Changes in This Release for Oracle Key Vault

This Oracle Key Vault release introduces new features that enhance the use of Oracle Key Vault in a large enterprise.

Changes for Oracle Key Vault Release 18.5

Oracle Key Vault release 18.5 introduces the following new features.

Support for Longer Names of Wallets, Users, User Groups, Endpoints, and Endpoint Groups

Starting with this release, the maximum length of the names of wallets, users, user groups, endpoints, and endpoint groups has been increased to 120 bytes, to accommodate longer system-generated names.

In previous releases, the names of wallets, endpoints, endpoint groups, users, and user groups were limited to 30 bytes in standalone and primary-standby deployments. In multi-master cluster deployments the limit was effectively 24 bytes, because the last 6 bytes were reserved for name conflict resolution. Systems that need automation, for example databases deployed in the cloud, use system-generated identifiers for these object names, and 24 bytes was too short for them.

In a multi-master cluster, names longer than 30 bytes cannot be created until every node in the cluster has been upgraded to release 18.5 or later. An attempt to create such a name before then is rejected with an error in the management console.
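The limits above are expressed in bytes, not characters, so a name that looks short can still be rejected if it contains multi-byte UTF-8 characters. The following is an added example, not Oracle code, that checks a candidate name against the limits as the release note states them. The deployment type names, the `(major, minor)` version tuples, and the choice to keep a mixed primary-standby pair at the old 30-byte limit are assumptions made for the example; the 30-byte mixed-cluster value is the one the note gives.

```python
# Added example (not Oracle code): checks a candidate Oracle Key Vault object name
# against the byte limits stated in the 18.5 release note. Limits are in UTF-8
# bytes, so a name can be shorter in characters than it is in bytes.

LEGACY_LIMIT = 30           # standalone / primary-standby before release 18.5
LEGACY_CLUSTER_LIMIT = 24   # cluster before 18.5: last 6 bytes reserved for conflict resolution
NEW_LIMIT = 120             # every deployment type once all nodes run 18.5 or later
MIN_NEW_VERSION = (18, 5)


def max_name_bytes(deployment, node_versions):
    """Return the maximum name length in bytes.

    deployment: 'standalone', 'primary-standby' or 'cluster' (names assumed here).
    node_versions: (major, minor) tuples for every node in the deployment.
    A cluster with some nodes still below 18.5 stays at 30 bytes, as the note
    states. A mixed primary-standby pair staying at the old limit is an assumption.
    """
    versions = list(node_versions)
    if not versions:
        raise ValueError("at least one node version is required")
    upgraded = [v >= MIN_NEW_VERSION for v in versions]
    if all(upgraded):
        return NEW_LIMIT
    if deployment == "cluster":
        return LEGACY_LIMIT if any(upgraded) else LEGACY_CLUSTER_LIMIT
    return LEGACY_LIMIT


def check_name(name, deployment, node_versions):
    """Return (ok, byte_length, limit) for a candidate name."""
    byte_length = len(name.encode("utf-8"))
    limit = max_name_bytes(deployment, node_versions)
    return byte_length <= limit, byte_length, limit


if __name__ == "__main__":
    # Constructed sample: a 40-byte system-generated style name and a short name
    # whose byte length exceeds its character count.
    generated = "OCI_DB_" + "0123456789ABCDEF" * 2 + "_"
    for label, versions in (("all 18.4", [(18, 4), (18, 4)]),
                            ("mixed", [(18, 5), (18, 4)]),
                            ("all 18.5", [(18, 5), (18, 5)])):
        ok, n, limit = check_name(generated, "cluster", versions)
        print(f"cluster {label:9s}: {n} bytes, limit {limit}, {'ok' if ok else 'rejected'}")
    ok, n, limit = check_name("Tresor_Clé_01", "standalone", [(18, 4)])
    print(f"standalone: 13 characters but {n} bytes, limit {limit}, {'ok' if ok else 'rejected'}")
```

Run the check before any automation creates a wallet or endpoint, and feed it the lowest version present in the deployment; the byte count is what the server enforces, so the accented name above counts as 14 bytes even though it is 13 characters long.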

Ability to Download okvrestservices.jar from Enroll Endpoint & Software Download Page

You can now download the okvrestservices.jar file, from the Enroll Endpoint & Software Download page of the Oracle Key Vault management console.

Before Oracle Key Vault release 18.5, the RESTful services utility, okvrestservices.jar, could only be downloaded after logging in to the Oracle Key Vault management console, so there was no way to fetch it with a tool such as wget without an interactive login. Starting with release 18.5, you can download okvrestservices.jar from the Enroll Endpoint & Software Download page of the management console, or with a command-line tool such as wget or curl. Because the download no longer requires authentication, fetch it over HTTPS with certificate verification left enabled, so that the jar you run on an endpoint is the one served by your own Oracle Key Vault server.

RESTful APIs to Determine the Oracle Key Vault Deployment Type, Server Version, and Object Existence

A new RESTful API, get_system_info, and an enhanced API, check_object_status, have been added to Oracle Key Vault.

The new RESTful API, get_system_info, returns the client tool version, the server version, and the deployment mode. The possible deployment mode values are Standalone, Primary-Standby, and Cluster.

The existing RESTful API, check_object_status, has been enhanced to return the status of an endpoint, endpoint group, or wallet. You supply the object name to the API or, in a multi-master cluster, alternatively the object's UUID. The status returned is either Object_Type does not exist or Object_Type exists, where Object_Type is Endpoint, Endpoint Group, or Wallet.

Changes for Oracle Key Vault Release 18.4

Oracle Key Vault release 18.4 introduces the ability to set a time-out value for the Oracle Key Vault management console.

Management Console Idle Session Timeout

Starting with this release, Oracle Key Vault will detect if the user session is idle, log the user out, and redirect the user to the login screen.

Starting with Oracle Key Vault release 18.4, Oracle Key Vault detects when a user's management console session is idle, logs the user out, and redirects the user to the login screen. The session remains active as long as the user clicks a button, moves the mouse, presses a key, or performs other management console activity. If the session is idle for longer than the management console timeout duration, the user is logged out and redirected to the login screen.

The management console timeout is configurable and defaults to 10 minutes. Before the session ends, the user is notified and given the option to extend it. How far ahead of expiry the notification appears depends on the timeout value: 2 minutes before expiry if the timeout is 10 minutes or longer, 30 seconds before expiry if the timeout is greater than 5 minutes but less than 10, and 10 seconds before expiry if the timeout is less than 5 minutes. For example, with a 20-minute timeout the user is notified after 18 minutes of inactivity and can extend the session. After the session is extended, another 18 minutes without activity triggers the prompt again, and if the user does not extend the session this time, the user is logged out and redirected to the login screen.

The management console idle session timeout applies to standalone, primary-standby, and multi-master cluster environments. In a multi-master cluster, setting the timeout value on one node applies it to all nodes in the cluster. The timeout value takes effect after you click Save on the System Settings page, or Save to Cluster on the Cluster System Settings page. Any update to the timeout value applies to new management console sessions immediately; for sessions that are already active, it takes effect when the user extends the session, refreshes the page, or navigates to another page.
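The timing rules above interact in ways that are easy to get wrong when you are deciding on a value (for instance, a short timeout gives the user only 10 seconds to react to the prompt). The following is an added example, not Oracle code, that models those rules as a small state machine so the warning and logout points for any timeout can be worked out offline. The class and method names are made up for the example; the note does not say which branch a timeout of exactly 5 minutes takes, and the model assumes the 10-second lead for that case.

```python
# Added example (not Oracle code): a model of the management console idle-session
# rules in the 18.4 release note. Times are in seconds since an arbitrary epoch.


def warning_lead_seconds(timeout_minutes):
    """Seconds before expiry at which the extend-session prompt is raised."""
    if timeout_minutes >= 10:
        return 120
    if timeout_minutes > 5:
        return 30
    # Below 5 minutes. Exactly 5 minutes is not covered by the note; this model
    # assumes it takes the 10-second lead (assumption).
    return 10


class IdleSession:
    """One user's console session, tracking idle time against the configured timeout."""

    def __init__(self, timeout_minutes, now=0.0):
        self._apply(timeout_minutes)
        self.pending_timeout = None
        self.last_activity = now

    def _apply(self, timeout_minutes):
        self.timeout = timeout_minutes * 60
        self.lead = warning_lead_seconds(timeout_minutes)

    def reconfigure(self, timeout_minutes):
        """An administrator saved a new timeout. New sessions would pick it up at
        once; this already-active session applies it on its next activity."""
        self.pending_timeout = timeout_minutes

    def activity(self, now):
        """Click, key press, mouse move, page refresh, navigation or an explicit
        'extend session'. A session that has already expired cannot be revived."""
        if now - self.last_activity >= self.timeout:
            raise RuntimeError("session already ended; the user must log in again")
        if self.pending_timeout is not None:
            self._apply(self.pending_timeout)
            self.pending_timeout = None
        self.last_activity = now

    def state(self, now):
        """'active', 'warning' (prompt shown) or 'logged_out'."""
        idle = now - self.last_activity
        if idle >= self.timeout:
            return "logged_out"
        if idle >= self.timeout - self.lead:
            return "warning"
        return "active"


if __name__ == "__main__":
    # Constructed walk-through of the 20-minute example from the note.
    session = IdleSession(20)
    for minutes in (17, 18, 19, 20):
        print(f"{minutes:2d} min idle: {session.state(minutes * 60)}")
    session = IdleSession(20)
    session.activity(18 * 60 + 30)          # user clicks "extend" during the prompt
    print("after extend, +18 min:", session.state(18 * 60 + 30 + 18 * 60))
```

The model also shows why the note's rule about active sessions matters: if the timeout is lowered from 20 to 4 minutes, a user who is already 6 minutes idle is not thrown out immediately, but the 4-minute value governs from the next click or page load onward.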

Oracle Key Vault HSM Integration Supports Use of Token Labels

Oracle Key Vault can now select the HSM slot to use by its token label.

An HSM may present multiple tokens, each with its own token label. You can now specify a token label so that keys are created in, or used from, the token in that specific slot. If you do not specify a token label, Oracle Key Vault falls back to the previous behavior and uses the token in the first slot of the slot list. Token labels enable support for softcards on nCipher HSMs and partitions on Thales Luna HSMs (formerly called SafeNet Luna HSMs).
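Selecting by label rather than by position matters because slot order can change when partitions or softcards are added, and "first slot" is then whatever happens to come first. The following is an added example, not Oracle's implementation, of the selection rule described above written against the shape of PKCS#11 token data: the token label in CK_TOKEN_INFO is a fixed 32-byte field padded with spaces, so a label must be compared after the padding is stripped. The slot list is constructed inline in place of real C_GetSlotList/C_GetTokenInfo calls, and the class and function names are made up for the example.

```python
# Added example (not Oracle code): choose an HSM slot by PKCS#11 token label, with
# the documented fallback to the first slot when no label is configured.

from dataclasses import dataclass
from typing import Optional, Sequence

LABEL_FIELD_LEN = 32   # CK_TOKEN_INFO.label is CK_UTF8CHAR[32], blank padded


@dataclass(frozen=True)
class SlotToken:
    slot_id: int
    label: bytes   # raw 32-byte label as C_GetTokenInfo would return it


def pkcs11_label(text: str) -> bytes:
    """Encode a label the way it is stored in CK_TOKEN_INFO: UTF-8, space padded."""
    raw = text.encode("utf-8")
    if len(raw) > LABEL_FIELD_LEN:
        raise ValueError("token label longer than 32 bytes")
    return raw.ljust(LABEL_FIELD_LEN, b" ")


def select_slot(slots: Sequence[SlotToken], token_label: Optional[str] = None) -> int:
    """Return the slot id to open a session on.

    With a label configured, the slot whose token carries exactly that label is
    chosen; a missing or duplicated label is an error rather than a silent guess.
    Without a label, the first slot in the list is used (the pre-18.4 behaviour).
    """
    if not slots:
        raise LookupError("no slots with a token present")
    if token_label is None:
        return slots[0].slot_id
    wanted = token_label.encode("utf-8")
    matches = [s for s in slots if s.label.rstrip(b" ") == wanted]
    if not matches:
        raise LookupError(f"no token labelled {token_label!r}")
    if len(matches) > 1:
        raise LookupError(f"token label {token_label!r} is not unique")
    return matches[0].slot_id


# Constructed sample slot list standing in for C_GetSlotList/C_GetTokenInfo output:
# an accelerator token first, then the softcard/partition meant for Key Vault.
SAMPLE_SLOTS = [
    SlotToken(0, pkcs11_label("accelerator")),
    SlotToken(1, pkcs11_label("okv-softcard")),
    SlotToken(2, pkcs11_label("okv-partition")),
]


if __name__ == "__main__":
    print("no label configured ->", select_slot(SAMPLE_SLOTS))
    print("label okv-softcard  ->", select_slot(SAMPLE_SLOTS, "okv-softcard"))
```

Failing closed on an unknown or ambiguous label is the safer choice for a root-of-trust device: silently falling back to the first slot when a configured label is not found would let Key Vault wrap its master key under a token other than the one the administrator intended.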

Utimaco as a Supported HSM Vendor

Utimaco is now a supported vendor for integration with Oracle Key Vault as the Root of Trust.

Starting with this release, you can configure Utimaco as the HSM vendor for Oracle Key Vault, in addition to the already supported Thales Luna (formerly called SafeNet Luna) and nCipher HSMs. At this time only version 4.31.1 is supported, for both the hardware security module itself and the associated client-side libraries and tools.