Changes in This Release for Oracle Key Vault

This Oracle Key Vault release introduces new features that enhance the use of Oracle Key Vault in a large enterprise.

Changes for Oracle Key Vault Release 21.4

Oracle Key Vault release 21.4 introduces several new features that affect this guide.

RESTful Services Utility Commands to Support the Extractable Attribute for Symmetric Encryption Keys

Starting in Oracle Key Vault release 21.4, you can strengthen the protection of symmetric keys by setting the extractable attribute, which restricts these keys from leaving Oracle Key Vault.

The following commands have been updated to accommodate this enhancement:

  • okv managed-object attribute get
  • okv managed-object attribute get-all
  • okv managed-object attribute list
  • okv managed-object attribute modify
  • okv managed-object key create
  • okv managed-object key register
  • okv managed-object object locate

Support for Cryptographic Operations in RESTful Services Utility

Oracle Key Vault release 21.4 adds support for performing cryptographic operations within Oracle Key Vault.

You can use either RESTful services utility commands or the C and Java SDKs to perform encryption and decryption operations.

This enhancement accommodates the use of symmetric keys that have been configured to not be extracted from Oracle Key Vault.

The new commands are as follows:

  • okv crypto data decrypt
  • okv crypto data encrypt

Support for Policy Based Automatic Purging of Old Oracle Key Vault Backups in RESTful Services Utility

Starting in Oracle Key Vault release 21.4, you can create a policy to schedule the removal of one or more remote backups.

The following commands have been updated:

  • okv backup destination create
  • okv backup destination update

The following commands are new:

  • okv backup destination delete-backup
  • okv backup destination-policy create
  • okv backup destination-policy delete
  • okv backup destination-policy get
  • okv backup destination-policy list
  • okv backup destination-policy list-purged-backups
  • okv backup destination-policy update
  • okv backup destination resume-policy
  • okv backup destination suspend-policy

Enhancements to Endpoint, Endpoint Group, and Wallet-Related RESTful Services Utility Commands

Starting in Oracle Key Vault release 21.4, additional commands are available to enable you to perform more operations with endpoints, endpoint groups, and wallets.

The new commands are as follows:

  • okv admin endpoint get
  • okv admin endpoint list
  • okv admin endpoint list-objects
  • okv admin endpoint resume
  • okv admin endpoint suspend
  • okv manage-access endpoint-group get
  • okv manage-access endpoint-group list
  • okv manage-access wallet add-object
  • okv manage-access wallet get
  • okv manage-access wallet list
  • okv manage-access wallet list-objects
  • okv manage-access wallet remove-object

The commands to list objects for an endpoint (okv admin endpoint list-objects) and a wallet (okv manage-access wallet list-objects) provide an option to show or hide the wallet membership of the objects. Omitting the wallet membership information of objects can improve the command's performance.

Support Endpoint Configuration Using the RESTful Services Utility

Starting in Oracle Key Vault release 21.4, you can update the endpoint configuration parameters and the endpoint settings for keys and secrets of an endpoint by using the RESTful services utility command okv admin endpoint update.

The endpoint configuration parameters include various PKCS#11 settings. The endpoint settings for keys and secrets include the extractable attribute setting for new symmetric keys.

RESTful Commands to Set Date and Time Accommodate ISO 8601 Standard

Starting in Oracle Key Vault release 21.4, duration (time interval) settings follow the ISO 8601 standard, and the fixed format for date and time settings is compatible with ISO 8601 when you use RESTful commands.

You can specify the following formats:

  • duration (follows the ISO 8601 standard)
  • timestamp (is in a format that is compatible with the ISO 8601 standard)
  • now (represents the current time when a command is run)

You can use these formats in the following combinations:

  • timestamp
  • now
  • timestamp + duration
  • now + duration

The timestamp format that has been used in previous releases is still supported.

The following commands have been updated for this enhancement:

  • okv backup schedule create
  • okv backup schedule update
  • okv managed-object attribute add
  • okv managed-object attribute delete
  • okv managed-object attribute modify
  • okv managed-object certificate-request register
  • okv managed-object key register
  • okv managed-object object locate
  • okv managed-object opaque register
  • okv managed-object private-key register
  • okv managed-object public-key register
  • okv managed-object secret register
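
The four combinations above, worked through as an added Python example (not Oracle's code and not part of the original guide): it resolves each form to an absolute UTC time and checks that a deactivation time falls after the activation time before the values are used for a key. The spelling `now + P30D`, the function names, and treating a timestamp without an offset as UTC are assumptions for illustration; the exact syntax that okv accepts is not shown on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 duration restricted to weeks, days and time parts. Years and months
# are rejected because their length depends on the calendar.
_DURATION = re.compile(
    r"^P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

def parse_duration(text):
    m = _DURATION.match(text)
    if not m or not any(m.groupdict().values()) or text.endswith("T"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    return timedelta(**{k: int(v) for k, v in m.groupdict().items() if v})

def resolve(expr, now=None):
    """Resolve 'timestamp', 'now', 'timestamp + duration' or 'now + duration'."""
    now = now or datetime.now(timezone.utc)
    # Assumed separator: " + " with spaces, so a "+00:00" offset is not split.
    base, sep, dur = (part.strip() for part in expr.partition(" + "))
    if base == "now":
        start = now
    else:
        start = datetime.fromisoformat(base)
        if start.tzinfo is None:  # assumption: a timestamp without offset is UTC
            start = start.replace(tzinfo=timezone.utc)
    return start + parse_duration(dur) if sep else start

def key_lifetime(activation, deactivation, now=None):
    """Return the active window, rejecting a deactivation at or before activation."""
    now = now or datetime.now(timezone.utc)  # one clock reading for both values
    start, end = resolve(activation, now), resolve(deactivation, now)
    if end <= start:
        raise ValueError(f"deactivation {end} is not after activation {start}")
    return end - start

if __name__ == "__main__":
    print(key_lifetime("now", "now + P90D"))
```

Resolving both values against a single clock reading keeps `now` and `now + duration` consistent with each other within one check.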

Support for Command Line Help for the RESTful Services Utility

Starting in Oracle Key Vault release 21.4, command-line help is available for the RESTful services utility commands.

This enhancement enables you to find detailed help information about the categories, resources, and actions that are supported for all Oracle Key Vault RESTful services utility commands. The help information shows the command's syntax and the definitions of the available categories, resources, and actions, as well as the configuration parameters that are applicable to all the commands.

Changes for Oracle Key Vault Release 21.3

Oracle Key Vault release 21.3 introduces one new feature that affects this guide.

Enhancements for RESTful Services Utility Commands Used for Registration

In Oracle Key Vault release 21.3, the RESTful services utility commands that are used for the registration of managed objects have additional attributes.

The affected commands are as follows:

  • okv managed-object certificate register
  • okv managed-object certificate-request register
  • okv managed-object key register
  • okv managed-object opaque register
  • okv managed-object private-key register
  • okv managed-object public-key register
  • okv managed-object secret register

In previous releases, these commands provided two attributes, name and contactInfo. In this release, in addition to these two attributes, the following new attributes are included:

  • activationDate
  • deactivationDate
  • processStartDate
  • protectStopDate
