Adding Security to an Existing Installation

To add security to an existing Oracle NoSQL Database installation:

  1. Shut down the KVStore instance:

    java -jar KVHOME/lib/kvstore.jar stop \
    -root KVROOT

  2. Run the securityconfig utility to set up the basic store configuration with security:

    java -jar /home/kvuser/kvstore/lib/kvstore.jar securityconfig

  3. Use the config create command with the -pwdmgr option to specify the mechanism used to hold the passwords that are needed for access to the stores. In this case, Oracle Wallet is used:

    config create -pwdmgr wallet -root KVROOT
    Creating SSL keystore 
    Enter a password for your keystore: 
  4. Enter a password for your store and then re-enter it for confirmation. The configuration tool automatically generates some security-related files:

    Enter a password for your keystore: ***********
    Re-enter the password: ***********
    Created files:
    security/security.xml
    security/store.keys
    security/store.trust
    security/store.wallet/cwallet.sso 
    security/client.security 
    security/client.trust  

    Note

    In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node.

  5. Use the config add-security command to add the security configuration you just created:

    config add-security \
    -root KVROOT -secdir security  \
    -config config.xml 

    Note

    When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.

  6. Start the Storage Node Agent (SNA):

    nohup java -jar KVHOME/lib/kvstore.jar start -root KVROOT &

  7. Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

    java -jar KVHOME/lib/kvstore.jar \
    runadmin -port 5000 -host node01 \
    -security KVROOT/security/client.security

    This command sets SSL as a connection method and names a copy of the generated truststore file (client.security). For more information on SSL properties, see SSL communication properties.

  8. Create a user. In this case, user root is defined:

    kv-> plan create-user -name root -admin -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 8, waiting for completion...
    Plan 8 ended successfully 

    For more information on user creation and administration, see User management.

  9. At this point, it is possible to connect to the store as the root user. To log in, you can use either the -username <user> or the -security <path to security file> runadmin argument described earlier in this section.

    In this example, the oracle.kv.security property is used. To log in, use the following command:

    java -Doracle.kv.security=mylogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin 

    The file mylogin.txt should be a copy of the client.security file with additional property settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.
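
The following check is an added example, not part of the original procedure or of Oracle's tooling: a shell function that audits a client login file such as mylogin.txt for the transport and truststore settings shown in step 9, and flags TLSv1 and TLSv1.1, which RFC 8996 deprecates. The function names kv_prop and audit_kv_login are hypothetical, and the sample file is constructed from the listing above.

```shell
#!/bin/sh
# Added example: audit a client login file such as mylogin.txt.

# kv_prop FILE KEY: print the value of KEY (last occurrence wins).
# Assumes the plain key=value form used in the listing above.
kv_prop() {
    awk -v k="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

# audit_kv_login FILE: print findings; return 0 only if there are none.
audit_kv_login() {
    f=$1; rc=0
    if [ "$(kv_prop "$f" oracle.kv.transport)" != ssl ]; then
        echo "FAIL: oracle.kv.transport is not ssl"; rc=1
    fi
    if [ -z "$(kv_prop "$f" oracle.kv.ssl.trustStore)" ]; then
        echo "FAIL: oracle.kv.ssl.trustStore is not set"; rc=1
    fi
    # Walk the comma-separated protocol list and flag deprecated entries.
    for p in $(kv_prop "$f" oracle.kv.ssl.protocols | tr ',' ' '); do
        case $p in
            TLSv1|TLSv1.1|SSLv3)
                echo "WARN: deprecated protocol enabled: $p"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on a constructed copy of the mylogin.txt content shown above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
EOF
audit_kv_login "$demo" || echo "findings reported for $demo"
rm -f "$demo"
```

For the constructed sample, the audit reports the TLSv1.1 and TLSv1 entries; a protocols line that lists only TLSv1.2 passes.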