Oracle Key Vault Installation (Version 21.4) (Chapter II)

 

Chapter 2: Endpoint Configuration

After the installation is complete, the next important task is to configure all of the target servers as endpoints.

The steps below walk you through configuring the first endpoint.

But first, a few gyans (concepts) you need to know. 😄

1. The Oracle Key Vault architecture figure illustrates how a multi-master cluster environment can be used to manage different kinds of encrypted data. It has the following components:

  • Oracle Database refers to Oracle databases that are connected to the Oracle Key Vault. Typically, these databases are protected with Transparent Data Encryption (TDE).
  • Oracle wallets and Java keystores are containers for keys and sensitive objects that you upload and download between Oracle Key Vault and endpoints.
  • Secrets Management refers to other keystore files, which are security objects like certificates, and credential files like Kerberos keytab files, SSH key files, and server password files, that you upload to Oracle Key Vault from endpoints.
  • ZDLRA, MongoDB, MySQL, GoldenGate, Solaris Crypto Keys, and ACFS are all sources of encrypted key data that can be protected by Oracle Key Vault.

You can deploy Oracle Key Vault in the following types of environments:

  • Single Oracle Database instance
  • Multiple Oracle databases on the same server
  • Oracle Database using a multitenant environment
  • Oracle GoldenGate
  • Oracle Data Guard
  • Oracle Exadata, engineered systems
  • Oracle Exadata Cloud@Customer
  • Oracle Autonomous Database (dedicated)

I will show here a simple deployment of a stand-alone endpoint for an Oracle Database server.

Below are the administrative roles you can assign for maintenance. Creating an endpoint requires the System Administrator role, so use a SYSADMIN user for the steps in this chapter.

  • System Administrator role provides privileges for creating and managing users, creating and managing endpoints, configuring system settings and alerts, and generally administering Oracle Key Vault. This is the most powerful role.
  • Key Administrator role provides privileges for managing the key life cycle and controlling access to all security objects in Oracle Key Vault.
  • Audit Manager role provides privileges for managing the audit life cycle and audit policies.

 

First, add an endpoint, giving it a name (the database name) together with its endpoint type and platform (OS) details.



Then copy the enrollment token; you will need it in the enrollment phase. Treat the token as a secret: anyone who presents it to Oracle Key Vault can enroll as this endpoint and download its credentials.



 

Now open the Oracle Key Vault login page, but do not log in. Click the Endpoint Enrollment and Software Download link shown below the login form.



Paste the enrollment token when prompted.



After you submit the token, Oracle Key Vault validates it and shows the endpoint details you entered earlier.

Then press the Enroll button.

okvclient.jar contains the following:

  • A Transport Layer Security (TLS) certificate and private key that the endpoint uses to authenticate itself to Oracle Key Vault
  • A TLS certificate for Oracle Key Vault that serves as the root CA
  • Endpoint libraries and utilities
  • Additional information such as the Oracle Key Vault IP address that is used by okvutil to create the okvclient.ora configuration file

In an Oracle Real Application Clusters (RAC) environment, you must enroll and provision each Oracle RAC node as an endpoint. Each Oracle RAC-enabled database corresponds to one virtual wallet in Oracle Key Vault. Each Oracle RAC instance of that database corresponds to an endpoint in Oracle Key Vault. All endpoints for each database share the same wallet as their default wallet. You must download one distinct okvclient.jar for each instance.

 



The browser then downloads the okvclient.jar file.



Copy this file to your database server and then do the following.

 

Create a directory named okv_home parallel to ORACLE_HOME.

Put the database JDK first on the PATH ($ORACLE_HOME/jdk/bin).

Copy the okvclient.jar file into okv_home.


Now install it by the following command.

java -jar okvclient.jar -d /u01/app/oracle/product/19.0.0/okv_home -v




The installer prompts for an endpoint password. You can press Enter to skip it, which configures the endpoint for auto-login (no password is needed to open the endpoint wallet). Auto-login is what you want for a database that must open its TDE keys at startup without an operator, but it also means anyone who can read the files under okv_home can use the endpoint's credentials, so keep that directory restricted to the oracle OS user.

After a successful installation the installer deletes the .jar file for security reasons, since it contained the endpoint's TLS private key (check that it is gone, and delete it yourself if it is not). It populates okv_home with the endpoint software: the binaries such as okvutil, the okvclient.ora configuration file, and the ssl directory holding the endpoint's TLS credentials.
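The steps above, scripted end to end as an added example (this is not code from the original post or from Oracle): it prepares okv_home, runs the same install command, and then checks that the install left the endpoint in a safe state. It assumes ORACLE_HOME is /u01/app/oracle/product/19.0.0/dbhome_1, so that okv_home sits beside it at the -d path used in the post, and it assumes the post-install file names bin/okvutil, conf/okvclient.ora (with a SERVER=host:port line), lib/liborapkcs.so and ssl/; adjust them if your client version lays things out differently.

```shell
#!/bin/sh
# Added example for the endpoint install steps (not the post's or Oracle's code).
# Assumed: ORACLE_HOME below, and the post-install file names checked in
# okv_verify_home (bin/okvutil, conf/okvclient.ora, lib/liborapkcs.so, ssl/).
set -eu

ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/product/19.0.0/dbhome_1}"   # assumed
OKV_HOME="${OKV_HOME:-$(dirname "$ORACLE_HOME")/okv_home}"              # sibling of ORACLE_HOME

# Steps 1-3: create okv_home parallel to ORACLE_HOME, put the database JDK first
# on PATH and stage the downloaded jar.  $1 = path to the downloaded okvclient.jar.
okv_prepare_home() {
    jar="$1"
    mkdir -p "$OKV_HOME"
    chmod 750 "$OKV_HOME"                 # the jar carries the endpoint's TLS private key
    PATH="$ORACLE_HOME/jdk/bin:$PATH"; export PATH
    cp "$jar" "$OKV_HOME/okvclient.jar"
    chmod 600 "$OKV_HOME/okvclient.jar"
}

# Step 4: the install command from the post. It prompts for an endpoint password;
# pressing Enter instead configures auto-login. Run it interactively as the oracle
# OS user rather than piping a password into it.
okv_install() {
    (cd "$OKV_HOME" && java -jar okvclient.jar -d "$OKV_HOME" -v)
}

# Print the Key Vault address that the installer recorded in okvclient.ora.
okv_server_from_conf() {
    sed -n 's/^SERVER=//p' "$1/conf/okvclient.ora"
}

# Post-install check on an okv_home ($1). Succeeds only if the endpoint software
# is in place, the jar holding the private key is gone, okvclient.ora names a
# server, and nothing under ssl/ is readable by other users.
okv_verify_home() {
    home="$1"; rc=0
    for f in bin/okvutil conf/okvclient.ora lib/liborapkcs.so ssl; do
        [ -e "$home/$f" ] || { echo "missing: $home/$f" >&2; rc=1; }
    done
    if [ -e "$home/okvclient.jar" ]; then
        echo "okvclient.jar still present in $home; delete it, it holds the endpoint key" >&2
        rc=1
    fi
    if [ -f "$home/conf/okvclient.ora" ] && [ -z "$(okv_server_from_conf "$home")" ]; then
        echo "no SERVER= entry in $home/conf/okvclient.ora" >&2
        rc=1
    fi
    if [ -d "$home/ssl" ] && [ -n "$(find "$home/ssl" -perm -004)" ]; then
        echo "world-readable file(s) under $home/ssl; tighten permissions" >&2
        rc=1
    fi
    return $rc
}
```

Usage: source the file as the oracle OS user, then run okv_prepare_home /path/to/okvclient.jar, okv_install, and okv_verify_home "$OKV_HOME". A failing verify means the endpoint is either incomplete or is exposing its private key on disk; fix that before pointing a database at it. Once verify passes, "$OKV_HOME/bin/okvutil list" is the quickest way to confirm the endpoint can actually reach and authenticate to Oracle Key Vault, and for TDE use Oracle's procedure also expects "$OKV_HOME/bin/root.sh" to be run as root so that liborapkcs.so is installed where the database looks for it.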



Then log in to your Key Vault console and verify the endpoint details for your server. The IP address field, which was blank before enrollment, is now populated with the endpoint server's address.



So, the endpoint configuration done with the SYSADMIN user has succeeded. You can now start transferring your wallets, keys and other security objects.

*********************************************************************************

Chapter 3 (Transferring / retrieving keys) .... continues...!!!


