Will,

On 10/23/18 10:44, Will Nordmeyer wrote:
> I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> the next year). I tried working with Oracle on this with no
> success.
>
> We have an Oracle Database connection defined within our web.xml
> (see below). We need to convert to using 2 Factor (certificate?)
> based Authentication.
>
> How do we convert from our embedded username password to 2FA

Uhh... How would you enter your second-factor into the server? During service startup? What happens if the connection times out and you have to re-authenticate? Do you want to be paged in the middle of the night to re-enter your 2FA code? How about 10 times per hour on 100 different servers?

2FA doesn't make any sense at all for services contacting other services. 2FA makes sense for humans contacting services because humans are so much worse at password management, social engineering resistance, etc.

If you have a segment of your IT team mandating 2FA for database connections (even for services), tell them that THEY have to use THEIR 2FA credentials to unlock the database for YOUR services. See how long that policy survives.

-chris