10 Managing LDAP User Authentication and Authorization in Oracle Key Vault

You can configure a connection between Oracle Key Vault and an LDAP server (currently Microsoft Active Directory) so that their users can access Oracle Key Vault.

10.1 About Managing LDAP User Authentication and Authorization in Oracle Key Vault

You can configure Oracle Key Vault users to be centrally managed in the configured LDAP directory server.

Oracle Key Vault supports only Microsoft Active Directory as an LDAP provider. This type of configuration enables you to manage authentication and authorization of Oracle Key Vault users in an LDAP directory server so that LDAP users can perform the following operations:

  • Log in to the Oracle Key Vault management console and perform administrative tasks for which they are authorized.
  • Run Oracle Key Vault RESTful services commands at the command line.

In a large enterprise, centrally managing users and their authorization not only brings operational efficiencies in user management but also significantly improves compliance, control, and security. For example, when terminating an employee, an LDAP administrator can lock the user's account in the LDAP directory server to end the employee’s access to various systems, including Oracle Key Vault.

By centrally managing Oracle Key Vault users in an LDAP directory server, you eliminate the need to maintain user account policies and password policies for LDAP users in each Oracle Key Vault instance. Instead, you can manage these policies centrally in the LDAP directory server.

This feature implements automatic provisioning of LDAP users in Oracle Key Vault. When an LDAP user successfully logs in to Oracle Key Vault the first time, Oracle Key Vault automatically creates an Oracle Key Vault user account for this user, based on the user account information from the LDAP directory server. You cannot modify this user account except for granting or revoking Oracle Key Vault privileges. Other changes to the user account, such as changing the user's password, must be performed on the actual account in its LDAP directory server. The automatic provisioning of users is not only beneficial for new Oracle Key Vault deployments but also when access to an existing Oracle Key Vault deployment must be granted to other employees, including provisioning of new employees.

To enable authentication and authorization of LDAP users with Oracle Key Vault, an Oracle Key Vault administrator must perform the following configuration in Oracle Key Vault:

  1. Configure a connection to LDAP directory server.
  2. Map one or more Oracle Key Vault administrative roles or user groups with LDAP groups.

Most of the configuration work is performed by an Oracle Key Vault administrator using the Oracle Key Vault management console.

The general process for using Oracle Key Vault in an LDAP directory server is as follows:

  1. An administrator for the LDAP directory server identifies the LDAP users who need access to Oracle Key Vault, along with their authorization requirements in Oracle Key Vault. This administrator configures one or more LDAP groups, depending on the required separation of roles and duties of these users. This administrator then assigns specific users to respective LDAP groups.
  2. To enable the Oracle Key Vault administrator to configure a connection to the LDAP directory server, the LDAP administrator creates an LDAP user account (called service directory user). Oracle Key Vault uses this user account to connect to the LDAP directory server and fetch the necessary information from the LDAP directory server during the user login process. The LDAP administrator provides the details of this LDAP user as well as the trust certificate of the LDAP directory server to an Oracle Key Vault administrator.
  3. The Oracle Key Vault administrator uses the Oracle Key Vault management console to configure the connection between Oracle Key Vault and the LDAP directory server.
  4. The Oracle Key Vault administrator then maps each LDAP group to the appropriate Oracle Key Vault user group or administrative role. These user groups must be granted the appropriate privileges that you want the LDAP user to have. The privileges of these users in Oracle Key Vault are determined based on the Oracle Key Vault administrative roles or user groups that are mapped to the user’s LDAP groups. For example, if the Oracle Key Vault group has been granted the Audit Manager role, then the LDAP user will be indirectly granted the Audit Manager role.
  5. The LDAP users are now able to log in to Oracle Key Vault and perform tasks for which they are authorized. After first successful login, a new user account is automatically created in Oracle Key Vault.
  6. In addition to the administrative roles and privileges granted to the user through LDAP group mappings, you can directly grant privileges to LDAP user account after it has been created in Oracle Key Vault.

Authorization for an LDAP user session is a combination of the authorization granted through the LDAP groups as well as the authorization that is granted to the LDAP user locally. Authorization through LDAP groups is granted at login time and is effective only for that session. During logon of an LDAP user, Oracle Key Vault fetches the user's LDAP groups from the directory server and determines the mapped administrative roles and groups that are effective for the current user session. The set of these mapped user groups is referred to as the effective user group membership of the LDAP user.

Note that you cannot add an LDAP user as a member of an Oracle Key Vault user group directly.

Any changes to the user’s membership in the LDAP groups or to the mapping between the user’s LDAP groups and Oracle Key Vault user groups or administrative roles do not affect the administrative roles and user group memberships that are currently effective for the existing user sessions. However, any changes to the privileges that have been granted to or revoked from the Oracle Key Vault user groups take effect immediately and apply to all existing sessions.

Note the following:

  • You can perform the LDAP configuration with a Microsoft Active Directory version that supports the LDAP-v3 protocol.
  • You can perform the LDAP configuration in a primary-standby environment. No special configuration is necessary.
  • In multi-master cluster environments, the LDAP configuration is effective on all cluster nodes. You can also configure node-specific LDAP directory server hosts.
  • For LDAP directory servers that support multiple domains, access to users from different domains is enabled by setting up multiple LDAP configurations, one for each domain.

10.2 Privilege Grants and Revokes for LDAP Users

LDAP users have limited access to Oracle Key Vault role and privilege grants.

Note the following restrictions with regard to LDAP users, Oracle Key Vault user groups, endpoint privileges, and wallet privileges:

  • You cannot directly add an LDAP user as a member of an Oracle Key Vault user group.
  • Because the endpoint privileges (Create Endpoint, Manage Endpoint, Create Endpoint Group, and Manage Endpoint Group) cannot be granted to Oracle Key Vault user groups, LDAP users cannot have access to these privileges.
  • After the LDAP user is created in Oracle Key Vault, this user can be granted wallet privileges locally. However, the LDAP user cannot be directly granted endpoint or endpoint group privileges.
  • Administrator roles cannot be directly granted to an LDAP user account in Oracle Key Vault. LDAP users cannot be granted endpoint privileges either directly or through an Oracle Key Vault user group.

10.3 Configuring the LDAP Directory Server Connection to Oracle Key Vault

Both the LDAP administrator and Oracle Key Vault administrator play a role in configuring the LDAP directory server connection to Oracle Key Vault.

10.3.1 Step 1: Prepare the LDAP Directory Server

Before the Oracle Key Vault administrator can create a connection to an LDAP directory server, the LDAP administrator must perform preparation tasks.

  1. As the LDAP administrator (or a user who has the appropriate privileges), log in to the LDAP directory server.
  2. Create or designate existing LDAP groups that you want to map to Oracle Key Vault.
  3. Assign users to these LDAP groups.
    The group will determine the privileges that its member users will have in Oracle Key Vault when the connection configuration is complete. If a user must have specific privileges that are not covered by any existing LDAP groups, then create a specific group for this user.
  4. Create a service directory user account if such an account does not yet exist, and then provide this account name and its password to the Oracle Key Vault administrator.
    This service directory user account will be used in the LDAP configuration that the Oracle Key Vault administrator will create. Oracle Key Vault will use this account to perform necessary LDAP actions, such as searches. If this user account changes in the future, then notify the Oracle Key Vault administrator immediately.
  5. Obtain the trust certificate for the LDAP directory server and then provide this certificate to the Oracle Key Vault administrator.
    This certificate will be used in the LDAP configuration that the Oracle Key Vault administrator will create.

10.3.2 Step 2: Create the LDAP Connection in Oracle Key Vault

An Oracle Key Vault user who has the System Administrator role uses the Oracle Key Vault management console to create the LDAP connection.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Click Add to display the Add LDAP Configuration page.
  5. Enter the following settings:
    • Configuration Name: Enter a name for the LDAP configuration. The maximum character length is 120 bytes.
    • Directory Type: Ensure that Microsoft Active Directory is selected from this list.
    • Service Directory User Name: Enter the service directory user account that the LDAP administrator provided. You can enter this name using any of the following formats:
      • NetBIOS Domain Name\Account Name: For example, global\johndoe
      • User principal name: For example, johndoe@example.com
    • Service Directory User Password: Enter the password that the LDAP administrator provided with the service directory user account. If the password changes in the LDAP directory server, you must update it in Oracle Key Vault.
    • Hostname: Enter either a host name or an IP address for the Microsoft Active Directory domain controller (server) that will service the client requests.
    • LDAPS Port: Enter the port number. The default, 636, is the standard port number for LDAP over Secure Sockets Layer (SSL), that is, LDAPS connections.
    • Trusted Certificate: Paste the server trust certificate of the LDAP directory server that the LDAP administrator provided.
    • Domain Name: This setting is auto-populated when you complete the preceding settings and click the Get Domain Name button. This is the name of the Microsoft Active Directory domain of which the specified host (domain controller) is a member. You cannot change this setting.
    • Search Base DN: This setting is auto-populated when you complete the preceding settings and click the Get Domain Name button. It represents a distinguished name of the search base object, which defines the location in the directory from which the LDAP search begins. This setting is useful for environments where the number of users and groups in a directory is very large, and if the users and groups that are relevant for managing Oracle Key Vault access are placed under this directory container. Setting the base DN to this directory container can help to improve performance for user and group searches. Optionally, modify this search base.
    • Defunct LDAP Users Grace Period (in days): Enter the duration in days after which the users deleted in LDAP directory server are automatically deleted from Oracle Key Vault. This value also defines the duration after which the users whose LDAP configuration no longer exists are deleted from Oracle Key Vault automatically. The default is 15 days.
  6. Click Test Connection to ensure that the connection works.
  7. Click Add to complete the configuration.
    The Manage LDAP Configuration page appears, with the new configuration listed under LDAP Configuration Name.

10.3.3 Step 3: Map LDAP Groups to Oracle Key Vault User Groups

An Oracle Key Vault user who has the Key Administrator role can map LDAP groups to Oracle Key Vault user groups or administrative roles.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Configure the Oracle Key Vault user groups that you want to map to the LDAP groups.
    Ensure that these groups have the appropriate Oracle Key Vault privileges, and that you understand how privilege grants and revokes work for LDAP users.
  3. Select the Users tab, and then Manage LDAP Mappings from the left navigation bar.
  4. Click Create to display the Create LDAP Group Mapping page.
  5. Enter the following settings:
    • Domain: From the list, select the domain that is associated with the LDAP directory server configuration for which you want to define the mapping.
    • LDAP Group: From the list, select the LDAP group.
    • Roles: Optionally, grant the Key Administrator role to the LDAP group. (Remember that you cannot grant a role that is different from the role you currently have.)

      If you want to grant the user the System Administrator or Audit Manager role, then a user who has the Key Administrator role first must create an LDAP group mapping (with or without any user group). After the LDAP group mapping is created, a user with the System Administrator or Audit Manager role then can edit the existing LDAP group mapping to map it with the corresponding administrative role.

    • Under User Groups, select the Oracle Key Vault user groups that you want to map to the LDAP group.

      You can find information about a user group by clicking its Details button.

  6. Click Create.
    The LDAP Access Mappings page appears, where the new mapping is included in the list.
  7. Define more LDAP group mappings as necessary.
At this stage, the configuration is complete and LDAP users can log in to Oracle Key Vault.

10.4 Logins to Oracle Key Vault as an LDAP User

An LDAP user who has been properly configured can log in to the Oracle Key Vault management console.

10.4.1 About Logins to Oracle Key Vault as an LDAP User

After the LDAP directory server configuration with Oracle Key Vault is complete, LDAP users can log in to Oracle Key Vault if they have valid authorization.

The login is successful if:

  • The user provides the correct LDAP credential.
  • The user’s LDAP groups from the LDAP directory server map to at least one of the Oracle Key Vault user groups or administrative roles.

At login time, the user's authorization is determined based on the LDAP groups of which this user is a member. The user is granted the administrative roles or privileges of the user groups that are mapped to the user's LDAP groups. When a user successfully logs in to Oracle Key Vault for the first time, a new user account is automatically created in Oracle Key Vault. (Ensure that you understand how privilege grants and revokes work for LDAP users.)

In a multi-master cluster environment, an LDAP user can log in to any node in the cluster. The first time that the LDAP user logs in to a node, a single Oracle Key Vault-generated user account is created for this user. This account will apply to all nodes in the cluster.

Valid LDAP users can execute Oracle Key Vault RESTful services commands. Oracle Key Vault RESTful Services Administrator's Guide describes how to use the RESTful services.

10.4.2 Logging in to Oracle Key Vault as an LDAP User

An LDAP user who is a member of an LDAP group that has been mapped to an Oracle Key Vault user group or administrative role can log in to the Oracle Key Vault management console.

  1. Open a web browser.
  2. Connect using an HTTPS connection and the IP address of Oracle Key Vault.
    For example, to log in to a server whose IP address is 192.0.2.254, enter:
    https://192.0.2.254
  3. After the login screen appears, enter the following credentials:
    • Domain: From the list, select the domain of the LDAP user.
    • User Name: Enter your user name using one of the following formats:
      • NetBIOS Domain Name\Account Name: For example, global\johndoe

        For convenience, when a user specifies the user name in the NetBIOS Domain Name or User Principal Name format (described next), the domain name in the drop-down list is automatically selected based on the pattern matching of the NetBIOS domain name or the domain name of the user principal name with the names of the configured domains. You can select the domain manually, as needed. The domain name Local is not an Active Directory domain. The use of the domain Local indicates that the user account was created locally.

      • User principal name: For example, johndoe@example.com
      • Login name: For example, johndoe. This name must match the sAMAccountName attribute of the LDAP user account.
    • Password: Enter your password.
  4. Click Login.
LDAP users who have the appropriate Oracle Key Vault authorization can also execute the Oracle Key Vault RESTful services commands.
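The three user name formats accepted by the login page, and the automatic domain selection described for the NetBIOS and user principal name formats, can be modelled as a small parser. This is an added example, not Oracle Key Vault code; the configured domain names (example.com, emea.example.com, GLOBAL, EMEA) and configuration names are constructed samples, and a plain login name is assumed to require a manual domain selection.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LdapDomain:
    """One configured LDAP domain as the login page's Domain list shows it."""
    config_name: str
    dns_name: str       # Active Directory DNS domain, matched against a UPN suffix
    netbios_name: str   # NetBIOS domain name, matched against the DOMAIN\account prefix


# Constructed sample of configured domains (hypothetical names, not from the page).
CONFIGURED_DOMAINS: List[LdapDomain] = [
    LdapDomain("corp-ad", "example.com", "GLOBAL"),
    LdapDomain("emea-ad", "emea.example.com", "EMEA"),
]


@dataclass(frozen=True)
class ParsedLogin:
    account: str            # login name (sAMAccountName) without any domain part
    name_format: str        # "netbios", "upn", or "login"
    domain: Optional[str]   # auto-selected domain, or None when the user must pick one


def parse_login_name(user_name: str,
                     domains: List[LdapDomain] = CONFIGURED_DOMAINS) -> ParsedLogin:
    """Classify the entered user name and auto-select the matching domain.

    NETBIOS\\account  -> match the NetBIOS domain name (case-insensitive)
    account@dns.name  -> match the DNS domain of the user principal name
    account           -> plain login name; nothing to match, the user selects a domain
    A NetBIOS or UPN name that matches no configured domain also yields None.
    """
    user_name = user_name.strip()
    if "\\" in user_name:
        netbios, account = user_name.split("\\", 1)
        match = next((d for d in domains
                      if d.netbios_name.lower() == netbios.lower()), None)
        return ParsedLogin(account, "netbios", match.dns_name if match else None)
    if "@" in user_name:
        account, dns = user_name.rsplit("@", 1)
        match = next((d for d in domains if d.dns_name.lower() == dns.lower()), None)
        return ParsedLogin(account, "upn", match.dns_name if match else None)
    return ParsedLogin(user_name, "login", None)


def resolve_login_domain(user_name: str, selected_domain: Optional[str] = None) -> str:
    """Domain the login request is sent to: an explicit selection from the
    drop-down wins; otherwise the auto-selected domain must exist."""
    if selected_domain:
        return selected_domain
    parsed = parse_login_name(user_name)
    if parsed.domain is None:
        raise ValueError(f"cannot infer a domain for {user_name!r}; select one from the list")
    return parsed.domain
```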

10.5 Managing the LDAP Configuration

You can enable, validate, modify, disable, and delete the LDAP configuration.

10.5.1 Enabling an LDAP Configuration

A user who has the System Administrator role can enable an LDAP configuration.

An LDAP configuration is effective only when it has been enabled. By default, after an LDAP configuration is created, it is enabled. In a multi-master cluster environment, the enablement of an LDAP configuration applies to all nodes in the cluster and can be performed in any node.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check box for the LDAP configuration and then click the Enable button.
  5. In the confirmation window, click OK.

10.5.2 Modifying an LDAP Configuration

A user who has the System Administrator role can modify an LDAP configuration.

In a multi-master cluster environment, changes to an LDAP configuration apply to all nodes in the cluster and can be performed in any node. However, be aware that a node-specific host configuration takes precedence over cluster-wide host configuration.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the LDAP configuration name to display the Edit LDAP Configuration page.
  5. Modify the following settings as necessary:
    • Configuration Name: Update the name of the configuration.
    • Service Directory User Name: Update the service directory user name.
    • Service Directory User Password: Update the service directory user's password.
    • Trusted Certificate: Paste a different server trust certificate.
    • Search Base DN: Update the base DN that is used for searching users and groups.
    • Defunct LDAP Users Grace Period (in days): Enter a new grace period value. The default is 15.
    • Under Servers, do the following:
      • To add a new server, click Add and then provide the Hostname, Port, and Service Directory User Password. To test the connection, click Test Server. Then click Add. You can select only a server that is in the same domain as the current server.
      • To remove a server, select its check box and then click Delete.
  6. Click Test Connection(s) to ensure that the new configuration settings work.
  7. Click Save.

10.5.3 Testing an LDAP Configuration

A user who has the System Administrator role can test an LDAP configuration.

In a multi-master cluster environment, you can test the LDAP configuration from any node in the cluster. The test connection validates the connection to LDAP hosts that are effective for the current cluster node. If node-specific LDAP hosts are configured, then the connection to those hosts is validated.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the LDAP configuration name to display the Edit LDAP Configuration page.
  5. Click Test Connection(s).

10.5.4 Disabling an LDAP Configuration

A user who has the System Administrator role can disable an LDAP configuration.

Disabling an LDAP configuration effectively makes the configuration unavailable for use. Users from the disabled LDAP configuration are denied access when they try to log in to Oracle Key Vault. However, disabling an LDAP configuration does not affect users who are currently logged in using the configuration. In a multi-master cluster environment, the disablement of an LDAP configuration applies to all nodes in the cluster and can be performed in any node.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check boxes for the configurations to disable, and then click Disable.
  5. In the confirmation window, click OK.

10.5.5 Deleting an LDAP Configuration

A user who has the System Administrator role can delete an LDAP configuration.

In a multi-master cluster environment, the deletion of an LDAP configuration applies to all nodes in the cluster and can be performed from any node. However, deleting an LDAP configuration does not log out users who are currently logged in using the configuration.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check boxes for the LDAP configurations that you want to delete and then click one of the following buttons:
    • Click Delete if there are no mappings defined in Oracle Key Vault for any LDAP groups associated with the LDAP configuration.
    • Click Force Delete if there are group mappings defined for this LDAP configuration. You must have both the System Administrator and Key Administrator role to perform this operation. Otherwise, first delete all LDAP group mappings defined for the LDAP configuration before a user with the System Administrator role deletes the LDAP configuration.
  5. In the confirmation window, select OK.
When you delete an LDAP configuration, the associated LDAP user accounts are not deleted immediately. Oracle Key Vault deletes these accounts after the number of days specified in the Defunct LDAP Users Grace Period setting on the Edit LDAP Configuration page has passed. You can delete an LDAP user account at any time. If you recreate the identical LDAP configuration before the associated LDAP user accounts are deleted, then Oracle Key Vault makes these user accounts valid again.

10.6 Managing LDAP Groups

You can modify or delete LDAP group mappings.

10.6.1 About Managing LDAP Groups

The LDAP group can be mapped to Oracle Key Vault administrator roles and one or more user groups.

A user with the Oracle Key Vault administrator role can modify an LDAP group’s mapping with the Oracle Key Vault administrator roles or user groups depending upon the type of administrator role the user has. This user, however, cannot modify an LDAP group in the LDAP directory server. If an LDAP group mapping changes, then the authorization of the users who are members of the LDAP group changes as well.

Local Oracle Key Vault users cannot be members of an LDAP group.

10.6.2 Modifying an LDAP Group Mapping

You can modify the mappings for an LDAP group after you have configured the LDAP connection.

  1. Log in to the Oracle Key Vault management console as a user who has the role that is required for the privileges that must be granted to the LDAP users.
    A user with the Key Administrator role can modify all of the mapping information. Users who have the System Administrator or Audit Manager role can see the basic information and only modify role assignments for the group, depending on what their own role is. For example, a System Administrator can grant or revoke only the System Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. Under LDAP Group Mappings, find the LDAP group whose privileges you want to change.
  4. Select the Edit button for this LDAP group to display its mapping settings.
  5. Under Roles, select from the available roles.
    • Audit Manager
    • Key Administrator
    • System Administrator

    You cannot grant endpoint privileges to LDAP users.

  6. Under User Groups, select from the available Oracle Key Vault user groups to associate with this LDAP group.
  7. To remove an Oracle Key Vault user group from the mapping, select it from the User Groups Mapped list and then click Remove User Groups.
  8. Optionally, select the Details button of the Oracle Key Vault group to modify the user group's settings and privileges.
  9. Click Save.
Oracle Key Vault determines the LDAP user's authorization for the current session only at login time. During the login process, Oracle Key Vault fetches the user's LDAP groups from the LDAP directory server and then determines the mapped Oracle Key Vault administrative roles and user groups for the current session. Any changes to the user's membership in the LDAP groups or changes to the mapping between the user's LDAP groups and Oracle Key Vault user groups or administrative roles do not affect the user's authorization for existing sessions. Note, however, that any changes to the privileges that are granted to the Oracle Key Vault user groups take effect immediately and apply to all existing sessions.
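The session rules stated here and in the overview of LDAP user authorization (login-time snapshot of mapped roles and effective user group membership, live evaluation of user group privileges and direct wallet grants, no endpoint privileges for LDAP users) can be made concrete with an in-memory model. This is an added example, not Oracle Key Vault code; the LDAP group, user group, wallet and user names are constructed samples, and the privilege strings are only labels for this model.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

# Endpoint privileges cannot be granted to user groups, so LDAP users never get them.
ENDPOINT_PRIVILEGES = {"Create Endpoint", "Manage Endpoint",
                       "Create Endpoint Group", "Manage Endpoint Group"}
ADMIN_ROLES = {"System Administrator", "Key Administrator", "Audit Manager"}


@dataclass
class GroupMapping:
    """One LDAP group mapping row: roles and user groups mapped to an LDAP group."""
    roles: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)


@dataclass
class OkvState:
    """Constructed in-memory stand-in for the relevant Oracle Key Vault settings."""
    mappings: Dict[str, GroupMapping]        # LDAP group name -> mapping
    group_privileges: Dict[str, Set[str]]    # OKV user group -> live privileges
    local_grants: Dict[str, Set[str]] = field(default_factory=dict)  # LDAP user -> wallet grants

    def grant_to_group(self, group: str, privilege: str) -> None:
        if privilege in ENDPOINT_PRIVILEGES:
            raise ValueError("endpoint privileges cannot be granted to a user group")
        self.group_privileges.setdefault(group, set()).add(privilege)

    def grant_to_ldap_user(self, user: str, privilege: str) -> None:
        # Only wallet privileges may be granted directly to an LDAP user account.
        if privilege in ENDPOINT_PRIVILEGES or privilege in ADMIN_ROLES:
            raise ValueError("LDAP users can be granted only wallet privileges directly")
        self.local_grants.setdefault(user, set()).add(privilege)


@dataclass(frozen=True)
class Session:
    """Login-time snapshot: roles and effective user group membership."""
    user: str
    roles: FrozenSet[str]
    effective_groups: FrozenSet[str]


def login(state: OkvState, user: str, ldap_groups: Iterable[str]) -> Session:
    """Resolve the user's LDAP groups through the mappings exactly once, at login."""
    roles: Set[str] = set()
    groups: Set[str] = set()
    for ldap_group in ldap_groups:
        mapping = state.mappings.get(ldap_group)
        if mapping is not None:
            roles |= mapping.roles
            groups |= mapping.user_groups
    if not roles and not groups:
        raise PermissionError("no LDAP group maps to an OKV role or user group")
    return Session(user, frozenset(roles), frozenset(groups))


def effective_privileges(state: OkvState, session: Session) -> Set[str]:
    """Live view for a session: group privileges and direct grants are read now;
    the group membership itself stays as snapshotted at login."""
    privs: Set[str] = set()
    for group in session.effective_groups:
        privs |= state.group_privileges.get(group, set())
    privs |= state.local_grants.get(session.user, set())
    return privs


def scenario() -> dict:
    """Walk through the session rules with constructed sample names."""
    state = OkvState(
        mappings={"OKV-Auditors": GroupMapping(roles={"Audit Manager"},
                                              user_groups={"hr-wallet-readers"})},
        group_privileges={"hr-wallet-readers": {"Read Only: HR_WALLET"}},
    )
    session = login(state, "GLOBAL\\johndoe", ["OKV-Auditors", "Domain Users"])

    # 1. Changing the mapping after login does not touch the existing session.
    state.mappings["OKV-Auditors"].user_groups.add("hr-wallet-managers")
    mapping_change_visible = "hr-wallet-managers" in session.effective_groups

    # 2. Changing the user group's privileges is visible to the session at once.
    state.grant_to_group("hr-wallet-readers", "Read and Modify: HR_WALLET")
    # 3. A wallet privilege granted directly to the LDAP user is immediate too.
    state.grant_to_ldap_user("GLOBAL\\johndoe", "Manage Wallet: FIN_WALLET")

    # 4. The new mapping is picked up only by the next login.
    next_session = login(state, "GLOBAL\\johndoe", ["OKV-Auditors"])
    return {
        "roles": sorted(session.roles),
        "mapping_change_visible": mapping_change_visible,
        "privileges_now": sorted(effective_privileges(state, session)),
        "next_login_groups": sorted(next_session.effective_groups),
    }
```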

10.6.3 Validating LDAP Group Mappings

In the event that LDAP groups change in the LDAP directory server, a user who has the Key Administrator role can validate their mappings in Oracle Key Vault.

In a multi-master cluster environment, the validation of an LDAP group mapping applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. Under LDAP Group Mappings, select the check boxes for the group mappings that you want to validate.
  4. Select the Validate button.
  5. In the confirmation window, click OK.

10.6.4 Deleting LDAP Group Mappings

A user who has the Key Administrator role can delete one or more LDAP groups and associated mappings from Oracle Key Vault.

In a multi-master cluster environment, the LDAP group mapping deletion applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. In the LDAP Group Mappings page, select the check boxes for the LDAP groups that you want to delete.
  4. Click Delete.
  5. In the confirmation window, click OK.

10.7 Managing Oracle Key Vault-Generated LDAP Users

You cannot administer the actual LDAP user account in the LDAP directory server but you can administer the Oracle Key Vault-generated user account that is created the first time the LDAP user logs in to Oracle Key Vault.

10.7.1 About Managing LDAP Users

The LDAP user account in Oracle Key Vault is an automatically created account that is based on the LDAP user account in the configured LDAP directory server.

Oracle Key Vault creates this account the first time that the LDAP user logs in to Oracle Key Vault, capturing the first name, last name, and email attributes of the user. These values cannot be changed in Oracle Key Vault; they can be changed only in the corresponding account in the LDAP directory server, by a privileged LDAP administrator. If these values change, then Oracle Key Vault updates the user account with these values the next time the LDAP user logs in to Oracle Key Vault. Except for granting and revoking wallet privileges to and from this user in Oracle Key Vault, the Oracle Key Vault administrator cannot make any changes to this account.

In a multi-master cluster environment, there is no need for user name conflict resolution because the uniqueness of the account is guaranteed by the LDAP directory server where the LDAP user account exists. If the LDAP user logs in to different nodes in the cluster, then an identical user account is created, and this account is uniform across the cluster. Each of these account creations is timestamped. The Oracle Key Vault synchronization process keeps the most recent account creation timestamp value (that is, from the node where this user was created last). Hence, throughout the cluster environment, the timestamp value is the same as the most recent user account creation timestamp.

10.7.2 Finding Information About an Oracle Key Vault-Generated LDAP User

You can find information about the Oracle Key Vault-generated LDAP user accounts.

You cannot change the LDAP user account in Oracle Key Vault; instead you must modify the account in the LDAP directory server where the user account exists. If you want to move the user to a different LDAP group, you must do this in the LDAP directory server.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator, Key Administrator, or Audit Manager role.
  2. Select the Users tab, and then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to the Manage LDAP Users section.
    You can find the following information:
    • The user's distinguished name (DN)
    • The user's full name
    • The name of the LDAP configuration
    • The domain name for the user account
    • Oracle Key Vault roles to which the user has been granted through the LDAP group
    • Mapped groups for the user
    • The effective membership of an LDAP user in Oracle Key Vault user groups
    • The user's access to wallets

10.7.3 Validation of Oracle Key Vault-Generated LDAP Users

You can find out whether the LDAP user account that is associated with an Oracle Key Vault-generated LDAP user account is still a valid account.

10.7.3.1 About the Validation of Oracle Key Vault-Generated LDAP Users

An Oracle Key Vault-generated user account still exists in Oracle Key Vault even if the LDAP user account has been deleted in the source LDAP directory server.

A user who has the System Administrator role can find out whether the Oracle Key Vault-generated user account still exists in the source LDAP directory server by validating it in Oracle Key Vault. In a multi-master cluster environment, the validation of an Oracle Key Vault-generated LDAP user account applies to all nodes in the cluster.

Oracle Key Vault periodically checks the validity of the LDAP user accounts and marks them as NOT FOUND if either of the following events takes place:

  • The LDAP user account does not exist in the LDAP directory server.
  • The LDAP configuration that is associated with the LDAP user account is deleted.

Oracle Key Vault automatically deletes invalid LDAP user accounts after the number of days configured in the Defunct LDAP Users Grace Period setting (in the Edit LDAP Configuration page) has passed. You can delete an LDAP user account from Oracle Key Vault at any time.

10.7.3.2 Validating Oracle Key Vault-Generated LDAP Users

A user who has the System Administrator role can manually validate Oracle Key Vault-generated LDAP users.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to the Manage LDAP Users section.
  4. Select the check box of the LDAP users that you want to validate.
  5. Click Validate.
    If an LDAP account is not valid, then a NOT FOUND message appears.

10.7.4 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges

Users who have the Key Administrator role, or regular users who have privileges to manage wallets, can modify the wallet privileges of an Oracle Key Vault-generated LDAP user account.

10.7.4.1 About Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges

The wallet privileges that you can change are Read Only, Read and Modify, or Manage Wallet.

You cannot change the corresponding LDAP account in the LDAP directory, but you can change the wallet privileges of the Oracle Key Vault-generated LDAP user account. Changes to the privileges granted directly to the LDAP user account in Oracle Key Vault are applied immediately, even to the existing sessions of the same user. If the LDAP user account is modified on the LDAP server (such as a change in LDAP group membership of the user), then the changes take effect from the next user login. In a multi-master cluster environment, changes to an LDAP user apply to all nodes in the cluster and can be performed in any node.

10.7.4.2 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Key Administrators)

A user who has the Key Administrator role can grant and revoke wallet privileges for any wallet to LDAP users in Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. Under Manage Users, scroll down to the Manage LDAP Users section.
  4. Select the name of the LDAP user account to display the LDAP User Details page.
  5. In the Access to Wallets pane, do the following:
    1. Click Add to display the Add Access to User page.
    2. Under Select Wallet, select the wallets for which you want to grant privileges to the LDAP user.
    3. Under Select Access Level, select Read Only, Read and Modify, or Manage Wallet.
    4. Click Save.
      The wallet privilege is added as a direct privilege for this user, as opposed to a wallet privilege that is available through an LDAP group. If the user already has a wallet privilege from the LDAP group to which they are assigned, then the user has a union of the privileges from both the direct privilege grant and the LDAP group privilege grant.
  6. Click Save.

10.7.4.3 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Regular Users)

A regular user who has privileges to manage wallets can grant and revoke privileges for these wallets to LDAP users in Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has privileges to manage wallets.
  2. Select the Keys & Wallets tab, and then Wallets from the left navigation bar.
    The Wallets page lists the wallets for which this user has privileges.
  3. Select the Edit icon for the wallet whose privileges you want to modify.
    The Wallet Access Settings area lists all the users who have privileges for this wallet.
  4. In the Wallet Access Settings area, click Add.
  5. In the Add Access to Wallets page, under Select Endpoint/User Group, select Users from the Type menu.
  6. Select the check boxes for the users to whom you want to grant privileges.
  7. In the Select Access Level area, select Read Only, Read and Modify, or Manage Wallet.
  8. Click Save.
    The wallet privilege is added as a direct privilege for this user, as opposed to a wallet privilege that is available through an LDAP group. If the user already has a wallet privilege from the LDAP group to which they are assigned, then the user has a union of the privileges from both the direct privilege grant and the LDAP group privilege grant.
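The union rule described here and in the Key Administrator procedure above can be modelled as a set union per wallet. The following is an added illustration, not Oracle code; the mapping of each access level to a set of capabilities is an assumption made for the model, and the wallet and group names are constructed sample data.

```python
"""Model of how Oracle Key Vault combines direct and LDAP-group wallet
privileges for an LDAP user. Added illustration, not Oracle code."""
from typing import Dict, Iterable, Set

# Assumed capability sets for the three access levels (assumption, not
# taken from Oracle documentation).
LEVELS: Dict[str, Set[str]] = {
    "Read Only": {"read"},
    "Read and Modify": {"read", "modify"},
    "Manage Wallet": {"read", "modify", "manage"},
}

# A grant table maps wallet name -> access level. One table holds the
# user's direct grants; one table per mapped LDAP group holds group grants.
Grants = Dict[str, str]


def effective_access(direct: Grants, group_grants: Iterable[Grants]) -> Dict[str, Set[str]]:
    """Per wallet, the union of the direct grant and every group grant."""
    result: Dict[str, Set[str]] = {}
    for table in [direct, *group_grants]:
        for wallet, level in table.items():
            result.setdefault(wallet, set()).update(LEVELS[level])
    return result


def direct_only_wallets(direct: Grants, group_grants: Iterable[Grants]) -> Set[str]:
    """Wallets where the direct grant adds capability beyond the group grants.
    Such grants are unaffected by LDAP group changes, so a reviewer should
    confirm they are still intended."""
    via_groups = effective_access({}, group_grants)
    return {w for w, lvl in direct.items() if not LEVELS[lvl] <= via_groups.get(w, set())}


if __name__ == "__main__":
    # Constructed sample data.
    direct = {"HR_WALLET": "Manage Wallet"}
    groups = [{"HR_WALLET": "Read Only", "FIN_WALLET": "Read and Modify"}]
    print(effective_access(direct, groups))
    # After the user is removed from the group in LDAP (effective at the
    # next login), the group grant disappears but the direct grant remains.
    print(effective_access(direct, []))
    print(direct_only_wallets(direct, groups))
```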

10.7.5 Deleting Oracle Key Vault-Generated LDAP Users

A user who has the System Administrator role can delete an LDAP user account from Oracle Key Vault.

If an LDAP user account is deleted from the LDAP directory server, then during a periodic check Oracle Key Vault first marks the corresponding user account as invalid (NOT FOUND) and then deletes it after the Defunct LDAP Users Grace Period setting (on the Edit LDAP Configuration page) has passed.

If you inadvertently delete an Oracle Key Vault-generated LDAP user account, then the next time the user logs in, the account is recreated. However, the user no longer owns any objects that they created before the deletion. In a multi-master cluster environment, the removal of an Oracle Key Vault-generated LDAP user account applies to all nodes in the cluster and can be performed in any node.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to the Manage LDAP Users section.
  4. Select the check box of the LDAP users that you want to remove.
  5. Click Delete.
  6. In the confirmation window, click OK.
    The user account is deleted immediately.