5 Security Object Commands

Endpoints can make use of the security object commands to operate on the managed objects.

• okv managed-object attribute add Command
  The okv managed-object attribute add command adds one or more attributes to a security object.
• okv managed-object attribute delete Command
  The okv managed-object attribute delete command deletes one or more attributes associated with a security object.
• okv managed-object attribute get Command
  The okv managed-object attribute get command retrieves an attribute or list of attributes of a security object.
• okv managed-object attribute get-all Command
  The okv managed-object attribute get-all command retrieves all attributes of a security object.
• okv managed-object attribute list Command
  The okv managed-object attribute list command retrieves the names of attributes associated with a security object.
• okv managed-object attribute modify Command
  The okv managed-object attribute modify command modifies attributes associated with a security object.
• okv managed-object certificate get Command
  The okv managed-object certificate get command retrieves a digital certificate.
• okv managed-object certificate register Command
  The okv managed-object certificate register command registers a certificate.
• okv managed-object custom-attribute add Command
  The okv managed-object custom-attribute add command adds a custom attribute to a security object.
• okv managed-object custom-attribute delete Command
  The okv managed-object custom-attribute delete command deletes a custom attribute of a security object.
• okv managed-object custom-attribute modify Command
  The okv managed-object custom-attribute modify command modifies a custom attribute of a security object.
• okv managed-object key create Command
  The okv managed-object key create command creates a new key. 
• okv managed-object key get Command
  The okv managed-object key get command retrieves an encryption key.
• okv managed-object key register Command
  The okv managed-object key register command registers a key.
• okv managed-object object activate Command
  The okv managed-object object activate command activates a security object.
• okv managed-object object destroy Command
  The okv managed-object object destroy command requests the server to destroy the key data for a security object.
• okv managed-object object locate Command
  The okv managed-object object locate command locates a security object.
• okv managed-object object query Command
  The okv managed-object object query command identifies supported operations and objects.
• okv managed-object object revoke Command
  The okv managed-object object revoke command revokes a security object.
• okv managed-object opaque get Command
  The okv managed-object opaque get command retrieves an object that contains opaque data.
• okv managed-object opaque register Command
  The okv managed-object opaque register command registers an opaque security object.
• okv managed-object secret get Command
  The okv managed-object secret get command retrieves the secret data from a security object of type secret.
• okv managed-object secret register Command
  The okv managed-object secret register command registers secret data such as passwords or random seeds.
• okv managed-object wallet add-member Command
  The okv managed-object wallet add-member command adds a security object to a wallet as its member.
• okv managed-object wallet delete-member Command
  The okv managed-object wallet delete-member command deletes the membership of the managed-object from a wallet.
• okv managed-object wallet list Command
  The okv managed-object wallet list command lists wallets that have their access granted to the endpoint used to connect to Oracle Key Vault.

5.1 okv managed-object attribute add Command

The okv managed-object attribute add command adds one or more attributes to a security object.

To find the existing attributes for the security object, execute the okv managed-object attribute list command.

If you want to create a custom attribute, then use the okv managed-object custom-attribute add command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute add --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : "#VALUE/text|uri",
        "contactInfo" : "#VALUE",
        "activationDate" : "#yyyy/MM/dd HH:mm:ss",
        "deactivationDate" : "#yyyy/MM/dd HH:mm:ss",
        "protectStopDate" : "#yyyy/MM/dd HH:mm:ss",
        "processStartDate" : "#yyyy/MM/dd HH:mm:ss"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name activationDate contactInfo deactivationDate protectStopDate processStartDate See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes. For date values, use the following format: yyyy/MM/dd HH:mm:ss Example: 20220/07/14 10:09:25

JSON Example

1. Generate JSON input for the okv managed-object attribute add command.

   okv managed-object attribute add --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "add",
       "options" : {
         "uuid" : "#VALUE",
         "attributes" : {
           "name" : "#VALUE/text|uri",
           "contactInfo" : "#VALUE",
           "activationDate" : "#yyyy/MM/dd HH:mm:ss",
           "deactivationDate" : "#yyyy/MM/dd HH:mm:ss",
           "protectStopDate" : "#yyyy/MM/dd HH:mm:ss",
           "processStartDate" : "#yyyy/MM/dd HH:mm:ss"
         }
       }
     }
   }

2. Save the generated input to a file (for example, add_attribute.json) and then edit it so that you can add the attribute to the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "add",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "attributes" : {
           "contactInfo" : "pfitch@example.com",
           "deactivationDate" : "2024/12/31 09:00:00",
           "name" : "PROD-HRDB-MKEY",
           "protectStopDate" : "2024/09/30 09:00:00"
         }
       }
     }
   }

3. Execute the okv managed-object attribute add command using the generated JSON file.

   okv managed-object attribute add --from-json add_attribute.json

   Output similar to the following appears:

   {
     "contactInfo" : "Added",
     "deactivationDate" : "Added",
     "name" : "Added",
     "protectStopDate" : "Added"
   }

5.2 okv managed-object attribute delete Command

The okv managed-object attribute delete command deletes one or more attributes associated with a security object.

To find the existing attributes for the security object, execute the okv managed-object attribute list command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute delete --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : "",
        "contactInfo" : "",
        "activationDate" : "",
        "deactivationDate" : "",
        "protectStopDate" : "",
        "processStartDate" : ""
      }
    }
  }
}

Parameters

Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can delete are as follows: name (You must also specify the value of the name attribute instance that you want to delete.) activationDate contactInfo deactivationDate protectStopDate processStartDate

JSON Example

1. Generate JSON input for the okv managed-object attribute delete command.

   okv managed-object attribute delete --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "delete",
       "options" : {
         "uuid" : "#VALUE",
         "attributes" : {
           "name" : "",
           "contactInfo" : "",
           "activationDate" : "",
           "deactivationDate" : "",
           "protectStopDate" : "",
           "processStartDate" : ""
         }
       }
     }
   }

2. Save the generated input to a file (for example, del_attribute.json) and then edit it so that you can delete the attributes associated with a security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "delete",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "attributes" : {
           "name" : "PROD-HRDB-MKEY"
         }
       }
     }
   }

3. Execute the okv managed-object attribute delete command using the generated JSON file.

   okv managed-object attribute delete --from-json del_attribute.json

   Output similar to the following appears:

   {
     "name" : "Deleted"
   }

5.3 okv managed-object attribute get Command

The okv managed-object attribute get command retrieves an attribute or list of attributes of a security object.

To find the existing attributes for the managed object, execute the okv managed-object attribute list command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute get --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "#ATTRIBUTE_NAME" : "",
        "#ATTRIBUTE_NAME" : "",
        "#ATTRIBUTE_NAME" : ""
      }
    }
  }
}

Parameters

Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
attributes	Required	Attribute names and their values. You can retrieve the value of multiple attributes by including additional optional ATTRIBUTE_NAME attributes. See the example. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. To retrieve the values of all existing attributes for the managed object, execute the okv managed-object attribute get-all command. See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object attribute get command.

   okv managed-object attribute get --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "get",
       "options" : {
         "uuid" : "#VALUE",
         "attributes" : {
           "#ATTRIBUTE_NAME" : "",
           "#ATTRIBUTE_NAME" : "",
           "#ATTRIBUTE_NAME" : ""
         }
       }
     }
   }

2. Save the generated input to a file (for example, get_attribute.json) and then edit it so that you can retrieve the attributes associated with the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "get",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "attributes" : {
           "activationDate" : "",
           "contactInfo" : "",
           "cryptoUsageMask" : "",
           "cryptographicAlgorithm" : "",
           "cryptographicLength" : "",
           "name" : "",
           "objectType" : "",
           "state" : ""
         }
       }
     }
   }

3. Execute the okv managed-object attribute get command using the generated JSON file.

   okv managed-object attribute get --from-json get_attribute.json

   Output similar to the following appears:

   {
     "activationDate" : "21-NOV-20 01:00:00",
     "contactInfo" : "pfitch@example.com",
     "cryptoUsageMask" : "ENCRYPT DECRYPT",
     "cryptographicAlgorithm" : "AES",
     "cryptographicLength" : "256",
     "name" : "PROD-HRDB-MKEY : text",
     "objectType" : "Symmetric Key",
     "state" : "Active"
   }

5.4 okv managed-object attribute get-all Command

The okv managed-object attribute get-all command retrieves all attributes of a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute get-all --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get-all",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object attribute get-all command.

   okv managed-object attribute get-all --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "get-all",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, get-all_attribute.json) and then edit it so that you can get all the attributes of the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "get-all",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
       }
     }
   }

3. Execute the okv managed-object attribute get-all command using the generated JSON file.

   okv managed-object attribute get-all --from-json get-all_attribute.json

   Output similar to the following appears:

   {
     "activationDate" : "21-NOV-20 01:00:00",
     "contactInfo" : "pfitch@example.com",
     "cryptoUsageMask" : "ENCRYPT DECRYPT",
     "cryptographicAlgorithm" : "AES",
     "cryptographicLength" : "256",
     "deactivationDate" : "31-DEC-24 09:00:00",
     "digest" : "EA31657433D91BF79660525131772D838A1128FCE6B49471726EEF5844EFA3F7 : SHA-256",
     "fresh" : "Yes",
     "initialDate" : "21-NOV-20 00:57:00",
     "lastChangeDate" : "21-NOV-20 20:17:19",
     "name" : "PROD-HRDB-MKEY : text",
     "objectType" : "Symmetric Key",
     "processStartDate" : "21-NOV-20 00:57:00",
     "protectStopDate" : "30-SEP-24 09:00:00",
     "state" : "Active"
   }

5.5 okv managed-object attribute list Command

The okv managed-object attribute list command retrieves the names of attributes associated with a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute list --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "list",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object attribute list command.

   okv managed-object attribute list --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "list",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, list_attribute.json) and then edit it so that you can retrieve the list of attributes for the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "list",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
       }
     }
   }

3. Execute the okv managed-object attribute list command using the generated JSON file.

   okv managed-object attribute list --from-json list_attribute.json

   Output similar to the following appears:

   {
     "activationDate" : "",
     "contactInfo" : "",
     "cryptoUsageMask" : "",
     "cryptographicAlgorithm" : "",
     "cryptographicLength" : "",
     "deactivationDate" : "",
     "digest" : "",
     "fresh" : "",
     "initialDate" : "",
     "lastChangeDate" : "",
     "name" : "",
     "objectType" : "",
     "processStartDate" : "",
     "protectStopDate" : "",
     "state" : ""
   }

5.6 okv managed-object attribute modify Command

The okv managed-object attribute modify command modifies attributes associated with a security object.

To find the existing attributes for the managed object, execute the okv managed-object attribute list command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute modify --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : "#OLD_VALUE:NEW_VALUE/text|uri",
        "contactInfo" : "#VALUE",
        "activationDate" : "#yyyy/MM/dd HH:mm:ss",
        "deactivationDate" : "#yyyy/MM/dd HH:mm:ss",
        "protectStopDate" : "#yyyy/MM/dd HH:mm:ss",
        "processStartDate" : "#yyyy/MM/dd HH:mm:ss"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name activationDate contactInfo deactivationDate protectStopDate processStartDate See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes. For date values, use the following format: yyyy/MM/dd HH:mm:ss Example: 20220/07/14 10:09:25

JSON Example

1. Generate JSON input for the okv managed-object attribute modify command.

   okv managed-object attribute modify --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "modify",
       "options" : {
         "uuid" : "#VALUE",
         "attributes" : {
           "name" : "#OLD_VALUE:NEW_VALUE/text|uri",
           "contactInfo" : "#VALUE",
           "CRYPTO_USAGE_MASK" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
           "activationDate" : "#yyyy/MM/dd HH:mm:ss",
           "deactivationDate" : "#yyyy/MM/dd HH:mm:ss",
           "protectStopDate" : "#yyyy/MM/dd HH:mm:ss",
           "processStartDate" : "#yyyy/MM/dd HH:mm:ss"
         }
       }
     }
   }

2. Save the generated input to a file (for example, modify_attribute.json) and then edit it so that you can modify attributes associated with a security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "attribute",
       "action" : "modify",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "attributes" : {
           "contactInfo" : "jscott@example.com",
           "deactivationDate" : "2024/07/31 09:00:00",
           "protectStopDate" : "2024/04/30 09:00:00"
         }
       }
     }
   }

3. Execute the okv managed-object attribute modify command using the generated JSON file.

   okv managed-object attribute modify --from-json modify_attribute.json

   Output similar to the following appears:

   {
     "contactInfo" : "Modified",
     "deactivationDate" : "Modified",
     "protectStopDate" : "Modified"
   }

5.7 okv managed-object certificate get Command

The okv managed-object certificate get command retrieves a digital certificate.

Required Authorization

The endpoint must have read permission on the certificate object.

Syntax

okv managed-object certificate get --uuid UUID

JSON Input File Template Syntax

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the certificate. To find the unique identifier for the certificate, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object certificate get command.

   okv managed-object certificate get --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "certificate",
       "action" : "get",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, get_cert.json) and then edit it so that you can retrieve the certificate.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "certificate",
       "action" : "get",
       "options" : {
         "uuid" : "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
       }
     }
   }

3. Execute the okv managed-object certificate get command using the generated JSON file.

   okv managed-object certificate get --from-json get_cert.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "object" : "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgICfVEwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCdXMx\nEzARB << output truncated >> AYP\n4vwrDwBdNdGtj36GqjuCpz/xCVM9ieSRxJU8\n-----END CERTIFICATE-----"
     }
   }

5.8 okv managed-object certificate register Command

The okv managed-object certificate register command registers a certificate.

Required Authorization

None

Syntax

okv managed-object certificate register --object object_file_path --algorithm algorithm --length key_length --mask crypto_usage_mask --type type --wallet wallet_name 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#3DES|AES",
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
      "type" : "X_509",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : "#VALUE",
        "contactInfo" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--object / object	Required	Object file path
--algorithm / algorithm	Required	Cryptographic algorithm. Choose from the following values: AES 3DES
--length / length	Required	Key length for the algorithm. Choose from the following values: For AES: 128, 192, 256 For 3DES: 112, 168
--mask / mask	Required	Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values: ENCRYPT DECRYPT DERIVE_KEY EXPORT GENERATE_CRYPTOGRAM TRANSLATE_DECRYPT TRANSLATE_ENCRYPT TRANSLATE_UNWRAP TRANSLATE_WRAP UNWRAP_KEY VALIDATE_CRYPTOGRAM WRAP_KEY
--type / type	Required	Type of certificate. Enter the following value: X_509
--wallet / wallet	Optional	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
attributes	Optional	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the certificate object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name contactInfo See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object certificate register command.

   okv managed-object certificate register --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "certificate",
       "action" : "register",
       "options" : {
         "object" : "#VALUE",
         "algorithm" : "#3DES|AES",
         "length" : "#112,168(3DES)|128,192,256(AES)",
         "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
         "type" : "X_509",
         "wallet" : "#VALUE",
         "attributes" : {
           "name" : "#VALUE",
           "contactInfo" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, reg_cert.json) and then edit it so that you can register the certificate.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "certificate",
       "action" : "register",
       "options" : {
         "object" : "./cert.pem",
         "algorithm" : "AES",
         "length" : "256",
         "mask" : "ENCRYPT",
         "type" : "X_509",
         "wallet" : "hr_wallet",
         "attributes" : {
           "name" : "CERT-APPID-103",
           "contactInfo" : "pfitch@example.com"
         }
       }
     }
   }

3. Execute the okv managed-object certificate register command using the generated JSON file.

   okv managed-object certificate register --from-json reg_cert.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "uuid" : "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
     }
   }

5.9 okv managed-object custom-attribute add Command

The okv managed-object custom-attribute add command adds a custom attribute to a security object.

To find the existing attributes for the managed object, execute the okv managed-object attribute get-all command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute add --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
customAttribute	Required	Custom attribute name. Include the prefix x- in the attribute name. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. You must use the JSON syntax to add a custom attribute. To add a custom attribute, you must specify these values for the attribute: name value type See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

JSON Example

1. Generate JSON input for the okv managed-object custom-attribute add command.

   okv managed-object custom-attribute add --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "add",
       "options" : {
         "uuid" : "#VALUE",
         "customAttribute" : {
           "name" : "#VALUE",
           "value" : "#VALUE",
           "type" : "#TEXT|NUMBER"
         }
       }
     }
   }

2. Save the generated input to a file (for example, add_cust_attr.json) and then edit it so that you can add the custom attribute to the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "add",
       "options" : {
         "uuid" : "3C695846-BB8D-4FD2-BFC4-E646ACB60404",
         "customAttribute" : {
           "name" : "x-ApplicationTag",
           "value" : "HR-Production",
           "type" : "TEXT"
         }
       }
     }
   }

3. Execute the okv managed-object custom-attribute add command using the generated JSON file.

   okv managed-object custom-attribute add --from-json add_cust_attr.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.10 okv managed-object custom-attribute delete Command

The okv managed-object custom-attribute delete command deletes a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute delete --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
customAttribute	Required	Custom Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for a managed object, execute the okv managed-object attribute get-all command. You cannot specify attributes at the command line. You must use the JSON syntax to delete a custom attribute. To delete a custom attribute, you must specify these values for the attribute: name index See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object custom-attribute delete command.

   okv managed-object custom-attribute delete --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "delete",
       "options" : {
         "uuid" : "#VALUE",
         "customAttribute" : {
           "name" : "#VALUE",
           "index" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, del_cust_attr.json) and then edit it so that you can delete the custom attribute.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "delete",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "customAttribute" : {
           "name" : "x-ApplicationTag",
           "index" : "1"
         }
       }
     }
   }

3. Execute the okv managed-object custom-attribute delete command using the generated JSON file.

   okv managed-object custom-attribute delete --from-json del_cust_attr.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.11 okv managed-object custom-attribute modify Command

The okv managed-object custom-attribute modify command modifies a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute modify --generate-json-input

You must use the JSON syntax for this command to specify the command's attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Template Parameter	Required?	Description
uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
customAttribute	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute get-all command. You cannot specify attributes at the command line. You must use the JSON syntax to modify a custom attribute. To modify a custom attribute, you must specify these values for the attribute: name: Specify the name of the attribute that you want to modify. value: Specify the new value for the attribute. type: Specify the index of the attribute that you want to modify. See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

JSON Example

1. Generate JSON input for the okv managed-object custom-attribute modify command.

   okv managed-object custom-attribute modify --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "modify",
       "options" : {
         "uuid" : "#VALUE",
         "customAttribute" : {
           "name" : "#VALUE",
           "value" : "#VALUE",
           "index" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, modify_cust_attr.json) and then edit it so that you can modify the custom attribute.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "custom-attribute",
       "action" : "modify",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
         "customAttribute" : {
           "name" : "x-ApplicationTag",
           "value" : "Global-HR-Production",
           "index" : "1"
         }
       }
     }
   }

3. Execute the okv managed-object custom-attribute modify command using the generated JSON file.

   okv managed-object custom-attribute modify --from-json modify_cust_attr.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.12 okv managed-object key create Command

The okv managed-object key create command creates a new key. 

Required Authorization

None

Syntax

okv managed-object key create --algorithm  cryptographic_algorithm --length key_length --mask crypographic_usage_mask --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "create",
    "options" : {
      "algorithm" : "#3DES|AES",
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
      "wallet" : "#VALUE"
    }

Parameters

Parameter/Template Parameter	Required?	Description
--algorithm / algorithm	Required	Cryptographic algorithm. Choose from the following values: AES 3DES
--length / length	Required	Key length for the algorithm. Choose from the following values: For AES: 128, 192, 256 For 3DES: 112, 168
--mask / mask	Required	Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values: ENCRYPT DECRYPT DERIVE_KEY EXPORT GENERATE_CRYPTOGRAM TRANSLATE_DECRYPT TRANSLATE_ENCRYPT TRANSLATE_UNWRAP TRANSLATE_WRAP UNWRAP_KEY VALIDATE_CRYPTOGRAM WRAP_KEY
--wallet / wallet	Optional	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.

JSON Example

1. Generate JSON input for the okv managed-object key create command.

   okv managed-object key create --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "create",
       "options" : {
         "algorithm" : "#3DES|AES",
         "length" : "#112,168(3DES)|128,192,256(AES)",
         "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
         "wallet" : "#VALUE"
       }

2. Save the generated input to a file (for example, create_key.json) and then edit it so that you can create the key.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "create",
       "options" : {
         "algorithm" : "AES",
         "length" : "256",
         "mask" : "ENCRYPT,DECRYPT",
         "wallet" : "hr_wallet"
       }

3. Execute the okv managed-object key create command using the generated JSON file.

   okv managed-object key create --from-json create_key.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
     }
   }

5.13 okv managed-object key get Command

The okv managed-object key get command retrieves an encryption key.

Required Authorization

The endpoint must have read permission on the key object.

Syntax

okv managed-object key get --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the key. To find the unique identifier for the key, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object key get command.

   okv managed-object key get --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "get",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, get_key.json) and then edit it so that you can get the key.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "get",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
       }
     }
   }

3. Execute the okv managed-object key get command using the generated JSON file.

   okv managed-object key get --from-json get_key.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "object" : "E7A641D77DDAF074C62E7A2C2355F2B8D9CD49486E6AF7F38A22CBDEC91630D0"
     }
   }

5.14 okv managed-object key register Command

The okv managed-object key register command registers a key.

Required Authorization

None

Syntax

okv managed-object key register --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --object key_file_path --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "register",
    "options" : {
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "object" : "#VALUE",
      "algorithm" : "#3DES|AES",
      "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : "#VALUE",
        "contactInfo" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--algorithm / algorithm	Required	Cryptographic algorithm. Choose from the following values: AES 3DES
--length / length	Required	Key length for the algorithm. Choose from the following values: For AES: 128, 192, 256 For 3DES: 112, 168
--mask / mask	Required	Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values: ENCRYPT DECRYPT DERIVE_KEY EXPORT GENERATE_CRYPTOGRAM TRANSLATE_DECRYPT TRANSLATE_ENCRYPT TRANSLATE_UNWRAP TRANSLATE_WRAP UNWRAP_KEY VALIDATE_CRYPTOGRAM WRAP_KEY
object	Required	File path to the object
wallet	Optional	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name contactInfo See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object key register command.

   okv managed-object key register --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "register",
       "options" : {
         "length" : "#112,168(3DES)|128,192,256(AES)",
         "object" : "#VALUE",
         "algorithm" : "#3DES|AES",
         "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
         "wallet" : "#VALUE",
         "attributes" : {
           "name" : "#VALUE",
           "contactInfo" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, reg_key.json) and then edit it so that you can register the key.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "key",
       "action" : "register",
       "options" : {
         "length" : "256",
         "object" : "./object.txt",
         "algorithm" : "AES",
         "mask" : "ENCRYPT,DECRYPT",
         "wallet" : "hr_wallet",
         "attributes" : {
           "name" : "FINDB-PROD-MKEY",
           "contactInfo" : "pfitch@example.com"
         }
       }
     }
   }

3. Execute the okv managed-object key register command using the generated JSON file.

   okv managed-object key register --from-json reg_key.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "uuid" : "39BE0215-5D7B-4F38-BF5F-FC87C82AA004"
     }
   }

5.15 okv managed-object object activate Command

The okv managed-object object activate command activates a security object.

See Oasis Key Management Interoperability Protocol Specification Version 1.1 Oasis Standard for various states that a security object can be in.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object activate --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "activate",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object managed-object activate command.

   okv managed-object object activate --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "activate",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, activate_object.json) and then edit it so that you can activate the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "activate",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
       }
     }
   }

3. Execute the okv managed-object managed-object activate command using the generated JSON file.

   okv managed-object object activate --from-json activate_object.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.16 okv managed-object object destroy Command

The okv managed-object object destroy command requests the server to destroy the key data for a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object destroy --uuid UUID 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "destroy",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object object destroy command.

   okv managed-object object destroy --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "destroy",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, destroy_obj.json) and then edit it so that you can destroy the security object data.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "destroy",
       "options" : {
         "uuid" : "B36F3AD1-0AC7-4FEB-BF32-79E6F727ECB2"
       }
     }
   }

3. Execute the okv managed-object object destroy command using the generated JSON file.

   okv managed-object object destroy --from-json del_obj.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.17 okv managed-object object locate Command

The okv managed-object object locate command locates a security object.

Required Authorization

The endpoint must have read permission on the objects.

Syntax

okv managed-object object locate --max max_value  --group group_value --state state_value

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "locate",
    "options" : {
      "max" : "#VALUE",
      "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
      "group" : "#FRESH|DEFAULT",
      "attributes" : {
        "name" : "#VALUE",
        "contactInfo" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--max / max	Required	Maximum number of objects that this command should return
--state / state	Optional	Enter one of the following states: PREACTIVE ACTIVE DEACTIVATED COMPROMISED DESTROYED DESTROYED_COMPROMISED
--group / group	Optional	Enter one of the following group values: DEFAULT FRESH
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name contactInfo See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object object locate command.

   okv managed-object object locate --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "locate",
       "options" : {
         "max" : "#VALUE",
         "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
         "group" : "#FRESH|DEFAULT",
         "attributes" : {
           "name" : "#VALUE",
           "contactInfo" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, locate-obj.json) and then edit it so that you can locate the security object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "locate",
       "options" : {
         "max" : "10",
         "state" : "ACTIVE",
         "group" : "FRESH",
         "attributes" : {
           "contactInfo" : "pfitch@example.com"
         }
       }
     }
   }

3. Execute the okv managed-object object locate command using the generated JSON file.

   okv managed-object object locate --from-json locate-obj.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "uuid" : "7DD388D5-9803-4F92-BF68-09DCBA519D16",
       "uuid" : "9C9171E3-3B52-4F38-BF13-0AB156311ED6",
       "uuid" : "F3419776-F535-4FCA-BF5C-54CF342A3AA0"
     }
   }

5.18 okv managed-object object query Command

The okv managed-object object query command identifies supported operations and objects.

Required Authorization

None

Syntax

okv managed-object object query

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "query"
  }
}

Parameters

None

JSON Example

1. Generate JSON input for the okv managed-object object query command.

   okv managed-object object query --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "query"
     }
   }

2. Save the generated input to a file (for example, query-obj.json).
3. Execute the okv managed-object object query command using the generated JSON file.

   okv managed-object object query --from-json query-obj.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "object" : "Symmetric Key, Template, Secret Data, Opaque Object, Certificate",
       "operation" : "Create, Register , Re-key, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Activate, Revoke, Destroy, Query, Discover Versions"
     }
   }

5.19 okv managed-object object revoke Command

The okv managed-object object revoke command revokes a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object revoke --code code --reason reason --compromiseDate date --uuid UUID 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "revoke",
    "options" : {
      "code" : "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
      "reason" : "#VALUE",
      "compromiseOccurrenceDate" : "#yyyy/MM/dd HH:mm:ss",
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--code / code	Required	Enter one of the following values: AFFILIATION_CHANGED CA_COMPROMISE (Certificate authority compromise) CESSATION_OF_OPERATION KEY_COMPROMISE PRIVILEGE_WITHDRAWN SUPERSEDED UNSPECIFIED
--reason / reason	Required	Description of the reason for the revocation
--compromise-occurrence-date / compromiseOccurrenceDate	Optional	Date the compromise took place
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object object revoke command.

   okv managed-object object revoke --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "revoke",
       "options" : {
         "code" : "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
         "reason" : "#VALUE",
         "compromiseOccurrenceDate" : "#yyyy/MM/dd HH:mm:ss",
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, revoke-obj.json) and then edit it so that you can revoke the security object privileges.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "revoke",
       "options" : {
         "code" : "KEY_COMPROMISE",
         "reason" : "security incidence",
         "compromiseOccurrenceDate" : "2020/11/20 10:00:00",
         "uuid" : "E4CA6A16-B3CD-4F98-BF25-4A0EF482B8B8"
       }
     }
   }

3. Execute the okv managed-object object revoke command using the generated JSON file.

   okv managed-object object revoke --from-json revoke-obj.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.20 okv managed-object opaque get Command

The okv managed-object opaque get command retrieves an object that contains opaque data.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object opaque get --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object opaque get command.

   okv managed-object opaque get --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "opaque",
       "action" : "get",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, get_opaque_object.json) and then edit it so that you can retrieve the data from the opaque object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "object",
       "action" : "activate",
       "options" : {
         "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
       }
     }
   }

3. Execute the okv managed-object opaque get command using the generated JSON file.

   okv managed-object opaque get --from-json get_opaque_object.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "object" : "2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A4D494945765149424144414E42676B71686B6947397730424151454641415343424B637767675363
   <<<< Output Truncated>>>>
   7067533170633634656D3630686C72336B786C593858665734317A594A450A724546334C652F4A4F4B4968674A754C367352734C67553D0A2D2D2D2D2D454E442050524956415445204B45592D2D2D2D2D0A"
     }
   }

5.21 okv managed-object opaque register Command

The okv managed-object opaque register command registers an opaque security object.

Objects containing opaque data are not necessarily interpreted by the server.

Required Authorization

None

Syntax

okv managed-object opaque register --object object_name --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : "#VALUE",
        "contactInfo" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--object / object	Required	File path to the object. To find the names of existing objects to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation bar.
--wallet / wallet	Optional	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
attributes	Optional	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name contactInfo See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes. For date values, use the following format: yyyy/MM/dd HH:mm:ss Example: 20220/07/14 10:09:25

JSON Example

1. Generate JSON input for the okv managed-object opaque register command.

   okv managed-object opaque register --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "opaque",
       "action" : "register",
       "options" : {
         "object" : "#VALUE",
         "wallet" : "#VALUE",
         "attributes" : {
           "name" : "#VALUE",
           "contactInfo" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, reg_opaque.json) and then edit it so that you can register the opaque key.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "opaque",
       "action" : "register",
       "options" : {
         "object" : "./key.pem",
         "wallet" : "hr_wallet",
         "attributes" : {
           "name" : "Opaque-Key-102/text",
           "contactInfo" : "pfitch@example.com"
         }
       }
     }
   }

3. Execute the okv managed-object opaque register command using the generated JSON file.

   okv managed-object opaque register --from-json reg_opaque.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.22 okv managed-object secret get Command

The okv managed-object secret get command retrieves the secret data from a security object of type secret.

Required Authorization

The endpoint must have read permission on the secret object.

Syntax

okv managed-object secret get --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the security object. To find the unique identifier for the security object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

1. Generate JSON input for the okv managed-object secret get command.

   okv managed-object secret get --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "secret",
       "action" : "get",
       "options" : {
         "uuid" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, secret_get.json) and then edit it so that you can locate the secret object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "secret",
       "action" : "get",
       "options" : {
         "uuid" : "D69D2F32-2DBB-4FF3-BF52-95487526E6EC"
       }
     }
   }

3. Execute the okv managed-object secret get command using the generated JSON file.

   okv managed-object secret get --from-json secret_get.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "object" : "ki3j&8slo73y2ls"
     }
   }

5.23 okv managed-object secret register Command

The okv managed-object secret register command registers secret data such as passwords or random seeds.

Required Authorization

None

Syntax

okv managed-object secret register --object object_name type PASSWORD|SEED wallet wallet_name --mask cryptogrpahic_usage_mask

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "type" : "#PASSWORD|SEED",
      "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : "#VALUE",
        "contactInfo" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template	Required?	Description
--object / object	Required	Path of the object file containing secret data.
--type / type	Required	Enter one of the following values: PASSWORD SEED
--wallet / wallet	Optional	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
--mask / mask	Required	Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values: ENCRYPT DECRYPT DERIVE_KEY EXPORT GENERATE_CRYPTOGRAM TRANSLATE_DECRYPT TRANSLATE_ENCRYPT TRANSLATE_UNWRAP TRANSLATE_WRAP UNWRAP_KEY VALIDATE_CRYPTOGRAM WRAP_KEY
attributes	Required	Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, execute the okv managed-object attribute list command. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax. Attributes that you can enter are as follows: name contactInfo See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

1. Generate JSON input for the okv managed-object secret register command.

   okv managed-object secret register --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "secret",
       "action" : "register",
       "options" : {
         "object" : "#VALUE",
         "type" : "#PASSWORD|SEED",
         "mask" : "#ENCRYPT,DECRYPT,WRAP_KEY,UNWRAP_KEY|EXPORT,DERIVE_KEY,GENERATE_CRYPTOGRAM,VALIDATE_CRYPTOGRAM,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP",
         "wallet" : "#VALUE",
         "attributes" : {
           "name" : "#VALUE",
           "contactInfo" : "#VALUE"
         }
       }
     }
   }

2. Save the generated input to a file (for example, reg-secret.json) and then edit it so that you can register the secret object.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "secret",
       "action" : "register",
       "options" : {
         "object" : "./hr_db_connect_password.txt",
         "type" : "PASSWORD",
         "mask" : "DERIVE_KEY",
         "wallet" : "hr_wallet",
         "attributes" : {
           "name" : "HR-DB-CONNECT-PASSWORD",
           "contactInfo" : "pfitch@example.com"
         }
       }
     }
   }

3. Execute the okv managed-object secret register command using the generated JSON file.

   okv managed-object secret register --from-json reg-secret.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "uuid" : "0F54D31A-ABA0-4F15-BF67-1B7513DD8634"
     }
   }

5.24 okv managed-object wallet add-member Command

The okv managed-object wallet add-member command adds a security object to a wallet as its member.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet add-member --uuid UUID --wallet wallet_name 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "add-member",
    "options" : {
      "uuid" : "#VALUE",
      "wallet" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the managed object that is being added to the wallet. To find the unique identifier for the managed object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
--wallet / wallet	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.

JSON Example

1. Generate JSON input for the okv managed-object wallet add-member command.

   okv managed-object wallet add-member --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "wallet",
       "action" : "add-member",
       "options" : {
         "uuid" : "#VALUE",
         "wallet" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, add_wallet_member.json) and then edit it so that you can add a security object to a wallet.

   {
   "service": { 
      "category": "managed-object",
      "resource": "wallet",
      "action": "add-member",
      "options": {
             "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
             "wallet": "hr_wallet"
        } 
     } 
   }

3. Execute the okv managed-object wallet add-member command using the generated JSON file.

   okv managed-object wallet add-member --from-json add_wallet_member.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.25 okv managed-object wallet delete-member Command

The okv managed-object wallet delete-member command deletes the membership of the managed-object from a wallet.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet delete-member --uuid UUID --wallet wallet_name 

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "delete-member",
    "options" : {
      "uuid" : "#VALUE",
      "wallet" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
--uuid / uuid	Required	Universally unique ID (UUID) of the managed object in the wallet. To find the unique identifier for the managed object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys, Secrets & Objects in the left navigation window. In the Keys, Secrets & Objects table, check the Unique Identifier column.
--wallet / wallet	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation panel.

JSON Example

1. Generate JSON input for the okv managed-object wallet delete-member command.

   okv managed-object wallet delete-member --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "wallet",
       "action" : "delete-member",
       "options" : {
         "uuid" : "#VALUE",
         "wallet" : "#VALUE"
       }
     }
   }

2. Save the generated input to a file (for example, delete_wallet_member.json) and then edit it so that you can delete a security object from a wallet.

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "wallet",
       "action" : "delete-member",
       "options" : {
         "uuid" : "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
         "wallet" : "hr_wallet"
       }
     }
   }

3. Execute the okv managed-object wallet delete-member command using the generated JSON file.

   okv managed-object wallet delete-member --from-json delete_wallet_member.json

   Output similar to the following appears:

   {
     "result" : "Success"
   }

5.26 okv managed-object wallet list Command

The okv managed-object wallet list command lists wallets that have their access granted to the endpoint used to connect to Oracle Key Vault.

This command authenticates with the endpoint's client certificate.

Required Authorization

None, but this command returns only those wallets to which the current endpoint is granted access.

Syntax

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "wallet",
    "action" : "list"
  }
}

okv managed-object wallet list

Parameters

None

JSON Example

1. Generate JSON input for the okv managed-object wallet list command.

   okv managed-object wallet list --generate-json-input

   The generated input appears as follows:

   {
     "service" : {
       "category" : "managed-object",
       "resource" : "wallet",
       "action" : "list"
     }
   }

2. Save the generated input to a file (for example, wallet_list.json).
3. Execute the okv managed-object wallet list command using the generated JSON file.

   okv managed-object wallet list --from-json wallet_list.json

   Output similar to the following appears:

   {
     "result" : "Success",
     "value" : {
       "wallets" : "hr_wallet"
     }
   }