Title and Copyright Information
Preface
- Audience
- Documentation Accessibility
- Diversity and Inclusion
- Related Documents
- Conventions
Changes in This Release for Oracle Key Vault
- Changes for Oracle Key Vault Release 21.4
- Changes for Oracle Key Vault Release 21.3
1 Introduction to Oracle Key Vault
- 1.1 About Key and Secrets Management in Oracle Key Vault
- 1.2 Benefits of Using Oracle Key Vault
- 1.3 Oracle Key Vault Use Cases
- 1.4 Who Should Use Oracle Key Vault
- 1.5 Major Features of Oracle Key Vault
- 1.6 Oracle Key Vault Interfaces
- 1.7 Overview of an Oracle Key Vault Deployment
2 Oracle Key Vault Concepts
- 2.1 Overview of Oracle Key Vault Concepts
- 2.2 Oracle Key Vault Deployment Architecture
- 2.3 Access Control Configuration
- 2.4 Administrative Roles and Endpoint Privileges within Oracle Key Vault
- 2.5 Naming Guidelines for Objects
- 2.6 Emergency System Recovery Process
- 2.7 Root and Support User Accounts
- 2.8 Endpoint Administrators
- 2.9 FIPS Mode
3 Oracle Key Vault Multi-Master Cluster Concepts
- 3.1 Oracle Key Vault Multi-Master Cluster Overview
- 3.2 Benefits of Oracle Key Vault Multi-Master Clustering
- 3.3 Multi-Master Cluster Architecture
- 3.4 Building and Managing a Multi-Master Cluster
- 3.5 Oracle Key Vault Multi-Master Cluster Deployment Scenarios
- 3.6 Multi-Master Cluster Features
- 3.7 Cluster Management Information
4 Configuring System Settings for an Entire Oracle Key Vault Multi-Master Cluster
- 4.1 About Managing Oracle Key Vault Multi-Master Clusters
- 4.2 Setting Up a Cluster
- 4.3 Terminating the Pairing of a Node
- 4.4 Disabling a Cluster Node
- 4.5 Enabling a Disabled Cluster Node
- 4.6 Deleting a Cluster Node
- 4.7 Force Deleting a Cluster Node
- 4.8 Managing Replication Between Nodes
- 4.9 Cluster Management Information
- 4.10 Cluster Monitoring Information
- 4.11 Naming Conflicts and Resolution
- 4.12 Multi-Master Cluster Deployment Recommendations
5 Managing an Oracle Key Vault Primary-Standby Configuration
- 5.1 Overview of the Oracle Key Vault Primary-Standby Configuration
- 5.2 Configuring the Primary-Standby Environment
- 5.3 Switching the Primary and Standby Servers
- 5.4 Restoring Primary-Standby After a Failover
- 5.5 Disabling (Unpairing) the Primary-Standby Configuration
- 5.6 Read-Only Restricted Mode in a Primary-Standby Configuration
- 5.7 Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
6 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance
- 6.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance
- 6.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure
- 6.3 Provisioning an Oracle Key Vault Compute Instance
  - 6.3.1 About Provisioning an Oracle Key Vault Compute Instance
  - 6.3.2 Launching the Oracle Key Vault Compute Instance
- 6.4 General Management of an Oracle Key Vault Compute Instance
- 6.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI
7 Oracle Database Instances in Oracle Cloud Infrastructure
- 7.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints
- 7.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
- 7.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
- 7.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 7.5 Suspending Database Cloud Service Access to Oracle Key Vault
  - 7.5.1 About Suspending Database Cloud Service Access to Oracle Key Vault
  - 7.5.2 Suspending Access for a Database Cloud Service to Oracle Key Vault
- 7.6 Resuming Database Cloud Service Access to Oracle Key Vault
- 7.7 Resuming a Database Endpoint Configured with a Password-Based Keystore
8 Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 8.1 About Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 8.2 Privilege Grants and Revokes for LDAP Users
- 8.3 Configuring the LDAP Directory Server Connection to Oracle Key Vault
- 8.4 Logins to Oracle Key Vault as an LDAP User
  - 8.4.1 About Logins to Oracle Key Vault as an LDAP User
  - 8.4.2 Logging in to Oracle Key Vault as an LDAP User
- 8.5 Managing the LDAP Configuration
- 8.6 Managing LDAP Groups
- 8.7 Managing Oracle Key Vault-Generated LDAP Users
9 Managing Oracle Key Vault Users
- 9.1 Managing User Accounts
- 9.2 Managing Administrative Roles and User Privileges
- 9.3 Managing User Passwords
- 9.4 Managing User Email
  - 9.4.1 Changing the User Email Address
  - 9.4.2 Disabling Email Notifications for a User
- 9.5 Managing User Groups
10 Managing Oracle Key Vault Virtual Wallets and Security Objects
- 10.1 Managing Virtual Wallets
- 10.2 Managing Access to Virtual Wallets from Keys & Wallets Tab
- 10.3 Managing Access to Virtual Wallets from User’s Menu
- 10.4 Managing the State of a Key or a Security Object
- 10.5 Managing the Extraction of Symmetric Keys from Oracle Key Vault
  - 10.5.1 About Managing the Extraction of Symmetric Keys from Oracle Key Vault
  - 10.5.2 Configuring the Extractable Attribute Value of Existing Symmetric Keys
- 10.6 Managing Details of Security Objects
11 Managing Oracle Key Vault Master Encryption Keys
- 11.1 Using the Persistent Master Encryption Key Cache
- 11.2 Configuring an Oracle Key Vault to a New TDE-Enabled Database Connection
- 11.3 Migrating Existing TDE Wallets to Oracle Key Vault
- 11.4 Uploading and Downloading Oracle Wallets
- 11.5 Uploading and Downloading JKS and JCEKS Keystores
- 11.6 Using a User-Defined Key as the TDE Master Encryption Key
12 Managing Oracle Key Vault Endpoints
- 12.1 Overview of Managing Endpoints
  - 12.1.1 About Managing Endpoints
  - 12.1.2 How a Multi-Master Cluster Affects Endpoints
- 12.2 Managing Endpoints
- 12.3 Managing Endpoint Details
  - 12.3.1 About Endpoint Details
  - 12.3.2 Modifying Endpoint Details
- 12.4 Managing Global and Per-Endpoint Configuration Parameters and Settings
- 12.5 Default Wallets and Endpoints
  - 12.5.1 Associating a Default Wallet with an Endpoint
  - 12.5.2 Setting the Default Wallet for an Endpoint
- 12.6 Managing Endpoint Access to a Virtual Wallet
- 12.7 Managing Endpoint Groups
13 Enrolling and Upgrading Endpoints for Oracle Key Vault
- 13.1 About Endpoint Enrollment and Provisioning
- 13.2 Finalizing Enrollment and Provisioning
- 13.3 Environment Variables and Endpoint Provisioning Guidance
- 13.4 Endpoints That Do Not Use the Oracle Key Vault Client Software
- 13.5 Transparent Data Encryption Endpoint Management
- 13.6 Endpoint okvclient.ora Configuration File
- 13.7 okvclient.ora Parameters That Must Not Be Modified
- 13.8 Upgrading Endpoint Software from an Endpoint
14 Managing Keys for Oracle Products
- 14.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
- 14.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
- 14.3 Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
- 14.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
- 14.5 MySQL Integration with Oracle Key Vault
- 14.6 Other Oracle Database Features That Oracle Key Vault Supports
15 Managing Online and Offline Secrets
- 15.1 Uploading and Downloading Credential Files
- 15.2 Managing Secrets and Credentials for SQL*Plus
- 15.3 Managing Secrets and Credentials for SSH
- 15.4 Centrally Managing Passwords in Oracle Key Vault
16 Oracle Key Vault General System Administration
- 16.1 Overview of Oracle Key Vault General System Administration
- 16.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
- 16.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- 16.4 Managing System Recovery
- 16.5 Support for a Primary-Standby Environment
- 16.6 Commercial National Security Algorithm Suite Support
- 16.7 Minimizing Downtime
17 Managing Service Certificates
- 17.1 Overview of Oracle Key Vault Certificates
- 17.2 Certificates Validity Period
- 17.3 Monitoring Certificates Expiry
- 17.4 Managing CA Certificate Rotation
- 17.5 Managing Server Certificates and Node Certificates Rotation
18 Managing Console Certificates
- 18.1 About Managing Console Certificates
- 18.2 Step 1: Download the Certificate Request
- 18.3 Step 2: Have the Certificate Signed
- 18.4 Step 3: Upload the Signed Certificate to Oracle Key Vault
- 18.5 Console Certificates in Special Use Case Scenarios
19 Backup and Restore Operations
- 19.1 About Backing Up and Restoring Data in Oracle Key Vault
- 19.2 Oracle Key Vault Backup Destinations
- 19.3 Scheduled Backups and States
- 19.4 Scheduling and Managing Oracle Key Vault Backups
- 19.5 Restoring Oracle Key Vault Data
- 19.6 Scheduling the Purging of Old Oracle Key Vault Backups
- 19.7 Manually Deleting a Local Oracle Key Vault Backup
- 19.8 Configuring Oracle ZFS Storage Appliance to Store Oracle Key Vault Backups
- 19.9 Backup and Restore Best Practices
20 Monitoring and Auditing Oracle Key Vault
- 20.1 Managing System Monitoring
- 20.2 Configuring Oracle Key Vault Alerts
- 20.3 Managing System Auditing
- 20.4 Using Oracle Key Vault Reports
A Oracle Key Vault Multi-Master Cluster Operations
B Oracle Key Vault okvutil Endpoint Utility Reference
- B.1 About the okvutil Utility
- B.2 okvutil Command Syntax
- B.3 okvutil changepwd Command
- B.4 okvutil diagnostics Command
- B.5 okvutil download Command
- B.6 okvutil list Command
- B.7 okvutil upload Command
C Troubleshooting Oracle Key Vault
- C.1 Finding Log File Errors
- C.2 Directory Permissions for Oracle Key Vault Migration
- C.3 Error: Cannot Open Keystore Message
- C.4 KMIP Error: Invalid Field
- C.5 WARNING: Could Not Store Private Key Errors
- C.6 Errors After Upgrading Oracle Key Vault
- C.7 Error: Failed to Open Wallet
- C.8 Transaction Check Error: Diagnostics Generation Utility
- C.9 Fast-Start Failover (FSFO) Suspended (ORA-16818)
- C.10 SSH Tunnel Add Failure
- C.11 Error: Provision Command Fails if /usr/bin/java Does Not Exist
- C.12 TDE Endpoint Integration Issues
- C.13 Failover Situations in Primary-Standby Mode
- C.14 Performing a Planned Shutdown
  - C.14.1 Primary Server Planned Shutdown
    - C.14.1.1 Performing a Primary Server Planned Shutdown During an Upgrade
    - C.14.1.2 Performing a Primary Server Planned Shutdown During Maintenance
  - C.14.2 Standby Server Planned Shutdown
    - C.14.2.1 Performing a Standby Server Planned Shutdown During an Upgrade
    - C.14.2.2 Performing a Standby Server Planned Shutdown During Maintenance
D Security Technical Implementation Guides Compliance Standards
- D.1 About Security Technical Implementation Guides
- D.2 Enabling and Disabling STIG Rules on Oracle Key Vault
  - D.2.1 Enabling STIG Rules on Oracle Key Vault
  - D.2.2 Disabling STIG Rules on Oracle Key Vault
- D.3 Current Implementation of STIG Rules on Oracle Key Vault
- D.4 Current Implementation of Database STIG Rules
- D.5 Current Implementation of Operating System STIG Rules
Glossary
Index