Configuring NuoDB Admin TLS Security

NuoDB Admin provides two TLS-based encrypted security features:

TLS security is enabled by default. However, for bare-metal and virtual machine deployments, you must complete the TLS configuration (or explicitly disable it) before using NuoDB.

Enabling TLS Security

You may create your own TLS authentication keys using methods approved by your IT security department. Alternatively, you may use NuoDB Command (nuocmd) to create and install TLS authentication keys. The NuoDB Command TLS key creation commands use keytool to create keys and certificates.

Note: keytool is a key and certificate management utility. For more information, see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.

Note: In physical deployments, NuoDB is not distributed with a default TLS authentication certificate. In OpenShift environment deployments, where a NuoDB Docker image is used, each NuoDB release includes a default TLS key and certificate that is unique to that release. For production environments, an alternate TLS key must be used.

Using NuoDB Command to Manage TLS Keys and Certificates

Note: The create keypair, show certificate, and import certificate commands are issued using NuoDB Command (nuocmd). For more information on NuoDB Command and other command line tools, see Command Line Tools.

Generating a Key Pair

Use the create keypair command to generate a key pair for NuoDB Admin and NuoDB Command and store them in a new or existing key store. This command invokes the keytool from the Java JDK (a requirement for running NuoDB).

Extracting the base64-encoded Key and Certificate

Use the show certificate command to extract the base64-encoded key and certificate from a key store and write them to a .pem file. The command outputs the private key and/or the entire certificate chain. A .pem file containing both the private key and the certificate chain is required for client authentication with NuoDB Command (the NUOCMD_CLIENT_KEY environment variable); a .pem file containing only the certificate chain is what NuoDB Command uses to verify the server's CA-signed certificate (the NUOCMD_SERVER_CERT environment variable).

Importing a Certificate

Use the import certificate command to import a certificate from a key store into a trust store.

Example - Creating Self-Signed TLS Certificates

1. Use the create keypair command to create a key pair that will be used to authenticate NuoDB Admin process communication requests.

Note: In this example, PKCS12 (the industry standard key store type) is used. PASSWD is an environment variable that holds the password value. Using a variable keeps the password out of your shell history, but the expanded value is still visible to other users of the host in the process list for the lifetime of each command.

nuocmd create keypair --keystore nuoadmin.p12 \
--store-password $PASSWD \
--key-password $PASSWD

2. Repeat step 1 to create a second key pair, this one used to authenticate NuoDB Command (nuocmd) requests.

nuocmd create keypair --keystore nuocmd-keystore.p12 \
--store-password $PASSWD \
--key-password $PASSWD

3. Use the show certificate command to create a plain text .pem certificate file from the NuoDB Command key store.

nuocmd show certificate --keystore nuocmd-keystore.p12 \
--store-password $PASSWD \
--key-password $PASSWD > nuocmd.pem

4. Use the import certificate command to store the NuoDB Admin and NuoDB Command certificates in the NuoDB Admin trust store.

nuocmd import certificate --keystore nuoadmin.p12 \
--store-password $PASSWD \
--truststore nuoadmin-truststore.p12 \
--truststore-password $PASSWD

nuocmd import certificate --keystore nuocmd-keystore.p12 \
--store-password $PASSWD \
--truststore nuoadmin-truststore.p12 \
--truststore-password $PASSWD

5. Copy the following TLS security files to the NuoDB config directory, as shown.

cp nuoadmin.p12 /etc/nuodb/keys
cp nuocmd-keystore.p12 /etc/nuodb/keys
cp nuocmd.pem /etc/nuodb/keys
chown -R nuodb:nuodb /etc/nuodb/keys

Note: Ensure the TLS security files are owned by the user that runs the admin process. In the example above, that user is nuodb. Because nuocmd.pem contains a private key, it should also not be readable by any other user.

6. Review settings in nuoadmin.conf to ensure TLS is enabled, that is, ensure the ssl property is set to true.

"ssl": "true",

For more information on nuoadmin.conf properties, see Configuring Admin Processes.

7. Shut down any running admin processes. For example, in a two-host cluster with admin processes named nuoadmin-1 and nuoadmin-2, run the following from the host running nuoadmin-1:

nuocmd shutdown server --server-id nuoadmin-2
service nuoadmin stop

8. Copy the TLS security files (see step 5) to the /etc/nuodb/keys directory on the host where nuoadmin-2 is installed.

9. To restart the admin processes on each host, run the following script.

service nuoadmin restart

10. Test and confirm that TLS authentication is working properly.

export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
nuocmd show domain
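Before pointing NUOCMD_CLIENT_KEY at the .pem file from step 3 and copying it to other hosts, it is worth checking that the bundle actually contains what step 10 depends on. The following script is an added example, not part of NuoDB or nuocmd. It assumes the bundle is an unencrypted PEM private key followed by one or more PEM certificates (the hypothetical function name check_tls_bundle is ours), and uses openssl, if it is installed, to confirm that the private key belongs to the first certificate in the file.

```shell
#!/bin/sh
# Pre-flight check for the .pem bundle written by `nuocmd show certificate`.
# Added example, not NuoDB tooling. Assumes an unencrypted PEM private key
# followed by PEM certificate(s); openssl is optional and only used for the
# key/certificate match test.

# check_tls_bundle FILE
# Returns 0 when FILE holds a private key block and a certificate block, is
# not readable by group or others, and (if openssl is on PATH) the private
# key's public half equals the public key in the first certificate.
# Prints the reason on failure and returns 1.
check_tls_bundle() {
  f=$1
  [ -f "$f" ] || { echo "check_tls_bundle: $f does not exist"; return 1; }

  # NUOCMD_CLIENT_KEY needs both the private key and the certificate chain.
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" \
    || { echo "check_tls_bundle: $f has no private key block"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "check_tls_bundle: $f has no certificate block"; return 1; }

  # Columns 5-10 of `ls -l` are the group and other permission bits;
  # a file holding a private key should show none of them set.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] \
    || { echo "check_tls_bundle: $f is accessible to group/others (mode $(ls -ld "$f" | cut -c1-10))"; return 1; }

  # Optional: confirm the key and the leaf certificate belong together.
  if command -v openssl >/dev/null 2>&1; then
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || keypub=""
    certpub=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null) || certpub=""
    if [ -z "$keypub" ] || [ "$keypub" != "$certpub" ]; then
      echo "check_tls_bundle: private key in $f does not match its certificate"
      return 1
    fi
  fi
  return 0
}

# Usage, before step 10:
#   check_tls_bundle /etc/nuodb/keys/nuocmd.pem \
#     && export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
```

The permission test is deliberately strict: a bundle that passes the key/certificate check but is world-readable is the more common mistake after a plain cp, and it silently hands the NuoDB Command identity to every local user.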

Disabling TLS Security

To disable NuoDB Admin TLS security, edit the nuoadmin.conf file for each admin process in the domain and set the ssl property to false.

"ssl": "false"

Note: For this change to take effect, you must restart the domain being managed by NuoDB Admin. For more information on nuoadmin.conf properties, see Configuring Admin Processes.