Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Key Vault
- Changes for Oracle Key Vault Release 21.10
- Key Management for DBMS_CRYPTO with Extensible Oracle Key Vault Integration Accelerator
- Configurable Oracle Key Vault Ports
- New Oracle Key Vault Endpoint Platforms - Linux for Arm (aarch64) Architecture and IBM: Linux on System z
- Manage SSH User Keys with Oracle Key Vault Endpoints on Windows
- Monitor Privilege for Users Monitoring Oracle Key Vault
- Automated Rotation of Platform Certificates
- List Recently Active or Inactive Endpoint using the RESTful Services Utility Command
- Raise Alert for Password Expiry of the Oracle Key Vault System Users (support and root)
- Monitoring CPU Usage and RESTful Services Memory Usage
- Changes for Oracle Key Vault Release 21.9
- Changes for Oracle Key Vault Release 21.8
- Changes for Oracle Key Vault Release 21.7
- Controlling Access to SSH Servers Centrally with Oracle Key Vault
- Improved SSH User Keys Management
- RESTful Services Utility Changes to Support SSH Keys Management
- Support Key Creation from Oracle Key Vault Management Console
- Support for Node or Cluster Scope for Alerts in Multi-Master Cluster
- Setting the Initial Password for the support and root User
- Changes for Oracle Key Vault Release 21.6
- Ability to Restrict the Extraction of Private Encryption Keys from Oracle Key Vault
- Ability to Create Asymmetric Key Pairs in Oracle Key Vault
- Ability to Clone an Oracle Key Vault VM
- Support the Ability to Provide an Alternate Host Name or an IP Address
- Support SAMLv2 Based Single Sign-On (SSO) Authentication for Oracle Key Vault
- Support for Unified Application-Level Tracing and Simplified Diagnostics Collection
- Aborting Oracle Audit Vault Integration with Oracle Key Vault
- Event ID Support in Auditing Records
- Support for Disk and Network I/O and Application Metrics in Oracle Key Vault Metrics Framework
- Support for Sign and Signature Verify Operations
- Oracle Key Vault Deployments in Microsoft Azure and Amazon AWS
- Endpoint IP Address Attribute Added to endpoint get RESTful Command
- Improved Audit Record Messages
- Support Endpoint Communication With Oracle Key Vault Using a Secondary IP address or Fully-Qualified Domain Name
- Changes for Oracle Key Vault Release 21.5
- Support for SSH Public Key Authentication using SSH User Keys from Oracle Key Vault
- Automatic Purging of Audit Records Based on a Retention Policy
- Ability to Rotate Endpoint Certificates
- Endpoint and Endpoint Group Privileges Support for LDAP Users
- User Account Management
- Severity based Alert Categorization
- Displaying Endpoint Group Membership Column in Endpoint Metadata Report
- Ability to Determine Time of Last Endpoint Activity
- UEFI Support for OCI marketplace Image
- Separate Alerts for CA Certificate Expiration and Server/Node Certificate Expiration
- Changes for Oracle Key Vault Release 21.4
- Ability to Control the Extraction of Symmetric Encryption Keys from Oracle Key Vault
- Enhancements to Certificate Management
- Support for Policy Based Automatic Purging of Old Oracle Key Vault Backups
- Ability to Restrict Oracle Key Vault Administrative Role Grants
- Client IP Address in the Oracle Key Vault Audit Trail
- Support for Additional Monitoring Information Through SNMP
- Changes for Oracle Key Vault Release 21.3
- Deprecated Features of Oracle Key Vault
- 1 Introduction to Oracle Key Vault
- About Key and Secrets Management in Oracle Key Vault
- Benefits of Using Oracle Key Vault
- Oracle Key Vault Use Cases
- Centralized Management of TDE Master Encryption Keys Using Online Master Encryption Keys
- Remote Server Access Controls and Private Key Governance for Public Key Authentication
- Centralized Storage of Oracle Wallet Files and Java Keystores
- Storage of Credential Files
- Online Management of Endpoint Keys and Secret Data
- Who Should Use Oracle Key Vault
- Major Features of Oracle Key Vault
- Centralized Storage and Management of Security Objects
- Centrally Managed Remote Server Access Controls and Improved Private Key Governance for SSH Public Key Authentication
- Management of the Key Lifecycle
- Reporting and Alerts
- Separation of Duties for Oracle Key Vault Users
- Persistent Master Encryption Key Cache
- Backup and Restore Functionality for Security Objects
- Management of Oracle Key Vault Using RESTful Services Utility
- Support for OASIS Key Management Interoperability Protocol (KMIP)
- Database Release and Platform Support
- Integration with External Audit and Monitoring Services
- Integration of MySQL with Oracle Key Vault
- Oracle Advanced Cluster File System Encryption
- Support for Cloud-Based Oracle Database Deployments
- Oracle Key Vault Hardware Security Module Integration
- Continuous Availability, Fault-tolerance, and High Availability through Oracle Key Vault Clustering
- Oracle Key Vault Interfaces
- Overview of an Oracle Key Vault Deployment
- 2 Oracle Key Vault Concepts
- Overview of Oracle Key Vault Concepts
- Oracle Key Vault Deployment Architecture
- Access Control Configuration
- Administrative Roles and Privilege within Oracle Key Vault
- Naming Guidelines for Objects
- Emergency System Recovery Process
- Root and Support User Accounts
- Endpoint Managers
- Endpoint Administrators
- FIPS Mode
- 3 Oracle Key Vault Multi-Master Cluster Concepts
- Oracle Key Vault Multi-Master Cluster Overview
- Benefits of Oracle Key Vault Multi-Master Clustering
- Multi-Master Cluster Architecture
- Building and Managing a Multi-Master Cluster
- Oracle Key Vault Multi-Master Cluster Deployment Scenarios
- Multi-Master Cluster Features
- Cluster Management Information
- 4 Managing Oracle Key Vault Multi-Master Clusters
- About Managing Oracle Key Vault Multi-Master Clusters
- Setting Up a Cluster
- Terminating the Pairing of a Node
- Disabling a Cluster Node
- Enabling a Disabled Cluster Node
- Deleting a Cluster Node
- Force Deleting a Cluster Node
- Managing Replication Between Nodes
- Cluster Management Information
- Cluster Monitoring Information
- Naming Conflicts and Resolution
- Multi-Master Cluster Deployment Recommendations
- Adding an Alternate Name or IP Address
- 5 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance
- About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance
- Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure
- Provisioning an Oracle Key Vault Compute Instance
- General Management of an Oracle Key Vault Compute Instance
- Migrating Oracle Key Vault Deployments Between On-Premises and OCI
- Creating Oracle Key Vault Image in Microsoft Azure
- Creating Oracle Key Vault Image in Amazon AWS
- Creating Oracle Key Vault Image in Google Cloud
- Oracle Key Vault on Oracle VM Virtual Box
- 6 Oracle Database Instances in Oracle Cloud Infrastructure
- About Managing Oracle Cloud Infrastructure Database Instance Endpoints
- Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
- Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
- Creating an SSH Tunnel Between Oracle Key Vault and a DBaaS Instance
- Managing a Reverse SSH Tunnel in a Multi-Master Cluster
- Managing a Reverse SSH Tunnel in a Primary-Standby Configuration
- Viewing SSH Tunnel Configuration Details
- Disabling an SSH Tunnel Connection
- How the Connection Works if the SSH Tunnel Is Not Active
- Deleting an SSH Tunnel Configuration
- Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- About Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- Step 1: Register the Endpoint in the Oracle Key Vault Management Console
- Step 2: Prepare the Endpoint Environment
- Step 3: Install the Oracle Key Vault Software onto the Endpoint for Registration and Enrollment
- Step 4: Perform Post-Installation Tasks
- Suspending Database Cloud Service Access to Oracle Key Vault
- Resuming Database Cloud Service Access to Oracle Key Vault
- Resuming a Database Endpoint Configured with a Password-Based Keystore
- 7 Configuring Single Sign-On in Oracle Key Vault
- About Single Sign-On Authentication in Oracle Key Vault
- Configuring SAML Single Sign-On (SSO) Authentication
- Managing Single Sign-On in Oracle Key Vault
- Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory
- Configuring Single Sign-On for Oracle Key Vault and ADFS
- Guidelines for Managing Single Sign-On Configuration
- 8 Managing LDAP User Authentication and Authorization in Oracle Key Vault
- About Managing LDAP User Authentication and Authorization in Oracle Key Vault
- Considerations for Granting Privileges to LDAP Users
- Configuring the LDAP Directory Server Connection to Oracle Key Vault
- Logins to Oracle Key Vault as an LDAP User
- Managing the LDAP Configuration
- Managing LDAP Groups
- Managing Oracle Key Vault-Generated LDAP Users
- 9 Managing Oracle Key Vault Users
- Managing User Accounts
- About Oracle Key Vault User Accounts
- User Account Profile Parameters
- How a Multi-Master Cluster Affects User Accounts
- Multi-Master Cluster Effect on User Account Profile Parameters
- Multi-Master Cluster Effect on System Administrator Users
- Multi-Master Cluster Effect on Key Administrator Users
- Multi-Master Cluster Effect on Audit Manager Users
- Multi-Master Cluster Effect on Administration Users
- Multi-Master Cluster Effect on System Users
- Creating an Oracle Key Vault User Account
- Viewing User Account Details
- Deleting an Oracle Key Vault User Account
- Managing Administrative Roles and User Privileges
- About Managing Administrative Roles and User Privileges
- Granting or Changing an Administrative Role of a User
- Granting the Create Endpoint Privilege
- Granting the Manage Endpoint Privilege
- Granting the Create Endpoint Group Privilege
- Granting the Manage Endpoint Group Privilege
- Granting the Monitor Privilege
- Revoking an Administrative Role or Privilege from a User
- Granting a User Access to a Virtual Wallet
- Enforce Separation of Administrator Roles
- Managing User Passwords
- Managing User Email
- Managing User Groups
- Managing support and root Password
- 10 Managing Oracle Key Vault Virtual Wallets and Security Objects
- Managing Virtual Wallets
- Managing Access to Virtual Wallets from Keys & Wallets Tab
- Managing Access to Virtual Wallets from User’s Menu
- Managing Security Objects
- Managing the State of a Key or a Security Object
- Managing the Extraction of Symmetric or Private Keys from Oracle Key Vault
- Managing Details of Security Objects
- 11 Managing Oracle Key Vault Master Encryption Keys
- Using the Persistent Master Encryption Key Cache
- About the Persistent Master Encryption Key Cache
- About Oracle Key Vault Persistent Master Encryption Key Cache Architecture
- Caching Master Encryption Keys in the In-Memory and Persistent Master Encryption Key Cache
- Storage Location of Persistent Master Encryption Key Cache
- Persistent Master Encryption Key Cache Modes of Operation
- Persistent Master Encryption Key Cache Refresh Window
- Persistent Master Encryption Key Cache Parameters
- Listing the Contents of the Persistent Master Key Cache
- Oracle Database Deployments and Persistent Master Encryption Key Cache
- Configuring an Oracle Key Vault to a New TDE-Enabled Database Connection
- Migrating Existing TDE Wallets to Oracle Key Vault
- Uploading and Downloading Oracle Wallets
- Uploading and Downloading JKS and JCEKS Keystores
- Using a User-Defined Key as the TDE Master Encryption Key
- 12 Managing Oracle Key Vault Endpoints
- Overview of Managing Endpoints
- Managing Endpoints
- Managing Endpoint Details
- Managing Global and Per-Endpoint Configuration Parameters and Settings
- Default Wallets and Endpoints
- Managing Endpoint Access to a Virtual Wallet
- Managing Endpoint Groups
- 13 Enrolling and Upgrading Endpoints for Oracle Key Vault
- About Endpoint Enrollment and Provisioning
- Finalizing Enrollment and Provisioning
- Environment Variables and Endpoint Provisioning Guidance
- Endpoints That Do Not Use the Oracle Key Vault Client Software
- Transparent Data Encryption Endpoint Management
- Endpoint okvclient.ora Configuration File
- okvclient.ora Parameters That Must Not Be Modified
- Upgrading Endpoint Software
- 14 Managing Keys for Oracle Products
- Using a TDE-Configured Oracle Database in an Oracle RAC Environment
- Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
- Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
- About Uploading Oracle Wallets in an Oracle Data Guard Environment
- Uploading Oracle Wallets in an Oracle Data Guard Environment
- Performing an Online Master Encryption Key Connection in an Oracle Data Guard Environment
- Migrating Oracle Wallets in an Oracle Data Guard Environment
- Reverse Migrating Oracle Wallets in an Oracle Data Guard Environment
- Migrating an Oracle TDE Wallet to Oracle Key Vault for a Logical Standby Database
- Checking the Oracle TDE Wallet Migration for a Logical Standby Database
- Uploading Keystores from Automatic Storage Management to Oracle Key Vault
- MySQL Integration with Oracle Key Vault
- Other Oracle Database Features That Oracle Key Vault Supports
- 15 SSH Keys Management Concepts
- SSH Protocol
- SSH Public Key Authentication
- OpenSSH Implementation of the SSH Protocol
- Challenges with SSH Public Key Authentication
- Controlling Access to SSH Server Centrally with Oracle Key Vault
- Managing SSH User Keys with Oracle Key Vault
- Oracle Key Vault and SSH Integration
- Supported Platforms for SSH Server and Client Endpoints
- 16 Management of SSH Keys - Setup and Configuration
- 17 Managing Online and Offline Secrets
- 18 Oracle Key Vault General System Administration
- Overview of Oracle Key Vault General System Administration
- Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
- Configuring the Network Details
- Configuring Network Access
- Configuring DNS
- Configuring the System Time
- Configuring FIPS Mode
- Configuring Syslog
- Changing the Network Interface Mode
- Configuring RESTful Services Utility
- Checking the Oracle Audit Vault Integration Status
- Configuring the Oracle Key Vault Management Console Web Session Timeout
- Restarting or Powering Off Oracle Key Vault
- Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- About Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- Configuring System Settings for Individual Multi-Master Cluster Nodes
- Configuring the Network Details for the Node
- Configuring Network Access for the Node
- Configuring DNS for the Node
- Configuring the System Time for the Node
- Configuring the FIPS Mode for the Node
- Configuring Syslog for the Node
- Changing the Network Interface Mode for the Node
- Configuring Auditing for the Node
- Configuring SNMP Settings for the Node
- Checking the Oracle Audit Vault Integration for the Node
- Restarting or Powering Off Oracle Key Vault from a Node
- Configuring System Settings for an Entire Oracle Key Vault Multi-Master Cluster
- Configuring the System Time for the Cluster
- Configuring DNS for the Cluster
- Configuring the Maximum Disable Node Duration for the Cluster
- Configuring Syslog for the Cluster
- Configuring RESTful Services for the Cluster
- Configuring Auditing for the Cluster
- Configuring SNMP Settings for the Cluster
- Configuring the Oracle Key Vault Management Console Web Session Timeout for the Cluster
- Configuring the Service Ports
- Managing System Recovery
- Support for a Primary-Standby Environment
- Commercial National Security Algorithm Suite Support
- Minimizing Downtime
- 19 Managing Service Certificates
- Overview of Oracle Key Vault Certificates
- Certificates Validity Period
- Monitoring Certificates Expiry
- Monitoring Certificates Expiry Using Certificate Expiration Alerts
- Finding the Expiration Date of Endpoint Certificates
- CA Certificate Expiration Date on Status Page
- Server and Node Certificate Expiration on Status Page
- Finding the Expiration Date of the CA Certificate
- Finding the Expiration Date of Server Certificates and Node Certificates
- Managing CA Certificate Rotation
- Steps for Managing CA Certificate Rotation
- Checking for Self-Signed Root CA or Intermediate CA Certificate
- Setting the Key Length of the CA Certificate
- Setting the Validity of Self-Signed Root CA Certificate
- Setting Up the Intermediate CA Certificate
- Rotating CA Certificate
- Setting the Endpoint Certificate Rotation Batch Size
- Setting the Endpoint Certificate Rotation Sequence
- Checking Overall Certificate Rotation Status
- Checking Certificate Rotation Status for Endpoints
- Post-CA Certificate Rotation Tasks
- Factors Affecting CA Certificate Rotation Process
- Guidelines for Managing CA Certificate Rotations
- Managing Server Certificates and Node Certificates Rotation
- Managing the Oracle Key Vault CA Certificate After Expiry
- Configuring Oracle Key Vault with an Alternate Hostname
- Managing Platform Certificates
- 20 Managing Console Certificates
- 21 Backup and Restore Operations
- About Backing Up and Restoring Data in Oracle Key Vault
- Oracle Key Vault Backup Destinations
- Scheduled Backups and States
- Scheduling and Managing Oracle Key Vault Backups
- Restoring Oracle Key Vault Data
- Scheduling the Purging of Old Oracle Key Vault Backups
- About Scheduling the Purging of Old Oracle Key Vault Backups
- Creating a Backup Destination Policy
- Adding a Backup Destination Policy to a Remote Backup Destination
- Changing a Backup Destination Policy
- Suspending a Backup Destination Policy
- Resuming a Suspended Backup Destination Policy
- Deleting a Backup Destination Policy
- Finding Information about Backup Destination Policies
- Manually Deleting a Local Oracle Key Vault Backup
- Configuring Oracle ZFS Storage Appliance to Store Oracle Key Vault Backups
- Step 1: Create a Storage Project in Oracle ZFS Storage Appliance
- Step 2: Copy the Oracle Key Vault Public Key to the Oracle ZFS Storage Appliance
- Step 3: Complete Creating the Oracle ZFS Storage Appliance Project
- Step 4: Configure Oracle Key Vault to Connect to the Oracle ZFS Storage Appliance Project
- Backup and Restore Best Practices
- 22 Monitoring and Auditing Oracle Key Vault
- Managing System Monitoring
- Configuring Remote Monitoring to Use SNMP
- About Using SNMP for Oracle Key Vault
- Granting SNMP Access to Users
- Changing the SNMP User Name and Password
- Changing SNMP Settings on the Standby Server
- Remotely Monitoring Oracle Key Vault Using SNMP
- SNMP Management Information Base Variables for Oracle Key Vault
- Example: Simplified Remote Monitoring of Oracle Key Vault Using SNMP
- Configuring SNMP to Work with Old SNMP Clients
- Configuring Email Notification
- Configuring the Syslog Destination for Individual Multi-Master Cluster Nodes
- Capturing System Diagnostics
- Monitoring System Metrics
- Configuring Oracle Key Vault Alerts
- Managing System Auditing
- About Auditing in Oracle Key Vault
- Oracle Key Vault Audit Trail
- Oracle Key Vault Audit Configuration
- Viewing Audit Records
- Exporting and Deleting Audit Records Manually
- Deleting Audit Records Automatically
- Oracle Key Vault Audit Event IDs
- Configuring Oracle Key Vault with Oracle Audit Vault
- Integrating Oracle Audit Vault with Oracle Key Vault
- Viewing Oracle Key Vault Audit Data Collected by Oracle Audit Vault
- Suspending an Oracle Audit Vault Monitoring Operation
- Resuming an Oracle Audit Vault Monitoring Operation
- Deleting an Oracle Audit Vault Integration
- Guidance for Integrating Oracle Audit Vault in a Multi-Master Cluster or Primary-Standby Environment
- Using Oracle Key Vault Reports
- 23 Managing an Oracle Key Vault Primary-Standby Configuration
- Overview of the Oracle Key Vault Primary-Standby Configuration
- About the Oracle Key Vault Primary-Standby Configuration
- Benefits of an Oracle Key Vault Primary-Standby Configuration
- Difference Between Primary-Standby Configuration and Multi-Master Cluster
- Primary Server Role in a Primary-Standby Configuration
- Standby Server Role in a Primary-Standby Configuration
- Configuring the Primary-Standby Environment
- Switching the Primary and Standby Servers
- Restoring Primary-Standby After a Failover
- Disabling or Unpairing the Primary-Standby Configuration
- Read-Only Restricted Mode in a Primary-Standby Configuration
- About Read-Only Restricted Mode in a Primary-Standby Configuration
- Primary-Standby with Read-Only Restricted Mode
- Primary-Standby without Read-Only Restricted Mode
- States of Read-Only Restricted Mode
- Enabling Read-Only Restricted Mode
- Disabling Read-Only Restricted Mode
- Recovering from Read-Only Restricted Mode
- Read-Only Restricted Mode Notifications
- Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
- 24 Oracle Key Vault Integration Accelerator
- Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- Downloading Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- Prerequisites for Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- Preparing the Environment for Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- Using Key Management for Oracle DBMS_CRYPTO Integration Accelerator in a PL/SQL Application
- Extending the Functionality of Key Management for Oracle DBMS_CRYPTO Integration Accelerator
- A Oracle Key Vault Multi-Master Cluster Operations
- B Oracle Key Vault okvutil Endpoint Utility Reference
- C Troubleshooting Oracle Key Vault
- Before You Start Troubleshooting
- Common Oracle Key Vault Tasks
- okvutil and Endpoint Issues
- Database Wallet Status Not Open or Not Found, TDE HEARTBEAT Check Failed
- Oracle Key Vault Server Communication or Connection Failed Error
- Could Not Store Private Key Errors on Wallet Upload
- RESTful Services Endpoint Provisioning Command Failure
- Uploading Certificate File Failure
- Error in Uploading the Java Keystore
- SSL layer Error while migrating MYSQL Database Keys to Oracle Key Vault
- Rotation or Set Key Failure in Windows Environment
- Rotation or Set Key Fails with ORA-03113
- Multi-Master Cluster Issues
- Backup and Restore Issues
- Certificate Related Issues
- Installation and Upgrade Issues
- Oracle Key Vault Installation Failure
- Oracle Key Vault Upgrade Failure
- Oracle Key Vault Management Console is Not Accessible After Installation
- Oracle Key Vault Upgrade Failure
- Unable to boot after installation of Oracle Key Vault on VMWare VM
- Operation Failed on Network Information Screen After Upgrade from 21.x to 21.5 and Later.
- Primary-Standby Configuration Issues
- DBCS Endpoint Configuration Issues
- Server and Node Issues
- D Security Technical Implementation Guides Compliance Standards
- E Managing Oracle Key Vault Platform Certificates
- Overview of Oracle Key Vault Platform Certificates
- Monitoring Oracle Key Vault Platform Certificate Expiration
- Rotating Platform Certificates
- Rotating Platform Certificates on a Standalone Oracle Key Vault Server
- Rotating Platform Certificates in a Multi-Master Cluster Environment
- Rotate Platform CA Certificate on Read/Write Multi-Master Cluster Nodes
- Rotate Platform CA Certificate on Read-Only Multi-Master Cluster Nodes
- Rotate Platform Certificate Used For Redo Shipping On Any One Multi-Master Cluster Node
- Transfer the Rotated Redo Shipping Platform Certificate to Other Multi-Master Cluster Nodes
- Glossary
- Index