Starting with Oracle Key Vault release 21.10, you can provision Oracle Key Vault endpoints on the Linux for Arm (aarch64) architecture and IBM: Linux on System z.

Oracle Databases running on Linux for Arm (aarch64) or IBM: Linux on System z can also be enrolled as Oracle Key Vault endpoints for TDE key management. You can set up endpoints for SSH servers or clients on both these platforms. All the endpoint software like okvutil, PKCS#11 library, the RESTful services utility, Java, and C SDK are available on these platforms.

The new endpoint platforms are supported with the Oracle Key Vault 21 RESTful services utility but not available with the deprecated classic RESTful services utility.

Starting with Oracle Key Vault release 21.10, you can list the endpoints that were active or inactive recently using the RESTful services utility.

You can use the commands to check how often the endpoints connect to the Oracle Key Vault server. You can also use the commands to identify the defunct endpoints for house-keeping.

Starting with Oracle Key Vault release 21.9, you can now list all the wallet memberships of a given managed object.

okv manage-access wallet list-object-wallets --uuid <uuid>

The RESTful services utility command is run by a user. Only those wallets that this user has access to, will be listed. The object may be a member of the wallets that the user running the command has no access to. These wallets are not listed.

Starting with Oracle Key Vault release 21.9, you can enable access to RESTful services utility from the allowed IP addresses only.

With this new feature, only the configured list of IP addresses can use the RESTful services utility. In earlier Oracle Key Vault releases, you could either enable or disable the RESTful services utility only.

Starting in Oracle Key Vault release 21.8, you can now specify options to do server-side filtering for the RESTful services utility commands that list endpoints or wallets, list objects that endpoints have access to, list objects in wallet and for those that list completed backups.

You can filter the list of endpoints by platform, type, or registration status. You can filter the list of wallets by their type, either general or SSH server wallets. You can filter the list of objects that endpoints have access to or list objects in the wallet by type such as, secret or certificate, or state like active or compromised. You can filter the list of completed backups for a specific backup destination or filter them by type, that is, one-time or periodic, or simply filter by the backup name. You can specify more than one option for filtering and can also specify more than one value for the filtering option. For example, you can list all endpoints on Linux and Microsoft Windows platforms by using the following command with the filter options:

--platform "LINUX64, WINDOWS"

Starting with Oracle Key Vault Release 21.8, you can specify custom-attributes and KMIP-attributes of security objects as command line options when using RESTful services utility commands, such as add, modify, delete, and get. The fetch and locate commands also support additional attributes on the command line.

KMIP attributes like activation date and deactivation date are now available as command line options --activation-date and --deactivation-date respectively. You can pass the custom-attributes using the new command line option --custom-attribute.

Starting with release 21.7, you can use the Oracle Key Vault RESTful services utility to create and register SSH keys and manage SSH Server wallets and SSH Server endpoints.

A new option --ssh-user is added to these commands. Use of this option makes the underlying public and private key objects identified as the SSH keys.

Oracle Key Vault supports endpoint IP address in the endpoint get RESTful command.

The endpoint IP address that was used at enrollment time is now recorded, and displayed with the okv admin endpoint get --endpoint endpoint_name command.

Starting with Oracle Key Vault release 21.6, sign and verify operations can be performed using Oracle Key Vault's RESTful services, or the Oracle Key Vault client tool okvutil:

Both of the Oracle Key Vault RESTful API and Oracle Key Vault client utility okvutil provide sign and verify functionality.

Starting in Oracle Key Vault release 21.5, you can deploy, manage, and monitor the multi-master cluster using RESTful services utility.

Using the RESTful Services Utility, you can now perform several cluster management operations including creating a cluster, adding or deleting a node, enabling or disabling a node. You can also monitor and manage the cluster services and replication links between nodes using RESTful services utility.

The new commands are as follows:

• okv cluster node create
• okv cluster node status
• okv cluster node add
• okv cluster node abort-pairing
• okv cluster node enable
• okv cluster node disable
• okv cluster node cancel-disable
• okv cluster node update
• okv cluster service start
• okv cluster service stop
• okv cluster service monitor
• okv cluster link enable
• okv cluster link disable
• okv cluster link monitor

Starting in Oracle Key Vault release 21.5, you can obtain the current and historical utilization metrics of the system resources such as CPU and memory using RESTful services utility. These system metrics would help you appropriately configure system resources for the Oracle Key Vault servers to meet the performance and scalability requirements of your deployment.

The new or updated commands are as follows:

• okv metrics server get
• okv server status get
• okv server info get

Starting in Oracle Key Vault release 21.5, you can specify custom-attributes and certain KMIP attributes as the command line options when using RESTful services utility to create, register, fetch and locate security objects.

In earlier releases, commands that use the attributes or custom-attributes could only be executed using the JSON input method only. The RESTful services utility is enhanced to support the passing of attributes and custom-attributes as the command line options for the commands to create or register security objects. These commands also support simplified variants of the complex input.

The KMIP attributes "activation date" and "deactivation date" are exposed as the command line options --activation-date and --deactivation-date respectively. You can pass the custom-attributes using the new command line option --custom-attribute. Several RESTful services utility commands also support simplified and complex format on name and custom attribute.

The following commands have been updated to accommodate this enhancement:

• okv managed-object key create
• okv managed-object key register
• okv managed-object secret register
• okv managed-object certificate register
• okv managed-object certificate-request register
• okv managed-object opaque register
• okv managed-object public-key register
• okv managed-object private-key register
• okv managed-object object fetch
• okv managed-object object locate

Starting in Oracle Key Vault release 21.5, several RESTful services utility commands are enhanced to support the output in the text format.

In previous releases, the RESTful services utility commands always produced output in the JSON format. Now, you can use the new command line option –output_format to generate the command output in the text format. The text output format helps simplify the creation of automation scripts such as when the output of a command serves as input for another command.

The following commands have been updated to accommodate this enhancement:

• okv managed-object certificate get
• okv managed-object certificate register
• okv managed-object certificate-request get
• okv managed-object certificate-request register
• okv managed-object key create
• okv managed-object key get
• okv managed-object key register
• okv managed-object object activate
• okv managed-object object destroy
• okv managed-object object locate
• okv managed-object object revoke
• okv managed-object opaque get
• okv managed-object private-key register
• okv managed-object public-key get
• okv managed-object public-key register
• okv managed-object secret get
• okv managed-object secret register
• okv managed-object wallet add-member
• okv managed-object wallet delete-member
• okv managed-object wallet list

Starting in Oracle Key Vault release 21.4, to strengthen the protection of symmetric keys, you now can restrict these keys from leaving Oracle Key Vault by setting the extractable attribute.

The following commands have been updated to accommodate this enhancement:

• okv managed-object attribute get
• okv managed-object attribute get-all
• okv managed-object attribute list
• okv managed-object attribute modify
• okv managed-object key create
• okv managed-object key register
• okv managed-object object locate

Oracle Key Vault release 21.4 adds the support for performing cryptographic operations within Oracle Key Vault.

You can use either RESTful services utility commands or C and Java SDK to perform encryption and decryption operations.

This enhancement accommodates the use of symmetric keys that have been configured to not be extracted from Oracle Key Vault.

The new commands are as follows:

• okv crypto data decrypt
• okv crypto data encrypt

Starting in Oracle Key Vault release 21.4, you can create a policy to schedule the removal of one or more remote backups.

The following commands have been updated:

• okv backup destination create
• okv backup destination update

The following commands are new:

• okv backup destination delete-backup
• okv backup destination-policy create
• okv backup destination-policy delete
• okv backup destination-policy get
• okv backup destination-policy list
• okv backup destination-policy list-purged-backups
• okv backup destination-policy update
• okv backup destination resume-policy
• okv backup destination suspend-policy

Starting in Oracle Key Vault release 21.4, additional commands are available to enable you to perform more operations with endpoints, endpoint groups, and wallets.

The new commands are as follows:

• okv admin endpoint get
• okv admin endpoint list
• okv admin endpoint list-objects
• okv admin endpoint resume
• okv admin endpoint suspend
• okv manage-access endpoint-group get
• okv manage-access endpoint-group list
• okv manage-access wallet add-object
• okv manage-access wallet get
• okv manage-access wallet list
• okv manage-access wallet list-objects
• okv manage-access wallet remove-object

The commands to list objects for an endpoint (okv admin endpoint list-objects) and a wallet (okv admin wallet list-objects) provide an option to show or hide the wallet membership of the objects. Omitting wallet membership information of objects can improve command's performance.

Starting in Oracle Key Vault release 21.4, you can update the endpoint configuration parameters and endpoint settings for keys and secrets of an endpoint using the RESTful service utility command okv admin endpoint update.

The endpoint configuration parameters includes various PKCS#11 settings and endpoint settings for keys and secrets includes the extractable attribute setting for the new symmetric keys.

Starting in Oracle Key Vault release 21.4, the duration time interval settings will follow a subset of the ISO 8601 standard, and the fixed format for date and time settings are compatible with ISO 8601 when using RESTful commands.

You can specify the following formats:

• duration (follows a subset of the ISO 8601 standard)
• timestamp (is in a format that is compatible with the ISO 8601 standard)
• now (represents the current time when a command is run)

You can use these formats in the following combinations:

• timestamp
• now
• timestamp + duration
• now + duration

The timestamp format that has been used in previous releases is still supported.

The following commands have been updated for this enhancement:

• okv backup schedule create
• okv backup schedule update
• okv managed-object attribute add
• okv managed-object attribute delete
• okv managed-object attribute modify
• okv managed-object certificate-request register
• okv managed-object key register
• okv managed-object object locate
• okv managed-object opaque register
• okv managed-object private_key register
• okv managed-object public-key register
• okv managed-object secret register

Starting in Oracle Key Vault release 21.4, you can find the command line help information about the RESTful services utility commands.

This enhancement enables you to find the detailed help information about the various categories, resources, and actions that are supported for all Oracle Key Vault RESTful services utility commands. The help information shows the command's syntax, and definitions for the available categories, resources, and actions as well as the configuration parameters that are applicable to all the commands.

In Oracle Key Vault release 21.3, RESTful services utility commands that are used for the registration of managed objects will have additional attributes.

The affected commands are as follows:

• okv managed-object certificate register
• okv managed-object certificate-request register
• okv managed-object key register
• okv managed-object opaque register
• okv managed-object private-key register
• okv managed-object public-key register
• okv managed-object secret register

In previous releases, these commands provided two attributes, name and contactInfo. In this release, in addition to these two attributes, the following new attributes are included:

• activationDate
• deactivationDate
• processStartDate
• protectStopDate