Chapter 2. Security Configuration

Table of Contents

Security Configuration Overview
Configuring Security with Makebootconfig
Configuring Security with Securityconfig
Creating the security configuration
Adding the security configuration
Removing the security configuration
Merging truststore configuration

This chapter describes how to use either the makebootconfig or securityconfig tool to perform the security configuration of your store. If you are installing a store with security for the first time, you can skip ahead to the next chapter Performing a Secure Oracle NoSQL Database Installation.

Note

For simpler use cases (for example, lab environments) it is possible to perform a basic installation of your store by explicitly opting out of security on the command line. If you do this, your store loses all the security features described in this book. For more information see Configuring Security with Makebootconfig.

Security Configuration Overview

To set up security, you need to create an initial security configuration. To do this, you can run securityconfig before, after or as part of the makebootconfig process but before starting the SNA on an initial node. You should not create a security configuration at each node. Instead, you should distribute the initial security configuration across all the Storage Nodes in your store. If the stores do not share a common security configuration they will be unable to communicate with one another.

Note

The makebootconfig utility embeds the functionality of securityconfig tool.

This tool creates a set of security files based on the standard configuration. It is possible to perform the same tasks manually, and advanced security configuration might require manual setup, but using this tool helps to ensure a consistent setup. For more information on the manual setup, see SSL keystore generation.

Note

It is possible to modify the security configuration after it is created in order to use a non-standard configuration. It is recommended that you use a standard configuration.

Those security files are generated, by default, within a directory named "security". In a secure configuration, the bootstrap configuration file for a Storage Node includes a reference to that directory, which must be within the KVROOT directory for the Storage Node. The security directory contains:

security/security.xml
security/store.keys
security/store.trust
security/store.passwd  (CE or EE installations)
security/store.wallet  (EE installations only) 
security/store.wallet/cwallet.sso (EE installations only)
security/client.security
security/client.trust 

where:

  • security.xml

    A configuration file that tells the Oracle NoSQL Database server how to apply security.

  • store.keys

    A Java keystore file containing one or more SSL/TLS key pairs. This keystore is protected by a keystore password, which is recorded in an accompanying password store. The password store may be either an Oracle Wallet or a FileStore. The password is stored under the alias "keystore" in the password store. This file should be accessible only by the Oracle NoSQL Database server processes, and not to NoSQL clients.

  • store.trust

    A Java truststore file, which is a keystore file that contains only public certificates, and no private keys.

  • store.passwd (CE or EE installations)

    A password file that acts as the password store for a Community Edition (CE) installation. It contains secret information that should be known only to the server processes. Make sure the password file is readable and writable only by the Oracle NoSQL Database server. The file should not be copied to client machines.

    For Enterprise Edition (EE) installations, Oracle Wallet usage is preferred over the password file option.

  • store.wallet (EE installations only)

    An Oracle Wallet directory that acts as the password store for an Enterprise Edition (EE) installation. It contains secret information that should be known only to the server processes. Make sure the directory and its contents are readable and writable only by the NoSQL DB server. The file should not be copied to client machines.

  • cwallet.sso (EE installations only)

    The wallet password storage file.

  • client.security

    A security configuration file that captures the communication transport properties for connecting clients to KVStore.

    The generated client.security file should be copied to and used by Oracle NoSQL Database clients when connecting to the KVStore.

  • client.trust

    A truststore file used by clients is generated.

    The generated client.trust file should be copied to and used by Oracle NoSQL Database clients when connecting to the KVStore.

Note

In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node.