Multiple Node Secure Deployment

The following examples describe how to add security to a new or to an existing Oracle NoSQL Database multiple host deployment.

Adding Security to a New Installation

To install an Oracle NoSQL Database three node, capacity=3 (3x3) secure deployment:

Run the makebootconfig utility with the -store-security option to set up the basic store configuration with security:

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar makebootconfig \
-root KVROOT -port 5000 \
-host node01 -harange 5010,5020 \
-store-security configure -pwdmgr wallet -capacity 3

In this example, -store-security configure is used, so the security configuration utility is run as part of the makebootconfig process and you are prompted for a password to use for your keystore file:
```
Enter a password for the Java KeyStore: 
```

Enter a password for your store and then reenter it for verification. For example, using wallet, the securityconfig tool will automatically generate the following security related files:

Enter a password for the Java KeyStore: ***********
Re-enter the KeyStore password for verification: ***********
Created files:
security/security.xml
security/store.keys
security/store.trust
security/store.wallet/cwallet.sso
security/client.security
security/client.trust

In a multi-host store environment, the security directory and all files contained in it should be copied from the first node to each server that will host a Storage Node, to setup internal cluster authentication. For example, the following commands assume that the different nodes are visible and accessible on the current node (node01):
```
cp -R node01/KVROOT/security node02/KVROOT/
cp -R node01/KVROOT/security node03/KVROOT/ 
```
Note:

You may need to use a remote copying command, like scp, to do the copying if the files for the different nodes are not visible on the current node.

Enable security on the other two nodes using the -store-security enable command:

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar makebootconfig \
-root KVROOT \
-host node02 \
-port 6000 \
-harange 6010,6020 \
-capacity 3 \
-store-security enable \
-pwdmgr wallet

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar makebootconfig \
-root KVROOT \
-host node03 \
-port 7000 \
-harange 7010,7020 \
-capacity 3 \
-store-security enable \
-pwdmgr wallet

Start the Storage Node Agent (SNA) on each node:

Note:

Before starting the SNA, set the environment variable MALLOC_ARENA_MAX to 1. Setting MALLOC_ARENA_MAX to 1 ensures that the memory usage is restricted to the specified heap size.
```
nohup java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar start -root KVROOT&
```

Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar \
runadmin -port 5000 -host node01 \
-security KVROOT/security/client.security
Logged in admin as anonymous

Use the configure -name command to specify the name of the KVStore that you want to configure:
```
kv-> configure -name mystore
Store configured: mystore 
```
Create an admin user. The password should comply with the security policies described in Password Complexity Policies. In this case, user root is defined:
```
kv-> execute 'CREATE USER root IDENTIFIED BY \"password\" ADMIN
Statement completed successfully  
```
For more information on user creation and administration, see User Management.

Create the wallet to enable client credentials for the admin user (root):

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig \
wallet create -dir KVROOT/security/login.wallet
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
-dir KVROOT/security/login.wallet -set -alias root
Enter the secret value to store: ********
Re-enter the secret value for verification: ********
Secret created

Note:

The password must match the one set for the admin in the previous step.

At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

In this example, a security file (adminlogin.txt) is used. To login, use the following command:
```
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar runadmin -port 5000 \
-host localhost -security adminlogin.txt
Logged in admin as root
```
The file adminlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:
```
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=KVROOT/security/login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=KVROOT/security/client.trust
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 
```
For more information, see User Login.

Once logged in as admin, you can create some users:

kv-> execute 'CREATE USER user1 IDENTIFIED BY \"password\"
Statement completed successfully

kv-> execute 'CREATE USER user2 IDENTIFIED BY \"password\"
Statement completed successfully

Create the wallet to enable client credentials for each user. Typically you will reuse this wallet for all your regular users:

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig \
wallet create -dir KVROOT/security/users.wallet
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
-dir KVROOT/security/users.wallet -set -alias user1
Enter the secret value to store: ********
Re-enter the secret value for verification: ********
Secret created
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
-dir KVROOT/security/users.wallet -set -alias user2
Enter the secret value to store: ********
Re-enter the secret value for verification: ********
Secret created

Note:

Each password must match the one set for each user in the previous step. This wallet is independent from the admin one. It is possible to store admin/user passwords using the same wallet.

At this point, it is possible to connect to the store as a user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

In this example, a security file (userlogin.txt) is used. To login, use the following command:
```
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar runadmin -port 5000 \
-host localhost -security userlogin
Logged in admin as user1
```
The file userlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:
```
oracle.kv.auth.username=user1
oracle.kv.auth.wallet.dir=KVROOT/security/users.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=KVROOT/security/client.trust
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 
```
For more information, see User Login.

Adding Security to an Existing Installation

To add security to an existing three node, capacity=3 (3x3) Oracle NoSQL Database installation:

Shut down the KVStore instance on each node:

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar stop \
-root KVROOT

Run the securityconfig utility to set up the basic store configuration with security:
```
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig
```
Use the config create command with the -pwdmgr option to specify the mechanism used to hold passwords that is needed for accessing the stores. In this case, Oracle Wallet is used:
```
config create -pwdmgr wallet -root KVROOT
Enter a password for the Java KeyStore:
```

Enter a password for your store and then reenter it for verification. The configuration tool will automatically generate some security related files:

Enter a password for the Java KeyStore: ***********
Re-enter the KeyStore password for verification: ***********
Created files:
security/security.xml
security/store.keys
security/store.trust
security/store.wallet/cwallet.sso
security/client.security
security/client.trust

In a multi-host store environment, the security directory and all files contained in it should be copied from the first node to each server that will host a Storage Node, to setup internal cluster authentication. For example, the following commands assume that the different nodes are visible and accessible on the current node (node01):
```
cp -R node01/KVROOT/security node02/KVROOT/
cp -R node01/KVROOT/security node03/KVROOT/ 
```
Note:

You may need to use a remote copying command, like scp, to do the copying if the files for the different nodes are not visible on the current node.
Use the config add-security command on each node to add the security configuration you just created:
```
security-> config add-security -root KVROOT -secdir security 
```
Note:

When running this command, the securityconfig tool will verify the existence of the referenced files and will update the specified bootstrap configuration file to refer to the security configuration. This process is normally done with the KVStore instance stopped, and must be performed on each Storage Node of the store.
Start the Storage Node Agent (SNA) on each node:

Note:

Before starting the SNA, set the environment variable MALLOC_ARENA_MAX to 1. Setting MALLOC_ARENA_MAX to 1 ensures that the memory usage is restricted to the specified heap size.
```
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar start -root KVROOT&
```
Start runadmin in security mode on the KVStore server host (node01). To do this, use the following command:
```
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar \
runadmin -port 5000 -host node01 \
-security KVROOT/security/client.security 
```
This command sets SSL as a connection method and names a copy of the generated truststore file (client.security). For more information on SSL properties, see SSL communication properties.
Create an admin user. The password should comply with the security policies described in Password Complexity Policies. In this case, user root is defined:
```
kv-> execute 'CREATE USER root IDENTIFIED BY \"password\" ADMIN
Statement completed successfully
```
For more information on user creation and administration, see User Management.

Create the wallet to enable client credentials for the admin user (root):

java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig \
wallet create -dir KVROOT/security/login.wallet
java -Xmx64m -Xms64m \
-jar KVHOME/lib/kvstore.jar securityconfig wallet secret \
-dir KVROOT/security/login.wallet -set -alias root
Enter the secret value to store: ********
Re-enter the secret value for verification: ********
Secret created

Note:

The password must match the one set for the admin in the previous step.

At this point, it is possible to connect to the store as the root user. To login, you can use either the -username <user> runadmin argument or specify the "oracle.kv.auth.username" property in the security file.

In this example, the oracle.kv.security property is used. To login use the following command:
```
java -Xmx64m -Xms64m \
-Doracle.kv.security=adminlogin.txt \
-jar KVHOME/lib/kvstore.jar runadmin -port 5000 -host localhost
Logged in admin as root >
```
The file adminlogin.txt should be a copy of the client.security file with additional properties settings for authentication. The file would then contain content like this:
```
oracle.kv.auth.username=root
oracle.kv.auth.wallet.dir=KVROOT/security/login.wallet
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=KVROOT/security/client.trust
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL) 
```
For more information, see User Login.