About Installing and Configuring Oracle Key Vault

Oracle Key Vault Product Management can provide a link from which you can download an image and import it into your Compute Cloud@Customer. Once you have the Oracle Key Vault image, follow the steps in this article to install it.

Download the Oracle Key Vault Image From Marketplace

An Oracle Key Vault image for Compute Cloud@Customer is available on OCI Marketplace.

  1. Log in to your OCI account and go to OCI Marketplace.
  2. Under the filters, select Compute Cloud@Customer or Roving Edge compatible images.
  3. Select Oracle Key Vault image for Compute Cloud@Customer.

Download and Import Oracle Key Vault

To download and import Oracle Key Vault, use this procedure.

  1. Download the Oracle Key Vault image and place it in a location that the Compute Cloud@Customer can reach over HTTP. This is often a utility VM on the same network as your Compute Cloud@Customer, or a utility VM running on the Compute Cloud@Customer itself. This example uses the bastion host for the Compute Cloud@Customer. Copy the OCI file into a directory and serve that directory over HTTP, for example with the web server built into Python 3 (on a Python 2 system the equivalent is python -m SimpleHTTPServer 8088):
    cd /export/home/okv
    python3 -m http.server 8088
    The system responds:
    Serving HTTP on 0.0.0.0 port 8088 (http://0.0.0.0:8088/) ...
    This serves every file in the directory, without authentication, to any host that can reach the bastion. Keep only the image in the directory, add --bind with the bastion address that the Compute Cloud@Customer uses to limit the listener to that interface, and stop the server once the import completes.
  2. On Compute Cloud@Customer, start the custom image import from the GUI by first navigating to the Custom Images section.

    Note:

    This process will take you to the listing of custom images in the selected compartment. If necessary, change to the appropriate compartment using the drop-down in the upper center of the page.
  3. Click Import Image (upper right) and complete these fields in the Import Image dialog box:
    • Name: the name of the image; for example, okv_21_7_oci.
    • Create in Compartment: the name of the compartment where the image will reside.
    • Source Type: the type of source from which you're importing the image. In this example, you would select Import from an Object Storage URL.
    • Object Storage URL: the URL from which you are importing the image.
    • Image Type: the type of image you're importing. In this example, you would select OCI.
    • Launch Mode: select Paravirtualized Mode.
    • Tag Namespace: select None (add a free-form tag).
  4. Select Import Image (lower right).
    Depending on the size of the image and the available network bandwidth, the import may take some time; expect an hour or more for images larger than 100 GB.

    Note:

    This example serves the image with a Python web server on port 8088, so port 8088 is specified in the URL. Ensure that you specify the correct port for your implementation.
Once the image import is complete, the status will change from Importing to Available and you can create your instance from the image.
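The following script is an added example for step 1 of this procedure; it is not Oracle's code. It does what the one-line web server does, with the checks a practitioner would want when an appliance image is pulled over plain HTTP: it prints the SHA-256 of the image before serving it (compare this with the hash computed on the machine where you downloaded the image from Marketplace, to confirm the copy to the bastion is intact), it serves only that one file (no directory listing, no other files on the bastion, no path traversal), and it binds to an address you choose instead of 0.0.0.0. It assumes Python 3.7 or later on the bastion; the image file name, bind address and port in the usage line are placeholders.

```python
#!/usr/bin/env python3
"""Publish one appliance image over HTTP for a Compute Cloud@Customer custom
image import, and record its SHA-256 so the transfer can be checked.

Added example for this guide, not Oracle code. Assumes python3 (3.7+) on the
bastion. The image name, bind address and port are placeholders.
"""
import hashlib
import http.server
import os
import sys
import urllib.parse
from functools import partial


def sha256_of_stream(fobj, chunk_size=1 << 20):
    """Hex SHA-256 of a readable binary stream, hashed in 1 MiB chunks so a
    multi-GB image never has to be loaded into memory at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_file(path):
    """Hex SHA-256 of the file at path (streamed)."""
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def is_allowed_path(request_path, allowed_name):
    """True only when the request is for exactly the published image file.

    The query string and fragment are ignored; directory listings, other
    files in the directory and traversal attempts ("../", "%2e%2e/") are
    all refused because they never equal the bare file name.
    """
    name = request_path.split("?", 1)[0].split("#", 1)[0]
    name = urllib.parse.unquote(name).lstrip("/")
    return name == allowed_name and "/" not in name and ".." not in name


class SingleFileHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that serves one named file and nothing else."""

    allowed_name = None  # set by serve_image() before the server starts

    def do_GET(self):
        if not is_allowed_path(self.path, self.allowed_name):
            self.send_error(404, "Not found")
            return
        super().do_GET()

    def do_HEAD(self):
        if not is_allowed_path(self.path, self.allowed_name):
            self.send_error(404, "Not found")
            return
        super().do_HEAD()


def serve_image(image_path, bind="127.0.0.1", port=8088):
    """Hash the image, then serve only that file on bind:port until Ctrl-C.

    bind should be the bastion address that the Compute Cloud@Customer
    reaches, not 0.0.0.0, so the image is not offered on every network the
    bastion is attached to.
    """
    image_dir, image_name = os.path.split(os.path.abspath(image_path))
    print(f"SHA-256 {sha256_of_file(image_path)}  {image_name}")
    SingleFileHandler.allowed_name = image_name
    handler = partial(SingleFileHandler, directory=image_dir)
    with http.server.ThreadingHTTPServer((bind, port), handler) as httpd:
        print(f"Serving http://{bind}:{port}/{image_name} (Ctrl-C to stop)")
        try:
            httpd.serve_forever()  # each request is logged with the client IP
        except KeyboardInterrupt:
            pass


if __name__ == "__main__":
    # Usage (placeholder names):
    #   python3 serve_okv_image.py okv_21_7_oci.oci <bastion-address> 8088
    if len(sys.argv) < 2:
        sys.exit("usage: serve_okv_image.py IMAGE [BIND_ADDRESS] [PORT]")
    serve_image(sys.argv[1],
                bind=sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1",
                port=int(sys.argv[3]) if len(sys.argv) > 3 else 8088)
```

Use the printed URL as the Object Storage URL in the Import Image dialog, and stop the server as soon as the image status changes to Available; the transfer is unauthenticated HTTP, so the listener should exist only for the duration of the import.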

Create an Oracle Key Vault Instance

Once the custom image becomes available, use this procedure to create the Key Vault instance.

  1. Click the three vertical dots to the far right of the image identifier to open the drop-down menu and click Create Instance from Image.
  2. Complete the dialog box by adding the following information:
    • Name: enter an instance name.
    • Create in Compartment: select the compartment wherein the instance will reside.
    • Shape: select the appropriate shape and include these parameters:
      • The number of OCPUs you want to use.
      • The size of the Boot Volume.
      • The number of public network interfaces.
    • SSH Keys: choose Select the PUB file(s) to upload, then either enter the public key (.pub) file name in the field or drag and drop the file from your file system. This key is the login credential for the temporary opc user and, after the initial password setup, for the support user, so use a key that is controlled by the administrators of the OKV nodes.
  3. Select Create Instance in the lower right.
Once you select Create Instance, the system creates an instance from the custom image you provided. Wait for the instance to boot, then log in to the console and verify that it is running. Then repeat this procedure to create the additional OKV node that you will use to form a high availability cluster.

Configure the Oracle Key Vault Instance

Once the system has booted, complete the post-installation steps for the initial configuration: set the initial server passwords, then complete the post-installation configuration in the management console. For these tasks you need the following:

  • The IP address or fully qualified domain name (FQDN) of a Linux or Mac system from which to perform the configuration. This can be any Linux server on the same network as your OKV servers, or a laptop. This example uses c3bastion.

    Note:

    Take note of the external and internal IP addresses assigned to the nodes you want to add to your cluster; you will need both sets of addresses.
  • The IP address or FQDN of the OKV server(s) to be configured. This example uses 10.122.56.38/172.20.0.33 and 10.122.56.29/172.20.0.21.

Set Up the Initial Server Password

The first instance configuration task is to set the initial server passwords. Do this from the command line over SSH.

You log in as the opc user, a temporary user from which you set the root and support user passwords. Once these passwords are set, the opc user is deleted and SSH login to the Oracle Key Vault instance is turned off. You can re-enable SSH login from the Oracle Key Vault management console and then log in as the support user.
  1. Connect to the instance as the opc user with SSH (in this example, ssh opc@10.122.56.29, using the key you uploaded when you created the instance) and run the following command to set the root and support user passwords.
    set_password
    The system responds:
    Setting root password
    Set root password:
    Confirm:
  2. Enter and confirm your root password.
    The system responds:
    Do you wish to set the support user password at this time.
    Enter 'y' or 'yes' to proceed:
  3. Enter y to proceed:
    Enter 'y' or 'yes' to proceed: y
    The system responds:
    Set support user password:
    Confirm:
  4. Enter and confirm your support user password.
    The system responds:
    Changing password for user support.
    passwd: all authentication tokens updated successfully.
    Successfully set the support user password..
    Deleted 'opc' user..
    You can re-enable login to the Oracle Key Vault instance using
    SSH from the Oracle Key Vault management console.
    Login as the 'support' user using the same ssh key as 'opc' user.
    Connection to 10.122.56.29 closed.

Complete Post-Installation Configuration

Once you have set the initial server passwords, log in to the Oracle Key Vault GUI with the root password you created in the previous step and complete the post-installation configuration: user setup, system administrator setup, time (NTP) setup and Domain Name System (DNS) setup. Then save this information.

  1. In the User Setup section of the Key Vault GUI, enter a user name, a password (with confirmation), a full name and an email address for each of the Key Administrator, System Administrator and Audit Manager in their respective sections. For the System Administrator and Audit Manager, if appropriate, select a user source (New User, Same as Key Administrator, or Same as System Administrator); separate accounts keep the three roles separated, whereas a Same as choice assigns more than one role to a single account. Also select Allow Forward Grant for each role.
  2. Specify the recovery passphrase. This passphrase is required for emergency recovery operations; for example, restoring the Oracle Key Vault server from a previous backup.

    Note:

    Do not lose the recovery passphrase. Oracle recommends that you store this passphrase in a secure location.
  3. Set up the NTP and DNS servers.
    These should always be set to the default for the Compute Cloud@Customer chassis. Specify only a single NTP server and a single DNS server. The same IP address is used for both; in this example, it is 169.254.169.254.
    To set up these servers:
    • Under Time Setup, select Use Network Time Protocol and enter the address in Server 1 Address. Then select OCI Default NTP server and enter the Server Time.
    • Under DNS Setup, enter for Server 1 the same IP address that you used for the NTP server. DNS and NTP are both provided redundantly inside the Compute Cloud@Customer, so a single entry is sufficient.
  4. Click Save (upper right) and repeat this procedure for any additional servers you want to add to a cluster. Then log out, log back in as the System Administrator user, and start the REST services:
    1. From the Oracle Key Vault GUI, open the System tab and select RESTful Services.
    2. Select Enable then Save the setting.
  5. You can then complete the remaining configuration by using the RESTful services interface.