Chapter 6. Encryption

Table of Contents

SSL model
SSL communication properties

Encryption of network data provides data privacy so that unauthorized parties are not able to view plaintext data as it passes over the network.

Oracle NoSQL Database uses SSL-based encryption to encrypt network traffic between applications and the server, command line-utilities and the server, as well as between server components.

Note

JMX access requires the use of SSL. The web Admin interface does not operate over SSL.

SSL model

Oracle NoSQL Database uses a simple SSL key management strategy. A single, shared, RSA key is used to protect communication. In this shared key model, you must be sure that there is a master copy of the security directory and that it gets copied to each server. You should not run makebootconfig with the -store-security configure option on all servers. Most servers should have the -store-security enable option specified in their makebootconfig command.

The shared key has an associated self-signed certificate with a Subject Distinguished Name that is not server-specific. The automatically-created certificates are generated with the Distinguished Name: CN=NoSQL.

Each server component listens on SSL interfaces and presents the shared certificate to clients and other servers that connect to it, as proof of its authenticity. Each client and server component uses a Java truststore containing a copy of the shared certificate to validate the certificate presented by servers.

When accessing a NoSQL instance that is secured using SSL/TLS, you must specify at least the following information:

  1. You must specify that the client will connect using SSL. This is done by setting the security property oracle.kv.transport to "ssl".

  2. You must specify the java truststore file that is used to validate the server certificate. This is done by setting the security property oracle.kv.ssl.trustStore.

    For example, to start runadmin in security mode use the following command:

    java -Doracle.kv.security=mylogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin  

    where the file mylogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    Note

    If you fail to correctly specify the oracle.kv.transport property or the truststore, the client will fail to connect to the server.