You can also run the securityconfig tool before or after the makebootconfig process by using the following command:
java -jar KVHOME/lib/kvstore.jar securityconfig
For more information on creating, adding, removing or merging the security configuration using securityconfig, see the following sections.
You can use the config create command to create the security configuration:
config create -root <secroot> [ -secdir <security dir> ] [ -pwdmgr { pwdfile | wallet } ] [ -param [client:|ha:|internal:|]<param>=<value> ]
where:
-root <secroot>
Specifies the directory in which the security configuration will be created. It is not required that this directory be a full KVROOT, but the directory must exist.
-secdir <security dir>
Specifies the name of the directory within the KVROOT that will hold the security configuration. This must be specified as a name relative to the specified secroot. If not specified, the default value is "security".
-pwdmgr { pwdfile | wallet }
Indicates the password manager mechanism used to hold passwords that are needed for accessing keystores, etc.
where -pwdmgr can have the following options:
-pwdmgr pwdfile
Indicates that the password store is a read-protected clear-text password file. This is the only available option for Oracle NoSQL Database CE deployments. You can specify an alternate implementation. For more information on pwdfile manipulation, see Password store file.
-pwdmgr wallet
Specifies Oracle Wallet as the password storage mechanism. This option is only available in the Oracle NoSQL Database EE version. For more information on Oracle wallet manipulation, see Oracle Wallet.
-param [client:|ha:|internal:|]<param>=<value>
A repeatable argument that allows configuration defaults to be overridden. The value may be either a simple parameter, such as "truststore", or a qualified parameter such as "client:serverKeyAlias". If specified in qualified form, the qualifier (for example, "client") names a transport within the security configuration, and the assignment is specific to that transport. If in simple form, it applies to either the securityParams structure or to all transports within the file, depending on the type of parameter.
For more information on configuring security with securityconfig, see Adding Security to an Existing Installation.
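The following pre-flight check is an added example, not part of securityconfig or the original page: it validates config create arguments against the rules stated above before the tool is run. The helper names check_param and check_create_args are hypothetical, and rejecting ".." in the security directory name is an added, stricter reading of "relative to secroot".

```shell
#!/bin/sh
# Added example: pre-flight checks for "config create" arguments.
# check_param and check_create_args are hypothetical helper names.

# check_param ARG: succeeds if ARG has the form [client:|ha:|internal:]<param>=<value>
check_param() {
    cp_arg=$1
    case $cp_arg in
        *=*) ;;                              # must be an assignment
        *)   return 1 ;;
    esac
    cp_name=${cp_arg%%=*}                    # everything before the first "="
    case $cp_name in
        *:*)                                 # qualified form: <transport>:<param>
            case ${cp_name%%:*} in
                client|ha|internal) ;;       # transports listed in the syntax
                *) return 1 ;;
            esac
            cp_name=${cp_name#*:} ;;
    esac
    case $cp_name in
        ''|*:*) return 1 ;;                  # empty name or a second qualifier
    esac
    return 0
}

# check_create_args SECROOT SECDIR PWDMGR [PARAM...]
check_create_args() {
    [ $# -ge 3 ] || return 2
    cc_root=$1 cc_secdir=$2 cc_pwdmgr=$3
    shift 3
    # The secroot directory must already exist.
    [ -d "$cc_root" ] || { echo "secroot does not exist: $cc_root" >&2; return 1; }
    # Absolute paths are rejected; rejecting ".." is an added, stricter assumption.
    case $cc_secdir in
        ''|/*|..|../*|*/..|*/../*) echo "secdir must be a relative name" >&2; return 1 ;;
    esac
    case $cc_pwdmgr in
        pwdfile|wallet) ;;
        *) echo "pwdmgr must be pwdfile or wallet" >&2; return 1 ;;
    esac
    for cc_p in "$@"; do
        check_param "$cc_p" || { echo "malformed -param: $cc_p" >&2; return 1; }
    done
    return 0
}
```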
You can use the config add-security command to add the security configuration you created earlier:
config add-security -root <kvroot> [-secdir <security dir>] [-config <config.xml>]
When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.
where:
-root <kvroot>
A KVStore root directory must be provided as an argument.
-secdir <security dir>
Specifies the name of the directory within the KVROOT that holds the security configuration. This must be specified as a name relative to the KVROOT. If not specified, the default value is "security".
-config <config.xml>
Specifies the bootstrap configuration file that is to be updated. This must be specified as a name relative to the KVROOT. If not specified, the default value is "config.xml".
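Because the pwdfile password store is a clear-text file that relies on being read-protected, it is worth checking file permissions in the security directory on each Storage Node before running config add-security. The audit below is an added example, not part of securityconfig: audit_secdir is a hypothetical helper, and treating every file in the directory as owner-only is an assumed policy.

```shell
#!/bin/sh
# Added example: permission audit of a security directory.
# audit_secdir is a hypothetical helper, not a securityconfig command.

# audit_secdir KVROOT [SECDIR]
#   returns 0 if the directory exists and no file in it grants any
#   permission to group or other; 1 if such files exist (paths are
#   printed to stderr); 2 if the directory is missing.
audit_secdir() {
    as_root=$1
    as_secdir=${2:-security}          # default directory name given in the text
    as_dir=$as_root/$as_secdir
    [ -d "$as_dir" ] || { echo "missing security directory: $as_dir" >&2; return 2; }
    # POSIX find: "-perm -NNN" matches when all bits in NNN are set, so each
    # group/other bit is tested separately and the tests are OR-ed together.
    as_loose=$(find "$as_dir" -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$as_loose" ]; then
        echo "files accessible to group or other:" >&2
        echo "$as_loose" >&2
        return 1
    fi
    return 0
}
```

Run it as the account that owns the KVROOT, for example audit_secdir /path/to/kvroot, and fix any reported file with chmod 600 before adding security.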
If you want to disable security for some reason in an existing installation, you can use the config remove-security command:
config remove-security -root <kvroot> [-config <config.xml>]
When running this command, the securityconfig tool will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.
where:
-root <kvroot>
A KVStore root directory must be provided as an argument.
-config <config.xml>
Specifies the bootstrap configuration file that is to be updated. This must be specified as a name relative to the KVROOT. If not specified, the default value is "config.xml".
If you want to merge truststore entries from one security configuration into another security configuration, use the config merge-trust command. This command is helpful when performing security maintenance, particularly when you need to update the SSL key/certificate. For more information, see Guidelines for Updating the SSL key/certificate.
config merge-trust -root <secroot> [-secdir <security dir>] -source-root <secroot> [-source-secdir <security dir>]
When running this command, the securityconfig tool will verify the existence of the referenced files and will combine trust entries from the source security configuration into the primary security configuration.
where:
-root <secroot>
Specifies the directory that contains the security configuration that will be updated. It is not required that this directory be a full KVROOT, but the directory must exist and contain an existing security configuration.
-secdir <security dir>
Specifies the name of the directory within the secroot that holds the security configuration. This must be specified as a name relative to the secroot. If not specified, the default value is "security".
-source-root <secroot>
Specifies the directory that contains the security configuration that will provide new trust information. It is not required that this directory be a full KVROOT, but the directory must exist and must contain an existing security configuration.
-source-secdir <security dir>
Specifies the name of the security directory within the source secroot that will provide new trust information. If not specified, the default value is "security".