9 Managing Oracle Key Vault Users

Oracle Key Vault users administer the system, enroll endpoints, manage users and endpoints, control access to security objects, and grant other users administrative roles.

9.1 Managing User Accounts

You can create Oracle Key Vault user accounts, grant these users Key Vault administrative roles, endpoint and endpoint group privileges, and add the users to user groups. You can also grant users privileges for managing endpoints and endpoint groups.

9.1.1 About Oracle Key Vault User Accounts

Oracle Key Vault user accounts serve several purposes, such as registering and enrolling endpoints.

An important user function is to register and enroll Oracle Key Vault endpoints, enabling the user to manage his or her security objects by using Oracle Key Vault.

There are three types of Oracle Key Vault users:

  • Administrative users who have one or more of the three administrative roles: System Administrator, Key Administrator, or Audit Manager
  • Users who have any of the following privileges: Create Endpoint, Manage Endpoint, Create Endpoint Group, Manage Endpoint Group
  • Ordinary users who have none of the administrative roles, but who have access to security objects

Separation of duties in Oracle Key Vault means that users with an administrative role or privilege have access to functions pertaining to their role or privilege, but not other roles or privileges. For example, only a user with the System Administrator role has access to the full System tab, not users with the Key Administrator or Audit Manager roles. A user who has the Key Administrator role or a user with the Manage Endpoint Group privilege can create endpoint groups (but cannot create endpoints). The user interface elements required to create endpoint groups are visible only to the users who have the privileges for creating endpoint groups.

Users who have no administrative role can be granted access to security objects that are specific to their function. For example, you can grant a user access to a specific virtual wallet. This user can log into the Oracle Key Vault management console and add, manage, and delete his or her own security objects, but he or she cannot see system menus, details of other users and endpoints, their wallets, or audit reports.

Although the separation of user duties is recommended, you can have a single user perform all the administrative functions by granting that user all the administrative roles.

Note:

You can enable the Enforce Separation of Administrator Roles option if you wish to enforce the separation of user duties.

Oracle Key Vault does not permit the user name to be the same as the name of another user or an endpoint. If you are creating users in a multi-master cluster environment, then there is a chance that a user with the same name will be created in another node at the same time. In that case, Oracle Key Vault checks for naming conflicts and will automatically rename the user account that was created after the first user account of that name. You must either accept the generated name for the second user or drop the user and then recreate it with a different name.

Oracle Key Vault allows you to configure certain parameters affecting the user passwords and user lockout behavior.

9.1.2 User Account Profile Parameters

You can configure user account profile parameters to apply certain rules for the user passwords and user account lockout behavior of Oracle Key Vault local users. For LDAP users, the user account management policies are managed in the LDAP directory server.

9.1.2.1 About User Account Profile Parameters

User account profile parameters govern the rules and requirements for the user passwords, and account lockout behavior of Oracle Key Vault local users.

You can configure user account profile parameters, as described in the following table, to best meet your corporate security requirements:

Table 9-1 User Account Profile Parameters

Each entry lists the parameter, its default value, and its description.

Failed Login Attempts, default 3
  Number of consecutive failed attempts to log in to the user account before the account is locked.

Password Life Time (in days), default 180
  Number of days the same password can be used for authentication.

Password Grace Time (in days), default 5
  Number of days after the grace period begins during which a warning is issued and login is still allowed.

Password Reuse Max, default 20
  Number of password changes required before the current password can be reused.

Password Reuse Time (in days), default 365
  Number of days before which a password cannot be reused.

Password Lock Time (in days), default 1
  Number of days an account stays locked after the specified number of consecutive failed login attempts. After this time passes, the account is unlocked.

9.1.2.2 Managing User Account Profile Parameters

You can manage the user account profile parameters in Oracle Key Vault.

You can modify the User Accounts profile parameters using Oracle Key Vault management console.
  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault server.
  2. Do not log in to Oracle Key Vault.
  3. Click the System Recovery link at the lower right corner of the login page.
    A new login page appears with a single field: Recovery Passphrase.
  4. In the Recovery Passphrase field, enter the recovery passphrase.
  5. Click Login.
  6. Select the Account Management tab from the page displayed.
    The User Account Profile Parameters pane appears along with the Administrator Management and Manage User Administrator Roles pane.
  7. Enter the desired parameter values for the required fields.
  8. Click Save.

    Clicking Save Defaults in the User Account Profile Parameters pane restores the profile parameters to their default values.

    Note:

    Profile parameter values cannot be modified when the recovery passphrase change is in progress.

9.1.3 How a Multi-Master Cluster Affects User Accounts

An Oracle Key Vault multi-master cluster environment affects users in various ways.

These can include expanding the activities that they can perform and ensuring that their names do not conflict with other objects in the cluster environment.

9.1.3.1 Multi-Master Cluster Effect on User Account Profile Parameters

In a multi-master cluster environment, when you modify user account profile parameters from the Oracle Key Vault management console, the change is applied to all the cluster nodes.

User account profile parameters govern the rules and requirements for the user passwords, and account lockout behavior of Oracle Key Vault local users.

Although the change is applied to all cluster nodes, these account profile settings are enforced on each cluster node independently. When a user account status changes on one cluster node, the user account status on the other nodes remains unaffected. For example, if a user account is locked on one cluster node, it may still remain unlocked on the other cluster nodes.

This behavior applies only to the Oracle Key Vault local users. For LDAP users, the account status is managed externally in the LDAP Directory and remains consistent across cluster nodes.
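To make the per-node enforcement concrete, here is an added Python model (not Oracle Key Vault code) of the Table 9-1 parameters applied to one local user on two nodes of a cluster. The parameter names and defaults come from the table; the classes, function names and the constructed scenario are my own, and the model assumes the grace period starts when Password Life Time expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class AccountProfile:
    """Cluster-wide profile parameters; defaults are the Table 9-1 values."""
    failed_login_attempts: int = 3
    password_life_time_days: int = 180
    password_grace_time_days: int = 5
    password_lock_time_days: int = 1


@dataclass
class LocalAccountState:
    """State of one local user account as held by ONE node (never replicated)."""
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def password_status(state: LocalAccountState, profile: AccountProfile, now: datetime) -> str:
    """Apply Password Life Time and Password Grace Time to a successful login."""
    age = now - state.password_set_at
    life = timedelta(days=profile.password_life_time_days)
    grace = timedelta(days=profile.password_grace_time_days)
    if age <= life:
        return "ok"
    if age <= life + grace:
        return "grace"      # a warning is issued but login is still allowed
    return "expired"


def record_login(state: LocalAccountState, profile: AccountProfile,
                 password_ok: bool, now: datetime) -> str:
    """Process one login attempt on this node and return the outcome."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"                      # Password Lock Time not yet elapsed
        state.locked_until = None                # lock time passed: account unlocks
        state.failed_attempts = 0
    if not password_ok:
        state.failed_attempts += 1
        if state.failed_attempts >= profile.failed_login_attempts:
            state.locked_until = now + timedelta(days=profile.password_lock_time_days)
            return "locked"
        return "failed"
    state.failed_attempts = 0                    # a good login resets the counter
    return password_status(state, profile, now)


class ClusterNode:
    """A node shares the profile parameters but keeps its own account state."""
    def __init__(self, name: str, profile: AccountProfile) -> None:
        self.name = name
        self.profile = profile
        self.accounts: Dict[str, LocalAccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        return record_login(self.accounts[user], self.profile, password_ok, now)


def simulate_cluster_lockout() -> Dict[str, str]:
    """Constructed scenario: the same local user on two nodes of one cluster."""
    profile = AccountProfile()
    t0 = datetime(2024, 1, 1, 9, 0)
    nodes = {n: ClusterNode(n, profile) for n in ("node_a", "node_b")}
    for node in nodes.values():
        node.accounts["OKV_OLIVER"] = LocalAccountState(password_set_at=t0)
    r = {}
    # Three wrong passwords on node_a reach Failed Login Attempts and lock the account there.
    for i in range(1, profile.failed_login_attempts + 1):
        r[f"a_fail_{i}"] = nodes["node_a"].attempt("OKV_OLIVER", False, t0)
    later = t0 + timedelta(hours=1)
    r["a_correct_while_locked"] = nodes["node_a"].attempt("OKV_OLIVER", True, later)
    # node_b never saw the failures, so the same user logs in there normally.
    r["b_correct"] = nodes["node_b"].attempt("OKV_OLIVER", True, later)
    # After Password Lock Time (1 day) node_a unlocks on its own.
    r["a_after_lock_time"] = nodes["node_a"].attempt(
        "OKV_OLIVER", True, t0 + timedelta(days=1, minutes=1))
    # Password Life Time / Grace Time: day 182 is inside the 5-day grace window, day 190 is past it.
    r["b_grace"] = nodes["node_b"].attempt("OKV_OLIVER", True, t0 + timedelta(days=182))
    r["b_expired"] = nodes["node_b"].attempt("OKV_OLIVER", True, t0 + timedelta(days=190))
    return r


if __name__ == "__main__":
    for key, outcome in simulate_cluster_lockout().items():
        print(f"{key:24s} {outcome}")
```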

Note:

You cannot modify user account profile parameters when a cluster upgrade is in progress.

9.1.3.2 Multi-Master Cluster Effect on System Administrator Users

The user who is granted the System Administrator role is responsible for managing the cluster configuration.

The System Administrator role in a multi-master cluster includes the following responsibilities:

  • All system administrator responsibilities for a single Oracle Key Vault server
  • Cluster initialization, converting the first Oracle Key Vault server to the initial node
  • Adding and removing nodes from the cluster
  • Disabling and enabling nodes in the cluster
  • Managing cluster-wide system settings
  • Monitoring cluster operations and cluster health indicators
  • Enabling and disabling replication between nodes
  • Monitoring and resolving data and naming conflicts
  • Monitoring and reacting to cluster alerts
  • Managing cluster settings

A user who has the System Administrator role can also create and then manage endpoints. A user with the Create Endpoint privilege can create his or her own endpoints, and a user with the Manage Endpoint privilege can manage his or her own endpoints.

9.1.3.3 Multi-Master Cluster Effect on Key Administrator Users

The user who is granted the Key Administrator role manages endpoint groups, user groups, wallets, and objects.

In a multi-master cluster, when these items are uploaded in separate nodes and in separate data centers, name conflicts can occur. The key administrator provides input to the system administrator to resolve these conflicts for wallets, KMIP objects, endpoint groups, and user groups.

A user with the Create Endpoint Group privilege can create his or her own endpoint groups, and a user with the Manage Endpoint Group privilege can manage his or her own endpoint groups.

9.1.3.4 Multi-Master Cluster Effect on Audit Manager Users

The user who is granted the Audit Manager role is responsible for configuring audit settings and integration with Oracle Audit Vault.

In a multi-master cluster environment, this user can configure audit settings for the entire cluster and for individual nodes. The audit manager user can use different settings for different nodes, if necessary, or unify audit settings across the entire cluster.

The audit manager can replicate audit trails between nodes, if necessary. However, this can result in significant traffic between nodes, so the audit manager can turn audit trail replication on or off. By default, audit trail replication is turned off.

9.1.3.5 Multi-Master Cluster Effect on Administration Users

Administrative users can have any combination of the administration roles, including the System Administrator, Key Administrator, and Audit Manager roles.

Administrative user information created in the Oracle Key Vault server that is used as the initial node seeds the cluster.

New servers added to a cluster will get administrative user information from the cluster. Administrator information that is created on the server for the purpose of inducting the server into the cluster will be removed.

Administrative users that are created in a node after the node joins an Oracle Key Vault cluster will have a cluster-wide presence. New administrative users that are added to the Oracle Key Vault cluster on different Oracle Key Vault nodes may have name conflicts. When the user account is created, Oracle Key Vault automatically resolves the administrative user name conflicts. User and endpoint conflicts will be displayed in the Conflicts Resolution page and administrators can choose to rename endpoint conflicts. If there is a user name conflict, then you must either accept the automatically generated user name, or delete and recreate the user. User accounts will not be available for use and will be placed in a PENDING state until the name resolution is completed. You cannot delete the user accounts in PENDING state.

9.1.3.6 Multi-Master Cluster Effect on System Users

System users are responsible for the operating system of each Oracle Key Vault appliance, server, and node.

Oracle Key Vault servers are first installed or later configured to become nodes of an Oracle Key Vault cluster. As part of the server configuration, the operating system users (support and root) are created. Those users will remain unchanged after the server joins a cluster.

Unless security requirements specify otherwise, the same support and root passwords should be used for all the Oracle Key Vault nodes. Unlike Oracle Key Vault administrative accounts that are replicated, the support and root accounts are operating system users, and their passwords are not automatically synchronized across the cluster. Therefore, each node can potentially have a different support or root user password, making it difficult to manage multiple nodes of the cluster.

9.1.4 Creating an Oracle Key Vault User Account

A user with the System Administrator role can create user accounts from the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears with a list of existing users.

  3. In the Manage Users page, click Create.
  4. Enter a user name in User Name.
    See Naming Guidelines for Objects. Ensure that the user name is not the same as an Oracle Key Vault endpoint name.
  5. If you are using a multi-master cluster, then choose whether to select the Make Unique check box.
    Make Unique helps to control naming conflicts with user names across the multi-master cluster environment. When a server is converted to a cluster node, then the character limit for user names drops from 128 to 120 to allow for automatic renaming in case of a conflict. Users that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.
    • If you select Make Unique, then the user account will be active immediately and this user can perform operations.
    • If you do not select Make Unique, then the user account will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the user account to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The user account will then be renamed to a unique name. You will need to go to a read/write node of the cluster and either accept the renamed user account or change the user account name. If you change the user account name, then this will restart the name resolution operation and the user account will return to a PENDING state. A user account in the PENDING state cannot be used to perform most operations.
  6. Optionally, add the user's full name in Full Name.
  7. For the password, do one of the following:
    • Auto Generate Password: Select this option to have a password automatically generated and sent to the user. The user will receive an email message with Oracle Key Vault: System Generated User Password in the subject line. When the user logs in to the Oracle Key Vault management console for the first time, he or she will be asked to change the password.

      An SMTP server must be configured in Oracle Key Vault to use this option.

    • Password and Re-enter password: Enter a valid password. Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and special character. The special characters allowed are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.

  8. Click Save.

    The Manage Users page appears and lists the new user. If the user is in the PENDING state, then it remains in the Users being created section until it transitions to the ACTIVE state, similar to the following example.
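The password rules stated in step 7, as an added Python check that is not part of Oracle Key Vault (check_password and generate_password are my own names): it reports every rule a candidate password breaks, treats any special character outside the listed set as disallowed, and builds a compliant random password for out-of-band delivery.

```python
import secrets
import string
from typing import List

# Step 7 allows exactly these special characters; anything else is rejected.
ALLOWED_SPECIALS = frozenset(".,_+: ")
MIN_LENGTH = 8


def check_password(password: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("no allowed special character (. , _ + : or space)")
    permitted = set(string.ascii_letters) | set(string.digits) | ALLOWED_SPECIALS
    disallowed = sorted({c for c in password if c not in permitted})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    return problems


def is_valid_password(password: str) -> bool:
    return not check_password(password)


def generate_password(length: int = 16) -> str:
    """Random password that satisfies check_password, using the secrets module.
    Space is left out of the generation alphabet so the value survives copy/paste."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + ".,_+:"
    while True:  # rejection sampling: retry until every rule is met
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_valid_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("Vault_2024", "vault2024", "Vault#2024", "Key Vault 1"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
    print("generated:", generate_password())
```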



9.1.5 Viewing User Account Details

All administrative users can view the list of Oracle Key Vault user accounts and their details.

Users without any of the three administrative roles can only see their own user details. The User Details page provides a consolidated view of the Oracle Key Vault user. This is the page where all user management tasks are performed.

  1. Log in to the Oracle Key Vault management console.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears with a list of existing users. You can sort and search the list by the column user name, full name, or roles.

  3. Click on a user name to display the User Details page.

9.1.6 Deleting an Oracle Key Vault User Account

Deleting an Oracle Key Vault user removes the user from any user groups the user was part of in Oracle Key Vault.

The operation does not delete any security objects managed by the user. Administrators can only delete users that are not in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role and the same roles as the user being deleted, should that user have any administrative roles.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears with a list of existing users.

  3. Select the check boxes for the users that you want to delete.
  4. Click Delete.
  5. In the confirmation dialog box, click OK.
  6. Click Save.

9.2 Managing Administrative Roles and User Privileges

Oracle Key Vault has predefined roles and privileges that you can grant to (or change) or revoke from users.

9.2.1 About Managing Administrative Roles and User Privileges

You can grant or change an administrative role or user privileges for a user account that you have added.

You must be a user with the System Administrator role to grant, change, or revoke the Create Endpoint and Manage Endpoint privileges to or from other users. You must be a user with the Key Administrator role to grant, change, or revoke the Create Endpoint Group and Manage Endpoint Group privileges to or from other users. You can also revoke a privilege when it is no longer needed. Users who hold the Create Endpoint, Manage Endpoint, Create Endpoint Group, or Manage Endpoint Group privilege cannot grant that privilege to other users.

If you are using a multi-master cluster environment, then you cannot grant, change, or revoke administrative roles or user privileges for users in the PENDING state.

Note:

If the Enforce Separation of Administrator Roles option is enabled in your Oracle Key Vault environment, then you cannot grant more than one administrative role to a user. You must revoke all but one administrative role from any user who holds multiple roles when this option is enabled. Users who hold multiple administrative roles while the Enforce Separation of Administrator Roles option is enabled cannot exercise any of those roles until all but one have been revoked. The Enforce Separation of Administrator Roles option is disabled by default.

9.2.2 Granting or Changing an Administrative Role of a User

You can use the Manage Users page to grant or change a user administrative role.

  1. Log in to the Oracle Key Vault management console as a user who holds the role to be granted and was given that role with the Allow Forward Grant option.

    For example, if the user needs the System Administrator role, the granting user should have the same role with the Allow Forward Grant option.

  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

    [Illustration: 218_manage_users.png, the Manage Users page]

  3. Click the name of the user in the User Name column.

    The User Details page appears. The User Details page provides a consolidated view of the Oracle Key Vault user. It displays the following user information: user name, email, administrative role, user privileges, membership in user groups, endpoints that the user has the Manage Endpoint privilege on, endpoint groups that the user has Manage Endpoint Group privilege on, and access to wallets.

    [Illustration: 21_user_details.png, the User Details page]

  4. To grant a role, check the Roles box for the role that you want to grant.

    To change a role, uncheck the box for the previous role and check the box by the new role. If you do not see the role listed that you want to grant, then you are logged in as a user who does not have that role and therefore do not have the privilege to grant it.

  5. To allow this user to grant the role to other users, check the Allow Forward Grant box. This option only shows after you select the role.

    By default, a user cannot grant roles to or revoke roles from other users. In order for a user to grant or revoke a role from another user, you must select the Allow Forward Grant option.

  6. Click Save.

    You cannot grant or revoke administrator roles to an LDAP user directly. LDAP users can be granted administrative roles only through LDAP group mappings.

9.2.3 Granting the Create Endpoint Privilege

The Create Endpoint privilege enables a user to create the user's own endpoints.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    Users who have the Create Endpoint privilege cannot grant it to other users.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Select the user to whom you want to grant the Create Endpoint privilege.
  4. Under User Details, select the Create Endpoint check box.
  5. Click Save.

Note:

When a local Oracle Key Vault user with the Create Endpoint privilege creates an endpoint, Oracle Key Vault grants the Manage Endpoint privilege on that endpoint to the local user.

9.2.4 Granting the Manage Endpoint Privilege

The Manage Endpoint privilege enables a user to manage the user's own endpoints.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    Users who have the Manage Endpoint privilege cannot grant it to other users.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Select the user to whom you want to grant the Manage Endpoint privilege.
  4. In the Access on Endpoints area, click Add.
  5. In the Add Endpoint Access to User page, under Select Endpoint, select the endpoint for which you want to grant the user the Manage Endpoint privilege.
  6. Click Save.

9.2.5 Granting the Create Endpoint Group Privilege

The Create Endpoint Group privilege enables a user to create the user's own endpoint groups.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
    Users who have the Create Endpoint Group privilege cannot grant it to other users.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Select the user to whom you want to grant the Create Endpoint Group privilege.
  4. Under User Details, select the Create Endpoint Group check box.
  5. Click Save.

9.2.6 Granting the Manage Endpoint Group Privilege

The Manage Endpoint Group privilege enables a user to manage the user's own endpoint groups.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
    Users who have the Manage Endpoint Group privilege cannot grant it to other users.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Select the user to whom you want to grant the Manage Endpoint Group privilege.
  4. In the Access on Endpoint Groups area, click Add.
  5. In the Add Endpoint Group Access to User page, in the Select Endpoint Group area, select the endpoint group to which you want to grant the user the Manage Endpoint Group privilege.
  6. Click Save.

9.2.7 Revoking an Administrative Role or Endpoint Privilege from a User

You can use the Manage User page to revoke a role or an endpoint privilege from a user.

  1. Depending on the administrative role or privilege that you want to revoke, log in to the Oracle Key Vault management console as follows:
    • Administrative roles: Log in as a user who has the same role with the Allow Forward Grant option. You can only grant and revoke roles for which you are an administrator and were given the Allow Forward Grant option.
    • Create Endpoint or Manage Endpoint privilege: Log in as a user who has the System Administrator role.
    • Create Endpoint Group or Manage Endpoint Group privilege: Log in as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

    [Illustration: 218_manage_users.png, the Manage Users page]

  3. Click the user name whose role or endpoint privilege you want to revoke.

    The User Details page appears.

  4. Revoke privileges as follows:
    • Administrative roles or the Create Endpoint or Create Endpoint Group privileges: Deselect the box for the role or endpoint privilege.
    • Manage Endpoint privilege: When logged in as a user with the System Administrator role, scroll down to the Access on Endpoint area, select the check box for the endpoint, and then click Remove.
    • Manage Endpoint Group privilege: When logged in as a user with the Key Administrator role, scroll down to the Access on Endpoint Group area, select the check box for the endpoint group, and then click Remove.
  5. Click Save.

    If you upgraded Oracle Key Vault from a version prior to release 21.4, all administrative users (users with the Audit Manager, Key Administrator, or System Administrator roles) will have the Allow Forward Grant option selected. If you do not want these users to have the ability to grant their role to other users, you should immediately revoke this option from that user. From the normal user management pages, you can remove the Allow Forward Grant option from all users but one. You must use the Administrative Management page to remove the Allow Forward Grant option from the last user. The Administrative Management page can be accessed using the System Recovery option which requires the recovery passphrase.

9.2.8 Granting a User Access to a Virtual Wallet

A user with the Key Administrator role controls access to security objects for users, endpoints, and their respective groups.

Any user can be granted access to security objects in Oracle Key Vault at a level that is appropriate to their function in the organization.

You cannot grant access to a virtual wallet if the wallet is in the PENDING state.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Click the name of the user you want to grant access.

    The User Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User page appears.

  5. Select the wallet under Select Wallet.
  6. Set the access level to the selected wallet under Select Access Level: Read Only, Read and Modify, or Manage Wallet.

    Set access levels when you grant access to the wallet, if you know the level to grant. You can also set or modify access levels from the wallet menu.

  7. Click Save.

9.2.9 Enforce Separation of Administrator Roles

You can use the recovery passphrase option to enforce the separation of administrator roles.

You can enforce separation of administrator roles and limit users to holding at most one administrator role using the Oracle Key Vault management console.
  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault server.
  2. Do not log in to Oracle Key Vault.
  3. Click the System Recovery link at the lower right corner of the login page.
    A new login page appears with a single field: Recovery Passphrase.
  4. In the Recovery Passphrase field, enter the recovery passphrase.
  5. Click Login.
  6. Select the Account Management tab from the page displayed.
    The Enforce Separation of Administrator Roles pane appears.
  7. Select the Enforce Separation of Administrator Roles option to enable or disable this option.
  8. Click Save.

9.3 Managing User Passwords

You or the user can change the user's password. You also can have passwords reset automatically.

9.3.1 About Changing User Passwords

Any valid Oracle Key Vault user can change his or her own password.

You can reset the password of another user if you have at a minimum the same administrative roles as that user. For example, if you want to change the password of a user who has the Audit Manager role, then you also must have the Audit Manager role before you can change the password.

Consider the following users and roles:

User               System Admin   Key Admin   Audit Manager
OKV_ALL_JANE       Yes            Yes         Yes
OKV_SYS_KEYS_JOE   Yes            Yes         -
OKV_SYS_SEAN       Yes            -           -
OKV_KEYS_KATE      -              Yes         -
OKV_AUD_AUDREY     -              -           Yes
OKV_OLIVER         -              -           -

Suppose that user OKV_SYS_KEYS_JOE, who has the System Administrator and Key Administrator roles, is logged in and wants to change the other users' passwords. The following happens:

  • OKV_KEYS_KATE: OKV_SYS_KEYS_JOE can change the password for OKV_KEYS_KATE because they have the Key Administrator role in common.

  • OKV_AUD_AUDREY: OKV_SYS_KEYS_JOE cannot change OKV_AUD_AUDREY's password because OKV_SYS_KEYS_JOE does not have the Audit Manager role.

  • OKV_ALL_JANE: OKV_SYS_KEYS_JOE cannot change the password for user OKV_ALL_JANE because he does not have the Audit Manager role.

  • OKV_OLIVER: OKV_SYS_KEYS_JOE can change the password for user OKV_OLIVER, who has no roles at all.
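The role rules from this section and from sections 9.2.1, 9.2.2 and 9.2.7 (password reset needs at least the target's roles; granting or revoking a role needs that role with Allow Forward Grant; Enforce Separation of Administrator Roles limits users to one role and suspends multi-role users), as an added Python model that is not Oracle Key Vault code. The users and roles are the table above; the table does not say who holds Allow Forward Grant, so those sets start empty, and the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

ROLES = ("System Administrator", "Key Administrator", "Audit Manager")


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()
    forward_grant: FrozenSet[str] = frozenset()   # roles held with Allow Forward Grant

    def __post_init__(self) -> None:
        # Allow Forward Grant is an option on a role the user already holds.
        if not self.forward_grant <= self.roles:
            raise ValueError(f"{self.name}: forward grant on a role that is not held")


# The users and roles from the table above ("Yes" = holds the role).
USERS: Dict[str, User] = {u.name: u for u in (
    User("OKV_ALL_JANE", frozenset(ROLES)),
    User("OKV_SYS_KEYS_JOE", frozenset({"System Administrator", "Key Administrator"})),
    User("OKV_SYS_SEAN", frozenset({"System Administrator"})),
    User("OKV_KEYS_KATE", frozenset({"Key Administrator"})),
    User("OKV_AUD_AUDREY", frozenset({"Audit Manager"})),
    User("OKV_OLIVER"),
)}


def can_reset_password(actor: User, target: User) -> bool:
    """Section 9.3.1: the actor needs at least the same administrative roles as the
    target. A target with no roles at all is covered by the empty-subset case."""
    return target.roles <= actor.roles


def can_revoke_role(actor: User, role: str) -> bool:
    """Section 9.2.7: revoking needs the same role with Allow Forward Grant."""
    return role in actor.forward_grant


def can_grant_role(actor: User, role: str, target: User,
                   enforce_separation: bool = False) -> bool:
    """Section 9.2.2: the grantor must hold the role with Allow Forward Grant.
    Section 9.2.1 Note: with Enforce Separation of Administrator Roles enabled,
    a user cannot be given a second, different role."""
    if role not in actor.forward_grant:
        return False
    if enforce_separation and target.roles and role not in target.roles:
        return False          # target already holds a different role
    return True


def can_exercise_roles(user: User, enforce_separation: bool) -> bool:
    """Section 9.2.1 Note: a multi-role user cannot exercise any role while the
    option is enabled, until all but one role have been revoked."""
    return not (enforce_separation and len(user.roles) > 1)


def password_reset_matrix(actor_name: str) -> Dict[str, bool]:
    """For each user in the table: may actor_name reset that user's password?"""
    actor = USERS[actor_name]
    return {name: can_reset_password(actor, u) for name, u in USERS.items()}


if __name__ == "__main__":
    for name, allowed in password_reset_matrix("OKV_SYS_KEYS_JOE").items():
        print(f"OKV_SYS_KEYS_JOE {'can' if allowed else 'cannot'} reset {name}")
```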

Any user can change his or her own password.

Assuming you have privileges to do so, you can change the password of another user by using either of the following methods:

  • Specify a new password for the other user and then notify this user of the new password by using any out-of-band method.
  • Send the user a randomly generated one-time password to their email account.

9.3.2 Changing Your Own Password

Any user can change his or her own Oracle Key Vault account password.

  1. Log in to the Oracle Key Vault management console.
  2. Select the Users tab, and then Change Password in the left navigation bar.

    The Change Password page appears for your account.

    [Illustration: 21_change_password.png, the Change Password page]

  3. Enter your current password in Current Password.
  4. Enter the new password in New Password and Re-enter New Password.
  5. Click Save.

9.3.3 Changing Another User's Password

You can change another user's password if you have the System Administrator role or the identical administrative roles (at a minimum) as the user whose password you want to reset.

9.3.3.1 Changing a Password Manually

You can change the password manually for a user and then use any out-of-band method to notify the user of the new password.

This method of changing a password is available only when the Reset passwords using email only option in the User Password Recovery tab of the System Recovery page is not selected.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page displays the list of users.

  3. Click the user name whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    By default, the Auto Generate Password option is selected. Deselect it so that you can manually change the password.

    [Illustration: 21_change_password_manually.png, the Reset Password page with Auto Generate Password deselected]

    If the Email Address field appears instead of the password prompts, then the system has been configured to change passwords through email notification only.

  5. Enter the new password in New Password and Re-enter New Password.
  6. Click Save.

9.3.3.2 Changing a Password Through Email Notification

You can change a user's password by sending them a randomly generated one-time password to their email account.

This one-time password can be sent directly from Oracle Key Vault to the user. You must configure SMTP in email settings in order to use this feature. Oracle recommends that you restrict the password recovery functionality to use this method by selecting the Reset passwords using email only option in the User Password Recovery tab of the System Recovery page.

  1. Log in to the Oracle Key Vault management console.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Click the user name of the user whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    The Reset User Password page appears.

  5. Check the box by Auto Generate Password.

    If SMTP is configured, then an email address field appears.

  6. Enter the email address of the user.
  7. Click Send One-Time Password.

If you check Auto Generate Password without configuring SMTP, the link Click here to configure SMTP appears. Click the link to configure email settings and repeat the steps in this topic.

9.3.4 Controlling the Use of Password Reset Methods

You can restrict the ability of users to reset another user's password manually so that only password reset operations through email notifications are allowed.

9.3.4.1 About Controlling the Use of Password Reset Methods

You can configure Oracle Key Vault to allow users to change another user's password only by sending them a randomly generated one-time password through email.

The user who changes another user's password must either be an Oracle Key Vault administrator or have the same or higher privileges as the user whose password is being reset.

By default, there are two ways to change another user's password:

  • Manually, in which you create a new password for the user. In this scenario, both you and the user know the password (until the user changes his or her own password).
  • Automatically, in which you trigger an automatically-generated password for the user, who is then emailed the new password on a one-time basis. In this scenario, only the user knows his or her new password.

You can restrict password resets for other users to the automatic method, so that only email notification is allowed and manual password reset operations are disabled. The email notification uses the email address that is associated with the user's account. The benefit of this restriction is that the newly generated password is known only to the user whose password was reset, not to the user who initiated the reset. Users can still change their own passwords when this restriction is enabled.

When this restriction is disabled, both methods of resetting another user's password are allowed: manual password reset operations and automatic password reset operations.

9.3.4.2 Configuring the Use of Password Reset Operations

A user who has access to the system recovery passphrase can configure the use of password reset operations.

  1. Navigate to the Oracle Key Vault management console, but do not log in.
  2. Click the System Recovery button.
  3. When prompted, enter the system recovery passphrase.
  4. Select the User Password Recovery tab.
  5. In the User Password Recovery page, select the Reset passwords using email only check box to restrict password resets to email notification, or deselect it to allow manual password resets as well.
  6. Click Save.

9.3.5 Unlocking a User Account

You can unlock a user account by resetting the user's password.

A user account may become locked after multiple failed login attempts.

In a multi-master cluster, the user account profile parameter Failed Login Attempts is enforced at each node separately. If a user account becomes locked on one cluster node, the account may still be unlocked on other cluster nodes. The user or an administrator can then reset the password from a node on which the account is not locked. Resetting the user password unlocks the user account on all the cluster nodes. To manage Oracle Key Vault users centrally, consider configuring an LDAP directory server.

9.4 Managing User Email

Oracle Key Vault users should have their current email address on file so that they can receive alerts, such as notifications of system changes.

9.4.1 Changing the User Email Address

After creating a user account, you can add or change the user's email address.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Click the user's name in the User Name column.

    The User Details page appears.

  4. Enter the email address in Email.
  5. Click Save.

9.4.2 Disabling Email Notifications for a User

You can disable email notifications for a user on the User Details page.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, and then Manage Users in the left navigation bar.

    The Manage Users page appears displaying the list of users.

  3. Click the user's name in the User Name column.

    The User Details page appears.

  4. Select the Do not receive email alerts check box.
  5. Click Save.

9.5 Managing User Groups

You can organize users who have a common purpose into a named user group.

9.5.1 About Managing User Groups

Users who have the Key Administrator role can create, modify, and delete user groups.

This enables them to manage the access that groups of users have to virtual wallets. After a user group is created, you can modify its details.

The main purpose of a user group is to simplify access control to security objects. If a set of users need access to a common set of security objects, then you can assign these users to a group and grant the group access instead of granting access to each user or each security object. When certain users do not need access to the security objects any longer, you can remove them from the group. You can add new users to the group. You can modify the group's access level to security objects at any time.

9.5.2 How a Multi-Master Cluster Affects User Groups

User groups are used at the Oracle Key Vault server and cluster level to group user roles and permissions.

When new servers are introduced into the cluster, Oracle Key Vault replicates any user group information that is in the cluster. You can create new user groups in the cluster from a read/write pair.

User groups created in a node after the node is added to an Oracle Key Vault cluster will have a cluster-wide presence. User groups created on two different nodes could have name conflicts. Oracle Key Vault automatically resolves the user group name conflicts. These conflicts will be displayed in the Conflicts Resolution page and administrators can choose to rename them.

Note:

  • You cannot change membership by adding or removing users when the user group is in a PENDING state. Similarly, users in a pending state cannot be added to, or removed from a user group in the ACTIVE state.
  • You cannot change access mapping for users and user groups if a wallet is in the PENDING state. Similarly, users and user groups in a PENDING state cannot be added to, or removed from a wallet access mapping even when the wallet is in the ACTIVE state.

9.5.3 Creating a User Group

You can create a user group when a set of users must manage a set of common security objects.

You can add users to the group when you create the group or later after creating the group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Access in the left navigation bar.

    The User Groups page appears displaying existing user groups.


  3. Click Create.

    The Create User Group page appears.


  4. In the Name field, enter the name of the new group.
  5. If you are using a multi-master cluster, then choose whether to select the Make Unique check box.
    Make Unique helps to control naming conflicts with names across the multi-master cluster environment. User groups that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.
    • If you select Make Unique, then the group name will be active immediately and this user group can be used in user operations. Clicking Make Unique also displays a list of users that you can add to the group.
    • If you do not select Make Unique, then the user group will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the user group to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The user group will then be renamed to a unique name. You will need to go to a read/write node of the cluster and either accept the renamed user group or change the user group name. If you change the user group name, then this will restart the name resolution operation and the user group will return to a PENDING state. A user group in the PENDING state cannot be used to perform most operations.
  6. In Description, optionally, enter a description for the user group.
  7. Click Save.

9.5.4 Adding a User to a User Group

You can add an existing user to a user group if that user must manage the same security objects as the group.

If both the user and user group are in the ACTIVE state, then you can add users to a group when you create the group or later after creating the group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Access in the left navigation bar.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Edit column for the user group.

    The User Group Details page appears.

  4. Click Add in the User Group Members pane.

    The Add User Group Members page appears displaying the list of existing users who are not in the user group.

  5. Check the boxes for the users you want to add.
  6. Click Save.

9.5.5 Granting a User Group Access to a Virtual Wallet

You can modify the access level to a virtual wallet for a user group as functional needs change.

However, you can only modify the access level if the user group and wallet are in the ACTIVE state.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Access in the left navigation bar.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Edit column, for the user group that you want to modify.

    The User Group Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User Group page appears.

  5. Select the wallet in Select Wallet.
  6. Set the access level to the selected wallet in Select Access Level.
    Select Read Only, Read and Modify, or Manage Wallet.
  7. Click Save.

9.5.6 Renaming a User Group

Depending on its status, you can change the name of a user group.

In a multi-master cluster, if the user group is in the PENDING state, then only the user who created it can rename the user group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Access in the left navigation bar.

    The User Groups page appears.

  3. On the User Groups page, select the pencil icon in the Edit column for the user group that you want to modify.

    The User Group Details page appears.

  4. Enter a new name in the Name field.
    See Naming Guidelines for Objects. If this node is part of a multi-master cluster and you do not select Make Unique, then the user group will enter the PENDING state after being renamed.
  5. Click Save.

9.5.7 Changing a User Group Description

A group description is useful for identifying the purpose of the group.

You can change this description at any time to match the purpose of the group. In a multi-master cluster, if the user group is in the PENDING state, then only the creator can modify the user group description.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then Manage Access in the left navigation bar.

    The User Groups page appears.

  3. On the User Groups page, select the pencil icon in the Edit column, for the user group that you want to modify.

    The User Group Details page appears.

  4. Enter a new description in the Description field.
  5. Click Save.

9.5.8 Removing a User from a User Group

Depending on the requirement, you can remove a user from a user group.

In a multi-master cluster, if both the user and the user group are in the ACTIVE state, then you can remove users from a user group. You may want to remove these users when their function in the organization changes and they no longer need to manage the same security objects as the group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab and then Manage Access in the left navigation bar.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Edit column for the user group.

    The User Group Details page appears.

  4. In the User Group Members area, select the users that you want to remove.
  5. Click Remove.
  6. Click OK to confirm.

9.5.9 Deleting a User Group

You can delete a user group when the users in the group do not need to access the same security objects.

Removing a user group automatically deletes the group's access to wallets and security objects. In a multi-master cluster, if a user group is in the PENDING state, then only the creator can delete it.

  1. Log in to the Oracle Key Vault management console as a user who has been granted the Key Administrator role.
  2. Select the Users tab and then Manage Access in the left navigation bar.

    The User Groups page appears.

  3. Select the user groups that you want to delete.
  4. Click Delete.
  5. Click OK to confirm.

9.6 Managing the support and root Passwords

You can change the support or root operating system password by logging in to the Oracle Key Vault server through SSH.

9.6.1 Changing the root User Password

You can change the password of the root operating system user from an SSH session on the Oracle Key Vault server.

To change the operating system user root password:
  1. Enable SSH.
    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.
  2. Log in to the Oracle Key Vault server through SSH as user support, then switch to the root user with su.

    ssh support@okv_server_IP_address
    su - root

  3. Run the passwd command.
  4. Enter and then re-enter the new password for the root user when prompted.

    [root@okvserver ~]# passwd
    Changing password for user root.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@okvserver ~]#

    After the password is set successfully, the following message is displayed on the console:

    passwd: all authentication tokens updated successfully.

9.6.2 Changing the support User Account Password

Before you perform the post-installation configuration task that follows the Oracle Key Vault installation, you can change the password for the support account in the server terminal console.

After you set the password for the support account during the post-installation task, you can use SSH to change the support password. (You create this account when you install Oracle Key Vault.) If the support password has passed its expiration time, then the support user is prompted to change it at the next login. By default the password expires after 365 days, with a warning at 120 days; with STIG enabled, it expires after 60 days, with a warning at 60 days.

To change the support user password:

  1. Enable SSH.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.

  2. Log in to the Oracle Key Vault server through SSH as user support.

    ssh support@okv_server_IP_address

  3. Run the passwd command.
  4. Enter and then re-enter the new password for the support user when prompted.

    [support@okvserver ~]$ passwd
    Changing password for user support.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [support@okvserver ~]$

    After the password is set successfully, the following message is displayed on the console:

    passwd: all authentication tokens updated successfully.
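Because the support account's password aging is enforced by the operating system, it is worth confirming over the same SSH session that the values in effect match the ones described above (365-day expiry with a 120-day warning by default, 60 and 60 with STIG enabled). The following shell script is an added example and is not part of the Oracle Key Vault documentation or product. It parses the output of chage -l for an account and compares the maximum password age and the warning period against the expected values for the chosen mode. The mapping of the documented numbers onto those two chage fields, and the sample chage output embedded below, are assumptions; on the server you would run check_aging against the real output of chage -l support.

```shell
#!/bin/sh
# Added example, not from the Oracle Key Vault documentation: verify that the
# password-aging values reported by `chage -l` for an OS account match the
# policy this section documents (365/120 by default, 60/60 with STIG).
# Assumption: the documented "expiration" and "warning" values correspond to
# the chage "Maximum number of days..." and "Number of days of warning..." fields.

# chage_field OUTPUT KEY: print the value of the chage line that starts with KEY,
# with surrounding whitespace trimmed.
chage_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" \
        'index($0, key) == 1 { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }'
}

# check_aging OUTPUT MODE: return 0 when the maximum age and warning period in
# OUTPUT match MODE ("default" or "stig"), 1 when they do not, 2 on a bad MODE.
check_aging() {
    out=$1
    case $2 in
        default) want_max=365; want_warn=120 ;;
        stig)    want_max=60;  want_warn=60 ;;
        *) echo "check_aging: unknown mode '$2' (use default|stig)" >&2; return 2 ;;
    esac
    max=$(chage_field "$out" "Maximum number of days between password change")
    warn=$(chage_field "$out" "Number of days of warning before password expires")
    if [ "$max" = "$want_max" ] && [ "$warn" = "$want_warn" ]; then
        return 0
    fi
    echo "aging mismatch: max=${max:-?} warn=${warn:-?} (expected $want_max/$want_warn)" >&2
    return 1
}

# Constructed sample of `chage -l support` output for a default (non-STIG)
# server; not captured from a real system.
SAMPLE_DEFAULT='Last password change                                    : Jan 15, 2024
Password expires                                        : Jan 14, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 365
Number of days of warning before password expires       : 120'

# Constructed sample for a STIG-enabled server.
SAMPLE_STIG='Last password change                                    : Jan 15, 2024
Password expires                                        : Mar 15, 2024
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 60'

# On the Oracle Key Vault server itself (as support, or as root for any account):
#   check_aging "$(chage -l support)" default && echo "support aging OK"
```

Run the script on the server after the passwd step; a non-zero exit with the "aging mismatch" line means the account's aging values differ from the documented policy and should be investigated before you rely on the expiry warnings.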