18 Oracle Key Vault General System Administration

General system administration refers to system management tasks for the Oracle Key Vault server, such as configuring network details and services.

18.1 Overview of Oracle Key Vault General System Administration

System administrators can perform most general administration tasks in the Oracle Key Vault management console, including finding the current status of the overall system.

18.1.1 About Oracle Key Vault General System Administration

System administrators configure the Oracle Key Vault system settings.

The Oracle Key Vault system settings include administration, local and remote monitoring, email notification, backup and recovery operations, and auditing. You must have the appropriate role for performing these tasks. Users who have the System Administrator role can perform most of the administrative tasks, and users with the Audit Manager role can configure audit settings, export audit records, and integrate Oracle Key Vault with Oracle Audit Vault. In most cases, you will perform these tasks in the Oracle Key Vault management console.

To quickly find information about the current state of the Oracle Key Vault system at a high level, you can view the Oracle Key Vault dashboard.

18.1.2 Viewing the Oracle Key Vault Dashboard

The dashboard presents the current state of the Oracle Key Vault at a high level and is visible to all users.

18.1.3 Using the Status Panes in the Dashboard

The status panes on the dashboard provide a high-level overview of the current state of Oracle Key Vault, including outstanding alerts, aggregated summary of managed contents, and also the state and status of various objects, entities and services.

Log in to the Oracle Key Vault management console.

The dashboard appears in the Home tab.

The dashboard is organized into different panes. These dashboard panes display aggregated information about alerts, managed entities, security objects, and overall system overview of Oracle Key Vault.

The dashboard consists of:
  1. Tabs at the top of the page for you to perform various administrative tasks. For example, to create a new endpoint, click the Endpoints tab.
  2. The Alerts pane allows you to access existing alerts. For more information, click Show Details or All Alerts.

    To take corrective action on an alert:

    1. Click Show Details to list a summary of the alerts.
    2. Click the link that corresponds to the alert to display the appropriate page.
    3. Take corrective action for the alert as necessary.

    To configure alerts that you want to see on the dashboard:

    1. Click the Reports tab, and then click Alerts in the left side bar to display the Alerts page.
    2. In the top right of the page, click Configure to display the Configure Alerts page.
    3. Select the Alert Type, check Enabled, set the Limit, and then click Save.
  3. The Managed Entities pane displays the aggregated information about these categories: Endpoints, Endpoint Groups, Users, User Groups, Keys & Secrets, and Wallets. For each category, the number of items that you configure for that respective category are shown.

    For example, if the system has 21 endpoints, then 21 is displayed above the Endpoints label. To find and modify the details of these endpoints, click the Endpoints label.

  4. The Managed Keys & Secrets pane dispalys the aggregated information about different types of supported security objects: TDE Master Encryption Keys, MySQL Master Encryption Keys, DB Passwords, Secret Data, Certificates, Private Keys, Symmetric Keys, Opaque Objects, GoldenGate Master Keys, and ACFS Volume Encryption Keys. Similar to the Managed Entities contents, to find and modify the details about a security object, click the corresponding label.
  5. The System Overview pane provides information about the installation: Deployment Mode, Service Status, Used Disk Space, and CPU Utilization. For a multi-master cluster, the System Overview pane also displays the Name Resolution Time information.
  6. The Endpoints pane provides a count of endpoints broken down by their Type (Oracle Database, Oracle Non-Database, or Non-Oracle) and Status (Registered, Enrolled, or Suspended).
  7. The Keys, Secrets State pane provides a count of objects broken down by their object state: Pre-Active, Active, Deactivated, Compromised, Destroyed, and Destroyed Compromised.

In the home page, the item type and item state are displayed as of the last time refreshed. The number and count of entities and objects displayed may vary for different users depending upon their authorization.

18.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment

On the system Settings page, you can configure settings for either a standalone environment or a primary-standby environment.

18.2.1 Configuring the Network Details

Learn how to configure the network details from the Oracle Key Vault management console.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In Network Details area, click Network Info.
    The information displayed in the Network Details area depends on whether you are using Classic mode or Dual NIC mode.


    Note:

    The Dual NIC screen displays the bonding mode and the current status of each interface.
  4. Update the values for the following fields:
    • Host Name: Enter the name of the server.
    • IP Address: Enter the IP address of the server.
    • Network Mask: Enter the network mask of the server.
    • Gateway: Enter the network gateway of the server.
    The fields in this pane are automatically populated with the IP address and host name of your Oracle Key Vault server. But if you want, then you can update the Host Name, IP Address, Network Mask, and the Gateway for the Oracle Key Vault installation.
    You cannot change the MAC Address settings. If you are using Dual NIC mode, then the same applies to Network Mode settings, that is, you cannot change the Bonding Mode, Active Interface, and Backup Interface settings, but these values are useful if you want to check their status.
  5. Click Save.

    If you have a high availability configuration, then you must unpair the primary and standby Oracle Key Vault servers before changing the IP address. After you have changed the IP address of the primary or standby Oracle Key Vault server, pair the two servers again. After you complete the pairing process, reenroll the Oracle Key Vault endpoints to ensure that they are updated with the new IP addresses for both the primary and the standby Oracle Key Vault servers.

18.2.2 Configuring Network Access

In a non-multi-master cluster, you can configure the network services from the Oracle Key Vault management console.

You can enable services for Web Access and SSH Access (Secure Shell Access) for all, none, or a subset of clients, determined by their IP addresses.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Web Access.
  4. Select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of IP addresses that you specify to meet your organizational needs.
  5. Click Save.
  6. To set the SSH access, in the Settings page under Network Details, select SSH Access.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

    Note:

    Oracle recommends that you always disable SSH access, except when you are applying an Oracle Key Vault Release Update (RU), or when directed by Oracle Support.

  7. In the SSH Access window, enter the following settings:
    • Disabled to disable all IP addresses SSH access
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space.
    • All to enable SSH access from all IP addresses.
  8. Click Save.

18.2.3 Configuring DNS

You can configure up to three domain name service (DNS) servers with IP addresses that Oracle Key Vault will use to resolve host names.

This configuration is useful if you only know the host name and not the IP address of a server that Oracle Key Vault needs to access. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP address, after you set up DNS.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.
  4. Enter up to three IP addresses for DNS servers.
    You must at minimum configure the DNS setting for Server 1. While only the first value is required, two entries are recommended for fault tolerance.
  5. Click Save.

18.2.4 Configuring the System Time

Oracle strongly recommends that you synchronize Oracle Key Vault with an NTP time source.

Synchronizing Oracle Key Vault with a time source is important for reliable time stamps in audit records, and the activation, deactivation, protectStop, and processStart dates for keys and secrets.

You can configure Oracle Key Vault to synchronize its system time with the NTP servers. Oracle Key Vault provides fields to enter information for up to three NTP servers. If an NTP server is not available, then set the current time manually. Use the calendar icon to set the date and time so that these values are stored in the correct format.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click NTP to display the System Time window.

    The following screen shows a partial view of the System Time window. For NTP servers, only use IP addresses and not host names. As a best practice, configure all three servers.

    Description of 217_ntp_settings.png follows
    Description of the illustration 217_ntp_settings.png
  4. Choose Use Network Time Protocol.
  5. Enter values for the following fields:
    • Server 1: Enter the IP address of an NTP server. You must supply an IP address for Server 1. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  6. Click Save.

    Note:

    To perform a synchronization of the Oracle Key Vault server with the NTP server, click the Apply Server button on the System Time page.

Related Topics

18.2.5 Configuring FIPS Mode

You can either enable or disable FIPS mode for Oracle Key Vault.

In a primary-standby environment, ensure that both servers are consistent in their FIPS mode setting: either both are enabled, or both are disabled.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click FIPS.
  4. Do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  5. Click Save.
    After you click Save, a confirmation dialog box will appear.
  6. In the confirmation dialog box, click OK to apply the changes and restart the Oracle Key Vault system.
    If you click OK, be aware that the operation cannot be canceled. The restart operation takes place immediately.

18.2.6 Configuring Syslog

You can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

All system related alerts are sent to syslog.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Syslog.
  4. Select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  5. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  6. Click Save.

    Note:

    You can use syslog forwarding to send syslog messages (including audit records, if audit records are sent to syslog) to SIEM ( Security Information and Event Management) solutions, such as Splunk.

18.2.7 Changing the Network Interface Mode

You can switch between dual NIC mode and classic mode for the network interface.

You can both switch the network mode and update the IP information of a standalone Oracle Key Vault server. In a primary-standby configuration, you cannot change the network mode and update the IP information. You need to first configure the network interface mode when you install the Oracle Key Vault appliance software.
  1. Log in to the Oracle Key Vault server as the support user.
  2. Switch to the root user.
    su - root
  3. At the command line, execute the following script:
    /usr/local/okv/bin/okv_configure_network
  4. In the Select Network Mode window, select the network interface that you want to use, and then select OK.
  5. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, the only mode available before 21.x releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. You cannot change the mode if you are using a multi-master cluster or primary-standby configuration. Choose this option if the server has only one network card.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  6. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or ethernet ports. It is useful as a guard against physical or software failures and adds redundancy to the network layer. Select the dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node may lose connectivity and risk missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
You do not need to restart Oracle Key Vault after changing the network mode.

18.2.8 Configuring RESTful Services Utility

RESTful services utility allows you to automate the management of endpoints, wallets, security objects, deployment operations, and backup operations.

RESTful services utility also supports regular key management activities.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click RESTful Services.
  4. Select the Enable checkbox in the RESTful Services section.
    To disable RESTful services, clear the Enable checkbox.
  5. Click Save.

Oracle Key Vault provides the management of endpoint operations, virtual wallet operations, downloading and provisioning operations as RESTful services.

Click Download to download the Oracle Key Vault RESTful Service Utility, okvrestclipackage.zip, to use these services. Click Download Classic Utility to download the classic utility, okvrestservices.jar.

18.2.9 Checking the Oracle Audit Vault Integration Status

Oracle Key Vault can send audit records to Oracle Audit Vault for centralized audit reporting and alerting.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role or the Audit Manager role.
  2. Depending on the roles that you have, navigate as follows:
    • If you have the System Administrator role but not the Audit Manager role, or if you have both the System Administrator role and the Audit Manager roles: Select the System tab, and then Settings from the left navigation bar. In the Monitoring and Alerts area, click Audit Vault.
    • If you only have the Audit Manager role: Select the System tab,and then in the left navigation bar, select Audit Vault Integration.
  3. Select the Monitoring tab.
    The Monitoring pane indicates if the monitoring is active. If Oracle Key Vault is not integrated with Oracle Audit Vault, then only the Deployment pane appears. If you want to have Audit Vault integrated, then log on as a user who has the Audit Manager role to perform the integration.

18.2.10 Configuring the Oracle Key Vault Management Console Web Session Timeout

You can configure a timeout value in minutes for the Oracle Key Vault management console Web session.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Console Timeout.
  4. Enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save.
    After you click Save, for the currently active user Web session as well as for other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, starting earlier if the timeout value is larger, the user will be notified and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

18.2.11 Restarting or Powering Off Oracle Key Vault

You can manually restart or power off Oracle Key Vault as required for maintenance or for patch and upgrade procedures.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Status from the left navigation bar.
  3. Go to the top of the Status page.
  4. Do one of the following:
    • To restart, click Reboot.
    • To power off, click Power Off.

18.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment

When you configure Oracle Key Vault in a multi-master cluster environment, you can configure either individual nodes or the entire multi-master cluster environment.

18.3.1 About Configuring Oracle Key Vault in a Multi-Master Cluster Environment

You have the option of configuring settings for individual nodes or the entire multi-master cluster.

Some settings are same for the entire multi-master cluster and they apply to all the cluster nodes. For such settings, you cannot configure different values for different nodes. Examples of such settings include Console Timeout and Maximum Disable Node Duration.

You can configure some settings only at the individual cluster node level. You must configure such settings on each cluster node individually. Examples of such settings include Network Info, and SSH Access.

You can configure some settings at both the individual cluster node level and the entire cluster level. If you configure the settings at both levels, values set at the cluster node level are effective. Examples of such settings include DNS, NTP, and SNMP

When you set a value for the entire cluster, it may take several minutes for changes to propagate to other nodes.

When you start the configuration from the Settings page, you can select the following View Settings menu options to filter the settings based on whether they can be set at the node level only, cluster level only, or both:

  • Node only Shows settings that can only be configured at the individual node level. You configure such settings on each node individually. Examples of such settings include Network Info, and SSH Access.

  • Cluster only Shows settings that are cluster-wide and updating them will change the settings for all cluster nodes. Examples of such settings include Alerts, Console Timeout, and Maximum Disable Node Duration.

  • Both Shows settings that can be set at both the node level and the cluster level. If you configure the settings at both levels, values set at the node level are effective for that node. Examples of such settings include DNS, NTP, and SNMP.

    You can navigate these settings between node and cluster settings using the right arrow button in the respective setting page. For example, if you select DNS, then you can configure DNS settings for either current node, or for the entire cluster, or both.

  • All shows all the available settings without any filter.

18.3.2 Configuring System Settings for Individual Multi-Master Cluster Nodes

You set or change the settings for an individual multi-master cluster node from the Oracle Key Vault management console for that node.

These include settings that can be set at the:

  • individual node level only
  • individual node level as well as the entire-cluster level.

    Values set for the individual node override the values set at the cluster level. You can clear any individual node level setting to revert to the cluster level setting.

Examples of these settings are network details, network access, system time, FIPS mode, syslog, and Oracle Audit Vault integration.

18.3.2.1 Configuring the Network Details for the Node

In a multi-master cluster, you can change the host name for a node.

  1. Log into any Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Network Info.
  4. In the Host Name field, enter the name of the host name for the node.
    You cannot modify the IP Address, Network Mask, Gateway, and MAC Address fields, which are automatically populated.
  5. Click Save.
18.3.2.2 Configuring Network Access for the Node

In a multi-master cluster, you can configure network access for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Details area, select Web Access.
  4. Select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of IP addresses that you specify to meet your organizational needs.
  5. Click Save.
  6. To set the SSH access, in the Settings page under Network Details, select SSH Access.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    As a best practice, enable SSH access for short durations, solely for diagnostic, troubleshooting, or upgrade purposes, and then disable it as soon as you are done.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

  7. In the SSH Access window, enter the following settings:
    • Disabled to disable all IP addresses SSH access
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space.
    • All to enable SSH access from all IP addresses.
  8. Click Save.
18.3.2.3 Configuring DNS for the Node

When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.
  4. In the DNS window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node window, enter up to three DNS server IP addresses.
    You must at minimum configure the DNS setting for Server 1. While only the first value is required, two entries are recommended for fault tolerance.
  6. Click Save.
18.3.2.4 Configuring the System Time for the Node

In a multi-master cluster, you must synchronize Oracle Key Vault with an NTP time source. All nodes of the cluster should operate on the same system time (or coordinated system time) for the inter node replication to work correctly.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click NTP.
    In cluster mode, you must use the Network Time Protocol (NTP), so you cannot change the selection from Use Network Time Protocol to Set Manually.
  4. In the System Time window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, enter values for the following fields:
    • Server 1: Enter the IP address of the first NTP server. To test the NTP server, click Test Server. To persist the changes to the NTP configuration, click Apply Server.
    • Server 2: Enter the IP address of the second NTP server. To test the NTP server, click Test Server. To persist the changes to the NTP configuration, click Apply Server.
    • Server 3: Enter the IP address of the third NTP server. To test the NTP server, click Test Server. To persist the changes to the NTP configuration, click Apply Server.
  6. Click Save (or Save to Cluster).
18.3.2.5 Configuring the FIPS Mode for the Node

All multi-master cluster nodes must use the same FIPS mode setting or you will receive an alert.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click FIPS.
  4. In the FIPS Mode window, do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  5. Click Save.
    After you click Save, Oracle Key Vault will restart automatically.
18.3.2.6 Configuring Syslog for the Node

In a multi-master cluster node, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Syslog.
  4. In the Syslog window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  6. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  7. Click Save.

    Note:

    You can use syslog forwarding to send syslog messages (including audit records, if audit records are sent to syslog) to SIEM ( Security Information and Event Management) solutions, such as Splunk.
18.3.2.7 Changing the Network Interface Mode for the Node

You can switch between dual NIC mode and classic mode for the network interface for a node in a multi-master cluster environment.

If you are using a primary-standby configuration, then you cannot change this mode. You first configured the network interface mode when you installed the Oracle Key Vault appliance software. Note that the cluster node must be disabled before you can change its network mode.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Disable the cluster node.
  3. Log in to the Oracle Key Vault server through SSH as support user.
  4. Switch the user su to root.
    ssh support@okv_server_IP_address
    su - root
  5. At the command line, execute the following script:
    /usr/local/okv/bin/okv_configure_network
  6. In the Select Network Mode window, select the network interface that you want to use, and then select OK.
  7. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, the only mode available before 21.x releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. You cannot change the mode if you are using a multi-master cluster or primary-standby configuration. Choose this option if the server has only one network card.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  8. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or ethernet ports. It is useful as a guard against physical or software failures and adds redundancy to the network layer. Select the dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node may lose connectivity and risk missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
  9. Re-enable the disabled cluster node.
You do not need to restart Oracle Key Vault after changing the network mode.
18.3.2.8 Configuring Auditing for the Node

You can enable or disable audit settings for a node.

  1. Log into the Oracle Key Vault management console for the node as a user who has the Audit Manager role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Audit.
    You can enable or disable the following auditing categories:
    • Auto Purge Audit Records: This setting will turn the auto purge of the auditing records on or off.

      Note:

      The cluster level setting does not apply for Auto Purge Audit Records.
    • Enable Auditing: This setting will turn the auditing on or off. Turning off this setting will not generate audit records.
    • Send Audit Records to Syslog: This setting writes the audit records to syslog. To enable this setting, you must first configure the syslog destination.
  4. In the Audit Settings window for each of these categories, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select Yes or No for each category.
  6. Click Save.
18.3.2.9 Configuring SNMP Settings for the Node

You can enable or disable SNMP access for a multi-master cluster node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click SNMP.
  4. In the SNMP window, ensure that you are on Node Details - Effective on this Node page.
    If you are on the Cluster Details page, then click the arrow on the right to toggle back to Node Details - Effective on this Node.
  5. In the Node Details - Effective on this Node page, select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  6. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  7. Click Save.
    Alternatively, you can select Delete to remove the SNMP setting.
18.3.2.10 Checking the Oracle Audit Vault Integration for the Node

Oracle Key Vault can send audit records from a node to Oracle Audit Vault for centralized audit reporting and alerting.

  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role or the Audit Manager.
  2. Depending on the roles that you have, navigate as follows:
    • If you have the System Administrator role but not the Audit Manager role, or if you have both the System Administrator role and the Audit Manager roles: Select the System tab, and then Settings from the left navigation bar. In the Monitoring and Alerts area, click Audit Vault.
    • If you only have the Audit Manager role: Select the System tab,and then in the left navigation bar, select Audit Vault Integration.
  3. Select the Monitoring tab.
    The Monitoring pane indicates if the monitoring is active. If Oracle Key Vault is not integrated with Oracle Audit Vault, then only the Deployment pane appears. If you want to have Audit Vault integrated, then log on as a user who has the Audit Manager role to perform the integration.
18.3.2.11 Restarting or Powering Off Oracle Key Vault from a Node

You can manually restart or power off an Oracle Key Vault node as required for maintenance or for patch and upgrade procedures.

When you restart or power-off Oracle Key Vault nodes, only the current node is restarted or powered-off. The other nodes in the cluster are unable to send information to and from the nodes that are powered off. When the nodes are restarted, there will be a period needed for the restarted nodes to catch up on activities that took place while they were down.
  1. Log into the Oracle Key Vault management console for the node as a user who has the System Administrator role.
  2. Select the System tab, and then Status from the left navigation bar.
  3. At the top of the Status page, do one of the following to restart or power off the node:
    • To restart, click Reboot.
    • To power off, click Power Off.

18.3.3 Configuring System Settings for an Entire Oracle Key Vault Multi-Master Cluster

You can set or change the settings for the entire multi-master cluster from the Oracle Key Vault management console of any node.

These include settings that can be set at the:

  • Entire cluster level only.
  • Individual node-level and the entire cluster level.

    Values set at the cluster level do not override the values set the node level. To use cluster level setting, you need to clear any individual node level settings.

Example of these settings are console timeout, SNMP, system time, DNS, and auditing.

18.3.3.1 Configuring the System Time for the Cluster

In a multi-master cluster, you can synchronize Oracle Key Vault with an NTP time source.

All nodes of the cluster should operate on the same system time (or coordinated system time) for the inter-node replication to work correctly.
  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click NTP.
  4. In the System Time page, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, enter values for the following fields:
    • Server 1: Enter the IP address of the first NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 2: Enter the IP address of the second NTP server. To test the NTP server, click Test Server. To persist the changes to the NTP configuration, click Apply Server.

    • Server 3: Enter the IP address of the third NTP server. To test the NTP server, click Test Server. To persist the changes to the NTP configuration, click Apply Server.

  6. Click Save.
18.3.3.2 Configuring DNS for the Cluster

When you configure the DNS for a cluster, you can enter up to three DNS server IP addresses.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Network Services area, click DNS.

    In the DNS window, ensure that you are on Cluster Details page.

  4. If you are on the Node Details - Effective on the Node page, click the arrow on the right to toggle back to Cluster Details page.
  5. In the Cluster Details page, enter up to three DNS Server IP addresses.
    You must at minimum configure the DNS setting for Server 1. While only the first value is required, two entries are recommended for fault tolerance.
  6. Click Save.
18.3.3.3 Configuring the Maximum Disable Node Duration for the Cluster

You can set the maximum disable node duration time for the cluster in hours.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Maximum Disable Node Duration.
  4. In the Maximum Disable Node Duration window, enter a value, in hours, for the duration that a node can be disabled before it is evicted from the cluster.
    Note that as this value is increased, the average amount of disk space consumed by cluster-related data also increases.
  5. Click Save.
18.3.3.4 Configuring Syslog for the Cluster

In a multi-master cluster environment, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitor and Alerts area, click Syslog.
  4. In the Syslog page, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  6. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  7. Click Save.

    Note:

    You can use syslog forwarding to send syslog messages (including audit records, if audit records are sent to syslog) to SIEM ( Security Information and Event Management) solutions, such as Splunk.
18.3.3.5 Configuring RESTful Services for the Cluster

You can enable or disable RESTful Services for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click RESTful Services.
  4. In the RESTful Services window, select the Enable check box.
  5. Click Save.
  6. Click Download to download the Oracle Key Vault RESTful Service Utility, okvrestclipackage.zip, to use these services.
  7. Click Download Classic Utility to download the classic utility, okvrestservices.jar.
18.3.3.6 Configuring Auditing for the Cluster

You can enable or disable audit settings for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the Audit Manager role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click Auditing.
    You can enable or disable the following auditing categories:
    • Enable Auditing: This setting will turn the auditing on or off. Turning off this setting will not generate audit records.
    • Replicate Audit Records: This setting applies only to a cluster configuration. It indicates if the audit records are replicated across the cluster nodes.
    • Send Audit Records to Syslog: This setting writes the audit records to syslog. To enable this setting, you must first configure the syslog destination.
    • Auto Purge Audit Records: This setting writes the auto purge audit records. The cluster level setting does not apply to Auto Purge Audit Records.
  4. In the Audit Settings page, for each of these categories, click the arrow to the left to toggle to the Cluster Details page.
  5. In the Cluster Details page, select Yes or No for each category.
  6. Click Save.
18.3.3.7 Configuring SNMP Settings for the Cluster

You can enable or disable SNMP access for a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Monitoring and Alerts area, click SNMP.
  4. Select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  5. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  6. Click Save.
    Alternatively, you can select Delete to remove the SNMP setting.
18.3.3.8 Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster

You can configure a timeout value in minutes for the Oracle Key Vault management console for all nodes in a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the System Configuration area, click Console Timeout.
  4. In the Management Console Timeout window, enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save.
    After you click Save,the setting is applied to all nodes in the cluster. For the currently active user Web session as well as for other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, the user will be notified, starting earlier if the timeout value is larger, and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

18.4 Managing System Recovery

System recovery includes tasks such as recovering lost administrative passwords.

18.4.1 About Managing System Recovery

To perform system recovery, you use the recovery passphrase.

In an emergency when no administrative users are available, or you must change the password of administrative users, you can recover the system with the current recovery passphrase of Oracle Key Vault. In addition, you can change the recovery passphrase to keep up with security best practices.

18.4.2 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault server.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.
  5. In the page that appears, select the Administrator Recovery tab to display the Administrator Management page.
  6. In the User Name field, enter the name of the Oracle Key Vault administrative user and then click Search.
    The Administrator Recovery page expands to show the Allow Forward Grant check box for each role that is currently granted to the user. For example: Description of 214_recover_admin_roles.png follows
    Description of the illustration 214_recover_admin_roles.png
  7. Select or deselect each role to be granted to the administrative user. For each selected role, if you want to allow the user to grant the role to other users, then select the Allow Forward Grant check box.
  8. Click Modify.

18.4.3 Changing the Recovery Passphrase in a Non-Multi-Master Cluster Environment

Periodically changing the recovery passphrase is a good security practice.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.
  1. Perform a server backup.
  2. From a web browser, enter the IP address of your Oracle Key Vault server.
  3. In the Oracle Key Vault login page, do not log in.
  4. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  5. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.
  6. In the page that appears, select the Administrator Recovery tab.
  7. Select the Recovery Passphrase tab.
  8. In the Recovery Passphrase page, enter and re-enter a new password for the recovery passphrase.
  9. Click Submit.
  10. Perform a server backup.

18.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster

Changing the recovery passphrase in a multi-master cluster is a two-step process.

18.4.4.1 About Changing the Recovery Passphrase for a Multi-Master Cluster

To change the recovery passphrase for a multi-master cluster, you must first initiate the recovery passphrase change from one of the cluster node. Other cluster nodes are notified of the impending passphrase change.

Before changing the Recovery Passphrase, ensure that the node is ready to accept the new passphrase. The presence of the fields on the System Recovery page indicates that the node is ready to accept the new password on the Recovery Passphrase tab. Set the new recovery passphrase on each node in below order:

  1. Set the new recovery passphrase on all nodes other than the one which initiated the recovery passphrase change.
  2. After the new recovery passphrase change on other nodes has been set, set the new recovery passphrase for the node that initiated the recovery passphrase change.
  3. Set the same passphrase on every node.
18.4.4.2 Step 1: Initiate the Recovery Passphrase Change Across the Nodes

You must initiate the change for the recovery passphrase so that all nodes in the multi-master cluster will be notified of the impending change.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes. This is so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.
  1. Perform a server backup.
  2. Ensure that all nodes are in the ACTIVE state and replication has been verified between all nodes. Ensure that there are no cluster operations going on (such as adding a node).
  3. From a web browser, enter the IP address of a multi-master cluster node that is not in read-only restricted mode.
  4. In the Oracle Key Vault login page, do not log in.
  5. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  6. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.
  7. Click the Recovery Passphrase tab.
  8. Click the Initiate Change button.
  9. Log out.
  10. Wait 3 to 4 minutes before continuing.

    During this time, all nodes will be notified that a passphrase change will be performed. To cancel a passphrase change, click the Reset button.

    All nodes will determine if more than one passphrase change has been initiated. If more than one passphrase change has been initiated, conflict resolution will be performed.

    After you cancel a passphrase change by using the Reset button, Oracle recommends that you remedy the issue and again initiate a passphrase change, making sure to then change the passphrase on every node in the cluster.

18.4.4.3 Step 2: Change the Recovery Passphrase

After the multi-master cluster nodes have been notified of the impending recovery passphrase change, you can change the recovery passphrase.

Follow the mentioned guidelines during the recovery passphrase change across the cluster.
  • The new recovery passphrase is set on each node.
  • The new recovery passpharse is set on all the nodes first other than the initiator node, that is, the node that has initiated the recovery passphrase change.
  • Set the new recovery passphrase on the initiator node in the end.
  • All the nodes are using the same Recovery passphrase.

Before changing the Recovery Passphrase, ensure that the node is ready to accept the new passphrase. This is indicated by the presence of the fields to accept the new password on the Recovery Passphrase tab of the System Recovery page.

  1. From a Web browser, enter the IP address of a multi-master cluster node in the Oracle Key Vault installation.
    You can find a list of available nodes in the Oracle Key Vault management console by selecting the Clusters tab and then checking the Cluster Details section.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.
  5. Click the Recovery Passphrase tab.
  6. Enter the new recovery passphrase in the two fields.
  7. Click Submit.
  8. Repeat these steps for each node in the cluster. Ensure that you perform these steps on the initiator node last.

    Note:

    HSM reverse migrate cannot run when the recovery passphrase is being changed.

    Caution:

    It is your responsibility to keep the recovery passphrase the same on all nodes in the cluster. If you set the recovery passphrase differently on cluster nodes it will negatively impact cluster functionality, such as adding nodes and HSM-enabling nodes. In addition to the addition of nodes and nodes being HSM-enabled, certificate rotation in a multi-master cluster depends on all nodes having the same recovery passphrase.

18.5 Support for a Primary-Standby Environment

To ensure that Oracle Key Vault can always access security objects, you can deploy Oracle Key Vault in a primary-standby (highly available) configuration.

This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault servers in a primary-standby configuration. The primary server services the requests that come from endpoints. If the primary server fails, then the standby server takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

The primary-standby configuration was previously known as the high availability configuration. The primary-standby configuration and the multi-master cluster configuration are mutually exclusive.

Oracle Key Vault supports primary-standby read-only restricted mode. When the primary server is affected by server, hardware, or network failures, primary-standby read-only restricted mode ensures that an Oracle Key Vault server is available to service endpoints, thus ensuring operational continuity. However, key and sensitive operations, such as generation of keys are disabled, while operations such as generation of audit logs are unaffected.

When an unplanned shutdown makes the standby server unreachable, the primary server is still available to the endpoints in read-only mode.

18.6 Commercial National Security Algorithm Suite Support

You can use scripts to perform Commercial National Security Algorithm (CNSA) operations for Oracle Key Vault HSM backup and upgrade operations.

18.6.1 About Commercial National Security Algorithm Suite Support

You can configure Oracle Key Vault for compliance with the Commercial National Security Algorithm (CNSA) Suite.

This compliance applies to TLS connections to and from the Oracle Key Vault appliance.

The CNSA suite is a list of strong encryption algorithms and key lengths, that offer greater security and relevance into the future.

Oracle Key Vault release 12.2 BP3 or later do not provide complete compliance across every component in the system. You will be able to switch to the CNSA algorithms, where available by means of the following scripts that are packaged with the Oracle Key Vault ISO:

  • /usr/local/okv/bin/okv_cnsa makes configuration file changes to update as many components as possible to use the enhanced algorithms.

  • /usr/local/okv/bin/okv_cnsa_cert regenerates CNSA compliant public key pairs and certificates.

    Note:

    The /usr/local/okv/bin/okv_cnsa and /usr/local/okv/bin/okv_cnsa_cert scripts are both disruptive because they replace the old key pairs with new ones. This has consequences for the following operations:
    • Endpoint Enrollment: Enroll endpoints after running this script when possible. If you had endpoints enrolled before running the CNSA script, you must reenroll them so that fresh CNSA compliant keys are generated using CNSA algorithms.

    • Primary-Standby: Run the CNSA scripts on both Oracle Key Vault instances before pairing them in a primary-standby configuration when possible. If you had primary-standby before you run the CNSA scripts, then you must re-configure primary-standby as follows: unpair the primary and standby servers, reinstall the standby server, run the CNSA scripts individually on each server, and then pair them again.

Limitations:

  • CNSA compliance is not supported for all components in the Oracle Key Vault infrastructure (for example, SSH or Transparent Data Encryption (TDE)).

  • The Firefox browser is not supported for use with the Oracle Key Vault management console when CNSA is enabled. This is because the Firefox browser does not support CNSA-approved cipher suites.

18.6.2 Running the Commercial National Security Algorithm Scripts

You configure Oracle Key Vault to use the Commercial National Security Algorithm (CNSA) suite by running CNSA scripts.

  1. Back up Oracle Key Vault.
  2. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.

  3. SSH into the Oracle Key Vault server as the support user, entering the support user password that was created during post-installation, when prompted.
     $ ssh support@okv_instance
  4. Change to the root user:
    $  su root
  5. Run the scripts as follows:
    root#  /usr/local/okv/bin/okv_cnsa
    root#  /usr/local/okv/bin/okv_cnsa_cert
  6. Disable SSH access and then restart the Oracle Key Vault server.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save. Restart the Oracle Key Vault server by selecting the System tab, then Status.

The scripts update the /usr/local/okv/etc/okv_security.conf with the following line:
USE_ENHANCED_ALGORITHMS_ONLY="1"

18.6.3 Performing Backup Restore Operations with CNSA

After you restore a backup of the Oracle Key Vault that was configured to use the enhanced Commercial National Security Algorithm (CNSA) Suite, use /usr/local/okv/bin/okv_cnsa to reconfigure CNSA compliance.

  1. Perform the backup restore operations.
  2. Wait until the restore operation is complete and the system has restarted.
    Do not proceed without completing this step.
  3. SSH into the Oracle Key Vault server as the support user:
     $ ssh support@okv_instance
  4. Switch to the root user:
    $ su root
  5. Run the following CNSA script :
     root#  /usr/local/okv/bin/okv_cnsa
    

18.6.4 Upgrading a Standalone Oracle Key Vault Server with CNSA

You can upgrade a standalone Oracle Key Vault while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Do not proceed without completing this step.
  2. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  3. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.

  4. Ensure you have enough space in the destination directory for the upgrade ISO files.
  5. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
  6. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
    scp remote_host:remote_path/okv-upgrade-disc-new_software_release_number.iso /var/lib/oracle/destination_directory_for_iso_file

    In this specification:

    • remote_host is the IP address of the computer containing the ISO upgrade file.
    • remote_path is the location of the ISO upgrade file.
  7. Make the upgrade accessible by using the mount command:
    root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-new_software_release_number.iso /images
  8. Clear the cache using the clean all command:
    root# yum -c /images/upgrade.repo clean all
  9. Execute the following upgrade ruby script:
    root# /usr/bin/ruby/images/upgrade.rb --confirm

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes

    If you see an error message, then check the log file /var/log/messages for additional information.

  10. Run the first CNSA script, which is available from the Oracle Key Vault ISO files location:
     root#  /usr/local/okv/bin/okv_cnsa
  11. Restart the Oracle Key Vault server:
    root# /sbin/reboot

    On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.

    The upgrade is completed when the screen with heading: Oracle Key Vault Server release_number installation has completed. The release_number value should reflect the upgraded release.

  12. Confirm that Oracle Key Vault has been upgraded to the correct version.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select Status.
    3. Verify that the version displayed is that of the new software release.
      The release number is also at the bottom of each page, to the right of the copyright information.
  13. Disable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.

18.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA

You can upgrade Oracle Key Vault primary-standby servers while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

You must perform the upgrade standby and primary servers in one session with as little time between the standby and primary upgrade as possible. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.
  1. Prepare for the upgrade.
    • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

    • Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.

    • Ensure that both the primary and standby systems have 8 GB memory.

  2. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Ensure that in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, that no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), since these new keys will not included in the backup.
    Do not proceed without completing this step.
  3. First, upgrade the standby server while the primary server is running.

    Follow Steps 2 through Step 11 of the standalone server upgrade process for CNSA.

  4. Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
  5. Upgrade the primary Oracle Key Vault server following Steps 1 through 11 of the standalone server upgrade.

    After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.

  6. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  7. Select the System tab, and then Status.
  8. Verify that the Version field displays the new software version release number.

18.7 Minimizing Downtime

Business-critical operations require data to be accessible and recoverable with minimum downtime.

You can configure Oracle Key Vault to ensure minimum downtime in the following ways:

  • Configuring a multi-master cluster: You can configure a multi-master cluster by adding redundancy in the form of additional nodes. The client can access any available node. In the event of a failure of any node, a client will automatically connect to another node in the endpoint node scan list. This reduces and potentially eliminates downtime.

  • Configuring a primary-standby environment: A primary-standby environment is configured by adding redundancy in the form of a standby server. The standby server takes over from the primary server in the event of a failure, thus eliminating single points of failure, and minimizing downtime.

  • Enabling read-only restricted mode: Primary-standby read-only restricted mode ensures endpoint operational continuity when primary or standby Oracle Key Vault servers are affected by server, hardware, or network failures. When an unplanned shutdown causes the standby server to become unreachable, the primary server is still available to the endpoints.

    If primary-standby read-only restricted mode is disabled, then the primary server will become unavailable and stop accepting requests in the event of a standby failure. Endpoints connected to Oracle Key Vault are unable to retrieve keys until connectivity is restored between primary and standby servers.

    To ensure endpoint operational continuity in the event of a primary or standby server failure, enable read-only restricted mode.

  • Enabling persistent master encryption key cache: The persistent master encryption key cache ensures that the endpoints can access keys in the event of a primary or standby server failure. While the surviving server is taking over from the failed peer, the endpoints can retrieve keys from the persistent cache and continue operations normally.

  • Apply the TDE heartbeat database patch on endpoints: Apply the database patch for Bug 22734547 to tune the Oracle Key Vault heartbeat.

Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and enable it to be fully operational with minimum downtime and data loss.

If the Oracle Key Vault installation uses an online master encryption key (formerly known as TDE direct connect), then during an upgrade, ensure that you upgrade database endpoints in parallel to reduce total downtime.