1. RESTful Services Administrator's Guide
  2. Security Object Commands

5 Security Object Commands

Endpoints can make use of the security object commands to operate on the managed objects.

5.1 okv managed-object attribute add Command

The okv managed-object attribute add command adds one or more attributes to a security object.

To find the existing attributes for the security object, run the okv managed-object attribute list command. If you want to create a custom attribute, then use the okv managed-object custom-attribute add command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute add --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE", 
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "processStartDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

attributes

Required

Array of attribute names. You must use the JSON syntax to add an attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name of the value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for more details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object attribute add command and save it as add-attrib.json. 
    okv managed-object attribute add --generate-json-input > add-attrib.json; more add-attrib.json

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE", 
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "processStartDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, add_attribute.json) and then edit it to include the attributes for the security object. For example:
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "add",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "attributes" : {
        "contactInfo" : "psmith@example.com",
        "deactivationDate" : "2024-12-31 09:00:00",
        "name" : {
                   "value" : "prod-hrdb-mkey",
                   "type" : "text"
         },
        "protectStopDate" : "2024-09-30 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object attribute add command using the generated JSON file. 
    okv managed-object attribute add --from-json add_attribute.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "attributes" : {
      "contactInfo" : "Added",
      "deactivationDate" : "Added",
      "name" : "Added",
      "protectStopDate" : "Added"
    }
  }
}

Related Topics

Parent topic: Security Object Commands

5.2 okv managed-object attribute delete Command

The okv managed-object attribute delete command deletes one or more attributes associated with a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute delete --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "delete",
    "options": {
      "uuid": "#VALUE",
      "attributes": {
        "name": {
          "value": "#VALUE"
        },
        "contactInfo": "#VALUE",
        "activationDate": "#VALUE",
        "deactivationDate": "#VALUE",
        "protectStopDate": "#VALUE",
        "processStartDate": "#VALUE"
      }
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

attributes

Required

Array of attribute names. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can delete are as follows:

  • name (You must also specify the value of the name attribute instance that you want to delete.)
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

    You can use different ways to set the date and time. Examples are as follows: 

    "activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

    To display the time in UTC format, use the Linux date command. For example: 

    $ date --utc "+%F %T"
2021-03-15 20:31:37

JSON Example

  1. Generate JSON input for the okv managed-object attribute delete command. 
    okv managed-object attribute delete --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "delete",
    "options": {
      "uuid": "#VALUE",
      "attributes": {
        "name": {
          "value": "#VALUE"
        },
        "contactInfo": "#VALUE",
        "activationDate": "#VALUE",
        "deactivationDate": "#VALUE",
        "protectStopDate": "#VALUE",
        "processStartDate": "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, del_attribute.json) and then edit it so that you can delete the attributes associated with a security object.
    {
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "delete",
    "options": {
      "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "attributes": {
        "name": {
          "value": "PROD-HRDB-MKEY"
        }
      }
    }
  }
}
  3. Run the okv managed-object attribute delete command using the generated JSON file. 
    okv managed-object attribute delete --from-json del_attribute.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "attributes": {
      "name": "Deleted"
    }
  }
}

Related Topics

Parent topic: Security Object Commands

5.3 okv managed-object attribute get Command

The okv managed-object attribute get command retrieves an attribute or list of attributes of a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute get --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME"],
      "customAttributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ]
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

attributes

Required

Array of attribute names. You must use the JSON syntax to specify the attributes. You cannot specify attributes at the command line. You can retrieve the value of multiple attributes by including additional optional ATTRIBUTE_NAME attributes. See the example.

To find the existing attributes for the managed object, run the okv managed-object attribute list command. To retrieve the values of all existing attributes for the managed object, run the okv managed-object attribute get-all command.

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

customAttributes

Optional

Array of custom attributes. You must use the JSON syntax to specify the custom attributes. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

JSON Example

  1. Generate JSON input for the okv managed-object attribute get command. 
    okv managed-object attribute get --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ],
      "customAttributes" : [ "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME", "#ATTRIBUTE_NAME" ]
    }
  }
}
  2. Save the generated input to a file (for example, get_attribute.json) and then edit it to retrieve the attributes associated with the security object.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get",
    "options" : {
       "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
       "attributes": [
         "activationDate",
         "contactInfo",
         "cryptoUsageMask",
         "cryptographicAlgorithm",
         "cryptographicLength",
         "name",
         "objectType",
         "state",
         "extractable",
         "neverExtractable"
      ],
      "customAttributes" : ["x-ApplicationTag"]
    }
  }
}
  3. Run the okv managed-object attribute get command using the generated JSON file. 
    okv managed-object attribute get --from-json get_attribute.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "attributes": {
      "activationDate": "2020-11-21 01:00:00",
      "contactInfo": "psmith@example.com",
      "cryptoUsageMask": [
        "ENCRYPT",
        "DECRYPT"
      ],
      "cryptographicAlgorithm": "AES",
      "cryptographicLength": "256",
      "extractable" : "false",
      "name": [
        {
          "type": "text",
          "value": "PROD-HRDB-MKEY"
        }
      ],
      "neverExtractable" : "TRUE",
      "objectType": "Symmetric Key",
      "state": "Active"
    },
    "customAttributes": [
      {
        "index": "1",
        "name": "x-ApplicationTag",
        "type": "Text String",
        "value": "HR-Production"
      }
    ]
  }
}

Parent topic: Security Object Commands

5.4 okv managed-object attribute get-all Command

The okv managed-object attribute get-all command retrieves all attributes of a security object.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute get-all --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get-all",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object attribute get-all command. 
    okv managed-object attribute get-all --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get-all",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_all_attributes.json) and then edit it to get all the attributes of the security object.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "get-all",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
    }
  }
}
  3. Run the okv managed-object attribute get-all command using the generated JSON file. 
    okv managed-object attribute get-all --from-json get_all_attributes.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "attributes" : {
      "activationDate" : "2020-11-21 01:00:00",
      "contactInfo" : "psmith@example.com",
      "cryptoUsageMask" : [ "ENCRYPT", "DECRYPT" ],
      "cryptographicAlgorithm" : "AES",
      "cryptographicLength" : "256",
      "deactivationDate" : "2024-12-31 01:00:00",
      "digest" : {
       "algorithm" : "SHA-256",
       "digestValue" : "EA31657433D91BF79660525131772D838A1128FCE6B49471726EEF5844EFA3F7",
       "keyFormatType" : "RAW"
      },
      "extractable" : "FALSE",
      "fresh" : "Yes",
      "initialDate" : "2020-11-21 00:57:00",
      "lastChangeDate" : "2020-11-21 20:17:19",
      "name" : [ {
        "type" : "text",
        "value" : "PROD-HRDB-MKEY"
      } ],
      "neverExtractable" : "true"
      "objectType" : "Symmetric Key",
      "processStartDate" : "2020-11-21 00:57:00",
      "protectStopDate" : "2024-09-30 09:00:00",
      "state" : "Active"
    },
    "customAttributes" : [ {
      "index" : "1",
      "name" : "x-ApplicationTag",
      "type" : "Text String",
      "value" : "HR-Production"
    } ]
  }
}

Parent topic: Security Object Commands

5.5 okv managed-object attribute list Command

The okv managed-object attribute list command retrieves the names of attributes associated with a security object.

The okv managed-object attribute list command shows the key customAttributes if the object has one or more custom attributes. To find the custom attributes defined for the object, run the okv managed-object attribute get-all command.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object attribute list --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "list",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object attribute list command. 
    okv managed-object attribute list --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "list",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, list_attributes.json) and then edit it to retrieve the list of attributes for the security object.
    {
  "service": {
    "category": "managed-object",
    "resource": "attribute",
    "action": "list",
    "options": {
      "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
    }
  }
}
  3. Run the okv managed-object attribute list command using the generated JSON file. 
    okv managed-object attribute list --from-json list_attributes.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "attributes" : [
      "activationDate",
      "contactInfo",
      "cryptoUsageMask",
      "cryptographicAlgorithm",
      "cryptographicLength",
      "deactivationDate",
      "digest",
      "extractable",
      "fresh",
      "initialDate",
      "lastChangeDate",
      "name",
      "neverExtractable", 
      "objectType",
      "processStartDate",
      "protectStopDate",
      "state"
    ],
    "customAttributes" : [ "x-ApplicationTag" ]
  }
}

Parent topic: Security Object Commands

5.6 okv managed-object attribute modify Command

The okv managed-object attribute modify command modifies attributes that are associated with a security object.

To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object attribute modify --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "newValue" : "#VALUE",
          "newType" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

attributes

Required

Attribute names and their values. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the existing name value.
    • newValue is the new name value.
    • newType is the new name value type. If you want to change the type only, then you must provide a value and newValue.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

    As a user who has the Key Administrator role, you can modify the extractable attribute setting of an existing symmetric key to either TRUE or FALSE. A user with read-modify access on an existing symmetric key can also modify its extractable attribute setting, however, this is allowed only to apply the stricter setting, that is, to set the value to FALSE to make the object non-extractable. Such users cannot modify the extractable attribute setting to make a symmetric key extractable if it is currently non-extractable. You can apply the extractable attribute setting to only symmetric keys, and not to other types of security objects.

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object attribute modify command. 
    okv managed-object attribute modify --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "newValue" : "#VALUE",
          "newType" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, modify_attributes.json) and then edit it to modify the attributes that are associated with the security object.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "attributes" : {
        "name" : {
          "value" : "PROD-HRDB-MKEY",
          "newValue" : "PROD-GLOBAL-HRDB-MKEY",
          "newType" : "text"
        },
        "contactInfo" : "jscott@example.com",
        "deactivationDate" : "2024-07-31 09:00:00",
        "protectStopDate" : "2024-04-30 09:00:00",
        "extractable" : "FALSE"
      }
    }
  }
}
  3. Run the okv managed-object attribute modify command using the generated JSON file. 
    okv managed-object attribute modify --from-json modify_attributes.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "attributes": {
      "contactInfo": "Modified",
      "deactivationDate": "Modified",
      "name": "Modified",
      "protectStopDate": "Modified",
      "extractable" : "Modified"
    }
  }
}

Related Topics

Parent topic: Security Object Commands

5.7 okv managed-object certificate get Command

The okv managed-object certificate get command retrieves a digital certificate.

Required Authorization

The endpoint must have read permission on the certificate object.

Syntax

okv managed-object certificate get --uuid UUID

JSON Input File Template Syntax

{
  "service": {
    "category": "managed-object",
    "resource": "certificate",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the certificate.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object certificate get command. 
    okv managed-object certificate get --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "certificate",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_cert.json) and then edit it to retrieve the specified certificate.
    {
  "service": {
    "category": "managed-object",
    "resource": "certificate",
    "action": "get",
    "options": {
      "uuid": "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
    }
  }
}
  3. Run the okv managed-object certificate get command using the generated JSON file. 
    okv managed-object certificate get --from-json get_cert.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "object": "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgICfVEwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCdXMx\nEzARB << output truncated >> AYP\n4vwrDwBdNdGtj36GqjuCpz/xCVM9ieSRxJU8\n-----END CERTIFICATE-----"
  }
}

Parent topic: Security Object Commands

5.8 okv managed-object certificate register Command

The okv managed-object certificate register command registers a certificate.

Required Authorization

None

Syntax

okv managed-object certificate register --object certificate_file_path --type certificate_type --sub-type certificate_sub_type --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --private-key-uuid private_key_uuid  --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "type" : "X_509",
      "subType" : "#USER_CERT|TRUSTPOINT",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the certificate object.

--type / type

Required

Type of certificate. Enter the following value: X_509

--sub-type / sub-type

Optional

Sub-type of the certificate. Choose from the following values:

  • USER_CERT
  • TRUSTPOINT

--algorithm / algorithm

Optional

Cryptographic algorithm of the public key contained in the certificate. If you omit this parameter, then the algorithm is retrieved from the certificate file that is being uploaded. Enter the following value:

  • RSA

--length / length

Optional

Length of the public key contained in the certificate. If you omit this parameter, then the key length is retrieved from the certificate file that being uploaded. Choose from the following values:

  • 1024
  • 2048
  • 4096

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

--privateKeyUUID / privateKeyUUID

Optional

Universally unique ID (UUID) of the private key associated with the certificate object.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object certificate register command. 
    okv managed-object certificate register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "subType" : "#USER_CERT|TRUSTPOINT",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_cert.json) and then edit it to register the specified certificate. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate",
    "action" : "register",
    "options" : {
      "object" : "./cert.pem",
      "algorithm" : "RSA",
      "length" : "2048",
      "mask" : [ "ENCRYPT"],
      "type" : "X_509",
      "subType" : "USER_CERT",
      "privateKeyUUID" : "D497994E-74CD-4F60-BF7C-52F254142705",
      "wallet" : "hr_wallet",
      "attributes" : {
        "name" : {
          "value" : "FINDB-PROD-CERT",
          "type" : "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object certificate register command using the generated JSON file. 
    okv managed-object certificate register --from-json reg_cert.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuid" : "EEED2C4F-33D7-4F9A-BF02-52DD2225A43A"
  }
}

Related Topics

Parent topic: Security Object Commands

5.9 okv managed-object certificate-request get Command

The okv managed-object certificate-request get  command retrieves a certificate request.

Required Authorization

The endpoint must have read permission on the certificate request object.

Syntax

okv managed-object certificate-request get  --uuid UUID

JSON Input File Template Syntax

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the certificate request.

To find the unique identifier for the certificate request, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object certificate-request get command. 
    okv managed-object certificate-request get  --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_cert_req.json) and then edit it to specify the UUID of the certificate request.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "get",
    "options" : {
      "uuid" : "BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64"
    }
  }
}
  3. Run the okv managed-object certificate-request get command using the generated JSON file. 
    okv managed-object certificate-request get  --from-json get_cert_req.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "object" : "-----BEGIN NEW CERTIFICATE REQUEST-----\nMIIC5TCCAc0CAQAwdDELMAkGA1UEBhMCdXMxEzARBgNVBAgTCkNhbGlmb3JuaWEx << output truncated >> \nDtWoeZfNYHcWPFmHK8aiLCgzeFG62xRdyg==\n-----END NEW CERTIFICATE REQUEST-----"
  }
}

Parent topic: Security Object Commands

5.10 okv managed-object certificate-request register Command

The okv managed-object certificate-request register command registers a certificate request object with Oracle Key Vault.

Required Authorization

None

Syntax

okv managed-object certificate-request register --object certificate_requeset_file_path --type certificate_requeset_type --private-key-uuid private_key_uuid --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "register",
    "options" : {
      "type" : "#CRMF,PKCS10,PEM,PGP",
      "object" : "#VALUE",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the certificate request object.

--type / type

Required

Type of certificate request. Choose from the following values:

  • CRMF
  • PKCS10
  • PEM
  • PGP

--privateKeyUUID / privateKeyUUID

Optional

Universally unique ID (UUID) of the private key associated with the certificate request to be registered.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37
See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object certificate-request register command. 
    okv managed-object certificate-request register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "register",
    "options" : {
      "type" : "#CRMF,PKCS10,PEM,PGP",
      "object" : "#VALUE",
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_cert_req.json) and then edit it to specify the appropriate certificate request values.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "certificate-request",
    "action" : "register",
    "options" : {
      "type" : "PEM",
      "object" : "./cert_req.pem",
      "privateKeyUUID" : "D497994E-74CD-4F60-BF7C-52F254142705",
      "wallet" : "hr_wallet",
      "attributes" : {
        "name" : {
          "value" : "FINDB-PROD-CERTREQ",
          "type" : "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object certificate-request register command using the generated JSON file. 
    okv managed-object certificate-request register --from-json reg_cert_req.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuid" : "BC0E9004-82E0-4FFA-BFF2-29A67DDD5C64"
  }
}

Related Topics

Parent topic: Security Object Commands

5.11 okv managed-object custom-attribute add Command

The okv managed-object custom-attribute add command adds a custom attribute to a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute add --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

customAttribute

Required

Custom attribute name. Include the prefix x- in the attribute name. Do not use the prefix of x-OKV with custom attribute names. The custom attributes that start with the x-OKV prefix are reserved for use by Oracle Key Vault only. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You must specify these values for the custom attribute:

  • name is the name of the value that you want to add.
  • value is the value of the attribute.
  • type is either text or number.

See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute add command. 
    okv managed-object custom-attribute add --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "add",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      }
    }
  }
}
  2. Save the generated input to a file (for example, add_cust_attr.json) and then edit it to include the custom attribute to the security object. 
    {
  "service": {
    "category": "managed-object",
    "resource": "custom-attribute",
    "action": "add",
    "options": {
      "uuid": "3C695846-BB8D-4FD2-BFC4-E646ACB60404",
      "customAttribute": {
        "name": "x-ApplicationTag",
        "value": "HR-Production",
        "type": "TEXT"
      }
    }
  }
}
  3. Run the okv managed-object custom-attribute add command using the generated JSON file. 
    okv managed-object custom-attribute add --from-json add_cust_attr.json

    Output similar to the following appears: 

    {
  "result" : "Success"
}

Parent topic: Security Object Commands

5.12 okv managed-object custom-attribute delete Command

The okv managed-object custom-attribute delete command deletes a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute delete --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

customAttribute

Required

Custom attribute name and its index. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for a managed object, run the okv managed-object attribute get-all command.

You must specify these values for the attribute:

  • name is the name of the value.
  • index is the index of the value.

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute delete command. 
    okv managed-object custom-attribute delete --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, del_cust_attr.json) and then edit it so that you can delete the custom attribute. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "delete",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "customAttribute" : {
        "name" : "x-ApplicationTag",
        "index" : "1"
      }
    }
  }
}
  3. Run the okv managed-object custom-attribute delete command using the generated JSON file. 
    okv managed-object custom-attribute delete --from-json del_cust_attr.json

    Output similar to the following appears: 

    {
  "result" : "Success"
}

Parent topic: Security Object Commands

5.13 okv managed-object custom-attribute modify Command

The okv managed-object custom-attribute modify command modifies a custom attribute of a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

Uses JSON syntax only: okv managed-object custom-attribute modify --generate-json-input

You must use the JSON syntax for this command to specify the attributes. However, you can use the --uuid parameter at the command line with this command. This is useful for cases where you want to apply the same attribute values to multiple objects. You can re-use the same JSON file and specify different UUIDs at the command line.

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "newValue" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}

Parameters

Template Parameter Required? Description

uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

customAttribute

Required

Custom attribute name, value, and index. You must use the JSON syntax to specify the attribute. You cannot specify attributes at the command line. To find the existing attributes for the managed object, run the okv managed-object attribute get-all command.

You cannot specify attributes at the command line. You must use the JSON syntax to modify a custom attribute.

You must specify these values for the attribute:

  • name is the name of the attribute that you want to modify.
  • newValue is the new value for the attribute.
  • index is the index of the attribute that you want to modify.

See Key Management Interoperability Protocol Specification Version 1.1 for details about JSON attributes.

JSON Example

  1. Generate JSON input for the okv managed-object custom-attribute modify command. 
    okv managed-object custom-attribute modify --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "#VALUE",
      "customAttribute" : {
        "name" : "#VALUE",
        "newValue" : "#VALUE",
        "index" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, modify_cust_attr.json) and then edit it to modify the custom attribute. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "custom-attribute",
    "action" : "modify",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "customAttribute" : {
        "name" : "x-ApplicationTag",
        "newValue" : "Global-HR-Production",
        "index" : "1"
      }
    }
  }
}
  3. Run the okv managed-object custom-attribute modify command using the generated JSON file. 
    okv managed-object custom-attribute modify --from-json modify_cust_attr.json

    Output similar to the following appears: 

    {
  "result" : "Success"
}

Parent topic: Security Object Commands

5.14 okv managed-object key create Command

The okv managed-object key create command creates a symmetric key. 

Required Authorization

None

Syntax

okv managed-object key create --algorithm  cryptographic_algorithm --length key_length --mask crypographic_usage_mask --wallet wallet_name

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "create",
    "options": {
      "algorithm": "#3DES|AES",
      "length": "#112,168(3DES)|128,192,256(AES)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet": "#VALUE",
      "attributes": {
         "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--algorithm / algorithm

Required

Cryptographic algorithm. Choose from the following values:

  • AES
  • 3DES

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • For AES: 128, 192, 256
  • For 3DES: 112, 168

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Sets the extractable attribute.

  • TRUE Allows the object to be extracted from Oracle Key Vault.

  • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

If you do not set the extractable attribute, then this value is inherited from the endpoint's configuration. In the command line, you can only specify the extractable attribute setting that is stricter than the endpoint's effective setting. For example, you cannot set the extractable attribute to TRUE if it is set to FALSE in the endpoint. However, you can always set the extractable attribute value to FALSE in the command line.

JSON Example

  1. Generate JSON input for the okv managed-object key create command. 
    okv managed-object key create --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "create",
    "options": {
      "algorithm": "#3DES|AES",
      "length": "#112,168(3DES)|128,192,256(AES)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet": "#VALUE",
      "attributes": {
         "extractable" : "#TRUE|FALSE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, create_key.json) and then edit it to create the key. 
    {
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "create",
    "options": {
      "algorithm": "AES",
      "length": "256",
      "mask": [
        "ENCRYPT",
        "DECRYPT"
      ],
      "wallet": "hr_wallet",
      "attributes": {
         "extractable" : "FALSE"
      }
    }
  }
}
  3. Run the okv managed-object key create command using the generated JSON file. 
    okv managed-object key create --from-json create_key.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
  }
}

Parent topic: Security Object Commands

5.15 okv managed-object key get Command

The okv managed-object key get command retrieves a symmetric key.

Required Authorization

The endpoint must have read permission on the key object.

Syntax

okv managed-object key get --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object key get command. 
    okv managed-object key get --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_key.json) and then edit it to get the specified key. 
    {
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "get",
    "options": {
      "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
    }
  }
}
  3. Run the okv managed-object key get command using the generated JSON file. 
    okv managed-object key get --from-json get_key.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "object": "E7A641D77DDAF074C62E7A2C2355F2B8D9CD49486E6AF7F38A22CBDEC91630D0"
  }
}

    If the symmetric key is not extractable, then the following message appears: 

    {
  "result" : "Failure",
  "message" : "Operation Result Status: Operation Failed, Result Reason: Unavailable"
}

Parent topic: Security Object Commands

5.16 okv managed-object key register Command

The okv managed-object key register command registers a symmetric key.

Required Authorization

None

Syntax

okv managed-object key register --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --object key_file_path --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "register",
    "options" : {
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "object" : "#VALUE",
      "algorithm" : "#3DES|AES",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--algorithm / algorithm

Required

Cryptographic algorithm. Choose from the following values:

  • AES
  • 3DES

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • For AES: 128, 192, 256
  • For 3DES: 112, 168

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

--object / object

Required

File path to the symmetric key object.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

    If you do not set the extractable attribute, then this value is inherited from the endpoint's configuration. In the command line, you can only specify the extractable attribute setting that is stricter than the endpoint's effective setting. For example, you cannot set the extractable attribute to TRUE if it is set to FALSE in the endpoint. However, you can always set the extractable attribute value to FALSE in the command line.

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object key register command. 
    okv managed-object key register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "key",
    "action" : "register",
    "options" : {
      "length" : "#112,168(3DES)|128,192,256(AES)",
      "object" : "#VALUE",
      "algorithm" : "#3DES|AES",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_key.json) and then edit it to register the key. 
    {
  "service": {
    "category": "managed-object",
    "resource": "key",
    "action": "register",
    "options": {
      "length": "256",
      "object": "./object.txt",
      "algorithm": "AES",
      "mask": [
        "ENCRYPT",
        "DECRYPT"
      ],
      "wallet": "hr_wallet",
      "attributes": {
        "name": {
          "value": "FINDB-PROD-MKEY",
          "type": "text"
        },
        "contactInfo" : "pfitch@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00",
        "extractable" : "FALSE"
      }
    }
  }
}
  3. Run the okv managed-object key register command using the generated JSON file. 
    okv managed-object key register --from-json reg_key.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "uuid": "39BE0215-5D7B-4F38-BF5F-FC87C82AA004"
  }
}

Related Topics

Parent topic: Security Object Commands

5.17 okv managed-object object activate Command

The okv managed-object object activate command activates a security object.

See Oasis Key Management Interoperability Protocol Specification Version 1.1 Oasis Standard for various states that a security object can be in.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object activate --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "activate",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object managed-object activate command. 
    okv managed-object object activate --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "activate",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, activate_object.json) and then edit it to activate the security object. 
    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "activate",
    "options": {
      "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
    }
  }
}
  3. Run the okv managed-object managed-object activate command using the generated JSON file. 
    okv managed-object object activate --from-json activate_object.json

    Output similar to the following appears: 

    {
  "result": "Success"
}

Parent topic: Security Object Commands

5.18 okv managed-object object destroy Command

The okv managed-object object destroy command requests the server to destroy the key data for a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object destroy --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "destroy",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object object destroy command. 
    okv managed-object object destroy --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "destroy",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, destroy_obj.json) and then edit it so that you can destroy the security object data.
    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "destroy",
    "options": {
      "uuid": "B36F3AD1-0AC7-4FEB-BF32-79E6F727ECB2"
    }
  }
}
  3. Run the okv managed-object object destroy command using the generated JSON file. 
    okv managed-object object destroy --from-json destroy_obj.json

    Output similar to the following appears: 

    {
  "result": "Success"
}

Parent topic: Security Object Commands

5.19 okv managed-object object locate Command

The okv managed-object object locate command locates a security object.

Required Authorization

The endpoint must have read permission on the objects.

Syntax

okv managed-object object locate --max max_value  --object-group-member object_group_member_type --state state_value --name name_value

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "locate",
    "options" : {
      "max" : "#VALUE",
      "objectGroupMember" : "#FRESH|DEFAULT",
      "attributes" : {
        "name" : {
          "value" : "#VALUE"
        },
        "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
        "objectType" : "#VALUE",
        "fresh" : "#YES|NO",
        "objectGroup" : "#VALUE",
        "contactInfo" : "#VALUE",
        "cryptographicAlgorithm" : "#VALUE",
        "cryptographicLength" : "#VALUE",
        "cryptoUsageMask" : "#VALUE",
        "certificateLength" : "#VALUE",
        "certificateType" : "#VALUE",
        "x509CertificateSubject" : "#VALUE",
        "x509CertificateIssuer" : "#VALUE",
        "digitalSigningAlgorithm" : "#VALUE",
        "digest" : {
          "digestValue" : "#VALUE",
          "algorithm" : "#VALUE",
          "keyFormatType" : "#VALUE"
        },
        "link" : {
          "linkType" : "#VALUE",
          "linkValue" : "#VALUE"
        },
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "initialDate" : "#VALUE",
        "lastChangeDate" : "#VALUE",
        "compromiseDate" : "#VALUE",
        "compromiseOccurrenceDate" : "#VALUE",
        "destroyDate" : "#VALUE",
        "archiveDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE",
        "neverExtractable" : "#TRUE|FALSE"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--max / max

Required

Maximum number of objects that this command should return

--object-group-member / object-group-member

Optional

Enter one of the following group values:

  • DEFAULT
  • FRESH

--state / state

Optional

Enter one of the following states:

  • PREACTIVE
  • ACTIVE
  • DEACTIVATED
  • COMPROMISED
  • DESTROYED
  • DESTROYED_COMPROMISED

--name / name

Optional

Name of the object to locate.

--attributes / attributes

Required

Attributes names and their values of the object to locate. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes value.
  • state is the state of the object.
  • objectType, type of the object.
  • fresh indicates whether the object is fresh or not. Enter either YES or NO.
  • objectGroup is the object group or wallet name.
  • contactInfo is the contact information for the object.
  • cryptographicAlgorithm is the cryptographic algorithm of the object.
  • cryptographicLength is the cryptographic length of the object.
  • cryptoUsageMask is the usage mask of the object.
  • certificateType is the type of the certificate object.
  • x509CertificateSubject is the subject of the X.509 certificate.
  • x509CertificateIssuer is the issuer of the X.509 certificate.
  • digitalSigningAlgorithm is the digital signature algorithm of the object.
  • digest is digest of the object, which includes:
    • digestValue is the value of the digest.
    • algorithm is the hashing algorithm.
    • keyFormatType is the format of the object.
  • link is the link attribute of the object, and it includes:
    • linkType is the type of the link.
    • linkValue is the linked object UUID.
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate
    • activationDate
    • deactivationDate
    • processStartDate
    • protectStopDate
    • initialDate
    • lastChangeDate
    • compromiseDate
    • compromiseOccurrenceDate
    • destroyDate
    • archiveDate

  • extractable can be set as follows:

    • TRUE Allows the object to be extracted from Oracle Key Vault.

    • FALSE Prevents the key material within the object from being extracted from Oracle Key Vault. However, the metadata of the object (including object attributes, state, and so on) can still be retrieved from Oracle Key Vault.

  • neverExtractable tracks whether the extraction of the security object has always been restricted during its existence in the Oracle Key Vault server. Settings are as follows:
    • TRUE means that the security object was never extractable from Oracle Key Vault during the object's existence.
    • FALSE means the security object was extractable from Oracle Key Vault at least once during the object's existence.

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

customAttributes

Optional

List of custom attributes of the object to locate.

Custom attributes that you can enter are as follows:

  • name is the name of the custom attribute.
  • value is the value of the custom attribute.
  • type is either text or number.

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object object locate command. 
    okv managed-object object locate --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "locate",
    "options" : {
      "max" : "#VALUE",
      "objectGroupMember" : "#FRESH|DEFAULT",
      "attributes" : {
        "name" : {
          "value" : "#VALUE"
        },
        "state" : "#PREACTIVE|ACTIVE|DEACTIVATED|COMPROMISED|DESTROYED|DESTROYED_COMPROMISED",
        "objectType" : "#VALUE",
        "fresh" : "#YES|NO",
        "objectGroup" : "#VALUE",
        "contactInfo" : "#VALUE",
        "cryptographicAlgorithm" : "#VALUE",
        "cryptographicLength" : "#VALUE",
        "cryptoUsageMask" : "#VALUE",
        "certificateLength" : "#VALUE",
        "certificateType" : "#VALUE",
        "x509CertificateSubject" : "#VALUE",
        "x509CertificateIssuer" : "#VALUE",
        "digitalSigningAlgorithm" : "#VALUE",
        "digest" : {
          "digestValue" : "#VALUE",
          "algorithm" : "#VALUE",
          "keyFormatType" : "#VALUE"
        },
        "link" : {
          "linkType" : "#VALUE",
          "linkValue" : "#VALUE"
        },
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE",
        "initialDate" : "#VALUE",
        "lastChangeDate" : "#VALUE",
        "compromiseDate" : "#VALUE",
        "compromiseOccurrenceDate" : "#VALUE",
        "destroyDate" : "#VALUE",
        "archiveDate" : "#VALUE",
        "extractable" : "#TRUE|FALSE",
        "neverExtractable" : "#TRUE|FALSE"
      },
      "customAttributes" : [ {
        "name" : "#VALUE",
        "value" : "#VALUE",
        "type" : "#TEXT|NUMBER"
      } ]
    }
  }
}
  2. Save the generated input to a file (for example, locate_obj.json) and then edit it to locate the security object. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "object",
    "action" : "locate",
    "options" : {
      "max" : "10",
      "objectGroupMember" : "FRESH",
      "attributes" : {
         "state": "ACTIVE",
         "name": {
            "value": "key8"
         },
         "fresh" : "Yes",
         "activationDate": "2021-04-10 07:16:00",
          "link" : {
            "linkType" : "Replaced Object Link",
            "linkValue" : "6B13B7B3-BE61-4FF6-BFB0-4108231392F8"
           },
          "extractable" : "FALSE",
          "neverExtractable" : "TRUE"
      },
     "customAttributes" : [{
        "name": "x-test_1",
        "value": "test_1",
        "type": "TEXT"
       },
       {
        "name": "x-number",
        "value": "1",
        "type": "NUMBER"
       }]
    }
  }
}
  3. Run the okv managed-object object locate command using the generated JSON file. 
    okv managed-object object locate --from-json locate_obj.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuids" : [ "6C51CC04-BFA5-4FBD-BFB4-12DCCECAA355" ]
  }
}

Related Topics

Parent topic: Security Object Commands

5.20 okv managed-object object query Command

The okv managed-object object query command identifies supported operations and objects.

Required Authorization

None

Syntax

okv managed-object object query

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "query"
  }
}

Parameters

None

JSON Example

  1. Generate JSON input for the okv managed-object object query command. 
    okv managed-object object query --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "query"
  }
}
  2. Save the generated input to a file (for example, query_obj.json).
  3. Run the okv managed-object object query command using the generated JSON file. 
    okv managed-object object query --from-json query_obj.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "objects": [
      "Symmetric Key",
      "Template",
      "Secret Data",
      "Opaque Object",
      "Certificate"
    ],
    "operations": [
      "Create",
      "Register",
      "Re-key",
      "Locate",
      "Check",
      "Get",
      "Get Attributes",
      "Get Attribute List",
      "Add Attribute",
      "Modify Attribute",
      "Delete Attribute",
      "Activate",
      "Revoke",
      "Destroy",
      "Query",
      "Discover Versions"
    ]
  }
}

Parent topic: Security Object Commands

5.21 okv managed-object object revoke Command

The okv managed-object object revoke command revokes a security object.

Required Authorization

The endpoint must have read-modify permission on the object.

Syntax

okv managed-object object revoke --code code --reason reason --compromiseDate date --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "revoke",
    "options": {
      "code": "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
      "reason": "#VALUE",
      "compromiseOccurrenceDate": "#VALUE",
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--code / code

Required

Enter one of the following values:

  • AFFILIATION_CHANGED
  • CA_COMPROMISE (Certificate authority compromise)
  • CESSATION_OF_OPERATION
  • KEY_COMPROMISE
  • PRIVILEGE_WITHDRAWN
  • SUPERSEDED
  • UNSPECIFIED

--reason / reason

Required

Description of the reason for the revocation

--compromise-occurrence-date / compromiseOccurrenceDate

Optional

Date the compromise took place. This setting is used only if KEY_COMPROMISE is selected for the --code / code parameter.

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object object revoke command. 
    okv managed-object object revoke --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "revoke",
    "options": {
      "code": "#UNSPECIFIED|KEY_COMPROMISE|CA_COMPROMISE|AFFILIATION_CHANGED|SUPERSEDED|CESSATION_OF_OPERATION|PRIVILEGE_WITHDRAWN",
      "reason": "#VALUE",
      "compromiseOccurrenceDate": "#VALUE",
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, revoke_obj.json) and then edit it so that you can revoke the security object privileges. 
    {
  "service": {
    "category": "managed-object",
    "resource": "object",
    "action": "revoke",
    "options": {
      "code": "KEY_COMPROMISE",
      "reason": "security incidence",
      "compromiseOccurrenceDate": "2020-11-20 10:34:29",
      "uuid": "E4CA6A16-B3CD-4F98-BF25-4A0EF482B8B8"
    }
  }
}
  3. Run the okv managed-object object revoke command using the generated JSON file. 
    okv managed-object object revoke --from-json revoke_obj.json

    Output similar to the following appears: 

    {
  "result": "Success"
}

Parent topic: Security Object Commands

5.22 okv managed-object opaque get Command

The okv managed-object opaque get command retrieves an object that contains opaque data.

Required Authorization

The endpoint must have read permission on the object.

Syntax

okv managed-object opaque get --uuid UUID

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object opaque get command. 
    okv managed-object opaque get --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_opaque_object.json) and then edit it to retrieve the data from the opaque object. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "get",
    "options" : {
      "uuid" : "2359E04F-DA61-4F7C-BF9F-913D3369A93A"
    }
  }
}
  3. Run the okv managed-object opaque get command using the generated JSON file. 
    okv managed-object opaque get --from-json get_opaque_object.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "object" : "2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A4D494945765149424144414E42676B71686B6947397730424151454641415343424B637767675363
<<<< Output Truncated>>>>
7067533170633634656D3630686C72336B786C593858665734317A594A450A724546334C652F4A4F4B4968674A754C367352734C67553D0A2D2D2D2D2D454E442050524956415445204B45592D2D2D2D2D0A"
  }
}

Parent topic: Security Object Commands

5.23 okv managed-object opaque register Command

The okv managed-object opaque register command registers an opaque security object.

Objects containing opaque data are not necessarily interpreted by the server.

Required Authorization

None

Syntax

okv managed-object opaque register --object object_name --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the object.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object opaque register command. 
    okv managed-object opaque register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "opaque",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_opaque.json) and then edit it to register the opaque key. 
    {
  "service": {
    "category": "managed-object",
    "resource": "opaque",
    "action": "register",
    "options": {
      "object": "./key.pem",
      "wallet": "hr_wallet",
      "attributes": {
        "name": {
          "value": "Opaque-Key-102",
          "type": "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object opaque register command using the generated JSON file. 
    okv managed-object opaque register --from-json reg_opaque.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuid" : "B44A99FD-F892-4F3E-BF7D-487B68159CC3"
  }
}

Related Topics

Parent topic: Security Object Commands

5.24 okv managed-object private-key get Command

The okv managed-object private-key get command retrieves a private key.

Required Authorization

The endpoint must have read permission on the private key.

Syntax

okv managed-object private-key get  --uuid UUID

JSON Input File Template Syntax

{
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the private key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object private-key get command. 
    okv managed-object private-key get  --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_private_key.json) and then edit it to specify the UUID of the private key.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "get",
    "options" : {
      "uuid" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE"
    }
  }
}
  3. Run the okv managed-object private-key get command using the generated JSON file. 
    okv managed-object private-key get  --from-json get_private_key.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "object" : "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAg << output truncated >> /onTXJKf8A1kZwPW/Qa6IpPOGCfOJDtyM9F5X9REaJQr+1\nXw1sBm1Tjh4z/m6rsKK6A4YP\n-----END PRIVATE KEY-----"
  }
}

Parent topic: Security Object Commands

5.25 okv managed-object private-key register Command

The okv managed-object private-key register command registers a private key.

Required Authorization

None

Syntax

okv managed-object private-key register --object private_key_file_path --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the private key object.

--algorithm / algorithm

Required

Cryptographic algorithm. The following value is valid: RSA

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • 1024
  • 2048
  • 4096

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object private-key register command. 
    okv managed-object private-key register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_private_key.json) and then edit it to specify the appropriate private key settings.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "private-key",
    "action" : "register",
    "options" : {
      "object" : "./priv_key.pem",
      "algorithm" : "RSA",
      "length" : "2048",
      "mask" : [ "ENCRYPT", "DECRYPT" ],
      "wallet" : "hr_wallet",
      "attributes" : {
        "name" : {
          "value" : "CERT-APPID-103",
          "type" : "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object private-key register command using the generated JSON file. 
    okv managed-object private-key register --from-json reg_private_key.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuid" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE"
  }
}

Related Topics

Parent topic: Security Object Commands

5.26 okv managed-object public-key get Command

The okv managed-object public-key get command retrieves a public key.

Required Authorization

The endpoint must have read permission on the public key.

Syntax

okv managed-object public-key get  --uuid UUID

JSON Input File Template Syntax

{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the public key.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object public-key get command. 
    okv managed-object public-key get --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "get",
    "options" : {
      "uuid" : "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, get_public_key.json) and then edit it to specify the UUID of the public key.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "get",
    "options" : {
      "uuid" : "11652909-D019-4F3B-BFB9-791723095005"
    }
  }
}
  3. Run the okv managed-object public-key get command using the generated JSON file. 
    okv managed-object public-key get  --from-json get_public_key.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "object" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK4YrT6A/4tVnadRg0ZT\nprsdUwXrIdoqf1+ye/yVkN6RmtR7mthn6WIIrbTVX5MuAkLc6yyuMEc+nLDPZzrU\nFXkCAQeVR7sT/hQo74dQHebIfJxgx+uZrlzOgT4Il1qfmjR6y81RjTvAU8ZPdzPb\nuXKHZErZVQdoXUw5uFrTNzOegLbYJFI2dZnf3erB7Ho64DckFRoFP05cc3A0iLrL\ntzE8CcjAlBlXTGJD4kAtTEet/0TkvuHzBHr23zkfj0kWV3PHGYYC3O+/UzXg/nal\n3iTK5yRDkln45AyI/PkfzAFiZ/kX9C66H0WRMxgfaOn/uRNbikFOFK6IPOGcT+0S\n/QIDAQAB\n-----END PUBLIC KEY-----"
  }
}

Parent topic: Security Object Commands

5.27 okv managed-object public-key register Command

The okv managed-object public-key register command registers a public key.

Required Authorization

None

Syntax

okv managed-object public-key register --object public_key_file_path --algorithm cryptographic_algorithm --length key_length --mask cryptographic_usage_mask --private-key-uuid private_key_uuid --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--object / object

Required

File path to the public key object.

--algorithm / algorithm

Required

Cryptographic algorithm. The following value is valid: RSA

--length / length

Required

Key length for the algorithm. Choose from the following values:

  • 1024
  • 2048
  • 4096

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

--privateKeyUUID / privateKeyUUID

Optional

Universally unique ID (UUID) of the private key associated with the public key being registered.

To find the unique identifier for the key, run the okv manage-access wallet list-objects command or the okv admin endpoint list-objects command.

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

attributes

Optional

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object public-key register command. 
    okv managed-object public-key register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "algorithm" : "#RSA",
      "length" : "#1024,2048,4096(RSA)",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "privateKeyUUID" : "#VALUE",
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_public_key.json) and then edit it to specify the appropriate public key settings.
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "public-key",
    "action" : "register",
    "options" : {
      "object" : "./key.pub",
      "algorithm" : "RSA",
      "length" : "2048",
      "mask" : [ "ENCRYPT", "DECRYPT" ],
      "privateKeyUUID" : "2F9E2A31-D15A-4F5B-BFA0-761892021DBE ",
      "wallet" : "hr_wallet",
      "attributes" : {
        "name" : {
          "value" : " FINDB-PROD-PUBKEY ",
          "type" : "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object public-key register command using the generated JSON file. 
    okv managed-object public-key register --from-json reg_public_key.json

    Output similar to the following appears: 

    {
  "result" : "Success",
  "value" : {
    "uuid" : "11652909-D019-4F3B-BFB9-791723095005 "
  }
}

Related Topics

Parent topic: Security Object Commands

5.28 okv managed-object secret get Command

The okv managed-object secret get command retrieves the secret data from a security object of type secret.

Required Authorization

The endpoint must have read permission on the secret object.

Syntax

okv managed-object secret get --uuid UUID

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "secret",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv managed-object secret get command. 
    okv managed-object secret get --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "secret",
    "action": "get",
    "options": {
      "uuid": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, secret_get.json) and then edit it to locate the secret object. 
    {
  "service": {
    "category": "managed-object",
    "resource": "secret",
    "action": "get",
    "options": {
      "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC"
    }
  }
}
  3. Run the okv managed-object secret get command using the generated JSON file. 
    okv managed-object secret get --from-json secret_get.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "object": "ki3j&8slo73y2ls"
  }
}

Parent topic: Security Object Commands

5.29 okv managed-object secret register Command

The okv managed-object secret register command registers secret data such as passwords or random seeds.

Required Authorization

None

Syntax

okv managed-object secret register --object object_name type PASSWORD|SEED wallet wallet_name --mask cryptogrpahic_usage_mask

JSON Input File Template

{
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "type" : "#PASSWORD|SEED",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },
        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}

Parameters

Parameter/Template Required? Description

--object / object

Required

Path of the object file containing secret data.

--type / type

Required

Enter one of the following values:

  • PASSWORD
  • SEED

--wallet / wallet

Optional

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--mask / mask

Required

Cryptographic usage mask, enclosed in double quotation marks. Choose from the following values:

  • ENCRYPT
  • DECRYPT
  • DERIVE_KEY
  • EXPORT
  • GENERATE_CRYPTOGRAM
  • TRANSLATE_DECRYPT
  • TRANSLATE_ENCRYPT
  • TRANSLATE_UNWRAP
  • TRANSLATE_WRAP
  • UNWRAP_KEY
  • VALIDATE_CRYPTOGRAM
  • WRAP_KEY

attributes

Required

Attribute names and their values. Enclose this value in double quotation marks if the value contains spaces, slashes, or colons. To find the existing attributes for the managed object, run the okv managed-object attribute list command.

You cannot specify attributes at the command line. If you want to use attributes, then you must use the JSON syntax.

Attributes that you can enter are as follows:

  • name includes the following:
    • value is the name value.
    • type is either text or uri.
  • contactInfo
  • The following date and time attributes:
    • activationDate
    • deactivationDate
    • protectStopDate
    • processStartDate

You can use different ways to set the date and time. Examples are as follows: 

"activationDate" : "now" --starts immediately
"activationDate" : "now+PT10M" --starts 10 minutes from now
"activationDate" : "2021-12-20 10:30:00" --starts at this date and time
"activationDate" : "2021-12-20 10:30:00+PT10M" --starts 10 minutes after this date and time

To display the time in UTC format, use the Linux date command. For example: 

$ date --utc "+%F %T"
2021-03-15 20:31:37

See Key Management Interoperability Protocol Specification Version 1.1 for details about these attributes.

JSON Example

  1. Generate JSON input for the okv managed-object secret register command. 
    okv managed-object secret register --generate-json-input

    The generated input appears as follows: 

    {
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "register",
    "options" : {
      "object" : "#VALUE",
      "type" : "#PASSWORD|SEED",
      "mask": [ "#ENCRYPT", "#DECRYPT", "#WRAP_KEY", "#UNWRAP_KEY", "#EXPORT", 
         "#DERIVE_KEY", "#GENERATE_CRYPTOGRAM", "#VALIDATE_CRYPTOGRAM", 
         "#TRANSLATE_ENCRY PT", "#TRANSLATE_DECRYPT", "#TRANSLATE_WRAP",
         "#TRANSLATE_UNWRAP" ],
      "wallet" : "#VALUE",
      "attributes" : {
        "name" : {
          "value" : "#VALUE",
          "type" : "#text|uri"
        },

        "contactInfo" : "#VALUE",
        "activationDate" : "#VALUE",
        "deactivationDate" : "#VALUE",
        "processStartDate" : "#VALUE",
        "protectStopDate" : "#VALUE"
      }
    }
  }
}
  2. Save the generated input to a file (for example, reg_secret.json) and then edit it to register the secret object. 
    {
  "service" : {
    "category" : "managed-object",
    "resource" : "secret",
    "action" : "register",
    "options" : {
      "object" : "./hr_db_connect_password.txt",
      "type" : "PASSWORD",
      "mask" : [ "DERIVE_KEY" ],
      "wallet" : "hr_wallet",
      "attributes" : {
        "name" : {
          "value" : "HR-DB-CONNECT-PASSWORD",
          "type" : "text"
        },
        "contactInfo" : "psmith@example.com"
        "activationDate" : "2020-12-31 09:00:00",
        "deactivationDate" : "2024-12-31 09:00:00",
        "processStartDate" : "2020-12-31 09:00:00",
        "protectStopDate" : "2024-12-31 09:00:00"
      }
    }
  }
}
  3. Run the okv managed-object secret register command using the generated JSON file. 
    okv managed-object secret register --from-json reg_secret.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "uuid": "0F54D31A-ABA0-4F15-BF67-1B7513DD8634"
  }
}

Related Topics

Parent topic: Security Object Commands

5.30 okv managed-object wallet add-member Command

The okv managed-object wallet add-member command adds a security object to a wallet as its member.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet add-member --uuid UUID --wallet wallet_name

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "add-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the managed object that is being added to the wallet.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

JSON Example

  1. Generate JSON input for the okv managed-object wallet add-member command. 
    okv managed-object wallet add-member --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "add-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, add_wallet_member.json) and then edit it to add the security object to the wallet.
    {
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "add-member",
    "options": {
      "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
      "wallet": "hr_wallet"
    }
  }
}
  3. Run the okv managed-object wallet add-member command using the generated JSON file. 
    okv managed-object wallet add-member --from-json add_wallet_member.json

    Output similar to the following appears: 

    {
  "result": "Success"
}

Parent topic: Security Object Commands

5.31 okv managed-object wallet delete-member Command

The okv managed-object wallet delete-member command deletes the membership of the managed-object from a wallet.

This command authenticates with the endpoint's client certificate.

Required Authorization

The endpoint must have read-modify permission on the object and manage-wallet access (MW) on the wallet.

Syntax

okv managed-object wallet delete-member --uuid UUID --wallet wallet_name

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "delete-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--uuid / uuid

Required

Universally unique ID (UUID) of the managed object in the wallet.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

JSON Example

  1. Generate JSON input for the okv managed-object wallet delete-member command. 
    okv managed-object wallet delete-member --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "delete-member",
    "options": {
      "uuid": "#VALUE",
      "wallet": "#VALUE"
    }
  }
}
  2. Save the generated input to a file (for example, delete_wallet_member.json) and then edit it to delete the security object from the wallet.
    {
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "delete-member",
    "options": {
      "uuid": "D69D2F32-2DBB-4FF3-BF52-95487526E6EC",
      "wallet": "hr_wallet"
    }
  }
}
  3. Run the okv managed-object wallet delete-member command using the generated JSON file. 
    okv managed-object wallet delete-member --from-json delete_wallet_member.json

    Output similar to the following appears: 

    {
  "result": "Success"
}

Parent topic: Security Object Commands

5.32 okv managed-object wallet list Command

The okv managed-object wallet list command lists wallets that have their access granted to the endpoint used to connect to Oracle Key Vault.

This command authenticates with the endpoint's client certificate.

Required Authorization

None, but this command returns only those wallets to which the current endpoint is granted access.

Syntax

JSON Input File Template

{
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "list"
  }
}
okv managed-object wallet list

Parameters

None

JSON Example

  1. Generate JSON input for the okv managed-object wallet list command. 
    okv managed-object wallet list --generate-json-input

    The generated input appears as follows: 

    {
  "service": {
    "category": "managed-object",
    "resource": "wallet",
    "action": "list"
  }
}
  2. Save the generated input to a file (for example, wallet_list.json).
  3. Run the okv managed-object wallet list command using the generated JSON file. 
    okv managed-object wallet list --from-json wallet_list.json

    Output similar to the following appears: 

    {
  "result": "Success",
  "value": {
    "wallets": [
      "HR_WALLET",
      "SALES_WALLET"
    ]
  }
}

Parent topic: Security Object Commands