Configuring security in a data store
Basics of data store security
Oracle NoSQL Database can be configured securely.
In a secure configuration, network communications between NoSQL clients, utilities, and NoSQL data store components are encrypted using SSL/TLS, and all processes must authenticate themselves to the components to which they connect. It is strongly advised that you configure Oracle NoSQL Database with security enabled.
store-security specifies whether security is in use. Specifying none indicates that security will not be in use. Specifying configure indicates that you want to configure security. When you specify configure or do not specify the store-security parameter, the makebootconfig process invokes the securityconfig utility as part of its operation. Specifying enable indicates that security will be in use. When you specify enable, you will need to either explicitly configure security by using the security configuration utility (securityconfig), or copy a previously created security configuration from another system.
Note: If you do not specify the -store-security parameter, security is configured by default. To complete a secure installation, you must use the securityconfig utility to create the security folder before starting up the Storage Node agents.
Configuring security using securityconfig tool
You can run the securityconfig tool before or after the makebootconfig process. This tool creates the security directory and also creates the security-related files. The makebootconfig utility automatically invokes the securityconfig tool in one of the following two scenarios:
- You specify store-security configure in the makebootconfig command, explicitly requesting to configure a secure data store.
- You omit the store-security parameter in the makebootconfig command. A secure data store is then configured by default.
Run the securityconfig tool as shown below:
java -Xmx64m -Xms64m \
  -jar $KVHOME/lib/kvstore.jar securityconfig \
  config create -root $KVROOT -kspwd (******)
The tool reports the files it created:
Created files
$KVROOT/security/security.xml
$KVROOT/security/store.keys
$KVROOT/security/store.trust
$KVROOT/security/client.trust
$KVROOT/security/client.security
$KVROOT/security/store.passwd (Generated in CE version)
$KVROOT/security/store.wallet/cwallet.sso (Generated in EE version)
Created
See Configuring Security with Securityconfig in the Security Guide for more details.
The security configuration is created on the first Storage Node only (-store-security configure). The security directory and all files contained in it should be copied from the first Storage Node to the other Storage Nodes to set up security. Zip all the security-related files on the first Storage Node into security.zip:
cd ;
zip -r $HOME/security.zip $KVROOT/security;
cd -
Copy security.zip from the first Storage Node to the other Storage Nodes. On each of the other Storage Nodes, unzip the security.zip file and use this security information (copied from the first Storage Node). You then use -store-security enable while configuring the remaining Storage Nodes.
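As an added pre-flight check (not part of Oracle's documentation or tooling), the following POSIX shell function verifies on a Storage Node, before its agent is started, that the copied security directory holds every file listed in the securityconfig output above and that the key store and password store are readable by their owner only. The function name and the owner-only (600/400) permission expectation are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a copied Oracle NoSQL security directory.
# Added example, not Oracle tooling. File names come from the securityconfig
# "Created files" output; the permission policy is this example's assumption.

# Files securityconfig creates in every edition. The password store is either
# store.passwd (CE) or store.wallet/cwallet.sso (EE) and is checked separately.
REQUIRED_FILES="security.xml store.keys store.trust client.trust client.security"

# check_security_dir DIR: returns 0 when DIR is complete and tightly
# permissioned; otherwise prints each problem found and returns 1.
check_security_dir() {
    dir="$1"
    rc=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    # One password store is required: the CE file or the EE wallet.
    if [ ! -f "$dir/store.passwd" ] && [ ! -f "$dir/store.wallet/cwallet.sso" ]; then
        echo "missing: $dir/store.passwd or $dir/store.wallet/cwallet.sso"
        rc=1
    fi
    # Secrets (private key store and its password store) must not be
    # readable by group or others. Assumption: the SNA runs as the owner.
    for f in store.keys store.passwd store.wallet/cwallet.sso; do
        [ -f "$dir/$f" ] || continue
        mode=$(stat -c '%a' "$dir/$f" 2>/dev/null \
            || stat -f '%Lp' "$dir/$f" 2>/dev/null || echo unknown)
        case "$mode" in
            600|400) ;;
            *) echo "too permissive ($mode): $dir/$f"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as check_security_dir "$KVROOT/security" on each Storage Node after unzipping security.zip; a non-zero exit means the node is not ready to start its agent.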
Create users and configure security with remote access
You must create users for a secure cluster.
To configure security with remote access, perform the following steps:
- Invoke the runadmin command to start the Admin command line interface (CLI) utility on the Storage Node. This command starts the kv prompt.
  java -jar $KVHOME/lib/kvstore.jar runadmin -host $KVHOST -port 5000 -security $KVROOT/security/client.security
- Create the first admin user. In this case, user root is defined.
  kv-> execute 'CREATE USER root IDENTIFIED BY "password" ADMIN'
- Grant the readwrite role to the first admin user:
  kv-> execute "GRANT readwrite TO USER root"
- Exit the Admin command line interface (CLI) utility.
  kv-> exit
- Generate a password store for the first admin user. This step creates a root.passwd file in the $KVROOT/security directory. These are the commands to create root.passwd:
  java -Xmx64m -Xms64m \
    -jar $KVHOME/lib/kvstore.jar securityconfig \
    pwdfile create -file $KVROOT/security/root.passwd
  java -Xmx64m -Xms64m \
    -jar $KVHOME/lib/kvstore.jar securityconfig \
    pwdfile secret \
    -file $KVROOT/security/root.passwd -set -alias root -secret password
- Copy the client.security file to another file named root.login. This client.security file was created by the securityconfig utility earlier. For details, see Configuring security using securityconfig tool.
  cp $KVROOT/security/client.security $KVROOT/security/root.login
- Zip all the user security files. This archive must be copied to all the Storage Nodes of the data store.
  cd $KVROOT/security; zip -r root.zip root.* client.trust ; cd -
- On every Storage Node (other than the first Storage Node in the data store), unzip the user security files into the $KVROOT/security directory.
  unzip -o $KVROOT/security/root.zip -d $KVROOT/security
- You can now access the Admin node running on a Storage Node from another Storage Node remotely as follows:
  java -Xmx64m -Xms64m \
    -jar $KVHOME/lib/kvstore.jar runadmin \
    -port 5000 -host node01 \
    -security $KVROOT/security/root.login