Oracle Cloud Resources
Oracle Cloud Infrastructure (OCI) resources include vaults and keys. Manage OCI keys stored in vaults linked to your OCI accounts using CCKM.
Prerequisites
Before you can manage OCI resources on CCKM:
Note
Currently, only commercial OCI regions are supported.
Get an OCI Account
Sign up with OCI. When signing up, you need to specify a name for your cloud account (referred to as tenancy in OCI) and OCI credentials (username and password). These are required to access the OCI resources.
Note
Steps on this page are documented for username and password based authentication. If Single Sign-On (SSO) is configured for your OCI accounts, the steps to log on might differ.
To log on to OCI:
Open the Oracle Cloud Sign In page.
Enter your tenancy name in the Cloud Account Name field.
Click Next.
Enter your User Name and Password.
Click Sign In.
Access permissions on a compartment are controlled at the user group level. So, first you need to add an OCI user group. Then you can apply a policy to this user group and add new users to the group.
Create an OCI User Group
To create an OCI user group:
Open the navigation menu and click Identity & Security. The Identity & Security page is displayed.
Under Identity, click Groups.
Click Create Group. The Create Group dialog box is displayed.
Enter a unique Name for your group, for example, cckm-group.
Note
The name cannot contain spaces.
Enter a Description for your group.
Click Create.
The OCI group, cckm-group, is created. Now, you can apply appropriate policies to this group to grant it permissions to manage vaults and keys in your compartments.
Apply Policies to the User Group
Create the policy to give your group (cckm-group, created above) permissions in your compartment.
Open the navigation menu and click Identity & Security. The Identity & Security page is displayed.
Under Identity, click Policies.
On the left, under List Scope, make sure that your compartment is selected. The Policies in <your-compartment> (root) Compartment page is displayed.
Click Create Policy. The Create Policy page is displayed.
Enter a unique Name for your policy, for example, cckm-policy.
Note
The name cannot contain spaces.
Enter a Description for your policy.
In the Policy Builder section, click Show manual editor.
In the text field under Policy Builder, enter the following:
Syntax
Allow group <group-name> to manage vaults in compartment <compartment-name>
Allow group <group-name> to manage keys in compartment <compartment-name>
Allow group <group-name> to read audit-events in <location>
Allow group <group-name> to Inspect compartments IN TENANCY
These statements grant a user group the permissions to manage vaults and keys in the specified compartment, to read audit events, and to inspect (list) compartments in the tenancy.
Example
Allow group cckm-group to manage vaults in compartment cckm-compartment
Allow group cckm-group to manage keys in compartment cckm-compartment
Allow group cckm-group to read audit-events in us-ashburn-1
Allow group cckm-group to Inspect compartments IN TENANCY
These statements grant members of your user group (cckm-group) the permissions to manage vaults and keys in your compartment.
Click Create.
Create a User in the User Group
To create an OCI user:
Open the navigation menu and click Identity & Security. The Identity & Security page is displayed.
Under Identity, click Users. The Users page is displayed.
Click Create User. The Create User dialog box is displayed.
Enter a unique Name for the user, for example, cckm-user.
Note
The name cannot contain spaces.
Enter a Description for the user.
(Optional) Specify and confirm email of the user.
Click Create.
The OCI user, cckm-user, is created and displayed on the Users page. Now, you can add this user to the user group you created earlier. The user will inherit the permissions granted to its user group.
To add the user to a group:
Click the Name link of your user. The user details are displayed.
Navigate to the Groups section.
Click Add User to Group. The Add User to Group dialog box is displayed.
From the Groups drop-down list, select the desired group (for example, cckm-group). The drop-down list shows the available user groups.
Click Add.
The OCI user, cckm-user, is added to the selected user group. The user now inherits the permissions granted to the linked user group.
Create an OCI Vault
OCI keys reside inside vaults. Only the users of the group with permissions to manage vaults can create vaults.
To create an OCI vault:
Open the navigation menu.
Click Identity & Security > Vault.
On the left, under List Scope, in the Compartment list, click the name of the compartment where you want to create the vault.
Click Create Vault. The Create Vault dialog box is displayed.
Enter a display Name for the vault, for example, cckm-vault. Avoid entering confidential information.
Optionally, make the vault a virtual private vault by selecting the Make it a virtual private vault check box. For more information about vault types, refer to Key and Secret Management Concepts.
Note
You cannot change the vault type after the vault is created.
If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, refer to Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
When you are finished, click Create Vault.
The newly created vault is displayed in the list of vaults.
Create an API Key for the User
Now, you need to create an API key for your user so that the user can add an OCI connection and manage vaults and keys. When you create the key, you will get the authentication information needed to add an OCI connection to the CipherTrust Manager.
To add an API key for the user:
Open the navigation menu and click Identity & Security. The Identity & Security page is displayed.
Under Identity, click Users. The Users page is displayed.
Click the Name link of your user. The user details are displayed.
Alternatively, click the Profile icon in the top right corner, and click the user name link.
In the left pane, under Resources, click API Keys. The API Keys section is displayed under the user details.
In the API Keys section, click Add API Key. The Add API Key screen is displayed.
An API key is an RSA key pair in PEM format used for signing API requests. You can generate the key pair here and download the private key. If you already have a key pair, you can choose to upload or paste your public key file instead. In this section, you will generate a new API key pair.
Select Generate API Key Pair.
Click Download Private Key. A private key file is downloaded in the PEM format.
Click the Download Public Key link to download the associated public key.
Click Add. The Configuration File Preview dialog box is displayed.
This configuration file snippet includes the authentication information such as OCID of the user and tenancy, fingerprint, and region. You will need this information when adding an OCI connection to the CipherTrust Manager.
Click Close to close the screen.
The newly added API key is displayed under the API Keys section. To view the key details later, visit the API Keys section, click the overflow icon corresponding to the key, and click View Configuration File.
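The configuration file preview identifies the API key by its fingerprint. The following added example (not part of the CCKM documentation or the OCI console) generates an RSA key pair of the kind OCI expects, derives the fingerprint the same way OCI displays it, and checks that the private key you keep really belongs to the fingerprint in the configuration snippet before you paste that snippet into the CipherTrust Manager connection. It assumes openssl is installed and that OCI's fingerprint is the colon-separated MD5 of the DER-encoded public key.

```shell
#!/bin/sh
# Added example: OCI-style API signing key handling with openssl.
# Assumption: OCI's fingerprint = MD5 over the DER form of the public key, aa:bb:cc:... format.
set -eu

# Generate a 2048-bit RSA key pair in PEM format (what the Add API Key screen produces).
# $1 = private key path, $2 = public key path
gen_api_keypair() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 600 "$1"                      # the private key signs every API request; owner-only access
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Compute the fingerprint OCI shows for a public key file.
# $1 = public key path (PEM)
oci_fingerprint() {
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl md5 -c | sed 's/^.*= //'
}

# Confirm the private key on disk matches the fingerprint in the Configuration File Preview.
# $1 = private key path, $2 = fingerprint from the configuration snippet
# Returns 0 when they match, 1 otherwise.
verify_key_matches_fingerprint() {
  actual=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl md5 -c | sed 's/^.*= //')
  [ "$actual" = "$2" ]
}
```

Run the verification against the fingerprint from the snippet; a mismatch means the downloaded private key is not the one registered for the user, and the connection would fail to authenticate.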
Add OCI Connection on CipherTrust Manager
Before you can add an Oracle vault to the CCKM, a connection to your OCI account must exist on the CipherTrust Manager. After you have created an API key for the user, add a connection to the OCI account.
A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
What Next?
After completing the prerequisites, you can view linked Oracle vaults and manage keys on the CipherTrust Manager.