2 Oracle Key Vault Installation Requirements
The Oracle Key Vault installation requirements cover areas such as CPU, memory, disk space, network interfaces, and supported endpoint platforms.
- System Requirements
  System requirements include CPU, memory, disk, network interface, and hardware compatibility.
- Network Port Requirements
  Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
- Supported Endpoint Platforms
  Oracle Key Vault supports both UNIX and Windows endpoint platforms.
- Endpoint Database Requirements
  Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
System Requirements
System requirements include CPU, memory, disk, network interface, and hardware compatibility.
Installing Oracle Key Vault replaces whatever is on the target server: any existing operating system and software on it are removed.
You can install Oracle Key Vault on dedicated servers, as guests into your virtualization platform, or as a guest into a compute instance in your Oracle Cloud Infrastructure (OCI) tenancy, deployed in minutes from the Oracle Cloud Marketplace. Visit the following site:
https://cloudmarketplace.oracle.com/marketplace/app/OracleKeyVault
The minimum hardware requirements for deploying Oracle Key Vault on dedicated hardware or as VM guests are:
- CPU: Minimum: x86-64, 16 cores. Recommended: 24-48 cores with cryptographic acceleration support (Intel AES-NI).
- Memory: Minimum 16 GB of RAM. Recommended: 32–64 GB.
  Note: You can add RAM to an Oracle Key Vault system, but you cannot reduce it below the original system configuration. System memory reduction is not supported in Oracle Key Vault.
- Disk: Minimum 2 TB. Recommended: 6 TB. Both BIOS and UEFI boot modes are supported; for a system with a disk larger than 2 TB, Oracle Key Vault boots in UEFI mode only.
  Note: Oracle Key Vault does not support Fibre Channel storage with multipath for the boot disk.
- Network interface: One or two network interfaces.
- Hardware Compatibility: Any Intel x86 64-bit hardware platform supported by Oracle Key Vault's embedded operating system. Oracle Key Vault uses Oracle Linux 8 with the Unbreakable Enterprise Kernel (UEK) version 6. For a list of compatible hardware, refer to the Hardware Certification List for Oracle Linux and Oracle VM. That list gives the minimum version of Oracle Linux certified with the selected hardware; all later Oracle Linux updates, starting with Oracle Linux release 8 as the minimum, are also certified unless otherwise noted. Refer to the Oracle Linux documentation for more information on the operating system platform.
Oracle Key Vault supports both Legacy BIOS and UEFI boot modes. UEFI support allows Oracle Key Vault to be installed on servers that support only UEFI, and it is required when disks larger than 2 TB are used.
Note:
- You can find the supported hardware from the hardware certification list for Oracle Linux and Oracle VM. Filter the results by selecting All Operating Systems and choosing Oracle Linux 8. However, be aware that Oracle Key Vault does not support the QLogic QL4* family of network cards.
- For deployments with a large number of endpoints, scale the hardware above these minimums to meet the workload.
- RAID: Oracle Key Vault does not support software RAID installations. If you require a RAID configuration, enable hardware RAID that presents one disk to Oracle Key Vault.
- RESTful Services Utility: If you plan to automate the onboarding of endpoints into Oracle Key Vault with the RESTful services, ensure that the Java version on the future endpoint where the RESTful script will run is release 1.7.0.21 or later.
  The version of Java included in Oracle Database 12.2.0.1 and later is supported by Oracle Key Vault. For these releases, set JAVA_HOME to $ORACLE_HOME/jdk/jre and add $JAVA_HOME/bin to your PATH. For Oracle databases earlier than release 12.2.0.1, find the current Java installation as follows:
  $ namei /usr/bin/java | grep "l java"
  The output is similar to the following:
  l java -> /etc/alternatives/java
  l java -> /usr/java/jdk1.8.0_131/jre/bin/java
  In this example, set JAVA_HOME=/usr/java/jdk1.8.0_131/jre and then add $JAVA_HOME/bin to PATH: PATH=$PATH:$JAVA_HOME/bin. OpenJDK is not supported.
- Browser: Oracle Key Vault supports English as the browser display language.
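The Java rules above (1.7.0.21 or later, which `java -version` prints as `1.7.0_21`; prefer the JDK shipped under $ORACLE_HOME for 12.2.0.1 and later; OpenJDK is not supported) are easy to get wrong by hand on a fleet of endpoints. The following script is an added example, not part of the Oracle documentation or of any Oracle tool. It assumes a POSIX sh on a Linux endpoint (namei is util-linux, as in the page's own command), absolute symlink targets as in the page's namei output, and the hypothetical script name okv_java_check.sh.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight check of the Java an endpoint
# will use to run the Oracle Key Vault RESTful services utility.
# Assumptions: POSIX sh on Linux (namei from util-linux), absolute symlink
# targets, and that 'java -version' starts with a line such as
#   java version "1.8.0_131"     (Oracle JDK, accepted)
#   openjdk version "11.0.2"     (OpenJDK, rejected per the page's rule)

# version_from_output LINE -> the quoted version from the first line of
# 'java -version', e.g. 'java version "1.8.0_131"' -> 1.8.0_131
version_from_output() {
    q='"'
    v=${1#*"$q"}
    v=${v%%"$q"*}
    printf '%s\n' "$v"
}

# java_is_openjdk LINE -> 0 when that first line identifies OpenJDK
java_is_openjdk() {
    case $1 in
        openjdk*) return 0 ;;
        *)        return 1 ;;
    esac
}

# java_version_ok VERSION -> 0 when VERSION is 1.7.0_21 or later. Handles the
# legacy 1.x.y_u scheme (1.7.0_21, 1.8.0_131) and the Java 9+ scheme (11.0.2).
java_version_ok() {
    oldifs=$IFS
    IFS='._'
    set -- $1
    IFS=$oldifs
    major=${1:-0} minor=${2:-0} micro=${3:-0} update=${4:-0}
    [ "$major" -gt 1 ] && return 0      # 9, 11, 17, ...
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -gt 7 ] && return 0      # 1.8.x
    [ "$minor" -eq 7 ] || return 1      # 1.6 and older
    [ "$micro" -gt 0 ] && return 0
    [ "$update" -ge 21 ]                # 1.7.0_21 and later
}

# java_home_from_binary PATH -> JAVA_HOME for a resolved .../bin/java, as in the
# page's example: /usr/java/jdk1.8.0_131/jre/bin/java -> /usr/java/jdk1.8.0_131/jre
java_home_from_binary() {
    case $1 in
        */bin/java) printf '%s\n' "${1%/bin/java}" ;;
        *)          return 1 ;;
    esac
}

# check_endpoint_java -> prints the JAVA_HOME to export, or fails with a reason
check_endpoint_java() {
    if [ -n "${ORACLE_HOME:-}" ] && [ -x "$ORACLE_HOME/jdk/jre/bin/java" ]; then
        bin=$ORACLE_HOME/jdk/jre/bin/java       # JDK shipped with 12.2.0.1+
    else
        # Same symlink walk as the page's namei command; keep the final target.
        bin=$(namei /usr/bin/java | sed -n 's/^ *l java -> //p' | tail -n 1)
        [ -n "$bin" ] || bin=/usr/bin/java
    fi
    [ -x "$bin" ] || { echo "no java executable at $bin" >&2; return 1; }
    line=$("$bin" -version 2>&1 | head -n 1)
    if java_is_openjdk "$line"; then
        echo "unsupported: $line" >&2; return 1
    fi
    ver=$(version_from_output "$line")
    if ! java_version_ok "$ver"; then
        echo "Java $ver is older than 1.7.0_21" >&2; return 1
    fi
    java_home_from_binary "$bin"
}

# Live check only when invoked as: sh okv_java_check.sh run
case ${1:-} in
    run) JAVA_HOME=$(check_endpoint_java) || exit 1
         echo "export JAVA_HOME=$JAVA_HOME PATH=\$PATH:$JAVA_HOME/bin" ;;
esac
```

Run `eval "$(sh okv_java_check.sh run)"` in the shell that will execute the RESTful script: on success it exports JAVA_HOME and extends PATH exactly as the page instructs; on an OpenJDK or too-old Java it exits non-zero with the reason on stderr instead of letting the onboarding run fail later.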
Other Installation Considerations:
- Oracle recommends that you do not install third-party software on an Oracle Key Vault appliance. For more information, see Additional or Third-Party Software.
- Oracle recommends that you do not decrease the CPU and RAM allocated to Oracle Key Vault, because it is a software appliance. In a multi-master cluster deployment, if you must decrease RAM or CPU without database endpoint downtime, add new nodes with the required system configuration to the existing cluster, and then delete the old nodes. For other deployments, back up the Oracle Key Vault server, rebuild the server with the required system configuration, and restore from the backup.
- Additional or Third-Party Software
Oracle does not support Oracle Key Vault installations with any third-party software.
Additional or Third-Party Software
Oracle does not support Oracle Key Vault installations with any third-party software.
Oracle recommends that you do not install third-party software on an Oracle Key Vault appliance. Oracle Key Vault is a security appliance, and installing third-party software interferes with its security. It may also affect the operational integrity of the appliance. For example:
- Third-party software may cause an upgrade to fail.
- A reboot or upgrade of Oracle Key Vault may override configuration changes made by third-party software.
- Third-party software may affect the configuration and operation of Oracle Key Vault in unexpected ways.
Network Port Requirements
Network port requirements include requirements for SSH/SCP, SNMP, HTTPS, listeners, KMIP, and TCP ports.
Oracle Key Vault and its endpoints use a set of specific ports for communication. Network administrators must ensure that these ports are open.
The following table lists the required network ports for Oracle Key Vault:
Table 2-1 Ports Required for Oracle Key Vault

| Port Number | Protocol | Port Type | Description |
|---|---|---|---|
| 22 (default) | SSH/SCP port | TCP | Used by Oracle Key Vault administrators and support personnel to remotely administer Oracle Key Vault. Note: You can change the default value of this port. After you change it on one node, apply the new port number to all nodes of the cluster one by one. |
|  | SNMP port | UDP | Used by monitoring software to poll Oracle Key Vault for system information. |
|  | HTTPS port | TCP | Used by web clients such as browsers and RESTful administrative commands to communicate with Oracle Key Vault. |
|  | HTTPS port | TCP | Used by RESTful key management commands to communicate with Oracle Key Vault. |
| 1522 (default) | Database TCPS listener ports | TCP | In a cluster configuration, listener ports used to communicate between read/write peer nodes. Note: You can change the default value of this port. Oracle Key Vault automatically applies the new port number to all cluster nodes. |
|  | HTTPS port | TCP | The listener port used in a primary-standby configuration to run operating system commands. This port is also used when you add a new node to a cluster. |
|  | KMIP port | TCP | Used by Oracle Key Vault endpoints and third-party KMIP clients to communicate with the Oracle Key Vault KMIP server. |
|  | TCP port | TCP | Used by Oracle GoldenGate for transmitting data in a multi-master cluster configuration. |
Configure the firewall or security rules in front of Oracle Key Vault as follows:
- Add rules to open the ports listed in the table.
- Add the following ingress rules:
  - ICMP Type 3, Code 4 (destination unreachable: fragmentation required and the Don't Fragment flag is set). Path MTU discovery depends on this message; if it is dropped, large packets to Oracle Key Vault fail silently.
  - ICMP Type 8, Code 0 (echo request).
- If you are using a site-to-site VPN or FastConnect, ensure that your router allows traffic between the nodes of the multi-master cluster:
  - Add rules to open the ports.
  - In the case of highly secured routers, add URL exceptions for your on-premises subnet at layers 3, 4, and 7.
  - Ensure that no packets are interpreted as threats by your routers.
Note:
Oracle Key Vault allows the configuration of network ports only for SSH/SCP (default port 22) and the Database TCPS listener (default port 1522).
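Opening the ports is only half of the requirement: the endpoint must also complete a TLS 1.2 handshake on them (see Supported Endpoint Platforms), and the ICMP Type 3 Code 4 rule above must actually let fragmentation-needed messages through. The following script is an added example, not part of the Oracle documentation. Run it from an endpoint or a cluster peer against the TLS-bearing ports in Table 2-1 (HTTPS, KMIP, Database TCPS listener). It assumes nc, openssl and iputils ping (for `-M do`) on a Linux host, and takes the port numbers from the caller because the page gives defaults only for SSH (22) and the TCPS listener (1522). SSH (not TLS) and SNMP (UDP) are deliberately out of its scope, and the script name okv_netcheck.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code): endpoint-side reachability, TLS 1.2 and
# path-MTU check against the Oracle Key Vault ports from Table 2-1.
# Assumptions: nc, openssl, iputils ping on Linux; ports supplied by the caller.

# tls_protocol_of S_CLIENT_OUTPUT -> the negotiated protocol, e.g. TLSv1.2
tls_protocol_of() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# handshake_ok S_CLIENT_OUTPUT -> 0 only when TLS 1.2 was negotiated and a real
# cipher was agreed; a refused handshake still prints a Protocol line but
# reports "Cipher is (NONE)".
handshake_ok() {
    [ "$(tls_protocol_of "$1")" = TLSv1.2 ] || return 1
    ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# tcp_open HOST PORT -> 0 when a TCP connection completes within 3 seconds
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# tls12_ok HOST PORT -> forces TLS 1.2, the version the page requires of endpoints
tls12_ok() {
    out=$(openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>&1)
    handshake_ok "$out"
}

# pmtu_ok HOST -> a full-size don't-fragment ping must either arrive or be
# answered with "Frag needed" (ICMP Type 3 Code 4); silence means it is filtered.
pmtu_ok() {
    out=$(ping -c 1 -W 3 -M do -s 1472 "$1" 2>&1) && return 0
    printf '%s\n' "$out" | grep -q 'Frag needed'
}

# okv_netcheck HOST PORT... -> one line per check; non-zero if anything failed
okv_netcheck() {
    host=$1; shift; rc=0
    for port in "$@"; do
        if ! tcp_open "$host" "$port"; then
            echo "$host:$port  TCP unreachable"; rc=1
        elif ! tls12_ok "$host" "$port"; then
            echo "$host:$port  open, but no TLS 1.2 handshake"; rc=1
        else
            echo "$host:$port  ok"
        fi
    done
    if pmtu_ok "$host"; then echo "$host  PMTU discovery ok"
    else echo "$host  ICMP Type 3 Code 4 appears to be blocked"; rc=1; fi
    return $rc
}

# Constructed openssl s_client excerpts (not captured from a real server) that
# show what handshake_ok accepts and rejects.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'
SAMPLE_FAIL='CONNECTED(00000003)
SSL handshake has read 7 bytes and written 303 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Live run only when arguments are given: sh okv_netcheck.sh okv-host HTTPS_PORT KMIP_PORT
[ $# -ge 2 ] && okv_netcheck "$@"
```

A port that reports "open, but no TLS 1.2 handshake" usually means a middlebox is terminating or inspecting the connection (the page's warning about routers treating packets as threats), while "ICMP Type 3 Code 4 appears to be blocked" is the classic symptom behind KMIP sessions that connect but hang on larger responses.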
Supported Endpoint Platforms
Oracle Key Vault supports both UNIX and Windows endpoint platforms.
Oracle supports 64-bit Linux endpoints, and only 64-bit endpoints are supported for Oracle databases that use the online master encryption key. The operating system on which the endpoint runs must support Transport Layer Security (TLS) 1.2, either natively or with the appropriate patches.
The supported endpoint platforms in this release are as follows:
- Oracle Linux (6, 7, 8, and 9)
- ARM64: Oracle Linux (7 and 8)
- Oracle Solaris x86 (10 and 11)
- Oracle Solaris SPARC (10 and 11)
- SUSE Linux Enterprise Server 15
- Red Hat Enterprise Linux 6, 7, and 8
- IBM AIX (7.1, 7.2, and 7.3)
- IBM zLinux (Red Hat Enterprise Server 7, 8, 9; SUSE Linux Enterprise Server 12, 15)
- HP-UX (IA) (11.31)
- Windows Server 2016 and 2019
Endpoint Database Requirements
Administrators can use online master encryption keys and the Oracle Database COMPATIBLE initialization parameter to manage Oracle Database endpoints.
Administrators can use the online master encryption key to manage TDE master encryption keys for endpoints that are Oracle Database 12.1.0.2 or later. Administrators who want to use Oracle Key Vault for wallet management only, or who are migrating existing wallet deployments to Oracle Key Vault, can use the okvutil upload command to upload Oracle wallets to Oracle Key Vault.
Administrators who manage Oracle Database endpoints may need to set the COMPATIBLE initialization parameter.
For an endpoint that is Oracle Database release 12.1 or later, set the COMPATIBLE initialization parameter to 12.1.0.0 or later. A COMPATIBLE setting of 12.1.0.0 or later enables Transparent Data Encryption to work with Oracle Key Vault. For example:
SQL> ALTER SYSTEM SET COMPATIBLE = '12.1.0.0' SCOPE=SPFILE;
This applies to Oracle Database endpoints that use the online master encryption key to manage TDE master encryption keys. The COMPATIBLE setting is not required for Oracle wallet upload or download operations.
Also note that after you set the COMPATIBLE parameter to 12.1.0.0, you cannot set it back to a lower value such as 10.2. After you change the COMPATIBLE parameter, you must restart the database for the change to take effect.
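Because raising COMPATIBLE is a one-way change, it is worth gating the ALTER SYSTEM above behind a check of the current value. The following script is an added example, not part of the Oracle documentation: it reads COMPATIBLE from the running instance, leaves it alone when it is already 12.1.0.0 or later, and otherwise raises it with SCOPE=SPFILE and reminds you of the restart. It never lowers the value. It assumes a 12.1-or-later database, sqlplus on PATH, ORACLE_SID set, OS authentication for "/ as sysdba", and the hypothetical script name okv_compatible.sh; nothing is changed unless it is invoked with "apply".

```shell
#!/bin/sh
# Added example (not Oracle's code): guarded COMPATIBLE change for an Oracle
# Database endpoint that will use the Oracle Key Vault online master encryption key.
# Assumptions: sqlplus on PATH, ORACLE_SID set, OS authentication as SYSDBA.

# compatible_ok VALUE -> 0 when VALUE (e.g. 12.1.0.2, 19.0.0) is 12.1.0.0 or later
compatible_ok() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    maj=${1:-0} min=${2:-0}
    [ "$maj" -gt 12 ] || { [ "$maj" -eq 12 ] && [ "$min" -ge 1 ]; }
}

# plan_compatible CURRENT -> "keep" or "raise"; a lower target is never planned
plan_compatible() {
    if compatible_ok "$1"; then echo keep; else echo raise; fi
}

# current_compatible -> COMPATIBLE as the instance reports it, whitespace stripped
current_compatible() {
    sqlplus -S "/ as sysdba" <<'EOF' | tr -d '[:space:]'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT value FROM v$parameter WHERE name = 'compatible';
EXIT
EOF
}

# apply_compatible -> raise COMPATIBLE to 12.1.0.0 only when it is below that
apply_compatible() {
    cur=$(current_compatible)
    case $cur in
        ''|*ORA-*) echo "could not read COMPATIBLE: $cur" >&2; return 1 ;;
    esac
    case $(plan_compatible "$cur") in
    keep)
        echo "COMPATIBLE=$cur already satisfies Oracle Key Vault; nothing to do"
        ;;
    raise)
        echo "raising COMPATIBLE from $cur to 12.1.0.0 (cannot be lowered again)"
        sqlplus -S "/ as sysdba" <<'EOF'
ALTER SYSTEM SET COMPATIBLE = '12.1.0.0' SCOPE=SPFILE;
EXIT
EOF
        echo "restart the database for the new COMPATIBLE value to take effect"
        ;;
    esac
}

# sh okv_compatible.sh show   -> report current value and the planned action
# sh okv_compatible.sh apply  -> perform the change if, and only if, needed
case ${1:-} in
    show)  cur=$(current_compatible) && echo "COMPATIBLE=$cur -> $(plan_compatible "$cur")" ;;
    apply) apply_compatible ;;
esac
```

The "show" mode is safe to run on every database endpoint before onboarding; only "apply" issues the ALTER SYSTEM, and because it writes to the SPFILE the running instance is unaffected until the restart the page requires.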
For Microsoft Windows endpoints, Oracle Key Vault supports the latest available database release versions at the time of the Oracle Key Vault release, including any associated Manufacturing Execution Systems (MES) libraries that may have been upgraded.