B SSL keystore generation
The keystores (store.keys and store.trust) that are automatically generated by makebootconfig or securityconfig use an RSA private key of size 2048 and an associated certificate with a 365-day lifetime. They can also be created manually with a different key algorithm, key size, validity period or other characteristics, using the following keytool (the Java built-in key and certificate management tool) commands:
To generate the keypair, use the keytool -genkeypair command:
keytool -genkeypair \
-keystore store.keys \
-storepass <passwd> \
-keypass <passwd> \
-alias shared \
-dname "CN=NoSQL" \
-keyalg RSA \
-keysize 1024 \
-validity 365
To export the certificate of the keypair, use the keytool -export command:
keytool -export \
-file <temp file> \
-keystore store.keys \
-storepass <passwd> \
-alias shared
To import the exported certificate into the truststore, use the keytool -import command:
keytool -import \
-file <temp file> \
-keystore store.trust \
-storepass <passwd> \
-noprompt
You can also use the keytool commands described above to manually generate other keystore and truststore keys and substitute them for the ones that Oracle NoSQL Database generates, provided you adhere to the following rules:
- The store.keys file should have a key pair with the alias "shared".
- The store.keys store password (-storepass) must match the key password (-keypass), and both must be the same as the password specified with -kspwd when the security configuration directory is created via makebootconfig or securityconfig.
- If a subject distinguished name other than CN=NoSQL is chosen for the self-signed certificate, then you must specify the following options to the makebootconfig or securityconfig command:
  -param "ha:serverIdentityAllowed=dnmatch(SOMEDN)"
  -param "ha:clientIdentityAllowed=dnmatch(SOMEDN)"
  -param "internal:serverIdentityAllowed=dnmatch(SOMEDN)"
  -param "internal:clientIdentityAllowed=dnmatch(SOMEDN)"
  -param "client:serverIdentityAllowed=dnmatch(SOMEDN)"
  where SOMEDN is the distinguished name (-dname) chosen.
- The store password for store.trust should match the store password for store.keys.
After creating the keystores (store.keys and store.trust) with the above commands, replace the old ones in the security configuration directory created by the makebootconfig or securityconfig utility.
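The three keytool steps and the rules above, as an added shell example that is not part of the Oracle NoSQL Database documentation: it generates store.keys and store.trust with one password for -storepass, -keypass and the truststore, uses a 2048-bit key (matching the automatically generated stores rather than the 1024-bit manual example), prints the -param options a non-default DN needs, and verifies an existing pair by checking that the certificate of alias "shared" is present in store.trust. The function names and the output directory are assumptions; the -param option names are the ones listed above.

```shell
# Added example; not from the Oracle NoSQL Database documentation.
set -eu

# Print the five -param options that a subject DN other than CN=NoSQL requires
# (option names exactly as listed above; the DN is inserted verbatim).
nosql_dn_params() {
    dn=$1
    for opt in ha:serverIdentityAllowed ha:clientIdentityAllowed \
               internal:serverIdentityAllowed internal:clientIdentityAllowed \
               client:serverIdentityAllowed; do
        printf '%s "%s=dnmatch(%s)"\n' -param "$opt" "$dn"
    done
}

# Create store.keys (alias "shared") and store.trust in $dir. One password is used
# for -storepass, -keypass and store.trust, as the rules require; the same value
# must later be given to makebootconfig/securityconfig as -kspwd.
gen_stores() {
    dir=$1 passwd=$2 dn=${3:-CN=NoSQL}
    cert=$dir/shared.cer
    keytool -genkeypair -keystore "$dir/store.keys" -storepass "$passwd" \
        -keypass "$passwd" -alias shared -dname "$dn" \
        -keyalg RSA -keysize 2048 -validity 365
    keytool -export -file "$cert" -keystore "$dir/store.keys" \
        -storepass "$passwd" -alias shared
    # The exported certificate is imported into the truststore, not store.keys.
    keytool -import -file "$cert" -keystore "$dir/store.trust" \
        -storepass "$passwd" -noprompt
    rm -f "$cert"
}

# Certificate fingerprints of a keystore (or of one alias), one per line.
fingerprints() {
    keytool -list -keystore "$1" -storepass "$2" ${3:+-alias "$3"} |
        sed -n 's/.*[Ff]ingerprint[^:]*: *//p'
}

# Return 0 when store.keys holds alias "shared", store.trust opens with the same
# password, and store.trust contains the certificate of that alias.
verify_stores() {
    dir=$1 passwd=$2
    fp=$(fingerprints "$dir/store.keys" "$passwd" shared)
    [ -n "$fp" ] || return 1
    fingerprints "$dir/store.trust" "$passwd" | grep -qxF "$fp"
}

# Usage: gen_stores ./security secretpw "CN=mystore" && nosql_dn_params "CN=mystore"
```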