Skip to content
Read the latest Eclipsys Blogs today - Click here to learn more!

Safeguarding Data in the Age of AI: Why Oracle Key Vault Multi Master Matters

Chanaka Yapa Jun 9, 2025 10:34:58 AM
Safeguarding Data in the Age of AI: Why Oracle Key Vault Multi Master Matters
10:01

Contents

Using Yubico Security Key on MacOS for SSH – Eclipsys

Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV - Part 1 )

Protecting Your Encryption Keys: (OKV - Part 2)

Introduction

In today’s data-driven and AI-accelerated world, data security risks are growing faster than ever. As artificial intelligence continues to evolve, so do the techniques used in cyberattacks, making it crucial for organizations to stay ahead of potential threats. The frequency and sophistication of hacking attempts are only expected to rise.
 
To protect sensitive data, organizations must implement strong security and disaster recovery measures. One of the foundational practices is encrypting data at rest. However, as IT environments become more complex, spanning multiple systems, clouds, and geographies, managing encryption keys securely becomes a challenge.
 
This is where Oracle Key Vault (OKV) comes in. OKV offers a centralized, robust solution for managing encryption keys, certificates, and secrets across the enterprise. Its multi-master architecture ensures high availability, scalability, and fault tolerance, making it an essential component in any modern data protection strategy.
 

What is OKV  Multi-Master Architecture? 

Oracle Key Vault's multi-master architecture allows multiple OKV nodes to actively participate in key management across geographically distributed environments. Each node can read and write data, ensuring high availability, fault tolerance, and seamless scalability. This setup not only eliminates a single point of failure but also supports consistent key access and synchronization across sites, making it ideal for enterprise-grade security and disaster recovery.

Key Features of OKV Multi-Master:

 

  • Active-Active Architecture:
    All nodes in the cluster are active and capable of processing client requests, including cryptographic operations and key management functions.

  • Automatic Synchronization:
    Nodes automatically replicate and synchronize key and metadata changes to ensure consistency across the cluster.

  • Fault Tolerance:
    If one node becomes unavailable, other nodes continue to operate without disruption, ensuring high availability.

  • Geographically Distributed Support:
    Nodes can be deployed across different data centers or geographic regions to support disaster recovery and improve performance for distributed applications.

  • Certificate-Based Trust Establishment:
    Each node uses certificates to establish trust and securely exchange data with other nodes in the cluster.

 

In this article, I’ll walk you through the steps to configure a multi-master cluster in Oracle Key Vault (OKV). For this demonstration, we will be setting up a 2-node cluster, although best practice recommends using at least 3 or 4 nodes to ensure better fault tolerance and avoid unexpected failures.

Key Characteristics of OKV Multi-Master Architecture

 

  • High Availability, Scalability, and Fault Tolerance are built in.

  • All nodes must be running the same OKV version to join the cluster.

  • NTP-based time synchronization is mandatory across all nodes.

  • Nodes actively serve endpoints and maintain an identical dataset.

  • Cluster Size Limits:

    • Minimum: 2 nodes

    • Maximum: 16 nodes

    • Supports multiple read-write node pairs across data centers.

 

Cluster Setup Details

We will use the following configuration:

  • Cluster Name: okv-cl01

  • Cluster Subgroup Name: okv-cl01-sg01

Nodes Used:

 

  1. Controller Node  192.168.56.210  okv.oracle.com
    Acts as the first master node in the cluster.

  2. Candidate Node  192.168.56.211  okv02.oracle.com

 

Pre-Configuration Notes

Before starting the configuration, make sure to consider the following:

 

  1. Backups are Critical
    If OKV runs on a virtualized platform, take a full VM snapshot before proceeding. A failed configuration is not easy to roll back.

  2. Time Synchronization is Mandatory
    All nodes must use NTP (Network Time Protocol) to ensure accurate time sync. Desynchronized clocks will prevent successful cluster formation.

  3. Static IPs for all OKV nodes.

Required Firewall Ports for OKV Access

To ensure proper communication between OKV nodes and endpoints, make sure the following ports are open in your firewall:

 

  • TCP 5696 – Required for secure key management operations between OKV and Oracle endpoints.

  • TCP 443 – To access the OKV web console.

  • TCP 22 – For SSH access (administrative use only).

 
                                      
                                           Figure 1: OKV required ports


Enabling Cluster Mode in Oracle Key Vault (OKV)

 

To enable cluster mode in OKV, follow these high-level steps:

Initial Node Selection:

When you select the first OKV node for cluster setup, it becomes the Controller Node. This node manages cluster membership and coordination.

 

 
Joining Additional Nodes:

All subsequent nodes you add to the cluster are treated as Candidate Nodes. These nodes synchronize with the controller and become part of the cluster.

Cluster Formation:

Once all candidate nodes successfully join, the OKV cluster becomes fully functional. The cluster ensures high availability and load balancing across nodes.

 

Multi-Master Cluster Setup Steps

Controller node settings 

First, select the controller node and enter the required controller settings. After completing the controller setup, you can proceed to configure the candidate node settings.

Steps (summary):

  • Log in to the Oracle Key Vault (OKV) web console.
  • Navigate to the Cluster tab.
  • Select the initial node to act as the controller and enter its details.
  • Add the candidate node details.
  • On node01 (controller), retrieve the controller certificate and copy it to the candidate node.
  • On node02 (candidate), retrieve the candidate certificate and copy it to the controller node.

 

 


                                                     Figure 2: Navigate to the cluster.
                                                   
When you're on the cluster setup page, ensure you select the first node to act as the Controller Node. This node will initialize and manage the cluster.

 

 
Figure 3: Controller node settings 

For this example, the controller node is okv.oracle.com. Once you click "Convert to Candidate Node", the node transitions to read-only restricted mode.
 
 
Figure 4: Initial node state (read-only restricted)

                 
Next, you need to add Candidate node information.  
 
 
                                               Figure 5: Add a candidate in the Controller node.

Candidate node certification we need to obtain from node02: okv02.oracle.com.
 
Figure 6: Add a candidate in the Controller node 2.


Preparing and Configuring the Candidate Node for Oracle Key Vault Clustering

To add a candidate node to the OKV cluster, follow these steps using the current server details:

  1. Access the Candidate Node:
    Log in to the candidate server (e.g., okv02.example.com) via SSH or console access.

  2. Set Hostname and Network Configuration:
    Ensure the hostname and IP address are correctly set and resolvable from the controller node.

  3. Sync Time Settings:
    Configure NTP to synchronize time with the controller node to prevent cluster issues.

  4. Install or Verify OKV Software:
    Confirm that the Oracle Key Vault software is installed and that the correct version matches the controller node.

  5. Retrieve and Import Controller Certificate:

    • Obtain the controller certificate from node01 (controller).

    • Copy it to the candidate node and place it in the appropriate section.

  6. Generate and Share Candidate Certificate:

    • Generate the candidate node's certificate.

    • Copy it back to node01 to complete the mutual trust setup.

  7. Join the Cluster from the Controller Node:
    Use the OKV web console to initiate the cluster join process with node02 as the candidate node.

Note: It is essential to securely store the recovery password, as it is required during the configuration of the multi-master cluster nodes.
 
 
Figure 7: Candidate node


Add controller node information and obtain a certificate from node 01 (okv.oracle.com). 
 



                                                             Figure 8: Candidate settings 2
 
 

After entering all the required details, initiate the conversion of the server to a candidate node.

 
 
Figure 9: Convert to candidate node.


Several steps must be successfully completed to finalize the multi-master setup. Ensure that each step is carried out correctly.
 
Figure 10: Candidate node steps.


This process will pause until you copy the candidate certificate to the controller node.
 
 


 
Figure 11: Candidate node steps.

Once you add this process, the state moves.
 
Figure 12: Process of the candidate configuration.


Details of each task :
 


Figure 13: Process of the candidate details.


Once the configuration is complete, you can validate from the cluster main page.
 
 
Figure 13: Cluster details.

Conclusion.

Configuring a multi-master cluster in Oracle Key Vault (OKV) is a critical step for organizations looking to enhance their data security and ensure high availability across distributed environments. By setting up a multi-master cluster, organizations can achieve seamless scalability, fault tolerance, and geographic redundancy, which are essential for modern data protection strategies.

Throughout this guide, we’ve walked through the process of setting up a 2-node OKV cluster, starting from the initial node configuration to successfully adding a candidate node. By following the necessary pre-configuration steps, ensuring proper synchronization, and securely managing certificates, you can create a robust OKV deployment that meets the needs of today’s complex and data-driven enterprise environments.

Remember that it’s crucial to secure the recovery password and verify all configurations before completing the setup. A well-planned and executed multi-master configuration can safeguard your encryption keys and ensure your systems remain resilient against potential threats and failures.

By leveraging OKV’s multi-master architecture, you can stay ahead of the evolving cybersecurity landscape and maintain continuous protection for your sensitive data across various environments and geographies.

 
 
Artificial Intelligence Data Safe Oracle Key Vault

Using Yubico Security Key on MacOS for SSH – Eclipsys

Protecting Your Encryption Keys: Lessons from the Oracle Cloud Security Breach (OKV - Part 1 )

Protecting Your Encryption Keys: (OKV - Part 2)
Previous

Key Rotation for SQL Server TDE in an Always On Availability Group Environment
Next

EXACS Standby - ORA-12154: TNS (Disable RFS Client)

Leave a Comment

Want to read more?

Fill out the form below to unlock access to more Eclipsys blogs – It’s that easy!