Managing TLS Security

TLS security is configured using the "ssl" property in the nuoadmin.conf file. Set the value to "true" to enable TLS support, or "false" to disable it. For more information on nuoadmin.conf properties, see Configuring NuoDB Admin.

The TLS security settings can be modified either by manually editing the "ssl" property in the nuoadmin.conf file or by using the NuoDB Admin service control script.

On Linux systems, the NuoDB Admin service control script is $NUODB_HOME/etc/nuoadmin, where $NUODB_HOME is the location of the NuoDB installation. Depending on the installation, $NUODB_HOME may vary. For the RPM package it is /opt/nuodb and for the TAR package it is wherever the package was extracted.

On Windows systems, the NuoDB Admin service control script is %NUODB_HOME%\etc\nuoadmin.bat, where %NUODB_HOME% is the location of the NuoDB installation. For EXE packages it defaults to C:\Program Files\NuoDB, and for ZIP packages it is wherever the package was extracted. For more information, see Environment Variables.

The interface on Windows is the same; replace $NUODB_HOME/etc/nuoadmin in the following commands with %NUODB_HOME%\etc\nuoadmin.bat.

  • For these changes to take effect, you must restart the domain being managed by NuoDB Admin.

  • If TLS security is enabled, the Admin Process (AP) cannot start until keys have been created; see Enabling TLS Encryption.

Checking the Status of TLS Support

To determine the state of TLS support, run:

$NUODB_HOME/etc/nuoadmin tls status
NuoDB Admin TLS support is ENABLED

This shows the current TLS setting in the nuoadmin.conf file; it may not match the configuration of a running NuoDB AP.
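Because the status command reports only the file setting, the following added example (not part of the NuoDB documentation or tooling) compares the "ssl" property in nuoadmin.conf with what a running listener actually negotiates. The function names, the regular expression used to read the property, and the host and port passed in by the caller are assumptions.

```python
import re
import socket
import ssl
import sys

# Constructed sample: only the "ssl" property named on this page is assumed.
SAMPLE_CONF = '{ "ssl": "true" }'

def configured_tls(conf_text):
    """Return True/False from the "ssl" property, or None if it is absent."""
    m = re.search(r'"ssl"\s*:\s*"?(true|false)"?', conf_text, re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "true"

def running_tls(host, port, timeout=3.0):
    """True if the listener speaks TLS, False if not, None if unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: the question is whether TLS is spoken, not who the peer is,
    # so verification is off. Do not reuse this context to send data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(sock) as tls:
            return tls.version() is not None
    except ssl.SSLError as exc:
        # A TLS alert (e.g. a client certificate is demanded) still proves
        # that the listener speaks TLS; anything else is a non-TLS reply.
        return "ALERT" in (getattr(exc, "reason", None) or "")
    except OSError:
        return False
    finally:
        sock.close()

def tls_drift(conf_text, host, port):
    """Compare the file setting with the behaviour of the running listener."""
    want, have = configured_tls(conf_text), running_tls(host, port)
    if want is None or have is None:
        return "UNKNOWN"
    return "OK" if want == have else "DRIFT"

if __name__ == "__main__":
    # Usage: python tls_drift.py <path to nuoadmin.conf> <host> <port>
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path, encoding="utf-8") as fh:
        print(tls_drift(fh.read(), host, port))
```

A DRIFT result after running tls enable or tls disable indicates that the domain has not yet been restarted with the new setting.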

Enabling TLS Support

To enable TLS support in the nuoadmin.conf file, run:

$NUODB_HOME/etc/nuoadmin tls enable

Disabling TLS Support

To disable TLS support in the nuoadmin.conf file, run:

$NUODB_HOME/etc/nuoadmin tls disable

Configuring TLS on a Transaction Engine (TE)

To configure TLS on a TE, perform one of the following:

  • Start the TE with the cipher-suites TLS database option to ensure that only TLS connections are possible.

    For example:

    nuocmd start process --db-name test --engine-type TE --options cipher-suites TLS --server-id XXX

  • Create a database with the default-options cipher-suites TLS database option.

    For example:

    nuocmd create database --db-name test --default-options cipher-suites TLS …

  • In a Kubernetes environment, configure cipher-suites: TLS in the database.options section of the database chart’s values YAML file.

    For example:

    ## database-wide options.
    # These are applied using the --database-options on the startup command
    # change these to values appropriate for this database
    # these options are applied to all processes in the database.
    options:
      ping-timeout: 60
      max-lost-archives: 0
      cipher-suites: TLS

    max-lost-archives is applicable only to SMs.

    To enable TLS in Kubernetes, see Security Model of NuoDB in Kubernetes.

To enable TLS for a specific driver, see the corresponding driver section.