Enable Customer Managed Keys on ODI Marketplace

May 11, 2022 | 5 minute read
Carla Romano
Master Principal Cloud Architect

Oracle Cloud Infrastructure's Marketplace offers a simple deployment of Oracle Data Integrator to an OCI Compute instance. The default encryption on this compute instance uses Oracle Managed Keys, which cannot be changed during the deployment process. It is a simple process to switch the encryption to Customer Managed Keys in OCI Vault after the deployment is complete. Here's how...

After deploying an ODI Classic or ODI BYOL instance from OCI Marketplace by following the Getting Started guide, complete the following steps:

Create OCI Groups and Policies

If not already created, create the necessary OCI Groups and Policies required for OCI Vault.

Create Security Admin Group for OCI Key Vault

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Identity > Groups
  3. Click the Create Group button
  4. Enter the following:
    • Name:  my-security-group
    • Description: My Security Group
  5. Click the Create button to save
  6. Under Group Members, click ‘Add Users to Group’
    • Select user to include in the group, and click ‘Add’
    • Repeat for each user

Create Dynamic Group

Create a Dynamic Group and include a rule for each resource that you need to encrypt with Customer Managed Keys, as described in Creating a Dynamic Group and Matching Rules.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Identity > Dynamic Groups
  3. Click the Create Dynamic Group button
    • Name: my-dynamic-group
    • Add a rule for each resource and instance you wish to encrypt with Customer Managed Keys:

Autonomous Database that hosts the ODI Repository:

resource.id = 'ocid1.autonomousdatabase.oc1.phx.xxxxxxxxx…'

The boot volume of the OCI Compute instance where your ODI Marketplace image is installed:

All {instance.id = 'ocid1.bootvolume.oc1.phx.xxxxxxxxxx…'}

Add additional rules for any other resources and instances you wish to encrypt with Customer Managed Keys.

  4. Click the Create Dynamic Group button to save

Create Policies

Create policies for my-security-group and the Key Management Service to manage keys and vaults at the tenancy or compartment level:

Tenancy level security group policies

Allow service keymanagementservice to manage vaults in tenancy

Allow group my-security-group to manage vaults in tenancy

Allow group my-security-group to manage keys in tenancy

Allow group my-security-group to manage secret-family in tenancy

Compartment level security group policies

Allow service keymanagementservice to manage vaults in compartment my-vault-compartment

Allow group my-security-group to manage vaults in compartment my-vault-compartment

Allow group my-security-group to manage keys in compartment my-key-compartment

Allow group my-security-group to manage secret-family in compartment my-key-compartment

Dynamic Group policies

Allow the dynamic group to use the vault and keys in their compartments:

Allow dynamic-group my-dynamic-group to use vaults in compartment my-vault-compartment

Allow dynamic-group my-dynamic-group to use keys in compartment my-key-compartment

Service policies

Allow the services whose resources you wish to encrypt to use the keys in the key compartment:

Allow service blockstorage to use keys in compartment my-key-compartment

Allow service objectstorage-us-phoenix-1 to use keys in compartment my-key-compartment
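A small linter for the statements above, added here as an example and not part of the original post or of Oracle's tooling. It assumes only the simple unconditional form used in this post ("Allow <group|dynamic-group|service> <name> to <verb> <resource> in tenancy|compartment <name>"; conditions, any-user and compartment id forms are not handled), rejects lines the console would not accept, and reports which key consumers still lack a "use keys" grant in the key compartment.

```python
import re

# Assumed grammar for this example: the unconditional statements used above,
# "Allow <group|dynamic-group|service> <name> to <verb> <resource> in <location>".
_POLICY_RE = re.compile(
    r"^Allow\s+(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>[\w.-]+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment)(?:\s+(?P<compartment>[\w.-]+))?\s*$",
    re.IGNORECASE)

def parse_policy(statement):
    """Parse one statement or raise ValueError for a line the console would reject."""
    s = statement.strip()
    m = _POLICY_RE.match(s)
    if not m:
        raise ValueError(f"malformed statement: {s!r}")
    f = {k: (v.lower() if v else v) for k, v in m.groupdict().items()}
    if f["scope"] == "compartment" and not f["compartment"]:
        raise ValueError(f"missing compartment name: {s!r}")
    if f["scope"] == "tenancy" and f["compartment"]:
        raise ValueError(f"unexpected text after 'tenancy': {s!r}")
    return f

def lint_policies(statements):
    """Return (parsed_statements, error_messages) for a list of statements."""
    parsed, errors = [], []
    for s in statements:
        try:
            parsed.append(parse_policy(s))
        except ValueError as e:
            errors.append(str(e))
    return parsed, errors

def uncovered_key_consumers(parsed, key_compartment, consumers):
    """Consumers (services or dynamic groups that must encrypt with the CMK) that
    still lack a 'use keys' (or 'manage keys') grant in the key compartment or tenancy."""
    granted = {p["subject"] for p in parsed
               if p["resource"] == "keys" and p["verb"] in ("use", "manage")
               and (p["scope"] == "tenancy" or p["compartment"] == key_compartment.lower())}
    return [c for c in consumers if c.lower() not in granted]

# Constructed sample: compartment-level statements from this post plus one
# deliberately broken line whose location lacks the 'compartment' keyword.
SAMPLE_STATEMENTS = [
    "Allow service keymanagementservice to manage vaults in compartment my-vault-compartment",
    "Allow group my-security-group to manage keys in compartment my-key-compartment",
    "Allow dynamic-group my-dynamic-group to use keys in compartment my-key-compartment",
    "Allow service blockstorage to use keys in compartment my-key-compartment",
    "Allow service objectstorage-us-phoenix-1 to use keys in my-key-compartment",
]
```

Run `lint_policies(SAMPLE_STATEMENTS)` to see the broken line rejected, then `uncovered_key_consumers(parsed, "my-key-compartment", ["blockstorage", "objectstorage-us-phoenix-1", "my-dynamic-group"])` to list the consumer that is still unable to use the key.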

Create a key vault, keys and assign them to ODI Compute (and other resources)

OCI Key Vault

Now create a Vault in the compartment my-vault-compartment, then add a key that can be used to encrypt a secret. Follow the OCI Vault documentation to add and rotate key secrets.

  1. Login to the OCI Console as an Administrator
  2. Go to Menu > Security > Vault
  3. Select the compartment my-vault-compartment
  4. Click the Create Vault button
  5. Enter the following:
    • Name:  my-vault
    • Click the Create button to save
  6. Click on the my-vault vault that was just created
    • Click on the Keys link under Resources
    • Click ‘Create Key’
    • Select the compartment my-key-compartment
    • Select ‘HSM’ as the protection mode
    • Enter a unique name for the key:
      • Name: my-key
    • Select ‘AES’ as the key shape algorithm ('AES' is required for OCI boot or block volumes; refer to the documentation for other resources)
    • Select 256 bits for the key shape length
    • Click the Create Key button to save

Assign Keys to your ODI Instance

Change the encryption key on the boot volume, and on any block volumes you may have attached to your ODI compute instance. If you haven't done so already, you can change the encryption keys on any other resources you wish to encrypt with Customer Managed Keys. Refer to the Assigning Keys section of the OCI Key Management documentation on how to assign keys to each resource.

  1. Access the ODI Compute instance and close ODI Studio and stop any deployed agents.

  2. Open the navigation menu and click Compute.

  3. Under List Scope, in the Compartment list, choose the compartment that contains the boot volume that you want to encrypt with a Vault service master encryption key.

  4. Under Instances, click on the ODI node you wish to encrypt

  5. Under Resources (bottom left), click Boot Volume.

  6. From the Boot Volume list, click the volume name.

  7. Do one of the following:

    • If the volume already has a key assigned to it, next to Encryption Key, click Edit to assign a different key.

    • If the volume does not already have a key assigned to it, next to Encryption Key, click Assign.

  8. Choose my-vault-compartment, my-vault-name, my-key-compartment, and my-key.

  9. When you are finished, click Assign or Update, as appropriate.

  10. It will take some time for the encryption to complete. When finished, the key information shows on the Boot Volume page under the heading Encryption.

  11. Start ODI Studio on the instance and clear the cache.

  12. Start the agents.

Now you've encrypted your ODI environment with OCI Vault Customer Managed Keys. Sign into ODI Studio and test all the connections in Topology.

Helpful References

Overview of Vault

OCI Key Management Concepts

Getting Started with Oracle Data Integrator on Oracle Cloud Marketplace

Using Oracle Data Integrator on Oracle Cloud Marketplace

Managing Encryption Keys on Autonomous Database

Notes for Using Customer-Managed Keys with Autonomous Database
