Chapter 3. Performing a Secure Oracle NoSQL Database Installation

Table of Contents

Single Node Secure Deployment
Adding Security to a New Installation
Adding Security to an Existing Installation
Multiple Node Secure Deployment
Adding Security to a New Installation
Adding Security to an Existing Installation

It is possible to add security to a new or to an existing Oracle NoSQL Database installation.

To add security to a new or to an existing Oracle NoSQL Database single host deployment, see the next section. For multiple node deployments, see Multiple Node Secure Deployment.

Single Node Secure Deployment

The following examples describe how to add security to a new or to an existing Oracle NoSQL Database single host deployment.

Adding Security to a New Installation

To install Oracle NoSQL Database securely:

  1. Run the makebootconfig utility with the required -store-security option to set up the basic store configuration with security:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar makebootconfig \
    -root KVROOT -port 5000 \
    -admin 5001 -host node01 -harange 5010,5020 \
    -store-security configure -pwdmgr pwdfile -capacity 1 
  2. In this example, -store-security configure is used, so the security configuration utility is run as part of the makebootconfig process and you are prompted for a password to use for your keystore file:

    Enter a password for the Java KeyStore: 
  3. Enter a password for your store and then reenter it for verification. In this case, the password file is used, and the securityconfig tool will automatically generate the following security related files:

    Enter a password for the Java KeyStore: ***********
    Re-enter the KeyStore password for verification: ***********
    Created files:
    security/client.trust
    security/client.security 
    security/store.keys
    security/store.trust
    security/store.passwd
    security/security.xml 

    Note

    In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node.

  4. Start the Storage Node Agent (SNA):

    nohup java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar start -root KVROOT&

    When a newly created store with a secure configuration is first started, there are no user definitions available against which to authenticate access. In order to reduce risk of unauthorized access, an admin will only allow you to connect to it from the host on which it is running. This security measure is not a complete safeguard against unauthorized access. It is important that you do not provide local access to machines running KVStore. In addition, you should perform steps 5, 6 and 7 soon after this step in order to minimize the time period in which the admin might be accessible without full authentication. For more information on maintaining a secure store see Guidelines for Securing the Configuration.

  5. Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar \
    runadmin -port 5000 -host node01 \
    -security KVROOT/security/client.security
    Logged in admin as anonymous 
  6. Use the configure -name command to specify the name of the KVStore that you want to configure:

    kv-> configure -name mystore
    Store configured: mystore 
  7. Create an admin user. In this case, user root is defined:

    kv-> plan create-user -name root -admin -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 6, waiting for completion...
    Plan 6 ended successfully  

    For more information on user creation and administration, see User management.

  8. Create a new password file to store the credentials needed to allow clients to login as the admin user (root):

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig \
    pwdfile create -file KVROOT/security/login.passwd
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig pwdfile secret \
    -file KVROOT/security/login.passwd -set -alias root 
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created
    OK

    Note

    The password must match the one set for the admin in the previous step.

    For more information on user creation and administration, see User management.

  9. At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

    In this example, a security file (mylogin.txt) is used. To login, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar runadmin -port 5000 \
    -host localhost -security mylogin.txt 
    Logged in admin as root 

    The file mylogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.pwdfile.file=KVROOT/security/login.passwd
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=KVROOT/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.

Adding Security to an Existing Installation

To add security to an existing Oracle NoSQL Database installation:

  1. Shut down the KVStore instance:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar stop \
    -root KVROOT
  2. Run the securityconfig utility to set up the basic store configuration with security:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig
  3. Use the config create command with the -pwdmgr option to specify the mechanism used to hold passwords that is needed for access to the stores. In this case, Oracle Wallet is used. Oracle Wallet is only available in the Oracle NoSQL Database EE version. CE deployments should use the pwdfile option instead.

    config create -pwdmgr wallet -root KVROOT
    Enter a password for the Java KeyStore: 
  4. Enter a password for your store and then reenter it for verification. The configuration tool will automatically generate some security related files:

    Enter a password for the Java KeyStore: ***********
    Re-enter the KeyStore password for verification: ***********
    Created files:
    security/security.xml
    security/store.keys
    security/store.trust
    security/store.wallet/cwallet.sso 
    security/client.security 
    security/client.trust  

    Note

    In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node.

  5. Use the config add-security command to add the security configuration you just created:

    security-> config add-security -root KVROOT
    -secdir security  -config config.xml
    Configuration updated. 

    Note

    When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.

  6. Start the Storage Node Agent (SNA):

    nohup java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar start -root KVROOT&
  7. Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar \
    runadmin -port 5000 -host node01 \
    -security KVROOT/security/client.security 
    Logged in admin as anonymous.

    This command sets SSL as a connection method and names a copy of the generated truststore file (client.security). For more information on SSL properties, see SSL communication properties.

  8. Create an admin user. In this case, user root is defined:

    kv-> plan create-user -name root -admin -wait
    Enter the new password: ********
    Re-enter the new password: ********
    Executed plan 8, waiting for completion...
    Plan 8 ended successfully 

    For more information on user creation and administration, see User management.

  9. Create a new wallet file to store the credentials needed to allow clients to login as the admin user (root):

    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig \
    wallet create -dir KVROOT/security/login.wallet
    java -Xmx256m -Xms256m \
    -jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
    -dir KVROOT/security/login.wallet -set -alias root 
    Enter the secret value to store: ********
    Re-enter the secret value for verification: ********
    Secret created
    OK 

    Note

    The password must match the one set for the admin in the previous step.

    For more information on user creation and administration, see User management.

  10. At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

    In this example, the oracle.kv.security property is used. To login use the following command:

    java -Xmx256m -Xms256m \
    -Doracle.kv.security=mylogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin -port 5000 -host localhost
    Logged in admin as root

    The file mylogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=KVROOT/security/login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=KVROOT/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 

    For more information, see User login.