Configuring security in a data store
Basics of data store security
Oracle NoSQL Database can be configured securely.
In a secure configuration, network communications between NoSQL clients, utilities, and NoSQL data store components are encrypted using SSL/TLS, and all processes must authenticate themselves to the components to which they connect. It is strongly advised that you configure Oracle NoSQL Database with security enabled.
The store-security parameter specifies whether security is in use. Specifying none indicates that security will not be in use. Specifying configure indicates that you want to configure security. When you specify configure or do not specify the store-security parameter, the makebootconfig process invokes the securityconfig utility as part of its operation. Specifying enable indicates that security will be in use. When you specify enable, you need to either explicitly configure security using the security configuration utility (securityconfig), or copy a previously created security configuration from another system.
Note: If you do not specify the -store-security parameter, security is configured by default. To complete a secure installation, you must use the securityconfig utility to create the security folder before starting up the Storage Node agents.
Configuring security using securityconfig tool
You can run the securityconfig tool before or after the makebootconfig process. This tool creates the security directory and the security-related files in it. The makebootconfig utility automatically invokes the securityconfig tool in one of the following two scenarios:
- You specify store-security configure in the makebootconfig command, explicitly requesting a secure data store.
- You omit the store-security parameter in the makebootconfig command. A secure data store is then configured by default.
You can also run the securityconfig tool directly, as shown below:
    java -Xmx64m -Xms64m \
        -jar $KVHOME/lib/kvstore.jar securityconfig \
        config create -root $KVROOT -kspwd (******)
    Created files
    $KVROOT/security/security.xml
    $KVROOT/security/store.keys
    $KVROOT/security/store.trust
    $KVROOT/security/client.trust
    $KVROOT/security/client.security
    $KVROOT/security/store.passwd (Generated in CE version)
    $KVROOT/security/store.wallet/cwallet.sso (Generated in EE version)
    Created
See Configuring Security with Securityconfig in the Security Guide for more details.
This applies to the first Storage Node (configured with -store-security configure). The security directory and all files contained in it should be copied from the first Storage Node to the other Storage Nodes to set up security. Zip all the security-related files from the first Storage Node into security.zip:
    cd ;
    zip -r $HOME/security.zip $KVROOT/security;
    cd -
Copy security.zip from the first Storage Node to the other Storage Nodes. On each of the other Storage Nodes, unzip the security.zip file and use this security information (copied from the first Storage Node). You then use -store-security enable while configuring the remaining Storage Nodes.
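Before starting the Storage Node agent on a node that received the copied directory, it is worth checking that the copy is complete and that the secret-bearing files are not readable by other users. The following POSIX shell check is an added example and not part of the Oracle NoSQL documentation; it assumes KVROOT names the node's root directory and uses the file names reported by securityconfig config create above (store.passwd exists only in CE and store.wallet/cwallet.sso only in EE, so both are treated as optional).

```shell
#!/bin/sh
# Added example, not from the Oracle NoSQL documentation.
# Checks a $KVROOT/security directory copied from the first Storage Node
# before the Storage Node agent is started on this node.
# Assumption: the file names are the ones "securityconfig config create" prints.

# Files every Storage Node needs after the copy.
REQUIRED_SECURITY_FILES="security.xml store.keys store.trust client.trust client.security"

# Secret-bearing files: keystore, CE password store, EE wallet. The last two
# are optional because only one of them exists, depending on the edition.
SECRET_SECURITY_FILES="store.keys store.passwd store.wallet/cwallet.sso"

# check_security_dir DIR
# Returns 0 when every required file is present and no secret-bearing file is
# readable by group or other; prints each problem to stderr and returns 1 otherwise.
check_security_dir() {
    dir="$1"
    rc=0
    for f in $REQUIRED_SECURITY_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    for f in $SECRET_SECURITY_FILES; do
        [ -f "$dir/$f" ] || continue
        # Mode string such as -rw-------: character 5 is group read, 8 is other read.
        perms=$(ls -ld "$dir/$f" | cut -c1-10)
        case "$perms" in
            ????r*|???????r*)
                echo "too permissive: $dir/$f ($perms)" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use on a Storage Node: check the directory under KVROOT when it is set.
if [ -n "${KVROOT:-}" ]; then
    check_security_dir "$KVROOT/security"
fi
```

Run it on each Storage Node after unzipping security.zip; a non-zero exit means the copy is incomplete or a keystore, password store or wallet is readable by other users.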
Create users and configure security with remote access
You need to create users for a secure cluster. To configure security with remote access, follow these steps:
- Create the first admin user. In this case, the user root is defined.
    kv-> execute 'CREATE USER root IDENTIFIED BY "password" ADMIN'
- Grant the readwrite role to the first admin user:
    kv-> execute "GRANT readwrite TO USER root"
- Generate a password store for the first admin user. This step creates a root.passwd file in the $KVROOT/security directory. These are the commands to create root.passwd:
    java -Xmx64m -Xms64m \
        -jar $KVHOME/lib/kvstore.jar securityconfig \
        pwdfile create -file $KVROOT/security/root.passwd
    java -Xmx64m -Xms64m \
        -jar $KVHOME/lib/kvstore.jar securityconfig \
        pwdfile secret \
        -file $KVROOT/security/root.passwd -set -alias root -secret password
- Copy the client.security file to another file named root.login. This client.security file was created by the securityconfig utility earlier.
    cp $KVROOT/security/client.security $KVROOT/security/root.login
- Zip all the user security files. These need to be copied to all Storage Nodes of the data store.
    cd $KVROOT/security; zip -r root.zip root.* client.trust ; cd -
- On every Storage Node (other than the first Storage Node in the data store), unzip the user security files into $KVROOT/security.
    unzip -o $KVROOT/security/root.zip -d $KVROOT/security
- You can now access the Admin node running on a Storage Node from another Storage Node remotely, as shown below:
    java -Xmx64m -Xms64m \
        -jar $KVHOME/lib/kvstore.jar runadmin \
        -port 5000 -host node01 \
        -security $KVROOT/security/root.login