8 Managing Oracle Key Vault Virtual Wallets and Security Objects

You can create a virtual wallet to store security objects, and then share this wallet with trusted peers at different access levels.

8.1 Managing Virtual Wallets

A virtual wallet is a container for security objects that you can create and then grant access to users.

8.1.1 About Virtual Wallets

A virtual wallet is a container for security objects.

These security objects can be public and private encryption keys, including Transparent Data Encryption (TDE) keystores, Oracle wallets, Java keystores, certificates, secret data, and credential files. You can use a virtual wallet to group security objects for sharing with multiple users who need them to access encrypted data.

Any user can create a virtual wallet. After you create a virtual wallet, you can add keys and other security objects to the wallet. You can then grant other users, endpoints, user groups, and endpoint groups access to the virtual wallet at various levels of access. You can modify a virtual wallet and its wallet contents at any time. You can also modify virtual wallet user lists and their respective access level.

Other than the Key Administrator, who has implicit access to every virtual wallet, users must be granted access to a virtual wallet explicitly. The Read and Modify access level together with the Manage Wallet permission is required to add objects to and remove objects from the wallet, and to grant or modify wallet access for other users and groups.

8.1.2 Creating a Virtual Wallet

You can create a virtual wallet and add security objects to it at the same time.

However, you can also create an empty virtual wallet, and add security objects to it later. You can modify access mappings on a virtual wallet at any time.
  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. Click Create.
  4. Enter a name for the wallet in the Name field and an identifying description in Description.
    Virtual wallet names are case-sensitive. For example, wallet1 and Wallet1 are two different wallets. Oracle recommends that you add a user-friendly description to the wallet to identify it easily.
  5. If you are using a multi-master cluster, then choose whether to select the Make Unique checkbox.

    Make Unique helps to control naming conflicts with virtual wallet names across the multi-master cluster environment. Virtual wallets that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.

    • If you select Make Unique, then the virtual wallet will be active immediately and this wallet can be used in operations.
    • If you do not select Make Unique, then the wallet will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the wallet to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The wallet will then be renamed to a unique name. You will need to go to a read-write node of the cluster and either accept the renamed wallet name or change the wallet name. If you change the wallet name, then this will restart the name resolution operation and the wallet will return to a PENDING state. A wallet in the PENDING state cannot be used to perform most operations.
  6. In the Add Wallet Contents pane, check the boxes by the names of the listed security objects that you want to add to the wallet.
    The Add Wallet Contents pane lists the security objects you have Read and Modify access to. If the list is empty, then you have no access to the security objects already in Oracle Key Vault. In this case, you would add security objects to the wallet after you upload them to Oracle Key Vault.
  7. Click Save to create the new wallet with any associated security objects.

    A Wallet created successfully message appears. The Wallets page appears and displays the new wallet in the list.

    To see the contents of the wallet, click the wallet name, as the following figure shows.



8.1.3 Adding Security Objects to a Virtual Wallet

You can add new security objects to a virtual wallet at any time as needed.

In a multi-master cluster, you cannot add security objects to a virtual wallet when it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.
    The Wallets page appears.
  3. From the Wallets page, click the pencil icon in the Details column corresponding to the wallet you want to work with.
    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.
  4. Click Add Items.
    The Add Wallet Contents page appears.
  5. Check the boxes by the security objects that you want to add to the wallet.
  6. Click Save.
    A confirmation message appears, then the Wallet Overview page appears. Wallet Contents lists the new security objects added.

8.1.4 Removing Security Objects from a Virtual Wallet

You can remove security objects from virtual wallets at any time as needed.

In a multi-master cluster, you can remove security objects from a virtual wallet when it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.
    The Wallets page appears.
  3. From the Wallets page, click the pencil icon in the Details column corresponding to the wallet you want to work with.
    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.
  4. Check the boxes by the security objects you want to remove from the wallet.
  5. Click Remove Items.
    The Wallet Contents pane in the Wallet Overview page displays the revised list.

8.1.5 Deleting a Virtual Wallet

Deleting a virtual wallet removes the wallet as a container, but does not delete the security objects that were contained in it.

These security objects remain in Oracle Key Vault. Endpoints that have downloaded this virtual wallet retain their local copy of it, so deleting the wallet does not revoke access to keys that endpoints already hold. In a multi-master cluster, you can delete a virtual wallet while it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.

    The Wallets page appears.

  3. Check the boxes next to the name of the wallet that you want to delete from the Wallets table.
    You can delete more than one virtual wallet at the same time.
  4. Click Delete.
  5. Click OK to confirm.
  6. Select the Keys & Wallets tab to see the updated list of wallets in the Wallets page.

8.2 Managing Access to Virtual Wallets from Keys and Wallets Tab

You can grant virtual wallet access to, and revoke it from, users, endpoints, and their groups by using the Keys & Wallets tab.

8.2.1 About Managing Access to Virtual Wallets from Keys and Wallets Tab

Access control determines which users and endpoints share virtual wallets and security objects, and what operations they can perform on those virtual wallets.

You must have access to a virtual wallet or be a key administrator to manage access control for users, endpoints, and their respective groups.

To manage access to virtual wallets, use the Keys & Wallets tab: select the wallet, and then grant an endpoint, endpoint group, user, or user group access to it.

8.2.2 Granting Access to Users, User Groups, Endpoints, and Endpoint Groups

You can grant the Read Only, Read and Modify, and Manage Wallet access levels to users, user groups, endpoints, and endpoint groups.

After they have access to the wallet, they will have access to all the security objects in the wallet. In a multi-master cluster, you cannot grant access to endpoints, endpoint groups, users, or user groups while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab.
    The Wallets page appears.
  3. Click the pencil icon in the Details column corresponding to the wallet to which you want to grant access.
    The Wallet Overview page appears.
  4. In the Wallet Access Settings pane, click Add.
    The Add Access to Wallet page appears.


  5. Select the type of entity to which you want to grant access from the Select Endpoint/User Group drop-down list next to Type.
    Possible values for Type are Endpoint Groups, Endpoints, User Groups, and Users.

    The type you select determines the list that is displayed. For example, if you select Endpoint Groups as the Type, then the list of Oracle Key Vault endpoint groups is displayed under the heading Endpoint Groups. If you select Users, then the list of Oracle Key Vault users is displayed under the heading Users.

  6. Select the radio button in the Name table corresponding to the entity you want to grant access.
  7. Select one of Read Only or Read and Modify in the Select Access Level pane.
  8. Check the box to Manage Wallet if needed.
  9. Click Save.
    The Wallet Access Settings pane displays the new entity.

8.2.3 Modifying Access to Users, User Groups, Endpoints, and Endpoint Groups

You can modify access settings on a virtual wallet for users, user groups, endpoints, and endpoint groups from the Keys & Wallets tab.

In a multi-master cluster, you cannot modify access to endpoints, endpoint groups, users, or user groups while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, and then select Wallets from the left sidebar.
    The Wallets page appears.
  3. Click the pencil icon in the Details column corresponding to the wallet name.
    The Wallet Overview page appears, with Wallet Access Settings listing the entities that have access to the wallet and their access levels.
  4. In Wallet Access Settings, click the pencil icon corresponding to the entity under Subject Name.
    A Modify Access window appears. Wallet Access Settings lists all the entities that have access to this wallet under Subject Name, and can include users, endpoints, user groups, and endpoint groups.
  5. Select the access settings that you want to modify, then click Save.
    A message appears: Successfully updated. The Wallet Overview page appears and Wallet Access Settings displays the new access mapping for the entity.
  6. Click Save in the Wallet Overview page.

8.3 Managing Access to Virtual Wallets from User’s Menu

To manage access control on virtual wallets for users, endpoints, and their respective groups, you can use the Users menu or Endpoints menu.

8.3.1 Granting a User Access to a Virtual Wallet

You can grant access to a virtual wallet by using the Users tab.

In a multi-master cluster, you cannot grant a user access to a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab.
    The Manage Users page appears.
  3. Click the user's name in the User Name column.
    The User Details page appears.
  4. In the Access to Wallets pane, click Add.
    The Add Access to User page appears.
  5. Select a virtual wallet from the available list.
  6. In the Select Access Level pane select the desired access levels.
  7. Click Save.
    A message appears: Access mapping successfully added. You can check Access to Wallets in User Details for the user to see the wallet added.


8.3.2 Revoking User Access from a Virtual Wallet

You can revoke access to a virtual wallet for a user by using the Users tab.

In a multi-master cluster, you cannot revoke user access from a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab.
    The Manage Users page appears.
  3. Click the user's name under User Name.
    The User Details page appears.
  4. In Access to Wallets, check the box by the virtual wallet that you want to revoke access to.
  5. Click Remove.
    A confirmation dialog box appears.
  6. Click OK.
    A message appears: Access mapping(s) deleted successfully. You can check Access to Wallets in User Details for the user to see the wallet deleted.

8.3.3 Granting a User Group Access to a Virtual Wallet

You can grant user group access to a virtual wallet by using the Users tab.

When you grant a user group access to a virtual wallet all members of the group will have access to the security objects within the wallet. In a multi-master cluster, you cannot grant a user group access to a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access in the left sidebar.
    The User Groups page appears.
  3. Click the pencil icon in the Details column corresponding to the user group.
    The User Group Details page appears.
  4. Click Add in the Access to Wallets pane.
    The Add Access to User Group page appears.
  5. Select a virtual wallet from the available list.
  6. In the Select Access Level pane, select the desired access levels.
  7. Click Save.
    A message appears: Access mapping successfully added. You can check Access to Wallets in User Group Details to see the wallet added.

8.3.4 Revoking User Group Access from a Virtual Wallet

You can remove user group access to a virtual wallet by using the Users tab.

In a multi-master cluster environment, you cannot revoke user group access from a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access in the left sidebar.
    The User Groups page appears.
  3. Click the pencil icon in the Details column corresponding to the user group.
    The User Group Details page appears.
  4. In the Access to Wallets pane, check the box by the virtual wallet you want to revoke access to.
  5. Click Remove.
  6. Click OK to confirm.
    A message appears: Access mapping(s) deleted successfully. You can check Access to Wallets in User Groups to see the wallet removed from the list.
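The access rules spread over sections 8.1 through 8.3 and 8.5.1 (explicit grants, access inherited through group membership, the Key Administrator's implicit access, Audit Manager view-only, no visibility for the System Administrator, Manage Wallet required for item and access changes, operations refused while a clustered wallet is PENDING, and wallet deletion leaving the objects in the vault) can be checked mechanically. The following Python is an added example written for this page; it is not Oracle Key Vault code and calls no Oracle API. The class, function and principal names (Vault, Wallet, can, hr_wallet, psmith) are hypothetical, and it assumes that a principal holds one role and that its effective access is the most permissive of its direct grant and its groups' grants.

```python
"""Added example (not Oracle Key Vault code): a model of the virtual wallet
access rules in sections 8.1 to 8.3 and 8.5.1. Names are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    NONE = "none"
    KEY_ADMIN = "Key Administrator"
    AUDIT_MANAGER = "Audit Manager"
    SYSTEM_ADMIN = "System Administrator"


class Access(Enum):
    NONE = 0
    READ_ONLY = 1
    READ_AND_MODIFY = 2


class Op(Enum):
    VIEW = "view objects"
    ADD_ITEM = "add item"
    REMOVE_ITEM = "remove item"
    GRANT_ACCESS = "grant or modify access"
    DELETE_WALLET = "delete wallet"


# 8.1.3, 8.2.2, 8.2.3, 8.3.x: refused while a clustered wallet is PENDING
BLOCKED_WHEN_PENDING = {Op.ADD_ITEM, Op.GRANT_ACCESS}


@dataclass(frozen=True)
class Grant:
    level: Access
    manage_wallet: bool = False


@dataclass
class Wallet:
    name: str                                   # case-sensitive (8.1.2)
    pending: bool = False                       # cluster name resolution in progress
    objects: set = field(default_factory=set)   # identifiers of contained objects
    grants: dict = field(default_factory=dict)  # subject name -> Grant


@dataclass(frozen=True)
class Principal:
    name: str
    role: Role = Role.NONE
    groups: tuple = ()          # user groups or endpoint groups the principal belongs to


@dataclass
class Vault:
    objects: set = field(default_factory=set)    # every security object in the vault
    wallets: dict = field(default_factory=dict)  # wallet name -> Wallet

    def create_wallet(self, name, make_unique=True, clustered=False, contents=()):
        # 8.1.2: without Make Unique, a wallet created in a cluster starts PENDING
        w = Wallet(name, pending=clustered and not make_unique, objects=set(contents))
        self.objects |= w.objects
        self.wallets[name] = w
        return w

    def delete_wallet(self, name):
        """8.1.5: removes only the container; returns the objects still in the vault."""
        w = self.wallets.pop(name)
        return w.objects & self.objects


def effective_grant(wallet, principal):
    """Most permissive grant reaching the principal directly or via a group (8.3.3)."""
    best = Grant(Access.NONE)
    for subject in (principal.name, *principal.groups):
        g = wallet.grants.get(subject)
        if g is not None:
            level = max(best.level, g.level, key=lambda a: a.value)
            best = Grant(level, best.manage_wallet or g.manage_wallet)
    return best


def can(wallet, principal, op):
    """Decide whether principal may perform op on wallet under the page's rules."""
    if wallet.pending and op in BLOCKED_WHEN_PENDING:
        return False
    if principal.role is Role.SYSTEM_ADMIN:
        return False                  # 8.5.1: cannot even view security objects
    if principal.role is Role.AUDIT_MANAGER:
        return op is Op.VIEW          # 8.5.1: view only
    if principal.role is Role.KEY_ADMIN:
        return True                   # 8.1.1: no explicit grant needed
    g = effective_grant(wallet, principal)
    if op is Op.VIEW:
        return g.level is not Access.NONE
    return g.manage_wallet            # 8.1.3 to 8.1.5, 8.2.2: needs Manage Wallet


def demo():
    """Constructed scenario (hypothetical wallet, users and groups)."""
    vault = Vault()
    hr = vault.create_wallet("hr_wallet", contents={"TDE-key-1", "cert-1"})
    hr.grants["hr_admins"] = Grant(Access.READ_AND_MODIFY, manage_wallet=True)
    hr.grants["jdoe"] = Grant(Access.READ_ONLY)
    pending = vault.create_wallet("wallet1", make_unique=False, clustered=True)
    vault.create_wallet("Wallet1")    # distinct from wallet1: names are case-sensitive
    psmith = Principal("psmith", groups=("hr_admins",))
    return {
        "psmith_add": can(hr, psmith, Op.ADD_ITEM),
        "jdoe_view": can(hr, Principal("jdoe"), Op.VIEW),
        "jdoe_add": can(hr, Principal("jdoe"), Op.ADD_ITEM),
        "auditor_view": can(hr, Principal("a", Role.AUDIT_MANAGER), Op.VIEW),
        "auditor_grant": can(hr, Principal("a", Role.AUDIT_MANAGER), Op.GRANT_ACCESS),
        "sysadmin_view": can(hr, Principal("s", Role.SYSTEM_ADMIN), Op.VIEW),
        "keyadmin_add_pending": can(pending, Principal("k", Role.KEY_ADMIN), Op.ADD_ITEM),
        "keyadmin_add": can(hr, Principal("k", Role.KEY_ADMIN), Op.ADD_ITEM),
        "wallet_count": len(vault.wallets),
        "survivors": sorted(vault.delete_wallet("hr_wallet")),
        "still_in_vault": "TDE-key-1" in vault.objects,
    }
```

The point of the model is the shape of the decision: role checks come first, then the effective grant, and the Manage Wallet flag (not the Read and Modify level alone) gates every change to contents or access. Deleting a wallet returns the objects it held, which remain in the vault; any endpoint that already downloaded the wallet keeps its copy, so revoking a key really requires revoking or destroying the key, not just its container.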

8.4 Managing the State of a Key or a Security Object

You can set the date to activate or deactivate keys or security objects, and change the state of some virtual wallet security objects.

8.4.1 About Managing the State of a Key or a Security Object

You can control the dates when a key or a security object is active, that is, when it can be used.

You can also revoke and destroy keys and security objects. Be aware that in a multi-master cluster, replication lag affects when the activation or deactivation of a key or security object takes effect on different nodes, and that naming conflicts can arise.

8.4.2 How a Multi-Master Cluster Affects Keys and Security Objects

Keys that you create on one node of a multi-master cluster will take some time to appear on other nodes in the cluster.

The time is defined by the replication lag between nodes. The replication lag value is displayed on the Cluster Link State pane of the Monitoring page, which can be accessed by choosing the Cluster tab.

If you add a Transparent Data Encryption (TDE) master encryption key to two different keystores on two different nodes, then it will be shown in both keystores.

Adjusting the activation date, deactivation date, process start date, and protect stop date has restrictions. If you set one of these dates to a time very close to the current time, then because of replication lag the resulting state change can take effect on other nodes later than it does on the node where you made the change, so for a short period the object can be in different states on different nodes.

As with the creation of any object in a multi-master cluster, a security object can have a name conflict with an object created on a different node. If there is a conflict, then Oracle Key Vault will suggest a unique name or allow you to rename it.

8.4.3 Activating a Key or Security Object

Keys can be in the Active or Pre-Active state.

Most keys are in the Active state when they are created. However, for a key that will be used for securing data later than its creation date, you can set the Process Start Date. Currently, only keys uploaded with a third-party KMIP client can be in a Pre-Active state and have the Activation date set. For all other keys, the Activation Date is system generated and cannot be set.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item for which you want to set the Process Start Date.
  4. On the Item Details page for the item, set the Process Start Date to the desired date.
  5. Click Save.

8.4.4 Deactivating a Key or Security Object

A key deactivates or expires when it passes the date that has been set for deactivation.

  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item to be deactivated.
  4. On the Item Details page for the item, set the Date of Deactivation to the date on which you want the key to be deactivated.
  5. Click Save.

8.4.5 Revoking a Key or Security Object

When you revoke a key, you can set its state to Deactivated or Compromised.

At this point, the key should no longer be used to encrypt new data. However, you can download and use the deactivated keys to decrypt old data.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select All Items from the left side bar.
    The All Items page appears listing all the security objects.
  4. Click the pencil icon in the Details column corresponding to the item to be revoked.
  5. In the Item Details page, click Revoke.
  6. In the Revoke Item page, from the Revocation Reason drop-down list, select a reason for the revocation.
  7. Optionally, add more details in Revocation Message.
  8. Click Save.

8.4.6 Destroying a Key or Security Object

When a key is no longer used, or has been compromised in some way, you can destroy it.

Metadata for destroyed keys and security objects is kept in Oracle Key Vault even after the key material has been destroyed.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab.
  3. Select the All Items menu and then click the edit pencil icon corresponding to the item that you want to destroy.
  4. On the Item Details page for the item, click Destroy.
  5. Click Save.

8.5 Managing Details of Security Objects

You can manage the details of security objects, such as finding the details of these objects and modifying them.

8.5.1 About Managing the Details of Security Objects

You can search for security objects within a virtual wallet, and add, modify, or remove these security objects.

Security objects are managed by Oracle Key Vault administrative users with a clear separation of duties. To manage the security objects in a virtual wallet, you must be an administrative user with the Key Administrator role or have the Manage Wallet privilege on that virtual wallet. A user with the Audit Manager role can view security objects but cannot modify them, whereas individual security objects are not even viewable to a user with the System Administrator role.

8.5.2 Searching for Security Object Items

You can search for individual security objects if you have privileges to view these objects.

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role, an Audit Manager role, or as a user with access to a virtual wallet.
  2. Click the tab Keys & Wallets.
    The Wallets page appears.
  3. Click All Items in the left sidebar.
    The All Items page appears, displaying all the security objects in a table.


    The table has the following columns for each security object:

    • Type: Indicates the object type of security object. Valid values are Symmetric Key, Private Key, Template, Opaque Object, Certificate, and Secret Data.

    • Identifier: Lists the identifier for the security object and includes a prefix that helps identify a subtype for the item.

    • Creation Time: Date and time that the security object was added to Oracle Key Vault.

    • Endpoint Name: The endpoint that owns the security object.

    • Wallets: The virtual wallet that contains the security object.

    • State: Indicates the state of the object. Valid values are Active and N/A.

    • Details: A pencil icon links to the Item Details for the security object.

  4. Search for specific items using the Search bar or the Actions menu.

8.5.3 Viewing the Details of a Security Object

An administrative user with the Key Administrator role can view, add, and modify the details of a security object.

The administrative user can perform these actions on the security object from its corresponding Item Details page. Item details are attributes of a specific security object and depend on the type of security object.

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role or as a user with access to the virtual wallet.

  2. Click the tab Keys & Wallets.

    The Wallets page appears.

  3. Click All Items in the left sidebar.

    The All Items page appears displaying all the security objects in Key Vault.

  4. Click the pencil icon in the Details column corresponding to the security object.

    The Item Details page appears displaying the attributes of the security object.


    You can set the dates on which the security object should be deactivated or no longer used on the Item Details page. The attributes shown in Item Details depend on the type of security object. The attributes for a Symmetric Key are different from those of a Private Key or an Opaque Object.

    You can revoke or destroy a security object, and add or remove it to and from a wallet from the Item Details page.

    The Wallet Membership pane in the Item Details page enables you to add the security object to a wallet or delete the security object from a wallet.

    The Item Details page contains the following attributes:

    • Identifier: A summary description to help identify the item to the user. For example, if the item is a TDE master encryption key, then the Identifier shows the prefix TDE master encryption key followed by the identifier used by the database to identify the key.

    • Unique Identifier: This is a globally unique ID that identifies an item.

    • Type: Indicates the object type of the item. Valid values are Symmetric Key, Private Key, Template, Opaque Object, Certificate, and Secret Data.

    • State: Indicates the state of the security object. Values are as follows:

      • Pre-active: The object exists but is not yet usable for any cryptographic purpose.

      • Active: The object is available for use. Endpoints should examine the Cryptographic Usage Mask attribute to determine which uses are appropriate for this object.

      • Deactivated: The object is no longer active and should not be used to apply cryptographic protection (for example, encryption or signing). It may still be appropriate to use for decrypting or verifying previously protected data.

      • Compromised: The object is believed to be compromised and should not be used.

      • Destroyed: The object is no longer usable for any purpose.

      • Destroyed Compromised: The object was compromised and destroyed. It is no longer usable for any purpose.

    • Creator: The endpoint that created the security object.

    • Last Modified: The date last modified.

    • Date of Creation: The date created.

    • Date of Activation: The date of activation.

    • Process Start Date: The date when the key may start to be used to encrypt data. It can be equal to or later than the Date of Activation setting, but cannot precede it.

    • Protect Stop Date: When this date is passed, the key should not be used to encrypt any more data. It cannot be later than the Date of Deactivation setting.

    • Date of Deactivation: The date of deactivation.

  5. Click Advanced to view the cryptographic attributes of the security object.


    Attribute information and queries may vary depending on the item type. Examples of attributes are as follows:

    • Cryptographic Algorithms: The encryption algorithm used by the item

    • Key Usage: Operations that the key can be used for. Clients may or may not use these attributes. For example, Transparent Data Encryption does not consult the key usage attributes.

    • Names: Labels attached by a user or endpoint to identify the key

    • Custom Attributes: Additional attributes defined by the endpoint and not interpreted by Oracle Key Vault

    • Cryptographic Parameters: Optional parameters for the encryption algorithm used by the item, such as block cipher mode and padding method

    • Cryptographic Length: The length in bits of the key

    • Retrieved at Least Once: Indicates if the object has been served to the client

    • Contact Information: Used for contact purposes only

    • Digests: Digest values of the security object

    • Link Details: Links to related objects
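The state list and the date attributes in step 4, together with the revoke and destroy operations in 8.4.5 and 8.4.6 and the replication lag caveat in 8.4.2, describe a key lifecycle that an endpoint or an auditing script has to reason about. The following Python is an added example written for this page; it is not Oracle Key Vault code and does not use any Oracle or KMIP client library. It derives the state from the stored dates and flags, enforces the two ordering rules (Process Start not before Activation, Protect Stop not after Deactivation), answers whether a key may still protect or process data at a given time, and replays a deactivation set 30 seconds ahead to show the window in which a lagging peer node still reports the key as Active. The class and function names (Attrs, state_at, may_protect, ReplicatedKey) and the timestamps are hypothetical; the model assumes the state follows purely from the attributes shown on the Item Details page.

```python
"""Added example (not Oracle Key Vault code): security object states, date
rules and replication lag as described in 8.4 and 8.5.3. Names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    PRE_ACTIVE = "Pre-active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"
    DESTROYED_COMPROMISED = "Destroyed Compromised"


@dataclass(frozen=True)
class Attrs:
    """Item Details dates plus the flags that Revoke and Destroy set."""
    activation: Optional[datetime] = None
    process_start: Optional[datetime] = None
    protect_stop: Optional[datetime] = None
    deactivation: Optional[datetime] = None
    revoked: bool = False        # Revoke with a reason other than compromise
    compromised: bool = False    # Revoke with reason "compromised"
    destroyed: bool = False      # Destroy; metadata is kept, so the Attrs survive


def validate(a: Attrs) -> Attrs:
    """8.5.3 ordering rules: Process Start >= Activation, Protect Stop <= Deactivation."""
    if a.activation and a.process_start and a.process_start < a.activation:
        raise ValueError("Process Start Date precedes Date of Activation")
    if a.deactivation and a.protect_stop and a.protect_stop > a.deactivation:
        raise ValueError("Protect Stop Date is later than Date of Deactivation")
    return a


def state_at(a: Attrs, now: datetime) -> State:
    """Derive the state listed under 8.5.3 from the stored attributes."""
    if a.destroyed:
        return State.DESTROYED_COMPROMISED if a.compromised else State.DESTROYED
    if a.compromised:
        return State.COMPROMISED
    if a.revoked or (a.deactivation is not None and now >= a.deactivation):
        return State.DEACTIVATED
    if a.activation is None or now < a.activation:
        return State.PRE_ACTIVE
    return State.ACTIVE


def may_protect(a: Attrs, now: datetime) -> bool:
    """Encrypt or sign: only an Active key inside its Process Start / Protect Stop window."""
    if state_at(a, now) is not State.ACTIVE:
        return False
    if a.process_start is not None and now < a.process_start:
        return False
    if a.protect_stop is not None and now >= a.protect_stop:
        return False
    return True


def may_process(a: Attrs, now: datetime) -> bool:
    """Decrypt or verify old data: Active or Deactivated only, never Compromised or Destroyed."""
    return state_at(a, now) in (State.ACTIVE, State.DEACTIVATED)


@dataclass
class ReplicatedKey:
    """Attribute history of one key: (time the change was saved on its node, Attrs)."""
    history: List[Tuple[datetime, Attrs]] = field(default_factory=list)

    def save(self, attrs: Attrs, changed_at: datetime) -> None:
        self.history.append((changed_at, validate(attrs)))

    def visible_attrs(self, node_time: datetime, lag: timedelta = timedelta(0)) -> Optional[Attrs]:
        """What a node sees at node_time: a change arrives once changed_at + lag has passed."""
        arrived = [a for t, a in self.history if t + lag <= node_time]
        return arrived[-1] if arrived else None   # None: key has not replicated yet (8.4.2)


def replication_lag_demo() -> dict:
    """Constructed scenario: deactivation set 30 s ahead on one node; a peer lags by 2 min."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)           # constructed timestamps
    lag = timedelta(minutes=2)
    key = ReplicatedKey()
    key.save(Attrs(activation=t0, process_start=t0), changed_at=t0)
    t1 = t0 + timedelta(minutes=10)
    key.save(Attrs(activation=t0, process_start=t0,
                   deactivation=t1 + timedelta(seconds=30)), changed_at=t1)
    out = {}
    for label, when in (("t1+1m", t1 + timedelta(minutes=1)),
                        ("t1+3m", t1 + timedelta(minutes=3))):
        local = state_at(key.visible_attrs(when), when)         # originating node
        peer = state_at(key.visible_attrs(when, lag), when)     # lagging peer node
        out[label] = (local.value, peer.value)
    return out
```

Two design choices matter here. First, may_process deliberately treats Deactivated as usable so that old data stays decryptable, exactly as 8.4.5 describes, but Compromised and both Destroyed states are refused for every purpose; a client that only checks "is the key Active" will wrongly refuse legitimate decryption, and one that only checks "is the key not Destroyed" will happily use a compromised key. Second, the replication scenario shows why 8.4.2 warns against dates set very close to the current time: for one minute after the deactivation date the originating node reports Deactivated while the peer still reports Active, so an endpoint served by the peer could keep encrypting with a key that the operator believes is retired. Leave a margin larger than the replication lag shown on the Cluster Link State pane.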

8.5.4 Adding or Modifying Details of a Security Object

Only users who have the appropriate privileges can add or modify the details of a security object.

To modify the attributes of a security object you must be a user with the Key Administrator role, or you must have Read and Modify access on the security object. You can get Read and Modify access on a security object if you own the security object or if you have access to a wallet that contains the security object.
  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role or as a user with Read and Modify access on the security object.
  2. Click the tab Keys & Wallets.
    The Wallets page appears.
  3. Click All Items in the left sidebar.
    The All Items page appears displaying all the security objects in a table.
  4. Click the pencil icon corresponding to the security object.
    The Item Details page appears.
  5. Click Advanced.
    The Advanced pane appears.
  6. Make the necessary changes.
  7. Click Save in the top right corner of the pane.