Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Key Vault
-
1
Introduction to Oracle Key Vault
- 1.1 About Oracle Key Vault and Key Management
- 1.2 Benefits of Using Oracle Key Vault
- 1.3 Oracle Key Vault Use Cases
- 1.4 Who Should Use Oracle Key Vault
-
1.5
Major Features of Oracle Key Vault
- 1.5.1 Centralized Storage and Management of Security Objects
- 1.5.2 Management of Key Lifecycle
- 1.5.3 Reporting and Alerts
- 1.5.4 Separation of Duties for Oracle Key Vault Users
- 1.5.5 Persistent Master Encryption Key Cache
- 1.5.6 Backup and Restore Functionality for Security Objects
- 1.5.7 Management of Oracle Key Vault Using RESTful Service
- 1.5.8 Support for OASIS Key Management Interoperability Protocol (KMIP)
- 1.5.9 Database Release and Platform Support
- 1.5.10 Integration with External Audit and Monitoring Services
- 1.5.11 Integration of MySQL with Oracle Key Vault
- 1.5.12 Automatic Storage Management Cluster File System (ACFS) Encryption
- 1.5.13 Support for Oracle Cloud Database as a Service Endpoints
- 1.5.14 Oracle Key Vault Hardware Security Module Integration
- 1.5.15 Support for a Primary-Standby Environment
- 1.6 Oracle Key Vault Interfaces
- 1.7 Overview of an Oracle Key Vault Deployment
-
2
Oracle Key Vault Concepts
- 2.1 Overview of Oracle Key Vault Concepts
- 2.2 Oracle Key Vault Deployment Architecture
- 2.3 Access Control Configuration
- 2.4 Administrative Roles and Endpoint Privileges within Oracle Key Vault
- 2.5 Naming Guidelines for Objects
- 2.6 Emergency System Recovery Process
- 2.7 Root and Support User Accounts
- 2.8 Endpoint Administrators
- 2.9 FIPS Mode
-
3
Oracle Key Vault Multi-Master Cluster Concepts
- 3.1 Oracle Key Vault Multi-Master Cluster Overview
- 3.2 Benefits of Oracle Key Vault Multi-Master Clustering
-
3.3
Multi-Master Cluster Architecture
- 3.3.1 Oracle Key Vault Cluster Nodes
- 3.3.2 Cluster Node Limitations
- 3.3.3 Cluster Subgroups
- 3.3.4 Critical Data in Oracle Key Vault
- 3.3.5 Oracle Key Vault Read-Write Nodes
- 3.3.6 Oracle Key Vault Read-Only Nodes
- 3.3.7 Cluster Node Mode Types
- 3.3.8 Operations Permitted on Cluster Nodes in Different Modes
- 3.4 Building and Managing a Multi-Master Cluster
- 3.5 Oracle Key Vault Multi-Master Cluster Deployment Scenarios
- 3.6 Multi-Master Cluster Features
- 3.7 Cluster Management Information
-
4
Oracle Key Vault Installation and Configuration
- 4.1 About Oracle Key Vault Installation and Configuration
- 4.2 Oracle Key Vault Installation Requirements
- 4.3 Installing and Configuring Oracle Key Vault
- 4.4 Logging In to the Oracle Key Vault Management Console
-
4.5
Upgrading a Standalone or Primary-Standby Oracle Key Vault Server
- 4.5.1 About Upgrading the Oracle Key Vault Server Software
- 4.5.2 Step 1: Back Up the Server Before You Upgrade
- 4.5.3 Step 2: Perform Pre-Upgrade Tasks
- 4.5.4 Step 3: Add Disk Space to Extend the vg_root for the Release 21.1 Upgrade
- 4.5.5 Step 4: Upgrade the Oracle Key Vault Server or Primary-Standby Pair
- 4.5.6 Step 5: Upgrade the Endpoint Software
- 4.5.7 Step 6: If Necessary, Add Disk Space to Extend Swap Space
- 4.5.8 Step 7: If Necessary, Remove Old Kernels
- 4.5.9 Step 8: If Necessary, Remove SSH-Related DSA Keys
- 4.5.10 Step 9: Back Up the Upgraded Oracle Key Vault Server
-
4.6
Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
- 4.6.1 About Upgrading Oracle Key Vault in a Multi-Master Cluster Environment
- 4.6.2 Step 1: Perform Pre-Upgrade Tasks
- 4.6.3 Step 2: Add Disk Space to Extend the vg_root for Upgrade to Oracle Key Vault Release 21.1
- 4.6.4 Step 3: Upgrade Multi-Master Clusters
- 4.6.5 Step 4: Check the Node Version and the Cluster Version
- 4.6.6 Step 5: If Necessary, Change the Network Interface for Upgraded Nodes
- 4.7 Overview of the Oracle Key Vault Management Console
- 4.8 Performing Actions and Searches
-
5
Managing Oracle Key Vault Multi-Master Clusters
- 5.1 About Managing Oracle Key Vault Multi-Master Clusters
- 5.2 Setting Up a Cluster
- 5.3 Terminating the Pairing of a Node
- 5.4 Disabling a Cluster Node
- 5.5 Enabling a Disabled Cluster Node
- 5.6 Deleting a Cluster Node
- 5.7 Force Deleting a Cluster Node
- 5.8 Managing Replication Between Nodes
- 5.9 Cluster Management Information
- 5.10 Cluster Monitoring Information
- 5.11 Naming Conflicts and Resolution
- 5.12 Multi-Master Cluster Deployment Recommendations
-
6
Managing an Oracle Key Vault Primary-Standby Configuration
-
6.1
Overview of the Oracle Key Vault Primary-Standby Configuration
- 6.1.1 About the Oracle Key Vault Primary-Standby Configuration
- 6.1.2 Benefits of an Oracle Key Vault Primary-Standby Configuration
- 6.1.3 Difference Between Primary-Standby Configuration and Multi-Master Cluster
- 6.1.4 Primary Server Role in a Primary-Standby Configuration
- 6.1.5 Standby Server Role in a Primary-Standby Configuration
- 6.2 Configuring the Primary-Standby Environment
- 6.3 Switching the Primary and Standby Servers
- 6.4 Restoring Primary-Standby After a Failover
- 6.5 Disabling (Unpairing) the Primary-Standby Configuration
-
6.6
Read-Only Restricted Mode in a Primary-Standby Configuration
- 6.6.1 About Read-Only Restricted Mode in a Primary-Standby Configuration
- 6.6.2 Primary-Standby with Read-Only Restricted Mode
- 6.6.3 Primary-Standby without Read-Only Restricted Mode
- 6.6.4 States of Read-Only Restricted Mode
- 6.6.5 Enabling Read-Only Restricted Mode
- 6.6.6 Disabling Read-Only Restricted Mode
- 6.6.7 Recovering from Read-Only Restricted Mode
- 6.6.8 Read-Only Restricted Mode Notifications
- 6.7 Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
-
6.1
Overview of the Oracle Key Vault Primary-Standby Configuration
-
7
Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance
- 7.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance
- 7.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure
- 7.3 Provisioning an Oracle Key Vault Compute Instance
- 7.4 General Management of an Oracle Key Vault Compute Instance
- 7.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI
-
8
Oracle Database Instances in Oracle Cloud Infrastructure
- 8.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints
- 8.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
-
8.3
Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
- 8.3.1 Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance
- 8.3.2 Managing a Reverse SSH Tunnel in a Multi-Master Cluster
- 8.3.3 Managing a Reverse SSH Tunnel in a Primary-Standby Configuration
- 8.3.4 Viewing SSH Tunnel Configuration Details
- 8.3.5 Disabling an SSH Tunnel Connection
- 8.3.6 How the Connection Works if the SSH Tunnel Is Not Active
- 8.3.7 Deleting an SSH Tunnel Configuration
-
8.4
Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 8.4.1 About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 8.4.2 Step 1: Register the Endpoint in the Oracle Key Vault Management Console
- 8.4.3 Step 2: Prepare the Endpoint Environment
- 8.4.4 Step 3: Install the Oracle Key Vault Software onto the Endpoint for Registration and Enrollment
- 8.4.5 Step 4: Perform Post-Installation Tasks
- 8.5 Suspending Database Cloud Service Access to Oracle Key Vault
- 8.6 Resuming Database Cloud Service Access to Oracle Key Vault
- 8.7 Resuming a Database Endpoint Configured with a Password-Based Keystore
-
9
Managing Oracle Key Vault Users
- 9.1 Managing User Accounts
-
9.2
Managing Administrative Roles and User Privileges
- 9.2.1 About Managing Administrative Roles and User Privileges
- 9.2.2 Granting or Changing an Administrative Role of a User
- 9.2.3 Granting the Create Endpoint Privilege
- 9.2.4 Granting the Manage Endpoint Privilege
- 9.2.5 Granting the Create Endpoint Group Privilege
- 9.2.6 Granting the Manage Endpoint Group Privilege
- 9.2.7 Granting a User Access to a Virtual Wallet
- 9.2.8 Revoking an Administrative Role or Endpoint Privilege from a User
- 9.3 Managing User Passwords
- 9.4 Managing User Email
-
9.5
Managing User Groups
- 9.5.1 About Managing User Groups
- 9.5.2 How a Multi-Master Cluster Affects User Groups
- 9.5.3 Creating a User Group
- 9.5.4 Adding a User to a User Group
- 9.5.5 Granting a User Group Access to a Virtual Wallet
- 9.5.6 Renaming a User Group
- 9.5.7 Changing a User Group Description
- 9.5.8 Removing a User from a User Group
- 9.5.9 Deleting a User Group
-
10
Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 10.1 About Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 10.2 Privilege Grants and Revokes for LDAP Users
- 10.3 Configuring the LDAP Directory Server Connection to Oracle Key Vault
- 10.4 Logins to Oracle Key Vault as an LDAP User
- 10.5 Managing the LDAP Configuration
- 10.6 Managing LDAP Groups
-
10.7
Managing Oracle Key Vault-Generated LDAP Users
- 10.7.1 About Managing LDAP Users
- 10.7.2 Finding Information About an Oracle Key Vault-Generated LDAP User
- 10.7.3 Validation of Oracle Key Vault-Generated LDAP Users
- 10.7.4 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges
- 10.7.5 Deleting Oracle Key Vault-Generated LDAP Users
-
11
Managing Oracle Key Vault Virtual Wallets and Security Objects
- 11.1 Managing Virtual Wallets
- 11.2 Managing Access to Virtual Wallets from Keys and Wallets Tab
- 11.3 Managing Access to Virtual Wallets from User’s Menu
-
11.4
Managing the State of a Key or a Security Object
- 11.4.1 About Managing the State of a Key or a Security Object
- 11.4.2 How a Multi-Master Cluster Affects Keys and Security Objects
- 11.4.3 Activating a Key or Security Object
- 11.4.4 Deactivating a Key or Security Object
- 11.4.5 Revoking a Key or Security Object
- 11.4.6 Destroying a Key or Security Object
- 11.5 Managing Details of Security Objects
-
12
Managing Oracle Key Vault Master Encryption Keys
-
12.1
Using the Persistent Master Encryption Key Cache
- 12.1.1 About the Persistent Master Encryption Key Cache
- 12.1.2 About Oracle Key Vault Persistent Master Encryption Key Cache Architecture
- 12.1.3 Caching Master Encryption Keys in the In-Memory and Persistent Master Encryption Key Cache
- 12.1.4 Storage Location of Persistent Master Encryption Key Cache
- 12.1.5 Persistent Master Encryption Key Cache Modes of Operation
- 12.1.6 Persistent Master Encryption Key Cache Refresh Window
-
12.1.7
Persistent Master Encryption Key Cache Parameters
- 12.1.7.1 PKCS11_CACHE_TIMEOUT Parameter
- 12.1.7.2 PKCS11_PERSISTENT_CACHE_TIMEOUT Parameter
- 12.1.7.3 PKCS11_PERSISTENT_CACHE_FIRST Parameter
- 12.1.7.4 PKCS11_CONFIG_PARAM_REFRESH_INTERVAL Parameter
- 12.1.7.5 PKCS11_PERSISTENT_CACHE_REFRESH_WINDOW Parameter
- 12.1.7.6 EXPIRE PKCS11 PERSISTENT CACHE ON DATABASE SHUTDOWN Parameter
- 12.1.8 Listing the Contents of the Persistent Master Key Cache
- 12.1.9 Oracle Database Deployments and Persistent Master Encryption Key Cache
- 12.2 Configuring an Oracle Key Vault to New TDE-Enabled Database Connection
- 12.3 Migrating Existing TDE Wallets to Oracle Key Vault
- 12.4 Uploading and Downloading Oracle Wallets
- 12.5 Uploading and Downloading JKS and JCEKS Keystores
- 12.6 Using a User-Defined Key as the TDE Master Encryption Key
-
12.1
Using the Persistent Master Encryption Key Cache
-
13
Managing Oracle Key Vault Endpoints
- 13.1 Overview of Managing Endpoints
- 13.2 Managing Endpoints
- 13.3 Managing Endpoint Details
- 13.4 Default Wallets and Endpoints
- 13.5 Managing Endpoint Access to a Virtual Wallet
-
13.6
Managing Endpoint Groups
- 13.6.1 How a Multi-Master Cluster Affects Endpoint Groups
- 13.6.2 Creating an Endpoint Group
- 13.6.3 Modifying Endpoint Group Details
- 13.6.4 Granting an Endpoint Group Access to a Virtual Wallet
- 13.6.5 Adding an Endpoint to an Endpoint Group
- 13.6.6 Removing an Endpoint from an Endpoint Group
- 13.6.7 Deleting Endpoint Groups
-
14
Enrolling and Upgrading Endpoints for Oracle Key Vault
- 14.1 About Endpoint Enrollment and Provisioning
- 14.2 Finalizing Enrollment and Provisioning
- 14.3 Environment Variables and Endpoint Provisioning Guidance
- 14.4 Endpoints That Do Not Use the Oracle Key Vault Client Software
- 14.5 Transparent Data Encryption Endpoint Management
- 14.6 Endpoint okvclient.ora Configuration File
- 14.7 Upgrading Endpoints
-
15
Managing Keys for Oracle Products
- 15.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
- 15.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
-
15.3
Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
- 15.3.1 About Uploading Oracle Wallets in an Oracle Data Guard Environment
- 15.3.2 Uploading Oracle Wallets in an Oracle Data Guard Environment
- 15.3.3 Performing an Online Master Key Connection in an Oracle Data Guard Environment
- 15.3.4 Migrating Oracle Wallets in an Oracle Data Guard Environment
- 15.3.5 Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
- 15.3.6 Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
- 15.3.7 Checking the Oracle TDE Wallet Migration for a Logical Standby Database
- 15.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
- 15.5 MySQL Integration with Oracle Key Vault
- 15.6 Other Oracle Database Features That Oracle Key Vault Supports
-
16
Managing Online and Offline Secrets
- 16.1 Uploading and Downloading Credential Files
- 16.2 Managing Secrets and Credentials for SQL*Plus
- 16.3 Managing Secrets and Credentials for SSH
-
16.4
Centrally Managing Passwords in Oracle Key Vault
- 16.4.1 About Centrally Managing Passwords in Oracle Key Vault
- 16.4.2 Creating and Sharing Centrally Managed Passwords
- 16.4.3 Example: Script for Using External Keystore Passwords in SQL*Plus Operations
- 16.4.4 Sharing Secrets with Other Databases
- 16.4.5 Changing Passwords for a Large Database Deployment
-
17
Oracle Key Vault General System Administration
- 17.1 Overview of Oracle Key Vault General System Administration
-
17.2
Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
- 17.2.1 Configuring the Network Details
- 17.2.2 Configuring the Network Services
- 17.2.3 Configuring the System Time
- 17.2.4 Configuring DNS
- 17.2.5 Configuring FIPS Mode
- 17.2.6 Configuring Syslog
- 17.2.7 Changing the Network Interface Mode
- 17.2.8 Configuring RESTful Services
- 17.2.9 Configuring Oracle Audit Vault Integration
- 17.2.10 Configuring the Oracle Key Vault Management Console Web Session Timeout
- 17.2.11 Restarting or Powering Off Oracle Key Vault
-
17.3
Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- 17.3.1 About Configuring Oracle Key Vault in a Multi-Master Cluster Environment
-
17.3.2
Configuring System Settings for Individual Multi-Master Cluster Nodes
- 17.3.2.1 Configuring the Network Details for the Node
- 17.3.2.2 Configuring the Network Services for the Node
- 17.3.2.3 Configuring the System Time for the Node
- 17.3.2.4 Configuring DNS for the Node
- 17.3.2.5 Configuring the FIPS Mode for the Node
- 17.3.2.6 Configuring Syslog for the Node
- 17.3.2.7 Changing the Network Interface Mode for the Node
- 17.3.2.8 Configuring Auditing for the Node
- 17.3.2.9 Configuring SNMP Settings for the Node
- 17.3.2.10 Configuring Oracle Audit Vault Integration for the Node
- 17.3.2.11 Restarting or Powering Off Oracle Key Vault from a Node
-
17.3.3
Managing Oracle Key Vault Multi-Master Clusters
- 17.3.3.1 Configuring the System Time for the Cluster
- 17.3.3.2 Configuring DNS for the Cluster
- 17.3.3.3 Configuring Maximum Disable Node Duration for the Cluster
- 17.3.3.4 Configuring Syslog for the Cluster
- 17.3.3.5 Configuring RESTful Services for the Cluster
- 17.3.3.6 Configuring Auditing for the Cluster
- 17.3.3.7 Configuring SNMP Settings for the Cluster
- 17.3.3.8 Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster
- 17.4 Managing System Recovery
- 17.5 Support for a Primary-Standby Environment
-
17.6
Commercial National Security Algorithm Suite Support
- 17.6.1 About Commercial National Security Algorithm Suite Support
- 17.6.2 Running the Commercial National Security Algorithm Scripts
- 17.6.3 Performing Backup and Restore Operations with CNSA
- 17.6.4 Upgrading a Standalone Oracle Key Vault Server with CNSA
- 17.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA
- 17.7 Minimizing Downtime
- 18 Managing Certificates
-
19
Backup and Restore Operations
- 19.1 About Backing Up and Restoring Data in Oracle Key Vault
- 19.2 Oracle Key Vault Backup Destinations
- 19.3 Backup Schedules and States
-
19.4
Scheduling and Managing Oracle Key Vault Backups
- 19.4.1 Scheduling a Backup for Oracle Key Vault
- 19.4.2 Changing a Backup Schedule for Oracle Key Vault
- 19.4.3 Deleting a Backup Schedule from Oracle Key Vault
- 19.4.4 How Primary-Standby Affects Oracle Key Vault Backups
- 19.4.5 How Using a Cluster Affects Oracle Key Vault Backups
- 19.4.6 Protecting the Backup Using the Recovery Passphrase
-
19.5
Restoring Oracle Key Vault Data
- 19.5.1 About the Oracle Key Vault Restore Process
- 19.5.2 Procedure for Restoring Oracle Key Vault Data
- 19.5.3 Multi-Master Cluster and the Restore Operation
- 19.5.4 Primary-Standby and the Restore Operation
- 19.5.5 Certificates and the Restore Operation
- 19.5.6 Changes Resulting from a System State Restore
- 19.6 Backup and Restore Best Practices
-
20
Monitoring and Auditing Oracle Key Vault
-
20.1
Managing System Monitoring
-
20.1.1
Configuring Remote Monitoring to Use SNMP
- 20.1.1.1 About Using SNMP for Oracle Key Vault
- 20.1.1.2 Granting SNMP Access to Users
- 20.1.1.3 Changing the SNMP User Name and Password
- 20.1.1.4 Changing SNMP Settings on the Standby Server
- 20.1.1.5 Remotely Monitoring Oracle Key Vault Using SNMP
- 20.1.1.6 SNMP Management Information Base Variables for Oracle Key Vault
- 20.1.1.7 Example: Simplified Remote Monitoring of Oracle Key Vault Using SNMP
- 20.1.2 Configuring Email Notification
- 20.1.3 Configuring the Syslog Destination for Individual Multi-Master Cluster Nodes
- 20.1.4 Capturing System Diagnostics
- 20.1.5 Configuring Oracle Audit Vault Integration for the Node
-
20.1.1
Configuring Remote Monitoring to Use SNMP
- 20.2 Configuring Oracle Key Vault Alerts
- 20.3 Managing System Auditing
- 20.4 Using Oracle Key Vault Reports
-
20.1
Managing System Monitoring
- A Oracle Key Vault Multi-Master Cluster Operations
- B Oracle Key Vault okvutil Endpoint Utility Reference
-
C
Troubleshooting Oracle Key Vault
- C.1 Oracle Key Vault Pre-Installation Checklist
-
C.2
Integrating Oracle Key Vault with Oracle Audit Vault and Database Firewall
- C.2.1 Step 1: Check the Environment
- C.2.2 Step 2: Register Oracle Key Vault as a Secured Target with AVDF
- C.2.3 Step 3: Register Oracle Key Vault as a Host with AVDF
- C.2.4 Step 4: Download the AVDF Agent and Upload it to Oracle Key Vault
- C.2.5 Step 5: Install the AVDF agent.jar File on the Oracle Key Vault Server
- C.2.6 Step 6: Add the Oracle Key Vault Audit Trail to AVDF
- C.2.7 Step 7: View Oracle Key Vault Audit Data Collected by AVDF
- C.3 RESTful Services Troubleshooting Help
- C.4 Error: Cannot Open Keystore Message
- C.5 KMIP Error: Invalid Field
- C.6 WARNING: Could Not Store Private Key Errors
- C.7 Errors After Upgrading Oracle Key Vault
- C.8 Error: Failed to Open Wallet
- C.9 Transaction Check Error: Diagnostics Generation Utility
- C.10 Fast-Start Failover (FSFO) Suspended (ORA-16818)
- C.11 SSH Tunnel Add Failure
- C.12 Error: Provision Command Fails if /usr/bin/java Does Not Exist
- C.13 TDE Endpoint Integration Issues
- C.14 Failover Situations in Primary-Standby Mode
- C.15 Performing a Planned Shutdown
- D Security Technical Implementation Guides Compliance Standards
- Glossary
- Index