4 Access Management Commands

You can use the access management commands to manage wallets and endpoint groups.

4.1 okv manage-access endpoint-group add-endpoint Command

The okv manage-access endpoint-group add-endpoint command adds an existing endpoint to an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group add-endpoint --endpoint-group endpoint_group_name --endpoint endpoint_member

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "add-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Name of the endpoint group.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

--endpoint / endpoint

Required

Name of the endpoint.

To find existing endpoints, run the okv admin endpoint list command.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group add-endpoint command.
    okv manage-access endpoint-group add-endpoint --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "add-endpoint",
        "options" : {
          "endpointGroup" : "#VALUE",
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, add_ep_to_group.json) and then edit it to add the endpoint to an endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "add-endpoint",
        "options" : {
          "endpointGroup" : "epg_hr",
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access endpoint-group add-endpoint command using the generated JSON file.
    okv manage-access endpoint-group add-endpoint --from-json add_ep_to_group.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.2 okv manage-access endpoint-group check-status Command

The okv manage-access endpoint-group check-status command checks the naming conflict resolution status of an endpoint group in a multi-master cluster.

This command is meant primarily for multi-master cluster environments. However, it is valid for other deployments and can be used to check the existence of an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group check-status --endpoint-group endpoint_group_name|--locator-id UUID

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "check-status",
    "options" : {
      "endpointGroup" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup or --locator-id / locatorID

Required

The name of the endpoint group or the locator ID (universally unique ID (UUID)) of the endpoint group that you want to check. The --locator-id / locatorID is required only if you are using a multi-master cluster environment.

You must specify either the --endpoint-group / endpointGroup value or the --locator-id / locatorID value, not both.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

To find the locator ID, check the output from the okv manage-access endpoint-group create command that was used to create this endpoint group.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group check-status command.
    okv manage-access endpoint-group check-status --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "check-status",
        "options" : {
          "endpointGroup" : "#VALUE",
          "locatorID" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, check-status_epg.json) and then edit it so that you can check the endpoint group's status. Specify either the endpointGroup value or the locatorID value, but not both.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "check-status",
        "options" : {
          "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
        }
      }
    }
  3. Run the okv manage-access endpoint-group check-status command using the generated JSON file.
    okv manage-access endpoint-group check-status --from-json check-status_epg.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "status" : "ACTIVE",
        "endpointGroup" : "EPG_HR"
      }
    }

    Output includes the name of the endpoint group if the endpoint group object is in the ACTIVE state. The endpoint group name shown here may be different from what was specified at endpoint group creation time. If endpoint groups with the same name are created on multiple cluster nodes, then Oracle Key Vault performs naming conflict resolution and renames all but one of the endpoint groups by appending _OKVnode-id to the endpoint group name. For example, if you named the endpoint group EPG_HR, and there is a naming conflict, then the name could be EPG_HR_OKV01.

    On deployments other than a multi-master cluster, this command returns Success if the endpoint group exists, and the output does not include entries showing the endpoint group name and its state.

4.3 okv manage-access endpoint-group create Command

The okv manage-access endpoint-group create command creates a new endpoint group.

Required Authorization

Key Administrator role or Create Endpoint Group system privilege

Syntax

okv manage-access endpoint-group create --endpoint-group endpoint_group_name --description "endpoint group description" --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "create",
    "options" : {
      "endpointGroup" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Name of the endpoint group. See Naming Guidelines for Objects.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

--description / description

Optional

A user-friendly description of the endpoint group enclosed within double quotation marks

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the endpoint group as a unique endpoint group. In a multi-master cluster, it is possible that an endpoint group with the same name could be created from two different nodes. If that happens, then the endpoint group names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint group with the given name and rename other endpoint groups with the conflicting names to a name using this format: given_epg_name_OKVnode_id.

Valid settings are as follows:

  • TRUE appends _OKVnode_id to the given name and thus prevents a conflict for this endpoint group name. The endpoint group is immediately usable.
  • FALSE (default) causes Oracle Key Vault to begin a checking process to determine whether the endpoint group name is unique. A unique ID is returned. You can use this ID to check the status of the endpoint group creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then the endpoint group is not yet usable, so any actions performed on it will fail. If the status is ACTIVE, then the endpoint group is usable. To check the status, run the okv manage-access endpoint-group check-status command. If the name that you provided is already used in another node, then the name for this endpoint group will have _OKVxx appended to it. For example, if you named the endpoint group epg12, and there is a naming conflict, the name could be EPG12_OKV01.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group create command.
    okv manage-access endpoint-group create --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "create",
        "options" : {
          "endpointGroup" : "#VALUE",
          "description" : "#VALUE",
          "unique" : "#TRUE|FALSE"
        }
      }
    }
  2. Save the generated input to a file (for example, create_epg.json) and then edit it so that you can create the endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "create",
        "options" : {
          "endpointGroup" : "epg_hr",
          "description" : "HR endpoint group",
          "unique" : "FALSE"
        }
      }
    }
  3. Run the okv manage-access endpoint-group create command using the generated JSON file.
    okv manage-access endpoint-group create --from-json create_epg.json

    Output for a multi-master cluster environment appears similar to the following:

    {
      "result" : "Success",
      "value" : {
        "status" : "PENDING",
        "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
      }
    }

    You can use the locatorID from this output with the okv manage-access endpoint-group check-status command to display the current state of the endpoint group object. If the object status is ACTIVE, then this command also displays the object name after the conflict-name resolution.
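The create, check-status and add-endpoint sequence described above, as an added Python example (not Oracle's code). It waits for ACTIVE and then uses the name returned by check-status, so members are not added under a name that conflict resolution has changed. The function names are hypothetical, okv is assumed to be on PATH and already configured to authenticate, and the PENDING check-status response in the stand-in is constructed.

```python
import json
import os
import subprocess
import tempfile
import time

# Locator ID copied from the page's sample output; used only by the stand-in.
SAMPLE_LOCATOR = "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"


def run_okv(action, options, resource="endpoint-group"):
    """Write a JSON input file in the template's shape and run okv --from-json.

    Assumption: okv is on PATH and already set up to authenticate.
    """
    request = {"service": {"category": "manage-access", "resource": resource,
                           "action": action, "options": options}}
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(request, fh)
        done = subprocess.run(
            ["okv", "manage-access", resource, action, "--from-json", path],
            capture_output=True, text=True, check=False)
        return json.loads(done.stdout)  # raises if okv printed no JSON
    finally:
        os.unlink(path)


def create_and_wait(name, description, run=run_okv, attempts=12, delay=5.0,
                    sleep=time.sleep):
    """Create a group with unique=FALSE and return the name it is usable under."""
    created = run("create", {"endpointGroup": name, "description": description,
                             "unique": "FALSE"})
    if created.get("result") != "Success":
        raise RuntimeError(f"create failed: {created}")
    locator = (created.get("value") or {}).get("locatorID")
    if locator is None:
        # Assumption: no locatorID means no conflict resolution is running
        # (not a multi-master cluster), so the given name is final.
        return name
    for _ in range(attempts):
        checked = run("check-status", {"locatorID": locator})
        value = checked.get("value") or {}
        if checked.get("result") == "Success" and value.get("status") == "ACTIVE":
            # The resolved name may carry an _OKVxx suffix; use it from here on.
            return value["endpointGroup"]
        sleep(delay)  # still PENDING: actions on the group would fail
    raise TimeoutError(f"endpoint group {name!r} ({locator}) never became ACTIVE")


def provision(name, description, endpoints, run=run_okv, **wait_opts):
    """Create the group, wait for ACTIVE, then add members under the resolved name."""
    resolved = create_and_wait(name, description, run=run, **wait_opts)
    for endpoint in endpoints:
        added = run("add-endpoint",
                    {"endpointGroup": resolved, "endpoint": endpoint})
        if added.get("result") != "Success":
            raise RuntimeError(f"add-endpoint {endpoint!r} failed: {added}")
    return resolved


def constructed_cluster(pending_polls=2):
    """Constructed stand-in for okv on a cluster node that lost a name conflict."""
    calls = []

    def run(action, options, resource="endpoint-group"):
        calls.append((action, dict(options)))
        if action == "create":
            return {"result": "Success",
                    "value": {"status": "PENDING", "locatorID": SAMPLE_LOCATOR}}
        if action == "check-status":
            polls = sum(1 for done, _ in calls if done == "check-status")
            if polls <= pending_polls:
                return {"result": "Success", "value": {"status": "PENDING"}}
            return {"result": "Success",
                    "value": {"status": "ACTIVE", "endpointGroup": "EPG_HR_OKV01"}}
        return {"result": "Success"}

    return run, calls


if __name__ == "__main__":
    fake_run, log = constructed_cluster()
    print(provision("epg_hr", "HR endpoint group", ["hr_db_ep"],
                    run=fake_run, sleep=lambda seconds: None))
    print(log[-1])
```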

4.4 okv manage-access endpoint-group delete Command

The okv manage-access endpoint-group delete command deletes an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group delete --endpoint-group endpoint_group_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "delete",
    "options" : {
      "endpointGroup" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Name of the endpoint group.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group delete command.
    okv manage-access endpoint-group delete --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "delete",
        "options" : {
          "endpointGroup" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, delete_epg.json) and then edit it so that you can delete the endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "delete",
        "options" : {
          "endpointGroup" : "epg_hr"
        }
      }
    }
  3. Run the okv manage-access endpoint-group delete command using the generated JSON file.
    okv manage-access endpoint-group delete --from-json delete_epg.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.5 okv manage-access endpoint-group get Command

The okv manage-access endpoint-group get command retrieves detailed information about an endpoint group, such as its member endpoints and wallet access.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group get --endpoint-group endpoint_group_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "get",
    "options" : {
      "endpointGroup" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Name of the endpoint group.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group get command.
    okv manage-access endpoint-group get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "get",
        "options" : {
          "endpointGroup" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_ep_group.json) and then edit it to specify the endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "get",
        "options" : {
          "endpointGroup" : "hr_ep_grp"
        }
      }
    }
  3. Run the okv manage-access endpoint-group get command using the generated JSON file.
    okv manage-access endpoint-group get --from-json get_ep_group.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "createdBy" : "OKVADMIN",
        "creationTime" : "2021-07-14 13:09:14",
        "description" : "",
        "endpointGroup" : "HR_EP_GRP",
        "endpointGroupMembers" : [ {
          "description" : "",
          "endpoint" : "HR_DB_EP_1"
        }, {
          "description" : "",
          "endpoint" : "HR_DB_EP_2"
        } ],
        "walletAccess" : [ {
          "access" : "RO_MW",
          "wallet" : "HR_WALLET"
        } ]
      }
    }
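An access review built on the output above, as an added Python example (not Oracle's code): it expands the group's walletAccess entries to every member endpoint, since members receive the access granted to their group, and flags grants that include modify or manage-wallet rights. The access codes are those listed for okv manage-access wallet add-access; the function names are hypothetical.

```python
import json

# Access codes as listed for okv manage-access wallet add-access.
ACCESS_LEVELS = {
    "RO": {"modify": False, "manage_wallet": False},
    "RM": {"modify": True, "manage_wallet": False},
    "RO_MW": {"modify": False, "manage_wallet": True},
    "RM_MW": {"modify": True, "manage_wallet": True},
}

# The sample output shown above for okv manage-access endpoint-group get.
SAMPLE_GET_OUTPUT = """
{
  "result" : "Success",
  "value" : {
    "createdBy" : "OKVADMIN",
    "creationTime" : "2021-07-14 13:09:14",
    "description" : "",
    "endpointGroup" : "HR_EP_GRP",
    "endpointGroupMembers" : [
      { "description" : "", "endpoint" : "HR_DB_EP_1" },
      { "description" : "", "endpoint" : "HR_DB_EP_2" }
    ],
    "walletAccess" : [ { "access" : "RO_MW", "wallet" : "HR_WALLET" } ]
  }
}
"""


def effective_access(get_output):
    """Return one row per (member endpoint, wallet) granted through the group."""
    if get_output.get("result") != "Success":
        raise ValueError(f"not a successful get response: {get_output.get('result')!r}")
    value = get_output["value"]
    rows = []
    for member in value.get("endpointGroupMembers", []):
        for grant in value.get("walletAccess", []):
            code = grant["access"]
            if code not in ACCESS_LEVELS:
                raise ValueError(f"unknown access code {code!r}")
            rows.append({
                "endpoint": member["endpoint"],
                "via_group": value["endpointGroup"],
                "wallet": grant["wallet"],
                "access": code,
                **ACCESS_LEVELS[code],
            })
    return rows


def elevated(rows):
    """Rows whose access goes beyond read-only (modify or manage-wallet)."""
    return [row for row in rows if row["modify"] or row["manage_wallet"]]


if __name__ == "__main__":
    for row in elevated(effective_access(json.loads(SAMPLE_GET_OUTPUT))):
        print(f'{row["endpoint"]} has {row["access"]} on {row["wallet"]} '
              f'via {row["via_group"]}')
```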

4.6 okv manage-access endpoint-group list Command

The okv manage-access endpoint-group list command retrieves a list of endpoint groups and their associated information.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group list --limit number_of_endpoints

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "list",
    "options" : {
      "limit" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--limit / limit

Optional

Number of endpoint groups to list.

Enter any whole number, 1 or higher. If you specify a limit, then Oracle Key Vault fetches objects up to that limit. If you omit this parameter, then Oracle Key Vault fetches up to 10,000 objects. If you specify a value that is greater than 10,000, then Oracle Key Vault will attempt to fetch that value, depending on the server, client, and network resources. In the output that you retrieve, the fetchedObjectCount value lists the actual number of objects that are fetched. For example, if you specify 100 as the limit but there are only 50 objects fetched, then Oracle Key Vault sets fetchedObjectCount to 50. If fetchedObjectCount is less than the specified limit, then you have retrieved all the available objects. For another example, if the limit is 100 and fetchedObjectCount is 100, then this means that there are more objects. To fetch all objects, run this command again with an increased value for the --limit parameter.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group list command.
    okv manage-access endpoint-group list --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "list",
        "options" : {
          "limit" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, list_ep_groups.json) and then edit it to specify the number of records for the output.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "list",
        "options" : {
          "limit" : "3"
        }
      }
    }
  3. Run the okv manage-access endpoint-group list command using the generated JSON file.
    okv manage-access endpoint-group list --from-json list_ep_groups.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "endpointGroups" : [ {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-07-14 13:09:14",
          "description" : "",
          "endpointGroup" : "EPG_HR"
        }, {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-07-16 19:29:03",
          "description" : "",
          "endpointGroup" : "SALES_DB_EPG"
        }, {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-07-16 19:29:17",
          "description" : "",
          "endpointGroup" : "ORDERS_DB_EPG"
        } ]
      }
    }

4.7 okv manage-access endpoint-group remove-endpoint Command

The okv manage-access endpoint-group remove-endpoint command removes an endpoint from an endpoint group.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group remove-endpoint --endpoint-group endpoint_group_name --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "remove-endpoint",
    "options" : {
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Name of the endpoint group from which you want to remove the endpoint.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

--endpoint / endpoint

Required

Name of the endpoint that is associated with the endpoint group.

To find existing endpoints, run the okv admin endpoint list command.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group remove-endpoint command.
    okv manage-access endpoint-group remove-endpoint --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "remove-endpoint",
        "options" : {
          "endpointGroup" : "#VALUE",
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, remove_ep_from_epg.json) and then edit it to remove the endpoint from the endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "remove-endpoint",
        "options" : {
          "endpointGroup" : "epg_hr",
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access endpoint-group remove-endpoint command using the generated JSON file.
    okv manage-access endpoint-group remove-endpoint --from-json remove_ep_from_epg.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.8 okv manage-access endpoint-group update Command

The okv manage-access endpoint-group update command changes the name and description of an endpoint group, and can be used to ensure that the endpoint group name is unique.

Required Authorization

Key Administrator role or the Manage Endpoint Group object privilege for the endpoint group

Syntax

okv manage-access endpoint-group update --endpoint-group endpoint_group_name --description "description" --name new_endpoint_group_name --unique TRUE|FALSE 

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "endpoint-group",
    "action" : "update",
    "options" : {
      "endpointGroup" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint-group / endpointGroup

Required

Current name of the endpoint group.

To find existing endpoint groups, run the okv manage-access endpoint-group list command.

--description / description

Optional

A user-friendly description of the endpoint group enclosed within double quotation marks

--name / name

Optional

New endpoint group name. See Naming Guidelines for Objects.

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the endpoint group as a unique endpoint group. In a multi-master cluster, it is possible that an endpoint group with the same name could be created from two different nodes. If that happens, then the endpoint group names may conflict. The Oracle Key Vault conflict resolution scheme will keep one endpoint group with the given name and rename other endpoint groups with the conflicting names to a name using this format: given_epg_name_OKVnode_id.

Valid settings are as follows:

  • TRUE appends _OKVnode_id to the given name and thus prevents a conflict for this endpoint group name. The endpoint group is immediately usable.
  • FALSE (default) causes Oracle Key Vault to begin a checking process to determine whether the endpoint group name is unique. A unique ID is returned. You can use this ID to check the status of the endpoint group creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then the endpoint group is not yet usable, so any actions performed on it will fail. If the status is ACTIVE, then the endpoint group is usable. To check the status, run the okv manage-access endpoint-group check-status command. If the name that you provided is already used in another node, then the name for this endpoint group will have _OKVxx appended to it. For example, if you named the endpoint group epg12, and there is a naming conflict, the name could be EPG12_OKV01.

JSON Example

  1. Generate JSON input for the okv manage-access endpoint-group update command.
    okv manage-access endpoint-group update --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "update",
        "options" : {
          "endpointGroup" : "#VALUE",
          "name" : "#VALUE",
          "description" : "#VALUE",
          "unique" : "#TRUE|FALSE"
        }
      }
    }
  2. Save the generated input to a file (for example, epg_update.json) and then edit it so that you can update the endpoint group.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "endpoint-group",
        "action" : "update",
        "options" : {
          "endpointGroup" : "epg_hr",
          "name" : "epg_hr_global",
          "description" : "Global HR Endpoint Group",
          "unique" : "FALSE"
        }
      }
    }
  3. Run the okv manage-access endpoint-group update command using the generated JSON file.
    okv manage-access endpoint-group update --from-json epg_update.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "status" : "PENDING",
        "locatorID" : "67E0906F-95EE-4A95-A496-D7DAEA5EDC5F"
      }
    }

    This example shows the output for renaming an endpoint group in a multi-master cluster. On renaming, an endpoint group is placed into the PENDING state for the duration of the naming conflict resolution.

    You can use the locatorID from this output with the okv manage-access endpoint-group check-status command to display the current state of the endpoint group object. If the object status is ACTIVE, then this command also displays the object name after the conflict-name resolution.

    Unless you renamed the endpoint group in a multi-master cluster, the status and locatorID entries are not included in the output.

4.9 okv manage-access wallet add-access Command

The okv manage-access wallet add-access command grants an endpoint or an endpoint group a level of access to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet add-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name --access RO|RM|RO_MW|RM_MW

JSON Input File Template

{
  "service": {
    "category": "manage-access",
    "resource": "wallet",
    "action": "add-access",
    "options": {
      "wallet": "#VALUE",
      "endpointGroup": "#VALUE",
      "endpoint": "#VALUE",
      "access": "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--endpoint / endpoint

or

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group. You can only specify either an endpoint or an endpoint group, but not both.

To find registered endpoints, run the okv admin endpoint list command. To find endpoint groups, run okv manage-access endpoint-group list.

--access / access

Required

Enter one of the following values:

  • RO for read-only access
  • RM for read-and-modify access
  • RO_MW for read-only and manage-wallet access
  • RM_MW for read-and-modify and manage-wallet access

JSON Example

  1. Generate JSON input for the okv manage-access wallet add-access command.
    okv manage-access wallet add-access --generate-json-input

    The generated input appears as follows. This output includes wallet access settings for both endpoints and endpoint groups. When you edit it, you must include either the endpoint settings or the endpoint group settings, but not both.

    {
      "service": {
        "category": "manage-access",
        "resource": "wallet",
        "action": "add-access",
        "options": {
          "wallet": "#VALUE",
          "endpointGroup": "#VALUE",
          "endpoint": "#VALUE",
          "access": "#RO|RM|RO_MW|RM_MW"
        }
      }
    }
  2. Save the generated input to a file (for example, add_access_wallet.json) and then edit it so that you can add wallet access to the endpoint or endpoint group. The following example is for the wallet access to an endpoint only.
    {
      "service": {
        "category": "manage-access",
        "resource": "wallet",
        "action": "add-access",
        "options": {
          "wallet": "hr_wallet",
          "endpoint": "hr_db_ep",
          "access": "RO"
        }
      }
    }
  3. Run the okv manage-access wallet add-access command using the generated JSON file.
    okv manage-access wallet add-access --from-json add_access_wallet.json

    Output similar to the following appears:

    {
      "result": "Success"
    }

4.10 okv manage-access wallet add-object Command

The okv manage-access wallet add-object command adds a security object to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role, or read-modify permission on the object and manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet add-object --wallet wallet_name --uuid uuid

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "add-object",
    "options" : {
      "wallet" : "#VALUE",
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv manage-access wallet add-object command.
    okv manage-access wallet add-object --generate-json-input

    The generated input appears as follows.

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "add-object",
        "options" : {
          "wallet" : "#VALUE",
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, add_obj_wallet.json) and then edit it to specify the object to add to the wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "add-object",
        "options" : {
          "wallet" : "hr_wallet",
          "uuid" : "7432AED6-6628-4F43-BF7C-9D30023A4301"
        }
      }
    }
  3. Run the okv manage-access wallet add-object command using the generated JSON file.
    okv manage-access wallet add-object --from-json add_obj_wallet.json

    Output similar to the following appears:

    {
      "result": "Success"
    }

4.11 okv manage-access wallet check-status Command

The okv manage-access wallet check-status command checks the naming conflict resolution status of a wallet in a multi-master cluster.

This command is meant primarily for multi-master cluster environments. However, it is valid for other deployments and can be used to check the existence of a wallet.

This command uses a user name and password for the authentication.

Required Authorization

None, but the user only gets the status for the wallets to which he or she has access.

Syntax

okv manage-access wallet check-status --wallet wallet_name|--locator-id UUID

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "check-status",
    "options" : {
      "wallet" : "#VALUE",
      "locatorID" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet or --locator-id / locatorID

Optional

The name of the wallet or the locator ID (universally unique ID (UUID)) of the wallet that you want to check. The --locator-id / locatorID is required only if you are using a multi-master cluster environment.

You must specify either the --wallet / wallet value or the --locator-id / locatorID value, not both.

To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

To find the locator ID, check the output of the okv manage-access wallet create command that was used to create this wallet.

JSON Example

  1. Generate JSON input for the okv manage-access wallet check-status command.
    okv manage-access wallet check-status --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "check-status",
        "options" : {
          "wallet" : "#VALUE",
          "locatorID" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, check_wallet.json) and then edit it so that you can check the status of the wallet. Specify either the wallet value or the locatorID value, but not both.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "check-status",
        "options" : {
          "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
        }
      }
    }
  3. Run the okv manage-access wallet check-status command using the generated JSON file.
    okv manage-access wallet check-status --from-json check_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "status" : "ACTIVE",
        "wallet" : "hr_wallet"
      }
    }

    The output includes the name of the wallet if the wallet object is in the ACTIVE state. The wallet name shown here may be different from the name that was specified when the wallet was created. If wallets with the same name are created on multiple cluster nodes, Oracle Key Vault performs naming conflict resolution and renames all but one of the wallets by appending _OKVnode-id to the wallet name. For example, if you named the wallet HR_WALLET, and there is a naming conflict, the name could be HR_WALLET_OKV01.

    On deployments other than a multi-master cluster, this command returns Success if the wallet exists, and the output does not include the entries that show the wallet name and its state.

4.12 okv manage-access wallet create Command

The okv manage-access wallet create command creates a wallet.

This command uses a user name and password for the authentication.

Required Authorization

None

Syntax

okv manage-access wallet create --wallet wallet_name --description "wallet_description" --unique TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "create",
    "options" : {
      "wallet" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

Ensure that you follow the naming guidelines for objects.

--description / description

Optional

A user-friendly description for the wallet, enclosed within double quotation marks.

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the wallet as a unique wallet. In a multi-master cluster, it is possible that a wallet with the same name could be created from two different nodes. If that happens, then the wallet names may conflict. The Oracle Key Vault conflict resolution scheme will keep one wallet with the given name and rename other wallets with the conflicting names to a name using this format: given_wallet_name_OKVnode_id.

Valid settings are as follows:

  • TRUE appends _OKVnode_id to the given name and thus prevents the conflict for this wallet name. The wallet is immediately usable.
  • FALSE causes Oracle Key Vault to begin a checking process to find if the wallet name is unique. A unique ID is returned. You can use this ID to check the status of the wallet creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then it is not yet usable, so any actions performed on the wallet will fail. If the status is ACTIVE, then confirm the name of the wallet after Oracle Key Vault performs name resolution for this name by executing the okv manage-access wallet check-status command. If the name that you provided is already used in another node, then the name for this wallet will have _OKVxx appended to it. For example, if you named the wallet wallet12, and there is a naming conflict, the name could be WALLET12_OKV01. If the name that you provided has no naming conflicts, then it will be accepted as the wallet name without any changes.

JSON Example

  1. Generate JSON input for the okv manage-access wallet create command.
    okv manage-access wallet create --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "create",
        "options" : {
          "wallet" : "#VALUE",
          "description" : "#VALUE",
          "unique" : "#TRUE|FALSE"
        }
      }
    }
  2. Save the generated input to a file (for example, create_wallet.json) and then edit it so that you can create the wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "create",
        "options" : {
          "wallet" : "hr_wallet",
          "description" : "wallet for HR endpoint",
          "unique" : "FALSE"
        }
      }
    }
  3. Run the okv manage-access wallet create command using the generated JSON file.
    okv manage-access wallet create --from-json create_wallet.json

    Output for a multi-master cluster environment appears similar to the following:

    {
      "result" : "Success",
      "value" : {
        "status" : "PENDING",
        "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
      }
    }

    You can use the locatorID from this output with the okv manage-access wallet check-status command to display the current state of the wallet object. If the object status is ACTIVE, then this command also displays the object name after the conflict-name resolution.
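The create and check-status steps above combine into one polling routine. The following Python sketch is an added example, not part of the Oracle documentation: it builds the check-status input, waits while the wallet is PENDING, and reports the name that Oracle Key Vault settled on. The function names, retry settings, and the constructed replies in the demo are assumptions, as is comparing names without regard to case.

```python
import json
import os
import subprocess
import tempfile
import time


def check_status_request(wallet=None, locator_id=None):
    """Build check-status input: a wallet name or a locator ID, never both."""
    if (wallet is None) == (locator_id is None):
        raise ValueError("specify exactly one of wallet or locator_id")
    options = {"wallet": wallet} if wallet is not None else {"locatorID": locator_id}
    return {"service": {"category": "manage-access", "resource": "wallet",
                        "action": "check-status", "options": options}}


def run_okv(request):
    """Run okv with --from-json and parse the reply.

    Assumptions: okv is on PATH, is configured to run without prompting,
    and prints only the JSON document on standard output.
    """
    service = request["service"]
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as handle:
            json.dump(request, handle)
        done = subprocess.run(
            ["okv", service["category"], service["resource"], service["action"],
             "--from-json", path],
            capture_output=True, text=True, check=True)
        return json.loads(done.stdout)
    finally:
        os.unlink(path)


def wait_for_wallet(requested_name, locator_id=None, run=run_okv,
                    attempts=10, delay=5.0, sleep=time.sleep):
    """Poll check-status until the wallet is usable.

    Returns (final_name, was_renamed). Pass the locatorID returned by
    wallet create on a multi-master cluster; otherwise the name is used.
    """
    if locator_id is not None:
        request = check_status_request(locator_id=locator_id)
    else:
        request = check_status_request(wallet=requested_name)
    for attempt in range(attempts):
        reply = run(request)
        if reply.get("result") != "Success":
            raise RuntimeError(f"check-status failed: {reply}")
        value = reply.get("value") or {}
        status = value.get("status")
        if status is None:
            # Not a multi-master cluster: Success alone means the wallet exists.
            return requested_name, False
        if status == "ACTIVE":
            final_name = value["wallet"]
            # Assumption: names are compared without regard to case.
            return final_name, final_name.upper() != requested_name.upper()
        if status != "PENDING":
            raise RuntimeError(f"unexpected wallet status: {status}")
        if attempt + 1 < attempts:
            sleep(delay)  # a PENDING wallet is not usable yet
    raise TimeoutError(f"wallet still PENDING after {attempts} checks")


if __name__ == "__main__":
    # Constructed replies standing in for a cluster that renames the wallet.
    replies = iter([
        {"result": "Success", "value": {"status": "PENDING"}},
        {"result": "Success",
         "value": {"status": "ACTIVE", "wallet": "HR_WALLET_OKV01"}},
    ])
    name, renamed = wait_for_wallet(
        "hr_wallet", "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A",
        run=lambda request: next(replies), sleep=lambda seconds: None)
    print(name, "(renamed)" if renamed else "(name kept)")
```

Scripts that go on to grant access or set a default wallet should use the returned name rather than the requested one.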

4.13 okv manage-access wallet delete Command

The okv manage-access wallet delete command deletes a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet delete --wallet wallet_name 

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "delete",
    "options" : {
      "wallet" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

JSON Example

  1. Generate JSON input for the okv manage-access wallet delete command.
    okv manage-access wallet delete --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "delete",
        "options" : {
          "wallet" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, del_wallet.json) and then edit it to specify the wallet to delete from Oracle Key Vault.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "delete",
        "options" : {
          "wallet" : "hr_wallet"
        }
      }
    }
  3. Run the okv manage-access wallet delete command using the generated JSON file.
    okv manage-access wallet delete --from-json del_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.14 okv manage-access wallet get Command

The okv manage-access wallet get command retrieves information about a specified wallet, such as the default wallet name and the wallet access.

This command uses a user name and password for the authentication.

Required Authorization

None

Syntax

okv manage-access wallet get --wallet wallet_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "get",
    "options" : {
      "wallet" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

JSON Example

  1. Generate JSON input for the okv manage-access wallet get command.
    okv manage-access wallet get --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "get",
        "options" : {
          "wallet" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_wallet.json) and then edit it to specify the name of the wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "get",
        "options" : {
          "wallet" : "hr_wallet"
        }
      }
    }
  3. Run the okv manage-access wallet get command using the generated JSON file.
    okv manage-access wallet get --from-json get_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "createdBy" : "OKVADMIN",
        "creationTime" : "2021-07-30 19:40:59",
        "description" : "",
        "wallet" : "HR_WALLET",
        "walletAccess" : {
          "endpointAccess" : [ {
            "access" : "RO_MW",
            "defaultWallet" : "",
            "subjectName" : "HR_DB_EP1",
            "type" : "Direct"
          }, {
            "access" : "RO",
            "defaultWallet" : "TRUE",
            "subjectName" : "HR_DB_EP2",
            "type" : "Direct"
          } ],
          "endpointGroupAccess" : [ {
            "access" : "RO_MW",
            "subjectName" : "HR_DB_EPG"
          } ],
          "userAccess" : [ {
            "access" : "RO",
            "subjectName" : "Paul Hill"
          } ],
          "userGroupAccess" : [ {
            "access" : "RO",
            "subjectName" : "HR_GROUP_1"
          } ]
        }
      }
    }
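The walletAccess section of this output is the input for an access review. The following Python sketch is an added example, not part of the Oracle documentation: it flattens the four access lists into rows and reports subjects that hold manage-wallet (MW) access without being on an approved list. The function names and the approved list are assumptions; the sample reply is the output shown above, condensed.

```python
import json

# The sample output of "okv manage-access wallet get" shown above, condensed.
SAMPLE_REPLY = json.loads("""
{"result": "Success", "value": {
  "createdBy": "OKVADMIN", "creationTime": "2021-07-30 19:40:59",
  "description": "", "wallet": "HR_WALLET",
  "walletAccess": {
    "endpointAccess": [
      {"access": "RO_MW", "defaultWallet": "", "subjectName": "HR_DB_EP1",
       "type": "Direct"},
      {"access": "RO", "defaultWallet": "TRUE", "subjectName": "HR_DB_EP2",
       "type": "Direct"}],
    "endpointGroupAccess": [{"access": "RO_MW", "subjectName": "HR_DB_EPG"}],
    "userAccess": [{"access": "RO", "subjectName": "Paul Hill"}],
    "userGroupAccess": [{"access": "RO", "subjectName": "HR_GROUP_1"}]}}}
""")

# Output list name -> kind of subject it holds.
KINDS = {
    "endpointAccess": "endpoint",
    "endpointGroupAccess": "endpoint group",
    "userAccess": "user",
    "userGroupAccess": "user group",
}

# Access code -> (can modify objects, can manage the wallet).
LEVELS = {
    "RO": (False, False),
    "RM": (True, False),
    "RO_MW": (False, True),
    "RM_MW": (True, True),
}


def access_rows(reply):
    """Flatten walletAccess into one row per subject."""
    if reply.get("result") != "Success":
        raise RuntimeError(f"wallet get failed: {reply}")
    wallet_access = reply["value"].get("walletAccess", {})
    rows = []
    for key, kind in KINDS.items():
        for entry in wallet_access.get(key, []):
            code = entry["access"]
            if code not in LEVELS:
                # Fail closed: an unknown code must not pass as harmless.
                raise ValueError(f"unknown access code {code!r}")
            modify, manage = LEVELS[code]
            rows.append({
                "kind": kind,
                "subject": entry["subjectName"],
                "access": code,
                "modify": modify,
                "manage_wallet": manage,
                # Only endpoint entries carry defaultWallet in the sample.
                "default_wallet": entry.get("defaultWallet") == "TRUE",
            })
    return rows


def unexpected_managers(reply, approved):
    """Return (kind, subject) pairs that hold MW access but are not approved."""
    return sorted(
        (row["kind"], row["subject"])
        for row in access_rows(reply)
        if row["manage_wallet"] and (row["kind"], row["subject"]) not in approved
    )


if __name__ == "__main__":
    # Hypothetical policy: only the endpoint group may manage this wallet.
    approved = {("endpoint group", "HR_DB_EPG")}
    for kind, subject in unexpected_managers(SAMPLE_REPLY, approved):
        print(f"{kind} {subject} holds manage-wallet access on HR_WALLET")
```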

4.15 okv manage-access wallet get-default Command

The okv manage-access wallet get-default command gets the default wallet that has been associated with an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

None, but the default wallet information for the endpoint is returned if the user has some level of access on that wallet.

Syntax

okv manage-access wallet get-default --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "get-default",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint / endpoint

Required

Name of the endpoint.

To find existing endpoints, run the okv admin endpoint list command.

JSON Example

  1. Generate JSON input for the okv manage-access wallet get-default command.
    okv manage-access wallet get-default --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "get-default",
        "options" : {
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, get_def_wallet.json) and then edit it to retrieve the default wallet that is associated with the specified endpoint.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "get-default",
        "options" : {
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access wallet get-default command using the generated JSON file.
    okv manage-access wallet get-default --from-json get_def_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "defaultWallet" : "HR_WALLET"
      }
    }

4.16 okv manage-access wallet list Command

The okv manage-access wallet list command lists wallets on which some level of access is granted to the user.

Required Authorization

None

Syntax

okv manage-access wallet list --limit number_of_wallets

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list",
    "options" : {
      "limit" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--limit / limit

Optional

Number of wallets to list.

Enter any whole number that is 1 or higher. If you specify the limit, then Oracle Key Vault fetches objects up to that limit. If you omit this parameter, then Oracle Key Vault fetches up to 10,000 objects. If you specify a value that is greater than 10,000, then Oracle Key Vault attempts to fetch that number of objects, depending on the server, client, and network resources. In the output, the fetchedObjectCount value gives the actual number of objects that were fetched. For example, if you specify 100 as the limit but only 50 objects are fetched, then Oracle Key Vault sets fetchedObjectCount to 50. If fetchedObjectCount is less than the specified limit, then you have retrieved all the available objects. If the limit is 100 and fetchedObjectCount is also 100, then this means that there are more objects; to fetch all objects, run this command again with an increased value for the --limit parameter.

JSON Example

  1. Generate JSON input for the okv manage-access wallet list command.
    okv manage-access wallet list --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list",
        "options" : {
          "limit" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, list_wallets.json) and then edit it to specify the number of records.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list",
        "options" : {
          "limit" : "3"
        }
      }
    }
  3. Run the okv manage-access wallet list command using the generated JSON file.
    okv manage-access wallet list --from-json list_wallets.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "fetchedObjectCount" : "3",
        "wallets" : [ {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-07-13 15:22:02",
          "description" : "",
          "wallet" : "HR_WALLET"
        }, {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-07-30 19:40:59",
          "description" : "",
          "wallet" : "sales_wallet"
        }, {
          "createdBy" : "OKVADMIN",
          "creationTime" : "2021-09-13 04:55:06",
          "description" : "",
          "wallet" : "ORDERS_WALLET"
        } ]
      }
    }

4.17 okv manage-access wallet list-objects Command

The okv manage-access wallet list-objects command retrieves the security objects that are members of the specified wallet.

Required Authorization

The user must have some level of access on the wallet.

Syntax

okv manage-access wallet list-objects --wallet wallet_name --limit number_of_objects --exclude-wallet-membership TRUE|FALSE

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-objects",
    "options" : {
      "wallet" : "#VALUE",
      "limit" : "#VALUE",
      "excludeWalletMembership" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--limit / limit

Optional

Number of objects to list for the specified wallet.

Enter any whole number that is 1 or higher. If you specify the limit, then Oracle Key Vault fetches objects up to that limit. If you omit this parameter, then Oracle Key Vault fetches up to 10,000 objects. If you specify a value that is greater than 10,000, then Oracle Key Vault attempts to fetch that number of objects, depending on the server, client, and network resources. In the output, the fetchedObjectCount value gives the actual number of objects that were fetched. For example, if you specify 100 as the limit but only 50 objects are fetched, then Oracle Key Vault sets fetchedObjectCount to 50. If fetchedObjectCount is less than the specified limit, then you have retrieved all the available objects. If the limit is 100 and fetchedObjectCount is also 100, then this means that there are more objects; to fetch all objects, run this command again with an increased value for the --limit parameter.

--exclude-wallet-membership / excludeWalletMembership

Optional

Controls whether wallet membership information for each object is included in the output.

  • TRUE excludes the wallet membership information for each object. Excluding the wallet membership information may improve the performance of this command if the wallet has a large number of objects.
  • FALSE (default) includes the wallet membership information for each object.

JSON Example

  1. Generate JSON input for the okv manage-access wallet list-objects command.
    okv manage-access wallet list-objects --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list-objects",
        "options" : {
          "wallet" : "#VALUE",
          "limit" : "#VALUE",
          "excludeWalletMembership" : "#TRUE|FALSE"
        }
      }
    }
  2. Save the generated input to a file (for example, list_wallet_obj.json) and then edit it to specify a number of objects for the wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list-objects",
        "options" : {
          "wallet" : "hr_wallet",
          "limit" : "2",
          "excludeWalletMembership" : "FALSE"
        }
      }
    }
  3. Run the okv manage-access wallet list-objects command using the generated JSON file.
    okv manage-access wallet list-objects --from-json list_wallet_obj.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "fetchedObjectCount" : "2",
        "managedObjects" : [ {
          "creatingEndpoint" : "HR_DB_EP",
          "creationDate" : "2021-07-26 20:19:32",
          "deactivationDate" : "2029-12-25 15:11:11",
          "displayName" : "X.509 Certificate: DN EMAILADDRESS=psmith@example.com, CN=vienna, OU=Security, O=Oracle, L=Reston, ST=VA, C=US",
          "name" : "ps1009",
          "protectStopDate" : "2029-12-25 15:11:11",
          "state" : "Pre-Active",
          "type" : "Certificate",
          "uuid" : "975F17DF-11C1-4F16-BFBC-28E9C200C99F"
        }, {
          "creatingEndpoint" : "EMP_DB_EP",
          "creationDate" : "2021-06-30 21:01:48",
          "deactivationDate" : "",
          "displayName" : "Symmetric Key: Name psc7",
          "name" : "ps100,ps3,psa5,psb6,psc7",
          "protectStopDate" : "",
          "state" : "Active",
          "type" : "Symmetric Key",
          "uuid" : "7432AED6-6628-4F43-BF7C-9D30023A4301"
        } ]
      }
    }
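The --limit rule for wallet list and wallet list-objects means that an inventory is complete only when fetchedObjectCount is below the limit that was requested. The following Python sketch is an added example, not part of the Oracle documentation: it reruns the listing with a larger limit until that condition holds. The function names, the starting limit, the ceiling, and the constructed stand-in server are assumptions; run is any callable that submits the JSON input and returns the parsed output.

```python
def list_request(action, options):
    """Build JSON input for a manage-access wallet listing action."""
    return {"service": {"category": "manage-access", "resource": "wallet",
                        "action": action, "options": options}}


def fetch_complete(run, action, list_key, base_options=None,
                   limit=100, ceiling=100000):
    """Rerun a listing with a growing limit until nothing is cut off.

    action   -- "list" or "list-objects"
    list_key -- "wallets" or "managedObjects", the array in the output
    ceiling  -- assumed upper bound that protects server and client resources
    """
    while True:
        # The template carries limit as a quoted string, so send it that way.
        options = dict(base_options or {}, limit=str(limit))
        reply = run(list_request(action, options))
        if reply.get("result") != "Success":
            raise RuntimeError(f"{action} failed: {reply}")
        value = reply["value"]
        fetched = int(value["fetchedObjectCount"])  # a string in the output
        if fetched < limit:
            return value.get(list_key, [])
        # fetched == limit: the result may be cut off, so ask for more.
        if limit >= ceiling:
            raise RuntimeError(
                f"{action} still returns {fetched} objects at limit {limit}; "
                "the inventory is incomplete")
        limit = min(limit * 2, ceiling)


def constructed_server(total):
    """Constructed stand-in for okv that holds `total` wallets."""
    limits_seen = []

    def run(request):
        limit = int(request["service"]["options"]["limit"])
        limits_seen.append(limit)
        wallets = [{"wallet": f"WALLET{n}"} for n in range(min(limit, total))]
        return {"result": "Success",
                "value": {"fetchedObjectCount": str(len(wallets)),
                          "wallets": wallets}}

    return run, limits_seen


if __name__ == "__main__":
    run, limits_seen = constructed_server(total=250)
    wallets = fetch_complete(run, "list", "wallets")
    print(len(wallets), "wallets; limits tried:", limits_seen)
```

A count that equals the limit is ambiguous, so the loop spends one extra call to confirm that nothing was left out.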

4.18 okv manage-access wallet list-endpoint-wallets Command

The okv manage-access wallet list-endpoint-wallets command lists the wallets that are associated with an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

None, but this command returns information about only those wallets on which the user has some level of access.

Syntax

okv manage-access wallet list-endpoint-wallets --endpoint endpoint_name

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "list-endpoint-wallets",
    "options" : {
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--endpoint / endpoint

Required

The name of the endpoint.

To find existing endpoints, run the okv admin endpoint list command.

JSON Example

  1. Generate JSON input for the okv manage-access wallet list-endpoint-wallets command.
    okv manage-access wallet list-endpoint-wallets --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list-endpoint-wallets",
        "options" : {
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, list_ep_wallets.json) and then edit it so that you can find the wallets that are associated with the specified endpoint.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "list-endpoint-wallets",
        "options" : {
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access wallet list-endpoint-wallets command using the generated JSON file.
    okv manage-access wallet list-endpoint-wallets --from-json list_ep_wallets.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "wallets" : [ "WALLET10", "WALLET11" ]
      }
    }

4.19 okv manage-access wallet remove-access Command

The okv manage-access wallet remove-access command removes the access that an endpoint or an endpoint group has to a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet remove-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name 

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--endpoint / endpoint

or

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group.

To find existing endpoints, run the okv admin endpoint list command. To find endpoint groups, run okv manage-access endpoint-group list.

JSON Example

  1. Generate JSON input for the okv manage-access wallet remove-access command.
    okv manage-access wallet remove-access --generate-json-input

    The generated input appears as follows. This output includes the entire output, for both the endpoint and endpoint group. When you edit it, you must include the entry for either the endpoint or the endpoint group, but not both.

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "remove-access",
        "options" : {
          "wallet" : "#VALUE",
          "endpointGroup" : "#VALUE",
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, remove_wallet_access_ep.json) and then edit it to remove wallet access from the endpoint or the endpoint group. The following example shows how to remove access from an endpoint.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "remove-access",
        "options" : {
          "wallet" : "hr_wallet",
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access wallet remove-access command using the generated JSON file.
    okv manage-access wallet remove-access --from-json remove_wallet_access_ep.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.20 okv manage-access wallet remove-object Command

The okv manage-access wallet remove-object command removes a security object from a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role, or read-modify permission on the object and manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet remove-object --wallet wallet_name --uuid uuid

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "remove-object",
    "options" : {
      "wallet" : "#VALUE",
      "uuid" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--uuid / uuid

Required

Universally unique ID (UUID) of the security object.

To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.

JSON Example

  1. Generate JSON input for the okv manage-access wallet remove-object command.
    okv manage-access wallet remove-object --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "remove-object",
        "options" : {
          "wallet" : "#VALUE",
          "uuid" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, remove_wallet_obj.json) and then edit it to specify the object to be removed from the wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "remove-object",
        "options" : {
          "wallet" : "hr_wallet",
          "uuid" : "7432AED6-6628-4F43-BF7C-9D30023A4301"
        }
      }
    }
  3. Run the okv manage-access wallet remove-object command using the generated JSON file.
    okv manage-access wallet remove-object --from-json remove_wallet_obj.json

    Output similar to the following appears:

    {
      "result": "Success"
    }

4.21 okv manage-access wallet set-default Command

The okv manage-access wallet set-default command sets the default wallet for an endpoint.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or Manage Endpoint privilege for the endpoint and Full Wallet privileges on the wallet

Syntax

okv manage-access wallet set-default --wallet wallet_name --endpoint endpoint_name 

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "set-default",
    "options" : {
      "wallet" : "#VALUE",
      "endpoint" : "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--endpoint / endpoint

Required

Name of the endpoint.

To find existing endpoints, run the okv admin endpoint list command.

JSON Example

  1. Generate JSON input for the okv manage-access wallet set-default command.
    okv manage-access wallet set-default --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "set-default",
        "options" : {
          "wallet" : "#VALUE",
          "endpoint" : "#VALUE"
        }
      }
    }
  2. Save the generated input to a file (for example, set_def_wallet.json) and then edit it to set the default wallet for the endpoint.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "set-default",
        "options" : {
          "wallet" : "hr_wallet",
          "endpoint" : "hr_db_ep"
        }
      }
    }
  3. Run the okv manage-access wallet set-default command using the generated JSON file.
    okv manage-access wallet set-default --from-json set_def_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }

4.22 okv manage-access wallet update Command

The okv manage-access wallet update command updates a wallet.

This command uses a user name and password for the authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet update --wallet wallet_name --name new_wallet_name --description description --unique TRUE|FALSE  

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update",
    "options" : {
      "wallet" : "#VALUE",
      "name" : "#VALUE",
      "description" : "#VALUE",
      "unique" : "#TRUE|FALSE"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--name / name

Optional

A new name for the wallet. See Naming Guidelines for Objects.

--description / description

Optional

A user-friendly description for the wallet, enclosed within double quotation marks.

--unique / unique

Optional

Applies to a multi-master cluster environment only. This --unique parameter creates the wallet as a unique wallet. In a multi-master cluster, it is possible that a wallet with the same name could be created from two different nodes. If that happens, then the wallet names may conflict. The Oracle Key Vault conflict resolution scheme will keep one wallet with the given name and rename other wallets with the conflicting names to a name using this format: given_wallet_name_OKVnode_id.

Valid settings are as follows:

  • TRUE appends _OKVnode_id to the given name and thus prevents the conflict for this wallet name. The wallet is immediately usable.
  • FALSE causes Oracle Key Vault to begin a checking process to find if the wallet name is unique. A unique ID is returned. You can use this ID to check the status of the wallet creation, whether it is in progress (PENDING) or complete (ACTIVE). If the status is PENDING, then it is not yet usable, so any actions performed on the wallet will fail. If the status is ACTIVE, then confirm the name of the wallet after Oracle Key Vault performs name resolution for this name by executing the okv manage-access wallet check-status command. If the name that you provided is already used in another node, then the name for this wallet will have _OKVxx appended to it. For example, if you named the wallet wallet12, and there is a naming conflict, the name could be WALLET12_OKV01.

JSON Example

  1. Generate JSON input for the okv manage-access wallet update command.
    okv manage-access wallet update --generate-json-input

    The generated input appears as follows:

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "update",
        "options" : {
          "wallet" : "#VALUE",
          "name" : "#VALUE",
          "description" : "#VALUE",
          "unique" : "#TRUE|FALSE"
        }
      }
    }
  2. Save the generated input to a file (for example, update_wallet.json) and then edit it to update the name and description of a wallet. This example shows how to update the name of a wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "update",
        "options" : {
          "wallet" : "hr_wallet",
          "name" : "global_hr_wallet",
          "unique" : "false"
        }
      }
    }
  3. Run the okv manage-access wallet update command using the generated JSON file.
    okv manage-access wallet update --from-json update_wallet.json

    Output similar to the following appears:

    {
      "result" : "Success",
      "value" : {
        "status" : "PENDING",
        "locatorID" : "81800CE6-6AAF-4EF5-A0FD-446ED6625F6A"
      }
    }

    This example shows the output for renaming a wallet in a multi-master cluster. On renaming, a wallet is placed into the PENDING state for the duration of the naming conflict resolution.

    Unless you renamed the wallet in a multi-master cluster, the status and locatorID entries are not included in the output.

4.23 okv manage-access wallet update-access Command

The okv manage-access wallet update-access command updates the level of access that an endpoint or an endpoint group has to a wallet.

This command uses a user name and password for authentication.

Required Authorization

Key Administrator role or manage wallet (MW) permission on the wallet

Syntax

okv manage-access wallet update-access --wallet wallet_name --endpoint endpoint_name|--endpoint-group endpoint_group_name --access RO|RM|RO_MW|RM_MW 

JSON Input File Template

{
  "service" : {
    "category" : "manage-access",
    "resource" : "wallet",
    "action" : "update-access",
    "options" : {
      "wallet" : "#VALUE",
      "endpointGroup" : "#VALUE",
      "endpoint" : "#VALUE",
      "access" : "#RO|RM|RO_MW|RM_MW"
    }
  }
}

Parameters

Parameter/Template Parameter Required? Description

--wallet / wallet

Required

Wallet name. To find the names of existing wallets to which you have access, run the okv manage-access wallet list command.

--endpoint / endpoint

or

--endpoint-group / endpointGroup

Required

Name of the endpoint or endpoint group. You can specify either an endpoint or an endpoint group, but not both. To find existing endpoints, run the okv admin endpoint list command. To find endpoint groups, run the okv manage-access endpoint-group list command.

--access / access

Required

Enter one of the following values:

  • RO for read-only access
  • RM for read-and-modify access
  • RO_MW for read-only and manage-wallet access
  • RM_MW for read-and-modify and manage-wallet access

JSON Example

  1. Generate JSON input for the okv manage-access wallet update-access command.
    okv manage-access wallet update-access --generate-json-input

    The generated input appears as follows. This output includes wallet access settings for both endpoints and endpoint groups. When you edit it, you must include either the endpoint settings or the endpoint group settings, but not both.

    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "update-access",
        "options" : {
          "wallet" : "#VALUE",
          "endpointGroup" : "#VALUE",
          "endpoint" : "#VALUE",
          "access" : "#RO|RM|RO_MW|RM_MW"
        }
      }
    }
  2. Save the generated input to a file (for example, update_wallet_access_ep.json) and then edit it to update the access that an endpoint or an endpoint group has to the wallet. This example shows how to update an endpoint's access to a wallet.
    {
      "service" : {
        "category" : "manage-access",
        "resource" : "wallet",
        "action" : "update-access",
        "options" : {
          "wallet" : "hr_wallet",
          "endpoint" : "hr_db_ep",
          "access" : "RM"
        }
      }
    }
  3. Run the okv manage-access wallet update-access command using the generated JSON file.
    okv manage-access wallet update-access --from-json update_wallet_access_ep.json

    Output similar to the following appears:

    {
      "result" : "Success"
    }
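
The following pre-flight check is an added example, not part of Oracle Key Vault or its documentation. It validates an edited update-access input file against the rules on this page before the file is passed to --from-json: no leftover template placeholders, exactly one of endpoint or endpointGroup, and one of the four listed access values. It also flags grants that include manage wallet (MW), because MW is the permission this page lists as sufficient to run update-access on the wallet. The function name check_update_access and the exact, upper-case matching of access values are assumptions of this example.

```python
import json

ACCESS_LEVELS = {"RO", "RM", "RO_MW", "RM_MW"}  # values listed on this page; exact-case match is an assumption
EXPECTED = {"category": "manage-access", "resource": "wallet", "action": "update-access"}


def check_update_access(text):
    """Return (errors, warnings) for the text of an update-access JSON input file."""
    errors, warnings = [], []
    try:
        svc = json.loads(text)["service"]
        opts = svc["options"]
        if not isinstance(opts, dict):
            raise TypeError("options is not an object")
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a service/options input file: {exc!r}"], warnings
    for key, want in EXPECTED.items():
        if svc.get(key) != want:
            errors.append(f"{key} must be {want!r}")

    def filled(key):
        val = opts.get(key)
        if isinstance(val, str) and val.startswith("#"):  # e.g. "#VALUE" left from the template
            errors.append(f"{key} still holds the template placeholder {val!r}")
            return False
        return isinstance(val, str) and bool(val.strip())

    if not filled("wallet"):
        errors.append("wallet is required")
    grantees = [k for k in ("endpoint", "endpointGroup") if filled(k)]
    if len(grantees) != 1:
        errors.append("set exactly one of endpoint or endpointGroup")
    access = opts.get("access")
    if not isinstance(access, str) or access not in ACCESS_LEVELS:
        errors.append(f"access must be one of {sorted(ACCESS_LEVELS)}, found {access!r}")
    elif access.endswith("_MW"):
        warnings.append(f"{access} includes manage wallet (MW), which authorizes update-access on this wallet")
    return errors, warnings


# Constructed samples: the edited example from this page, and a variant that sets both grantees.
GOOD = '{"service":{"category":"manage-access","resource":"wallet","action":"update-access",' \
       '"options":{"wallet":"hr_wallet","endpoint":"hr_db_ep","access":"RM"}}}'
BAD = GOOD.replace('"access":"RM"', '"endpointGroup":"epg_hr","access":"RM_MW"')

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_update_access(sample))
```
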