10 Managing Oracle Key Vault Virtual Wallets and Security Objects

You can create a virtual wallet to store security objects, and then share this wallet with trusted peers at different access levels.

10.1 Managing Virtual Wallets

A virtual wallet is a container for security objects that you can create and then grant access to users.

10.1.1 About Virtual Wallets

A virtual wallet is a container for security objects.

These security objects can be public and private encryption keys, including Transparent Data Encryption (TDE) keystores, Oracle wallets, Java keystores, certificates, secret data, and credential files. You can use a virtual wallet to group security objects for sharing with multiple users who need them to access encrypted data.

Any user can create a virtual wallet. After you create a virtual wallet, you can add keys and other security objects to the wallet. You can then grant other users, endpoints, user groups, and endpoint groups access to the virtual wallet at various levels of access. You can modify a virtual wallet and its wallet contents at any time. You can also modify virtual wallet user lists and their respective access level.

Other than the Key Administrator, access to the virtual wallet must be granted explicitly to users. Read, modify, and manage wallet permissions are required to add and remove objects from the wallet, and to grant or modify wallet access to other users and groups.

10.1.2 Creating a Virtual Wallet

You can create a virtual wallet and add security objects to it at the same time.

However, you can also create an empty virtual wallet, and add security objects to it later. You can modify access mappings on a virtual wallet at any time.
  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets page, click Create.
  4. Enter a name for the wallet in the Name field and an identifying description in Description.
  5. Select the Wallet Type as General or SSH Server.

    You must also provide the SSH Server Host User name if you select SSH Server. The SSH Server Host User name is the user on the SSH server host for whom this wallet is intended to authorize SSH access.

  6. If you are using a multi-master cluster, then choose whether to select the Make Unique check box.

    Make Unique helps to control naming conflicts with virtual wallet names across the multi-master cluster environment. Virtual wallets that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.

    • If you select Make Unique, then the virtual wallet will be active immediately and this wallet can be used in operations.
    • If you do not select Make Unique, then the wallet will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the wallet to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The wallet will then be renamed to a unique name. You will need to go to a read-write node of the cluster and either accept the renamed wallet name or change the wallet name. If you change the wallet name, then this will restart the name resolution operation and the wallet will return to a PENDING state. A wallet in the PENDING state cannot be used to perform most operations.
  7. In the Add Wallet Contents pane, check the boxes by the names of the listed security objects that you want to add to the wallet.
    The Add Wallet Contents pane lists the security objects you have Read and Modify access to. If the list is empty, then you have no access to the security objects already in Oracle Key Vault. In this case, you would add security objects to the wallet after you upload them to Oracle Key Vault.
    You can modify the columns in the table in the Wallet Contents pane to show more information. From the Actions menu, select Select Columns. In the Select Columns dialog box, move the columns that you want to see to the Display in Report list, and then click Apply.
  8. Click Save to create the new wallet with any associated security objects.

    A Wallet created successfully message appears. The Wallets page appears and displays the new wallet in the list.

    To see the contents of the wallet, click the wallet name, as the following figure shows.



10.1.3 Modifying a Virtual Wallet

You can modify a virtual wallet and add security objects to it at the same time.

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets page, click the Edit button for the wallet that you want to modify.
  4. In the Wallet Overview pane, enter a new name for the wallet in the Name field and an identifying description in Description.
  5. If you are using a multi-master cluster, then choose whether to select the Make Unique check box.

    Make Unique helps to control naming conflicts with virtual wallet names across the multi-master cluster environment. Virtual wallets that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.

    • If you select Make Unique, then the virtual wallet will be active immediately and this wallet can be used in operations.
    • If you do not select Make Unique, then the wallet will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the wallet to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The wallet will then be renamed to a unique name. You will need to go to a read-write node of the cluster and either accept the renamed wallet name or change the wallet name. If you change the wallet name, then this will restart the name resolution operation and the wallet will return to a PENDING state. A wallet in the PENDING state cannot be used to perform most operations.
  6. To modify endpoint access settings, in the Wallet Access Settings pane, click Add to add new endpoints or click Remove to remove existing endpoints.
  7. In the Wallet Contents pane, check the boxes by the names of the listed security objects that you want to remove from the wallet.
    The Wallet Contents pane lists the security objects you have added to the wallet. If the list is empty, then you have no access to the security objects already in Oracle Key Vault. In this case, you would add security objects to the wallet after you upload them to Oracle Key Vault.
    You can modify the columns in the table in the Wallet Contents pane to show more information. From the Actions menu, select Select Columns. In the Select Columns dialog box, move the columns that you want to see to the Display in Report list, and then click Apply.
    Select Add Objects or Remove Objects.
  8. Click Save to save the modified wallet with any associated security objects.
  9. To view the status of the modified wallet, click Wallets in the left navigation bar.

    The Wallets page appears and displays the modified wallet in the list, with the status of PENDING.

10.1.4 Adding Security Objects to a Virtual Wallet

You can add new security objects to a virtual wallet at any time as needed.

In a multi-master cluster, you cannot add security objects to a virtual wallet when it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets page, click the pencil icon in the Edit column corresponding to the wallet you want to work with.
    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.
  4. In the Wallet Contents page, click Add Objects to display the Add Wallet Contents pane.
    The Add Wallet Contents page lists the security objects you have Read and Modify access to. If the list is empty, then you have no access to the security objects already in Oracle Key Vault. In this case, you would add security objects to the wallet after you upload them to Oracle Key Vault.
    You can modify the columns in the table in the Add Wallet Contents page to show more information. From the Actions menu, select Select Columns. In the Select Columns dialog box, move the columns that you want to see to the Display in Report list, and then click Apply.
  5. Check the boxes by the security objects that you want to add to the wallet.
  6. Click Save.
    A confirmation message appears, then the Wallet Overview page appears. Wallet Contents lists the new security objects added.

10.1.5 Removing Security Objects from a Virtual Wallet

You can remove security objects from virtual wallets at any time as needed.

In a multi-master cluster, you cannot remove security objects from a virtual wallet when it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets pane, click the pencil icon in the Edit column corresponding to the wallet that you want to work with.
    The Wallet Overview page appears. The Wallet Contents pane lists the security objects already in the wallet.
  4. Check the boxes by the security objects you want to remove from the wallet.
  5. Click Remove Objects.
    The Wallet Contents pane in the Wallet Overview page displays the revised list.
  6. Click OK to confirm.

10.1.6 Deleting a Virtual Wallet

Deleting a virtual wallet removes the wallet as a container, but does not delete the security objects that were contained in it.

These security objects will continue to remain in Oracle Key Vault. Endpoints that have downloaded this virtual wallet will continue to retain their local copy. In a multi-master cluster, you cannot delete a virtual wallet when it is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets page, check the boxes next to the name of the wallet that you want to delete.
    You can delete more than one virtual wallet at the same time.
  4. Click Delete.
  5. Click OK to confirm.

10.2 Managing Access to Virtual Wallets from Keys & Wallets Tab

You can grant virtual wallet access to, and revoke virtual wallet access from, endpoints by using the Keys & Wallets tab.

10.2.1 About Managing Access to Virtual Wallets from the Keys & Wallets Tab

Access control is deciding which users and endpoints share virtual wallets and security objects, and what operations they can perform on those virtual wallets.

You must have Manage Wallet access to a virtual wallet or be a Key Administrator to manage access control for users, endpoints, and their respective groups.

To manage access to virtual wallets, you can use the Keys & Wallets tab, where you select the wallet and then grant an endpoint, endpoint group, user, or user group access to it.

10.2.2 Granting Access to Users, User Groups, Endpoints, and Endpoint Groups

You can grant the Read Only, Read and Modify, and Manage Wallet access levels to users, user groups, endpoints, and endpoint groups.

After they have access to the wallet, they will have access to all the security objects in the wallet. In a multi-master cluster, you cannot grant access to endpoints, endpoint groups, users, or user groups while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets pane, click the pencil icon in the Edit column corresponding to the wallet to which you want to grant access.
    The Wallet Overview page appears.
  4. In the Wallet Access Settings pane, click Add.
  5. In the Add Access to Wallet page, under Select Endpoint/User Group, from the Type menu, select the entity type to which you want to grant access.
    Possible values for Type are Endpoint Groups, Endpoints, User Groups, and Users.

    The type you select determines the list that is displayed. For example, if you select Endpoint Groups as the Type, the list of Oracle Key Vault endpoint groups is displayed under the heading Endpoint Groups. If you select Users, the list of Oracle Key Vault users is displayed under the heading Users.

  6. Select the check box in the Name table corresponding to the entity to which you want to grant access.
  7. In the Select Access Level pane, select one of the following access levels:
    • Read Only or Read and Modify
    • Manage Wallet
  8. Click Save.
    The Wallet Access Settings pane displays the new entity.

10.2.3 Modifying Access to Users, User Groups, Endpoints, and Endpoint Groups

You can modify access settings on a virtual wallet for users, user groups, endpoints, and endpoint groups from the Keys & Wallets tab.

In a multi-master cluster, you cannot modify access to endpoints, endpoint groups, users, or user groups while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet or as a user with the Key Administrator role.
  2. Select the Keys & Wallets tab, then Wallets in the left navigation bar.
  3. In the Wallets pane, click the pencil icon in the Edit column corresponding to the wallet name.
    The Wallet Overview page appears, with Wallet Access Settings listing the entities that have access to the wallet and their access levels.
  4. In Wallet Access Settings, click the pencil icon corresponding to the entity under Subject Name.
    A Modify Access window appears. Wallet Access Settings lists all the entities that have access to this wallet under Subject Name, and can include users, endpoints, user groups, and endpoint groups.
  5. Select the access settings that you want to modify, then click Save.
    A message appears: Successfully updated. The Wallet Overview page appears and Wallet Access Settings displays the new access mapping for the entity.
  6. Click Save in the Wallet Overview page.

10.3 Managing Access to Virtual Wallets from the Users Menu

To manage access control on virtual wallets for users, endpoints, and their respective groups, you can use the Users menu or Endpoints menu.

10.3.1 Granting a User Access to a Virtual Wallet

You can grant access to a virtual wallet by using the Users tab.

In a multi-master cluster, you cannot grant a user access to a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet permission on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab, then Manage Users in the left navigation bar.
  3. In the Manage Users pane, click the user's name in the User Name column.
  4. In the Access to Wallets pane, click Add.
    The Add Access to User page appears.
  5. Select a virtual wallet from the available list.
  6. In the Select Access Level pane select the desired access levels.
  7. Click Save.
    A message appears: Access mapping successfully added. You can check Access to Wallets in User Details for the user to see the wallet added.


10.3.2 Revoking User Access from a Virtual Wallet

You can revoke access to a virtual wallet for a user by using the Users tab.

In a multi-master cluster, you cannot revoke user access from a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Manage Wallet access on the virtual wallet, or as a user with the Key Administrator role.
  2. Select the Users tab, then Manage Users in the left navigation bar.
  3. In the Manage Users pane, click the user's name under the User Name column.
  4. In the Access to Wallets pane, check the box by the virtual wallet that you want to revoke access to.
  5. Click Remove.
  6. In the confirmation window, click OK.
    A message appears: Access Mapping(s) deleted successfully. You can check Access to Wallets in User Details for the user to see the wallet deleted.

10.3.3 Granting a User Group Access to a Virtual Wallet

You can grant user group access to a virtual wallet by using the Users tab.

When you grant a user group access to a virtual wallet all members of the group will have access to the security objects within the wallet. In a multi-master cluster, you cannot grant a user group access to a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage Access in the left navigation bar.
  3. Click the pencil icon in the Edit column corresponding to the user group.
  4. In the Access to Wallets pane, click Add.
    The Add Access to User Group page appears.
  5. In the Select Wallet pane, select the check boxes for one or more wallets.
  6. In the Select Access Level pane, select the desired access levels.
  7. Click Save.
    A message appears: Access mapping successfully added. You can check Access to Wallets in User Groups for the user group to see the wallet added.

10.3.4 Revoking User Group Access from a Virtual Wallet

You can remove user group access to a virtual wallet by using the Users tab.

In a multi-master cluster environment, you cannot revoke user group access from a virtual wallet while the virtual wallet is in the PENDING state.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access in the left sidebar.
    The User Groups page appears.
  3. Click the pencil icon in the Edit column corresponding to the user group.
    The User Group Details page appears.
  4. In the Access to Wallets pane, check the box by the virtual wallet you want to revoke access to.
  5. Click Remove.
  6. Click OK to confirm.
    A message appears: Access Mapping(s) deleted successfully. You can check Access to Wallets in User Groups to see the wallet removed from the list.

10.4 Managing Security Objects

You can manage the security objects in Oracle Key Vault using the Oracle Key Vault management console.

10.4.1 Creating Keys

You can create regular or application-specific keys and key pairs.

10.4.1.1 About Creating Keys

As an Oracle Key Vault user, you can create keys for Oracle TDE and Oracle GoldenGate, and key pairs for SSH key management.

You can define the lifetime of the key using the activation and deactivation dates, and control whether or not a key is extractable.

Based on how your alerts and emails are configured, you will be notified when the keys are expiring. You must also specify the usage for the key. If necessary, you can add the Name attribute. The Name attribute must be unique in the system, so use it only if the object needs a unique, human-readable name in the Oracle Key Vault cluster.

You can also add custom attributes to the key. You can use the custom attributes to attach tags to the keys. For example, if you are creating keys for a specific department, you can add the department name as a custom attribute for those keys.

For endpoints to use these keys, add the keys to a wallet to which the endpoints have at least Read access.

10.4.1.2 Application Keys

You can create feature specific keys called application keys from the Oracle Key Vault management console. You can create keys for TDE, keys for Oracle GoldenGate and key pairs for SSH key management.

Applications require that keys have certain basic or custom attributes set with predefined names and formats. For example, TDE keys must have the Name attribute set to the TDE master key identifier in hex format, and Oracle GoldenGate keys must have the cryptographic algorithm set to AES and the cryptographic length set to 256.

Application keys are preset to work with the specific features. The Oracle Key Vault management console supports creation of these application keys:
  • TDE master encryption key
  • GoldenGate master key
  • SSH key pair

In each case, after the key is created, the corresponding application must be set up to use the key in Oracle Key Vault. For a TDE master encryption key, the database must use or activate the key; for that, the database must be set up with Oracle Key Vault and have read and write access to the created key. Similarly, for Oracle GoldenGate to consume its keys from Oracle Key Vault, the key management service (KMS) global parameters must be set up appropriately in addition to the Oracle Key Vault endpoints.

10.4.1.3 Creating Symmetric Keys

You can create symmetric keys from the Oracle Key Vault management console. The key material can be system generated in Oracle Key Vault or can be uploaded from a file. Symmetric keys can be used for custom applications using Java, C SDK, or RESTful API.

You can create AES and 3DES keys and the keys can be marked extractable or non-extractable. You can either bring your own key material or let the system generate the key material.
To enable the use of the keys by endpoints, you add them to the wallets that the endpoints can access.

Creating Symmetric Keys

  1. Log in to the Oracle Key Vault management console.
  2. Select Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click Create.
  4. Under the Keys area of the page that appears, click Symmetric Keys. The Create Symmetric Key page appears.

  5. From the Cryptographic Algorithm drop-down list, select the algorithm AES or 3DES.
  6. Select the Cryptographic Length.
  7. Choose System-Generated, if you want the key material to be system generated or Bring Your Own Key if you are supplying the key material for the key. If you choose the Bring Your Own Key option, choose a file that includes the key material in hex.
  8. Select the Extractable setting from the drop-down list:
    1. Selecting FALSE prevents the key from leaving the Oracle Key Vault cluster boundary.
    2. Selecting TRUE allows the key to leave Oracle Key Vault cluster boundary. Default value is FALSE.
  9. Enter the Date of Activation.
  10. Enter the Date of Deactivation.
  11. Enter an existing wallet name for the Wallet Membership. The newly created key gets added to this wallet. You can also click on Select Wallet and then select the wallet from the pop-up.
  12. Click Create to create the key.

    You can set advanced attributes for the symmetric keys. You can set the human readable Name attribute which is unique across the cluster. You can also set three custom attributes of type text or number. You can edit the key usage as well.

Advanced Attributes for Symmetric Keys

Before you click Create to create the key, you can set the advanced attributes of the key.
  1. Expand the Advanced section.

  2. Enter the following information in the Advanced section.
    • Key Usage: Select operations for the key usage.
    • Name: Add the Name Value to identify the key. Add the Name Type.
    • Custom Attribute 1: Add Name, Value, and Type for the custom attribute. Name should begin with x- and cannot begin with x-OGG and x-OKV.
    • Custom Attribute 2: Set the custom attribute like Custom Attribute 1.
    • Custom Attribute 3: Set the custom attribute like Custom Attribute 1.
  3. After adding the details, click Create to create the key with advanced attributes.

10.4.1.4 Create Public-Private Key Pair

You can create public-private key pairs from the Oracle Key Vault management console. The public-private key pairs can be used for sign and verify operations, in addition to encryption and decryption, by custom applications using Java, C SDK, or RESTful API.

You can create RSA key pairs of length 2048, 3072 and 4096 bits and the private keys can be marked extractable or non-extractable.
You can either bring your own key material or let the system generate the key material.

Creating Public-Private Key Pair

  1. Log in to the Oracle Key Vault management console.
  2. Select Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click Create.
  4. Under the Keys area of the page that appears, click Public-Private Key Pair. The Public-Private Key Pair page appears.

  5. From the Cryptographic Algorithm drop-down list, select the algorithm RSA.
  6. Select the Cryptographic Length.
  7. Select the Private Key Extractable setting from the drop-down list:
    1. Selecting FALSE prevents the key from leaving the Oracle Key Vault cluster boundary.
    2. Selecting TRUE allows the key to leave Oracle Key Vault cluster boundary.

    Default value is FALSE.

  8. Enter the Date of Activation.
  9. Enter the Date of Deactivation.
  10. Enter an existing wallet name for the Wallet Membership. The newly created keys get added to this wallet. You can also click on Select Wallet and then select the wallet from the pop-up.
  11. Click Create to create the key pair.

You can set advanced attributes that are common to both the public and private keys, and attributes specific to either the public or the private key. You can set the human-readable Name attribute, which is unique across the cluster, separately for the private key and for the public key. You can set the key usage for the public and private keys as well. You can also set up to two custom attributes of type text or number for the public key, for the private key, and for both (common attributes).

Advanced Attributes for Public-Private Key Pairs

Before you click Create to create the key pair, you can set the advanced attributes of the public and private keys.

  1. Expand the Advanced section.

  2. Enter the following information for the Common Attributes in the Advanced section.
    • Custom Attribute 1: Add Name, Value and Type for the custom attribute of the common attributes. Name should begin with x- and cannot begin with x-OGG and x-OKV.
    • Custom Attribute 2: Set the custom attribute like Custom Attribute 1.
  3. Enter the following information for the Private Key Attributes in the Advanced section.
    • Key Usage: Select operations for the key usage.
    • Name: Add the Name Value to identify the private key. Add the Name Type.
    • Custom Attribute 1: Add Name, Value, and Type for the custom attribute of the private key. Name should begin with x- and cannot begin with x-OGG and x-OKV.
    • Custom Attribute 2: Set the custom attribute like Custom Attribute 1.
  4. Enter the following information for the Public Key Attributes in the Advanced section.
    • Key Usage: Select operations for the key usage.
    • Name: Add the Name Value to identify the public key. Add the Name Type.
    • Custom Attribute 1: Add Name, Value, and Type for the custom attribute of the public key. Name should begin with x- and cannot begin with x-OGG and x-OKV.
    • Custom Attribute 2: Set the custom attribute like Custom Attribute 1.
  5. Click Create to create the key pair with advanced attributes.

10.4.1.5 Create TDE Master Encryption Key

You can create a TDE master encryption key from the Oracle Key Vault management console. The key material can be system generated in Oracle Key Vault or can be uploaded from a file. The key has to be put into use on the database for which it was created.

You need to supply the master key identifier when creating the TDE master encryption key. The master key identifier is a 32-byte random string that should be unique in the database ecosystem. You can either use the one that Oracle Key Vault generates for you or supply your own.
Activation and deactivation dates are preset to activate the key as soon as it is created and to expire the key in 2 years. You can choose to activate the key at a later date, and you can clear the deactivation date so that the TDE master encryption key never expires. You can bring your own key material or have Oracle Key Vault generate it. You can make the TDE master encryption key non-extractable.

Note:

Setting the TDE master encryption key to non-extractable may cause scale and performance issues.
You should add the TDE master encryption key to the wallet of the database endpoint where it will be activated.
  1. Log in to the Oracle Key Vault management console.
  2. Select Keys & Wallets, then Keys & Secrets in the left navigation bar.
  3. Click Create.
  4. In the Create Keys page, click TDE Master Encryption Key. The Create TDE Master Encryption Key page appears.
  5. Under the Application Keys area of the page that appears, click TDE Master Encryption Key.
  6. Enter the Master Encryption Key Identifier or choose the one that is system generated.
  7. Choose System-Generated if you want the key material to be system generated or Bring Your Own Key if you are supplying the key material for the key. If you choose the Bring Your Own Key option, choose a file that includes the key material in hex.
  8. Select the Extractable setting from the drop-down list:
    1. Selecting FALSE prevents the key from leaving the Oracle Key Vault cluster boundary.
    2. Selecting TRUE allows the key to leave Oracle Key Vault cluster boundary.

      Default value is FALSE.

  9. Enter the Date of Activation. Activation date is auto-populated to current date and time. You can edit the activation date.
  10. Enter the Date of Deactivation. Deactivation date is set to 2 years from current date.
  11. Enter an existing wallet name for the Wallet Membership. The newly created key gets added to this wallet. You can also click on Select Wallet and then select the wallet from the pop-up.
  12. Click Create to create the TDE master encryption key.

10.4.1.6 Create GoldenGate Master Key

You can create a GoldenGate master encryption key from the management console. The key material can be system generated in Oracle Key Vault or uploaded from a file. You must configure and create the key for the GoldenGate deployment.

For the Oracle GoldenGate master key you need to supply the master key name and the master key version. You must ensure that the master key name is unique within the cluster, and that the key version supplied is numeric and larger than any previous value for the given master key name. See Configuring an Encryption Profile.
As with the TDE master encryption keys, the activation and deactivation dates are preset to activate the key as soon as it is created and to expire the key in 2 years. You can choose to activate the key at a later date, and you can clear the deactivation date so that the Oracle GoldenGate master key never expires. As before, you can bring your own key material or have Oracle Key Vault generate it. You can make the GoldenGate master encryption key non-extractable if you are using a GoldenGate deployment of version or higher.
Rotating the GoldenGate master key is as easy as setting a new version larger than any previous version for the given master key name.
You should add the GoldenGate master key to the wallet of all the endpoints of a given GoldenGate deployment.
  1. Log in to the Oracle Key Vault management console.
  2. Select Keys & Wallets, then Keys & Secrets in the left navigation bar.
  3. Click Create.
  4. In the Create Keys page, click GoldenGate Master Key. The Create GoldenGate Master Key page appears.
  5. Under the Application Keys area of the page that appears, click GoldenGate Master Key.

  6. Enter the Master Key Name.
  7. Enter the Master Key Version.
  8. Choose System-Generated if you want the key material to be generated by Oracle Key Vault, or Bring Your Own Key if you are supplying the key material for the key. If you choose Bring Your Own Key, choose a file that contains the key material in hex.
  9. Select the Extractable setting from the drop-down list:
    1. Selecting FALSE prevents the key from leaving the Oracle Key Vault cluster boundary.
    2. Selecting TRUE allows the key to leave the Oracle Key Vault cluster boundary.

      The default value is FALSE.

  10. Enter the Date of Activation. The activation date is auto-populated with the current date and time. You can edit it or clear it.
  11. Enter the Date of Deactivation. The deactivation date is set to 2 years from now.
  12. Enter an existing wallet name for the Wallet Membership. The newly created key is added to this wallet. You can also click Select Wallet and then select the wallet from the pop-up.
  13. Click Create to create the GoldenGate master key.
10.4.1.7 Creating SSH Key Pair

You can create a Secure Shell (SSH) key pair from the Oracle Key Vault management console. The keys can be granted to SSH endpoints to set up connections to an SSH deployment, or they can be used to rotate the SSH keys of endpoints in an existing deployment.

You can create SSH key pairs that are RSA key pairs of length 2048, 3072, or 4096 bits, and the private keys can be marked extractable or not extractable. You should mark the SSH private key as not extractable. You must supply the name of the SSH client for which these keys are created in the SSH User field, and at the time of creation the SSH key pair should be added to the SSH user's general wallet. The public key may be added to the 'SSH Server' wallet of the hosts to which you want to give the client access.

As with the TDE master encryption keys, the activation and deactivation dates are preset to activate the key as soon as it is created and to expire the key in 2 years. You can choose to activate the key at a later date, and you can also clear the deactivation date so that the SSH keys do not expire. This is not recommended.
  1. Log in to the Oracle Key Vault management console.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. Click Create.
  4. In the Create Keys page, click SSH Key Pair. The Create SSH Key Pair page appears.
  5. Under the Application Keys area of the page that appears, click SSH Key Pair.

  6. Enter the SSH User. The SSH User is intended to track the actual consumer of the SSH keys: a human, an application, or a machine.
  7. Enter the name or the identity of the SSH User.
  8. From the Cryptographic Algorithm drop-down list, select the algorithm RSA.
  9. Select the Cryptographic Length.
  10. Select the Private Key Extractable setting from the drop-down list:
    1. Selecting FALSE prevents the private key from leaving the Oracle Key Vault cluster boundary.
    2. Selecting TRUE allows the private key to leave the Oracle Key Vault cluster boundary.

      The default value is FALSE.

  11. Enter the Date of Activation. The activation date is auto-populated with the current date and time. You can edit it or clear it.
  12. Enter the Date of Deactivation. The deactivation date is set to 2 years from now.
  13. Enter an existing wallet name for the Wallet Membership. The newly created keys are added to this wallet. You can also click Select Wallet and then select the wallet from the pop-up.
  14. Click Create to create the SSH key pair.

10.5 Managing the State of a Key or a Security Object

You can set the date to activate or deactivate keys or security objects, and change the state of some virtual wallet security objects.

10.5.1 About Managing the State of a Key or a Security Object

You can control the dates when a key or a security object is active, that is, when it can be used.

You also can revoke and destroy keys and security objects. Be aware that a multi-master cluster affects the activation or deactivation times of keys and security objects on different nodes, and that naming conflicts can arise.

10.5.2 How a Multi-Master Cluster Affects Keys and Security Objects

Keys that you create on one node of a multi-master cluster will take some time to appear on other nodes in the cluster.

The time is defined by the replication lag between nodes. The replication lag value is displayed on the Cluster Link State pane of the Monitoring page, which can be accessed by choosing the Cluster tab.

If you add a Transparent Data Encryption (TDE) master encryption key to two different keystores on two different nodes, then it will be shown in both keystores.

Adjusting the activation date, deactivation date, process start date, and protect stop date has restrictions. For these dates, if changes are made to the security object very close to the current time, then state changes can happen because of replication lag.

As with the creation of any object in a multi-master cluster, a security object can have a name conflict with an object created on a different node. If there is a conflict, then Oracle Key Vault will suggest a unique name or allow you to rename it.

10.5.3 Activating a Key or Security Object

Keys can be in the Active or Pre-Active state.

Keys are in the Pre-Active state when they are created. However, for a key that will be used for securing data at a date later than its creation date, you can set the Process Start Date. Currently, keys uploaded with third-party KMIP clients, the RESTful services utility, or the C and Java SDKs are in a Pre-Active state and do not have the Date of Activation field set. For all other keys, the Date of Activation is system generated and cannot be set.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click the edit pencil icon under Edit corresponding to the item that you want to activate.
  4. On the Object Details page for the item, click Activate.
  5. Click OK to confirm.

    Note:

    • You can set the activation date at the time of creating the security object from Oracle Key Vault 21.3 onwards.
    • You can set the date of activation of a security object after its creation by setting the activation date attribute of the security object using third-party KMIP clients, the RESTful services utility, or the C and Java SDKs.

10.5.4 Deactivating a Key or Security Object

A key deactivates or expires when it passes the date that has been set for deactivation.

  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click the edit pencil icon under Edit corresponding to the item to be deactivated.
  4. In the Object Details page for the item, set the Date of Deactivation to the date by which you want the key to be deactivated.
  5. Click Save.

    Note:

    • You can set the deactivation date at the time of creating the security object from Oracle Key Vault 21.3 onwards.
    • You can set the date of deactivation of a security object after its creation by setting the deactivation date attribute of the security object using third-party KMIP clients, the RESTful services utility, or the C and Java SDKs.

10.5.5 Revoking a Key or Security Object

When you revoke a key, you can set its state to Deactivated or Compromised.

At this point, the key should no longer be used to encrypt new data. However, you can download and use the deactivated keys to decrypt old data.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click the edit pencil icon under Edit corresponding to the item that you want to revoke.
  4. In the Object Details page, click Revoke.
  5. In the Revoke Object page, from the Revocation Reason drop-down list, select a reason for the revocation.
  6. Optionally, add more details in Revocation Message.
  7. Click Save.

10.5.6 Destroying a Key or Security Object

When a key is no longer used or has been compromised in some way, you can destroy it.

Metadata for destroyed keys and security objects is kept in Oracle Key Vault even after they have been destroyed.
  1. Log in to the Oracle Key Vault management console as a user who has read and modify access on this key.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
  3. In the Keys & Secrets page, click the edit pencil icon under Edit corresponding to the item that you want to destroy.
  4. On the Object Details page, click Destroy.
  5. In the confirmation window, click OK.

10.6 Managing the Extraction of Symmetric or Private Keys from Oracle Key Vault

You can restrict symmetric or private keys from leaving Oracle Key Vault.

10.6.1 About Managing the Extraction of Symmetric or Private Keys from Oracle Key Vault

The ability to restrict the extraction of symmetric or private keys from Oracle Key Vault provides a higher level of security for these objects.

Many operations that use symmetric and private keys are performed outside of Oracle Key Vault, and by default, symmetric and private keys within Oracle Key Vault can be extracted for this purpose. Consider the example of Transparent Data Encryption (TDE) master encryption keys that are stored in Oracle Key Vault. When an Oracle Database endpoint needs to decrypt the data encryption key, the PKCS#11 library fetches the TDE master encryption key from Oracle Key Vault to perform the decryption.

If your site requires that symmetric or private keys never leave Oracle Key Vault, then you can configure the symmetric and private keys to remain within Oracle Key Vault by setting their extractable attribute value to false. Setting the extractable attribute value to false prevents the key material of the symmetric or private key from being extracted from Oracle Key Vault, but still allows other object metadata (including object attributes, state, and so on) to be retrieved from Oracle Key Vault. If the TDE master encryption key is restricted from leaving Oracle Key Vault, the PKCS#11 library sends a request to Oracle Key Vault to decrypt the encrypted data encryption key. Decryption is then performed within Oracle Key Vault, and afterward the plaintext data encryption key is returned to the PKCS#11 library. To allow a symmetric or private key to leave Oracle Key Vault, you set its extractable attribute value to true.

You can set the extractable attribute of symmetric or private keys in the following ways:

  • Setting the extractable attribute value for an existing symmetric or private key: A user who has the Key Administrator role can modify the extractable attribute value of an existing symmetric or private key to be either true or false. A user or an endpoint with read-write access on an existing symmetric or private key can also modify its extractable attribute setting. However, this is allowed only to apply the stricter setting (that is, to set the value to false to make the symmetric or private key non-extractable). Such users or endpoints cannot modify the extractable attribute setting to make a symmetric or private key extractable if it is currently non-extractable.
  • Setting the default value of the extractable attribute globally for all endpoints: You can set the default value of the extractable attribute in the global endpoint settings. This setting applies to all endpoints. This setting is used when an endpoint creates or registers a new symmetric or private key unless either of the following conditions occurs:
    • The extractable attribute is set for the symmetric or private key at the time of its creation or registration.
    • The default extractable attribute value has been set for that endpoint specifically (that is, the endpoint does not inherit this setting from the global endpoint settings).

    This global endpoint setting does not apply to existing symmetric or private keys; it only applies to new symmetric or private keys that are created or registered after this setting has been configured.

  • Setting the default value of the extractable attribute for an individual endpoint: You can set the default value of the extractable attribute for an individual endpoint. The endpoint specific setting takes precedence over the global endpoint setting. This endpoint specific extractable attribute setting applies when the endpoint creates or registers a new symmetric or private key unless the extractable attribute is set for the key at the time of its creation or registration itself.

    This individual endpoint setting does not apply to existing symmetric or private keys; it only applies to new symmetric or private keys that are created or registered by the endpoint after this setting has been configured.

  • Setting the extractable attribute value when you create or register a symmetric or private key: You can set the extractable attribute value for a new symmetric or private key at the time of its creation or registration using the C SDK, the Java SDK, or the RESTful services utility. The extractable attribute value specified at the time of key creation takes precedence over the endpoint's effective setting for the extractable attribute. However, this is subject to an additional restriction: you cannot set the extractable attribute of a new symmetric or private key to true (that is, create the new key as extractable) if the endpoint's effective setting for the extractable attribute is false (that is, new symmetric or private keys are not extractable).

Be aware that setting the extractable attribute value to false may affect the performance of Oracle Key Vault. The performance impact may not be limited to Oracle Key Vault. The endpoint performance may be impacted as well.
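The precedence and modification rules described above, as an added Python example (this is not Oracle Key Vault or SDK code; the class and function names EndpointSettings, create_key and update_extractable are assumptions, as is the global default of "extractable"):

```python
"""Model of the extractable-attribute rules: global default, per-endpoint
override, per-key value at creation, tighten-only changes for non-admins,
and the derived Never Extractable attribute. Added illustration only."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class EndpointSettings:
    """Global endpoint setting plus optional endpoint-specific overrides."""
    global_default: bool = True                      # assumed: extractable by default
    endpoint_defaults: Dict[str, bool] = field(default_factory=dict)

    def effective_default(self, endpoint: str) -> bool:
        # An endpoint-specific setting takes precedence over the global one.
        return self.endpoint_defaults.get(endpoint, self.global_default)


@dataclass
class KeyObject:
    name: str
    extractable: bool
    never_extractable: bool


class PolicyError(ValueError):
    """Raised when a request violates the extractable-attribute rules."""


def create_key(settings: EndpointSettings, endpoint: str, name: str,
               requested: Optional[bool] = None) -> KeyObject:
    """Resolve the attribute for a key created or registered by an endpoint.
    A value supplied at creation wins over the endpoint's effective default,
    except that 'true' is refused when the effective default is 'false'."""
    effective = settings.effective_default(endpoint)
    if requested is None:
        value = effective
    elif requested and not effective:
        raise PolicyError(f"{endpoint}: effective setting is non-extractable; "
                          f"cannot create {name!r} as extractable")
    else:
        value = requested
    # Never Extractable is TRUE only while the key has never been extractable.
    return KeyObject(name, value, never_extractable=not value)


def update_extractable(key: KeyObject, new_value: bool, *,
                       key_administrator: bool) -> KeyObject:
    """Change the attribute on an existing key. A Key Administrator may set
    either value; a user or endpoint with read and modify access may only
    apply the stricter setting (true -> false)."""
    if new_value and not key.extractable and not key_administrator:
        raise PolicyError(f"{key.name!r}: only a Key Administrator can make a "
                          "non-extractable key extractable")
    key.extractable = new_value
    if new_value:
        # Once extractable, even briefly, Never Extractable is FALSE for good.
        key.never_extractable = False
    return key


if __name__ == "__main__":
    # Constructed sample: global default extractable, one hardened endpoint.
    cfg = EndpointSettings(endpoint_defaults={"db_endpoint_01": False})
    print(create_key(cfg, "db_endpoint_01", "TDE master key"))
    print(create_key(cfg, "app_endpoint_07", "app secret", requested=False))
```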

10.6.2 Configuring the Extractable Attribute Value of Existing Symmetric or Private Keys

You can configure the extractable attribute value of existing symmetric or private keys.

  1. Log in to the Oracle Key Vault management console as one of the following types of users:
    • A user who has the Key Administrator role can modify the extractable attribute value of any symmetric or private key.
    • A user with read-modify access on a symmetric or private key can modify its extractable attribute value to only apply a stricter setting (that is, to set the value to false to make the object non-extractable).
  2. Select the Keys & Wallets tab, and then Keys & Secrets from the left navigation bar.
    The Keys & Secrets page appears.
  3. For the key whose extractable setting you want to configure, click the Edit icon, and then scroll down the Object Details page to the Advanced section.
  4. In the Extractable menu, select True or False.
    • True allows the object value to be extracted from Oracle Key Vault.

    • False prevents the object value from being extracted from Oracle Key Vault.

  5. Select Save.

10.7 Managing Details of Security Objects

You can manage details about security objects, such as finding details about these objects and modifying them.

10.7.1 About Managing the Details of Security Objects

You can search for security objects within a virtual wallet, and add, modify, or remove these security objects.

Security objects are managed by Oracle Key Vault administrative users with a clear separation of duties. You must be an administrative user with the Key Administrator role to manage wallet privileges on the virtual wallet containing the security objects. A user with the Audit Manager role can view security objects but cannot modify them, whereas individual security objects are not viewable at all by a user with the System Administrator role.

You can set the deactivation date for security objects and have an alert notify you when the security object will expire. For example, if you configure an alert for object expiration with a threshold of 7 days, the expiration alert is raised when the object's deactivation date is within 7 days. An email notification is sent every 24 hours during this threshold period. The alert is raised only when the security object is in the PRE-ACTIVE or ACTIVE state. Oracle Key Vault deletes the expiration alerts for a security object when the security object is revoked or destroyed.

10.7.2 Searching for Security Object Items

You can search for individual security objects if you have privileges to view these objects.

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role, an Audit Manager role, or as a user with access to a virtual wallet.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
    The Keys & Secrets page appears displaying all the security objects in a table.

    Illustration: the Keys & Secrets page (212_keys_and_secrets.png)

    By default, the table has the following columns for each security object:

    • Display Name: The name of the object.
    • Type: Indicates the object type of security object. Valid values are Symmetric Key, Public Key, Private Key, Template, Opaque Object, Certificate, and Secret Data.

    • Wallet Membership: The virtual wallet that contains the security object.

    • Creating Endpoint: The endpoint that owns the security object.

    • State: Indicates the state of the object. Valid values are Active, Compromised, Deactivated, Destroyed, Destroyed Compromised, and Pre-Active.

    • Extractable: The extractable attribute setting of the security object.

    • Creation Date: Date and time that the security object was added to Oracle Key Vault.

    • Deactivation Date: Date and time that the security object was deactivated.

    • Name: Actual name of the object.

    • Unique Identifier: A globally unique ID that identifies an item.

    • Edit: A pencil icon links to the Object Details page for the security object.

    You can modify these columns to show more information. From the Actions menu, select Select Columns. In the Select Columns window, move the columns that you want to see to the Display in Report list, and then click Apply.
  3. If the security object does not appear, then search for it using the Search bar or the Actions menu.

10.7.3 Viewing the Details of a Security Object

An administrative user with the Key Administrator role can view, add, and modify the details of a security object.

The administrative user can perform these actions on the security object from its corresponding Object Details page. Object details are attributes of a specific security object and depend on the type of security object.

  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role or as a user with access to the virtual wallet.

  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.

  3. In the Keys & Secrets page, search for the security object that you want.

    The Keys & Secrets page shows a table that displays the security objects in Key Vault.

    You can modify the columns in this table to show more information. From the Actions menu, select Select Columns. In the Select Columns dialog box, move the columns that you want to see to the Display in Report list, and then click Apply.

  4. Click the pencil icon in the Edit column corresponding to the security object.

    The Object Details page appears displaying the attributes of the security object. The following screen shows a partial view of all the activities that you can perform on this object.

    Illustration: the Object Details page (21_object_details.png)

    You can set the dates when the security object should be deactivated or not used on the Object Details page. The attributes shown in Object Details depend on the type of security object. The attributes for a Symmetric Key are different from those of Private Key or Opaque Object.

    You can revoke or destroy a security object, and add or remove it to and from a wallet from the Object Details page.

    The Wallet Membership pane in the Object Details page enables you to add the security object to a wallet or delete the security object from a wallet.

    The Object Details page contains the following attributes:

    • Display Name: A summary description to help identify the item to the user. For example, if the item is a TDE master encryption key, then the Display Name shows the prefix TDE master encryption key followed by the identifier that the database uses to identify the key.

    • Unique Identifier: This is a globally unique ID that identifies an item.

    • Type: Indicates the object type of the item. Valid values are Symmetric Key, Public Key, Private Key, Template, Opaque Object, Certificate, and Secret Data.

    • State: Indicates the state of the security object. Values are as follows:

      • Pre-active: The object exists but is not yet usable for any cryptographic purpose.

      • Active: The object is available for use. Endpoints should examine the Cryptographic Usage Mask attribute to determine which uses are appropriate for this object.

      • Deactivated: The object is no longer active and should not be used to apply cryptographic protection (for example, encryption or signing). It may still be appropriate to use for decrypting or verifying previously protected data.

      • Compromised: The object is believed to be compromised and should not be used.

      • Destroyed: The object is no longer usable for any purpose.

      • Destroyed Compromised: The object was compromised and destroyed. It is no longer usable for any purpose.

    • Creator: The endpoint that created the security object.

    • Last Modified: The date last modified.

    • Date of Creation: The date created.

    • Date of Activation: The date of activation.

    • Process Start Date: The date when the key may start to be used to encrypt data. It can be equal to or later than the Date of Activation setting, but cannot precede it.

    • Protect Stop Date: When this date is passed, the key should not be used to encrypt any more data. It cannot be later than the Date of Deactivation setting.

    • Date of Deactivation: The date of deactivation.

  5. Click Advanced to view the attributes of the security object.

    Attribute information and queries will vary depending on the item type. Examples of attributes are as follows:

    • Cryptographic Algorithms: The encryption algorithm used by the item

    • Key Usage: Operations that the key can be used for. Clients may or may not use these attributes. For example, Transparent Data Encryption does not consult the key usage attributes.

    • Extractable: Indicates if the symmetric or private key security object can be extracted. TRUE means that it can be extracted; FALSE means that it cannot be extracted.

    • Never Extractable: Indicates if a security object (in this case, symmetric or private keys only) was never allowed to be extracted from Oracle Key Vault. TRUE means that the extractable attribute of the symmetric key has always been set to FALSE. If the Extractable attribute was ever (even once) set to TRUE, then the Never Extractable attribute becomes (and remains set to) FALSE.

    • Names: Labels attached by a user or endpoint to identify the key

    • Custom Attributes: Additional attributes defined by the endpoint and not interpreted by Oracle Key Vault

    • Cryptographic Parameters: Optional parameters for the encryption algorithm used by the item, such as block cipher mode and padding method

    • Cryptographic Length: The length in bits of the key

    • Retrieved at Least Once: Indicates if the object has been served to the client

    • Contact Information: Used for contact purposes only

    • Digests: Digest values of the security object

    • Link Details: Links to related objects

10.7.4 Adding or Modifying Details of a Security Object

Only users who have the appropriate privileges can add or modify the details of a security object.

To modify the attributes of a security object, you must be a user with the Key Administrator role, or you must have Read and Modify access on the security object. For example, a user who has the Key Administrator role can modify the extractable attribute of any security object in Oracle Key Vault. A user who has Read and Modify access can set the extractable attribute only for objects that they create. You get Read and Modify access on a security object if you own the security object or if you have access to a virtual wallet that contains the security object.
  1. Log in to the Oracle Key Vault management console as a user with the Key Administrator role or as a user with access to a virtual wallet.
  2. Select the Keys & Wallets tab, then Keys & Secrets in the left navigation bar.
    The Keys & Secrets page shows a table listing all the security objects. You can modify the columns in this table to show more information. From the Actions menu, select Select Columns. In the Select Columns dialog box, move the columns that you want to see to the Display in Report list, and then click Apply.
  3. Click the pencil icon corresponding to the security object.
    The Object Details page appears.
  4. In the Advanced pane, make the necessary changes.
  5. Click Save in the top right corner of the pane.

    Note:

    Setting the date-time attributes (such as Activation Date, Deactivation Date, Process Start Date, and Protect Stop Date) for a security object to the epoch time (January 1, 1970, UTC) has the same effect as not setting the attribute at all. For example, if you set the Activation Date attribute of a security object to the epoch time in order to activate the object immediately, then the object remains in the Pre-Active state. This is because Oracle Key Vault treats the epoch value of the attribute as if the attribute were not set at all.
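The date rules in this chapter, as one added Python example (not Oracle Key Vault code): the epoch value is treated as "not set" (the note above), Process Start Date may not precede Date of Activation and Protect Stop Date may not follow Date of Deactivation (Viewing the Details of a Security Object), the state is derived from those dates and from Revoke/Destroy, and the 7-day expiration alert fires only for PRE-ACTIVE or ACTIVE objects (About Managing the Details of Security Objects). The names SecurityObject, derive_state and expiration_alert are assumptions.

```python
"""Added model of security-object date handling and state; illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DEFAULT_LIFETIME = timedelta(days=2 * 365)   # console preset: deactivate in 2 years


def normalize(dt: Optional[datetime]) -> Optional[datetime]:
    """An epoch-valued date attribute is treated as if it were not set."""
    if dt is None or dt == EPOCH:
        return None
    return dt


@dataclass
class SecurityObject:
    name: str
    activation: Optional[datetime] = None
    deactivation: Optional[datetime] = None
    process_start: Optional[datetime] = None
    protect_stop: Optional[datetime] = None
    revoked_state: Optional[str] = None   # "Deactivated" or "Compromised" after Revoke
    destroyed: bool = False

    def __post_init__(self):
        self.activation = normalize(self.activation)
        self.deactivation = normalize(self.deactivation)
        self.process_start = normalize(self.process_start)
        self.protect_stop = normalize(self.protect_stop)
        # Date constraints from the Object Details page description.
        if self.activation and self.process_start and self.process_start < self.activation:
            raise ValueError("Process Start Date cannot precede Date of Activation")
        if self.deactivation and self.protect_stop and self.protect_stop > self.deactivation:
            raise ValueError("Protect Stop Date cannot be later than Date of Deactivation")


def derive_state(obj: SecurityObject, now: datetime) -> str:
    """Return one of the states listed on the Object Details page."""
    if obj.destroyed:
        return "Destroyed Compromised" if obj.revoked_state == "Compromised" else "Destroyed"
    if obj.revoked_state:
        return obj.revoked_state
    if obj.activation is None or now < obj.activation:
        return "Pre-Active"          # unset (or epoch) activation keeps it Pre-Active
    if obj.deactivation is not None and now >= obj.deactivation:
        return "Deactivated"
    return "Active"


def expiration_alert(obj: SecurityObject, now: datetime, threshold_days: int = 7) -> bool:
    """Raise the alert only for PRE-ACTIVE/ACTIVE objects whose deactivation
    date lies within the configured threshold; revoked/destroyed objects never alert."""
    if derive_state(obj, now) not in ("Pre-Active", "Active"):
        return False
    if obj.deactivation is None:
        return False
    remaining = obj.deactivation - now
    return timedelta(0) <= remaining <= timedelta(days=threshold_days)


if __name__ == "__main__":
    # Constructed sample: a key "activated" with the epoch value stays Pre-Active.
    now = datetime.now(timezone.utc)
    key = SecurityObject("sample key", activation=EPOCH, deactivation=now + DEFAULT_LIFETIME)
    print(derive_state(key, now), expiration_alert(key, now))
```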