1. Administrator's Guide
  2. Oracle Key Vault General System Administration

14 Oracle Key Vault General System Administration

General system administration refers to system management tasks for the Oracle Key Vault system, such as configuring network details and services.

14.1 Overview of Oracle Key Vault General System Administration

System administrators can perform most general administration tasks in the Oracle Key Vault management console, including finding the current status of the overall system.

Parent topic: Oracle Key Vault General System Administration

14.1.1 About Oracle Key Vault General System Administration

System administrators configure the Oracle Key Vault system settings.

The Oracle Key Vault system settings include administration, local and remote monitoring, email notification, backup and recovery operations, and auditing. You must have the appropriate role for performing these tasks. Users who have the System Administrator role can perform most of the administrative tasks, and users with the Audit Manager role can configure audit settings and export audit records. In most cases, you will perform these tasks in the Oracle Key Vault management console.

To quickly find information about the current status of the Oracle Key Vault system, you can view the Oracle Key Vault dashboard.

Related Topics

Parent topic: Overview of Oracle Key Vault General System Administration

14.1.2 Viewing the Oracle Key Vault Dashboard

The dashboard presents the current status of the Oracle Key Vault at a high level and is visible to all users.

The Home tab of the management console displays the dashboard when you log into the management console.

Alerts and Managed Content are the first sections you will see on logging in.

Figure 14-1 Alerts and Managed Content Panes

Description of Figure 14-1 follows
Description of "Figure 14-1 Alerts and Managed Content Panes"

The Data Interval, Operations, Endpoint Activity, and User Activity panes of the Home page follow Alerts and Managed Content.

Figure 14-2 Data Interval, Operations, Endpoint Activity, and User Activity Panes

Description of Figure 14-2 follows
Description of "Figure 14-2 Data Interval, Operations, Endpoint Activity, and User Activity Panes"

Parent topic: Overview of Oracle Key Vault General System Administration

14.1.3 Using the Status Panes in the Dashboard

The status panes on the dashboard provide useful high level information, such as links to alerts and an overview of current user activity.

  1. Log in to the Oracle Key Vault management console.
    The dashboard appears in the Home tab.
  2. To take corrective action on a particular alert:
    1. Click the link in the Details column that corresponds to the alert. The appropriate page appears.
    2. Take the corrective action for the alert as necessary.
  3. To configure the alerts that you want to see on the dashboard:
    1. Click the Reports tab, and then click Alerts from the left side bar to display the Alerts page.
    2. Click Configure from the top right, or Configure Alerts from the left sidebar under ALERTS, to display the Configure Alerts page.
    3. Select the Alert Type and then click Save.
  4. To view managed content, click the Managed Content button, which appears below the Alerts pane, along with the Show All and Activity buttons.

    The Managed Content pane of the dashboard displays aggregated information about security objects that are currently stored and managed in Oracle Key Vault.

    This status pane categorizes the aggregate information based on the item type such as keys, certificates, opaque objects, private keys, and TDE master encryption keys, as well as the item state such as pre-active, active, and deactivated.

    In the Managed Content pane, the item type and item state are displayed at the last time refreshed, which is set by the refresh interval described in the Data Interval status pane.

  5. To view information about from a specific time (data interval) about operations and endpoint activity, click the Show All button.

    Data Interval: This pane shows the length of the time period. You can set the time period to Last 24 hours, Last week, or Last Month, or a user-defined date range. It also shows the refresh interval for the Operations, Endpoint Activity, and User Activity panes.

    Operations: The Operations pane contains a bar graph with bars for key-related operations such as locate, activate, add endpoint, and assign default wallet.

    Endpoint Activity: The Endpoint Activity pane contains a bar graph for tracking the number of operations performed by each endpoint.

    User Activity: The User Activity pane contains a three-dimensional bar graph for tracking the number of operations performed by each user.

Related Topics

Parent topic: Overview of Oracle Key Vault General System Administration

14.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment

On the system Settings page, you can configure the network settings.

These settings include settings such as DNS connection information, SSH, FIPS mode, and performing restart or shut down operations on Oracle Key Vault.
  1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select System, then System Settings from the left sidebar.

    The Settings page appears.

    Description of system_settings.png follows
    Description of the illustration system_settings.png

    The system Settings page has the following panes:

    • Network Details: Fields in this pane are automatically populated with the IP address and host name of your Oracle Key Vault server. But if anything changes, then you can update the Host Name, IP Address, Network Mask and the Gateway for the Oracle Key Vault installation. You cannot change the MAC Address, because this is the hard-wired address of the network interface.

    • Network Services: You can enable services for Web Access and SSH Access (Secure Shell Access) for all, none, or a subset of clients, determined by their IP addresses by selecting one of the following options:

      • All to select all IP addresses

      • IP address(es) to select a set of IP addresses that you specify in the next field, separating each IP address by a space. The IP address(es) web access option enables you to restrict access to the Oracle Key Vault management console to a limited set of users that you specify to meet your organizational needs.

      Enabling SSH Access gives you access to Oracle Key Vault from the command line. This helps you diagnose problems not immediately apparent from the management console. You must log in as the user support, with the support password that you created during installation.

      If you are using the Bash shell, then you may need to download patch sets or security fixes that work with SSH Access. Instructions on downloading and enabling patch sets or security fixes come with the patch set release notes.

      As a best practice, enable SSH access for short durations, solely for diagnostics and troubleshooting purposes, and then disable it as soon as you are done.

      Enabling or disabling SSH access will enable or disable the inbound SSH connection to the Oracle Key Vault server. Enabling or disabling SSH access in this manner has no bearing on the SSH Tunnel settings or any other outbound SSH connections that the Oracle Key Vault server itself establishes. SSH connections can still be established by the Oracle Key Vault to other servers as in the case of SSH Tunnel settings.

    • System Time: You can configure Oracle Key Vault to use an NTP server to remain synchronized with the current time. (Fields for up to three servers are provided.) If an NTP server is not available, then you can set the current time manually. You should use the calendar icon to set the date and time so that these values are stored in the correct format. In a primary-standby deployment, you must set the primary and standby servers to the same time. If you want to use an NTP server, then ensure that you have already configured and saved a DNS server IP address for it.

    • DNS: You can configure Domain Name Service (DNS) to translate host names to up to three IP addresses. This is useful if you only know the host name and not the IP address of a server you need access to. For example, while configuring the SMTP server for email notifications, you can optionally enter the host name instead of the IP Address, after you set up DNS.

    • FIPS mode: Select the check box by Enable to use FIPS mode, or clear this check box to disable FIPS mode. In a primary-standby environment, ensure that both servers are consistent in their FIPS mode setting: either both are enabled, or both are disabled.

    • Syslog: All system related alerts are sent to syslog. Select the protocol to transfer syslog files: TCP or UDP.

      You can set the destination computer for syslog files by entering the IP address (and port number for TCP) in the format shown in the Syslog Destinations field. For more than one destination computer add the IP address (and port number for TCP) of each destination computer separated by a space.

      For TCP, specify the IP address and the port number. For UDP, specify only the IP address.

    • RESTful Services: First, ensure that the Web Access options in Network Services are set. Next, check the box after Enable to enable RESTful Services. RESTful services allow you to automate endpoint enrollment and provisioning. RESTful services also support regular key management activities.

    • Oracle Audit Vault Integration: Check the box after Enable to send audit data from Oracle Key Vault to Oracle Audit Vault for centralized audit reporting and alerting. It will prompt you to enter and confirm the password.

  3. Click Save.
  4. Manually restart or power off the Oracle Key Vault server by clicking Reboot or Power Off in the top right.
    This is available specifically for manual restart or power off situations as required for maintenance or as a documented step in patch and upgrade procedures, A manual restart is not required for changing system settings.

Parent topic: Oracle Key Vault General System Administration

14.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment

When you configure Oracle Key Vault in a multi-master cluster environment, you can configure either individual nodes or the entire multi-master cluster environment.

Parent topic: Oracle Key Vault General System Administration

14.3.1 Configuring System Settings for Individual Multi-Master Cluster Nodes

You can set or change settings that apply to the cluster node.

Examples of these settings are the network details, network services, system time, DNS, FIPS mode, syslog, and Oracle Audit Vault integration. Values set for the node override the cluster setting.  However, you can clear any individual node setting to revert to the cluster setting.

Parent topic: Configuring Oracle Key Vault in a Multi-Master Cluster Environment

14.3.1.1 Configuring the Network Details for the Node

In a multi-master cluster, you can configure the network details from any Oracle Key Vault management console.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Update the values for the following fields:
    • Host Name: Enter the name of the node.
    • IP Address: Enter the IP address of the node. Note that this value cannot be changed after it is saved.
    • Network Mask: Enter the network mask of the node.
    • Gateway: Enter the network gateway of the node.
  4. Click Save.
14.3.1.2 Configuring the Network Services for the Node

In a multi-master cluster, you can configure the network services from any Oracle Key Vault management console.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. For Web Access, select one of the following options:
    • All: Allows all IP addresses to access the management console of this node.
    • IP Address(es): Restricts management console access to the space separated list of IP addresses entered in the address box.
  4. Click Save.
14.3.1.3 Configuring the System Time for the Node

You can set and clear the time for individual nodes.

Parent topic: Configuring System Settings for Individual Multi-Master Cluster Nodes

14.3.1.3.1 Setting the System Time for the Node

In a multi-master cluster, you can set the system time for a node.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the DNS section of the System Settings page, enter up to three DNS server IP addresses, and then click Save.
    Before you can configure the necessary NTP servers for the system time, you must have the DNS servers configured and saved.
  4. If necessary, return to the System Settings page by select System Settings under the System tab.
  5. Choose Use Network Time Protocol.
  6. Enter values for the following fields:
    • Synchronize After Save: This setting immediately synchronizes the system time for the node to one of the given NTP servers after you save the settings.
    • Synchronize Periodically: This setting synchronizes the system time for the node at a predetermined interval.
    • Server 1: Enter the IP address of a NTP server. You must supply an address for Server 1. To immediately synchronize the system time with this server, click Apply Server.
    • Server 2: Enter the IP address of a second NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
    • Server 3: Enter the IP address of a third NTP server. This value is optional. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.
  7. Click Save.
14.3.1.3.2 Clearing the System Time for the Node

In a multi-master cluster, you can clear the time setting for the node and reset it to use the cluster time setting.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Click the Use Cluster Settings button in the System Time section.
    Clicking Use Cluster Settings is immediate for this setting. You do not need to click Save afterward.
14.3.1.4 Configuring DNS for the Node

You can set and clear the DNS for individual nodes.

  • Setting DNS for the Node
    When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.
  • Clearing DNS for the Node
    In a multi-master cluster, you can clear DNS for the node, which resets it to the use the cluster DNS.

Parent topic: Configuring System Settings for Individual Multi-Master Cluster Nodes

14.3.1.4.1 Setting DNS for the Node

When you configure the DNS for a multi-master cluster node, you should enter more than one DNS IP address.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the DNS section of the System Settings pages, enter up to three DNS server IP addresses.
    While only the first value is required, two entries are recommended for fault tolerance.
  4. Click Save.
14.3.1.4.2 Clearing DNS for the Node

In a multi-master cluster, you can clear DNS for the node, which resets it to the use the cluster DNS.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. Click the Use Cluster Settings button in the DNS section.
    Clicking Use Cluster Settings is immediate for this setting. You do not need to click Save afterwards.
14.3.1.5 Setting the FIPS Mode for the Node

All multi-master cluster nodes must use the same FIPS mode setting or you will receive an alert.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then System Settings from the left navigation bar.
  3. In the FIPS Mode section, do one of the following:
    • To enable FIPS mode, select the Enable check box.
    • To disable FIPS mode, clear the Enable check box.
    Enabling or disabling FIPS mode will take a few minutes.
  4. Click Save.
    After you click Save, Oracle Key Vault will restart automatically.

14.3.2 Managing Oracle Key Vault Multi-Master Clusters

You can create, configure, manage, and administer an Oracle Key Vault multi-master cluster by using the Oracle Key Vault management console.

Parent topic: Configuring Oracle Key Vault in a Multi-Master Cluster Environment

14.3.2.1 About Configuring Cluster System Settings

You can set or change settings that apply to an entire multi-master cluster. 

You can set the system time, DNS, the maximum time a server can be disabled before it is evicted from the cluster, enable RESTful services, the protocol to use for syslog, the syslog destination, and monitoring settings for the cluster. Any values that are set and saved to an individual node will not be overridden by cluster settings. It may take several minutes for changes to propagate to other nodes.

14.3.2.2 Configuring the System Time for the Cluster

When you configure the system time, you can set it for multiple servers and also set the synchronization.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Choose the User Network Time Protocol option.
    Only the first value is required.
  4. Enter values for the following fields:

    • Synchronize After Save: This synchronizes the time across the cluster after you save the settings.

    • Synchronize Periodically: This synchronizes the time across the cluster at a predetermined interval. Once selected and applied, this option cannot be deselected.

    • Server 1: Enter the IP address of a NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 2: Enter the IP address of a second NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

    • Server 3: Enter the IP address of a third NTP server. To test the NTP server, click Test Server. To immediately synchronize the system time with this server, click Apply Server.

  5. In the System Time section, click Save to Cluster.
14.3.2.3 Configuring DNS for the Cluster

When you configure the DNS for a cluster, you can enter up to three DNS server IP addresses.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the DNS section of the Cluster System Settings page, enter up to three DNS Server IP addresses.
  4. In the DNS section, click Save to Cluster.
14.3.2.4 Configuring Maximum Disable Node Duration for the Cluster

You can set the Configuring Maximum Node Duration time for the cluster in hours.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Maximum Disable Node Duration section, enter a value, in hours, for the duration that a node can be disabled before it is evicted from the cluster.
  4. In the Maximum Disable Node Duration section, click Save to Cluster.
14.3.2.5 Configuring RESTful Services for the Cluster

You can enable or disable RESTful Services for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. Select the Enable checkbox in the RESTful Services section.
  4. In the RESTful Services section, click Save to Cluster.
14.3.2.6 Configuring Syslog for the Cluster

You can enable syslog for either the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) for the cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Cluster System Settings from the left navigation bar.
  3. In the Syslog section, select one of the following protocols:
    • TCP: Enables syslog using the TCP protocol.
    • UDP: Enables syslog using the UDP protocol.
  4. Enter the syslog destination IP addresses and port numbers in the Syslog Destinations field, in the format IP_address:port.
    You can enter multiple destinations, separated by a space.
  5. In the Syslog section, click Save to Cluster.
14.3.2.7 Configuring SNMP Settings for the Cluster

You can enable or disable SNMP access for a multi-master cluster.

  1. Log into any Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Monitoring Settings from the left navigation bar.
  3. For Scope, select Cluster.
  4. Select who has SNMP access to the multi-master cluster by choosing one of the options:
    • All: Allows SNMP access from all IP addresses.
    • Disabled: Allows no SNMP access.
    • IP address(es): Allows SNMP access from the list of IP addresses supplied in the address box.  Enter a space-separated list of IP addresses.
  5. Enter values for the following fields:
    • Username: Enter the SNMP user name.
    • Password: Enter the SNMP password.
    • Reenter Password: Enter the SNMP password again.
  6. Click Save to Cluster.

14.4 Managing System Recovery

System recovery includes tasks such as recovering lost administrative passwords.

Parent topic: Oracle Key Vault General System Administration

14.4.1 About Managing System Recovery

To perform system recovery, you use the recovery passphrase.

In an emergency when no administrative users are available, or you must change the password of administrative users, you can recover the system with the recovery passphrase that was created during Oracle Key Vault installation. In addition, you can change the recovery passphrase to keep up with security best practices.

Parent topic: Managing System Recovery

14.4.2 Recovering Credentials for Administrators

You can recover the system by adding credentials for administrative users.

  1. From a web browser using HTTPS, enter the IP address of the Oracle Key Vault installation.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the page.
  4. In the Recovery Passphrase field, enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. In the Administrator Recovery page, fill out the fields in the Key Administrator, System Administrator, and Audit Manager panes to assign these roles to new or existing user accounts.
  6. Click Save.

Related Topics

Parent topic: Managing System Recovery

14.4.3 Changing the Recovery Passphrase in a Non-Clusters Environment

Periodically changing the recovery passphrase is a good security practice.

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes, so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data.
  1. Perform a server backup.
  2. From a web browser, enter the IP address of your Oracle Key Vault installation.
  3. In the Oracle Key Vault login page, do not log in.
  4. Click the System Recovery link.

    A new login page appears with a single field: Recovery Passphrase.

  5. Enter the recovery passphrase and then click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  6. Click Recovery Passphrase.

    The Recovery Passphrase page appears with two fields to enter and reenter the new passphrase.

  7. Enter the new recovery passphrase in the two fields.
  8. Click Submit.

Related Topics

Parent topic: Managing System Recovery

14.4.4 Changing the Recovery Passphrase in a Multi-Master Cluster

Changing the recovery passphrase in a multi-master cluster is a two-step process.

To change the recovery passphrase for a multi-master cluster, you must first initiate the change throughout the nodes in the multi-master cluster environment before changing the recovery passphrase.

Parent topic: Managing System Recovery

14.4.4.1 Step 1: Initiate the Recovery Passphrase Change Across the Nodes

A user with the System Administrator role should perform a new backup whenever the recovery passphrase changes.

This is so that there is always a backup protected with the current recovery passphrase. This ensures that you will have at least one backup with the latest data. First, you must initiate the change for the recovery passphrase so that all nodes in the multi-master cluster will be notified of the impending change.
  1. Perform a server backup.
  2. Ensure that all nodes are in the ACTIVE state and replication has been verified between all nodes.
  3. From a web browser, enter the IP address of the Oracle Key Vault installation that is not in read-only restricted mode.
  4. In the Oracle Key Vault login page, do not log in.
  5. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  6. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  7. Click the Recovery Passphrase tab.
  8. Click the Initiate Change button.
  9. Log out.
  10. Wait 3 to 4 minutes before continuing.

    During this time, all nodes will be notified that a passphrase change will be performed. To cancel a passphrase change, click the Reset button.

    All nodes will determine if more than one passphrase change has been initiated. If more than one passphrase change has been initiated, conflict resolution will be performed.

14.4.4.2 Step 2: Change the Recovery Passphrase

After the multi-master cluster nodes have been notified of the impending recovery passphrase change, you can change the recovery passphrase.

  1. From a Web browser, enter the IP address of a multi-master cluster node in the Oracle Key Vault installation.
    You can find a list of available nodes in the Oracle Key Vault management console by selecting the Clusters tab and then checking the Cluster Details section.
  2. In the Oracle Key Vault login page, do not log in.
  3. Click the System Recovery link at the lower right corner of the login page.

    A new login page appears with a single field: Recovery Passphrase.

  4. Enter the recovery passphrase and click Login.

    The Administrator Recovery page appears with two tabs above it: Administrator Recovery and Recovery Passphrase.

  5. Click the Recovery Passphrase tab.

    The Recovery Passphrase page appears with two fields to enter and re-enter the new passphrase.

  6. Enter the new recovery passphrase in the two fields.
  7. Click Submit.
  8. Repeat these steps for each node in the cluster.

    Note:

    HSM reverse migrate cannot run when the recovery passphrase is being changed.

    Caution:

    It is your responsibility to keep the recovery passphrase the same on all nodes in the cluster. If you set the recovery passphrase differently on cluster nodes it will negatively impact cluster functionality, such as adding nodes and HSM-enabling nodes.

14.4.5 Changing the Installation Passphrase

You can change the installation passphrase from the system console.

Parent topic: Managing System Recovery

14.4.5.1 About Changing the Installation Passphrase

You can only change the installation passphrase during a specific window of time.

The installation passphrase is specified during installation. You must use the installation passphrase to log in to Oracle Key Vault and complete the post-installation tasks. The installation passphrase can only be changed on the console after installation but before post-installation. After the post-installation tasks are completed, this option no longer appears on the console.

If you forget the installation passphrase, then you can create a new installation passphrase. As with all Oracle Key Vault passphrases, it is important to store the installation passphrase securely.

14.4.5.2 Changing an Installation Passphrase

You must change the installation passphrase in the system console.

  1. Access the system console of the server where Oracle Key Vault is installed.

    The Oracle Key Vault Server <Release Number> screen appears.

    Description of installation_02_18100.png follows
    Description of the illustration installation_02_18100.png

  2. Select Change Installation Passphrase and press Enter.
  3. Enter the new installation passphrase in the New Passphrase and Confirm fields.
    The installation passphrase must have 8 or more characters and contain at least one of each of the following: an uppercase letter, a lowercase letter, number, and special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), space.
  4. Select OK and then press Enter.

    The Installation Passphrase screen appears.

    Description of reset_os_user_password_03_18100.png follows
    Description of the illustration reset_os_user_password_03_18100.png

  5. Enter the old installation passphrase and then press Enter.

14.5 Support for a Primary-Standby Environment

To ensure that Oracle Key Vault can always access security objects, you can deploy Oracle Key Vault in a highly available configuration.

This configuration also supports disaster recovery scenarios.

You can deploy two Oracle Key Vault servers in a primary-standby configuration. The primary server services the requests that come from endpoints. If the primary server fails, then the standby server takes over after a configurable preset delay. This configurable delay ensures that the standby server does not take over prematurely in case of short communication gaps.

The primary-standby configuration was previously known as the high availability configuration. The primary-standby configuration and the multi-master cluster configuration are mutually exclusive.

Oracle Key Vault supports primary-standby read-only restricted mode. When the primary server is affected by server, hardware, or network failures, primary-standby read-only restricted mode ensures that an Oracle Key Vault server is available to service endpoints, thus ensuring operational continuity. However, key and sensitive operations, such as generation of keys are disabled, while operations such as generation of audit logs are unaffected.

When an unplanned shutdown makes the standby server unreachable, the primary server is still available to the endpoints in read-only mode.

Related Topics

Parent topic: Oracle Key Vault General System Administration

14.6 Managing Third-Party Certificates

You can use the Oracle Key Vault management console to manage third-party certificates.

Parent topic: Oracle Key Vault General System Administration

14.6.1 About Managing Third-Party Certificates

Oracle Key Vault enables you to install a certificate signed by a third-party Certificate Authority (CA) for more secure connections.

You can upload upload a certificate that was signed by a third-party CA to Oracle Key Vault to prove its identity, encrypt the communication channel, and protect the data that is exchanged throughout the Oracle Key Vault system.

To install a third-party certificate, you must generate a certificate request, get it signed by a CA, and then upload the signed certificate back to Oracle Key Vault.

Parent topic: Managing Third-Party Certificates

14.6.2 Step 1: Download the Certificate Request

When you request the certificate, you can suppress warning messages.

These warning messages appear when the browser detects a mismatch between the attributes of the server certificate and the attributes of the login session to the Oracle Key Vault management console.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the System tab, then Console Certificate from the System menu to display the Console Certificate page.
  3. Click Generate Certificate Request on the top right to display the Generate Certificate Request page.
  4. If you need to change the host name of the Oracle Key Vault server, which appears next to Common Name, then click Change.
    The System Settings page appears. Change the host name in the Network page.
  5. Check the box to the left of text Suppress warnings for IP based URL access if you want to suppress browser warnings for server IP address changes.
  6. Enter the required fields marked with an asterisk, Organization Name and Country/Region.
    You must enter values for these fields in order to proceed without errors. You may enter values in the rest of the optional fields as needed.
  7. Click Submit and Download to the top right.
    A directory window appears, where you can save the certificate.csr file. Select a directory and save the file to a secure location.

Parent topic: Managing Third-Party Certificates

14.6.3 Step 2: Have the Certificate Signed

After you download the Oracle Key Vault certificate.csr file, you can have it signed.

To have the certificate signed, you can use any out-of-band method to have it signed by a CA of your choice.

Afterward, you can then upload the signed certificate back to Oracle Key Vault using the management console.

Parent topic: Managing Third-Party Certificates

14.6.4 Step 3: Upload the Signed Certificate to Oracle Key Vault

In addition to uploading the signed certificate, you can optionally choose to deactivate and re-activate the certificate.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the System tab and then click Console Certificate in the left System menu to display the Console Certificate page.
  3. Click Upload Certificate at the top right to display the Upload Certificate page.
  4. Click Choose File to display a directory window on your local system.
  5. Navigate to the directory where you stored the signed certificate and select it. When you are done, you will see the file name to the right of text Choose File.
    After you select the certificate, you will see the file name to the right of Choose File.
  6. Click Upload.
    If the certificate is installed with no errors, then you will see its details appear in a new Uploaded Certificate Details panel just below Console Certificate.
At this stage, if you need to, you can deactivate the certificate by clicking Deactivate on the top right of the Uploaded Certificate Details section. When you deactivate the certificate, the Deactivate button is replaced by an Apply Certificate button. You can click this button to re-activate the certificate.

Parent topic: Managing Third-Party Certificates

14.6.5 Third-Party Certificates in Special Use Case Scenarios

Depending on the situation, you must perform additional steps when you use third-party certificates.

  • Primary-standby environments: If you want to use a third-party certificate in a primary-standby configuration, then you must install it on the primary and standby servers first, and then pair them.

  • RESTful services: When you install a third-party certificate, you must download the RESTful software utility again before you can use the new certificate.

  • Restored data from a backup: If you install a third-party certificate, perform a backup, and then restore another Oracle Key Vault appliance from that backup, you must re-install the third-party certificate on the new server before you can use it. The restore process does not copy the third-party certificate.

Parent topic: Managing Third-Party Certificates

14.7 Minimizing Downtime

Business-critical operations require data to be accessible and recoverable with minimum downtime.

You can configure Oracle Key Vault to ensure minimum downtime in the following ways:

  • Configuring a multi-master cluster: You can configure a multi-master cluster by adding redundancy in the form of additional nodes. The client can access any available node. In the event of a failure of any node, a client will automatically connect to another node in the endpoint node scan list. This reduces and potentially eliminates downtime.

  • Configuring a primary-standby environment: A primary-standby environment is configured by adding redundancy in the form of a standby server. The standby server takes over from the primary server in the event of a failure, thus eliminating single points of failure, and minimizing downtime.

  • Enabling read-only restricted mode: Primary-standby read-only restricted mode ensures endpoint operational continuity when primary or standby Oracle Key Vault servers are affected by server, hardware, or network failures. When an unplanned shutdown causes the standby server to become unreachable, the primary server is still available to the endpoints.

    If primary-standby read-only restricted mode is disabled, then the primary server will become unavailable and stop accepting requests in the event of a standby failure. Endpoints connected to Oracle Key Vault are unable to retrieve keys until connectivity is restored between primary and standby servers.

    To ensure endpoint operational continuity in the event of a primary or standby server failure, enable read-only restricted mode.

  • Enabling persistent master encryption key cache: The persistent master encryption key cache ensures that the endpoints can access keys in the event of a primary or standby server failure. While the surviving server is taking over from the failed peer, the endpoints can retrieve keys from the persistent cache and continue operations normally.

  • Apply the TDE heartbeat database patch on endpoints: Apply the database patch for Bug 22734547 to tune the Oracle Key Vault heartbeat.

Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and enable it to be fully operational with minimum downtime and data loss.

If the Oracle Key Vault installation uses an online master key (formerly known as TDE direct connect), then during an upgrade, ensure that you upgrade database endpoints in parallel to reduce total downtime.

Related Topics

Parent topic: Oracle Key Vault General System Administration