Customer-Managed Keys for Oracle Break Glass

Secure your Fusion Applications environments with Oracle Break Glass and customer-managed keys.

By default, your Fusion Applications environments are protected by Oracle-managed encryption keys. By subscribing to the Oracle Break Glass service, you are offered the customer-managed keys feature that allows you to provide and manage the encryption keys that protect your environments. You can also purchase this option as an add-on subscription.

Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure the data stored at rest in your production and non-production environments. You can set up keys on your environment either during environment creation or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.

Best Practices for Setting Up and Managing Vaults and Keys

It is a best practice to create separate vaults for production and non-production environments. Within the non-production vault, create separate keys for your test and development environments. For example, you might create the following:

Environment    Vault                     Master encryption key
Production     my-production-vault       my-production-key
Test           my-nonproduction-vault    my-test-environment-key
Development    my-nonproduction-vault    my-development-environment-key

Benefits of separate vaults for production and non-production:

  • Maintaining separate vaults allows for independent rotation of keys for production and non-production environments.
  • There is a limit to the number of keys per vault. Having separate vaults provides a separate count for production and non-production.
Important

Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, therefore frequent P2Ts will reduce the number of remaining key versions more quickly in a vault.

You can verify your key limits and usage by viewing the Limits, Quotas and Usage page where your resource limits, quotas, and usage for the specific region are displayed, broken out by service:

  1. In the Console, open the navigation menu and click Governance & Administration. Under Tenancy Management, click Limits, Quotas and Usage.
  2. From the Service list, select Key Management.

    Verify the key limits for: Key Version Count for Virtual Vaults or Software Key Version Count for Virtual Vaults, as appropriate for the key type you chose to use.

Setting Up Customer-Managed Keys

Fusion Applications leverages the OCI Vault service to enable you to create and manage encryption keys to secure your production and non-production environments. You can set up keys on your environment either during environment creation or you can add the key to an existing environment. If you add the configuration on an existing environment, encryption of the environment will occur during the next scheduled maintenance cycle.

Overview of Setup Tasks and Roles

Managing customer-managed keys involves tasks that need to be performed by different roles in your organization. Here is a summary of the roles and tasks performed by each:

Tenancy Administrator
  Setup tasks:
  • Creates compartments for vaults and keys
  • Creates the Security Administrator group, adds admin users to the group, and creates a policy for the group to be able to manage vaults and keys.
  • Adds the system policy to enable customer-managed keys to be used by Fusion Applications
  • Adds permissions to allow the Fusion Applications Administrator to read vaults and keys
  Maintenance tasks:
  • None

Security Administrator
  Setup tasks:
  • Creates the vaults for production and non-production environments
  • Creates the keys for production and non-production environments
  • Provides vault and key information to the Fusion Applications Administrator to add to the environments
  Maintenance tasks:
  • Rotates keys
  • Verifies key rotation
  • Disables keys (if necessary)

Fusion Applications Administrator
  Setup tasks:
  • Enables customer-managed keys in production and non-production environments
  Maintenance tasks:
  • Verifies key rotation

Setup Tasks for the Tenancy Administrator

The tenancy administrator performs the tasks that set up the tenancy so that the security administrator and the Fusion Applications administrator can enable and manage customer-managed keys.

1. Create the Security Administrator Group

It is recommended that you create a distinct security administrator group to limit access to the security features of your Fusion Applications environments.

The policy for the security administrator group allows the group to manage vaults and keys but does not allow deletion. The policy is:

allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in <location> where request.permission not in ('KEY_DELETE')
allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in <location> where request.permission not in ('VAULT_DELETE')

See Managing Oracle Cloud Users with Specific Job Functions for the procedures to create groups and policies to define roles, including the specific required permissions for the security administrator role.

2. Add Permissions for the Fusion Applications Administrator
The Fusion Applications administrator needs read permissions for vaults and keys. The read permission enables the FA administrator to:
  • Choose the vault and key during configuration.
  • Verify key rotation.
  • View the vault and keys in the OCI Vault service for troubleshooting.

To add the permissions for the Fusion Applications Administrator:

  1. See the procedure Managing Oracle Cloud Users with Specific Job Functions, which describes creating the Fusion Applications administrator role.
  2. Add the following statements to the Fusion Applications Environment Administrator role, if not already present:
    
    Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in compartment <location>
    Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in compartment <location>
    Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in compartment <location>

Ensure that you replace all <location> variables with the name of the compartment where the vault and keys were created.

3. Add the System Policy to Enable Customer-Managed Keys in Your Tenancy
Important

This policy must be added before you add the vault and key to your environment. If this policy is not added, your environment will not complete provisioning (if added during environment creation) or will not complete the maintenance cycle (if added to an existing environment).

Create a policy with the following statements:

define tenancy fusionapps1 as ocid1.tenancy.oc1..aaaaaaaau5s6lj67ia5vy6qjglhvquqdszjqlmvlmsetu4jrtjni4mng6hea
define tenancy fusionapps2 as ocid1.tenancy.oc1..aaaaaaaajgaoycccrtt3l3vnnlave6wkc2zbf6kkksq66begstczxrmxjlia
define dynamic-group fusionapps1_environment as ocid1.dynamicgroup.oc1..aaaaaaaa5wcbybhxa5vqcvniefoihlvnidty4fk77fitn2hjhd7skhzaadqq
define dynamic-group fusionapps2_environment as ocid1.dynamicgroup.oc1..aaaaaaaaztbusgx23a3jdpvgxqx6tkv2nedgxld6pj3w7hcvhfzvw5ei7fiq
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to manage keys in compartment <location>
admit dynamic-group fusionapps1_environment of tenancy fusionapps1 to use vaults in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to manage keys in compartment <location>
admit dynamic-group fusionapps2_environment of tenancy fusionapps2 to use vaults in compartment <location>
allow service keymanagementservice to manage vaults in tenancy
allow any-user to read keys in tenancy where all {request.principal.type = 'fusionenvironment'}
allow any-user to read vaults in tenancy where all {request.principal.type = 'fusionenvironment'}

Ensure that you replace all <location> variables with the name of the compartment where the vault and keys were created.

If you create vaults and keys in multiple compartments, create a policy for each compartment. Alternatively, you can create the policy to allow access to the tenancy, which allows access to all compartments.
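The security administrator policy and the system policy above are edited by hand, and the page calls out the edits that must not be missed (replacing every <location>, quoting the group subject, keeping the delete exclusions). The following is an added example, not Oracle's code or tooling: a small linter that checks a policy text for those three points before it is created in the Console. The domain, group and compartment names in the sample statements are constructed for illustration.

```python
import re

# Added example, not from the Oracle documentation. The policy statements below
# are constructed samples: an unedited statement with placeholders still in place
# and one misplaced quote, the same statements after editing, and an over-broad one.
UNEDITED = ("allow group '<identity-domain-name'/'<your-group-name>' to manage keys "
            "in <location> where request.permission not in ('KEY_DELETE')")

EDITED = """
allow group 'example-domain'/'fa-security-admins' to manage keys in compartment fa-keys where request.permission not in ('KEY_DELETE')
allow group 'example-domain'/'fa-security-admins' to manage vaults in compartment fa-keys where request.permission not in ('VAULT_DELETE')
"""

TOO_BROAD = "allow group 'example-domain'/'fa-security-admins' to manage keys in compartment fa-keys"

PLACEHOLDER = re.compile(r"<[^<>]+>")
GROUP_STMT = re.compile(r"^(allow|admit)\s+group\b", re.I)
# Subject form used on this page: 'identity-domain'/'group-name', each part quoted.
GROUP_SUBJECT = re.compile(r"^(allow|admit)\s+group\s+'[^'<>]+'/'[^'<>]+'\s+to\b", re.I)
FULL_MANAGE = re.compile(r"\bto manage (keys|vaults)\b", re.I)
DELETE_GUARD = {"keys": "KEY_DELETE", "vaults": "VAULT_DELETE"}


def lint_policy(text):
    """Return [(line_number, message)] for problems found in an OCI policy text."""
    findings = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # 1. <location>, <your-group-name> etc. must be replaced before the policy is created.
        for ph in PLACEHOLDER.findall(line):
            findings.append((n, f"unreplaced placeholder {ph}"))
        # 2. Group subjects must be quoted as 'domain'/'group' with no stray angle brackets.
        if GROUP_STMT.match(line) and not GROUP_SUBJECT.match(line):
            findings.append((n, "group subject must be written as 'domain'/'group'"))
        # 3. A user group given manage on keys or vaults should exclude the delete permission,
        #    as the security administrator policy does. The admit dynamic-group statements
        #    for the Fusion Applications service principals are not subject to this check.
        m = FULL_MANAGE.search(line)
        if m and line.lower().startswith("allow group"):
            guard = DELETE_GUARD[m.group(1).lower()]
            if guard not in line:
                findings.append((n, f"manage {m.group(1).lower()} granted to a group "
                                    f"without excluding {guard}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("UNEDITED", UNEDITED), ("EDITED", EDITED), ("TOO_BROAD", TOO_BROAD)):
        print(name, lint_policy(policy) or "ok")
```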

Setup Tasks for the Security Administrator

The security administrator sets up the vaults and keys and gives the information to the Fusion Applications administrator to add them to the environment.

1. Create Vaults for the Environments

Follow the procedure Creating a Vault in the Vault documentation.

It is recommended that you create 2 vaults: one for your production environment keys and one for your non-production environment keys.

After you create the vaults, replicate the vault you created for your production environment. The replicated vault is used for disaster recovery.

  1. Verify the disaster recovery region pairing for the region where your production Fusion Applications environment is located. See Disaster Recovery Support for the list of region pairings.
  2. Subscribe to the region listed as the pairing for your region. To subscribe to a region, see Subscribing to an Infrastructure Region.
  3. Replicate the vault you created for your production environment by following the steps at Replicating Vaults and Keys. When you select the destination region for replication, ensure to choose the disaster recovery region you subscribed to in the previous step.
2. Create Keys

Follow the procedure Creating a Master Encryption Key in the Vault documentation.

You must make the following selections when creating keys for Fusion Applications:

  • For Key Shape: Algorithm, select AES (Symmetric key used for Encrypt and Decrypt). You must select this option for Fusion Applications customer-managed keys.
  • For Key Shape: Length, select 256 bits.

It is recommended you create one key in the production vault for your production environment and one key for each non-production environment in your non-production vault.

3. Give the Vault and Key Information to the Fusion Applications Administrator

After you create the vault and keys give the vault compartment name, vault name, and key name (and key compartment name, if different) to the Fusion Applications administrator.

Setup Tasks for the Fusion Applications Administrator

The Fusion Applications administrator adds the customer-managed keys to the environments. This can be performed either during environment creation or after the environment has already been created.

Prerequisites:

Adding Customer-Managed Key During Environment Creation

This procedure includes only the steps for enabling the customer-managed key. See Environment Management Tasks for the full procedure for creating an environment.

On the environment creation page:

  1. Click Show advanced options.
  2. Click the Encryption tab.
  3. Select Customer-managed key (recommended).

    Create environment flow, highlighting the Customer-managed key selection

    If you don't see this option, the subscription has not been added to the environment family.

  4. Select the Vault. If your vault is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment.
  5. Select the Key. If your key is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment. Only AES-256-bit keys are displayed.

After you complete all the steps to set up the environment, the provisioning process begins. Adding the customer-managed key adds time to the provisioning process. While the key is being enabled, you'll see a message alerting you that the environment is unavailable.

Adding Customer-Managed Key for an Existing Environment
Important

When you enable a customer-managed key on an existing environment the encryption is not performed immediately. The encryption with the new key is performed during the next scheduled maintenance cycle. After you have added the key, to change the scheduled encryption, you must contact support. Until the maintenance cycle, the environment will continue to be encrypted by the Oracle-managed key.

To enable a customer-managed key for an existing environment:

  1. Navigate to the environment: On the Applications tab of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then click the environment name.
  2. Under Resources, click Security. The Encryption tab is displayed.
  3. By default, the Type is Oracle-managed. Click Edit encryption key to add your vault and key.

    If you don't see the edit option, either you have not added the appropriate options or the environment is updating.

  4. Select Customer-managed key.

    Adding a customer-managed key to an existing environment, highlighting the Customer-managed key selection
  5. Select the Vault. If your vault is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment.
  6. Select the Key. If your key is not in the same compartment that you are creating your environment in, you need to click Change Compartment and choose the appropriate compartment. Only AES-256-bit keys are displayed.
  7. Click Save changes.

The message at the bottom of the window displays when the encryption is scheduled to occur. The encryption is performed in the next maintenance cycle or patch update. Until the maintenance occurs, the environment remains encrypted by the Oracle-managed key.

Viewing Key Status and Details

To view key status and details:

  1. Navigate to the environment: On the Applications tab of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then click the environment name.
  2. Under Resources, click Security. The Encryption tab is displayed.

If the key has been added, but the maintenance cycle has not yet run, the Key status will show as Scheduled.

You can click the Vault and Key names to navigate to these resources.

Rotating Keys

You rotate keys based on your organization's security practice. You can set up a CLI job to automatically rotate the keys, or your designated security administrator can rotate them manually through the Vault service Console UI. See Key and Secret Management Concepts for more details on key versions.

Before you can rotate a key, the following conditions must be met:

  • The environment Lifecycle state must be Active and the Health status must be Available.
  • You must not have met the limit of key versions available for the vault. Production-to-test refreshes where the test environment uses customer-managed keys will also consume key versions, so frequent P2Ts will also reduce the number of remaining key versions in a vault.

What to expect during key rotation:

  • There is no downtime, and the Health status of the environment remains as Available.
  • A banner message on the environment details page is displayed to alert you that rotation is in progress.
  • The Key status shows as Rotation in progress.

To Rotate a Key

Follow the procedure Rotating a Vault Key in the Vault documentation.

To Verify Key Rotation

After you rotate a key, you can verify the rotation in the environment details page:

  1. Navigate to the environment: On the Applications tab of the Console, click Fusion Applications. On the Overview page, find the environment family for the environment, and then click the environment name.
  2. Under Resources, click Security. The Encryption tab is displayed.
  3. Click the Key version to verify that it corresponds to the version in the Vault service.

Disabling and Enabling Keys

If you encounter a situation in which you want to shut down Fusion Applications and access to the Fusion database, your security administrator can disable the key to immediately force all users out of the system.

Warning

Disabling a key may result in loss of data. If the key is disabled, Fusion Applications as a Service will proactively try to shut down the environment to minimize the chance of failures while the environment is being used. Once the key is disabled, however, the environment cannot be restarted until it is enabled again. While the key remains in a disabled state, no Fusion Applications cloud service will be able to access any previously saved customer data.

What to expect when you disable a key:
  • The Health status of the environment is updated to Unavailable. The Lifecycle state is updated to Disabled. All users are forced out of the application.
  • A banner message on the environment details page is displayed to alert you that the encryption has been disabled.
  • The Key status shows as Disabled.
Note

When you initiate the disabling of a key, a series of processes takes place to shut down the components of the environment (e.g., the database services, the middle tier, the load balancers), which can take up to an hour to complete. Do not attempt to re-enable a key until these processes have completed.

Similarly, when you initiate the enabling of a key, the completion of the set of processes to bring the system back up can take up to an hour.

Deleting Keys

The permissions granted to the security administrator role do not include delete for keys and vaults. The deletion of keys and vaults is a highly destructive operation and should be performed only by the tenancy administrator in rare circumstances.

When a tenancy administrator deletes a key, any data or any OCI resource (including your Fusion Applications database) that is encrypted by this key will be unusable or irretrievable immediately.

We strongly recommend that you back up a key before you schedule the key for deletion. With a backup, you can restore the key and the vault if you want to continue using the key again later.

For more information, see Deleting a Vault Key.