Customer-Managed Keys for Oracle Break Glass
Secure your Fusion Applications environments with Oracle Break Glass and customer-managed keys.
By default, your Fusion Applications environments are protected by Oracle-managed encryption keys. By subscribing to the Oracle Break Glass service, you are offered the customer-managed keys feature that allows you to provide and manage the encryption keys that protect your environments. You can also purchase this option as an add-on subscription.
With customer-managed keys, you use your keys, stored in an OCI vault to secure the data stored at rest in your production and non-production environments. You can enable the customer-managed keys option on your environment either during environment creation or after you create the environment.
Best Practices for Setting Up and Managing Vaults and Keys
It is a best practice to create separate vaults for production and non-production environments. Within the non-production vault, create separate keys for your test and development environments. For example, you might create the following:
| Environment | Vault | Master encryption key |
|---|---|---|
| Production | my-production-vault | my-production-key |
| Test | my-nonproduction-vault | my-test-environment-key |
| Development | my-development-environment-key |
Benefits of separate vaults for production and non-production:
- Maintaining separate vaults allows for independent rotation of keys for production and non-production environments.
- There is limit to the number of keys per vault. Having separate vaults provides a separate count for production and non-production.
Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, therefore frequent P2Ts will reduce the number of remaining key versions more quickly in a vault.
You can verify your key limits and usage by viewing the Limits, Quotas and Usage page where your resource limits, quotas, and usage for the specific region are displayed, broken out by service:
- In the Console, open the navigation menu and select Governance & Administration. Under Tenancy Management, select Limits, Quotas and Usage.
- From the Service list, select Key Management.
Verify the key limits for: "Key Version Count for Virtual Vaults" or "Software Key Version Count for Virtual Vaults," as appropriate for the key type you chose to use.
Setting Up Customer-Managed Keys
Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure your production and non-production environments. You can set up keys on your environment either during environment creation or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.
Overview of Setup Tasks and Roles
Managing customer-managed keys involves tasks that need to be performed by different roles in your organization. Here is a summary of the roles and tasks performed by each:
| Role | Set up tasks | Maintenance tasks |
|---|---|---|
| Tenancy Administrator |
|
|
| Security Administrator |
|
|
| Fusion Applications Administrator |
|
|
Setup Tasks for the Tenancy Administrator
The tenancy administrator performs the tasks to set up the tenancy for the security administrator and fusion applications administrator to enable and manage customer-managed keys.
It is recommended that you create a distinct security administrator group to limit access to the security features of your Fusion Applications environments.
The policy for the security administrator group allows the group to manage vaults and keys but does not allow deletion. The policy is:
allow group '<identity-domain-name'/'<your-group-name>' to manage keys in <location> where request.permission not in ('KEY_DELETE')
allow group '<identity-domain-name'/'<your-group-name>' to manage vaults in <location> where request.permission not in ('VAULT_DELETE')
See Managing Oracle Cloud Users with Specific Job Functions for the procedures to create groups and policies to define roles, including the specific required permissions for the security administrator role.
read permissions for vaults
and keys. The read permission enables the FA administrator to:- Choose the vault and key during configuration.
- Verify key rotation.
- View the vault and keys in the OCI Vault service for troubleshooting.
To add the permissions for the Fusion Applications Administrator:
- See the procedure Managing Oracle Cloud Users with Specific Job Functions , which describes creating the Fusion Applications administrator role.
- Add the following statements to the Fusion Applications Environment Administrator role, if not already present:
Allow group '<identity-domain-name'/'<your-group-name>' to read vaults in compartment <location> Allow group '<identity-domain-name'/'<your-group-name>' to read keys in compartment <location> Allow group '<identity-domain-name'/'<your-group-name>' to use key-delegate in compartment <location>
Ensure that you replace all <location> variables with the name of the compartment where the vault and keys were created.
The policy to enable customer-managed keys must be added before you add the vault and key to your environment. If this policy is not added, your environment will not complete provisioning (if added during environment creation) or will not complete the maintenance cycle (if added to an existing environment).
Create a policy with the following statements:
define tenancy fusionapps1 as ocid1.tenancy.oc1..aaaaaaaau5s6lj67ia5vy6qjglhvquqdszjqlmvlmsetu4jrtjni4mng6hea
define tenancy fusionapps2 as ocid1.tenancy.oc1..aaaaaaaajgaoycccrtt3l3vnnlave6wkc2zbf6kkksq66begstczxrmxjlia
define dynamic-group fusionapps1_environment as ocid1.dynamicgroup.oc1..aaaaaaaa5wcbybhxa5vqcvniefoihlvnidty4fk77fitn2hjhd7skhzaadqq
define dynamic-group fusionapps2_environment as ocid1.dynamicgroup.oc1..aaaaaaaaztbusgx23a3jdpvgxqx6tkv2nedgxld6pj3w7hcvhfzvw5ei7fiq
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to manage keys in compartment <location>
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to use vaults in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to manage keys in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to use vaults in compartment <location>
allow service keymanagementservice to manage vaults in tenancy
allow any-user to read keys in tenancy where all {request.principal.type = 'fusionenvironment'}
allow any-user to read vaults in tenancy where all {request.principal.type = 'fusionenvironment'}The preceding policy is for tenancies in the Commercial Cloud (OC1 realm) only. If your Fusion Applications environment is in any other realm (for example, Oracle US Government Cloud, United Kingdom Government Cloud, etc.), then you must Open a Support Request to get the correct policy.
Ensure that you replace all <location> variables with the name of the compartment where the vault and keys were created.
If you create vaults and keys in multiple compartments, create a policy for each compartment. Alternatively, you can create the policy to allow access to the tenancy, which allows access to all compartments.
Setup Tasks for the Security Administrator
The security administrator sets up the vaults and keys and gives the information to the Fusion Applications administrator to add them to the environment.
Follow the procedure Creating a Vault in the Vault documentation.
The basic vault type is included in your Break Glass service subscription. When you create a vault, you have the option to Make it a virtual private vault. This vault type uses a dedicated partition for your vault and is not included in your Break Glass service subscription. If you select Make it a virtual private vault you will incur additional charges. For more information about vault types, see Key and Secret Management Concepts.
It is recommended that you create 2 vaults: one for your production environment keys and one for your non-production environment keys.
After you create the vaults, replicate the vault you created for your production environment. The replicated vault is used for disaster recovery.
- Verify the disaster recovery region pairing for the region where your production Fusion Applications environment is located. See Disaster Recovery Support for the list of region pairings.
- Subscribe to the region listed as the pairing for your region. To subscribe to a region, see Subscribing to an Infrastructure Region.
- Replicate the vault you created for your production environment by following the steps at Replicating Vaults and Keys. When you select the destination region for replication, ensure to choose the disaster recovery region you subscribed to in the previous step.
Follow the procedure Creating a Master Encryption Key in the Vault documentation or, to import your own keys follow the procedures in Getting Public RSA Wrapping Key and Applying RSA-OAEP with AES to Wrap Key Material.
You must make the following selections when creating keys for Fusion Applications:
- For Key Shape: Algorithm, select AES (Symmetric key used for Encrypt and Decrypt (you must select this option for Fusion Applications customer-managed keys).
- For Key Shape: Length, select 256 bits.
It is recommended you create one key in the production vault for your production environment and one key for each non-production environment in your non-production vault.
After you create the vault and keys give the vault compartment name, vault name, and key name (and key compartment name, if different) to the Fusion Applications administrator.
Adding Customer-Managed Keys to New and Existing Environments
The Fusion Applications administrator adds the customer-managed keys to the environments. This can be performed either during environment creation or after the environment has already been created. For existing environments, Oracle provides the administrator a choice of time windows to schedule the update. For new environments, the keys are added at the time of environment provisioning, and no scheduling is required.
After customer-managed keys have been enabled, the administrator can also change a key in an environment.
Prerequisites:
- The subscription has been added to the environment family. If the subscription has not been added, you won't see the option to choose customer-managed key.
- The Security Administrator has created the vault and key.Note
The basic vault type is included in your Break Glass service subscription. When you create a vault, you have the option to Make it a virtual private vault. This vault type uses a dedicated partition for your vault and is not included in your Break Glass service subscription. If you select Make it a virtual private vault you will incur additional charges. For more information about vault types, see Key and Secret Management Concepts. - The Tenancy Administrator has set up the system policy to enable customer-managed keys in your tenancy.
- The Tenancy Administrator has created a policy for the Fusion Applications Administrator to read vaults and keys and associate them to Fusion Applications environments.
This procedure includes only the steps for enabling the customer-managed key. See Environment Management Tasks for the full procedure for creating an environment.
On the environment creation page:
- Select Show advanced options.
- Select the Encryption tab.
-
Select Customer-managed key (recommended).
If you don't see this option, the subscription has not been added to the environment family.
- Select the Vault. If your vault is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment.
- Select the Key. If your key is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment. Only AES-256-bit keys are displayed.
After you complete all the steps to set up the environment, the provisioning process begins. Adding the customer-managed key adds time to the provisioning process. While the key is being enabled, you'll see a message alerting you that the environment is unavailable.
- When you enable a customer-managed key on an existing environment, the encryption isn't performed immediately. The option is enabled during a scheduled update, which can be during the next scheduled maintenance cycle, or at one of two other times provided by Oracle. The two alternate times for your environment are displayed in the OCI Console when you open the Edit encryption dialog to request the update. Note that in the list of displayed time windows for scheduling the update, the regular maintenance window is the last entry in the list of choices. See To enable a customer-managed key for an existing environment in this topic for details.
-
If you choose to enable customer-managed keys during one of the two alternate times Oracle provides for enabling this option, you can reschedule or cancel this update in the OCI Console without contacting Oracle Support, as long as the update is in the "Scheduled" state. If the update is in progress or complete, you cannot cancel or undo the update.
If you choose to enable customer-managed keys during the next scheduled maintenance, and then need to reschedule or cancel the encryption update, you must contact Oracle Support to cancel or reschedule.
- If you're enabling customer-managed keys outside of a regularly scheduled maintenance, ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer managed keys while the refresh is taking place.
- Until the update is made to enable customer-managed keys, the environment will continue to be encrypted by the Oracle-managed key.
To enable a customer-managed key for an existing environment:
- Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
- Under Resources, select Security. The Encryption tab is displayed.
- By default, the Type is Oracle-managed. Select Edit encryption to add your vault and key.
If you don't see the edit option, either you haven't added the appropriate options or the environment is updating.
-
Select Customer-managed key.
- Select the Vault. If your vault isn't in the same compartment that you're creating your environment in, select Change Compartment and select the appropriate compartment. If you're using disaster recovery (DR), you must select a vault that supports replication. All private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to determine if a virtual vault supports replication.
- Select the Master encryption key. If your key isn't in the same compartment that you're creating your environment in, select Change Compartment and select the appropriate compartment. Only AES-256-bit keys are displayed.
-
In the Encryption update schedule section, select the time window to specify the time you would like the encryption management update to begin. Up to three dates are displayed, depending on when the next scheduled maintenance run for the environment is.
Note that one of the dates in the list of choices is the date of the next scheduled maintenance. If you select the date of the next scheduled maintenance, hint text displays the message "The selected date above is the next scheduled maintenance date."
The hint text for the next scheduled maintenance date appears as shown in the following image:
Note the following:
- By default, the time window shows the option of your next scheduled maintenance update. If you use this option and need to cancel or reschedule the update to enable customer-managed keys, you must contact Oracle Support.
- Oracle provides two time windows that are not the time of your next scheduled maintenance update. If you select one of these two windows, you can use the OCI Console to cancel or reschedule the update to enable customer-managed keys.
- Select Submit to request the update that enables customer-managed keys in your environment.
The message at the bottom of the window displays when the encryption is scheduled to occur. The encryption is performed during the time window you specified. Until the maintenance occurs, the environment remains encrypted by the Oracle-managed key.
If you need reschedule or cancel the update for customer managed keys, see the instructions in To Reschedule or Cancel an Update to Enable Customer-Managed Keys.
Rescheduling or Canceling an Update to Enable Customer-Managed Keys
You can reschedule or cancel an update to switch to customer managed keys as long as the update status is "scheduled." How you do this depends on whether the update is scheduled to take place during regular maintenance, or outside the regular maintenance window.
- Updates scheduled during regular maintenance: If you submitted a request to enable customer-managed keys during a regularly scheduled maintenance, contact Oracle Support to cancel or reschedule the enabling of customer-managed keys.
- Updates scheduled outside of a maintenance window: If you specified a time window for the enabling of customer-managed keys that wasn't during regularly scheduled maintenance, you can cancel or reschedule the update yourself in the OCI Console, using the instructions in this topic.
To reschedule or cancel an update to switch to customer-managed keys, the update status must be "scheduled." If the update is in progress or complete, the update can't be canceled or undone.
These instructions only apply to updates scheduled outside of the regular maintenance window. The status for the update must be "scheduled" to use these instructions. If your update to enable customer-managed keys is scheduled to take place during regular maintenance, contact Oracle Support for help.
- Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
- Under Resources, select Security. The Encryption tab is displayed.
- In the table of encryption options, find the "Customer managed" row and select the Actions menu (
) and then select Reschedule or Cancel. -
Reschedule only: If you are rescheduling the update for Customer-Managed Keys, select a new date using the drop-down menu, then select Submit.
Note
If you're enabling customer-managed keys outside of a regularly scheduled maintenance, ensure that the time you pick for the update doesn't conflict with other important environment activities, such as a refresh operation. For refresh operations, this means that neither the source nor the target environment can be updated for customer managed keys while the refresh is taking place.Cancel only: If you're canceling the update, type in the environment name to confirm that you want to cancel the update, and then select Cancel scheduled key.
Viewing Key Status and Details
To view key status and details:
- Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
- Under Resources, select Security. The Encryption tab is displayed.
If the key has been added, but the maintenance cycle has not yet run, the Key status will show as Scheduled.
You can select the Vault and Key names to navigate to these resources.
Changing and Rotating Keys
You can change the master encyrption key and rotate key versions as needed.
- Navigate to the environment: On the Applications Home of the Console, select Fusion Applications. On the Overview page, find the environment family for the environment, and then select the environment name.
- Under Resources, select Security.
- Select the Encryption tab.
- Select Change encryption key.
-
In the Change encryption key panel, select a Vault. If you're using disaster recovery (DR), you must select a vault that supports replication. All private vaults support replication. For virtual vaults, see Replicating Vaults and Keys for information on how to find out if a virtual vault supports replication.
If the selected vault is in a different compartment, you might need to create IAM policies for vault access. See 3. Add the System Policy to Enable Customer-Managed Keys in Your Tenancy for details.
- Select a Master encryption key.
- Select Submit, then confirm that you want to change the key.
You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the Vault service Console UI. See Key and Secret Management Concepts for more details on key versions.
Before you can rotate a key, the following conditions must be met:
- The environment Lifecycle state must be Active and the Health status must be Available.
- You must not have met the limit of key versions available for the vault. Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, so frequent P2Ts will also reduce the number of remaining key versions in a vault.
What to expect during key rotation:
- There is no downtime, and the Health status of the environment remains as Available.
- A banner message on the environment details page is displayed to alert you that rotation is in progress.
- The Key status shows as Rotation in progress.
To Rotate a Key
Follow the procedure Rotating a Vault Key in the Vault documentation.
To Verify Key Rotation
After you rotate a key, you can verify the rotation in the environment details page:
- Navigate to the environment: On the Applications Home under My applications, select Fusion Applications, and then select the environment name. The environment details page is displayed.
- Under Resources, select Security. The Encryption tab is displayed.
- Select the Key version to verify that it corresponds to the version in the Vault service.
Disabling and Enabling Keys
If you encounter a situation in which you want to shut down Fusion Applications and access to the Fusion database, your security administrator can disable the key to immediately force all users out of the system.
Disabling a key may result in loss of data. If the key is disabled, Fusion Applications cloud service will proactively try to shut down the environment to minimize the chance of failures while the environment is being used. Once the key is disabled, however, the environment cannot be restarted until it is enabled again. While the key remains in a disabled state, no Fusion Applications cloud service will be able to access any previously saved customer data.
- The Health status of the environment is updated to Unvailable. The Lifecycle state is updated to Disabled. All users are forced out of the application.
- A banner message on the environment details page is displayed to alert you that the encryption has been disabled.
- The Key status shows as Disabled.
When you initiate the disabling of a key, a series of processes takes place to shut down the components of the environment (e.g., the database services, the middle tier, the load balancers), which can take up to an hour to complete. Do not attempt to re-enable a key until these processes have completed.
Similarly, when you initiate the enabling of a key, the completion of the set of processes to bring the system back up can take up to an hour.
To Disable a Key
Follow the procedure Disabling a Vault Key in the Vault documentation.
To Enable a Key
Follow the procedure Enabling a Vault Key in the Vault documentation.
Deleting Keys
The permissions granted to the security administrator role do not include delete for keys and vaults. The deletion of keys and vaults is a highly destructive operation and should be performed only by the tenancy administrator in rare circumstances.
When a tenancy administrator deletes a key, any data or any OCI resource (including your Fusion Applications database) that is encrypted by this key will be unusable or irretrievable immediately.
We strongly recommend that you back up a key before you schedule the key for deletion. With a backup, you can restore the key and the vault if you want to continue using the key again later.
For more information, see Deleting a Vault Key.