|
|
@@ -706,6 +706,15 @@ CREATE TABLE turnusers_lt (
|
|
|
PRIMARY KEY (realm,name)
|
|
|
);
|
|
|
|
|
|
+The field hmackey contains HEX string representation of the key.
|
|
|
+We do not store the user open passwords for long-term credentials, for security reasons.
|
|
|
+Storing only the HMAC key has its own implications - if you change the realm,
|
|
|
+you will have to update the HMAC keys of all users, because the realm is
|
|
|
+used for the HMAC key generation.
|
|
|
+
|
|
|
+The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
|
|
|
+or 64 characters (HEX representation of 32 bytes) for SHA256.
|
|
|
+
|
|
|
# Table for short-term credentials mechanism authorisation:
|
|
|
#
|
|
|
CREATE TABLE turnusers_st (
|
|
|
@@ -760,19 +769,10 @@ CREATE TABLE turn_realm_option (
|
|
|
primary key (realm,opt)
|
|
|
);
|
|
|
|
|
|
-The field hmackey contains HEX string representation of the key.
|
|
|
-We do not store the user open passwords for long-term credentials, for security reasons.
|
|
|
-Storing only the HMAC key has its own implications - if you change the realm,
|
|
|
-you will have to update the HMAC keys of all users, because the realm is
|
|
|
-used for the HMAC key generation.
|
|
|
-
|
|
|
-The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
|
|
|
-or 64 characters (HEX representation of 32 bytes) for SHA256.
|
|
|
-
|
|
|
# oAuth key storage table.
|
|
|
#
|
|
|
CREATE TABLE oauth_key (
|
|
|
- kid varchar(128),
|
|
|
+ kid varchar(128), /*
|
|
|
ikm_key varchar(256) default '',
|
|
|
timestamp bigint default 0,
|
|
|
lifetime integer default 0,
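Review bot: The new `kid varchar(128), /*` line opens a block comment that nothing in this hunk closes, so in the new text the `oauth_key` CREATE TABLE either fails to parse or has its remaining column definitions swallowed by the comment, unless a matching `*/` sits in the lines between this hunk and the next (not shown). If a column comment was intended, close it on the same line, e.g. `kid varchar(128), /* key id */`, or drop it and let the per-field descriptions added below the table carry that information; if no comment was intended, revert to `kid varchar(128),`. The CREATE TABLE statement continues past the end of this hunk.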
|
|
|
@@ -784,6 +784,42 @@ CREATE TABLE oauth_key (
|
|
|
primary key (kid)
|
|
|
);
|
|
|
|
|
|
+The oauth_key table fields meanings are:
|
|
|
+
|
|
|
+ kid: the kid of the key;
|
|
|
+
|
|
|
+ ikm_key - (optional) base64-encoded key ("input keying material");
|
|
|
+ The ikm_key is not needed if the as_rs_key and auth_key are defined
|
|
|
+ explicitly in the database;
|
|
|
+
|
|
|
+ timestamp - (optional) the timestamp (in seconds) when the key
|
|
|
+ lifetime started;
|
|
|
+
|
|
|
+ lifetime - (optional) the key lifetime in seconds; the default value
|
|
|
+ is 0 - unlimited lifetime.
|
|
|
+
|
|
|
+ hkdf_hash_func - (optional) hash function for HKDF procedure; the
|
|
|
+ valid values are SHA-1 and SHA-256, with SHA-256 as default;
|
|
|
+ The hkdf_hash_func is not needed if the as_rs_key and auth_key
|
|
|
+ are defined explicitly in the database;
|
|
|
+
|
|
|
+ as_rs_alg - oAuth token encryption algorithm; the valid values are
|
|
|
+ "AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM",
|
|
|
+ "AEAD-AES-256-GCM".
|
|
|
+ The default value is "AES-256-CBC";
|
|
|
+
|
|
|
+ as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then
|
|
|
+ calculated with ikm_key and hkdf_hash_func. The as_rs_key length
|
|
|
+ is defined by as_rs_alg.
|
|
|
+
|
|
|
+ auth_alg - (optional) oAuth token authentication algorithm; the valid values are
|
|
|
+ "HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1".
|
|
|
+ The default value is "HMAC-SHA-256-128".
|
|
|
+
|
|
|
+ auth_key - (optional) base64-encoded AUTH key. If not defined, then
|
|
|
+ calculated with ikm_key and hkdf_hash_func. The auth_key length
|
|
|
+ is defined by auth_alg.
|
|
|
+
|
|
|
You can use turnadmin program to manage the database - you can either use
|
|
|
turnadmin to add/modify/delete users, or you can use turnadmin to produce
|
|
|
the hmac keys and modify the database with your favorite tools.
|
|
|
@@ -945,6 +981,11 @@ Or in the turnserver.conf file:
|
|
|
|
|
|
mongo-userdb="mongodb://localhost:27017/turndb"
|
|
|
|
|
|
+The meanings of the MongoDB keys are the same as for the other databases, see the
|
|
|
+explanations for the Postgres, for example.
|
|
|
+
|
|
|
+See the file testmongosetup.sh for the database structure examples.
|
|
|
+
|
|
|
XVII. Redis setup
|
|
|
|
|
|
The Redis setup is well documented on their site http://redis.io.
|
|
|
@@ -1013,6 +1054,8 @@ Redis TURN admin commands:
|
|
|
|
|
|
$ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u gorst -r north.gov -p hero
|
|
|
$ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
|
|
|
+
|
|
|
+See the file testredisdbsetup.sh for the data structure examples.
|
|
|
|
|
|
XVIII. Performance tuning
|
|
|
|