Oracle NoSQL Database can be installed such that your client code does not have to authenticate to the store. (For the sake of clarity, most of the examples in this book do not perform authentication.) However, if you want your store to operate in a secure manner, you can require authentication. Note that doing so will result in a performance cost due to the overhead of using SSL and authentication. While best practice is for a production store to require authentication over SSL, some sites that are performance sensitive may want to forgo that level of security.
Authentication involves sending username/password credentials to the store at the time the proxy server connects to the store. The proxy server gets the username that it uses from the client code connecting to it. The rest of the credential information is contained in a security properties file that must be installed on the same local host as the proxy server. Be aware that the connection from your driver code to the proxy server is not secure. It is therefore recommended that you run your proxy server and your driver code on the same physical host.
A store that is configured to support authentication is automatically configured to communicate with clients using SSL in order to ensure privacy of the authentication and other sensitive information. When SSL is used, SSL certificates need to be installed on the machines where your proxy server runs in order to validate that the store that is being accessed is trustworthy.
Configuring a store for authentication is described in the Oracle NoSQL Database Security Guide.
If you are using a secure store, then all communications between your proxy server and the store are transported over SSL, including authentication credentials. You must therefore configure your client code to use SSL. To do this, you identify where the SSL certificate data is, and you also separately indicate that the SSL transport is to be used.
When an Oracle NoSQL Database store is configured to use the SSL transport, a series of security files are generated using a security configuration tool. One of these files is the client.trust file, which must be copied to any machine running a proxy server.
For information on using the security configuration tool, see the Oracle NoSQL Database Security Guide.
Your proxy server must be told where the client.trust file can be found because it contains the certificates necessary to establish an SSL connection with the store. You indicate where this file is physically located on your machine using the oracle.kv.ssl.trustStore property.
When an Oracle NoSQL Database secure store is installed, a file is generated called client.security. This file contains security properties that are needed by your proxy server. Copy this file to the machine that will run your proxy server, along with your client.trust file and the login.passwd file. All of these files were created during the installation process.
You may need to edit your client.security file to adjust the location of files for the local host. When you are done, client.security should look something like this:
    oracle.kv.auth.username=root
    oracle.kv.auth.pwdfile.file=/security/login.passwd
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=/security/client.trust
    oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
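Because the proxy server trusts whatever this file says, it is worth checking it before the proxy is started. The following is an added example, not Oracle's code: it parses a client.security file in the Java properties format shown above and flags the settings a reviewer would question (missing properties, a non-SSL transport, old TLS versions, no hostname verifier, paths that do not exist on this host). Which protocols count as weak, and the set of checks, are my own assumptions.

```python
# Added example, not Oracle's code: parse a client.security file and flag
# settings a reviewer would question before the proxy server uses it.
# Which protocols count as weak and which checks to run are my assumptions.
import os

REQUIRED = ("oracle.kv.auth.username", "oracle.kv.auth.pwdfile.file",
            "oracle.kv.transport", "oracle.kv.ssl.trustStore")
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated; TLSv1.2 or newer preferred

def parse_security_props(text):
    """Java-style properties: key=value per line; '#' or '!' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # properties files escape '=' inside values as '\='
            props[key.strip()] = value.strip().replace("\\=", "=")
    return props

def check_security_props(props, check_files=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing required property: {k}" for k in REQUIRED if k not in props]
    if props.get("oracle.kv.transport") != "ssl":
        findings.append("oracle.kv.transport is not 'ssl': credentials would be sent in clear")
    weak = sorted(set(props.get("oracle.kv.ssl.protocols", "").split(",")) & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak TLS protocols enabled: " + ", ".join(weak))
    if "oracle.kv.ssl.hostnameVerifier" not in props:
        findings.append("no hostnameVerifier: the store's certificate identity is not checked")
    if check_files:  # the paths must be valid on the proxy server's own host
        for k in ("oracle.kv.auth.pwdfile.file", "oracle.kv.ssl.trustStore"):
            if k in props and not os.path.isfile(props[k]):
                findings.append(f"{k} does not exist on this host: {props[k]}")
    return findings

# Constructed sample mirroring the client.security shown above.
SAMPLE = """oracle.kv.auth.username=root
oracle.kv.auth.pwdfile.file=/security/login.passwd
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=/security/client.trust
oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\\=NoSQL)
"""

if __name__ == "__main__":
    for finding in check_security_props(parse_security_props(SAMPLE), check_files=False):
        print("WARN:", finding)
```

Run against the sample above it reports only the TLSv1/TLSv1.1 entries; pass check_files=True on the proxy host to also confirm that login.passwd and client.trust are where the file says they are.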
Once these files are in place and are edited correctly, when your client code creates a store connection, it must identify both the location of the client.security file on the disk where the proxy server is running, as well as the username the client wants to authenticate as. See Connecting to the Store for an example of how this is done.