17 Oracle Key Vault General System Administration

General system administration refers to system management tasks for the Oracle Key Vault system, such as configuring network details and services.

17.1 Overview of Oracle Key Vault General System Administration

System administrators can perform most general administration tasks in the Oracle Key Vault management console, including finding the current status of the overall system.

17.1.1 About Oracle Key Vault General System Administration

System administrators configure the Oracle Key Vault system settings.

The Oracle Key Vault system settings include administration, local and remote monitoring, email notification, backup and recovery operations, and auditing. You must have the appropriate role for performing these tasks. Users who have the System Administrator role can perform most of the administrative tasks, and users with the Audit Manager role can configure audit settings and export audit records. In most cases, you will perform these tasks in the Oracle Key Vault management console.

To quickly find information about the current status of the Oracle Key Vault system, you can view the Oracle Key Vault dashboard.

17.1.2 Viewing the Oracle Key Vault Dashboard

The dashboard presents the current status of the Oracle Key Vault at a high level and is visible to all users.

17.1.3 Using the Status Panes in the Dashboard

The status panes on the dashboard provide useful high level information, such as links to alerts.

  1. Log in to the Oracle Key Vault management console.
    The dashboard appears in the Home tab.
  2. To take corrective action on a particular alert:
    1. Click Show Details to find a summary of the alerts.
    2. Click the link that corresponds to the alert. The appropriate page appears.
    3. Take the corrective action for the alert as necessary.
  3. To configure the alerts that you want to see on the dashboard:
    1. Click the Reports tab, and then click Alerts from the left side bar to display the Alerts page.
    2. Click Configure from the top right to display the Configure Alerts page.
    3. Select the Alert Type, check Enabled, set the Limit, and then click Save.
  4. To view managed content, click appropriate button in the panes that follow the alerts.

    These panes on the dashboard display aggregated information about security objects and other areas of the product that are currently stored and managed in Oracle Key Vault. The contents are as follows:

    • Tabs at the top of the page for you to perform various tasks. For example, to create a new endpoint, you click the Endpoints tab.
    • Alerts enables you to access alerts. Fin more information by clicking Show Details or All Alerts.
    • Managed Entities enables you to find the status of these categories: Endpoints; Endpoint Groups; Users; User Groups; Keys, Secrets & Objects; Wallets. Each categories indicates how many of that category's item is configured. For example, if the system has 23 endpoints, then 23 appears above the Endpoints label. To find and modify the details of these endpoints, click the Endpoints label.
    • Managed Keys, Secrets & Objects shows the different details of each of the supported security objects: TDE Master Encryption Keys, MySQL Master Encryption Keys, DB Passwords, Secret Data, Symmetric Keys, Opaque Objects, GoldenGate Master Keys, ACFS Volume Encryption Keys. Similar to the Managed Entities contents, to find and modify the details about a security object, click on its label.
    • System Overview provides information about the installation: Deployment Mode, Service Status, Used Disk Space, and CPU Utilization.
    • Endpoints provides a status and count of the Type (Oracle Database, Oracle Non-Database, Non-Oracle) and Status (Registered, Enrolled, Suspended) of the registered endpoints.
    • Keys, Secrets State provides a status and count of these objects: Pre-Active, Active, Deactivated, Compromised, Destroyed, Destroyed Compromised.

    Throughout this page, the item type and item state are displayed at the last time refreshed.

17.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment

On the system Settings page, you can configure the network settings for either a standalone environment or a primary-standby environment.

17.2.1 Configuring the Network Details

In a non-multi-master cluster environment, you can configure the network details from any Oracle Key Vault management console.

If you have a high availability configuration, then you must unpair the primary and standby Oracle Key Vault servers before changing the IP address. After you have changed the IP address of the primary or standby Oracle Key Vault server, pair the two servers again. After you complete the pairing process, re-enroll the Oracle Key Vault endpoints to ensure that they are updated with the new IP addresses for both the primary and the standby Oracle Key Vault servers.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In Network Details area, click Network Info.
    The Network Details area appearance depends on whether you are using Classic mode or Dual NIC mode.
  4. Update the values for the following fields:
    • Host Name: Enter the name of the server.
    • IP Address: Enter the IP address of the server.
    • Network Mask: Enter the network mask of the server.
    • Gateway: Enter the network gateway of the server.
    The fields in this pane are automatically populated with the IP address and host name of your Oracle Key Vault server. But if you want, then you can update the Host Name, IP Address, Network Mask, and the Gateway for the Oracle Key Vault installation.
    You cannot change the MAC Address and Network Mode settings. If you are using Dual NIC mode, then the same applies: you cannot change the Bonding Mode, Active Interface, and Backup Interface settings, but these values are useful if you want to check their status.
  5. Click Save.

17.2.2 Configuring the Network Services

In a non-multi-master cluster, you can configure the network services from any Oracle Key Vault management console.

You can enable services for Web Access and SSH Access (Secure Shell Access) for all, none, or a subset of clients, determined by their IP addresses.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Web Access.
  4. Select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.
  5. Click Save.
  6. To set the SSH access, in the Settings page under Network Details, select SSH Access.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    As a best practice, enable SSH access for short durations, solely for diagnostic, troubleshooting, or upgrade purposes, and then disable it as soon as you are done.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

  7. In the SSH Access window, enter the following settings:
    • Disabled to disable all IP addresses SSH access
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space.
    • All to enable SSH access from all IP addresses.
  8. Click Save.

17.2.3 Configuring the System Time

In a non-multi-master cluster environment, you can set the system time for the Oracle Key Vault system.

You can configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. (Fields for up to three servers are provided.) If an NTP server is not available, then you can set the current time manually. You should use the calendar icon to set the date and time so that these values are stored in the correct format. In a primary-standby deployment, you must set the primary and standby servers to the same time. If you want to save an NTP server using its host name, then ensure that you have already configured DNS.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click NTP to display the System Time window.

    The following screen shows a partial view of the System Time window. NTP Server 3 has the same settings as NTP Server 2.

    Description of 21_network_time.png follows
    Description of the illustration 21_network_time.png
  4. Enter up to three NTP server IP addresses, and then click Save.
    If you plan to use host names for the NTP servers, then you must configure DNS beforehand.
  5. If necessary, return to the System Settings page by select System Settings under the System tab.
  6. Choose Use Network Time Protocol.
  7. Enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  8. Click Save.

Related Topics

17.2.4 Configuring DNS

In a non-multi-master cluster environment, you can enter up to three DNS server IP addresses.

You can configure up to three domain name service (DNS) servers with IP addresses that Oracle Key Vault will use to resolve host names. This is useful if you only know the host name and not the IP address of a server you need access to. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP address, after you set up DNS.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.
  4. Enter up to three IP addresses for DNS servers.
    You must at minimum configure the DNS setting for Server 1.
  5. Click Save.

17.2.5 Configuring FIPS Mode

In a non-multi-master cluster environment, you can enable or disable FIPS mode for Oracle Key Vault.

In a primary-standby environment, ensure that both servers are consistent in their FIPS mode setting: either both are enabled, or both are disabled.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click FIPS.
  4. Do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  5. Click Save.
    After you click Save, a confirmation dialog box will appear.
  6. In the confirmation dialog box, click OK to apply the changes and restart the Oracle Key Vault system.
    If you click OK, be aware that the operation cannot be canceled. The restart operation takes place immediately.

17.2.6 Configuring Syslog

In a non-multi-master cluster environment, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

All system related alerts are sent to syslog.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Syslog.
  4. Select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  5. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  6. Click Save.

17.2.7 Changing the Network Interface Mode

You can switch between dual NIC mode and classic mode for the network interface.

You can both switch the network mode and update the IP information. If you are using a primary/standby configuration, then you cannot change this mode. You first configured the network interface mode when you installed the Oracle Key Vault appliance software.
  1. Log in to the Oracle Key Vault server as the support user.
  2. Switch to the root user.
    su - root
  3. At the command line, execute the following script:
    /usr/local/okv/bin/okv_configure_network
  4. In the Select Network Mode window, select the network interface that you want to use, and then select OK.
  5. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, used in previous releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. You cannot change the mode if you are using a multi-master cluster or primary/standby configuration. Choose this option if the server has only one network card.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  6. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or ethernet ports. It is useful as a guard against physical or software failures and adds redundancy to the network layer. Select the dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node may lose connectivity and risk missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
You do not need to restart Oracle Key Vault after changing the network mode.

17.2.8 Configuring RESTful Services

In a non-multi-master cluster environment, you can enable or disable RESTful services.

RESTful services allow you to automate endpoint enrollment and provisioning. RESTful services also support regular key management activities.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click RESTful Services.
  4. Select the Enable checkbox in the RESTful Services section.
    To disable RESTful services, clear the Enable checkbox.
  5. Click Save.

17.2.9 Configuring Oracle Audit Vault Integration

In a non-multi-master cluster environment, you can enable Oracle Key Vault to send data to Oracle Audit Vault for centralized audit reporting and alerting.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Audit Vault.
  4. Select the Enable check box.
  5. When prompted, enter the Oracle Audit Vault Super Administrator password.
  6. Click Save.

17.2.10 Configuring the Oracle Key Vault Management Console Web Session Timeout

In a non-multi-master cluster environment, you can configure a timeout value in minutes for the Oracle Key Vault management console Web session.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Console Timeout.
  4. Enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save.
    After you click Save, for the currently active user Web session as well as for other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, the user will be notified, starting earlier if the timeout value is larger, and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

17.2.11 Restarting or Powering Off Oracle Key Vault

You can manually restart or power off Oracle Key Vault as required for maintenance or for patch and upgrade procedures.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Status from the left navigation bar.
  3. Go to the top of the Status page.
  4. Do one of the following:
    • To restart, click Reboot.
    • To power off, click Power Off.

17.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment

When you configure Oracle Key Vault in a multi-master cluster environment, you can configure either individual nodes or the entire multi-master cluster environment.

17.3.1 About Configuring Oracle Key Vault in a Multi-Master Cluster Environment

You have the option of configuring settings for individual nodes or the entire multi-master cluster.

Some of the settings for individual nodes and the entire cluster are the same. For example, you can set the DNS for an individual node or for an entire cluster. Any values that are set and saved to an individual node will not be overridden by cluster settings. When you set a value for the entire cluster, it may take several minutes for changes to propagate to other nodes.

When you start the configuration, you have the choice of setting the following View Settings menu options:

  • Node only means that the setting can be set only on that node and will apply to only node.
  • Cluster only means that the setting is a cluster-wide setting and updating it will change the settings across the cluster.
  • Both means that the setting can be set at both node level and cluster level. For these settings, you can navigate between node and cluster settings by using the right arrow button that is present in the respective setting page. For example, if you select DNS, then you can configure DNS settings for both individual nodes and for the entire cluster, in one operation.
  • All shows all the available settings without any filter.

17.3.2 Configuring System Settings for Individual Multi-Master Cluster Nodes

You can set or change settings that apply to the cluster node.

Examples of these settings are the network details, network services, system time, FIPS mode, syslog, and Oracle Audit Vault integration. Values set for the node override the cluster setting.  However, you can clear any individual node setting to revert to the cluster setting.

17.3.2.1 Configuring the Network Details for the Node

In a multi-master cluster, you can change the host name for a node.

  1. Log into any Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Network Info.
  4. In the Host Name field, enter the name of the host name for the node.
    You cannot modify the IP Address, Network Mask, Gateway, and MAC Address fields, which are automatically populated.
  5. Click Save.
17.3.2.2 Configuring the Network Services for the Node

In a multi-master cluster, you can configure the network services for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Web Access.
  4. Select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.
  5. Click Save.
  6. To set the SSH access, in the Settings page under Network Details, select SSH Access.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    As a best practice, enable SSH access for short durations, solely for diagnostic, troubleshooting, or upgrade purposes, and then disable it as soon as you are done.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

  7. In the SSH Access window, enter the following settings:
    • Disabled to disable all IP addresses SSH access
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space.
    • All to enable SSH access from all IP addresses.
  8. Click Save.
17.3.2.3 Configuring the System Time for the Node

In a multi-master cluster, you can set the system time for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. If you want to configure NTP servers using their host names, then ensure that DNS is configured first.
  4. If necessary, return to the system settings page by select Settings under the System tab.
  5. In the Network Services area, click NTP.
    In cluster mode, you must use the Network Time Protocol (NTP), so you cannot change the selection from Use Network Time Protocol to Set Manually.
  6. In the System Time window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  7. In the Node Details - Effective on this Node page, enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time for the node to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time for the node at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  8. Click Save (or Save to Cluster).
17.3.2.4 Configuring DNS for the Node

When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.
  4. In the DNS window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node window, enter up to three DNS server IP addresses.
    While only the first value is required, two entries are recommended for fault tolerance.
  6. Click Save.
17.3.2.5 Configuring the FIPS Mode for the Node

All multi-master cluster nodes must use the same FIPS mode setting or you will receive an alert.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click FIPS.
  4. In the FIPS Mode window, do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  5. Click Save.
    After you click Save, Oracle Key Vault will restart automatically.
17.3.2.6 Configuring Syslog for the Node

In a node, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Syslog.
  4. In the Syslog window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  6. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  7. Click Save.
17.3.2.7 Changing the Network Interface Mode for the Node

You can switch between dual NIC mode and classic mode for the network interface for a node in a multi-master cluster environment.

If you are using a primary/standby configuration, then you cannot change this mode. You first configured the network interface mode when you installed the Oracle Key Vault appliance software. Note that the cluster node must be disabled before you can change its network mode.
  1. Log in to the Oracle Key Vault management console as a user who has the System Management role.
  2. Disable the cluster node.
  3. At the command line, connect as the support user.
  4. Switch to the root user.
    su - root
  5. At the command line, execute the following script:
    /usr/local/okv/bin/okv_configure_network
  6. In the Select Network Mode window, select the network interface that you want to use, and then select OK.
  7. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, used in previous releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. You cannot change the mode if you are using a multi-master cluster or primary/standby configuration. Choose this option if the server has only one network card.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  8. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or ethernet ports. It is useful as a guard against physical or software failures and adds redundancy to the network layer. Select the dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node may lose connectivity and risk missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
  9. Re-enable the disabled cluster node.
You do not need to restart Oracle Key Vault after changing the network mode.
17.3.2.8 Configuring Auditing for the Node

You can enable or disable audit settings for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Auditing.
    You can enable or disable the following auditing categories:
    • Enable Auditing: This setting will turn the auditing on or off. Turning off this setting will not generate audit records.
    • Replicate Audit Records: This setting applies only to a cluster configuration. It indicates if the audit records are replicated across the cluster nodes.
    • Send Audit Records to Syslog: This setting writes the audit records to syslog. To enable this setting, you must first configure the syslog destination.
  4. In the Audit Settings window for each of these categories, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select Yes or No for each category.
  6. Click Save.
17.3.2.9 Configuring SNMP Settings for the Node

You can enable or disable SNMP access for a multi-master cluster node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click SNMP.
  4. In the SNMP window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  6. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  7. Click Save.
    Alternatively, you can select Delete to remove the SNMP setting.
17.3.2.10 Configuring Oracle Audit Vault Integration for the Node

You can configure the integration of Oracle Audit Vault (but not the Database Firewall component) for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Audit Vault.
  4. In the Audit Vault Integration window, select the Enable check box to enable Oracle Audit Vault Integration for the node.
  5. In the Password and Reenter password fields that appear after you click Enable, enter the password of the user in the database that Audit Vault and Database Firewall will use to extract the audit records.
  6. Click Save.
17.3.2.11 Restarting or Powering Off Oracle Key Vault from a Node

You can manually restart or power off an Oracle Key Vault node as required for maintenance or for patch and upgrade procedures.

When you restart or power-off Oracle Key Vault nodes, only the current node is restarted or powered-off. The other nodes in the cluster are unable to send information to and from the nodes that are powered off. When the nodes are restarted, there will be a period needed for the restarted nodes to catch up on activities that took place while they were down.
  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Status from the left navigation bar.
  3. At the top of the Status page, do one of the following to restart or power off the node:
    • To restart, click Reboot.
    • To power off, click Power Off.

17.3.3 Configuring System Settings for the Entire Multi-Master Cluster

You can create, configure, manage, and administer an Oracle Key Vault multi-master cluster by using the Oracle Key Vault management console.

17.3.3.1 Configuring the System Time for the Cluster

When you configure the system time, you can set it for multiple servers and also set the synchronization.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click NTP.
  4. In the System Time page, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, enter values for the following fields:
    • Synchronize After Save: This synchronizes the time across the cluster after you save the settings.

    • Synchronize Periodically: This synchronizes the time across the cluster at a predetermined interval. Once selected and applied, this option cannot be deselected.

    • Server 1: Enter the IP address of a NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 2: Enter the IP address of a second NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 3: Enter the IP address of a third NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

  6. Click Save.
17.3.3.2 Configuring DNS for the Cluster

When you configure the DNS for a cluster, you can enter up to three DNS server IP addresses.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.
  4. In the DNS window, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, enter up to three DNS Server IP addresses.
  6. Click Save.
17.3.3.3 Configuring Maximum Disable Node Duration for the Cluster

You can set the maximum node duration time for the cluster in hours.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Maximum Disable Node Duration.
  4. In the Maximum Disable Node Duration window, enter a value, in hours, for the duration that a node can be disabled before it is evicted from the cluster.
    Note that as this value is increased, the average amount of disk space consumed by cluster-related data also increases.
  5. Click Save.
17.3.3.4 Configuring Syslog for the Cluster

In a multi-master cluster environment, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitor and Alerts area, click Syslog.
  4. In the Syslog page, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  6. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  7. Click Save.
17.3.3.5 Configuring RESTful Services for the Cluster

You can enable or disable RESTful Services for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click RESTful Services.
  4. In the RESTful Services window, select the Enable check box.
  5. Click Save.
17.3.3.6 Configuring Auditing for the Cluster

You can enable or disable audit settings for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Auditing.
    You can enable or disable the following auditing categories:
    • Enable Auditing: This setting will turn the auditing on or off. Turning off this setting will not generate audit records.
    • Replicate Audit Records: This setting applies only to a cluster configuration. It indicates if the audit records are replicated across the cluster nodes.
    • Send Audit Records to Syslog: This setting writes the audit records to syslog. To enable this setting, you must first configure the syslog destination.
  4. In the Audit Settings page, for each of these categories, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, select Yes or No for each category.
  6. Click Save.
17.3.3.7 Configuring SNMP Settings for the Cluster

You can enable or disable SNMP access for a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click SNMP.
  4. Select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  5. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  6. Click Save.
    Alternatively, you can select Delete to remove the SNMP setting.
17.3.3.8 Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster

You can configure a timeout value in minutes for the Oracle Key Vault management console for all nodes in a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Console Timeout.
  4. In the Management Console Timeout window, enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save.
    After you click Save,the setting is applied to all nodes in the cluster. For the currently active user Web session as well as for other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, the user will be notified, starting earlier if the timeout value is larger, and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

17.4 Managing System Recovery

System recovery includes tasks such as recovering lost administrative passwords.

17.4.1 About Managing System Recovery

To perform system recovery, you use the recovery passphrase.

In an emergency when no administrative users are available, or you must change the password of administrative users, you can recover the system with the recovery passphrase that was created during Oracle Key Vault installation. In addition, you can change the recovery passphrase to keep up with security best practices.

17.4.2 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault installation.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the page.
  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.
  5. In the page that appears, select the Administrator Recovery tab.
  6. Fill out the fields in the Key Administrator, System Administrator, and Audit Manager panes to assign these roles to new or existing user accounts.
  7. Click Save.

17.4.3 Changing the Recovery Passphrase in a Non-Clusters Environment

Periodically changing the recovery passphrase is a good security practice.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.
  1. Perform a server backup.
  2. From a web browser, enter the IP address of your Oracle Key Vault installation.
  3. In the Oracle Key Vault login page, do not log in.
  4. Click the System Recovery link.

    A new login page appears with a single field: Recovery Passphrase.

  5. Enter the recovery passphrase and then click Login.
  6. Select the Recovery Passphrase tab.
  7. In the Recovery Passphrase page, enter and re-enter a new password for the recovery passphrase.
  8. Click Submit.

17.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster

Changing the recovery passphrase in a multi-master cluster is a two-step process.

To change the recovery passphrase for a multi-master cluster, you must first initiate the change throughout the nodes in the multi-master cluster environment before changing the recovery passphrase.

17.4.4.1 Step 1: Initiate the Recovery Passphrase Change Across the Nodes

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes.

This is so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data. First, you must initiate the change for the recovery passphrase so that all nodes in the multi-master cluster will be notified of the impending change.
  1. Perform a server backup.
  2. Ensure that all nodes are in the ACTIVE state and replication has been verified between all nodes. Ensure that there are no cluster operations going on (such as adding a node).
  3. From a web browser, enter the IP address of the Oracle Key Vault installation that is not in read-only restricted mode.
  4. In the Oracle Key Vault login page, do not log in.
  5. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  6. Enter the recovery passphrase and click Login.
  7. Click the Recovery Passphrase tab.
  8. Click the Initiate Change button.
  9. Log out.
  10. Wait 3 to 4 minutes before continuing.

    During this time, all nodes will be notified that a passphrase change will be performed. To cancel a passphrase change, click the Reset button.

    All nodes will determine if more than one passphrase change has been initiated. If more than one passphrase change has been initiated, conflict resolution will be performed.

    After you cancel a passphrase change by using the Reset button, Oracle recommends that you remedy the issue and again initiate a passphrase change, making sure to then change the passphrase on every node in the cluster.

17.4.4.2 Step 2: Change the Recovery Passphrase

After the multi-master cluster nodes have been notified of the impending recovery passphrase change, you can change the recovery passphrase.

  1. From a Web browser, enter the IP address of a multi-master cluster node in the Oracle Key Vault installation.
    You can find a list of available nodes in the Oracle Key Vault management console by selecting the Clusters tab and then checking the Cluster Details section.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.
  4. Enter the recovery passphrase and click Login.
  5. Click the Recovery Passphrase tab.
  6. Enter the new recovery passphrase in the two fields.
  7. Click Submit.
  8. Repeat these steps for each node in the cluster.

    Note:

    HSM reverse migrate cannot run when the recovery passphrase is being changed.

    Caution:

    It is your responsibility to keep the recovery passphrase the same on all nodes in the cluster. If you set the recovery passphrase differently on cluster nodes it will negatively impact cluster functionality, such as adding nodes and HSM-enabling nodes. In addition to the addition of nodes and nodes being HSM-enabled, certificate rotation in a multi-master cluster depends on all nodes having the same recovery passphrase.

17.5 Support for a Primary-Standby Environment

To ensure that Oracle Key Vault can always access security objects, you can deploy Oracle Key Vault in a primary-standby (highly available) configuration.

This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault servers in a primary-standby configuration. The primary server services the requests that come from endpoints. If the primary server fails, then the standby server takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

The primary-standby configuration was previously known as the high availability configuration. The primary-standby configuration and the multi-master cluster configuration are mutually exclusive.

Oracle Key Vault supports primary-standby read-only restricted mode. When the primary server is affected by server, hardware, or network failures, primary-standby read-only restricted mode ensures that an Oracle Key Vault server is available to service endpoints, thus ensuring operational continuity. However, key and sensitive operations, such as generation of keys are disabled, while operations such as generation of audit logs are unaffected.

When an unplanned shutdown makes the standby server unreachable, the primary server is still available to the endpoints in read-only mode.

17.6 Commercial National Security Algorithm Suite Support

You can use scripts to perform Commercial National Security Algorithm (CNSA) operations for Oracle Key Vault HSM backup and upgrade operations.

17.6.1 About Commercial National Security Algorithm Suite Support

You can configure Oracle Key Vault for compliance with the Commercial National Security Algorithm (CNSA) Suite.

This compliance applies to TLS connections to and from the Oracle Key Vault appliance.

The CNSA suite is a list of strong encryption algorithms and key lengths, that offer greater security and relevance into the future.

Oracle Key Vault release 12.2 BP3 and later do not provide complete compliance across every component in the system. You will be able to switch to the CNSA algorithms, where available by means of the following scripts that are packaged with the Oracle Key Vault ISO:

  • /usr/local/okv/bin/okv_cnsa makes configuration file changes to update as many components as possible to use the enhanced algorithms.

  • /usr/local/okv/bin/okv_cnsa_cert regenerates CNSA compliant public key pairs and certificates.

    Note:

    The /usr/local/okv/bin/okv_cnsa and /usr/local/okv/bin/okv_cnsa_cert scripts are both disruptive because they replace the old key pairs with new ones. This has consequences for the following operations:
    • Endpoint Enrollment: Enroll endpoints after running this script when possible. If you had endpoints enrolled before running the CNSA script, you must re-enroll them so that fresh CNSA compliant keys are generated using CNSA algorithms.

    • Primary-Standby: Run the CNSA scripts on both Oracle Key Vault instances before pairing them in a primary-standby configuration when possible. If you had primary-standby before you run the CNSA scripts, then you must re-configure primary-standby as follows: unpair the primary and standby servers, reinstall the standby server, run the CNSA scripts individually on each server, and then pair them again.

Limitations:

  • CNSA compliance is not supported for all components in the Oracle Key Vault infrastructure (for example, SSH or Transparent Data Encryption (TDE)).

  • The Firefox browser is not supported for use with the Oracle Key Vault management console when CNSA is enabled. This is because the Firefox browser does not support CNSA-approved cipher suites.

17.6.2 Running the Commercial National Security Algorithm Scripts

The Commercial National Security Algorithm (CNSA) scripts update the okv_security.conf file.

  1. Back up Oracle Key Vault.
  2. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.

  3. SSH into the Oracle Key Vault server as the support user, entering the support user password that was created during post-installation, when prompted.
     $ ssh support@okv_instance
  4. Change to the root user:
    $  su root
  5. Run the scripts as follows:
    root#  /usr/local/okv/bin/okv_cnsa
    root#  /usr/local/okv/bin/okv_cnsa_cert
  6. Disable SSH access and then restart the Oracle Key Vault server.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save. Restart the Oracle Key Vault server by selecting the System tab, then Status. Click Reboot on the top right.

The scripts update the /usr/local/okv/etc/okv_security.conf with the following line:
USE_ENHANCED_ALGORITHMS_ONLY="1"

17.6.3 Performing Backup and Restore Operations with CNSA

After you back up and restore Oracle Key Vault, use /usr/local/okv/bin/okv_cnsa to use the enhanced Commercial National Security Algorithm (CNSA) Suite.

  1. Perform the backup and restore operation.
  2. Wait until the restore operation is complete and the system has restarted.
    Do not proceed without completing this step.
  3. SSH into the Oracle Key Vault server as the support user:
     $ ssh support@okv_instance
  4. Switch to the root user:
    $ su root
  5. Run the following CNSA script :
     root#  /usr/local/okv/bin/okv_cnsa
    

17.6.4 Upgrading a Standalone Oracle Key Vault Server with CNSA

You can upgrade a standalone Oracle Key Vault while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Do not proceed without completing this step.
  2. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  3. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.

  4. Ensure you have enough space in the destination directory for the upgrade ISO files.
  5. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
  6. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
    scp remote_host:remote_path/okv-upgrade-disc-new_software_release_number.iso /var/lib/oracle/destination_directory_for_iso_file

    In this specification:

    • remote_host is the IP address of the computer containing the ISO upgrade file.
    • remote_path is the location of the ISO upgrade file.
  7. Make the upgrade accessible by using the mount command:
    root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-new_software_release_number.iso /images
  8. Clear the cache using the clean all command:
    root# yum -c /images/upgrade.repo clean all
  9. Execute the following upgrade ruby script:
    root# /usr/bin/ruby/images/upgrade.rb --confirm

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes

    If you see an error message, then check the log file /var/log/messages for additional information.

  10. Run the first CNSA script, which is available from the Oracle Key Vault ISO files location:
     root#  /usr/local/okv/bin/okv_cnsa
  11. Restart the Oracle Key Vault server:
    root# /sbin/reboot

    On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.

    The upgrade is completed when the screen with heading: Oracle Key Vault Server release_number installation has completed. The release_number value should reflect the upgraded release.

  12. Confirm that Oracle Key Vault has been upgraded to the correct version.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select Status.
    3. Verify that the version displayed is that of the new software release.
      The release number is also at the bottom of each page, to the right of the copyright information.
  13. Disable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.

17.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA

You can upgrade Oracle Key Vault primary-standby servers while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

You must perform the upgrade standby and primary servers in one session with as little time between the standby and primary upgrade as possible. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.
  1. Prepare for the upgrade.
    • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

    • Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.

    • Ensure that both the primary and standby systems have 8 GB memory.

  2. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    You can use Oracle Backup and Recovery (Oracle RMAN) to perform this backup. Ensure that in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, that no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), since these new keys will not included in the backup.
    Do not proceed without completing this step.
  3. First, upgrade the standby server while the primary server is running.

    Follow Steps 2 through Step 11 of the standalone server upgrade process for CNSA.

  4. Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
  5. Upgrade the primary Oracle Key Vault server following Steps 1 through 11 of the standalone server upgrade.

    After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.

  6. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  7. Select the System tab, and then Status.
  8. Verify that the Version field displays the new software version release number.

17.7 Minimizing Downtime

Business-critical operations require data to be accessible and recoverable with minimum downtime.

You can configure Oracle Key Vault to ensure minimum downtime in the following ways:

  • Configuring a multi-master cluster: You can configure a multi-master cluster by adding redundancy in the form of additional nodes. The client can access any available node. In the event of a failure of any node, a client will automatically connect to another node in the endpoint node scan list. This reduces and potentially eliminates downtime.

  • Configuring a primary-standby environment: A primary-standby environment is configured by adding redundancy in the form of a standby server. The standby server takes over from the primary server in the event of a failure, thus eliminating single points of failure, and minimizing downtime.

  • Enabling read-only restricted mode: Primary-standby read-only restricted mode ensures endpoint operational continuity when primary or standby Oracle Key Vault servers are affected by server, hardware, or network failures. When an unplanned shutdown causes the standby server to become unreachable, the primary server is still available to the endpoints.

    If primary-standby read-only restricted mode is disabled, then the primary server will become unavailable and stop accepting requests in the event of a standby failure. Endpoints connected to Oracle Key Vault are unable to retrieve keys until connectivity is restored between primary and standby servers.

    To ensure endpoint operational continuity in the event of a primary or standby server failure, enable read-only restricted mode.

  • Enabling persistent master encryption key cache: The persistent master encryption key cache ensures that the endpoints can access keys in the event of a primary or standby server failure. While the surviving server is taking over from the failed peer, the endpoints can retrieve keys from the persistent cache and continue operations normally.

  • Apply the TDE heartbeat database patch on endpoints: Apply the database patch for Bug 22734547 to tune the Oracle Key Vault heartbeat.

Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and enable it to be fully operational with minimum downtime and data loss.

If the Oracle Key Vault installation uses an online master key (formerly known as TDE direct connect), then during an upgrade, ensure that you upgrade database endpoints in parallel to reduce total downtime.