E Managing Oracle Key Vault Platform Certificates
This chapter describes how to manage Oracle Key Vault Platform certificates by monitoring and rotating platform certificates before they expire.
- Overview of Oracle Key Vault Platform Certificates
  Oracle Key Vault platform certificates are used when adding a new node to an Oracle Key Vault multi-master cluster, or when adding systems to a primary-standby deployment.
- Monitoring Oracle Key Vault Platform Certificate Expiration
  You can proactively set alerts and monitor the expiration dates of the Oracle Key Vault platform certificates and rotate them before they expire.
- Rotating Platform Certificates
  You must rotate the platform certificates by logging in to the Oracle Key Vault system and running a series of commands.
E.1 Overview of Oracle Key Vault Platform Certificates
Oracle Key Vault platform certificates are used when adding a new node to an Oracle Key Vault multi-master cluster, or when adding systems to a primary-standby deployment.
They are also used when shipping redo between read/write nodes in the cluster. These certificates are different from the Oracle Key Vault service certificates and have different expiration dates. They are also managed using a different process than Oracle Key Vault service certificates. If you do not rotate the Oracle Key Vault platform certificates before they expire, you cannot add a new node to the Oracle Key Vault multi-master cluster. The redo shipping between Oracle Key Vault read/write nodes may also be impacted, causing each node of the read/write pair to go into read-only restricted mode. You cannot upgrade an Oracle Key Vault system with expired platform certificates. You must rotate the Oracle Key Vault platform certificates before they expire.
Rotating the Oracle Key Vault platform certificates does not rotate the Oracle Key Vault service certificates and does not impact endpoint communication with Oracle Key Vault. Similarly, rotating Oracle Key Vault service certificates does not rotate the platform certificates.
E.2 Monitoring Oracle Key Vault Platform Certificate Expiration
You can proactively set alerts and monitor the expiration dates of the Oracle Key Vault platform certificates and rotate them before they expire.
- Finding the Expiration Date of Platform Certificates
  You can find the expiration date of platform certificates on the Oracle Key Vault management console.
- Monitoring Platform Certificates Expiration Using Platform Certificate Expiration Alerts
  You can set the expiration alerts as reminders to rotate the platform certificates before they expire.
E.2.1 Finding the Expiration Date of Platform Certificates
You can find the expiration date of platform certificates on the Oracle Key Vault management console.
E.2.2 Monitoring Platform Certificates Expiration Using Platform Certificate Expiration Alerts
You can set the expiration alerts as reminders to rotate the platform certificates before they expire.
Expiration of the platform certificates could result in redo shipping failures between read/write nodes in a multi-master cluster or between the primary and standby of a primary-standby deployment, resulting in the systems going into read-only restricted mode. It may also prevent the addition of a new node to the Oracle Key Vault cluster and prevent upgrade of the Oracle Key Vault system. To avoid this scenario, Oracle recommends that you configure the Platform Certificate Expiration alert as a reminder to rotate the Oracle Key Vault platform certificates before they expire, and ensure that you rotate them before their expiration date. This alert is separate from those monitoring expiration of the Oracle Key Vault service certificates (CA, server/node, and endpoint certificates).
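As an added illustration (not Oracle Key Vault's own alert mechanism, which is configured in the management console), the following shell script emulates such an expiration check with OpenSSL: it compares a certificate's notAfter date against an alert window in days and reports ALERT when rotation is due. The certificate path is an assumption; because the page does not say where Oracle Key Vault stores its platform certificates, the check runs against a self-signed test certificate constructed in the script.

```shell
#!/bin/sh
# Added example, not Oracle Key Vault tooling: emulate a platform certificate
# expiration alert with OpenSSL. Real OKV platform certificate paths are not
# given on this page, so the check runs against a constructed test certificate.

# check_cert_expiry CERT_PEM ALERT_DAYS
# Exit status: 0 = valid for more than ALERT_DAYS, 1 = expires (or expired)
# within ALERT_DAYS and should be rotated, 2 = certificate unreadable.
check_cert_expiry() {
    cert="$1"
    alert_days="$2"
    window=$((alert_days * 86400))                      # alert window in seconds
    enddate=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || return 2
    # -checkend exits 0 only if the certificate is still valid $window seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "OK: $cert valid beyond the ${alert_days}-day window ($enddate)"
        return 0
    fi
    echo "ALERT: $cert expires within $alert_days days ($enddate); rotate it"
    return 1
}

# Constructed stand-in for a platform certificate: self-signed, valid 10 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=okv-platform-cert-example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: a 7-day alert window passes, a 30-day window raises the alert.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
check_cert_expiry "$demo_dir/cert.pem" 7
check_cert_expiry "$demo_dir/cert.pem" 30 || true
rm -rf "$demo_dir"
```

The exit status lets the function drive a cron job or monitoring hook, so a status of 1 can be turned into a ticket well before the platform certificate actually expires.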
E.3 Rotating Platform Certificates
You must rotate the platform certificates by logging in to the Oracle Key Vault system and running a series of commands.
In the case of a multi-master cluster, different steps may need to be run on different nodes of the cluster. In the case of a primary-standby environment, the steps may need to be run on both primary and standby.
- Rotating Platform Certificates on a Standalone Oracle Key Vault Server
  Rotate the platform certificates on a standalone Oracle Key Vault server to replace the existing certificates near their expiration date with the new ones.
- Rotating Platform Certificates in a Multi-Master Cluster Environment
  Learn how to rotate platform certificates in a multi-master cluster environment.
E.3.1 Rotating Platform Certificates on a Standalone Oracle Key Vault Server
Rotate the platform certificates on a standalone Oracle Key Vault server to replace the existing certificates near their expiration date with the new ones.
E.3.2 Rotating Platform Certificates in a Multi-Master Cluster Environment
Learn how to rotate platform certificates in a multi-master cluster environment.
- Rotate Platform CA Certificate on Read/Write Multi-Master Cluster Nodes
  Rotate the platform certificates on Read/Write Multi-Master Cluster Nodes to replace the existing certificates near their expiration date with the new ones.
- Rotate Platform CA Certificate on Read-Only Multi-Master Cluster Nodes
  Learn how to rotate platform certificates on each read-only Oracle Key Vault multi-master cluster node.
- Rotate Platform Certificate Used For Redo Shipping On Any One Multi-Master Cluster Node
  In a multi-master cluster environment, you must rotate the platform certificate used for redo shipping on one node of the multi-master cluster, and then transfer the certificate to all of the other multi-master cluster nodes.
- Transfer the Rotated Redo Shipping Platform Certificate to Other Multi-Master Cluster Nodes
  Learn how to transfer the redo shipping platform certificate to the other multi-master cluster nodes after rotating it on one multi-master cluster node.
E.3.2.1 Rotate Platform CA Certificate on Read/Write Multi-Master Cluster Nodes
Rotate the platform certificates on Read/Write Multi-Master Cluster Nodes to replace the existing certificates near their expiration date with the new ones.
In this section, Node A and Node B refer to the two nodes of a given read/write pair. Implement these steps on each set of read/write pairs in turn.
E.3.2.2 Rotate Platform CA Certificate on Read-Only Multi-Master Cluster Nodes
Learn how to rotate platform certificates on each read-only Oracle Key Vault multi-master cluster node.
E.3.2.3 Rotate Platform Certificate Used For Redo Shipping On Any One Multi-Master Cluster Node
In a multi-master cluster environment, you must rotate the platform certificate used for redo shipping on one node of the multi-master cluster, and then transfer the certificate to all of the other multi-master cluster nodes.
Perform these steps to rotate the redo shipping platform certificates on one node of the multi-master cluster.