Guidelines for Updating the External Certificates

Follow these steps to update the external certificates for a secure installation that is already using external certificates.

Note:

This procedure assumes you have already set up a Java keystore and truststore containing the updated external certificates. For more information, see Java KeyStore Preparation.

  1. Create a new security configuration that uses external certificates.

    security-> config create -root NEW_KVROOT \
    -pwdmgr wallet -kspwd password \
    -param "client:serverIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)" \
    -param "internal:serverIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)" \
    -param "internal:clientIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)" \
    -param "ha:serverIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)" \
    -param "ha:clientIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)"
  2. Replace the keystore and server truststores with your own:

    cp store.keys store.trust NEW_KVROOT/security/
  3. On the configuration host, merge the truststore entries from NEW_KVROOT into the existing KVROOT. Check that all Replication Nodes are online, then restart each Storage Node one at a time using the following commands. If the updated external certificate uses a different distinguished name, first change the dnmatch value in the security configuration to one that matches the new certificate, using the procedure in Guidelines for Configuring External Certificates for an Existing Default Secure Installation.

    Note:

    Before starting the SNA, set the environment variable MALLOC_ARENA_MAX to 1. Setting MALLOC_ARENA_MAX to 1 ensures that the memory usage is restricted to the specified heap size.

    java -Xmx64m -Xms64m \
    -jar <KVHOME>/lib/kvstore.jar securityconfig \
    config merge-trust -root KVROOT \
    -source-root <NEW_KVROOT>

    java -Xmx64m -Xms64m -jar <KVHOME>/lib/kvstore.jar stop -root KVROOT
    java -Xmx64m -Xms64m -jar <KVHOME>/lib/kvstore.jar start -root KVROOT &

    Note:

    You do not need to update the client truststore if the new certificates are signed by the same Certificate Authority (CA).

  4. Copy the updated store.keys file to the security directory on each host. Then, check that all Replication Nodes are online and restart each Storage Node one by one using the following commands:

    java -Xmx64m -Xms64m -jar <KVHOME>/lib/kvstore.jar stop -root KVROOT
    java -Xmx64m -Xms64m -jar <KVHOME>/lib/kvstore.jar start -root KVROOT &
  5. On every Storage Node, remove the obsolete certificate entry mykey from store.trust, then rename the merged new entry mykey_2 to mykey using the following commands:

    keytool -delete -keystore KVROOT/security/store.trust -alias mykey
    keytool -changealias -keystore KVROOT/security/store.trust \
    -alias mykey_2 -destalias mykey
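Two checks bracket this procedure that the steps above leave to the operator: before step 1 (and again in step 3 if the distinguished name changed), the subject DN of the new certificate in store.keys has to be the DN written into the dnmatch(...) values, or identity verification fails after the restart; after step 5, store.trust should list mykey and no longer list mykey_2. The shell functions below, an added example that is not part of this documentation or of the Oracle NoSQL tools, perform both checks on saved keytool output (a file, or - for standard input). They rely only on the standard keytool listing format ("Owner: ..." lines from -list -v, and "alias, date, entry type," lines from -list). The DN comparison is an assumption of this example: a plain string comparison after whitespace normalisation, not a reimplementation of the store's own dnmatch matching rules.

```shell
#!/bin/sh
# Added example (not from the Oracle NoSQL documentation): pre-flight and
# post-rotation checks for the external certificate update procedure.
# File and alias names follow the procedure: store.keys, store.trust,
# mykey (old trust entry), mykey_2 (merged new trust entry).

# Trim whitespace around ',' and '=' and at both ends so that
# "CN=a, OU=b" and "CN=a,OU=b" compare equal.
# Assumption: plain normalised string comparison, not the store's dnmatch logic.
normalize_dn() {
  printf '%s' "$1" | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
                         -e 's/[[:space:]]*=[[:space:]]*/=/g' \
                         -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Extract the DN from a security parameter value such as
# "client:serverIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, ...)".
dnmatch_dn() {
  printf '%s' "$1" | sed -n 's/^.*dnmatch(\(.*\))[[:space:]]*$/\1/p'
}

# $1: output of `keytool -list -v -keystore store.keys` (file, or - for stdin)
# $2: one security parameter value containing dnmatch(...)
# Returns 0 when the first "Owner:" DN equals the dnmatch DN, 2 if no Owner line.
check_owner_matches() {
  listing=$(cat "$1")
  owner=$(printf '%s\n' "$listing" | sed -n 's/^Owner: //p' | head -n 1)
  if [ -z "$owner" ]; then
    echo "check_owner_matches: no Owner line in keytool output" >&2
    return 2
  fi
  [ "$(normalize_dn "$owner")" = "$(normalize_dn "$(dnmatch_dn "$2")")" ]
}

# $1: output of `keytool -list -keystore store.trust` (file, or - for stdin)
# Returns 0 when alias mykey is present and the obsolete alias mykey_2 is gone.
check_trust_aliases() {
  listing=$(cat "$1")
  if ! printf '%s\n' "$listing" | grep -q '^mykey,'; then
    echo "check_trust_aliases: alias mykey is missing" >&2
    return 1
  fi
  if printf '%s\n' "$listing" | grep -q '^mykey_2,'; then
    echo "check_trust_aliases: obsolete alias mykey_2 is still present" >&2
    return 1
  fi
  return 0
}

# Usage on a live installation (needs keytool and the keystore password):
#   PARAM='client:serverIdentityAllowed=dnmatch(CN=myhost, OU=TeamA, O=MyCompany, L=Unknown, ST=California, C=US)'
#   keytool -list -v -keystore NEW_KVROOT/security/store.keys | check_owner_matches - "$PARAM"
#   keytool -list -keystore KVROOT/security/store.trust | check_trust_aliases -
```

Run the first check once per dnmatch parameter you set in step 1; run the second on every Storage Node after step 5, because the alias cleanup is done host by host and a node that still holds mykey_2 is easy to miss.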