3 Administration Commands
You can use the administration commands to manage client wallets and endpoints.
- Client Wallet Management Commands
  You can use the client wallet management commands to manage client wallets that store user credentials.
- Endpoint Management Commands
  The endpoint management commands enable you to perform endpoint-related tasks such as creating or provisioning endpoints.
3.1 Client Wallet Management Commands
You can use the client wallet management commands to manage client wallets that store user credentials.
- okv admin client-wallet add Command
  The okv admin client-wallet add command adds the user's credentials to the client wallet. Oracle Key Vault creates the client wallets ewallet.p12 and cwallet.sso if they do not exist.
- okv admin client-wallet delete Command
  The okv admin client-wallet delete command deletes a user's credentials from a client wallet.
- okv admin client-wallet list Command
  The okv admin client-wallet list command lists the users whose credentials are stored in the client wallet.
- okv admin client-wallet update Command
  The okv admin client-wallet update command updates the user's password in the client wallet.
3.1.1 okv admin client-wallet add Command
The okv admin client-wallet add command adds the user's credentials to the client wallet. Oracle Key Vault creates the client wallets ewallet.p12 and cwallet.sso if they do not exist.
Required Authorization
None
Syntax
okv admin client-wallet add --client-wallet client_wallet_location --wallet-user user_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "add", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Location of the client wallet (that is, the directory where client wallet is created) |
| Required | User name |
JSON Example
- Generate JSON input for the okv admin client-wallet add command.
  okv admin client-wallet add --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "add", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
- Save the generated input to a file (for example, client_wallet_add.json) and then edit it so that you can specify the client wallet location and the user whose password you want to add to the wallet.
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "add", "options" : { "clientWallet" : "/home/oracle/okv_client_wallet", "walletUser" : "psmith" } } }
- Run the okv admin client-wallet add command using the generated JSON file.
  okv admin client-wallet add --from-json client_wallet_add.json
  When prompted, enter the password for the user. After you enter the password, output similar to the following appears:
  Password: password
  { "result" : "Success" }
3.1.2 okv admin client-wallet delete Command
The okv admin client-wallet delete command deletes a user's credentials from a client wallet.
Required Authorization
Read-write permissions on the client wallet
Syntax
okv admin client-wallet delete --client-wallet client_wallet_location --wallet-user wallet_user_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "delete", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Location of the client wallet (that is, the directory where client wallet is created) |
| Required | User name |
JSON Example
- Generate JSON input for the okv admin client-wallet delete command.
  okv admin client-wallet delete --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "delete", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
- Save the generated input to a file (for example, client_wallet_delete.json) and then edit it so that you can specify the name of the user to remove from the wallet and the client wallet location.
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "delete", "options" : { "clientWallet" : "/home/oracle/okv_client_wallet", "walletUser" : "psmith" } } }
- Run the okv admin client-wallet delete command using the generated JSON file.
  okv admin client-wallet delete --from-json client_wallet_delete.json
  Output similar to the following appears:
  { "result" : "Success" }
3.1.3 okv admin client-wallet list Command
The okv admin client-wallet list command lists the users whose credentials are stored in the client wallet.
Required Authorization
Read file permissions on the client wallet
Syntax
okv admin client-wallet list --client-wallet client_wallet_location
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "list", "options" : { "clientWallet" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Location of the client wallet (that is, the directory where client wallet is created) |
JSON Example
- Generate JSON input for the okv admin client-wallet list command.
  okv admin client-wallet list --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "list", "options" : { "clientWallet" : "#VALUE" } } }
- Save the generated input to a file (for example, client_wallet_list.json) and then modify it to include the client wallet location.
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "list", "options" : { "clientWallet" : "/home/oracle/okv_client_wallet" } } }
- Run the okv admin client-wallet list command using the generated JSON file.
  okv admin client-wallet list --from-json client_wallet_list.json
  Output similar to the following appears:
  { "result" : "Success", "value" : { "walletUsers" : [ "psmith", "psmith" ] } }
3.1.4 okv admin client-wallet update Command
The okv admin client-wallet update command updates the user's password in the client wallet.
Required Authorization
Read-write file permissions on the wallet
Syntax
okv admin client-wallet update --client-wallet client_wallet_location --wallet-user user_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "update", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
Parameters
Parameter | Required? | Description |
---|---|---|
| Required | Location of the client wallet (that is, the directory where client wallet is created) |
| Required | User name |
JSON Example
- Generate JSON input for the okv admin client-wallet update command.
  okv admin client-wallet update --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "update", "options" : { "clientWallet" : "#VALUE", "walletUser" : "#VALUE" } } }
- Save the generated input to a file (for example, client_wallet_update.json) and then edit it so that you can specify the user whose password you want to update in the wallet and the client wallet location.
  { "service" : { "category" : "admin", "resource" : "client-wallet", "action" : "update", "options" : { "clientWallet" : "/home/oracle/okv_client_wallet", "walletUser" : "psmith" } } }
- Run the okv admin client-wallet update command using the generated JSON file.
  okv admin client-wallet update --from-json client_wallet_update.json
  When prompted, enter the password for the user. After you enter the password, output similar to the following appears:
  Password: password
  { "result" : "Success" }
3.2 Endpoint Management Commands
The endpoint management commands enable you to perform endpoint-related tasks such as creating or provisioning endpoints.
- okv admin endpoint check-status Command
  The okv admin endpoint check-status command displays the current state of an endpoint. The state will be either ACTIVE or PENDING.
- okv admin endpoint create Command
  The okv admin endpoint create command adds a new endpoint to Oracle Key Vault.
- okv admin endpoint delete Command
  The okv admin endpoint delete command removes an endpoint from Oracle Key Vault.
- okv admin endpoint download Command
  The okv admin endpoint download command downloads the endpoint software (okvclient.jar) to the specified directory.
- okv admin endpoint get Command
  The okv admin endpoint get command retrieves detailed information for an endpoint, such as its endpoint group and associated wallets.
- okv admin endpoint get-enrollment-token Command
  The okv admin endpoint get-enrollment-token command retrieves an enrollment token for a registered endpoint.
- okv admin endpoint list Command
  The okv admin endpoint list command lists the endpoints along with their associated information such as creation time, certificate expiry, and default wallet.
- okv admin endpoint list-objects Command
  The okv admin endpoint list-objects command lists security objects that are associated with a specified endpoint.
- okv admin endpoint provision Command
  The okv admin endpoint provision command downloads and installs the endpoint software in the specified directory.
- okv admin endpoint re-enroll Command
  The okv admin endpoint re-enroll command re-enrolls a previously enrolled endpoint.
- okv admin endpoint re-enroll-all Command
  The okv admin endpoint re-enroll-all command re-enrolls all previously enrolled endpoints.
- okv admin endpoint resume Command
  The okv admin endpoint resume command resumes a suspended endpoint.
- okv admin endpoint suspend Command
  The okv admin endpoint suspend command suspends an endpoint.
- okv admin endpoint update Command
  The okv admin endpoint update command updates the settings of an endpoint.
3.2.1 okv admin endpoint check-status Command
The okv admin endpoint check-status command displays the current state of an endpoint. The state will be either ACTIVE or PENDING.
This command is meant primarily for multi-master cluster environments. However, it is still valid for other deployments and can be used to check the existence of an endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint check-status --endpoint endpoint_name|--locator-id UUID
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "check-status", "options" : { "endpoint" : "#VALUE", "locatorID" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Optional | The name of the endpoint or the locator ID (universally unique ID (UUID)) of the endpoint that you want to check. The You must specify either the To find existing endpoints, run the To find the locator ID, check the output of the |
JSON Example
- Generate a JSON input template for the okv admin endpoint check-status command.
  okv admin endpoint check-status --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "check-status", "options" : { "endpoint" : "#VALUE", "locatorID" : "#VALUE" } } }
- Save the generated input to a file (for example, check-status_ep.json) and then edit it so that you can check the endpoint. Specify either the endpoint value or the locatorID value, but not both.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "check-status", "options" : { "locatorID" : "1AC9B321-6540-4F2B-809B-95FD7416999E" } } }
- Run the okv admin endpoint check-status command using the generated JSON file.
  okv admin endpoint check-status --from-json check-status_ep.json
  Output similar to the following appears:
  { "result" : "Success", "value" : { "status" : "ACTIVE", "endpoint" : "HR_DB_EP" } }
  The output includes the name of the endpoint if the endpoint object is in ACTIVE state. The endpoint name shown here may be different from what was specified at the endpoint creation time. If endpoints with the same name are created on multiple cluster nodes, then Oracle Key Vault performs naming conflict resolution and renames all but one of the endpoints by appending _OKVnode-id to the endpoint name. For example, if you named the endpoint hr_db_ep, and there is a naming conflict, then the name could be hr_db_ep_okv01.
  On deployments other than multi-master cluster, this command returns Success if the endpoint exists, and the output does not include entries showing the endpoint name and its state.
3.2.2 okv admin endpoint create Command
The okv admin endpoint create command adds a new endpoint to Oracle Key Vault.
After you add the endpoint, the endpoint will be in the Registered state.
Required Authorization
System Administrator role or the Create Endpoint system privilege
Syntax
okv admin endpoint create --endpoint endpoint_name --description "description" --email email_address --platform platform --type type --subgroup subgroup_value --strictIpCheck #TRUE|FALSE --unique TRUE|FALSE
JSON Input File Template
{
  "service" : {
    "category" : "admin",
    "resource" : "endpoint",
    "action" : "create",
    "options" : {
      "endpoint" : "#VALUE",
      "description" : "#VALUE",
      "email" : "#VALUE",
      "platform" : "#LINUX64|SOLARIS64|SOLARIS_SPARC|HP-UX|AIX|WINDOWS",
      "type" : "#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER",
      "subgroup" : "#VALUE|NO SUBGROUP|USE CREATOR SUBGROUP",
      "strictIpCheck" : "#TRUE|FALSE",
      "unique" : "#TRUE|FALSE"
    }
  }
}
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | The name of the endpoint that you want to add. See Naming Guidelines for Objects. To find existing endpoints, run the |
| Optional | A user-friendly description of the endpoint. If the description contains spaces, then you must enclose it within double quotation marks. |
| Optional | Email address of the endpoint administrator. Enclose this value in double quotation marks. |
| Required | The endpoint platform. Allowed values are: |
| Required | Type of the endpoint. Allowed values are: |
| Optional | For multi-master cluster environments, defines the affinity that an endpoint will have to a specific Oracle Key Vault cluster subgroup. Values are as follows: |
| Optional | Controls whether the Oracle Key Vault server checks the incoming IP address for a given endpoint. |
| Optional | In a multi-master cluster environment, creates the endpoint as a unique endpoint. In a multi-master cluster, it is possible that an endpoint with the same name could be created from two different nodes. If that happens, then endpoint names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint with the given name and rename other endpoints with the conflicting names to a name using this format: Valid settings are as follows: |
JSON Example
- Generate JSON input for the okv admin endpoint create command.
  okv admin endpoint create --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "create", "options" : { "endpoint" : "#VALUE", "description" : "#VALUE", "email" : "#VALUE", "platform" : "#LINUX64|SOLARIS64|SOLARIS_SPARC|HP-UX|AIX|WINDOWS", "type" : "#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER", "subgroup" : "#VALUE|NO SUBGROUP|USE CREATOR SUBGROUP", "strictIpCheck" : "#TRUE|FALSE", "unique" : "#TRUE|FALSE" } } }
- Save the generated input to a file (for example, create_ep.json) and then edit it so that you can create the endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "create", "options" : { "endpoint" : "hr_db_ep", "description" : "HR database endpoint", "email" : "psmith@example.com", "platform" : "LINUX64", "type" : "ORACLE_DB", "subgroup" : "USE CREATOR SUBGROUP", "strictIpCheck" : "TRUE", "unique" : "FALSE" } } }
- Run the okv admin endpoint create command using the generated JSON file.
  okv admin endpoint create --from-json create_ep.json
  Output similar to the following appears:
  { "result" : "Success", "value" : { "status" : "PENDING", "locatorID" : "1AC9B321-6540-4F2B-809B-95FD7416999E" } }
  You can use the locatorID from the above output with the okv admin endpoint check-status command to display the current state of the endpoint object. If the object status is ACTIVE, this command also displays the object name after the conflict-name resolution.
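An added example (not Oracle's code and not part of the original page): a pre-flight check that lints a filled-in JSON input file against the generated templates shown for endpoint create and endpoint check-status before the file is passed to --from-json. The names lint, TEMPLATES, REQUIRED and EXACTLY_ONE are hypothetical; rejecting any value that still begins with # and matching enumerated values case-sensitively are policies of this example, not documented okv behaviour.

```python
import json

# Option templates as `--generate-json-input` prints them on this page.
TEMPLATES = {
    ("endpoint", "create"): {
        "endpoint": "#VALUE",
        "description": "#VALUE",
        "email": "#VALUE",
        "platform": "#LINUX64|SOLARIS64|SOLARIS_SPARC|HP-UX|AIX|WINDOWS",
        "type": "#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER",
        "subgroup": "#VALUE|NO SUBGROUP|USE CREATOR SUBGROUP",
        "strictIpCheck": "#TRUE|FALSE",
        "unique": "#TRUE|FALSE",
    },
    ("endpoint", "check-status"): {"endpoint": "#VALUE", "locatorID": "#VALUE"},
}
# Options the page's parameter table marks as Required.
REQUIRED = {("endpoint", "create"): ["endpoint", "platform", "type"]}
# Option pairs of which exactly one must be set ("but not both").
EXACTLY_ONE = {("endpoint", "check-status"): [("endpoint", "locatorID")]}

# The edited create and check-status files from the page's JSON examples.
PAGE_CREATE_EXAMPLE = """{ "service" : { "category" : "admin", "resource" : "endpoint",
  "action" : "create", "options" : { "endpoint" : "hr_db_ep",
  "description" : "HR database endpoint", "email" : "psmith@example.com",
  "platform" : "LINUX64", "type" : "ORACLE_DB", "subgroup" : "USE CREATOR SUBGROUP",
  "strictIpCheck" : "TRUE", "unique" : "FALSE" } } }"""
PAGE_CHECK_STATUS_EXAMPLE = """{ "service" : { "category" : "admin", "resource" : "endpoint",
  "action" : "check-status",
  "options" : { "locatorID" : "1AC9B321-6540-4F2B-809B-95FD7416999E" } } }"""
# Constructed faulty input: wrong platform value, unedited placeholder, no type.
CONSTRUCTED_BAD_CREATE = """{ "service" : { "category" : "admin", "resource" : "endpoint",
  "action" : "create", "options" : { "endpoint" : "hr_db_ep", "platform" : "LINUX",
  "unique" : "#TRUE|FALSE" } } }"""


def allowed_values(placeholder):
    """Closed set of values a '#A|B|C' placeholder permits, or None if free-form."""
    choices = placeholder.lstrip("#").split("|")
    return None if "VALUE" in choices else set(choices)


def lint(text):
    """Return a list of problems in a filled-in JSON input document (empty if clean)."""
    try:
        service = json.loads(text)["service"]
        key = (service["resource"], service["action"])
        options = service["options"]
        template = TEMPLATES.get(key) if service.get("category") == "admin" else None
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return ["not a usable input document: %r" % (exc,)]
    if template is None or not isinstance(options, dict):
        return ["no template recorded in this example for %r" % (key,)]

    problems = []
    for name, value in options.items():
        if name not in template:
            problems.append("unknown option %r" % name)
        elif not isinstance(value, str) or value.startswith("#"):
            problems.append("option %r is an unedited placeholder or not a string: %r"
                            % (name, value))
        else:
            allowed = allowed_values(template[name])
            if allowed is not None and value not in allowed:
                problems.append("option %r must be one of %s, got %r"
                                % (name, sorted(allowed), value))
    for name in REQUIRED.get(key, []):
        if name not in options:
            problems.append("required option %r is missing" % name)
    for group in EXACTLY_ONE.get(key, []):
        present = [n for n in group if n in options]
        if len(present) != 1:
            problems.append("specify exactly one of %s, found %s"
                            % (list(group), present))
    return problems


if __name__ == "__main__":
    for label, doc in [("page create example", PAGE_CREATE_EXAMPLE),
                       ("page check-status example", PAGE_CHECK_STATUS_EXAMPLE),
                       ("constructed bad create", CONSTRUCTED_BAD_CREATE)]:
        print(label, "->", lint(doc) or "OK")
```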
3.2.3 okv admin endpoint delete Command
The okv admin endpoint delete command removes an endpoint from Oracle Key Vault.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint delete --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "delete", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Name of the endpoint. To find existing endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint delete command.
  okv admin endpoint delete --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "delete", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, delete_ep.json) and then edit it so that you can delete the endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "delete", "options" : { "endpoint" : "sales_db_ep" } } }
- Run the okv admin endpoint delete command using the generated JSON file.
  okv admin endpoint delete --from-json delete_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
3.2.4 okv admin endpoint download Command
The okv admin endpoint download command downloads the endpoint software (okvclient.jar) to the specified directory.
If you want to both download and then install the endpoint software, then use the okv admin endpoint provision command.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint download --endpoint endpoint_name --location download_location
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "download", "options" : { "endpoint" : "#VALUE", "location" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
endpoint | Required | Name of the endpoint. To find existing endpoints, run the |
| Required | Absolute path to the download directory for the endpoint software. For example, if you specify |
JSON Example
- Generate JSON input for the okv admin endpoint download command.
  okv admin endpoint download --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "download", "options" : { "endpoint" : "#VALUE", "location" : "#VALUE" } } }
- Save the generated input to a file (for example, download_ep.json) and then edit it so that you can create the endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "download", "options" : { "endpoint" : "hr_db_ep", "location": "/opt/downloads/okv" } } }
- Run the okv admin endpoint download command using the generated JSON file.
  okv admin endpoint download --from-json download_ep.json
  A successful download of the okvclient.jar file displays the following output:
  { "result" : "Success" }
3.2.5 okv admin endpoint get Command
The okv admin endpoint get command retrieves detailed information for an endpoint, such as its endpoint group and associated wallets.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint get --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Name of the endpoint. To find existing endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint get command.
  okv admin endpoint get --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, get_ep.json) and then edit it to specify an endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get", "options" : { "endpoint" : "hr_db_ep" } } }
- Run the okv admin endpoint get command using the generated JSON file.
  okv admin endpoint get --from-json get_ep.json
  Output similar to the following appears:
{ "result" : "Success", "value" : { "administratorEmail" : "", "certificateExpirationTime" : "2023-10-29 14:48:46", "creationTime" : "2021-11-02 14:48:46", "defaultWallet" : "", "description" : "", "effectiveEndpointConfiguration" : { "expirePkcs11PersistentCacheOnDatabaseShutdown" : "FALSE", "serverPollTimeout" : "PT0.3S", "pkcs11ConfigurationParameterRefreshInterval" : "PT10M", "pkcs11InMemoryCacheTimeout" : "PT1H", "pkcs11PersistentCacheRefreshTimeout" : "PT30M", "pkcs11PersistentCacheTimeout" : "PT24H", "pkcs11TraceDirectoryPath" : "/tmp" }, "effectiveEndpointSettingsForManagedObjects" : { "extractableAttribute" : { "symmetricKey" : "TRUE" } }, "endpoint" : "HR_DB_EP", "endpointConfiguration" : { "expirePkcs11PersistentCacheOnDatabaseShutdown" : "FALSE", "serverPollTimeout" : "", "pkcs11ConfigulationParameterRefreshInterval" : "", "pkcs11InMemoryCacheTimeout" : "", "pkcs11PersistentCacheRefreshTimeout" : "", "pkcs11PersistentCacheTimeout" : "", "pkcs11TraceDirectoryPath" : "" }, "endpointGroupMembership" : [ { "endpointGroup" : "EPG_HR", "description" : "" } ], "endpointSettingsForManagedObjects" : { "extractableAttribute" : { "symmetricKey" : "" } }, "platform" : "LINUX", "selfEnrolled" : "FALSE", "status" : "ENROLLED", "strictIpCheck" : "TRUE", "type" : "ORACLE DATABASE", "walletAccess" : [ { "access" : "RO", "type" : "VIA ENDPOINT GROUP", "wallet" : "HR_WALLET" } ] } }
The output under effectiveEndpointConfiguration and effectiveEndpointSettingsForManagedObjects represents the settings that are used for the endpoint configuration (hence, the use of effectiveEndpoint... in the name). They are determined based on the endpoint-specific settings and the global endpoint specific settings.
3.2.6 okv admin endpoint get-enrollment-token Command
The okv admin endpoint get-enrollment-token command retrieves an enrollment token for a registered endpoint.
The enrollment token is a one-time token that is generated during the endpoint creation (registration). Oracle Key Vault uses this token to download the software and install the endpoint. The okv admin endpoint get-enrollment-token command is useful for the cases where the endpoint administrator (and not the Oracle Key Vault administrator) must download and provision the endpoint. These endpoint administrators, who generally are not Oracle Key Vault users, use the Oracle Key Vault management console to download the endpoint software by providing the token. The okv admin endpoint get-enrollment-token command enables the Oracle Key Vault administrator to retrieve the token using the RESTful services utility, and then pass it securely to an endpoint administrator through an out-of-band channel (for example, email).
This command will work only for endpoints that are in the Registered state.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint get-enrollment-token --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get-enrollment-token", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Required | Name of the registered endpoint. To find existing endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint get-enrollment-token command.
  okv admin endpoint get-enrollment-token --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get-enrollment-token", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, get_token.json) and then edit it so that you can get the enrollment token.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "get-enrollment-token", "options" : { "endpoint" : "hr_db_ep" } } }
- Run the okv admin endpoint get-enrollment-token command using the generated JSON file.
  okv admin endpoint get-enrollment-token --from-json get_token.json
  Output similar to the following appears:
  { "result" : "Success", "value" : { "token" : "Si71duR2mGQ8naSZ" } }
3.2.7 okv admin endpoint list Command
The okv admin endpoint list command lists the endpoints along with their associated information such as creation time, certificate expiry, and default wallet.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint list --limit number_of_endpoints
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list", "options" : { "limit" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Optional | Number of endpoint objects to list. Enter any whole number from |
JSON Example
- Generate a JSON input template for the okv admin endpoint list command.
  okv admin endpoint list --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list", "options" : { "limit" : "#VALUE" } } }
- Save the generated input to a file (for example, list_ep.json) and then edit it to specify the number of objects to fetch.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list", "options" : { "limit" : "2" } } }
- Run the okv admin endpoint list command using the generated JSON file.
  okv admin endpoint list --from-json list_ep.json
  Output similar to the following appears:
{ "result" : "Success", "value" : { "endpoints" : [ { "commonNameOfCertificateIssuer" : "CA", "createdBy" : "OKVADMIN", "creationTime" : "2021-07-13 15:26:47", "defaultWallet" : "HR_WALLET", "description" : " ", "endpoint" : "HR_DB_EP_1", "endpointCertificateExpiration" : "2023-07-13 15:26:47", "enrollmentToken" : "", "ipAddress" : "", "platform" : "LINUX", "status" : "ENROLLED", "type" : "ORACLE DATABASE" }, { "commonNameOfCertificateIssuer" : "CA", "createdBy" : "OKVADMIN", "creationTime" : "2021-06-25 19:22:36", "defaultWallet" : "", "description" : "", "endpoint" : "HR_DB_EP_2", "endpointCertificateExpiration" : "2023-06-25 19:22:36", "enrollmentToken" : "", "ipAddress" : "192.0.2.143", "platform" : "LINUX", "status" : "ENROLLED", "type" : "ORACLE DATABASE" } ], "fetchedObjectCount" : "2" } }
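An added example (not Oracle's code and not part of the original page): a small audit over the JSON that okv admin endpoint list returns, reporting endpoint certificates that are expired or close to expiry, endpoints whose status is not ENROLLED, and enrollment tokens that are still outstanding. The function name audit_endpoints, the REGISTERED status string and the third sample endpoint are constructed for illustration, and the timestamps are assumed to be in the same time zone as the now value passed in.

```python
import json
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the page's sample output

# Constructed sample: the first two entries are abridged from the page's sample
# output; the third entry (NEW_DB_EP) and its token are constructed.
SAMPLE_LIST_OUTPUT = """
{ "result" : "Success", "value" : { "endpoints" : [
  { "endpoint" : "HR_DB_EP_1", "endpointCertificateExpiration" : "2023-07-13 15:26:47",
    "enrollmentToken" : "", "ipAddress" : "", "status" : "ENROLLED" },
  { "endpoint" : "HR_DB_EP_2", "endpointCertificateExpiration" : "2023-06-25 19:22:36",
    "enrollmentToken" : "", "ipAddress" : "192.0.2.143", "status" : "ENROLLED" },
  { "endpoint" : "NEW_DB_EP", "endpointCertificateExpiration" : "",
    "enrollmentToken" : "CONSTRUCTED-TOKEN", "ipAddress" : "", "status" : "REGISTERED" }
], "fetchedObjectCount" : "3" } }
"""
SAMPLE_NOW = datetime(2023, 6, 1)  # constructed "current time" for the sample


def audit_endpoints(list_output, now, warn_days=90, limit=None):
    """Return (endpoint, finding) tuples for the output of `okv admin endpoint list`.

    limit is the value that was passed as --limit, if any; when the number of
    fetched objects reaches it, the listing may not cover every endpoint.
    """
    doc = json.loads(list_output)
    if doc.get("result") != "Success":
        raise ValueError("command did not succeed: %r" % (doc.get("result"),))
    value = doc["value"]
    endpoints = value["endpoints"]
    findings = []
    for ep in endpoints:
        name = ep["endpoint"]
        expiry_text = ep.get("endpointCertificateExpiration", "")
        if expiry_text:
            remaining = datetime.strptime(expiry_text, TIME_FORMAT) - now
            if remaining <= timedelta(0):
                findings.append((name, "certificate expired on " + expiry_text))
            elif remaining <= timedelta(days=warn_days):
                findings.append((name, "certificate expires in %d days" % remaining.days))
        if ep.get("status") != "ENROLLED":
            findings.append((name, "status is %s" % ep.get("status")))
        if ep.get("enrollmentToken"):
            # Report only that a token exists; never copy the token into a report.
            findings.append((name, "enrollment token still outstanding"))
    fetched = int(value.get("fetchedObjectCount", len(endpoints)))
    if limit is not None and fetched >= limit:
        findings.append(("*", "fetched %d endpoints with --limit %d; list may be incomplete"
                         % (fetched, limit)))
    return findings


if __name__ == "__main__":
    for endpoint, finding in audit_endpoints(SAMPLE_LIST_OUTPUT, SAMPLE_NOW, warn_days=30):
        print("%-12s %s" % (endpoint, finding))
```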
3.2.8 okv admin endpoint list-objects Command
The okv admin endpoint list-objects command lists security objects that are associated with a specified endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint list-objects --endpoint endpoint_name --limit number_of_objects --exclude-wallet-membership TRUE|FALSE
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list-objects", "options" : { "endpoint" : "#VALUE", "limit" : "#VALUE", "excludeWalletMembership" : "#TRUE|FALSE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
| Optional | Name of the endpoint. To find existing endpoints, run the |
| Optional | Number of objects to list. Enter any whole number from |
| Optional | Controls whether wallet membership is shown for each object. |
JSON Example
- Generate a JSON input template for the okv admin endpoint list-objects command.
  okv admin endpoint list-objects --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list-objects", "options" : { "endpoint" : "#VALUE", "limit" : "#VALUE" } } }
- Save the generated input to a file (for example, list-obj_ep.json) and then edit it to specify an endpoint and the number of records.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "list-objects", "options" : { "endpoint" : "sales-ep", "limit" : "8" } } }
- Run the okv admin endpoint list-objects command using the generated JSON file.
  okv admin endpoint list-objects --from-json list-obj_ep.json
  Output similar to the following appears:
{ "result" : "Success", "value" : { "fetchedObjectCount" : "8", "managedObjects" : [ { "creatingEndpoint" : "HR_DB_EP", "creationDate" : "2021-08-04 18:34:52", "deactivationDate" : "2051-10-10 10:10:10", "displayName" : "X.509 Certificate: DN EMAILADDRESS=psmith@example.com, CN=vienna, OU=Security, O=Oracle, L=Reston, ST=VA, C=US", "name" : "ps30090", "protectStopDate" : "2053-10-10 10:10:10", "state" : "PRE-ACTIVE", "type" : "CERTIFICATE", "uuid" : "847D1538-915D-4FD7-BF14-829B1A11FAF9" }, { "creatingEndpoint" : "SALES_DB_EP", "creationDate" : "2021-08-03 21:40:25", "deactivationDate" : "2029-12-25 15:11:11", "displayName" : "Symmetric Key: Name Sales Key 1", "name" : "sales_key_1", "protectStopDate" : "", "state" : "Pre-Active", "type" : "Symmetric Key", "uuid" : "670B600E-1667-4FD1-BF94-C35C4BC81E8B" }, { "creatingEndpoint" : "ORDERS_DB_EP", "creationDate" : "2021-08-03 21:21:33", "deactivationDate" : "2029-12-25 15:11:11", "displayName" : "X.509 Certificate: DN EMAILADDRESS=psmith@example.com, CN=vienna, OU=Security, O=Oracle, L=Reston, ST=VA, C=US", "name" : "orders_key_1", "protectStopDate" : "2029-12-25 15:11:11", "state" : "Pre-Active", "type" : "Certificate", "uuid" : "0C11B125-B17A-4F90-BF16-F876E5E20A21" }, { "creatingEndpoint" : "REC_DB_EP", "creationDate" : "2021-08-03 13:36:01", "deactivationDate" : "", "displayName" : "rec_key_1", "protectStopDate" : "", "state" : "Pre-Active", "type" : "Symmetric Key", "uuid" : "780608F6-0CA6-4FC5-BF46-A7B8A36074F7" }, { "creatingEndpoint" : "EMP_DB1_EP", "creationDate" : "2021-08-02 15:41:38", "deactivationDate" : "2029-12-25 15:11:11", "displayName" : "X.509 Certificate: DN EMAILADDRESS=psmith@example.com, CN=vienna, OU=Security, O=Oracle, L=Reston, ST=VA, C=US", "name" : "cert_key_1", "protectStopDate" : "2029-12-25 15:11:11", "state" : "Pre-Active", "type" : "Certificate", "uuid" : "72EA8183-98BA-4F5A-BF31-CE7256E29496" }, { "creatingEndpoint" : "EMP2_DB_EP", "creationDate" : "2021-07-26 20:19:32", 
"deactivationDate" : "2029-12-25 15:11:11", "displayName" : "X.509 Certificate: DN EMAILADDRESS=psmith@example.com, CN=vienna, OU=Security, O=Oracle, L=Reston, ST=VA, C=US", "name" : "emp_key_1", "protectStopDate" : "2029-12-25 15:11:11", "state" : "Pre-Active", "type" : "Certificate", "uuid" : "975F17DF-11C1-4F16-BFBC-28E9C200C99F" }, { "creatingEndpoint" : "EMP3_DB_EP", "creationDate" : "2021-07-23 17:22:14", "deactivationDate" : "2041-10-10 10:10:10", "displayName" : "emp_key_2", "protectStopDate" : "", "state" : "Active", "type" : "Symmetric Key", "uuid" : "330F5527-0DB2-4FD1-BF54-1FA189C8A765" }, { "creatingEndpoint" : "EMP4_DB_EP", "creationDate" : "2021-06-30 21:01:48", "deactivationDate" : "", "displayName" : "Symmetric Key: Name psc7", "name" : "emp_key_2,emp_key_3,emp_key_5,emp_key_6,emp_key_7", "protectStopDate" : "", "state" : "Active", "type" : "Symmetric Key", "uuid" : "7432AED6-6628-4F43-BF7C-9D30023A4301" } ] } }
3.2.9 okv admin endpoint provision Command
The okv admin endpoint provision command downloads and installs the endpoint software in the specified directory.
This directory should have read, write, and execute permissions for the owner and its group. For example, if the Oracle Key Vault endpoint software is installed on an Oracle Database server, then this endpoint installation directory should have read, write, and execute permissions for the oracle user and the oinstall group. This ensures that processes can access directories appropriately at run time.
- You must be a user with System Administrator role or the Manage Endpoint object privilege for the endpoint.
- You must ensure that the soft link /usr/bin/java points to $ORACLE_HOME/jdk/jre/bin/java.
- You must know how the installation process determines the location of the okvclient.ora file.
If you only want to download the endpoint software but not install it, then use the okv admin endpoint download command.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint provision --endpoint endpoint_name --location software_location --auto-login TRUE|FALSE
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "provision", "options" : { "endpoint" : "#VALUE", "location" : "#VALUE", "autoLogin" : "#TRUE|FALSE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
--endpoint / endpoint | Required | Name of the endpoint. To find existing endpoints, run the |
--location / location | Required | Path to the location where to install the endpoint software. For Transparent Data Encryption (TDE) environments, specify |
--auto-login / autoLogin | Optional | Enter one of the following values: |
JSON Example
- Generate JSON input for the okv admin endpoint provision command.
  okv admin endpoint provision --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "provision", "options" : { "endpoint" : "#VALUE", "location" : "#VALUE", "autoLogin" : "#TRUE|FALSE" } } }
- Save the generated input to a file (for example, provision_ep.json) and then edit it so that you can download and install the endpoint software.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "provision", "options" : { "endpoint" : "hr_db_ep", "location" : "/u01/opt/oracle/product/okv", "autoLogin" : "TRUE" } } }
- Run the okv admin endpoint provision command using the generated JSON file.
  okv admin endpoint provision --from-json provision_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
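A pre-flight check for the edit step in the procedure above, added here as an example and not part of Oracle's documentation or tooling: it compares an edited input file with the template that --generate-json-input printed and reports malformed JSON, placeholders left unreplaced, keys the template does not contain, and values outside a #A|B list. The function names and the BAD sample are constructed, and treating values as case-sensitive is an assumption.

```python
import json

# Template printed on this page by: okv admin endpoint provision --generate-json-input
TEMPLATE = ('{ "service" : { "category" : "admin", "resource" : "endpoint", '
            '"action" : "provision", "options" : { "endpoint" : "#VALUE", '
            '"location" : "#VALUE", "autoLogin" : "#TRUE|FALSE" } } }')
# GOOD is the page's edited provision_ep.json; BAD is constructed with three mistakes.
GOOD = ('{ "service" : { "category" : "admin", "resource" : "endpoint", '
        '"action" : "provision", "options" : { "endpoint" : "hr_db_ep", '
        '"location" : "/u01/opt/oracle/product/okv", "autoLogin" : "TRUE" } } }')
BAD = ('{ "service" : { "category" : "admin", "resource" : "endpoint", '
       '"action" : "provision", "options" : { "endpoint" : "hr_db_ep", '
       '"location" : "#VALUE", "autoLogin" : "YES", "auto-login" : "TRUE" } } }')

def _leaves(node, path=""):
    """Yield (dotted.path, value) for every non-object value in nested dicts."""
    for key, val in node.items():
        here = f"{path}.{key}" if path else key
        if isinstance(val, dict):
            yield from _leaves(val, here)
        else:
            yield here, val

def check_input(template_text, edited_text):
    """Return a list of problems in an edited --from-json input file."""
    try:
        edited = json.loads(edited_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(edited, dict):
        return ["top level must be a JSON object"]
    template = dict(_leaves(json.loads(template_text)))
    problems = []
    for path, value in _leaves(edited):
        spec = template.get(path)
        if spec is None:
            problems.append(f"{path}: key is not in the generated template")
        elif isinstance(value, str) and value.startswith("#"):
            problems.append(f"{path}: placeholder {value!r} was not replaced")
        elif not spec.startswith("#"):
            if value != spec:  # category/resource/action must stay as generated
                problems.append(f"{path}: expected {spec!r}, got {value!r}")
        elif spec != "#VALUE" and value not in spec[1:].split("|"):
            # Assumption: values must match the template's spelling and case exactly.
            problems.append(f"{path}: {value!r} is not one of {spec[1:]}")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_input(TEMPLATE, text) or "ok")
```

Pass the generated template for any other command in place of TEMPLATE to check that command's input file.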
3.2.10 okv admin endpoint re-enroll Command
The okv admin endpoint re-enroll command re-enrolls a previously enrolled endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint re-enroll --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "re-enroll", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
--endpoint / endpoint | Required | Name of the endpoint. To find existing endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint re-enroll command.
  okv admin endpoint re-enroll --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "re-enroll", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, re-enroll_ep.json) and then edit it so that you can re-enroll the endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "re-enroll", "options" : { "endpoint" : "hr_db_ep" } } }
- Run the okv admin endpoint re-enroll command using the generated JSON file.
  okv admin endpoint re-enroll --from-json re-enroll_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
3.2.11 okv admin endpoint re-enroll-all Command
The okv admin endpoint re-enroll-all command re-enrolls all previously enrolled endpoints.
Required Authorization
System Administrator role
Syntax
okv admin endpoint re-enroll-all
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "re-enroll-all" } }
Parameters
None
JSON Example
- Generate JSON input for the okv admin endpoint re-enroll-all command.
  okv admin endpoint re-enroll-all --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "re-enroll-all" } }
- Save the generated input to a file (for example, re-enroll-all_ep.json).
- Run the okv admin endpoint re-enroll-all command using the generated JSON file.
  okv admin endpoint re-enroll-all --from-json re-enroll-all_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
3.2.12 okv admin endpoint resume Command
The okv admin endpoint resume command resumes a suspended endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint resume --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "resume", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
--endpoint / endpoint | Required | Name of the suspended endpoint. To find the names of suspended endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint resume command.
  okv admin endpoint resume --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "resume", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, resume_ep.json) and then edit it to specify the suspended endpoint.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "resume", "options" : { "endpoint" : "hr_db_ep" } } }
- Run the okv admin endpoint resume command using the generated JSON file.
  okv admin endpoint resume --from-json resume_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
3.2.13 okv admin endpoint suspend Command
The okv admin endpoint suspend command suspends an endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint suspend --endpoint endpoint_name
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "suspend", "options" : { "endpoint" : "#VALUE" } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
--endpoint / endpoint | Required | Name of the endpoint. To find existing endpoints, run the |
JSON Example
- Generate JSON input for the okv admin endpoint suspend command.
  okv admin endpoint suspend --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "suspend", "options" : { "endpoint" : "#VALUE" } } }
- Save the generated input to a file (for example, suspend_ep.json) and then edit it to specify the endpoint to suspend.
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "suspend", "options" : { "endpoint" : "hr_db_ep" } } }
- Run the okv admin endpoint suspend command using the generated JSON file.
  okv admin endpoint suspend --from-json suspend_ep.json
  Output similar to the following appears:
  { "result" : "Success" }
3.2.14 okv admin endpoint update Command
The okv admin endpoint update command updates the settings of an endpoint.
Required Authorization
System Administrator role or the Manage Endpoint object privilege for the endpoint
Syntax
okv admin endpoint update --endpoint current_endpoint_name --name new_endpoint_name --description "description" --email email_address --platform platform --type type --subgroup "subgroup_value" --unique #TRUE|FALSE --strictIpCheck #TRUE|FALSE
JSON Input File Template
{ "service" : { "category" : "admin", "resource" : "endpoint", "action" : "update", "options" : { "endpoint" : "#VALUE", "name" : "#VALUE", "description" : "#VALUE", "email" : "#VALUE", "platform" : "#LINUX64|SOLARIS64|SOLARIS_SPARC|HPUX|HP-UX|AIX|AIX_53", "type" : "#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER", "subgroup" : "#VALUE", "unique" : "#TRUE|FALSE", "strict-ip-check" : "#TRUE|FALSE", "endpointConfiguration" : { "expirePkcs11PersistentCacheOnDatabaseShutdown" : "#TRUE|FALSE", "serverPollTimeout" : "#VALUE", "pkcs11ConfigurationParameterRefreshInterval" : "#VALUE", "pkcs11InMemoryCacheTimeout" : "#VALUE", "pkcs11PersistentCacheRefreshTimeout" : "#VALUE", "pkcs11PersistentCacheTimeout" : "#VALUE", "pkcs11TraceDirectoryPath" : "#VALUE" }, "endpointSettingsForManagedObjects" : { "extractableAttribute" : { "symmetricKey" : "#TRUE|FALSE" } } } } }
Parameters
Parameter/Template Parameter | Required? | Description |
---|---|---|
--endpoint / endpoint | Required | Name of the endpoint that you want to update. To find existing endpoints, run the |
--name / name | Optional | A new name for the endpoint. Ensure that you follow the naming guidelines for objects. See Naming Guidelines for Objects. |
--description / description | Optional | A user-friendly description of the endpoint. If the description contains spaces, then you must enclose it within double quotation marks. |
--email / email | Optional | Email address of the endpoint administrator. Enclose this value in double quotation marks. |
--platform / platform | Optional | The endpoint platform. Allowed values are: |
--type / type | Optional | Type of the endpoint. Allowed values are: |
--subgroup / subgroup | Optional | For multi-master cluster environments, defines the affinity that an endpoint will have to a specific Oracle Key Vault cluster subgroup. Values are as follows: |
--unique / unique | Optional | In a multi-master cluster environment, creates the endpoint as a unique endpoint. In a multi-master cluster, it is possible that an endpoint with the same name could be created from two different nodes. If that happens, then endpoint names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint with the given name and rename other endpoints with the conflicting names to a name using this format: Valid settings are as follows: |
--strictIpCheck / strict-ip-check | Optional | Controls whether the Oracle Key Vault server checks the incoming IP address for a given endpoint. |
endpointConfiguration | Optional | Each Values that you can enter are as follows: |
endpointSettingsForManagedObjects | Optional | |
JSON Example
- Generate JSON input for the okv admin endpoint update command.
  okv admin endpoint update --generate-json-input
  The generated input appears as follows:
  { "service" : { "category" : "admin", "resource" : "endpoint", "action" : "update", "options" : { "endpoint" : "#VALUE", "name" : "#VALUE", "description" : "#VALUE", "email" : "#VALUE", "platform" : "#LINUX64|SOLARIS64|SOLARIS_SPARC|HPUX|HP-UX|AIX|AIX_53", "type" : "#ORACLE_DB|ORACLE_NON_DB|ORACLE_ACFS|MYSQL_DB|OTHER", "subgroup" : "#VALUE", "unique" : "#TRUE|FALSE", "exclude-wallet-membership" : "#TRUE|FALSE", "strict-ip-check" : "#TRUE|FALSE", "endpointConfiguration" : { "expirePkcs11PersistentCacheOnDatabaseShutdown" : "#TRUE|FALSE", "pkcs11ConfigurationParameterRefreshInterval" : "#VALUE", "pkcs11InMemoryCacheTimeout" : "#VALUE", "pkcs11PersistentCacheRefreshTimeout" : "#VALUE", "pkcs11PersistentCacheTimeout" : "#VALUE", "pkcs11TraceDirectoryPath" : "#VALUE" }, "endpointSettingsForManagedObjects" : { "extractableAttribute" : { "symmetricKey" : "#TRUE|FALSE" } } } } }
- Save the generated input to a file (for example, update_ep.json) and then edit it to update the endpoint.
  { "service": { "category": "admin", "resource": "endpoint", "action": "update", "options": { "endpoint": "hr_db_ep", "description": "", "platform": "LINUX64", "email": "", "type": "ORACLE_DB", "exclude-wallet-membership" : "false", "strictIpCheck" : "TRUE", "endpointConfiguration" : { "expirePkcs11PersistentCacheOnDatabaseShutdown" : "TRUE", "serverPollTimeout" : "PT5M", "pkcs11ConfigurationParameterRefresh" : "PT11M", "pkcs11InMemoryCacheTimeout" : "PT20M", "pkcs11PersistentCacheRefreshTimeout" : "PT30M", "pkcs11PersistentCacheTimeout" : "PT40M", "pkcs11TraceDirectoryPath" : "/users/psmith/work" }, "endpointSettingsForManagedObjects" : { "extractableAttribute" : { "symmetricKey" : "FALSE" } } } } }
- Run the okv admin endpoint update command using the generated JSON file.
  okv admin endpoint update --from-json update_ep.json
  Output similar to the following appears:
  { "result" : "Success" }