The proxy server command line options are:
nohup java -cp KVHOME/lib/kvclient.jar:kvproxy/lib/kvproxy.jar
oracle.kv.proxy.KVProxy -help
-port <port-number> Port number of the proxy server. Default: 5010
-store <store-name> Required KVStore name. No default.
-helper-hosts <host:port,host:port,...> Required list of KVStore
hosts and ports (comma separated).
-security <security-file-path> Identifies the security file used
to specify properties for login. Required for connecting to
a secure store.
-username <user> Identifies the name of the user to login to the
secured store. Required for connecting to a secure store.
-read-zones <zone,zone,...> List of read zone names.
-max-active-requests <int> Maximum number of active requests towards
the store.
-node-limit-percent <int> Limit on the number of requests, as a
percentage of the requested maximum active requests.
-request-threshold-percent <int> Threshold for activating request
limiting, as a percentage of the requested maximum active
requests.
-request-timeout <long> Configures the default request timeout in
milliseconds.
-socket-open-timeout <long> Configures the open timeout in
milliseconds used when establishing sockets to the store.
-socket-read-timeout <long> Configures the read timeout in
milliseconds associated with the underlying sockets to the
store.
-max-iterator-results <long> A long representing the maximum
number of results returned in one single iterator call.
Default: 100
-iterator-expiration <long> Iterator expiration interval in
milliseconds.
-max-open-iterators <int> Maximum concurrent opened iterators.
Default: 10000
-num-pool-threads <int> Number of proxy threads. Default: 20
-max-concurrent-requests <int> The maximum number of
concurrent requests per iterator. Default: <num_cpus * 2>
-max-results-batches <int> The maximum number of results
batches that can be held in the proxy per iterator.
Default: 0
-help Usage instructions.
-version Print KVProxy server version number.
-verbose Turn verbose flag on.
Always start the Oracle NoSQL Database store before starting the proxy server.
When connecting to a non-secured store, the following parameters are required:
-helper-hosts
-port
-store
When connecting to a secured store, the following parameters are also required:
-security
-username
Drivers are able to start and stop the proxy server on the local host if properly configured. See Automatically Starting the Proxy Server for details.
If configured properly, the proxy can access a secure
installation of Oracle NoSQL Database. To do this, the
-username and
-security proxy options must be
specified.
The following example describes how to add security to an Oracle NoSQL Database single node deployment. The example also shows how to initiate a connection to the Oracle NoSQL Database replication nodes.
To install Oracle NoSQL Database securely:
java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar makebootconfig \ -root KVROOT -port 5000 \ -admin 5001 -host node01 -harange 5890,5900 \ -store-security configure -pwdmgr pwdfile -capacity 1
Run the makebootconfig utility
with the required
-store-security option to set up
the basic store configuration with security:
In this example, -store-security
configure is used, so the
security configuration utility
is run as part of the makebootconfig process and you
are prompted for a password to use for your keystore file:
Enter a password for the Java KeyStore:
Enter a password for your store and then reenter it
for verification. In this case, the password file is used, and
the securityconfig tool will automatically
generate the following security related files:
Enter a password for the Java KeyStore: *********** Re-enter the KeyStore password for verification: *********** Created files: security/client.trust security/client.security security/store.keys security/store.trust security/store.passwd security/security.xml
In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node. For more information on multiple node deployments see the Oracle NoSQL Database Security Guide.
Start the Storage Node Agent (SNA):
nohup java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar start -root KVROOT&
When a newly created store with a secure configuration is first started, there are no user definitions available against which to authenticate access. To reduce risk of unauthorized access, an admin will only allow you to connect to it from the host on which it is running. This security measure is not a complete safeguard against unauthorized access. It is important that you do not provide local access to machines running KVStore. In addition, you should perform steps 5, 6 and 7 soon after this step to minimize the time period in which the admin might be accessible without full authentication. For more information on maintaining a secure store see the Oracle NoSQL Database Security Guide.
Start runadmin in security mode on the
KVStore server host (node01). To do this, use the following
command:
java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar \ runadmin -port 5000 -host node01 \ -security KVROOT/security/client.security Logged in admin as anonymous
Use the configure -name command to specify
the name of the KVStore that you want to configure:
kv-> configure -name mystore Store configured: mystore
Configure the KVStore by deploying a Zone, a Storage Node, and an Admin Node. Then, create a Storage Node Pool. Finally, create and deploy a topology.
kv-> plan deploy-zone -name mydc -rf 1 -wait Executed plan 2, waiting for completion... Plan 2 ended successfully kv-> plan deploy-sn -zn zn1 -port 5000 -host node01 -wait Executed plan 3, waiting for completion... Plan 3 ended successfully kv-> plan deploy-admin -sn sn1 -port 5001 -wait Executed plan 4, waiting for completion... Plan 4 ended successfully kv-> pool create -name mypool kv-> pool join -name mypool -sn sn1 Added Storage Node(s) [sn1] to pool mypool kv-> topology create -name mytopo -pool mypool -partitions 30 Created: mytopo kv-> plan deploy-topology -name mytopo -wait Executed plan 5, waiting for completion... Plan 5 ended successfully
Create an admin user. In this case, user
root is defined:
kv-> plan create-user -name root -admin -wait Enter the new password: ******** Re-enter the new password: ******** Executed plan 6, waiting for completion... Plan 6 ended successfully
Create a new password file to store the credentials needed to allow clients to login as the admin user (root):
java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar securityconfig \ pwdfile create -file KVROOT/security/login.passwd java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar securityconfig pwdfile secret \ -file KVROOT/security/login.passwd -set -alias root Enter the secret value to store: ******** Re-enter the secret value for verification: ******** Secret created OK
The password must match the one set for the admin in the previous step.
At this point, it is possible to connect to the
store as the root user. To login, you can use
either the
-username <user>
runadmin argument or specify the
"oracle.kv.auth.username" property in the security
file.
In this example, a security file
(mylogin.txt) is used. To login, use the
following command:
java -Xmx256m -Xms256m \ -jar KVHOME/lib/kvstore.jar runadmin -port 5000 \ -host localhost -security mylogin Logged in admin as root
The file mylogin.txt should be a
copy of the client.security file
with additional properties settings for
authentication. The file would then contain content
like this:
oracle.kv.auth.username=root oracle.kv.auth.pwdfile.file=KVROOT/security/login.passwd oracle.kv.transport=ssl oracle.kv.ssl.trustStore=KVROOT/security/client.trust oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1 oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
Then, to run KVProxy and access the secure Oracle NoSQL Database deployment:
java -cp KVHOME/lib/kvclient.jar:KVPROXY/lib/kvproxy.jar oracle.kv.proxy.KVProxy -helper-hosts node01:5000 -port 5010 -store mystore -username root -security mylogin Nov 21, 2014 12:59:12 AM oracle.kv.proxy.KVProxy <init> INFO: PS: Starting KVProxy server Nov 21, 2014 12:59:12 AM oracle.kv.proxy.KVProxy <init> INFO: PS: Connect to Oracle NoSQL Database mystore nodes : localhost:5000 Nov 21, 2014 12:59:13 AM oracle.kv.proxy.KVProxy <init> INFO: PS: ... connected successfully Nov 21, 2014 12:59:13 AM oracle.kv.proxy.KVProxy startServer INFO: PS: Starting listener ( Half-Sync/Half-Async server - 20 no of threads on port 5010)
Because this proxy server is being used with a secure store, you should limit the proxy server's listening port (port 5010 in the previous example) to only those hosts running authorized clients.