Learn About Configuring the Server and Cluster
After you've installed and configured Oracle Key Vault, you need to configure both the server and cluster, as described in this article.
Configure the Server
On the server you will be using to perform the configuration, download the RESTful OKV service package as follows:

Note: You must do this once per server you are configuring, as the download includes certificates for the OKV server.

- At the server root (for example, [root@c3bastion tmp]#), create and navigate to the directory /tmp/okv, then download the package:

      mkdir /tmp/okv
      cd /tmp/okv
      curl -Ok --tlsv1.2 https://10.122.56.16:5695/okvrestclipackage.zip

  The system responds:

        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  2740  100  2740    0     0     78      0  0:00:35  0:00:34  0:00:01   741

- Unzip okvrestclipackage.zip:

      unzip okvrestclipackage.zip

  The system responds:

      Archive:  okvrestclipackage.zip
         creating: lib/
         creating: bin/
        inflating: bin/okv
        inflating: bin/okv.bat
         creating: conf/
        inflating: conf/okvrestcli.ini
        inflating: conf/okvrestcli_logging.properties
        inflating: lib/okvrestcli.jar

  Then navigate to bin:

      cd bin

- Edit bin/okv and remove the pound sign (#) to enable the second export statement:

      #!/bin/bash
      export OKV_RESTCLI_DIR=$(dirname "${0}")/..
      #export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini
      if [ -z "$JAVA_HOME" ]
      then
        echo "JAVA_HOME environment variable is not set."
        exit 1
      fi
      if [ -z "$OKV_RESTCLI_CONFIG" ]
      then
        echo "OKV_RESTCLI_CONFIG environment variable is not set."
        exit 1
      fi
      export OKV_RESTCLI_JAR=$OKV_RESTCLI_DIR/lib/okvrestcli.jar
      $JAVA_HOME/bin/java -jar $OKV_RESTCLI_JAR "$@"

  The first three lines should now look like this:

      #!/bin/bash
      export OKV_RESTCLI_DIR=$(dirname "${0}")/..
      export OKV_RESTCLI_CONFIG=$OKV_RESTCLI_DIR/conf/okvrestcli.ini

- Edit conf/okvrestcli.ini and remove the pound sign at the beginning of the fourth through sixth lines, add the private IP address of the first server, add the username, and delete the line that starts with password:

      #Provide absolute path for log_property, okv_client_config properties
      [Default]
      #log_property=./conf/okvrestcli_logging.properties
      #server=
      #okv_client_config=./conf/okvclient.ora
      #user=name of an OKV-administrator with the SYSADMIN privilege
      client_wallet = .

  The file should now look something like this:

      #Provide absolute path for log_property, okv_client_config properties
      [Default]
      log_property=./conf/okvrestcli_logging.properties
      server=IP_address of OKV01
      okv_client_config=./conf/okvclient.ora
      user=name of an OKV-administrator with the SYSADMIN privilege
      client_wallet = .

- Next, set your JAVA_HOME variable. This must be done in order for the OKVREST command to work.

  - Identify your Java version:

        java -version

    The system responds:

        openjdk version "1.8.0_372"
        OpenJDK Runtime Environment (build 1.8.0_372-b07)
        OpenJDK 64-Bit Server VM (build 25.372-b07, mixed mode)

  - OpenJDK is not supported; the Linux program namei follows symbolic links and helps to confirm where OpenJDK is installed. Enter:

        which java

    The system responds:

        /usr/bin/java

    Then enter:

        namei /usr/bin/java | grep " l "

    The system responds:

        l java --> /etc/alternatives/java
        l java --> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java

  - Now, use script-friendly commands to download Oracle Java; from the server root (for example, [root@c3bastion okv]), enter:

        wget https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.rpm

    The system responds (this example has been edited for brevity):

        Saving to: ‘jdk-17_linux-x64_bin.rpm’
        100%[==========================================>] 182,170,753 22.3MB/s in 4.9s
        2023-11-14 10:21:48 (35.5 MB/s) - ‘jdk-17_linux-x64_bin.rpm’ saved [182170753/182170753]

    Now, use the yum command localinstall to install the JDK:

        yum localinstall ./jdk-17_linux-x64_bin.rpm

    The system responds:

        Loaded plugins: ulninfo
        Examining ./jdk-17_linux-x64_bin.rpm: 2000:jdk-17-17.0.9-11.x86_64
        Marking ./jdk-17_linux-x64_bin.rpm to be installed
        .
        .
        .
        Installed:
          jdk-17.x86_64 2000:17.0.9-11
        Complete!

  - Confirm that “alternatives” has been updated by the Java installation process:

        namei /usr/bin/java | grep " l "

    The system responds:

        l java --> /etc/alternatives/java
        l java --> /usr/lib/jvm/jdk-17-oracle-x64/bin/java

  - Note that the preceding output identifies JAVA_HOME. Now, export the JAVA_HOME variable to the system:

        export JAVA_HOME=/usr/lib/jvm/jdk-17-oracle-x64

- Finally, to simplify the deployment process, store the password of the OKV administrator with the SYSADMIN privilege in a wallet:

      okv admin client-wallet add --client-wallet . --wallet-user name of an OKV-administrator with the SYSADMIN privilege

  The system prompts for a password:

      Password:

  Enter the password of an OKV administrator with the SYSADMIN privilege and the system will confirm successful storage:

      { "result" : "Success" }
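The server steps above leave two things worth checking before the first okv call: that okvrestcli.ini no longer carries a password line (the password now lives in the wallet), and that JAVA_HOME does not point at OpenJDK. The script below is an added example, not part of Oracle's package; the function names, the address 192.0.2.10 and the user okvadmin are constructed for illustration, and it assumes a supported JDK does not print "OpenJDK" in its `java -version` banner.

```shell
#!/bin/sh
# Added example (not Oracle's code): checks for the REST CLI setup on this page.

# Print the trimmed value of an uncommented key, or nothing if absent/empty.
ini_value() {  # usage: ini_value <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

check_okv_ini() {  # usage: check_okv_ini <okvrestcli.ini>; 0 = ready
    ini="$1"; problems=0
    [ -r "$ini" ] || { echo "FAIL: cannot read $ini"; return 2; }
    # The administrator password belongs in the client wallet, not in this file.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$ini"; then
        echo "FAIL: a password line is still present"; problems=$((problems + 1))
    fi
    # These keys must be uncommented and non-empty after the edit.
    for key in log_property server okv_client_config user client_wallet; do
        if [ -z "$(ini_value "$ini" "$key")" ]; then
            echo "FAIL: $key is commented out or empty"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# True if the given java command identifies itself as an OpenJDK build.
java_is_openjdk() {  # usage: java_is_openjdk <java command>
    "$1" -version 2>&1 | grep -qi 'openjdk'
}

check_java_home() {  # 0 only if JAVA_HOME holds a java that is not OpenJDK
    if [ -z "$JAVA_HOME" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "FAIL: JAVA_HOME is unset or has no bin/java"; return 2
    fi
    if java_is_openjdk "$JAVA_HOME/bin/java"; then
        echo "FAIL: JAVA_HOME points at OpenJDK"; return 1
    fi
}

# Constructed sample: an ini file in which the password line was left behind.
sample=$(mktemp)
printf '%s\n' '[Default]' 'log_property=./conf/okvrestcli_logging.properties' \
    'server=192.0.2.10' 'okv_client_config=./conf/okvclient.ora' \
    'user=okvadmin' 'password=not-a-real-secret' 'client_wallet = .' > "$sample"
check_okv_ini "$sample" || echo "sample rejected, as intended"
rm -f "$sample"
```

On a configured server, run `check_okv_ini /tmp/okv/conf/okvrestcli.ini && check_java_home` after exporting JAVA_HOME.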
Configure the Cluster
Once the initial OKV software is installed and configured on the server, you can now configure the cluster.
Perform the following steps from the server root command line (for example, [root@c3bastion okv]).

- Convert the stand-alone OKV into a candidate node; enter:

      bin/okv cluster node create --cluster-name OCEAN11 --cluster-subgroup WEST_COAST --node-name OKV04

  The system responds:

      {
        "result" : "Success",
        "value" : {
          "requestId" : "26032"
        }
      }

- Now check the cluster node status:

      bin/okv cluster node status --pairing-request-id 26032

  The system responds:

      {
        "result" : "Success",
        "value" : {
          "status" : "IN-PROGRESS"
        }
      }

  After a few moments, "IN-PROGRESS" changes to "SUCCEEDED":

      {
        "result" : "Success",
        "value" : {
          "status" : "SUCCEEDED"
        }
      }

  Once this step is completed, the node should show up in the cluster management and monitoring tab.

- Now add a second stand-alone OKV server to the first to build a read-write pair. The add command requires a unique nodeID, so first list the nodeIDs that have already been taken, then add the node:

      okv cluster info get | jq -r '.value.nodes[].nodeID'
      okv cluster node add --candidate-node-ip-address 172.20.0.33 --candidate-node-user sadmin --cluster-subgroup WEST_COAST --mode READ-WRITE --node-id 2 --node-name OKV06

  The system responds:

      Recovery Passphrase:

  Enter the password of the first OKV node. The system then prompts:

      Candidate Node Password:

  Enter the password of an OKV administrator who has the SYSADMIN privilege. The system responds:

      {
        "result" : "Success",
        "value" : {
          "requestId" : "3060"
        }
      }

- Now monitor the first node's configuration process:

      bin/okv cluster node status --pairing-steps TRUE --node-name OKV04

  The system responds:

      {
        "result" : "Success",
        "value" : {
          "stages" : [
            { "step1" : "Open transport channel with the candidate node", "status" : "COMPLETED" },
            { "step2" : "Verify the candidate node details", "status" : "COMPLETED" },
            { "step4" : "Generate the controller node details", "status" : "COMPLETED" },
            { "step5" : "Generate backup of the controller node for cloning", "status" : "COMPLETED" },
            { "step6" : "Send clone bundle to the candidate node", "status" : "" },
            { "step7" : "Enable data replication (downstream mining configuration) to the candidate node", "status" : "" },
            { "step8" : "Enable data replication to other cluster nodes", "status" : "" },
            { "step9" : "The candidate node successfully joins the cluster", "status" : "" }
          ]
        }
      }

- Now check the progress of the second node:

      bin/okv cluster node status --pairing-steps TRUE --candidate-node-ip-address 172.20.0.21 --candidate-node-user sadmin

  The system responds:

      Candidate Node Password

  Enter the password and the cluster configuration appears:

      {
        "result" : "Success",
        "value" : {
          "stages" : [
            { "step1" : "Send node details to the controller node", "status" : "COMPLETED" },
            { "step2" : "Receive clone bundle from the controller node", "status" : "COMPLETED" },
            { "step3" : "Restore backup on the candidate node", "status" : "COMPLETED" },
            { "step4" : "Update credentials of the candidate node", "status" : "COMPLETED" },
            { "step5" : "Tune the database on the candidate node", "status" : "COMPLETED" },
            { "step6" : "Setup network configuration on the candidate node", "status" : "COMPLETED" },
            { "step7" : "Enable data replication (downstream mining configuration) on the candidate node", "status" : "COMPLETED" },
            { "step8" : "Enable data replication on the candidate node", "status" : "COMPLETED" }
          ]
        }
      }

- Check the pairing status. If the configuration is successful, it will show as No pairing status:

      bin/okv cluster node status --pairing-steps TRUE --node-name OKV10

  The system responds:

      {
        "result" : "Failure",
        "message" : "No pairing status"
      }

- Finally, verify that the first two-node OKV read-write pair is ready to be used:

      bin/okv cluster info get

  The system responds:

      {
        "result" : "Success",
        "value" : {
          "clusterName" : "OCEAN11",
          "clusterSubgroups" : [ "WEST_COAST" ],
          "clusterVersion" : "21.7.0.0.0",
          "maximumDisableNodeDuration" : "24 hrs",
          "nodes" : [ {
            "nodeName" : "OKV04",
            "nodeID" : "1",
            "ipAddress" : "172.20.0.33",
            "mode" : "Read-Write",
            "status" : "ACTIVE",
            "readWritePeer" : "OKV05",
            "clusterSubgroup" : "WEST_COAST",
            "joinDate" : "2023-11-16 20:53:25",
            "disableDate" : "",
            "version" : "21.7.0.0.0"
          }, {
            "nodeName" : "OKV05",
            "nodeID" : "2",
            "ipAddress" : "172.20.0.21",
            "mode" : "Read-Write",
            "status" : "ACTIVE",
            "readWritePeer" : "OKV04",
            "clusterSubgroup" : "WEST_COAST",
            "joinDate" : "2023-11-16 21:02:24",
            "disableDate" : "",
            "version" : "21.7.0.0.0"
          } ]
        }
      }
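The cluster steps above rely on rerunning the status command by hand and on picking a nodeID that is not in use. The script below is an added example, not Oracle's code, that wraps both checks; the function names, polling interval and poll limit are assumptions, and any status other than the IN-PROGRESS and SUCCEEDED values shown on this page is treated as a failure.

```shell
#!/bin/sh
# Added example (not Oracle's code): guards around the cluster steps above.
OKV=${OKV:-bin/okv}                # REST CLI wrapper, run from /tmp/okv as on this page
POLL_SECONDS=${POLL_SECONDS:-10}   # assumption: seconds between status polls
MAX_POLLS=${MAX_POLLS:-60}         # assumption: polls before giving up

# Print the "status" value found in an okv JSON reply read from stdin.
json_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# True if the cluster info JSON on stdin already lists the given nodeID.
node_id_taken() {  # usage: "$OKV" cluster info get | node_id_taken 2
    grep -Eq "\"nodeID\"[[:space:]]*:[[:space:]]*\"$1\""
}

# Poll a pairing request until SUCCEEDED. Returns 0 on success, 1 on any
# reply other than IN-PROGRESS/SUCCEEDED, 2 if okv fails, 3 on timeout.
wait_for_pairing() {  # usage: wait_for_pairing <requestId>
    polls=0
    while [ "$polls" -lt "$MAX_POLLS" ]; do
        reply=$("$OKV" cluster node status --pairing-request-id "$1") || return 2
        case "$(printf '%s\n' "$reply" | json_status)" in
            SUCCEEDED)   return 0 ;;
            IN-PROGRESS) polls=$((polls + 1)); sleep "$POLL_SECONDS" ;;
            *)           echo "unexpected reply: $reply" >&2; return 1 ;;
        esac
    done
    echo "timed out waiting for pairing request $1" >&2
    return 3
}

# Constructed sample of `cluster info get` output with nodeIDs 1 and 2 in use.
sample='{ "value" : { "nodes" : [ { "nodeName" : "OKV04", "nodeID" : "1" },
  { "nodeName" : "OKV05", "nodeID" : "2" } ] } }'
for id in 1 2 3; do
    if printf '%s\n' "$sample" | node_id_taken "$id"; then
        echo "nodeID $id is taken"
    else
        echo "nodeID $id is free"
    fi
done
```

After `cluster node create` or `cluster node add` returns a requestId, `wait_for_pairing 26032` blocks until the request finishes, so a deployment script can stop on the first failed pairing.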
Oracle Key Vault should now be fully installed and you can use it as described in the Oracle Key Vault
documentation.