Access Management Commands

4 Access Management Commands

You can use the access management commands to manage wallets and endpoint groups.

okv manage-access endpoint-group add-endpoint Command
The okv manage-access endpoint-group add-endpoint command adds an existing endpoint to an endpoint group.
okv manage-access endpoint-group check-status Command
The okv manage-access endpoint-group check-status command checks the naming conflict resolution status of an endpoint group in a multi-master cluster.
okv manage-access endpoint-group create Command
The okv manage-access endpoint-group create command creates a new endpoint group.
okv manage-access endpoint-group delete Command
The okv manage-access endpoint-group delete command deletes an endpoint group.
okv manage-access endpoint-group remove-endpoint Command
The okv manage-access endpoint-group remove-endpoint command removes an endpoint from an endpoint group.
okv manage-access endpoint-group update Command
The okv manage-access endpoint-group update command changes the name and description of an endpoint group, and can be used to ensure that the endpoint group name is unique.
okv manage-access wallet add-access Command
The okv manage-access wallet add-access command grants an endpoint or an endpoint group a level of access to a wallet.
okv manage-access wallet check-status Command
The okv manage-access wallet check-status command checks the naming conflict resolution status of a wallet in a multi-master cluster.
okv manage-access wallet create Command
The okv manage-access wallet create command creates a wallet.
okv manage-access wallet delete Command
The okv manage-access wallet delete command deletes a wallet.
okv manage-access wallet get-default Command
The okv manage-access wallet get-default command gets the default wallet that has been associated with an endpoint.
okv manage-access wallet list-endpoint-wallets Command
The okv manage-access wallet list-endpoint-wallets command lists the wallets that are associated with an endpoint.
okv manage-access wallet remove-access Command
The okv manage-access wallet remove-access command removes the access that an endpoint or an endpoint group has to a wallet.
okv manage-access wallet set-default Command
The okv manage-access wallet set-default command sets the default wallet for an endpoint.
okv manage-access wallet update Command
The okv manage-access wallet update command updates a wallet.
okv manage-access wallet update-access Command
The okv manage-access wallet update-access command updates the level of access that an endpoint or an endpoint group has to a wallet.

4.1 okv manage-access endpoint-group add-endpoint Command

The okv manage-access endpoint-group add-endpoint command adds an existing endpoint to an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group add-endpoint --endpoint-group endpoint_group_name --endpoint endpoint_member

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "add-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint-group` / `endpointGroup`	Required	Name of the endpoint group. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.
`--endpoint` / `endpoint`	Required	Name of the endpoint. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page.

JSON Example

Generate JSON input for the okv manage-access endpoint-group add-endpoint command.

okv manage-access endpoint-group add-endpoint --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "add-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, add_ep_to_group.json) and then edit it so that you can add the endpoint to an endpoint group.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "add-endpoint",
    "options" : {
      "endpointGroup" : "epg_hr",
      "endpoint" : "hr_db_ep"
    }
  }
}

Execute the okv manage-access endpoint-group add-endpoint command using the generated JSON file.
```
okv manage-access endpoint-group add-endpoint --from-json add_ep_to_group.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.2 okv manage-access endpoint-group check-status Command

The okv manage-access endpoint-group check-status command checks the naming conflict resolution status of an endpoint group in a multi-master cluster.

This command is meant primarily for multi-master cluster environments. However, it is still valid for other deployments and can be used to check the existence of an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group check-status --endpoint-group endpoint_group_name|--locator-id UUID

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "check-status",
    "options" : {
      "endpointGroup" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

Parameter/Template Parameter	Required?	Description
`--endpoint_group` / `-endpointGroup` or `--locator-id` / `locatorID`	Required	The name of the endpoint group or the locator ID (universally unique ID (UUID)) of the endpoint group that you want to check. The `--locator-id` / `locatorID` is required only if you are using a multi-master cluster environment. You must specify either the `--endpoint-group` / `endpointGroup` value or the `--locator-id` / `locatorID` value, not both. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab, then Endpoint Groups in the left navigation bar, and in the Endpoint Groups page, check the Endpoints Groups page. To find the locator ID in the Oracle Key Vault management console, select the Cluster tab and then in the left navigation bar, select Conflict Resolution. In the Keys, Secrets & Objects table, check the Unique Identifier column.

--endpoint_group / -endpointGroup or --locator-id / locatorID

Required

The name of the endpoint group or the locator ID (universally unique ID (UUID)) of the endpoint group that you want to check. The --locator-id / locatorID is required only if you are using a multi-master cluster environment.

You must specify either the --endpoint-group / endpointGroup value or the --locator-id / locatorID value, not both.

To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab, then Endpoint Groups in the left navigation bar, and in the Endpoint Groups page, check the Endpoints Groups page.

To find the locator ID in the Oracle Key Vault management console, select the Cluster tab and then in the left navigation bar, select Conflict Resolution. In the Keys, Secrets & Objects table, check the Unique Identifier column.

JSON Example

Generate JSON input for the okv manage-access endpoint-group check-status command.

okv manage-access endpoint-group check-status --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "check-status",
    "options" : {
      "endpointGroup" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, check-status_epg.json) and then edit it so that you can check the endpoint group's status. Specify either the endpointGroup value or the locatorID value, but not both.
```
{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "check-status",
    "options" : {
      "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
    }
  }
}
```
Execute the okv manage-access endpoint-group check-status command using the generated JSON file.
```
okv manage-access endpoint-group check-status --from-json check-status_epg.json
```
Output similar to the following appears:
```
{
  "result" : "Success",
  "value" : {
    "status" : "ACTIVE",
    "endpointGroup" : "EPG_HR"
  }
}
```
Output includes the name of the endpoint group if the endpoint group object is in ACTIVE state. The endpoint group name shown here may be different from what was specified at the endpoint group creation time. If the endpoint groups with the same name are created on multiple cluster nodes, then Oracle Key Vault performs naming conflict resolution and it renames all but one endpoint groups by appending _OKVnode-id to the endpoint group name. For example, if you named the endpoint group EPG_HR, and there is a naming conflict, then the name could be EPG_HR_OKV01.

On deployments other than multi-master cluster, this command returns Success if the endpoint group exists and output does not include entries showing the endpoint group name and its state.

Parent topic: Access Management Commands

4.3 okv manage-access endpoint-group create Command

The okv manage-access endpoint-group create command creates a new endpoint group.

Required Authorization

Key Administrator role or Create Endpoint Group system privilege

Syntax

okv manage-access endpoint-group create --endpoint-group endpoint_group_name --description "endpoint group description" --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "create",
    "options" : {
      "endpointGroup" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

Parameter/Template Parameter	Required?	Description
`--endpoint-group` / `endpointGroup`	Required	Name of the endpoint group. See Naming Guidelines for Objects. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.
`--description` / `description`	Optional	A user-friendly description of the endpoint group enclosed within double quotation marks
`--unique` / `unique`	Optional	Applies to a multi-master cluster environment only. This `--unique` parameter creates the endpoint group as a unique endpoint group. In a multi-master cluster, it is possible that an endpoint group with the same name could be created from two different nodes. If that happens, then the endpoint group names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint group with the given name and rename other endpoint groups with the conflicting names to a name using this format: `given_epg_name_OKVnode_id`. Valid settings are as follows: `TRUE` appends `_OKVnode_id` to the given name and thus prevent the conflict for this wallet name. The endpoint group is immediately usable. `FALSE` (default) causes Oracle Key Vault to begin a checking process to find if the endpoint group name is unique. A unique ID is returned. You can use this ID to check the status of the endpoint group creation, whether it is in progress (`PENDING`) or complete (`ACTIVE`). If the status is `PENDING`, then it is not yet usable, so any actions performed on the endpoint group will fail. If the status is `ACTIVE`, then the endpoint group is usable. To check the status, execute the `okv admin endpoint-group check-status` command. If the name that you provided is already used in another node, then the name for this endpoint group will have `_OKVxx` appended to it. For example, if you named the endpoint group `epg12`, and there is a naming conflict, the name could be `EPG12_OKV01`.

--endpoint-group / endpointGroup

Required

Name of the endpoint group. See Naming Guidelines for Objects. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.

--description / description

Optional

A user-friendly description of the endpoint group enclosed within double quotation marks

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the endpoint group as a unique endpoint group. In a multi-master cluster, it is possible that an endpoint group with the same name could be created from two different nodes. If that happens, then the endpoint group names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint group with the given name and rename other endpoint groups with the conflicting names to a name using this format: given_epg_name_OKVnode_id.

Valid settings are as follows:

TRUE appends _OKVnode_id to the given name and thus prevent the conflict for this wallet name. The endpoint group is immediately usable.
FALSE (default) causes Oracle Key Vault to begin a checking process to find if the endpoint group name is unique. A unique ID is returned. You can use this ID to check the status of the endpoint group creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then it is not yet usable, so any actions performed on the endpoint group will fail. If the status is ACTIVE, then the endpoint group is usable. To check the status, execute the okv admin endpoint-group check-status command. If the name that you provided is already used in another node, then the name for this endpoint group will have _OKVxx appended to it. For example, if you named the endpoint group epg12, and there is a naming conflict, the name could be EPG12_OKV01.

JSON Example

Generate JSON input for the okv manage-access endpoint-group create command.

okv manage-access endpoint-group create --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "create",
    "options" : {
      "endpointGroup" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Save the generated input to a file (for example, create_epg.json) and then edit it so that you can create the endpoint group.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "create",
    "options" : {
      "endpointGroup" : "epg_hr",
      "description" : "HR endpoint group",
      "unique" : "FALSE"
    }
  }
}

Execute the okv manage-access endpoint-group create command using the generated JSON file.
```
okv manage-access endpoint-group create --from-json create_epg.json
```
Output for a multi-master cluster environment appears similar to the following:
```
{
  "result" : "Success",
  "value" : {
    "status" : "PENDING",
    "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
  }
}
```
You can use the locatorID from this output with the okv manage-access endpoint-group check-status command to display the current state of the endpoint group object. If the object status is ACTIVE, this command also displays the object name after the conflict-name resolution.

Parent topic: Access Management Commands

4.4 okv manage-access endpoint-group delete Command

The okv manage-access endpoint-group delete command deletes an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group delete --endpoint-group endpoint_group_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "delete",
    "options" : {
      "endpointGroup" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint-group` / `endpointGroup`	Required	Name of the endpoint group. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.

JSON Example

Generate JSON input for the okv manage-access endpoint-group delete command.

okv manage-access endpoint-group delete --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "delete",
    "options" : {
      "endpointGroup" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, delete_epg.json) and then edit it so that you can delete the endpoint group.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "delete",
    "options" : {
      "endpointGroup" : "epg_hr"
    }
  }
}

Execute the okv manage-access endpoint-group delete command using the generated JSON file.
```
okv manage-access endpoint-group delete --from-json delete_epg.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.5 okv manage-access endpoint-group remove-endpoint Command

The okv manage-access endpoint-group remove-endpoint command removes an endpoint from an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group remove-endpoint --endpoint-group endpoint_group_name --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "remove-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint-group` / `endpointGroup`	Required	Name of the endpoint group that you want to remove. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.
`--endpoint` / `endpoint`	Required	Name of the endpoint that is associated with the endpoint group. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page.

JSON Example

Generate JSON input for the okv manage-access endpoint-group remove-endpoint command.

okv manage-access endpoint-group remove-endpoint --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "remove-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, remove_ep_from_epg.json) and then edit it so that you can remove the endpoint from the endpoint group.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "remove-endpoint",
    "options" : {
      "endpointGroup" : "epg_hr",
      "endpoint" : "hr_db_ep"
    }
  }
}

Execute the okv manage-access endpoint-group remove-endpoint command using the generated JSON file.
```
okv manage-access endpoint-group remove-endpoint --from-json remove_ep_from_epg.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.6 okv manage-access endpoint-group update Command

The okv manage-access endpoint-group update command changes the name and description of an endpoint group, and can be used to ensure that the endpoint group name is unique.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group update --endpoint-group endpoint_group_name --description "description" --name new_endpoint_group_name --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "update",
    "options" : {
      "endpointGroup" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint-group` / `endpointGroup`	Required	Current name of the endpoint group. To find existing endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoint Groups page.
`--description` / `description`	Optional	A user-friendly description of the endpoint group enclosed within double quotation marks
`--name` / `name`	Optional	New endpoint group name. See Naming Guidelines for Objects.
`--unique` / `unique`	Optional	Applies to a multi-master cluster environment only. This `--unique` parameter creates the endpoint group as a unique endpoint group. In a multi-master cluster, it is possible that an endpoint group with the same name could be created from two different nodes. If that happens, then the endpoint group names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint group with the given name and rename other endpoint groups with the conflicting names to a name using this format: `given_epg_name_OKVnode_id`. Valid settings are as follows: `TRUE` appends `_OKVnode_id` to the given name and thus prevent the conflict for this wallet name. The endpoint group is immediately usable. `FALSE` (default) causes Oracle Key Vault to begin a checking process to find if the endpoint group name is unique. A unique ID is returned. You can use this ID to check the status of the endpoint group creation, whether it is in progress (`PENDING`) or complete (`ACTIVE`). If the status is `PENDING`, then it is not yet usable, so any actions performed on the endpoint group will fail. If the status is `ACTIVE`, then the endpoint group is usable. To check the status, execute the `okv admin endpoint-group check_status` command. If the name that you provided is already used in another node, then the name for this endpoint group will have `_OKVxx` appended to it. For example, if you named the endpoint group `epg12`, and there is a naming conflict, the name could be `EPG12_OKV01`.

JSON Example

Generate JSON input for the okv manage-access endpoint-group update command.

okv manage-access endpoint-group update --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "update",
    "options" : {
      "endpointGroup" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Save the generated input to a file (for example, epg_update.json) and then edit it so that you can update the endpoint group.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "update",
    "options" : {
      "endpointGroup" : "epg_hr",
      "name" : "epg_hr_global",
      "description" : "Global HR Endpoint Group",
      "unique" : "FALSE"
    }
  }
}

Execute the okv manage-access endpoint-group update command using the generated JSON file.
```
okv manage-access endpoint-group update --from-json epg_update.json
```
Output similar to the following appears:
```
{
  "result" : "Success",
  "value" : {
    "status" : "PENDING",
    "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
  }
}
```
This example shows the output for renaming an endpoint group in a multi-master cluster. On renaming, an endpoint group is placed into the PENDING state for the duration of the naming conflict resolution.

You can use the locatorID from this output with the okv manage-access endpoint-group check-status command to display the current state of the endpoint group object. If the object status is ACTIVE, then this command also displays the object name after the conflict-name resolution.

Unless you renamed the endpoint group in a multi-master cluster, the status and locatorID entries are not included in the output.

Parent topic: Access Management Commands

4.7 okv manage-access wallet add-access Command

The okv manage-access wallet add-access command grants an endpoint or an endpoint group a level of access to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet add-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name --access RO|RM|RO_MW|RM_MW

JSON Input File Template

{
  "service": {
    "category": "manage-access",
    "resource": "wallet",
    "action": "add-access",
    "options": {
      "wallet": "#VALUE",
      "endpointGroup": "#VALUE",
      "endpoint": "#VALUE",
      "access": "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.

--endpoint / endpoint

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group. You can only specify either an endpoint or an endpoint group, but not both. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page. For endpoint groups, check the Endpoint Groups page.

--access / access

Required

Enter one of the following values:

RO for read-only access
RM for read-and-modify access
RO_MW for read-only and manage-wallet access
RM_MW for read-and-modify and manage-wallet access

JSON Example

Generate JSON input for the okv manage-access wallet add-access command.

okv manage-access wallet add-access --generate-json-input

The generated input appears as follows. This output includes wallet access settings for both endpoints and endpoint groups. When you edit it, you must include either the endpoint settings or the endpoint group settings, but not both.

{
  "service": {
    "category": "manage-access",
    "resource": "wallet",
    "action": "add-access",
    "options": {
      "wallet": "#VALUE",
      "endpointGroup": "#VALUE",
      "endpoint": "#VALUE",
      "access": "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Save the generated input to a file (for example, add_access_wallet.json) and then edit it so that you can add wallet access to the endpoint or endpoint group. The following example is for the wallet access to an endpoint only.
```
{
  "service": {
    "category": "manage-access",
    "resource": "wallet",
    "action": "add-access",
    "options": {
      "wallet": "hr_wallet",
      "endpoint": "hr_db_ep",
      "access": "RO"
    }
  }
}
```
Execute the okv manage-access wallet add-access command using the generated JSON file.
```
okv manage-access wallet add-access --from-json add_access_wallet.json
```
Output similar to the following appears:
```
{
  "result": "Success"
}
```

Parent topic: Access Management Commands

4.8 okv manage-access wallet check-status Command

The okv manage-access wallet check-status command checks the naming conflict resolution status of a wallet in a multi-master cluster.

This command is meant primarily for multi-master cluster environments. However, it is still valid for other deployments and can be used to check the existence of a wallet.

This command uses a user name and password for the authentication.

Required Authorization

None, but the user only gets the status for the wallets to which he or she has access.

Syntax

okv manage-access wallet check-status --wallet wallet_name|--locator-id UUID

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "check-status",
    "options" : {
      "wallet" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

Parameter/Template Parameter	Required?	Description
`--wallet` / `wallet` or `--locator-id` / `locatorID`	Optional	The name of the wallet or the locator ID (universally unique ID (UUID)) of the wallet that you want to check. The `--locator-id` / `locatorID` is required only if you are using a multi-master cluster environment. You must specify either the `--wallet` / `wallet` value or the `--locator-id` / `locatorID` value, not both. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar. To find the locator ID in the Oracle Key Vault management console, select the Cluster tab and then in the left navigation bar, select Conflict Resolution. In the Keys, Secrets & Objects table, check the Unique Identifier column.

--wallet / wallet or --locator-id / locatorID

Optional

The name of the wallet or the locator ID (universally unique ID (UUID)) of the wallet that you want to check. The --locator-id / locatorID is required only if you are using a multi-master cluster environment.

You must specify either the --wallet / wallet value or the --locator-id / locatorID value, not both.

To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.

JSON Example

Generate JSON input for the okv manage-access wallet check-status command.

okv manage-access wallet check-status --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "check-status",
    "options" : {
      "wallet" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, check_wallet.json) and then edit it so that you can check the status of the wallet. Specify either the wallet value or the locatorID value, but not both.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "check-status",
    "options" : {
      "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
    }
  }
}

Execute the okv manage-access wallet check-status command using the generated JSON file.
```
okv manage-access wallet check-status --from-json check_wallet.json
```
Output similar to the following appears:
```
{
  "result" : "Success",
  "value" : {
    "status" : "ACTIVE",
    "wallet" : "hr_wallet"
  }
}
```
Output includes the name of the wallet if the wallet object is in ACTIVE state. The wallet name shown here may be different from what was specified at the wallet creation time. If the wallets with the same name are created on multiple cluster nodes, Oracle Key Vault performs naming conflict resolution and it renames all but one wallets by appending _OKVnode-id to the wallet name. For example, if you named the wallet HR_WALLET, and there is a naming conflict, the name could be HR_WALLET_OKV01.

On deployments other than multi-master cluster, this command returns Success if the wallet exists and output does not include entries showing the wallet name and its state.

Parent topic: Access Management Commands

4.9 okv manage-access wallet create Command

The okv manage-access wallet create command creates a wallet.

This command uses a user name and password for the authentication.

Required Authorization

None

Syntax

okv manage-access wallet create --wallet wallet_name --description "wallet_description" --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

Parameter/Template Parameter	Required?	Description
`--wallet` / `wallet`	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar. See Naming Guidelines for Objects.
`--description` / `description`	Optional	A user-friendly description for the wallet, enclosed within double quotation marks
`--unique` / `unique`	Optional	Applies to a multi-master cluster environment only. This `--unique` parameter creates the wallet as a unique wallet. In a multi-master cluster, it is possible that a wallet with the same name could be created from two different nodes. If that happens, then the wallet names may conflict. The Oracle Key Vault conflict resolution scheme will keep one wallet with the given name and rename other wallets with the conflicting names to a name using this format: `given_wallet_name_OKVnode_id`. Valid settings are as follows: `TRUE` appends `_OKVnode_id` to the given name and thus prevents the conflict for this wallet name. The wallet is immediately usable. `FALSE` causes Oracle Key Vault to begin a checking process to find if the wallet name is unique. A unique ID is returned. You can use this ID to check the status of the wallet creation, whether it is in progress (`PENDING`) or complete (`ACTIVE`). If the status is `PENDING`, then it is not yet usable, so any actions performed on the wallet will fail. If the status is `ACTIVE`, then confirm the name of the wallet after Oracle Key Vault performs name resolution for this name by executing the `okv manage-access wallet check-status` command. If the name that you provided is already used in another node, then the name for this wallet will have `_OKVxx` appended to it. For example, if you named the wallet `wallet12`, and there is a naming conflict, the name could be `WALLET12_OKV01`. If the name that you provided has no naming conflicts, then it will be accepted as the wallet name without any changes.

--wallet / wallet

Required

See Naming Guidelines for Objects.

--description / description

Optional

A user-friendly description for the wallet, enclosed within double quotation marks

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the wallet as a unique wallet. In a multi-master cluster, it is possible that a wallet with the same name could be created from two different nodes. If that happens, then the wallet names may conflict. The Oracle Key Vault conflict resolution scheme will keep one wallet with the given name and rename other wallets with the conflicting names to a name using this format: given_wallet_name_OKVnode_id.

Valid settings are as follows:

TRUE appends _OKVnode_id to the given name and thus prevents the conflict for this wallet name. The wallet is immediately usable.
FALSE causes Oracle Key Vault to begin a checking process to find if the wallet name is unique. A unique ID is returned. You can use this ID to check the status of the wallet creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then it is not yet usable, so any actions performed on the wallet will fail. If the status is ACTIVE, then confirm the name of the wallet after Oracle Key Vault performs name resolution for this name by executing the okv manage-access wallet check-status command. If the name that you provided is already used in another node, then the name for this wallet will have _OKVxx appended to it. For example, if you named the wallet wallet12, and there is a naming conflict, the name could be WALLET12_OKV01. If the name that you provided has no naming conflicts, then it will be accepted as the wallet name without any changes.

JSON Example

Generate JSON input for the okv manage-access wallet create command.

okv manage-access wallet create --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Save the generated input to a file (for example, create_wallet.json) and then edit it so that you can create the wallet.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "hr_wallet",
      "description" : "wallet for HR endpoint",
      "unique" : "FALSE"
    }
  }
}

Execute the okv manage-access wallet create command using the generated JSON file.
```
okv manage-access wallet create --from-json create_wallet.json
```
Output for a multi-master cluster environment appears similar to the following:
```
{
  "result" : "Success",
  "value" : {
    "status" : "PENDING",
    "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
  }
}
```
You can use the locatorID from this output with the okv manage-access wallet check-status command to display the current state of the wallet object. If the object status is ACTIVE, then this command also displays the object name after the conflict-name resolution.

Related Topics

okv manage-access wallet check-status Command

Parent topic: Access Management Commands

4.10 okv manage-access wallet delete Command

The okv manage-access wallet delete command deletes a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet delete --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "delete",
    "options" : {
      "wallet" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--wallet` / `wallet`	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.

JSON Example

Generate JSON input for the okv manage-access wallet delete command.

okv manage-access wallet delete --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "delete",
    "options" : {
      "wallet" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, del_wallet.json) and then edit it so that you can delete the wallet from Oracle Key Vault.

{
  "service" : {
    "category" : "manage-access",
    "resource ": "wallet",
    "action" : "delete",
    "options" : {
      "wallet" : "hr_wallet"
    }
  }
}

Execute the okv manage-access wallet delete command using the generated JSON file.
```
okv manage-access wallet delete --from-json del_wallet.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.11 okv manage-access wallet get-default Command

The okv manage-access wallet get-default command gets the default wallet that has been associated with an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

None, but the default wallet information for the endpoint is returned if the user has some level of access on that wallet.

Syntax

okv manage-access wallet get-default --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "get-default",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint` / `endpoint`	Required	Name of the endpoint. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page.

JSON Example

Generate JSON input for the okv manage-access wallet get-default command.

okv manage-access wallet get-default --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "get-default",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, get_def_wallet.json) and then edit it so that you can get the default wallet that is associated with the specified endpoint.
```
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "get-default",
    "options" : {
      "endpoint" : "hr_db_ep"
    }
  }
}
```

Execute the okv manage-access wallet get-default command using the generated JSON file.

okv manage-access wallet get-default --from-json get_def_wallet.json

Output similar to the following appears:

{
  "result" : "Success",
  "value" : {
    "defaultWallet" : "hr_wallet"
  }
}

Parent topic: Access Management Commands

4.12 okv manage-access wallet list-endpoint-wallets Command

The okv manage-access wallet list-endpoint-wallets command lists the wallets that are associated with an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

None, but this command returns information about only those wallets on which user has some level of access.

Syntax

okv manage-access wallet list-endpoint-wallets --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-endpoint-wallets",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--endpoint` / `endpoint`	Required	The name of the endpoint. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page

JSON Example

Generate JSON input for the okv manage-access wallet list-endpoint-wallets command.

okv manage-access wallet list-endpoint-wallets --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-endpoint-wallets",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, list_ep_wallets.json) and then edit it so that you can find the wallets that are associated with the specified endpoint.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-endpoint-wallets",
    "options" : {
      "endpoint" : "hr_db_ep"
    }
  }
}

Execute the okv manage-access wallet list-endpoint-wallets command using the generated JSON file.

okv manage-access wallet list-endpoint-wallets --from-json list_ep_wallets.json

Output similar to the following appears:

{
  "result" : "Success",
  "value" : {
    "wallets" : [ "Wallet10", "Wallet11" ]
  }
}

Parent topic: Access Management Commands

4.13 okv manage-access wallet remove-access Command

The okv manage-access wallet remove-access command removes the access that an endpoint or an endpoint group has to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet remove-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

--endpoint / endpoint

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group. To find existing endpoints or endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints or Endpoint Groups page.

JSON Example

Generate JSON input for the okv manage-access wallet remove-access command.
```
okv manage-access wallet remove-access --generate-json-input
```
The generated input appears as follows. This output includes the entire output, for both the endpoint and endpoint group. When you edit it, you must include the entry for either the endpoint or the endpoint group, but not both.
```
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}
```
Save the generated input to a file (for example, remove_wallet_access_ep.json) and then edit it so that you can remove wallet access from an endpoint or an endpoint group. The following example shows how to remove access from an endpoint.
```
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "hr_wallet",
      "endpoint" : "hr_db_ep"
    }
  }
}
```
Execute the okv manage-access wallet remove-access command using the generated JSON file.
```
okv manage-access wallet remove-access --from-json remove_wallet_access_ep.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.14 okv manage-access wallet set-default Command

The okv manage-access wallet set-default command sets the default wallet for an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or Manage Endpoint privilege for the endpoint and Full Wallet privileges on the wallet

Syntax

okv manage-access wallet set-default --wallet wallet_name --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--wallet` / `wallet`	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
`--endpoint` / `endpoint`	Required	Name of the endpoint. To find existing endpoints, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints page.

Example

Generate JSON input for the okv manage-access wallet set-default command.

okv manage-access wallet set-default --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Save the generated input to a file (for example, set_def_wallet.json) and then edit it so that you can set the default wallet for an endpoint.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "hr_wallet",
      "endpoint" : "hr_db_ep"
    }
  }
}

Execute the okv manage-access wallet set-default command using the generated JSON file.
```
okv manage-access wallet set-default --from-json set_def_wallet.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands

4.15 okv manage-access wallet update Command

The okv manage-access wallet update command updates a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet update --wallet wallet_name --name new_wallet_name --description description --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update",
    "options" : {
      "wallet" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--wallet` / `wallet`	Required	Wallet name. To find the names of existing wallets to which you have access, in the Oracle Key Vault management console, select the Keys & Wallets tab, and then click Wallets in the left navigation bar.
`--name` / `name`	Optional	A new name for the wallet. See Naming Guidelines for Objects.
`--description` / `description`	Optional	A user-friendly description for the wallet, enclosed within double quotation marks
`--unique` / `unique`	Optional	Applies to a multi-master cluster environment only. This `--unique` parameter creates the wallet as a unique wallet. In a multi-master cluster, it is possible that a wallet with the same name could be created from two different nodes. If that happens, then the wallet names may conflict. The Oracle Key Vault conflict resolution scheme will keep one wallet with the given name and rename other wallets with the conflicting names to a name using this format: `given_wallet_name_OKVnode_id`. Valid settings are as follows: `TRUE` appends `_OKVnode_id` to the given name and thus prevent the conflict for this wallet name. The wallet is immediately usable. `FALSE` causes Oracle Key Vault to begin a checking process to find if the wallet name is unique. A unique ID is returned. You can use this ID to check the status of the wallet creation, whether it is in progress (`PENDING`) or complete (`ACTIVE`). If the status is `PENDING`, then it is not yet usable, so any actions performed on the wallet will fail. If the status is `ACTIVE`, then confirm the name of the wallet after Oracle Key Vault performs name resolution for this name by executing the `okv manage-access wallet check-status` command. If the name that you provided is already used in another node, then the name for this wallet will have `_OKVxx` appended to it. For example, if you named the wallet `wallet12`, and there is a naming conflict, the name could be `WALLET12_OKV01`.

JSON Example

Generate JSON input for the okv manage-access wallet update command.

okv manage-access wallet update --generate-json-input

The generated input appears as follows:

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update",
    "options" : {
      "wallet" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Save the generated input to a file (for example, update_wallet.json) and then edit it so that you can update the name and description of a wallet. This example shows how to update the name of a wallet.

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update",
    "options" : {
      "wallet" : "hr_wallet",
      "name" : "global_hr_wallet",
      "unique" : "FALSE"
    }
  }
}

Execute the okv manage-access wallet update command using the generated JSON file.
```
okv manage-access wallet update --from-json update_wallet.json
```
Output similar to the following appears:
```
{
  "result" : "Success",
  "value" : {
    "status" : "PENDING",
    "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
  }
}
```
This example shows the output for renaming a wallet in a multi-master cluster. On renaming, a wallet is placed into the PENDING state for the duration of the naming conflict resolution.

Unless you renamed the wallet in a multi-master cluster, the status and locatorID entries are not included in the output.

Related Topics

okv manage-access wallet check-status Command

Parent topic: Access Management Commands

4.16 okv manage-access wallet update-access Command

The okv manage-access wallet update-access command updates the level of access that an endpoint or an endpoint group has to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet update-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name --access RO|RM|RO_MW|RM_MW

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE",
      "access" : "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

--endpoint / endpoint

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group. You can only specify either an endpoint or an endpoint group, but not both. To find existing endpoints or endpoint groups, in the Oracle Key Vault management console, select the Endpoints tab and then check the Endpoints or Endpoint Groups page.

--access / access

Required

Enter one of the following values:

RO for read-only access
RM for read-and-modify access
RO_MW for read-only and manage-wallet access
RM_MW for read-and-modify and manage-wallet access

JSON Example

Generate JSON input for the okv manage-access wallet update-access command.

okv manage-access wallet update-access --generate-json-input

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE",
      "access" : "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Save the generated input to a file (for example, update_wallet_access_ep.json) and then edit it so that you can update the wallet access to an endpoint or an endpoint group. This example shows how to update access of a wallet to an endpoint.
```
{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update-access",
    "options" : {
      "wallet" : "hr_wallet",
      "endpoint" : "hr_db_ep",
      "access" : "RM"
    }
  }
}
```
Execute the okv manage-access wallet update-access command using the generated JSON file.
```
okv manage-access wallet update-access --from-json update_wallet_access_ep.json
```
Output similar to the following appears:
```
{
  "result" : "Success"
}
```

Parent topic: Access Management Commands