Configuring security in a data store

• Basics of data store security
• Configuring security using securityconfig tool
• Create users and configure security with remote access

Basics of data store security

Oracle NoSQL Database can be configured securely.

In a secure configuration, network communications between NoSQL clients, utilities, and NoSQL data store components are encrypted using SSL/TLS, and all processes must authenticate themselves to the components to which they connect. It is strongly advised that you configure Oracle NoSQL Database with security enabled.

When you configure the Oracle NoSQL Database, the parameter store-security specifies whether security is in use. Specifying none indicates that security will not be in use. Specifying configure indicates that you want to configure security. When you specify configure or do not specify the store-security parameter, then the makebootconfig process will invoke the securityconfig utility as part of its operation. Specifying enable indicates security will be in use. When you specify enable , you will need to either explicitly configure security by utilizing the security configuration utility(securityconfig), or copy a previously created security configuration from another system.

Note:

If you do not specify the -store-security parameter, security is configured by default. To complete a secure installation, you must use the securityconfig utility to create the security folder before starting up the Storage Node agents.

Configuring security using securityconfig tool

You can run the securityconfig tool before or after the makebootconfig process. This tool creates the security directory and also creates security related files. The makebootconfig utility automatically invokes the securityconfig tool in one of the following two scenarios.

• You specify store-security configure in the makebootconfig command explicitly requesting to configure a secure data store.
• You omit the store-security parameter in the makebootconfig command. A secure data store is then configured by default.

Invoke the securityconfig tool as shown below:

java -Xmx64m -Xms64m 
-jar $KVHOME/lib/kvstore.jar 
securityconfig \
config create -root $KVROOT -kspwd (******)
Created files
$KVROOT/security/security.xml
$KVROOT/security/store.keys
$KVROOT/security/store.trust
$KVROOT/security/client.trust
$KVROOT/security/client.security
$KVROOT/security/store.passwd (Generated in CE version)
$KVROOT/security/store.wallet/cwallet.sso (Generated in EE version)
Created
 

See Configuring Security with Securityconfig in the Security Guide for more details.

If you have more than one Storage Node in your data store, then the security configuration is configured in the first Storage Node using -store-security configure). The security directory and all files contained in it should be copied from the first Storage Node to other Storage Nodes to setup security. Zip all the security related files from the first Storage Node to security.zip.

cd ; 
zip -r $HOME/security.zip $KVROOT/security; 
cd -

Copy the security.zip from first Storage Node to other Storage Nodes. In the other Storage Nodes, you will unzip the security.zip file and use this security information (copied from the first Storage Node). You then use -store-security enable while configuring the remaining Storage Nodes.

Create users and configure security with remote access

You need to create users for a secure cluster.

To configure security with remote access, see the following steps:

• Create the first admin user. In this case, user root is defined.

  kv->execute 'CREATE USER root IDENTIFIED BY "password" ADMIN'

• Grant the readwrite role to the first admin user:

  kv->execute "GRANT readwrite TO USER root"

• Generate a password store for the first admin user. This step creates an root.passwd file in the $KVROOT/security directory. These are the commands to create root.passwd.

  java -Xmx64m -Xms64m \
  -jar $KVHOME/lib/kvstore.jar securityconfig \
  pwdfile create -file $KVROOT/security/root.passwd
  
  java -Xmx64m -Xms64m \
  -jar $KVHOME/lib/kvstore.jar securityconfig \
  pwdfile secret \
  -file $KVROOT/security/root.passwd -set -alias root -secret password

• Copy the client.security file to another file named root.login. This client.security was created by the securityconfig utility earlier.

  cp $KVROOT/security/client.security $KVROOT/security/root.login

• Zip all the user security files. This needs to be copied to all Storage Nodes of the data store.

  cd $KVROOT/security; 
  zip -r root.zip root.* client.trust ;
  cd -
  

• From every Storage Node ( other than the first Storage Node in the data store), unzip the user security files into $KVROOT/security.

  unzip -o $KVROOT/security/root.zip -d $KVROOT/security

• You can now access the Admin node running on a Storage Node from another Storage Node remotely as shown below:

  java -Xmx64m -Xms64m \
  -jar $KVHOME/lib/kvstore.jar runadmin \ 
  -port 5000 -host node01 \
  -security $KVROOT/security/root.login