Oracle Key Vault and Recovery Appliance

The Oracle Key Vault (OKV) stores the TDE master keys and also keeps track of all enrolled endpoints.

Endpoints are the database servers, application servers, and computer systems where actual cryptographic operations such as encryption or decryption are performed. Endpoints request OKV to store and retrieve security objects.

A brief overview of the Oracle Key Vault (OKV) configurations:

  • All compute nodes of the Recovery Appliance are registered and enrolled as OKV endpoints.

  • A single OKV endpoint group contains all the endpoints corresponding to all of the compute nodes of the Recovery Appliance.

  • A single wallet is shared and configured as 'Default Wallet' for all endpoints corresponding to all of the compute nodes of the Recovery Appliance.

  • The OKV endpoint group is configured with read/write/manage access to the shared virtual wallet.

  • If more than one Recovery Appliance is involved, each Recovery Appliance has its own endpoint group and wallet.

  • The host-specific okvclient.jar is created during the enrollment of each endpoint and saved to the staging path on its respective node. If the root user performs the operation, the staging path is /radump; if a named user (such as raadmin) performs the operation, the staging path must be /tmp. The staged file must be named either okvclient.jar or <myHost>-okvclient.jar, where <myHost> matches the output of the hostname command.
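A pre-flight check for the staging rules in the last item, written as an added example (not Oracle's own tooling): it confirms that the staged file sits in the path the enrolling user must use and carries one of the two accepted names, and names the usual mistake when it does not. The optional ROOT argument is an assumption added so the check can run against a scratch directory tree.

```shell
#!/bin/sh
# Added example, not part of Oracle's Recovery Appliance or OKV software.
# Staging rules come from the section above; the ROOT argument (assumed,
# default empty) prefixes /radump and /tmp so the check can run on a
# scratch tree instead of a live compute node.

# expected_staging_dir USER -> the staging path that operating user must use
expected_staging_dir() {
    case "$1" in
        root) echo /radump ;;   # root stages in /radump
        *)    echo /tmp ;;      # a named user such as raadmin stages in /tmp
    esac
}

# accepted_name FILE HOST -> 0 if the basename is okvclient.jar or HOST-okvclient.jar
accepted_name() {
    base=$(basename "$1")
    [ "$base" = "okvclient.jar" ] || [ "$base" = "$2-okvclient.jar" ]
}

# check_staged USER HOST [ROOT] -> 0 if an accepted file is in the right path,
# 1 otherwise, with the reason (wrong path or misnamed file) on stderr.
check_staged() {
    user=$1; host=$2; root=${3:-}
    dir="$root$(expected_staging_dir "$user")"
    for f in "$dir/okvclient.jar" "$dir/$host-okvclient.jar"; do
        if [ -f "$f" ]; then
            echo "ok: $f is staged for user $user on $host"
            return 0
        fi
    done
    # Nothing acceptable found: diagnose the two usual mistakes.
    for g in "$root"/radump/*okvclient.jar "$root"/tmp/*okvclient.jar; do
        [ -f "$g" ] || continue
        if accepted_name "$g" "$host"; then
            echo "error: $g is in the wrong staging path for user $user (expected $dir)" >&2
        else
            echo "error: $g is not named okvclient.jar or $host-okvclient.jar" >&2
        fi
    done
    echo "error: no accepted okvclient.jar found in $dir" >&2
    return 1
}

# On the node itself, run:  check_staged "$(id -un)" "$(hostname)"
```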

Note:

Refer to Oracle Key Vault Administrator's Guide for more information.