1. Security Guide
  2. Security Configuration
  3. Security Configuration Overview

Security Configuration Overview

To set up security, you need to create an initial security configuration. To do this, run securityconfig before, after, or as part of the makebootconfig process before starting the SNA on an initial node. You should not create a security configuration at each node. Instead, you should distribute the initial security configuration across all the Storage Nodes in your store. If the stores do not share a common security configuration they will be unable to communicate with one another.

Note:

The makebootconfig utility embeds the functionality of securityconfig tool.

Th securityconfig tool creates a set of security files based on the standard configuration. It is possible to perform the same tasks manually, and advanced security configuration might require manual setup, but using this tool helps to ensure a consistent setup. For more information on the manual setup, see SSL keystore generation.

Note:

It is possible to modify the security configuration after it is created in order to use a non-standard configuration. It is recommended that you use a standard configuration.

Those security files are generated, by default, within a directory named "security". In a secure configuration, the bootstrap configuration file for a Storage Node includes a reference to that directory, which must be within the KVROOT directory for the Storage Node. The security directory contains: 

security/security.xml
security/store.keys
security/store.trust
security/store.passwd  (CE or EE installations)
security/store.wallet  (EE installations only)
security/store.wallet/cwallet.sso (EE installations only)
security/client.security
security/client.trust

where:

  • security.xml

    A configuration file that tells the Oracle NoSQL Database server how to apply security.

  • store.keys

    A Java keystore file containing one or more SSL/TLS key pairs. This keystore is protected by a keystore password, which is recorded in an accompanying password store. The password store may be either an Oracle Wallet or a FileStore. The password is stored under the alias "keystore" in the password store. This file should be accessible only by the Oracle NoSQL Database server processes, and not to Oracle NoSQL Database clients.

  • store.trust

    A Java truststore file, which is a keystore file that contains only public certificates, and no private keys.

  • store.passwd (CE or EE installations)

    A password file that acts as the password store for a Community Edition (CE) installation. It contains secret information that should be known only to the server processes. Make sure the password file is readable and writable only by the Oracle NoSQL Database server. The file should not be copied to client machines.

    For Enterprise Edition (EE) installations, Oracle Wallet usage is preferred over the password file option.

  • store.wallet (EE installations only)

    An Oracle Wallet directory that acts as the password store for an Enterprise Edition (EE) installation. It contains secret information that should be known only to the server processes. Make sure the directory and its contents are readable and writable only by Oracle NoSQL Database. The file should not be copied to client machines.

  • cwallet.sso (EE installations only)

    The wallet password storage file.

  • client.security

    A security configuration file that captures the communication transport properties for connecting clients to KVStore.

    The generated client.security file should be copied to and used by Oracle NoSQL Database clients when connecting to the KVStore.

  • client.trust

    A truststore file used by clients is generated.

    The generated client.trust file should be copied to and used by Oracle NoSQL Database clients when connecting to the KVStore.

Note:

In a multi-host store environment, the security directory and all files contained in it should be copied to each server that will host a Storage Node.