Oracle Wallet

An Oracle wallet is a mechanism used to securely store sensitive information, such as passwords, that is required for authentication and secure communication. It is available only in the Enterprise Edition of Oracle NoSQL Database.

If you want to use a wallet to store your passwords, you must specify wallet as the password management mechanism while configuring the store security using the securityconfig utility or makebootconfig utility.

The following steps show you how this can be done.

  • Using securityconfig:
    Run the securityconfig utility to set up the basic store configuration with security. For more information on the securityconfig utility, see Configuring Security with Securityconfig.
    java -Xmx64m -Xms64m -jar $KVHOME/lib/kvstore.jar securityconfig
    Use the config create command with the -pwdmgr option to specify the password management mechanism. In this case, the mechanism is wallet.
    security-> config create -pwdmgr wallet -root $KVROOT
    Enter a password for the Java KeyStore:
  • Using makebootconfig:
    Run the makebootconfig utility with the -store-security configure option. For more information on the makebootconfig utility, see Configuring Security with Makebootconfig. For example:
    java -Xmx64m -Xms64m \
    -jar $KVHOME/lib/kvstore.jar makebootconfig \
    -root $KVROOT -port 5000 \
    -host node01 -harange 5010,5020 \
    -store-security configure -pwdmgr wallet -capacity 3
    Enter a password for the Java KeyStore:

Enter a password for the Java KeyStore and then re-enter it for verification. The configuration tool generates the security-related files. It creates a wallet directory, store.wallet, that holds the keystore access password. The keystore access password protects the keys and certificates used for secure communication within the database cluster, so the wallet contains secret information that should be known only to the server processes. The store.wallet directory must remain on the server side; never copy it to clients.

The client.security and client.trust files should be copied to each client host and used when connecting to the data store. The utility lists the files it generated:
Created files
    $KVROOT/security/store.keys
    $KVROOT/security/store.trust
    $KVROOT/security/client.trust
    $KVROOT/security/client.security
    $KVROOT/security/store.wallet/cwallet.sso.lck
    $KVROOT/security/store.wallet/cwallet.sso
    $KVROOT/security/security.xml
Created

You can create and manipulate wallets to store user passwords. User passwords are required to authenticate individual users or clients to the database for data access and operations based on the privileges granted to them.

The following commands show you how this can be done.

To create a new wallet, run the wallet create command:

wallet create -dir <wallet directory> 
For example:
security-> wallet create -dir $KVROOT/security/loginwallet
Created

To manipulate secrets (passwords), which are associated with a name (alias), run the wallet secret command:

wallet secret -dir <wallet directory> 
{-set | -delete} -alias <alias>

If the -set option is specified, the user is prompted for a new password for the specified alias and required to verify the new secret.

If the -delete option is specified, the secret for that alias is deleted from the wallet.

For example, to manipulate the secret (password) associated with user John, run the wallet secret command as follows:
security-> wallet secret -dir $KVROOT/security/loginwallet -set -alias John
Enter the secret value to store: <password for user John>
Re-enter the secret value for verification: <password for user John>
Secret created

Special considerations should be taken if Oracle wallet is used and you are deploying your Oracle NoSQL Database. For more information, see Guidelines for Deploying Secure Applications.

In order to authenticate as a user, you must provide the user name and the wallet directory as security properties while connecting to the data store. To do this, create a copy of the client.security file present in the security folder that was created earlier. The client.security file contains the security properties and configuration details required for clients to securely connect to the data store. In the copied file, include additional properties containing the user name and the wallet directory. Because cwallet.sso is an auto-login wallet, any account that can read the wallet directory can use the stored password, so restrict the directory and its contents with file-system permissions to the account that runs the client.

The following steps show you how this can be done.

Make a copy of the client.security file present in the security folder. Let us call it user.login.
cp client.security user.login
Include the following additional properties in the user.login file. The Java properties loader reads the wallet directory value literally and does not expand shell variables, so $KVROOT below stands for the resolved absolute path of the root directory on the client host:
oracle.kv.auth.username=John
oracle.kv.auth.wallet.dir=$KVROOT/security/loginwallet
Now, you can use user.login to securely connect to the store as user John:
java -Xmx64m -Xms64m -jar lib/kvstore.jar runadmin -port 8000 -host localhost -security kvroot/security/user.login
Logged in to Admin as John
kv->
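The procedure above, assembled into a script as an added example (not code from the Oracle NoSQL Database documentation): it copies client.security to user.login, appends the user name and wallet directory, refuses a wallet path that is not absolute (which would also catch an unexpanded $KVROOT), and refuses a wallet directory that other accounts can read. The sample client.security contents and the placeholder cwallet.sso created in demo() are constructed so the script runs without a store; the function names are mine, not part of any Oracle tool.

```shell
#!/bin/sh
# Added example, not code from the Oracle NoSQL Database documentation.
# Builds a user.login properties file from client.security and checks the
# wallet directory it points at before the file is handed to runadmin or a
# client application. The sample client.security contents and the wallet
# directory created in demo() are constructed for this example.

# make_user_login SRC DEST USER WALLET_DIR
# Copy SRC (client.security) to DEST and append the two login properties.
# WALLET_DIR must be an absolute path: the Java properties loader reads the
# value literally and never expands a shell variable such as $KVROOT.
make_user_login() {
    src=$1 dest=$2 user=$3 wallet=$4
    [ -f "$src" ] || { echo "make_user_login: missing $src" >&2; return 1; }
    case $wallet in
        /*) ;;
        *)  echo "make_user_login: wallet dir must be an absolute path: $wallet" >&2
            return 1 ;;
    esac
    cp "$src" "$dest" || return 1
    printf 'oracle.kv.auth.username=%s\n' "$user" >> "$dest" || return 1
    printf 'oracle.kv.auth.wallet.dir=%s\n' "$wallet" >> "$dest" || return 1
    chmod 600 "$dest"       # the file names the wallet; keep it private too
}

# private_mode PATH: succeed only if group and other have no permission bits.
# Reads the mode column of ls -ld, which is the same on GNU and BSD systems.
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_wallet_dir DIR
# Succeed only if DIR exists, holds cwallet.sso, and both are private.
# cwallet.sso is an auto-login wallet, so anyone who can read it can use it.
check_wallet_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "check_wallet_dir: no such directory: $dir" >&2; return 1; }
    [ -f "$dir/cwallet.sso" ] || { echo "check_wallet_dir: no cwallet.sso in $dir" >&2; return 1; }
    private_mode "$dir" || { echo "check_wallet_dir: $dir is group/world accessible" >&2; return 1; }
    private_mode "$dir/cwallet.sso" || { echo "check_wallet_dir: $dir/cwallet.sso is group/world readable" >&2; return 1; }
}

# get_prop KEY FILE: print the value of KEY from a Java-style properties file.
get_prop() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2) }' "$2"
}

# demo: constructed stand-ins for the files that securityconfig and
# "wallet create" would produce, so the script runs without a store.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/client.security" <<'EOF'
oracle.kv.transport=ssl
oracle.kv.ssl.trustStore=/var/kvroot/security/client.trust
EOF
    mkdir "$tmp/loginwallet" && : > "$tmp/loginwallet/cwallet.sso"
    chmod 700 "$tmp/loginwallet" && chmod 600 "$tmp/loginwallet/cwallet.sso"
    check_wallet_dir "$tmp/loginwallet" &&
        make_user_login "$tmp/client.security" "$tmp/user.login" John "$tmp/loginwallet" &&
        cat "$tmp/user.login"
    rm -rf "$tmp"
}

demo
```

Run it with the generated user.login in place of the constructed one and pass the result to runadmin with -security; if check_wallet_dir fails, fix the directory permissions on the client host before connecting rather than loosening the check.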