Upgrading a Primary-Standby Oracle Key Vault Server

8 Upgrading a Primary-Standby Oracle Key Vault Server

This upgrade includes the Oracle Key Vault server software and utilities that control the associated endpoint software

About Upgrading a Primary-Standby Oracle Key Vault Server
When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.
Step 1: Back Up the Server Before You Upgrade
Before you upgrade the Oracle Key Vault server, perform a one-time backup to a remote destination so that you can recover data in case the upgrade fails.
Step 2: Perform Pre-Upgrade Tasks for the Primary-Standby Oracle Key Vault
To ensure a smooth upgrade to Oracle Key Vault, you should prepare the server you are upgrading.
Step 3: Add Disk Space to Extend the vg_root for the Release 21.9 Upgrade
Before upgrading to Oracle Key Vault release 21.9, you will need to extend the vg_root to increase disk space.
Step 4: Upgrade the Oracle Key Vault Primary-Standby Pair
You can upgrade a pair of Oracle Key Vault servers in a primary-standby deployment.
Step 5: If Necessary, Add Disk Space to Extend Swap Space
If necessary, extend the swap space on both the primary and standby servers.
Step 6: If Necessary, Remove Old Kernels
Oracle recommends that for both the primary and standby servers, you clean up the older kernels that were left behind after the upgrade.
Step 7: If Necessary, Remove SSH-Related DSA Keys
For both the primary and standby servers, you should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.
Step 8: Checking for Patch Updates
Check if additional patches are applicable to your environment. Oracle recommends that you check for patches after installing or upgrading to the Oracle Key Vault release.
Step 9: Upgrade the Endpoint Software
You must reenroll endpoints created in earlier releases of Oracle Key Vault, or update the endpoint software.
Step 9: Back Up the Upgraded Oracle Key Vault Server
You must perform server backup and user password tasks after completing a successful upgrade.

8.1 About Upgrading a Primary-Standby Oracle Key Vault Server

When you upgrade the Oracle Key Vault server software appliance, also upgrade the endpoint software to get access to the latest enhancements.

However, the endpoint software downloaded from the previous Oracle Key Vault release will continue to function with the upgraded Oracle Key Vault server. Be aware that while the old endpoint software will continue to work with the upgraded Oracle Key Vault server, the new endpoint functionality may not work.

You must upgrade in the order shown: first perform a full backup of Oracle Key Vault, upgrade the Oracle Key Vault primary-standby server pair, upgrade the endpoint software, and last, perform another full backup of the upgraded server. Note that upgrading requires a restart of the Oracle Key Vault server.

The Oracle Key Vault server is not available to endpoints for a limited duration during the upgrade. You can enable the persistent cache feature to enable endpoints to continue operation during the upgrade process.

Before you begin the upgrade, refer to Oracle Key Vault Release Notes for additional information about performing upgrades.

8.2 Step 1: Back Up the Server Before You Upgrade

Before you upgrade the Oracle Key Vault server, perform a one-time backup to a remote destination so that you can recover data in case the upgrade fails.

Caution:

Do not bypass this step. Back up the server before you perform the upgrade so that your data is safe and recoverable.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.3 Step 2: Perform Pre-Upgrade Tasks for the Primary-Standby Oracle Key Vault

To ensure a smooth upgrade to Oracle Key Vault, you should prepare the server you are upgrading.

In the server where Oracle Key Vault is installed, log in as user support, and then switch to the root user.
Ensure that the server meets the minimum disk space requirement, 6 GB of free disk space, for an upgrade. If the /usr/local/dbfw/tmp directory does not have sufficient free space, then delete any diagnostics .zip files that maybe stored in that directory.
Check the boot partition size. If any of the nodes in question have a boot partition that is less than 500 MB, then you cannot upgrade that system to the new release. You can check this size as follows:
1. Mount the /boot partition.
```
# mount /boot
```
2. Check the Size column given by the following command:
```
# df -h /boot
```
3. Unmount the /boot partition:
```
# umount /boot
```
If the boot partition given by this command shows less than 488 MB, then you cannot upgrade to the current release. Oracle recommends that you restore a backup of the current configuration to a freshly installed system of the same release as the current system, and upgrade that to the new release instead.
If Oracle Key Vault is using the BIOS boot mode, then ensure that the disk size is not greater than 2 TB. If this is the case, then you cannot upgrade to the current release. Oracle recommends that you restore a backup of the current configuration onto a system with a disk that is less than 2 TB in size, and upgrade that to the new release instead.
If you need to increase available disk space, then remove the temporary jar files located in /usr/local/okv/ssl. Be careful in doing so. If you accidentally delete any files other than the jar files in /usr/local/okv/ssl, then the Oracle Key Vault server becomes non-functional.
Increase your disk space by extending the vg_root size.
You must increase the disk space by extending vg_root before you perform the upgrade.
Ensure that no full or incremental backup jobs are running. Delete all scheduled full or incremental backup jobs before the upgrade.

Plan for downtime according to the following specifications:

Oracle Key Vault Usage	Downtime required
Wallet upload or download	NO
Java Keystore upload or download	NO
Transparent Data Encryption (TDE) direct connect	YES (NO with persistent cache)
Primary Server Upgrade in a primary-standby deployment	YES (NO with persistent cache)

Plan for downtimes.
- If Oracle Key Vault uses an online master encryption key, then plan for a downtime of 15 minutes during the Oracle Database endpoint software upgrades. Database endpoints can be upgraded in parallel to reduce total downtime.
- Plan for a downtime of a few hours. The persistent cache allows you to upgrade Oracle Key Vault servers without database downtime. The default duration of the persistent cache from the moment the Oracle Key Vault server becomes unavailable is 1,440 minutes (one day).
If the Oracle Key Vault system has a syslog destination configured, ensure that the remote syslog destination is reachable from the Oracle Key Vault system, and that logs are being correctly forwarded. If the remote syslog destination is not reachable from the Oracle Key Vault system, then the upgrade process can become much slower than normal.
If Oracle Audit Vault was integrated with Oracle Key Vault in Oracle Key Vault release 21.2 or earlier, then do the following on the primary server (but not the standby) to disable and remove the Oracle Audit Vault integration:
1. Disable the Oracle Audit Vault integration: Log into the Oracle Key Vault management console as a System Administrator, select the System tab and then Settings from the left navigation bar. In the Monitoring and Alerts pane, select Audit Vault. In the Audit Vault integration pane that appears, disable Oracle Audit Vault. Click Save.
2. Perform the remaining steps in this procedure on each server where the Oracle Audit Vault integration was configured.
3. Log in to the Oracle Key Vault server through SSH as user support, switch user su to root and then switch user su to oracle.
4. Stop the agent by executing the following command:
```
agent_installation_directory/bin/agentctl stop
```
5. Log in to the Oracle Audit Vault Server console as an Oracle Audit Vault administrator.
6. Delete the corresponding agent and target.
7. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
8. Delete the installation directory for the Oracle Audit Vault agent.
Ensure that the Oracle Key Vault server certificate has not expired, nor is close to expiry, before you begin the upgrade.
You can find how much time the Oracle Key Vault server certificate has before it expires by checking the OKV Server Certificate Expiration setting on the Configure Alerts page in the Oracle Key Vault management console.
If you are performing an upgrade while using an HSM as a Root of Trust, then consult Oracle Key Vault Root of Trust HSM Configuration Guide for any additional steps that may be needed.

8.4 Step 3: Add Disk Space to Extend the vg_root for the Release 21.9 Upgrade

Before upgrading to Oracle Key Vault release 21.9, you will need to extend the vg_root to increase disk space.

If you are upgrading from an earlier Oracle Key Vault release 21.x release and have already extended the vg_root, then you can bypass this step.

Before you start this procedure, ensure that all endpoints have persistent cache enabled and in use.

Log in to the server for which you will perform the upgrade and switch user as root.
Ensure that the persistent cache settings for Oracle Key Vault have been set.
You will need to ensure that the persistent cache has been enabled because in a later step in this procedure, you must shut down the server. Shutting down the Oracle Key Vault server will incur downtime. To avoid any downtime, Oracle recommends that you turn on persistent cache.
Run the vgs command to determine the free space
```
vgs
```
The VFree column shows how much free space you have (for example, 21 GB).
Power off the server in order to add a new disk
```
/sbin/shutdown -h now
```
Add a new disk to the server with a capacity of 100 GB or greater
Start the server.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```

Stop the Oracle Key Vault services.

service tomcat stop;
service httpd stop;
service kmipus stop;
service kmip stop;
service okvogg stop;
service javafwk stop;
service monitor stop;
service controller stop;
service dbfwlistener stop;
service dbfwdb stop;
service rsyslog stop;

Run the fdisk -l command to find if there are any available partitions on the new disk.
```
fdisk -l
```
At this stage, there should be no available partitions.
Run the fdisk disk_device_to_be_added command to create the new partition.
For example, to create a disk device named /dev/sdb:
```
fdisk /dev/sdb
```
In the prompts that appear, enter the following commands in sequence:
- n for new partition
- p for primary
- 1 for partition number
- Accept the default values for cylinder (press Enter twice).
- w to write and exit
Use the pvcreate disk_device_partition command to add the newly added disk to the physical volume.
For example, for a disk device named /dev/sdb1, which is the name of the disk partition that you created (based on the name used for the disk device that was added).
```
pvcreate /dev/sdb1
```
Output similar to the following appears:
```
Physical volume "/dev/sdb1" successfully created
```
Use the vgextend vg_root disk_device_partition command to extend the logical volume with this disk space that you just added.
For example, for the partition /dev/sdb1, you would run:
```
vgextend vg_root /dev/sdb1
```
Output similar to the following appears:
```
Volume group "vg_root" successfully extended
```
Run the vgs command again to ensure that VFree shows an increase of 100 GB.
```
vgs
```
Output similar to the following appears:
```
VG      #PV #LV #SN Attr   VSize   VFree
vg_root   2  12   0 wz--n- 598.75g <121.41g
```
Restart the Oracle Key Vault server.
```
/sbin/reboot
```
For primary-standby deployments, ensure that the primary and standby nodes sync up before proceeding further with next steps.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.5 Step 4: Upgrade the Oracle Key Vault Primary-Standby Pair

You can upgrade a pair of Oracle Key Vault servers in a primary-standby deployment.

About Upgrading an Oracle Key Vault Server Primary-Standby Pair
In a primary-standby deployment you must upgrade both primary and standby Oracle Key Vault servers.
Upgrading a Pair of Primary-Standby Oracle Key Vault Servers
You should allocate several hours to upgrade the primary server after upgrading the standby.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.5.1 About Upgrading an Oracle Key Vault Server Primary-Standby Pair

In a primary-standby deployment you must upgrade both primary and standby Oracle Key Vault servers.

Note that persistent caching enables endpoints to continue to be operational during the upgrade process.

Note:

If you are upgrading from a system with 4 GB RAM, first add an additional 12 GB memory to the system before upgrading.

Related Topics

Oracle Key Vault Administrator's GuideAbout the Persistent Encryption Master Key Cache

Parent topic: Step 4: Upgrade the Oracle Key Vault Primary-Standby Pair

8.5.2 Upgrading a Pair of Primary-Standby Oracle Key Vault Servers

You should allocate several hours to upgrade the primary server after upgrading the standby.

You must perform the upgrade of standby and primary servers in one session with as little time between the standby and primary upgrade. The upgrade time is approximate and a function of the volume of data stored and managed by Oracle Key Vault. For large volumes of data, the upgrade time may be longer than several hours.

For both primary and standby servers in the primary-standby configuration, prepare for upgrade.
- Ensure that both the primary and standby systems have at least 16 GB memory.
- Add disk space to extend the vg_root.
- While the upgrade is in progress, do not change any settings or perform any other operations that are not part of the upgrade instructions below.
- Upgrade the Oracle Key Vault server during a planned maintenance window because the upgrade process requires the endpoints to be shut down during the upgrade, if no persistent cache has been configured. With persistent cache enabled, endpoints will continue to be operational during the upgrade process.
Ensure that you have backed up the server you are upgrading so your data is safe and recoverable.
Ensure that in the time between the backup and shutting down the Oracle Key Vault servers for upgrade, that no databases perform a set or rekey operation (for example, using the ADMINISTER KEY MANAGEMENT statement), since these new keys will not be included in the backup.

Do not proceed without completing this step.
First, upgrade the standby server while the primary server is running.
1. Log into the Oracle Key Vault management console as a user who has the System Administrator role.
2. Ensure that SSH access is enabled.
3. Ensure you have enough space in the destination directory for the upgrade ISO files.
4. Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
  If the SSH connection times out while you are executing any step of the upgrade, then the operation will not complete successfully. Oracle recommends that you ensure that you use the appropriate values for the ServerAliveInterval and ServerAliveCountMax options for your SSH sessions to avoid upgrade failures.
  Using the tmux command prevents network disconnections interrupting the upgrade. If the session terminates, resume as follows:
```
root# tmux a
```
5. Copy the upgrade ISO file to the destination directory using Secure Copy Protocol or other secure transmission method.
  Note that the upgrade ISO file is not the installation ISO file that you downloaded from eDelivery. You can download the Oracle Key Vault upgrade software from the My Oracle Support website at https://support.oracle.com/portal/.
```
root# scp remote_host:remote_path/okv-upgrade-disc-new_software_release.iso /var/lib/oracle
```
  In this specification:
  - remote_host is the IP address of the computer containing the ISO upgrade file.
  - remote_path is the directory of the ISO upgrade file. Do not copy this file to any location other than the /var/lib/oracle directory.
6. Make the upgrade accessible by using the mount command:
```
root# /bin/mount -o loop,ro /var/lib/oracle/okv-upgrade-disc-new_software_release.iso /images
```
7. Clear the cache using the clean all command:
```
root# yum -c /images/upgrade.repo clean all
```
8. Apply the upgrade with upgrade.rb command:
```
root# /usr/bin/ruby /images/upgrade.rb --confirm
```
  If the system is successfully upgraded, then the command will display the following message:
  
  Remove media and reboot now to fully apply changes.
  
  If you see an error message, then check the log file /var/log/messages for additional information.
9. Restart the Oracle Key Vault server by running reboot command:
```
root# /sbin/reboot
```
  On the first restart of the computer after the upgrade, the system will apply the necessary changes. This can take a few hours. Do not shut down the system during this time.
  
  The upgrade is completed when the screen with heading: Oracle Key Vault Server new_software_release appears. The revision should reflect the upgraded release.
Ensure that the upgraded standby Oracle Key Vault server is restarted and running.
Upgrade the primary Oracle Key Vault server following same steps that you followed for the standby server in Step 3.

After both the standby and primary Oracle Key Vault servers are upgraded, the two servers will automatically synchronize.
Log in to the Oracle Key Vault management console as a user with the System Administrator role.
Select the System tab, and then Status.
Verify that the Version field displays the new software version.
If your site uses the Commercial National Security Algorithm (CNSA) suite, then re-install these algrorithms onto the primary and standby servers.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Step 4: Upgrade the Oracle Key Vault Primary-Standby Pair

8.6 Step 5: If Necessary, Add Disk Space to Extend Swap Space

If necessary, extend the swap space on both the primary and standby servers.

Oracle Key Vault release 21.9 requires a hard disk size greater than or equal to 1 TB in size with approximately 64 GB of swap space. If your system does not meet this requirement, follow these instructions to extend the swap space. You can check how much swap space you have by running the swapon -s command. By default, Oracle Key Vault releases earlier than release 18.1 were installed with approximately 4 GB of swap space. After you complete the upgrade to release 18.1 or later, Oracle recommends that you increase the swap space allocation for the server on which you upgraded Oracle Key Vault. A new Oracle Key Vault installation is automatically configured with sufficient swap space. However, if you upgraded from a previous release, and your system does not have the desired amount of swap space configured, then you must manually add disk space to extend the swap space, particularly if the intention is to convert the upgraded server into the first node of a multi-master cluster.

Log in to the server in which you upgraded Oracle Key Vault and connect as root.
Check the current amount of swap space.
```
[root@my_okv_server support]# swapon -s
```
Output similar to the following appears. This example shows that the system has 4 GB of swap space.
```
Filename Type Size Used Priority
/dev/dm-0 partition 4194300 3368 -1
```
There must be 64 GB of swap space if the disk is greater than 1 TB in size.
Run the vgs command to determine how much free space is available.
```
vgs
```
The VFree column shows how much free space you have (for example, 21 GB).
Power off the server in order to add a new disk.
```
/sbin/shutdown -h now
```
Add a new disk to the server of a size that will bring the VFree value to over 64 GB.
Start the server.
Log in to the Oracle Key Vault server through SSH as user support, then switch user su to root.
```
ssh support@okv_server_IP_address
su - root
```
Run the fdisk -l command to find if there are any available partitions on the new disk.
```
fdisk -l
```
At this stage, there should be no available partitions.
Run the fdisk disk_device_to_be_added command to create the new partition.
For example, to create a disk device named /dev/sdc:
```
fdisk /dev/sdc
```
In the prompts that appear, enter the following commands in sequence:
- n for new partition
- p for primary (for primary partition)
- 1 for partition number
- Accept the default values for cylinder (press Enter twice).
- w to write and exit
Use the pvcreate disk_device_partition command to add the newly added disk to the physical volume.
For example, for a disk device named /dev/sdc1, which is the name of the disk partition that you created (based on the name used for the disk device that was added).
```
pvcreate /dev/sdc1
```
Output similar to the following appears:
```
Physical volume "/dev/sdc1" successfully created
```
Use the vgextend vg_root disk_device_partition command to extend the logical volume with this disk space that you just added.
For example, for the partition /dev/sdc1, you would run:
```
vgextend vg_root /dev/sdc1
```
Output similar to the following appears:
```
Volume group "vg_root" successfully extended
```
Run the vgs command again to ensure that VFree shows an increase of 64 GB.
```
vgs
```

Disable swapping.

[root@my_okv_server support]# swapoff -v /dev/vg_root/lv_swap

To extend the swap space, run the lvresize command.

[root@my_okv_server support]# lvresize -L +60G /dev/vg_root/lv_swap

Output similar to the following appears:

Size of logical volume vg_root/lv_swap changed from 4.00 GiB (128 extents) to 64.00 GiB (2048 extents)
Logical volume lv_swap successfully resized.

Format the newly added swap space.

[root@my_okv_server support]# mkswap /dev/vg_root/lv_swap

Output similar to the following appears:

mkswap: /dev/vg_root/lv_swap: warning: don't erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version 1, size = 67108860 KiB
no label, UUID=fea7fc72-0fea-43a3-8e5d-e29955d46891

Enable swapping again.

[root@my_okv_server support]# swapon -v /dev/vg_root/lv_swap

Verify the amount of swap space that is available.

[root@my_okv_server support]# swapon -s

Output similar to the following appears:

Filename Type Size Used Priority 
/dev/dm-0 partition 67108860 0 -1

Restart the Oracle Key Vault server.
```
/sbin/reboot
```
For primary-standby deployments, ensure that the primary and standby nodes sync up before proceeding further with next steps.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.7 Step 6: If Necessary, Remove Old Kernels

Oracle recommends that for both the primary and standby servers, you clean up the older kernels that were left behind after the upgrade.

While the older kernel is not in use, it may be marked as an issue by some code analysis tools.

Log in to the Oracle Key Vault server as the support user.
Switch to the root user.
```
su - root
```
Mount /boot if it was not mounted on the system.
1. Check if the /boot is mounted. The following command should display /boot information if it was mounted.
```
df -h /boot;
```
2. Mount it if /boot is not mounted.
```
/bin/mount /boot;
```
  For EFI-based systems, you may need to mount /boot/efi if it is not already mounted.
```
/bin/mount /boot/efi 
```
Check the installed kernels and the running kernel.
1. Search for any kernels that are installed.
```
rpm -q kernel-uek | sort;
```
  The following example output shows that two kernels are installed:
```
kernel-uek-4.1.12-103.9.4.el6uek.x86_64
kernel-uek-4.1.12-112.16.7.el6uek.x86_64
```
2. Check the latest kernel.
```
uname -r;
```
  The following output shows an example of a kernel version that was installed at the time:
```
4.1.12-112.16.7.el6uek.x86_64
```
  This example assumes that 4.1.12-112.16.7.el6uek.x86_64 is the latest version, but newer versions may be available by now. Based on this output, you will need to remove the kernel-uek-4.1.12-103.9.4.el6uek.x86_64 kernel. You should remove all kernels that are older than the latest kernel.

Remove the older kernel and its associated RPMs.

For example, to remove the kernel-uek-4.1.12-103.9.4.el6uek.x86_64 kernel:

yum --disablerepo=* remove `rpm -qa | grep 4.1.12-103.9.4.el6uek`;

Output similar to the following appears:

Loaded plugins: security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package kernel-uek.x86_64 0:4.1.12-103.9.4.el6uek will be erased
---> Package kernel-uek-devel.x86_64 0:4.1.12-103.9.4.el6uek will be erased
---> Package kernel-uek-firmware.noarch 0:4.1.12-103.9.4.el6uek will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================
 Package               Arch    Version                Repository                                            Size
=================================================================================================================
Removing:
 kernel-uek            x86_64  4.1.12-103.9.4.el6uek  @anaconda-OracleLinuxServer-201410181705.x86_64/6.6  241 M
 kernel-uek-devel      x86_64  4.1.12-103.9.4.el6uek  @anaconda-OracleLinuxServer-201410181705.x86_64/6.6   38 M
 kernel-uek-firmware   noarch  4.1.12-103.9.4.el6uek  @anaconda-OracleLinuxServer-201410181705.x86_64/6.6  2.9 M

Transaction Summary
=================================================================================================================
Remove        3 Package(s)

Installed size: 282 M
Is this ok [y/N]:

Enter y to accept the deletion output.
Repeat these steps starting with Step 4 for all kernels that are older than the latest kernel.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.8 Step 7: If Necessary, Remove SSH-Related DSA Keys

For both the primary and standby servers, you should remove SSH-related DSA keys left behind after the upgrade, because they can cause problems with some code analysis tools.

Log in to the Oracle Key Vault management console as a user with the System Administrator role.
Enable SSH.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select IP address(es) and then enter only the IP addresses that you need, or select All. Click Save.
Login to the Oracle Key Vault support account using SSH.
```
ssh support@OracleKeyVault_serverIPaddress
```
Switch to the root user.
```
su - root
```
Change directory to /etc/ssh.
```
cd /etc/ssh
```

Rename the following keys.

mv ssh_host_dsa_key.pub ssh_host_dsa_key.pub.retire
mv ssh_host_dsa_key ssh_host_dsa_key.retire

Disable SSH access.

Log in to the Oracle Key Vault management console as a user who has the System Administrator role. Select the System tab, then Settings. In the Network Details area, click SSH Access. Select Disabled. Click Save.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.9 Step 8: Checking for Patch Updates

Check if additional patches are applicable to your environment. Oracle recommends that you check for patches after installing or upgrading to the Oracle Key Vault release.

To download and update the patches for Oracle Key Vault:

Log in to https://support.oracle.com
Select the Patches & Updates tab.
Select Product or Family (Advanced) tab.

Note:
By default, the Number/Name or Bug Number (simple) option is selected.
Select Oracle Key Vault from the Product is drop-down list.
Select the current release number from the Release is drop-down list.
Click Search. The search results are displayed.
In the Patch Name column, click the applicable patch number to your release.

Note:
You can check for the release in the Release column.

A corresponding Patch number page appears.
Click Read Me to open the readme file in a browser.
Click Download to open the File Download page.
Click the Download File Metadata link.
Click Download to download the XML metadata file.

Note:

Oracle recommends that you apply the patch 37492574 after you upgrade to Oracle Key Vault release 21.9. This patch corrects the configuration of certain processes internal to Oracle Key Vault, which may be operating with incorrect settings after you upgrade to release 21.9. This patch also prevents future upgrades (from release 21.9 to later versions of Oracle Key Vault) from failing. Apply this patch after all systems in the Oracle Key Vault deployment have been successfully upgraded to 21.9.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.10 Step 9: Upgrade the Endpoint Software

You must reenroll endpoints created in earlier releases of Oracle Key Vault, or update the endpoint software.

If you are upgrading from an earlier release to the latest release of Oracle Key Vault, then you must reenroll the endpoint instead of upgrading the endpoint software. Reenrolling the endpoint automatically updates the endpoint software.

Before an endpoint that uses online TDE master encryption key management by Oracle Key Vault can take advantage of the ability to control the extraction of objects from Oracle Key Vault during cryptographic operations, it must be upgraded to Oracle Key Vault release 21.10.

Ensure that you have completely upgraded both the primary and standby servers that are configured Oracle Key Vault. If you are upgrading the endpoint software for an Oracle database configured for online TDE master encryption key management, then shut down the database.
Download the endpoint software (okvclient.jar) for your platform from the Oracle Key Vault server as follows:
1. Go to the Oracle Key Vault management console login screen.
2. Click the Endpoint Enrollment and Software Download link.
3. In the Download Endpoint Software Only section, select the appropriate platform from the drop-down list.
4. Click the Download button.
Identify the path to your existing endpoint installation that you are about to upgrade (for example, /etc/ORACLE/KEYSTORES/okv (where /etc/ORACLE/KEYSTORES is WALLET_ROOT of your database, or the softlink in $ORACLE_BASE/okv/$ORACLE_SID points to).

Install the endpoint software by executing the following command:

java -jar okvclient.jar -d existing_endpoint_directory_path

For example:

java -jar okvclient.jar -d /etc/ORACLE/KEYSTORES/okv

java -jar okvclient.jar -d c:\etc\ORACLE\KEYSTORES\okv

Install the updated PKCS#11 library file.
This step is needed only for online TDE master encryption key management by Oracle Key Vault. If an endpoint uses online TDE master encryption key management by Oracle Key Vault, then you must upgrade the PKCS#11 library while upgrading the endpoint software.
- On UNIX/Linux platforms: Run root.sh from the bin directory of endpoint installation directory to copy the latest liborapkcs.so file for Oracle Database endpoints.
```
$ sudo /etc/ORACLE/KEYSTORES/okv/bin/root.sh
```
  Or
```
$ su - root
# /etc/ORACLE/KEYSTORES/okv/bin/root.sh
```
- On Windows platforms: Run root.bat from the bin directory of endpoint installation directory to copy the latest liborapkcs.dll file for Oracle Database endpoints. You will be prompted for the version of the database in use.
```
bin\root.bat
```
Update the SDK software.
If you have already deployed the SDK software, Oracle recommends that you redeploy the SDK software in the same location after you complete the upgrade to Oracle Key Vault release 21.10. This enables you to have access to the new SDK APIs that were introduced since the Oracle Key Vault version that you are upgrading from.
1. Go to the Oracle Key Vault management console login screen.
2. Click the Endpoint Enrollment and Software Download link.
3. In the Download Software Development Kit section, select the appropriate language and platform for your site.
4. Click the Download button to get the SDK zip file.
5. Identify the existing location where SDK software was already deployed.
6. Navigate to the directory in which you saved the SDK zip file.
7. Unzip the SDK zip file.
  For example, on Linux, to unzip the Java SDK zip file, use the following command:
```
unzip -o okv_jsdk.zip -d existing_endpoint_sdk_directory_path
```
  For the C SDK zip file, use this command:
```
unzip -o okv_csdk.zip -d existing_endpoint_sdk_directory_path
```
8. Do not exit this page.
If you had deployed the RESTful services utility in the previous release, then re-deploy the latest okvrestclipackage.zip file.
The latest okvrestclipackage.zip file enables you to have access to the new RESTful services utility commands that were introduced since the Oracle Key Vault version that you are upgrading from.
You can use wget or curl to download okvrestclipackage.zip.
```
wget --no-check-certificate https://Oracle_Key_Vault_IP_address:5695/okvrestclipackage.zip

curl -O -k https://Oracle_Key_Vault_IP_address:5695/okvrestservices.jar
```
Start the Oracle databases if the upgrade of Oracle Key Vault endpoints for all of the TDE-enabled databases on this host machine is complete.
At this stage, the endpoint will be fully upgraded.
If your site requires that you restrict TDE master encryption keys from leaving Oracle Key Vault and if you are using an Oracle Real Application Clusters (Oracle RAC) environment, then perform the following steps on each Oracle RAC node:
1. Perform the endpoint upgrade on each Oracle RAC node.
2. Set the extractable attribute value for symmetric keys.
  By default, the extractable attribute value is true, which means that the key material of symmetric keys can be extracted from Oracle Key Vault during certain operations. If you want to prevent symmetric keys from being extracted, then you must set this value to false. You can set an extractable attribute value as follows:
  - Set the default value for the extractable attribute of new symmetric keys in the endpoint settings. Endpoint-specific setting overrides the global endpoint settings.
  - Explicitly specify the value of the extractable attribute when creating or registering a new symmetric key.
  - Modify the extractable attribute of an existing symmetric key.
  See Oracle Key Vault Administrator's Guide.
3. As a user who has the SYSDBA or SYSKM administrative privilege, perform a rekey operation in the Oracle RAC node. Use the following syntax:
```
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY 
[FORCE KEYSTORE]
[USING TAG 'tag_name'] 
IDENTIFIED BY [EXTERNAL STORE | keystore_password] 
[WITH BACKUP [USING 'backup_identifier']];
```
  See Oracle Database Advanced Security Guide for more information about rekeying a TDE master encryption key.
If your site requires that you restrict TDE master encryption keys from leaving Oracle Key Vault and if you are using an Oracle Data Guard environment, then do the following on the primary and standby databases:
1. Perform the endpoint upgrade on the primary and standby databases.
2. Set the extractable attribute value for symmetric keys.
  By default, the extractable attribute value is true, which means that the key material of symmetric keys can be extracted from Oracle Key Vault during certain operations. If you want to prevent symmetric keys from being extracted, then you must set this value to false. You can set an extractable attribute value as follows:
  - Set the default value for the extractable attribute of new symmetric keys in the endpoint settings. Endpoint-specific setting overrides the global endpoint settings.
  - Explicitly specify the value of the extractable attribute when creating or registering a new symmetric key.
  - Modify the extractable attribute of an existing symmetric key.
  See Oracle Key Vault Administrator's Guide.
3. As a user who has the SYSDBA or SYSKM administrative privilege, perform a rekey operation in the primary and standby databases.
```
ADMINISTER KEY MANAGEMENT SET [ENCRYPTION] KEY 
[FORCE KEYSTORE]
[USING TAG 'tag_name'] 
IDENTIFIED BY [EXTERNAL STORE | keystore_password] 
[WITH BACKUP [USING 'backup_identifier']];
```
  See Oracle Database Advanced Security Guide for more information about rekeying a TDE master encryption key.
Note:

Note the following before executing script:
- You must run root.sh or root.bat script to install the latest Oracle Key Vault PKCS#11 library only once on a host machine that has multiple TDE-enabled Oracle databases that use Oracle Key Vault for master encryption key management.
- Ensure that you execute the root.sh or root.bat script only after the upgrade of Oracle Key Vault endpoints for all of the TDE-enabled databases on the same host machine is complete.
- Ensure that all of the TDE-enabled Oracle databases on this host have been shutdown.

Related Topics

Oracle Key Vault Administrator's Guide

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server

8.11 Step 9: Back Up the Upgraded Oracle Key Vault Server

You must perform server backup and user password tasks after completing a successful upgrade.

Take a full backup of the upgraded Oracle Key Vault Server Database to a new remote destination. Avoid using the old backup destination for the new backups.
Schedule a new periodic incremental backup to the new destination defined in the preceding step.
Change the Oracle Key Vault administrative passwords.
Password hashing has been upgraded to a more secure standard than in earlier releases. This change affects the operating system passwords, support and root. You must change Oracle Key Vault administrative passwords after the upgrade to take advantage of the more secure hash.

Parent topic: Upgrading a Primary-Standby Oracle Key Vault Server