B SSL keystore generation

The keystores (store.keys and store.trust) that are automatically generated by makebootconfig or securityconfig use an RSA private key with a size of 2048 bits and an associated self-signed certificate with a 365-day lifetime. They can also be created manually with a different key algorithm, key size, validity period or other characteristics, using the following keytool (the Java built-in key and certificate management tool) commands:

To generate the keypair, use the keytool -genkeypair command:

keytool -genkeypair \
-keystore store.keys \
-storepass <passwd> \
-keypass <passwd> \
-alias shared \
-dname "CN=NoSQL" \
-keyAlg RSA \
-keysize 1024 \
-validity 365 

To export the certificate of the key pair, use the keytool -export command:

keytool -export \
-file <temp file> \
-keystore store.keys \
-storepass <passwd> \
-alias shared 

To import the exported certificate into the truststore (store.trust), use the keytool -import command:

keytool -import \
-file <temp file> \
-keystore store.trust \
-storepass <passwd> \
-noprompt 

You can also use the keytool commands described above to manually generate other keystore and truststore keys and substitute them for the ones that Oracle NoSQL Database generates, provided you adhere to the following rules:

  • The store.keys file should have a key pair with the alias "shared".

  • The store.keys store password (-storepass) must match the key password (-keypass), and both must be the same as the password specified with -kspwd when the security configuration directory is created via makebootconfig or securityconfig.

  • If a subject distinguished name other than CN=NoSQL is chosen for the self-signed certificate, then you must specify the following options to the makebootconfig or securityconfig command:

    -param "ha:serverIdentityAllowed=dnmatch(SOMEDN)"
    -param "ha:clientIdentityAllowed=dnmatch(SOMEDN)"
    -param "internal:serverIdentityAllowed=dnmatch(SOMEDN)"
    -param "internal:clientIdentityAllowed=dnmatch(SOMEDN)"
    -param "client:serverIdentityAllowed=dnmatch(SOMEDN)" 

    where SOMEDN is the distinguished name (-dname) chosen.

  • The store password for store.trust should match the store password for store.keys.

After creating the keystores (store.keys and store.trust) with the above commands, replace the old ones in the security configuration directory created by the makebootconfig or securityconfig utility.
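The whole procedure above as one script, with a check for the rules in the list (an added example, not part of the Oracle NoSQL Database documentation). It assumes keytool is on PATH; the DN, key size, validity and the PASSWD placeholder are assumptions, and PASSWD must equal the -kspwd given to makebootconfig or securityconfig.

```shell
#!/bin/sh
# Added example: build store.keys and store.trust by hand and check the rules.
# Assumed: keytool on PATH. Values below are placeholders, not Oracle defaults.
set -eu

DN="${DN:-CN=NoSQL}"            # subject DN of the self-signed certificate
KEYSIZE="${KEYSIZE:-2048}"      # RSA key size in bits
VALIDITY="${VALIDITY:-365}"     # certificate lifetime in days
PASSWD="${PASSWD:-changeit}"    # placeholder; must match -kspwd (rule 2 and 4)

# Generate the key pair (alias "shared", rule 1), export its certificate
# through a temp file and import that certificate into a new store.trust.
gen_keystores() {
  dir="$1"
  tmp=$(mktemp)
  keytool -genkeypair -keystore "$dir/store.keys" -storepass "$PASSWD" \
    -keypass "$PASSWD" -alias shared -dname "$DN" -keyalg RSA \
    -keysize "$KEYSIZE" -validity "$VALIDITY"
  keytool -export -file "$tmp" -keystore "$dir/store.keys" \
    -storepass "$PASSWD" -alias shared
  keytool -import -file "$tmp" -keystore "$dir/store.trust" \
    -storepass "$PASSWD" -noprompt
  rm -f "$tmp"
}

# Verify rules 1 and 4: store.keys opens with $PASSWD and holds a private-key
# entry under alias "shared"; store.trust opens with the same password.
check_keystores() {
  dir="$1"
  keytool -list -keystore "$dir/store.keys" -storepass "$PASSWD" \
    -alias shared 2>/dev/null | grep -Eqi 'PrivateKeyEntry|keyEntry' || return 1
  keytool -list -keystore "$dir/store.trust" -storepass "$PASSWD" \
    >/dev/null 2>&1 || return 1
}

# Rule 3: print the extra -param options required when DN is not CN=NoSQL.
dn_params() {
  [ "$DN" = "CN=NoSQL" ] && return 0
  for p in ha:serverIdentityAllowed ha:clientIdentityAllowed \
           internal:serverIdentityAllowed internal:clientIdentityAllowed \
           client:serverIdentityAllowed; do
    printf -- '-param "%s=dnmatch(%s)"\n' "$p" "$DN"
  done
}
```

Run as `DN="CN=MyStore" sh script.sh` after adding calls to gen_keystores and dn_params at the bottom; the dn_params output is what you append to the makebootconfig or securityconfig command line.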