15 Oracle Key Vault General System Administration

General system administration refers to system management tasks for the Oracle Key Vault system, such as configuring network details and services.

15.1 Overview of Oracle Key Vault General System Administration

System administrators can perform most general administration tasks in the Oracle Key Vault management console, including finding the current status of the overall system.

15.1.1 About Oracle Key Vault General System Administration

System administrators configure the Oracle Key Vault system settings.

The Oracle Key Vault system settings include administration, local and remote monitoring, email notification, backup and recovery operations, and auditing. You must have the appropriate role for performing these tasks. Users who have the System Administrator role can perform most of the administrative tasks, and users with the Audit Manager role can configure audit settings and export audit records. In most cases, you will perform these tasks in the Oracle Key Vault management console.

To quickly find information about the current status of the Oracle Key Vault system, you can view the Oracle Key Vault dashboard.

15.1.2 Viewing the Oracle Key Vault Dashboard

The dashboard presents the current status of the Oracle Key Vault at a high level and is visible to all users.

The Home tab of the management console displays the dashboard when you log into the management console.

Alerts and Managed Content are the first sections you will see on logging in.

Figure 15-1 Alerts and Managed Content Panes

Description of Figure 15-1 follows
Description of "Figure 15-1 Alerts and Managed Content Panes"

The Data Interval, Operations, Endpoint Activity, and User Activity panes of the Home page follow Alerts and Managed Content.

Figure 15-2 Data Interval, Operations, Endpoint Activity, and User Activity Panes

Description of Figure 15-2 follows
Description of "Figure 15-2 Data Interval, Operations, Endpoint Activity, and User Activity Panes"

15.1.3 Using the Status Panes in the Dashboard

The status panes on the dashboard provide useful high level information, such as links to alerts and an overview of current user activity.

  1. Log in to the Oracle Key Vault management console.
    The dashboard appears in the Home tab.
  2. To take corrective action on a particular alert:
    1. Click the link in the Details column that corresponds to the alert. The appropriate page appears.
    2. Take the corrective action for the alert as necessary.
  3. To configure the alerts that you want to see on the dashboard:
    1. Click the Reports tab, and then click Alerts from the left side bar to display the Alerts page.
    2. Click Configure from the top right, or Configure Alerts from the left sidebar under ALERTS, to display the Configure Alerts page.
    3. Select the Alert Type and then click Save.
  4. To view managed content, click the Managed Content button, which appears below the Alerts pane, along with the Show All and Activity buttons.

    The Managed Content pane of the dashboard displays aggregated information about security objects that are currently stored and managed in Oracle Key Vault.

    This status pane categorizes the aggregate information based on the item type such as keys, certificates, opaque objects, private keys, and TDE master encryption keys, as well as the item state such as pre-active, active, and deactivated.

    In the Managed Content pane, the item type and item state are displayed at the last time refreshed, which is set by the refresh interval described in the Data Interval status pane.

  5. To view information about from a specific time (data interval) about operations and endpoint activity, click the Show All button.

    Data Interval: This pane shows the length of the time period. You can set the time period to Last 24 hours, Last week, or Last Month, or a user-defined date range. It also shows the refresh interval for the Operations, Endpoint Activity, and User Activity panes.

    Operations: The Operations pane contains a bar graph with bars for key-related operations such as locate, activate, add endpoint, and assign default wallet.

    Endpoint Activity: The Endpoint Activity pane contains a bar graph for tracking the number of operations performed by each endpoint.

    User Activity: The User Activity pane contains a three-dimensional bar graph for tracking the number of operations performed by each user.

15.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment

On the system Settings page, you can configure the network settings for either a standalone environment or a primary-standby environment.

15.2.1 Configuring the Network Details

In a non-multi-master cluster environment, you can configure the network details from any Oracle Key Vault management console.

If you have a high availability configuration, then you must unpair the primary and standby Oracle Key Vault servers before changing the IP address. After you have changed the IP address of the primary or standby Oracle Key Vault server, pair the two servers again. After you complete the pairing process, re-enroll the Oracle Key Vault endpoints to ensure that they are updated with the new IP addresses for both the primary and the standby Oracle Key Vault servers.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the Network Details area.
  4. Update the values for the following fields:
    • Host Name: Enter the name of the server.
    • IP Address: Enter the IP address of the server.
    • Network Mask: Enter the network mask of the server.
    • Gateway: Enter the network gateway of the server.
    The fields in this pane are automatically populated with the IP address and host name of your Oracle Key Vault server. But if you want, then you can update the Host Name, IP Address, Network Mask, and the Gateway for the Oracle Key Vault installation. You cannot change the MAC Address setting, because this is the hard-wired address of the network interface.
  5. Click Save.

15.2.2 Configuring the Network Services

In a non-multi-master cluster, you can configure the network services from any Oracle Key Vault management console.

You can enable services for Web Access and SSH Access (Secure Shell Access) for all, none, or a subset of clients, determined by their IP addresses.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the Network Services area.
  4. For Web Access, select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    As a best practice, enable SSH access for short durations, solely for diagnostic, troubleshooting, or upgrade purposes, and then disable it as soon as you are done.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

  5. Click Save.

15.2.3 Configuring the System Time

In a non-multi-master cluster environment, you can set the system time for the Oracle Key Vault system.

You can configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. (Fields for up to three servers are provided.) If an NTP server is not available, then you can set the current time manually. You should use the calendar icon to set the date and time so that these values are stored in the correct format. In a primary-standby deployment, you must set the primary and standby servers to the same time. If you want to save an NTP server using its host name, then ensure that you have already configured DNS.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the System Time area.
  4. Enter up to three NTP server IP addresses, and then click Save.
    If you plan to use host names for the NTP servers, then you must configure DNS beforehand.
  5. If necessary, return to the System Settings page by select System Settings under the System tab.
  6. Choose Use Network Time Protocol.
  7. Enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  8. Click Save.

Related Topics

15.2.4 Configuring DNS

In a non-multi-master cluster environment, you can enter up to three DNS server IP addresses.

You can configure up to three domain name service (DNS) servers with IP addresses that Oracle Key Vault will use to resolve host names. This is useful if you only know the host name and not the IP address of a server you need access to. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP address, after you set up DNS.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the DNS area.
  4. Enter up to three IP addresses for DNS servers.
    You must at minimum configure the DNS setting for Server 1.
  5. Click Save.

15.2.5 Configuring FIPS Mode

In a non-multi-master cluster environment, you can enable or disable FIPS mode for Oracle Key Vault.

In a primary-standby environment, ensure that both servers are consistent in their FIPS mode setting: either both are enabled, or both are disabled.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the FIPS mode section.
  4. Do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  5. Click Save.
    After you click Save, a confirmation dialog box will appear.
  6. In the confirmation dialog box, click OK to apply the changes and restart the Oracle Key Vault system.
    If you click OK, be aware that the operation cannot be canceled. The restart operation takes place immediately.

15.2.6 Configuring Syslog

In a non-multi-master cluster environment, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

All system related alerts are sent to syslog.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the Syslog area.
  4. Select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  5. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  6. Click Save.

15.2.7 Configuring RESTful Services

In a non-multi-master cluster environment, you can enable or disable RESTful services.

RESTful services allow you to automate endpoint enrollment and provisioning. RESTful services also support regular key management activities.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the RESTful Services area.
  4. Select the Enable checkbox in the RESTful Services section.
    To disable RESTful services, clear the Enable checkbox.
  5. Click Save.

15.2.8 Configuring Oracle Audit Vault Integration

In a non-multi-master cluster environment, you can enable Oracle Key Vault to send data to Oracle Audit Vault for centralized audit reporting and alerting.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the Oracle Audit Vault Integration area.
  4. Select the Enable check box.
  5. When prompted, enter the Oracle Audit Vault Super Administrator password.
  6. Click Save.

15.2.9 Configuring the Oracle Key Vault Management Console Web Session Timeout

In a non-multi-master cluster environment, you can configure a timeout value in minutes for the Oracle Key Vault management console Web session.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the System Settings page, navigate to Management Console Timeout.
  4. Enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save.
    After you click Save, the setting takes effect in the currently active user Web session. For other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, the user will be notified, starting earlier if the timeout value is larger, and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

15.2.10 Restarting or Powering Off Oracle Key Vault

You can manually restart or power off Oracle Key Vault as required for maintenance or for patch and upgrade procedures.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Go to the top of the Settings page.
  4. Do one of the following:
    • To restart, click Reboot.
    • To power off, click Power Off.

15.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment

When you configure Oracle Key Vault in a multi-master cluster environment, you can configure either individual nodes or the entire multi-master cluster environment.

15.3.1 Configuring System Settings for Individual Multi-Master Cluster Nodes

You can set or change settings that apply to the cluster node.

Examples of these settings are the network details, network services, system time, DNS, FIPS mode, syslog, and Oracle Audit Vault integration. Values set for the node override the cluster setting.  However, you can clear any individual node setting to revert to the cluster setting.

15.3.1.1 Configuring the Network Details for the Node

In a multi-master cluster, you can change the host name for a node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Host Name field, enter the name of the host name for the node.
    You cannot modify the IP Address, Network Mask, Gateway, and MAC Address fields, which are automatically populated.
  4. Click Save.
15.3.1.2 Configuring the Network Services for the Node

In a multi-master cluster, you can configure the network services for a node.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the Settings page, go to the Network Services area.
  4. For Web Access, select one of the following options:
    • All to select all IP addresses
    • IP Address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.
    Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation. SSH access is used only under the direction of Oracle Support, or when you upgrade.

    As a best practice, enable SSH access for short durations, solely for diagnostic, troubleshooting, or upgrade purposes, and then disable it as soon as you are done.

    Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

  5. Click Save.
15.3.1.3 Configuring the System Time for the Node

In a multi-master cluster, you can set the system time for a node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar. (Alternatively, you can select Cluster System Settings.)
  3. If you want to configure NTP servers using their host names, then ensure that DNS is configured first.
  4. If necessary, return to the System Settings page by select System Settings under the System tab.
  5. Choose Use Network Time Protocol.
    In cluster mode, you must use the Network Time Protocol (NTP), so you cannot change the selection from Use Network Time Protocol to Set Manually.
  6. Enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time for the node to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time for the node at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  7. Click Save (or Save to Cluster).
15.3.1.4 Configuring DNS for the Node

When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar. (Alternatively, you can select Cluster System Settings.)
  3. In the DNS section of the System Settings pages, enter up to three DNS server IP addresses.
    While only the first value is required, two entries are recommended for fault tolerance.
  4. Click Save (or Save to Cluster).
15.3.1.5 Configuring the FIPS Mode for the Node

All multi-master cluster nodes must use the same FIPS mode setting or you will receive an alert.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the FIPS Mode section, do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes and will also restart the system automatically.
  4. Click Save.
    After you click Save, Oracle Key Vault will restart automatically.
15.3.1.6 Configuring Syslog for the Node

In a node, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar. (Alternatively, you can select Cluster System Settings.)
  3. In the Syslog section, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  4. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  5. Click Save (or Save to Cluster).
15.3.1.7 Configuring Oracle Audit Vault Integration for the Node

You can configure the integration of Oracle Audit Vault (but not the Database Firewall component) for a node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Select the Enable check box to Oracle Audit Vault Integration for the node.
  4. In the Password and Reenter password fields that appear after you click Enable, enter the password of the user in the database that Audit Vault and Database Firewall will use to extract the audit records.
  5. Click Save.
15.3.1.8 Restarting or Powering Off Oracle Key Vault from a Node

You can manually restart or power off an Oracle Key Vault node as required for maintenance or for patch and upgrade procedures.

When you restart or power-off Oracle Key Vault nodes, only the current node is restarted or powered-off. The other nodes in the cluster are unable to send information to and from the nodes that are powered off. When the nodes are restarted, there will be a period needed for the restarted nodes to catch up on activities that took place while they were down.
  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Go to the top of the Settings page.
  4. Do one of the following to restart or power off the node:
    • To restart, click Reboot.
    • To power off, click Power Off.

15.3.2 Managing Oracle Key Vault Multi-Master Clusters

You can create, configure, manage, and administer an Oracle Key Vault multi-master cluster by using the Oracle Key Vault management console.

15.3.2.1 About Configuring Cluster System Settings

You can set or change settings that apply to an entire multi-master cluster. 

You can set the system time, DNS, the maximum time a server can be disabled before it is evicted from the cluster, enable RESTful services, the protocol to use for syslog, the syslog destination, and monitoring settings for the cluster. Any values that are set and saved to an individual node will not be overridden by cluster settings. It may take several minutes for changes to propagate to other nodes.

15.3.2.2 Configuring the System Time for the Cluster

When you configure the system time, you can set it for multiple servers and also set the synchronization.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Choose the User Network Time Protocol option.
    Only the first value is required.
  4. Enter values for the following fields:
    • Synchronize After Save: This synchronizes the time across the cluster after you save the settings.

    • Synchronize Periodically: This synchronizes the time across the cluster at a predetermined interval. Once selected and applied, this option cannot be deselected.

    • Server 1: Enter the IP address of a NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 2: Enter the IP address of a second NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 3: Enter the IP address of a third NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

  5. In the System Time section, click Save to Cluster.
15.3.2.3 Configuring DNS for the Cluster

When you configure the DNS for a cluster, you can enter up to three DNS server IP addresses.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the DNS section of the Cluster System Settings page, enter up to three DNS Server IP addresses.
  4. In the DNS section, click Save to Cluster.
15.3.2.4 Configuring Maximum Disable Node Duration for the Cluster

You can set the Configuring Maximum Node Duration time for the cluster in hours.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Maximum Disable Node Duration section, enter a value, in hours, for the duration that a node can be disabled before it is evicted from the cluster.
  4. In the Maximum Disable Node Duration section, click Save to Cluster.
15.3.2.5 Configuring RESTful Services for the Cluster

You can enable or disable RESTful Services for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Select the Enable checkbox in the RESTful Services section.
  4. In the RESTful Services section, click Save to Cluster.
15.3.2.6 Configuring Syslog for the Cluster

In a multi-master cluster environment, you can enable syslog for specific destinations and transmit the records either using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Syslog section, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  4. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  5. In the Syslog section, click Save to Cluster.
15.3.2.7 Configuring SNMP Settings for the Cluster

You can enable or disable SNMP access for a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Monitoring Settings from the left navigation bar.
  3. For Scope, select Cluster.
  4. Select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  5. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  6. Click Save to Cluster.
15.3.2.8 Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster

You can configure a timeout value in minutes for the Oracle Key Vault management console for all nodes in a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Cluster System Settings page, navigate to Management Console Timeout.
  4. Enter the value in minutes for the timeout.
    The default value is 10. The range you can enter is 1 through 100.
  5. Click Save to Cluster.
    After you click Save to Cluster, the setting takes effect in the currently active user Web session and is applied to all nodes in the cluster. For other active sessions, this setting takes effect when the session is extended, the user refreshes the page, or the user navigates to another page. The user session remains active as long as the user clicks a button, moves the mouse or presses a key, or is performing other activities. If the user session is idle for more than the management console timeout duration, then the user is logged out and the login screen appears.
Just before the Web session ends, the user will be notified, starting earlier if the timeout value is larger, and is given the option to extend the session for the same length of time that was set for timeout value. For example, if the timeout was set to 20 minutes, then the user can extend the session for another 20 minutes.

15.4 Managing System Recovery

System recovery includes tasks such as recovering lost administrative passwords.

15.4.1 About Managing System Recovery

To perform system recovery, you use the recovery passphrase.

In an emergency when no administrative users are available, or you must change the password of administrative users, you can recover the system with the recovery passphrase that was created during Oracle Key Vault installation. In addition, you can change the recovery passphrase to keep up with security best practices.

15.4.2 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault installation.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the page.
  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. In the Administrator Recovery page, fill out the fields in the Key Administrator, System Administrator, and Audit Manager panes to assign these roles to new or existing user accounts.
  6. Click Save.

15.4.3 Changing the Recovery Passphrase in a Non-Clusters Environment

Periodically changing the recovery passphrase is a good security practice.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.
  1. Perform a server backup.
  2. From a web browser, enter the IP address of your Oracle Key Vault installation.
  3. In the Oracle Key Vault login page, do not log in.
  4. Click the System Recovery link.

    A new login page appears with a single field: Recovery Passphrase.

  5. Enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  6. Click Recovery Passphrase.

    The Recovery Passphrase page appears with two fields to enter and reenter the new passphrase.

  7. Enter the new recovery passphrase in the two fields.
  8. Click Submit.

15.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster

Changing the recovery passphrase in a multi-master cluster is a two-step process.

To change the recovery passphrase for a multi-master cluster, you must first initiate the change throughout the nodes in the multi-master cluster environment before changing the recovery passphrase.

15.4.4.1 Step 1: Initiate the Recovery Passphrase Change Across the Nodes

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes.

This is so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data. First, you must initiate the change for the recovery passphrase so that all nodes in the multi-master cluster will be notified of the impending change.
  1. Perform a server backup.
  2. Ensure that all nodes are in the ACTIVE state and replication has been verified between all nodes. Ensure that there are no cluster operations going on (such as adding a node).
  3. From a web browser, enter the IP address of the Oracle Key Vault installation that is not in read-only restricted mode.
  4. In the Oracle Key Vault login page, do not log in.
  5. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  6. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  7. Click the Recovery Passphrase tab.
  8. Click the Initiate Change button.
  9. Log out.
  10. Wait 3 to 4 minutes before continuing.

    During this time, all nodes will be notified that a passphrase change will be performed. To cancel a passphrase change, click the Reset button.

    All nodes will determine if more than one passphrase change has been initiated. If more than one passphrase change has been initiated, conflict resolution will be performed.

    After you cancel a passphrase change by using the Reset button, Oracle recommends that you remedy the issue and again initiate a passphrase change, making sure to then change the passphrase on every node in the cluster.

15.4.4.2 Step 2: Change the Recovery Passphrase

After the multi-master cluster nodes have been notified of the impending recovery passphrase change, you can change the recovery passphrase.

  1. From a Web browser, enter the IP address of a multi-master cluster node in the Oracle Key Vault installation.
    You can find a list of available nodes in the Oracle Key Vault management console by selecting the Clusters tab and then checking the Cluster Details section.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  4. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. Click the Recovery Passphrase tab.

    The Recovery Passphrase page appears with two fields to enter and re-enter the new passphrase.

  6. Enter the new recovery passphrase in the two fields.
  7. Click Submit.
  8. Repeat these steps for each node in the cluster.

    Note:

    HSM reverse migrate cannot run when the recovery passphrase is being changed.

    Caution:

    It is your responsibility to keep the recovery passphrase the same on all nodes in the cluster. If you set the recovery passphrase differently on cluster nodes it will negatively impact cluster functionality, such as adding nodes and HSM-enabling nodes. In addition to the addition of nodes and nodes being HSM-enabled, certificate rotation in a multi-master cluster depends on all nodes having the same recovery passphrase.

15.4.5 Changing the Installation Passphrase

You can change the installation passphrase from the system console.

15.4.5.1 About Changing the Installation Passphrase

You can only change the installation passphrase during a specific window of time.

The installation passphrase is specified during installation. You must use the installation passphrase to log in to Oracle Key Vault and complete the post-installation tasks. The installation passphrase can only be changed on the console after installation but before post-installation. After the post-installation tasks are completed, this option no longer appears on the console.

If you forget the installation passphrase, then you can create a new installation passphrase. As with all Oracle Key Vault passphrases, it is important to store the installation passphrase securely.

15.4.5.2 Changing an Installation Passphrase

You must change the installation passphrase in the system console.

  1. Access the system console of the server where Oracle Key Vault is installed.
  2. Select Change Installation Passphrase and press Enter.

    The New Passphrase screen appears.

    Description of os_user_pwd_change3.png follows
    Description of the illustration os_user_pwd_change3.png

  3. Enter the new installation passphrase in the New Passphrase and Confirm fields.
    The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, number, and special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.
  4. Select OK and then press Enter.

    The Installation Passphrase screen appears.

    Description of os_user_pwd_change4.png follows
    Description of the illustration os_user_pwd_change4.png

  5. Enter the old installation passphrase and then press Enter.

15.5 Support for a Primary-Standby Environment

To ensure that Oracle Key Vault can always access security objects, you can deploy Oracle Key Vault in a primary-standby (highly available) configuration.

This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault servers in a primary-standby configuration. The primary server services the requests that come from endpoints. If the primary server fails, then the standby server takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

The primary-standby configuration was previously known as the high availability configuration. The primary-standby configuration and the multi-master cluster configuration are mutually exclusive.

Oracle Key Vault supports primary-standby read-only restricted mode. When the primary server is affected by server, hardware, or network failures, primary-standby read-only restricted mode ensures that an Oracle Key Vault server is available to service endpoints, thus ensuring operational continuity. However, key and sensitive operations, such as generation of keys are disabled, while operations such as generation of audit logs are unaffected.

When an unplanned shutdown makes the standby server unreachable, the primary server is still available to the endpoints in read-only mode.

15.6 Commercial National Security Algorithm Suite Support

You can use scripts to perform Commercial National Security Algorithm (CNSA) operations for Oracle Key Vault HSM backup and upgrade operations.

15.6.1 About Commercial National Security Algorithm Suite Support

You can configure Oracle Key Vault for compliance with the Commercial National Security Algorithm (CNSA) Suite.

This compliance applies to TLS connections to and from the Oracle Key Vault appliance.

The CNSA suite is a list of strong encryption algorithms and key lengths, that offer greater security and relevance into the future.

Oracle Key Vault release 12.2 BP3 and later do not provide complete compliance across every component in the system. You will be able to switch to the CNSA algorithms, where available by means of the following scripts that are packaged with the Oracle Key Vault ISO:

  • /usr/local/okv/bin/okv_cnsa makes configuration file changes to update as many components as possible to use the enhanced algorithms.

  • /usr/local/okv/bin/okv_cnsa_cert regenerates CNSA compliant public key pairs and certificates.

    Note:

    The /usr/local/okv/bin/okv_cnsa and /usr/local/okv/bin/okv_cnsa_cert scripts are both disruptive because they replace the old key pairs with new ones. This has consequences for the following operations:
    • Endpoint Enrollment: Enroll endpoints after running this script when possible. If you had endpoints enrolled before running the CNSA script, you must re-enroll them so that fresh CNSA compliant keys are generated using CNSA algorithms.

    • Primary-Standby: Run the CNSA scripts on both Oracle Key Vault instances before pairing them in a primary-standby configuration when possible. If you had primary-standby before you run the CNSA scripts, then you must re-configure primary-standby as follows: unpair the primary and standby servers, reinstall the standby server, run the CNSA scripts individually on each server, and then pair them again.

Limitations:

  • CNSA compliance is not supported for all components in the Oracle Key Vault infrastructure (for example, SSH or Transparent Data Encryption (TDE)).

  • The Firefox browser is not supported for use with the Oracle Key Vault management console when CNSA is enabled. This is because the Firefox browser does not support CNSA-approved cipher suites.

15.6.2 Running the Commercial National Security Algorithm Scripts

The Commercial National Security Algorithm (CNSA) scripts update the okv_security.conf file.

  1. Back up Oracle Key Vault.
  2. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select SSH Access. Select IP address(es) and then enter only the IP addresses that you need. Click Save.

  3. SSH into the Oracle Key Vault server as the support user, entering the support user password that was created during post-installation, when prompted.
     $ ssh support@okv_instance
  4. Change to the root user:
    $  su root
  5. Run the scripts as follows:
    root#  /usr/local/okv/bin/okv_cnsa
    root#  /usr/local/okv/bin/okv_cnsa_cert
  6. Disable SSH access and then restart the Oracle Key Vault server.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select Disabled. Click Save. Restart the Oracle Key Vault server by clicking Reboot on the top right.

The scripts update the /usr/local/okv/etc/okv_security.conf with the following line:
USE_ENHANCED_ALGORITHMS_ONLY="1"

15.6.3 Performing Backup and Restore Operations with CNSA

After you back up and restore Oracle Key Vault, use /usr/local/okv/bin/okv_cnsa to use the enhanced Commercial National Security Algorithm (CNSA) Suite.

  1. Perform the backup and restore operation.
  2. Wait until the restore operation is complete and the system has restarted.
    Do not proceed without completing this step.
  3. SSH into the Oracle Key Vault server as the support user:
     $ ssh support@okv_instance
  4. Switch to the root user:
    $ su root
  5. Run the following CNSA script :
     root#  /usr/local/okv/bin/okv_cnsa
    

15.6.4 Upgrading a Standalone Oracle Key Vault Server with CNSA

You can upgrade a standalone Oracle Key Vault while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

  1. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    Do not proceed without completing this step.
  2. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
  3. If necessary, enable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select SSH Access. Select IP address(es) and then enter only the IP addresses that you need. Click Save.

  4. Ensure you have enough space in the destination directory for the upgrade ISO files.
  5. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
  6. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
    scp remote_host:remote_path/okv-upgrade-disc-18.4.0.0.0.iso /var/lib/oracle/destination_directory_for_iso_file

    In this specification:

    • remote_host is the IP address of the computer containing the ISO upgrade file.
    • remote_host is the IP address of the computer containing the ISO upgrade file.
  7. Make the upgrade accessible by using the mount command:
    root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-18.4.0.0.0.iso /images
  8. Clear the cache using the clean all command:
    root# yum -c /images/upgrade.repo clean all
  9. Execute the following upgrade ruby script:
    root# /usr/bin/ruby/images/upgrade.rb --confirm

    If the system is successfully upgraded, then the command will display the following message:

    Remove media and reboot now to fully apply changes

    If you see an error message, then check the log file /var/log/messages for additional information.

  10. Run the first CNSA script, which is available from the Oracle Key Vault ISO files location:
     root#  /usr/local/okv/bin/okv_cnsa
  11. Restart the Oracle Key Vault database server:
    root# /sbin/reboot

    On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.

    The upgrade is completed when the screen with heading: Oracle Key Vault Server 18.4.0.0.0 appears. The revision should reflect the upgraded release. Following the heading appears the menu item Display Appliance Info. Select Display Appliance Info and press the Enter key to see the IP address settings for the appliance.

  12. Confirm that Oracle Key Vault has been upgraded to the correct version.
    1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    2. Select the System tab, and then select Status.
    3. Verify that the version displayed is 18.4.0.0.0.
      The release number is also at the bottom of each page, to the right of the copyright information.
  13. Disable SSH access.

    Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System Settings tab, then under Network Services, select Disabled. Click Save.

15.6.5 Upgrading Primary-Standby Oracle Key Vault Servers to Use CNSA

You can upgrade Oracle Key Vault primary-standby servers while using Commercial National Security Algorithm (CNSA) compliance by upgrading and then executing the okv_cnsa script.

You must perform the upgrade standby and primary servers in one session with as little time between the standby and primary upgrade as possible. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.
  1. Prepare for the upgrade.
    • While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.

    • Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.

    • Ensure that both the primary and standby systems have 8 GB memory.

  2. Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
    You can use Oracle Backup and Recovery (Oracle RMAN) to perform this backup. Ensure that in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, that no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), since these new keys will not included in the backup.
    Do not proceed without completing this step.
  3. First, upgrade the standby server while the primary server is running.

    Follow Steps 2 through Step 11 of the standalone server upgrade process for CNSA.

  4. Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
  5. Upgrade the primary Oracle Key Vault server following Steps 1 through 11 of the standalone server upgrade.

    After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.

  6. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  7. Select the System tab, and then Status.
  8. Verify that the Version field displays the new software version 18.4.0.0.0.

15.7 Minimizing Downtime

Business-critical operations require data to be accessible and recoverable with minimum downtime.

You can configure Oracle Key Vault to ensure minimum downtime in the following ways:

  • Configuring a multi-master cluster: You can configure a multi-master cluster by adding redundancy in the form of additional nodes. The client can access any available node. In the event of a failure of any node, a client will automatically connect to another node in the endpoint node scan list. This reduces and potentially eliminates downtime.

  • Configuring a primary-standby environment: A primary-standby environment is configured by adding redundancy in the form of a standby server. The standby server takes over from the primary server in the event of a failure, thus eliminating single points of failure, and minimizing downtime.

  • Enabling read-only restricted mode: Primary-standby read-only restricted mode ensures endpoint operational continuity when primary or standby Oracle Key Vault servers are affected by server, hardware, or network failures. When an unplanned shutdown causes the standby server to become unreachable, the primary server is still available to the endpoints.

    If primary-standby read-only restricted mode is disabled, then the primary server will become unavailable and stop accepting requests in the event of a standby failure. Endpoints connected to Oracle Key Vault are unable to retrieve keys until connectivity is restored between primary and standby servers.

    To ensure endpoint operational continuity in the event of a primary or standby server failure, enable read-only restricted mode.

  • Enabling persistent master encryption key cache: The persistent master encryption key cache ensures that the endpoints can access keys in the event of a primary or standby server failure. While the surviving server is taking over from the failed peer, the endpoints can retrieve keys from the persistent cache and continue operations normally.

  • Apply the TDE heartbeat database patch on endpoints: Apply the database patch for Bug 22734547 to tune the Oracle Key Vault heartbeat.

Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and enable it to be fully operational with minimum downtime and data loss.

If the Oracle Key Vault installation uses an online master key (formerly known as TDE direct connect), then during an upgrade, ensure that you upgrade database endpoints in parallel to reduce total downtime.