private_key_file is the path to your private key file (~/.ssh/id_rsa). This key is the counterpart to the public key that you uploaded when you provisioned the Oracle Cloud Infrastructure instance.
    • node_ip_address is the public IP address of the Database as a Service compute node in x.x.x.x format.
    If this is the first time you are connecting to the compute node, the SSH utility prompts you to confirm the public key.
  2. In response to the prompt asking you to confirm the public key, enter  yes.
  3. Create the Oracle Key Vault user.
    $ sudo adduser okv
  4. Append the Oracle Key Vault user okv to the AllowUsers parameter in the SSH sshd_config configuration file in the /etc/ssh/ directory.
    $ sudo vi /etc/ssh/sshd_config
  5. Add the following entry to the end of the file:
    AllowUsers oracle opc okv
  6. Restart the SSH daemon:
    $ sudo /sbin/service sshd restart
  7. Grant the Oracle Key Vault user okv permission to execute /sbin/fuser by following these steps:
    1. Change the file permission of the /etc/sudoers file.
      sudo chmod 740 /etc/sudoers
    2. Edit the /etc/sudoers file.
      sudo vi /etc/sudoers
    3. Add the following entry:
      okv     ALL=(root) NOPASSWD:/sbin/fuser
    4. Save the /etc/sudoers file. Change the file permission of the /etc/sudoers file.
      sudo chmod 440 /etc/sudoers
    5. The /etc/sudoers would look similar to the following:
      ## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL  
okv     ALL=(root) NOPASSWD:/sbin/fuser
  8. Become the okv user.
    $ su okv
  9. Create the authorized_keys file and then set appropriate permissions for this file. 
    $ cd $HOME
$ mkdir ./.ssh
$ chmod 700 ./.ssh
$ touch ./.ssh/authorized_keys
$ chmod 640 ./.ssh/authorized_keys
  10. Log in to the Oracle Key Vault instance as the support user, and switch from root, and then switch to oracle.
  11. Execute the following command to upload the Oracle Key Vault public key into the authorized_keys file in the Oracle Cloud Infrastructure that you just created. 
    ssh-copy-id ./.ssh/id_rsa.pub okv@node_ip_address
  12. Confirm that the oracle user in Oracle Key Vault can log in to the OCI instance without providing a password:
    $ ssh okv@node_ip_address

Parent topic: Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

12.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

An on-premises Oracle Key Vault communicates with an Oracle Cloud Database as a Service instance using a secure SSH tunnel.

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.3.1 Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance

You can create a connection between Oracle Key Vault and a Database as a Service (DBaaS) instance by configuring an SSH tunnel.

You can configure the SSH tunnel only after you set up the Database as a Service instance. You must have the Database as a Service instance's public IP address and the name of the operating system user that you want to use to establish the tunnel.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click System.

    The Status page appears.

  3. Select SSH Tunnel Settings from the left side bar.

    The SSH Tunnel Settings page appears.

    Description of screenshot-11.3-step-3.png follows
    Description of the illustration screenshot-11.3-step-3.png

  4. Click Add.
  5. Copy the text in SSH Public Key field and save it.
    Remember that this is the public key that was copied into the OCI instance for user okv and was uploaded when you created a low privileged operating system user the Database as a Service instance. You will need to transport it to the Database as a Service instance and add it to the authorized_keys file of the Database as a Service user okv at /home/okv/.ssh/authorized_keys.
  6. In the Remote Host Details page, enter information in the following fields:

    • Tunnel Name: Choose a descriptive name that identifies the tunnel, based on the Database as a Service instance to be associated with it.

    • IP Address: Enter the public IP address of the Database as a Service instance.

    • Port: Enter a port number if you want to use a particular port number, or use the displayed default.

    • Username: Enter okv for the user name.

    You can complete these fields only after you set up the Database as a Service instance and obtained the public IP address and user name.

  7. Click Add.

    The SSH Tunnel Settings page appears. It displays the SSH tunnel that you just created and any pre-existing SSH tunnels.

    Description of screenshot-11.3-step-7.png follows
    Description of the illustration screenshot-11.3-step-7.png

    It lists the tunnels created with the name, IP address, port, and registration time of each.

  8. Click a tunnel name to see the SSH Tunnel Details page.
  9. To delete a tunnel, check the box by the tunnel that you want to delete and then click Delete.

    You can delete more than one tunnel by selecting multiple boxes.

    Description of screenshot-11.3-step-9.png follows
    Description of the illustration screenshot-11.3-step-9.png

  10. Click Disable to disable the tunnel.

    When you disable the tunnel, the endpoints that are associated with this tunnel will no longer be able to communicate with Oracle Key Vault.

    Description of screenshot-11.3-step-10.png follows
    Description of the illustration screenshot-11.3-step-10.png

  11. In the confirmation dialog box, click Yes.
    The Disable button is replaced by an Enable button.

Related Topics

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.2 Managing a Reverse SSH Tunnel in a Multi-Master Cluster

You can reverse an SSH tunnel in a multi-master cluster from more than one node to the cloud-based endpoint for redundancy.

Oracle recommends that you configure three tunnels. Ideally, the cloud-based reverse SSH tunnels should be from different read-write pairs. Multiple SSH tunnels to the same endpoint are distinguished by the port number used. Oracle Key Vault suggests unique port numbers based on node ID. If you want to specify different port numbers, make port numbers for SSH tunnels from different nodes to the same endpoint unique.

In a multi-master cluster, multiple SSH tunnels are created from multiple nodes to the same endpoint. However, when you register and enroll endpoints, you will only see the tunnel from that node.

Be aware of the following:

  • You should register and enroll the endpoint where there is a SSH tunnel created to that endpoint.
  • You only see the tunnel from that node to endpoint in the following places:
    • During the registration, the option to select the SSH tunnel.
    • After registration, when you view endpoint details, only that tunnel is displayed.
    • When you submit the enrollment token and download the endpoint software, only that tunnel is displayed. However, the endpoint software downloaded has information about all tunnels to the endpoint. This means that the endpoint is able to use all the tunnels that were created before the endpoint is created.

All nodes which have an SSH tunnel created display their tunnel to the endpoint on the Endpoint Details page. They also list all tunnels that were created from that node on the SSH Tunnels page in the Oracle Key Vault management console.

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.3 Managing a Reverse SSH Tunnel in a Primary-Standby Configuration

A reverse SSH tunnel in a primary-standby configuration is similar to a reverse SSH tunnel on a standalone Oracle Key Vault server.

The SSH key of the primary and standby servers are the same after pairing. Tunnels created on an Oracle Key Vault server before primary-standby pairing as well as tunnels created on the primary after the primary-standby pairing are valid after primary-standby operations such as switchover, and failover, although the tunnels may be unavailable during the execution of these operations.

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.4 Viewing SSH Tunnel Configuration Details

The Oracle Key Vault management console provides information about SSH tunnels that have been configured for Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click System.

    The Status page appears.

  3. Select SSH Tunnel Settings from the left side bar.

    The SSH Tunnel Settings page appears.

    Description of screenshot-11.3-step-3.png follows
    Description of the illustration screenshot-11.3-step-3.png

  4. Click a tunnel name to see the SSH Tunnel Details page.

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.5 Disabling an SSH Tunnel Connection

You can use the Oracle Key Vault management console to disable the Oracle Key Vault and Database as a Service instance connection.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click System.

    The Status page appears.

  3. Select SSH Tunnel Settings from the left side bar.

    The SSH Tunnel Settings page appears.

    Description of screenshot-11.3-step-3.png follows
    Description of the illustration screenshot-11.3-step-3.png

  4. Click a tunnel name to see the SSH Tunnel Details page.
  5. Click Disable to disable the tunnel.

    When you disable the tunnel, the endpoints that are associated with this tunnel will no longer be able to communicate with Oracle Key Vault.

    Description of screenshot-11.3-step-10.png follows
    Description of the illustration screenshot-11.3-step-10.png

  6. In the confirmation dialog box, click Yes.
    The Disable button is replaced by an Enable button.

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.6 How the Connection Works if the SSH Tunnel Is Not Active

The SSH tunnel is kept alive even if there is no activity between Oracle Key Vault and the Database as a Service instance.

If the tunnel stops, then it is automatically restarted. An alert will be sent if the tunnel is not available for any reason. An administrative user may elect to receive these alerts by email by configuring SMTP settings on Oracle Key Vault.

Related Topics

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.3.7 Deleting an SSH Tunnel Configuration

You can use the Oracle Key Vault management console to delete the connection between Key Vault and a Database as a Service instance.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click System.

    The Status page appears.

  3. Select SSH Tunnel Settings from the left side bar.

    The SSH Tunnel Settings page appears.

    Description of screenshot-11.3-step-3.png follows
    Description of the illustration screenshot-11.3-step-3.png

  4. To delete a tunnel, check the box by the tunnel that you want to delete and then click Delete.

    You can delete more than one tunnel by selecting multiple boxes.

    Description of screenshot-11.3-step-9.png follows
    Description of the illustration screenshot-11.3-step-9.png

Parent topic: Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

12.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

You can use the command line and the Oracle Key Vault management console to complete this task.

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.4.1 About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

You must enroll the Oracle Database as a Service instance before it can communicate with an Oracle Key Vault server.

The enrollment of Database as a Service endpoints is similar to the enrollment of on-premises endpoints with the following exceptions:

  • Database as a Service endpoints should be registered with an endpoint type of “Oracle Database Cloud Service".

  • Database as a Service endpoints have a primary tunnel IP associated with them. You must select the SSH tunnel with the same public IP address of the Database as a Service instance.

  • The platform must be Linux. This is automatically selected and cannot be modified.

  • You must download the jar file on-premises and transfer it to the Database as a Service instance using an out-of-band method like SCP or FTP.

Parent topic: Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

12.4.2 Step 1: Register the Endpoint in the Oracle Key Vault Management Console

The endpoint registration process downloads an okvclient.jar file, which contains the Oracle Key Vault software that the endpoint needs, to the local system.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the Endpoints tab.
    The Endpoints page appears.
  3. Click Add.
  4. Enter the following endpoint details:
    • Endpoint Name: Enter a unique name for the endpoint.
    • Make Unique: If you are using a multi-master cluster, then choose whether to select the Make Unique checkbox. Make Unique helps to control naming conflicts with user names across the multi-master cluster environment.
      • If you select Make Unique, then the enspoing will be active immediately for Oracle Key Vault operations.
      • If you do not select Make Unique, then the user account will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the endpoint name to a name that is unique across the clusters. If there is a naming collision, then you must recreate the user with a unique name. An endpoint in the PENDING state cannot be used in any Oracle Key Vault operations.
    • Type: Select Oracle Database Cloud Service.
    • Platform: Linux is automatically selected.
    • Description: Enter a meaningful description to identify the endpoint.
    • Administrator Email Optionally, enter the email address of an administrator who should receive endpoint-related alerts.
  5. Click Register.
    After a short delay the Endpoints page displays the new endpoint in the Registered state with an Enrollment Token.
  6. Click Endpoint Name. The Endpoint Details page appears.
    Associate a default wallet with the registered endpoint now before enrolling the endpoint.
  7. Copy the Enrollment Token.
    You will need it to download the endpoint software and then enroll the endpoint (next step).
  8. Log out of Oracle Key Vault and open a new session.
    The login page appears. Do not log in.
  9. Click Endpoint Enrollment and Software Download immediately below Login.

    The Enroll Endpoint & Download Software page appears.

    Description of dbcs-enroll-endpoint-and-download-software-screenshot.png follows
    Description of the illustration dbcs-enroll-endpoint-and-download-software-screenshot.png

    The fields are populated with the values that were chosen by the Oracle Key Vault system administrator while registering the endpoint. You can change these values while completing the enrollment of the endpoint. Note that you must select the Primary SSH Tunnel for Database as a Service endpoints from the drop down list. This is the only difference in the enrollment process from on-premises endpoints.

  10. In the Enrollment Token field, enter the name of the endpoint token and then click Submit Token to validate the token.
  11. Click Enroll to download the okvclient.jar file to your local system.
  12. Move the okvclient.jar file to a secure directory on the Cloud Database as a Service instance with appropriate permissions in place so it cannot be read or copied by others. 
    $ scp -i path_to_private_key-file path_to_okvclient.jar_on_local_computer oracle@node_ip_address:path_to_okvclient.jar_on_cloud_db_instance

    In this specification:

    • path_to_okvclient.jar_on_local_computer refers to the location of okvclient.jar on an on-premises local computer.
    • path_to_okvclient.jar_on_cloud_db_instance refers to the location of okvclient.jar on the oracle cloud database as a service instance.

Related Topics

Parent topic: Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

12.4.3 Step 2: Prepare the Endpoint Environment

The endpoint must have a compatible version of the Java Development Toolkit (JDK) and the Oracle Database environment variables must be set.

  1. Ensure that you have the necessary administrative privileges to install software on the endpoint.
  2. Ensure that you have JDK 1.5 or later installed, and that the PATH environment variable includes the java executable (in the JAVA_HOME/bin directory).
    Oracle Key Vault supports JDK versions 1.5, 1.6, 7, and 8.
  3. Run the shell utility oraenv or source oraenv command to set the correct environment variables on Oracle Database servers.
  4. Check that the environment variables ORACLE_BASE and ORACLE_HOME are correctly set.
    If you used oraenv to set these variables, then you must verify that ORACLE_BASE points to the root directory for Oracle Databases, and that ORACLE_HOME points to a sub-directory under ORACLE_BASE where an Oracle database is installed.

Parent topic: Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

12.4.4 Step 3: Install the Oracle Key Vault Software onto the Endpoint

To install the Oracle Key Vault software installation, you run the okvclient.jar file on the endpoint.

  1. Ensure that you are logged in to the endpoint server as the endpoint administrator.
  2. Navigate to the directory in which you saved the okvclient.jar file.
  3. Confirm that the target directory exists, and that it is empty.
  4. Run the java command to install the okvclient.jar file.
    java -jar okvclient.jar -d /home/oracle/okvutil -v

    In this specification:

    • -d specifies the directory location for the endpoint software and configuration files, in this case /home/oracle/okvutil.

    • -v writes the installation logs to the /home/oracle/okvutil/log/okvutil.deploy.log file at the server endpoint.

    -o is an optional argument that enables you to overwrite the symbolic link reference to okvclient.ora when okvclient.jar is deployed in a directory other than the original directory. This argument is used only when you re-enroll an endpoint.

    If you are installing the okvclient.jar file on a Windows endpoint system that has Oracle Database release 11.2.0.4 only, then include the -db112 option. (This option is not necessary for any other combination of endpoint platform or Oracle Database version.) For example: 

    java -jar okvclient.jar -d /home/oracle/okvutil -v -db112
  5. When you are prompted for a password, then perform either of the following two steps.
    The optional password goes into two places: okvutil and in ADMINISTER KEY MANAGEMENT. With okvutil, only users who know that password can upload or download content to and from Oracle Key Vault. With ADMINISTER KEY MANAGEMENT, it becomes the password that you must use in the IDENTIFIED BY password clause. If you choose not to give a password, then okvutil upload and download commands will not prompt for a password, and the password for ADMINISTER KEY MANAGEMENT becomes NULL.NULL is used for an auto-login wallet.
    The choices for handling the password are as follows:
    • If you want to create a password-protected wallet, at minimum enter a password between 8 and 30 characters and then press Enter. For better security, Oracle recommends that you include uppercase letters, lowercase characters, special characters, and numbers in the password. The following special characters are allowed: (.), comma (,), underscore (_), plus sign (+), colon (:), space.
      Enter new Key Vault endpoint password (<enter> for auto-login): Key_Vault_endpoint_password
Confirm new endpoint password: Key_Vault_endpoint_password

      A password-protected wallet is an Oracle wallet file that store the endpoint's credentials to access Oracle Key Vault. This password will be required whenever the endpoint connects to Oracle Key Vault.

    • Alternatively, enter no password and then press Enter.

      No password will be required when the endpoint connects to Oracle Key Vault with okvutil. With the ADMINISTER KEY MANAGEMENT statement, the password becomes NULL.

    A successful installation of the endpoint software creates the following directories:

    • bin: contains the okvutil program, the root.sh and root.bat scripts, and the binary files okveps.x64 and okveps.x86

    • conf: contains the configuration file okvclient.ora

    • jlib: contains the Java library files

    • lib: contains the file liborapkcs.so

    • log: contains the log files

    • ssl: contains the TLS-related files and wallet files. The wallet files contain the endpoint credentials to connect to Oracle Key Vault.

      The ewallet.p12 file refers to a password-protected wallet. The cwallet.sso file refers to an auto-login wallet.

Parent topic: Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

12.4.5 Step 4: Perform Post-Installation Tasks

Post-installation tasks are important for a fully functioning Oracle Key Vault installation.

After you complete the installation, you can optionally configure a TDE connection for the endpoint, check the installation contents, and then delete the okvclient.jar file.
  1. Optionally, configure a TDE connection for the endpoint.
    On UNIX platforms, the liborapkcs.so file contains the library that the Oracle database uses to communicate with Oracle Key Vault. On Windows platforms, the liborapkcs.dll file contains the library that the Oracle database uses to communicate with Oracle Key Vault.
    • On Oracle Linux x86-64, Solaris, AIX, and HP-UX (IA) installations: Log in as the root and then execute either of the following commands: 
      $ sudo bin/root.sh

      Or:

      $ su -
# bin/root.sh

      This command creates the directory tree /opt/oracle/extapi/64/hsm/oracle/1.0.0, changes ownership and permissions, then copies the PKCS#11 library into this directory.

    • On Windows installations: Run the following command:
      bin\root.bat

      This command copies the liborapkcs.dll file to the C:\oracle\extapi\64\hsm\oracle\1.0.0 directory.

  2. Use a command such as namei or ls -l to confirm that a softlink was created in $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora to point to the real file in the /conf subdirectory of the installation target directory.
    If the ORACLE_BASE environment variable has not been set, then the softlink was created in $ORACLE_HOME/okv/$ORACLE_SID.
  3. Run the okvutil list command to verify that the endpoint software installed correctly, and that the endpoint can connect to the Oracle Key Vault server. 
    $ ./okvutil list
    If the endpoint is able to connect to Key Vault, then the No objects found message appears. If a Server connect failed message appears, then you must troubleshoot the installation for possible issues. Check that environment variables are correctly set. To get help on the endpoint software, execute the following command: 
    java -jar okvclient.jar -h

    Output similar to the following appears:

    Production on Fri Apr 12 15:03:01 PDT 2019
Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
Usage:
  java -jar okvclient.jar [-h | -help] [[-v | -verbose] [-d <destination directory>] [-o]]

Options:
  -h or -help : Display command help.
  -v or -verbose : Turn on the verbose mode. Logs will be written to files under
                   <destination directory>/log/ directory.
  -d <destination directory> : Specify the software installation directory.
  -o : Overwrite the current symbolic link to okvclient.ora.
  4. After you complete the installation, securely delete the okvclient.jar endpoint software file.

Parent topic: Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

12.5 Suspending Database Cloud Service Access to Oracle Key Vault

You can suspend one or more enrolled Database as a Service endpoints from access to Oracle Key Vault.

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.5.1 About Suspending Database Cloud Service Access to Oracle Key Vault

When the DBaaS service is suspended, the Oracle Key Vault Server rejects all requests from the suspended endpoints.

When you use an on-premises Oracle Key Vault to manage the online master keys for Database as a Service endpoints, the master encryption keys are never stored persistently in Oracle Cloud. This way, the on-premises Oracle Key Vault administrator can control access to the encrypted data in the cloud.

An on-premises Oracle Key Vault administrator can suspend Database as a Service endpoints with a single click. This means that the Oracle Key Vault Server rejects all requests from the suspended endpoints. Because the endpoint cannot request keys from the Oracle Key Vault server, its ability to access encrypted data is lost after the key cached in memory times out. For Oracle Database Cloud Service endpoints, this time out is 5 minutes by default.

The on-premises Oracle Key Vault administrator can resume a suspended endpoint. This means that the Oracle Key Vault server can start servicing requests from the reinstated endpoint. The reinstated endpoint can now retrieve keys from the Oracle Key Vault server and access sensitive data.

In a multi-master cluster, when a node is being enabled or disabled, the information may not yet have reached all nodes in the cluster. If an endpoint attempts to contact a node whose information has not yet propagated throughout the cluster, an error may be returned.

Caution:

The suspend operation is a disruptive operation as it results in operational discontinuity. Therefore, you should use it with care. Usually, you should suspend the database only if there is a strong indication of abnormal activity in the Database as a Service instance.

You can only suspend enrolled endpoints. You cannot suspend endpoints that are in the Registered state. If you try to suspend endpoints that are already suspended, no operation will be performed. The endpoints will continue to be in suspended state.

Parent topic: Suspending Database Cloud Service Access to Oracle Key Vault

12.5.2 Suspending Access for a Database Cloud Service to Oracle Key Vault

After you suspend the Database as a Service access to Oracle Key Vault, you can resume the access when needed.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click Endpoints.
    The Endpoints page appears.
  3. Check the boxes by the endpoints that you want to suspend.
  4. Click Suspend.
  5. In the confirmation dialog box, click Yes.
  6. Click Endpoints to see the suspended endpoints.

    The status of suspended endpoints are highlighted in red.

    Description of dbcs-suspended-endpoints-screenshot.png follows
    Description of the illustration dbcs-suspended-endpoints-screenshot.png

Parent topic: Suspending Database Cloud Service Access to Oracle Key Vault

12.6 Resuming Database Cloud Service Access to Oracle Key Vault

You can reinstate the connection between suspended Database Cloud Service endpoints and Oracle Key Vault.

When you resume these endpoints, their status will change to Enrolled. Resuming enrolled endpoints does not change their enrolled status.
  1. Click Endpoints.

    The Endpoints page appears. The suspended endpoints have status Suspended in red.

  2. Check the boxes by the endpoints you wish to resume.
  3. Click Resume.
  4. In the confirmation dialog box, click Yes.
  5. Click Endpoints to see the re-enrolled endpoints. Their status is Enrolled.

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure

12.7 Resuming a Database Endpoint Configured with a Password-Based Keystore

Depending on the configuration, a Database as a Service endpoint can resume either automatically or must be manually resumed.

A Database as a Service endpoint that is configured with auto-login keystore support will begin operations as soon as one of the nodes configured with reverse SSH access restores connectivity to the DBCS endpoint. On the other hand, the Database as a Service endpoint configured with password keystore will not resume operations after the endpoint is resumed on the Oracle Key Vault server. The keystore on the Database as a Service instance was closed because Oracle Key Vault suspended the endpoint. You should open the password-based keystore on the Database as a Service instance to resume operations.

Parent topic: Oracle Database Instances in Oracle Cloud Infrastructure