Security can be added to a new or to an existing Oracle NoSQL Database installation.
The following steps show how to add security to a single-host Oracle NoSQL Database deployment; the same sequence applies to a new or an existing store.
To install Oracle NoSQL Database securely:

1. Run the makebootconfig utility with the required -store-security option to set up the basic store configuration with security:

   java -jar KVHOME/lib/kvstore.jar makebootconfig \
       -root KVROOT -port 5000 \
       -admin 5001 -host node01 -harange 5010,5020 \
       -store-security configure -capacity 1

2. In this example, -store-security configure is used, so the security configuration utility (securityconfig) runs as part of the makebootconfig process and you are prompted for a password to use for your keystore file:

   Creating SSL keystore
   Enter a password for your keystore:

3. Enter a password for your keystore and then re-enter it for confirmation. In a Community Edition (CE) installation, for example, the securityconfig tool then generates the following security-related files automatically:

   Enter a password for your keystore: ***********
   Re-enter the password: ***********
   Created files:
       security/security.xml
       security/store.keys
       security/store.trust
       security/store.passwd
       security/client.security
       security/client.trust

   Note: In a multi-host store environment, the security directory and all files contained in it must be copied to each server that will host a Storage Node. That directory contains the store's SSL keystore and the password store protecting it, so copy it over an authenticated, encrypted channel and keep it readable only by the account that runs the Storage Node Agent.

4. Start the Storage Node Agent (SNA):

   nohup java -jar KVHOME/lib/kvstore.jar start -root KVROOT &

   Note: When a newly created store with a secure configuration is first started, there are no user definitions available against which to authenticate access. To reduce the risk of unauthorized access, the admin service accepts connections only from the host on which it is running. This measure is not a complete safeguard: any account with local access to that host can reach the admin, so do not give untrusted users local access to machines running KVStore. Perform steps 5, 6 and 7 immediately after this step to minimize the window in which the admin is accessible without full authentication. For more information on maintaining a secure store, see Guidelines for Securing the Configuration.
5. Start runadmin in security mode on the KVStore server host (node01), pointing it at the client.security file that securityconfig generated:

   java -jar KVHOME/lib/kvstore.jar \
       runadmin -port 5000 -host node01 \
       -security KVROOT/security/client.security

6. At the kv-> prompt, use the configure -name command to specify the name of the KVStore that you want to configure:

   kv-> configure -name mystore
   Store configured: mystore

7. Create a user. In this case, user root is defined with administrative privileges (-admin):

   kv-> plan create-user -name root -admin -wait
   Enter the new password: ********
   Re-enter the new password: ********
   Executed plan 6, waiting for completion...
   Plan 6 ended successfully

   For more information on user creation and administration, see User management.

8. At this point, it is possible to connect to the store as the root user. To log in, use either the -username <user> or the -security <path to security file> runadmin argument.

   In this example, a security file (mylogin.txt) is used:

   java -jar KVHOME/lib/kvstore.jar runadmin -security mylogin.txt

   The file mylogin.txt should be a copy of the client.security file with additional property settings for authentication. The file would then contain content like this:

   oracle.kv.auth.username=root
   oracle.kv.auth.pwdfile.file=login.pwd
   oracle.kv.transport=ssl
   oracle.kv.ssl.trustStore=client.trust
   oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
   oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)

   The password file named by oracle.kv.auth.pwdfile.file holds the root user's credential, so protect it like a private key: it should be readable only by the account that runs the client. Note also that this example enables TLSv1 and TLSv1.1, both of which are deprecated; unless an old client requires them, restrict oracle.kv.ssl.protocols to TLSv1.2 or newer.

   For more information, see User login.
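The following POSIX shell script is an added example and is not part of the Oracle NoSQL Database documentation. It builds a mylogin.txt-style login file for step 8 by copying the store's client.security and appending the two authentication properties shown above, and it performs the two checks a practitioner would want before handing the file to runadmin -security: the password store file must not be readable by group or others, and oracle.kv.ssl.protocols must not enable TLSv1 or TLSv1.1 (both deprecated by RFC 8996), so the protocol list from the page's example is flagged. The user name, all file paths and the sample client.security content in demo() are assumptions, and the password store file is assumed to have been created already.

```shell
#!/bin/sh
# Added example, not from the Oracle NoSQL Database documentation: build a
# mylogin.txt-style client login file from client.security and sanity-check
# it. User name, paths and the sample client.security content are assumptions.
set -u

# check_private FILE: succeed only when FILE is a regular file with no
# group/other permission bits (mode 600 or stricter). The password store named
# by oracle.kv.auth.pwdfile.file is the only secret in this setup, so other
# local accounts must not be able to read it.
check_private() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) echo "$f: mode $mode is accessible to group/others; chmod 600 it" >&2
           return 1 ;;
    esac
}

# check_tls LOGINFILE: fail if oracle.kv.ssl.protocols enables TLSv1 or
# TLSv1.1; succeed when only TLSv1.2 or newer is listed, or when the property
# is absent (the store default then applies).
check_tls() {
    protos=$(sed -n 's/^oracle\.kv\.ssl\.protocols=//p' "$1")
    case ",$protos," in
        *,TLSv1,*|*,TLSv1.1,*)
            echo "$1: deprecated TLS versions enabled: $protos" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# make_login_file CLIENT_SECURITY USER PWDFILE OUT
# Copies client.security (transport, trust store, hostname verifier) and
# appends the username and password-file properties. Any auth lines already in
# the source are dropped so the output has exactly one username/pwdfile pair.
# Returns 1 if the password file is exposed or a deprecated TLS version is on.
make_login_file() {
    src=$1; user=$2; pwdfile=$3; out=$4
    [ -f "$src" ] || { echo "$src: missing client.security" >&2; return 1; }
    check_private "$pwdfile" || return 1
    {
        grep -v '^oracle\.kv\.auth\.' "$src"
        printf 'oracle.kv.auth.username=%s\n' "$user"
        printf 'oracle.kv.auth.pwdfile.file=%s\n' "$pwdfile"
    } > "$out"
    chmod 600 "$out"
    check_tls "$out"
}

# demo: constructed client.security and password file in a scratch directory.
# Prints the generated login file and returns the status of make_login_file.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/client.security" <<'EOF'
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
EOF
    # Stand-in for a password store; only its permissions matter here.
    : > "$d/login.pwd"; chmod 600 "$d/login.pwd"
    make_login_file "$d/client.security" root "$d/login.pwd" "$d/mylogin.txt"
    rc=$?
    cat "$d/mylogin.txt" 2>/dev/null
    rm -rf "$d"
    return $rc
}

demo
```

make_login_file writes the file even when check_tls fails, so that the offending protocol list can be inspected, but it returns non-zero; a wrapper should treat that as "do not use this file yet" and trim oracle.kv.ssl.protocols to TLSv1.2 or newer first.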