Table of Contents

• Title and Copyright Information
• Preface
  • Audience
  • Documentation Accessibility
  • Related Documents
  • Conventions
• Changes in This Release for Oracle Key Vault
  • Changes for Oracle Key Vault Release 18.5
    • Support for Longer Names of Wallets, Users, User Groups, Endpoints, and Endpoint Groups
    • Ability to Download okvrestservices.jar from Enroll Endpoint & Software Download Page
    • RESTful APIs to Determine the Oracle Key Vault Deployment Type, Server Version, and Object Existence
  • Changes for Oracle Key Vault Release 18.4
    • Management Console Idle Session Timeout
    • Oracle Key Vault HSM Integration Supports Use of Token Labels
    • Utimaco as a Supported HSM Vendor
• 1 Introduction to Oracle Key Vault
  • 1.1 About Oracle Key Vault and Key Management
  • 1.2 Benefits of Using Oracle Key Vault
  • 1.3 Oracle Key Vault Use Cases
    • 1.3.1 Centralized Storage of Oracle Wallet Files and Java Keystores
    • 1.3.2 Centralized Management of TDE Master Encryption Keys Using Online Master Keys
    • 1.3.3 Storage of Credential Files
    • 1.3.4 Online Management of Endpoint Keys and Secret Data
  • 1.4 Who Should Use Oracle Key Vault
  • 1.5 Major Features of Oracle Key Vault
    • 1.5.1 Centralized Storage and Management of Security Objects
    • 1.5.2 Management of Key Lifecycle
    • 1.5.3 Reporting and Alerts
    • 1.5.4 Separation of Duties for Oracle Key Vault Users
    • 1.5.5 Support for a Primary-Standby Environment
    • 1.5.6 Persistent Master Encryption Key Cache
    • 1.5.7 Backup and Restore Functionality for Security Objects
    • 1.5.8 Automation of Endpoint Enrollment Using RESTful Services
    • 1.5.9 Key Management Support Using RESTful Services
    • 1.5.10 Support for OASIS Key Management Interoperability Protocol (KMIP)
    • 1.5.11 Database Release and Platform Support
    • 1.5.12 Integration with External Audit and Monitoring Services
    • 1.5.13 Integration of MySQL with Oracle Key Vault
    • 1.5.14 Automatic Storage Management Cluster File System (ACFS) Encryption
    • 1.5.15 Support for Oracle Cloud Database as a Service Endpoints
    • 1.5.16 Oracle Key Vault Hardware Security Module Integration
  • 1.6 Oracle Key Vault Interfaces
    • 1.6.1 Oracle Key Vault Management Console
    • 1.6.2 Oracle Key Vault okvutil Endpoint Utility
    • 1.6.3 Oracle Key Vault RESTful Services
  • 1.7 Overview of an Oracle Key Vault Deployment
• 2 Oracle Key Vault Concepts
  • 2.1 Overview of Oracle Key Vault Concepts
  • 2.2 Oracle Key Vault Deployment Architecture
  • 2.3 Access Control Configuration
    • 2.3.1 About Access Control Configuration
    • 2.3.2 Access Grants
    • 2.3.3 Access Control Options
  • 2.4 Administrative Roles within Oracle Key Vault
    • 2.4.1 About Administrative Roles in Oracle Key Vault
    • 2.4.2 Separation of Duties in Oracle Key Vault
    • 2.4.3 System Administrator Role Duties
    • 2.4.4 Key Administrator Role Duties
    • 2.4.5 Audit Manager Role Duties
  • 2.5 Naming Guidelines for Objects
  • 2.6 Emergency System Recovery Process
  • 2.7 Root and Support User Accounts
  • 2.8 Endpoint Administrators
  • 2.9 FIPS Mode
• 3 Oracle Key Vault Multi-Master Cluster Concepts
  • 3.1 Oracle Key Vault Multi-Master Cluster Overview
  • 3.2 Benefits of Oracle Key Vault Multi-Master Clustering
  • 3.3 Multi-Master Cluster Architecture
    • 3.3.1 Oracle Key Vault Cluster Nodes
    • 3.3.2 Cluster Node Limitations
    • 3.3.3 Cluster Subgroups
    • 3.3.4 Critical Data in Oracle Key Vault
    • 3.3.5 Oracle Key Vault Read-Write Nodes
    • 3.3.6 Oracle Key Vault Read-Only Nodes
    • 3.3.7 Cluster Node Mode Types
    • 3.3.8 Operations Permitted on Cluster Nodes in Different Modes
  • 3.4 Building and Managing a Multi-Master Cluster
    • 3.4.1 About Building and Managing a Multi-Master Cluster
    • 3.4.2 Creation of the Initial Node in a Multi-Master Cluster
    • 3.4.3 Expansion of a Multi-Master Cluster
      • 3.4.3.1 About the Expansion of a Multi-Master Cluster
      • 3.4.3.2 Management of Cluster Reconfiguration Changes Using a Controller Node
      • 3.4.3.3 Addition of a Candidate Node to the Multi-Master Cluster
      • 3.4.3.4 Addition of More Nodes to a Multi-Master Cluster
    • 3.4.4 Migration to the Cluster from an Existing Deployment
      • 3.4.4.1 Conversion of an Oracle Key Vault Standalone Server to a Multi-Master Cluster
      • 3.4.4.2 Conversion from a Primary-Standby Server to a Multi-Master Cluster
  • 3.5 Oracle Key Vault Multi-Master Cluster Deployment Scenarios
    • 3.5.1 Cluster Size and Availability in Deployments
    • 3.5.2 Two-Node Cluster Deployment
    • 3.5.3 Mid-Size Cluster Across Two Data Centers Deployment
  • 3.6 Multi-Master Cluster Features
    • 3.6.1 Cluster Inconsistency Resolution in a Multi-Master Cluster
    • 3.6.2 Name Conflict Resolution in a Multi-Master Cluster
    • 3.6.3 Endpoint Node Connection Lists (Endpoint Node Scan Lists)
• 4 Oracle Key Vault Installation and Configuration
  • 4.1 About Oracle Key Vault Installation and Configuration
  • 4.2 Oracle Key Vault Installation Requirements
    • 4.2.1 System Requirements
    • 4.2.2 Network Port Requirements
    • 4.2.3 Supported Endpoint Platforms
    • 4.2.4 Endpoint Database Requirements
  • 4.3 Installing and Configuring Oracle Key Vault
    • 4.3.1 Downloading the Oracle Key Vault Appliance Software
    • 4.3.2 Installing the Oracle Key Vault Appliance Software
    • 4.3.3 Performing Post-Installation Tasks
  • 4.4 Logging In to the Oracle Key Vault Management Console
  • 4.5 Upgrading a Standalone or Primary-Standby Oracle Key Vault Server
    • 4.5.1 About Upgrading the Oracle Key Vault Server Software
    • 4.5.2 Step 1: Back Up the Server Before You Upgrade
    • 4.5.3 Step 2: Perform Pre-Upgrade Tasks
    • 4.5.4 Step 3: Upgrade the Oracle Key Vault Server or Server Pair
      • 4.5.4.1 About Upgrading an Oracle Key Vault Server or Server Pair
      • 4.5.4.2 Upgrading a Standalone Oracle Key Vault Server
      • 4.5.4.3 Upgrading a Pair of Oracle Key Vault Servers in a Primary-Standby Deployment
    • 4.5.5 Step 4: Upgrade the Endpoint Software
    • 4.5.6 Step 5: If Necessary, Remove Old Kernels
    • 4.5.7 Step 6: If Necessary, Add Disk Space to Extend Swap Space
    • 4.5.8 Step 7: If Necessary, Remove SSH-Related DSA Keys
    • 4.5.9 Step 8: Back Up the Upgraded Oracle Key Vault Server
  • 4.6 Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
    • 4.6.1 About Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
    • 4.6.2 Step 1: Perform Pre-Upgrade Tasks
    • 4.6.3 Step 2: If Upgrading from Release 18.1, Run the Pre-Upgrade Script on Each Node
    • 4.6.4 Step 3: Upgrade Each Multi-Master Cluster Node
    • 4.6.5 Step 4: Check the Node Version and the Cluster Version
    • 4.6.6 Rolling Back the Pre-Upgrade Script
  • 4.7 Overview of the Oracle Key Vault Management Console
  • 4.8 Performing Actions and Searches
    • 4.8.1 Actions Menus
    • 4.8.2 Search Bars
• 5 Managing Oracle Key Vault Multi-Master Clusters
  • 5.1 About Managing Oracle Key Vault Multi-Master Clusters
  • 5.2 Creating the First (Initial) Node of a Cluster
  • 5.3 Adding a Node to the Cluster
    • 5.3.1 Creating a Read-Write Pair of Nodes in a Cluster
    • 5.3.2 Creating a Read-Only Node in a Cluster
    • 5.3.3 Creating an Additional Read-Write Pair in a Cluster
  • 5.4 Terminating the Pairing of a Node
  • 5.5 Disabling a Cluster Node
  • 5.6 Enabling a Disabled Cluster Node
  • 5.7 Deleting a Cluster Node
  • 5.8 Force Deleting a Cluster Node
  • 5.9 Managing Replication Between Nodes
    • 5.9.1 Restarting Cluster Services
    • 5.9.2 Disabling Node Replication
    • 5.9.3 Enabling Node Replication
  • 5.10 Cluster Management Information
  • 5.11 Cluster Monitoring Information
  • 5.12 Naming Conflicts and Resolution
    • 5.12.1 About Naming Conflicts and Resolution
    • 5.12.2 Naming Conflict Resolution Information
    • 5.12.3 Changing the Suggested Conflict Resolution Name
    • 5.12.4 Accepting the Suggested Conflict Resolution Name
  • 5.13 Multi-Master Cluster Deployment Recommendations
• 6 Managing an Oracle Key Vault Primary-Standby Configuration
  • 6.1 Overview of the Oracle Key Vault Primary-Standby Configuration
    • 6.1.1 About the Oracle Key Vault Primary-Standby Configuration
    • 6.1.2 Benefits of an Oracle Key Vault Primary-Standby Configuration
    • 6.1.3 Difference Between Primary-Standby Configuration and Multi-Master Cluster
    • 6.1.4 Primary Server Role in a Primary-Standby Configuration
    • 6.1.5 Standby Server Role in a Primary-Standby Configuration
  • 6.2 Configuring the Primary-Standby Environment
    • 6.2.1 Step 1: Configure the Primary Server
    • 6.2.2 Step 2: Configure the Standby Server
    • 6.2.3 Step 3: Complete the Configuration on the Primary Server
  • 6.3 Switching the Primary and Standby Servers
  • 6.4 Restoring Primary-Standby After a Failover
  • 6.5 Disabling (Unpairing) the Primary-Standby Configuration
  • 6.6 Read-Only Restricted Mode in a Primary-Standby Configuration
    • 6.6.1 About Read-Only Restricted Mode in a Primary-Standby Configuration
    • 6.6.2 Primary-Standby with Read-Only Restricted Mode
    • 6.6.3 Primary-Standby without Read-Only Restricted Mode
    • 6.6.4 States of Read-Only Restricted Mode
      • 6.6.4.1 About the States of Read-Only Restricted Mode
      • 6.6.4.2 Read-Only Restricted State Functionality During a Primary Server Failure
      • 6.6.4.3 Read-Only Restricted Mode Functionality During a Standby Server Failure
      • 6.6.4.4 Read-Only Restricted State Functionality During a Network Failure
    • 6.6.5 Enabling Read-Only Restricted Mode
    • 6.6.6 Disabling Read-Only Restricted Mode
    • 6.6.7 Recovering from Read-Only Restricted Mode
    • 6.6.8 Read-Only Restricted Mode Notifications
  • 6.7 Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
• 7 Managing Oracle Key Vault Users
  • 7.1 Managing User Accounts
    • 7.1.1 About Oracle Key Vault User Accounts
    • 7.1.2 How a Multi-Master Cluster Affects User Accounts
      • 7.1.2.1 Multi-Master Cluster Effect on System Administrator Users
      • 7.1.2.2 Multi-Master Cluster Effect on Key Administrator Users
      • 7.1.2.3 Multi-Master Cluster Effect on Audit Manager Users
      • 7.1.2.4 Multi-Master Cluster Effect on Administration Users
      • 7.1.2.5 Multi-Master Cluster Effect on System Users
    • 7.1.3 Creating an Oracle Key Vault User Account
    • 7.1.4 Viewing User Account Details
    • 7.1.5 Deleting an Oracle Key Vault User Account
  • 7.2 Managing Administrative Roles and User Privileges
    • 7.2.1 About Managing Administrative Roles
    • 7.2.2 Granting or Changing an Administrative Role of a User
    • 7.2.3 Granting a User Access to a Virtual Wallet
    • 7.2.4 Revoking an Administrative Role from a User
  • 7.3 Managing User Passwords
    • 7.3.1 About Changing User Passwords
    • 7.3.2 Changing Your Own Password
    • 7.3.3 Changing Another User's Password
      • 7.3.3.1 Changing a Password Manually
      • 7.3.3.2 Changing a Password Through Email Notification
      • 7.3.3.3 Changing Operating System User Account Passwords
    • 7.3.4 Controlling the Use of Password Reset Methods
      • 7.3.4.1 About Controlling the Use of Password Reset Methods
      • 7.3.4.2 Configuring the Use of Password Reset Operations
  • 7.4 Managing User Email
    • 7.4.1 Changing the User Email Address
    • 7.4.2 Disabling Email Notifications for a User
  • 7.5 Managing User Groups
    • 7.5.1 About Managing User Groups
    • 7.5.2 How a Multi-Master Cluster Affects User Groups
    • 7.5.3 Creating a User Group
    • 7.5.4 Adding a User to a User Group
    • 7.5.5 Granting a User Group Access to a Virtual Wallet
    • 7.5.6 Renaming a User Group
    • 7.5.7 Changing a User Group Description
    • 7.5.8 Removing a User from a User Group
    • 7.5.9 Deleting a User Group
• 8 Managing Oracle Key Vault Virtual Wallets and Security Objects
  • 8.1 Managing Virtual Wallets
    • 8.1.1 About Virtual Wallets
    • 8.1.2 Creating a Virtual Wallet
    • 8.1.3 Modifying a Virtual Wallet
    • 8.1.4 Adding Security Objects to a Virtual Wallet
    • 8.1.5 Removing Security Objects from a Virtual Wallet
    • 8.1.6 Deleting a Virtual Wallet
  • 8.2 Managing Access to Virtual Wallets from Keys and Wallets Tab
    • 8.2.1 About Managing Access to Virtual Wallets from Keys and Wallets Tab
    • 8.2.2 Granting Access to Users, User Groups, Endpoints, and Endpoint Groups
    • 8.2.3 Modifying Access to Users, User Groups, Endpoints, and Endpoint Groups
  • 8.3 Managing Access to Virtual Wallets from User’s Menu
    • 8.3.1 Granting a User Access to a Virtual Wallet
    • 8.3.2 Revoking User Access from a Virtual Wallet
    • 8.3.3 Granting a User Group Access to a Virtual Wallet
    • 8.3.4 Revoking User Group Access from a Virtual Wallet
  • 8.4 Managing the State of a Key or a Security Object
    • 8.4.1 About Managing the State of a Key or a Security Object
    • 8.4.2 How a Multi-Master Cluster Affects Keys and Security Ojects
    • 8.4.3 Activating a Key or Security Object
    • 8.4.4 Deactivating a Key or Security Object
    • 8.4.5 Revoking a Key or Security Object
    • 8.4.6 Destroying a Key or Security Object
  • 8.5 Managing Details of Security Objects
    • 8.5.1 About Managing the Details of Security Objects
    • 8.5.2 Searching for Security Object Items
    • 8.5.3 Viewing the Details of a Security Object
    • 8.5.4 Adding or Modifying Details of a Security Object
• 9 Managing Oracle Key Vault Endpoints
  • 9.1 Overview of Managing Endpoints
    • 9.1.1 About Managing Endpoints
    • 9.1.2 How a Multi-Master Cluster Affects Endpoints
  • 9.2 Managing Endpoints
    • 9.2.1 Types of Endpoint Enrollment
    • 9.2.2 Endpoint Enrollment in a Multi-Master Cluster
    • 9.2.3 Adding an Endpoint as an Oracle Key Vault System Administrator
    • 9.2.4 Adding Endpoints Using Self-Enrollment
      • 9.2.4.1 About Adding Endpoints Using Self-Enrollment
      • 9.2.4.2 Adding an Endpoint Using Self-Enrollment
    • 9.2.5 Deleting, Suspending, or Reenrolling Endpoints
      • 9.2.5.1 About Deleting Endpoints
      • 9.2.5.2 Deleting One or More Endpoints
      • 9.2.5.3 Deleting One Endpoint (Alternative Method)
      • 9.2.5.4 Suspending an Endpoint
      • 9.2.5.5 Reenrolling an Endpoint
  • 9.3 Managing Endpoint Details
    • 9.3.1 About Endpoint Details
    • 9.3.2 Modifying Endpoint Details
    • 9.3.3 Global Endpoint Configuration Parameters
      • 9.3.3.1 About Global Endpoint Configuration Parameters
      • 9.3.3.2 Setting Global Endpoint Configuration Parameters
  • 9.4 Default Wallets and Endpoints
    • 9.4.1 Associating a Default Wallet with an Endpoint
    • 9.4.2 Setting the Default Wallet for an Endpoint
  • 9.5 Managing Endpoint Access to a Virtual Wallet
    • 9.5.1 Granting an Endpoint Access to a Virtual Wallet
    • 9.5.2 Revoking Endpoint Access to a Virtual Wallet
    • 9.5.3 Viewing Wallet Items Accessed by Endpoints
  • 9.6 Managing Endpoint Groups
    • 9.6.1 How a Multi-Master Cluster Affects Endpoint Groups
    • 9.6.2 Creating an Endpoint Group
    • 9.6.3 Modifying Endpoint Group Details
    • 9.6.4 Granting an Endpoint Group Access to a Virtual Wallet
    • 9.6.5 Adding an Endpoint to an Endpoint Group
    • 9.6.6 Removing an Endpoint from an Endpoint Group
    • 9.6.7 Deleting Endpoint Groups
  • 9.7 Upgrading Endpoints
    • 9.7.1 Upgrading Endpoint Software from an Endpoint
      • 9.7.1.1 Step 1: Prepare the Endpoint Environment
      • 9.7.1.2 Step 2: Download the Oracle Key Vault Software onto the Endpoint
      • 9.7.1.3 Step 3: Install the Oracle Key Vault Software onto the Endpoint
      • 9.7.1.4 Step 4: Perform Post-Installation Tasks
    • 9.7.2 Upgrading Endpoint Software on an Enrolled Endpoint
• 10 Enrolling Endpoints for Oracle Key Vault
  • 10.1 About Endpoint Enrollment and Provisioning
  • 10.2 Finalizing Enrollment and Provisioning
    • 10.2.1 Step 1: Enroll the Endpoint and Download the Software
    • 10.2.2 Step 2: Prepare the Endpoint Environment
    • 10.2.3 Step 3: Install the Oracle Key Vault Software onto the Endpoint
    • 10.2.4 Step 4: Perform Post-Installation Tasks
  • 10.3 Environment Variables and Endpoint Provisioning Guidance
    • 10.3.1 How the Location of JAVA_HOME Location Is Determined
    • 10.3.2 Location of the okvclient.ora File and Environment Variables
    • 10.3.3 Setting OKV_HOME for Non-Database Utilities to Communicate with Oracle Key Vault
    • 10.3.4 Environment Variables in sqlnet.ora File
  • 10.4 Endpoints That Do Not Use the Oracle Key Vault Client Software
  • 10.5 Transparent Data Encryption Endpoint Management
  • 10.6 Endpoint okvclient.ora Configuration File
• 11 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance
  • 11.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance
  • 11.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure
  • 11.3 Provisioning an Oracle Key Vault Compute Instance
    • 11.3.1 About Provisioning an Oracle Key Vault Compute Instance
    • 11.3.2 Launching the Oracle Key Vault Compute Instance
      • 11.3.2.1 About Launching the Oracle Key Vault Compute Instance
      • 11.3.2.2 Step 1: Ensure That You Have Prerequisites in Place
      • 11.3.2.3 Step 2: Find the Oracle Key Vault Image
      • 11.3.2.4 Step 3: Launch the Oracle Key Vault VM Compute Instance
      • 11.3.2.5 Step 4: Perform Post-Launch and Post-Installation Tasks
  • 11.4 General Management of an Oracle Key Vault Compute Instance
    • 11.4.1 Starting, Restarting, or Stopping an Oracle Key Vault Compute Instance
    • 11.4.2 System Settings in an Oracle Key Vault Compute Instance
    • 11.4.3 Backup and Restore Operations for Oracle Key Vault Compute Instances
    • 11.4.4 Terminating an Oracle Key Vault Compute Instance
  • 11.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI
    • 11.5.1 About Performing Migrations with Oracle Key Vault Compute Instance Data
    • 11.5.2 Migrating Oracle Key Vault Deployments into OCI Using Backup and Restore
    • 11.5.3 Migrating Oracle Key Vault Deployments Out of OCI Using Backup and Restore
• 12 Oracle Database Instances in Oracle Cloud Infrastructure
  • 12.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints
  • 12.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
    • 12.2.1 About Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
    • 12.2.2 Configuring a Database Cloud Service Instance
    • 12.2.3 Creating a Low Privileged Operating System User on Database as a Service
  • 12.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
    • 12.3.1 Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance
    • 12.3.2 Managing a Reverse SSH Tunnel in a Multi-Master Cluster
    • 12.3.3 Managing a Reverse SSH Tunnel in a Primary-Standby Configuration
    • 12.3.4 Viewing SSH Tunnel Configuration Details
    • 12.3.5 Disabling an SSH Tunnel Connection
    • 12.3.6 How the Connection Works if the SSH Tunnel Is Not Active
    • 12.3.7 Deleting an SSH Tunnel Configuration
  • 12.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
    • 12.4.1 About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
    • 12.4.2 Step 1: Register the Endpoint in the Oracle Key Vault Management Console
    • 12.4.3 Step 2: Prepare the Endpoint Environment
    • 12.4.4 Step 3: Install the Oracle Key Vault Software onto the Endpoint
    • 12.4.5 Step 4: Perform Post-Installation Tasks
  • 12.5 Suspending Database Cloud Service Access to Oracle Key Vault
    • 12.5.1 About Suspending Database Cloud Service Access to Oracle Key Vault
    • 12.5.2 Suspending Access for a Database Cloud Service to Oracle Key Vault
  • 12.6 Resuming Database Cloud Service Access to Oracle Key Vault
  • 12.7 Resuming a Database Endpoint Configured with a Password-Based Keystore
• 13 Oracle Key Vault Administration and Key Management with RESTful Services
  • 13.1 About RESTful Services
  • 13.2 Required Privileges for Using RESTful Services
  • 13.3 Enabling RESTful Services
    • 13.3.1 Step 1: Check the Endpoint System Requirements
    • 13.3.2 Step 2: Enable Network Services
    • 13.3.3 Step 3: Enable RESTful Services
    • 13.3.4 Step 4: Download the RESTful Software Utility
  • 13.4 Managing the RESTful Services Configuration File
    • 13.4.1 About Managing the RESTful Services Configuration File
    • 13.4.2 Configuration File Creation Guidelines
    • 13.4.3 Creating the RESTful Services Configuration File
    • 13.4.4 Examples of Configuration Files
    • 13.4.5 Executing a Single RESTful Command
    • 13.4.6 Executing Multiple RESTful Administrative Commands Using a Script
    • 13.4.7 Creating a Script to Automatically Enroll Oracle Databases as Endpoints
  • 13.5 Disabling RESTful Services
  • 13.6 Oracle Key Vault Administrative REST Client Tool Commands
    • 13.6.1 RESTful Services Command Syntax
    • 13.6.2 RESTful Services Wallet Command Syntax
    • 13.6.3 Commands to Add and Enroll Endpoints
      • 13.6.3.1 create_endpoint Command
      • 13.6.3.2 create_unique_endpoint Command
      • 13.6.3.3 delete_endpoint Command
      • 13.6.3.4 download Command
      • 13.6.3.5 get_enrollment_token Command
      • 13.6.3.6 modify_endpoint_desc Command
      • 13.6.3.7 modify_endpoint_email Command
      • 13.6.3.8 modify_endpoint_name Command
      • 13.6.3.9 modify_endpoint_platform Command
      • 13.6.3.10 modify_endpoint_type Command
      • 13.6.3.11 provision Command
      • 13.6.3.12 re_enroll Command
      • 13.6.3.13 re_enroll_all Command
    • 13.6.4 Endpoint Group Commands
      • 13.6.4.1 add_epg_member Command
      • 13.6.4.2 create_endpoint_group Command
      • 13.6.4.3 create_unique_endpoint_group Command
      • 13.6.4.4 delete_endpoint_group Command
      • 13.6.4.5 drop_epg_member Command
      • 13.6.4.6 modify_endpoint_group_desc Command
      • 13.6.4.7 modify_endpoint_group_name Command
    • 13.6.5 Virtual Wallet Commands
      • 13.6.5.1 add_wallet_access_ep Command
      • 13.6.5.2 add_wallet_access_epg Command
      • 13.6.5.3 create_unique_wallet Command
      • 13.6.5.4 create_wallet Command
      • 13.6.5.5 delete_wallet Command
      • 13.6.5.6 drop_wallet_access_ep Command
      • 13.6.5.7 drop_wallet_access_epg Command
      • 13.6.5.8 get_default_wallet Command
      • 13.6.5.9 get_object_name Command
      • 13.6.5.10 get_wallets Command
      • 13.6.5.11 modify_wallet_access_ep Command
      • 13.6.5.12 modify_wallet_access_epg Command
      • 13.6.5.13 modify_wallet_desc Command
      • 13.6.5.14 modify_wallet_name Command
      • 13.6.5.15 set_default_wallet Command
    • 13.6.6 Error Reporting
      • 13.6.6.1 About Error Reporting
      • 13.6.6.2 Command Line Error Reporting
      • 13.6.6.3 Error Reporting while Running Commands from a Script
    • 13.6.7 Status and Help Information Commands
      • 13.6.7.1 check_object_status Command
      • 13.6.7.2 get_system_info Command
      • 13.6.7.3 Help Information
  • 13.7 Oracle Key Vault Key Management REST Client Tool Commands
    • 13.7.1 About Oracle Key Vault Key Management REST Client Tool Commands
    • 13.7.2 Oracle Key Vault Key Management REST Client API Using OKVRESTSERVICE
    • 13.7.3 List of Key Management REST Client Tool Commands
    • 13.7.4 Key Creation and Registration Commands
      • 13.7.4.1 create_key Command
      • 13.7.4.2 get_cert Command
      • 13.7.4.3 get_key Command
      • 13.7.4.4 get_opaque Command
      • 13.7.4.5 get_secret Command
      • 13.7.4.6 reg_cert Command
      • 13.7.4.7 reg_key Command
      • 13.7.4.8 reg_opaque Command
      • 13.7.4.9 reg_secret Command
    • 13.7.5 Key Attribute Management Commands
      • 13.7.5.1 add_attr Command
      • 13.7.5.2 add_custom_attr Command
      • 13.7.5.3 all_attr Command
      • 13.7.5.4 del_attr Command
      • 13.7.5.5 del_custom_attr Command
      • 13.7.5.6 get_attr Command
      • 13.7.5.7 list_attr Command
      • 13.7.5.8 mod_attr Command
      • 13.7.5.9 mod_custom_attr Command
    • 13.7.6 Key Life Cycle Management Commands
      • 13.7.6.1 activate Command
      • 13.7.6.2 destroy Command
      • 13.7.6.3 locate Command
      • 13.7.6.4 revoke Command
      • 13.7.6.5 query Command
    • 13.7.7 Wallet Commands
      • 13.7.7.1 add_member Command
      • 13.7.7.2 del_member Command
      • 13.7.7.3 list_wallet Command
• 14 Backup and Restore Operations
  • 14.1 About Backing Up and Restoring Data in Oracle Key Vault
  • 14.2 Oracle Key Vault Backup Destinations
    • 14.2.1 About the Oracle Key Vault Backup Destination
    • 14.2.2 Creating a Remote Backup Destination
    • 14.2.3 Changing Settings on a Remote Backup Destination
    • 14.2.4 Deleting a Remote Backup Destination
  • 14.3 Backup Schedules and States
    • 14.3.1 About Backup Schedule Types and States
    • 14.3.2 Types of Oracle Key Vault Backups
    • 14.3.3 Scheduled Backup States in Oracle Key Vault
  • 14.4 Scheduling and Managing Oracle Key Vault Backups
    • 14.4.1 Scheduling a Backup for Oracle Key Vault
    • 14.4.2 Changing a Backup Schedule for Oracle Key Vault
    • 14.4.3 Deleting a Backup Schedule from Oracle Key Vault
    • 14.4.4 How Primary-Standby Affects Oracle Key Vault Backups
    • 14.4.5 Protecting the Backup Using the Recovery Passphrase
  • 14.5 Restoring Oracle Key Vault Data
    • 14.5.1 About the Oracle Key Vault Restore Process
    • 14.5.2 Procedure for Restoring Oracle Key Vault Data
    • 14.5.3 Multi-Master Cluster and the Restore Operation
    • 14.5.4 Primary-Standby and the Restore Operation
    • 14.5.5 Third-Party Certificates and the Restore Operation
    • 14.5.6 Changes Resulting from a System State Restore
  • 14.6 Backup and Restore Best Practices
• 15 Oracle Key Vault General System Administration
  • 15.1 Overview of Oracle Key Vault General System Administration
    • 15.1.1 About Oracle Key Vault General System Administration
    • 15.1.2 Viewing the Oracle Key Vault Dashboard
    • 15.1.3 Using the Status Panes in the Dashboard
  • 15.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
    • 15.2.1 Configuring the Network Details
    • 15.2.2 Configuring the Network Services
    • 15.2.3 Configuring the System Time
    • 15.2.4 Configuring DNS
    • 15.2.5 Configuring FIPS Mode
    • 15.2.6 Configuring Syslog
    • 15.2.7 Configuring RESTful Services
    • 15.2.8 Configuring Oracle Audit Vault Integration
    • 15.2.9 Configuring the Oracle Key Vault Management Console Web Session Timeout
    • 15.2.10 Restarting or Powering Off Oracle Key Vault
  • 15.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment
    • 15.3.1 Configuring System Settings for Individual Multi-Master Cluster Nodes
      • 15.3.1.1 Configuring the Network Details for the Node
      • 15.3.1.2 Configuring the Network Services for the Node
      • 15.3.1.3 Configuring the System Time for the Node
      • 15.3.1.4 Configuring DNS for the Node
      • 15.3.1.5 Configuring the FIPS Mode for the Node
      • 15.3.1.6 Configuring Syslog for the Node
      • 15.3.1.7 Configuring Oracle Audit Vault Integration for the Node
      • 15.3.1.8 Restarting or Powering Off Oracle Key Vault from a Node
    • 15.3.2 Managing Oracle Key Vault Multi-Master Clusters
      • 15.3.2.1 About Configuring Cluster System Settings
      • 15.3.2.2 Configuring the System Time for the Cluster
      • 15.3.2.3 Configuring DNS for the Cluster
      • 15.3.2.4 Configuring Maximum Disable Node Duration for the Cluster
      • 15.3.2.5 Configuring RESTful Services for the Cluster
      • 15.3.2.6 Configuring Syslog for the Cluster
      • 15.3.2.7 Configuring SNMP Settings for the Cluster
      • 15.3.2.8 Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster
  • 15.4 Managing System Recovery
    • 15.4.1 About Managing System Recovery
    • 15.4.2 Recovering Credentials for Administrators
    • 15.4.3 Changing the Recovery Passphrase in a Non-Clusters Environment
    • 15.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster
      • 15.4.4.1 Step 1: Initiate the Recovery Passphrase Change Across the Nodes
      • 15.4.4.2 Step 2: Change the Recovery Passphrase
    • 15.4.5 Changing the Installation Passphrase
      • 15.4.5.1 About Changing the Installation Passphrase
      • 15.4.5.2 Changing an Installation Passphrase
  • 15.5 Support for a Primary-Standby Environment
  • 15.6 Commercial National Security Algorithm Suite Support
    • 15.6.1 About Commercial National Security Algorithm Suite Support
    • 15.6.2 Running the Commercial National Security Algorithm Scripts
    • 15.6.3 Performing Backup and Restore Operations with CNSA
    • 15.6.4 Upgrading a Standalone Oracle Key Vault Server with CNSA
    • 15.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA
  • 15.7 Minimizing Downtime
• 16 Managing Certificates
  • 16.1 Rotating Certificates
    • 16.1.1 About Rotating Certificates
    • 16.1.2 Advice for Managing Certificate Rotations
    • 16.1.3 Factors That May Affect the Certificate Rotation Process
    • 16.1.4 Rotating All Certificates
    • 16.1.5 Checking the Certificate Rotation Status
  • 16.2 Managing Console Certificates
    • 16.2.1 About Managing Console Certificates
    • 16.2.2 Step 1: Download the Certificate Request
    • 16.2.3 Step 2: Have the Certificate Signed
    • 16.2.4 Step 3: Upload the Signed Certificate to Oracle Key Vault
    • 16.2.5 Console Certificates in Special Use Case Scenarios
• 17 Monitoring and Auditing Oracle Key Vault
  • 17.1 Managing System Monitoring
    • 17.1.1 Configuring Remote Monitoring to Use SNMP
      • 17.1.1.1 About Using SNMP for Oracle Key Vault
      • 17.1.1.2 Granting SNMP Access to Users
      • 17.1.1.3 Changing the SNMP User Name and Password
      • 17.1.1.4 Changing SNMP Settings on the Standby Server
      • 17.1.1.5 Remotely Monitoring Oracle Key Vault Using SNMP
      • 17.1.1.6 SNMP Management Information Base Variables for Oracle Key Vault
      • 17.1.1.7 Example: Simplified Remote Monitoring of Oracle Key Vault Using SNMP
    • 17.1.2 Configuring Email Notification
      • 17.1.2.1 About Email Notification
      • 17.1.2.2 Configuring Email Settings
      • 17.1.2.3 Testing the Email Configuration
      • 17.1.2.4 Disabling Email Notifications for a User
    • 17.1.3 Configuring the Syslog Destination for Individual Multi-Master Cluster Nodes
      • 17.1.3.1 Setting the Syslog Destination Setting for the Node
      • 17.1.3.2 Clearing the Syslog Destination Setting for the Node
    • 17.1.4 Capturing System Diagnostics
      • 17.1.4.1 About Capturing System Diagnostics
      • 17.1.4.2 Installing the Diagnostics Generation Utility
      • 17.1.4.3 Generating a System Diagnostics File
      • 17.1.4.4 Removing the Diagnostic Generation Utility Temporary Files
      • 17.1.4.5 Removing the Diagnostic Generation Utility
    • 17.1.5 Configuring Oracle Audit Vault Integration for the Node
  • 17.2 Configuring Oracle Key Vault Alerts
    • 17.2.1 About Configuring Alerts
    • 17.2.2 Configuring Alerts
    • 17.2.3 Viewing Open Alerts
  • 17.3 Managing System Auditing
    • 17.3.1 About Auditing in Oracle Key Vault
    • 17.3.2 Configuring Syslog to Store Audit Records
    • 17.3.3 Configuring Audit Settings for a Multi-Master Cluster
    • 17.3.4 Viewing Audit Records
    • 17.3.5 Exporting and Deleting Audit Records
    • 17.3.6 Audit Consolidation with Audit Vault and Database Firewall
  • 17.4 Using Oracle Key Vault Reports
    • 17.4.1 About Oracle Key Vault Reports
    • 17.4.2 Viewing Endpoint Reports
    • 17.4.3 Viewing User Reports
    • 17.4.4 Viewing Keys and Wallets Reports
    • 17.4.5 Viewing System Reports
• 18 Managing Oracle Key Vault Master Encryption Keys
  • 18.1 Configuring an Oracle Key Vault-to-New TDE-Enabled Database Connection
    • 18.1.1 About Configuring an Oracle Key Vault-to-New TDE-Enabled Database Connection
    • 18.1.2 Limitations to Transparent Data Encryption Endpoint Integration
    • 18.1.3 Step 1: Configure the Oracle Key Vault Server Environment
    • 18.1.4 Step 2: Integrate Transparent Data Encryption with Oracle Key Vault
  • 18.2 Migrating Existing TDE Wallets to Oracle Key Vault
    • 18.2.1 About Migrating Existing TDE Wallets to Oracle Key Vault
    • 18.2.2 Migrating an Existing TDE Wallet to Oracle Key Vault
    • 18.2.3 Restoring Database Contents Previously Encrypted by TDE Using an Oracle Wallet
  • 18.3 Using the Persistent Master Encryption Key Cache
    • 18.3.1 About the Persistent Master Encrption Key Cache
    • 18.3.2 About Oracle Key Vault Persistent Master Encyrption Key Cache Architecture
    • 18.3.3 Caching Master Encryption Keys in the In-Memory and Persistent Master Encryption Key Cache
    • 18.3.4 Storage Location of Persistent Master Encryption Key Cache
    • 18.3.5 Persistent Master Encryption Key Cache Modes of Operation
      • 18.3.5.1 Oracle Key Vault First Mode
      • 18.3.5.2 Persistent Master Encryption Key Cache First Mode
    • 18.3.6 Persistent Master Encryption Key Cache Refresh Window
    • 18.3.7 Persistent Master Encryption Key Cache Parameters
      • 18.3.7.1 PKCS11_CACHE_TIMEOUT Parameter
      • 18.3.7.2 PKCS11_PERSISTENT_CACHE_TIMEOUT Parameter
      • 18.3.7.3 PKCS11_PERSISTENT_CACHE_FIRST Parameter
      • 18.3.7.4 PKCS11_CONFIG_PARAM_REFRESH_INTERVAL Parameter
      • 18.3.7.5 PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW Parameter
      • 18.3.7.6 EXPIRE PKCS11 PERSISTENT CACHE ON DATABASE SHUTDOWN Parameter
    • 18.3.8 Listing the Contents of the Persistent Master Encryption Key Cache
    • 18.3.9 Oracle Database Deployments and Persistent Master Encryption Key Cache
  • 18.4 Uploading and Downloading Oracle Wallets
    • 18.4.1 About Uploading and Downloading Oracle Wallets
    • 18.4.2 Uploading Oracle Wallets
    • 18.4.3 Downloading Oracle Wallets
    • 18.4.4 Guidelines for Uploading and Downloading Oracle Wallets
  • 18.5 Uploading and Downloading JKS and JCEKS Keystores
    • 18.5.1 About Uploading and Downloading JKS and JCEKS Keystores
    • 18.5.2 Uploading JKS or JCEKS Keystores
    • 18.5.3 Downloading JKS or JCEKS Keystores
    • 18.5.4 Guidelines for Uploading and Downloading JKS and JCEKS Keystores
  • 18.6 Using a User-Defined Key as the TDE Master Encryption Key
    • 18.6.1 About Using a User-Defined Key as the TDE Master Encryption Key
    • 18.6.2 Step 1: Upload the User-Defined Key
    • 18.6.3 Step 2: Activate the User-Defined Key as a TDE Master Encryption Key
• 19 Managing Online and Offline Secrets
  • 19.1 Uploading and Downloading Credential Files
    • 19.1.1 About Uploading and Downloading Credential Files
    • 19.1.2 Uploading a Credential File
    • 19.1.3 Downloading a Credential File
    • 19.1.4 Guidelines for Uploading and Downloading Credential Files
  • 19.2 Managing Secrets and Credentials for SQL*Plus
  • 19.3 Managing Secrets and Credentials for SSH
  • 19.4 Managing Opaque Objects
  • 19.5 Managing Passwords in Oracle Key Vault in Scripts for Large Database Deployments
    • 19.5.1 About Managing Passwords in Oracle Key Vault in Scripts for Large Database Deployments
    • 19.5.2 Configuring the External Keystore Password Upload
    • 19.5.3 Example: Script for Using External Keystore Passwords in SQL*Plus Operations
    • 19.5.4 Sharing Secrets with Other Databases
    • 19.5.5 Changing Passwords for a Large Database Deployment
• 20 Managing Keys for Oracle Products
  • 20.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
  • 20.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
    • 20.2.1 Oracle Wallets in an Oracle GoldenGate Environment
    • 20.2.2 Online Master Keys in an Oracle GoldenGate Deployment
    • 20.2.3 Migration of TDE Wallets in Oracle GoldenGate to Oracle Key Vault
  • 20.3 Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
    • 20.3.1 About Uploading Oracle Wallets in an Oracle Data Guard Environment
    • 20.3.2 Uploading Oracle Wallets in an Oracle Data Guard Environment
    • 20.3.3 Performing an Online Master Key Connection in an Oracle Data Guard Environment
    • 20.3.4 Migrating Oracle Wallets in an Oracle Data Guard Environment
    • 20.3.5 Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
    • 20.3.6 Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
    • 20.3.7 Checking the Oracle TDE Wallet Migration for a Logical Standby Database
  • 20.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
    • 20.4.1 About Uploading Keystores from Automatic Storage Management to Oracle Key Vault
    • 20.4.2 Uploading a Keystore from Automatic Storage Management to Oracle Key Vault
    • 20.4.3 Copying a Keystore from Oracle Key Vault to Automatic Storage Management
  • 20.5 MySQL Integration with Oracle Key Vault
  • 20.6 Other Oracle Database Features That Oracle Key Vault Supports
• A Oracle Key Vault Multi-Master Cluster Operations
• B Oracle Key Vault okvutil Endpoint Utility Reference
  • B.1 About the okvutil Utility
  • B.2 okvutil Command Syntax
  • B.3 okvutil changepwd Command
  • B.4 okvutil diagnostics Command
  • B.5 okvutil download Command
  • B.6 okvutil list Command
  • B.7 okvutil upload Command
• C Troubleshooting Oracle Key Vault
  • C.1 Oracle Key Vault Pre-Installation Checklist
  • C.2 Integrating Oracle Key Vault with Oracle Audit Vault and Database Firewall
    • C.2.1 Step 1: Check the Environment
    • C.2.2 Step 2: Register Oracle Key Vault as a Secured Target with AVDF
    • C.2.3 Step 3: Register Oracle Key Vault as a Host with AVDF
    • C.2.4 Step 4: Download the AVDF Agent and Upload it to Oracle Key Vault
    • C.2.5 Step 5: Install the AVDF agent.jar File on the Oracle Key Vault Server
    • C.2.6 Step 6: Add the Oracle Key Vault Audit Trail to AVDF
    • C.2.7 Step 7: View Oracle Key Vault Audit Data Collected by AVDF
  • C.3 RESTful Services Troubleshooting Help
  • C.4 Error: Cannot Open Keystore Message
  • C.5 KMIP Error: Invalid Field
  • C.6 WARNING: Could Not Store Private Key Errors
  • C.7 Errors After Upgrading Oracle Key Vault
  • C.8 Error: Failed to Open Wallet
  • C.9 Transaction Check Error: Diagnostics Generation Utility
  • C.10 Fast-Start Failover (FSFO) Suspended (ORA-16818)
  • C.11 SSH Tunnel Add Failure
  • C.12 Error: Provision Command Fails if /usr/bin/java Does Not Exist
  • C.13 TDE Endpoint Integration Issues
  • C.14 Failover Situations in Primary-Standby Mode
    • C.14.1 About Failover Situations in Primary-Standby Mode
    • C.14.2 Failover Situations Without Read-Only Restricted Mode
      • C.14.2.1 Primary Server: Planned Shutdown During an Upgrade
      • C.14.2.2 Primary Server: Planned Shutdown During Maintenance
      • C.14.2.3 Standby Server: Planned Shutdown
      • C.14.2.4 Primary Server: Unplanned Shutdown
      • C.14.2.5 Standby Server: Unplanned Shutdown
    • C.14.3 Failover Situations with Read-Only Restricted Mode
      • C.14.3.1 Primary Server: Planned Shutdown During an Upgrade
      • C.14.3.2 Primary Server: Planned Shutdown During Maintenance
      • C.14.3.3 Standby Server: Planned Shutdown
      • C.14.3.4 Primary Server: Unplanned Shutdown
      • C.14.3.5 Standby Server: Unplanned Shutdown
  • C.15 Performing a Planned Shutdown
    • C.15.1 Primary Server Planned Shutdown
      • C.15.1.1 Performing a Primary Server Planned Shutdown During an Upgrade
      • C.15.1.2 Performing a Primary Server Planned Shutdown During Maintenance
    • C.15.2 Standby Server Planned Shutdown
      • C.15.2.1 Performing a Standby Server Planned Shutdown During an Upgrade
      • C.15.2.2 Performing a Standby Server Planned Shutdown During Maintenance
• D Security Technical Implementation Guides Compliance Standards
  • D.1 About Security Technical Implementation Guides
  • D.2 Enabling and Disabling STIG Rules on Oracle Key Vault
    • D.2.1 Enabling STIG Rules on Oracle Key Vault
    • D.2.2 Disabling STIG Rules on Oracle Key Vault
  • D.3 Current Implementation of STIG Rules on Oracle Key Vault
  • D.4 Current Implementation of Database STIG Rules
  • D.5 Current Implementation of Operating System STIG Rules
• Glossary
• Index