1. Administrator's Guide
  2. Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5 Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

You can install Oracle Key Vault on an Oracle Cloud Infrastructure (OCI) VM compute instance from Oracle Cloud Marketplace.

5.1 About Deploying Oracle Key Vault on an Oracle Cloud Infrastructure Compute Instance

Oracle Key Vault on Oracle Cloud Marketplace is the cloud-based version of Oracle Key Vault and provides flexible, continuous and scalable key management.

Oracle Key Vault is quick and easy to launch on a VM compute instance of any shape or size in your OCI tenancy. This eliminates the need to procure hardware and drastically shortens the time to provision a fully functional Oracle Key Vault deployment. Oracle Key Vault deployed on an OCI VM compute instance (referred to as an Oracle Key Vault compute instance) is private to your tenancy and is managed by you. After the launch, an Oracle Key Vault compute instance has the same look and feel as an on-premises Oracle Key Vault installation, with the same flexibility in configuration.

An Oracle Key Vault server that is deployed on Oracle Cloud Infrastructure (OCI) VM compute instance can operate in the following situations:

  • A standalone environment
  • Be paired with other nodes in OCI or on-premises to form a multi-master cluster

The Oracle Key Vault multi-master cluster nodes could be entirely in OCI forming a cloud-only Oracle Key Vault cluster or some of the nodes can exist on-premises, thus forming a hybrid Oracle Key Vault cluster. This flexible deployment provides scalability regardless of whether Oracle Key Vault nodes are deployed in on-premises or cloud environments.

The Oracle Key Vault compute instance deployment enables the use of Oracle Key Vault to manage the encryption keys of your OCI-based database deployments. This enables you to maintain control over your encryption keys in a cloud environment. You can have up to 16 Oracle Key Vault compute instances in a multi-master cluster, distributed across any of the Oracle Cloud regions, to provide key management services to your globally distributed, on-premises, hybrid, or cloud-only Oracle database deployments.

When you enroll endpoints with the Oracle Key Vault compute instance, you must ensure that they are in the same VCN as the Oracle Key Vault compute instance itself. The endpoints will communicate with the Oracle Key Vault compute instance using the private IP of the instance. You can optionally configure the Oracle Key Vault compute instance to have a public IP address that can be used to access the Oracle Key Vault management console.

You can configure Oracle Key Vault to allow endpoints to use this public IP address to communicate with it, by configuring the public IP as an alternate hostname. The Oracle Key Vault instance can also be configured with a fully-qualified domain name (FQDN) as an alternate hostname. Each Oracle Key Vault instance can have up to two alternate hostnames, and endpoints can communicate with the instance using one of them. You must choose which of the two should be used for endpoint communications. You must configure the network to ensure that connectivity exists between Oracle Key Vault compute instances, as well as between endpoints and the Oracle Key Vault compute instances.

Related Topics

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.2 Benefits of Using Oracle Key Vault in Oracle Cloud Infrastructure

Quick deployments and ease of use are among the benefits of using an Oracle Key Vault Oracle Cloud Infrastructure (OCI) compute instance.

  • Key management for OCI-based database environment: The Oracle Key Vault compute instance deployment provides key management to your OCI-based database environments (ExaDB-D) as well as on-premises and hybrid database environments, including ExaDB-C@C and ADB-C@C). This enables you to own, manage, and maintain control over encryption keys of your database environments in the cloud.

  • Quick deployment: You can launch the Oracle Key Vault compute instance within minutes, see Launch Oracle Key Vault Compute Instance and without the need to manage hardware or set up virtual machines. After it is launched, the Oracle Key Vault compute instance can run stand-alone or be added to a multi-master cluster. You can enroll endpoints with an Oracle Key Vault compute instance. This way, you can quickly set up a production environment. You can also use Oracle Key Vault compute instances to quickly set up a test and development environment to validate and experiment with various use-cases and deployment scenarios of Oracle Key Vault.

  • Scaling out a production environment during peak load or hardware unavailability: If you use FastConnect or IPSec VPN in OCI, then you can extend the Oracle Key Vault cloud deployments to an on-premises environment. Using FastConnect or IPSec VPN, you can pair Oracle Key Vault nodes on-premises with Oracle Key Vault compute instances in OCI to form a hybrid cluster. You can use a hybrid cluster to run production Oracle Key Vault servers in OCI, or use them to expand the Oracle Key Vault cluster temporarily. Oracle Key Vault compute instances can be added quickly as new nodes to an on-premises, OCI or hybrid Oracle Key Vault cluster. This type of deployment provides spontaneous elasticity to the Oracle Key Vault cluster, and can be used to address any temporary increase of load on nodes of the Oracle Key Vault cluster.

  • Reduced latency for hybrid database environments: For use cases where the data is shared between on-premises and cloud databases, managing the keys in a hybrid Oracle Key Vault cluster provides for locality of reference. Because the keys are available on all nodes of the cluster, the cluster subgroups can be setup in such a way that the databases in the cloud can primarily fetch the keys from the cluster nodes in OCI and the on-premises databases can primarily fetch the keys from cluster nodes that are provisioned on-premises.

  • Simplified transition of on-premises to OCI-based Oracle Key Vault clusters: If you are connected to OCI using FastConnect or IPSec VPN, then you can extend your on-premises Oracle Key Vault cluster by adding Oracle Key Vault compute instances to that cluster. The IP addresses of the Oracle Key Vault nodes in OCI are added to the scan lists of your database endpoints. Once you have the appropriate number of Oracle Key Vault nodes in your OCI tenancy, you can remove the on-premises Oracle Key Vault nodes from the cluster. Following the same procedure, it is possible to seamlessly transition from an Oracle Key Vault cluster in OCI back to an on-premises Oracle Key Vault cluster.

  • Engaging OCI infrastructure and services: You can take advantage of the unique benefits of the Oracle Cloud Infrastructure. If you install multiple Oracle Key Vault compute instances in the same region, you can choose to deploy them in different availability domains (fault domains are selected automatically, but can be changed) to guarantee the highest possible availability of your key management service. Services such as DNS and NTP are also natively available in OCI. You do not have to set them up, thereby simplifying Oracle Key Vault provisioning.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.3 Provisioning an Oracle Key Vault Compute Instance

The provisioning process for an Oracle Key Vault compute instance entails launching the compute instance and performing post-launch and post-installation tasks.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.3.1 About Provisioning an Oracle Key Vault Compute Instance

To provision the Oracle Key Vault compute instance, you choose an Oracle Key Vault image as your custom image.

You will launch this image from the OCI Marketplace on a compute shape. After you complete the process, the Oracle Key Vault compute image becomes unique to your environment. The disk size of this image is 4 TB.

After you complete the launch, you can begin to use the Oracle Key Vault compute image immediately. The steps that you must perform after the launch are similar to the steps that you would perform for an on-premises Oracle Key Vault installation.

Parent topic: Provisioning an Oracle Key Vault Compute Instance

5.3.2 Launching the Oracle Key Vault Compute Instance

The launching process for the Oracle Key Vault compute instance should take roughly two to five minutes.

Parent topic: Provisioning an Oracle Key Vault Compute Instance

5.3.2.1 About Launching the Oracle Key Vault Compute Instance

The launch process requires some minor preparation work on your system.

Before you begin the launch process, ensure that the endpoints that you plan to use are in the same VCN as the Oracle Key Vault instance will be. The endpoints will communicate with Oracle Key Vault using the private IP of the compute instance. Optionally, the Oracle Key Vault compute instance can have a public IP that can be used to access the Oracle Key Vault management console. You can also optionally configure Oracle Key Vault to allow endpoints to use this public IP address (or an associated fully-qualified domain name) to communicate with it. You will also set up the network and configure it to ensure that network connectivity will exist between the endpoints and the OCI compute instances.

5.3.2.2 Step 1: Ensure That You Have Prerequisites in Place

Before you can launch an Oracle Key Vault compute instance, you must ensure that you have prerequisites in place in the Oracle cloud.

Ensure that the following are in place:
  • You have an Oracle cloud account.
  • You have access to your assigned Oracle cloud tenant.
  • You have enough Service Limits and Quotas to create new compute resources within Oracle cloud tenant.
5.3.2.3 Step 2: Find the Oracle Key Vault Image

The Oracle Key Vault image is available on the Oracle Cloud Marketplace web site.

  1. Go to the Oracle Cloud Marketplace web site.
  2. Log into your OCI tenancy and click Launch Instance.
  3. From within your OCI tenancy, do the following:
    1. Click All Applications.
    2. Enter Key Vault in the search bar to find the available Oracle Key Vault releases.
    3. Select the release of Oracle Key Vault that you want from the menu.
5.3.2.4 Step 3: Launch the Oracle Key Vault VM Compute Instance

You should perform the entire launching process in the Oracle Cloud Marketplace.

  1. In the Oracle Key Vault page, select Launch Instance.
  2. In the NAME field, replace the automatically generated instance name with something more meaningful for your deployments, for example OKV01, OKV02, and so on.
    The VMStandard 2.2 shape has been pre-selected. Larger shapes are recommended for production deployments.
  3. For the shape, select VM.Standard 2.2 or bigger. Then click Select Shape.
    Next, you are ready to configure the network.
  4. Select the Virtual Cloud Network (VCN).
  5. Select the subnet.
  6. Optionally, assign a public IP address, only for access to the Web Interface of Oracle Key Vault.
    All communication (including the RESTful services) between endpoints and Oracle Key Vault uses the private IP address. After all post-launch and post-installation steps are completed, you can optionally configure Oracle Key Vault to allow endpoints to communicate with it using its public IP address (or an associated fully-qualified domain name).
  7. Click Advanced Options, and then choose the Network tab.
    Here you can replace the default private address with another one. Both of these addresses must be within the range of your current subnet. In addition, you can change the host name to match your naming convention. Otherwise, the host name will be constructed from okv|MAC-address-of-NIC.
  8. Upload your SSH public key.
  9. In the Boot Volume area, do not select any settings.
  10. Click Create to complete the instance creation.
    In a moment, the Oracle Key Vault compute image starts and is made available as an Oracle Key Vault server.
At this stage, you must perform the post-launch and post-installation steps.
5.3.2.5 Step 4: Perform Post-Launch and Post-Installation Tasks

After you launch Oracle Key Vault in an OCI compute instance, you first perform the post-launch task, followed by post-installation tasks.

The post-launch task is to set the passwords for the root and support users. After you set these passwords, you must perform the post-installation tasks, which are the same tasks that are required for an on-premises deployment. After you complete the post-installation tasks, you can start building your Oracle Key Vault cluster or leave Oracle Key Vault in stand-alone mode.
  1. Set the passwords for the root and support users.
    1. In a command prompt, log in as the opc user. 
      ssh opc@Oracle_Key_Vault_OCI_IP_address
    2. Set the passwords for the root and support users
      set_password
      When prompted, enter and confirm the root password. After you successfully enter the root password, choose yes to also set the password of the support user. After both passwords have been set, the opc account is deleted and SSH into Oracle Key Vault is disabled.
      Only during upgrades, or when directed by Oracle Support, you can temporarily enable SSH from the Oracle Key Vault management console. You can then use SSH to log into the Oracle Key Vault server as the support user using the same SSH public key as the opc user.
  2. Perform the following post-installation tasks. For more information, see Performing Post-Installation Tasks .

    • Create the Oracle Key Vault administrator accounts and set the recovery passphrase.

    • Enter the NTP and DNS addresses, using one of the following choices:
      • Use the NTP server address as 169.254.169.254 in Oracle Cloud Infrastructure. Leave the remaining NTP fields empty.

      For the DNS settings, consult with your network team because there are multiple options depending how DNS is configured in your subnet and tenancy.

5.4 General Management of an Oracle Key Vault Compute Instance

You can perform many of the Oracle Key Vault compute instance general management tasks in the Oracle Key Vault management console.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.4.1 Starting, Restarting, or Stopping an Oracle Key Vault Compute Instance

Depending on the action you need, you can use the Oracle Key Vault management console or the OCI console.

You can use the Oracle Key Vault management console or OCI console to restart and stop an Oracle Key Vault compute instance, but to start an already stopped instance, you must use the OCI console.
Select one of the following methods to restart or stop an Oracle Key Vault compute instance:
  • From the Oracle Key Vault management console, you can restart or stop the Oracle Key Vault compute instance:
    1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
    2. Select System, then Status from the left navigation bar.
    3. In the Status page, do one of the following:
      • To restart, click Reboot.
      • To stop, click Power Off.

      Note:

      After powering off the Oracle Key Vault from management console, you need to stop the instance from OCI console too as the status on OCI console remain in running state.
  • From the OCI console, you can start, restart, or stop the Oracle Key Vault compute instance:
    1. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances.
    2. Select the Oracle Key Vault compute instance that you want to stop or start.
    3. Click one of the following actions:
      • To start a stopped instance, click Start.
      • To gracefully shut down the instance by sending a shutdown command to the operating system, click Stop.

        If the Oracle Key Vault compute instance takes a long time to shut down, it could be improperly stopped, resulting in data corruption. To avoid this, shut down the instance using the commands available in the operating system before you stop the instance using the console.

      • To gracefully restart the Oracle Key Vault compute instance by sending a shutdown command to the operating system, and then power the instance back on, click Reboot.

Parent topic: General Management of an Oracle Key Vault Compute Instance

5.4.2 System Settings in an Oracle Key Vault Compute Instance

Most system settings in an Oracle Key Vault compute instance are the same as an on-premises deployment, with a few exceptions.

Settings for system features such as auditing, email, RESTful services, integration Oracle Key Vault with Oracle Audit Vault is the same in both on-premises and OCI deployments.

  • You can configure an Oracle Key Vault host name in either the OCI console or in the Oracle Key Vault management console. However, remember that if you set the IP address of the host in the OCI console, later on, you cannot change it in either the OCI console or the Oracle Key Vault management console.
  • The SSH tunnel (deprecated) settings are used when on-premises Oracle Key Vault clusters provide key management services to Oracle databases that are deployed in OCI. Do not establish an SSH tunnel in OCI-based Oracle Key Vault deployments.

Parent topic: General Management of an Oracle Key Vault Compute Instance

5.4.3 Backup and Restore Operations for Oracle Key Vault Compute Instances

You can back up and restore Oracle Key Vault data between OCI environments and on-premises environments.

You can back up an Oracle Key Vault compute instance that is stored in an on-premises host: this is the same backup that will be restored. Another on-premises Oracle Key Vault server can be a backup location for a server that is being restored into an Oracle Key Vault compute instance.

Requirements are as follows:

  • If you are performing a backup or restore operation from Oracle Key Vault compute instances to an OCI compute instance, then persistent network connectivity to the OCI compute instance from Oracle Key Vault compute instance must exist.
  • If you want to perform a backup or restore operation between an Oracle Key Vault compute instance and an on-premises host, ensure that the VCN can span the on-premises hosts.

Parent topic: General Management of an Oracle Key Vault Compute Instance

5.4.4 Terminating an Oracle Key Vault Compute Instance

You terminate an Oracle Key Vault compute instance from the OCI console.

When you terminate the compute instance, all data, including keys that protect endpoints, are permanently lost and cannot be recovered except from a backup. Even backups may not have the most recent keys. Terminating the instances can lead to loss of data for all endpoints. Exercise extreme caution before terminating an instance. Terminate the Oracle Key Vault compute instance only if you are sure that you have a copy of the keys in another, safe location or that you do not need them.
  1. Log in to the OCI console.
  2. Under Core Infrastructure, go to Compute, and then click Instances.
  3. Select the name of the Oracle Key Vault compute instance that you want to remove.
  4. Click Terminate, and then respond to the confirmation prompt.
Terminated instances temporarily remain in the list of instances with the status Terminated.

Parent topic: General Management of an Oracle Key Vault Compute Instance

5.5 Migrating Oracle Key Vault Deployments Between On-Premises and OCI

You can migrate an Oracle Key Vault standalone, primary-standby or cluster deployment from an on-premises environment to OCI or back.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.5.1 About Performing Migrations with Oracle Key Vault Compute Instance Data

You can transition an Oracle Key Vault deployment from on-premises to OCI, and from OCI back to on-premises.

You can quickly set up a production Oracle Key Vault deployment in OCI to address your immediate key management needs and then transition to the on-premises deployment. Alternately, Oracle Key Vault compute instances require little to no overhead of hardware and VM management. To eliminate this overhead, you may want to transition your on-premises Oracle Key Vault deployment to OCI.

You can use the Oracle Key Vault backup and restore features to migrate an Oracle Key Vault cluster from on-premises to OCI, and back. You can transition an on-premises Oracle Key Vault cluster deployment to OCI by adding Oracle Key Vault compute instances to the cluster and removing on-premises Oracle Key Vault nodes from the cluster. The cluster is fully transitioned to OCI when no on-premises Oracle Key Vault node is left in the cluster. Similarly, you can also transition an Oracle Key Vault cluster in OCI to on-premises.

Parent topic: Migrating Oracle Key Vault Deployments Between On-Premises and OCI

5.5.2 Migrating Oracle Key Vault Deployments into OCI Using Backup and Restore

A user who has the System Administrator role can transition the Oracle Key Vault deployment from on-premises to OCI using backup and restore.

  1. Log in to the on-premises Oracle Key Vault server as a user who has the System Administrator role.
  2. Configure an OCI compute instance as the backup destination.
  3. Back up the on-premises Oracle Key Vault server to an OCI compute instance.
  4. Launch an Oracle Key Vault compute instance with same Oracle Key Vault version as the on-premises Oracle Key Vault server.
  5. Log in to the Oracle Key Vault compute instance as a user who has the System Administrator role.
  6. Restore the backup from the OCI compute instance to the newly installed Oracle Key Vault compute instance.
  7. To set up an Oracle Key Vault multi-master cluster, convert the restored Oracle Key Vault compute instance as the first (initial) node of the cluster.
  8. Configure additional Oracle Key Vault compute instances and add them to the cluster as needed.

Related Topics

Parent topic: Migrating Oracle Key Vault Deployments Between On-Premises and OCI

5.5.3 Migrating Oracle Key Vault Deployments Out of OCI Using Backup and Restore

A user who has the System Administrator role can transition the Oracle Key Vault deployment from OCI to on-premises.

  1. Log in to the Oracle Key Vault compute instance as a user who has the System Administrator role.
  2. Back up the Oracle Key Vault compute instance to an on-premises system.
  3. Install a new Oracle Key Vault server on-premises with same Oracle Key Vault version as the Oracle Key Vault compute instance.
  4. Log in to the on-premise Oracle Key Vault server as a user who has the System Administrator role.
  5. Restore the backup from the on-premises backup destination to the newly installed on-premises Oracle Key Vault server.
  6. To set up an Oracle Key Vault multi-master cluster, convert the restored on-premises Oracle Key Vault server as the first (initial) node of the cluster.
  7. Configure additional Oracle Key Vault compute instances and add them to the cluster as needed.

Related Topics

Parent topic: Migrating Oracle Key Vault Deployments Between On-Premises and OCI

5.6 Creating Oracle Key Vault Image in Microsoft Azure

Oracle Key Vault provides deployment and provisioning in Azure.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.6.1 About Provisioning Oracle Key Vault in Microsoft Azure

You can provision Oracle Key Vault in Microsoft Azure.

To provide familiar, continuously available, extremely scalable, and fault-tolerant key management for your Oracle databases in Azure (including ExaDB-D@Azure), you can install and create an Oracle Key Vault multi-master cluster in Microsoft Azure, or extend on-premises Oracle Key Vault deployments with Oracle Key Vault cluster nodes in Microsoft Azure. You can also move an on-premises Oracle Key Vault cluster to Microsoft Azure by removing the on-premises nodes from the cluster.

Parent topic: Creating Oracle Key Vault Image in Microsoft Azure

5.6.2 Create an Oracle Key Vault Base Image for Microsoft Azure

You can create an Oracle Key Vault cluster in Microsoft Azure by first creating a Base Image, and then creating Oracle Key Vault cluster nodes from it.

  • Ensure that you have installed and configured Azure CLI.
  • Ensure that you have setup a container under Storage Accounts to store the VM disk used for preparing the Oracle Key Vault image for Azure.
  1. On a separate machine outside, install Oracle VM VirtualBox.
  2. Create a virtual machine on Oracle VM VirtualBox, with Linux 8, Oracle (64 bit) as the Operating System.
    1. The minimum RAM for the Base Image is 8 GB.
    2. The minimum disk size for production deployments is 2 TB (recommended 4 TB); ensure to create the virtual hard disk as Fixed size and in the VHD format.
  3. Create the empty VM shell with the settings from above (OL8, RAM, disk size). Do not install anything at this point.
  4. Mount the installer.iso image to the virtual machine and boot the virtual machine.

    Note:

    Do not go to the post-install steps; instead, run the script that makes this Oracle Key Vault a template to clone.
  5. Install an Oracle Key Vault instance on the virtual machine. Do not complete any post installation steps.
  6. Log in as root on the virtual machine console.
  7. Re-attach the Oracle Key Vault installation iso image to the first drive of the virtual machine before running the script in the next step.
  8. Run the following command: /usr/local/okv/bin/okv_export_cloud_image azure. This script prepares the system to be exported as a base image that will be later uploaded to Microsoft Azure.
  9. Shutdown the virtual machine.
  10. Upload the virtual machine’s disk file to a container under storage accounts using azure CLI: az storage blob upload --account-name <storage_account_name> --container-name <container_name> --name <blob_name>.vhd --file <VM_DISK_FILE>.vhd
  11. Create Image from the VHD file using these steps:
    1. Login to Azure portal and navigate to Images.
    2. Click Create.
    3. On the Create an image page, complete the information as applicable. The required options include:
      • Storage blob: Specify blob_name.vhd from the storage accounts container uploaded before this step.
      • OS Type: Linux
      • VM generation: Select Gen1 (BIOS) or Gen2 (UEFI) to match your VirtualBox virtual machine setting.
    4. Click Create + Review. Review the details of the image before it is created.
    5. Click Create.
      Once the deployment is complete, the image is ready for use.

Parent topic: Creating Oracle Key Vault Image in Microsoft Azure

5.6.3 Launching an Oracle Key Vault Cluster Node (Instance) from the Base Image

Perform the steps to launch an Oracle Key Vault instance.

  1. Login to Azure portal and navigate to Images
  2. Click the Oracle Key Vault image.
    Consider these settings for the options.
    • Size : Select a VM size with at least 16 GB RAM (recommended 32 GB).
    • Authentication type: Select SSH public key.
    • Username: Enter opc. Do not use the default user name azureuser.
    • Public inbound ports: Select Allow selected ports.
    • Select inbound ports:Under Network settings, configure security group that allows HTTPS (443) and SSH (22). The required ports are open for external connection. You may need to open additional ports, see Network Port Requirements to allow access of additional services or functionality of Oracle Key Vault instance externally.
  3. Complete post-installation steps. For more information, see Step 4: Perform Post-Launch and Post-Installation Tasks.

Parent topic: Creating Oracle Key Vault Image in Microsoft Azure

5.7 Creating Oracle Key Vault Image in Amazon AWS

Oracle Key Vault provides deployment and provisioning in AWS.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.7.1 About Provisioning Oracle Key Vault in Amazon AWS

You can provision Oracle Key Vault in Amazon AWS.

Oracle Key Vault deployments in your on-premises data centers can be extended with Oracle Key Vault cluster nodes in Amazon AWS. You can also move an on-premises Oracle Key Vault cluster to Amazon AWS by removing the on-premises nodes from the cluster.

Parent topic: Creating Oracle Key Vault Image in Amazon AWS

5.7.2 Creating Oracle Key Vault Image on AWS

Create a Base Image first to launch Oracle Key Vault cluster nodes (instances).

  • Before proceeding make sure that you have installed AWS CLI. You are also required to create user roles. For more information, see Create User Roles
  • Ensure that you have setup an Amazon S3 bucket to store the VM disk used for preparing the Oracle Key Vault image for AWS.
  • Ensure the AWS user has the vmimport role.
  1. On a separate machine outside, install Oracle VM VirtualBox.
  2. Create a virtual machine on Oracle VM VirtualBox, with Linux 8, Oracle (64 bit) as the Operating System.
    1. The minimum RAM for the Base Image is 8 GB.
    2. The minimum disk size for production deployments is 2 TB (recommended 4 TB); ensure to create the virtual hard disk as the VHD format.
  3. Create the empty VM shell with the settings from above (OL8, RAM, disk size). Do not install anything at this point.
  4. Mount the installer.iso image to the virtual machine and boot the virtual machine.

    Note:

    Do not go to the post-install steps; instead, run the script that makes this Oracle Key Vault a template to clone.
  5. Install an Oracle Key Vault instance on the virtual machine. Do not complete any post installation steps.
  6. Log in as root on the virtual machine console.
  7. Re-attach the Oracle Key Vault installation iso image to the first drive of the virtual machine before running the script in the next step.
  8. Run the following command: /usr/local/okv/bin/okv_export_cloud_image aws. This script prepares the system to be exported as a base image that will be later uploaded to Amazon Azure.
  9. Shutdown the virtual machine.
  10. Upload the VM’s disk file to an Amazon S3 bucket using AWS CLI: aws s3 cp <VM_DISK_FILE>.vhd s3://<s3_bucket_name>/<VM_DISK_FILE>.vhd
  11. Create a disk container JSON file. The following is an example of container.json :
    {
    "Description": "<image_description>”,
    "Format": "vhd",
    "UserBucket": {
        "S3Bucket": “<s3_bucket_name>”,
        "S3Key": "<VM_DISK_FILE>.vhd"
    }
}
  12. Import the disk as a snapshot, use the command, aws ec2 import-snapshot --disk-container file://container.json.

    The output appears similar to the following example:

    {
    "ImportTaskId": "import-snap-031f7b5abe599ae94",
    "SnapshotTaskDetail": {
        "DiskImageSize": 0.0,
        "Progress": "0",
        "Status": "active",
        "StatusMessage": "pending",
        "UserBucket": {
            "S3Bucket": "<s3_bucket_name>",
            "S3Key": "<VM_DISK_FILE>.vhd"
        }
    },
    "Tags": []
}
  13. You can monitor the status of the snapshot import by using the ImportTaskId from the output of the previous command. 
    aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-031f7b5abe599ae94
    {
    "ImportSnapshotTasks": [
        {
            "ImportTaskId": "import-snap-031f7b5abe599ae94",
            "SnapshotTaskDetail": {
                "DiskImageSize": 7654604800.0,
                "Format": “VHD",
                "Progress": "43",
                "Status": "active",
                "StatusMessage": "downloading/converting",
                "UserBucket": {
                    "S3Bucket": "<s3_bucket_name>",
                    "S3Key": "<VM_DISK_FILE>.vhd"
                }
            },
            "Tags": []
        }
    ]
}
  14. Create an AMI image from the imported snapshot.
    1. Go to the AWS EC2 Dashboard.
    2. Select Snapshots, under Elastic Block Store.
    3. Search for the snapshot ID, for example, snap-031f7b5abe599ae94.
    4. Click the snapshot ID.
    5. Under Actions, select Create image from snapshot.
    6. Specify image settings.
      1. Enter Image name.
      2. Under Virtualization type, choose Hardware-assisted virtualization.
      3. Choose Boot mode to match your VM setting provided.
      4. Maintain the default settings for remaining fields.
    7. Click Create. After successful creation, a note with a link to the image appears.

Parent topic: Creating Oracle Key Vault Image in Amazon AWS

5.7.3 Launching an Oracle Key Vault Cluster Node (Instance) from the Base Image

Perform the steps to launch an Oracle Key Vault cluster node (instance).

  1. Go to the AWS EC2 dashboard.
  2. Select AMIs under the Images folder from the left window pane.
  3. Click the Oracle Key Vault image to launch.
  4. Click Launch Instance from the AMI.
  5. Provide the details in Launch an Instance page.
    Consider these settings for the options:
    1. Instance type: Make sure that the selected instance type has enough memory space as configured in the Oracle Key Vault image.
    2. Under Network settings, configure security group that allows HTTPS (443) and SSH (22). The required ports are open for external connection. You may need to open additional ports, see Network Port Requirements to allow access of additional services or functionality of Oracle Key Vault instance externally.
  6. Click Launch Instance.
  7. Complete post-installation steps. for more information , see Step 4: Perform Post-Launch and Post-Installation Tasks.

Parent topic: Creating Oracle Key Vault Image in Amazon AWS

5.8 Creating Oracle Key Vault Image in Google Cloud

Oracle Key Vault provides deployment and provisioning in Google Cloud.

Parent topic: Deploying Oracle Key Vault on an Oracle Cloud Infrastructure VM Compute Instance

5.8.1 About Provisioning Oracle Key Vault in Google Cloud

You can provision Oracle Key Vault in Google Cloud.

To provide familiar, continuously available, extremely scalable, and fault-tolerant key management for your Oracle Databases in Google Cloud (including ExaDB-D@GCP), you can install and create an Oracle Key Vault multi-master cluster in Google Cloud, or extend on-premises Oracle Key Vault deployments with Oracle Key Vault cluster nodes in Google Cloud. You can also move an on-premises Oracle Key Vault cluster to Google Cloud by removing the on premises nodes from the cluster.

Parent topic: Creating Oracle Key Vault Image in Google Cloud

5.8.2 Creating Oracle Key Vault Image for Google Cloud

You can create an Oracle Key Vault cluster in Google Cloud by first creating a Base Image, and then creating Oracle Key Vault cluster nodes from it.

  • Ensure that you have installed and configured Google Cloud CLI.
  • Ensure that you have set up a bucket under Cloud Storage to store the VM disk used for preparing the Oracle Key Vault image for Google Cloud.
  1. On a separate machine outside, install Oracle VM VirtualBox.
  2. Create a virtual machine on Oracle VM VirtualBox, with Linux 8, Oracle (64 bit) as the Operating System.
    1. The minimum RAM for the Base Image is 8 GB.
    2. The minimum disk size for production deployments is 2 TB (recommended 4 TB); ensure to create the virtual hard disk in the VMDK format.
    3. Unified Extensible Firmware Interface (UEFI) is required if disk size is greater than 2 TB.
  3. Create the empty VM shell with the settings from above (Oracle Linux 8, RAM, disk size). Do not install anything at this point.
  4. Mount the installer.iso image to the virtual machine and boot the virtual machine.

    Note:

    Do not run the post-install steps; instead, run the script that makes this Oracle Key Vault a template to clone.
  5. Install an Oracle Key Vault instance on the virtual machine. Do not complete any post-installation steps.
  6. Log in as root on the virtual machine console.
  7. Reattach the Oracle Key Vault installation iso image to the first drive of the virtual machine before running the script in the next step.
  8. Run the following commands: 
    /usr/local/okv/bin/okv_export_cloud_image oci
/usr/local/okv/bin/okv_enable_vm_clone_utility set_cloud_platform_flag "GCP"

    Note:

    This script prepares the system to be exported as a base image that will be later uploaded to Google Cloud Platform (GCP).
  9. Shut down the virtual machine.
  10. Upload the disk file of the virtual machine to a bucket under cloud storage using the following Google Cloud CLI command: 
    gcloud storage cp <VM_DISK_FILE>.vmdk gs://<bucket_name>
  11. Create an image from the VMDK file using Google Cloud CLI:
    1. Run the following command: 
      gcloud compute images import <image_name> --source-file gs://<bucket_name>/<VM_DISK_FILE>.vmdk 
--guest-os-features=UEFI_COMPATIBLE --data-disk --async --timeout=12h

    Note:

    You can monitor the import progress using the link available in the output of the command.

Parent topic: Creating Oracle Key Vault Image in Google Cloud

5.8.3 Launching an Oracle Key Vault Instance from the Image

Perform the steps to launch an Oracle Key Vault cluster node (instance).

  1. Go to the Google Cloud dashboard.
  2. Select Compute Engine, Images from the left navigation menu.
  3. Click the Oracle Key Vault image.
  4. Click CREATE INSTANCE from the menu bar.
  5. Select the required options to create the instance in CREATE INSTANCE.
    Use the following settings to configure the SSH access:
    1. From the Advanced options drop-down list, select Security and then MANAGE ACCESS.
    2. Click ADD ITEM to add the SSH key.
    3. The SSH key must have opc user name at the end. For example, 
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZpsXjpc1KJO4i2XZKOTTSL/F5r9ZKU+i5aHgcSFngj opc

    Consider these settings for the options.

    • Machine configuration: Make sure that the selected Machine type has enough RAM as configured in the Oracle Key Vault image.
    • In the Firewall settings, allow HTTPS traffic.
    • Verify if the required ports are open for external connection. You may need to open additional ports, see Network Port Requirements to allow access of additional services or functionality of Oracle Key Vault instance externally.
  6. Click CREATE.
  7. Complete post-installation steps. For more information, see Step 4: Perform Post-Launch and Post-Installation Tasks.

Parent topic: Creating Oracle Key Vault Image in Google Cloud