2 Oracle Key Vault Installation Requirements
The Oracle Key Vault installation requirements cover areas such as CPU, memory, disk space, network interfaces, and supported endpoint platforms.
- System Requirements
  System requirements include CPU, memory, disk, network interface, and hardware compatibility.
- Network Port Requirements
  Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
- Supported Endpoint Platforms
  Oracle Key Vault supports both UNIX and Windows endpoint platforms.
- Endpoint Database Requirements
  Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
2.1 System Requirements
System requirements include CPU, memory, disk, network interface, and hardware compatibility.
The Oracle Key Vault installation removes existing software on a server.
You can install Oracle Key Vault on dedicated servers, as guests into your virtualization platform, or as a guest into a compute instance in your Oracle Cloud Infrastructure (OCI) tenancy, deployed in minutes from the Oracle Cloud Marketplace. Visit the following site:
https://cloudmarketplace.oracle.com/marketplace/app/OracleKeyVault
However, virtual machines are useful for testing and proof of concept purposes.
The minimum hardware requirements for deploying the Oracle Key Vault software appliance are:
- CPU: Minimum: x86-64 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AES-NI).
- Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.
- Disk: Minimum 2 TB. Recommended: 4 TB.
  Both BIOS and UEFI boot modes are supported. For a system with a boot disk size greater than 2 TB, Oracle Key Vault supports booting in UEFI mode only.
  Note: Oracle Key Vault does not support fiber channel based storage with multipath for the boot disk.
- Network interface: One or two network interfaces.
- Hardware Compatibility: Any Intel x86 64-bit hardware platform supported by Oracle Key Vault's embedded operating system. Oracle Key Vault uses Oracle Linux release 7 with the Unbreakable Enterprise Kernel (UEK) version 5. For a list of compatible hardware, refer to the Hardware Certification List for Oracle Linux and Oracle VM in the Related Topics. This list contains the minimum version of Oracle Linux certified with the selected hardware. All Oracle Linux updates starting with Oracle Linux release 7 as the minimum are also certified unless otherwise noted. Refer to the Oracle Linux documentation for more information on the operating system platform.
  Note: You can find the supported hardware in the hardware certification list for Oracle Linux and Oracle VM. Filter the results by selecting All Operating Systems and choosing Oracle Linux 7.9. However, be aware that Oracle Key Vault does not support the QLogic QL4* family of network cards.
  Oracle Key Vault supports both Legacy BIOS and UEFI boot modes. Support for UEFI boot mode allows the installation of Oracle Key Vault on servers that support only UEFI, such as the Oracle X7-2 Server.
- RAID: Oracle Key Vault does not support software RAID installations. If you require a RAID configuration, enable hardware RAID that presents one disk to Oracle Key Vault.
- RESTful Services Utility: If you plan to automate the onboarding of endpoints into Oracle Key Vault with the RESTful services, then ensure that the Java version on the future endpoint where the RESTful script will be executed is at release 1.7.0.21 or later.
  The version of Java that is included in Oracle Database 12.2.0.1 and later is supported by Oracle Key Vault. For these releases, set JAVA_HOME to $ORACLE_HOME/jdk/jre and add $JAVA_HOME/bin to your PATH.
  For Oracle databases that are earlier than release 12.2.0.1, find the current Java installation as follows:
  $ namei /usr/bin/java | grep "l java"
  The output is similar to the following:
  l java -> /etc/alternatives/java
  l java -> /usr/java/jdk1.8.0_131/jre/bin/java
  In this example, set JAVA_HOME=/usr/java/jdk1.8.0_131/jre and then add $JAVA_HOME/bin to PATH:
  PATH=$PATH:$JAVA_HOME/bin
  OpenJDK is not supported.
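As an added example that is not part of the Oracle documentation, the following POSIX shell script pre-checks the Java prerequisite for the RESTful services utility described above: it rejects OpenJDK, compares the reported release against 1.7.0.21, and derives JAVA_HOME from the resolved java binary the way the namei output is used above. The sample java -version texts are constructed, and the function names are this example's own.

```shell
# Added example, not from the Oracle Key Vault documentation: pre-check the
# Java prerequisite for the RESTful services utility on an endpoint. The
# checks take strings as input, so they also run on a host without a JDK.
MIN_JAVA="1.7.0.21"   # minimum release stated in the requirements

# Compare two dotted versions; prints -1, 0 or 1. "_" counts as "." so
# 1.8.0_131 and 1.8.0.131 compare equal; missing fields count as 0.
ver_cmp() {
    a=$(printf '%s' "$1" | tr '_' '.'); b=$(printf '%s' "$2" | tr '_' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Evaluate the text printed by "java -version" ($1): reject OpenJDK, then
# require the release to be MIN_JAVA or later. Returns 0 when acceptable.
java_ok() {
    case $1 in *OpenJDK*|*openjdk*) echo "unsupported: OpenJDK"; return 1;; esac
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unsupported: no version line"; return 1; }
    if [ "$(ver_cmp "$ver" "$MIN_JAVA")" -lt 0 ]; then
        echo "unsupported: $ver is older than $MIN_JAVA"; return 1
    fi
    echo "ok: $ver"
}

# Derive JAVA_HOME from the resolved java binary, as the documentation does
# for /usr/java/jdk1.8.0_131/jre/bin/java -> /usr/java/jdk1.8.0_131/jre.
java_home_from_bin() {
    case $1 in */bin/java) printf '%s\n' "${1%/bin/java}";; *) return 1;; esac
}

# Live check on this host (not run automatically); readlink -f follows the
# same symlink chain that "namei /usr/bin/java" displays.
live_check() {
    bin=$(readlink -f "$(command -v java)") || return 1
    java_ok "$(java -version 2>&1)" || return 1
    echo "JAVA_HOME=$(java_home_from_bin "$bin")"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ORACLE_JDK='java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)'
SAMPLE_OPENJDK='openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)'
java_ok "$SAMPLE_ORACLE_JDK" || :
java_ok "$SAMPLE_OPENJDK" || :
```

Run live_check on the endpoint itself to get the JAVA_HOME value to export; the sample calls at the end only show the two verdicts on the constructed texts.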
Note: For a deployment with a large number of endpoints, the hardware requirement may need to scale to meet the workload.
2.2 Network Port Requirements
Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
Oracle Key Vault and its endpoints use a set of specific ports for communication. Network administrators must ensure that these ports are open in the network firewall.
The following table lists the required network ports for Oracle Key Vault:
Table 2-1 Ports Required for Oracle Key Vault
| Port Number | Protocol | Description |
|---|---|---|
| | SSH/SCP port | Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault |
| | SNMP port | Used by monitoring software to poll Oracle Key Vault for system information |
| | HTTPS port | Used by web clients such as browsers and RESTful Administrative commands to communicate with Oracle Key Vault |
| | HTTPS port | Used by RESTful Key Management commands to communicate with Oracle Key Vault |
| | Database TCPS listener ports | In a primary-standby configuration, listener ports used by Oracle Data Guard to communicate between the primary and standby server. In a cluster configuration, listener ports used to communicate between read-write peer nodes. |
| | HTTPS port | Listener port used in a primary-standby configuration to run OS commands like synchronizing wallets and configuration files through HTTPS. This port is also used when you add a new node to a cluster. |
| | KMIP port | Used by Oracle Key Vault endpoints and third-party KMIP clients to communicate with the Oracle Key Vault KMIP server |
| | TCP port | Used by Oracle GoldenGate for transmitting data in a multi-master cluster configuration |
- Add rules to open the ports listed in the table above.
- Add the following ingress rules:
  - ICMP Type 3, Code 4 (destination unreachable, fragmentation required and Don't Fragment flag is set).
  - ICMP Type 8, Code 0 (echo request, destination network is unreachable).
- If you are using a site-to-site VPN or FastConnect, ensure that your router allows traffic between the nodes of the multi-master cluster:
  - Add rules to open the ports.
  - In case of highly secured routers, add URL exceptions for your on-premises subnet at layers 3, 4, and 7.
  - Ensure that no packets are interpreted as threats by your routers.
2.3 Supported Endpoint Platforms
Oracle Key Vault supports both UNIX and Windows endpoint platforms.
Oracle supports 64-bit Linux endpoints, and only 64-bit endpoints are supported for Oracle databases that use the online master encryption key. The operating systems on which the endpoint runs must be compatible with Transport Layer Security (TLS) 1.2, either directly or with appropriate patches.
The supported endpoint platforms in this release are as follows:
- Oracle Linux (6 and 7)
- Oracle Solaris x86 (10 and 11)
- Oracle Solaris SPARC (10 and 11)
- RHEL 6 and 7
- IBM AIX (6.1, 7.1, and 7.2)
  If you used AIX 5.3 in the release that you are upgrading from, then you must move your endpoints off that platform, because it is no longer supported starting with Oracle Key Vault release 21.1.
- HP-UX (IA) (11.31)
- Windows Server 2012
2.4 Endpoint Database Requirements
Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
Administrators can use the online master encryption key to manage TDE master encryption keys for endpoints that are Oracle Database 11.2 or later. Administrators who want to use Oracle Key Vault for wallet management only, or who are migrating existing wallet deployments to Oracle Key Vault, can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault.
Administrators who manage endpoints that are Oracle Database may need to set the COMPATIBLE initialization parameter.
For an endpoint that is Oracle Database release 11.2 or later, set the COMPATIBLE initialization parameter to 11.2.0.0 or later. A COMPATIBLE setting of 11.2 or later enables Transparent Data Encryption to work with Oracle Key Vault. For example:
SQL> ALTER SYSTEM SET COMPATIBLE = '11.2.0.0' SCOPE=SPFILE;
This applies to Oracle Database endpoints that use the online master encryption key to manage TDE master encryption keys. This compatibility mode setting is not required for Oracle wallet upload or download operations.
Also note that after setting the COMPATIBLE parameter to 11.2.0.0, you cannot set it to a lower value such as 10.2. After you set the COMPATIBLE parameter, you must restart the database.
For Microsoft Windows endpoints, Oracle Key Vault supports the latest available database release versions at the time of the Oracle Key Vault release, including any associated Manufacturing Execution Systems (MES) libraries that may have been upgraded.