You can deploy an Oracle Key Vault appliance as a standalone server, a member of a primary-standby configuration, or a node in a multi-master cluster.
An Oracle Key Vault administrative role that enables a user to manage audit lifecycle and policies and to separate the role of auditing from the role of managing the Oracle Key Vault server.
An Oracle wallet file that can be accessed without a password. An auto-login wallet is stored in a
During node induction, an Oracle Key Vault server to be added to a multi-master cluster. A candidate node must be a freshly installed Oracle Key Vault appliance, except when it is the initial node, in which case it provides the entirety of the cluster's initial data. A candidate node must be at the same release and patch level as the multi-master cluster to which it is being added.
After the server has been inducted into a cluster, it is called a node. After a successful node induction, you can configure the server to use the cluster-wide configuration settings. The cluster data set is then replicated to the node.
cluster data set
The set of all security objects managed by the cluster. When creating the cluster, the initial node provides all of the security objects that will be part of the initial cluster data set.
A link that represents the outbound network connection (to the node) and the inbound replication process (from the node). You can enable or disable the link to manage node data replication.
A group of one or more nodes that is a subgroup of a cluster. Each node in a cluster can belong to only one subgroup. The node is assigned to a subgroup when it is added to the multi-master cluster, and this assignment remains unchanged for the lifetime of the node. The assignment is made per node, so the two members of a read-write pair can be in different subgroups.
The subgroup implements a notion of endpoint affinity. It is used when you set the endpoint's node search order in the endpoint node scan list. Nodes in the same subgroup as the node where the endpoint was added are considered local to the endpoint. The local subgroup is scanned first before communicating with nodes that are not in the local subgroup.
The cluster topology can change when you add nodes to or remove nodes from the cluster. Endpoints receive this information in the response messages for the operations they initiated. Oracle Key Vault also periodically sends the updated endpoint node scan list back to the endpoint even if there is no change to the cluster topology, to account for any lost messages.
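An added example (not Oracle's code) that models the scan-list ordering described above: nodes in the endpoint's local subgroup come first, the rest follow, and the list is re-sent on every refresh even when nothing changed. The node names, the cluster layout, the choice to put the home node first within its subgroup, and the omission of disabled nodes are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    subgroup: str
    enabled: bool = True

# Constructed cluster: two subgroups, one node currently disabled (assumed names).
CLUSTER = [
    Node("okv-east-1", "east"),
    Node("okv-east-2", "east"),
    Node("okv-west-1", "west"),
    Node("okv-west-2", "west", enabled=False),
]

def scan_list(cluster, home_node):
    """Return the node search order for an endpoint that was added on home_node.

    The home node's subgroup is local to the endpoint and is scanned first;
    nodes in other subgroups follow. Two assumptions beyond the glossary text:
    the home node leads its own subgroup, and disabled nodes are omitted."""
    home = next(n for n in cluster if n.name == home_node)
    if not home.enabled:
        raise ValueError(f"{home_node} is disabled")
    local = [home.name] + [n.name for n in cluster
                           if n.enabled and n is not home and n.subgroup == home.subgroup]
    remote = [n.name for n in cluster if n.enabled and n.subgroup != home.subgroup]
    return local + remote

def refresh(cluster, home_node, cached):
    """Model the periodic resend: the endpoint replaces its cached list with the
    one carried in the latest response, even when the topology is unchanged, so a
    previously lost update is corrected. Returns (new_list, changed)."""
    current = scan_list(cluster, home_node)
    return current, current != cached

if __name__ == "__main__":
    initial = scan_list(CLUSTER, "okv-east-2")
    print("initial scan list:", initial)
    # Topology change: okv-west-2 is enabled again; the next response carries the update.
    grown = [Node(n.name, n.subgroup, True) for n in CLUSTER]
    print("after enabling okv-west-2:", refresh(grown, "okv-east-2", initial))
```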
A node that controls or manages a cluster reconfiguration change, such as adding, enabling, disabling, or removing nodes. A node is only a controller node while the change is being made. During node induction, the controller node provides the server certificate and the data that is used to initialize the candidate node.
Each concurrent operation will have its own controller node. One controller node can only control one cluster configuration transaction at a time.
A file that contains sensitive information such as user IDs, passwords, and keys. The file, such as a Kerberos keytab file, is stored as an opaque object, which means that its individual contents are not interpreted by Oracle Key Vault. The entire file is uploaded and downloaded as an object.
See also security object.
A node that has been disassociated from the cluster by using either the Delete or the Force Delete button on the Oracle Key Vault management console. If a node has been disabled for longer than the Maximum Disable Node duration, then you must delete it.
Once a node has been deleted, you cannot re-associate it with the cluster. If it is to be inducted into the cluster again, then you must re-image it and convert it into a freshly installed server.
Use the Delete option under normal operating circumstances. Use the Force Delete option only if the node is unreachable and the Delete option does not work.
A computer system such as a database server, an application server, and other information systems, where keys are used to access encrypted data and credentials are used to authenticate to other systems.
Owner of an endpoint. Endpoint administrators are typically system, security, or database administrators, but they can be any personnel charged with deploying, managing, and maintaining security within an enterprise. They are responsible for enrolling endpoints and controlling endpoint access to security objects.
A monitored metric that determines the health of the multi-master cluster. This is an indication of the node and network health. It is the time since the current node received a heartbeat message from a given node. A heartbeat is sent out from each node every two minutes. Every heartbeat should be received on each other node shortly thereafter.
A higher heartbeat lag indicates that the user operations that require conflict resolution like creating a wallet will take longer. Heartbeat lags between any two nodes affect the operations cluster wide. If the heartbeat lag is high, ensure that the cluster services are active and that replication is active. Disable and then re-enable the links between the two nodes between which the heartbeat lag is significant.
The first, or initial, node of an Oracle Key Vault multi-master cluster. You create a multi-master cluster by converting a single Oracle Key Vault server to become the initial node. The Oracle Key Vault server can be a freshly installed Oracle Key Vault server, or it can already be in service with active data. A standalone server or a member of a primary-standby configuration can be converted to be the initial node of a cluster. If you want to use a member of a primary-standby configuration, then you must first break the primary-standby relationship, splitting the pair.
If the initial node has been active and therefore has data, then Oracle Key Vault uses this data as the cluster data set to initialize the cluster.
Initialization can occur only once in the life of the cluster.
The environment variable that points to the location of Java files (JDK/JRE) in the system. This allows Java applications to look up the JAVA_HOME variable in order to operate.
Java keystore file
A file that can hold multiple security objects such as keys and certificates. It uses the Java Keystore File (JKS) format.
An Oracle Key Vault administrator role that enables a user to manage the key lifecycle and control access to all security objects within Oracle Key Vault. This is a highly sensitive role and should be granted with care.
A generalized term for a container that stores encryption keys including but not limited to TDE master encryption keys.
Management Information Base (MIB)
master encryption key
maximum disable node duration
The time, in hours, that a node may remain in the disabled state. If the node has been disabled for a longer duration, it can no longer be enabled.
The default maximum disable node duration is 24 hours.
Management information base; a text file that, if Oracle Key Vault is monitored through SNMP, describes the variables that contain the information that SNMP can access. The variables described in a MIB, which are also called MIB objects, are the items that can be monitored using SNMP. There is one MIB for each element that is monitored.
name resolution time
A monitored metric used to determine the health of the multi-master cluster. It is the average time taken to ascertain that there is no name conflict in the cluster or to resolve the name conflict after an attempt to use conflicting names took place.
An Oracle Key Vault server that has been converted to be a member of an Oracle Key Vault multi-master cluster. It is known as an Oracle Key Vault cluster node or simply a node.
The process of converting an Oracle Key Vault server to be a node in the multi-master cluster.
The initial node in a cluster provides the initial cluster data set. Subsequently, only new Oracle Key Vault servers can be inducted into the multi-master cluster, and the current data in the multi-master cluster is loaded into the new nodes.
The environment variable that points to the location in which the Oracle Key Vault endpoint software will reside. It contains sub-directories for endpoint software such as the configuration files, log files, libraries, binaries, and other files that the endpoint software utility needs.
online master key
A security object that Oracle Key Vault cannot interpret.
Oracle Key Vault appliance
Oracle Key Vault multi-master cluster
A distributed set of Oracle Key Vault nodes that are grouped together so that they all communicate with one another. Some pairs of nodes are configured as read-write pairs. In a read-write pair, an update to one node is replicated to the other node, and the update must be verified on the other node before the update is considered successful.
All nodes in the multi-master cluster connect to all other nodes. Data updated in a read-write pair is replicated to all nodes.
Oracle Key Vault node
Oracle Key Vault server
Oracle wallet file
A container that can hold multiple security objects such as keys and certificates. It uses the PKCS#12 cryptographic standard.
You can manage Oracle wallets in Oracle Key Vault just like other security objects. Optionally, you can encrypt them and protect them with a password. An Oracle wallet that can be accessed without a password is called an auto-login wallet.
See also password-protected wallet.
The environment variable that points to the root of the Oracle Database directory tree. The Oracle Base directory is the top-level directory that you can use to install the various Oracle software products. You can use the same Oracle base directory for multiple installations. For example, /u01/app/oracle is an Oracle base directory created by the
The environment variable that points to the directory path to install Oracle components (for example, /u01/app/oracle/product/18.3.0/db_n). You are prompted to enter an Oracle home in the Path field of the Specify File Locations window.
ORACLE_HOME corresponds to the environment in which Oracle Database products run. If you install an OFA-compliant database using Oracle Universal Installer defaults, then the Oracle home (known as $ORACLE_HOME in this guide) is located beneath $ORACLE_BASE. The default Oracle home is
n is the Oracle home number. It contains subdirectories for Oracle Database software executable files and network files.
The environment variable that represents the Oracle System ID (SID), which uniquely identifies a particular database on a system. For this reason, you cannot have more than one database with the same SID on a computer system.
When using Oracle Real Application Clusters, you must ensure that all instances that belong to the same database have a unique SID.
coraenv, a Unix/Linux command line utility that sets the required environment variables (PATH) to allow a user to connect to a given database instance. If these environment variables are not set, then commands such as exp will not work (or will not be found).
Use coraenv when using the C shell and oraenv when using a Bourne, Korn, or Bash shell.
An encrypted Oracle wallet that has a user-defined password stored in an
A library that allows an Oracle TDE database to connect to Oracle Key Vault to manage the master encryption keys.
In cryptography, PKCS#12 defines an archive file format for storing many cryptographic objects as a single file. Wallet files are stored in PKCS#12 format.
A node that is not part of a replication pair. Most data cannot be directly updated using the Oracle Key Vault management console, or with Oracle Key Vault client software. Critical data such as keys, wallets, and certificates in a read-only node is only updated through replication from read-write nodes.
read-only restricted mode
A node enters read-only restricted mode when it has no read-write pair, or if its read-write peer is unavailable. The Oracle Key Vault console displays a warning that the node is operating in read-only restricted mode. In read-only restricted mode, updates using the Oracle Key Vault management console, or Oracle Key Vault client software are restricted. However, you can still perform system configuration on the node.
When the node is a member of a read-write pair, this state indicates that the other node has been disabled but not deleted from the cluster, or that its heartbeat is not detected for other reasons.
A node is in read-write mode when it is available for endpoint and wallet data updates using the Oracle Key Vault management console, or Oracle Key Vault client software. The node must be a member of a read-write pair, and the read-write peer must be online and active.
When both nodes in the pair are available, both nodes can accept updates, and all updates to one node are synchronously replicated to the peer. If one of the nodes in the pair becomes unavailable, then the remaining node enters read-only restricted mode and will not accept any data updates until the peer is restored.
The node state is displayed on the Monitoring page of the Cluster tab of the node management console. The Cluster tab of the node management console displays the type and status of all nodes in the cluster.
An active, connected, member of a read-write pair of nodes.
A pair of nodes that operates with bidirectional synchronous replication. You create the read-write pair by pairing a new node with a read-only node. You can update data, including the endpoint and wallet data, in either node by using the Oracle Key Vault management console, or Oracle Key Vault client software. The updates are replicated immediately to the other node in the pair. Updates are replicated asynchronously to all other nodes.
A node can be a member of at most one bidirectional synchronous pair.
A multi-master cluster requires at least one read-write pair to be fully operational. It can have a maximum of 8 read-write pairs.
The specific member of one, and only one, read-write pair in the cluster. Each read-write pair consists of only two nodes. You configure nodes as peers by setting Add Candidate Node as Read-Write Peer to Yes on the controller node during induction of the candidate node. Peers are identified on the Cluster Management Configuration page.
If one member of the pair is deleted, then the peer automatically becomes a read-only node.
A secret token that is created during the installation of an Oracle Key Vault appliance. The recovery passphrase created for the initial node is subsequently used by the cluster and propagated to all other nodes in the cluster.
You enter the existing recovery passphrase on both the controller page and the candidate page during induction of any nodes into the cluster. Because there is only one recovery passphrase, you must use that same recovery passphrase when the recovery passphrase is required.
The process of replicating data changes that were made to a read-write node to all other nodes. The read-write peer is updated immediately. Replication is used to distribute the data to all other nodes in the cluster.
A monitored metric that determines the health of the multi-master cluster. It is the time taken for an object to be replicated to another node.
A higher replication lag indicates that Oracle Key Vault operations, such as changing an endpoint's access permissions on a wallet, will take longer to replicate. Depending on the operation, a replication lag may or may not have a cluster-wide impact. If the replication lag between two nodes is significant, then you should disable and re-enable the cluster links between them.
An object that contains critical data provided by the user. A security object can be of the following types:
- private encryption key
- Oracle wallet
- Java keystore
- Java Cryptography Extension keystore
- credential file
A self-contained preconfigured product that can be installed on supported hardware dedicated for a specific purpose.
An Oracle Database configuration file for the client or server. By default, the sqlnet.ora file resides in the $ORACLE_HOME/network/admin directory. It specifies the following connection information:
- Client domain to append to unqualified service names or net service names
- Order of naming methods for the client to use when resolving a name
- Logging and tracing features to use
- Route of connections
- External naming parameters
- Oracle Advanced Security parameters
An Oracle Key Vault administrator role that enables a user to create users, endpoints and their respective groups, configure system settings and alerts, and generally administer Oracle Key Vault. This is a highly sensitive role and should be granted with care.
A collection of attributes for security objects. When a security object is created using a template, then the attributes in the template are automatically assigned to the new object.
A staff member who uses Oracle Key Vault. Users can be administrators, auditors, or ordinary users with no administrative roles.
A named collection of Oracle Key Vault users. A user group can collectively be granted privileges or roles.