Customer-Managed Keys for Oracle Break Glass

Secure your Fusion Applications environments with Oracle Break Glass and customer-managed keys.

By default, your Fusion Applications environments are protected by Oracle-managed encryption keys. By subscribing to the Oracle Break Glass service, you are offered the customer-managed keys feature that allows you to provide and manage the encryption keys that protect your environments. You can also purchase this option as an add-on subscription.

With customer-managed keys, you use your own keys, stored in an OCI vault, to secure the data stored at rest in your production and non-production environments. You can enable the customer-managed keys option on your environment either during environment creation or after you create the environment.

Best Practices for Setting Up and Managing Vaults and Keys

It is a best practice to create separate vaults for production and non-production environments. Within the non-production vault, create separate keys for your test and development environments. For example, you might create the following:

Environment   Vault                    Master encryption key
Production    my-production-vault      my-production-key
Test          my-nonproduction-vault   my-test-environment-key
Development   my-nonproduction-vault   my-development-environment-key

Benefits of separate vaults for production and non-production:

  • Maintaining separate vaults allows for independent rotation of keys for production and non-production environments.
  • There is a limit to the number of keys per vault. Having separate vaults provides a separate count for production and non-production.

Important

Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, therefore frequent P2Ts will reduce the number of remaining key versions more quickly in a vault.

You can verify your key limits and usage by viewing the Limits, Quotas and Usage page where your resource limits, quotas, and usage for the specific region are displayed, broken out by service:

  1. In the Console, open the navigation menu and select Governance & Administration. Under Tenancy Management, select Limits, Quotas and Usage.
  2. From the Service list, select Key Management.

    Verify the key limits for: "Key Version Count for Virtual Vaults" or "Software Key Version Count for Virtual Vaults," as appropriate for the key type you chose to use.

Setting Up Customer-Managed Keys

Fusion Applications uses the OCI Vault service to enable you to create and manage encryption keys to secure your production and non-production environments. You can set up keys either during environment creation or by adding the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.

Overview of Setup Tasks and Roles

Managing customer-managed keys involves tasks that need to be performed by different roles in your organization. Here is a summary of the roles and tasks performed by each:

Role: Tenancy Administrator
  Setup tasks:
  • Creates compartments for vaults and keys
  • Creates the Security Administrator group, adds admin users to the group, and creates policy for the group to be able to manage vaults and keys.
  • Adds the system policy to enable customer-managed keys to be used by Fusion Applications
  • Adds permissions to allow Fusion Applications Administrator to read vaults and keys
  Maintenance tasks:
  • None

Role: Security Administrator
  Setup tasks:
  • Creates the vaults for production and non-production environments
  • Creates the keys for production and non-production environments
  • Provides vault and key information to the Fusion Applications Administrator to add to the environments
  Maintenance tasks:
  • Rotates keys
  • Verifies key rotation
  • Disables keys (if necessary)

Role: Fusion Applications Administrator
  Setup tasks:
  • Enables customer-managed keys in production and non-production environments
  • Optionally, schedules start date for use of customer-managed keys
  Maintenance tasks:
  • Changes customer-managed keys in production and non-production environments
  • Verifies key rotation

Setup Tasks for the Tenancy Administrator

The tenancy administrator sets up the tenancy so that the security administrator and the Fusion Applications administrator can enable and manage customer-managed keys.

Setup Tasks for the Security Administrator

The security administrator sets up the vaults and keys and gives the information to the Fusion Applications administrator to add them to the environment.

Adding Customer-Managed Keys to New and Existing Environments

The Fusion Applications administrator adds the customer-managed keys to the environments. This can be performed either during environment creation or after the environment has already been created. For existing environments, Oracle provides the administrator a choice of time windows to schedule the update. For new environments, the keys are added at the time of environment provisioning, and no scheduling is required.

After customer-managed keys have been enabled, the administrator can also change a key in an environment.

Prerequisites:

  • The subscription has been added to the environment family. If the subscription has not been added, you won't see the option to choose customer-managed key.
  • The Security Administrator has created the vault and key.
    Note

    The basic vault type is included in your Break Glass service subscription. When you create a vault, you have the option to Make it a virtual private vault. This vault type uses a dedicated partition for your vault and is not included in your Break Glass service subscription. If you select Make it a virtual private vault you will incur additional charges. For more information about vault types, see Key and Secret Management Concepts.
  • The Tenancy Administrator has set up the system policy to enable customer-managed keys in your tenancy.
  • The Tenancy Administrator has created a policy for the Fusion Applications Administrator to read vaults and keys and associate them to Fusion Applications environments.

Rescheduling or Canceling an Update to Enable Customer-Managed Keys

You can reschedule or cancel an update to switch to customer-managed keys as long as the update status is "scheduled." How you do this depends on whether the update is scheduled to take place during regular maintenance, or outside the regular maintenance window.

  • Updates scheduled during regular maintenance: If you submitted a request to enable customer-managed keys during a regularly scheduled maintenance, contact Oracle Support to cancel or reschedule the enabling of customer-managed keys.
  • Updates scheduled outside of a maintenance window: If you specified a time window for the enabling of customer-managed keys that wasn't during regularly scheduled maintenance, you can cancel or reschedule the update yourself in the OCI Console, using the instructions in this topic.

Important

To reschedule or cancel an update to switch to customer-managed keys, the update status must be "scheduled." If the update is in progress or complete, the update can't be canceled or undone.

Viewing Key Status and Details

To view key status and details:

  1. Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
  2. Under Resources, select Security. The Encryption tab is displayed.

If the key has been added, but the maintenance cycle has not yet run, the Key status will show as Scheduled.

You can select the Vault and Key names to navigate to these resources.

Changing and Rotating Keys

You can change the master encryption key and rotate key versions as needed.

You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the Vault service Console UI. See Key and Secret Management Concepts for more details on key versions.

Before you can rotate a key, the following conditions must be met:

  • The environment Lifecycle state must be Active and the Health status must be Available.
  • You must not have met the limit of key versions available for the vault. Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, so frequent P2Ts will also reduce the number of remaining key versions in a vault.

What to expect during key rotation:

  • There is no downtime, and the Health status of the environment remains as Available.
  • A banner message on the environment details page is displayed to alert you that rotation is in progress.
  • The Key status shows as Rotation in progress.

To Rotate a Key

Follow the procedure Rotating a Vault Key in the Vault documentation.
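
A sketch of the CLI rotation job mentioned above, guarded by the key-version condition; this is an added example, not Oracle's own script. It follows the page's per-vault framing by summing the versions of every key in the vault and keeping a reserve for production-to-test refreshes. The environment variable names, the reserve value, and the operator-supplied VERSION_LIMIT are assumptions, and the environment's Lifecycle state and Health status still have to be checked separately.

```shell
#!/usr/bin/env bash
# Added example: rotate a customer-managed key only while the vault keeps spare
# key versions. VERSION_LIMIT is copied by the operator from the Limits, Quotas
# and Usage page; the variable names and MIN_HEADROOM reserve are assumptions.

# Print the number of versions of one key. $1 = key OCID, $2 = vault management endpoint
count_key_versions() {
  local n
  n=$(oci kms management key-version list --key-id "$1" --endpoint "$2" \
        --all --query 'length(data)' --raw-output) || return 1
  echo "${n:-0}"
}

# Print the total versions across all keys in the vault. $1 = compartment OCID, $2 = endpoint
count_vault_versions() {
  local keys key n total=0
  keys=$(oci kms management key list --compartment-id "$1" --endpoint "$2" \
           --all --query "join(' ', data[].id)" --raw-output) || return 1
  for key in $keys; do
    n=$(count_key_versions "$key" "$2") || return 1
    total=$(( total + n ))
  done
  echo "$total"
}

# $1 key OCID, $2 compartment OCID, $3 endpoint, $4 version limit, $5 reserve.
# Returns 0 after rotating, 2 when rotation is refused, 1 on a CLI error.
rotate_key_guarded() {
  local used remaining
  used=$(count_vault_versions "$2" "$3") || return 1
  remaining=$(( $4 - used ))
  if [ "$remaining" -le "$5" ]; then
    echo "not rotating: $remaining key versions left, reserve is $5" >&2
    return 2
  fi
  # In OCI Vault, rotating a key means creating a new key version.
  oci kms management key-version create --key-id "$1" --endpoint "$3" \
    >/dev/null || return 1
  echo "rotated $1; $(( remaining - 1 )) key versions left"
}

# Runs only when the job supplies its configuration through the environment.
if [ -n "${KEY_OCID:-}" ]; then
  rotate_key_guarded "$KEY_OCID" "$COMPARTMENT_OCID" "$VAULT_MGMT_ENDPOINT" \
    "$VERSION_LIMIT" "${MIN_HEADROOM:-10}"
fi
```

A scheduler can treat exit status 2 as a signal to alert the security administrator instead of retrying.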

To Verify Key Rotation

After you rotate a key, you can verify the rotation in the environment details page:

  1. Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
  2. Under Resources, select Security. The Encryption tab is displayed.
  3. Select the Key version to verify that it corresponds to the version in the Vault service.

Disabling and Enabling Keys

If you encounter a situation in which you want to shut down Fusion Applications and access to the Fusion database, your security administrator can disable the key to immediately force all users out of the system.

Warning

Disabling a key may result in loss of data. If the key is disabled, Fusion Applications cloud service will proactively try to shut down the environment to minimize the chance of failures while the environment is being used. Once the key is disabled, however, the environment cannot be restarted until it is enabled again. While the key remains in a disabled state, no Fusion Applications cloud service will be able to access any previously saved customer data.

What to expect when you disable a key:

  • The Health status of the environment is updated to Unavailable. The Lifecycle state is updated to Disabled. All users are forced out of the application.
  • A banner message on the environment details page is displayed to alert you that the encryption has been disabled.
  • The Key status shows as Disabled.

Note

When you initiate the disabling of a key, a series of processes takes place to shut down the components of the environment (e.g., the database services, the middle tier, the load balancers), which can take up to an hour to complete. Do not attempt to re-enable a key until these processes have completed.

Similarly, when you initiate the enabling of a key, the completion of the set of processes to bring the system back up can take up to an hour.

Deleting Keys

The permissions granted to the security administrator role do not include delete for keys and vaults. The deletion of keys and vaults is a highly destructive operation and should be performed only by the tenancy administrator in rare circumstances.

When a tenancy administrator deletes a key, any data or any OCI resource (including your Fusion Applications database) that is encrypted by this key will be unusable or irretrievable immediately.

We strongly recommend that you back up a key before you schedule the key for deletion. With a backup, you can restore the key and the vault if you want to continue using the key again later.

For more information, see Deleting a Vault Key.