Customer-Managed Keys for Oracle Break Glass
Secure Fusion Applications environments with Oracle Break Glass and customer-managed keys.
By default, Fusion Applications environments are protected by Oracle-managed encryption keys. Subscribing to the Oracle Break Glass service gives you the customer-managed keys feature, which lets you provide and manage the encryption keys that protect your environments. You can also purchase this option as an add-on subscription.
With customer-managed keys, you use keys, stored in an OCI vault, to secure the data stored at rest in your production and non-production environments. You can enable the customer-managed keys option on your environment either during environment creation or after you create the environment.
Best Practices for Setting Up and Managing Vaults and Keys
The best practice is to create separate vaults for production and non-production environments. Within the non-production vault, create separate keys for your test and development environments. For example, you might create the following:
| Environment | Vault | Master encryption key |
|---|---|---|
| Production | my-production-vault | my-production-key |
| Test | my-nonproduction-vault | my-test-environment-key |
| Development | my-nonproduction-vault | my-development-environment-key |
Benefits of separate vaults for production and non-production:
- Maintaining separate vaults allows for independent rotation of keys for production and non-production environments.
- There's a limit to the number of keys per vault. Having separate vaults provides a separate count for production and non-production.
Production-to-test (P2T) refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts use up the remaining key versions in a vault more quickly.
You can verify key limits and usage by viewing the Limits, Quotas and Usage page where resource limits, quotas, and usage for the specific region are displayed, listed by service:
- Open the navigation menu and select Governance & Administration. Under Tenancy Management, select Limits, Quotas and Usage.
- Next to Service, select Edit filters.
- In the Service list, select Key Management and then select Update.
Verify the key limits for Key Version Count for Virtual Vaults or Software Key Version Count for Virtual Vaults, as appropriate for the key type you chose to use.
Setting Up Customer-Managed Keys
Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure production and non-production environments. You can set up keys on your environment either during environment creation, or you can add the key to an existing environment.
Overview of Setup Tasks and Roles
Managing customer-managed keys involves tasks that need to be performed by different roles in your organization. Here's a summary of the roles and tasks performed by each:
| Role | Set up tasks | Maintenance tasks |
|---|---|---|
| Tenancy Administrator | Create the security administrator group and its policy; add read permissions for vaults and keys to the Fusion Applications administrator role; add the system policy that lets the Fusion Applications service use your vaults and keys | Delete keys and vaults, only in rare circumstances, after backing them up |
| Security Administrator | Create the production and non-production vaults; replicate the production vault to the disaster recovery region; create AES-256 master encryption keys; give the vault and key names to the Fusion Applications administrator | Rotate keys; disable and enable keys |
| Fusion Applications Administrator | Add the customer-managed key to new or existing environments; schedule, reschedule or cancel the enablement update | Change the encryption key; verify key rotation; view key status and details |
Setup Tasks for the Tenancy Administrator
The tenancy administrator performs the tasks to set up the tenancy so that the security administrator and Fusion Applications administrator can enable and manage customer-managed keys.
We recommend that you create a distinct security administrator group to limit access to the security features of your Fusion Applications environments.
The policy for the security administrator group allows the group to manage vaults and keys but doesn't allow deletion. The policy is:
```
allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in <location> where request.permission not in ('KEY_DELETE')
allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in <location> where request.permission not in ('VAULT_DELETE')
```
See Managing Oracle Cloud Users with Specific Job Functions for the procedures to create groups and policies to define roles, including the specific required permissions for the security administrator role.
The Fusion Applications administrator needs read permissions for vaults and keys. The read permission enables the FA administrator to:
- Select the vault and key during configuration.
- Verify key rotation.
- View the vault and keys in the OCI Vault service for troubleshooting.
To add the permissions for the Fusion Applications administrator:
- See Managing Oracle Cloud Users with Specific Job Functions, which describes creating the Fusion Applications administrator role.
- Add the following statements to the Fusion Applications Environment Administrator role, if not already present:
```
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in compartment <location>
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in compartment <location>
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in compartment <location>
```
Ensure that you replace all <location> variables with the name of the compartment where the vault and keys were created.
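The security administrator statements above grant manage minus the delete permission, and the Fusion Applications administrator statements grant only read and use. The following script is an added example, not Oracle's code: it parses OCI policy statements of the one shape used on this page (allow group ... to VERB RESOURCE in LOCATION [where CONDITION]) and flags any statement that would still let a group delete keys or vaults, so the carve-out can be checked before the policy is applied. The domain name example-domain, the groups security-admins and fa-admins and the compartment kms-cmp are placeholders; statements for any-user or dynamic groups are reported as unparsed rather than evaluated.

```python
"""Least-privilege check for OCI IAM policy statements that grant vault and key access.

Added example, not Oracle's code. Only the statement shape used on this page is
parsed: allow group <group> to <verb> <resource> in <location> [where <condition>].
"""
import re

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>[\w-]+)\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
NOT_IN_RE = re.compile(r"request\.permission\s+not\s+in\s*\(([^)]*)\)", re.IGNORECASE)
NOT_EQ_RE = re.compile(r"request\.permission\s*!=\s*'([^']+)'", re.IGNORECASE)

# Deleting a key or vault needs the manage verb on that resource type; these are
# the permissions the security administrator policy deliberately carves out.
DESTRUCTIVE = {"keys": "KEY_DELETE", "vaults": "VAULT_DELETE"}


def excluded_permissions(cond: str) -> set:
    """Permissions removed by a where clause such as
    request.permission not in ('KEY_DELETE') or request.permission != 'KEY_DELETE'."""
    excluded = set()
    for group in NOT_IN_RE.findall(cond):
        excluded |= {p.strip().strip("'\"").upper() for p in group.split(",") if p.strip()}
    excluded |= {p.upper() for p in NOT_EQ_RE.findall(cond)}
    return excluded


def parse_statement(line: str):
    """Parse one statement; returns None for shapes this checker does not handle."""
    m = STATEMENT_RE.match(line.strip())
    if not m:
        return None
    stmt = m.groupdict()
    stmt["verb"] = stmt["verb"].lower()
    stmt["resource"] = stmt["resource"].lower()
    stmt["excluded"] = excluded_permissions(stmt["cond"] or "")
    return stmt


def allows_delete(stmt: dict, resource: str) -> bool:
    """True if the statement still grants the *_DELETE permission for RESOURCE."""
    return (
        stmt["resource"] == resource
        and stmt["verb"] == "manage"
        and DESTRUCTIVE[resource] not in stmt["excluded"]
    )


def audit_policy(policy_text: str):
    """Return (parsed statements, findings). Findings name every statement that
    can delete keys or vaults, plus any line the parser rejected."""
    parsed, findings = [], []
    for line in policy_text.strip().splitlines():
        stmt = parse_statement(line)
        if stmt is None:
            findings.append(f"unparsed statement: {line.strip()}")
            continue
        parsed.append(stmt)
        for resource in DESTRUCTIVE:
            if allows_delete(stmt, resource):
                findings.append(f"{stmt['group']} can {DESTRUCTIVE[resource]}: {line.strip()}")
    return parsed, findings


# Constructed policies; domain, group and compartment names are placeholders.
SECURITY_ADMIN_POLICY = """
allow group 'example-domain'/'security-admins' to manage keys in compartment kms-cmp where request.permission not in ('KEY_DELETE')
allow group 'example-domain'/'security-admins' to manage vaults in compartment kms-cmp where request.permission not in ('VAULT_DELETE')
"""
# The same grant without the where clause: the group could delete keys and vaults.
OVERBROAD_POLICY = """
allow group 'example-domain'/'security-admins' to manage keys in compartment kms-cmp
allow group 'example-domain'/'security-admins' to manage vaults in compartment kms-cmp
"""
FA_ADMIN_POLICY = """
allow group 'example-domain'/'fa-admins' to read vaults in compartment kms-cmp
allow group 'example-domain'/'fa-admins' to read keys in compartment kms-cmp
allow group 'example-domain'/'fa-admins' to use key-delegate in compartment kms-cmp
"""

if __name__ == "__main__":
    for name, text in [("security admin", SECURITY_ADMIN_POLICY),
                       ("overbroad", OVERBROAD_POLICY), ("FA admin", FA_ADMIN_POLICY)]:
        _, findings = audit_policy(text)
        print(name, "OK" if not findings else findings)
```

Run this as a guardrail in the pipeline that applies the policy: a non-empty findings list for the security administrator or Fusion Applications administrator policy means the statements have drifted from the least-privilege split described above.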
The policy to enable customer-managed keys must be added before you add the vault and key to your environment. If this policy isn't added:
- Your environment doesn't complete provisioning.
- Maintenance for your existing environment doesn't complete.
- Enablement of the customer-managed key doesn't complete.
This policy is for tenancies in the Commercial Cloud (OC1 realm) only. If your Fusion Applications environment is in any other realm (for example, Oracle US Government Cloud or United Kingdom Government Cloud), then you must open a support request to get the correct policy.
Create a policy in the OC1 realm with the following statements:
```
define tenancy fusionapps1 as ocid1.tenancy.oc1..aaaaaaaau5s6lj67ia5vy6qjglhvquqdszjqlmvlmsetu4jrtjni4mng6hea
define tenancy fusionapps2 as ocid1.tenancy.oc1..aaaaaaaajgaoycccrtt3l3vnnlave6wkc2zbf6kkksq66begstczxrmxjlia
define dynamic-group fusionapps1_environment as ocid1.dynamicgroup.oc1..aaaaaaaa5wcbybhxa5vqcvniefoihlvnidty4fk77fitn2hjhd7skhzaadqq
define dynamic-group fusionapps2_environment as ocid1.dynamicgroup.oc1..aaaaaaaaztbusgx23a3jdpvgxqx6tkv2nedgxld6pj3w7hcvhfzvw5ei7fiq
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to manage keys in tenancy
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to use vaults in tenancy
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to manage keys in tenancy
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to use vaults in tenancy
allow service keymanagementservice to manage vaults in tenancy
allow any-user to read keys in tenancy where all {request.principal.type = 'fusionenvironment'}
allow any-user to read vaults in tenancy where all {request.principal.type = 'fusionenvironment'}
```
As a best practice, we recommend that you copy the preceding policy into the OC1 realm using these exact statements. Before doing so, review these statements with your organization's security team to ensure alignment with internal security requirements and best practices. Note that the admit statements grant the Fusion Applications service tenancies manage access to keys across your whole tenancy, so the review should cover that scope.
Setup Tasks for the Security Administrator
The security administrator sets up the vaults and keys and gives the information to the Fusion Applications administrator to add them to the environment.
Follow the procedure for Creating a Vault in the Vault documentation. To create an external vault, see External Key Management Service.
The basic vault type is included in your Break Glass service subscription. When you create a vault, if you select the option Make it a virtual private vault or select to create an external vault, you'll incur additional charges. For more information about vault types, see Key and Secret Management Concepts.
We recommend that you create two vaults: one for the production environment keys and one for the non-production environment keys.
After you create the vaults, replicate the vault you created for the production environment. The replicated vault is used for disaster recovery.
- Verify the disaster recovery region pairing for the region where the production Fusion Applications environment is located. See Disaster Recovery Support for the list of region pairings.
- Subscribe to the region listed as the pairing for your region. To subscribe to a region, see Subscribing to an Infrastructure Region.
- Replicate the vault you created for your production environment by following the steps at Replicating Vaults and Keys. When you select the destination region for replication, be sure to select the disaster recovery region you subscribed to in the previous step.
Follow the procedure Creating a Master Encryption Key in the Vault documentation or, to import your own keys, follow the procedures in Importing Keys and Key Versions.
With the HSM (Hardware Security Module) Key Protection Mode, your encryption keys are stored and protected within FIPS 140-2 Level 3-certified hardware security modules.
You must make the following selections when creating keys for Fusion Applications:
- For Key Shape: Algorithm, select AES (symmetric key used for encrypt and decrypt). You must select this option for Fusion Applications customer-managed keys.
- For Key Shape: Length, select 256 bits.
We recommend that you create one key in the production vault for your production environment and one key for each non-production environment in your non-production vault.
After you create the vault and keys, give the vault compartment name, vault name, and key name (and key compartment name, if different) to the Fusion Applications administrator.
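Before handing the names over, it is worth checking the created resources against the requirements above (AES, 256 bits, key enabled, key in the chosen vault, production vault replicated when disaster recovery is used). The following pre-flight check is an added example, not Oracle's code. It reads the JSON that `oci kms management vault get` and `oci kms management key get` print; the field names follow the OCI CLI output as the author knows it (the CLI reports key length in bytes, so 32 means AES-256), and both sample documents are constructed rather than captured from a tenancy.

```python
"""Pre-flight check of a vault and key before handing them to the Fusion
Applications administrator. Added example, not Oracle's code; the JSON shape
follows `oci kms management vault get` / `key get` output as the author knows it."""
import json


def check_vault(vault: dict, require_dr: bool) -> list:
    """Findings for a vault document; empty means the vault can be handed over."""
    findings = []
    if vault.get("lifecycle-state") != "ACTIVE":
        findings.append(f"vault lifecycle state is {vault.get('lifecycle-state')}, not ACTIVE")
    # Disaster recovery needs the production vault replicated to the paired region;
    # a replicated vault reports replica-details, an unreplicated one reports null.
    if require_dr and not vault.get("replica-details"):
        findings.append("vault is not replicated to a disaster recovery region")
    return findings


def check_key(key: dict, vault: dict) -> list:
    """Findings for a key document against the Fusion Applications requirements."""
    findings = []
    shape = key.get("key-shape") or {}
    if shape.get("algorithm") != "AES":
        findings.append(f"key algorithm is {shape.get('algorithm')}; Fusion Applications requires AES")
    if shape.get("length") != 32:  # the CLI reports length in bytes; 32 bytes = 256 bits
        findings.append(f"key length is {shape.get('length')} bytes; a 256-bit (32-byte) key is required")
    if key.get("lifecycle-state") != "ENABLED":
        findings.append(f"key lifecycle state is {key.get('lifecycle-state')}, not ENABLED")
    if key.get("vault-id") != vault.get("id"):
        findings.append("key does not belong to the selected vault")
    return findings


def preflight(vault_json: str, key_json: str, require_dr: bool = False):
    """Validate the CLI output for a vault/key pair. Returns (findings, handoff);
    handoff carries what the Fusion Applications administrator needs to select the key."""
    vault = json.loads(vault_json)["data"]
    key = json.loads(key_json)["data"]
    findings = check_vault(vault, require_dr) + check_key(key, vault)
    handoff = {
        "vault_compartment_id": vault.get("compartment-id"),
        "vault_name": vault.get("display-name"),
        "key_compartment_id": key.get("compartment-id"),
        "key_name": key.get("display-name"),
        "protection_mode": key.get("protection-mode"),  # HSM keys live in FIPS 140-2 Level 3 HSMs
    }
    return findings, handoff


# Constructed sample documents (placeholder OCIDs, not from a real tenancy).
VAULT_JSON = """{"data": {
  "id": "ocid1.vault.oc1.iad.example-prod-vault",
  "compartment-id": "ocid1.compartment.oc1..example-kms",
  "display-name": "my-production-vault",
  "vault-type": "DEFAULT",
  "lifecycle-state": "ACTIVE",
  "is-primary": true,
  "replica-details": {"replication-id": "ocid1.replication.oc1..example"}
}}"""
# The same vault before replication was configured.
UNREPLICATED_VAULT_JSON = VAULT_JSON.replace(
    '{"replication-id": "ocid1.replication.oc1..example"}', "null")
KEY_JSON = """{"data": {
  "id": "ocid1.key.oc1.iad.example-prod-key",
  "compartment-id": "ocid1.compartment.oc1..example-kms",
  "display-name": "my-production-key",
  "vault-id": "ocid1.vault.oc1.iad.example-prod-vault",
  "key-shape": {"algorithm": "AES", "length": 32},
  "protection-mode": "HSM",
  "lifecycle-state": "ENABLED",
  "current-key-version": "ocid1.keyversion.oc1.iad.example-prod-key.v1"
}}"""
# An RSA-2048 key in the same vault: wrong algorithm and wrong length.
RSA_KEY_JSON = KEY_JSON.replace('"my-production-key"', '"my-rsa-signing-key"').replace(
    '{"algorithm": "AES", "length": 32}', '{"algorithm": "RSA", "length": 256}')

if __name__ == "__main__":
    for label, v, k in [("prod", VAULT_JSON, KEY_JSON), ("rsa", VAULT_JSON, RSA_KEY_JSON),
                        ("no-dr", UNREPLICATED_VAULT_JSON, KEY_JSON)]:
        findings, handoff = preflight(v, k, require_dr=True)
        print(label, handoff["key_name"], findings or "ready")
```

In practice, pipe the two `oci kms management ... get` calls into `preflight()` and refuse the handoff when findings is non-empty; the protection_mode field is passed through for the record rather than enforced, because the page describes HSM protection but does not require it.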
Adding Customer-Managed Keys to New and Existing Environments
The Fusion Applications administrator adds the customer-managed keys to the environments. This can be performed either during environment creation or after the environment has already been created. For existing environments, Oracle provides the administrator a choice of time windows to schedule the update. For new environments, the keys are added at the time of environment provisioning, and no scheduling is required.
After customer-managed keys have been enabled, the administrator can also change a key in an environment. See Changing and Rotating Keys.
Don't add or change a customer-managed key more than twice within a 24-hour period.
Prerequisites:
- The subscription has been added to the environment family. If the subscription hasn't been added, you won't see the option to select a customer-managed key.
- The Security Administrator has created the vault and key. Note: the basic vault type is included in your Break Glass service subscription. When you create a vault, if you select the option Make it a virtual private vault or select to create an external vault, you'll incur additional charges. For more information about vault types, see Key and Secret Management Concepts.
- The Tenancy Administrator has set up the system policy to enable customer-managed keys in the tenancy.
- The Tenancy Administrator has created a policy for the Fusion Applications Administrator to read vaults and keys and associate them to Fusion Applications environments.
This procedure includes only the steps for enabling the customer-managed key. See Environment Management Tasks for the full procedure for creating an environment.
On the environment creation page:
- Under Advanced options, expand the Encryption section.
- Select Customer-managed key (recommended).
If you don't see this option, the subscription hasn't been added to the environment family.
- Confirm that the policies are created.
- Select the vault.
If your vault isn't in the same compartment that you're creating your environment in, select the appropriate compartment.
- Select the key.
If your key isn't in the same compartment that you're creating your environment in, select the appropriate compartment. Only AES-256-bit keys are displayed.
After you complete all the steps to set up the environment, the provisioning process begins. Adding the customer-managed key adds time to the provisioning process. While the key is being enabled, a message displays alerting you that the environment is unavailable.
- When you enable a customer-managed key on an existing environment, the encryption isn't performed immediately. Rather, Oracle gives you a choice of time windows to schedule the update. These options are displayed in the OCI Console when you open the Edit encryption dialog to request the update. See To enable a customer-managed key for an existing environment in this topic for details.
- You can reschedule or cancel this update in the OCI Console without contacting Oracle Support, as long as the update is in the Scheduled state. If the update is in progress or complete, you can't cancel or undo the update.
- Ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer-managed keys while the refresh is taking place.
- Until the update is made to enable customer-managed keys, the environment continues to be encrypted by the Oracle-managed key.
To enable a customer-managed key for an existing environment:
On the Environments list page, select the environment that you want to work with. If you need help finding the list page, see To list environments.
- On the environment details page, select Security.
- Under Encryption, the Type is Oracle-managed, by default. Select Edit encryption to add your vault and key.
If you don't see the edit option, either the subscription hasn't been added to the environment family or the environment is currently updating.
- Select Customer-managed key (recommended).
- Confirm that the policies are created.
- Select the vault.
If your vault isn't in the same compartment that you're creating your environment in, select the appropriate compartment.
If you're using disaster recovery (DR), you must select a vault that supports replication. All private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to determine if a virtual vault supports replication.
- Select the key.
If your key isn't in the same compartment that you're creating your environment in, select the appropriate compartment. Only AES-256-bit keys are displayed.
- Under Encryption update schedule, select the time window when you would like the encryption management update to begin. Up to three dates are displayed.
- Select Submit to request the update that enables customer-managed keys in your environment.
A message at the bottom of the window displays when the encryption is scheduled to occur. The encryption is performed during the time window you specified. Until the update occurs, the environment remains encrypted by the Oracle-managed key.
If you need to reschedule or cancel the update for customer-managed keys, see To Reschedule or Cancel an Update to Enable Customer-Managed Keys.
Rescheduling or Canceling an Update to Enable Customer-Managed Keys
You can reschedule or cancel an update to switch to customer-managed keys as long as the update status is Scheduled. If the update is in progress or complete, the update can't be canceled or undone.
You can cancel or reschedule the update yourself in the OCI Console, using the instructions in this topic.
The status for the update must be Scheduled to use these instructions.
On the Environments list page, select the environment that you want to work with. If you need help finding the list page, see To list environments.
- On the environment details page, select Security.
- Under Encryption, find the Customer-managed row. Open the actions menu for that row and then select Reschedule or Cancel.
- Reschedule only: If you're rescheduling the update for customer-managed keys, select a new date and then select Submit. Note: ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer-managed keys while the refresh is taking place.
- Cancel only: If you're canceling the update, type in the environment name to confirm that you want to cancel the update, and then select Cancel scheduled key.
Viewing Key Status and Details
To view key status and details:
On the Environments list page, select the environment that you want to work with. If you need help finding the list page, see To list environments.
- On the environment details page, select Security.
Under Encryption, select the Vault and Key names to navigate to these resources for more information.
Working with Customer-Managed Keys
After adding customer-managed keys to Fusion Applications environments, you can change the master encryption key, rotate key versions, disable and enable keys, and (as the tenancy administrator) delete keys, as described in the following sections.
Don't add or change a customer-managed key, or rotate a key, more than twice within a 24-hour period.
Changing and Rotating Keys
You can change the master encryption key and rotate key versions as needed.
Don't rotate keys more than once every 15 minutes. Otherwise, key rotation will take longer to complete.
On the Environments list page, select the environment that you want to work with. If you need help finding the list page, see To list environments.
- On the environment details page, select Security.
- Under Encryption, select Change encryption key.
- In the Change encryption key panel, select a Vault.
If you're using disaster recovery (DR), you must select a vault that supports replication. All private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to find out if a virtual vault supports replication.
If the selected vault is in a different compartment, you might need to create IAM policies for vault access. See Add the System Policy to Enable Customer-Managed Keys in Your Tenancy for details.
- Select a Master encryption key.
- Select Submit, then confirm that you want to change the key.
To Rotate a Key
You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the Vault service Console UI. See Key and Secret Management Concepts for more details on key versions.
Before you can rotate a key, the following conditions must be met:
- The environment Lifecycle state must be Active and the Health status must be Available.
- You must not have met the limit of key versions available for the vault. Production-to-test refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts also reduce the number of remaining key versions in a vault.
What to expect during key rotation:
- There is no downtime, and the Health status of the environment remains as Available.
- A banner message on the environment details page alerts you that rotation is in progress.
- The Key status shows as Rotation in progress.
Follow the procedure Rotating a Vault Key in the Vault documentation.
To Verify Key Rotation
After you rotate a key, you can verify the rotation in the environment details page:
On the Environments list page, select the environment that you want to work with. If you need help finding the list page, see To list environments.
- On the environment details page, select Security.
- Under Encryption, select the key version to verify that it corresponds to the version in the Vault service.
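A rotation job run from the CLI, as suggested above, should enforce the limits on this page itself rather than rely on the operator: no rotation within 15 minutes of the last one, no more than two key changes or rotations in 24 hours, and enough key versions left in the vault for production-to-test refreshes. The following guardrail and post-rotation check are an added example, not Oracle's code. Inputs mirror the JSON printed by `oci kms management key-version list` and `oci kms management key get` as the author knows it; the vault's Key Version Count limit and usage must be taken from the Limits, Quotas and Usage page, key changes made through Change encryption key have to be counted separately because they leave no trace in the version list, and all sample data and timestamps are constructed.

```python
"""Guardrails for a scheduled key rotation job, plus the post-rotation check.
Added example, not Oracle's code; JSON shapes follow the OCI CLI as the author knows it."""
import json
from datetime import datetime, timedelta, timezone


def parse_time(value: str) -> datetime:
    """OCI timestamps are RFC 3339; fromisoformat() before Python 3.11 rejects the Z suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_allowed(key_versions_json, now, vault_version_limit, vault_versions_used,
                     other_changes_24h=0, reserve=2):
    """Decide whether the job may rotate the key now. Returns (allowed, reason).

    key_versions_json: output of `oci kms management key-version list` for the key.
    vault_version_limit / vault_versions_used: Key Version Count limit and usage for
        the vault, from the Limits, Quotas and Usage page (the limit is per vault).
    other_changes_24h: key changes (Change encryption key) in the last 24 hours; they
        count toward the two-per-day limit but do not appear in the version list.
    reserve: versions to leave unused so P2T refreshes do not hit the vault limit.
    """
    versions = json.loads(key_versions_json)["data"]
    created = sorted(parse_time(v["time-created"]) for v in versions)
    if created and now - created[-1] < timedelta(minutes=15):
        return False, f"last key version was created {now - created[-1]} ago; wait 15 minutes"
    # The first version is created with the key itself; every later one is a rotation.
    rotations_24h = sum(1 for t in created[1:] if now - t < timedelta(hours=24))
    if rotations_24h + other_changes_24h >= 2:
        return False, "two key changes or rotations already within the last 24 hours"
    remaining = vault_version_limit - vault_versions_used
    if remaining <= reserve:
        return False, f"only {remaining} key versions left in the vault; {reserve} reserved for P2T"
    return True, "rotation allowed"


def verify_rotation(key_json: str, environment_key_version: str) -> bool:
    """True when the key version shown under Encryption on the environment's Security
    page equals the vault key's current-key-version from `oci kms management key get`."""
    return json.loads(key_json)["data"]["current-key-version"] == environment_key_version


# Constructed key-version list: the original version plus two rotations.
KEY_VERSIONS_JSON = """{"data": [
  {"id": "ocid1.keyversion.oc1.iad.example.v1", "lifecycle-state": "ENABLED",
   "time-created": "2024-05-01T10:00:00Z", "origin": "INTERNAL"},
  {"id": "ocid1.keyversion.oc1.iad.example.v2", "lifecycle-state": "ENABLED",
   "time-created": "2024-05-20T10:00:00Z", "origin": "INTERNAL"},
  {"id": "ocid1.keyversion.oc1.iad.example.v3", "lifecycle-state": "ENABLED",
   "time-created": "2024-06-01T10:00:00Z", "origin": "INTERNAL"}
]}"""
KEY_JSON = """{"data": {"id": "ocid1.key.oc1.iad.example",
  "current-key-version": "ocid1.keyversion.oc1.iad.example.v3", "lifecycle-state": "ENABLED"}}"""
# Two constructed decision times: ten minutes after the last rotation, and two hours after.
JUST_AFTER = datetime(2024, 6, 1, 10, 10, tzinfo=timezone.utc)
LATER = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when in (JUST_AFTER, LATER):
        print(when.isoformat(), rotation_allowed(KEY_VERSIONS_JSON, when, 100, 40))
    print("environment on current version:",
          verify_rotation(KEY_JSON, "ocid1.keyversion.oc1.iad.example.v3"))
```

Call `rotation_allowed()` before `oci kms management key rotate` and `verify_rotation()` with the version displayed on the Security page afterwards; a mismatch means the environment has not yet picked up the new version and the Key status should still read Rotation in progress.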
Disabling and Enabling Keys
If you encounter a situation in which you want to shut down Fusion Applications and access to the Fusion database, your security administrator can disable the key to immediately force all users out of the system.
Disabling a key might result in loss of data. If the key is disabled, Fusion Applications cloud service proactively tries to shut down the environment to minimize the chance of failures while the environment is being used. Once the key is disabled, however, the environment can't be restarted until it's enabled again. While the key remains in a disabled state, no Fusion Applications cloud service can access any previously saved customer data.
- The Health status of the environment is updated to Unavailable. The Lifecycle state is updated to Disabled. All users are forced out of the application.
- A banner message on the environment details page alerts you that the encryption has been disabled.
- The Key status shows as Disabled.
When you initiate the disabling of a key, a series of processes takes place to shut down the components of the environment (for example, the database services, the middle tier, the load balancers), which can take up to an hour to complete. Do not attempt to re-enable a key until these processes have completed.
Similarly, when you initiate the enabling of a key, the completion of the set of processes to bring the system back up can take up to an hour.
To Disable a Key
Follow the procedure Disabling a Vault Key in the Vault documentation.
To Enable a Key
Follow the procedure Enabling a Vault Key in the Vault documentation.
Deleting Keys
The permissions granted to the security administrator role don't include delete for keys and vaults. The deletion of keys and vaults is a highly destructive operation and should be performed only by the tenancy administrator in rare circumstances.
When a tenancy administrator deletes a key, any data or any OCI resource (including your Fusion Applications database) that's encrypted by this key immediately becomes unusable or irretrievable.
We strongly recommend that you back up a key before you schedule the key for deletion. With a backup, you can restore the key and the vault if you want to continue using the key again later.
For more information, see Deleting a Vault Key.