Manage Keys Using an External Keystore

Review the use cases and implementation details of an external keystore.

Configuring an External Keystore

This configuration process is crucial for using external keystores to manage and secure encryption keys for your databases on Exadata systems. Ensure proper installation, password configuration, and communication setup for seamless operation.

Work with your external keystore vendor for detailed configuration steps. The steps outlined below provide a high-level overview of the generic process for configuring an external keystore.

External Keystore Server Installation: You are responsible for installing and configuring the external keystore server using the documentation provided by the vendor.

External Keystore Password Format: The format of the external keystore password varies depending on the provider.

Network Configuration: Ensure that a connection is established between the Guest VM and the external keystore server by:

  • Setting up the required network.
  • Opening the necessary ports.
  • Enabling the protocol specified by the external keystore vendor.

PKCS#11 Library Installation: Install the PKCS#11-related software and configure the PKCS#11 library on the VMs according to the external keystore vendor's documentation.

Limitations:

  • Only one vendor PKCS#11 library can be present on a Guest VM at a time.
  • External keystore interfaces cannot be used to associate keys with Oracle Databases on Oracle Exadata Database Service on Cloud@Customer.
  • While the external keystore interface allows you to view the keys associated with the databases, it may not support performing key management operations directly from the interface.

Communication Validation: Verify that the PKCS#11 library can successfully communicate with the external keystore. Note that cloud automation does not perform prechecks to validate this connection. If the key is inaccessible, the database will return an error with the relevant details.
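Because cloud automation does not precheck the PKCS#11 connection, the following Python script is an added example (not Oracle's tooling and not part of the cloud automation) of a pre-flight check an operator can run on the Guest VM before provisioning. It covers the last two steps above: it attempts a TCP connection to the keystore endpoint, then loads the vendor PKCS#11 library with ctypes, calls the standard Cryptoki entry points C_Initialize and C_GetSlotList, and reports whether at least one slot currently has a reachable token. The host, port and library path are placeholders that you replace with the values from your vendor's documentation.

```python
"""Pre-flight check for an external keystore on a Guest VM.

Added example, not part of Oracle's documentation or cloud automation.
It checks the two things the configuration steps leave to the operator:
  1. the Guest VM can reach the keystore endpoint over the network, and
  2. the vendor PKCS#11 library loads and reports a token-present slot.
Host, port and library path are placeholders supplied by the operator.
"""
import ctypes
import os
import socket

# Return codes defined by the PKCS#11 (Cryptoki) specification.
CKR_OK = 0x0
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191


def check_network(host, port, timeout=3.0):
    """Return (ok, detail) after attempting a TCP connection to the keystore."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"TCP connection to {host}:{port} succeeded"
    except OSError as exc:
        return False, f"TCP connection to {host}:{port} failed: {exc}"


def check_pkcs11_library(lib_path):
    """Load a PKCS#11 library and count slots that currently have a token.

    Returns a dict: loaded, initialized, slots (count), error (None on success).
    A library that loads but reports zero token-present slots is usually
    installed correctly yet unable to talk to the keystore server.
    """
    result = {"loaded": False, "initialized": False, "slots": 0, "error": None}
    if not os.path.isfile(lib_path):
        result["error"] = f"library not found: {lib_path}"
        return result
    try:
        lib = ctypes.CDLL(lib_path)
    except OSError as exc:
        result["error"] = f"library failed to load: {exc}"
        return result
    result["loaded"] = True

    # Standard Cryptoki entry points; a missing symbol means this is not a PKCS#11 module.
    try:
        lib.C_Initialize.argtypes = [ctypes.c_void_p]
        lib.C_Initialize.restype = ctypes.c_ulong
        lib.C_Finalize.argtypes = [ctypes.c_void_p]
        lib.C_Finalize.restype = ctypes.c_ulong
        lib.C_GetSlotList.argtypes = [
            ctypes.c_ubyte,                  # CK_BBOOL tokenPresent
            ctypes.POINTER(ctypes.c_ulong),  # CK_SLOT_ID_PTR pSlotList (NULL = count only)
            ctypes.POINTER(ctypes.c_ulong),  # CK_ULONG_PTR pulCount
        ]
        lib.C_GetSlotList.restype = ctypes.c_ulong
    except AttributeError as exc:
        result["error"] = f"not a PKCS#11 library (missing symbol): {exc}"
        return result

    rv = lib.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        result["error"] = f"C_Initialize failed with CK_RV 0x{rv:x}"
        return result
    result["initialized"] = True
    try:
        count = ctypes.c_ulong(0)
        # tokenPresent=1 asks only for slots whose token is reachable right now.
        rv = lib.C_GetSlotList(1, None, ctypes.byref(count))
        if rv != CKR_OK:
            result["error"] = f"C_GetSlotList failed with CK_RV 0x{rv:x}"
            return result
        result["slots"] = count.value
        if count.value == 0:
            result["error"] = "library loaded but no token-present slot: check keystore connectivity"
    finally:
        lib.C_Finalize(None)
    return result


def preflight(host, port, lib_path):
    """Run both checks; return True only if every check passed."""
    net_ok, net_detail = check_network(host, port)
    lib_result = check_pkcs11_library(lib_path)
    print(net_detail)
    print(lib_result)
    return net_ok and lib_result["error"] is None


if __name__ == "__main__":
    # Placeholders: substitute the endpoint, port and library path from your vendor's documentation.
    preflight("keystore.placeholder.internal", 9999, "/path/to/vendor/libpkcs11.so")
```

The script asks for token-present slots only (tokenPresent=1) rather than all slots, because a vendor library will often enumerate a configured slot even when the keystore server is unreachable; the token is what disappears when communication fails, so a zero count is the signal that the database would hit the "key inaccessible" error described above.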

Storing the Keys in an External Keystore

You can now encrypt Oracle Databases on Oracle Exadata Database Service on Cloud@Customer by storing the keys in an external keystore.

Applicable Database Versions: 23ai and 19c

When provisioning a database, you have the option to choose from different key management solutions: Oracle Software Keystore, Oracle Key Vault (OKV), or an External Keystore.

  • The selected key management solution applies to the entire Container Database (CDB) and all Pluggable Databases (PDBs) contained within it. If a CDB is configured to use an external keystore, all associated PDBs will also use the external keystore. You cannot select different key management solutions at the PDB level.
  • While the key management solution must be consistent across the CDB and its PDBs, different PDBs within the same CDB can use distinct encryption keys, providing flexibility in key usage across the PDBs.

This functionality ensures that sensitive encryption keys are securely stored in an external keystore, offering an added layer of security for your databases.

Restrictions on Adding a Virtual Machine to a VM Cluster Configured with an External Keystore

When a database is protected by an external keystore, adding a new virtual machine (VM) to the cluster is restricted.

If one or more databases on a VM cluster are configured with an external keystore, the following message is displayed:

"While you should be able to add the virtual machine to the existing VM cluster, the database instance will not be extended to the newly created VM. This is because one or more databases on this VM cluster are configured with an external keystore. You must configure the external keystore on the newly created VM, then run the dbaascli command to extend the database instances to the new VM."