Secure your Fusion Applications environments with Oracle Break Glass and customer-managed keys.
By default, your Fusion Applications environments are protected by Oracle-managed
encryption keys. By subscribing to the Oracle Break Glass service, you are offered the
customer-managed keys feature that allows you to provide and manage the encryption keys
that protect your environments. You can also purchase this option as an add-on
subscription.
With customer-managed keys, you use your keys, stored in an OCI vault to secure the data stored at rest in your production and non-production environments. You can enable the customer-managed keys option on your environment either during environment creation or after you create the environment.
Best Practices for Setting Up and Managing Vaults and Keys
It is a best practice to create separate vaults for production and non-production
environments. Within the non-production vault, create separate keys for your test and
development environments. For example, you might create the following:
Environment    Vault                     Master encryption key
Production     my-production-vault       my-production-key
Test           my-nonproduction-vault    my-test-environment-key
Development    my-nonproduction-vault    my-development-environment-key
Benefits of separate vaults for production and non-production:
Maintaining separate vaults allows for independent rotation of keys for production and non-production environments.
There is a limit to the number of keys per vault. Having separate vaults gives production and non-production each their own count.
Important
Production-to-test refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts reduce the number of remaining key versions in a vault more quickly.
You can verify your key limits and usage by viewing the Limits, Quotas and Usage page
where your resource limits, quotas, and usage for the specific region are displayed,
broken out by service:
In the Console, open the navigation menu and select Governance &
Administration. Under Tenancy Management, select Limits, Quotas and
Usage.
From the Service list, select Key Management.
Verify the key limits for: "Key Version Count for Virtual Vaults" or "Software Key Version Count for Virtual Vaults," as appropriate for the key type you chose to use.
Setting Up Customer-Managed Keys
Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure your production and non-production environments. You can set up keys on your environment either during environment creation or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.
Overview of Setup Tasks and Roles
Managing customer-managed keys involves tasks that need to be performed by different
roles in your organization. Here is a summary of the roles and tasks performed by
each:
Role: Tenancy Administrator
  Setup tasks:
    Creates compartments for vaults and keys
    Creates the Security Administrator group, adds admin users to the group, and creates the policy that lets the group manage vaults and keys
    Adds the system policy that lets Fusion Applications use customer-managed keys
    Adds permissions that let the Fusion Applications Administrator read vaults and keys
  Maintenance tasks: None

Role: Security Administrator
  Setup tasks:
    Creates the vaults for production and non-production environments
    Creates the keys for production and non-production environments
    Provides vault and key information to the Fusion Applications Administrator to add to the environments
  Maintenance tasks:
    Rotates keys
    Verifies key rotation
    Disables keys (if necessary)

Role: Fusion Applications Administrator
  Setup tasks:
    Enables customer-managed keys in production and non-production environments
    Optionally, schedules the start date for use of customer-managed keys
  Maintenance tasks:
    Changes customer-managed keys in production and non-production environments
    Verifies key rotation
Setup Tasks for the Tenancy Administrator
The tenancy administrator performs the tasks that set up the tenancy so that the security administrator and the Fusion Applications administrator can enable and manage customer-managed keys.
It is recommended that you create a distinct security administrator group to limit access
to the security features of your Fusion Applications environments.
The policy for the security administrator group allows the group to manage vaults and keys but does not allow deletion. The policy is:
allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in compartment <location> where request.permission not in ('KEY_DELETE')
allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in compartment <location> where request.permission not in ('VAULT_DELETE')
allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in compartment <location>
allow group '<identity-domain-name>'/'<your-group-name>' to read keys in compartment <location>
allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in compartment <location>
Replace <identity-domain-name> and <your-group-name> with your identity domain and group name, and replace every <location> with the name of the compartment where the vault and keys are created.
The policy to enable customer-managed keys must be added before you add the vault and key to your environment. If this policy is not added, your environment will not complete provisioning (if added during environment creation) or will not complete the maintenance cycle (if added to an existing environment).
Create a policy with the following statements:
define tenancy fusionapps1 as ocid1.tenancy.oc1..aaaaaaaau5s6lj67ia5vy6qjglhvquqdszjqlmvlmsetu4jrtjni4mng6hea
define tenancy fusionapps2 as ocid1.tenancy.oc1..aaaaaaaajgaoycccrtt3l3vnnlave6wkc2zbf6kkksq66begstczxrmxjlia
define dynamic-group fusionapps1_environment as ocid1.dynamicgroup.oc1..aaaaaaaa5wcbybhxa5vqcvniefoihlvnidty4fk77fitn2hjhd7skhzaadqq
define dynamic-group fusionapps2_environment as ocid1.dynamicgroup.oc1..aaaaaaaaztbusgx23a3jdpvgxqx6tkv2nedgxld6pj3w7hcvhfzvw5ei7fiq
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to manage keys in compartment <location>
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to use vaults in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to manage keys in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to use vaults in compartment <location>
allow service keymanagementservice to manage vaults in tenancy
allow any-user to read keys in tenancy where all {request.principal.type = 'fusionenvironment'}
allow any-user to read vaults in tenancy where all {request.principal.type = 'fusionenvironment'}
Note
The preceding policy is for tenancies in the Commercial Cloud (OC1 realm) only. If your Fusion Applications environment is in any other realm (for example, Oracle US Government Cloud, United Kingdom Government Cloud, etc.), then you must Open a Support Request to get the correct policy.
Ensure that you replace all <location> variables with the name of
the compartment where the vault and keys were created.
If you create vaults and keys in multiple compartments, create a policy for each compartment. Alternatively, you can scope the policy to the tenancy, which grants access to all compartments; this is broader than the environments need, so prefer per-compartment statements where practical.
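As an added illustration (not part of Oracle's documentation or tooling), the following Python script lints a block of policy statements in the shapes shown above before you paste them into the Console. It flags a human group that would receive KEY_DELETE or VAULT_DELETE because the request.permission exclusion is missing, an any-user grant that carries no where condition, and any <placeholder> such as <location> that was never replaced. The sample policy, the identity domain 'Default', the group 'FA-Security-Admins' and the compartment names are constructed for the example; the grammar covers only the statement forms on this page and recognises only the request.permission not in (...) form of exclusion.

```python
import re
from dataclasses import dataclass

# Added example, not an Oracle tool. It parses OCI IAM policy statements of
# the shapes used on this page and flags three things a reviewer checks
# before applying the policy:
#   1. a human group given 'manage' on keys or vaults without the
#      request.permission not in ('KEY_DELETE' / 'VAULT_DELETE') exclusion;
#   2. an any-user grant that carries no 'where' condition;
#   3. a <placeholder> such as <location> that was never replaced.
# The grammar below covers only the statement forms on this page.

STATEMENT_RE = re.compile(
    r"""^(?P<kw>allow|admit)\s+
        (?P<subject>.+?)\s+to\s+
        (?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[\w-]+)\s+in\s+
        (?P<scope>tenancy|compartment\s+\S+)
        (?:\s+where\s+(?P<cond>.+))?$""",
    re.IGNORECASE | re.VERBOSE,
)

DELETE_PERMISSION = {"keys": "KEY_DELETE", "vaults": "VAULT_DELETE"}
PLACEHOLDER_RE = re.compile(r"<[^<>]+>")


@dataclass
class Finding:
    line: int
    problem: str
    statement: str


def parse_statement(text):
    """Return the parts of one allow/admit statement, or None if it does not match."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        return None
    parts = m.groupdict()
    for key in ("kw", "verb", "resource"):
        parts[key] = parts[key].lower()
    return parts


def excludes_permission(cond, perm):
    """True if cond contains  request.permission not in (...)  listing perm."""
    if not cond:
        return False
    m = re.search(r"request\.permission\s+not\s+in\s*\(([^)]*)\)", cond, re.IGNORECASE)
    if m is None:
        return False
    listed = {p.strip().strip("'\"").upper() for p in m.group(1).split(",")}
    return perm in listed


def lint_policy(policy_text):
    """Lint a block of policy statements; returns a list of Finding."""
    findings = []
    for n, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith("define "):
            continue  # 'define' lines are aliases, not grants
        if PLACEHOLDER_RE.search(line):
            findings.append(Finding(n, "unreplaced placeholder", line))
        st = parse_statement(line)
        if st is None:
            findings.append(Finding(n, "unrecognised statement", line))
            continue
        subject = st["subject"].lower()
        if (st["verb"] == "manage" and st["resource"] in DELETE_PERMISSION
                and subject.startswith("group ")):
            perm = DELETE_PERMISSION[st["resource"]]
            if not excludes_permission(st["cond"], perm):
                findings.append(Finding(
                    n, f"group may {perm}; add request.permission not in ('{perm}')", line))
        if st["kw"] == "allow" and subject == "any-user" and not st["cond"]:
            findings.append(Finding(n, "any-user grant without a where condition", line))
    return findings


# Constructed sample: the security-administrator policy from this page with
# concrete names, plus three deliberately flawed statements at the end.
SAMPLE_POLICY = """\
allow group 'Default'/'FA-Security-Admins' to manage keys in compartment fa-keys where request.permission not in ('KEY_DELETE')
allow group 'Default'/'FA-Security-Admins' to manage vaults in compartment fa-keys where request.permission not in ('VAULT_DELETE')
allow group 'Default'/'FA-Security-Admins' to read vaults in compartment fa-keys
allow group 'Default'/'FA-Security-Admins' to read keys in compartment fa-keys
allow group 'Default'/'FA-Security-Admins' to use key-delegate in compartment fa-keys
allow any-user to read keys in tenancy where all {request.principal.type = 'fusionenvironment'}
allow group 'Default'/'FA-Security-Admins' to manage keys in compartment fa-keys-nonprod
allow any-user to read vaults in tenancy
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to manage keys in compartment <location>
"""

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"line {f.line}: {f.problem}")
```

Run it and the three flawed statements (lines 7, 8 and 9 of the sample) are reported; the five statements copied from the page and the conditioned any-user grant pass. The check is deliberately conservative: it looks for the exact exclusion form the page uses, so a statement that restricts deletion some other way is reported for a human to review rather than silently accepted.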
Setup Tasks for the Security Administrator
The security administrator sets up the vaults and keys and gives the information to the
Fusion Applications administrator to add them to the environment.
Follow the procedure Creating a Vault in
the Vault documentation.
Note
The basic vault type is included in your Break Glass service subscription. When you create a vault, you have the option to Make it a virtual private vault. This vault type uses a dedicated partition for your vault and is not included in your Break Glass service subscription. If you select Make it a virtual private vault you will incur additional charges. For more information about vault types, see Key and Secret Management Concepts.
It is recommended that you create two vaults: one for your production environment keys and one for your non-production environment keys.
After you create the vaults, replicate the vault you created for your production environment. The replicated vault is used for disaster recovery.
Verify the disaster recovery region pairing for the region where your production Fusion Applications environment is located. See Disaster Recovery Support for the list of region pairings.
Replicate the vault you created for your production environment by following the steps at Replicating Vaults and Keys. When you select the destination region for replication, be sure to choose the disaster recovery region identified in the previous step.
You must make the following selections when creating keys for Fusion Applications:
For Key Shape: Algorithm, select AES (Symmetric key used for Encrypt and Decrypt). You must select this option for Fusion Applications customer-managed keys.
For Key Shape: Length, select 256 bits.
It is recommended you create one key in the production vault for your production
environment and one key for each non-production environment in your non-production
vault.
After you create the vault and keys give the vault compartment name, vault name, and key
name (and key compartment name, if different) to the Fusion Applications
administrator.
Adding Customer-Managed Keys to New and Existing Environments
The Fusion Applications administrator adds the customer-managed keys to the environments. This can be performed either during environment creation or after the environment has already been created. For existing environments, Oracle provides the administrator a choice of time windows to schedule the update. For new environments, the keys are added at the time of environment provisioning, and no scheduling is required.
After customer-managed keys have been enabled, the administrator can also change a key in an environment.
Prerequisites:
The subscription has been added to the environment family. If the subscription has not been added, you won't see the option to choose a customer-managed key.
The security administrator has created the vault and the AES-256 key. The basic vault type is included in your Break Glass service subscription; a virtual private vault uses a dedicated partition, is not included in the subscription, and incurs additional charges. For more information about vault types, see Key and Secret Management Concepts.
The Tenancy Administrator has set up the system policy to enable customer-managed keys in your tenancy.
This procedure includes only the steps for enabling the customer-managed key. See Environment Management Tasks for the full procedure for creating an
environment.
On the environment creation page:
Select Show advanced options.
Select the Encryption tab.
Select Customer-managed key (recommended).
If you don't see this option, the subscription has not been added to the
environment family.
Select the Vault. If your vault is not in the same
compartment that you are creating your environment in, you need to click
Change Compartment and choose the appropriate
compartment.
Select the Key. If your key is not in the same compartment
that you are creating your environment in, you need to click Change
Compartment and choose the appropriate compartment. Only AES-256-bit
keys are displayed.
After you complete all the steps to set up the environment, the provisioning process
begins. Adding the customer-managed key adds time to the provisioning process. While the
key is being enabled, you'll see a message alerting you that the environment is
unavailable.
When you enable a customer-managed key on an existing environment, the encryption isn't performed immediately. The option is enabled during a scheduled update, which can be during the next scheduled maintenance cycle, or at one of two other times provided by Oracle. The two alternate times for your environment are displayed in the OCI Console when you open the Edit encryption dialog to request the update. Note that in the list of displayed time windows for scheduling the update, the regular maintenance window is the last entry in the list of choices. See To enable a customer-managed key for an existing environment in this topic for details.
If you choose to enable customer-managed keys during one of the two alternate times Oracle provides, you can reschedule or cancel this update in the OCI Console without contacting Oracle Support, as long as the update is in the "Scheduled" state. If the update is in progress or complete, you cannot cancel or undo the update.
If you choose to enable customer-managed keys during the next scheduled maintenance, and then need to reschedule or cancel the encryption update, you must contact Oracle Support.
If you're enabling customer-managed keys outside of a regularly scheduled maintenance, ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer-managed keys while the refresh is taking place.
Until the update is made to enable customer-managed keys, the environment continues to be encrypted by the Oracle-managed key.
To enable a customer-managed key for an existing environment:
Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
Under Resources, select Security. The Encryption tab is displayed.
By default, the Type is Oracle-managed. Select Edit encryption to add your vault and key.
If you don't see the edit option, either you haven't added the appropriate options or the environment is updating.
Select Customer-managed key.
Select the Vault. If your vault isn't in the same compartment as the environment, select Change Compartment and select the appropriate compartment. If you're using disaster recovery (DR), you must select a vault that supports replication. All virtual private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to determine if a virtual vault supports replication.
Select the Master encryption key. If your key isn't in the same compartment as the environment, select Change Compartment and select the appropriate compartment. Only AES-256-bit keys are displayed.
In the Encryption update schedule section, select the time window to specify the time you would like the encryption management update to begin. Up to three dates are displayed, depending on when the next scheduled maintenance run for the environment is.
Note that one of the dates in the list of choices is the date of the next scheduled maintenance. If you select the date of the next scheduled maintenance, hint text displays the message "The selected date above is the next scheduled maintenance date."
The hint text for the next scheduled maintenance date appears as shown in the following image:
Note the following:
By default, the time window shows the option of your next scheduled maintenance update. If you use this option and need to cancel or reschedule the update to enable customer-managed keys, you must contact Oracle Support.
Oracle provides two time windows that are not the time of your next scheduled maintenance update. If you select one of these two windows, you can use the OCI Console to cancel or reschedule the update to enable customer-managed keys.
Select Submit to request the update that enables customer-managed keys in your environment.
The message at the bottom of the window displays when the encryption is scheduled to occur. The encryption is performed during the time window you specified. Until the maintenance occurs, the environment remains encrypted by the Oracle-managed key.
Rescheduling or Canceling an Update to Enable Customer-Managed Keys
You can reschedule or cancel an update to switch to customer-managed keys as long as the update status is "scheduled." How you do this depends on whether the update is scheduled to take place during regular maintenance, or outside the regular maintenance window.
Updates scheduled during regular maintenance: If you submitted a request to enable customer-managed keys during a regularly scheduled maintenance, contact Oracle Support to cancel or reschedule the enabling of customer-managed keys.
Updates scheduled outside of a maintenance window: If you specified a time window for the enabling of customer-managed keys that wasn't during regularly scheduled maintenance, you can cancel or reschedule the update yourself in the OCI Console, using the instructions in this topic.
Important
To reschedule or cancel an update to switch to customer-managed keys, the update status must be "scheduled." If the update is in progress or complete, the update can't be canceled or undone.
These instructions only apply to updates scheduled outside of the regular maintenance window. The status for the update must be "scheduled" to use these instructions. If your update to enable customer-managed keys is scheduled to take place during regular maintenance, contact Oracle Support for help.
Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
Under Resources, select Security. The Encryption tab is displayed.
In the table of encryption options, find the "Customer managed" row, select the Actions menu, and then select Reschedule or Cancel.
Reschedule only: If you are rescheduling the update for Customer-Managed Keys, select a new date using the drop-down menu, then select Submit.
Note
If you're enabling customer-managed keys outside of a regularly scheduled maintenance, ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer-managed keys while the refresh is taking place.
Cancel only: If you're canceling the update, type in the environment name to confirm that you want to cancel the update, and then select Cancel scheduled key.
Viewing Key Status and Details
To view key status and details:
Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
Under Resources, select Security. The Encryption tab is displayed.
If the key has been added, but the maintenance cycle has not yet run, the Key
status will show as Scheduled.
You can select the Vault and Key names to navigate to these resources.
Changing and Rotating Keys
You can change the master encryption key and rotate key versions as needed.
Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
Under Resources, select Security.
Select the Encryption tab.
Select Change encryption key.
In the Change encryption key panel, select a Vault and then the Master encryption key (only AES-256-bit keys are displayed). If you're using disaster recovery (DR), you must select a vault that supports replication. All virtual private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to find out if a virtual vault supports replication.
Select Submit, then confirm that you want to change the key.
You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the Vault service Console UI. See Key and Secret Management Concepts for more details on key versions.
Before you can rotate a key, the following conditions must be met:
The environment Lifecycle state must be Active and the Health
status must be Available.
You must not have reached the limit of key versions available for the vault. Production-to-test refreshes where the test environment uses customer-managed keys also consume key versions, so frequent P2Ts reduce the number of remaining key versions in a vault more quickly.
What to expect during key rotation:
There is no downtime, and the Health status of the environment remains as
Available.
A banner message on the environment details page is displayed to alert you that
rotation is in progress.
After you rotate a key, you can verify the rotation in the environment details
page:
Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
Under Resources, select Security. The Encryption tab is displayed.
Select the Key version to verify that it corresponds to the version in the Vault service.
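The page says rotation can be automated as a CLI job and then verified against the environment details page. As an added example (not Oracle's code and not the OCI SDK), the Python job below strings together the preconditions listed above, the rotation itself, and the verification step: it refuses to rotate unless the environment is Active and Available and the vault still has key-version headroom (with a reserve you can keep back for planned P2T refreshes), it creates the new key version and confirms the vault now reports it as current, and it checks that the environment's reported key version matches the vault. The client interface is an assumption: get_key, create_key_version and list_key_versions are the names of the corresponding OCI Python SDK KmsManagementClient methods (whose responses carry the object in .data), but here they are satisfied by FakeKms, a constructed in-memory stand-in, and EnvironmentStatus is an assumed shape for the values shown on the Security > Encryption tab.

```python
"""Key-rotation job for a Fusion Applications customer-managed key.

Added example, not Oracle's code. It assumes two collaborators:
  kms: get_key(key_id)            -> object with .current_key_version
       create_key_version(key_id) -> object with .id
       list_key_versions(key_id)  -> list of version objects
  env_lookup(env_id)              -> EnvironmentStatus-like object
With the real OCI Python SDK the three kms calls are KmsManagementClient
methods of the same names (each returns a Response whose .data is the object);
the environment lookup is an assumed wrapper around the values the Console
shows on the environment's Security > Encryption tab.
"""
from dataclasses import dataclass


class RotationBlocked(Exception):
    """Raised when one of the page's preconditions is not met."""


@dataclass
class EnvironmentStatus:
    lifecycle_state: str   # page: must be Active
    health_status: str     # page: must be Available
    key_version: str       # key version the environment currently reports


def preflight(env, versions_used, version_limit, reserve=0):
    """Apply the preconditions before rotating.

    reserve is the number of key versions to keep free, for example for
    upcoming production-to-test refreshes, which also consume versions.
    """
    if env.lifecycle_state.upper() != "ACTIVE":
        raise RotationBlocked(f"lifecycle state is {env.lifecycle_state}, not Active")
    if env.health_status.upper() != "AVAILABLE":
        raise RotationBlocked(f"health status is {env.health_status}, not Available")
    if versions_used + 1 + reserve > version_limit:
        raise RotationBlocked(
            f"{versions_used} of {version_limit} key versions used; "
            f"rotating now would leave fewer than {reserve} spare")


def rotate_key(kms, key_id):
    """Create a new key version and confirm the vault switched to it."""
    before = kms.get_key(key_id).current_key_version
    created = kms.create_key_version(key_id).id
    after = kms.get_key(key_id).current_key_version
    if after != created or after == before:
        raise RotationBlocked(f"vault still reports {after} as current after creating {created}")
    return before, after


def environment_matches_vault(env, kms, key_id):
    """The verification step from the page: the environment's key version
    must equal the vault's current key version."""
    return env.key_version == kms.get_key(key_id).current_key_version


def run_rotation(kms, env_lookup, env_id, key_id, version_limit, reserve=0):
    """Preflight, rotate, and return (old_version, new_version)."""
    env = env_lookup(env_id)
    preflight(env, len(kms.list_key_versions(key_id)), version_limit, reserve)
    return rotate_key(kms, key_id)


# --- constructed stand-ins so the example runs offline --------------------
class _KeyVersion:
    def __init__(self, version_id):
        self.id = version_id


class _Key:
    def __init__(self, current):
        self.current_key_version = current


class FakeKms:
    """Minimal in-memory stand-in for the vault (not the OCI SDK)."""

    def __init__(self, versions):
        self.versions = list(versions)

    def get_key(self, key_id):
        return _Key(self.versions[-1])

    def list_key_versions(self, key_id):
        return [_KeyVersion(v) for v in self.versions]

    def create_key_version(self, key_id):
        new = f"v{len(self.versions) + 1}"
        self.versions.append(new)
        return _KeyVersion(new)


if __name__ == "__main__":
    kms = FakeKms(["v1", "v2"])
    env = EnvironmentStatus("ACTIVE", "AVAILABLE", "v2")
    print(run_rotation(kms, lambda _id: env, "env-1", "key-1", version_limit=10, reserve=2))
```

The environment check after rotation is expected to fail for a while: the environment keeps reporting the old version until its rotation completes (the page notes the banner shown during that time), so a job should poll environment_matches_vault rather than treat one mismatch as an error. Keeping a reserve of versions is the practical answer to the P2T caveat above: each refresh of a customer-managed-key test environment spends a version from the same per-vault limit the rotation job draws on.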
Disabling and Enabling Keys
If you encounter a situation in which you want to shut down Fusion Applications and
access to the Fusion database, your security administrator can disable the key to
immediately force all users out of the system.
Warning
Disabling a key may result in loss of data. If the key is disabled, Fusion Applications cloud service will proactively try to shut down the environment to minimize the chance of failures while the environment is being used. Once the key is disabled, however, the environment cannot be restarted until it is enabled again. While the key remains in a disabled state, no Fusion Applications cloud service will be able to access any previously saved customer data.
What to expect when you disable a key:
The Health status of the environment is updated to Unavailable. The Lifecycle state is updated to Disabled. All users are forced out of the application.
A banner message on the environment details page is displayed to alert you that
the encryption has been disabled.
The Key status shows as Disabled.
Note
When you initiate the disabling of a key, a series of processes
takes place to shut down the components of the environment (e.g., the database services,
the middle tier, the load balancers), which can take up to an hour to complete. Do not
attempt to re-enable a key until these processes have completed.
Similarly, when you
initiate the enabling of a key, the completion of the set of processes to bring the
system back up can take up to an hour.
The permissions granted to the security administrator role do not include delete for keys
and vaults. The deletion of keys and vaults is a highly destructive operation and should
be performed only by the tenancy administrator in rare circumstances.
When a tenancy administrator deletes a key, any data or any OCI resource (including your
Fusion Applications database) that is encrypted by this key will be unusable or
irretrievable immediately.
We strongly recommend that you back up a key before you schedule the key for deletion.
With a backup, you can restore the key and the vault if you want to continue using the
key again later.