Generating Keystores and Truststores: Shared Admin Key

This section demonstrates the generating of a keystore and truststore for the Shared Admin Key model. Also demonstrated is the installation of identical copies of the keystore and the truststore on all hosts for NuoDB Admin Processes (APs), as well as the generation of NuoDB Command PEM files.

PASSWD is an environment variable that holds the password value.

The following commands must be run as a user who has write access to /etc/nuodb/keys.

1. Generate a key pair certificate to be used for all NuoDB APs.

nuocmd create keypair --keystore nuoadmin.p12 --store-password "$PASSWD" --ca

2. Import the admin certificate generated in step 1 into a truststore.

nuocmd import certificate --keystore nuoadmin.p12 --store-password "$PASSWD" \
    --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

3. Generate a certificate to be used by NuoDB Command clients.

nuocmd create keypair --keystore nuocmd.p12 --store-password "$PASSWD" --dname "CN=nuocmd"

4. Import the client certificate generated (step 3) into the truststore created (step 2).

nuocmd import certificate --keystore nuocmd.p12 --store-password "$PASSWD" \
    --truststore nuoadmin-truststore.p12 --truststore-password "$PASSWD"

5. Convert the client key and certificate to PEM format so that it can be used by NuoDB Command.

nuocmd show certificate --keystore nuocmd.p12 --store-password "$PASSWD" > nuocmd.pem

6. Convert the admin certificate to PEM format so that it can be used by NuoDB Command.

nuocmd show certificate --keystore nuoadmin.p12 --store-password "$PASSWD" --cert-only > nuoadmin.cert

7. For every host running APs, copy the required certificate files to the NuoDB config directory.

cp nuoadmin.p12 nuoadmin-truststore.p12 nuocmd.pem nuoadmin.cert /etc/nuodb/keys
chown -R nuodb:nuodb /etc/nuodb/keys

8. For every host running APs, update nuoadmin.conf so that TLS is enabled and the generated certificates files are specified.

...
"ssl": "true",
"keystore": "/etc/nuodb/keys/nuoadmin.p12",
"keystore-type": "PKCS12",
"keystore-password": "<PASSWD value>",
"truststore": "/etc/nuodb/keys/nuoadmin-truststore.p12",
"truststore-type": "PKCS12",
"truststore-password": "<PASSWD value>",
...

For more information on nuoadmin.conf properties, see Host Properties (nuoadmin.conf).

9. For every host running APs, shut down and restart the NuoDB AP so that the configuration changes take effect.

systemctl restart nuoadmin

10. Set the NUOCMD_CLIENT_KEY and NUOCMD_VERIFY_SERVER environment variables to allow NuoDB Command to authenticate itself and verify NuoDB APs using HTTPS.

Set the variables:

export NUOCMD_CLIENT_KEY=/etc/nuodb/keys/nuocmd.pem
export NUOCMD_VERIFY_SERVER=/etc/nuodb/keys/nuoadmin.cert

Verify that the client can communicate with NuoDB Admin:

nuocmd show domain

Get certificate data to verify that TLS is enabled:

nuocmd --show-json get certificate-info