Managing Oracle Vaults
This section describes how to manage Oracle vaults on CCKM. Before proceeding, a connection to your Oracle account must exist on the CipherTrust Manager. Refer to Oracle Cloud Infrastructure (OCI) for details.
After the connection is configured, you can add vaults to the CipherTrust Manager. Oracle vaults can be added, viewed, modified, or deleted on the Vaults tab of the Oracle Vaults page.
Adding Existing Oracle Vaults
You can add existing vaults linked to an Oracle connection to the CipherTrust Manager. An existing vault can only be added just once.
To add an existing Oracle vault:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults. The Vaults tab of the Oracle Vaults page is displayed.
-
Click Add Existing Vault. The Select Connection Information and Vaults screen of the Add Existing Vault wizard is displayed.
Select Connection Information and Vaults
Filter vaults based on Oracle compartments and then by regions.
-
Select a Connection from the drop-down list. The list of existing compartments linked with the selected connection is displayed.
-
Select a Compartment from the drop-down list. The list of regions where the selected compartment is available is displayed.
-
Select Region from the drop-down list. The list of key vaults in the selected region is is displayed.
-
Under Key Vault Name, select the desired vaults.
-
Click Next. The Add Bucket Name, Bucket Namespace screen is displayed.
Add Bucket Name, Bucket Namespace
The bucket name and namespace are required for creating key backups of HSM-protected keys for Virtual Private Vaults. Without these parameters, the Key Backup functionality while syncing vaults will cease.
-
Specify the Bucket Name.
-
Specify the Bucket Namespace.
-
Click Add.
The selected vault is displayed on the Vaults tab of the Oracle Vaults page. Now, you can manage the vault from CCKM on the CipherTrust Manager.
The vault is available to upload Oracle keys and view Oracle reports.
Viewing Oracle Vaults
The Vaults tab of the Oracle Vaults page shows the list of vaults added to the CipherTrust Manager. Search for the vaults by Vault Name, Tenant, or Compartment.
To view the list of vaults added to the CipherTrust Manager:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults. The Vaults tab of the Oracle Vaults page shows the list of vaults added to the CipherTrust Manager.
The page displays the following details:
Column Description Vault Name Name of the vault. Tenancy Name of the Oracle tenancy. Compartment Name of the Oracle compartment. Region Region of the vault. Virtual Private Whether the vault is a Virtual Private vault. State State of the vault. Connection Name of the Oracle connection added to the CipherTrust Manager. Last Refreshed Date and time when the vault was refreshed the last.
To view/hide columns, click the Customize View () icon, select/clear the desired option, and click OK to display the column.
Refreshing Oracle Vaults
Refreshing is the process to download keys created in Oracle vaults to the CCKM. You can refresh keys from individual or all Oracle vaults.
The backup of Oracle keys is created only when the vaults are refreshed. The backup can only be created for keys that:
-
Are stored in Virtual Private Vaults (VPVs)
-
Are stored in vaults that have associated bucket credentials
-
Have the HSM protection mode
Refreshing Specific Oracle Vaults
To refresh a vault:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults.
-
On the Vaults tab, click the overflow icon () corresponding to the desired vault and click Refresh Now.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Oracle > Oracle Keys page. Refer to Viewing Oracle Keys for details.
Refreshing All Oracle Vaults
To refresh all Oracle vaults:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults.
-
On the Vaults tab, click Refresh All. The This may take a while... message is displayed.
Note
Refresh all vaults is a time intensive operation that could take several hours or days to complete. It will continue running in the background.
-
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > Oracle > Oracle Keys page. Refer to Viewing Oracle Keys for details.
Viewing Details of a Vault
To view the details of a vault on CCKM:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults.
-
On the Vaults tab, click the Name link of the desired vault.
Alternatively, click the overflow icon () corresponding to the desired vault, and click View/Edit Details.
The edit view of the Oracle Vaults page shows additional details of the selected vault under the GENERAL INFO and ACCESS CONTROL sections. Expand each section to view more details.
The GENERAL INFO section provides details of linked Oracle connection, Bucket Name, and Bucket Namespace. If needed, you can modify these settings, as appropriate.
Changing the Oracle Connection
To change the Oracle connection of a vault:
-
Expand GENERAL INFO.
-
From the Connection drop-down list, select the desired Oracle connection.
-
Click Update.
The connection of the Oracle vault is changed.
Modifying the Bucket Details
To modify the bucket details of a vault:
-
Expand GENERAL INFO.
-
Update the Bucket Name.
-
Update the Bucket Namespace.
-
Click Update.
The bucket name and bucket namespace of the Oracle vault is modified.
Managing User Permissions on Oracle Vaults
To work with the Oracle cloud, users/groups must have the minimum set of permissions that allow them to use the Oracle resources such as keys and vaults. Initially, the CCKM user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only the users who are member of the CCKM Users group will be granted permissions to perform operations on Oracle vaults.
Users with the following characteristics can perform operations for Oracle keys and vaults:
-
Users in the
CCKM Admins
group -
Users in the
Admin
group -
Users who are in the
CCKM Users
group and which have had a CCKM Admin assign permissions through the UI or the/v1/cckm/oci/vaults/{id}/update-acls
endpoint in the REST API.
Adding Permissions for a User/Group
To add permissions for a user/group:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults.
-
On the Vaults tab, click the Name link of the desired vault.
Alternatively, click the overflow icon () corresponding to the desired vault, and click View/Edit Details.
-
Expand the ACCESS CONTROL section.
-
Click Assign User/Group. The Assign User/Group dialog box is displayed.
-
Select the desired user or group from the User/Group drop-down list.
-
Click Save.
The newly added user/group is displayed under Name in the ACCESS CONTROL section. You can now grant additional permissions to the user/group, as appropriate. Refer to Granting Permission to Perform an Operation for details.
Allowed Operations
CCKM allows the following operations on Oracle vaults:
-
View Keys, Add Native Key, Add BYOK Key, Edit Key
-
Rotate Key, Delete Key, Cancel Delete, Remove Key Backup, Remove Key
-
Rotate to Native Key, Rotate to BYOK Key, Refresh Key
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above mentioned operations:
-
In the ACCESS CONTROL section, select the check box under the desired operation corresponding to the desired users or groups.
-
Click Update.
A success message is displayed on the screen.
To revoke permissions from a user/group, refer to Removing a Permission for details.
Removing a Permission
To remove a permission assigned to a user or group:
-
In the ACCESS CONTROL section, clear the check box under the desired operation corresponding to the desired users or groups.
-
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
-
In the ACCESS CONTROL section, under Unassign, click the X button corresponding to the desired user/group.
-
On the Remove User / Remove Group screen, click Remove.
Note
Removing this user/group will remove all permissions currently assigned to the user/group.
-
Click Remove to confirm the action. To cancel the action, click Keep It.
A success message is displayed on the screen.
Removing Oracle Vaults
Oracle vaults can be removed on the Oracle Vaults page. Search for existing vaults using Vault Name, Tenant, or Compartment.
To remove a vault from CCKM:
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > Oracle Vaults.
-
On the Vaults tab, click the overflow icon () corresponding to the vault you want to remove.
-
Click Remove Vault.
-
Select I wish to delete the vault.
-
Click Delete.
The Oracle vault is deleted successfully. The vault is removed from the list of Oracle vaults.