Oracle Key Vault on Oracle Database Appliance
Understand general FAQs on storing TDE keys in Oracle Key Vault on Oracle Database Appliance.
What is Oracle Key Vault server configuration?
Oracle Key Vault server configuration is an Oracle Database Appliance entity which represents the metadata about the Oracle Key Vault server such as the IP address, host name, the user name, and a brief description about the Oracle Key Vault server. The Oracle Key Vault user password must be provided while creating the Oracle Key Vault server configuration object. The client auto-login wallets are generated with the specified passwords.
What are the two different ways of creating a TDE-enabled database on Oracle Database Appliance which uses Oracle Key Vault to store TDE keys?
- Create TDE-enabled databases using Oracle Key Vault with endpoints in Oracle Key Vault: The virtual wallet and the endpoints are not created by Oracle Database Appliance tooling but created by the user, on Oracle Key Vault server. Oracle Database Appliance tooling only expects the user to specify the okvclient.jar file corresponding to the created endpoint during database creation.
- Create TDE-enabled databases with user credentials: In this case, the virtual wallet and the endpoints are created by Oracle Database Appliance tooling, on Oracle Key Vault server. The user must create an Oracle Key Vault server configuration corresponding to the required Oracle Key Vault server and specify it during database creation.
How do I get to know the keystore type of my TDE database?
The keystoreType parameter value in the output of the odacli describe-database -n dbname -j command displays the type of the keystore used by the TDE database.
How do I identify whether a TDE-enabled database is using software keystore or Oracle Key Vault for TDE configuration?
If the keystoreType attribute of the database has the value software, then a software keystore was used to configure TDE. If the same attribute has the value OKV, then Oracle Key Vault was used to configure TDE.
When should I choose the option of creating TDE-enabled databases using Oracle Key Vault with endpoints in Oracle Key Vault?
If you do not want to use Oracle Key Vault user credentials in Oracle Database Appliance, then you can use the option of creation of TDE-enabled databases that use pre-created virtual wallet and endpoints.
When should I choose the option of creating TDE-enabled databases using Oracle Key Vault with credentials of the user on Oracle Key Vault?
If you want Oracle Database Appliance to interact with Oracle Key Vault directly using the credentials of the Oracle Key Vault user to create virtual wallets and endpoints, then use this option.
Which user can create Oracle Key Vault server configuration?
In multi-user access or multi-user access-passwordless enabled systems, the odaadmin user and users with the ODA-OKVCONFIGADMIN role can create the Oracle Key Vault server configuration. Only odaadmin can then share the Oracle Key Vault server configuration with the required DB user, that is, a user with the ODA-DB role, so that the DB user can create a TDE database using the shared Oracle Key Vault server configuration object. This ensures that the Oracle Key Vault server credentials used to create the Oracle Key Vault server configuration object are not shared with the DB user. However, in multi-user access enabled systems, the Oracle Key Vault server configuration is created by the same user who creates the database.
Can a TDE database that uses software keystore be converted to use Oracle Key Vault?
No, Oracle Database Appliance does not support keystore migration from software keystore to Oracle Key Vault in this release.
What is the Oracle Key Vault Server port number that must be opened for Oracle Database Appliance to communicate with it?
Oracle Database Appliance relies on port number 5695 to communicate with Oracle Key Vault server. Ensure that port number 5695 is opened on the Oracle Key Vault server so that Oracle Database Appliance can communicate with it.
What is the minimum version of Oracle Key Vault server that Oracle Database Appliance recommends?
Oracle Database Appliance recommends the minimum version of the Oracle Key Vault server to be 21.7.
What are the database versions that support Oracle Key Vault feature on Oracle Database Appliance?
The Oracle Key Vault feature on Oracle Database Appliance is supported with Oracle Database 19c, on both bare metal and DB systems.
What are the database lifecycle management operations available on Oracle Database Appliance, but not supported for TDE databases that use Oracle Key Vault to store TDE keys?
Database lifecycle management operations such as cloning, upgrading, and registering databases are currently not supported for TDE databases that use Oracle Key Vault to store TDE keys.
Should I provide TDE password while creating the database that uses Oracle Key Vault to store TDE keys?
It depends on how the database is created. When Oracle Database Appliance tooling creates the virtual wallet and endpoint using the Oracle Key Vault user credentials, the TDE password is not required; it is randomly generated by Oracle Database Appliance tooling. When the endpoint and wallet were created manually on Oracle Key Vault, the TDE password must be provided while creating the database.
Once the user with ODA-DB role is granted access to the Oracle Key Vault server configuration object, can they delete the Oracle Key Vault server configuration object?
No, the Oracle Key Vault server configuration object can only be deleted by the user who created it or the odaadmin user. The user with ODA-DB role can only use the shared Oracle Key Vault server configuration object and create TDE database but not delete the shared Oracle Key Vault server configuration object. Also, the database that used the Oracle Key Vault server configuration object during creation, must be deleted before deleting the Oracle Key Vault server configuration object.
Does Oracle Database Appliance tooling support backup and recovery of TDE wallet of a database which uses Oracle Key Vault to store TDE keys?
No. Oracle Database Appliance tooling does not support backup and recovery of the TDE wallet, because the TDE wallet is not on the Oracle Database Appliance system but in the Oracle Key Vault server. The Oracle Key Vault administrator has to manage backup and recovery of the TDE wallet. Choosing Oracle Key Vault means that TDE wallet management takes place outside the client, in the Oracle Key Vault server.
Does Oracle Database Appliance tooling identify whether the given Oracle Key Vault credentials belong to a user who has only the least privilege, Create Endpoint, on the Oracle Key Vault server?
No, Oracle Database Appliance tooling does not check which privileges the given Oracle Key Vault credentials carry on the Oracle Key Vault server. Ensure that you use the credentials of a least-privileged user. The Create Endpoint privilege is the least privilege recommended, so that the given credentials can only be used to onboard the database on to the Oracle Key Vault server and cannot be used for any other operation on the Oracle Key Vault server.
Why do I need to create a copy of the TDE wallet before restoring a TDE database with Oracle Key Vault keystore?
Oracle Database Appliance tooling does not support backup, recovery, or restore of the TDE wallet when the wallet is stored in the Oracle Key Vault server, because the wallet is present outside the appliance. However, if you are restoring the database as a standby in an Oracle Data Guard configuration, then you must specify the wallet of the primary database.
Is NTP configuration required on Oracle Database Appliance to create a database with TDE configuration using Oracle Key Vault?
It is recommended to set up NTP on Oracle Database Appliance, because database creation or restore operations may fail if the clocks on Oracle Database Appliance and the Oracle Key Vault server are not synchronized. Ensure that the time is consistent across the servers, or use NTP on Oracle Database Appliance. When using an NTP server, ensure that the server is reachable from the appliance and that the chrony settings in the /etc/chrony.conf file are the same on Oracle Database Appliance and the Oracle Key Vault server.
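The port and clock requirements above, together with the keystoreType check described earlier, are worth verifying before creating the database rather than after the creation fails. The following Python script is an added example and not Oracle Database Appliance tooling: it checks that port 5695 on the Oracle Key Vault server is reachable over TCP, parses chronyc tracking output to confirm that the appliance clock is synchronised and within a tolerance, and reads keystoreType from odacli describe-database -j output. It assumes that the JSON output has keystoreType as a top-level key, that chronyc tracking prints the usual "System time" and "Leap status" lines, and a skew tolerance of 5 seconds; the page states the port number and the parameter name, not these details.

```python
"""Pre-flight checks for creating a TDE-enabled database on Oracle Database
Appliance that stores its keys in Oracle Key Vault (OKV).

Added example, not Oracle Database Appliance tooling. Assumptions not stated
on the page: `odacli describe-database -n <name> -j` prints a JSON object whose
top-level "keystoreType" key is "software" or "OKV"; `chronyc tracking` prints
the usual "System time" and "Leap status" lines; a skew tolerance of 5 seconds.
"""
import json
import re
import socket
import subprocess
import sys

OKV_PORT = 5695            # port ODA uses to talk to the OKV server
MAX_SKEW_SECONDS = 5.0     # tolerance chosen for this example (assumption)

_SYSTIME_RE = re.compile(
    r"^System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", re.MULTILINE)
_LEAP_RE = re.compile(r"^Leap status\s*:\s*(.+?)\s*$", re.MULTILINE)


def keystore_type(describe_json: str) -> str:
    """Return the keystoreType value from `odacli describe-database -j` output."""
    value = json.loads(describe_json).get("keystoreType")
    if value is None:
        raise ValueError("no keystoreType in output: is TDE enabled on this database?")
    return str(value)


def uses_okv(describe_json: str) -> bool:
    """True when TDE keys live in Oracle Key Vault, False for a software keystore."""
    return keystore_type(describe_json).upper() == "OKV"


def chrony_offset(tracking_output: str):
    """Parse `chronyc tracking`. Returns (offset_seconds, synchronised).

    offset_seconds is positive when the local clock runs ahead of NTP time."""
    m = _SYSTIME_RE.search(tracking_output)
    if m is None:
        raise ValueError("no 'System time' line in chronyc tracking output")
    offset = float(m.group(1))
    if m.group(2) == "slow":
        offset = -offset
    leap = _LEAP_RE.search(tracking_output)
    synchronised = leap is not None and leap.group(1) == "Normal"
    return offset, synchronised


def clock_ok(tracking_output: str, max_skew: float = MAX_SKEW_SECONDS) -> bool:
    """Reject an unsynchronised clock or one more than max_skew off NTP time."""
    offset, synchronised = chrony_offset(tracking_output)
    return synchronised and abs(offset) <= max_skew


def okv_port_reachable(host: str, port: int = OKV_PORT, timeout: float = 3.0) -> bool:
    """Plain TCP connect: proves the network path, not that OKV accepts the endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    if len(argv) not in (2, 3):
        print("usage: okv_preflight.py <okv-host> [dbname]", file=sys.stderr)
        return 2
    okv_host = argv[1]
    failed = False
    if okv_port_reachable(okv_host):
        print(f"[ok]   {okv_host}:{OKV_PORT} reachable")
    else:
        print(f"[fail] {okv_host}:{OKV_PORT} unreachable; open port {OKV_PORT} on the OKV server")
        failed = True
    tracking = subprocess.run(["chronyc", "tracking"], capture_output=True,
                              text=True, check=False).stdout
    try:
        offset, synced = chrony_offset(tracking)
        status = "ok" if clock_ok(tracking) else "fail"
        print(f"[{status}] clock offset {offset:+.3f}s, synchronised={synced}")
        failed = failed or status == "fail"
    except ValueError as exc:
        print(f"[fail] {exc}; is chronyd running?")
        failed = True
    if len(argv) == 3:  # optional: report the keystore type of an existing database
        out = subprocess.run(["odacli", "describe-database", "-n", argv[2], "-j"],
                             capture_output=True, text=True, check=False).stdout
        print(f"[info] {argv[2]} keystoreType={keystore_type(out)}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the appliance with the Oracle Key Vault host name, for example python3 okv_preflight.py okv.example.com (host name assumed). A successful TCP connect only shows that the firewall path to port 5695 is open; endpoint enrolment can still fail for the certificate-validity reasons described in the later questions, which is why the clock check is run in the same pass.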
Why does re-key of the TDE wallet fail with the error ORA-28353: failed to open wallet?
The error ORA-28353 can be caused by an incorrect TDE password. Retry the operation with the correct TDE password to resolve the issue. For more information about this error, see the Oracle Database Error Messages Guide at https://docs.oracle.com/en/database/oracle/oracle-database/19/errmg/ORA-24280.html.
Why does creation of a database with TDE configuration using Oracle Key Vault as keystore fail with the following error?

  Internal error encountered: PL/SQL procedure successfully completed.begin
  *
  ERROR at line 1:
  ORA-00600: internal error code, arguments: [kcbtse_populate_tbskey_1], [The
  request operation was denied.], [], [], [], [], [], [], [], [], [], []
  ORA-06512: at line 2.

Creation of the database may fail with the above error while the TDE master encryption key is being set. The cause is that the clock on the appliance is not synchronized with the clock on the Oracle Key Vault server. Because of the skew, the time at which the command to set the TDE master encryption key is run does not match the time on the Oracle Key Vault server, and the Oracle Key Vault server denies the request. To synchronize the clocks, set up NTP on Oracle Database Appliance. While setting up NTP, ensure that the NTP server is reachable from Oracle Database Appliance, and that the chrony settings are the same on Oracle Database Appliance and the Oracle Key Vault server. For example, stop chronyd, make sure /etc/chrony.conf points at your NTP server with settings like the ones shown, then start and enable chronyd:

  systemctl stop chronyd
  cat /etc/chrony.conf
  server <NTP server IP address> iburst
  driftfile /var/lib/chrony/drift
  makestep 1.0 -1
  rtcsync
  logdir /var/log/chrony
  systemctl start chronyd
  systemctl enable chronyd

The makestep 1.0 -1 setting lets chrony step the clock whenever the offset exceeds 1 second, with no limit on the number of updates, so a large initial skew is corrected immediately instead of being slewed gradually.
Why does creation of a database with TDE configuration using Oracle Key Vault as keystore fail with the following error?

  { "result" : "Failure", "message" : "Error occurred during install of Oracle Key Vault endpoint software. Check log files for more information. Please cleanup all of the files and directories created by the failed installation attempt before re-install" }

Creation of the database may fail with the above error while the Oracle Key Vault endpoint software is being installed. The cause is that the clock on the appliance is not synchronized with the clock on the Oracle Key Vault server. Because of the skew, the certificate generated for the Oracle Key Vault endpoint is not yet valid at the time the command to install the endpoint software is run on Oracle Database Appliance, causing the operation to fail. To synchronize the clocks, set up NTP on Oracle Database Appliance. For example, stop chronyd, make sure /etc/chrony.conf points at your NTP server with settings like the ones shown, then start and enable chronyd:

  systemctl stop chronyd
  cat /etc/chrony.conf
  server <NTP server IP address> iburst
  driftfile /var/lib/chrony/drift
  makestep 1.0 -1
  rtcsync
  logdir /var/log/chrony
  systemctl start chronyd
  systemctl enable chronyd

As the error message states, clean up the files and directories left by the failed installation attempt before retrying the database creation.