How to Configure Oracle Key Vault to use Luna HSM?

Oracle Key Vault Integration with Luna HSM

The Oracle Key Vault is a phenomenal solution used by enterprises to store and manage the keys. Security firms highly recommend it due to its effortless configuration, advanced features, and compliance with industry standards.

In addition, it works seamlessly with every HSM. But, in this blog, we are going to understand the procedure for using Luna HSM with Oracle Key Vault.

What is Oracle Key Vault?

Oracle Key Vault or OKV is software that is available as an ISO image. You are required to install it on its dedicated servers to leverage its features and functionalities.

Under the OKV ISO image, you avail of the following components:

  • Oracle Database
  • Oracle Key Vault
  • Pre-configure OS

Let’s specifically talk about the Oracle Key Vault. It’s a full-stack platform that helps you centralize the management of encryption/decryption, cryptographic, and other keys in an organization. In addition, it supports preventing illegitimate activities aligned with the required industry standards, such as FIPS 140-2 Level 3.

The Prerequisites for Using Luna HSM with Oracle Key Vault

Before you start with the Luna HSM configuration on the Oracle Key Vault platform, you should fulfill the below requirements:

  • An Oracle Key Vault account
  • Availability of Luna Cloud HSM Service (Configure the requirement of FIPS and number of slots per your business needs)

Complete Process To Configure Oracle Key Vault To Use Luna HSM

To configure the Oracle Key Vault for using Luna HSM, you are required to follow the below procedure:

Step 1: Create an account on the Oracle Key Vault management platform and access the console as a user with administrative controls.

You can access the console using the URL: https://<Oracle_Key_Vault_Server_IP>

Step 2: Use left-click on “System” and choose “Settings

Step 3: Under “Settings”, choose “Hardware Security Module”.

Step 4: Click on the “Initialize” to open the “Initialize HSM” dialog window.

Step 5: From the “Vendor” menu, choose “Thales Luna

Step 6: Fill out the “HSM Credentials” and the “Recovery Password/Passphrase

Step 7: Choose the “Use Token Label” checkbox and input the “Token Label

Step 8: Click on “Initialize

Step 9: Wait for the process to complete and check the HSM status.

If the Luna HSM is configured accurately, a green arrow in an upward direction will be displayed. In addition, to check the master encryption key, you can execute “partition content” under “lunacm.”

The Oracle Key Vault Backup Procedure For Maximum Availability

It’s always recommended to back up the Oracle Key Vault. It enables us to be sure of private key availability in case of system failure and data loss.

To execute the backup, you are required to execute the following steps:

Step 1: Access the console of your Oracle Key Vault management platform with an administrative user account.

Step 2: Go to “System” and choose “Settings

Step 3: Click on the “System Configuration” and choose “Backup and Restore

Step 4: Click on “Manage Backup Destination” to view the backup destination list.

Step 5: Click on the “Create” option.

Step 6: Input the information listed in the following table and click on “Save.”

Information RequiredWhat To Fill?
Destination NameInput a destination of your choice
Transfer MethodThe default value is set to SCP for secure file transfer
HostnameInput the destination’s IP address. If DNS is configured, provide the hostname.
PortEnter the default SCP port number, i.e., 22.
Destination PathProvide the path to reach the destination.
UsernameInput the username of the account with read and write permission at the destination.
Authentication MethodChoose the method of your choice: key-based or password-based. For key-based, provide a public key, and for password-based, configure a passphrase.

Step 7: Click on “System Backup” and choose “Backup” Here, you need to input the “Name“, “Start Time” “Destination” and the “Type” All these details will help you configure the initiation and recurrence of the backup.  

Step 8: Lastly, click on “Schedule” As a result, the backup will be initiated as configured, and you can also check the status. In progress, the status will be “ONGOING” and after completion, it will be “DONE“.

Furthermore, to Restore from the Backup, you should undergo the following process:

Step 1: Open your console with an account with administrative privileges.

Step 2: Go to “System” and choose “Settings

Step 3: Click on “Network Services” and choose “HSM

Step 4: Click on “Set Credentials” to open the “Prepare for HSM Restore” dialog window.

Step 5: Click on the “Vendor” menu and choose “Thales Luna

Step 6: Input the “HSM Credential“, choose “Use Token Label“, and input the “Token Label

Step 7: Click on “Set Credentials” and then go to “System” again and choose “Settings.”

Step 8: Click on “System Configuration” and choose “Backup and Restore

Step 9: Click on “Restore” and choose the source where your backup is stored. It will ask you to input the recovery password. Once you input the correct password, again click on “Restore” to let the process begin. Simultaneously, you can check the live status.

How do you Enable Oracle Key Vault Multi-Master Cluster?

 In a multi-master cluster, any HSM can be used in any key vault node. However, each is secured with different RoT keys, HSM credentials, and TDE wallet passcodes. Primarily, you can configure a multi-master cluster in two ways: single node and multiple nodes.

Let’s look at both configurations.

Single Node Multi-Master Cluster Configuration

For the single-node configuration, you are required to complete the four main parts as follows:

Part 1: Single OKV (Oracle Key Vault) conversion to cluster’s first node

Part 2: Making the first node HSM-enable

Part 3: Making the candidate node HSM-enable before cluster addition

Part 4: Adding of HSM-enabled candidate node into the HSM-enabled controller node cluster

The above-listed Parts 2 and 3 can be completed by following the process in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM

For the completion of Part 1 and Part 4, you should follow the procedures below.

Part 1: Single OKV (Oracle Key Vault) conversion to cluster’s first node

The steps to convert are as follows:

Step 1: Use an account with administrative privileges and access the console.

Step 2: Choose the “Cluster” tab and then “Configure as Candidate Node.” You will see the logical (IP) address of the server in the field with the name “Current Server IP

Step 3: Stay on the “Configure as Candidate Node” page and input the details as listed in the following table.

ParameterWhat To Fill?
First Node of ClusterChoose the “Yes” option
Node NameType a node name of your choice
Cluster NameInput a cluster name of your choice. Remember that it can’t be changed afterward.
Cluster SubgroupInput a name for the subgroup, and it cannot be changed either.

Part 4: Adding of HSM-enabled Candidate Node into the HSM-enabled Controller Node Cluster

Before you start this process, ensure that you have a good network with higher bandwidth and speed. In addition, if any firewall or access control list is configured, it must permit the Oracle Key Vault packets. Also, the OKV ports should be open.

Once the network requirements are completed, start with the below process.

Step 1: Use the administrator’s account and access the controller OKV node.

Step 2: Go to the “Cluster” tab and click on “Add.”

Step 3: In the “Recovery Passphrase of the Cluster” field, input the recovery password, as it will be utilized to pair the candidate node.

Step 4: Choose the “Yes” value for the “Add Node as Read-Write Peer“.

Step 5: Under “Add Candidate Node Details”, enter the details as listed.

ParameterWhat To Fill?
Node IDInput any unique ID for your node, and remember that it cannot be modified.
Node NameSet a name of your choice, and it cannot be modified afterward.
Cluster SubgroupInput the name of a cluster subgroup. If a new name is entered, a new subgroup will be generated.
IP AddressInput the candidate node’s logical address.

Step 6: With the help of a browser, access the candidate node’s OKV management console using a user account with an admin role.

Step 7: Go to the “Cluster” tab to open the “Configure as Cluster Candidate” page.

Step 8: Choose “No” for the “First Node of Cluster

Step 9: Input the controller nod recovery password for the “Recovery Passphrase of the Cluster

Step 10: Input the “IP address” in its respective field.

Step 11: Go to the browser tab with the controller node and scroll to its bottom, and copy the complete node certification.

Step 12: Paste the copied controller node certification in the candidate node tab, where an input field is available with the title “Certificate of the Controller Node.”

Step 13: Click on the “Convert to Candidate Node” and wait until the process completes and the “Adding Candidate Node to Cluster” page is showcased.

Step 14: Now, copy the complete “Candidate Node Certification” and navigate to the controller node browser tab.

Step 15: Paste the copied candidate node certificate at “Certificate of Candidate Node.”

Step 16: Click on “Add Node” and then on “OK” for final confirmation.

Now, the process will run for approx. an hour, less, or more according to your network capabilities. Also, the nodes can restart during the process, and you will see the status as “PAIRING” and “ACTIVE” as it progresses.

Multiple Node Multi-Master Cluster Configuration

For multiple nodes, three main parts are required to be completed, which are as follows:

Part 1: Making the first node HSM-enable

Part 2: Copying of the bundle

Part 3: Remaining nodes configuration

To complete Part 1, you can follow the procedure in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM.”

Now, complete Parts 2 and 3 by following the below procedures respectively.

Part 2: Copying of the Bundle

Step 1: Login to the console of OKV management with the admin privileges account.

Step 2: Go to the “System” tab, and under it, choose “Hardware Security Module.”

Step 3: Click on the “Create Bundle” option on the node with HSM enabled.

Step 4: Input the required details, such as recovery password and HSM credentials, and click on “Create Bundle.”

Step 5: Use SSH to log to the HSM-enabled node with the command: “ssh support@hsm_enabled_node

Step 6: Change the user to root with the command: “su root

Step 7: Run the command to copy the bundle to the /usr/local/okv/hsm location: “scp /usr/local/okv/hsm/hsmbundle support@ip_address:/tmp”

Part 3: Remaining Nodes Configuration

Step 1: Use the SSH to log in and access the remaining nodes in the cluster. Command: ssh support@ip_address

Step 2: On every node, take root user access. Command: su root

Step 3: Copy the bundle using the command: cp /tmp/hsmbundle /usr/local/okv/hsm/

Step 4: Modify the bundle ownership to Oracle and group oinstall. Command: chown oracle:oinstall /usr/local/okv/hsm/hsmbundle

Step 5: Excluding the HSM-enabled node, click on “Apply Bundle” on the remaining nodes. Also, input the recovery password when required.

Step 6: Follow the steps in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM” for the remaining nodes.

Step 7: Check and confirm that every node now has HSM enabled.

Step 8: Once the nodes are HSM-enabled, delete the hsmbundle file from the nodes.

Concluding Up

To use the Oracle Key Vault with Luna HSM, you will require an OKV account and the Luna HSM provision. Once the requirements are completed, access the management console and start executing the process as mentioned above.

Furthermore, it’s recommended always to configure the backup, as it helps during unexpected crashes and data loss. You can also use the single and multiple node configuration process according to your needs. But, always verify the results, once the processing completes.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.