4 Oracle Key Vault HSM Support Guidance
The Oracle Key Vault HSM support guidance provides information about troubleshooting and vendor specific notes.
- General Troubleshooting
Oracle Key Vault provides general troubleshooting help. Vendor-specific notes cover vendor-specific troubleshooting. - Vendor Specific Notes for Thales
Oracle Key Vault supports integration with Thales (formerly Safenet Luna) NetworkHSM version 7000, but does not support Host Trust Link (HTL) for Thales HSM. - Vendor Specific Notes for Entrust
You can integrate Oracle Key Vault release 12.2 BP 3 and later with the HSM from Entrust nShield Connect + and XC models. - Vendor Specific Notes for Utimaco
Oracle Key Vault supports Oracle Key Vault integration with Utimaco SecurityServer 4.31.1. - Vendor Specific Notes for Other HSMs
For HSMs other than Thales Luna Network HSM version 7000, Entrust nShield Connect + and XC models, or Utimaco’s SecurityServer 4.31.1, Oracle Key Vault supports an integration with HSM vendors that meet the Oracle Key Vault requirements.
4.1 General Troubleshooting
Oracle Key Vault provides general troubleshooting help. Vendor-specific notes cover vendor-specific troubleshooting.
- Trace Files for Diagnosing Issues
Oracle Key Vault provides trace files so that you can better diagnose issues that may arise. - HSM Alert
Oracle Key Vault provides an alert mechanism that periodically monitors the HSM configuration to check for Root of Trust key availability and file health. - Could Not Get Slot for HSM Error
TheCould Not Get Slot for HSM
error indicates that Oracle Key Vault could not get a slot from the HSM. - Could Not Load PKCS#11 Library Error
TheCould Not Load PKCS#11 Library
error indicates that Oracle Key Vault could not load the PKCS#11 library. - Oracle Key Vault Management Console Does Not Start After Restarting HSM-Enabled Oracle Key Vault Server
The Oracle Key Vault management console may not appear after you restart the HSM-enabled Oracle Key Vault server. - Primary-Standby Errors
Theokv_security.conf
file contains settings that can help you diagnose primary-standby errors. - Errors from HSM-Enabled Oracle Key Vault Backups
You can use thecwallet.sso
file to diagnose HSM-enabled Oracle Key Vault backup errors. - Restoration of a Backed Up HSM-Enabled Oracle Key Vault Server
Before you restore a backup that was taken on an HSM-enabled Oracle Key Vault server, ensure that you have set the same HSM credential and token label that were used when the backup was taken.
Parent topic: Oracle Key Vault HSM Support Guidance
4.1.1 Trace Files for Diagnosing Issues
Oracle Key Vault provides trace files so that you can better diagnose issues that may arise.
Use these trace files to more finely diagnose issues when you attempt hardware security module operations. These trace files are located in the /var/okv/log/hsm/
directory on the Oracle Key Vault server. To see the most recently failed operation, you can sort the trace files by their last modified time. For example, ls -ltr /var/okv/log/hsm
lists the most recently modified trace files at the bottom of the list.
Parent topic: General Troubleshooting
4.1.2 HSM Alert
Oracle Key Vault provides an alert mechanism that periodically monitors the HSM configuration to check for Root of Trust key availability and file health.
When an Oracle Key Vault server is HSM-enabled, Oracle Key Vault contacts the HSM every five minutes (or whatever you have set the monitoring interval to on the Configure Alerts page) to ensure that the Root of Trust key is available and the TDE wallet password can be decrypted. When a problem in the HSM configuration arises (for example, the HSM cannot be reached or if there are conflicting keys in the HSM with the same ID), then the up arrow on the Hardware Security Module page (accessed by selecting the System tab, then Settings, then in the Network Services area, clicking HSM) switches to a down arrow and an alert is raised. The down arrow signifies that the HSM is not configured or the HSM configuration has a problem. When an alert has been raised, the following error message appears: HSM configuration error. Please refer to the HSM Alert section in the Oracle Key Vault Root of Trust HSM Configuration Guide
.
If this alert appears, then follow these steps:
- Log in as root as follows:
$ ssh support@okv_instance_ip_address support$ su - root
- Back up the SSO wallet. For example:
root# cp /mnt/okvram/cwallet.sso /var/lib/oracle/cwallet_hsm_backup.sso
- Diagnose the source of the alert.
The following
verify
command should show why the alert was raised. Thels -ltrh
command shows the most recent log file at the bottom of the output.root# su - oracle oracle$ /usr/local/okv/hsm/bin/hsmclient verify oracle$ cd /var/okv/log/hsm oracle$ ls -ltrh
- If you cannot resolve this problem, then contact Oracle Support.
Parent topic: General Troubleshooting
4.1.3 Could Not Get Slot for HSM Error
The Could Not Get Slot for HSM
error indicates that Oracle Key Vault could not get a slot from the HSM.
Consult the most recent trace files for more details. Possible causes include providing an invalid or nonexistent token label and the HSM failing to return a list of slots.
Parent topic: General Troubleshooting
4.1.4 Could Not Load PKCS#11 Library Error
The Could Not Load PKCS#11 Library
error indicates that Oracle Key Vault could not load the PKCS#11 library.
Possible reasons for this error could be due to file permission issues or failing to properly deploy the HSM client software on Oracle Key Vault. More details can be found in recent trace files. Oracle looks for the PKCS#11 library at the following locations, depending on the vendor:
- For Thales,
/usr/safenet/lunaclient/lib/libCryptoki2_64.so
- For Entrust,
/opt/nfast/toolkits/pkcs11/libcknfast.so
- For Utimaco,
/opt/utimaco/lib/libcs_pkcs11_R2.so
Parent topic: General Troubleshooting
4.1.5 Oracle Key Vault Management Console Does Not Start After Restarting HSM-Enabled Oracle Key Vault Server
The Oracle Key Vault management console may not appear after you restart the HSM-enabled Oracle Key Vault server.
If this happens, then log into the Oracle Key Vault server using SSH as user support
and try manually opening the wallet as follows:
$ ssh support@okv_instance_ip_address
support$ su root
root# su oracle
oracle$ cd /usr/local/okv/hsm/bin
oracle$ ./hsmclient open_wallet
If the open_wallet
command succeeds, the database will open and the management console will appear, unless there is another non-HSM problem. If the command does not succeed, then check the recent log files under /var/okv/log/hsm
and check for vendor-specific instructions.
Parent topic: General Troubleshooting
4.1.6 Primary-Standby Errors
The okv_security.conf
file contains settings that can help you diagnose primary-standby errors.
-
Check that the files have been transported to the standby server.
Execute the command
ls -l
as root on the standby server:root# ls -l /usr/local/okv/hsm/wallet -rw------- 1 oracle oinstall 324 May 16 22:57 cwallet.sso -rw------- 1 oracle oinstall 176 May 16 22:57 enctdepwd root# ls -l /usr/local/okv/hsm/restore -rw------- 1 oracle oinstall 320 May 16 22:57 ewallet.p12
You should see
cwallet.sso
andenctdepwd in
the/usr/local/okv/hsm/wallet
directory andewallet.p12
in the/usr/local/okv/hsm/restore
directory. -
Check that the mode is set to HSM on the standby server:
Open the file
okv_security.conf
asroot
on the standby server:root# cat /usr/local/okv/etc/okv_security.conf Look for the line: HSM_ENABLED="1"
You should see the number within double quotes.
-
Check the vendor-specific instructions.
Parent topic: General Troubleshooting
4.1.7 Errors from HSM-Enabled Oracle Key Vault Backups
You can use the cwallet.sso
file to diagnose HSM-enabled Oracle Key Vault backup errors.
You should check that the pre_restore
command has been run on the target as follows:
Execute the command ls -l
as root
on the Oracle Key Vault server to which you are restoring the backup:
root# ls -l /usr/local/okv/hsm/wallet
-rw------- 1 oracle oinstall 324 May 16 22:57 cwallet.sso
You should see the wallet file cwallet.sso
, which indicates that the credential has successfully been set and stored on Oracle Key Vault.
You should also check that you have followed the instructions from the HSM vendor. In addition, check the most recent log files generated by the recent backup restore, which are in the /var/okv/log/db
directory.
Parent topic: General Troubleshooting
4.1.8 Restoration of a Backed Up HSM-Enabled Oracle Key Vault Server
Before you restore a backup that was taken on an HSM-enabled Oracle Key Vault server, ensure that you have set the same HSM credential and token label that were used when the backup was taken.
The HSM credential for Thales is the Thales partition password. For Entrust, the credential is the password that is associated with the Operator Card Set or Softcard. For Utimaco, the credential is the PIN that was initialized when the token was configured.
When using the Set Credential operation, if you enter an incorrect credential or token label, or if Oracle Key Vault is unable to connect to the HSM, then the operation will not succeed and the credential, token label, and vendor provided will not be stored. Ensure that Oracle Key Vault has been enrolled as a client of the HSM and then ensure that the correct credential and token label are entered such that Oracle Key Vault will be able to access the same Root of Trust key that was in use when the backup was taken.
For more information about enrolling Oracle Key Vault as a client of the HSM, see Enrolling Oracle Key Vault as a Client of the HSM.
Parent topic: General Troubleshooting
4.2 Vendor Specific Notes for Thales
Oracle Key Vault supports integration with Thales (formerly Safenet Luna) NetworkHSM version 7000, but does not support Host Trust Link (HTL) for Thales HSM.
- Installing the HSM Client Software on the Oracle Key Vault Server for Thales
You must use the Luna Universal Client version 6.2.2 for Linux x64 for the installation when integrating Oracle Key Vault with Thales. If you must use a different client version, consult your vendor and use the infrastructure provided to integrate Oracle Key Vault with other HSMs. - HSM Credential for Thales
The HSM credential is the Thales partition password. - Token Label for Thales
The token label for Thales is the name of the partition. - Enrolling Oracle Key Vault as a Client of a Thales HSM
To perform the enrollment, you use the Oracle Key Vault management console and the command-line interface. - HSM Provider Value for Thales
For Thales, the provider value is 1. - HSM Vendor Specific Checks for Thales
You should check the Thales vendor-specific settings.
Parent topic: Oracle Key Vault HSM Support Guidance
4.2.1 Installing the HSM Client Software on the Oracle Key Vault Server for Thales
You must use the Luna Universal Client version 6.2.2 for Linux x64 for the installation when integrating Oracle Key Vault with Thales. If you must use a different client version, consult your vendor and use the infrastructure provided to integrate Oracle Key Vault with other HSMs.
Parent topic: Vendor Specific Notes for Thales
4.2.2 HSM Credential for Thales
The HSM credential is the Thales partition password.
If you are using Thales as your HSM, then you can use the Thales assignPassword
command to assign a password for a partition. However, do not do this when a partition is currently in use by an Oracle Key Vault server, because Oracle Key Vault will no longer be able to access the Root of Trust key as its stored credential will no longer be correct.
Parent topic: Vendor Specific Notes for Thales
4.2.3 Token Label for Thales
The token label for Thales is the name of the partition.
Parent topic: Vendor Specific Notes for Thales
4.2.4 Enrolling Oracle Key Vault as a Client of a Thales HSM
To perform the enrollment, you use the Oracle Key Vault management console and the command-line interface.
Parent topic: Vendor Specific Notes for Thales
4.2.5 HSM Provider Value for Thales
For Thales, the provider value is 1.
If you are setting this value manually for a primary-standby configuration, then set HSM_PROVIDER="1"
in the okv_security.conf
file. For more information about enabling HSM in a primary-standby deployment, see Enabling HSM in a High Availability Deployment.
Parent topic: Vendor Specific Notes for Thales
4.2.6 HSM Vendor Specific Checks for Thales
You should check the Thales vendor-specific settings.
Parent topic: Vendor Specific Notes for Thales
4.3 Vendor Specific Notes for Entrust
You can integrate Oracle Key Vault release 12.2 BP 3 and later with the HSM from Entrust nShield Connect + and XC models.
- Installing the HSM Client Software on the Oracle Key Vault Server for Entrust
The Entrust HSM requires a separate non-HSM computer on the network to use as the remote file system. - HSM Credential for Entrust
The HSM credential for Entrust is the password that is associated with the Operator Card Set or Softcard. - Token Label for Entrust
The token label for Entrust is the name of the Operator Card Set or Softcard. - Enrolling Oracle Key Vault as a Client of an Entrust HSM
You use both the Entrust user interface and the command line to enroll Oracle Key Vault as a client of an Entrust HSM. - HSM Provider Value for Entrust
For Entrust, the provider value is 2.
Parent topic: Oracle Key Vault HSM Support Guidance
4.3.1 Installing the HSM Client Software on the Oracle Key Vault Server for Entrust
The Entrust HSM requires a separate non-HSM computer on the network to use as the remote file system.
Parent topic: Vendor Specific Notes for Entrust
4.3.2 HSM Credential for Entrust
The HSM credential for Entrust is the password that is associated with the Operator Card Set or Softcard.
The HSM-credential if they use an Operator Card Set is the Operator Card Set password. If they use a Softcard, then the password is the Softcard password.
Parent topic: Vendor Specific Notes for Entrust
4.3.3 Token Label for Entrust
The token label for Entrust is the name of the Operator Card Set or Softcard.
Parent topic: Vendor Specific Notes for Entrust
4.3.4 Enrolling Oracle Key Vault as a Client of an Entrust HSM
You use both the Entrust user interface and the command line to enroll Oracle Key Vault as a client of an Entrust HSM.
Parent topic: Vendor Specific Notes for Entrust
4.3.5 HSM Provider Value for Entrust
For Entrust, the provider value is 2.
If you are setting this value manually for the primary-standby, then set HSM_PROVIDER="2"
. For more information about enabling HSM in a primary-standby deployment, see Enabling HSM in a High Availability Deployment.
Parent topic: Vendor Specific Notes for Entrust
4.4 Vendor Specific Notes for Utimaco
Oracle Key Vault supports Oracle Key Vault integration with Utimaco SecurityServer 4.31.1.
- Installing the HSM Client Software on the Oracle Key Vault Server for Utimaco
The setup files for Utimaco are provided in theSecurityServerEvaluation-V4.31.1.0.zip
file from Utimaco. - HSM Credential for Utimaco
The HSM credential for Utimaco is the PIN that was initialized when the token was configured. - Token Label for Utimaco
The token label for Utimaco is the name of the token that was set up for the HSM. - HSM Provider Value for Utimaco
For Utimaco, the provider value is 3. - HSM Vendor Specific Checks for Utimaco
You should check the Utimaco vendor-specific settings.
Parent topic: Oracle Key Vault HSM Support Guidance
4.4.1 Installing the HSM Client Software on the Oracle Key Vault Server for Utimaco
The setup files for Utimaco are provided in the SecurityServerEvaluation-V4.31.1.0.zip
file from Utimaco.
Parent topic: Vendor Specific Notes for Utimaco
4.4.2 HSM Credential for Utimaco
The HSM credential for Utimaco is the PIN that was initialized when the token was configured.
See the Utimaco documentation for more details.
Parent topic: Vendor Specific Notes for Utimaco
4.4.3 Token Label for Utimaco
The token label for Utimaco is the name of the token that was set up for the HSM.
Parent topic: Vendor Specific Notes for Utimaco
4.4.4 HSM Provider Value for Utimaco
For Utimaco, the provider value is 3.
If you are setting this value manually for primary-standby, set HSM_PROVIDER="3"
in the okv_security.conf
file. For more information about enabling HSM in a primary-standby deployment, see Enabling HSM in a High Availability Deployment.
Parent topic: Vendor Specific Notes for Utimaco
4.4.5 HSM Vendor Specific Checks for Utimaco
You should check the Utimaco vendor-specific settings.
p11tool2 GetSlotInfo
and csadm ListUsers
commands, you can also check to see that a key was created after completing the HSM Initialize operation. Note that more keys may be created after subsequent HSM initialize commands.root# /opt/utimaco/bin/p11tool2 LoginUser=HSM_Credential ListObjects
The output should look similar to the following output:CKO_DATA:
+ 1.1
CKA_LABEL = OKV 18.1 HSM Key Number
CKO_SECRET_KEY:
+ 2.1
CKA_KEY_TYPE = CKK_AES
CKA_SENSITIVE = CK_TRUE
CKA_EXTRACTABLE = CK_FALSE
CKA_LABEL = OKV 18.1 HSM Root Key
CKA_ID = 0x00000001 ()
Parent topic: Vendor Specific Notes for Utimaco
4.5 Vendor Specific Notes for Other HSMs
For HSMs other than Thales Luna Network HSM version 7000, Entrust nShield Connect + and XC models, or Utimaco’s SecurityServer 4.31.1, Oracle Key Vault supports an integration with HSM vendors that meet the Oracle Key Vault requirements.
- About Vendor Specific Notes for Other HSMs
Oracle Key Vault provides a set of configuration files and upgrade scripts that you can use to enable Oracle Key Vault to use HSMs other than Thales Luna Network HSM version 7000, Entrust nShield Connect + and XC models, or Utimaco’s SecurityServer 4.31.1. - Installing the HSM Client Software on the Oracle Key Vault Server for Other Vendors
The vendor that you are working with should provide instructions for installing the HSM client software. - Configuring the okv_hsm.conf Parameters
The Oracle Key Vault configuration fileokv_hsm.conf
defines information such as the vendor name and the location of the PKCS#11 library file. - Configuring the okv_hsm_env Environment File
The Oracle Key Vault environment fileokv_hsm_env
specifies environment variables that Oracle Key Vault needs when it uses the PKCS#11 library. - Configuring the okv_hsm_mid_upgrade Script
The Oracle Key Vault scriptokv_hsm_mid_upgrade
can help to recreate information such as operating system user accounts, operating system user groups, or services. - Executing Pre- or Post-Upgrade Validation Scripts
If the vendor has provided pre- or post-upgrade scripts, then you can run them before and after the upgrade process to ensure that the HSM configuration is correct.
Parent topic: Oracle Key Vault HSM Support Guidance
4.5.1 About Vendor Specific Notes for Other HSMs
Oracle Key Vault provides a set of configuration files and upgrade scripts that you can use to enable Oracle Key Vault to use HSMs other than Thales Luna Network HSM version 7000, Entrust nShield Connect + and XC models, or Utimaco’s SecurityServer 4.31.1.
If your site requires that you use a different HSM vendor, then you can perform your own integration of their HSM with your Oracle Key Vault installation. To perform this integration, you will need to work with the vendor whose HSM you want to integrate with Oracle Key Vault. In general, you will perform the following steps:
- Install the HSM client software onto your Oracle Key Vault server using the instructions that the HSM vendor provides.
- Configure parameters in the
okv_hsm.conf
file to define information such as the vendor name and the location of the vendor's PKCS#11 library file. - If the HSM vendor requires special environment variables, then configure them in the
okv_hsm_env
environment file. - Configure the
okv_hsm_mid_upgrade
script, which helps to recreate information such as OS user accounts, OS user groups, or services that may be lost during the installation process. - Execute any pre- or post-upgrade validation scripts the vendor may have provided.
The vendor will need to do the following:
- Meet the requirements for enabling their HSM to be integrated with Oracle Key Vault.
- Provide documentation for configuring any of the parameters, environment variables, upgrade scripts, or pre- and post-upgrade scripts the Oracle Key Vault administrator will need, including updating this documentation for subsequent releases.
- Confirm the success of the integration (that is, with the standalone, multi-master cluster, and primary-standby environments) with the procedures that are provided in this guide.
- Validate the HSM as a RoT for Oracle Key Vault with the standalone, multi-master cluster, and primary-standby environments.
Parent topic: Vendor Specific Notes for Other HSMs
4.5.2 Installing the HSM Client Software on the Oracle Key Vault Server for Other Vendors
The vendor that you are working with should provide instructions for installing the HSM client software.
Parent topic: Vendor Specific Notes for Other HSMs
4.5.3 Configuring the okv_hsm.conf Parameters
The Oracle Key Vault configuration file okv_hsm.conf
defines information such as the vendor name and the location of the PKCS#11 library file.
- Ensure that the vendor has documented the correct way to configure the
okv_hsm.conf
file. - Follow the vendor's instructions for configuring the
okv_hsm.conf
file.
Related Topics
Parent topic: Vendor Specific Notes for Other HSMs
4.5.4 Configuring the okv_hsm_env Environment File
The Oracle Key Vault environment file okv_hsm_env
specifies environment variables that Oracle Key Vault needs when it uses the PKCS#11 library.
- Ensure that the vendor has documented the correct way to configure the
okv_hsm_env
file. - Follow the vendor's instructions for configuring the
okv_hsm_env
file.
Related Topics
Parent topic: Vendor Specific Notes for Other HSMs
4.5.5 Configuring the okv_hsm_mid_upgrade Script
The Oracle Key Vault script okv_hsm_mid_upgrade
can help to recreate information such as operating system user accounts, operating system user groups, or services.
- Ensure that the vendor has documented the correct way to configure the
okv_hsm_mid_upgrade
file. - Modify the
okv_hsm_mid_upgrade
script (located in the/usr/local/okv/hsm/generic/
directory) to include information such as operating system users, operating system user groups, and services that Oracle Key Vault will need for the next time an upgrade takes place.
Related Topics
Parent topic: Vendor Specific Notes for Other HSMs
4.5.6 Executing Pre- or Post-Upgrade Validation Scripts
If the vendor has provided pre- or post-upgrade scripts, then you can run them before and after the upgrade process to ensure that the HSM configuration is correct.
- Ensure that the vendor has documented the correct way to configure the pre- or post-upgrade scripts.
- Store these scripts in the
/opt
directory. - Execute the scripts as necessary.
Related Topics
Parent topic: Vendor Specific Notes for Other HSMs