Title and Copyright Information
Preface
- Audience
- Documentation Accessibility
- Diversity and Inclusion
- Related Documents
- Conventions
Changes in This Release for Oracle Key Vault
- Changes for Oracle Key Vault Release 21.9
- Changes for Oracle Key Vault Release 21.8
- Changes for Oracle Key Vault Release 21.7
- Changes for Oracle Key Vault Release 21.6
- Changes for Oracle Key Vault Release 21.5
- Changes for Oracle Key Vault Release 21.4
- Changes for Oracle Key Vault Release 21.3
Deprecated Features of Oracle Key Vault
- Deprecated Features Oracle Key Vault 21.8
  - Vendor Specific HSM Root of Trust Configuration
- Deprecated Features Oracle Key Vault 21.5
1 Introduction to Oracle Key Vault
- 1.1 About Key and Secrets Management in Oracle Key Vault
- 1.2 Benefits of Using Oracle Key Vault
- 1.3 Oracle Key Vault Use Cases
- 1.4 Who Should Use Oracle Key Vault
- 1.5 Major Features of Oracle Key Vault
- 1.6 Oracle Key Vault Interfaces
- 1.7 Overview of an Oracle Key Vault Deployment
2 Oracle Key Vault Concepts
- 2.1 Overview of Oracle Key Vault Concepts
- 2.2 Oracle Key Vault Deployment Architecture
- 2.3 Access Control Configuration
- 2.4 Administrative Roles and Endpoint Privileges within Oracle Key Vault
- 2.5 Naming Guidelines for Objects
- 2.6 Emergency System Recovery Process
- 2.7 Root and Support User Accounts
- 2.8 Endpoint Managers
- 2.9 Endpoint Administrators
- 2.10 FIPS Mode
3 Oracle Key Vault Multi-Master Cluster Concepts
- 3.1 Oracle Key Vault Multi-Master Cluster Overview
- 3.2 Benefits of Oracle Key Vault Multi-Master Clustering
- 3.3 Multi-Master Cluster Architecture
- 3.4 Building and Managing a Multi-Master Cluster
- 3.5 Oracle Key Vault Multi-Master Cluster Deployment Scenarios
- 3.6 Multi-Master Cluster Features
- 3.7 Cluster Management Information
4 Managing Oracle Key Vault Multi-Master Clusters
- 4.1 About Managing Oracle Key Vault Multi-Master Clusters
- 4.2 Setting Up a Cluster
- 4.3 Terminating the Pairing of a Node
- 4.4 Disabling a Cluster Node
- 4.5 Enabling a Disabled Cluster Node
- 4.6 Deleting a Cluster Node
- 4.7 Force Deleting a Cluster Node
- 4.8 Managing Replication Between Nodes
- 4.9 Cluster Management Information
- 4.10 Cluster Monitoring Information
- 4.11 Naming Conflicts and Resolution
- 4.12 Multi-Master Cluster Deployment Recommendations
- 4.13 Adding an Alternate Name or IP Address
5 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance
- 5.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance
- 5.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure
- 5.3 Provisioning an Oracle Key Vault Compute Instance
  - 5.3.1 About Provisioning an Oracle Key Vault Compute Instance
  - 5.3.2 Launching the Oracle Key Vault Compute Instance
- 5.4 General Management of an Oracle Key Vault Compute Instance
- 5.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI
- 5.6 Creating Oracle Key Vault Image in Microsoft Azure
- 5.7 Creating Oracle Key Vault Image in Amazon AWS
- 5.8 Creating Oracle Key Vault Image in Google Cloud
6 Oracle Database Instances in Oracle Cloud Infrastructure
- 6.1 About Managing Oracle Cloud Infrastructure Database Instance Endpoints
- 6.2 Preparing a Database Instance on OCI to be an Oracle Key Vault Endpoint
- 6.3 Using an SSH Tunnel Between Oracle Key Vault and Database as a Service
- 6.4 Registering and Enrolling a Database as a Service Instance as an Oracle Key Vault Endpoint
- 6.5 Suspending Database Cloud Service Access to Oracle Key Vault
  - 6.5.1 About Suspending Database Cloud Service Access to Oracle Key Vault
  - 6.5.2 Suspending Access for a Database Cloud Service to Oracle Key Vault
- 6.6 Resuming Database Cloud Service Access to Oracle Key Vault
- 6.7 Resuming a Database Endpoint Configured with a Password-Based Keystore
7 Configuring Single Sign-On in Oracle Key Vault
- 7.1 About Single Sign-On Authentication in Oracle Key Vault
- 7.2 Configuring SAML Single Sign-On (SSO) Authentication
- 7.3 Managing Single Sign-On in Oracle Key Vault
- 7.4 Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory
  - 7.4.1 Adding User for Oracle Key Vault in Azure Active Directory (AD)
- 7.5 Configuring Single Sign-On for Oracle Key Vault and ADFS
- 7.6 Guidelines for Managing Single Sign-On Configuration
8 Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 8.1 About Managing LDAP User Authentication and Authorization in Oracle Key Vault
- 8.2 Considerations for Granting Privileges to LDAP Users
- 8.3 Configuring the LDAP Directory Server Connection to Oracle Key Vault
- 8.4 Logins to Oracle Key Vault as an LDAP User
  - 8.4.1 About Logins to Oracle Key Vault as an LDAP User
  - 8.4.2 Logging in to Oracle Key Vault as an LDAP User
- 8.5 Managing the LDAP Configuration
- 8.6 Managing LDAP Groups
- 8.7 Managing Oracle Key Vault-Generated LDAP Users
9 Managing Oracle Key Vault Users
- 9.1 Managing User Accounts
- 9.2 Managing Administrative Roles and User Privileges
- 9.3 Managing User Passwords
- 9.4 Managing User Email
  - 9.4.1 Changing the User Email Address
    - 9.4.1.1 Changing Your Own Email
    - 9.4.1.2 Changing Another User’s Email
  - 9.4.2 Disabling Email Notifications for a User
- 9.5 Managing User Groups
- 9.6 Managing support and root Password
  - 9.6.1 Changing the root User Password
  - 9.6.2 Changing the support User Account Password
10 Managing Oracle Key Vault Virtual Wallets and Security Objects
- 10.1 Managing Virtual Wallets
- 10.2 Managing Access to Virtual Wallets from Keys & Wallets Tab
- 10.3 Managing Access to Virtual Wallets from User’s Menu
- 10.4 Managing Security Objects
  - 10.4.1 Creating Keys
- 10.5 Managing the State of a Key or a Security Object
- 10.6 Managing the Extraction of Symmetric or Private Keys from Oracle Key Vault
  - 10.6.1 About Managing the Extraction of Symmetric or Private Keys from Oracle Key Vault
  - 10.6.2 Configuring the Extractable Attribute Value of Existing Symmetric or Private Keys
- 10.7 Managing Details of Security Objects
11 Managing Oracle Key Vault Master Encryption Keys
- 11.1 Using the Persistent Master Encryption Key Cache
- 11.2 Configuring an Oracle Key Vault to a New TDE-Enabled Database Connection
- 11.3 Migrating Existing TDE Wallets to Oracle Key Vault
- 11.4 Uploading and Downloading Oracle Wallets
- 11.5 Uploading and Downloading JKS and JCEKS Keystores
- 11.6 Using a User-Defined Key as the TDE Master Encryption Key
12 Managing Oracle Key Vault Endpoints
- 12.1 Overview of Managing Endpoints
  - 12.1.1 About Managing Endpoints
  - 12.1.2 How a Multi-Master Cluster Affects Endpoints
- 12.2 Managing Endpoints
- 12.3 Managing Endpoint Details
  - 12.3.1 About Endpoint Details
  - 12.3.2 Modifying Endpoint Details
- 12.4 Managing Global and Per-Endpoint Configuration Parameters and Settings
- 12.5 Default Wallets and Endpoints
  - 12.5.1 Associating a Default Wallet with an Endpoint
  - 12.5.2 Setting the Default Wallet for an Endpoint
- 12.6 Managing Endpoint Access to a Virtual Wallet
- 12.7 Managing Endpoint Groups
13 Enrolling and Upgrading Endpoints for Oracle Key Vault
- 13.1 About Endpoint Enrollment and Provisioning
- 13.2 Finalizing Enrollment and Provisioning
- 13.3 Environment Variables and Endpoint Provisioning Guidance
- 13.4 Endpoints That Do Not Use the Oracle Key Vault Client Software
- 13.5 Transparent Data Encryption Endpoint Management
- 13.6 Endpoint okvclient.ora Configuration File
- 13.7 okvclient.ora Parameters That Must Not Be Modified
- 13.8 Upgrading Endpoint Software
14 Managing Keys for Oracle Products
- 14.1 Using a TDE-Configured Oracle Database in an Oracle RAC Environment
- 14.2 Using a TDE-Configured Oracle Database in an Oracle GoldenGate Environment
- 14.3 Using a TDE-Configured Oracle Database in an Oracle Data Guard Environment
- 14.4 Uploading Keystores from Automatic Storage Management to Oracle Key Vault
- 14.5 MySQL Integration with Oracle Key Vault
- 14.6 Other Oracle Database Features That Oracle Key Vault Supports
15 SSH Keys Management Concepts
- 15.1 SSH Protocol
- 15.2 SSH Public Key Authentication
- 15.3 OpenSSH Implementation of the SSH Protocol
- 15.4 Challenges with SSH Public Key Authentication
- 15.5 Controlling Access to SSH Server Centrally with Oracle Key Vault
  - 15.5.1 Deployment
    - 15.5.1.1 Limiting Access Control to Root User
- 15.6 Managing SSH User Keys with Oracle Key Vault
  - 15.6.1 Deployment
- 15.7 Oracle Key Vault and SSH Integration
- 15.8 Supported Platforms for SSH Server and Client Endpoints
16 Management of SSH Keys - Setup and Configuration
- 16.1 Setup SSH Admin
- 16.2 Controlling Access to SSH Server Centrally with Oracle Key Vault
- 16.3 Managing SSH User Keys with Oracle Key Vault
- 16.4 Oracle Key Vault and SSH Integration
  - 16.4.1 SSH Administrators Managing both the SSH User's Keys and the SSH Server Access
  - 16.4.2 SSH Client Managing SSH User Keys and SSH Admin Managing the SSH Server Access
- 16.5 Migrating Existing SSH Deployments to Oracle Key Vault
- 16.6 Guidelines for OpenSSH SSHD Configuration
- 16.7 Reports
17 Managing Online and Offline Secrets
- 17.1 Uploading and Downloading Credential Files
- 17.2 Managing Secrets and Credentials for SQL*Plus
- 17.3 Managing Secrets and Credentials for SSH
- 17.4 Integrating Oracle Key Vault with SSH Public Key Authentication
- 17.5 Centrally Managing Passwords in Oracle Key Vault
18 Oracle Key Vault General System Administration
- 18.1 Overview of Oracle Key Vault General System Administration
- 18.2 Configuring Oracle Key Vault in a Non-Multi-Master Cluster Environment
- 18.3 Configuring Oracle Key Vault in a Multi-Master Cluster Environment
- 18.4 Managing System Recovery
- 18.5 Support for a Primary-Standby Environment
- 18.6 Commercial National Security Algorithm Suite Support
- 18.7 Minimizing Downtime
19 Managing Service Certificates
- 19.1 Overview of Oracle Key Vault Certificates
- 19.2 Certificates Validity Period
- 19.3 Monitoring Certificates Expiry
- 19.4 Managing CA Certificate Rotation
- 19.5 Managing Server Certificates and Node Certificates Rotation
- 19.6 Managing the Oracle Key Vault CA Certificate After Expiry
- 19.7 Configuring Oracle Key Vault with an Alternate Hostname
20 Managing Console Certificates
- 20.1 About Managing Console Certificates
- 20.2 Step 1: Download the Certificate Request
- 20.3 Step 2: Have the Certificate Signed
- 20.4 Step 3: Upload the Signed Certificate to Oracle Key Vault
- 20.5 Console Certificates in Special Use Case Scenarios
21 Backup and Restore Operations
- 21.1 About Backing Up and Restoring Data in Oracle Key Vault
- 21.2 Oracle Key Vault Backup Destinations
- 21.3 Scheduled Backups and States
- 21.4 Scheduling and Managing Oracle Key Vault Backups
- 21.5 Restoring Oracle Key Vault Data
- 21.6 Scheduling the Purging of Old Oracle Key Vault Backups
- 21.7 Manually Deleting a Local Oracle Key Vault Backup
- 21.8 Configuring Oracle ZFS Storage Appliance to Store Oracle Key Vault Backups
- 21.9 Backup and Restore Best Practices
22 Monitoring and Auditing Oracle Key Vault
- 22.1 Managing System Monitoring
- 22.2 Configuring Oracle Key Vault Alerts
- 22.3 Managing System Auditing
- 22.4 Using Oracle Key Vault Reports
23 Managing an Oracle Key Vault Primary-Standby Configuration
- 23.1 Overview of the Oracle Key Vault Primary-Standby Configuration
- 23.2 Configuring the Primary-Standby Environment
- 23.3 Switching the Primary and Standby Servers
- 23.4 Restoring Primary-Standby After a Failover
- 23.5 Disabling (Unpairing) the Primary-Standby Configuration
- 23.6 Read-Only Restricted Mode in a Primary-Standby Configuration
- 23.7 Best Practices for Using Oracle Key Vault in a Primary-Standby Configuration
A Oracle Key Vault Multi-Master Cluster Operations
B Oracle Key Vault okvutil Endpoint Utility Reference
- B.1 About the okvutil Utility
- B.2 okvutil Command Syntax
- B.3 okvutil changepwd Command
- B.4 okvutil diagnostics Command
- B.5 okvutil download Command
- B.6 okvutil list Command
- B.7 okvutil upload Command
- B.8 okvutil sign Command
- B.9 okvutil sign-verify Command
- B.10 okvutil show Command
- B.11 okvutil Common Errors
C Troubleshooting Oracle Key Vault
- C.1 Before You Start Troubleshooting
  - C.1.1 Endpoint Related Issues
- C.2 Common Oracle Key Vault Tasks
- C.3 okvutil and Endpoint Issues
- C.4 Multi-Master Cluster Issues
- C.5 Backup and Restore Issues
- C.6 Certificate Related Issues
  - C.6.1 Updating to Current Certificate Issuer
- C.7 Installation and Upgrade Issues
- C.8 Primary-Standby Configuration Issues
- C.9 DBCS Endpoint Configuration Issues
  - C.9.1 SSH Tunnel Add Failure
- C.10 Server and Node Issues
D Security Technical Implementation Guides Compliance Standards
- D.1 About Security Technical Implementation Guides
- D.2 Enabling and Disabling STIG Rules on Oracle Key Vault
  - D.2.1 Enabling STIG Rules on Oracle Key Vault
  - D.2.2 Disabling STIG Rules on Oracle Key Vault
- D.3 Current Implementation of STIG Rules on Oracle Key Vault
- D.4 Current Implementation of Database STIG Rules
  - D.4.1 Additional STIG Guidelines Notes
    - D.4.1.1 DG0116-ORACLE11 STIG Guideline
- D.5 Current Implementation of Operating System STIG Rules
E Managing Oracle Key Vault Platform Certificates
- E.1 Overview of Oracle Key Vault Platform Certificates
- E.2 Monitoring Oracle Key Vault Platform Certificate Expiration
  - E.2.1 Finding the Expiration Date of Platform Certificates
  - E.2.2 Monitoring Platform Certificates Expiration Using Platform Certificate Expiration Alerts
- E.3 Rotating Platform Certificates
  - E.3.1 Rotating Platform Certificates on a Standalone Oracle Key Vault Server
  - E.3.2 Rotating Platform Certificates in a Multi-Master Cluster Environment
Glossary
Index