2 Configuring an HSM for Oracle Key Vault

The HSM can be configured to protect keys, or work in a classic primary-standby configuration or in a multi-master cluster.

• Protecting the Oracle Key Vault TDE Master Key with the HSM
  You can use the Oracle Key Vault management console to configure protection for the TDE master encryption key.
• Enabling HSM in a High Availability Key Vault Installation
  In a primary-standby Oracle Key Vault installation, you must enable the HSM separately on the primary and standby servers.
• HSMs in a Multi-Master Cluster
  You can configure HSMs in a multi-master cluster with a single node or multiple nodes.
• Backup and Restore Operations in an HSM-Enabled Oracle Key Vault Instance
  You can back up and restore an HSM-enabled Oracle Key Vault instance.
• Reverse Migration Operation
  Reverse migrating an HSM-enabled Oracle Key Vault server reverts the Key Vault server to using the recovery passphrase to protect the TDE wallet.

2.1 Protecting the Oracle Key Vault TDE Master Key with the HSM

You can use the Oracle Key Vault management console to configure protection for the TDE master encryption key.

If you plan to use a multi-master cluster, then Oracle recommends that you perform this procedure before you configure the cluster environment. Ensure that you complete the following steps on this server before you perform these steps on another Oracle Key Vault server.

1. If you have implemented nCipher Hardware Security Module (HSM), then run the following command as user oracle:

   oracle$ /opt/nfast/bin/rfs-sync --update

2. Log into the Oracle Key Vault management console as a user with the System Administrator role.
   If you are using a multi-master cluster environment, then log into the Oracle Key Vault node that you want to HSM-enable.
3. Click the System tab.
   The Status page appears.
4. Click Hardware Security Module in the left sidebar.
   The Hardware Security Module page appears. The red downward arrow shows the non-initialized Status. The Type field displays None.

   
   
   Description of the illustration hsm_page.png
   

5. Click Initialize.
   The Initialize HSM dialog box appears.

   
   
   Description of the illustration hsm_init_bp3.png
   

6. Enter the HSM credential two times: first in HSM Credential and second in Re-enter HSM Credential.
   Consult the HSM documentation for this credential. The HSM credential for SafeNet is the SafeNet partition password. For nCipher, the credential is the Operator Card Set password.
7. Enter the Recovery Passphrase for Oracle Key Vault.
8. Click Initialize.
   At the end of a successful initialize operation, the Hardware Security Module page appears. The initialized Status is indicated by an upward green arrow. The Type field displays details of the HSM in use.

   
   
   Description of the illustration hsm_post_init.png
   

9. If you have implemented nCipher HSM, then run the following command as user oracle:

   oracle$ /opt/nfast/bin/rfs-sync --commit 

   If you do not perform this step after each initialization when using nCipher, then multiple features will break, including restoring backups and using the primary-standby configuration.

10. Verify that the operation was successful by checking the most recent initialization log files in the /var/okv/log/hsm/ directory.

If the initialize operation fails, then you will be redirected to the Hardware Security Module page with non-initialized Status and Type None.

Note:

If you change the HSM credential on the HSM after initialization, then you must also update the HSM credential on the Oracle Key Vault server using the Set Credential command.

2.2 Enabling HSM in a High Availability Key Vault Installation

In a primary-standby Oracle Key Vault installation, you must enable the HSM separately on the primary and standby servers.

You must perform this task before pairing these two servers in a primary-standby configuration. If you have already HSM-enabled either the primary or the standby server, or both, but do not follow these steps and then do a primary-standby pairing, then the configuration will fail. If the servers are already paired but neither are HSM-enabled, then you must unpair them, reinstall the standby server, and the follow these steps.

1. Install two separate Oracle Key Vault instances.
2. Choose one to be the primary node and the other to be the standby node.
3. Install the HSM client software on both the primary and the standby node.
4. Enroll the primary and standby nodes as clients of HSM.
5. Initialize HSM use on the primary.
   Log in to the designated primary server through SSH as user support, switch user (su) to root, then switch user (su) to oracle.

   $ ssh support@okv_primary_instance_ip_address
   support$ su root
   root# su oracle

6. Perform the following manual steps on the primary server as user oracle:

   oracle$ cd /usr/local/okv/hsm/wallet
   oracle$ scp cwallet.sso support@okv_standby_instance_ip_address:/tmp
   oracle$ scp enctdepwd support@okv_standby_instance_ip_address:/tmp
   oracle$ cd /usr/local/okv/hsm/restore
   oracle$ scp ewallet.p12 support@okv_standby_instance_ip_address:/tmp

7. Log in to the designated standby server through SSH as user support, then switch user (su) to root.

   $ ssh support@okv_standby_instance_ip_address
   support$ su root
   

8. Open the okv_security.conf file.

   A sample okv_security.conf file before enabling HSM in the node appears as follows:

   SNMP_ENCRYPTION_PWD="snmp_encryption_password" 
   SNMP_AUTHENTICATION_PWD="snmp_auth_password" 
   SNMP_USERNAME="snmpuser" 
   SMTP_TRUSTSTORE_PWD="smtp_truststore_password" 
   HSM_ENABLED="0" 
   FIPS_ENABLED="fips_value" 
   HSM_FIPS_ENABLED="1"

   Versions of Oracle Key Vault earlier than release 18 may not contain the FIPS_ENABLED or the HSM_FIPS_ENABLED parameter in the okv_security.conf file. Consult the documentation for earlier releases for more information.

9. Set up the HSM-related files and in the okv_security.conf file, set the HSM_ENABLED and HSM_PROVIDER parameters.

   root# cd /usr/local/okv/hsm/wallet
   root# mv /tmp/enctdepwd .
   root# mv /tmp/cwallet.sso .
   root# chown oracle *
   root# chgrp oinstall *
   root# cd /usr/local/okv/hsm/restore
   root# mv /tmp/ewallet.p12 .
   root# chown oracle *
   root# chgrp oinstall *
   root# vi /usr/local/okv/etc/okv_security.conf
      Set HSM_ENABLED="1"
      Set HSM_PROVIDER="provider_value"
   

   In this specification:

   • HSM_ENABLED is set in this example to 1 to enable the HSM for this node. Setting it to 0 disables the HSM.
   • HSM_PROVIDER refers to the HSM provider. For SafeNet, set this value to 1. For nCipher, set it to 2.
10. Save and quit by entering the following sequence of characters in the vi file: :wq!

    After you enable the HSM, the okv_security.conf file will be similar to the following:

    SNMP_ENCRYPTION_PWD="snmp_encryption_password" 
    SNMP_AUTHENTICATION_PWD="snmp_auth_password" 
    SNMP_USERNAME="snmpuser" 
    SMTP_TRUSTSTORE_PWD="smtp_truststore_password" 
    HSM_ENABLED="1" 
    FIPS_ENABLED="fips_value"
    HSM_PROVIDER="2"

    Versions of Oracle Key Vault earlier than release 18 may not contain the FIPS_ENABLED or the HSM_FIPS_ENABLED parameter in the okv_security.conf file. Consult the documentation for earlier releases for more information.

11. Without restarting the Oracle Key Vault instances, navigate to the primary and standby Oracle Key Vault management consoles and configure primary-standby environment.

2.3 HSMs in a Multi-Master Cluster

You can configure HSMs in a multi-master cluster with a single node or multiple nodes.

• About HSMs in a Multi-Master Cluster
  An HSM in Oracle Key Vault stores a top level master encryption key that acts as a Root of Trust (RoT).
• Configuring an HSM for a Multi-Master Cluster Starting with Single Node (Recommended)
  Oracle recommends that to use an HSM with a multi-master cluster, you start with a single HSM-enabled node and add additional HSM-enabled nodes using the node induction process.
• Configuring an HSM for a Multi-Master Cluster with Multiple Nodes
  You can configure HSM for multiple nodes by copying a bundle from the first HSM-enabled node to the other nodes in the cluster before configuring HSM for the other nodes.

2.3.1 About HSMs in a Multi-Master Cluster

An HSM in Oracle Key Vault stores a top level master encryption key that acts as a Root of Trust (RoT).

This RoT protects master encryption keys that Oracle Key Vault uses. HSMs are built with specialized tamper-resistant hardware which is harder to access than normal servers. This protects the RoT and makes it difficult to extract encrypted data, lowering the risk of compromise. In addition, you can use HSMs in FIPS 140-2 level 3 mode, which enables you to meet certain compliance requirements.

Note:

An existing Oracle Key Vault deployment cannot be migrated to use an HSM as a RoT.

In a multi-master Oracle Key Vault installation, any Key Vault node in the cluster can use any HSM. The nodes in the multi-master cluster can use different TDE wallet passwords, RoT keys, and HSM credentials.

Note:

To ensure complete security, you must HSM-enable all Oracle Key Vault nodes in the cluster.

2.3.2 Configuring an HSM for a Multi-Master Cluster Starting with Single Node (Recommended)

Oracle recommends that to use an HSM with a multi-master cluster, you start with a single HSM-enabled node and add additional HSM-enabled nodes using the node induction process.

Oracle recommends the following steps to configure an HSM for a multi-master cluster with a single node:

1. Convert an Oracle Key Vault server into the first node of the cluster.
2. HSM-enable the first node before adding any new nodes.
3. HSM-enable the candidate node before adding it to the cluster.
4. Add the HSM-enabled candidate node to the cluster using a controller node that is also HSM-enabled.

   Note the following:

   • If any node in the cluster is already HSM-enabled, you cannot add a new node that is not HSM-enabled.
   • The Add Node to Cluster page will require the controller node's HSM credential.

2.3.3 Configuring an HSM for a Multi-Master Cluster with Multiple Nodes

You can configure HSM for multiple nodes by copying a bundle from the first HSM-enabled node to the other nodes in the cluster before configuring HSM for the other nodes.

• About Configuring an HSM for a Multi-Master Cluster with Multiple Nodes
  The general procedure is to perform steps first on the original node, then on the nodes that you want to add to the cluster.
• Step 1: Configure the First HSM-Enabled Node
  After configuring the HSM on the first node in the multi-master cluster, you must create the bundle and copy it to the other nodes in the cluster.
• Step 2: Configure the Remaining Nodes
  After you configure the first node, you are ready to install the bundle on the remaining nodes.

2.3.3.1 About Configuring an HSM for a Multi-Master Cluster with Multiple Nodes

The general procedure is to perform steps first on the original node, then on the nodes that you want to add to the cluster.

The instructions for configuring an HSM for a multi-master cluster starting with a single node explain how to configure an HSM for a multi-master cluster, starting with a single node of the cluster and is the recommended way to configure a cluster to use HSM(s). However, if you have already configured a multi-master cluster, you can still configure the cluster to use HSMs. However, there are extra steps needed, involving manually copying a bundle from the first HSM-enabled node to all of the other nodes in the cluster and applying it before proceeding to HSM-enable any other node. Note that if the first node that is HSM-enabled has a read-write peer node, then the read-write peer will not be able to decrypt the replicated information from the HSM-enabled node until the bundle is copied and applied successfully to the read-write peer. This could result in data loss if the bundle is not immediately successfully created and applied to the read-write peer.

After you HSM-enable the first node in the cluster, use the following steps to create the bundle on the HSM-enabled node and copy and apply it on all other nodes in the cluster before you proceed to HSM-enable any other node.

2.3.3.2 Step 1: Configure the First HSM-Enabled Node

After configuring the HSM on the first node in the multi-master cluster, you must create the bundle and copy it to the other nodes in the cluster.

1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
2. Ensure that you have followed the instructions in Oracle Key Vault Administrator's Guide to create the first (initial) node of a cluster.
3. Click the System tab.
4. On the left side of the System page, click Hardware Secure Module.
5. On the HSM-enabled node, click Create Bundle on the HSM page.
6. Log in to the HSM-enabled node through SSH as user support.

   $ ssh support@hsm_enabled_node

7. Switch to the root user.

   support$ su root

8. To copy the bundle to the /usr/local/okv/hsm location on each of the other nodes using the IP address, use SCP.
   Ensure that you perform this step using the IP address of all other nodes in the cluster.

   root# scp /usr/local/okv/hsm/hsmbundle support@ip_address:/tmp

2.3.3.3 Step 2: Configure the Remaining Nodes

After you configure the first node, you are ready to install the bundle on the remaining nodes.

Complete this procedure as soon as possible after you have HSM-enabled the first node and copied the bundle to all other nodes.

1. Log in to each node in the cluster using the IP address (except the original HSM-enabled node):.

   $ ssh support@ip_address

2. On each node, switch to the root user.

   support$ su root

3. Perform the following steps on each node:

   root# cp /tmp/hsmbundle /usr/local/okv/hsm/
   root# chown oracle:oinstall /usr/local/okv/hsm/hsmbundle

4. On each node except the original HSM-enabled node, click Apply Bundle on the HSM page.
   You must apply the bundle immediately on all nodes before you reverse-migrate the original HSM-enabled node.
5. Proceed to HSM-enable each of these nodes in the same way that you HSM-enabled the first node.
6. After you have HSM-enabled all nodes and verified the replication between all nodes, remove the hsmbundle file from all of the nodes.

2.4 Backup and Restore Operations in an HSM-Enabled Oracle Key Vault Instance

You can back up and restore an HSM-enabled Oracle Key Vault instance.

• Backup Operations in an HSM-Enabled Oracle Key Vault Instance
  Backing up Oracle Key Vault data in an HSM-enabled instance is the same as backing up an instance that has not been HSM enabled.
• Restore Operations in an HSM-Enabled Oracle Key Vault Instance
  Only backups made to an HSM-enabled Oracle Key Vault instance can be restored onto an HSM-enabled Oracle Key Vault instance.

2.4.1 Backup Operations in an HSM-Enabled Oracle Key Vault Instance

Backing up Oracle Key Vault data in an HSM-enabled instance is the same as backing up an instance that has not been HSM enabled.

You can use the Oracle Key Vault management console to perform a backup operation.

2.4.2 Restore Operations in an HSM-Enabled Oracle Key Vault Instance

Only backups made to an HSM-enabled Oracle Key Vault instance can be restored onto an HSM-enabled Oracle Key Vault instance.

Before you restore a backup onto a system, you must ensure that the system can access both the HSM and the Root of Trust (RoT) that was used to make the backup. You must therefore have installed the HSM on the Oracle Key Vault server and enrolled Oracle Key Vault as a client of HSM before this step. If the backup was taken on an HSM-enabled cluster node, then when you restore the backup to a standalone server, you must ensure that the server has access to the same HSM as the node on which the backup was taken.

1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
   The Oracle Key Vault Home page appears.
2. Click the System tab.
   The Status page appears.
3. Click Hardware Security Module in the left sidebar.
   The Hardware Security Module page appears. On restore, the Status is disabled first, then enabled after the restore completes.
4. Click Set Credential.
   The Prepare for HSM Restore screen appears.

   
   
   Description of the illustration hsm_set_cred_bp3.png
   

5. Enter the HSM credential two times: first in HSM Credential and second in Re-enter HSM Credential.
   Consult the HSM documentation for this credential. The HSM credential for SafeNet is the SafeNet partition password. For nCipher, the credential is the Operator Card Set password.
6. Click Set Credential.

   Caution:

   If you enter an incorrect credential for the HSM, the previous credential will continue to be stored and used. If the node is not HSM enabled, and you enter an incorrect credential for the HSM, the incorrect credential is not stored.

   The HSM credential will be stored in the system. You must manually enter this HSM credential to perform an HSM restore because it is not stored in the backup itself.
7. In the Oracle Key Vault management console, go to the Restore page and then restore the backup.

2.5 Reverse Migration Operation

Reverse migrating an HSM-enabled Oracle Key Vault server reverts the Key Vault server to using the recovery passphrase to protect the TDE wallet.

This operation is necessary if the HSM that protects Oracle Key Vault must be decommissioned.

• Reverse Migrating a Standalone Deployment
  You can reverse migrate a standalone deployment by using the Oracle Key Vault management console.
• Reverse Migrating a Primary-Standby Deployment
  To reverse migrate a primary-standby deployment, use both the Oracle Key Vault management console and the command line.
• Reverse Migrating a Multi-Master Cluster
  You can reverse migrate a multi-master cluster by using the Oracle Key Vault management console.

2.5.1 Reverse Migrating a Standalone Deployment

You can reverse migrate a standalone deployment by using the Oracle Key Vault management console.

1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
   The Oracle Key Vault Home page appears.
2. Click the System tab.
   The Status page appears.
3. Click Hardware Security Module in the left sidebar.
   The Hardware Security Module page appears.
4. Click Reverse Migrate.

   The HSM Reverse Migrate screen is displayed.

   
   
   Description of the illustration hsm_reverse_migrate.png
   

   On the HSM Reverse Migrate screen, enter the following details:

   • Enter the HSM credential in the HSM Credential field. Consult the HSM documentation for this credential. The HSM credential for SafeNet is the SafeNet partition password. For nCipher, the credential is the Operator Card Set password.

   • Enter the old recovery passphrase in the Old Recovery Passphrase field.

   • Enter the new recovery passphrase in the New Recovery Passphrase and Re-enter New Recovery Passphrase fields.

5. Click Reverse Migrate
   The Hardware Security Module page appears. The red downward arrow indicates the Status.

2.5.2 Reverse Migrating a Primary-Standby Deployment

To reverse migrate a primary-standby deployment, use both the Oracle Key Vault management console and the command line.

1. On the primary server, log into the Oracle Key Vault management console as a user with system administrative privileges.
   The Oracle Key Vault Home page appears.
2. Click the System tab.
   The Status page appears.
3. Click Hardware Security Module in the left sidebar.
   The Hardware Security Module page appears.
4. Click Reverse Migrate.

   The HSM Reverse Migrate screen is displayed.

   
   Description of the illustration hsm_reverse_migrate.png

   On the HSM Reverse Migrate screen, enter the following details:

   • Enter the HSM credential in the HSM Credential field. Consult the HSM documentation for this credential. The HSM credential for SafeNet is the SafeNet partition password. For nCipher, the credential is the Operator Card Set password.

   • Enter the old recovery passphrase in the Old Recovery Passphrase field.

   • Enter the new recovery passphrase in the New Recovery Passphrase and Re-enter New Recovery Passphrase fields.

5. Click Reverse Migrate
   The Hardware Security Module page appears. The red downward arrow indicates the Status.
6. On the standby server, log in to the Oracle Key Vault Server through SSH as user support, then switch user (su) to root.

   $ ssh support@okv_standby_instance
   support$ su root

7. Modify the okv_security.conf file.

   root# vi /usr/local/okv/etc/okv_security.conf

   • Delete the line HSM_PROVIDER="provider_value".

   • Change the value of the parameter HSM_ENABLED to "0".

   Save and quit by entering the following sequence of characters in the vi file: :wq!

8. On the standby server, remove the following files:

   root# cd /usr/local/okv/hsm/wallet
   root# rm -f cwallet.sso enctdepwd
   root# cd /usr/local/okv/hsm/restore
   root# rm -f cwallet.sso ewallet.p12
   root# cd /mnt/okvram
   root# rm -f cwallet.sso ewallet.p12
   root# cd /mnt/okvram/restore
   root# rm -f cwallet.sso ewallet.p12
   root# cd /usr/local/okv/tde
   root# rm -f cwallet.sso

9. Switch user (su) to oracle:

   root# su oracle

10. Run the following command:

    oracle$ /var/lib/oracle/dbfw/bin/orapki wallet create -wallet /usr/local/okv/tde -auto_login

11. Enter the new recovery passphrase that you specified in Step 4.

The primary-standby deployment is successfully reverse migrated.

2.5.3 Reverse Migrating a Multi-Master Cluster

You can reverse migrate a multi-master cluster by using the Oracle Key Vault management console.

1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
   The Oracle Key Vault Home page appears.
2. Click the System tab.
   The Status page appears.
3. Click Hardware Security Module in the left sidebar.
   The Hardware Security Module page appears.
4. Click Reverse Migrate.

   The HSM Reverse Migrate dialog box is displayed.

   
   
   Description of the illustration hsm_reverse_migrate_mmc.png
   

   In the HSM Reverse Migrate dialog box, enter the following details:

   • Enter the HSM credential. Consult the HSM documentation for this credential. The HSM credential for SafeNet is the SafeNet partition password. For nCipher, the credential is the Operator Card Set password.

   • Enter the recovery passphrase.

5. Click Reverse Migrate
   The Hardware Security Module page appears. The red downward arrow indicates the Status.