Creating a Private Endpoint

Create a Private Endpoint for an external key management resource.

You can configure a private endpoint to represent the external key management resource in the VCN and access the OCI KMS service.
Note

Explicitly delete failed Private Endpoints to avoid an allocation issue: failed endpoints continue to count against your limit and can exhaust it even when no active private endpoints exist.
    1. Open the Oracle Cloud Console navigation menu and click Identity & Security. Under Key Management and Secret Management, click Private Endpoints.
    2. In the Private Endpoints page, click Create Private Endpoint.
    3. In the Create Private Endpoint page, provide the following details:
      • Type. Displays the external key management private endpoint type as "External." This is the only endpoint type that OCI KMS supports.
      • Name. Enter a name for the external key management private endpoint.
      • Description. Provide a short description.
      • Virtual Cloud Network. Select a VCN from the drop-down list.
      • Subnet. The subnet value gets auto-populated based on the VCN that you select.
      • External Key Management IP address. Based on your TLS connectivity configuration, provide either the static IP address of the Thales CipherTrust Manager or the API Gateway Private IP address.
      • Port. Enter the external key management resource port number. For static-IP-address-based TLS connectivity, provide the port number of the Thales CipherTrust Manager server, for example 443. For FQDN-based TLS connectivity, leave the field blank.
      • CA Bundle. The external CA bundle is a PEM-formatted certificate file. For more information about certificate authorities, see Certificate Authority.
        Note

        Based on your TLS connectivity configuration, use the CA bundle of Thales CTM or OCI API Gateway.
    4. Click Submit.

      Once you create a private endpoint for external key management, you can open the Private Endpoint Details page to confirm that the endpoint is in the "ACTIVE" state. You can use the actions at the top of the page to rename the endpoint, move the resource, add tags, or delete the endpoint.

  • Open a command prompt and run oci kms ekm ekms-private-endpoint create to create a new private endpoint:

    oci kms ekm ekms-private-endpoint create --ca-bundle <ca_bundle> --compartment-id | -c <compartment_id> --display-name <name> --external-key-manager-ip <ip_address> --subnet-id <subnet_id> --port <port> --defined-tags <tags> --freeform-tags <tags>

    For example:

    oci kms ekm ekms-private-endpoint create \
      --ca-bundle "-----BEGIN CERTIFICATE-----\nMIIFrjCCA5agAwIBAgIQAsMYA04ijAErxlDri6cIa/\n-----END CERTIFICATE-----" \
      --compartment-id "ocid1.compartment.region1..aaaaaaaaiexample6mjdbzlsxf576zgtlbi3" \
      --display-name "Example EKMS PE" \
      --external-key-manager-ip 1.2.3.4 \
      --subnet-id "ocid1.subnet.region1.sea.aaaaaaexamplenpse5gupw56s5" \
      --freeform-tags '{"key": "value"}' \
      --port 6758

    Avoid entering confidential information.

    For a complete list of flags and variable options for Vault CLI commands, see Command Line Reference.

  • Run the CreateEkmsPrivateEndpoint operation to create a private endpoint for connecting External KMS to Thales CipherTrust Manager.

    Note

    Each region has a unique endpoint for create, update, and list operations for secrets. This endpoint is referred to as the control plane URL or secret management endpoint. Each region also has a unique endpoint for operations related to retrieving secret contents. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
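The CLI call above takes the CA bundle as one "\n"-escaped string and applies different port rules depending on the TLS connectivity mode, which is easy to get wrong by hand. The following shell helpers are an added example, not Oracle's code: they convert a PEM file into the escaped --ca-bundle value, check the external key manager IP and the port rule stated on this page (a port is required for static-IP connectivity and must be blank for FQDN connectivity), and assemble the create command for review without executing it. The function names, the mode labels static-ip and fqdn, and the sample inputs are constructed for this example; the flag names are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight checks for
# "oci kms ekm ekms-private-endpoint create". Only flag names from this page
# are used; function names, mode labels and sample inputs are constructed.

# Turn a PEM CA bundle file into the single-line, "\n"-escaped string that the
# CLI example passes to --ca-bundle. Fails if the file does not look like PEM,
# which catches passing the wrong file (for example a key or a DER blob).
pem_to_cli_arg() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
  # Join the lines with a literal backslash-n; no trailing newline is emitted.
  awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print $0 }' "$1"
}

# Accept only a dotted-quad IPv4 address: the page expects either the Thales
# CipherTrust Manager IP or the API Gateway private IP in this field.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Port rule from the page: static-IP TLS connectivity needs the CTM port
# (for example 443); FQDN-based connectivity leaves the port blank.
validate_port() {
  case "$1" in
    static-ip)
      case "$2" in ''|*[!0-9]*) return 1 ;; esac
      [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
      ;;
    fqdn) [ -z "$2" ] ;;
    *) return 1 ;;
  esac
}

# Assemble the create command so it can be reviewed before running it.
# Arguments: mode compartment_ocid subnet_ocid display_name ip port bundle_file
# Nothing is executed; the command line is printed on stdout.
build_create_cmd() {
  mode=$1 compartment=$2 subnet=$3 name=$4 ip=$5 port=$6 bundle=$7
  is_ipv4 "$ip" || return 1
  validate_port "$mode" "$port" || return 1
  ca=$(pem_to_cli_arg "$bundle") || return 1
  cmd="oci kms ekm ekms-private-endpoint create"
  cmd="$cmd --compartment-id \"$compartment\" --subnet-id \"$subnet\""
  cmd="$cmd --display-name \"$name\" --external-key-manager-ip $ip"
  cmd="$cmd --ca-bundle \"$ca\""
  [ -n "$port" ] && cmd="$cmd --port $port"
  printf '%s\n' "$cmd"
}

# Usage (constructed inputs): print the command for a static-IP setup.
# build_create_cmd static-ip "$COMPARTMENT_OCID" "$SUBNET_OCID" \
#   "Example EKMS PE" 10.0.0.7 443 ./ctm-ca-bundle.pem
```

Review the printed command, then run it; after it returns, confirm on the Private Endpoint Details page that the endpoint reaches the "ACTIVE" state and delete it if it fails, as the note at the top of this page requires.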