Introduction

This document describes the integration of Oracle MySQL Enterprise Server with the Entrust KeyControl Vault solution. Entrust KeyControl Vault can serve as the key management server (KMS) for Oracle MySQL using the open-standard Key Management Interoperability Protocol (KMIP). It is deployed as a cluster of virtual appliances that integrate with FIPS 140-2-compliant third-party hardware security modules (HSMs) to securely store keys.

Documents to read first

This guide describes how to configure the Entrust KeyControl Vault server as a KMS in Oracle MySQL.

To install and configure the Entrust KeyControl Vault server as a KMIP server, see the Entrust KeyControl nShield HSM Integration Guide. You can access it from the Entrust Document Library and from the nShield Product Documentation website.

Requirements

  • Entrust KeyControl Vault version 10.3.1 or later.

    An Entrust KeyControl Vault license is required for the installation. You can obtain this license from your Entrust KeyControl Vault and Oracle MySQL account team or through Entrust KeyControl Vault customer support.

  • MySQL Enterprise Server 8.4.2 or later.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

High-availability considerations

The Entrust KeyControl Vault solution uses an active-active deployment, which provides high availability for managing encryption keys. Entrust recommends this deployment configuration. In an active-active cluster, changes made to any KeyControl node are automatically reflected on all nodes in the cluster. For information about the Entrust KeyControl solution, see the Entrust KeyControl Product Overview.

Product configuration

The integration between the Oracle MySQL Enterprise Server, Entrust KeyControl Vault, and nShield HSM has been successfully tested in the following configurations:

Product                          Version
-------------------------------  -----------------------------------------------
Red Hat Linux 9                  9.4 (Plow), kernel 5.14.0-427.35.1.el9_4.x86_64
Oracle MySQL Enterprise Server   8.4.2
Entrust KeyControl               10.3.1
MySQL keyring_okv library        1.11