1. Administrator's Guide
  2. Troubleshooting Oracle Key Vault
  3. Common Oracle Key Vault Tasks

Common Oracle Key Vault Tasks

Review these tasks for resolving common issues encountered when working with Oracle Key Vault.

Parent topic: Troubleshooting Oracle Key Vault

How to Re-Enroll an Endpoint on an Endpoint Database

You can re-enroll an endpoint again on an endpoint database using these steps.

  1. Log in to the Oracle Key Vault management console as a user who has either the system administrator role or privilege to manage the endpoint.
  2. Navigate to the Endpoints tab.
  3. Select the endpoint and re-enroll the endpoint.
  4. Download the okvclient.jar file using the endpoint enrollment token.
  5. Securely transfer okvclient.jar using SCP to the endpoint database server.
  6. Set the ORACLE_BASE, ORACLE_HOME, ORACLE_SID, JAVA_HOME, and OKV_HOME environment variables as required.
  7. Back up the $OKV_HOME directory and delete the files under $OKV_HOME:
    $cp -R $OKV_HOME $OKV_HOME_bkp_date +%Y%m%d
  8. Go to the $OKV_HOME directory and remove all the files.
  9. Verify if the okvclient.ora file exists in $ORACLE_BASE/okv/$ORACLE_SID. If the file exists, rename it.
    cd $ORACLE_BASE/okv/$ORACLE_SID
ls -ltr 
mv okvclient.jar okvclient.jar_bkp_date +%Y%m%d
rm okvclient.lck
rm okv.pc.lck
  10. Install the new okvclient.jar file:
    $JAVA_HOME/bin/java -jar okvclient.jar -d $OKV_HOME -v -o

Parent topic: Common Oracle Key Vault Tasks

How To Download Diagnostics From Oracle Key Vault Server

Downloading the Oracle Key Vault diagnostics log for 21.5 or previous versions provides troubleshooting information for Oracle Key Vault issues.

To download the Oracle Key Vault diagnostics log requested by Oracle Support:
  1. SSH into the Oracle Key Vault system as user support, then switch to user root:
    ssh support@<OKV_IP_Address> 
su - root
  2. Install the diagnostics package:
    /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --install
  3. Modify the diagnostics configuration to allow the utility to collect information about the appliance. Enable collection of all elements and files:
    /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --enable ALL
  4. Copy the diagnostics file outside Oracle Key Vault before deleting them.
    scp/usr/local/dbfw/tmp/diagnostics_okv*.zip user@hostname:/tmp
  5. Collect the diagnostic logs:
    /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb

    For example, a diagnostics file looks like:

    /usr/local/dbfw/tmp/diagnostics_okv0039f6043e9a_2017_06_08_17_48_07_75F4728E5644D781A215200EAAEADF3B.zip
  6. Delete the generated diagnostics zip file and remove the package using the following commands:
    /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --clean
/usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb --remove

Parent topic: Common Oracle Key Vault Tasks

How to Recover the root User Password

You can reset the Oracle Key Vault's root user password when the current root password is forgotten using Oracle Key Vault server's terminal console.

To reset the root user password of Oracle Key Vault Server:
  1. Reboot the Oracle Key Vault server.

    On the terminal console, when the GRUB2 menu appears with the menu item for the Oracle Key Vault server entry, enter the edit mode by pressing e key.


    Description of 218_root_user_password.png follows
    Description of the illustration 218_root_user_password.png

    The GRUB edit mode interrupts the boot process to display the kernel boot parameters as shown in the following image:


    Description of 218_kernel_boot_params.png follows
    Description of the illustration 218_kernel_boot_params.png

  2. Go to the end of the line that starts at linuxefi. Press Ctrl-e to jump to the end of a line.
  3. Enter rd.break to the end of the line that starts with linux16.
  4. Press Ctrl-x to continue the boot process with changed kernel parameters. The switch_root:/# prompt displays.
  5. Remount the file system with read write access to change the root password. By default, the file system is mounted as read-only at /sysroot.
  6. Run the given command on the switch_root:/# prompt to make /sysroot writable:
    mount -o remount,rw /sysroot
  7. To enter chroot environment, run the following command:
    chroot /sysroot
  8. Use the passwd command to set the new root password. Follow the prompts to complete the password change.
    passwd
  9. Force SELinux file system relabeling process on the next system reboot:
    touch /.autorelabel

    Make sure the dot appears after the forward-slash.

  10. Exit the chroot environment.
    exit
  11. Exit the switch_root prompt.
    exit

    The boot process continues. Wait for few minutes to complete the SELinux relabeling process. The system reboots automatically when the relabelling process is completed.

  12. Once the system reboots, the root password resetting is completed.
  13. Login with your new root password.

Parent topic: Common Oracle Key Vault Tasks

How to Reset the support User Password

You can reset the Oracle Key Vault support user password when the current password is forgotten using Oracle Key Vault server's console terminal.

To change the OS user support password on the Oracle Key Vault console terminal:
  1. Login as root user.

    Note:

    You can login as root using console terminal.
  2. Run the passwd support command to reset the support user password. 
    [root@okvserver ~]# passwd support
Changing password for user support.
New password:
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@okvserver ~]#

    There are no consequence in changing the support password.

    After the password is set successfully, the following message is displayed on the console:
    All authentication tokens updated successfully.
  3. Login as support.

Parent topic: Common Oracle Key Vault Tasks

How to Add SAN Details to the Console Certificate

You can add SAN details in console certificate using these steps.

Example

In Oracle Key Vault, after uploading the console certificate, the browser displays Invalid Certificate due to no SAN details.

Probable Cause

  • Currently, you cannot add the SAN details while generating console certificate from the Oracle Key Vault Management web console.
  • SAN details cannot be added into console certificate in Oracle Key Vault 21.7 or previous versions.
Solution
  1. Login with support user to the Oracle Key Vault server through ssh and switch to root user.
  2. Create a temporary directory under/tmp directory like, mkdir /tmp/console_cert.
    chmod 755 /tmp/console_cert
cp/etc/pki/tls/private/user_uploaded_ui.key public.key
  3. Copy the configuration code.
    consolecrt.conf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 70

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = [eg. oracle.com]
IP.1     = [ip address]
  4. Create consolecrt.conf in /tmp/console_cert.
  5. Edit the consolecrt.conf file and add the alt_names under alt_name record.
  6. Generate the csr using the given command.
    openssl req -new -key public.key -out console_cert_okvname.csr –config consolecrt.conf
    1. Sign the generated csr,
  7. Go to the console certificate page in the Oracle Key Vault management console.
  8. Click Upload Certificate to upload the signed certificate.

Parent topic: Common Oracle Key Vault Tasks

How to Check for the Patch Updates

Check if additional patches are applicable to your environment. Oracle recommends that you check for patches after installing or upgrading to the Oracle Key Vault release.

To download and update the patches for Oracle Key Vault:
  1. Log in to https://support.oracle.com
  2. Select the Patches & Updates tab.
  3. Select Product or Family (Advanced) tab.

    Note:

    By default, the Number/Name or Bug Number (simple) option is selected.
  4. Select Oracle Key Vault from the Product is drop-down list.
  5. Select the current release number from the Release is drop-down list.
  6. Click Search. The search results are displayed.
  7. In the Patch Name column, click the applicable patch number to your release.

    Note:

    You can check for the release in the Release column.

    A corresponding Patch number page appears.

  8. Click Read Me to open the readme file in a browser.
  9. Click Download to open the File Download page.
  10. Click the Download File Metadata link.
  11. Click Download to download the XML metadata file.

Parent topic: Common Oracle Key Vault Tasks