Re: Certificate based database authentication

2018-07-20 Thread Christopher Schultz

Will,

On 7/10/18 9:03 AM, Will Nordmeyer wrote:
> I have an application in Tomcat 7 that connects to an Oracle
> database. Currently we are connecting using the username/password
> which is embedded in the xml files.  To harden security, we are
> looking at x509 certificate authentication.
> 
> Is there a way to tie a certificate to Tomcat and have them
> authenticate that way?

Your point is well-taken that sometimes the Tomcat users' mailing list
is a better resource than many others. If you are asking a question
you know to be off-topic, please tag it with the [OT] moniker. It
changes nothing, but at least acknowledges that you are asking
something that is not Tomcat-specific.

I don't know about Oracle Server specifically, but this is how we do
things for MySQL/MariaDB in our application's META-INF/context.xml file:

   

So the URL for connecting to the MySQL driver has parameters which
control how the authentication is set up.

Note that the password for the keystore is right there in the
configuration. There's really nothing you can do about that[1]. Make
sure that your file-based security policy is sane, and that only the
Tomcat server process can read that file.

Looking at Oracle's documentation[2], I don't see anything in
particular for how to configure a connection to use TLS *at all* let
alone mutually-authenticated connections.

There is a PDF whitepaper[3] that I found that might be helpful. Let
us know if you have any success with any of that.

Note that */I/ highly recommend* that all database connections from
Java (and other) applications utilize mutual-authentication wherever
possible, so I'm happy to hear about people implementing such security
controls. Keep up the good work.

-chris

[1] https://wiki.apache.org/tomcat/FAQ/Password
[2] https://docs.oracle.com/cd/E13222_01/wls/docs81/jdbc_drivers/oracle.html
[3] http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
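The kind of `<Resource>` Chris is describing, as an added illustration rather than his actual configuration (the XML did not survive in this archive), and written for MySQL Connector/J 5.1 rather than the Oracle driver Will is using. The JNDI name, host, database, keystore paths and passwords are placeholders; the URL parameter names are Connector/J's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (added example, not the poster's file).
     JNDI name, host, database, keystore paths and passwords are placeholders. -->
<Context>
  <!-- The Connector/J 5.1 URL parameters do the TLS work:
       useSSL/requireSSL        - refuse to fall back to a cleartext connection
       verifyServerCertificate  - check the server cert against the trust store
       trustCertificateKeyStore* - CA(s) the server cert must chain to
       clientCertificateKeyStore* - this application's client cert and key
       Inside an XML attribute every '&' between parameters must be written as
       '&amp;', otherwise Tomcat fails to parse the file. -->
  <Resource name="jdbc/AppDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/appdb?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file:/etc/tomcat7/conf/db-truststore.jks&amp;trustCertificateKeyStorePassword=TRUSTSTORE-PASSWORD-PLACEHOLDER&amp;clientCertificateKeyStoreUrl=file:/etc/tomcat7/conf/app-client.jks&amp;clientCertificateKeyStorePassword=KEYSTORE-PASSWORD-PLACEHOLDER"
            username="appuser"
            maxActive="20"
            maxIdle="5"
            maxWait="10000" />
  <!-- No password attribute: this assumes the MySQL account was created with
       REQUIRE X509 (or REQUIRE SUBJECT '...'), so the client certificate, not a
       password, is what the server authenticates. -->
</Context>
```

The keystore passwords are still in this file, which is exactly Chris's point: the file should be readable only by the account the Tomcat process runs as.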



RE: Certificate based database authentication

2018-07-11 Thread Jäkel , Guido
Dear Will,

I agree with your approach. That said, I also don't have any experience with the
concrete question, but from my Tomcat and Java experience, I would say that --
from a quick look -- the docs

https://blogs.oracle.com/dev2dev/ssl-connection-to-oracle-db-using-jdbc,-tlsv12,-jks-or-oracle-wallets

https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

should provide the information you need.

Good luck finding somebody who has already solved this challenge.

Guido

>-Original Message-
>From: Will Nordmeyer [mailto:quark...@gmail.com]
>Sent: Tuesday, July 10, 2018 7:19 PM
>To: Tomcat Users List 
>Subject: Re: Certificate based database authentication
>
>Thanks Andre - I agree it is an oracle driver based question, but
>sometimes here is faster for answers based on people's own life
>experience.



Re: Certificate based database authentication

2018-07-10 Thread Will Nordmeyer
Thanks Andre - I agree it is an oracle driver based question, but
sometimes here is faster for answers based on people's own life
experience.

On Tue, Jul 10, 2018 at 11:26 AM, André Warnier (tomcat)  
wrote:
> Hi.
>
> On 10.07.2018 15:03, Will Nordmeyer wrote:
>>
>> I have an application in Tomcat 7 that connects to an Oracle database.
>> Currently we are connecting using the username/password which is
>> embedded in the xml files.  To harden security, we are looking at x509
>> certificate authentication.
>>
>> Is there a way to tie a certificate to Tomcat and have them
>> authenticate that way?
>>
>
> As far as I know, when your application connects to a database (like you do
> above), it is using a driver specific to that database (such as Oracle in
> your case) for that, and that driver code is not a part of Tomcat.
> So I believe that your question should be directed at whoever provides (or
> supports) the database driver that you are using. Only they would know the
> answer to your question.
> This is also the sense of the following on-line documentation page:
> http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
> (and similar ones for other tomcat versions, e.g.
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
> )




Re: Certificate based database authentication

2018-07-10 Thread tomcat

Hi.

On 10.07.2018 15:03, Will Nordmeyer wrote:

I have an application in Tomcat 7 that connects to an Oracle database.
Currently we are connecting using the username/password which is
embedded in the xml files.  To harden security, we are looking at x509
certificate authentication.

Is there a way to tie a certificate to Tomcat and have them
authenticate that way?



As far as I know, when your application connects to a database (like you do above), it is
using a driver specific to that database (such as Oracle in your case) for that, and that
driver code is not a part of Tomcat.
So I believe that your question should be directed at whoever provides (or supports) the
database driver that you are using. Only they would know the answer to your question.

This is also the sense of the following on-line documentation page:
http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
(and similar ones for other tomcat versions, e.g.
http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
)


