Oracle Vault

Oracle Vault provides a secure and reliable Key Management Service (KMS) that can be leveraged to safeguard keys of wallets managed by the Wallet API. This document outlines how to integrate Oracle Vault with the Wallet API and manage keys securely.

If you are new to OCI Vault, familiarize yourself with the service through Oracle's OCI Vault documentation first. The following sections assume that you know how Vault works and have already created and configured a vault and key management service.

Using Oracle Vault with Wallet API

There are two main methods for integrating Oracle Vault with the Wallet API:

  1. OCI SDK: Utilize the OCI SDK to manage keys in Oracle Vault programmatically.
  2. OCI REST API: Interact with the OCI REST API to manage keys in Oracle Vault directly.

OCI SDK Integration with Oracle Vault

The OCI SDK provides a convenient way to manage keys in Oracle Vault without the need to interact with the REST API directly.

Because no private key is supplied to the Wallet API in this mode, the instance running it must be configured for instance principal authentication: the compute instance's own identity is used to authenticate to the vault instead of a user API key.

In addition, the compartment ID and the vault ID have to be provided in the Wallet API's oci.conf file.

Example configuration:

vaultId="ocid1.vault.oc1.iad.amaaaaaa4q6q6qia7q7"
compartmentId="ocid1.compartment.oc1..aaaaaaaawirugoz35riiybcxsvf7bmelqsxo3sajaav5w3i2vqowcwqrllxa"

OCI REST API - Oracle Vault

With the OCI REST API you can manage keys in Oracle Vault without using the SDK. The Wallet API reads the configuration it needs to call the OCI Vault endpoints from oci-rest-api.conf: the tenancy, compartment and user OCIDs, the fingerprint of the API signing key, the vault's management and crypto endpoints, and the PEM-encoded private key used to sign requests.

Example configuration:

tenancyOcid = "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
compartmentOcid= "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
userOcid = "ocid1.user.oc1..aaaaaaaaxjkkfjqxdqk7ldfjrxjmacmbi7sci73rbfiwpioehikavpbtqx5q"
fingerprint = "bb:d4:4b:0c:c8:3a:49:15:7f:87:55:d5:2b:7e:dd:bc"
managementEndpoint = "entcvrlraabc4-management.kms.eu-frankfurt-1.oraclecloud.com"
cryptoEndpoint = "entcvrlraabc4-crypto.kms.eu-frankfurt-1.oraclecloud.com"
signingKeyPem = """
PRIVATE_KEY_HERE
"""
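A misconfigured oci-rest-api.conf usually fails late and with an opaque authentication error from OCI, so it is worth checking the file's shape before the Wallet API is started. The following script is an added example, not part of the Wallet API project: it parses the `key = "value"` / triple-quoted format shown above (the parser's grammar is an assumption about the format, based only on the example), validates each field against the documented OCI shapes (OCIDs are `ocid1.<type>.<realm>.[region].<id>`, API-key fingerprints are 16 colon-separated hex bytes, KMS endpoints are per-vault `<prefix>-management|crypto.kms.<region>.oraclecloud.com`), flags a signingKeyPem that is still the placeholder, and derives the `keyId` (`<tenancyOcid>/<userOcid>/<fingerprint>`) that OCI request signing uses. It accepts a tenancy OCID for compartmentOcid, as in the example, because the tenancy is the root compartment. The sample configuration embedded in the script is copied from the example above.

```python
"""Sanity checks for an oci-rest-api.conf of the shape shown above (added example)."""
import re

# Sample copied from the example configuration above; signingKeyPem is still the
# placeholder, which the validator must report before the Wallet API is started.
SAMPLE_CONF = '''
tenancyOcid = "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
compartmentOcid= "ocid1.tenancy.oc1..aaaaaaaaiijfupfvsqwqwgupzdy5yclfzcccmie4ktp2wlgslftv5j7xpk6q"
userOcid = "ocid1.user.oc1..aaaaaaaaxjkkfjqxdqk7ldfjrxjmacmbi7sci73rbfiwpioehikavpbtqx5q"
fingerprint = "bb:d4:4b:0c:c8:3a:49:15:7f:87:55:d5:2b:7e:dd:bc"
managementEndpoint = "entcvrlraabc4-management.kms.eu-frankfurt-1.oraclecloud.com"
cryptoEndpoint = "entcvrlraabc4-crypto.kms.eu-frankfurt-1.oraclecloud.com"
signingKeyPem = """
                         PRIVATE_KEY_HERE
                """
'''

# ocid1.<type>.<realm>.[region].<id>; region is empty for tenancy, user and compartment OCIDs.
OCID_RE = re.compile(r"^ocid1\.(?P<type>[a-z]+)\.(?P<realm>oc\d+)\.(?P<region>[a-z0-9-]*)\.(?P<id>[a-z0-9]+)$")
# OCI API-key fingerprints are 16 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")
# KMS endpoints are per vault: <prefix>-management|crypto.kms.<region>.oraclecloud.com
ENDPOINT_RE = re.compile(r"^(?P<prefix>[a-z0-9]+)-(?P<kind>management|crypto)\.kms\.(?P<region>[a-z0-9-]+)\.oraclecloud\.com$")
REQUIRED = ("tenancyOcid", "compartmentOcid", "userOcid", "fingerprint",
            "managementEndpoint", "cryptoEndpoint", "signingKeyPem")
# Assumed grammar: key = "value" or key = """multi-line value""" (one assignment per key).
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"""(.*?)"""|"([^"\n]*)")', re.S | re.M)


def parse_conf(text: str) -> dict[str, str]:
    """Return key -> value with surrounding whitespace stripped (handles the triple-quoted PEM)."""
    conf = {}
    for m in ASSIGN_RE.finditer(text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        conf[m.group(1)] = value.strip()
    return conf


def check_ocid(label: str, value: str, allowed_types: tuple[str, ...]) -> list[str]:
    """Check OCID syntax and that its resource type is one of allowed_types."""
    m = OCID_RE.match(value)
    if not m:
        return [f"{label}: malformed OCID {value!r}"]
    if m.group("type") not in allowed_types:
        return [f"{label}: expected OCID type in {allowed_types}, got {m.group('type')!r}"]
    return []


def check_pem(value: str) -> list[str]:
    """Reject the PRIVATE_KEY_HERE placeholder and anything that is not PEM-framed."""
    if not value or "PRIVATE_KEY_HERE" in value:
        return ["signingKeyPem: placeholder left in place; supply the API signing key"]
    lines = value.splitlines()
    first, last = lines[0], lines[-1]
    if not (first.startswith("-----BEGIN") and "PRIVATE KEY-----" in first and last.startswith("-----END")):
        return ["signingKeyPem: not a PEM-encoded private key"]
    return []


def validate_conf(conf: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the file is well-formed."""
    problems = [f"{k}: missing" for k in REQUIRED if k not in conf]
    if problems:
        return problems
    problems += check_ocid("tenancyOcid", conf["tenancyOcid"], ("tenancy",))
    problems += check_ocid("userOcid", conf["userOcid"], ("user",))
    # The root compartment is the tenancy itself, so a tenancy OCID is acceptable here.
    problems += check_ocid("compartmentOcid", conf["compartmentOcid"], ("compartment", "tenancy"))
    if not FINGERPRINT_RE.match(conf["fingerprint"]):
        problems.append("fingerprint: expected 16 colon-separated hex bytes")
    endpoints = {}
    for key, kind in (("managementEndpoint", "management"), ("cryptoEndpoint", "crypto")):
        m = ENDPOINT_RE.match(conf[key])
        if not m or m.group("kind") != kind:
            problems.append(f"{key}: expected <vault>-{kind}.kms.<region>.oraclecloud.com")
        else:
            endpoints[key] = (m.group("prefix"), m.group("region"))
    # Both endpoints must belong to the same vault in the same region.
    if len(endpoints) == 2 and len(set(endpoints.values())) != 1:
        problems.append("managementEndpoint/cryptoEndpoint: refer to different vaults or regions")
    problems += check_pem(conf["signingKeyPem"])
    return problems


def signing_key_id(conf: dict[str, str]) -> str:
    """keyId used in the OCI 'Signature' Authorization header: <tenancy>/<user>/<fingerprint>."""
    return f"{conf['tenancyOcid']}/{conf['userOcid']}/{conf['fingerprint']}"


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for problem in validate_conf(parsed):
        print("PROBLEM:", problem)
    print("keyId:", signing_key_id(parsed))
```

Run against the sample above, the only finding is the placeholder key; once a real PEM private key is substituted, `validate_conf` returns an empty list. The endpoint consistency check catches the common copy-paste mistake of pointing the management and crypto endpoints at different vaults.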