Oracle Key Vault Interview Questions

How to check the existence of the persistent master key cache?

The documentation says: “The persistent master key cache is created in the same location as the configuration file okvclient.ora. The default location for the okvclient.ora file is the directory $OKV_HOME/conf. If the environment variable ORACLE_BASE is set, the persistent cache is created in **$ORACLE_HOME/okv/$ORACLE_SID**.”

The persistent master key cache is stored in the ewallet.p12 file. Example from a database where ORACLE_BASE is set:

$ ls -ltr
total 12
lrwxrwxrwx. 1 oracle dba 39 Jan 18 11:45 okvclient.ora -> /home/oracle/okvutil/conf/okvclient.ora
-rw-r-----. 1 oracle oracle 0 Jan 18 11:46 okv.pc.lck
-rw-r--r--. 1 oracle oracle 9648 Jan 18 16:18 ewallet.p12
$ pwd
/home/oracle/app/oracle/okv/db12c

$ orapki wallet display -wallet .
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
Subject: CN=oracle
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.KM.ENCRYPTION.068BF5969804E94F9FBFACDDB4AE61C982
ORACLE.SECURITY.KM.ENCRYPTION.06DE90EB3460494F5FBFB59DA84CEB5FF4
ORACLE.SECURITY.OKV.ENCRYPTION.00.36324638363531432D364241452D303636452D453035332D303130303030374631314341
ORACLE.SECURITY.OKV.ENCRYPTION.00.36324638453145392D303545342D344244362D453035332D303130303030374630323737
ORACLE.SECURITY.OKV.ENCRYPTION.02.36324638363531432D364241452D303636452D453035332D303130303030374631314341
ORACLE.SECURITY.OKV.ENCRYPTION.02.36324638453145392D303545342D344244362D453035332D303130303030374630323737
ORACLE.TDE.HSM.MK.068BF5969804E94F9FBFACDDB4AE61C982
ORACLE.TDE.HSM.MK.06DE90EB3460494F5FBFB59DA84CEB5FF4
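As an added example (not code from the original post), the two manual steps above turned into checks in bash: whether a given cache directory holds a non-empty ewallet.p12 and an okvclient.ora, and which master key IDs a saved "orapki wallet display" listing reports as cached. The secret store entry names and key IDs come from the listing above; the temporary directory, the placeholder wallet file and the saved listing are constructed for the demo, and orapki itself is not run (save its output to a file first, for example with orapki wallet display -wallet . > listing.txt, and pass that file).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Two checks for the persistent master key cache of an OKV endpoint:
#   check_okv_cache DIR        - does DIR hold a non-empty ewallet.p12 and an
#                                okvclient.ora (file or symlink)?
#   cached_master_keys LISTING - which master key IDs does a saved
#                                "orapki wallet display" listing report?

check_okv_cache() {
  local dir="$1" rc=0
  # -s: the file exists and is not empty (a 0-byte ewallet.p12 is no cache)
  if [ -s "$dir/ewallet.p12" ]; then
    echo "persistent cache present: $dir/ewallet.p12"
  else
    echo "no persistent cache in $dir (ewallet.p12 missing or empty)"
    rc=1
  fi
  if [ -L "$dir/okvclient.ora" ]; then
    echo "okvclient.ora -> $(readlink "$dir/okvclient.ora")"
  elif [ -f "$dir/okvclient.ora" ]; then
    echo "okvclient.ora present in $dir"
  else
    echo "okvclient.ora missing in $dir"
    rc=1
  fi
  return "$rc"
}

# Print the key ID of every ORACLE.TDE.HSM.MK.<id> secret store entry.
# In the listing above each such ID also appears as an
# ORACLE.SECURITY.KM.ENCRYPTION.<id> entry; an ID without that partner
# entry is reported on stderr and makes the function return 1.
cached_master_keys() {
  local listing="$1" id rc=0
  for id in $(sed -n 's/^ORACLE\.TDE\.HSM\.MK\.\([0-9A-Fa-f]*\)[[:space:]]*$/\1/p' "$listing"); do
    if grep -qxF "ORACLE.SECURITY.KM.ENCRYPTION.$id" "$listing"; then
      echo "$id"
    else
      echo "warning: $id has no ORACLE.SECURITY.KM.ENCRYPTION entry" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Number of cached master keys that have both entries.
count_cached_master_keys() {
  cached_master_keys "$1" 2>/dev/null | grep -c .
}

# --- demo on constructed input -------------------------------------------
# Saved listing: the secret store section of the orapki output above.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Oracle Secret Store entries:
ORACLE.SECURITY.KM.ENCRYPTION.068BF5969804E94F9FBFACDDB4AE61C982
ORACLE.SECURITY.KM.ENCRYPTION.06DE90EB3460494F5FBFB59DA84CEB5FF4
ORACLE.TDE.HSM.MK.068BF5969804E94F9FBFACDDB4AE61C982
ORACLE.TDE.HSM.MK.06DE90EB3460494F5FBFB59DA84CEB5FF4
EOF

# Constructed cache directory: a placeholder ewallet.p12 (not a real PKCS#12
# wallet) and an okvclient.ora symlink like the one in the ls output above.
DEMO_DIR=$(mktemp -d)
printf 'placeholder, not a real wallet\n' > "$DEMO_DIR/ewallet.p12"
ln -s /home/oracle/okvutil/conf/okvclient.ora "$DEMO_DIR/okvclient.ora"

check_okv_cache "$DEMO_DIR"
echo "cached master keys: $(count_cached_master_keys "$SAMPLE_LISTING")"
cached_master_keys "$SAMPLE_LISTING"
```

The pairing check matters because the cache is only useful to the database if the master key entry and its matching ORACLE.SECURITY.KM.ENCRYPTION entry are both present; a listing where one side is missing is worth investigating before relying on the cache during an OKV outage.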

The endpoint upgrade requires downtime. Is it mandatory to upgrade the endpoint software immediately after the OKV upgrade?

The downtime is needed because the PKCS#11 library is loaded at database startup. When a new version of the OKV endpoint software is released to match the upgraded OKV server software, the OKV client software on the endpoint has to be updated too, and the newly deployed PKCS#11 library can only be picked up by restarting the database, hence the bounce.

The endpoint software does not have to be updated as part of the server upgrade, but when you do update it you must first stop any database that uses the TDE direct connection to OKV, and only then upgrade the endpoint.

Why are the old backups on the remote destination not automatically deleted?

Oracle Key Vault doesn’t remove old backups from the remote backup destination since it is not aware of the retention policy. So the old backups from the remote destination have to be removed manually.

To do so, remove the older zip files (identify them by the timestamp in the file name); this frees up the space. Make sure that the okvbackup.mgr file is not removed.
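An added example (not from the original post) of the cleanup described above as a script: it orders the backup zip files on the remote destination by the timestamp in their names, keeps the newest N and by default only lists what it would remove; okvbackup.mgr can never be a candidate because only *.zip names are considered. The file name pattern (a 14-digit timestamp such as 20210118020000 somewhere in the name, a .zip suffix) and the sample files are constructed for the demo, since the page only says the timestamp is part of the name; adapt the pattern to what your destination actually holds.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# prune_okv_backups DIR KEEP [apply]
#   Keeps the KEEP newest backup zip files in DIR (newest by the 14-digit
#   timestamp assumed to be embedded in the file name) and lists the rest.
#   Files are deleted only when the third argument is the word "apply";
#   without it the function is a dry run. okvbackup.mgr is never a
#   candidate: only *.zip names carrying a timestamp enter the list at all.
prune_okv_backups() {
  local dir="$1" keep="$2" mode="${3:-dry-run}" f ts
  case "$keep" in
    ''|*[!0-9]*) echo "usage: prune_okv_backups DIR KEEP [apply]" >&2; return 2 ;;
  esac
  for f in "$dir"/*.zip; do
    [ -f "$f" ] || continue
    ts=$(basename "$f" | grep -oE '[0-9]{14}' | head -n 1)
    [ -n "$ts" ] || continue                # no timestamp in the name: leave it alone
    printf '%s\t%s\n' "$ts" "$f"
  done |
  sort -r |                                 # newest timestamp first
  tail -n +"$((keep + 1))" |                # everything after the KEEP newest
  while IFS="$(printf '\t')" read -r ts f; do
    case "$(basename "$f")" in
      okvbackup.mgr) echo "skipping $f" >&2; continue ;;   # defensive; cannot match *.zip
    esac
    if [ "$mode" = apply ]; then
      rm -f -- "$f" && echo "removed $f"
    else
      echo "would remove $f"
    fi
  done
}

# --- demo on constructed files -------------------------------------------
DEMO_DIR=$(mktemp -d)
for ts in 20210115020000 20210116020000 20210117020000 20210118020000; do
  : > "$DEMO_DIR/okvbackup_periodic_onetime_$ts.zip"   # constructed names
done
: > "$DEMO_DIR/okvbackup.mgr"
echo "dry run, keeping the 2 newest backups in $DEMO_DIR:"
prune_okv_backups "$DEMO_DIR" 2
```

Run it once without "apply" against the real destination and read the list before letting it delete anything; the dry run is the default precisely because the OKV server will not warn you if a backup it still needs has gone.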

Is it possible to use wget or curl to download the OKV REST jar file from the OKV server? This is for mass provisioning, where we do not want an admin to have to point and click in a browser and then SFTP the file.

There is a restriction: the OKV REST jar file cannot be downloaded directly with wget or curl. For mass provisioning, download the REST jar file once; it can then be distributed to the other endpoints with ftp. If the endpoints do not need the client software installed, the whole process can be driven from one station.

Is it possible to store the SEPS wallet in OKV and use it from there for the users, instead of storing it locally?

The database does not support a direct connection from the DB client side (OCI/SQL*Plus/Thin JDBC) to retrieve the SEPS credentials from OKV.

Besides syslog messages can other data be forwarded to enterprise monitoring servers like Splunk?

Currently, the following information can be sent to SYSLOG and nothing more:

“Syslog - All system-related alerts are sent to syslog. These include the following: Disk Utilization, System Backup, Failed System Backup, High Availability Role Change, High Availability Destination Failure, SSH Tunnel Failure”

How to increase the threshold of Fast-Start Failover from 60 seconds to 300 seconds?

The Fast-Start Failover threshold can be changed in the OKV GUI as an OKV admin, under System -> High Availability.

Is there any alternative to downloading and installing OKV other than the ISO?

OKV should not be installed from an rpm package. It has to be installed from the ISO because of its many dependencies.

Is it supported to uninstall firmware packages and modules?

OKV is a software appliance, and Oracle does not allow or recommend any modifications to the underlying platform. If changes are made, they are at the customer's own risk and Oracle cannot guarantee the proper functioning of the software appliance.

Does OKV support one-off patches?

OKV is an appliance and one-off patches are not released for it. There are patches that upgrade the OKV version, for example from 18.3 to 18.4.