Re: Certificate based database authentication
Will,

On 7/10/18 9:03 AM, Will Nordmeyer wrote:
> I have an application in Tomcat 7 that connects to an Oracle
> database. Currently we are connecting using the username/password
> which is embedded in the xml files. To harden security, we are
> looking at x509 certificate authentication.
>
> Is there a way to tie a certificate to Tomcat and have them
> authenticate that way?

Your point is well-taken that sometimes the Tomcat users' mailing list is a better resource than many others. If you are asking a question you know to be off-topic, please tag it with the [OT] moniker. It changes nothing, but at least acknowledges that you are asking something that is not Tomcat-specific.

I don't know about Oracle Server specifically, but this is how we do things for MySQL/MariaDB in our application's META-INF/context.xml file:

So the URL for connecting to the MySQL driver has parameters which control how the authentication is set up.

Note that the password for the keystore is right there in the configuration. There's really nothing you can do about that[1]. Make sure that your file-based security policy is sane, and that only the Tomcat server process can read that file.

Looking at Oracle's documentation[2], I don't see anything in particular for how to configure a connection to use TLS *at all*, let alone mutually-authenticated connections. There is a PDF whitepaper[3] that I found that might be helpful.

Let us know if you have any success with any of that.

Note that */I/ highly recommend* that all database connections from Java (and other) applications utilize mutual-authentication wherever possible, so I'm happy to hear about people implementing such security controls. Keep up the good work.

- -chris

[1] https://wiki.apache.org/tomcat/FAQ/Password
[2] https://docs.oracle.com/cd/E13222_01/wls/docs81/jdbc_drivers/oracle.html
[3] http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
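As an added illustration of the two approaches discussed in this thread (this is not Chris's own context.xml, nor a fragment from the Tomcat documentation), here is a Tomcat 7 style META-INF/context.xml with the password-in-XML datasource the original poster describes next to a mutually-authenticated version for MySQL Connector/J and one for the Oracle thin driver. Host names, service names, account names, keystore paths and all passwords are placeholders. The MySQL parameter names are Connector/J 5.1 names; the Oracle property names are the ones the linked thin-driver TLS whitepaper uses and should be checked against the driver version actually deployed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml (Tomcat 7 / DBCP 1.x pool attribute names).
     Added example: every host, path, user name and password below is a
     placeholder, not a value taken from the mailing-list thread. -->
<Context>

  <!-- BEFORE: the situation described by the original poster. The database
       account password sits in this file and the driver connects in clear
       text, so anyone who can read the file, or watch the wire, owns the
       account. -->
  <Resource name="jdbc/appdb-password"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/app"
            username="appuser"
            password="s3cret"
            maxActive="20" maxIdle="5" maxWait="10000"/>

  <!-- AFTER (MySQL / MariaDB, Connector/J 5.1 URL parameters): the driver
       presents the client certificate held in app-client.jks and verifies
       the server certificate against app-truststore.jks. Note the keystore
       passwords are still in this file; lock the file down to the account
       Tomcat runs as. In XML attributes the URL separator must be written
       as &amp; rather than a bare ampersand. -->
  <Resource name="jdbc/appdb-mtls"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/app?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;clientCertificateKeyStoreUrl=file:/opt/tomcat/conf/app-client.jks&amp;clientCertificateKeyStorePassword=keystore-pw&amp;trustCertificateKeyStoreUrl=file:/opt/tomcat/conf/app-truststore.jks&amp;trustCertificateKeyStorePassword=truststore-pw"
            username="appuser"
            maxActive="20" maxIdle="5" maxWait="10000"/>

  <!-- AFTER (Oracle thin driver): the thin driver takes its TLS settings as
       connection properties, which DBCP passes through via the
       connectionProperties attribute (semicolon-separated name=value pairs),
       and the listener must be contacted over TCPS. With
       oracle.net.authentication_services=(TCPS) there is no username or
       password here at all: the client certificate is the credential. -->
  <Resource name="jdbc/appdb-oracle-mtls"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db.example.internal)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=app)))"
            connectionProperties="oracle.net.authentication_services=(TCPS);oracle.net.ssl_server_dn_match=true;javax.net.ssl.keyStore=/opt/tomcat/conf/app-client.jks;javax.net.ssl.keyStoreType=JKS;javax.net.ssl.keyStorePassword=keystore-pw;javax.net.ssl.trustStore=/opt/tomcat/conf/app-truststore.jks;javax.net.ssl.trustStoreType=JKS;javax.net.ssl.trustStorePassword=truststore-pw"
            maxActive="20" maxIdle="5" maxWait="10000"/>
</Context>
```

Two things the client side cannot do on its own: the database has to be configured to accept the certificate as the credential (an Oracle account created IDENTIFIED EXTERNALLY AS the certificate's DN; a MySQL account with REQUIRE X509 or REQUIRE SUBJECT), and the keystore files plus this context.xml should be readable only by the Tomcat service account, since the keystore passwords they contain are exactly as sensitive as the database password they replace.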
RE: Certificate based database authentication
Dear Will,

I agree with your approach. That said, I also don't have any experience with the concrete question, but from my Tomcat and Java experience I would say that, from a quick look, the docs

https://blogs.oracle.com/dev2dev/ssl-connection-to-oracle-db-using-jdbc,-tlsv12,-jks-or-oracle-wallets
https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

should provide the information you need.

Good luck finding somebody who has already solved this challenge.

Guido

> -----Original Message-----
> From: Will Nordmeyer [mailto:quark...@gmail.com]
> Sent: Tuesday, July 10, 2018 7:19 PM
> To: Tomcat Users List
> Subject: Re: Certificate based database authentication
>
> Thanks Andre - I agree it is an Oracle driver based question, but
> sometimes here is faster for answers based on people's own life
> experience.
Re: Certificate based database authentication
Thanks Andre - I agree it is an Oracle driver based question, but sometimes here is faster for answers based on people's own life experience.

On Tue, Jul 10, 2018 at 11:26 AM, André Warnier (tomcat) wrote:
> Hi.
>
> On 10.07.2018 15:03, Will Nordmeyer wrote:
>>
>> I have an application in Tomcat 7 that connects to an Oracle database.
>> Currently we are connecting using the username/password which is
>> embedded in the xml files. To harden security, we are looking at x509
>> certificate authentication.
>>
>> Is there a way to tie a certificate to Tomcat and have them
>> authenticate that way?
>>
>
> As far as I know, when your application connects to a database (like you do
> above), it is for that using a driver specific to that database (such as
> Oracle in your case), and that driver code is not a part of Tomcat.
> So I believe that your question should be directed at whoever provides (or
> supports) the database driver that you are using. Only they would know the
> answer to your question.
> This is also the sense of the following on-line documentation page:
> http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
> (and similar ones for other Tomcat versions, e.g.
> http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
> )
Re: Certificate based database authentication
Hi.

On 10.07.2018 15:03, Will Nordmeyer wrote:
> I have an application in Tomcat 7 that connects to an Oracle database.
> Currently we are connecting using the username/password which is
> embedded in the xml files. To harden security, we are looking at x509
> certificate authentication.
>
> Is there a way to tie a certificate to Tomcat and have them
> authenticate that way?

As far as I know, when your application connects to a database (like you do above), it is for that using a driver specific to that database (such as Oracle in your case), and that driver code is not a part of Tomcat.
So I believe that your question should be directed at whoever provides (or supports) the database driver that you are using. Only they would know the answer to your question.
This is also the sense of the following on-line documentation page:
http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
(and similar ones for other Tomcat versions, e.g.
http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
)