Create Vault, Secrets, and Encrypt Values

Oracle Cloud Infrastructure Vault enables you to manage sensitive information when creating a server domain. A vault is a container for encryption keys and secrets.

In 21c and, you use secrets, created with the Vault UI. In your vault, you enter the password, and the latest version of it is stored as part of your key, in the Vault. You refer to it using the OCID of the secret. See Overview of Vault in Oracle Cloud Infrastructure documentation,


If you're using an existing vault and have an encryption key already created, you can skip Create a New Vault and Create a New Encryption Key sections and move to the Create a New Secret section. Otherwise, you must create a vault and key first.

When you use Vault to encrypt credentials during provisioning, you need to create a secret. Passwords chosen for Essbase administrator and Database must meet the Resource Manager password requirements.

Secrets need to be added for the following fields:
  • Essbase Administrator Password
  • IDCS application client secret
  • Database system administrator password
Create a New Vault:


These steps explain how to create a virtual Vault, which is a lower-cost option than a private vault. New entities are needed only if they have not already been created.
  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. In the navigation menu, select Security, and click Vault.
  3. Select your Compartment, if not already selected.
  4. Click Create Vault.
  5. For Name, enter OracleEssbaseVault.
  6. For the lower-cost option, leave unchecked the option to make it a private vault.
  7. Click Create.


    The Vault Crypto Endpoint value can be retrieved for any future use, by clicking at any time on the newly created vault, as listed on the Vaults page.

Create a New Encryption Key

Go to the Vaults page, and create a new encryption key as follows.

  1. Select the newly created vault, for example, OracleEssbaseVault from the previous section.
  2. Select Master Encryption Keys in the left panel.
  3. Select Create Key and provide a name for the key, such as OracleEssbaseEncryptionKey.
  4. Click Create Key. This key is used during secret creation.

Create a New Secret

Go to the Vaults page. For each password, create a secret as follows.

  1. Click Secrets.
  2. Click Create Secrets.
  3. Enter the Name for the secret and a relevant Description.
  4. Select the new encryption key (created in the previous section), or an existing one. For example, OracleEssbaseEncryptionKey.
  5. Enter the password text in Secret Contents.
  6. Click Create Secret.
  7. For each created secret, click the related password and copy the OCID value for it, for later use in configuration.

To encrypt your Oracle Essbase Administrator password (for older versions):

  1. Convert the administrator password that you want to use for the Essbase domain to a base64 encoding.

    For example, from a Linux terminal, use this command:

    echo -n 'OracleEssbase_Password' | base64
  2. Run the encrypt oci command using Oracle Cloud Infrastructure command line interface. Provide the following parameters:
    • Vault Encryption Key OCID
    • Vault Crypto Endpoint
    • base64-encoded password
    oci kms crypto encrypt --key-id Key_OCID --endpoint Cryptographic_Endpoint_URL --plaintext Base64_OracleEssbase_Password
  3. From the output, copy the encrypted password value for use in the deploy process, as shown here:
    "ciphertext": "Encrypted_Password"

You also use vault encryption to encrypt your Database Password and your Client Secret.