Guidelines for Disabling TLSv1.1 and TLSv1 Protocols

Update TLS protocol configuration to TLSv1.2 only

NoSQL Database has disabled the TLSv1 and TLSv1.1 protocols in the default security configuration; the only protocol enabled is TLSv1.2.

Upgrade Implication:

This change doesn't remove support for TLSv1.1 and TLSv1; it only disables them in the default security configuration. Upgrading to the 21.2 release with a security configuration created by a previous release won't cause a compatibility issue, but it's recommended to disable TLSv1.1 and TLSv1 in the existing NoSQL Database installation.

Prerequisite:

Before updating the TLS protocol to TLSv1.2 only, you must ensure the existing security configuration has already enabled the TLSv1.2 protocol; otherwise your NoSQL Database server won't be functional during the update.
  1. Check whether the protocol settings in the security configuration of your NoSQL Database server have TLSv1.2 enabled. Run the securityconfig utility to verify that the protocols include TLSv1.2.
    java -jar kv/lib/kvstore.jar securityconfig config show -secdir KVROOT/security

    If the protocols in the security configuration don't include TLSv1.2, follow the section "Enable TLSv1.2 protocol" to enable TLSv1.2 first.

  2. Check the client application's login properties. Verify that the following NoSQL login property includes TLSv1.2.
    For example:
    oracle.kv.ssl.protocols="TLSv1.2,TLSv1.1,TLSv1"

    Add TLSv1.2 and restart the client application if it isn't specified in this security property.

Enable TLSv1.2 protocol

This is the procedure to enable TLSv1.2 in the NoSQL Database security configuration. It assumes the existing security configuration has only TLSv1.1 and TLSv1 enabled.
  1. Make two copies of the existing security configuration directory. Keep one as a backup, and use the other for updating the protocols.
  2. Update the SSL protocols in the copied security configuration directory.
    java -jar /kv/lib/kvstore.jar securityconfig \
     config update -secdir security \
     -param "allowProtocols=TLSv1.2,TLSv1.1,TLSv1" \
     -param "clientAllowProtocols=TLSv1.2,TLSv1.1,TLSv1"
  3. Verify that the protocols in the updated security configuration have TLSv1.2 enabled.
    java -jar kv/lib/kvstore.jar securityconfig config show -secdir KVROOT/security

    Verify that the protocols include TLSv1.2.

  4. Copy the updated security directory to each server node (Storage Node), and replace the old security configuration directory. Then, check that all Replication Nodes (RN) are online and restart each Storage Node, one by one, using the following commands.
    java -jar /lib/kvstore.jar stop -root KVROOT
    java -jar /lib/kvstore.jar start -root KVROOT &
  5. Continuing from your NoSQL development environment, start the Admin CLI. Using the ping command, check that all RNs are up:
    (~/tmp/kvroot/newKey)=> java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT1/security/client.security
    Logged in admin as anonymous
    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-07 00:34:37 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:1 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,MASTER sequenceNumber:63 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:6010 delayMillis:1 catchupTimeSecs:0
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:7010 delayMillis:? catchupTimeSecs:?
  6. Restart each SN sequentially. Make sure that the last one you restarted is completely up before continuing to the next SN.
    java -jar $KVHOME/lib/kvstore.jar stop -root /Users/my_name/tmp/kvroot/kvroot1
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT1 &

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:23:56 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:0 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:5011 delayMillis:0 catchupTimeSecs:0
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,MASTER sequenceNumber:62 haPort:6010
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:7010 delayMillis:0 catchupTimeSecs:0
    
    Rep Node [rg1-rn1] Status: RUNNING,REPLICA is up, now restart the next SN
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar stop -root /Users/my_name/tmp/kvroot/kvroot2

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:25:39 UTC Version: 12.2.4.5.12
    Shard Status: healthy:0 writable-degraded:1 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:2 offline:1 maxDelayMillis:? maxCatchupTimeSecs:?
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    UNREACHABLE
            Rep Node [rg1-rn2]   Status: UNREACHABLE
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:7010 delayMillis:? catchupTimeSecs:?
    
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT2 &

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:26:09 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:1 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:6010 delayMillis:1 catchupTimeSecs:0
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:7010 delayMillis:1 catchupTimeSecs:0

Update TLS protocol to TLSv1.2 only

This is the procedure to update the existing security configuration so that only the TLSv1.2 protocol is enabled. It assumes TLSv1.2 is already enabled in the security configuration.
  1. Update the login properties of the client application. Update oracle.kv.ssl.protocols to contain TLSv1.2 only (if it exists).
  2. Make two copies of the existing security configuration directory. Keep one as a backup, and use the other for updating the protocols.
  3. Update the SSL protocols in the copied security configuration directory.
    java -jar /kv/lib/kvstore.jar securityconfig \
    config update -secdir security \
    -param "allowProtocols=TLSv1.2" -param "clientAllowProtocols=TLSv1.2"
  4. Verify that the protocols in the updated security configuration have only TLSv1.2.
    java -jar kv/lib/kvstore.jar securityconfig config show -secdir KVROOT/security

    Verify that the protocols contain TLSv1.2 only.

  5. Copy the updated security directory to each server node (Storage Node), and replace the old security configuration directory. Then, check that all Replication Nodes are online and restart each Storage Node, one by one, using the following command:
    java -jar /lib/kvstore.jar stop -root KVROOT
    java -jar /lib/kvstore.jar start -root KVROOT &
  6. Continuing from your NoSQL development environment, start the Admin CLI. Using the ping command, check that all RNs are up.
    (~/tmp/kvroot/newKey)=> java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT1/security/client.security
    Logged in admin as anonymous

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-07 00:34:37 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:1 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,MASTER sequenceNumber:63 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:6010 delayMillis:1 catchupTimeSecs:0
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:7010 delayMillis:? catchupTimeSecs:?
  7. Restart each SN sequentially. Make sure that the last one you restarted is completely up before continuing to the next SN.
    java -jar $KVHOME/lib/kvstore.jar stop -root /Users/my_name/tmp/kvroot/kvroot1
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT1 &

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:23:56 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:0 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:5011 delayMillis:0 catchupTimeSecs:0
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,MASTER sequenceNumber:62 haPort:6010
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:7010 delayMillis:0 catchupTimeSecs:0
    Rep Node [rg1-rn1] Status: RUNNING,REPLICA is up, now restart the next SN
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar stop -root /Users/my_name/tmp/kvroot/kvroot2

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:25:39 UTC Version: 12.2.4.5.12
    Shard Status: healthy:0 writable-degraded:1 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:2 offline:1 maxDelayMillis:? maxCatchupTimeSecs:?
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    UNREACHABLE
            Rep Node [rg1-rn2]   Status: UNREACHABLE
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:62 haPort:7010 delayMillis:? catchupTimeSecs:?
    
    (~/hg/kv/kvstore)=> java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT2 &

    kv-> ping
    Pinging components of store HSRStore based upon topology sequence #18
    10 partitions and 3 storage nodes
    Time: 2018-02-06 21:26:09 UTC Version: 12.2.4.5.12
    Shard Status: healthy:1 writable-degraded:0 read-only:0 offline:0
    Admin Status: healthy
    Zone [name=Austin id=zn1 type=PRIMARY allowArbiters=false]
    RN Status: online:3 offline:0 maxDelayMillis:1 maxCatchupTimeSecs:0
    Storage Node [sn1] on localhost:5000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Admin [admin1] Status: RUNNING,MASTER
            Rep Node [rg1-rn1]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:5011
    Storage Node [sn2] on localhost:6000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn2]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:6010 delayMillis:1 catchupTimeSecs:0
    Storage Node [sn3] on localhost:7000    Zone: [name=Austin id=zn1 type=PRIMARY allowArbiters=false]    Status: RUNNING   Ver: 12cR2.4.5.12 2018-02-06 08:51:55 UTC  Build id: 0d00330822fc
            Rep Node [rg1-rn3]   Status: RUNNING,REPLICA sequenceNumber:63 haPort:7010 delayMillis:1 catchupTimeSecs:0
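The prerequisite check (protocols include TLSv1.2 on the server and in the client login property) and the verification steps of both procedures (protocols include TLSv1.2 after enabling it; protocols contain TLSv1.2 only after the cutover) can be scripted so that a rolling restart is never started against a configuration that would refuse TLSv1.2. The following is an added example, not part of Oracle NoSQL Database or its securityconfig utility. It assumes that the securityconfig config show output and the client login file expose the settings as key=value lines (allowProtocols, clientAllowProtocols, oracle.kv.ssl.protocols); the sample files are constructed inline.

```shell
#!/bin/sh
# Added pre-flight check for the TLSv1.2 cutover; not part of Oracle NoSQL Database.
# Assumption: "securityconfig config show" output and the client login file expose the
# settings as key=value lines, e.g.  allowProtocols=TLSv1.2,TLSv1.1,TLSv1

# Print the protocol list stored under KEY in FILE (quotes and blanks stripped; empty if absent).
protocols_of() {
    awk -F= -v k="$2" '{ gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1) }
                      $1 == k { gsub(/["[:space:]]/, "", $2); print $2; exit }' "$1"
}

# True if the list under KEY includes TLSv1.2: the prerequisite before any cutover.
has_tlsv12() {
    case ",$(protocols_of "$1" "$2")," in
        *,TLSv1.2,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# True if the list under KEY is exactly TLSv1.2: the expected state after the cutover.
only_tlsv12() {
    [ "$(protocols_of "$1" "$2")" = "TLSv1.2" ]
}

# Check both server-side keys the procedure updates. MODE is "enabled" (prerequisite)
# or "only" (final state). Lists every key that still needs work; returns 1 if any does.
check_config() {
    file=$1 mode=$2 rc=0
    for key in allowProtocols clientAllowProtocols; do
        if [ "$mode" = only ]; then check=only_tlsv12; else check=has_tlsv12; fi
        if ! "$check" "$file" "$key"; then
            echo "$key=$(protocols_of "$file" "$key")  (needs TLSv1.2 $mode)"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: a pre-21.2 server configuration, the cutover result, a client login file.
OLD_CFG=$(mktemp) NEW_CFG=$(mktemp) LOGIN=$(mktemp)
printf 'allowProtocols=TLSv1.2,TLSv1.1,TLSv1\nclientAllowProtocols=TLSv1.1,TLSv1\n' >"$OLD_CFG"
printf 'allowProtocols=TLSv1.2\nclientAllowProtocols=TLSv1.2\n' >"$NEW_CFG"
printf 'oracle.kv.ssl.protocols="TLSv1.2,TLSv1.1,TLSv1"\n' >"$LOGIN"

# The old configuration fails the prerequisite on clientAllowProtocols, so the cutover must wait.
if check_config "$OLD_CFG" enabled; then echo "old config: ready"; else echo "old config: fix first"; fi
if check_config "$NEW_CFG" only; then echo "new config: TLSv1.2 only"; fi
if has_tlsv12 "$LOGIN" oracle.kv.ssl.protocols; then echo "client login: TLSv1.2 present"; fi
```

Run it against the real securityconfig show output and the client's login file before the copy-and-restart steps; any key it prints is one that still needs the corresponding config update.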