Oracle Key Vault 21.3 nShield® HSM Integration Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

This guide describes how to integrate Entrust nshield Hardware Security Module (HSM) with Oracle Key Vault.

The HSM generates and stores a Root of Trust (RoT) which protects the security objects used by Oracle Key Vault to safeguard users' keys and credentials. The HSM can be used in FIPS 140-2 Level 2 or Level 3 mode to meet compliance requirements.

Note that:

An Oracle Key Vault cluster node can have multiple HSMs enrolled, as long as the HSMs are in the same Security World.
An existing Oracle Key Vault deployment cannot be migrated to use an HSM as a RoT.
Oracle Key Vault can function only if the RoT stored in the HSM is available.
To restart or restore Key Vault in HSM mode when Operator Card Set (OCS) protection is used, the OCS for the HSM must be in slot 0 of the HSM.

Product configurations

Entrust has successfully tested nshield HSM integration with Oracle Key Vault in the following configurations:

Product	Version
Operating System	Oracle Linux 7 64-bit
Oracle Key Vault Version	21.3

Supported nshield hardware and software versions

Entrust has successfully tested with the following nshield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.60.11	12.50.11	12.60.10	✓	✓	✓
12.80.4	12.50.11	12.80.4	✓	✓	✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.60.11	12.50.8	12.60.10	✓	✓	✓
12.80.4	12.50.8	12.80.4	✓	✓	✓

Supported nshield functionality

Feature	Support	Feature	Support	Feature	Support
Key generation	Yes	1-of-N Operator Card Set	Yes	FIPS 140-2 Level 3 support	Yes
Key management	Yes	k-of-N Operator Card Set	No	Common Criteria support	Yes
Key import	Yes	Softcards	Yes	Load sharing	Yes
Key recovery	Yes	Module-Only key	Yes	Fail over	Yes

Requirements

Before installing these products, read the associated documentation:

For the nshield HSM: Installation Guide and User Guide .
If nshield Remote Administration is to be used: [.cite]nshield Remote Administration User Guide_.
Oracle Key Vault documentation ( https://docs.oracle.com/en/database/oracle/key-vault ).

In addition, the integration between nshield HSMs and Oracle Key Vault requires:

A separate non-HSM machine on the network to use as the Remote File System for the HSM. The RFS machine can also be used as a client to the HSM, to allow presentation of Java Cards using nshield Remote Administration. See the [.cite]nshield Remote Administration User Guide_.
PKCS #11 support in the HSM.
A correct quorum for the Administrator Card Set (ACS).
Operator Card Set (OCS), Softcard, or Module-Only protection.

If OCS protection is to be used, a 1-of-N quorum must be used.
Firewall configuration with usable ports:
- 9004 for the HSM (hardserver).
- 8200 for Key Vault.

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

Whether your Security World must comply with FIPS 140-2 Level 3 standards.

If using FIPS Restricted mode, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nshield HSM.
Whether to instantiate the Security World as recoverable or not.

More information

For more information about OS support, contact your Oracle Key Vault sales representative or Entrust nshield Support, https://nshieldsupport.entrust.com .

Procedures

The high-level procedure to install and configure one or more Oracle Key Vault servers with one or more nshield HSMs is as follows:

Install the required number of instances of Oracle Key Vault. For instructions, see the Oracle Key Vault documentation.
Install and configure the required number of HSMs and the Security World software, including setting up the Remote File System (RFS) or Remote Administration. For instructions, see the Installation Guide for your HSM.
- nshield HSMs require a separate non-HSM machine on the network to use as the RFS. You must set up this machine and copy the nshield Security World Software files to it before you install the HSM client software on Oracle Key Vault servers.
- All enrolled HSMs must be in the same Security World and must have access to the OCS in slot 0 if OCS-protection is used. If the HSM whose slot 0 is used is enrolled on each of the Key Vault servers, the Key Vault web user interface has access to all of the HSMs, as long as they are in the same Security World.
- If dynamic slots are to be used on the HSMs, set up Remote Administration and configure slot mapping.
Install the HSM client software on the Oracle Key Vault server(s).
Enroll the Key Vault(s) as client(s) of the HSM(s).
Enable HSM mode in the Oracle Key Vault web user interface.
If you have a high availability Oracle Key Vault environment, enroll your HSM and configure initialization of the HSM in each of the nodes.

Install HSM client software on the Key Vault server

Perform these steps on the Oracle Key Vault server.

If you have a high availability Oracle Key Vault environment, perform these steps:

In a primary-standby architecture, on both the primary and the standby.
In a cluster architecture, on each Key Vault instance to be added to the cluster.

To install HSM client software on the Key Vault server:

Log into the Oracle Key Vault server as the support user using SSH:

$ ssh support@<okv_instance>
<Enter the support user password when prompted>

Switch to root:
```
$ su root
```
Install the latest version of the Security World software as described in the Installation Guide for the HSM.

Note
Entrust recommends that you uninstall any existing nshield software before installing the new nshield software.
Create the Security World as described in the User Guide , creating the ACS and OCS that you require.
As root on the Key Vault server, add the nfast group to the oracle user:
```
root# usermod -a -G nfast oracle
```

Switch to the oracle user, and verify the installation:

root# su oracle
oracle$ PATH=/opt/nfast/bin:$PATH
oracle$ export PATH
oracle$ enquiry

The mode should say operational in the output. For example:

Server:
enquiry reply flags  none
enquiry reply level  Six
serial number        nnnn-nnnn-nnnn
mode                 operational
version              12.60.7
speed index          15843

Restart the Oracle Key Vault server for the group change to take effect.

Note
To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.
As the root user, set firewall rules to enable port 9004 for the hardserver (the client process in the nshield Security World software that communicates with the HSM).

Enroll Key Vault as a client of the HSM

Add the Key Vault server IP address to the client list on the HSM using the front panel or via an update to the Connect configuration file. For instructions, see the User Guide for your HSM.
- Select privileged on any port.
- If you have a high availability Oracle Key Vault environment, add the IP addresses of all Key Vault servers to the client list on all HSMs.

Switch to the oracle user:

root# su oracle
oracle$ PATH=/opt/nfast/bin:$PATH
oracle$ export PATH

To obtain the ESN and keyhash for the nethsmenroll command in the next step, run the anonkneti command:
```
anonkneti <HSM IP address>
```

On the Key Vault server, enroll with the HSM:

oracle$ nethsmenroll --privileged <HSM IP address> <HSM ESN> <HSM keyhash>

Run the following command:
```
enquiry
```
Verify that the HSM mode is operational and the hardware status is OK.

Configure TCP sockets:

oracle$ config-serverstartup --enable-tcp --enable-privileged-tcp

Switch to root and restart the hardserver:

oracle$ su root
root# /opt/nfast/sbin/init.d-ncipher restart

On the Remote File System machine, run the following command:

rfs-setup --gang-client --write-noauth <IP address of your Key Vault server>

If OCS protection is intended to be used but the Security World has not been created yet, edit the cardlist file to enable Java Cards for use through dynamic slots. If the Security World has been created with this RFS, this configuration is already enabled.
1. Go to the following directory on the RFS:
  #/opt/nfast/kmdata/config
2. Open the cardlist file in a text editor.
3. Add an asterisk (*) to authorize all Java Cards for dynamic slots.
  
  If only certain Java Cards are authorized for this use, list them by their serial number. For example:
  4286005559064791 4286005559064792 4286005559064793
4. Copy the updated cardlist file from the RFS to all clients.

On the Key Vault server as the oracle user, run the following commands:

oracle$ rfs-sync --setup <IP address of Remote File System machine>
oracle$ rfs-sync --update

As the root user, create the /opt/nfast/cknfastrc configuration file for PKCS#11 variables. For information on these variables, see the User Guide for your HSM.
1. OCS protection.
  
  If you are using OCS or Module protection, cknfastrc needs the following set:
  CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm
2. Softcard Protection.
  
  If you are using Softcard protection, then CKNFAST_LOADSHARING must be set. This is not supported alongside the Module-only Key protection settings. See also [{xref_known-issues}] .
  CKNFAST_LOADSHARING=1 CKNFAST_NO_ACCELERATOR_SLOTS=1 CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm
3. Module Protection.
  
  If you are using Module-Only protection, cknfastrc needs the following set:
  CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness;tokenkeys;longterm CKNFAST_FAKE_ACCELERATOR_LOGIN=1

On the Key Vault Server, test PKCS#11 access as follows:

oracle$ /opt/nfast/bin/ckcheckinst

Select a slot number to run a library test. Various slots are displayed, depending on your configuration.

Example 1:

0 Fixed token "accelerator"
1 Operator card "OKV_OCS"

Example 2:

0  Operator card     "OKV_OCS"
1  Soft token        "OKV_Softcard"

Test execution:

Test                      Pass/Failed
----                      -----------

1 Generate RSA key pair   Pass
2 Generate DSA key pair   Pass
3 Encryption/Decryption   Pass
4 Signing/Verification    Pass

Deleting test keys         ok

PKCS#11 library test successful.

Enable HSM mode in Key Vault

After installing HSM software and enrolling Key Vault as an HSM client, you can enable HSM mode with nshield HSM(s) from the Key Vault web user interface. This will protect the Oracle Key Vault Root of Trust key with the HSM.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
Select Settings on the Left menu and then Select HSM under Network Services .

The Hardware Security Module page appears.

The red downward arrow shows the non-initialized Status . The Type field displays None .
Select Initialize .

The Initialize HSM dialog appears.
From the Vendor list, select Entrust .
Enter a password two times: first in HSM Credential and second in Re-enter HSM Credential .
- If you are using OCS protection, then your OCS passphrase needs to be entered in twice with your card presented in slot 0.
- If you are using Softcard protection, then the Softcard passphrase needs to be entered twice.
- If you are using Module-Only protection, enter a password that you set up for this credential check.
  
  Note
  The password will be needed in the future, for example for reverse migration.
Enter the recovery passphrase for Oracle Key Vault.
If you are using token labels, used for OCS protection and Softcards for instance, check the Use Token Label checkbox and enter the name of the token.
Select Initialize .

At the end of a successful initialize operation, the Hardware Security Module page appears. The initialized status is indicated by an green upward arrow. The Type field shows details of the HSM in use.

Note
The Token label is accelerator if Module-Only protection is used.

Note
Only the first two numbers of the firmware are included.
After a successful initialize operation of the nshield HSM, run the following command as the oracle user on the Key Vault server:
```
oracle$ /opt/nfast/bin/rfs-sync --commit
```

Note	If you change the HSM credential on the HSM after initialization, you must also update the HSM credential on the Oracle Key Vault server: In the Vendor list select Entrust , then select `Set Credential` .

Enable the HSM in a primary-standby high availability deployment

In a high availability Oracle Key Vault installation, you must enable the HSM(s) separately on the servers that you plan to designate as primary and standby before pairing them in a high availability configuration. On the primary server, the HSM(s) will be enabled through the Oracle Key Vault web user interface. On the standby server, the command line interface with ssh will be used to enable the HSM(s).

Install Oracle Key Vault on two servers that you mean to designate as primary and standby.
Install the nshield Security World software on each Oracle Key Vault server, see Install HSM client software on the Key Vault server .
Enroll the primary and standby nodes as clients of the HSM, see Enroll Key Vault as a client of the HSM .
From the Oracle Key Vault web user interface, initialize the intended primary server for HSM mode with nshield HSM(s), see Enable HSM mode in Key Vault .

On the primary server, run the following commands as the oracle user:

$ ssh support@<okv_primary_instance>
<Enter password when prompted>
$ su root
root# su oracle
oracle$ rfs-sync --commit
oracle$ cd /usr/local/okv/hsm/wallet
oracle$ scp cwallet.sso support@<okv_standby_instance>:/tmp
oracle$ scp enctdepwd support@<okv_standby_instance>:/tmp
oracle$ cd /usr/local/okv/hsm/restore
oracle$ scp ewallet.p12 support@<okv_standby_instance>:/tmp

On the standby server, run the following commands as the root user:

$ ssh support@<okv_standby_instance>
<Enter password when prompted>
$ su root
root# cd /usr/local/okv/hsm/wallet
root# mv /tmp/enctdepwd .
root# mv /tmp/cwallet.sso .
root# chown oracle *
root# chgrp oinstall *
root# cd /usr/local/okv/hsm/restore
root# mv /tmp/ewallet.p12 .
root# chown oracle *
root# chgrp oinstall *

Continuing as the root user, open the okv_security.conf file for writing:

root# vi /usr/local/okv/etc/okv_security.conf

A sample okv_security.conf file before enabling HSM mode:

SNMP_ENCRYPTION_PWD="snmp_encryption_password"
SNMP_AUTHENTICATION_PWD="snmp_auth_password"
SNMP_USERNAME="snmpuser"
SMTP_TRUSTSTORE_PWD="smtp_truststore_password"
HSM_ENABLED="0"
FIPS_ENABLED="0"
HSM_FIPS_ENABLED="1"
OKV_OCI_INSTALL="DISABLED"
HSM_TOKEN_LABEL=""
HSM_KEY_EXTRACTABLE="0"
OKVAG_LINK_UI="https://docs.oracle.com/en/database/oracle/key-vault/21.3/okvag/"
LDAP_TRACE_LEVEL="1"

Make updates to the okv_security.conf file as follows:
1. Set the variable HSM_ENABLED to 1. If the variable does not exist, add it and set its value to 1.
  HSM_ENABLED="1"
2. Add the following line:
  HSM_PROVIDER="2"
3. If using Softcards or OCS cards, enter the name of the card set:
  HSM_TOKEN_LABEL="card_set_name"
On the standby server, run the rfs-sync --update command as the oracle user:
```
root# su oracle
oracle$ /opt/nfast/bin/rfs-sync --update
```
Without restarting the Oracle Key Vault instances, navigate to the web user interfaces of the primary and standby servers, and configure primary-standby via the Oracle Key Vault web user interface. For information on the configuration and settings, see the Oracle documentation.

Configure an HSM for a multi-master cluster

You can configure HSMs in a multi-master cluster with a single node or multiple nodes. In a multi-master Oracle Key Vault installation, any Key Vault node in the cluster can use any HSM. The nodes in the multi-master cluster can use different TDE wallet passwords (recovery passwords), RoT keys, and HSM credentials.

Note	To ensure complete security, you must HSM-enable all Oracle Key Vault nodes in the cluster.

Note	Entrust recommends that you read https://docs.oracle.com/en/database/oracle/key-vault/21.3/okvag/managing_multimaster.html for details on how to setup clusters.

This guide will set up the cluster from scratch. If you already have a cluster in place, read the documentation above.

To use an HSM within a cluster, you should start with a single node and add additional nodes as needed.

Oracle recommends the following steps to configure an HSM for a multi-master cluster:

Convert an Oracle Key Vault server into the first node (the controller node) of the cluster.
1. Create the cluster by configuring the first node of the cluster.
2. Select the Cluster tab.
3. On the left menu, select Configure .
  
  The Configure as a Candidate Node page appears. For example:
  - For Current Server IP , enter the server IP address.
  - For First Node of Cluster , select Yes if this is the first node, otherwise set it to No .
  - Node Name should be pre-populated with the host name of the OKV server.
  - For Cluster Name , enter the name for the cluster.
  - For Cluster SubGroup , enter the name of the group.
    
    Note
    If any node in the cluster is already HSM-enabled, you cannot add a new node that is not HSM-enabled.
4. Select Convert Candidate Node . The Cluster Information page appears.
If using multiple nodes, add the candidate nodes to the cluster using the controller node.

Refer to https://docs.oracle.com/en/database/oracle/key-vault/21.3/okvag/managing_multimaster.html for details on how to add a candidate node to the cluster.
HSM-enable the controller node (first node).

Follow instructions to enable HSM mode on the first node of the cluster. See Enable HSM mode in Key Vault section on how to do this.
If multiple nodes are being used in the cluster, create an HSM bundle from the controller node and apply it to the candidate node(s).

You can configure HSM for the other nodes by copying information from the HSM-enabled controller node in the cluster. You do that by creating a bundle and applying the bundle to the candidate nodes in the cluster.
- On the contoller node of the cluster (first node), log into the Oracle Key Vault web user interface as a Key Administrator
- Select the System tab.
- On the left side of the System page, select Settings .
- Select HSM under the Network Services section. The Hardware Security Module page appears.
  
  Note
  The controller node must be HSM enabled first.
- Select Create Bundle .
- Enter the HSM Credentials.
- Enter the recovery passphrase.
- Select Create Bundle .
  
  A message indicating the bundle was created successfully appears.
- Log into the controller (first node) HSM-enabled node through SSH as the support user.
  % ssh support@HSMENABLEDNODEIP
- Copy the bundle to the candidate node using the node IP addresses:
  % sudo scp /usr/local/okv/hsm/hsmbundle support@CANDIDATENODEIPADDRESS:/tmp
- Log into the candidate node in the cluster, except the original HSM-enabled node, using the node IP address:
  % ssh support@CANDIDATENODEIPADDRESS
- Perform the following steps to copy the bundle to the /usr/local/okv/hsm location and apply user and group ownership:
  % sudo cp /tmp/hsmbundle /usr/local/okv/hsm/ % sudo chown oracle:oinstall /usr/local/okv/hsm/hsmbundle
- On the candidate node, select Apply Bundle on the Hardware Security Module page in the Web interface. Enter the recovery passphrase.
  
  Note
  If you plan on reverse-migrating the original HSM-enabled node, you must apply the bundle immediately on all nodes first.
HSM-enable the candidate node.

Follow instructions to enable HSM mode on the candidate node of the cluster when using multiple nodes. See Enable HSM mode in Key Vault section on how to do this.

Verify that each HSM is enabled in the cluster.

In the Oracle Key Vault web user interface, select the Cluster tab.
Select Monitoring in the left sidebar.

Check that the Cluster Settings State has all green ticks for HSM:

Note	An enabled HSM does not mean that the HSM is active. The status only indicates whether the HSM is enabled for these nodes. To check whether the HSM is active, use the status information on the Hardware Security Module page of the web user interface.

After you have HSM-enabled all nodes and verified the replication between all nodes, remove the hsmbundle file from all of the nodes.

Reverse migration operations to a local wallet

Reverse migrating an HSM-enabled Oracle Key Vault server reverts the Key Vault server to using the recovery passphrase to protect the TDE wallet. This operation is necessary if the HSM that protects Oracle Key Vault must be decommissioned.

Reverse migrating a standalone deployment

You can reverse migrate a standalone deployment by using the Oracle Key Vault web user interface.
Reverse migrating a primary-standby deployment

To reverse migrate a primary-standby deployment, use both the Oracle Key Vault web user interface and the command line.
Reverse migrating a multi-master cluster

You can reverse migrate a multi-master cluster by using the Oracle Key Vault web user interface.

Reverse migrate a standalone deployment

You can reverse migrate a standalone deployment by using the Oracle Key Vault web user interface.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings .
Select HSM under the under the Network Services section.
Select Reverse Migrate .

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential , enter the HSM credential. For nshield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase , enter the old recovery passphrase.
3. For New Recovery Passphrase , enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase .
Select Reverse Migrate .
The Hardware Security Module page appears. The red downward arrow indicates the Status .

Reverse migrate a primary-standby deployment

To reverse migrate a primary-standby deployment, use both the Oracle Key Vault web user interface and the command line.

On the primary server, log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings .
Select HSM under the under the Network Services section.
Select Reverse Migrate .

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential , enter the HSM credential. For nshield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase , enter the old recovery passphrase.
3. For New Recovery Passphrase , enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase .
Select Reverse Migrate .

The Hardware Security Module page appears. The red downward arrow indicates the Status .
On the standby server, log in using SSH as the support user, then, with the su command, switch to the root user.
```
$ ssh support@<okv_standby_instance>
$ su root
```
Modify the okv_security.conf file.
```
$ vi /usr/local/okv/etc/okv_security.conf
```
- Delete the line HSM_PROVIDER="2" .
- Change the value of the HSM_ENABLED parameter to 0 .
- Check that the HSM_TOKEN_LABEL parameter is set to "".

On the standby server, remove the following files:

$ cd /usr/local/okv/hsm/wallet
$ rm -f cwallet.sso enctdepwd
$ cd /usr/local/okv/hsm/restore
$ rm -f cwallet.sso ewallet.p12
$ cd /mnt/okvram
$ rm -f cwallet.sso ewallet.p12
$ cd /mnt/okvram/restore
$ rm -f cwallet.sso ewallet.p12
$ cd /usr/local/okv/tde
$ rm -f cwallet.sso

Switch user to oracle :
```
$ su oracle
```

Run the following command:

/var/lib/oracle/dbfw/bin/orapki wallet create -wallet /usr/local/okv/tde -auto_login

Enter the new recovery passphrase that you specified above.

Enter wallet password:
Operation is successfully completed.

The primary-standby deployment is successfully reverse migrated.

Reverse migrate a multi-master cluster

You can reverse migrate a multi-master cluster by using the Oracle Key Vault web user interface. You will need to do this on each of the nodes in the cluster.

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings .
Select HSM under the Network Services section.

The Hardware Security Module page appears.
Select Reverse Migrate .

The HSM Reverse Migrate dialog box appears.
In the HSM Reverse Migrate dialog box, enter the following details:
1. For HSM Credential , enter the HSM credential. For nshield HSMs, the credential is what you use for OCS, Softcard, or Module-Only protection.
2. For Old Recovery Passphrase , enter the old recovery passphrase.
3. For New Recovery Passphrase , enter the new recovery passphrase. Repeat this in Re-enter New Recovery Passphrase .
Select Reverse Migrate .

The Hardware Security Module page appears. The red downward arrow indicates the Status .

Configure backup of the Key Vault server in HSM mode

Log into the Oracle Key Vault web user interface as a Key Administrator.

The Oracle Key Vault Home page appears.
Select the System tab.

The Status page appears.
On the left side of the System page, select Settings .
Select Backup and Restore under the System Configuration section.
Add the backup destination on the System Backup page, just as you would in non-HSM mode.
Perform a backup as usual from the user interface on the web user interface.

Restore from a Key Vault backup in HSM mode

Note	To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.

Only backups taken in HSM mode can be restored onto an HSM-enabled Oracle Key Vault. Before you restore a backup onto a system, you must ensure that the system can access both the:

HSM.
Root of Trust used to take the backup. You must therefore have installed the HSM on the Oracle Key Vault server and enrolled Oracle Key Vault as a client of the HSM prior to this step.
1. If OCS protection is used, present the OCS card to the HSM.
2. Log into the Oracle Key Vault web user interface as a user with system administrative privileges.
  
  The Oracle Key Vault Home page appears.
3. Select the System tab.
  
  The Status page appears.
4. On the left side of the System page, select Settings .
5. Select HSM under the under the Network Services section.
  
  The Hardware Security Module page appears. On restore, the Status is disabled first, then enabled after the restore completes.
6. Select Set Credential .
  
  The Prepare for HSM Restore screen appears.
7. From the Vendor list, select Entrust and enter the HSM credential twice as requested.
8. Select Set Credential .
  
  The HSM credential will be stored in the system. This HSM credential must be entered manually to do an HSM restore because it is not stored in the backup itself.
9. On the left side of the page, select Settings .
10. Select Backup and Restore under the System Configuration section.
11. Select Restore and restore the Key Vault backup.

Restart or restore in HSM mode using nshield Remote Administration

To restart or restore Key Vault in HSM mode when OCS protection is used, the OCS for the HSM must be in slot 0 of the HSM.

The raserv package of nshield software is only available on the nshield RFS machine, it is not supported on Oracle Key Vault servers. When the Oracle Key Vault server restarts or restores from a backup and Java Cards cannot be presented to the HSMs that are enrolled to that server, the restart or restore will fail.

If the HSM is also enrolled to the RFS, you can present Java Cards there when the RFS is operational. As a result, when the Oracle Key Vault server comes back up, it can still access the keys from the HSM using the OCS in slot 0.

Known issues

Issue	Action for Integrator
If you want to use Softcards as a means of protection, you need to set `CKNFAST_LOADSHARING=1` in `cknfastrc` , but this causes the firmware version to appear as 0.0 when the Oracle Key Vault server is initialized with the HSM.	None.

RESOURCES

Integration Guide
Oracle Key Vault 21.3 nShield® HSM Integration Guide

Oracle Key Vault 21.3: nShield HSM Integration Guide

Table of Contents