Guidelines for enabling TLSV1.3 protocol
Update TLS protocol configuration to enable TLSv1.3
Oracle NoSQL Database now supports the TLSv1.3 protocol. To run NoSQL Database and your application with TLSv1.3, you must use JDK 11 or later, or JDK 8 Update 261 (JDK 8u261) or later. Since the 21.3 release, NoSQL Database adds TLSv1.3 to the default TLS protocols of security configurations created via the makebootconfig or securityconfig utility. It is recommended to update the TLS protocols of existing security configurations to TLSv1.3, the latest and most secure protocol.
Enable TLSv1.3 protocol
- Update the login properties of the client application. Add TLSv1.3 to oracle.kv.ssl.protocols if that property exists. Then restart the client application for the protocol change to take effect.
  oracle.kv.ssl.protocols="TLSv1.3,TLSv1.2"
- Make two copies of the existing security configuration directory of the Storage Node. Keep one as a backup, and use the other one for updating the protocols.
Note:
This step updates the security configuration of the Storage Node used by the NoSQL Database server, as opposed to the client application changes in the previous step.
- Update the SSL protocols in the copied security configuration directory.
  java -jar $KVHOME/lib/kvstore.jar securityconfig \
      config update -secdir security \
      -param "allowProtocols=TLSv1.3,TLSv1.2" \
      -param "clientAllowProtocols=TLSv1.3,TLSv1.2"
- Verify that the protocols in the updated security configuration include TLSv1.3.
  java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir $KVROOT/security
- Copy the updated security directory to each Storage Node, replacing the old security configuration directory. Then, check that all Replication Nodes (RNs) are online and restart each Storage Node, one by one, using the following commands.
  java -jar $KVHOME/lib/kvstore.jar stop -root $KVROOT
  java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT &
- Start the Admin CLI, and check that all Replication Nodes (RNs) are up using the ping command:
  java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT/security/client.security
Output:
  Logged in admin as anonymous
  kv-> ping
Update TLS protocol to TLSv1.3 only
This is the procedure to enable only TLSv1.3 in the NoSQL Database security configuration. It assumes the existing security configuration already includes the TLSv1.3 protocol; if not, follow the previous procedure to enable TLSv1.3 first.
- Make two copies of the existing security configuration directory. Keep one as a backup, and use the other one for updating the protocols.
- Update the SSL protocols in the copied security configuration directory.
  java -jar $KVHOME/lib/kvstore.jar securityconfig \
      config update -secdir security \
      -param "allowProtocols=TLSv1.3" \
      -param "clientAllowProtocols=TLSv1.3"
- Verify that the protocols in the updated security configuration contain TLSv1.3 only.
  java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir $KVROOT/security
- Copy the updated security directory to each Storage Node, replacing the old security configuration directory. Then, check that all Replication Nodes (RNs) are online and restart each Storage Node, one by one, using the following commands.
  java -jar $KVHOME/lib/kvstore.jar stop -root $KVROOT
  java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT &
- Start the Admin CLI, and check that all Replication Nodes (RNs) are up using the ping command:
  java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT/security/client.security
Output:
  Logged in admin as anonymous
  kv-> ping
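The verification steps in both procedures above (TLSv1.3 enabled, and TLSv1.3 only) are done by eye. The following script is an added example, not part of the Oracle documentation or of the kvstore tooling: it checks the allowProtocols and clientAllowProtocols values in the output of securityconfig config show, and after the Storage Node restart confirms that the node actually negotiates TLSv1.3. It assumes config show prints parameters as key=value lines (the sample output below is constructed) and that the checked port accepts a direct TLS handshake.

```shell
#!/usr/bin/env sh
# Constructed sample output standing in for:
#   java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir $KVROOT/security
# (key=value format is an assumption, not taken from the tool's documentation)
SAMPLE_MIXED='keystore=store.keys
allowProtocols=TLSv1.3,TLSv1.2
clientAllowProtocols=TLSv1.3,TLSv1.2'

SAMPLE_ONLY='keystore=store.keys
allowProtocols=TLSv1.3
clientAllowProtocols=TLSv1.3'

# protocols_of OUTPUT PARAM -> prints the comma-separated value of PARAM
protocols_of() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# has_tls13 OUTPUT PARAM -> succeeds if TLSv1.3 is one of the listed protocols
has_tls13() {
  case ",$(protocols_of "$1" "$2")," in
    *,TLSv1.3,*) return 0 ;;
    *) return 1 ;;
  esac
}

# tls13_only OUTPUT PARAM -> succeeds if PARAM is exactly TLSv1.3
tls13_only() {
  [ "$(protocols_of "$1" "$2")" = "TLSv1.3" ]
}

# check_config OUTPUT MODE -> MODE is "enabled" (TLSv1.3 present) or "only"
# (nothing but TLSv1.3); both server and client parameters must pass.
check_config() {
  for p in allowProtocols clientAllowProtocols; do
    if [ "$2" = only ]; then
      tls13_only "$1" "$p" || { echo "$p is not TLSv1.3 only"; return 1; }
    else
      has_tls13 "$1" "$p" || { echo "$p lacks TLSv1.3"; return 1; }
    fi
  done
}

# live_check HOST PORT -> after restarting a Storage Node, confirm a TLSv1.3
# handshake succeeds against it (needs network access; not exercised offline).
live_check() {
  openssl s_client -connect "$1:$2" -tls1_3 </dev/null 2>/dev/null \
    | grep -q 'Protocol *: TLSv1.3'
}
```

Run check_config with the real config show output captured into a variable; for the TLSv1.3-only procedure, a live_check with -tls1_2 instead of -tls1_3 should fail once every node has been restarted.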