7 Upgrading Oracle Key Vault from an Earlier 21.x Release in a Multi-Master Cluster Environment
Similar to a standalone or primary-standby upgrade for release 21.x, this type of upgrade includes the Oracle Key Vault server software and endpoint software-related utilities.
- About Upgrading Oracle Key Vault from an Earlier 21.x Release in a Multi-Master Cluster Environment
  To perform this upgrade, you must upgrade each multi-master cluster node.
- Step 1: Perform Pre-Upgrade Tasks for the Upgrade from the Earlier 21.x Release
  Similar to a standalone or primary-standby environment, you must perform pre-upgrade tasks such as backing up the Oracle Key Vault server.
- Step 2: Upgrade Each Multi-Master Cluster Node
  To upgrade the multi-master cluster, you must upgrade each multi-master cluster node, one after the other.
- Step 3: If Necessary, Change the Network Interface for Upgraded Nodes
  Nodes that were created in Oracle Key Vault releases earlier than release 21.1 use Classic mode, in which only one network interface was used.
- Step 4: Check the Node Version and the Cluster Version
  After you complete the upgrade of at least one node, you can log into any of the upgraded nodes to check the node and cluster versions.
- Step 5: If Necessary, Add Disk Space to Extend Swap Space
  If necessary, extend the swap space on each node. Oracle Key Vault release 21.11 requires a hard disk size greater than or equal to 1 TB in size with approximately 64 GB of swap space.
- Step 6: If Necessary, Remove Old Kernels
  For each multi-master cluster node, Oracle recommends that you clean up the older kernels that were left behind after the upgrade.
- Step 7: If Necessary, Remove SSH-Related DSA Keys
  For each multi-master cluster node, you should remove SSH-related DSA keys left behind after the upgrade.
- Step 8: Upgrade the Endpoint Software
  When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.
7.1 About Upgrading Oracle Key Vault from an Earlier 21.x Release in a Multi-Master Cluster Environment
To perform this upgrade, you must upgrade each multi-master cluster node.
To upgrade to Oracle Key Vault 21.11, you must upgrade from a 21.x release. If you are using a release earlier than 21.x, first upgrade to 21.x before proceeding with the upgrade to 21.11.
The upgrade process involves performing the upgrade on each multi-master cluster node. After you have begun a cluster upgrade, ensure that you upgrade all the nodes in the cluster one after the other, without too much intervening time between upgrades of two nodes.
Upgrading an Oracle Key Vault multi-master cluster includes upgrading each cluster node to the new version. You must upgrade all nodes to the same Oracle Key Vault version. You should first upgrade the read-only nodes of the cluster, and then upgrade the read-write pairs.
As each cluster node is upgraded, its node version is updated to the new version of Oracle Key Vault. After you complete the upgrade of all cluster nodes, the cluster version is updated to the new version of Oracle Key Vault. You can check the node version or the cluster version by selecting the Cluster tab, then in the left navigation bar, selecting Management. The Oracle Key Vault multi-master cluster upgrade is considered complete when the node version and the cluster version at each cluster node are updated to the latest version of Oracle Key Vault.
Before you perform the upgrade, note the following:
- Perform the entire upgrade process on all multi-master cluster nodes, without interruption. That is, after you have started the cluster upgrade process, ensure that you try to upgrade all nodes, individually one after the other or in read-write pairs. Do not perform any critical operations or make configuration changes to Oracle Key Vault until you have completed upgrading all the nodes in your environment.
- Be aware that you cannot use any new features that were introduced in this release until you have completed upgrading all of the multi-master cluster nodes. An error is returned when such features are used from the node that has been upgraded. Oracle recommends that you plan the upgrade of all cluster nodes close to each other to ensure availability of the new features sooner.
- Starting in Oracle Key Vault release 21.2, expiration alerts for deactivated or destroyed objects are not generated. If you are upgrading from Oracle Key Vault release 21.1 or earlier, then the following behavior is expected:
  - As each cluster node is upgraded, Oracle Key Vault deletes all expiration alerts for any certificate and secret objects, as well as for key objects that have been revoked or destroyed.
  - Cluster nodes that have not been upgraded yet will continue to generate alerts for these same objects, and also send email notifications for these alerts. This behavior that results in deletion and recreation of alerts may repeat until the last cluster node is upgraded.
  - After the upgrade is complete, expiration alerts for the certificate and secret objects will have the alert type of Certificate Object Expiration and Secret Object Expiration, respectively.
7.2 Step 1: Perform Pre-Upgrade Tasks for the Upgrade from the Earlier 21.x Release
Similar to a standalone or primary-standby environment, you must perform pre-upgrade tasks such as backing up the Oracle Key Vault server.
7.3 Step 2: Upgrade Each Multi-Master Cluster Node
To upgrade the multi-master cluster, you must upgrade each multi-master cluster node, one after the other.
7.4 Step 3: If Necessary, Change the Network Interface for Upgraded Nodes
Nodes that were created in Oracle Key Vault releases earlier than release 21.1 use Classic mode, in which only one network interface was used.
If you prefer to use dual NIC network mode, which supports the use of two network interfaces, then you can switch the node to this mode from the command line.
7.5 Step 4: Check the Node Version and the Cluster Version
After you complete the upgrade of at least one node, you can log into any of the upgraded nodes to check the node and cluster versions.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the Cluster tab.
- In the left navigation bar, select Management.
- Check the following areas:
  - To find the node version, check the Cluster Details area.
  - To find the cluster version, check the Cluster Information area.
7.6 Step 5: If Necessary, Add Disk Space to Extend Swap Space
If necessary, extend the swap space on each node. Oracle Key Vault release 21.11 requires a hard disk size greater than or equal to 1 TB in size with approximately 64 GB of swap space.
swapon -s command. By default, Oracle Key Vault releases earlier than release 18.1 were installed with approximately 4 GB of swap space. After you complete the upgrade to release 18.1 or later, Oracle recommends that you increase the swap space allocation for the server on which you upgraded Oracle Key Vault. A new Oracle Key Vault installation is automatically configured with sufficient swap space. However, if you upgraded from a previous release, and your system does not have the desired amount of swap space configured, then you must manually add disk space to extend the swap space, particularly if the intention is to convert the upgraded server into the first node of a multi-master cluster.
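The following is an added example, not part of the Oracle documentation: a small shell check that totals the swap reported in swapon -s format and reports how far a node is from the target. It assumes the "approximately 64 GB" figure is read as a strict 64 GiB threshold; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: total the swap reported in `swapon -s` format and compare it
# with a target size. Target interpretation (64 GiB, strict) is an assumption.

# Constructed sample of `swapon -s` output; Size and Used are in KiB.
SAMPLE_SWAPON='Filename      Type       Size      Used  Priority
/dev/dm-1     partition  4194300   0     -2
/dev/dm-7     partition  16777212  1024  -3'

# total_swap_kib: read `swapon -s` text on stdin, print total swap in KiB.
# Only rows with a numeric Size column count, so the header line is ignored
# and empty output (no swap configured) yields 0.
total_swap_kib() {
    awk '$3 ~ /^[0-9]+$/ { sum += $3 } END { printf "%d\n", sum }'
}

# swap_shortfall_kib TARGET_GIB: read `swapon -s` text on stdin and print the
# number of KiB missing to reach TARGET_GIB (0 when there is already enough).
swap_shortfall_kib() {
    target_kib=$(( $1 * 1024 * 1024 ))
    have_kib=$(total_swap_kib)
    if [ "$have_kib" -ge "$target_kib" ]; then
        echo 0
    else
        echo $(( target_kib - have_kib ))
    fi
}

# Demonstration on the constructed sample. On a node, pipe the live output:
#   swapon -s | swap_shortfall_kib 64
printf 'sample total: %s KiB; short of 64 GiB by %s KiB\n' \
    "$(printf '%s\n' "$SAMPLE_SWAPON" | total_swap_kib)" \
    "$(printf '%s\n' "$SAMPLE_SWAPON" | swap_shortfall_kib 64)"
```

A result of 0 on every node means no node needs more swap under this reading of the requirement; any other value is the amount to add on that node.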
7.7 Step 6: If Necessary, Remove Old Kernels
For each multi-master cluster node, Oracle recommends that you clean up the older kernels that were left behind after the upgrade.
7.8 Step 7: If Necessary, Remove SSH-Related DSA Keys
For each multi-master cluster node, you should remove SSH-related DSA keys left behind after the upgrade.
7.9 Step 8: Upgrade the Endpoint Software
When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.
You can upgrade an endpoint by upgrading the endpoint software or re-enrolling the endpoint. Upgrading the endpoint software does not affect the existing endpoint certificate or okvclient.ora, the endpoint configuration file. Re-enrolling an endpoint invalidates an existing endpoint certificate, and a new endpoint certificate as well as okvclient.ora are installed. Oracle recommends that you upgrade the endpoint software for minor version upgrades (for example, from 21.x to 21.y) and consider re-enrolling the endpoint when upgrading across major versions (for example, from 18.x to 21.y).
Before an endpoint that uses Oracle Key Vault for TDE key management can take advantage of new Oracle Key Vault features, for example non-extractable TDE master keys, it must be upgraded to match the new Oracle Key Vault release.