6 Oracle Database Instances in Oracle Cloud Infrastructure

Oracle Key Vault deployed on-premises can manage the TDE master encryption keys for Oracle Database instances running in Oracle Cloud Infrastructure (OCI).

6.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints

This type of Oracle Key Vault server deployment meets compliance standards for the management of encryption keys.

The Oracle Database instances running in Oracle Cloud Infrastructure (OCI) can be deployed on a VM shape, bare metal, or Exadata. This type of deployment provides physical separation of keys from the encrypted data, and gives on-premises administrators control and visibility of how encryption keys are used to access encrypted data in the cloud. This also meets compliance requirements where encryption keys must be managed on-premises or separately from the systems containing the encrypted data.

6.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

Oracle Key Vault supports the use of Oracle database instances on Oracle Cloud Infrastructure (OCI).

6.2.1 About Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint

To prepare an Oracle database instance on OCI to be an Oracle Key Vault endpoint, you must first configure the instance, and then create a low-privileged user.

Oracle databases on Oracle Cloud Infrastructure (OCI) provide fully functional Oracle database instances that use computing and storage resources provided by Oracle Compute Cloud Service. This eliminates the need to purchase, build, and manage silos of server and storage systems. It also makes database resources and capabilities available online so users can consume them whenever and wherever they are needed.

6.2.2 Configuring a Database Cloud Service Instance

A Database as a Service (DBaaS) instance must have the correct network configuration.

You can find instructions for configuring an Oracle Base Database Service instance in the Oracle Base Database Service documentation.

After you have configured the DBaaS instance, it should have the following default values:

  • A public IP address

  • Two users: oracle and opc (Oracle Public Cloud)

  • SSH access to the oracle and opc users

6.2.3 Creating a Low Privileged Operating System User on Database as a Service

The low privileged user account, okv, will be responsible for configuring an SSH tunnel and communicating with the DBaaS instances.

By default, Database as a Service instances are provisioned with the oracle and opc users. These users have more privileges than necessary to create the SSH tunnel, so Oracle recommends that you create another low privileged operating system user named okv on the Database as a Service instance. Oracle Key Vault will use user okv to configure an SSH tunnel and communicate with the Database as a Service instances.
  1. Log in to the Oracle Cloud Infrastructure (OCI) instance using public key authentication (default for Oracle OCI) as user opc.
    $ ssh -i private_key_file opc@node_ip_address
    

    In this specification:

    • private_key_file is the path to your private key file (~/.ssh/id_rsa). This key is the counterpart to the public key that you uploaded when you provisioned the Oracle Cloud Infrastructure instance.
    • node_ip_address is the public IP address of the Database as a Service compute node in x.x.x.x format.
    If this is the first time you are connecting to the compute node, the SSH utility prompts you to confirm the public key.
  2. In response to the prompt asking you to confirm the public key, enter yes.
  3. Create the Oracle Key Vault user.
    $ sudo adduser okv
    
  4. Append the Oracle Key Vault user okv to the AllowUsers parameter in the SSH sshd_config configuration file in the /etc/ssh/ directory.
    $ sudo vi /etc/ssh/sshd_config
  5. Add the following entry to the end of the file:
    AllowUsers oracle opc okv
  6. Restart the SSH daemon:
    $ sudo /sbin/service sshd restart
    
  7. Grant the Oracle Key Vault user okv permission to execute /sbin/fuser by following these steps:
    1. Change the file permission of the /etc/sudoers file.
      sudo chmod 740 /etc/sudoers
    2. Edit the /etc/sudoers file.
      sudo vi /etc/sudoers
    3. Add the following entry:
      okv     ALL=(root) NOPASSWD:/sbin/fuser
    4. Save the /etc/sudoers file. Change the file permission of the /etc/sudoers file.
      sudo chmod 440 /etc/sudoers
    5. The /etc/sudoers file should then look similar to the following:
      ## Allow root to run any commands anywhere
      root    ALL=(ALL)       ALL
      okv     ALL=(root) NOPASSWD:/sbin/fuser
  8. Become the okv user. The account created by adduser has no password set, so switch to it through sudo rather than with a plain su, which would prompt for the okv password:
    $ sudo su - okv
  9. Create the authorized_keys file and then set appropriate permissions for this file.
    $ cd $HOME
    $ mkdir ./.ssh
    $ chmod 700 ./.ssh
    $ touch ./.ssh/authorized_keys
    $ chmod 640 ./.ssh/authorized_keys
  10. Log in to the Oracle Key Vault instance as the support user, switch to root, and then switch to oracle.
  11. Execute the following command to upload the Oracle Key Vault public key into the authorized_keys file that you just created on the Oracle Cloud Infrastructure instance. The -i option names the public key file to upload; without it, ssh-copy-id would treat the path as a host name.
    ssh-copy-id -i ./.ssh/id_rsa.pub okv@node_ip_address
  12. Confirm that the okv user in Oracle Key Vault can log in to the OCI instance without providing a password:
    $ ssh okv@node_ip_address
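
As an added example, not part of the Oracle documentation: a read-only audit script that checks the okv user set-up from the steps above (AllowUsers entry, the sudoers grant limited to /sbin/fuser, and the .ssh permissions). The function names, the /home/okv home directory and the --run argument are this example's own assumptions; each check takes the path to inspect as an argument, so the checks can run on the live files as root or on copies of them.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit the low-privileged okv user
# set-up from the procedure above. Every check is read-only and takes
# the path to inspect, so it can run against /etc/ssh/sshd_config,
# /etc/sudoers and /home/okv/.ssh as root, or against copies of them.

# sshd must name okv in an active (uncommented) AllowUsers directive,
# otherwise the login that carries the tunnel from Oracle Key Vault is refused.
okv_allowusers_ok() {
    grep -E '^[[:space:]]*AllowUsers[[:space:]]' "$1" | grep -qw 'okv'
}

# Every active sudoers entry for okv must be exactly the one the page
# adds: root, no password, /sbin/fuser only. A broader grant (ALL, extra
# commands) turns the tunnel account into a privilege-escalation path.
okv_sudoers_ok() {
    entries=$(grep -E '^[[:space:]]*okv[[:space:]]' "$1" \
              | sed -E 's/[[:space:]]+/ /g; s/: /:/g; s/ $//')
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries" | while IFS= read -r line; do
        [ "$line" = "okv ALL=(root) NOPASSWD:/sbin/fuser" ] || exit 1
    done
}

# ~okv/.ssh must be mode 700 and authorized_keys must not be group- or
# world-writable (the page uses 640); otherwise sshd's StrictModes
# silently ignores the Oracle Key Vault public key uploaded with ssh-copy-id.
okv_ssh_dir_ok() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "700" ] || return 1
    [ -f "$1/authorized_keys" ] || return 1
    case "$(stat -c '%a' "$1/authorized_keys")" in
        [0-7][0145][0145]) return 0 ;;   # no write bit for group or other
        *) return 1 ;;
    esac
}

# Run every check against the live host; non-zero status if any finding.
okv_audit() {
    rc=0
    id okv >/dev/null 2>&1 \
        && echo "ok    okv account exists" \
        || { echo "FAIL  okv account missing"; rc=1; }
    okv_allowusers_ok /etc/ssh/sshd_config \
        && echo "ok    AllowUsers includes okv" \
        || { echo "FAIL  AllowUsers does not include okv"; rc=1; }
    okv_sudoers_ok /etc/sudoers \
        && echo "ok    sudoers grants okv only /sbin/fuser" \
        || { echo "FAIL  sudoers entry for okv missing or too broad"; rc=1; }
    okv_ssh_dir_ok /home/okv/.ssh \
        && echo "ok    ~okv/.ssh permissions" \
        || { echo "FAIL  ~okv/.ssh or authorized_keys permissions"; rc=1; }
    return $rc
}

# Invoke as `sudo sh okv_audit.sh --run` on the DBaaS node to audit the live files.
case "${1:-}" in
    --run) okv_audit ;;
esac
```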

6.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service

An on-premises Oracle Key Vault communicates with an Oracle Cloud Database as a Service instance using a secure SSH tunnel.

6.3.1 Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance

You can create a connection between Oracle Key Vault and a Database as a Service (DBaaS) instance by configuring an SSH tunnel.

You can configure the SSH tunnel only after you set up the Database as a Service instance. You must have the Database as a Service instance's public IP address and the name of the operating system user that you want to use to establish the tunnel.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings in the left navigation bar.
  3. In the Network Details area, select SSH Tunnel.

    The SSH Tunnel Settings page appears.

  4. Click Add.
  5. Copy the text in SSH Public Key field and save it.
    Remember that this is the public key that was copied into the OCI instance for user okv when you created the low-privileged operating system user on the Database as a Service instance. You will need to transport it to the Database as a Service instance and add it to the authorized_keys file of the Database as a Service user okv at /home/okv/.ssh/authorized_keys.
  6. In the Remote Host Details page, enter information in the following fields:
    • Tunnel Name: Choose a descriptive name that identifies the tunnel, based on the Database as a Service instance to be associated with it.

    • IP Address: Enter the public IP address of the Database as a Service instance.

    • Port: Enter a port number if you want to use a particular port number, or use the displayed default.

    • User Name: Enter okv for the user name.

    You can complete these fields only after you set up the Database as a Service instance and obtained the public IP address and user name.

  7. Click Add.

    The SSH Tunnel Settings page appears. It displays the SSH tunnel that you just created and any preexisting SSH tunnels.

    It lists the tunnels created with the name, IP address, port, and registration time of each.

  8. Click a tunnel name to see the SSH Tunnel Details page.
  9. To delete a tunnel, check the box by the tunnel that you want to delete and then click Delete.

    You can delete more than one tunnel by selecting multiple boxes.

  10. Click Disable to disable the tunnel.

    When you disable the tunnel, the endpoints that are associated with this tunnel will no longer be able to communicate with Oracle Key Vault.

  11. In the confirmation dialog box, click Yes.
    The Disable button is replaced by an Enable button.

6.3.2 Managing a Reverse SSH Tunnel in a Multi-Master Cluster

In a multi-master cluster, you can create reverse SSH tunnels from more than one node to the cloud-based endpoint for redundancy.

Oracle recommends that you configure three tunnels. Ideally, the cloud-based reverse SSH tunnels should be from different read-write pairs. Multiple SSH tunnels to the same endpoint are distinguished by the port number used. Oracle Key Vault suggests unique port numbers based on node ID. If you want to specify different port numbers, make port numbers for SSH tunnels from different nodes to the same endpoint unique.

In a multi-master cluster, multiple SSH tunnels are created from multiple nodes to the same endpoint. However, when you register and enroll endpoints, you will only see the tunnel from that node.

Be aware of the following:

  • You should register and enroll the endpoint on a node that has an SSH tunnel created to that endpoint.
  • You only see the tunnel from that node to the endpoint in the following places:
    • During the registration, the option to select the SSH tunnel.
    • After registration, when you view endpoint details, only that tunnel is displayed.
    • When you submit the enrollment token and download the endpoint software, only that tunnel is displayed. However, the endpoint software downloaded has information about all tunnels to the endpoint. This means that the endpoint is able to use all the tunnels that were created before the endpoint is created.

All nodes which have an SSH tunnel created display their tunnel to the endpoint on the Endpoint Details page. They also list all tunnels that were created from that node on the SSH Tunnels page in the Oracle Key Vault management console.

6.3.3 Managing a Reverse SSH Tunnel in a Primary-Standby Configuration

A reverse SSH tunnel in a primary-standby configuration is similar to a reverse SSH tunnel on a standalone Oracle Key Vault server.

The SSH keys of the primary and standby servers are the same after pairing. Tunnels created on an Oracle Key Vault server before primary-standby pairing, as well as tunnels created on the primary after pairing, remain valid after primary-standby operations such as switchover and failover, although the tunnels may be unavailable while these operations run.

6.3.4 Viewing SSH Tunnel Configuration Details

The Oracle Key Vault management console provides information about SSH tunnels that have been configured for Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings in the left navigation bar.
  3. In the Network Details area, select SSH Tunnel.

    The SSH Tunnel Settings page appears.

  4. Click a tunnel name to see the SSH Tunnel Details page.

6.3.5 Disabling an SSH Tunnel Connection

You can use the Oracle Key Vault management console to disable the Oracle Key Vault and Database as a Service instance connection.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings in the left navigation bar.
  3. In the Network Details area, select SSH Tunnel.

    The SSH Tunnel Settings page appears.

  4. Click a tunnel name to see the SSH Tunnel Details page.
  5. Click Disable to disable the tunnel.

    When you disable the tunnel, the endpoints that are associated with this tunnel will no longer be able to communicate with Oracle Key Vault. A red down arrow appears next to the SSH Tunnel Status label.

  6. In the confirmation dialog box, click Yes.
    The Disable button is replaced by an Enable button.

6.3.6 How the Connection Works if the SSH Tunnel Is Not Active

The SSH tunnel is kept alive even if there is no activity between Oracle Key Vault and the Database as a Service instance.

If the tunnel stops, then it is automatically restarted. An alert will be sent if the tunnel is not available for any reason. An administrative user may elect to receive these alerts by email by configuring SMTP settings on Oracle Key Vault.

6.3.7 Deleting an SSH Tunnel Configuration

You can use the Oracle Key Vault management console to delete the connection between Key Vault and a Database as a Service instance.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click System.

    The Status page appears.

  3. Select SSH Tunnel Settings from the left side bar.

    The SSH Tunnel Settings page appears.

  4. To delete a tunnel, check the box by the tunnel that you want to delete and then click Delete.

    You can delete more than one tunnel by selecting multiple boxes.

6.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

You can use the command line and the Oracle Key Vault management console to complete this task.

6.4.1 About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint

You must enroll the Oracle Database as a Service instance before it can communicate with an Oracle Key Vault server.

The enrollment of Database as a Service endpoints is similar to the enrollment of on-premises endpoints with the following exceptions:

  • Database as a Service endpoints should be registered with an endpoint type of "Oracle Database Cloud Service".

  • Database as a Service endpoints have a primary tunnel IP associated with them. You must select the SSH tunnel with the same public IP address of the Database as a Service instance.

  • The platform must be Linux. This is automatically selected and cannot be modified.

  • You must download the jar file on-premises and transfer it to the Database as a Service instance using an out-of-band method like SCP or FTP.

6.4.2 Step 1: Register the Endpoint in the Oracle Key Vault Management Console

The endpoint registration process downloads an okvclient.jar file, which contains the Oracle Key Vault software that the endpoint needs, to the local system.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Endpoints tab, and then Endpoints in the left navigation bar.
  3. Click Add.

    The Register Endpoint page appears.

  4. Enter the following endpoint details:
    • Endpoint Name: Enter a unique name for the endpoint.
    • Make Unique: If you are using a multi-master cluster, then choose whether to select the Make Unique check box. Make Unique helps to control naming conflicts with endpoint names across the multi-master cluster environment.
      • If you select Make Unique, then the endpoint will be active immediately for Oracle Key Vault operations.
      • If you do not select Make Unique, then the endpoint account will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the endpoint name to a name that is unique across the clusters. If there is a naming collision, then you must recreate the endpoint with a unique name. An endpoint in the PENDING state cannot be used in any Oracle Key Vault operations.
    • Type: Select Oracle Database Cloud Service. When you select this option, the Click here to add a SSH tunnel link appears. Click this link to go to the Add SSH Tunnel page where you can add an SSH tunnel.
    • Platform: Linux is automatically selected.
    • Description: Enter a meaningful description to identify the endpoint.
    • Administrator Email: Optionally, enter the email address of an administrator who should receive endpoint-related alerts.
    • Cluster Subgroup: For a multi-master cluster environment, select the cluster subgroup for this endpoint.
  5. Click Register.
    After a short delay the Endpoints page displays the new endpoint in the Registered state with an Enrollment Token.
  6. Click Endpoint Name. The Endpoint Details page appears.
    Associate a default wallet with the registered endpoint now before enrolling the endpoint.
  7. Copy the Enrollment Token.
    You will need it to download the endpoint software and then enroll the endpoint (next step).
  8. Log out of Oracle Key Vault and open a new session.
    The login page appears. Do not log in.
  9. Click Endpoint Enrollment and Software Download immediately below Login.

    The Enroll Endpoint & Download Software page appears.

    The fields are populated with the values that were chosen by the Oracle Key Vault system administrator while registering the endpoint. You can change these values while completing the enrollment of the endpoint. Note that you must select the Primary SSH Tunnel for Database as a Service endpoints from the drop-down list. This is the only difference in the enrollment process from on-premises endpoints.

  10. In the Enrollment Token field, enter the endpoint token and then click Submit Token to validate the token.
  11. Click Enroll to download the okvclient.jar file to your local system.
  12. Move the okvclient.jar file to a secure directory on the Cloud Database as a Service instance with appropriate permissions in place so it cannot be read or copied by others.
    $ scp -i path_to_private_key-file path_to_okvclient.jar_on_local_computer oracle@node_ip_address:path_to_okvclient.jar_on_cloud_db_instance
    

    In this specification:

    • path_to_okvclient.jar_on_local_computer refers to the location of okvclient.jar on an on-premises local computer.
    • path_to_okvclient.jar_on_cloud_db_instance refers to the location of okvclient.jar on the Oracle Cloud Database as a Service instance.

6.4.3 Step 2: Prepare the Endpoint Environment

The endpoint must have a compatible version of the Java Development Toolkit (JDK) and the Oracle Database environment variables must be set.

  1. Ensure that you have the necessary administrative privileges to install software on the endpoint.
  2. Ensure that you have JDK 1.6 or later installed, and that the PATH environment variable includes the java executable (in the JAVA_HOME/bin directory).
    Oracle Key Vault supports JDK versions 1.6, 7, and 8. The 64-bit version of Java is required.
  3. Run the shell utility oraenv or source oraenv command to set the correct environment variables on Oracle Database servers.
  4. Check that the environment variables ORACLE_BASE and ORACLE_HOME are correctly set.
    • If you used oraenv to set these variables, then you must verify that ORACLE_BASE points to the root directory for Oracle Databases, and that ORACLE_HOME points to a sub-directory under ORACLE_BASE where an Oracle database is installed.
  5. Shut down the database if you are installing the endpoint software for an Oracle database configured for online TDE master encryption key management.
  6. As an endpoint administrator, shut down the Oracle database server.

6.4.4 Step 3: Install the Oracle Key Vault Software onto the Endpoint for Registration and Enrollment

To install the Oracle Key Vault software, you run the okvclient.jar file on the endpoint.

  1. Ensure that you are logged in to the endpoint server as the endpoint administrator.
  2. Confirm that the target directory exists, and that it is empty.
  3. If you are installing the endpoint software for an Oracle database configured for online TDE master encryption key management, then shut down the database.
  4. Run the java command to install the okvclient.jar file.
    $ java -jar /tmp/okvclient.jar -d /etc/ORACLE/KEYSTORES/okv

    In this specification, -d specifies the directory location for the endpoint software and configuration files, in this case /etc/ORACLE/KEYSTORES/okv.

    -o is an optional argument that enables you to overwrite the symbolic link reference to okvclient.ora when okvclient.jar is deployed in a directory other than the original directory. This argument is used only when you reenroll an endpoint.

    Later on, an administrator will need to set the WALLET_ROOT parameter to point to the /etc/ORACLE/KEYSTORES directory when the Oracle database must be configured to communicate with Oracle Key Vault.

  5. When you are prompted for a password, then perform either of the following two steps.
    The optional password goes into two places: okvutil and in ADMINISTER KEY MANAGEMENT. With okvutil, only users who know that password can upload or download content to and from Oracle Key Vault. With ADMINISTER KEY MANAGEMENT, it becomes the password that you must use in the IDENTIFIED BY password clause. If you choose not to give a password, then okvutil upload and download commands will not prompt for a password, and the password for ADMINISTER KEY MANAGEMENT becomes NULL.
    The choices for handling the password are as follows:
    • If you want to create a password-protected wallet, at minimum enter a password between 8 and 30 characters and then press Enter. For better security, Oracle recommends that you include uppercase letters, lowercase characters, special characters, and numbers in the password. The following special characters are allowed: period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.
      Enter new Key Vault endpoint password (<enter> for auto-login): Key_Vault_endpoint_password
      Confirm new endpoint password: Key_Vault_endpoint_password
      

      A password-protected wallet is an Oracle wallet file that stores the endpoint's credentials for accessing Oracle Key Vault. This password will be required whenever the endpoint connects to Oracle Key Vault.

    • Alternatively, enter no password and then press Enter.
    A successful installation of the endpoint software creates the following directories:
    • bin directory, with these contents:

      • okveps.x64 binary file
      • okvutil program
      • root.sh and root.bat scripts
    • conf directory, with these contents:

      • ewallet.p12 wallet file (Note that this wallet is the optional persistent cache. It is an auto-open wallet when the okvclient.jar file is installed without a password. It is protected with the Oracle Key Vault password if one is defined during the Oracle Key Vault client installation. It is protected with a random (unknown) password if that selection is made for this endpoint in the Oracle Key Vault management console.)
      • logging.properties configuration file
      • okvclient.lck lock file
      • okvclient.ora configuration file
      • okv.pc.lck lock file
    • csdk directory, with this subdirectory:
      • lib
    • jlib directory, with the following file:
      • okvutil.jar Java library jar file
    • lib directory with the following file:
      • liborapkcs.so library that the Oracle database uses to communicate with Oracle Key Vault
    • log directory, which contains the following file:
      • okvutil.deploy.log log file
    • ssl directory, with the following file:
      • ewallet.p12, which refers to a password-protected wallet. The cwallet.sso file refers to an auto-login wallet. These are TLS-related files and wallet files. The wallet files contain the endpoint credentials to connect to Oracle Key Vault.

6.4.5 Step 4: Perform Post-Installation Tasks

Post-installation tasks are important for a fully functioning Oracle Key Vault installation.

After you complete the installation, you can optionally configure a TDE connection for the endpoint, check the installation contents, and then delete the okvclient.jar file.
  1. Optionally, configure a TDE connection for the endpoint.
    The liborapkcs.so file contains the library that the Oracle database uses to communicate with Oracle Key Vault. If an endpoint uses online TDE master encryption key management by Oracle Key Vault, then you must install the PKCS#11 library by using root.sh or root.bat script.

    Note:

    • You must run root.sh or root.bat script to install the latest Oracle Key Vault PKCS#11 library only once on a host machine that has multiple TDE-enabled Oracle databases that use Oracle Key Vault for master encryption key management.
    • Ensure that you execute the root.sh or root.bat script only after the upgrade of the Oracle Key Vault endpoints for all of the TDE-enabled databases on the same host machine is complete.
    • Ensure that all of the TDE-enabled Oracle databases on this host are shut down.
    Log in as the root user and then execute the following command:
    $ sudo /etc/ORACLE/KEYSTORES/okv/bin/root.sh

    This command creates the directory tree /opt/oracle/extapi/64/hsm/oracle/1.0.0, changes ownership and permissions, then copies the PKCS#11 library into this directory.

  2. Use a command such as namei or ls -l to confirm that a softlink was created in $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora to point to the real file in the /conf subdirectory of the installation target directory.
    If the ORACLE_BASE environment variable has not been set, then the softlink was created in $ORACLE_HOME/okv/$ORACLE_SID.
  3. Start the Oracle databases if the upgrade of the Oracle Key Vault endpoints for all of the TDE-enabled databases on this host machine is complete.
  4. Run the okvutil list command to verify that the endpoint software installed correctly, and that the endpoint can connect to the Oracle Key Vault server.
    $ ./okvutil list
    If the endpoint is able to connect to Key Vault, then the No objects found message appears. If a Server connect failed message appears, then you must troubleshoot the installation for possible issues. Check that environment variables are correctly set. To get help on the endpoint software, execute the following command:
    $ java -jar okvclient.jar -h

    Output similar to the following appears:

    Production on Fri Apr 12 15:03:01 PDT 2019
    Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
    Usage:
      java -jar okvclient.jar [-h | -help] [[-v | -verbose] [-d <destination directory>] [-o]]
    
    Options:
      -h or -help : Display command help.
      -v or -verbose : Turn on the verbose mode. Logs will be written to files under
                       <destination directory>/log/ directory.
      -d <destination directory> : Specify the software installation directory.
      -o : Overwrite the current symbolic link to okvclient.ora.
    
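
As an added example, not Oracle's code: a post-installation check that verifies the directory layout listed in Step 3, the okvclient.ora softlink from step 2 above, and the okvutil list result from step 4. The function names are this example's own; the installation directory is passed as an argument, and ORACLE_BASE/ORACLE_HOME and ORACLE_SID come from the environment unless overridden.

```shell
#!/bin/sh
# Added example (not Oracle's code): verify an endpoint installation done
# with `java -jar okvclient.jar -d <install_dir>` against what the page
# says the installer creates, then check the okvclient.ora softlink and
# the connection to the Oracle Key Vault server.

# Files the page lists for a successful installation. conf/ewallet.p12 (the
# optional persistent cache) is omitted because it is not present in every
# configuration, and the ssl wallet is checked separately below.
OKV_EXPECTED_FILES="bin/okvutil bin/okveps.x64 bin/root.sh
conf/okvclient.ora conf/logging.properties jlib/okvutil.jar
lib/liborapkcs.so log/okvutil.deploy.log csdk/lib"

# Report every expected path missing under install dir $1; status 0 if none.
okv_layout_ok() {
    missing=0
    for f in $OKV_EXPECTED_FILES; do
        [ -e "$1/$f" ] || { echo "missing: $1/$f"; missing=$((missing + 1)); }
    done
    # The ssl directory holds either a password-protected or an auto-login wallet.
    [ -e "$1/ssl/ewallet.p12" ] || [ -e "$1/ssl/cwallet.sso" ] \
        || { echo "missing: $1/ssl/ewallet.p12 or cwallet.sso"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ]
}

# Step 2 above: $ORACLE_BASE/okv/$ORACLE_SID/okvclient.ora (or $ORACLE_HOME/...
# when ORACLE_BASE is unset) must be a softlink to <install_dir>/conf/okvclient.ora.
# $2 and $3 override the base directory and SID; otherwise the environment is used.
okv_symlink_ok() {
    base="${2:-${ORACLE_BASE:-$ORACLE_HOME}}"
    link="$base/okv/${3:-$ORACLE_SID}/okvclient.ora"
    [ -L "$link" ] || { echo "no softlink at $link"; return 1; }
    [ "$link" -ef "$1/conf/okvclient.ora" ] \
        || { echo "$link resolves to $(readlink "$link"), not to $1/conf/okvclient.ora"; return 1; }
    echo "softlink ok: $link"
}

# Step 4 above: run okvutil list and classify the two messages the page names.
# stdin is closed so a password-protected wallet cannot hang on its prompt;
# any other output (a listing of existing objects, a password request) is
# echoed for manual review.
okv_connect_status() {
    out=$("$1/bin/okvutil" list </dev/null 2>&1)
    case "$out" in
        *"Server connect failed"*) echo "connect-failed"; return 1 ;;
        *"No objects found"*)      echo "connected" ;;
        *)                         echo "review: $out"; return 2 ;;
    esac
}

# Run all three checks in order; usage:
#   okv_verify_install /etc/ORACLE/KEYSTORES/okv [oracle_base] [oracle_sid]
okv_verify_install() {
    okv_layout_ok "$1" && okv_symlink_ok "$1" "$2" "$3" && okv_connect_status "$1"
}
```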

6.5 Suspending Database Cloud Service Access to Oracle Key Vault

You can suspend one or more enrolled Database as a Service endpoints from access to Oracle Key Vault.

6.5.1 About Suspending Database Cloud Service Access to Oracle Key Vault

When the DBaaS service is suspended, the Oracle Key Vault Server rejects all requests from the suspended endpoints.

When you use an on-premises Oracle Key Vault to manage the online master encryption keys for Database as a Service endpoints, the master encryption keys are never stored persistently in Oracle Cloud. This way, the on-premises Oracle Key Vault administrator can control access to the encrypted data in the cloud.

An on-premises Oracle Key Vault administrator can suspend Database as a Service endpoints with a single click. This means that the Oracle Key Vault Server rejects all requests from the suspended endpoints. Because the endpoint cannot request keys from the Oracle Key Vault server, its ability to access encrypted data is lost after the key cached in memory times out. For Oracle Database Cloud Service endpoints, this time out is 5 minutes by default.

The on-premises Oracle Key Vault administrator can resume a suspended endpoint. This means that the Oracle Key Vault server can start servicing requests from the reinstated endpoint. The reinstated endpoint can now retrieve keys from the Oracle Key Vault server and access sensitive data.

In a multi-master cluster, when a node is being enabled or disabled, the information may not yet have reached all nodes in the cluster. If an endpoint attempts to contact a node whose information has not yet propagated throughout the cluster, an error may be returned.

Caution:

The suspend operation is a disruptive operation as it results in operational discontinuity. Therefore, you should use it with care. Usually, you should suspend the database only if there is a strong indication of abnormal activity in the Database as a Service instance.

You can only suspend enrolled endpoints. You cannot suspend endpoints that are in the Registered state. If you try to suspend endpoints that are already suspended, no operation will be performed. The endpoints will continue to be in suspended state.

6.5.2 Suspending Access for a Database Cloud Service to Oracle Key Vault

After you suspend the Database as a Service access to Oracle Key Vault, you can resume the access when needed.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Endpoints tab, and then Endpoints in the left navigation bar.
  3. In the Endpoints page, check the boxes by the endpoints that you want to suspend.
  4. Click Suspend.
  5. In the confirmation dialog box, click Yes.
  6. Click Endpoints to see the suspended endpoints.

    The status of suspended endpoints is highlighted in red.

6.6 Resuming Database Cloud Service Access to Oracle Key Vault

You can reinstate the connection between suspended Database Cloud Service endpoints and Oracle Key Vault.

When you resume these endpoints, their status will change to Enrolled. Resuming enrolled endpoints does not change their enrolled status.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Endpoints tab, and then Endpoints in the left navigation bar.
  3. In the Endpoints page, check the boxes by the endpoints that you want to resume.
  4. Click Resume.
  5. In the confirmation dialog box, click Yes.
  6. Click Endpoints to see the reenrolled endpoints. Their status is Enrolled.

6.7 Resuming a Database Endpoint Configured with a Password-Based Keystore

Depending on the configuration, a Database as a Service endpoint can resume either automatically or must be manually resumed.

A Database as a Service endpoint that is configured with auto-login keystore support will begin operations as soon as one of the nodes configured with reverse SSH access restores connectivity to the DBCS endpoint. On the other hand, the Database as a Service endpoint configured with password keystore will not resume operations after the endpoint is resumed on the Oracle Key Vault server. The keystore on the Database as a Service instance was closed because Oracle Key Vault suspended the endpoint. You should open the password-based keystore on the Database as a Service instance to resume operations.