Create Vault, Secrets, and Encrypt Values

Oracle Cloud Infrastructure Vault enables you to manage sensitive information when creating a server domain. A vault is a container for encryption keys and secrets.

In Essbase 21c and 19.3.0.5.6, you use secrets created with Vault, in the Identity & Security area of the Oracle Cloud Infrastructure Console. In your vault, you enter the password, and the latest version of it is stored as part of your key, in the vault. You refer to it using the OCID of the secret. Refer to Overview of Vault in the Oracle Cloud Infrastructure documentation.

Note:

If you're using an existing vault and have an encryption key already created, you can skip the Create a New Vault and Create a New Encryption Key sections and move to the Create a New Secret section. Otherwise, you must create a vault and key first.

When you use Vault to encrypt credentials during provisioning, you need to create a secret. Passwords chosen for Essbase administrator and Database must meet the Resource Manager password requirements.

Secrets need to be added for the following fields:

  • Essbase Administrator Password

  • IAM or IDCS application client secret

  • Database system administrator password

Create a New Vault

Note:

These steps explain how to create the lower-cost vault option. New entities are needed only if they have not already been created.

  1. Sign in to the Oracle Cloud Infrastructure Console.

  2. In the navigation menu, select Identity & Security, and under the Key Management & Secret Management section, click Vault.

  3. Under List scope, select your compartment for Essbase, if not already selected.

  4. Click Create Vault.

  5. Under Create in Compartment, ensure your Essbase compartment is selected.

  6. For Name, enter a name, such as OracleEssbaseVault.

  7. For the lower-cost option, leave the virtual private vault option unchecked.

  8. Click Create Vault.

    Note:

    The Vault Crypto Endpoint value can be retrieved at any time by clicking the newly created vault, as listed on the Vaults page.

Create a New Encryption Key

Go to the Vaults page, and create a new encryption key as follows.

  1. Click the name of the newly created vault; for example, OracleEssbaseVault from the previous section.

  2. Under Master Encryption Keys, click Create Key.

  3. Provide a name for the key, such as OracleEssbaseEncryptionKey.

  4. Click Create Key. This key is used during secret creation.

Create a New Secret

Go to the Vaults page. For each password, create a secret as follows.

  1. Click Secrets.

  2. Click Create Secrets.

  3. Enter the Name for the secret and a relevant Description.

  4. Select the new encryption key (created in the previous section), or an existing one. For example, OracleEssbaseEncryptionKey.

  5. Enter the password text in Secret Contents.

  6. Click Create Secret.

  7. For each created secret, click the related password and copy the OCID value for it, for later use in configuration.

To encrypt your Oracle Essbase Administrator password (for older versions):

  1. Convert the administrator password that you want to use for the Essbase domain to a base64 encoding.

    For example, from a Linux terminal, use this command:

    echo -n 'OracleEssbase_Password' | base64

  2. Run the oci encrypt command using the Oracle Cloud Infrastructure command line interface. Provide the following parameters:

    • Vault Encryption Key OCID

    • Vault Crypto Endpoint

    • base64-encoded password

    Example:

    oci kms crypto encrypt --key-id Key_OCID --endpoint Cryptographic_Endpoint_URL --plaintext Base64_OracleEssbase_Password

  3. From the output, copy the encrypted password value for use in the deploy process, as shown here:

    "ciphertext": "Encrypted_Password"

You also use vault encryption to encrypt your Database Password and your Client Secret.
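
The three encryption steps above can be combined so that the password is typed at a hidden prompt instead of appearing in shell history. This is an added example, not Oracle's script; the function names b64_oneline, ciphertext_from_json and encrypt_password are assumptions, and the two arguments are the Key OCID and Crypto Endpoint from your vault.

```bash
#!/usr/bin/env bash
# Added example (not part of the Oracle documentation). Function names are
# hypothetical; the oci command and its three parameters are the ones shown above.

# Base64-encode stdin onto a single line. GNU base64 wraps output at 76
# columns, which would break a long value passed as one --plaintext argument.
b64_oneline() {
  base64 | tr -d '\n'
}

# Extract the value of the "ciphertext" field from the command output (step 3).
ciphertext_from_json() {
  sed -n 's/.*"ciphertext"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Prompt for the password without echo, so it is never written to shell
# history, then encrypt it with the vault key and print only the ciphertext.
encrypt_password() {
  local key_ocid=$1 endpoint=$2 pw
  read -r -s -p 'Password to encrypt: ' pw
  echo >&2
  oci kms crypto encrypt \
    --key-id "$key_ocid" \
    --endpoint "$endpoint" \
    --plaintext "$(printf '%s' "$pw" | b64_oneline)" | ciphertext_from_json
}

# Usage: ./encrypt.sh Key_OCID Cryptographic_Endpoint_URL
# Does nothing unless both values are supplied.
if [ "$#" -eq 2 ]; then
  encrypt_password "$1" "$2"
fi
```

Base64 is an encoding, not protection: the encoded password is still visible in the process list while the oci command runs, so run this from a trusted administration host.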