@ -706,6 +706,15 @@ CREATE TABLE turnusers_lt ( |
PRIMARY KEY (realm,name) |
); |
The field hmackey contains HEX string representation of the key. |
We do not store the user open passwords for long-term credentials, for security reasons. |
Storing only the HMAC key has its own implications - if you change the realm, |
you will have to update the HMAC keys of all users, because the realm is |
used for the HMAC key generation. |
The key must be 32 characters (HEX representation of 16 bytes) for SHA1, |
or 64 characters (HEX representation of 32 bytes) for SHA256. |
# Table for short-term credentials mechanism authorisation: |
# |
CREATE TABLE turnusers_st ( |
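Review bot: the moved explanation of hmackey should say what the stored key is worth to an attacker, because "We do not store the user open passwords ... for security reasons" reads as if the table no longer holds a secret. The HMAC key is exactly what the server uses to verify the client's MESSAGE-INTEGRITY, so possession of it is equivalent to knowing the user's password for that realm; suggest adding a sentence that the turnusers_lt table must be protected like a password store. Two wording fixes on the same lines: "contains HEX string representation" needs an article ("contains the HEX string representation"), and "user open passwords" is clearer as "users' plaintext passwords".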
@ -760,19 +769,10 @@ CREATE TABLE turn_realm_option ( |
primary key (realm,opt) |
); |
The field hmackey contains HEX string representation of the key. |
We do not store the user open passwords for long-term credentials, for security reasons. |
Storing only the HMAC key has its own implications - if you change the realm, |
you will have to update the HMAC keys of all users, because the realm is |
used for the HMAC key generation. |
The key must be 32 characters (HEX representation of 16 bytes) for SHA1, |
or 64 characters (HEX representation of 32 bytes) for SHA256. |
# oAuth key storage table. |
# |
CREATE TABLE oauth_key ( |
kid varchar(128), |
kid varchar(128), /* |
ikm_key varchar(256) default '', |
timestamp bigint default 0, |
lifetime integer default 0, |
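Review bot: the replacement line `kid varchar(128), /*` opens a C-style comment that is not closed anywhere in the visible hunk; unless a matching `*/` appears on the lines that follow, everything after it (ikm_key, timestamp, lifetime and the rest of the CREATE TABLE) is swallowed by the comment and the statement no longer parses. Either close the comment on the same line (for example `kid varchar(128), /* key id */`) or drop the `/*` entirely. The removal of the hmackey paragraph here is fine, since the first hunk re-adds it after turnusers_lt where it belongs.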
@ -784,6 +784,42 @@ CREATE TABLE oauth_key ( |
primary key (kid) |
); |
The oauth_key table fields meanings are: |
kid: the kid of the key; |
ikm_key - (optional) base64-encoded key ("input keying material"); |
The ikm_key is not needed if the as_rs_key and auth_key are defined |
explicitly in the database; |
timestamp - (optional) the timestamp (in seconds) when the key |
lifetime started; |
lifetime - (optional) the key lifetime in seconds; the default value |
is 0 - unlimited lifetime. |
hkdf_hash_func - (optional) hash function for HKDF procedure; the |
valid values are SHA-1 and SHA-256, with SHA-256 as default; |
The hkdf_hash_func is not needed if the as_rs_key and auth_key |
are defined explicitly in the database; |
as_rs_alg - oAuth token encryption algorithm; the valid values are |
"AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM", |
"AEAD-AES-256-GCM". |
The default value is "AES-256-CBC"; |
as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then |
calculated with ikm_key and hkdf_hash_func. The as_rs_key length |
is defined by as_rs_alg. |
auth_alg - (optional) oAuth token authentication algorithm; the valid values are |
"HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1". |
The default value is "HMAC-SHA-256-128". |
auth_key - (optional) base64-encoded AUTH key. If not defined, then |
calculated with ikm_key and hkdf_hash_func. The auth_key length |
is defined by auth_alg. |
You can use turnadmin program to manage the database - you can either use |
turnadmin to add/modify/delete users, or you can use turnadmin to produce |
the hmac keys and modify the database with your favorite tools. |
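Review bot: the new as_rs_alg entry lists its values as `"AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM", "AEAD-AES-256-GCM".`, with a doubled comma and the "and" in the wrong place; it should read `"AES-128-CBC", "AES-256-CBC", "AEAD-AES-128-GCM" and "AEAD-AES-256-GCM".`, and since it has a default it should carry the same "(optional)" marker the other defaulted fields have. Two more documentation points in the same block: `kid: the kid of the key;` is circular and uses a colon where every other field uses " - ", so "kid - the key identifier;" would match; and the lifetime entry should say what "0 - unlimited lifetime" implies, namely that a key which is never rotated stays usable for as long as it sits in the table, so operators are better served by setting timestamp and lifetime rather than relying on the default.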
@ -945,6 +981,11 @@ Or in the turnserver.conf file: |
mongo-userdb="mongodb://localhost:27017/turndb" |
The meanings of the MongoDB keys are the same as for the other databases, see the |
explanations for the Postgres, for example. |
See the file testmongosetup.sh for the database structure examples. |
XVII. Redis setup |
The Redis setup is well documented on their site http://redis.io. |
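Review bot: "The meanings of the MongoDB keys" is ambiguous in a section that has just been discussing HMAC keys and oAuth keys; "fields" is what is meant and avoids the clash. The cross-reference "see the explanations for the Postgres, for example" also needs the article dropped and the product name written out ("see the explanation for PostgreSQL, for example").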
@ -1013,6 +1054,8 @@ Redis TURN admin commands: |
$ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u gorst -r north.gov -p hero |
$ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic |
See the file testredisdbsetup.sh for the data structure examples. |
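Review bot: the pointer to testredisdbsetup.sh is useful, but the two turnadmin examples it sits under pass both the Redis credentials (`password=turn`) and the user's password (`-p hero`) on the command line, where they end up in shell history and are visible to other local users in process listings; since this hunk is touching the admin-commands section, it would be a good place to add a sentence saying these are test values and that production credentials belong in the configuration file rather than on the command line.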
XVIII. Performance tuning |