Glossary
appliance
You can deploy an Oracle Key Vault appliance as a standalone server, a member of a primary-standby configuration, or a node in a multi-master cluster.
Audit Manager
An Oracle Key Vault administrative role that enables a user to manage audit lifecycle and policies and to separate the role of auditing from the role of managing the Oracle Key Vault server.
auto-login wallet
An Oracle wallet file that can be accessed without a password. An auto-login wallet is stored in a cwallet.sso file.
candidate node
During node induction, an Oracle Key Vault server to be added to a multi-master cluster. A candidate node must be a freshly installed Oracle Key Vault appliance, except when it is the initial node, in which case it provides the entirety of the cluster's initial data. A candidate node must be at the same release and patch level as the multi-master cluster to which it is being added.
After the server has been inducted into a cluster, it is called a node. After a successful node induction, you can configure the server to use the cluster-wide configuration settings. The cluster data set is then replicated to the node.
cluster data set
The set of all security objects managed by the cluster. When creating the cluster, the initial node provides all of the security objects that will be part of the initial cluster data set.
cluster link
A link that represents the outbound network connection (to the node) and the inbound replication process (from the node). You can enable or disable the link to manage node data replication.
cluster subgroup
A group of one or more nodes that is a subgroup of a cluster. Each node in a cluster can belong to only one subgroup. The node is assigned to a subgroup when the node is added to the multi-master cluster. The assignment is for each node, and members of a read/write pair can be in different subgroups.
The subgroup implements a notion of endpoint affinity. Endpoints are also a part of subgroups. The endpoint's subgroup is assigned when the endpoint is created. It is used when you set the endpoint's node search order in the endpoint node scan list. Nodes in the same subgroup as the endpoint are considered local to the endpoint. The local subgroup is scanned first before communicating with nodes that are not in the local subgroup.
The cluster topology can change when you add or remove new nodes to and from the cluster. The endpoints get this information with the response messages for the operations the endpoint initiated. Oracle Key Vault periodically sends the updated endpoint node scan list back to the endpoint even if there is no change to cluster topology. This is to account for any lost messages.
controller node
A node that controls or manages a cluster reconfiguration change, such as adding, enabling, disabling, or removing nodes. A node is only a controller node while the change is being made. During node induction, the controller node provides the server certificate and the data that is used to initialize the candidate node.
Each concurrent operation will have its own controller node. One controller node can only control one cluster configuration transaction at a time.
credential file
A file that contains sensitive information such as user IDs, passwords, and keys. The file, such as a Kerberos keytab file, is stored as an opaque object, which means that its individual contents are not interpreted by Oracle Key Vault. The entire file is uploaded and downloaded as an object.
See also security object.
default wallet
A special virtual wallet that is associated with an endpoint, into which all the endpoint's security objects can be automatically uploaded.
deleted node
A node that has been disassociated from the cluster by using either the Delete or the Force Delete button on the Oracle Key Vault management console. If it has been disabled for longer than the Maximum Disable Node duration, then you must delete the node.
Once a node has been deleted, you cannot re-associate it with the cluster. If it is to be inducted into the cluster, then you must re-image it and then convert it into a freshly installed server.
You can use the Delete option under normal operating circumstances. Only use the Force Delete option if the node is unreachable when the Delete option does not work.
endpoint
A computer system such as a database server, an application server, and other information systems, where keys are used to access encrypted data and credentials are used to authenticate to other systems.
endpoint administrator
Owner of an endpoint. Endpoint administrators are typically system, security, or database administrators, but they can be any personnel charged with deploying, managing, and maintaining security within an enterprise. They are responsible for enrolling endpoints and controlling endpoint access to security objects.
endpoint group
A collection of endpoints that are created to share a set of security objects.
heartbeat lag
A monitored metric that determines the health of the multi-master cluster. This is an indication of the node and network health. It is the time since the current node received a heartbeat message from a given node. A heartbeat is sent out from each node every two minutes. Every heartbeat should be received on each other node shortly thereafter.
A higher heartbeat lag indicates that the user operations that require conflict resolution like creating a wallet will take longer. Heartbeat lags between any two nodes affect the operations cluster wide. If the heartbeat lag is high, ensure that the cluster services are active and that replication is active. Disable and then re-enable the links between the two nodes between which the heartbeat lag is significant.
initial node
The first, or initial, node of an Oracle Key Vault Multi-Master Cluster. You create a multi-master cluster by converting a single Oracle Key Vault server to become the initial node. The Oracle Key Vault server can be a clean installed Oracle Key Vault server, or it can already be in service with active data. A standalone server or a member of a primary-standby configuration can be converted to be the initial node of a cluster. If you want to use a member of a primary-standby configuration, then you must first break the primary-standby relationship splitting the pair.
If the initial node has been active and therefore has data, then Oracle Key Vault uses this data as the cluster data set to initialize the cluster.
Initialization can occur only once in the life of the cluster.
installation passphrase
JAVA_HOME
The environment variable that points to the location of Java files (JDK/JRE) in the system. This allows Java applications to look up the JAVA_HOME variable in order to operate.
Java keystore file
A file that can hold multiple security objects such as keys and certificates. It uses the Java Keystore File (JKS) format.
Key Administrator
An Oracle Key Vault administrator role that enables a user to manage the key lifecycle and control access to all security objects within Oracle Key Vault. This is a highly sensitive role and should be granted with care.
keystore
A generalized term for a container that stores encryption keys including but not limited to TDE master encryption keys.
maximum disable node duration
The time, in hours, that a node may remain in the disabled state. If the node has been disabled for a longer duration, it can no longer be enabled.
The default maximum disable node duration is 24 hours.
MIB
Management information base; a text file that, if Oracle Key Vault is monitored through SNMP, describes the variables that contain the information that SNMP can access. The variables described in a MIB, which are also called MIB objects, are the items that can be monitored using SNMP. There is one MIB for each element that is monitored.
name resolution time
A monitored metric used to determine the health of the multi-master cluster. It is the average time taken to ascertain that there is no name conflict in the cluster or to resolve the name conflict after an attempt to use conflicting names took place.
node
An Oracle Key Vault server that has been converted to be a member of an Oracle Key Vault multi-master cluster. It is known as an Oracle Key Vault cluster node or simply a node.
node induction
The process of converting an Oracle Key Vault server to be a node in the multi-master cluster.
The initial node in a cluster provides the initial cluster data set. Subsequently, only new Oracle Key Vault servers can be inducted to the multi-master cluster, and the current data in the multi-master cluster is loaded into the new nodes.
OKV_HOME
The environment variable that points to the location in which the Oracle Key Vault endpoint software will reside. It contains sub-directories for endpoint software such as the configuration files, log files, libraries, binaries, and other files that the endpoint software utility needs.
online master encryption key
Oracle Key Vault multi-master cluster
A distributed set of Oracle Key Vault nodes that are grouped together so that they all communicate with one another. Some pairs of nodes are configured as read/write pairs. In a read-write pair, an update to one node is replicated to the other node, and the update must be verified on the other node before the update is considered successful.
All nodes in the multi-master cluster connect to all other nodes. Data updated in a read-write pair is replicated to all nodes.
Oracle Key Vault server
Oracle wallet file
A container that can hold multiple security objects such as keys and certificates. It uses the PKCS#12 cryptographic standard.
You can manage Oracle wallets in Oracle Key Vault just like other security objects. Optionally, you can encrypt them and protect them with a password. An Oracle wallet that can be accessed without a password is called an auto-login wallet.
See also password-protected wallet.
ORACLE_BASE
The environment variable that points to the root of the Oracle Database directory tree. The Oracle Base directory is the top level directory that you can use to install the various Oracle software products. You can use the same Oracle base directory for multiple installations. For example, /u01/app/oracle is an Oracle base directory created by the oracle user.
ORACLE_HOME
The environment variable that points to the directory path to install Oracle components (for example, /u01/app/oracle/product/18.3.0/db_n). You are prompted to enter an Oracle home in the Path field of the Specify File Locations window.
ORACLE_HOME corresponds to the environment in which Oracle Database products run. If you install an OFA-compliant database, using Oracle Universal Installer defaults, then the Oracle home (known as $ORACLE_HOME in this guide) is located beneath $ORACLE_BASE. The default Oracle home is db_n where n is the Oracle home number. It contains subdirectories for Oracle Database software executable files and network files.
ORACLE_SID
The environment variable that represents the Oracle System ID (SID), which uniquely identifies a particular database on a system. For this reason, you cannot have more than one database with the same SID on a computer system.
When using Oracle Real Application Clusters, you must ensure that all instances that belong to the same database have a unique SID.
oraenv
Along with coraenv, a Unix/Linux command line utility that sets the required environment variables (ORACLE_SID, ORACLE_HOME and PATH) to allow a user to connect to a given database instance. If these environment variables are not set, then commands such as sqlplus, imp, exp will not work (or not be found).
Use coraenv when using the C Shell and oraenv when using a Bourne, Korn, or Bash shell.
password-protected wallet
An encrypted Oracle wallet that has a user-defined password stored in an ewallet.p12 file.
PKCS#11 library
A library that allows an Oracle TDE database to connect to Oracle Key Vault to manage the master encryption keys.
PKCS#12 file
In cryptography, PKCS#12 defines an archive file format for storing many cryptographic objects as a single file. Wallet files are stored in PKCS#12 format.
read-only node
A node that is not part of a replication pair. Most data cannot be directly updated using the Oracle Key Vault management console, or with Oracle Key Vault client software. Critical data such as keys, wallets, and certificates in a read-only node is only updated through replication from read-write nodes.
read-only restricted mode
A node enters read-only restricted mode when it has no read/write pair, or if its read-write peer is unavailable. The Oracle Key Vault console displays a warning that the node is operating in read-only restricted mode. In read-only restricted mode, updates using the Oracle Key Vault management console, or Oracle Key Vault client software are restricted. However, you can still perform system configuration on the node.
When the node is a member of a read-write pair, this indicates the other node has been disabled but not deleted from the cluster, or the heartbeat is not detected for other reasons.
read/write mode
A node is in read/write mode when it is available for endpoint and wallet data updates using the Oracle Key Vault management console, or Oracle Key Vault client software. The node must be a member of a read/write pair, and the read/write peer must be online and active.
When both nodes in the pair are available, both nodes can accept updates, and all updates to one node are synchronously replicated to the peer. If one of the nodes in the pair becomes unavailable, then the remaining node enters read-only restricted mode and will not accept any data updates until the peer is restored.
The node state is displayed on the Monitoring page of the Cluster tab of the node management console. The Cluster tab of the node management console displays the type and status of all nodes in the cluster.
read/write pair
A pair of nodes that operates with bidirectional synchronous replication. You create the read/write pair by pairing a new node with a read-only node. You can update data, including the endpoint and wallet data, in either node by using the Oracle Key Vault management console, or Oracle Key Vault client software. The updates are replicated immediately to the other node in the pair. Updates are replicated asynchronously to all other nodes.
A node can be a member of at most one bidirectional synchronous pair.
A multi-master cluster requires at least one read-write pair to be fully operational. It can have a maximum of 8 read/write pairs.
read/write peer
The specific member of one, and only one, read-write pair in the cluster. Each read-write pair consists of only two nodes. You configure nodes as peers by setting Add Candidate Node as Read-Write Peer to Yes on the controller node during induction of the candidate node. Peers are identified on the Cluster Management Configuration page.
If one member of the pair is deleted, then the peer automatically becomes a read-only node.
recovery passphrase
A secret token that is created during the installation of an Oracle Key Vault appliance. The recovery passphrase created for the initial node is subsequently used by the cluster and propagated to all other nodes in the cluster.
You enter the existing recovery passphrase on both the controller page and the candidate page during induction of any nodes into the cluster. Because there is only one recovery passphrase, you must use that same recovery passphrase when the recovery passphrase is required.
replication
The process of replicating data changes that were made to a read-write node to all other nodes. The read-write peer is updated immediately. Replication is used to distribute the data to all other nodes in the cluster.
replication lag
A monitored metric that determines the health of the multi-master cluster. It is the time taken for an object to be replicated to another node.
A higher replication lag indicates that Oracle Key Vault operations, such as changing the access permissions for an endpoint on the wallet, will take longer to replicate. Depending on the operation, a replication lag may or may not have a cluster-wide impact. If the replication lag is significant between two nodes, then you should disable and re-enable the cluster links.
security object
An object that contains critical data provided by the user. A security object can be of the following types:
- private encryption key
- Oracle wallet
- Java keystore
- Java Cryptography Extension keystore
- certificate
- credential file
software appliance
A self-contained preconfigured product that can be installed on supported hardware dedicated for a specific purpose.
sqlnet.ora
An Oracle Database configuration file for the client or server. By default, the sqlnet.ora file resides in the $ORACLE_HOME/network/admin directory. It specifies the following connection information:
- Client domain to append to unqualified service names or net service names
- Order of naming methods for the client to use when resolving a name
- Logging and tracing features to use
- Route of connections
- External naming parameters
- Oracle Advanced Security parameters
System Administrator
An Oracle Key Vault administrator role that enables a user to create users, endpoints and their respective groups, configure system settings and alerts, and generally administer Oracle Key Vault. This is a highly sensitive role and should be granted with care.
TDE master encryption key
A key that encrypts the data encryption keys for tables and tablespaces.
template
A collection of attributes for security objects. When a security object is created using a template, then the attributes in the template are automatically assigned to the new object.
user
A staff member who uses Oracle Key Vault. Users can be administrators, auditors, or ordinary users with no administrative roles.
user group
A named collection of Oracle Key Vault users. A user group can collectively be granted privileges or roles.
virtual wallet
A container for security objects such as public and private encryption keys, TDE master encryption keys, passwords, credentials, and certificates in Oracle Key Vault. The main purpose of a virtual wallet is to enable sharing of keys among endpoints.