Oracle Cloud Infrastructure's Marketplace offers a simple deployment of Oracle Data Integrator to an OCI Compute instance. The default encryption on this compute instance uses Oracle Managed Keys, which cannot be changed during the deployment process. It is a simple process to change the encryption keys to Customer Managed Keys in OCI Vault after the deployment is complete. Here's how...
After deploying an ODI Classic or ODI BYOL instance from OCI Marketplace by following the Getting Started guide, create the OCI groups and policies required for OCI Vault, if they do not already exist.
Create a Dynamic Group and include a rule for each resource that you need to encrypt with Customer Managed Keys, as described in Creating a Dynamic Group and Matching rules.
The Autonomous Database that hosts the ODI repository:
resource.id = 'ocid1.autonomousdatabase.oc1.phx.xxxxxxxxx…'
The boot volume of the OCI Compute instance where your ODI Marketplace image is installed:
All {instance.id = 'ocid1.bootvolume.oc1.phx.xxxxxxxxxx….'}
Add rules for any other resources and instances you wish to encrypt with Customer Managed Keys.
Create policies for a group (here, my-security-group) and for the Key Management Service to manage keys and vaults, either at the tenancy level:
Allow service keymanagementservice to manage vaults in tenancy
Allow group my-security-group to manage vaults in tenancy
Allow group my-security-group to manage keys in tenancy
Allow group my-security-group to manage secret-family in tenancy
or, scoped more narrowly, at the compartment level:
Allow service keymanagementservice to manage vaults in compartment my-vault-compartment
Allow group my-security-group to manage vaults in compartment my-vault-compartment
Allow group my-security-group to manage keys in compartment my-key-compartment
Allow group my-security-group to manage secret-family in compartment my-key-compartment
Allow the dynamic group to use the vault and keys in those compartments:
Allow dynamic-group my-dynamic-group to use vaults in compartment my-vault-compartment
Allow dynamic-group my-dynamic-group to use keys in compartment my-key-compartment
Allow the services whose resources you wish to encrypt to use the keys in the key compartment:
Allow service blockstorage to use keys in compartment my-key-compartment
Allow service objectstorage-us-phoenix-1 to use keys in compartment my-key-compartment
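The dynamic-group rules and policy statements above are easy to get subtly wrong (a malformed OCID, a region-specific Object Storage service principal that does not match the region, or a tenancy-wide "manage keys" grant left in place where a compartment-scoped one would do). The following script is an added example, not code from the original post or from Oracle: it renders the compartment-scoped statements from a handful of names, builds the dynamic-group matching rule from a list of OCIDs, and flags any tenancy-wide grants in an existing policy. It assumes that compute-instance OCIDs are matched with instance.id and all other resources with resource.id; every group, compartment and OCID value below is a placeholder.

```python
"""Render the OCI IAM pieces needed before an ODI Marketplace instance can use
customer-managed keys. Constructed example; all names and OCIDs are placeholders."""
import re
from typing import Iterable, List

# ocid1.<resource-type>.<realm>.<region, may be empty>.<unique id>
_OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)\.oc[0-9]+\.[a-z0-9-]*\.[a-z0-9]+$")
_TENANCY_GRANT_RE = re.compile(r"\bin\s+tenancy\s*$", re.IGNORECASE)


def ocid_resource_type(ocid: str) -> str:
    """Return the resource type embedded in an OCID, or raise if it is malformed."""
    match = _OCID_RE.match(ocid)
    if not match:
        raise ValueError(f"not a well-formed OCID: {ocid!r}")
    return match.group("type")


def dynamic_group_rules(resource_ocids: Iterable[str]) -> List[str]:
    """One matching rule per OCID. Assumption: compute instances are matched
    with instance.id, every other resource (e.g. an Autonomous Database)
    with resource.id."""
    rules = []
    for ocid in resource_ocids:
        matcher = "instance.id" if ocid_resource_type(ocid) == "instance" else "resource.id"
        rules.append(f"{matcher} = '{ocid}'")
    return rules


def dynamic_group_matching_rule(resource_ocids: Iterable[str]) -> str:
    """Combine the rules so a resource matching any one of them joins the group."""
    return "Any {" + ", ".join(dynamic_group_rules(resource_ocids)) + "}"


def policy_statements(group: str, dynamic_group: str, vault_compartment: str,
                      key_compartment: str, region: str,
                      extra_services: Iterable[str] = ("blockstorage",)) -> List[str]:
    """Compartment-scoped statements (the narrower of the two sets in the post).
    `region` selects the region-specific Object Storage service principal,
    e.g. objectstorage-us-phoenix-1."""
    vault = f"compartment {vault_compartment}"
    keys = f"compartment {key_compartment}"
    statements = [
        f"Allow service keymanagementservice to manage vaults in {vault}",
        f"Allow group {group} to manage vaults in {vault}",
        f"Allow group {group} to manage keys in {keys}",
        f"Allow group {group} to manage secret-family in {keys}",
        f"Allow dynamic-group {dynamic_group} to use vaults in {vault}",
        f"Allow dynamic-group {dynamic_group} to use keys in {keys}",
    ]
    for service in (*extra_services, f"objectstorage-{region}"):
        statements.append(f"Allow service {service} to use keys in {keys}")
    return statements


def find_tenancy_wide_grants(statements: Iterable[str]) -> List[str]:
    """Return the statements that grant access across the whole tenancy, so a
    reviewer can decide whether each one really needs that scope."""
    return [s for s in statements if _TENANCY_GRANT_RE.search(s.strip())]


if __name__ == "__main__":
    # Constructed placeholder OCIDs, not real resources.
    ocids = ["ocid1.autonomousdatabase.oc1.phx.exampleadb000001",
             "ocid1.instance.oc1.phx.exampleinst00001"]
    print("Dynamic group matching rule:")
    print("  " + dynamic_group_matching_rule(ocids))
    print("Policy statements:")
    for line in policy_statements("my-security-group", "my-dynamic-group",
                                  "my-vault-compartment", "my-key-compartment",
                                  "us-phoenix-1"):
        print("  " + line)
```

Paste the printed statements into the policy editor and the matching rule into the dynamic group; run `find_tenancy_wide_grants` over the statements of any policy you already have to see which grants are broader than the compartment-scoped set.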
Now create a vault in the compartment my-vault-compartment (click the Create Vault button), then add a key that can be used to encrypt a secret. Follow the OCI Vault documentation to add and rotate keys and secrets.
Change the encryption key on the boot volume, and on any block volumes you may have attached to your ODI compute instance. If you haven't done so already, you can also change the encryption keys on any other resources you wish to encrypt with Customer Managed Keys. Refer to the Assigning Keys section of the OCI Key Management documentation for how to assign keys to each resource.
Access the ODI Compute instance, close ODI Studio, and stop any deployed agents.
Open the navigation menu and click Compute.
Under List Scope, in the Compartment list, choose the compartment that contains the boot volume that you want to encrypt with a Vault service master encryption key.
Under Instances, click the ODI instance you wish to encrypt.
Under Resources (bottom left), click Boot Volume.
From the Boot Volume list, click the volume name.
Do one of the following:
If the volume already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.
If the volume does not already have a key assigned to it, next to Encryption Key, click Assign.
Choose my-vault-compartment, my-vault-name, my-key-compartment, and my-key.
When you are finished, click Assign or Update, as appropriate.
It will take some time for the encryption to complete. When finished, the key information is shown on the Boot Volume page under the Encryption heading.
Start ODI Studio on the instance and clear the cache:
Access the ODI Compute instance
Go to the ORACLE_HOME/odi/studio directory.
Enter the following command: sh ./odi.sh -clean -initialize
Start the agents.
Now you've encrypted your ODI environment with OCI Vault Customer Managed Keys. Sign in to ODI Studio and test all the connections in the Topology navigator.
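The console shows the assigned key one volume at a time; on an instance with several attached block volumes it is easy to miss one that is still on an Oracle-managed key. The script below is an added example, not code from the original post or from Oracle: it lists every boot and block volume attached to the ODI compute instance through the OCI Python SDK and reports which ones do not carry the expected customer-managed key. It assumes the OCI SDK (`pip install oci`) and a standard ~/.oci/config profile with read access to the instance and its volumes; the SDK is imported only inside the collection function so the audit logic runs without it, and the instance and key OCIDs are supplied on the command line.

```python
"""Check that every volume attached to an ODI Marketplace compute instance
reports the expected customer-managed key. Constructed example; the OCI SDK
is imported lazily in collect_instance_volumes() (assumption: pip install oci)."""
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VolumeKeyState:
    name: str                  # display name of the volume
    kind: str                  # "boot" or "block"
    kms_key_id: Optional[str]  # None: the volume still uses an Oracle-managed key


def audit_volumes(volumes: List[VolumeKeyState], expected_key_id: str
                  ) -> Tuple[List[VolumeKeyState], List[Tuple[VolumeKeyState, str]]]:
    """Split volumes into those on the expected key and those that are not.

    Each non-compliant volume is paired with a reason: "oracle-managed" when
    no customer key is assigned at all, "unexpected-key" when a customer key is
    assigned but it is not the one this environment should use.
    """
    compliant, noncompliant = [], []
    for vol in volumes:
        if vol.kms_key_id is None:
            noncompliant.append((vol, "oracle-managed"))
        elif vol.kms_key_id != expected_key_id:
            noncompliant.append((vol, "unexpected-key"))
        else:
            compliant.append(vol)
    return compliant, noncompliant


def collect_instance_volumes(instance_id: str, profile: str = "DEFAULT") -> List[VolumeKeyState]:
    """Fetch the boot and block volumes attached to the instance via the OCI SDK."""
    import oci  # assumption: OCI Python SDK installed and ~/.oci/config present

    config = oci.config.from_file(profile_name=profile)
    compute = oci.core.ComputeClient(config)
    block = oci.core.BlockstorageClient(config)

    instance = compute.get_instance(instance_id).data
    found = []
    for att in compute.list_boot_volume_attachments(
            instance.availability_domain, instance.compartment_id,
            instance_id=instance_id).data:
        bv = block.get_boot_volume(att.boot_volume_id).data
        found.append(VolumeKeyState(bv.display_name, "boot", bv.kms_key_id))
    for att in compute.list_volume_attachments(
            instance.compartment_id, instance_id=instance_id).data:
        v = block.get_volume(att.volume_id).data
        found.append(VolumeKeyState(v.display_name, "block", v.kms_key_id))
    return found


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_odi_keys.py <instance-ocid> <expected-key-ocid>")
    ok, bad = audit_volumes(collect_instance_volumes(sys.argv[1]), sys.argv[2])
    for vol in ok:
        print(f"OK   {vol.kind:5} {vol.name}")
    for vol, reason in bad:
        print(f"FIX  {vol.kind:5} {vol.name}: {reason}")
    sys.exit(1 if bad else 0)
```

Run it after the console steps above have completed; a non-zero exit means at least one volume still needs its key assigned or updated through the Boot Volume or Block Volume page, which also makes the script usable as a periodic check that no later-attached volume silently fell back to an Oracle-managed key.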
Getting Started with Oracle Data Integrator on Oracle Cloud Marketplace
Using Oracle Data Integrator on Oracle Cloud Marketplace
Managing Encryption Keys on Autonomous Database
Notes for Using Customer-Managed Keys with Autonomous Database