2 Oracle Key Vault Installation Requirements

The Oracle Key Vault installation requirements cover areas such as CPU, memory, disk space, network interfaces, and supported endpoint platforms.

2.1 System Requirements

System requirements include CPU, memory, disk, network interface, and hardware compatibility.

The Oracle Key Vault installation removes existing software on a server.

You can install Oracle Key Vault on dedicated servers, as guests into your virtualization platform, or as a guest into a compute instance in your Oracle Cloud Infrastructure (OCI) tenancy, deployed in minutes from the Oracle Cloud Marketplace. Visit the following site:

https://cloudmarketplace.oracle.com/marketplace/app/OracleKeyVault

However, virtual machines are useful for testing and proof of concept purposes.

The minimum hardware requirements for deploying the Oracle Key Vault software appliance are:

  • CPU: Minimum: x86-64 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AES-NI).

  • Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.

  • Disk: Both BIOS and UEFI boot mode. For a system with a boot disk size greater than 2 TB, Oracle Key Vault supports booting in UEFI mode only.

  • Network interface: One or two network interfaces.

  • Hardware Compatibility: Any Intel x86 64-bit hardware platform supported by Oracle Key Vault's embedded operating system. Oracle Key Vault uses Oracle Linux release 7 with the Unbreakable Enterprise Kernel (UEK) version 5. For a list of compatible hardware, refer to Hardware Certification List for Oracle Linux and Oracle VM in the Related Topics. This list contains the minimum version of Oracle Linux certified with the selected hardware. All Oracle Linux updates starting with Oracle Linux release 7 as the minimum are also certified unless otherwise noted. Refer to Oracle Linux documentation for more information on the operating system platform.

    Note:

    You can find the supported hardware from the hardware certification list for Oracle Linux and Oracle VM. Filter the results by selecting All Operating Systems and choosing Oracle Linux 7.9. However, be aware that Oracle Key Vault does not support the QLogic QL4* family of network cards.

    Oracle Key Vault supports both Legacy BIOS and UEFI BIOS boot modes. UEFI BIOS mode support allows Oracle Key Vault to be installed on servers that support UEFI BIOS only, such as Oracle X7-2 Server.

  • RESTful Services Utility: If you plan to automate the onboarding of endpoints into Oracle Key Vault with the RESTful services, then ensure that the Java version on the future endpoint where the RESTful script will be executed is at release 1.7.0.21 or later.

    The version of Java that is included in Oracle Database 12.2.0.1 and later is supported by Oracle Key Vault. For these releases, set JAVA_HOME to $ORACLE_HOME/jdk/jre and add JAVA_HOME/bin to your PATH.

    For Oracle databases that are earlier than release 12.2.0.1, find the current Java installation as follows:

    $ namei /usr/bin/java | grep "l java"

    The output is similar to the following:

     l java -> /etc/alternatives/java
       l java -> /usr/java/jdk1.8.0_131/jre/bin/java

    In this example, set JAVA_HOME=/usr/java/jdk1.8.0_131/jre and then add JAVA_HOME/bin to PATH: PATH=$PATH:$JAVA_HOME/bin.

    OpenJDK is not supported.
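The check below is an added example, not Oracle-supplied code: it classifies the text printed by `java -version` against the two conditions stated above (release 1.7.0.21 or later, and not OpenJDK). The function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify `java -version` output against this page's requirement
# (Java 1.7.0.21 or later, OpenJDK not supported). Not Oracle-supplied code.
MIN_VERSION="1.7.0.21"   # as written on this page; the JVM prints it as 1.7.0_21

# Print "major minor patch update" for 1.8.0_131, 1.7.0.21 or 11.0.2.
version_fields() {
  set -- $(printf '%s\n' "$1" | sed 's/[^0-9._].*$//; s/[._]/ /g')
  echo "${1:-0} ${2:-0} ${3:-0} ${4:-0}"
}

# Succeed when version $1 >= version $2, comparing field by field as integers.
version_ge() {
  set -- $(version_fields "$1") $(version_fields "$2")
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    [ "${pair%:*}" -gt "${pair#*:}" ] && return 0
    [ "${pair%:*}" -lt "${pair#*:}" ] && return 1
  done
  return 0
}

# $1 is the full banner text; `java -version` writes it to stderr.
check_java_banner() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then
    echo "unknown: no version string found"; return 2
  fi
  if printf '%s\n' "$1" | grep -qi 'openjdk'; then
    echo "unsupported: OpenJDK build ($ver)"; return 1
  fi
  if ! version_ge "$ver" "$MIN_VERSION"; then
    echo "unsupported: $ver is older than $MIN_VERSION"; return 1
  fi
  echo "supported: $ver"
}

# Constructed sample banners, not captured from a real host.
ORACLE_JDK8='java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)'
OPENJDK8='openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)'
OLD_JDK7='java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)'

for sample in "$ORACLE_JDK8" "$OPENJDK8" "$OLD_JDK7"; do
  check_java_banner "$sample" || true
done
# On a real host: check_java_banner "$("$JAVA_HOME/bin/java" -version 2>&1)"
```

Run the check against the `java` binary that `JAVA_HOME` resolves to, since `/usr/bin/java` may point to a different installation through the alternatives symlinks shown above.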

Note:

For deployment with a large number of endpoints, the hardware requirement may need to scale to meet the workload.

2.2 Network Port Requirements

Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.

Oracle Key Vault and its endpoints use a set of specific ports for communication. Network administrators must ensure that these ports are open in the network firewall.

The following table lists the required network ports for Oracle Key Vault:

Table 2-1 Ports Required for Oracle Key Vault

| Port Number | Protocol | Descriptions |
|---|---|---|
| 22 | SSH/SCP port | Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault |
| 161 | SNMP port | Used by monitoring software to poll Oracle Key Vault for system information |
| 443 | HTTPS port | Used by web clients such as browsers and RESTful Administrative commands to communicate with Oracle Key Vault |
| 5695 | HTTPS port | Used by RESTful Key Management commands to communicate with Oracle Key Vault |
| 1521 and 1522 | Database TCPS listener ports | In a primary-standby configuration, listener ports used by Oracle Data Guard to communicate between the primary and standby server. In a cluster configuration, listener ports used to communicate between read-write peer nodes. |
| 7443 | HTTPS port | Listener port used in a primary-standby configuration to run OS commands like synchronizing wallets and configuration files through HTTPS. This port is also used when you add a new node to a cluster. |
| 5696 | KMIP port | Used by Oracle Key Vault endpoints and third party KMIP clients to communicate with the Oracle Key Vault KMIP server |
| 7093 | TCP port | Used by Oracle GoldenGate for transmitting data in a multi-master cluster configuration |
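Table 2-1 says which ports must be open but each port serves a different class of client, so the firewall can allow each source network only the ports its role uses. The script below is an added example, not Oracle-supplied code. It assumes a Linux forwarding firewall managed with iptables; the role grouping is read from the Descriptions column, UDP for SNMP is the standard SNMP transport rather than something the table states, and all addresses are constructed placeholders.

```sh
#!/bin/sh
# Added example: per-source allow rules derived from Table 2-1. Not Oracle-supplied.
# The role column is an assumption read from the table's Descriptions column.
okv_port_map() {
  cat <<'EOF'
admin      tcp 22   SSH/SCP remote administration
admin      tcp 443  web console and RESTful administrative commands
monitoring udp 161  SNMP polling
endpoint   tcp 443  RESTful administrative commands (endpoint onboarding)
endpoint   tcp 5695 RESTful key management commands
endpoint   tcp 5696 KMIP
peer       tcp 1521 database TCPS listener
peer       tcp 1522 database TCPS listener
peer       tcp 7443 HTTPS sync of wallets and configuration, adding a node
peer       tcp 7093 Oracle GoldenGate, multi-master cluster
EOF
}

# usage: emit_rules <okv_ip> <role> <source_cidr>
# Prints iptables commands for review; it does not run them.
emit_rules() {
  case $2 in
    admin|monitoring|endpoint|peer) ;;
    *) echo "unknown role: $2" >&2; return 2 ;;
  esac
  okv_port_map | while read -r role proto port purpose; do
    [ "$role" = "$2" ] || continue
    printf 'iptables -A FORWARD -p %s -s %s -d %s --dport %s -j ACCEPT  # %s\n' \
      "$proto" "$3" "$1" "$port" "$purpose"
  done
}

# Constructed addresses from the RFC 5737 documentation ranges.
OKV=192.0.2.10
emit_rules "$OKV" admin      198.51.100.0/28
emit_rules "$OKV" monitoring 198.51.100.20/32
emit_rules "$OKV" endpoint   203.0.113.0/24
emit_rules "$OKV" peer       192.0.2.11/32
```

The output is meant to sit in front of the firewall's existing default-deny policy, so that endpoint networks never reach port 22 and administrator networks never reach the peer-to-peer listener ports.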

2.3 Supported Endpoint Platforms

Oracle Key Vault supports both UNIX and Windows endpoint platforms.

Oracle supports 64-bit Linux endpoints, and only 64-bit endpoints are supported for Oracle databases that use the online master key. The operating systems on which the endpoint runs must be compatible with Transport Layer Security (TLS) 1.2, either directly or with appropriate patches.

The supported endpoint platforms in this release are as follows:

  • Oracle Linux (6 and 7)

  • Oracle Solaris x86 (10 and 11)

  • Oracle Solaris SPARC (10 and 11)

  • RHEL 6 and 7

  • IBM AIX (6.1, 7.1, and 7.2)

    If you used AIX 5.3 in the release that you are upgrading from, then you must move your endpoints off that platform, because it is no longer supported starting with Oracle Key Vault release 21.1.

  • HP-UX (IA) (11.31)

  • Windows Server 2012

2.4 Endpoint Database Requirements

Administrators can use online master keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.

Administrators can use the online master key to manage TDE master encryption keys for endpoints that are Oracle Database 11.2 or later. Administrators who want to use Oracle Key Vault for wallet management only or who are migrating existing wallet deployments to Oracle Key Vault can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault.

Administrators who manage endpoints that are Oracle Database may need to set the COMPATIBLE initialization parameter.

For an endpoint that is Oracle Database release 11.2 or later, set the COMPATIBLE initialization parameter to 11.2.0.0 or later. A COMPATIBLE setting of 11.2 or later enables Transparent Data Encryption to work with Oracle Key Vault. For example:

SQL> ALTER SYSTEM SET COMPATIBLE = '11.2.0.0' SCOPE=SPFILE;

This applies to an Oracle Database endpoint that uses the online master key to manage TDE master encryption keys. This compatibility mode setting is not required for Oracle wallet upload or download operations.

Also note that after setting the COMPATIBLE parameter to 11.2.0.0, you cannot set it to a lower value such as 10.2. After you set the COMPATIBLE parameter, you must restart the database.

For Microsoft Windows endpoints, Oracle Key Vault supports the latest available database release versions at the time of the Oracle Key Vault release. For example, for Oracle Key Vault release 21.2, the MES libraries are upgraded in the latest version of RDBMS (APRIL 2021 DBBP), so Oracle Key Vault has upgraded them as well.