How to Configure Oracle Key Vault to use Luna HSM?
Oracle Key Vault is a widely used enterprise solution for storing and managing keys. Security teams recommend it for its straightforward configuration, advanced features, and compliance with industry standards.
It also works with HSMs from different vendors, but in this blog we walk through the procedure for using Luna HSM with Oracle Key Vault.
What is Oracle Key Vault?
Oracle Key Vault (OKV) is software delivered as an ISO image. You install it on its own dedicated server to use its features and functionality.
The OKV ISO image contains the following components:
- Oracle Database
- Oracle Key Vault
- Pre-configured OS
Let’s look specifically at Oracle Key Vault. It is a full-stack platform that centralizes the management of encryption keys and other cryptographic keys across an organization. It also helps prevent unauthorized use of those keys while meeting required industry standards such as FIPS 140-2 Level 3.
The Prerequisites for Using Luna HSM with Oracle Key Vault
Before you start configuring Luna HSM on the Oracle Key Vault platform, you need the following:
- An Oracle Key Vault account
- An available Luna Cloud HSM service (configure the FIPS requirement and the number of slots according to your business needs)
Complete Process To Configure Oracle Key Vault To Use Luna HSM
To configure Oracle Key Vault to use Luna HSM, follow the procedure below:
Step 1: Create an account on the Oracle Key Vault management platform and access the console as a user with administrative privileges.
You can access the console using the URL: https://<Oracle_Key_Vault_Server_IP>
Step 2: Click on “System” and choose “Settings”.
Step 3: Under “Settings”, choose “Hardware Security Module”.
Step 4: Click on “Initialize” to open the “Initialize HSM” dialog window.
Step 5: From the “Vendor” menu, choose “Thales Luna”.
Step 6: Fill out the “HSM Credentials” and the “Recovery Password/Passphrase”.
Step 7: Select the “Use Token Label” checkbox and input the “Token Label”.
Step 8: Click on “Initialize”.
Step 9: Wait for the process to complete and check the HSM status.
If the Luna HSM is configured correctly, a green upward arrow is displayed. To check that the master encryption key was created on the HSM, you can run “partition content” in “lunacm”.
The Oracle Key Vault Backup Procedure For Maximum Availability
It is always recommended to back up Oracle Key Vault. A backup ensures that the private keys remain available in case of system failure or data loss.
To execute the backup, follow these steps:
Step 1: Access the console of your Oracle Key Vault management platform with an administrative user account.
Step 2: Go to “System” and choose “Settings”.
Step 3: Click on “System Configuration” and choose “Backup and Restore”.
Step 4: Click on “Manage Backup Destination” to view the backup destination list.
Step 5: Click on the “Create” option.
Step 6: Input the information listed in the following table and click on “Save”.
| Information Required | What To Fill? |
| --- | --- |
| Destination Name | Input a destination name of your choice |
| Transfer Method | The default value is SCP, for secure file transfer |
| Hostname | Input the destination’s IP address. If DNS is configured, provide the hostname. |
| Port | Enter the default SCP port number, i.e., 22. |
| Destination Path | Provide the path to the backup directory on the destination. |
| Username | Input the username of the account with read and write permission at the destination. |
| Authentication Method | Choose key-based or password-based. For key-based, provide a public key; for password-based, configure a passphrase. |
Step 7: Click on “System Backup” and choose “Backup”. Here, you need to input the “Name”, “Start Time”, “Destination” and the “Type”. These details determine when the backup starts and how often it recurs.
Step 8: Lastly, click on “Schedule”. The backup is then initiated as configured, and you can check its status: while running, the status is “ONGOING”, and after completion it is “DONE”.
Furthermore, to restore from the backup, follow this process:
Step 1: Open your console with an account with administrative privileges.
Step 2: Go to “System” and choose “Settings”.
Step 3: Click on “Network Services” and choose “HSM”.
Step 4: Click on “Set Credentials” to open the “Prepare for HSM Restore” dialog window.
Step 5: Click on the “Vendor” menu and choose “Thales Luna”.
Step 6: Input the “HSM Credential”, select “Use Token Label”, and input the “Token Label”.
Step 7: Click on “Set Credentials”, then go to “System” again and choose “Settings”.
Step 8: Click on “System Configuration” and choose “Backup and Restore”.
Step 9: Click on “Restore” and choose the source where your backup is stored. You are asked to input the recovery password. Once you have entered the correct password, click on “Restore” again to start the process. You can follow the live status while it runs.
How do you Enable Oracle Key Vault Multi-Master Cluster?
In a multi-master cluster, any HSM can be used with any Key Vault node. However, each node is secured with its own RoT (root of trust) key, HSM credentials, and TDE wallet password. You can configure a multi-master cluster in two ways: starting from a single node, or across multiple nodes.
Let’s look at both configurations.
Single Node Multi-Master Cluster Configuration
For the single-node configuration, you need to complete the following four parts:
Part 1: Converting a single OKV (Oracle Key Vault) server into the cluster’s first node
Part 2: Making the first node HSM-enabled
Part 3: Making the candidate node HSM-enabled before adding it to the cluster
Part 4: Adding the HSM-enabled candidate node to the HSM-enabled controller node’s cluster
Parts 2 and 3 are completed by following the process in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM”.
For Part 1 and Part 4, follow the procedures below.
Part 1: Converting a Single OKV (Oracle Key Vault) Server into the Cluster’s First Node
The steps to convert are as follows:
Step 1: Access the console with an account with administrative privileges.
Step 2: Choose the “Cluster” tab and then “Configure as Candidate Node”. The logical (IP) address of the server is shown in the field named “Current Server IP”.
Step 3: Stay on the “Configure as Candidate Node” page and input the details listed in the following table.
| Parameter | What To Fill? |
| --- | --- |
| First Node of Cluster | Choose the “Yes” option |
| Node Name | Type a node name of your choice |
| Cluster Name | Input a cluster name of your choice. Remember that it cannot be changed afterward. |
| Cluster Subgroup | Input a name for the subgroup. It cannot be changed afterward either. |
Part 4: Adding the HSM-enabled Candidate Node to the HSM-enabled Controller Node’s Cluster
Before you start this process, ensure that the nodes are connected by a reliable network with sufficient bandwidth and low latency. If any firewall or access control list is configured, it must permit Oracle Key Vault traffic, and the OKV ports must be open.
Once the network requirements are met, proceed as follows.
Step 1: Use the administrator’s account and access the controller OKV node.
Step 2: Go to the “Cluster” tab and click on “Add”.
Step 3: In the “Recovery Passphrase of the Cluster” field, input the recovery password; it is used to pair the candidate node.
Step 4: Choose “Yes” for “Add Node as Read-Write Peer”.
Step 5: Under “Add Candidate Node Details”, enter the details listed below.
| Parameter | What To Fill? |
| --- | --- |
| Node ID | Input a unique ID for the node. It cannot be modified afterward. |
| Node Name | Set a name of your choice. It cannot be modified afterward. |
| Cluster Subgroup | Input the name of a cluster subgroup. If a new name is entered, a new subgroup is created. |
| IP Address | Input the candidate node’s logical address. |
Step 6: With the help of a browser, access the candidate node’s OKV management console using a user account with an admin role.
Step 7: Go to the “Cluster” tab to open the “Configure as Cluster Candidate” page.
Step 8: Choose “No” for “First Node of Cluster”.
Step 9: Input the controller node’s recovery password in “Recovery Passphrase of the Cluster”.
Step 10: Input the “IP address” in its respective field.
Step 11: Go to the browser tab with the controller node, scroll to the bottom, and copy the complete node certificate.
Step 12: Paste the copied controller node certificate in the candidate node tab, in the input field titled “Certificate of the Controller Node”.
Step 13: Click on “Convert to Candidate Node” and wait until the process completes and the “Adding Candidate Node to Cluster” page is displayed.
Step 14: Now copy the complete “Candidate Node Certificate” and navigate to the controller node browser tab.
Step 15: Paste the copied candidate node certificate into “Certificate of Candidate Node”.
Step 16: Click on “Add Node” and then on “OK” for final confirmation.
The process now runs for approximately an hour, more or less depending on your network. The nodes may restart during the process, and the status changes from “PAIRING” to “ACTIVE” as it progresses.
Multiple Node Multi-Master Cluster Configuration
For multiple nodes, three main parts need to be completed:
Part 1: Making the first node HSM-enabled
Part 2: Copying the bundle
Part 3: Configuring the remaining nodes
To complete Part 1, follow the procedure in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM”.
Then complete Parts 2 and 3 by following the procedures below.
Part 2: Copying the Bundle
Step 1: Log in to the OKV management console with an account that has admin privileges.
Step 2: Go to the “System” tab and, under it, choose “Hardware Security Module”.
Step 3: On the HSM-enabled node, click on the “Create Bundle” option.
Step 4: Input the required details, such as the recovery password and HSM credentials, and click on “Create Bundle”.
Step 5: Use SSH to log in to the HSM-enabled node with the command: “ssh support@hsm_enabled_node”
Step 6: Switch to the root user with the command: “su root”
Step 7: Copy the bundle from /usr/local/okv/hsm on this node to the /tmp directory of each remaining node with the command: “scp /usr/local/okv/hsm/hsmbundle support@ip_address:/tmp”
Part 3: Configuring the Remaining Nodes
Step 1: Use SSH to log in to each of the remaining nodes in the cluster. Command: ssh support@ip_address
Step 2: On every node, switch to the root user. Command: su root
Step 3: Copy the bundle into place using the command: cp /tmp/hsmbundle /usr/local/okv/hsm/
Step 4: Change the bundle’s ownership to user oracle and group oinstall. Command: chown oracle:oinstall /usr/local/okv/hsm/hsmbundle
Step 5: On every node except the already HSM-enabled node, click on “Apply Bundle” and input the recovery password when prompted.
Step 6: Follow the steps in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM” for the remaining nodes.
Step 7: Check and confirm that every node now has HSM enabled.
Step 8: Once all nodes are HSM-enabled, delete the hsmbundle file from every node.
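The command-line steps of Parts 2 and 3 collected into one script, as an added example that is not from the original post or from Oracle. It assumes it runs as root on the HSM-enabled node, that the “support” account on every remaining node accepts SSH from this host, and that the remaining nodes’ IP addresses are passed as arguments; the staging and verification functions work on any directory, so they can be tried out locally before use.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): the command-line
# part of "Copying the Bundle" and "Configuring the Remaining Nodes".
# Assumptions (not stated on the page): run as root on the HSM-enabled node,
# the "support" account on every remaining node accepts SSH from this host,
# and the remaining nodes' IP addresses are given as arguments.
BUNDLE_SRC="${BUNDLE_SRC:-/usr/local/okv/hsm/hsmbundle}"
BUNDLE_DIR="${BUNDLE_DIR:-/usr/local/okv/hsm}"
BUNDLE_OWNER="${BUNDLE_OWNER:-oracle:oinstall}"

# Part 3 steps 3-4 on one node: copy the bundle into the OKV HSM directory
# and hand it to user oracle, group oinstall. Returns non-zero on any failure.
stage_bundle() {
    src="$1"; dir="$2"; owner="$3"
    [ -f "$src" ] || { echo "bundle not found: $src" >&2; return 1; }
    mkdir -p "$dir" && cp "$src" "$dir/hsmbundle" && chown "$owner" "$dir/hsmbundle"
}

# Check to run before clicking "Apply Bundle": the staged file exists and has
# the expected owner:group (GNU stat first, BSD stat as a fallback).
verify_bundle() {
    f="$1/hsmbundle"; want="$2"
    [ -f "$f" ] || return 1
    have="$(stat -c '%U:%G' "$f" 2>/dev/null || stat -f '%Su:%Sg' "$f")"
    [ "$have" = "$want" ]
}

# Part 3 step 8: remove the bundle once the node is HSM-enabled. It was built
# from the recovery password and HSM credentials, so do not leave it behind.
remove_bundle() { rm -f "$1/hsmbundle"; }

# Part 2 step 7 and Part 3 steps 1-4 for every remaining node: scp the bundle
# to /tmp on the node, then stage it there as root (-t keeps su's prompt usable).
distribute() {
    for ip in "$@"; do
        scp "$BUNDLE_SRC" "support@$ip:/tmp/hsmbundle" || return 1
        ssh -t "support@$ip" "su root -c 'cp /tmp/hsmbundle $BUNDLE_DIR/ && chown $BUNDLE_OWNER $BUNDLE_DIR/hsmbundle'" || return 1
        echo "staged bundle on $ip; apply it from the console, then delete it"
    done
}

if [ "$#" -gt 0 ]; then distribute "$@"; fi
```

The “Apply Bundle” click itself still happens in the console on each node; the script only gets the file into place with the right ownership and removes it afterwards.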
Conclusion
To use Oracle Key Vault with Luna HSM, you need an OKV account and a provisioned Luna HSM. Once these are in place, access the management console and run through the process described above.
It is also recommended to always configure the backup, since it protects you against unexpected crashes and data loss. You can use the single-node or multiple-node cluster configuration according to your needs, but always verify the results once the process completes.