The Oracle Key Vault is a phenomenal solution used by enterprises to store and manage the keys. Security firms highly recommend it due to its effortless configuration, advanced features, and compliance with industry standards.<\/p>\n\n\n\n
In addition, it works seamlessly with every HSM. But, in this blog, we are going to understand the procedure for using Luna HSM with Oracle Key Vault.<\/p>\n\n\n\n
Oracle Key Vault or OKV is software that is available as an ISO image. You are required to install it on its dedicated servers to leverage its features and functionalities. <\/p>\n\n\n\n
Under the OKV ISO image, you avail of the following components:<\/strong><\/p>\n\n\n\n Let’s specifically talk about the Oracle Key Vault. It’s a full-stack platform that helps you centralize the management of encryption\/decryption, cryptographic, and other keys in an organization. In addition, it supports preventing illegitimate activities aligned with the required industry standards, such as FIPS 140-2 Level 3.<\/p>\n\n\n\n Before you start with the Luna HSM configuration on the Oracle Key Vault platform, you should fulfill the below requirements:<\/p>\n\n\n\n To configure the Oracle Key Vault for using Luna HSM, you are required to follow the below procedure:<\/p>\n\n\n\n Step 1:<\/mark><\/strong> Create an account on the Oracle Key Vault management platform<\/strong> and access the console as a user with administrative controls<\/strong>.<\/p>\n\n\n\n You can access the console using the URL: https:\/\/<Oracle_Key_Vault_Server_IP><\/p>\n\n\n\n Step 2:<\/mark><\/strong> Use left-click<\/strong> on \u201cSystem<\/strong>\u201d and choose \u201cSettings<\/strong>\u201d<\/p>\n\n\n\n Step 3:<\/mark><\/strong><\/strong> Under \u201cSettings<\/strong>\u201d, choose \u201cHardware Security Module<\/strong>\u201d.<\/p>\n\n\n\n Step 4:<\/mark><\/strong><\/strong> Click on the \u201cInitialize<\/strong>\u201d to open the \u201cInitialize HSM<\/strong>\u201d dialog window.<\/p>\n\n\n\n Step 5:<\/mark><\/strong><\/strong> From the \u201cVendor<\/strong>\u201d menu, choose \u201cThales Luna<\/strong>\u201d<\/p>\n\n\n\n Step 6:<\/mark><\/strong><\/strong> Fill out the \u201cHSM Credentials<\/strong>\u201d and the \u201cRecovery Password\/Passphrase<\/strong>\u201d<\/p>\n\n\n\n Step 7:<\/mark><\/strong><\/strong> Choose the \u201cUse Token Label<\/strong>\u201d checkbox and input the \u201cToken Label<\/strong>\u201d<\/p>\n\n\n\n Step 8:<\/mark><\/strong><\/strong> Click on \u201cInitialize<\/strong>\u201d<\/p>\n\n\n\n Step 9:<\/mark><\/strong> <\/strong>Wait for the process to complete<\/strong> and check the HSM status<\/strong>. It’s always recommended to back up the Oracle Key Vault. It enables us to be sure of private key availability in case of system failure and data loss. <\/p>\n\n\n\n To execute the backup, you are required to execute the following steps:<\/strong><\/p>\n\n\n\n Step 1:<\/mark><\/strong> Access the console of your Oracle Key Vault management platform with an administrative user account<\/strong>.<\/p>\n\n\n\n Step 2:<\/mark><\/strong><\/strong> Go to \u201cSystem<\/strong>\u201d and choose \u201cSettings<\/strong>\u201d<\/p>\n\n\n\n Step 3:<\/mark><\/strong> Click on the \u201cSystem Configuration<\/strong>\u201d and choose \u201cBackup and Restore<\/strong>\u201d<\/p>\n\n\n\n Step 4:<\/mark><\/strong><\/strong> Click on \u201cManage Backup Destination<\/strong>\u201d to view the backup destination list<\/strong>.<\/p>\n\n\n\n Step 5:<\/mark><\/strong><\/strong> Click on the “Create<\/strong>” option.<\/p>\n\n\n\n Step 6:<\/mark><\/strong> Input the information listed in the following table and click on \u201cSave.\u201d<\/p>\n\n\n\n Step 7:<\/mark><\/strong><\/strong> Click on \u201cSystem Backup<\/strong>\u201d and choose \u201cBackup<\/strong>\u201d Here, you need to input the “Name<\/strong>“, “Start Time<\/strong>” “Destination<\/strong>” and the “Type<\/strong>” All these details will help you configure the initiation and recurrence of the backup. <\/p>\n\n\n\n Step 8:<\/mark><\/strong><\/strong> Lastly, click on \u201cSchedule<\/strong>\u201d As a result, the backup will be initiated as configured, and you can also check the status. In progress, the status will be “ONGOING<\/strong>” and after completion, it will be “DONE<\/strong>“.<\/p>\n\n\n\n Step 1:<\/mark><\/strong><\/strong> Open your console with an account<\/strong> with administrative privileges.<\/p>\n\n\n\n Step 2:<\/mark><\/strong> Go to \u201cSystem<\/strong>\u201d and choose \u201cSettings<\/strong>\u201d<\/p>\n\n\n\n Step 3:<\/mark><\/strong> Click on \u201cNetwork Services<\/strong>\u201d and choose \u201cHSM<\/strong>\u201d<\/p>\n\n\n\n Step 4:<\/mark><\/strong> <\/strong>Click on \u201cSet Credentials<\/strong>\u201d to open the \u201cPrepare for HSM Restore<\/strong>\u201d dialog window.<\/p>\n\n\n\n Step 5:<\/mark><\/strong> Click on the \u201cVendor<\/strong>\u201d menu and choose \u201cThales Luna<\/strong>\u201d<\/p>\n\n\n\n Step 6:<\/mark><\/strong><\/strong> Input the “HSM Credential<\/strong>“, choose “Use Token Label<\/strong>“, and input the “Token Label<\/strong>“<\/p>\n\n\n\n Step 7:<\/mark><\/strong> Click on “Set Credentials<\/strong>” and then go to “System<\/strong>” again and choose “Settings<\/strong>.”<\/p>\n\n\n\n Step 8:<\/mark><\/strong><\/strong> Click on \u201cSystem Configuration<\/strong>\u201d and choose \u201cBackup and Restore<\/strong>\u201d<\/p>\n\n\n\n Step 9:<\/mark><\/strong><\/strong> Click on \u201cRestore<\/strong>\u201d and choose the source where your backup is stored. It will ask you to input the recovery password. Once you input the correct password, again click on \u201cRestore<\/strong>\u201d to let the process begin. Simultaneously, you can check the live status.<\/p>\n\n\n\n In a multi-master cluster, any HSM can be used in any key vault node. However, each is secured with different RoT keys, HSM credentials, and TDE wallet passcodes. Primarily, you can configure a multi-master cluster in two ways: single node and multiple nodes.<\/p>\n\n\n\n Let’s look at both configurations.<\/p>\n\n\n\n For the single-node configuration, you are required to complete the four main parts as follows:<\/p>\n\n\n\n Part 1:<\/strong> Single OKV (Oracle Key Vault) conversion to cluster\u2019s first node<\/p>\n\n\n\n Part 2: <\/strong>Making the first node HSM-enable<\/p>\n\n\n\n Part 3:<\/strong> Making the candidate node HSM-enable before cluster addition<\/p>\n\n\n\n Part 4:<\/strong> Adding of HSM-enabled candidate node into the HSM-enabled controller node cluster<\/p>\n\n\n\n The above-listed Parts 2 and 3 can be completed by following the process in the section “Complete Process To Configure Oracle Key Vault To Use Luna HSM<\/strong>\u201d<\/p>\n\n\n\n For the completion of Part 1 and Part 4, you should follow the procedures below.<\/p>\n\n\n\n The steps to convert are as follows:<\/p>\n\n\n\n Step 1:<\/mark><\/strong> Use an account with administrative privileges and access the console<\/strong>.<\/p>\n\n\n\n Step 2:<\/mark><\/strong><\/strong> Choose the \u201cCluster<\/strong>\u201d tab and then \u201cConfigure as Candidate Node.<\/strong>\u201d You will see the logical (IP) address of the server in the field with the name “Current Server IP<\/strong>“<\/p>\n\n\n\n Step 3:<\/mark><\/strong> <\/strong>Stay on the \u201cConfigure as Candidate Node<\/strong>\u201d page and input the details as listed in the following table.<\/p>\n\n\n\n Before you start this process, ensure that you have a good network with higher bandwidth and speed. In addition, if any firewall or access control list is configured, it must permit the Oracle Key Vault packets. Also, the OKV ports should be open.<\/p>\n\n\n\n Once the network requirements are completed, start with the below process.<\/strong><\/p>\n\n\n\n Step 1:<\/mark><\/strong><\/strong> Use the administrator\u2019s account and access the controller OKV node<\/strong>.<\/p>\n\n\n\n Step 2:<\/mark><\/strong><\/strong> Go to the “Cluster<\/strong>” tab and click on “Add<\/strong>.”<\/p>\n\n\n\n Step 3:<\/mark><\/strong><\/strong> In the \u201cRecovery Passphrase of the Cluster<\/strong>\u201d field, input the recovery password, as it will be utilized to pair the candidate node.<\/p>\n\n\n\n\n
The Prerequisites for Using Luna HSM with Oracle Key Vault<\/h2>\n\n\n\n
\n
Complete Process To Configure Oracle Key Vault To Use Luna HSM<\/h2>\n\n\n\n
If the Luna HSM is configured accurately, a green arrow in an upward direction will be displayed. In addition, to check the master encryption key, you can execute \u201cpartition content<\/strong>\u201d under \u201clunacm<\/strong>.\u201d<\/p>\n\n\n\nThe Oracle Key Vault Backup Procedure For Maximum Availability<\/h2>\n\n\n\n
Information Required<\/strong><\/td> What To Fill?<\/strong><\/td><\/tr> Destination Name<\/strong><\/td> Input a destination of your choice<\/td><\/tr> Transfer Method<\/strong><\/td> The default value is set to SCP for secure file transfer<\/td><\/tr> Hostname<\/strong><\/td> Input the destination’s IP address. If DNS is configured, provide the hostname.<\/td><\/tr> Port<\/strong><\/td> Enter the default SCP port number, i.e., 22.<\/td><\/tr> Destination Path<\/strong><\/td> Provide the path to reach the destination.<\/td><\/tr> Username<\/strong><\/td> Input the username of the account with read and write permission at the destination.<\/td><\/tr> Authentication Method<\/strong><\/td> Choose the method of your choice: key-based or password-based. For key-based, provide a public key, and for password-based, configure a passphrase.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Furthermore, to Restore from the Backup, you should undergo the following process:<\/h3>\n\n\n\n
How do you Enable Oracle Key Vault Multi-Master Cluster?<\/h2>\n\n\n\n
Single Node Multi-Master Cluster Configuration<\/h3>\n\n\n\n
Part 1: Single OKV (Oracle Key Vault) conversion to cluster\u2019s first node<\/h4>\n\n\n\n
Parameter<\/strong><\/td> What To Fill?<\/strong><\/td><\/tr> First Node of Cluster<\/strong><\/td> Choose the “Yes” option<\/td><\/tr> Node Name<\/strong><\/td> Type a node name of your choice<\/td><\/tr> Cluster Name<\/strong><\/td> Input a cluster name of your choice. Remember that it can’t be changed afterward.<\/td><\/tr> Cluster Subgroup<\/strong><\/td> Input a name for the subgroup, and it cannot be changed either.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Part 4: Adding of HSM-enabled Candidate Node into the HSM-enabled Controller Node Cluster<\/h4>\n\n\n\n