Password store file

A password store file is a mechanism used to securely store sensitive information such as passwords that are required for authentication and secure communication. This mechanism is available in the Community and Enterprise Edition versions of Oracle NoSQL Database. The password store file is an unencrypted file. It is read-protected to prevent unauthorized access.

If you want to use a password store file to store your passwords, you must specify password file (pwdfile) as the password management mechanism while configuring the store security using the securityconfig utility or makebootconfig utility.

The following steps show you how this can be done.

  • Using securityconfig:
    Run the securityconfig utility to set up the basic store configuration with security. For more information on the securityconfig utility, see Configuring Security with Securityconfig.
    java -Xmx64m -Xms64m -jar $KVHOME/lib/kvstore.jar securityconfig
    Use the config create command with the -pwdmgr option to specify the password management mechanism. In this case, the mechanism is pwdfile.
    security-> config create -pwdmgr pwdfile -root $KVROOT
    Enter a password for the Java KeyStore:
  • Using makebootconfig:
    Run the makebootconfig utility with -store-security configure option. For more information on the makebootconfig utility, see Configuring Security with Makebootconfig. For example:
    java -Xmx64m -Xms64m \
    -jar $KVHOME/lib/kvstore.jar makebootconfig \
    -root $KVROOT -port 5000 \
    -host node01 -harange 5010,5020 \
    -store-security configure -pwdmgr pwdfile -capacity 3
    Enter a password for the Java KeyStore:

Enter a password for your store and then re-enter it for verification. The configuration tool generates the security related files. The file store.passwd is the password store file that contains the keystore access password. It contains secret information that should be known only to the server processes. The file should remain on the server side.

The client.security and client.trust files should be copied to the client and used when connecting to the data store.

The configuration tool lists the files it generated:
    Created files
    $KVROOT/security/store.keys
    $KVROOT/security/store.trust
    $KVROOT/security/client.trust
    $KVROOT/security/client.security
    $KVROOT/security/store.passwd
    $KVROOT/security/security.xml
    Created

You can create and manipulate password store files to store user passwords. User passwords are required to authenticate individual users or clients to the database for data access and operations based on the privileges granted to them.

The following commands show you how this can be done.

To create a new password store file, run the pwdfile create command:
pwdfile create -file <password store file>
For example:
security-> pwdfile create -file $KVROOT/security/login.pwd
Created

To manipulate secrets (passwords), which are associated with a name (alias), run the pwdfile secret command:

pwdfile secret -file <password store file> 
{-set | -delete} -alias <alias>

If the user specifies the -set option, the user is prompted for a new password for the specified alias and required to verify the new password.

If the -delete option is specified, the alias is deleted from the store.

For example, to manipulate the secret (password) associated with user John, run the pwdfile secret command as follows:
security-> pwdfile secret -file $KVROOT/security/login.pwd -set -alias John
Enter the secret value to store: <password for user John>
Re-enter the secret value for verification: <password for user John>
Secret created

In order to authenticate as a user, you must provide the user name and the password file as security properties while connecting to the data store. To do this, create a copy of the client.security file present in the security folder that was created earlier. The client.security file contains the security properties and configuration details required for clients to securely connect to the data store. In the copied file, include additional properties containing the user name and the password file.

The following steps show you how this can be done.

Make a copy of the client.security file present in the security folder. Let us call it user.login.
cp client.security user.login
Include the following additional properties in user.login file:
oracle.kv.auth.username=John
oracle.kv.auth.pwdfile.file=$KVROOT/security/login.pwd
Now, you can use user.login to securely connect to the store as user John:
java -Xmx64m -Xms64m -jar lib/kvstore.jar runadmin -port 8000 -host localhost -security kvroot/security/user.login
Logged in to Admin as John
kv->
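The following script is an added example, not part of the Oracle NoSQL documentation: it builds user.login from client.security with the two login properties described above, and checks that the password store file is read-protected (group and other bits clear), since the file itself is unencrypted. The paths, user name and sample contents are constructed values; it assumes only POSIX sh, cp, ls and cut.

```shell
#!/bin/sh
# Added example (not from the Oracle NoSQL docs). Paths and the user name
# below are constructed placeholders; adjust them to your own $KVROOT.

# make_user_login SRC DEST USER PWDFILE
# Copies client.security to DEST and appends the user name and the
# password store file path, exactly as the documented user.login needs.
make_user_login() {
    src=$1; dest=$2; user=$3; pwdfile=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    cp "$src" "$dest" || return 1
    printf 'oracle.kv.auth.username=%s\n' "$user" >> "$dest"
    printf 'oracle.kv.auth.pwdfile.file=%s\n' "$pwdfile" >> "$dest"
    chmod 600 "$dest"
}

# check_pwdfile_perms FILE
# The password store file is unencrypted, so its only protection is the
# file mode. Returns 0 when FILE exists and neither group nor others have
# any permission on it; returns 1 otherwise. Uses ls(1) columns 5-10
# (group rwx, other rwx), which is portable POSIX output.
check_pwdfile_perms() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c5-10)
    case $mode in
        ------) return 0 ;;
        *) echo "password store $f is readable by group/others ($mode)" >&2
           return 1 ;;
    esac
}

# Usage (constructed paths): run from the client copy of the security folder.
# check_pwdfile_perms "$KVROOT/security/login.pwd" &&
#   make_user_login client.security user.login John "$KVROOT/security/login.pwd"
```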