Securing Oracle Database with HashiCorp Vault Enterprise

Executive Summary

Oracle provides many security options within its database framework, but when organizations start to scale their infrastructure, these options can quickly become complicated and hard to manage. HashiCorp Vault provides a centralized way of managing security within a larger, scaled environment. This paper shows how HashiCorp Vault can be installed and configured against a single Oracle database and then expanded to multiple databases managed from a single interface.

Installation

The installation process outlined here is for the installation of HashiCorp Vault using the pre-compiled binary. For further installation instructions, refer to the online documentation at https://www.vaultproject.io/docs/install.

To install HashiCorp Vault, download the pre-compiled binary for the platform where it is going to run. In this case, the platform is Oracle Enterprise Linux (x86-64).

  1. Download the binary set for HashiCorp Vault (Open Source).
  2. Unzip the downloaded zip file into the directory from which HashiCorp Vault will run.
    $ unzip vault_1.5.2_linux_amd64.zip -d {{ directory }}
  3. Update the $PATH environment variable to include the location of the HashiCorp Vault binary. To manage HashiCorp Vault from the command line, execute the following:
    $ export PATH={{ directory }}:$PATH
  4. Verify the installation of HashiCorp Vault. The help command prints the commands and options used by HashiCorp Vault.
    $ vault -h
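The steps above unpack whatever zip was downloaded. The following POSIX shell script is an added example, not part of the paper, that performs the same unzip, PATH and verification steps but refuses to unpack the archive unless its SHA-256 digest matches the SHA256SUMS file HashiCorp publishes beside each release zip. The zip name follows the page's vault_1.5.2_linux_amd64.zip; the installation directory and the use of sha256sum, unzip and `vault version` for the final check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the paper's own procedure): install the HashiCorp Vault
# binary from a release zip only after verifying it against SHA256SUMS.
# Assumes GNU/BSD sha256sum, unzip and a SHA256SUMS file in the usual
# "<hex digest>  <file name>" format published next to the zip.

# verify_zip ZIP SUMS: succeed only when ZIP's sha256 equals its entry in SUMS
verify_zip() {
  zip=$1
  sums=$2
  name=$(basename "$zip")
  # pick the digest whose second column is exactly this file name
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$zip" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_vault ZIP SUMS DIR: verify, unzip into DIR, add DIR to PATH, confirm
# the binary runs (the paper uses "vault -h"; "vault version" is used here
# because its exit status is the installation check)
install_vault() {
  zip=$1
  sums=$2
  dir=$3
  verify_zip "$zip" "$sums" || return 1        # never unpack a mismatching archive
  mkdir -p "$dir" || return 1
  unzip -o "$zip" -d "$dir" >/dev/null || return 1
  PATH="$dir:$PATH"
  export PATH
  vault version >/dev/null 2>&1
}

# usage (assumed file names):
#   install_vault vault_1.5.2_linux_amd64.zip SHA256SUMS /opt/vault
```

The digest comparison is done before unzip runs, so a corrupted or substituted download never reaches the install directory or the PATH.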

Configure Oracle Database

To secure Oracle Database with HashiCorp Vault, some minimal items need to be established. One of these items is a dedicated user that acts as the primary user HashiCorp Vault requires to work against the database. This user is also known as the "vault root" user.
The Vault user needs to be created within an Oracle Pluggable Database (PDB). Example 1 shows what the vault root user should look like. This user will not own any database objects; it only logs in to the Oracle Pluggable Database and manages secrets for other users and service accounts.

Example 1: Vault Root User Creation

-- Dedicated account used by Vault to manage credentials of other users; it owns no objects
CREATE USER VAULTADMIN
  IDENTIFIED BY {{ Password }}
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  QUOTA UNLIMITED ON USERS
  ACCOUNT UNLOCK;

GRANT CONNECT TO VAULTADMIN;
GRANT RESOURCE TO VAULTADMIN;

GRANT CREATE SESSION TO VAULTADMIN;
GRANT SELECT ANY DICTIONARY TO VAULTADMIN;
GRANT SELECT ANY TABLE TO VAULTADMIN;
GRANT UNLIMITED TABLESPACE TO VAULTADMIN;
-- ALTER USER lets Vault set and rotate passwords for the accounts it manages
GRANT ALTER USER TO VAULTADMIN;
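Because the vault root user is the account every other managed credential depends on, it is worth confirming after creation that it holds exactly the privileges and roles granted in Example 1 and nothing more. The following POSIX shell script is an added example, not part of the paper: it queries DBA_SYS_PRIVS and DBA_ROLE_PRIVS for VAULTADMIN through sqlplus and compares the result against the grants in Example 1, reporting any extra ("+") or missing ("-") entries. The {{ dba_connect_string }} placeholder and the use of sqlplus -S are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the paper's own code): audit that VAULTADMIN holds exactly
# the grants from Example 1. Assumes sqlplus is on PATH and that the connect
# string placeholder below is replaced by a DBA connection to the PDB.

# The privileges and roles granted in Example 1, one per line
EXPECTED_PRIVS="ALTER USER
CONNECT
CREATE SESSION
RESOURCE
SELECT ANY DICTIONARY
SELECT ANY TABLE
UNLIMITED TABLESPACE"

# check_privs: reads one granted privilege or role per line on stdin and
# prints "+NAME" for grants not in Example 1 and "-NAME" for grants that are
# missing; returns 0 only when the two sets match exactly.
check_privs() {
  # capture stdin first: a $(...) inside the awk argument would otherwise read
  # from the printf pipe rather than from the function's own input
  actual=$(sed 's/[[:space:]]*$//; /^$/d')
  printf '%s\n' "$EXPECTED_PRIVS" | awk -v actual="$actual" '
    BEGIN {
      n = split(actual, a, "\n")
      for (i = 1; i <= n; i++) have[a[i]] = 1
    }
    { want[$0] = 1 }
    END {
      rc = 0
      for (p in want) if (!(p in have)) { print "-" p; rc = 1 }
      for (p in have) if (!(p in want)) { print "+" p; rc = 1 }
      exit rc
    }'
}

# audit_vault_user: pull the live grant list from the data dictionary and
# feed it to check_privs. Run inside the PDB where VAULTADMIN was created.
audit_vault_user() {
  conn=${1:-"{{ dba_connect_string }}"}   # placeholder, e.g. user/pw@pdb_service
  sqlplus -S "$conn" <<'EOF' | check_privs
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'VAULTADMIN'
UNION
SELECT granted_role FROM dba_role_privs WHERE grantee = 'VAULTADMIN'
ORDER BY 1;
EXIT
EOF
}

# usage: audit_vault_user "{{ dba_connect_string }}" && echo "VAULTADMIN grants match Example 1"
```

A non-zero exit with a "+DBA" line, for example, tells you someone widened the account beyond what Vault needs; a "-ALTER USER" line means Vault will fail when it tries to rotate a managed password.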

Note: HashiCorp Vault does not support the use of a common user (C##), preventing a user in the Container Database from being used.  If container database support is needed, the SYS or SYSTEM user needs to be configured as…

Table of Contents

Executive Summary
Installation
Configure Oracle Database
Configure HashiCorp Vault
Start HashiCorp Vault
Initialize HashiCorp Vault
Open HashiCorp Vault
Providing a License Key
Oracle Plug-In for HashiCorp Vault
Pre-Requisites
Define a Plug-in Directory
Download the Oracle Plug-In
Registering the Oracle Plug-In
Find the SHASUM
Write to Vault
Validating the Plug-In
Adding Credentials
Connection
Get Password