Configuring Security with Securityconfig

Creating the security configuration
Adding the security configuration
Removing the security configuration
Merging truststore configuration

You can also run the securityconfig tool before or after the makebootconfig process by using the following command:

java -jar KVHOME/lib/kvstore.jar securityconfig 

For more information on creating, adding, removing or merging the security configuration using securityconfig, see the following sections.

Creating the security configuration

You can use the config create command to create the security configuration:

config create 
-root <secroot> [ -secdir <security dir> ] 
[ -pwdmgr { pwdfile | wallet } ] 
[ -param <param=value> ] 

where:

  • -root <secroot>

    Specifies the directory in which the security configuration will be created. It is not required that this directory be a full KVROOT, but the directory must exist.

  • -secdir <security dir>

    Specifies the name of the directory within the KVROOT that will hold the security configuration. This must be specified as a name relative to the specified secroot. If not specified, the default value is "security".

  • -pwdmgr [ pwdfile | wallet ]

    Indicates the password manager mechanism used to hold passwords that are needed for access to keystores, etc.

    where -pwdmgr can have the following options:

    • -pwdmgr pwdfile

      Indicates that the password store is a read-protected clear-text password file. This is the only available option for Oracle NoSQL Database CE deployments. You can specify an alternate implementation. For more information on pwdfile manipulation, see Password store file

    • -pwdmgr wallet

      Specifies Oracle Wallet as the password storage mechanism. This option is only available in the Oracle NoSQL Database EE version. For more information on Oracle wallet manipulation, see Oracle Wallet

  • -param <param=value>

    A repeatable argument that allows configuration defaults to be overridden. The value may be either a simple parameter, such as "truststore", or a qualified parameter such as "client:serverKeyAlias". If specified in qualified form, the qualifier (for example, "client") names a transport within the security configuration, and the assignment is specific to that transport. If in simple form, it applies to either the securityParams structure or to all transports within the file, depending on the type of parameter.

For more information on configuring security with securityconfig, see Adding Security to an Existing Installation.

Adding the security configuration

You can use the config add-security command to add the security configuration you created earlier:

config add-security 
-root <kvroot> [-secdir <security dir>] 
[-config <config.xml>] 

Note

When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.

where:

  • -root <kvroot>

    A KVStore root directory must be provided as an argument.

  • -secdir <security dir>

    Specifies the name of the directory within the KVROOT that holds the security configuration. This must be specified as a name relative to the KVROOT. If not specified, the default value is "security".

  • -config <config.xml>

    Specifies the bootstrap configuration file that is to be updated. This must be specified as a name relative to the KVROOT. If not specified, the default value is "config.xml".

Removing the security configuration

If you want to disable security for some reason in an existing installation, you can use the config remove-security command:

config remove-security 
-root <kvroot> [-config <config.xml>] 

Note

When running this command, the securityconfig tool will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.

where:

  • -root <kvroot>

    A KVStore root directory must be provided as an argument.

  • -config <config.xml>

    Specifies the bootstrap configuration file that is to be updated. This must be specified as a name relative to the KVROOT. If not specified, the default value is "config.xml".

Merging truststore configuration

If you want to merge truststore entries from one security configuration into another security configuration use the config merge-trust command. This command is helpful when performing security maintenance, particularly when you need to update the SSL key/certificate. For more information, see Guidelines for Updating the SSL key/certificate

config merge-trust
-root <secroot> [-secdir <security dir>]
-source-root <secroot> [-source-secdir <security dir>]

Note

When running this command, the securityconfig tool will verify the existence of the referenced files and will combine trust entries from the source security configuration into the primary security configuration.

where:

  • -root <secroot>

    Specifies the directory that contains the security configuration that will be updated. It is not required that this directory be a full KVROOT, but the directory must exist and contain an existing security configuration.

  • -secdir <security dir>

    Specifies the name of the directory within the secroot that holds the security configuration. This must be specified as a name relative to the secroot. If not specified, the default value is "security".

  • -source-root <secroot>

    Specifies the directory that contains the security configuration that will provide new trust information. It is not required that this directory be a full KVROOT, but the directory must exist and must contain an existing security configuration.

  • -source-secdir <security dir>

    Specifies the name of the security directory within the source secroot that will provide new trust information. If not specified, the default value is "security".