Procedures

The high-level procedure to install and configure one or more Oracle Key Vault servers with one or more nShield HSMs is as follows:

Install the required number of instances of Oracle Key Vault. For instructions, see the Oracle Key Vault documentation.
Install and configure the required number of HSMs and the Security World software, including setting up the Remote File System (RFS) or Remote Administration. For instructions, see the Installation Guide for your HSM.
- nShield HSMs require a separate non-HSM machine on the network to use as the RFS. You must set up this machine and copy the nShield Security World Software files to it before you install the HSM client software on Oracle Key Vault servers.
- All enrolled HSMs must be in the same Security World and must have access to the OCS in slot 0 if OCS-protection is used. If the HSM whose slot 0 is used is enrolled on each of the Key Vault servers, the Key Vault web user interface has access to all of the HSMs, as long as they are in the same Security World.
- If dynamic slots are to be used on the HSMs, set up Remote Administration and configure slot mapping.
Install the HSM client software on the Oracle Key Vault server(s).
Enroll the Key Vault(s) as client(s) of the HSM(s).
Enable HSM mode in the Oracle Key Vault web user interface.
For a high-availability Oracle Key Vault environment, enroll your HSM and configure initialization of the HSM in each of the nodes.

Install HSM client software on the Key Vault server

Perform these steps on the Oracle Key Vault server.

For a high-availability Oracle Key Vault environment, perform these steps:

In a primary-standby architecture, on both the primary and the standby.
In a cluster architecture, on each Key Vault instance to be added to the cluster.

Primary-Standby configuration is deprecated in Oracle Key Vault version 21.5. Oracle recommends the use of an multi-master cluster deployment instead. See https://docs.oracle.com/en/database/oracle/key-vault/21.5/okvag/deprecated-features-oracle-key-vault-21.5.html.

To install HSM client software on the Key Vault server:

Log into the Oracle Key Vault server as the support user using SSH:

$ ssh support@<okv_instance>
<Enter the support user password when prompted>

Switch to root:
```
$ su root
```
Install the latest version of the Security World software as described in the Installation Guide for the HSM.

Entrust recommends that you uninstall any existing nShield software before installing the new nShield software.
Create the Security World as described in the User Guide, creating the ACS and OCS that you require.
As root on the Key Vault server, add the nfast group to the oracle user:
```
root# usermod -a -G nfast oracle
```

Switch to the oracle user and verify the installation:

root# su oracle
oracle$ PATH=/opt/nfast/bin:$PATH
oracle$ export PATH
oracle$ enquiry

The mode should say operational in the output. For example:

Server:
enquiry reply flags  none
enquiry reply level  Six
serial number        nnnn-nnnn-nnnn
mode                 operational
version              12.60.7
speed index          15843

Restart the Oracle Key Vault server for the group change to take effect.

To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.
As the root user, set firewall rules to enable port 9004 for the hardserver (the client process in the nShield Security World software that communicates with the HSM).

Enroll Key Vault as a client of the HSM

To enroll Key Vault as a client of the HSM:

Add the Key Vault server IP address to the client list on the HSM using the front panel or via an update to the Connect configuration file. For instructions, see the User Guide for your HSM.
1. Select privileged on any port.
2. For a high-availability Oracle Key Vault environment, add the IP addresses of all Key Vault servers to the client list on all HSMs.

Switch to the oracle user:

root# su oracle
oracle$ PATH=/opt/nfast/bin:$PATH
oracle$ export PATH

To obtain the ESN and keyhash for the nethsmenroll command in the next step, run the anonkneti command:
```
anonkneti <HSM IP address>
```

On the Key Vault server, enroll with the HSM:

oracle$ nethsmenroll --privileged <HSM IP address> <HSM ESN> <HSM keyhash>

Run the following command:
```
enquiry
```
Verify that the HSM mode is operational and the hardware status is OK.

Configure TCP sockets:

oracle$ config-serverstartup --enable-tcp --enable-privileged-tcp

Switch to root and restart the hardserver:

oracle$ su root
root# /opt/nfast/sbin/init.d-ncipher restart

On the Remote File System machine, run the following command:

rfs-setup --gang-client --write-noauth <IP address of your Key Vault server>

If OCS protection is intended but the Security World has not been created yet, edit the cardlist file to enable Java Cards for use through dynamic slots. If the Security World has been created with this RFS, this configuration is already enabled.
1. Go to the following directory on the RFS:
  #/opt/nfast/kmdata/config
2. Open the cardlist file in a text editor.
3. Add an asterisk (*) to authorize all Java Cards for dynamic slots.
  
  If only certain Java Cards are authorized for this use, list them by their serial number. For example:
  4286005559064791 4286005559064792 4286005559064793
4. Copy the updated cardlist file from the RFS to all clients.

On the Key Vault server as the oracle user, run the following commands:

oracle$ rfs-sync --setup <IP address of Remote File System machine>
oracle$ rfs-sync --update

As the root user, create the /opt/nfast/cknfastrc configuration file for PKCS#11 variables. For information on these variables, see the User Guide for your HSM.
1. OCS protection.
  
  If you are using OCS or Module protection, set cknfastrc:
  CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm
2. Softcard Protection.
  
  If you are using Softcard protection, then CKNFAST_LOADSHARING must be set. This is not supported alongside the Module-only Key protection settings.
  CKNFAST_LOADSHARING=1 CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm
3. Module Protection.
  
  If you are using Module-Only protection, set cknfastrc:
  CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm CKNFAST_FAKE_ACCELERATOR_LOGIN=1

On the Key Vault Server, test PKCS#11 access as follows:

oracle$ /opt/nfast/bin/ckcheckinst

Select a slot number to run a library test. Various slots are displayed, depending on your configuration.

Example 1:

0 Fixed token "accelerator"
1 Operator card "OKV_OCS"

Example 2:

0  Operator card     "OKV_OCS"
1  Soft token        "OKV_Softcard"

Test execution:

Test                      Pass/Failed
----                      -----------

1 Generate RSA key pair   Pass
2 Generate DSA key pair   Pass
3 Encryption/Decryption   Pass
4 Signing/Verification    Pass

Deleting test keys         ok

PKCS#11 library test successful.

Enable HSM mode in Key Vault

After installing HSM software and enrolling Key Vault as an HSM client, you can enable HSM mode with nShield HSM(s) from the Key Vault web user interface. This will protect the Oracle Key Vault Root of Trust key with the HSM.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
Select Settings on the Left menu.
Under Network Services, select HSM.

The Hardware Security Module page appears.

The red downward arrow shows the non-initialized Status. The Type field displays None.
Select Initialize.

The Initialize HSM dialog appears.
From the Vendor list, select Entrust.
Enter a password two times: first in HSM Credential and second in Re-enter HSM Credential.
- If you are using OCS protection, then your OCS passphrase needs to be entered twice with your card presented in slot 0.
- If you are using Softcard protection, then the Softcard passphrase needs to be entered twice.
- If you are using Module-Only protection, enter a password that you set up for this credential check.
  
  The password will be needed in the future, for example for reverse migration.
Enter the recovery passphrase for Oracle Key Vault.
If you are using token labels, used for OCS protection and Softcards for instance, check the Use Token Label checkbox and enter the name of the token.
Select Initialize.

At the end of a successful initialize operation, the Hardware Security Module page appears. The initialized Status is indicated by an green upward arrow. The Type field shows details of the HSM in use.

The Token label is accelerator if Module-Only protection is used.

Only the first two numbers of the firmware are included.
After a successful initialize operation of the nShield HSM, run the following command as the oracle user on the Key Vault server:
```
oracle$ /opt/nfast/bin/rfs-sync --commit
```

If you change the HSM credential on the HSM after initialization, you must also update the HSM credential on the Oracle Key Vault server: In the Vendor list select Entrust, then select Set Credential.

Enable the HSM in a Primary-Standby high availability deployment

In a high availability Oracle Key Vault installation, you must enable the HSM(s) separately on the servers that you plan to designate as primary and standby before pairing them in a high availability configuration. On the primary server, the HSM(s) will be enabled through the Oracle Key Vault web user interface. On the standby server, the command line interface with SSH will be used to enable the HSM(s).

Install Oracle Key Vault on two servers that you mean to designate as primary and standby.
Install the nShield Security World software on each Oracle Key Vault server, see Install HSM client software on the Key Vault server.
Enroll the primary and standby nodes as clients of the HSM, see Enroll Key Vault as a client of the HSM.
From the Oracle Key Vault web user interface, initialize the intended primary server for HSM mode with nShield HSM(s), see Enable HSM mode in Key Vault.

On the primary server, run the following commands as the oracle user:

$ ssh support@<okv_primary_instance>
<Enter password when prompted>
$ su root
root# su oracle
oracle$ rfs-sync --commit
oracle$ cd /usr/local/okv/hsm/wallet
oracle$ scp cwallet.sso support@<okv_standby_instance>:/tmp
oracle$ scp enctdepwd support@<okv_standby_instance>:/tmp
oracle$ cd /usr/local/okv/hsm/restore
oracle$ scp ewallet.p12 support@<okv_standby_instance>:/tmp

On the standby server, run the following commands as the root user:

$ ssh support@<okv_standby_instance>
<Enter password when prompted>
$ su root
root# cd /usr/local/okv/hsm/wallet
root# mv /tmp/enctdepwd .
root# mv /tmp/cwallet.sso .
root# chown oracle *
root# chgrp oinstall *
root# cd /usr/local/okv/hsm/restore
root# mv /tmp/ewallet.p12 .
root# chown oracle *
root# chgrp oinstall *

Continuing as the root user, open the okv_security.conf file for writing:

root# vi /usr/local/okv/etc/okv_security.conf

A sample okv_security.conf file before enabling HSM mode:

SNMP_ENCRYPTION_PWD="01:10:bf3f58671448a5ac2dba1682daf22a92235382c1f9f5b1ab28b3815a70bf2dc3:AlMBqgMWi4PtI2cY1j4Y7Q=="
SNMP_AUTHENTICATION_PWD="01:10:e4dc49617faca046e7e3585f27dbfbe282f16123b762fda17dba6233cab815ec:1a+Gnv9+uF6HsV7peDhm/g=="
SNMP_USERNAME="root"
SMTP_TRUSTSTORE_PWD="changeit"
HSM_ENABLED="0"
FIPS_ENABLED="0"
HSM_FIPS_ENABLED="1"
OKV_OCI_INSTALL="DISABLED"
HSM_TOKEN_LABEL=""
HSM_KEY_EXTRACTABLE="0"
OKVAG_LINK_UI="https://docs.oracle.com/en/database/oracle/key-vault/21.5/okvag/"
LDAP_TRACE_LEVEL="1"
OKV_AVS_STATUS="DISABLED"
OKV_AVS_OKV_HOST_ID=""
OKV_AVS_AVDF_IP_ADDRESS=""
HSM_REVERSE_MIGRATE_ENABLED="1"

Make updates to the okv_security.conf file as follows:
1. Set the HSM_ENABLED variable to 1. If the variable does not exist, add it and set its value to 1:
  HSM_ENABLED="1"
2. Add the following line:
  HSM_PROVIDER="2"
3. If using Softcards or OCS cards, enter the name of the Card Set:
  HSM_TOKEN_LABEL="card_set_name"
On the standby server, run rfs-sync --update as the oracle user:
```
root# su oracle
oracle$ /opt/nfast/bin/rfs-sync --update
```
Without restarting the Oracle Key Vault instances, navigate to the web user interfaces of the primary and standby servers and configure primary-standby via the Oracle Key Vault web user interface. For information on the configuration and settings, see the Oracle documentation.

Configure an HSM for a multi-master cluster

You can configure HSMs in a multi-master cluster with a single node or multiple nodes. In a multi-master Oracle Key Vault installation, any Key Vault node in the cluster can use any HSM. The nodes in the multi-master cluster can use different TDE wallet passwords (recovery passwords), RoT keys, and HSM credentials.

To ensure complete security, you must HSM-enable all Oracle Key Vault nodes in the cluster.

Entrust recommends that you read https://docs.oracle.com/en/database/oracle/key-vault/21.5/okvag/managing_multimaster.html for details on how to set up clusters.

This guide will set up the cluster from scratch. If you already have a cluster in place, read the documentation above.

To use an HSM within a cluster, start with a single node and add additional nodes as required.

There are two different procedures for configuring an HSM for a multi-master cluster. The first is configuring an HSM for a multi-master cluster starting with a single node and the second is configuring an HSM for a multi-master cluster starting with multiple nodes. Both will be described in this document but Oracle recommends the first method.

Oracle recommendation to configure an HSM for a multi-master cluster starting with a single node

Oracle recommends the following steps to configure an HSM for a multi-master cluster starting with a single node:

Convert an Oracle Key Vault server into the first node of the cluster.
1. Create the cluster by configuring the first node of the cluster.
2. Select the Cluster tab.
3. On the left menu, select Configure.
  
  The Configure as a Candidate Node page appears. For example:
  - For Current Server IP, enter the server IP address.
  - For First Node of Cluster, select Yes if this is the first node, otherwise set it to No.
  - Node Name is pre-populated with the host name of the OKV server.
  - For Cluster Name, enter the name for the cluster.
  - For Cluster SubGroup, enter the name of the group.
    
    If any node in the cluster is already HSM-enabled, you cannot add a new node that is not HSM-enabled.
4. Select Convert Candidate Node. The Cluster Information page appears.
HSM-enable the first node before adding any new nodes, see Enable HSM mode in Key Vault.
HSM-enable the candidate node before adding it to the cluster, see Enable HSM mode in Key Vault.
Add the HSM-enabled candidate node to the cluster using a controller node that is also HSM-enabled. Note the following:
1. If any node in the cluster is already HSM-enabled, you cannot add a new node that is not HSM-enabled.
2. The Add Node to Cluster page on the controller node will require the controller node’s HSM credential.

Refer to https://docs.oracle.com/en/database/oracle/key-vault/21.5/okvag/managing_multimaster.html for details on how to add a candidate node to the cluster.

Oracle recommendation to configure an HSM for a multi-master cluster with multiple nodes

Oracle recommends the following steps to configure an HSM for a multi-master cluster with multiple nodes:

Convert an Oracle Key Vault server into the first node (the controller node) of the cluster. The steps for this are described above.
Add the candidate nodes to the cluster using the controller node.

Refer to https://docs.oracle.com/en/database/oracle/key-vault/21.5/okvag/managing_multimaster.html for details on how to add a candidate node to the cluster.
HSM-enable the controller node (first node).

Follow instructions to enable HSM mode on the first node of the cluster, see Enable HSM mode in Key Vault.
If multiple nodes are being used in the cluster, create an HSM bundle from the controller node and apply it to the candidate node(s).
You can configure HSM for the other nodes by copying information from the HSM-enabled controller node in the cluster. You do that by creating a bundle and applying the bundle to the candidate nodes in the cluster.
1. On the controller node of the cluster (first node), log into the Oracle Key Vault web user interface as a Key Administrator.
2. Select the System tab.
3. On the left side of the System page, select Settings.
4. Under Network Services, select HSM. The Hardware Security Module page appears.
  
  The controller node must be HSM enabled first.
5. Select Create Bundle.
6. Enter the HSM Credentials.
7. Enter the recovery passphrase.
8. Select Create Bundle.
  
  A message indicating the bundle was created successfully appears.
9. Log into the controller (first node) HSM-enabled node through SSH as the support user:
  
  % ssh support@HSMENABLEDNODEIP
10. Copy the bundle to the candidate node using the node IP addresses:
  
  % sudo scp /usr/local/okv/hsm/hsmbundle support@CANDIDATENODEIPADDRESS:/tmp
11. Log into the candidate node in the cluster, except the original HSM-enabled node, using the node IP address:
  
  % ssh support@CANDIDATENODEIPADDRESS
12. Perform the following steps to copy the bundle to the /usr/local/okv/hsm location and apply user and group ownership:
  
  % sudo cp /tmp/hsmbundle /usr/local/okv/hsm/ % sudo chown oracle:oinstall /usr/local/okv/hsm/hsmbundle
13. On the candidate node, select Apply Bundle on the Hardware Security Module page in the Web interface. Enter the recovery passphrase.
  
  If you plan on reverse-migrating the original HSM-enabled node, you must apply the bundle immediately on all nodes first.
HSM-enable the candidate node.

Follow instructions to enable HSM mode on the candidate node of the cluster when using multiple nodes, see Enable HSM mode in Key Vault.

Verify that each HSM is enabled in the cluster:

In the Oracle Key Vault web user interface, select the Cluster tab.
Select Monitoring in the left sidebar.
Check that the Cluster Settings State has all green ticks for HSM:

An enabled HSM does not mean that the HSM is active. The status only indicates whether the HSM is enabled for these nodes. To check whether the HSM is active, use the status information on the Hardware Security Module page of the web user interface.

The FIPS column is specific to Oracle Key Vault and does not indicate nShield HSM FIPS compliance. Entrust nShield HSM’s are FIPS 140 Level 2 and 3 compliant.

After you have HSM-enabled all nodes and verified the replication between all nodes, remove the hsmbundle file from all of the nodes.

Reverse migration operations to a local wallet

Reverse migrating an HSM-enabled Oracle Key Vault server reverts the Key Vault server to using the recovery passphrase to protect the TDE wallet. This operation is necessary if the HSM that protects Oracle Key Vault must be decommissioned.

Reverse migrating a standalone deployment

You can reverse migrate a standalone deployment by using the Oracle Key Vault web user interface.
Reverse migrating a primary-standby deployment

To reverse migrate a primary-standby deployment, use both the Oracle Key Vault web user interface and the command line.
Reverse migrating a multi-master cluster

You can reverse migrate a multi-master cluster by using the Oracle Key Vault web user interface.

Reverse migrate a standalone deployment

You can reverse migrate a standalone deployment by using the Oracle Key Vault web user interface.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings.
Under Network Services, select HSM.
Select Reverse Migrate.

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential, enter the HSM credential. For nShield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase, enter the old recovery passphrase.
3. For New Recovery Passphrase, enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase.
Select Reverse Migrate.
The Hardware Security Module page appears. The red downward arrow indicates the Status.

Reverse migrate a primary-standby deployment

To reverse migrate a primary-standby deployment, use both the Oracle Key Vault web user interface and the command line.

On the primary server, log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings.
Under Network Services, select HSM.
Select Reverse Migrate.

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential, enter the HSM credential. For nShield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase, enter the old recovery passphrase.
3. For New Recovery Passphrase, enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase.
Select Reverse Migrate.

The Hardware Security Module page appears. The red downward arrow indicates the Status.
On the standby server, log in using SSH as the support user, then, with the su command, switch to the root user:
```
$ ssh support@<okv_standby_instance>
$ su root
```
Modify the okv_security.conf file:
$ vi /usr/local/okv/etc/okv_security.conf
1. Delete the line HSM_PROVIDER="2".
2. Change the value of the HSM_ENABLED parameter to 0.
3. Check that the HSM_TOKEN_LABEL parameter is set to "".

On the standby server, remove the following files:

$ cd /usr/local/okv/hsm/wallet
$ rm -f cwallet.sso enctdepwd
$ cd /usr/local/okv/hsm/restore
$ rm -f cwallet.sso ewallet.p12
$ cd /mnt/okvram
$ rm -f cwallet.sso ewallet.p12
$ cd /mnt/okvram/restore
$ rm -f cwallet.sso ewallet.p12
$ cd /usr/local/okv/tde
$ rm -f cwallet.sso

Switch user to oracle:
```
$ su oracle
```

Run the following command:

/var/lib/oracle/dbfw/bin/orapki wallet create -wallet /usr/local/okv/tde -auto_login

Enter the new recovery passphrase that you specified above. For example:
```
Enter wallet password:
Operation is successfully completed.
```

The primary-standby deployment is successfully reverse migrated.

Reverse migrate a multi-master cluster

You can reverse migrate a multi-master cluster by using the Oracle Key Vault web user interface. This is required on each of the nodes in the cluster.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings.
Under Network Services, select HSM.

The Hardware Security Module page appears.
Select Reverse Migrate.

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential, enter the HSM credential. For nShield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase, enter the old recovery passphrase.
3. For New Recovery Passphrase, enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase.
Select Reverse Migrate.

The Hardware Security Module page appears. The red downward arrow indicates the Status.

Configure backup of the Key Vault server in HSM mode

To configure backup of the Key Vault server in HSM mode:

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings.
Under the System Configuration, select Backup and Restore.
Add the backup destination on the System Backup page, just as you would in non-HSM mode.
Perform a backup as usual from the user interface on the web user interface.

Restore from a Key Vault backup in HSM mode

To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.

Only backups taken in HSM mode can be restored onto an HSM-enabled Oracle Key Vault. Before you restore a backup onto a system, you must ensure that the system can access both the HSM and the Root of Trust used to take the backup. You must therefore have installed the HSM on the Oracle Key Vault server and enrolled Oracle Key Vault as a client of the HSM prior to this step.

If OCS protection is used, present the OCS card to the HSM.
Log into the Oracle Key Vault web user interface as a user with system administrative privileges.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings.
Under Network Services, select HSM.

The Hardware Security Module page appears. On restore, the Status is disabled first, then enabled after the restore completes.
Select Set Credential.

The Prepare for HSM Restore screen appears.
From the Vendor list, select Entrust and enter the HSM credential twice as requested.
Select Set Credential.

The HSM credential will be stored in the system. This HSM credential must be entered manually to do an HSM restore because it is not stored in the backup itself.
On the left side of the page, select Settings.
Under the System Configuration, select Backup and Restore.
Select Restore and restore the Key Vault backup.

Restart or restore in HSM mode using nShield Remote Administration

To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.

The raserv package of nShield software is only available on the nShield RFS machine, it is not supported on Oracle Key Vault servers. When the Oracle Key Vault server restarts or restores from a backup and Java Cards cannot be presented to the HSMs that are enrolled to that server, the restart or restore will fail.

If the HSM is also enrolled to the RFS, you can present Java Cards there when the RFS is operational. As a result, when the Oracle Key Vault server comes back up, it can still access the keys from the HSM using the OCS in slot 0.