Generating Keystores and Truststores: Shared Admin Key

This section demonstrates how to generate a keystore and truststore for the Shared Admin Key model. It also shows how to install identical copies of the keystore and the truststore on every host that runs a NuoDB Admin process, and how to generate the PEM files used by NuoDB Command.

PASSWD is an environment variable that holds the password value.

Note: The following commands must be run as a user who has write access to /etc/nuodb/keys.

1. Generate a key pair certificate to be used for all NuoDB Admin processes.

nuocmd create keypair --keystore nuoadmin.p12 --store-password "$PASSWD" --ca

2. Import the admin certificate generated in step 1 into a truststore.

nuocmd import certificate --keystore nuoadmin.p12 --store-password "$PASSWD" \
    --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

3. Generate a certificate to be used by NuoDB Command clients.

nuocmd create keypair --keystore nuocmd.p12 --store-password "$PASSWD" --dname "CN=nuocmd"

4. Import the client certificate generated in step 3 into the truststore created in step 2.

nuocmd import certificate --keystore nuocmd.p12 --store-password "$PASSWD" \
    --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

5. Convert the client key and certificate to PEM format so that they can be used by NuoDB Command.

nuocmd show certificate --keystore nuocmd.p12 --store-password "$PASSWD" > nuocmd.pem

6. Convert the admin certificate to PEM format so that it can be used by NuoDB Command.

nuocmd show certificate --keystore nuoadmin.p12 --store-password "$PASSWD" --cert-only > nuoadmin.cert

7. On every host that runs a NuoDB Admin process, copy the required certificate files to the NuoDB config directory.

cp nuoadmin.p12 nuoadmin-truststore.p12 nuocmd.pem nuoadmin.cert /etc/nuodb/keys
chown -R nuodb:nuodb /etc/nuodb/keys

8. On every host that runs a NuoDB Admin process, update nuoadmin.conf so that TLS is enabled and the generated certificate files are specified.

...
"ssl": "true",
"keystore": "/etc/nuodb/keys/nuoadmin.p12",
"keystore-type": "PKCS12",
"keystore-password": "<PASSWD value>",
"truststore": "/etc/nuodb/keys/nuoadmin-truststore.p12",
"truststore-type": "PKCS12",
"truststore-password": "<PASSWD value>",
...

For more information on nuoadmin.conf properties, see Host Properties (default.properties).

9. On every host that runs a NuoDB Admin process, shut down and restart the NuoDB Admin process so that the configuration changes take effect.

service nuoadmin restart

10. Set the NUOCMD_CLIENT_KEY and NUOCMD_VERIFY_SERVER environment variables to allow NuoDB Command to authenticate itself and verify NuoDB Admin processes using HTTPS.

Set the variables:

export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
export NUOCMD_VERIFY_SERVER=/etc/nuodb/keys/nuoadmin.cert

Restart NuoDB Admin and verify that the client can communicate with it:

sudo service nuoadmin restart
nuocmd show domain

Get certificate data to verify that TLS is enabled:

nuocmd --show-json get certificate-info
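As an added check after step 10 (example code written here, not NuoDB's own tooling), the following Python audit reads nuoadmin.conf and confirms that TLS is on, that the keystore and truststore paths and passwords are set, and that the conf file and both stores are owned by the nuodb user and are not world-accessible, since the store password is written into nuoadmin.conf in clear text. It assumes nuoadmin.conf is plain JSON and takes the conf path and a stat_of callback from the caller, so it can run against the local host (stat_real) or against constructed data.

```python
import json
import os
import stat
from typing import Callable, List, Optional, Tuple

# Added audit helper (hypothetical, not NuoDB code): checks the nuoadmin.conf
# settings from step 8 and the ownership/permissions of the files from step 7.
FileInfo = Optional[Tuple[int, int]]          # (owner uid, permission bits) or None
WORLD_ACCESS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH

def stat_real(path: str) -> FileInfo:
    """Look up a file on the local host; None means it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_uid, stat.S_IMODE(st.st_mode))

def audit_nuoadmin_conf(conf_text: str, conf_path: str,
                        stat_of: Callable[[str], FileInfo], nuodb_uid: int) -> List[str]:
    """Return a list of findings; an empty list means the TLS setup passes."""
    findings: List[str] = []
    try:
        conf = json.loads(conf_text)
    except ValueError as err:
        return [f"{conf_path}: not valid JSON ({err})"]
    # Step 8 enables TLS with the string "true"; anything else leaves it off.
    if str(conf.get("ssl", "")).lower() != "true":
        findings.append('"ssl" is not "true": the Admin API is not using TLS')
    to_check = {"nuoadmin.conf": conf_path}
    for store in ("keystore", "truststore"):
        path = conf.get(store)
        if not path:
            findings.append(f'"{store}" is missing or empty')
            continue
        if not conf.get(f"{store}-password"):
            findings.append(f'"{store}-password" is missing or empty')
        to_check[store] = path
    # The store passwords sit in clear text in nuoadmin.conf, so that file and
    # the stores themselves must belong to nuodb (step 7) and stay private.
    for label, path in to_check.items():
        info = stat_of(path)
        if info is None:
            findings.append(f"{label}: {path} does not exist")
        elif info[0] != nuodb_uid:
            findings.append(f"{label}: {path} is not owned by the nuodb user")
        elif info[1] & WORLD_ACCESS:
            findings.append(f"{label}: {path} is world-accessible (mode {info[1]:o})")
    return findings
```

Run it on each admin host as audit_nuoadmin_conf(open(conf_path).read(), conf_path, stat_real, pwd.getpwnam("nuodb").pw_uid) and treat any returned finding as a configuration error to fix before relying on TLS.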