Managing External Vaults
This section describes how to manage external vaults on CCKM. Before proceeding, an identity provider must be created.
External vaults can be added, viewed, modified, or deleted on the External Vaults tab of the Oracle Vaults page of the CipherTrust Cloud Key Manager (CCKM) GUI.
Adding External Vaults
You can add external vaults linked to an Oracle connection to the CipherTrust Manager. An external vault can be added only once.
To add an external vault:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults. The Vaults tab of the Oracle Vaults page is displayed.
Click the External Vaults tab.
Click Add External Vault. The Add External Vault wizard is displayed.
Enter a unique Vault Name.
Select one of the Methods for choosing Oracle Tenancy. The options are:
Oracle Connection: Select to specify an Oracle connection. The Select a Connection drop-down list is displayed.
Refer to Connection Manager to create an Oracle Connection if needed.
Oracle Tenancy (no connection): Select to specify a tenancy. The Tenancy drop-down list is displayed.
Depending on the method selected in the previous step, Select a Connection or Tenancy from the drop-down list.
(Optional) Select a Source Key Tier. The options are:
CipherTrust
Luna HSM: also select a Luna Partition. An FM-enabled Luna HSM is not supported as a key source.
If you want to clear the selected Source Key Tier, click Clear.
Select an Issuer from the drop-down list.
Enter the Client Application ID of the OCI KMS application as registered in Register OCI KMS Application.
In Endpoint URL Hostname, specify the IP address for the OCI external vault endpoint URL, that is, the IP address of the CipherTrust Manager or Load Balancer. In case of FQDN connectivity, specify the IP address of the OCI API gateway.
(Optional) In Endpoint URL Port, specify the port number for the OCI external vault endpoint URL, that is, the port of the CipherTrust Manager or Load Balancer. The default port is 443.
Note
The web interface port within CipherTrust Manager can be changed from the default port of 443 to another port. If you plan to change the default port for the CipherTrust Manager web interface, change it before configuring the OCI EKMS (HYOK) on CCKM, and reflect the port change when creating an external vault on CCKM. Changing the default port after configuring OCI EKMS is not supported. Refer to Support for Changing the Default Port of Web Interface Setting for instructions on changing the port when configuring OCI EKMS.
(Optional) Enter Policy.
Click Add.
Click Close.
The selected vault is displayed on the External Vaults tab of the Oracle Vaults page.
The vault is available for adding external keys.
Viewing External Vaults
To view the list of the external vaults added to the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab. The External Vaults tab of the Oracle Vaults page shows the list of external vaults added to the CipherTrust Manager.
The page displays the following details:
Name: Name of the external vault.
External Vault URL: URL of the external vault.
Status: Status of the external vault, BLOCKED or UNBLOCKED.
Tenancy: Name of the Oracle tenancy.
Identity Provider: Name of the identity provider.
Connection: Name of the Oracle connection added to the CipherTrust Manager.
Source Key Tier: Name of the Source Key Tier, Luna HSM or CipherTrust.
Date Added: Date and time when the external vault was added.
To view or hide columns, click the Customize View icon, select or clear the desired option, and click OK to display the column.
Viewing or Editing Details of an External Vault
To view or edit the details of an external vault on CCKM:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
On the External Vaults tab, click the Name link of the desired vault.
Alternatively, click the overflow icon corresponding to the desired vault, and click View/Edit Details.
The ORACLE VAULT DETAILS page shows additional details of the selected vault under the GENERAL INFO and ACCESS CONTROL sections. Expand each section to view and edit its details.
The GENERAL INFO section shows the Endpoint URL Hostname, Identity Provider, and Policy. You can edit these details if needed.
Editing Details of an External Vault
You can change the endpoint URL hostname, identity provider, and policy of an external vault on the CipherTrust Manager.
Expand GENERAL INFO.
Update the Endpoint URL Hostname. Specify the IP address of the CipherTrust Manager or Load Balancer. FQDNs are not supported.
Update the Endpoint URL Port. Specify the port number for the OCI external vault endpoint URL. Specify the port of the CipherTrust Manager or Load Balancer. The default port is 443.
Update the Identity Provider from the drop-down list.
Update the Policy. Specify a valid Rego policy.
Click Update.
Managing User Permissions on External Vaults
To work with the external resources, users/groups must have the minimum set of permissions that allow them to use the external resources such as external keys and vaults. Initially, the CCKM user only has permission to view the external keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only users who are members of the CCKM Users group can be granted permissions to perform operations on external vaults.
Users with the following characteristics can perform operations on external keys and vaults:
Users in the CCKM Admins group
Users in the Admin group
Users who are administrators for a domain
Users in the CCKM Users group who have had a CCKM Admin assign permissions through the UI or the /v1/cckm/oci/vaults/{id}/update-acls endpoint in the REST API.
Adding Permissions for a User/Group
To add permissions for a user/group:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
On the External Vaults tab, click the Name link of the desired vault.
Alternatively, click the overflow icon corresponding to the desired vault, and click View/Edit Details.
Expand the ACCESS CONTROL section.
Click Assign User/Group. The Assign User/Group dialog box is displayed.
Select the desired user or group from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the ACCESS CONTROL section. You can now grant additional permissions to the user/group, as appropriate. Refer to Granting Permission to Perform an Operation for details.
Granting Permission to Perform an Operation
To grant a user or group permission to perform any of the above-mentioned operations:
In the ACCESS CONTROL section, select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
To revoke permissions from a user/group, refer to Removing a Permission for details.
Removing a Permission
To remove a permission assigned to a user or group:
In the ACCESS CONTROL section, clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
In the ACCESS CONTROL section, under Unassign, click the X button corresponding to the desired user/group.
On the Remove User / Remove Group screen, click Remove.
Note
Removing this user/group will remove all permissions currently assigned to the user/group.
Click Remove to confirm the action. To cancel the action, click Keep It.
A success message is displayed on the screen.
Removing External Vaults
External vaults can be removed on the Oracle Vaults page. Search for existing external vaults using Vault Name, Tenant, or Compartment.
Note
Removing an external vault is an irreversible operation that permanently deletes the unique identifiers required by the corresponding OCI vaults under External Key Manager (EKM).
Before deleting an external vault from the CipherTrust Manager, ensure that the vault contains no external keys. Delete all external keys stored in the vault.
To remove an external vault from the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
On the External Vaults tab, click the overflow icon corresponding to the vault you want to remove.
Click Remove Vault.
Select I wish to delete the vault.
Click Delete.
The external vault is deleted successfully. It is removed from the list of external vaults.
Blocking External Vaults
External vaults can be blocked on the Oracle Vaults page. Search for existing external vaults using Vault Name, Tenant, or Compartment.
When you block an external vault, all the external keys in the vault are blocked and any subsequent requests to those keys fail. Blocking an external vault also prevents cryptographic operations on the keys from the OCI KMS side.
To block an external vault from CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
On the External Vaults tab, click the overflow icon corresponding to the external vault you want to block.
Click Block.
All keys in the vault will be blocked. Any subsequent requests to the keys will fail.
Click Confirm.
The external vault is blocked successfully. The status of the external vault changes to BLOCKED.
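The permission rules in Managing User Permissions on External Vaults and the blocking behaviour described above, modelled as one executable authorization check. This is an added example, not CCKM's own code: the group names (CCKM Admins, Admin, CCKM Users) and the BLOCKED/UNBLOCKED statuses are from the page, while the operation names, the per-user ACL shape and the view-only default permission are assumptions made so the rules can be run and tested.

```python
from dataclasses import dataclass, field

# Group names and vault statuses are taken from the page.
PRIVILEGED_GROUPS = {"CCKM Admins", "Admin"}
CCKM_USERS = "CCKM Users"
BLOCKED, UNBLOCKED = "BLOCKED", "UNBLOCKED"
# Assumed operation names; a CCKM user starts with view-only access to external keys.
DEFAULT_PERMISSIONS = {"view_keys"}
KEY_OPERATIONS = {"view_keys", "add_key", "delete_key"}


@dataclass
class Principal:
    name: str
    groups: set
    domain_admin: bool = False


@dataclass
class ExternalVault:
    name: str
    status: str = UNBLOCKED
    acls: dict = field(default_factory=dict)  # assumed shape: user name -> set of operations


def grant(vault, user, operation):
    """ACL grant as applied through the UI or /v1/cckm/oci/vaults/{id}/update-acls.
    Returns False when refused: only CCKM Users members can be granted permissions."""
    if CCKM_USERS not in user.groups:
        return False
    vault.acls.setdefault(user.name, set()).add(operation)
    return True


def revoke(vault, user, operation=None):
    """Clear one operation (Removing a Permission) or unassign the user entirely."""
    if operation is None:
        vault.acls.pop(user.name, None)
    else:
        vault.acls.get(user.name, set()).discard(operation)


def authorize(user, vault, operation):
    """Decide one request against the rules the page states."""
    # A BLOCKED vault rejects every request to its keys, whoever asks.
    if vault.status == BLOCKED and operation in KEY_OPERATIONS:
        return False
    # CCKM Admins, Admin and domain administrators need no ACL entry.
    if user.domain_admin or user.groups & PRIVILEGED_GROUPS:
        return True
    # CCKM Users: the default view permission plus whatever was granted on this vault.
    if CCKM_USERS in user.groups:
        return operation in DEFAULT_PERMISSIONS | vault.acls.get(user.name, set())
    return False
```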
Unblocking External Vaults
Blocked external vaults can be unblocked on the Oracle Vaults page. Search for blocked external vaults using Vault Name, Tenant, or Compartment.
To unblock an external vault from the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
On the External Vaults tab, click the overflow icon corresponding to the external vault you want to unblock.
Click Unblock.
All keys in the vault will be unblocked.
Click Confirm.
The external vault is unblocked successfully. The status of the external vault changes to UNBLOCKED.