Encryption at Rest for Essbase Applications

To prevent unauthorized access to Essbase applications, you can encrypt them at rest using the Oracle Cloud Infrastructure (OCI) Vault.

Encryption at rest prevents unauthorized users from accessing Essbase application data or metadata by copying files. Only authorized, logged-in Essbase users can read or use the application.

By default, the security feature is enabled in Essbase Marketplace instances. However, applications are not encrypted by default.

Encryption Terms

The following terminology is helpful for understanding application encryption:

OCI Vault - A service that securely stores and manages master encryption keys and secrets. As a prerequisite to Essbase stack deployment on OCI, an administrator must create the Vault and keys. You can find the Vault in the OCI Console, in the Identity & Security section.

Data Encryption Key (DEK) - A data encryption key is a piece of information that securely encrypts or decrypts data.

Master Encryption Key (MEK) - A master encryption key encrypts the DEK. As a prerequisite to Essbase stack deployment on OCI, an administrator must create the MEK in the Vault, to be used for storing required secrets.

Refer to Create a Vault and Secrets, and Encrypt Values.

Encryption Precautions for the Essbase Administrator or Application Manager

Before encrypting or decrypting any Essbase application, back it up. A pre-encrypted backup is essential, because if the encryption request fails to complete, the application may become corrupted.

Refer to: Back Up and Restore Applications

If the master encryption key is deleted from the Vault, there is no way to recover the encrypted application. Therefore, it is important to fully review and understand key management practices in OCI before making the decision to encrypt Essbase applications.

Refer to: Backing Up and Restoring Vaults and Keys in Oracle Cloud Infrastructure documentation.

Policies Required for Encryption of Applications

Review Set Up Policies for the minimum required Oracle Cloud Infrastructure policies that must be implemented to encrypt Essbase applications.

Encryption Tasks for the Essbase Administrator or Application Manager

Using the REST API, you can encrypt applications on Essbase instances deployed to OCI using the Marketplace listing.

You must be an Essbase system administrator or application manager to use the REST API endpoints.

Migration of Encrypted Applications

Encrypted applications can be migrated using Lifecycle Management (LCM) export/import, as well as the Migration Utility. If you migrate encrypted applications to a different Essbase instance, the target instance must have access to the MEK and its corresponding Vault.

To migrate applications using LCM export and import:

  1. Download and set up the Command-Line Interface (CLI). Refer to Download and Use the Command-Line Interface.

  2. Issue the lcmexport command to back up the application from your source Essbase instance to an LCM zip file, providing a password to protect the encrypted application. The password must be between 6 and 15 characters long, and should not contain any of the following special characters: ?=.,*!@#&()[{}]:;'/~$^+<>-

    Caution:

    If this password is forgotten, there is no way to retrieve it, and the application cannot be imported.

    Example:

    esscs lcmexport -a Sample -z Sample_lcmexport.zip -v -restEncryPassword enCrYpa55123%

  3. Issue the lcmimport command to restore the application from the LCM zip file to your target Essbase instance, providing the password you selected on lcmexport to protect the encrypted application.

    Example:

    esscs lcmimport -z Sample_lcmexport.zip -o -ta Sample2 -restEncryPassword enCrYpa55123%
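
Because a forgotten or rejected password leaves the export unusable, it helps to check the password against the rule in step 2 before running lcmexport. The following is an added example, not part of the Essbase CLI or the original page; the function names, the LCM_ENC_PASSWORD and ESSCS variables, and the inclusive reading of the 6-15 range are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-flight check for the LCM encryption password rule.
# Characters the page lists as not allowed in the password.
FORBIDDEN='?=.,*!@#&()[{}]:;'"'"'/~$^+<>-'

# check_lcm_password PASSWORD
# Returns 0 if acceptable, 1 if the length is outside 6-15 (treated as
# inclusive, an assumption), 2 if a listed character is present.
# Length is counted by the shell, so keep the password ASCII.
check_lcm_password() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 6 ] || [ "$len" -gt 15 ]; then
        echo "password length $len is outside 6-15" >&2
        return 1
    fi
    rest=$pw
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}   # first character of what is left
        rest=${rest#?}
        case "$FORBIDDEN" in
            *"$ch"*)
                echo "password contains a disallowed character" >&2
                return 2 ;;
        esac
    done
    return 0
}

# lcm_export_checked APP ZIPFILE
# Hypothetical wrapper: reads the password from LCM_ENC_PASSWORD (a name
# chosen for this example) and only then runs the page's lcmexport command.
# ESSCS can point at another binary for a dry run, e.g. ESSCS=echo.
lcm_export_checked() {
    check_lcm_password "${LCM_ENC_PASSWORD-}" || return $?
    "${ESSCS:-esscs}" lcmexport -a "$1" -z "$2" -v \
        -restEncryPassword "$LCM_ENC_PASSWORD"
}
```

The page's command takes the password as a command-line argument, so it remains visible in the local process list while esscs runs.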

If you need to migrate users and groups as well as applications, use a different utility. Refer in that case to Migrate Applications Using Migration Utility.