Fortanix DSM - Oracle Cloud Infrastructure Group Setup Guide


1.0 Introduction

This article describes how to set up a Cloud Data Control (CDC) group for the Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) using Fortanix Data Security Manager (DSM).

The Fortanix solution for OCI KMS offers Cloud Native Key Management (CNKMS) and Bring Your Own Key (BYOK), together with complete lifecycle management and automation of OCI keys, so that users can manage all keys centrally and securely.

This guide will walk you through setting up an OCI CDC group that will be used for both CNKMS and BYOK workflows.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. For more information, refer to User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.0 Fortanix DSM OCI CDC Group Setup

4.1 Create an OCI Vault

Before connecting Fortanix DSM to OCI, ensure that a Vault is already set up in your Oracle tenancy to hold DSM-managed keys.

  1. Log in to the Oracle Cloud console and navigate to Menu → Identity & Security → Vault → Vaults. For more information on how to create Vaults in the Oracle Cloud console, refer to the official Oracle Cloud documentation.

    NOTE

    Each Vault resides within a specific Compartment and Region. Ensure that the same values are configured later in the OCI CDC group in Fortanix DSM.

  2. Select the Vault that you want Fortanix DSM to manage.

  3. Click SAVE to store the settings.

4.2 Retrieve OCI Values for Fortanix DSM Integration

Before configuring the OCI CDC group in Fortanix DSM, obtain the following values from the Oracle Cloud console.

4.2.1 User OCID

Every user in OCI has a unique OCID. Fortanix DSM uses this identifier to authenticate the user and perform operations in OCI.

Perform the following steps to retrieve the User OCID:

  1. In the OCI console, click your User Profile icon in the top-right corner.

  2. Select User settings.

  3. On the User information page, copy the value of the OCID field.

4.2.2 Region

Each OCI deployment resides in a specific region. Fortanix DSM requires the region identifier to communicate with the appropriate OCI Vault endpoint.

Perform the following steps to retrieve the Region identifier:

  1. In the Oracle Cloud console header, click the Regions drop down list.

  2. Select Manage regions. A list of all available regions appears.

  3. Copy the Region identifier corresponding to the active region.

4.2.3 Tenant OCID (Compartment OCID)

A compartment is used to organize and manage resources in OCI. The tenancy OCID is the OCID of the root compartment; if the Vault resides in a child compartment, copy that compartment's OCID instead, so that it matches the Compartment noted in Section 4.1. If you do not already have a compartment, refer to the official Oracle Cloud documentation to create one.

Perform the following steps to retrieve the Compartment OCID:

  1. In the Oracle Cloud console search bar, type Compartments and press Enter.

  2. Select the required Compartment from the results.

  3. In the Details tab, copy the value of the OCID field.

4.3 Configure an OCI CDC Group

After obtaining the OCI values, perform the following steps to create an OCI CDC group in Fortanix DSM:

  1. Navigate to the Groups menu in the DSM left navigation panel and click the + button on the Groups page to create a new group.

  2. In the Add new group form, do the following:

    1. Enter a name and description for the group.

    2. Click LINK HSM/EXTERNAL KMS to select the OCI KMS as the external KMS type, so that Fortanix DSM can connect to it.

    3. Select the OCI Vault option from the drop down menu.

    4. On the Adding new group page, enter the OCI values retrieved in Section 4.2: the User OCID, the Region identifier, and the Compartment OCID of the compartment that holds the Vault.

    5. In the Authentication section, click GENERATE API KEY to create a new RSA key pair in Fortanix DSM. If you already have a key pair in Fortanix DSM, you can instead select it from the API Key drop down list; its public half is the signing key that you register in OCI.

    6. Once the public key appears in the text box below, click the copy button to copy it, then log in to the Oracle Cloud console and follow the steps in Section 4.4: Configure OCI API Key to register it.

  3. Click TEST CONNECTION to test your OCI KMS connection. If Fortanix DSM connects to OCI using the provided OCI credentials, it shows the status as “Connected” with a green tick and fetches the Vault details associated with the provided OCID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign.

  4. Click SAVE to store the configuration securely in Fortanix DSM.

4.4 Configure OCI API Key

Perform the following steps to register the API key in OCI for key-based authentication. Only the public half of the key pair leaves Fortanix DSM; the private key remains in Fortanix DSM, which uses it to sign its requests to OCI.

  1. Log in to the Oracle Cloud console.

  2. In the upper-right corner of the screen, click your User Profile icon and select User settings.

  3. In the Tokens and keys section, click Add API key. This allows Fortanix DSM to establish a secure connection to OCI Vault using key-based authentication.

  4. In the Add API key window, select the Paste a public key option and paste the public key copied in Step 2.6 of Section 4.3: Configure an OCI CDC Group. For more information on API key limitations, refer to Fortanix DSM - Oracle Cloud Infrastructure Troubleshooting.

  5. Click Add to register the key. Oracle Cloud generates and displays the following information:

    • Fingerprint: The unique identifier of the uploaded public key.

    • Tenant OCID: The Oracle tenancy identifier associated with your account.

    • User OCID: The unique Oracle Cloud user identifier.

    • Region: The geographic region where your OCI Vault resides.

Once the key is created, return to the Fortanix DSM UI and click TEST CONNECTION to validate the configuration.

NOTE

After uploading the public key, it may take a few minutes for the change to reflect and show a "success" status in Fortanix DSM.
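The Fingerprint that OCI displays in Step 5 is derived from the uploaded public key, so it can be recomputed locally and compared with the OCI console before clicking TEST CONNECTION; a mismatch means the wrong key, or a key in the wrong PEM encoding, was pasted. The following added example (not Fortanix or Oracle code) computes the fingerprint the way OCI defines it: the MD5 digest of the DER-encoded public key (SubjectPublicKeyInfo), written as colon-separated lowercase hex, which is what `openssl rsa -pubin -in key.pem -outform DER | openssl md5 -c` prints. The embedded PEM is a constructed placeholder whose body is not a real RSA key; it exists only to exercise the function offline, and a PKCS#1 "RSA PUBLIC KEY" block is deliberately rejected because it hashes to a different value.

```python
"""Recompute the OCI API-key fingerprint from the public key copied out of Fortanix DSM.

Added example, not Fortanix or Oracle code. OCI defines the fingerprint as
MD5(DER-encoded SubjectPublicKeyInfo) rendered as colon-separated hex, equivalent to:
    openssl rsa -pubin -in key.pem -outform DER | openssl md5 -c
"""
import base64
import hashlib
import re

# Only the SubjectPublicKeyInfo ("PUBLIC KEY") PEM form is accepted; the PKCS#1
# "RSA PUBLIC KEY" form wraps different bytes and would give a different digest.
_SPKI_PEM = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def oci_fingerprint(pem: str) -> str:
    """Return the fingerprint OCI shows for this public key, e.g. '12:34:...:ef'."""
    match = _SPKI_PEM.search(pem)
    if not match:
        raise ValueError("expected a '-----BEGIN PUBLIC KEY-----' block; "
                         "convert PKCS#1 'RSA PUBLIC KEY' PEM to SubjectPublicKeyInfo first")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, shown_in_oci: str) -> bool:
    """True if the fingerprint displayed by the OCI console matches the pasted key."""
    return oci_fingerprint(pem) == shown_in_oci.strip().lower()


# Constructed placeholder: the base64 body decodes to b"abc", not to a real key.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
YWJj
-----END PUBLIC KEY-----
"""

# Constructed placeholder in the PKCS#1 framing that must be rejected.
PKCS1_PEM = """-----BEGIN RSA PUBLIC KEY-----
YWJj
-----END RSA PUBLIC KEY-----
"""

if __name__ == "__main__":
    # In practice: oci_fingerprint(open("dsm_public_key.pem").read())
    print(oci_fingerprint(SAMPLE_PEM))
```

Compare the returned string with the Fingerprint field on the OCI API key details page; if it differs, re-copy the public key from the Authentication section of the group and add it again rather than editing the DSM-side credential.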

4.5 Not Connected Scenario

When you click TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to OCI. If that happens, it displays a “Not Connected” status with a warning symbol. You can save the details of the new connection as provided and edit them later.

4.6 HSM/KMS Tab

The group details now include an HSM/KMS tab displaying information about your KMS.

The HSM/KMS tab displays the Region and Compartment ID for the configured OCI Vault. The Authentication section of the tab also displays the Credential ID and the Public half of API Key Pair (upload to OCI), together with the ROTATE API KEY PAIR NOW option to rotate the API key pair. For more information on how to rotate the API key pair, refer to Section 4.6.1: Rotate API Key Pair.

You can click EDIT to update the configuration or DELETE HSM/KMS to remove the OCI Vault mapping.

After editing and saving, click the TEST CONNECTION button to check the connection.

Click SYNC KEYS to fetch or refresh keys from the OCI Vault. During synchronization, Fortanix DSM shows “Scanning for keys” while it retrieves any new keys created on the OCI side.

4.6.1 Rotate API Key Pair

You can rotate the Oracle API key pair used to authenticate Fortanix DSM with OCI Vault. This replaces the existing RSA key pair with a new one and requires the updated public key to be uploaded to the user’s OCI profile.

Perform the following steps to rotate the API key pair:

  1. In the OCI CDC group detailed view, navigate to the HSM/KMS tab.

  2. Click ROTATE API KEY PAIR NOW.

  3. Fortanix DSM generates a new RSA key pair and updates the credential in the OCI CDC group.

  4. Copy the new Public half of API Key Pair (upload to OCI) value using the copy button.

  5. Log in to the Oracle Cloud console, navigate to User settings → API keys, and paste the new public key to register it, as described in Section 4.4: Configure OCI API Key.

  6. Once the public key is uploaded, return to Fortanix DSM UI and click TEST CONNECTION to verify the updated credential.

NOTE

  • After rotation, the old key pair becomes inactive in Fortanix DSM. You must upload the new public key to OCI before performing any further BYOK operations.

  • If you do not upload the new public key to OCI after the rotation, the connection test or any subsequent BYOK operation fails with the error “The required information to complete authentication was not provided or was incorrect”.

  • Once TEST CONNECTION succeeds with the new key, delete the superseded public key from the user's API keys in the Oracle Cloud console. The rotated-out key is no longer used by Fortanix DSM, and OCI limits each user to three API signing keys, so leaving old keys registered both widens the set of accepted credentials and can block the next rotation.

4.7 Groups Table View

After saving the group details, you can view the list of all groups and notice the special symbol next to the newly created group. This symbol indicates that it is an OCI CDC group, distinguishing it from other groups.

4.8 User’s View

Navigate to the Users menu item in the DSM navigation panel and click the user that says “You” on the Users page to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to OCI KMS, displaying their status as "connected" or "not connected."

5.0 Oracle Cloud Infrastructure Group BYOK and Cloud Native Key Management

For more information on how to perform BYOK key lifecycle management in OCI using Fortanix DSM, refer to Fortanix DSM - Oracle Cloud Infrastructure Bring Your Own Key.

For more information on how to perform native key lifecycle management in OCI using Fortanix DSM, refer to Fortanix DSM - Oracle Cloud Infrastructure Cloud Native Key Management.