1. Administrator's Guide
  2. Oracle Key Vault Integration Accelerator

24 Oracle Key Vault Integration Accelerator

Oracle Key Vault provides accelerators to quickly spin up integration of use-cases with Key Vault. The accelerators can be used as provided or extended to suit application needs.

You can download an integration accelerator from the Oracle Key Vault management console. Oracle Key Vault provides an integration accelerator for:

Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Starting with release 21.10, Oracle Key Vault provides the Key Management for Oracle DBMS_CRYPTO integration accelerator to manage encryption keys used with DBMS_CRYPTO operations in Oracle Key Vault.

Oracle DBMS_CRYPTO package provides a PL/SQL interface to perform encrypt and decrypt operations. PL/SQL applications need to securely manage encryption keys used with DBMS_CRYPTO operations. Using this integration accelerator, you can manage the symmetric keys used with Oracle DBMS_CRYPTO operations in Oracle Key Vault. This integration accelerator package provides a PL/SQL wrapper built over an Oracle Key Vault JAVA SDK program.

Parent topic: Oracle Key Vault Integration Accelerator

Downloading Key Management for Oracle DBMS_CRYPTO Integration Accelerator

You can download the Key Management in Oracle DBMS_CRYPTO integration accelerator from the Oracle Key Vault management console.

  1. Connect to the Oracle Key Vault management console.

    For example:

    https://192.0.2.254
    The login page to the Oracle Key Vault management console appears. Do not log in.
  2. In the lower-right corner of the login page under Login, click Endpoint Enrollment and Software Download.
    The Enroll Endpoint & Download Software page appears.

    Description of 2110_dbms_crypto.png follows
    Description of the illustration 2110_dbms_crypto.png

  3. At the top of the page, click the Download Integration Accelerator tab.
  4. In the Download Integration Accelerator page, select Key Management for DBMS_CRYPTO package from the Integration Accelerator drop-down menu.
  5. Click Download.
  6. Save the okv_key_management_dbms_crypto.zip file to a desired location.

Parent topic: Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Learn how to use Key Management for DBMS_CRYPTO integration accelerator.

Parent topic: Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Prerequisites for Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Before you start working with the Key Management for Oracle DBMS_CRYPTO Integration Accelerator, ensure that you meet these prerequisites.

  • Enroll Oracle Database as an endpoint to Oracle Key Vault 21.10 or later, on which you intend to run the sample Oracle DBMS_CRYPTO application.

    Note:

    For more information see, About Endpoint Enrollment and Provisioning
  • Ensure that you have Java 8 or later.
  • Ensure that Oracle Database is patched with the latest Oracle JVM.

  • Set the OKV_HOME environment variable appropriately.

    Note:

    The $OKV_HOME is the destination directory for the endpoint software that you specified with the -d option during the endpoint installation.
  • Check if the okvclient.ora file is available and created as part of the endpoint enrollment. The okvclient.ora file is usually located at $OKV_HOME/conf/okvclient.ora.

  • Ensure that okv_jsdk.zip is unzipped under $OKV_HOME.

    In Bash UNIX shell:
     $ cd $OKV_HOME
 $ unzip -o okv_jsdk.zip

    Note:

    For information about downloading the Oracle Key Vault Java SDK, see Oracle Key Vault Developer's Guide
  • Extract the contents of okv_key_management_dbms_crypto.zip to a separate folder.

    The okv_key_management_dbms_crypto.zip file contains the following:

    • setup_java_permissions.sql: This SQL script sets up the required Java security permissions and database privileges to access the resources stored within the database.
    • KeyManager.java: This program creates and fetches a symmetric key from the Oracle Key Vault server using APIs from Oracle Key Vault Java SDK.
    • okv_key_mgmt.pkb: A PL/SQL wrapper that invokes the Oracle Key Vault Java SDK API (through KeyManager.java) to perform create and fetch operations of symmetric key in Oracle Key Vault.
    • dbms_crypto_using_okv_keymgmt.sql: Oracle DBMS_CRYPTO use case for demonstrating key management in Oracle Key Vault using Java SDK.
    • README.txt: Instructions to set up and run the sample Oracle DBMS_CRYPTO application.
Preparing the Environment for Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator

Ensure that you prepare the Oracle Database environment with the necessary permissions to run the Key Management for Oracle DBMS_CRYPTO Integration Accelerator.

  1. Ensure that the JAVA_HOME environment variable points to the Java Development Toolkit (JDK) location.
  2. Set the CLASSPATH to contain the Oracle Key Vault Java SDK jar $OKV_HOME/jsdk/lib/okvjsdk.jar.
    Set the CLASSPATH in Bash UNIX:
    $ export CLASSPATH=$CLASSPATH:$OKV_HOME/jsdk/lib/okvjsdk.jar
  3. Ensure that the current directory '.' is also part of CLASSPATH. If not, then add the current directory at the beginning of CLASSPATH.

    In Bash UNIX shell, set as follows:

    $ export CLASSPATH=.:$CLASSPATH
  4. Compile the KeyManager.java file.
    Set the current directory to the directory where you extracted the okv_key_management_dbms_crypto.zip file.
    Compile the KeyManager.java in Bash UNIX:
    $ cd folder_path
$ javac KeyManager.java
  5. Log in to Oracle Database as the sys user and set up the database user.
    Determine the default table space default_tablespace of the database user db_username using the following query: 
    SQL> select default_tablespace from dba_users where username = db_username;

    Note:

    Ensure db_username is in upper case.
    Grant the following permissions to db_username:
    SQL> grant execute on sys.dbms_crypto to db_username;
SQL> grant create session to db_username;
SQL> grant create procedure, create table to db_username;
SQL> alter user db_username quota 100M on default_tablespace;
SQL> commit;
SQL> exit;
  6. Ensure that you add the $ORACLE_HOME/bin directory to the PATH environment variable.
  7. Load the Java class file KeyManager.class and the dependent JAR file okvjsdk.jar to Oracle Database as the database user db_username, database user password db_pswd, and database name db_name.
    $ loadjava -user db_username/db_pswd@db_name -verbose $OKV_HOME/jsdk/lib/okvjsdk.jar
$ cd folder_path
$ loadjava -user db_username/db_pswd@db_name -verbose KeyManager.class
  8. Log in to the database as the sys user and run the following SQL file by passing the database user db_username and actual value of OKV_HOME as arguments.
     SQL> @folder_path/setup_java_permissions.sql db_username OKV_HOME;
  9. Log in to the database as the sys user and grant permissions required to allow the database user db_username to establish a secure socket connection with Oracle Key Vault:
    SQL> exec dbms_java.grant_permission( db_username, 'SYS:java.net.SocketPermission', 'Oracle Key Vault IP Address:Port#', 'connect,resolve' );
SQL> commit;
SQL> exit;

    Note:

    In a multi-master cluster deployment, grant the permission for each cluster node using the IP address and port-number. Ensure that the input db_username is in upper case for these commands.

    The IP address and port-number information is available in the $OKV_HOME/conf/okvclient.ora file.

    For example, the endpoint configuration file $OKV_HOME/conf/okvclient.ora for a 3-node Oracle Key Vault cluster with IP addresses 100.100.100.101, 100.100.100.102 and 100.100.100.103 for the respective nodes is similar to the following: 

    SERVER=100.100.100.101:5696/CN=server_cert,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us,100.100.100.102:5696/CN=node_2_cert,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us
READ_SERVER=100.100.100.103:5696/CN=node_3_cert,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us

    Extract the IP address and port details from the previous configuration file and run SQL commands as the sys user for the previous example cluster as follows: 

    SQL> exec dbms_java.grant_permission( db_username, 'SYS:java.net.SocketPermission', '100.100.100.101:5696', 'connect,resolve' );
SQL> exec dbms_java.grant_permission( db_username, 'SYS:java.net.SocketPermission', '100.100.100.102:5696', 'connect,resolve' );
SQL> exec dbms_java.grant_permission( db_username, 'SYS:java.net.SocketPermission', '100.100.100.103:5696', 'connect,resolve' );
SQL> commit;
SQL> exit;

    Ensure that you change these permissions whenever there are changes to the Oracle Key Vault cluster node configuration, such as adding or deleting cluster nodes.

    For example, when a new cluster node 100.100.100.104 is added: 

    SQL> exec dbms_java.grant_permission( db_username,'SYS:java.net.SocketPermission', '100.100.100.104:5696', 'connect,resolve' ); 
SQL> commit; 
SQL> exit;

    When the cluster node 100.100.100.103 is removed: 

    SQL> exec dbms_java.revoke_permission( db_username, 'SYS:java.net.SocketPermission','100.100.100.103:5696', 'connect,resolve' );
SQL> commit;
SQL> exit;
  10. Log in to the database with your database user name and password and grant the following permissions to the database user db_username to enable the database user to load the endpoint wallet under $OKV_HOME/ssl file when establishing a secure connection with Oracle Key Vault.
    SQL> exec dbms_java.grant_policy_permission( db_username, db_username, 'oracle.security.pki.OracleWalletPermission', 'load' );
SQL> exec dbms_java.grant_permission( db_username, 'db_username:oracle.security.pki.OracleWalletPermission', 'load', '' );
SQL> commit;
SQL> exit;

    Note:

    Ensure that the input db_username is in upper case for these commands.
  11. Connect to the database with your database user name and password and load the package okv_key_mgmt.pkb.
    SQL> @folder_path/okv_key_mgmt.pkb;
SQL> exit;
Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator in a PL/SQL Application

You can now use the PL/SQL package okv_key_mgmt supplied by the integration accelerator in your PL/SQL applications.

The okv_key_mgmt package provides the following functions to integrate key management with Oracle Key Vault.
  • create_key: Creates a symmetric key in Oracle Key Vault. This is a wrapper function calling KeyManager.java:createKey() which makes use of the Oracle Key Vault Java SDK APIs to create a symmetric key in Oracle Key Vault.
  • fetch_key: Fetches a symmetric key from Oracle Key Vault. This is a wrapper function calling KeyManager.java:fetchKey() which makes use of the Oracle Key Vault Java SDK APIs to fetch a symmetric key in Oracle Key Vault.

You can modify PL/SQL applications that perform symmetric key based crypto operations using DBMS_CRYPTO to fetch and use the keys from Oracle Key Vault using okv_key_mgmt package. This way, you can simplify the key management for your PL/SQL applications.

Review the supplied sample application dbms_crypto_using_okv_keymgmt.sql included with the integration accelerator to learn how to use key management functions of the okv_key_mgmt package.

You can run the sample application dbms_crypto_using_okv_keymgmt.sql included with the Key Management for DBMS_CRYPTO integration accelerator package.

  1. Log in to database with your user name and password to the configured database.
  2. Run the dbms_crypto_using_okv_keymgmt.sql file using the following command:
    SQL> @folder_path/dbms_crypto_using_okv_keymgmt.sql;

    Note:

    • This SQL script works only for auto-login wallet of the installed Oracle Key Vault endpoint software. If your endpoint is password-protected, then enter the password of your endpoint in 'endpt_pswd' variable present in this SQL file.
    • If you want to give a name for the key created in Oracle Key Vault, then enter the key name value in 'key_name' variable present in this SQL file.

The Key Management for DBMS_CRYPTO integration accelerator provides basic functions to demonstrate the management of keys for PL/SQL application in Oracle Key Vault. You can modify the supplied Java SDK program KeyManager.java and PL/SQL wrapper package okv_key_mgmt.pkb to extend its functionality to cover more advanced usage.

Extending the Functionality of Key Management for Oracle DBMS_CRYPTO Integration Accelerator

You can extend functionality of the Key Management for Oracle DBMS_CRYPTO Integration Accelerator to suite your application needs.

The available PL/SQL wrapper package okv_key_mgmt.pkb provides only the basic functions create_key() and fetch_key() to create and fetch a key respectively. The function fetch_key() requires the unique identifier of the key (key ID) as input.

In many cases, you may find it easier to associate human-friendly names to the keys. That way, you must first retrieve the ID of the key by locating the key using its name and then pass the retrieved key ID to fetch_key() to obtain the key to use with DBMS_CRYPTO operations. The available create_key() function already accepts a name to associate with the newly created key. However, the function to locate a key by its name is not available.

To extend the Key Management for Oracle DBMS_CRYPTO integrator accelerator to support a function to locate a key by its name, you must modify the available Java SDK program KeyManager.java and PL/SQL wrapper package okv_key_mgmt.pkb using the following procedure:
  1. Add the function locateKey() for locating the key using Oracle Key Vault Java SDK APIs in KeyManager.java:
    public static String locateKey(String epPswd, String nameAttrValue) 
                                                  throws OKVException {

        /* Create a connection to Oracle Key Vault */
        char[] endpointPswd = null;

        if ((epPswd != null) && !(epPswd.trim().isEmpty())) {
            endpointPswd = epPswd.toCharArray();
        }
        OKVService service = setupOKVConnection(endpointPswd);

        /* Locate the key */
        System.out.println("\nLocate a key on Oracle Key Vault");

        /* Create the attribute list for locate operation */
        OKVTTLV attrList = OKVTTLV.okvEnvGetOpRequestObj();
        OKVTTLV nameAttr = attrList.okvAddAttributeObject(OKVTag.NAME, 0);
        nameAttr.okvAttrAddName(nameAttrValue,
                             OKVTagEnum.NAME_TYPE_UNINTERPRETED_TEXT_STRING);
        OKVTTLV stateAttr = attrList.okvAddAttributeObject(OKVTag.STATE, 0);
        stateAttr.okvAttrAddState(OKVTagEnum.STATE_ACTIVE);

        OKVUidListResponse result = service.okvLocate(null, 0, null, 
                                                      attrList);

        /* Verify if the key is located */
        int count = result.getUidCnt();
        String uniqueId = null;
        if (count == 1) {
            uniqueId = result.getUids().get(0);
            System.out.println("\tSuccessfully located the key. " + 
                               "Unique ID of the key: " + uniqueId);
        }
        else {
            System.out.println("\tUnable to locate the key, " + 
                               "number of unique ID's got: " + count);
        }

        /* Release the connection from Oracle Key Vault */
        releaseOKVConnection(service);

        return uniqueId;
   }
  2. Add the wrapper function locate_key() in okv_key_mgmt.pkb:
    1. Declaration:
      function locate_key(ep_pswd varchar2, key_name varchar2) return varchar2;
    2. Definition: 
      function locate_key(ep_pswd varchar2, key_name varchar2) return varchar2 as language java name 'KeyManager.locateKey (java.lang.String,java.lang.String) return java.lang.String';
  3. Add the call to okv_key_mgmt.locate_key() before calling okv_key_mgmt.fetch_key() in dbms_crypto_using_okv_keymgmt.sql similar to the following:
    key_id := okv_key_mgmt.locate_key(endpt_pswd, key_name);
key_value := okv_key_mgmt.fetch_key(endpt_pswd, trim(key_id));

    Note:

    Ensure that 'key_name' is not an empty string or null in the dbms_crypto_using_okv_keymgmt.sql file.
  4. Recompile modified KeyManager.java:
    $ cd folder_path        
$ javac KeyManager.java
  5. Reload KeyManager.class to Oracle Database to include the new changes:
    $ cd folder_path
$ loadjava -user db_username/db_pswd@db_name -verbose KeyManager.class
  6. Connect to the database with your user name and password and reload okv_key_mgmt.pkb to include the new locate_key() functionality:
    SQL> @folder_path/okv_key_mgmt.pkb;
SQL> exit;
  7. To verify the newly included Locate operation, connect to the database with your user name and password and run the dbms_crypto_using_okv_keymgmt.sql file using the following command: 
    SQL> @folder_path/dbms_crypto_using_okv_keymgmt.sql;