Encryption of network data provides data privacy so that unauthorized parties are not able to view plain text data as it passes over the network.
Oracle NoSQL Database uses SSL-based encryption to encrypt network traffic between applications and the server, between command-line utilities and the server, and between server components.
JMX access requires the use of SSL. The web Admin interface does not operate over SSL.
Oracle NoSQL Database uses a simple SSL key management strategy. A single, shared, RSA key is used to protect communication.
In this shared key model, you must be sure that there is a master copy of the security directory and that it gets copied to each server. You should not run makebootconfig with the -store-security configure option on all servers. Most servers should have the -store-security enable option specified in their makebootconfig command.
The shared key has an associated self-signed certificate with a Subject Distinguished Name that is not server-specific. The automatically-created certificates are generated with the Distinguished Name: CN=NoSQL.
Each server component listens on SSL interfaces and presents the shared certificate to clients and other servers that connect to it, as proof of its authenticity. Each client and server component uses a Java truststore containing a copy of the shared certificate to validate the certificate presented by servers.
When accessing a NoSQL instance that is secured using SSL/TLS, you must specify at least the following information:
You must specify that the client will connect using SSL. This is done by setting the security property oracle.kv.transport to "ssl".
You must specify the Java truststore file that is used to validate the server certificate. This is done by setting the security property oracle.kv.ssl.trustStore.
For example, to start runadmin in security mode, use the following command:
java -Doracle.kv.security=mylogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin
where the file mylogin.txt should be a copy of the client.security file with additional property settings for authentication. The file would then contain content like this:
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
If you fail to correctly specify the oracle.kv.transport property or the truststore, the client will fail to connect to the server.
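As an added example (not Oracle's code or documentation), the following Python script reads a client security file in the Java properties format shown above and reports the settings whose absence or wrong value would stop the client from connecting, together with advisory warnings. The dnmatch() comparison is a simplified exact-DN check assumed here, not Oracle's implementation, and the sample file content is constructed from the listing above.

```python
"""Pre-flight check of an Oracle NoSQL client security properties file.

Added example, not Oracle's code. Parses the Java .properties format used
by client.security / mylogin.txt and reports settings that would make the
SSL connection fail. dn_matches() is a simplified exact-match assumption.
"""
import os
import re

MODERN_TLS = {"TLSv1.2", "TLSv1.3"}
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

# Constructed sample: the mylogin.txt contents from the text, one property per line.
SAMPLE_LOGIN = """\
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.protocols=TLSv1.2,TLSv1.1,TLSv1
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\\=NoSQL)
"""


def _unescape(s):
    """Resolve Java .properties backslash escapes, e.g. 'CN\\=NoSQL' -> 'CN=NoSQL'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse key=value / key:value / key value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line):  # the key ends at the first unescaped separator
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key.append(line[i + 1])
                i += 2
            elif c in "=: \t":
                break
            else:
                key.append(c)
                i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key)] = _unescape(rest)
    return props


def dn_matches(verifier, server_subject_dn):
    """Simplified dnmatch(<DN>) check: accept only an exact DN string match (assumption)."""
    m = re.fullmatch(r"dnmatch\((.+)\)", verifier or "")
    return bool(m) and m.group(1) == server_subject_dn


def check_client_security(props, file_exists=os.path.isfile):
    """Return (problems, warnings): problems block the connection, warnings are advisory."""
    problems, warnings = [], []
    if props.get("oracle.kv.transport") != "ssl":
        problems.append("oracle.kv.transport is not 'ssl'; the client will not use SSL")
    ts = props.get("oracle.kv.ssl.trustStore")
    if not ts:
        problems.append("oracle.kv.ssl.trustStore is missing; server cert cannot be validated")
    elif not file_exists(ts):
        problems.append("truststore file not found: " + ts)
    verifier = props.get("oracle.kv.ssl.hostnameVerifier")
    if not verifier:
        warnings.append("no oracle.kv.ssl.hostnameVerifier set; the server DN is not checked")
    elif not dn_matches(verifier, "CN=NoSQL"):
        warnings.append("hostnameVerifier does not match the shared certificate DN CN=NoSQL")
    protos = [p for p in props.get("oracle.kv.ssl.protocols", "").split(",") if p]
    old = [p for p in protos if p not in MODERN_TLS]
    if old:
        warnings.append("deprecated protocols enabled: " + ",".join(old))
    return problems, warnings


if __name__ == "__main__":
    # file_exists is stubbed so the sample runs without a real client.trust on disk
    found, advisory = check_client_security(parse_properties(SAMPLE_LOGIN), lambda p: True)
    for line in found:
        print("PROBLEM:", line)
    for line in advisory:
        print("WARNING:", line)
```

Run it against a real mylogin.txt by passing the file's text to parse_properties and leaving file_exists at its default so the truststore path is actually checked; an empty problems list means the two mandatory SSL settings from the text are present and usable.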