Guidelines for Updating Keystore Passwords

Follow these steps to update the keystore passwords:

  1. In the security directory on the configuration host, run the keytool command. You can provide the new passwords either through the keytool interactive prompt or as command-line arguments. For example, to set the new key and store passwords for store.keys, as well as the new store password for store.trust, using the keytool prompt:

    Note:

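    The three new passwords (the key password and the store password for store.keys, and the store password for store.trust) must be identical; otherwise, the store cannot be restarted successfully.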

    keytool -keypasswd -keystore store.keys -alias shared
    Enter keystore password:
    New key password for <shared>:
    Re-enter new key password for <shared>: 
    keytool -storepasswd -keystore store.keys
    Enter keystore password:
    New keystore password:
    Re-enter new keystore password: 
    keytool -storepasswd -keystore store.trust
    Enter keystore password:
    New keystore password:
    Re-enter new keystore password: 

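    Alternatively, you can run the keytool command and set the new passwords using arguments instead. Passwords supplied as arguments are visible in the process list and may be saved in shell history. For example: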

    keytool -keypasswd -keystore store.keys \
    -alias shared -keypass <old_pwd> -new <new_pwd> -storepass <old_pwd> 
    keytool -storepasswd -keystore store.keys \
    -storepass <old_pwd> -new <new_pwd> 
    keytool -storepasswd -keystore store.trust \
    -storepass <old_pwd> -new <new_pwd> 
  2. If you are using a Password File store instead of a wallet, skip ahead to the next step. To update the keystore password held in a wallet, use the following command:

    java -Xmx64m -Xms64m \
    -jar <KVHOME>/lib/kvstore.jar securityconfig \
    wallet secret -directory store.wallet -set -alias keystore

    The securityconfig tool prompts for the new password, which should match the new password provided earlier to the keytool command.

  3. If using Password File stores instead of wallets, use the following command to update the keystore password:

    java -Xmx64m -Xms64m \
    -jar <KVHOME>/lib/kvstore.jar securityconfig \
    pwdfile secret -file store.pwd -set -alias keystore

    The securityconfig tool prompts for the new password, which should match the new password provided earlier to the keytool command.

  4. Copy the updated store.keys and store.trust files, and either store.pwd or the contents of store.wallet, to the security directory on each host, then restart the Storage Node using the following commands:

    java -Xmx64m -Xms64m \
    -jar <KVHOME>/lib/kvstore.jar stop -root KVROOT 

    Note:

    Before starting the Storage Node Agent (SNA), set the environment variable MALLOC_ARENA_MAX to 1. Setting MALLOC_ARENA_MAX to 1 ensures that the memory usage is restricted to the specified heap size.

    java -Xmx64m -Xms64m \
    -jar <KVHOME>/lib/kvstore.jar start -root KVROOT&
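
A check to run in the security directory after step 3 and before copying the files in step 4, given here as an added example that is not part of the original procedure or the product's own tooling: it confirms that store.keys, the key under alias shared, and store.trust all accept the same new password. The variable name NEW_PWD and the function names are assumptions; keytool's :env modifier reads the password from the environment so it stays out of the argument list.

```shell
#!/bin/sh
# Added example: verify the three keystore passwords before distributing files.
# Assumption: the new password is held in the variable NEW_PWD (hypothetical
# name), for example set without echo using:
#   stty -echo; read -r NEW_PWD; stty echo

# check_store FILE: succeeds if FILE opens with $NEW_PWD as its store password.
check_store() {
    keytool -list -keystore "$1" -storepass:env NEW_PWD \
        >/dev/null 2>&1 </dev/null
}

# check_key FILE ALIAS: succeeds if the private key under ALIAS is readable
# with $NEW_PWD. -certreq has to recover the private key to sign the request,
# so a stale key password makes it fail; the request itself is discarded.
check_key() {
    keytool -certreq -keystore "$1" -alias "$2" \
        -storepass:env NEW_PWD -keypass:env NEW_PWD \
        >/dev/null 2>&1 </dev/null
}

# verify_keystore_passwords [DIR]: returns 0 only if all three passwords
# equal $NEW_PWD, 1 on any mismatch, 2 if NEW_PWD is unset or empty.
verify_keystore_passwords() {
    dir=${1:-.}
    rc=0
    [ -n "${NEW_PWD:-}" ] || { echo "NEW_PWD is not set" >&2; return 2; }
    export NEW_PWD    # keytool reads it from the environment
    if check_store "$dir/store.keys"; then
        check_key "$dir/store.keys" shared ||
            { echo "store.keys: key password for <shared> differs" >&2; rc=1; }
    else
        echo "store.keys: store password differs" >&2; rc=1
    fi
    check_store "$dir/store.trust" ||
        { echo "store.trust: store password differs" >&2; rc=1; }
    return "$rc"
}
```

Call `verify_keystore_passwords` with no argument from the security directory, then `unset NEW_PWD` once it returns 0.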