Multiple Node Secure Deployment

Adding Security to a New Installation
Adding Security to an Existing Installation

The following examples describe how to add security to a new or to an existing Oracle NoSQL Database multiple host deployment.

Adding Security to a New Installation

To install an Oracle NoSQL Database three node, capacity=3 (3x3) secure deployment:

  1. Run the makebootconfig utility with the required -store-security option to set up the basic store configuration with security:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar makebootconfig \
    -root KVROOT -port 5000 \
    -admin 5001 -host node01 -harange 5010,5020 \
    -store-security configure -pwdmgr wallet -capacity 3
  2. In this example, -store-security configure is used, so the security configuration utility is run as part of the makebootconfig process and you are prompted for a password to use for your keystore file:

    Enter a password for the Java KeyStore: 
  3. Enter a password for your store and then reenter it for verification. For example, using wallet, the securityconfig tool will automatically generate the following security related files:

    Enter a password for the Java KeyStore: ***********
    Re-enter the KeyStore password for verification: ***********
    Created files:
    security/security.xml
    security/store.keys
    security/store.trust
    security/store.wallet/cwallet.sso 
    security/client.security 
    security/client.trust 
  4. In a multi-host store environment, the security directory and all files contained in it should be copied from the first node to each server that will host a Storage Node, to setup internal cluster authentication. For example, the following commands assume that the different nodes are visible and accessible on the current node (node01):

    cp -R node01/KVROOT/security node02/KVROOT/
    cp -R node01/KVROOT/security node03/KVROOT/ 

    Note

    You may need to use a remote copying command, like scp, to do the copying if the files for the different nodes are not visible on the current node.

  5. Enable security on the other two nodes using the -store-security enable command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar makebootconfig \
    -root KVROOT \
    -host node02 \
    -port 6000 \
    -admin 6001 \
    -harange 6010,6020 \
    -capacity 3 \
    -store-security enable \
    -pwdmgr wallet
    
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar makebootconfig \
    -root KVROOT \
    -host node03 \
    -port 7000 \
    -admin 7001 \
    -harange 7010,7020 \
    -capacity 3 \
    -store-security enable \
    -pwdmgr wallet
  6. Start the Storage Node Agent (SNA) on each node:

    nohup java -Xmx256m -Xms256m \ 
    -jar KVHOME/lib/kvstore.jar start -root KVROOT&
  7. Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

    java -Xmx256m -Xms256m -jar KVHOME/lib/kvstore.jar \
    runadmin -port 5000 -host node01 \
    -security KVROOT/security/client.security
    Logged in admin as anonymous
  8. Use the configure -name command to specify the name of the KVStore that you want to configure:

    kv-> configure -name mystore
    Store configured: mystore 
  9. Create an admin user. In this case, user root is defined:

    kv-> plan create-user -name root -admin -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 6, waiting for completion...
    Plan 6 ended successfully  

    For more information on user creation and administration, see User management.

  10. Create the wallet to enable client credentials for the admin user (root):

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig \
    wallet create -dir KVROOT/security/login.wallet 
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
    -dir KVROOT/security/login.wallet -set -alias root 
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created
    OK 

    Note

    The password must match the one set for the admin in the previous step.

  11. At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

    In this example, a security file (adminlogin.txt) is used. To login, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar runadmin -port 5000 \
    -host localhost -security adminlogin.txt 
    Logged in admin as root

    The file adminlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=KVROOT/security/login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=KVROOT/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.

  12. Once logged in as admin, you can create some users:

    kv-> plan create-user -name user1 -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 7, waiting for completion...
    Plan 7 ended successfully 
    kv-> plan create-user -name user2 -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 8, waiting for completion...
    Plan 8 ended successfully 
  13. Create the wallet to enable client credentials for each user. Typically you will reuse this wallet for all your regular users:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig \
    wallet create -dir KVROOT/security/users.wallet 
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
    -dir KVROOT/security/users.wallet -set -alias user1 
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created
    OK
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
    -dir KVROOT/security/users.wallet -set -alias user2
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created OK

    Note

    Each password must match the one set for each user in the previous step. This wallet is independent from the admin one. It is possible to store admin/user passwords using the same wallet.

  14. At this point, it is possible to connect to the store as a user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

    In this example, a security file (userlogin.txt) is used. To login, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar runadmin -port 5000 \
    -host localhost -security userlogin.txt 
    Logged in admin as user1

    The file userlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=user1
    oracle.kv.auth.wallet.dir=KVROOT/security/users.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=KVROOT/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.

Adding Security to an Existing Installation

To add security to an existing three node, capacity=3 (3x3) Oracle NoSQL Database installation:

  1. Shut down the KVStore instance on each node:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar stop \
    -root KVROOT
  2. Run the securityconfig utility to set up the basic store configuration with security:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig
  3. Use the config create command with the -pwdmgr option to specify the mechanism used to hold passwords that is needed for access to the stores. In this case, Oracle Wallet is used:

    config create -pwdmgr wallet -root KVROOT
    Enter a password for the Java KeyStore:
  4. Enter a password for your store and then reenter it for verification. The configuration tool will automatically generate some security related files:

    Enter a password for the Java KeyStore: ***********
    Re-enter the KeyStore password for verification: ***********
    Created files:
    security/security.xml
    security/store.keys
    security/store.trust
    security/store.wallet/cwallet.sso 
    security/client.security 
    security/client.trust  
  5. In a multi-host store environment, the security directory and all files contained in it should be copied from the first node to each server that will host a Storage Node, to setup internal cluster authentication. For example, the following commands assume that the different nodes are visible and accessible on the current node (node01):

    cp -R node01/KVROOT/security node02/KVROOT/
    cp -R node01/KVROOT/security node03/KVROOT/ 

    Note

    You may need to use a remote copying command, like scp, to do the copying if the files for the different nodes are not visible on the current node.

  6. Use the config add-security command on each node to add the security configuration you just created:

    security-> config add-security -root KVROOT -secdir security 

    Note

    When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.

  7. Start the Storage Node Agent (SNA) on each node:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar start -root KVROOT&
  8. Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar \
    runadmin -port 5000 -host node01 \
    -security KVROOT/security/client.security 

    This command sets SSL as a connection method and names a copy of the generated truststore file (client.security). For more information on SSL properties, see SSL communication properties.

  9. Create an admin user. In this case, user root is defined:

    kv-> plan create-user -name root -admin -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 8, waiting for completion...
    Plan 8 ended successfully 

    For more information on user creation and administration, see User management.

  10. Create the wallet to enable client credentials for the admin user (root):

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig \
    wallet create -dir KVROOT/security/login.wallet 
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
    -dir KVROOT/security/login.wallet -set -alias root 
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created
    OK 

    Note

    The password must match the one set for the admin in the previous step.

  11. At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

    In this example, the oracle.kv.security property is used. To login use the following command:

    java -Xmx256m -Xms256m \
    -Doracle.kv.security=adminlogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin -port 5000 -host localhost
    Logged in admin as root >

    The file adminlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=KVROOT/security/login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=KVROOT/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.