2 Oracle Key Vault Installation Requirements
The Oracle Key Vault installation requirements cover areas such as CPU, memory, disk space, network interfaces, and supported endpoint platforms.
- System Requirements
 System requirements include CPU, memory, disk, network interface, and hardware compatibility.
- Network Port Requirements
 Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
- Supported Endpoint Platforms
 Oracle Key Vault supports both UNIX and Windows endpoint platforms.
- Endpoint Database Requirements
 Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
2.1 System Requirements
System requirements include CPU, memory, disk, network interface, and hardware compatibility.
The Oracle Key Vault installation removes existing software on a server.
You can install Oracle Key Vault on dedicated servers, as guests into your virtualization platform, or as a guest into a compute instance in your Oracle Cloud Infrastructure (OCI) tenancy, deployed in minutes from the Oracle Cloud Marketplace. Visit the following site:
https://cloudmarketplace.oracle.com/marketplace/app/OracleKeyVault
The minimum hardware requirements for deploying Oracle Key Vault on dedicated hardware or as VM guests are:
- CPU: Minimum: x86-64 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AESNI).
- Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.

  Note:
  - Oracle Key Vault does not support fiber channel storage with multipath for the boot disk.
  - You can add more RAM to the Oracle Key Vault systems, but you cannot reduce the RAM size lower than the original system configuration. System memory reduction is not supported in Oracle Key Vault.
- Disk: Minimum 2 TB. Recommended: 6 TB. Both BIOS and UEFI boot mode. For a system with a disk size greater than 2 TB, Oracle Key Vault supports booting in UEFI mode only.
- Network interface: One or two network interfaces.
- Hardware Compatibility: Any Intel x86 64-bit hardware platform supported by Oracle Key Vault's embedded operating system. Oracle Key Vault uses Oracle Linux 8 with the Unbreakable Enterprise Kernel (UEK) version 6. For a list of compatible hardware, refer to Hardware Certification List for Oracle Linux and Oracle VM in the Related Topics. This list contains the minimum version of Oracle Linux certified with the selected hardware. All Oracle Linux updates starting with Oracle Linux release 8 as the minimum are also certified unless otherwise noted. Refer to Oracle Linux documentation for more information on the operating system platform. Oracle Key Vault supports both Legacy BIOS and UEFI boot modes. The support for UEFI boot mode allows the installation of Oracle Key Vault on servers that exclusively support UEFI, or when disks larger than 2 TB are used.

  Note:
  - You can find the supported hardware from the hardware certification list for Oracle Linux and Oracle VM. Filter the results by selecting All Operating Systems and choosing Oracle Linux 8. However, be aware that Oracle Key Vault does not support the QLogic QL4* family of network cards.
  - For deployment with a large number of endpoints, the hardware requirement may need to scale to meet the workload.
- RAID: Oracle Key Vault does not support software RAID installations. If you require a RAID configuration, enable hardware RAID that presents one disk to Oracle Key Vault.
- RESTful Services Utility: If you plan to automate the onboarding of endpoints into Oracle Key Vault with the RESTful services, then ensure that the Java version on the future endpoint where the RESTful script will be executed is at release 1.7.0.21 or later. The version of Java that is included in Oracle Database 12.2.0.1 and later is supported by Oracle Key Vault. For these releases, set JAVA_HOME to $ORACLE_HOME/jdk/jre and add JAVA_HOME/bin to your PATH.

  For Oracle databases that are earlier than release 12.2.0.1, find the current Java installation as follows:

  ```
  $ namei /usr/bin/java | grep "l java"
  ```

  The output is similar to the following:

  ```
  l java -> /etc/alternatives/java
  l java -> /usr/java/jdk1.8.0_131/jre/bin/java
  ```

  In this example, set JAVA_HOME=/usr/java/jdk1.8.0_131/jre and then add JAVA_HOME/bin to PATH:

  ```
  PATH=$PATH:$JAVA_HOME/bin
  ```

  OpenJDK is not supported.
- Browser: Oracle Key Vault supports English as the browser display language.
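A pre-check for the RESTful Services Utility Java requirement above, as an added example that is not Oracle's own script: it reads the banner printed by `java -version`, rejects OpenJDK, compares the version with 1.7.0.21, and derives JAVA_HOME from a resolved `.../bin/java` path. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's script). Function names are hypothetical.
MIN_JAVA="1.7.0.21"   # minimum release stated in the requirement above

# version_ge A B: succeed when dotted version A >= B, field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# okv_java_ok BANNER: judge the text printed by `java -version`.
okv_java_ok() {
    # OpenJDK is not supported, whatever its version.
    if printf '%s\n' "$1" | grep -qi 'openjdk'; then
        echo "unsupported: OpenJDK"; return 1
    fi
    # The version is the quoted token, e.g. "1.8.0_131" or "11.0.2".
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unparsed banner"; return 2; }
    # 1.8.0_131 -> 1.8.0.131; cut suffixes such as -ea.
    norm=$(printf '%s' "$ver" | tr '_' '.' | sed 's/[^0-9.].*$//')
    if version_ge "$norm" "$MIN_JAVA"; then echo "ok: $ver"; return 0; fi
    echo "too old: $ver"; return 1
}

# java_home_for PATH: JAVA_HOME implied by a resolved .../bin/java path.
java_home_for() { printf '%s\n' "${1%/bin/java}"; }

# Constructed banners; on a real endpoint pass "$(java -version 2>&1)".
for b in 'java version "1.8.0_131"' 'java version "1.7.0_17"' \
         'openjdk version "11.0.2" 2019-01-15'; do
    printf '%-40s -> %s\n' "$b" "$(okv_java_ok "$b" || true)"
done
java_home_for /usr/java/jdk1.8.0_131/jre/bin/java
```

Running the check before onboarding catches an endpoint whose `/usr/bin/java` alternative points at OpenJDK, which the version number alone would not reveal.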
Other Installation Considerations:
- Oracle recommends that you do not install third-party software on an Oracle Key Vault appliance. For more information, see Additional or Third-Party Software.
- Oracle does not recommend decreasing the CPU and RAM allocated to Oracle Key Vault, because it is a software appliance. If you want to increase or decrease the CPU and RAM, take a backup of the Oracle Key Vault server, rebuild the server with the required system configuration, and restore from the backup with the recommended system configuration.
- Additional or Third-Party Software
 This section provides information for additional or third-party software.
2.1.1 Additional or Third-Party Software
This section provides information for additional or third-party software.
- Oracle recommends that you do not install third-party software on an Oracle Key Vault appliance. Oracle Key Vault is a security appliance, and installing third-party software interferes with the security of Oracle Key Vault. Installing third-party software may also affect the operational integrity of the Oracle Key Vault appliance. For example:
  - Installing third-party software may cause an upgrade to fail.
  - Reboot or upgrade of the Oracle Key Vault may override the configuration changes made by third-party software.
  - Third-party software may affect the configuration and operations of Oracle Key Vault in unexpected ways.

  Oracle does not support Oracle Key Vault installations with any third-party software.
2.2 Network Port Requirements
Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
Oracle Key Vault and its endpoints use a set of specific ports for communication. Network administrators must ensure that these ports are open.
The following table lists the required network ports for Oracle Key Vault:
Table 2-1 Ports Required for Oracle Key Vault
| Port Number | Protocol | Port Type | Descriptions | 
|---|---|---|---|
|  | SSH/SCP port | TCP | Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault |
|  | SNMP port | UDP | Used by monitoring software to poll Oracle Key Vault for system information |
|  | HTTPS port | TCP | Used by web clients such as browsers and RESTful Administrative commands to communicate with Oracle Key Vault |
|  | HTTPS port | TCP | Used by RESTful Key Management commands to communicate with Oracle Key Vault |
|  | Database TCPS listener ports | TCP | In a primary-standby configuration, listener ports used by Oracle Data Guard to communicate between the primary and standby server. In a cluster configuration, listener ports used to communicate between read-write peer nodes. |
|  | HTTPS port | TCP | Listener port used in a primary-standby configuration to run OS commands like synchronizing wallets and configuration files through HTTPS. This port is also used when you add a new node to a cluster. |
|  | KMIP port | TCP | Used by Oracle Key Vault endpoints and third party KMIP clients to communicate with the Oracle Key Vault KMIP server |
|  | TCP port | TCP | Used by Oracle GoldenGate for transmitting data in a multi-master cluster configuration |

- Add rules to open the ports listed in the table above.
- Add the following ingress rules:
  - ICMP Type 3, Code 4 (destination unreachable, fragmentation required and Don't Fragment flag is set).
  - ICMP Type 8, Code 0 (echo request, destination network is unreachable).
- If you are using a site-to-site VPN or FastConnect, ensure that your router allows traffic between the nodes of the multi-master cluster:
  - Add rules to open the ports.
  - In case of highly secured routers, add URL exceptions for your on-premises subnet at layers 3, 4, and 7.
  - Ensure that no packets are interpreted as threats by your routers.

Note:
Oracle Key Vault does not allow customization of network ports.
2.3 Supported Endpoint Platforms
Oracle Key Vault supports both UNIX and Windows endpoint platforms.
Oracle supports 64-bit Linux endpoints, and only 64-bit endpoints are supported for Oracle databases that use the online master encryption key. The operating systems on which the endpoint runs must be compatible with Transport Layer Security (TLS) 1.2, either directly or with appropriate patches.
The supported endpoint platforms in this release are as follows:
- Oracle Linux (6, 7, and 8)
- Oracle Solaris x86 (10 and 11)
- Oracle Solaris SPARC (10 and 11)
- SUSE Linux Enterprise Server 15
- Red Hat Enterprise Linux 6, 7, and 8
- IBM AIX (6.1, 7.1, 7.2, and 7.3)

  If you used AIX 5.3 in the release that you are upgrading from, then you must move your endpoints off that platform, because it is no longer supported starting with Oracle Key Vault release 21.1.
- HP-UX (IA) (11.31)
- Windows Server 2012, 2016, and 2019
2.4 Endpoint Database Requirements
Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
                  
Administrators can use the online master encryption key to manage TDE master encryption keys for endpoints that are Oracle Database 12.1.0.2 or later. Administrators who want to use Oracle Key Vault for wallet management only or who are migrating existing wallet deployments to Oracle Key Vault can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault.

Administrators who manage endpoints that are Oracle Database may need to set the COMPATIBLE initialization parameter.

For an endpoint that is Oracle Database release 12.1 or later, set the COMPATIBLE initialization parameter to 12.1.0.0 or later. A COMPATIBLE setting of 12.1.0.0 or later enables Transparent Data Encryption to work with Oracle Key Vault. For example:

```
SQL> ALTER SYSTEM SET COMPATIBLE = '12.1.0.0' SCOPE=SPFILE;
```

This applies to Oracle Database endpoints that use the online master encryption key to manage TDE master encryption keys. This compatibility mode setting is not required for Oracle wallet upload or download operations.

Also note that after setting the COMPATIBLE parameter to 12.1.0.0, you cannot set it to a lower value such as 10.2. After you set the COMPATIBLE parameter, you must restart the database.
                  
For Microsoft Windows endpoints, Oracle Key Vault supports the latest available database release versions at the time of the Oracle Key Vault release, including any associated Manufacturing Execution Systems (MES) libraries that may have been upgraded.