6 Upgrading a Standalone Oracle Key Vault Server
This upgrade includes the Oracle Key Vault server software and utilities that control the associated endpoint software.
- About Upgrading a Standalone Oracle Key Vault Server
To benefit from new features and security enhancements, Oracle recommends that you upgrade Oracle Key Vault server to the latest release.
- Step 1: Back Up the Server Before You Upgrade
Before you upgrade the Oracle Key Vault server, perform a one-time backup to a remote destination so that you can recover data in case the upgrade fails.
- Step 2: Perform Pre-Upgrade Tasks for the Standalone Oracle Key Vault
To ensure a smooth upgrade to Oracle Key Vault, you should prepare the server you are upgrading.
- Step 3: Add Disk Space to Extend the vg_root for the Release 21.11 Upgrade
Before upgrading from Oracle Key Vault release 12.2 or 18 to 21, you need to extend the vg_root to increase disk space.
- Step 4: Upgrade the Oracle Key Vault Server
You can upgrade a standalone Oracle Key Vault server deployment.
- Step 5: If Necessary, Add Disk Space to Extend Swap Space
If necessary, extend the swap space. Oracle Key Vault release 21.11 requires a hard disk of 2 TB or larger with approximately 64 GB of swap space.
- Step 6: If Necessary, Remove Old Kernels
Oracle recommends that you clean up the older kernels that were left behind after the upgrade.
- Step 7: If Necessary, Remove SSH-Related DSA Keys
You should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.
- Step 8: Upgrade the Endpoint Software
When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.
- Step 9: Back Up the Upgraded Oracle Key Vault Server
You must perform server backup and user password tasks after completing a successful upgrade.
6.1 About Upgrading a Standalone Oracle Key Vault Server
To benefit from new features and security enhancements, Oracle recommends that you upgrade Oracle Key Vault server to the latest release.
You must upgrade in the following order: first perform a full backup of Oracle Key Vault, upgrade the Oracle Key Vault server, upgrade the endpoint software, and lastly, perform another full backup of the upgraded server. Note that upgrading requires a restart of the Oracle Key Vault server.
Oracle recommends using a multi-master cluster deployment for production use. During upgrade of a multi-master cluster, there is no downtime of databases or business applications. A two-node cluster provides read-only availability, and four or more node clusters provide continuous read-write availability. You can enable the persistent cache feature to enable endpoints to continue operation during the upgrade process.
When you upgrade the Oracle Key Vault server software, to access the latest enhancements, also upgrade the endpoint software. While endpoint software from the previous Oracle Key Vault release will continue to function with the upgraded Oracle Key Vault server, new endpoint functionality may not work.
Before you begin the upgrade, refer to Oracle Key Vault Release Notes for additional information about performing upgrades.
6.2 Step 1: Back Up the Server Before You Upgrade
Before you upgrade the Oracle Key Vault server, perform a one-time backup to a remote destination so that you can recover data in case the upgrade fails.
Caution:
Do not bypass this step. Back up the server before you perform the upgrade so that your data is safe and recoverable.
6.3 Step 2: Perform Pre-Upgrade Tasks for the Standalone Oracle Key Vault
To ensure a smooth upgrade to Oracle Key Vault, you should prepare the server you are upgrading.
6.4 Step 3: Add Disk Space to Extend the vg_root for the Release 21.11 Upgrade
Before upgrading from Oracle Key Vault release 12.2 or 18 to 21, you need to extend the vg_root to increase disk space.
vg_root
, then you can bypass this step.
6.5 Step 4: Upgrade the Oracle Key Vault Server
You can upgrade a standalone Oracle Key Vault server deployment.
- About Upgrading an Oracle Key Vault Server
In a standalone deployment you must upgrade a single Oracle Key Vault server.
- Upgrading a Standalone Oracle Key Vault Server
A single Oracle Key Vault server in a standalone deployment is sometimes used in test and development environments for functional testing.
6.5.1 About Upgrading an Oracle Key Vault Server
In a standalone deployment you must upgrade a single Oracle Key Vault server.
Note that persistent caching enables endpoints to continue to be operational during the upgrade process.
Note:
If you are upgrading from a system with 4 GB RAM, first add 12 GB or more of additional RAM, following the instructions for your specific hardware, before upgrading. Ensure that the persistent cache is enabled and set to sufficiently large values before attempting such operations, to avoid endpoint downtime.
6.5.2 Upgrading a Standalone Oracle Key Vault Server
A single Oracle Key Vault server in a standalone deployment is sometimes used in test and development environments for functional testing.
- Correct System Inconsistencies Before Upgrade
You can correct the system inconsistencies before upgrading to the latest Oracle Key Vault release.
6.5.2.1 Correct System Inconsistencies Before Upgrade
You can correct the system inconsistencies before upgrading to the latest Oracle Key Vault release.
If FIPS mode is not consistent in Oracle Key Vault, the upgrade fails with the following error:
# ruby /images/upgrade.rb --confirm
Power loss during upgrade may cause data loss. Do not power
off during upgrade.
Verifying boot partition before upgrade
Failed to apply update:
The Oracle Key Vault upgrade has detected issues with FIPS mode.
Please consult the Oracle Key Vault upgrade documentation or contact Oracle Support.
Before you upgrade, follow the steps to fix the inconsistent state of FIPS.
6.6 Step 5: If Necessary, Add Disk Space to Extend Swap Space
If necessary, extend the swap space. Oracle Key Vault release 21.11 requires a hard disk of 2 TB or larger with approximately 64 GB of swap space.
swapon -s
command. By default, Oracle Key Vault releases earlier than release 18.1 were installed with approximately 4 GB of swap space. After you complete the upgrade to release 18.1 or later, Oracle recommends that you increase the swap space allocation for the server on which you upgraded Oracle Key Vault. A new Oracle Key Vault installation is automatically configured with sufficient swap space. However, if you upgraded from a previous release, and your system does not have the desired amount of swap space configured, then you must manually add disk space to extend the swap space, particularly if the intention is to convert the upgraded server into the first node of a multi-master cluster.
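The swap check described above can be scripted as follows. This is an added example, not part of Oracle's documentation: the function names, the device names in the constructed `swapon -s` samples, and the reading of "approximately 64 GB" as 64 GiB minus a 1% tolerance are all assumptions.

```shell
#!/bin/sh
# Sum the Size column (KiB) of `swapon -s` style output read on stdin.
swap_total_kib() {
    awk 'NR > 1 && $3 ~ /^[0-9]+$/ { total += $3 } END { printf "%d\n", total }'
}

# Succeed when total swap reaches the target.
# Assumption: "approximately 64 GB" is read as 64 GiB minus a tolerance
# (default 1%); pass 0 as the third argument for a strict comparison.
swap_meets_target() {
    total_kib=$1; target_gib=${2:-64}; tol_pct=${3:-1}
    min_kib=$((target_gib * 1048576 * (100 - tol_pct) / 100))
    [ "$total_kib" -ge "$min_kib" ]
}

# Constructed sample: server installed before release 18.1 (about 4 GB swap).
LEGACY_SWAP='Filename   Type       Size      Used  Priority
/dev/dm-1  partition  4194300   0     -2'

# Constructed sample: same server after a second swap device was added.
# The devices report slightly less than their nominal size, so the total
# lands just under 64 GiB and only passes with a tolerance.
EXTENDED_SWAP='Filename   Type       Size      Used  Priority
/dev/dm-1  partition  4194300   0     -2
/dev/dm-9  partition  62914556  0     -3'

for sample in "$LEGACY_SWAP" "$EXTENDED_SWAP"; do
    total=$(printf '%s\n' "$sample" | swap_total_kib)
    if swap_meets_target "$total"; then
        verdict="sufficient"
    else
        verdict="extend swap space"
    fi
    echo "total swap: ${total} KiB -> ${verdict}"
done
```

On a live server, feed the function real data with `swapon -s | swap_total_kib`.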
6.7 Step 6: If Necessary, Remove Old Kernels
Oracle recommends that you clean up the older kernels that were left behind after the upgrade.
6.8 Step 7: If Necessary, Remove SSH-Related DSA Keys
You should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.
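To confirm which files are DSA keys before removing anything, you can identify them by content rather than by file name. The following is an added example, not part of Oracle's documentation: the function names and the file names in the constructed sample directory are assumptions, and the key bodies are placeholders rather than real keys.

```shell
#!/bin/sh
# List DSA keys in the directory given as $1, judged by file content.
find_dsa_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        first=$(head -n 1 "$f" 2>/dev/null)
        case $first in
            "ssh-dss "*)
                printf '%s\n' "$f"          # DSA public key
                # New-format private keys do not name their algorithm in the
                # header, so flag the private half that sits beside a DSA .pub.
                priv=${f%.pub}
                if [ "$priv" != "$f" ] && [ -f "$priv" ]; then
                    printf '%s\n' "$priv"
                fi
                ;;
            "-----BEGIN DSA PRIVATE KEY-----"*)
                printf '%s\n' "$f"          # legacy PEM DSA private key
                ;;
        esac
    done | sort -u
}

# Build a constructed sample directory (placeholder bodies, not real keys).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    new_hdr='-----BEGIN OPENSSH PRIVATE KEY-----'
    printf '%s\n' 'ssh-dss CONSTRUCTED-PLACEHOLDER root@example' > "$d/ssh_host_dsa_key.pub"
    printf '%s\n' "$new_hdr" > "$d/ssh_host_dsa_key"
    printf '%s\n' 'ssh-rsa CONSTRUCTED-PLACEHOLDER root@example' > "$d/ssh_host_rsa_key.pub"
    printf '%s\n' "$new_hdr" > "$d/ssh_host_rsa_key"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' > "$d/old_backup_key"
    printf '%s\n' 'ssh-ed25519 CONSTRUCTED-PLACEHOLDER root@example' > "$d/ssh_host_ed25519_key.pub"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "DSA keys found in $sample:"
find_dsa_keys "$sample"
rm -rf "$sample"
```

The script only lists candidates; review the list against the removal steps for your release before deleting any file.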
6.9 Step 8: Upgrade the Endpoint Software
When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.
You can upgrade an endpoint by upgrading the endpoint software or re-enrolling the endpoint. Upgrading the endpoint software does not affect the existing endpoint certificate or okvclient.ora, the endpoint configuration file. Re-enrolling an endpoint invalidates an existing endpoint certificate, and a new endpoint certificate as well as okvclient.ora are installed. Oracle recommends that you upgrade the endpoint software for minor version upgrades (for example, from 21.x to 21.y) and consider re-enrolling the endpoint when upgrading across major versions (for example, from 18.x to 21.y).
Before an endpoint that uses Oracle Key Vault for TDE key management can take advantage of new Oracle Key Vault features, for example non-extractable TDE master keys, it must be upgraded to match the new Oracle Key Vault release.
6.10 Step 9: Back Up the Upgraded Oracle Key Vault Server
You must perform server backup and user password tasks after completing a successful upgrade.