Guidelines for Disabling TLSv1.1 and TLSv1 Protocols
Update TLS protocol configuration to TLSv1.2 only
NoSQL Database has disabled the TLSv1 and TLSv1.1 protocols in the default security configuration; the only protocol enabled by default is TLSv1.2.
Upgrade Implication:
This change does not remove support for TLSv1.1 and TLSv1; it only disables them in the default security configuration. Upgrading to the 24.1.11 release with a security configuration created by a previous release does not cause a compatibility issue, because the existing protocol settings are kept as they are, but it is recommended to disable TLSv1.1 and TLSv1 in the existing NoSQL Database installation.
Prerequisite:
- Check whether the protocol settings in the security configuration of your NoSQL Database server have the TLSv1.2 protocol enabled. Run the securityconfig utility and verify that the protocols include TLSv1.2:
java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir $KVROOT/security
If the protocols in the security configuration do not include TLSv1.2, follow the section "Enable TLSv1.2 protocol" to enable TLSv1.2 first. Disabling TLSv1.1 and TLSv1 on a store whose only enabled protocols are those two would leave clients with no protocol they can negotiate.
- Check the client application login properties. Verify that the following NoSQL login property includes TLSv1.2.
For example:
oracle.kv.ssl.protocols="TLSv1.2,TLSv1.1,TLSv1"
If TLSv1.2 is not listed in this security property, add it and restart the client application. Clients whose protocol list does not include TLSv1.2 will be unable to connect once the server allows only TLSv1.2.
Enable TLSv1.2 protocol
- Make two copies of the existing security configuration directory. Keep one as backup, and use the other for updating the protocols.
- Update the SSL protocols in the copied security configuration directory:
java -jar $KVHOME/lib/kvstore.jar securityconfig \
    config update -secdir security \
    -param "allowProtocols=TLSv1.2,TLSv1.1,TLSv1" \
    -param "clientAllowProtocols=TLSv1.2,TLSv1.1,TLSv1"
- Verify that the protocols in the updated security configuration have TLSv1.2 enabled. Point -secdir at the copied directory you just updated, not at the live one, so that you check the configuration before it is deployed:
java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir security
Confirm that both allowProtocols and clientAllowProtocols include TLSv1.2.
- Copy the updated security directory to each Storage Node and replace the old security configuration directory. Then check that all Replication Nodes (RNs) are online and restart each Storage Node, one at a time, using the following commands. Wait until the RNs hosted by the restarted Storage Node are back online before restarting the next one, so that the store never loses more than one node at a time:
java -jar $KVHOME/lib/kvstore.jar stop -root $KVROOT
java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT &
- Start the Admin CLI and check that all Replication Nodes (RNs) are up using the ping command:
java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT/security/client.security
Output:
Logged in admin as anonymous
kv-> ping
Update TLS protocol to TLSv1.2 only
- Update the login properties of the client application first. If oracle.kv.ssl.protocols is set, change it to TLSv1.2 only (for example, oracle.kv.ssl.protocols="TLSv1.2") and restart the client. Doing this before the server change confirms that every client can already operate with TLSv1.2 alone.
- Make two copies of existing security configuration directory. Keep one as backup, and use the other one for updating the protocols.
- Update the SSL protocols in the copied security configuration directory:
java -jar $KVHOME/lib/kvstore.jar securityconfig \
    config update -secdir security \
    -param "allowProtocols=TLSv1.2" \
    -param "clientAllowProtocols=TLSv1.2"
- Verify that the protocols in the updated security configuration are limited to TLSv1.2. Point -secdir at the copied directory you just updated:
java -jar $KVHOME/lib/kvstore.jar securityconfig config show -secdir security
Confirm that both allowProtocols and clientAllowProtocols list TLSv1.2 only, with no TLSv1.1 or TLSv1 remaining.
- Copy the updated security directory to each server node (Storage Node) and replace the old security configuration directory. Then check that all Replication Nodes are online and restart each Storage Node, one at a time, using the following commands. Wait for the RNs on the restarted node to rejoin before moving to the next Storage Node:
java -jar $KVHOME/lib/kvstore.jar stop -root $KVROOT
java -jar $KVHOME/lib/kvstore.jar start -root $KVROOT &
- Start the Admin CLI and check that all Replication Nodes (RNs) are up using the ping command:
java -jar $KVHOME/lib/kvstore.jar runadmin -host localhost -port 5000 -security $KVROOT/security/client.security
Output:
Logged in admin as anonymous
kv-> ping
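The two "verify" steps above (TLSv1.2 present after the first update, TLSv1.2 alone after the second) are easy to get wrong by eye when the dump has many parameters. The following script is an added example written for this page; it is not part of Oracle NoSQL Database or its documentation. It assumes that securityconfig config show prints the security parameters as key=value lines (allowProtocols=... and clientAllowProtocols=...); the sample dumps embedded below are constructed for illustration, not captured output.

```shell
#!/bin/sh
# Added example, not Oracle NoSQL Database code or documentation.
# Assumption: "securityconfig config show" prints key=value lines such as
#   allowProtocols=TLSv1.2,TLSv1.1,TLSv1
#   clientAllowProtocols=TLSv1.2,TLSv1.1,TLSv1
# The sample dumps below are constructed, not captured from a real store.

# Print the comma-separated protocol list for parameter $1 found on stdin.
protocols_of() {
  sed -n "s/^[[:space:]]*$1=//p" | head -n 1 | tr -d '[:space:]'
}

# Succeed if protocol $1 appears in the comma-separated list $2.
has_protocol() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Read a "config show" dump on stdin and check both protocol parameters.
#   $1 = enabled : TLSv1.2 must be present (prerequisite / first rollout step)
#   $1 = only    : the list must be exactly TLSv1.2 (final hardening step)
# Prints one line per failing parameter; returns 0 only when the dump passes.
check_config() {
  mode=$1
  text=$(cat)
  rc=0
  for p in allowProtocols clientAllowProtocols; do
    list=$(printf '%s\n' "$text" | protocols_of "$p")
    if [ -z "$list" ]; then
      echo "$p: not set"; rc=1; continue
    fi
    case $mode in
      enabled)
        has_protocol TLSv1.2 "$list" || { echo "$p=$list: TLSv1.2 missing"; rc=1; } ;;
      only)
        [ "$list" = "TLSv1.2" ] || { echo "$p=$list: legacy protocols still enabled"; rc=1; } ;;
      *)
        echo "unknown mode: $mode"; return 2 ;;
    esac
  done
  return $rc
}

# Constructed sample dumps for the three states the procedure passes through.
LEGACY_ONLY='Security parameters:
allowProtocols=TLSv1.1,TLSv1
clientAllowProtocols=TLSv1.1,TLSv1'

MIXED='Security parameters:
allowProtocols=TLSv1.2,TLSv1.1,TLSv1
clientAllowProtocols=TLSv1.2,TLSv1.1,TLSv1'

TLS12_ONLY='Security parameters:
allowProtocols=TLSv1.2
clientAllowProtocols=TLSv1.2'

# Named verdicts on the samples (a legacy-only store must not be hardened
# before TLSv1.2 is enabled, or no client could connect).
legacy_has_tls12() { printf '%s\n' "$LEGACY_ONLY" | check_config enabled; }
mixed_has_tls12()  { printf '%s\n' "$MIXED"       | check_config enabled; }
mixed_is_only()    { printf '%s\n' "$MIXED"       | check_config only; }
hardened_is_only() { printf '%s\n' "$TLS12_ONLY"  | check_config only; }

# Against a real copy of the security directory, pipe the utility in instead:
#   java -jar "$KVHOME/lib/kvstore.jar" securityconfig config show \
#       -secdir security | check_config only
```

Run the "enabled" check on the existing configuration before the first update and the "only" check on the copied directory before deploying it to the Storage Nodes. After the rolling restart, an external confirmation is worthwhile: a TLS client forced to TLSv1.1 or TLSv1 (for example, openssl s_client with -tls1_1 or -tls1) should fail its handshake against the store, while -tls1_2 should succeed. Keep in mind that recent OpenSSL builds may refuse to offer TLSv1.1 or TLSv1 at their default security level, in which case the failure proves nothing about the server; use a client that actually offers the old protocol.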