3 Downloading and Installing Oracle Key Vault

You must download the Oracle Key Vault application software, and then you can install or upgrade Oracle Key Vault.

3.1 Downloading the Oracle Key Vault Software for Fresh Installation

To install Oracle Key Vault, download the Oracle Key Vault appliance software from Oracle Software Delivery Cloud.

  1. Launch the Oracle Software Delivery Cloud portal.
  2. Click Sign In, and if prompted, type your User ID and Password.
  3. In the All Categories menu, select Release. In the next field, type Oracle Key Vault and then click Search.
  4. Click the current Oracle Key Vault release.
    The download is added to your cart. To check the cart contents, click View Items in the upper right corner.
  5. Click Continue.
  6. On the next page, verify the details of the installation package, and then click Continue.
  7. Read the license agreement on the Oracle Standard Terms and Restrictions page, select I reviewed and accept the Oracle License Agreement, and then click Continue.

    The Oracle Software Delivery Cloud page is displayed, which displays the Oracle Key Vault ISO file.

  8. Click the ISO file, select a location to save it, and then click Save.
  9. Transfer the ISO file by using one of the following methods:
    • Burn the .iso image onto a bootable DVD.
    • Copy the .iso image onto a bootable USB stick.
    • Mount the .iso image with your virtualization software to run Oracle Key Vault as a virtual machine, booting from the .iso image.
You can now install Oracle Key Vault.

3.2 Downloading the Oracle Key Vault Software for Upgrade

Perform the following steps to upgrade Oracle Key Vault.

  1. Click https://updates.oracle.com/download/38854753.html.
  2. If prompted, type your user name or email address, and your password.
  3. Click Download, and then select a location to save the .zip file.
  4. After unzipping the file, the following files are displayed:
    • okv-upgrade-21.14.0.0.0.iso: Includes all files required to upgrade to the current version.
    • Readme_OKV_2114.html: The readme file.

    Note:

    Upgrade Oracle Key Vault using the .iso package only, not the rpm package, because of the rpm package's many dependencies.
  5. If you downloaded the .zip file from https://support.oracle.com, and also selected Download File Metadata, you can use the accompanying XML metadata file to verify the checksum of the .iso file.
  6. On your Linux computer, generate a sha256 checksum for the .iso file:
    sha256sum okv-upgrade-21.14.0.0.0.iso
    Ensure that the file checksum matches the following value:
    079bb9cd5f65ea2e5e826f60c74dec6825d987e9fb30e4a22d0a747012257af3  okv-upgrade-21.14.0.0.0.iso
    If the checksum does not match, do not use the file; download it again and verify it before starting the upgrade.

3.3 Installing the Oracle Key Vault Appliance Software

The Oracle Key Vault installation process installs all the required software components onto a dedicated server or virtual machine.

The installation process may take 30 minutes or longer to complete, depending on the resources of the server where you are installing Oracle Key Vault.

If you are installing Oracle Key Vault on VMware, then set the VMX configuration parameter disk.EnableUUID to TRUE. In addition, you must set your virtual machine to use EFI boot; in some versions of VMware this is done by selecting the VM Options tab, expanding Boot Options, and setting the firmware to EFI. You must also disable Secure Boot. Without these settings, the Oracle Key Vault installation on VMware will fail.

Caution:

The Oracle Key Vault installation wipes the server, repartitions the disk, and installs a hardened Oracle Linux 8. The installation erases existing software and data on the server.

Ensure that you meet the following prerequisites.

  • Ensure that the server meets the recommended requirements.

  • Request a fixed IP address, network mask, and gateway address from your network administrator. You will need this information to configure the network.

To install the Oracle Key Vault appliance:

  1. Make the .iso image available to the computer where you want to install it, and then restart the computer.

    The .iso image can be made available in any of these ways:

    • Burned onto a bootable DVD
    • Copied onto a bootable USB stick
    • Mounted with your site's virtualization software

    You may need to change the boot order of your server to boot from the USB stick or the DVD. The initialization screen appears, showing the following options:


    [Illustration 2114_initial_install_screen.png: the initial installation screen]

  2. Using the up and down arrow keys, select the desired installation option or the option to perform a memory test, and then press Enter.

    Choosing the first option, Press Enter to start the installation of Oracle Key Vault, does not enable FIPS mode on the system.

    Choosing the second option, Press Enter to install the Oracle Key Vault with FIPS mode enabled, automatically enables FIPS mode on the system.

    The installation begins, and after several minutes you are asked to set the root user password (and to enter it a second time to confirm it). Store the root user password securely: you will need it later to authenticate to the Oracle Key Vault management console and complete the post-installation tasks.

    [Illustration 21_set_root_user_password.png: setting the root user password]

  3. After you set the root user password, log in as root when prompted to observe the installation status: at the login prompt, enter root, press Enter, enter the root user password, and then press Enter again.
  4. When prompted, re-insert the ISO disk.
    After you re-insert the ISO disk, the Select Network Mode window appears after a couple of minutes.

    [Illustration 21_select_network_mode.png: the Select Network Mode window]

  5. For the network mode, if you want Classic mode, then follow these steps:
    Classic mode, used in previous releases of Oracle Key Vault, allows one network interface to be used. If you later decide to switch to dual NIC mode, then you can do so, but only if you are using a standalone configuration. In a multi-master cluster configuration, to switch to dual NIC mode for a cluster node, you must first delete the node from the cluster, configure the node to use dual NIC mode, and then re-induct the node back into the cluster.
    1. Select 1 to choose Classic mode and then select OK.
    2. In the Select default network interface screen, select from the available options, and then select OK.
    3. In the Network settings screen, enter the IP address, Network mask, and Gateway settings for the default network interface. The network administrator for your site can provide this information.
    4. Select OK.
  6. If you want the dual NIC network mode, then follow these steps:
    Dual NIC mode enables you to configure Oracle Key Vault to use two network interfaces, or Ethernet ports. It guards against physical or software failures by adding redundancy at the network layer. Select dual NIC mode if there is a greater need for operational continuity and to avoid eviction from the cluster due to prolonged unavailability of the network. Dual NIC mode helps to prevent situations where a node loses connectivity and risks missing changes that have been made to data in the cluster.
    1. Select 2 to select Dual-NIC mode and then select OK.
    2. In the Select Bond Mode screen, select from the bond mode choices for the two network interfaces that you plan to use, and then select OK.
      • Round Robin configures the network interfaces such that network packets are transmitted and received sequentially from the first available interface through the last. This bonding mode is the default. This mode provides fault tolerance and load balancing and requires the links to be connected to a network switch with EtherChannel support.
      • Active-Backup configures the network interfaces as active and backup. Only one interface in the bond is active. A different interface becomes active if, and only if, the active interface fails. The network communication happens over the active interface. This mode provides fault tolerance and does not require any switch support.
      • 802.3ad creates aggregation groups that share the same speed and duplex settings. Network packets are transmitted and received on all interfaces. This mode provides fault tolerance and load balancing and requires a switch that supports IEEE 802.3ad dynamic link aggregation.
    3. In the Select two network interfaces screen, select the two network interfaces that you want, and then select OK.
    4. In the Network settings screen, enter the IP address, Network mask, Gateway, and Hostname settings for the default network interface. The network administrator for your site can provide this information. For the host name, use only lowercase characters. The host name can be the fully qualified host name or the short host name.
    5. Select OK.
  7. The installer installs and configures the operating system, database, and Oracle Key Vault on the server to make it a self-contained hardened appliance. The installation and configuration process can take an hour or longer.
  8. When the installation is complete, log in as root on the Oracle Key Vault terminal console and set the password of the support user:
    passwd support
    New password:
    Retype new password:
    passwd: All authentication tokens updated successfully.

    Once SSH has been enabled, the support user is the only user who can ssh into Oracle Key Vault.

    Keep SSH disabled except while applying upgrade patches or when directed by Oracle Support.

    Note:

    • Oracle does not restrict customers from deploying Oracle Key Vault in a virtual environment, provided that the virtual environment reflects an Oracle Key Vault physical server. Some of the supported hypervisor products are Oracle VirtualBox, Hyper-V, VMware, and KVM.
    • For installing Oracle Key Vault on Hyper-V, see Hyper-V Installation on Windows.
    • Oracle Key Vault does not support silent mode installation.
  9. If the IP address was not set during installation, then log in as the root user on the Oracle Key Vault terminal console, and run the following command to set the IP address and other details.
    /usr/local/okv/bin/okv_configure_network

3.3.1 Requirements for root and support User Passwords

Ensure that you meet these requirements for root and support user passwords.

  • The password must have at least 15 characters.
  • The password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.
  • The same character cannot repeat consecutively more than 3 times in the password.
  • Characters from the same class cannot repeat consecutively more than 4 times in the password; for example, 5 or more lowercase letters in a row are not allowed.
  • The new password must have at least 8 characters that are different from the old password.
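
The following Python script is an added example and is not Oracle's code or part of this guide. It encodes the root and support password rules above, and the management-console user password and recovery passphrase rules from the post-installation tasks in section 3.4, as checks that return the list of violated rules, so that a candidate password can be tested before it is typed into the console. Three points are assumptions, not statements from the guide: "special character" for the root and support password is taken to mean any character that is not a letter or digit; "at least 8 characters different from the old password" is read the way pam_pwquality reads difok, as at least 8 characters of the new password that occur nowhere in the old one; and for console passwords only letters, digits, the listed special characters and (for user passwords) an inner space are treated as allowed.

```python
"""Password-policy checks for Oracle Key Vault passwords.

Added example, not Oracle's code. Each check returns the list of violated
rules rather than a bare True/False so the caller can see what to fix.
"""
import re
import string

# Special characters the management console accepts (section 3.4).
CONSOLE_SPECIALS = ".,_+:!"


def _classes(pw):
    """Map each character to a class letter: U(pper), L(ower), D(igit), S(pecial)."""
    return "".join(
        "U" if c.isupper() else "L" if c.islower() else "D" if c.isdigit() else "S"
        for c in pw
    )


def check_os_password(new, old=None):
    """Check a root or support user password against section 3.3.1.

    Returns a list of violated rules; an empty list means the password passes.
    Assumption: any non-alphanumeric character counts as "special".
    """
    problems = []
    classes = _classes(new)
    if len(new) < 15:
        problems.append("shorter than 15 characters")
    for name, letter in (("uppercase letter", "U"), ("lowercase letter", "L"),
                         ("digit", "D"), ("special character", "S")):
        if letter not in classes:
            problems.append("no " + name)
    # (.)\1{3} matches the same character 4 times in a row, i.e. more than 3 repeats.
    if re.search(r"(.)\1{3}", new):
        problems.append("a character repeats more than 3 times in a row")
    # Five identical class letters in a row means more than 4 characters of one class.
    if re.search(r"(.)\1{4}", classes):
        problems.append("more than 4 characters of one class in a row")
    if old is not None:
        # Assumption: counted the way pam_pwquality's difok counts, i.e. characters
        # of the new password that occur nowhere in the old one.
        fresh = sum(1 for c in new if c not in old)
        if fresh < 8:
            problems.append("fewer than 8 characters that do not appear in the old password")
    return problems


def check_console_password(pw, allow_inner_space=True):
    """Check a management-console user password (section 3.4, step 4) or, with
    allow_inner_space=False, the recovery passphrase (section 3.4, step 5).

    Assumption: only letters, digits, CONSOLE_SPECIALS and, for user passwords,
    a space that is neither first nor last are accepted; the guide lists no others.
    """
    problems = []
    if not 8 <= len(pw) <= 30:
        problems.append("length is not between 8 and 30 characters")
    for name, test in (("uppercase letter", str.isupper), ("lowercase letter", str.islower),
                       ("digit", str.isdigit)):
        if not any(test(c) for c in pw):
            problems.append("no " + name)
    if not any(c in CONSOLE_SPECIALS for c in pw):
        problems.append("no special character from " + CONSOLE_SPECIALS)
    allowed = set(string.ascii_letters + string.digits + CONSOLE_SPECIALS)
    if allow_inner_space:
        allowed.add(" ")
    bad = "".join(sorted({c for c in pw if c not in allowed}))
    if bad:
        problems.append("disallowed characters: " + repr(bad))
    if allow_inner_space and pw and (pw[0] == " " or pw[-1] == " "):
        problems.append("space at the start or end")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for illustration, not real credentials.
    for candidate in ("Okv1-Key2-Vault3-ok!", "okv_appliance_2024"):
        print(candidate, "->", check_os_password(candidate) or "OK")
    for candidate in ("Okv.Admin1", "Okv Admin1!"):
        print(candidate, "->", check_console_password(candidate, allow_inner_space=False) or "OK")
```

Note that the class-run rule rejects ordinary dictionary words of five or more letters ("appliance" is nine lowercase letters in a row), so a root or support password built from words needs digits or punctuation inserted at least every four letters; the first sample above is built that way.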

3.4 Performing Post-Installation Tasks

After you install Oracle Key Vault, you must complete a set of post-installation tasks.

These tasks include configuring the administrative user accounts and their one-time passwords, the recovery passphrase, as well as DNS and NTP settings.

  1. Use a web browser to connect to the Oracle Key Vault server.

    For example, to connect in to an Oracle Key Vault server whose IP address is 192.0.2.254, enter the following in the address bar:

    https://192.0.2.254

  2. If the web browser displays a security warning message stating that you are connecting to a website with an untrusted or self-signed security certificate, accept the security warning message and proceed to connect to the Oracle Key Vault server.

    This message is only temporary. When you configure third-party certificates, this message will no longer appear. After completing the post-installation tasks, you can upload a custom certificate or certificate chain that is trusted by the browser, so that you can connect to the Oracle Key Vault server without encountering the security warning message. For more information about uploading a custom certificate, see Oracle Key Vault Administrator's Guide.

  3. In the root password screen, enter the root password.

    The root password screen is displayed when you connect to the Oracle Key Vault server for the first time, in order to complete the post-installation tasks. After you complete the post-installation tasks, the Oracle Key Vault login screen is displayed when you access the Oracle Key Vault management console through the web browser.

    After you log in with the root user password, the Post-Install Configuration screen is displayed.

  4. In the User Setup pane, create three administrative user accounts for the Key Administrator, System Administrator, and Audit Manager.
    [Illustration 214_user_setup.png: the User Setup pane]
    • Enter the user name and password, the full name (optional), and email (optional) for each administrative user account.

      Note that the passwords are one-time use passwords which must be changed when the user logs in the first time.

    • Ideally, create a different user account for each of these administrative roles for a strict separation of duties, or combine roles as necessary.

    • Ensure that passwords are between 8 and 30 characters in length and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), exclamation mark (!). In addition, the password may include a space character ( ) provided it is not used as the first or last character of the password.

    • If you want the user to be able to grant their role to other users, then select the Allow Forward Grant check box.

  5. In the Recovery Passphrase section, create the recovery passphrase.

    [Illustration 21_recovery_password.png: the Recovery Passphrase section]

    The recovery passphrase must be between 8 and 30 characters in length and may only contain uppercase letters, lowercase letters, numbers, and special characters from the set: period (.), comma (,), underscore (_), plus sign (+), colon (:), exclamation mark (!). The recovery passphrase must contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character from the allowed set of special characters.

    For greater security, Oracle recommends that you make the recovery passphrase longer and more complex. Because this is a critical credential, you must properly secure and safeguard the recovery passphrase. The recovery passphrase is required in the following scenarios:

    • In an emergency, when there are no administrative users available to access Oracle Key Vault

    • To restore Oracle Key Vault data from a backup

    • To reset the recovery passphrase

    • To induct a new node into a multi-master cluster

    • To configure a hardware security module (HSM)

    Caution:

    It is important to establish a secure process for the storage and retrieval of the recovery passphrase, including older recovery passphrases. The only way to recover from a lost recovery passphrase is to reinstall Oracle Key Vault. Note also that the root and support user passwords expire after 365 days. If you log in to the Oracle Key Vault management console within 120 days before the expiration, you will see an alert that the password expires in remaining_number_of_days days. If you log in after the expiration date, then you can use the old password only to log in and change the password to a new one.
  6. Set the DNS IP addresses.
    Oracle recommends that you set the DNS IP addresses at this stage. Your network administrator can supply them. You can set the NTP server names only after you save the changes on this page, including the DNS addresses.
  7. Click Save in the upper right corner of the Post-Install Configuration screen.

    The Oracle Key Vault management console login screen is displayed:


    [Illustration 21_new_login.png: the Oracle Key Vault management console login screen]

  8. Configure the system time.
    Oracle recommends that when you configure the system time, you configure all three NTP servers, using their host names, and that you select the Synchronize Periodically option.
  9. Configure system alerts, and if necessary, email so that the appropriate users can receive these alerts.
    Oracle recommends that users who receive these alerts take action on them as soon as possible. For example, critical alerts, such as the Oracle Key Vault server certificate expiration alert, can result in downtime if they are not addressed in a timely fashion.
You can now log in to the Oracle Key Vault management console with the credentials of any of the user accounts that were created during the post-installation process.