Oracle Key Vault and Recovery Appliance

The Oracle Key Vault (OKV) stores the TDE master keys and also keeps track of all enrolled endpoints.

Endpoints are the database servers, application servers, and computer systems where actual cryptographic operations such as encryption or decryption are performed. Endpoints request OKV to store and retrieve security objects.

A brief overview of the Oracle Key Vault (OKV) configurations:

  • All compute nodes of the Recovery Appliance are registered and enrolled as OKV endpoints.

  • A single OKV endpoint group contains all the endpoints corresponding to all of the compute nodes of the Recovery Appliance.

  • A single wallet is shared and configured as 'Default Wallet' for all endpoints corresponding to all of the compute nodes of the Recovery Appliance.

  • The OKV endpoint group is configured with read/write/manage access to the shared virtual wallet.

  • If more than one Recovery Appliance is involved, each Recovery Appliance has its own endpoint group and wallet.

  • The host-specific okvclient.jar is created and saved during the enrollment process of each endpoint to the staging path on its respective node. If the root user is performing the operation, the staging path is /radump. If a named user (such as raadmin) is performing the operation, then the staging path has to be /tmp. The staged file has to be named either as-is okvclient.jar or <myHost>-okvclient.jar, where <myHost> matches what hostname returns.
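
The staging rules above are easy to get wrong on a multi-node appliance, so here is an added pre-flight check (example code, not part of the Oracle documentation) that verifies a staged okvclient.jar sits in the right directory with an accepted name. It assumes exactly the rules stated: root stages in /radump, any other user stages in /tmp, and the file is okvclient.jar or <hostname>-okvclient.jar; the optional BASE argument is only a scratch prefix for testing.

```shell
# Added pre-flight check for a staged OKV client package on a Recovery
# Appliance compute node. Assumed rules (from the text above): root stages in
# /radump, any other user stages in /tmp, and the file is named okvclient.jar
# or <hostname>-okvclient.jar. BASE is an optional prefix used only so the
# check can be exercised against a scratch directory tree.

# Print the staging directory the enrollment procedure expects for USER.
okv_staging_dir() {
    if [ "$1" = "root" ]; then
        printf '%s\n' /radump
    else
        printf '%s\n' /tmp
    fi
}

# okv_find_staged_jar USER HOST [BASE]
# Prints the path of the staged client package and returns 0, or returns 1
# when neither accepted file name exists in the expected staging directory.
okv_find_staged_jar() {
    _user=$1
    _host=$2
    _base=${3:-}
    _dir="${_base}$(okv_staging_dir "$_user")"
    for _name in okvclient.jar "${_host}-okvclient.jar"; do
        if [ -f "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    return 1
}

# okv_check_staged_jar USER HOST [BASE]
# Wraps the lookup with a short diagnostic so it can be run as a step before
# enrollment: exits 0 when a correctly named file is present, 1 otherwise.
okv_check_staged_jar() {
    if _path=$(okv_find_staged_jar "$1" "$2" "${3:-}"); then
        printf 'staged OKV client package found: %s\n' "$_path"
        return 0
    fi
    printf 'no okvclient.jar or %s-okvclient.jar under %s%s for user %s\n' \
        "$2" "${3:-}" "$(okv_staging_dir "$1")" "$1" >&2
    return 1
}

# On the node itself, run:  okv_check_staged_jar "$(id -un)" "$(hostname)"
```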

Note:

Refer to Oracle Key Vault Administrator's Guide for more information.

Review: Oracle Key Vault

This reference section uses concepts from the Oracle Key Vault (OKV) Administrator's Guide.

The OKV administrator performs these tasks, which are a prerequisite for the operations performed by the Recovery Appliance administrator. The OKV administrator configures the OKV endpoints.

Creating the Endpoints

These operations for creating an Endpoint are performed from the Key Vault Server Web Console.

  1. Log into the Oracle Key Vault Server.
  2. Click Endpoints tab.
  3. Click Add button in right corner of the Endpoints page.
  4. Enter the information specific to the Recovery Appliance node that the endpoint is to be associated with. (Name/Type/Platform/Desc/Email)
  5. Click Register button on the right.
  6. Repeat the above steps to create an endpoint for every Recovery Appliance node.

Creating the Endpoint Group

These operations for creating an Endpoint Group are performed from the Key Vault Server Web Console.

  1. Click Endpoints tab.
  2. Click Endpoint Groups option on the left.
  3. Click Create Endpoint Group button on top right.
  4. Enter name and description, and select all endpoints created in the previous operations.
  5. Click Save button on the right.

Creating a Wallet

These operations for creating a Wallet are performed from the Key Vault Server Web Console.

  1. Click Keys & Wallets tab.
  2. Click Create button at top right.
  3. Enter name and description specific to the first node/endpoint.
  4. Click on the Save button on the right.

Associating Default Wallet with Endpoints

These operations for associating the virtual wallet with an Endpoint are performed from the Key Vault Server Web Console.

  1. Click Endpoints tab.
  2. Click on the specific name for the endpoint being associated with a wallet.
  3. In Default Wallet section, click Choose Wallet button.
  4. Click on the name of the wallet created above, and click Select to assign endpoints.
  5. Click Save button on the right.
  6. Repeat wallet assignment for other endpoints. The same wallet is assigned to those endpoints.

Acquiring the Enrollment Tokens

These operations for acquiring the enrollment tokens are performed from the Key Vault Server Web Console.

  1. Click Endpoints tab.

    The page now includes enrollment tokens specific to each endpoint/node.

  2. Copy and retain (in a file) the enrollment token specific to each endpoint, because it is used in a later enrollment step.
  3. Log out of the web interface. This step is required in order for other steps to display refreshed information.