4 Installing Oracle Key Vault

You must download the Oracle Key Vault application software, and then you can perform the installation.

4.1 Downloading the Oracle Key Vault Appliance Software

You can download executable files for either a fresh Oracle Key Vault installation or an upgrade.

For a fresh installation, you can download the Oracle Key Vault appliance software from Software Delivery Cloud. You cannot use this package to upgrade Oracle Key Vault. For an upgrade, you can download the Oracle Key Vault upgrade software from the My Oracle Support website.

  1. Use a web browser to access the Oracle Software Delivery Cloud portal:
  2. Click Sign In, and if prompted, enter your User ID and Password.
  3. In the All Categories menu, select Release. In the next field, enter Oracle Key Vault and then click Search.
  4. From the list that is displayed, select Oracle Key Vault 21.8.0.0.0, or click the +Add to Cart button next to Oracle Key Vault 21.8.0.0.0.
    The download is added to your cart. (To check the cart contents, click View Cart in the upper right of the screen.)
  5. Click Checkout.
  6. On the next page, verify the details of the installation package, and then click Continue.
  7. In the Oracle Standard Terms and Restrictions page, select I have reviewed and accept the terms of the Commercial License, Special Programs License, and/or Trial License, and click Continue.

    The download page appears, which lists the Vpart_number.zip Oracle Key Vault archive file.

  8. Click Download and select a location to save the Vpart_number.zip archive file. 
  9. Click Save.

    The ISO file is approximately 20 GB and will take time to download, depending on your network speed. The estimated download time and speed are displayed in the File Download dialog box.

  10. Unzip the downloaded Vpart_number.zip archive file.
  11. Transfer the Vpart_number.iso file by using one of the following methods:
    • Burn the .iso image onto a bootable DVD.
    • Copy the .iso image onto a bootable USB stick.
    • Mount the .iso image with your virtualization software, in order to run Oracle Key Vault as a virtual machine, booting from the .iso image.
You can now install Oracle Key Vault on the server.

4.2 Installing the Oracle Key Vault Appliance Software

The Oracle Key Vault installation process installs all the required software components onto a dedicated server or virtual machine.

The installation process may take 30 minutes or longer to complete, depending on the resources of the server on which you are installing Oracle Key Vault.

If you are installing Oracle Key Vault on VMware, then set the VMX configuration parameter disk.EnableUUID to TRUE. In addition, you must set your virtual machine to use EFI boot. In some versions of VMware this is done by selecting the VM Options tab, then expanding Boot Options, and then setting the firmware to EFI. You must also disable secure boot. Without these settings, the Oracle Key Vault installation on VMware will fail.
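The three VMware settings above can be verified before the first boot rather than discovered through a failed installation. The following Python script is an added example and is not part of the Oracle documentation: it parses a .vmx file, reports which of the settings are wrong, and writes a corrected copy. The key names disk.EnableUUID and firmware are the ones the text describes; uefi.secureBoot.enabled is assumed to be the VMX key that controls Secure Boot, and the sample .vmx content is constructed.

```python
import re
from typing import Dict, List

# Constructed sample .vmx content (not from the Oracle documentation). All
# three settings are wrong, so the checker below reports three problems.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "okv-21-8"
firmware = "bios"
disk.EnableUUID = "FALSE"
uefi.secureBoot.enabled = "TRUE"
"""

# Required values for an Oracle Key Vault guest: disk.EnableUUID and EFI
# firmware as stated in the install guide; the Secure Boot key name is an
# assumption about VMware's .vmx format.
REQUIRED = {
    "disk.enableuuid": ("disk.EnableUUID", "TRUE"),
    "firmware": ("firmware", "efi"),
    "uefi.secureboot.enabled": ("uefi.secureBoot.enabled", "FALSE"),
}

# One `key = "value"` line; .vmx keys are matched case-insensitively.
_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file, keys lowercased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_okv_vmx(settings: Dict[str, str]) -> List[str]:
    """List the settings that would make the Oracle Key Vault install fail."""
    problems = []
    for key, (name, wanted) in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            problems.append(f'{name} is not set, must be "{wanted}"')
        elif actual.strip().lower() != wanted.lower():
            problems.append(f'{name} is "{actual}", must be "{wanted}"')
    return problems


def fix_okv_vmx(text: str) -> str:
    """Return the .vmx text with the required values applied, keeping all
    other lines unchanged and appending any required key that is missing."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        key = m.group(1).lower() if m else None
        if key in REQUIRED:
            name, value = REQUIRED[key]
            out.append(f'{name} = "{value}"')
            seen.add(key)
        else:
            out.append(line)
    for key, (name, value) in REQUIRED.items():
        if key not in seen:
            out.append(f'{name} = "{value}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check_okv_vmx(parse_vmx(SAMPLE_VMX)):
        print("FAIL:", p)
    print(fix_okv_vmx(SAMPLE_VMX))
```

Run it against a copy of the guest's .vmx file while the VM is powered off; a missing Secure Boot key is reported as a problem on purpose, because the safe state is to set it explicitly to "FALSE" rather than rely on the hypervisor default.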

Caution:

The Oracle Key Vault installation wipes the server, repartitions the disk, and installs a hardened Oracle Linux 8. The installation erases existing software and data on the server.

Ensure that you have met the following prerequisites.

  • Ensure that the server meets the recommended requirements.

  • Request a fixed IP address, network mask, and gateway address from your network administrator. You will need this information to configure the network.

To install the Oracle Key Vault appliance:

  1. Make the .iso image available to the computer where you want to install it, and then restart the computer.

    The .iso image can be made available in any of these ways:

    • Burned onto a bootable DVD
    • Copied onto a bootable USB stick
    • Mounted with your site's virtualization software

    You may need to change the boot order of your server to boot from the USB stick or the DVD. The initialization screen appears, showing the following options:

    (Illustration: 218_initial_installation_screen.png, the initial installation screen)

  2. Using the up and down arrow keys, select the desired installation option or the option to perform a memory test, and then press Enter.

    Choosing the first option, Press Enter to start the installation of Oracle Key Vault, does not enable FIPS mode on the system.

    Choosing the second option, Press Enter to install the Oracle Key Vault with FIPS mode enabled, automatically enables FIPS mode on the system.

    The installation begins, and after several minutes you will be asked to set the root user password and then enter it a second time to confirm it. It is important to store the root user password securely. You will need it later to authenticate yourself at the Oracle Key Vault management console and complete the post-installation tasks.

    (Illustration: 21_set_root_user_password.png, the root password prompt)

  3. After you set the root user password, when prompted, log in as root to observe the installation status. At the login prompt, enter root, press Enter, enter the root user password, and then press Enter again.
  4. When prompted, re-insert the ISO disk.
    After you re-insert the ISO disk, the Select Network Mode window appears after a couple of minutes.

    (Illustration: 21_select_network_mode.png, the Select Network Mode window)

  5. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, used in previous releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. In a multi-master cluster configuration, to switch to dual NIC mode for a cluster node, you must first delete the node from the cluster, configure the node to use dual NIC mode, and then re-induct the node back into the cluster.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  6. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or Ethernet ports. It is useful as a guard against physical or software failures and adds redundancy to the network layer. Select dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node may lose connectivity and risk missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
  7. The installer installs and configures the operating system, database, and Oracle Key Vault on the server to make it a self-contained hardened appliance. The installation and configuration process can take an hour or longer.
  8. When the installation is complete, on the Oracle Key Vault terminal console, log in as root and set the password of the support user:
    # passwd support
    New password:
    Retype new password:
    passwd: All authentication tokens updated successfully.

    Once SSH has been enabled, the support user is the only user who can SSH into Oracle Key Vault.

    SSH should remain disabled unless you are applying upgrade patches or are directed otherwise by Oracle Support.

    Note:

    • Oracle does not restrict customers from deploying Oracle Key Vault in a virtual environment, provided the virtual environment reflects an Oracle Key Vault physical server. Some of the supported hypervisor products are Oracle VirtualBox, Hyper-V, VMware, and KVM.
    • For installing Oracle Key Vault on Hyper-V, see Hyper-V Installation on Windows.
    • Oracle Key Vault does not support silent-mode installation.

4.3 Performing Post-Installation Tasks

After you install Oracle Key Vault, you must complete a set of post-installation tasks.

These tasks include configuring the administrative user accounts and their one-time passwords, the recovery passphrase, and the DNS and NTP settings.

  1. Use a web browser to connect to the Oracle Key Vault server.

    For example, to connect to an Oracle Key Vault server whose IP address is 192.0.2.254, enter the following in the address bar:

    https://192.0.2.254

  2. If the web browser displays a security warning message stating that you are connecting to a website with an untrusted or self-signed security certificate, accept the security warning message and proceed to connect to the Oracle Key Vault server.

    This message is only temporary. When you configure third-party certificates, this message will no longer appear. After completing the post-installation tasks, you can upload a custom certificate or certificate chain that is trusted by the browser, so that you can connect to the Oracle Key Vault server without encountering the security warning message. For more information about uploading a custom certificate, see Oracle Key Vault Administrator's Guide.

  3. In the root password screen, enter the root password.

    The root password screen is displayed when you connect to the Oracle Key Vault server for the first time, in order to complete the post-installation tasks. After you complete the post-installation tasks, the Oracle Key Vault login screen is displayed when you access the Oracle Key Vault management console through the web browser.

    After you log in with the root user password, the Post-Install Configuration screen is displayed.

  4. In the User Setup pane, create three administrative user accounts for the Key Administrator, System Administrator, and Audit Manager.
    (Illustration: 214_user_setup.png, the User Setup pane)
    • Enter the user name and password, the full name (optional), and email (optional) for each administrative user account.

      Note that the passwords are one-time use passwords which must be changed when the user logs in the first time.

    • Ideally, create a different user account for each of these administrative roles for a strict separation of duties, or combine roles as necessary.

    • Ensure that passwords have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), exclamation mark (!). In addition, the password may include a space character ( ) provided it is not used as the first or last character of the password.

    • If you want the user to be able to grant their role to other users, then select the Allow Forward Grant check box.

  5. In the Recovery Passphrase section, create the recovery passphrase.

    (Illustration: 21_recovery_password.png, the Recovery Passphrase section)

    The recovery passphrase has the same minimum requirements as user passwords. For greater security, Oracle recommends that you make the recovery passphrase longer and more complex. Because this is a critical credential, you must properly secure and safeguard the recovery passphrase. The recovery passphrase is required in the following scenarios:

    • In an emergency, when there are no administrative users available to access Oracle Key Vault

    • To restore Oracle Key Vault data from a backup

    • To reset the recovery passphrase

    • To induct a new node into a multi-master cluster

    • To configure a hardware security module (HSM)

    Caution:

    It is important to establish a secure process for the storage and retrieval of the recovery passphrase, including older recovery passphrases. The only way to recover from a lost recovery passphrase is to reinstall Oracle Key Vault. Note also that the root and support user passwords expire after 365 days. If you log in to the Oracle Key Vault management console within 120 days before the expiration, you will see an alert that the password expires in remaining_number_of_days days. If you log in after the expiration date, then you can use the old password only to log in and change the password to a new one.
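The administrative user passwords from step 4 and the recovery passphrase from step 5 follow the same minimum rules. The following Python validator is an added example and is not part of the Oracle documentation or of the Oracle Key Vault product: check_okv_password reports every documented rule a candidate value breaks, and generate_compliant draws a longer random value from the documented character classes, which is one way to act on the advice to make the recovery passphrase longer and more complex. The optional strict flag, which rejects characters the page does not mention at all, is an assumption: the page lists which special characters count toward the requirement but does not state that others are forbidden. The sample inputs in the main block are constructed.

```python
import secrets
import string
from typing import List

# Special characters the post-install page counts toward the requirement.
SPECIALS = ".,_+:!"
# Everything the page explicitly mentions: letters, digits, the specials and
# a space. Used only by the strict check, which is an assumption.
DOCUMENTED = set(string.ascii_letters + string.digits + SPECIALS + " ")


def check_okv_password(pw: str, strict: bool = False) -> List[str]:
    """Return the documented rules that pw violates; [] means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character from . , _ + : !")
    # A space is allowed, but not as the first or last character.
    if pw[:1] == " " or pw[-1:] == " ":
        problems.append("space used as first or last character")
    if strict:
        # Assumption: reject anything the page does not list at all.
        extra = sorted(set(pw) - DOCUMENTED)
        if extra:
            problems.append("characters outside the documented set: " + "".join(extra))
    return problems


def generate_compliant(length: int = 24) -> str:
    """Draw a random value from the documented character classes (no spaces)
    and keep drawing until it satisfies check_okv_password."""
    if length < 8:
        raise ValueError("length must be at least 8 to satisfy the policy")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_okv_password(candidate, strict=True):
            return candidate


if __name__ == "__main__":
    # Constructed samples: one compliant, three that each break one rule.
    for sample in ["Okv_2024pass", "Ab1.", " Ab1.efgh", "Ab1efgh#"]:
        print(repr(sample), check_okv_password(sample, strict=True) or "OK")
    print("generated:", generate_compliant(32))
```

Because the validator only knows the rules printed on this page, a value it accepts may still be rejected by the console if the product enforces additional checks; treat it as a pre-check, and generate the recovery passphrase on a machine you control rather than pasting it through shared tooling.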
  6. Set the DNS IP addresses.
    Oracle recommends that you set this IP address at this stage. Your network administrator can supply this address. You can only set the NTP server names after you save the changes on this page, including the DNS addresses.
  7. Click Save in the upper right corner of the Post-Install Configuration screen.

    The Oracle Key Vault management console login screen is displayed:

    (Illustration: 21_new_login.png, the management console login screen)

  8. Configure the system time.
    Oracle recommends that, when you configure the system time, you configure all three NTP servers using their host names. When you do so, ensure that you select the Synchronize Periodically option.
  9. Configure system alerts, and if necessary, email so that the appropriate users can receive these alerts.
    Oracle recommends that users who receive these alerts take action on them as soon as possible. For example, critical alerts, such as the Oracle Key Vault server certificate expiration alert, can result in downtime if they are not addressed in a timely fashion.
You can now log in to the Oracle Key Vault management console with the credentials of any of the user accounts that were created during the post-installation process.