Guidelines for using PKCS12 Java KeyStore
Oracle NoSQL Database supports Java KeyStore in PKCS12 format. From the 22.1 release onward, NoSQL Database switched the KeyStore type of default security configuration created by makebootconfig or securityconfig utility to PKCS12.
Note:
Oracle recommends that you switch the KeyStore format of the existing security configuration to PKCS12, which is an industry-standard format.
Default Security Configuration
Starting from release 22.1, in the default security configuration, the database server KeyStore and TrustStore, typically named store.keys and store.trust respectively, are created in PKCS12 format and protected by the password specified using -kspwd.
The TrustStore used by the client application, client.trust, is created in PKCS12 format and is password-less by default, unless a password is specified using -ctspwd. If the Java used to run the configuration utilities does not support password-less PKCS12 stores, the utilities fall back to creating client.trust in JKS format. A Java version that supports password-less PKCS12 must have the security properties keystore.pkcs12.certProtectionAlgorithm and keystore.pkcs12.macAlgorithm available. The minimum Java versions required for this feature are JDK 8u301 for Java 8, JDK 11.0.12 for Java 11, and the first release of Java 17.
If client.trust was created with a password (-ctspwd), the client application must supply that password using one of the following properties:
- oracle.kv.ssl.trustStorePassword
- oracle.kv.ssl.trustStorePasswordAlias
The client application can specify the password directly in the login properties file using the oracle.kv.ssl.trustStorePassword property, or store the password in External Password Storage and specify only the alias name using the oracle.kv.ssl.trustStorePasswordAlias property.
#Security property settings for communication with KVStore servers using password
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.trustStoreType=PKCS12
oracle.kv.ssl.trustStorePassword=<client.trust password>
oracle.kv.ssl.protocols=TLSv1.3,TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
oracle.kv.transport=ssl
#Security property settings for communication with KVStore servers using password alias
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.trustStoreType=PKCS12
oracle.kv.ssl.trustStorePasswordAlias=cts
oracle.kv.ssl.protocols=TLSv1.3,TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
oracle.kv.transport=ssl
oracle.kv.auth.wallet.dir=<wallet_directory>
oracle.kv.auth.username=<user_name>
Updating KeyStore Type of an Existing Security Configuration
A security configuration created by a NoSQL Database release earlier than 22.1 has all of its Java KeyStores in JKS format. Perform the following steps to upgrade these Java KeyStores to PKCS12 format.
- Copy the existing security configuration directory from one of the NoSQL Database storage nodes.
- Run the following command to update the KeyStore to PKCS12 format:
java -jar $KVHOME/lib/kvstore.jar securityconfig config update -secdir <security dir> -kstype PKCS12 [-ctspwd <client.trust password>]
This command converts the existing KeyStore (store.keys) and TrustStore (store.trust) used by the NoSQL Database server to PKCS12 format and reuses the KeyStore password of the existing configuration. As with configuration creation, this command also creates a new password-less client.trust in PKCS12 format if no password is specified using -ctspwd. If Java doesn't support password-less PKCS12 stores, it falls back to creating client.trust in JKS format.
- Run the show security configuration command to verify that the store type is updated to PKCS12 format.
java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir security
Security parameters:
certMode=shared
internalAuth=ssl
keystore=store.keys
keystorePasswordAlias=keystore
keystoreType=PKCS12
securityEnabled=true
truststore=store.trust
truststoreType=PKCS12
walletDir=store.wallet
internal Transport parameters:
...
Keystore: security/store.keys
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
shared, Feb 11, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:98:B8:C6...
Keystore: security/store.trust
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Feb 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:98:B8:C6...
- In the configuration directory, verify that there is a backup of each Java KeyStore named with the suffix '.old'.
ls $KVROOT/security
store.wallet store.trust.old store.trust store.keys.old store.keys security.xml client.trust.old client.trust client.security
- Verify that the base login properties file, client.security, is updated with the PKCS12 format.
cat security/client.security
#Security property settings for communication with KVStore servers
#Fri Feb 11 10:59:39 PST 2022
oracle.kv.ssl.trustStore=client.trust
oracle.kv.ssl.trustStoreType=PKCS12
oracle.kv.ssl.protocols=TLSv1.2
oracle.kv.ssl.hostnameVerifier=dnmatch(CN\=NoSQL)
oracle.kv.transport=ssl
- Copy the updated security directory to each server node (Storage Node), replacing the old security configuration directory. Then check that all Replication Nodes are online and restart each Storage Node, one by one, using the following commands:
java -jar $KVHOME/lib/kvstore.jar stop -root $KVROOT
java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT &
- Start the Admin CLI, and check that all Replication Nodes (RNs) are up using the ping command:
java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT/security/client.security
Output:
Logged in admin as anonymous
kv-> ping
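Both the fallback described under Default Security Configuration (client.trust silently ending up as JKS on an older Java) and the verification step above come down to one question: which format did each store file actually end up in? The following Python script is an added example, not part of the Oracle NoSQL documentation or tooling; it answers that question offline from the file header alone, since JKS and JCEKS stores start with fixed magic numbers while a PKCS12 store is a DER PFX SEQUENCE whose optional third element (MacData) is present only when the store is password-protected. The sample stores embedded at the bottom are constructed byte strings, not real key material.

```python
import sys

# Fixed magic numbers of the legacy Java store formats.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_keystore(data):
    """Return (store_type, password_protected); the flag is None unless the store is PKCS12."""
    if data[:4] == JKS_MAGIC:
        return "JKS", None
    if data[:4] == JCEKS_MAGIC:
        return "JCEKS", None
    # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData MacData OPTIONAL }
    tag, pfx, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return "UNKNOWN", None
    tag, version, pos = _read_tlv(pfx, 0)
    if tag != 0x02 or version != b"\x03":
        return "UNKNOWN", None
    tag, _auth_safe, pos = _read_tlv(pfx, pos)
    if tag != 0x30:
        return "UNKNOWN", None
    # Anything after authSafe is the MacData; its MAC key is derived from the store password,
    # so its presence means the store is password-protected (store.keys/store.trust),
    # and its absence means a password-less store (the default client.trust).
    return "PKCS12", pos < len(pfx)

def _der(tag, body):
    """Minimal DER encoder used only to build the constructed sample stores below."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

# Constructed samples: authSafe is a placeholder id-data ContentInfo, not real certificates.
_AUTH_SAFE = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")) + _der(0xA0, _der(0x04, bytes(200))))
_MAC_DATA = _der(0x30, _der(0x30, b"") + _der(0x04, bytes(8)) + _der(0x02, b"\x01"))
PKCS12_PASSWORDLESS = _der(0x30, _der(0x02, b"\x03") + _AUTH_SAFE)
PKCS12_PROTECTED = _der(0x30, _der(0x02, b"\x03") + _AUTH_SAFE + _MAC_DATA)
JKS_SAMPLE = JKS_MAGIC + b"\x00\x00\x00\x02" + bytes(4)  # JKS version 2, zero entries

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. security/store.keys security/store.trust security/client.trust
        with open(path, "rb") as f:
            print(path, *classify_keystore(f.read()))
```

Run it against the store files in the converted security directory; after a successful update, store.keys and store.trust should report PKCS12 with the protected flag True, and client.trust should report PKCS12 False unless -ctspwd was given (a JKS result for client.trust means the Java used for the update fell back as described above).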
Updating SSL Keys and Certificates
When updating the SSL keys and certificates with a new security configuration as described in Guidelines for Updating SSL Keys and Certificates, the merge-trust command automatically converts the merged TrustStore (store.trust) used by the NoSQL Database server to PKCS12 format and protects it with the original KeyStore password of the existing security configuration. It also creates a new password-less client.trust in PKCS12 format if no password is specified using -ctspwd. If the Java used to run the merge-trust command doesn't support password-less PKCS12 stores, it falls back to creating a JKS client.trust.
The following example creates a new security configuration whose KeyStore type is JKS:
java -jar $KVHOME/lib/kvstore.jar securityconfig config \
create -root /Users/my_name/tmp/kvroot/newKey \
-kspwd 123456 -kstype JKS