SSL model

Oracle NoSQL Database uses a simple SSL key management strategy. A single, shared, RSA key is used to protect communication. In this shared key model, you must be sure that there is a master copy of the security directory and that it gets copied to each server. You should not run makebootconfig with the -store-security configure option on all servers. Most servers should have the -store-security enable option specified in their makebootconfig command.

The shared key has an associated self-signed certificate with a Subject Distinguished Name that is not server-specific. The automatically-created certificates are generated with the Distinguished Name: CN=NoSQL.

Each server component listens on SSL interfaces and presents the shared certificate to clients and other servers that connect to it, as proof of its authenticity. Each client and server component uses a Java truststore containing a copy of the shared certificate to validate the certificate presented by servers.

When accessing a NoSQL instance that is secured using SSL/TLS, you must specify at least the following information:

  1. You must specify that the client will connect using SSL. This is done by setting the security property oracle.kv.transport to "ssl".

  2. You must specify the Java truststore file that is used to validate the server certificate. This is done by setting the security property oracle.kv.ssl.trustStore.

    For example, to start runadmin in security mode use the following command:

    java -Xmx64m -Xms64m \
    -Doracle.kv.security=mylogin.txt \
    -jar KVHOME/lib/kvstore.jar runadmin

    where the file mylogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:

    oracle.kv.auth.username=root
    oracle.kv.auth.wallet.dir=login.wallet
    oracle.kv.transport=ssl
    oracle.kv.ssl.trustStore=client.trust
    oracle.kv.ssl.protocols=TLSv1.2
    oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)

    Note:

    If you fail to correctly specify the oracle.kv.transport property or the truststore, the client will fail to connect to the server.
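As an added preflight check (example code written for this page, not part of Oracle NoSQL Database), the following Python script parses a mylogin.txt-style properties file and reports whether the settings the note above says must be correct (transport, truststore, protocols, hostname verifier) are present before runadmin is started. The accepted protocol set and the optional file-path argument are assumptions.

```python
import os
import re
import sys

SAMPLE_LOGIN = """\
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\\=NoSQL)
"""  # constructed sample: the mylogin.txt contents shown on this page

def parse_properties(text):
    """Minimal Java .properties parser: key=value / key:value lines, '#' or '!'
    comments, and backslash escapes in values ('CN\\=NoSQL' reads as 'CN=NoSQL')."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\\])+?)\s*[=:]\s*(.*)", line)
        if m:  # lines without a separator are skipped
            props[m.group(1).strip()] = re.sub(r"\\(.)", r"\1", m.group(2).strip())
    return props

def check_login_props(props, check_files=True):
    """Return a list of problems; empty means the settings the page requires are present."""
    problems = []
    if props.get("oracle.kv.transport") != "ssl":
        problems.append("oracle.kv.transport must be 'ssl'")
    truststore = props.get("oracle.kv.ssl.trustStore")
    if not truststore:
        problems.append("oracle.kv.ssl.trustStore is not set")
    elif check_files and not os.path.isfile(truststore):
        problems.append("truststore file not found: " + truststore)
    protocols = [p for p in props.get("oracle.kv.ssl.protocols", "").split(",") if p]
    weak = [p for p in protocols if p not in ("TLSv1.2", "TLSv1.3")]  # accepted set is an assumption
    if not protocols or weak:
        problems.append("oracle.kv.ssl.protocols should pin TLSv1.2, got: " + ",".join(protocols))
    # The shared certificate is generated with Distinguished Name CN=NoSQL.
    if props.get("oracle.kv.ssl.hostnameVerifier") != "dnmatch(CN=NoSQL)":
        problems.append("oracle.kv.ssl.hostnameVerifier should be dnmatch(CN=NoSQL)")
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # assumed: optional file argument
    text = open(path).read() if path else SAMPLE_LOGIN
    result = check_login_props(parse_properties(text), check_files=bool(path))
    print("\n".join("PROBLEM: " + p for p in result) or "OK")
```

Run it as `python check_login.py mylogin.txt` to verify a real file (the truststore path is then checked on disk); without an argument it checks the embedded sample.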