Encrypted JNDI

You can store the password for a database connection in an encrypted format. The configuration differs between application servers.

Encrypted JNDI on Tomcat
Encrypted JNDI on Jetty 9 (9.2.6)
Encrypted JNDI on JBoss 6.0.0
Encrypted JNDI on JBoss 7
Encrypted JNDI on Glassfish 3 (3.1.2.2)
Encrypted JNDI on WebSphere 8.5.5.0
Encrypted JNDI on WebLogic

Encrypted JNDI on Tomcat

You need secure-cfg-tool to encrypt the passwords. Use the version of secure-cfg-tool corresponding to the version of CloverETL Server. Usage of the tool is described in Chapter 10, Secure Configuration Properties.

Use encrypt.sh or encrypt.bat to encrypt the password. Place the encrypted password in the configuration file, and put the cloveretl-secure-jndi-resource-{version}.jar and jasypt-1.9.0.jar files on the classpath of the application server. Both .jar files are in the tomcat-secure-jndi-resource directory shipped inside secure-cfg-tool.

The tomcat-secure-jndi-resource directory contains a useful README file with further details on encrypted JNDI.

Example of an encrypted JNDI connection for PostgreSQL

Encrypt the password:

  1. ./encrypt.sh -a PBEWithSHA1AndDESede

  2. Place the configuration in ${CATALINA_HOME}/conf/context.xml. Note that PBEWithSHA1AndDESede is not the default algorithm, so it is given explicitly both to encrypt.sh (-a) and in the secureAlgorithm attribute of the resource.

    <Resource name="jdbc/clover_server"
              auth="Container"
              factory="com.cloveretl.secure.tomcatresource.SecureDataSourceFactory"
              secureAlgorithm="PBEWithSHA1AndDESede"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/clover410m1?charSet=UTF-8"
              username="conf#rPz5Foo7HPn4dFTRV5Ourg=="
              password="conf#4KlNp8/FVDR+rTWX0dEqWA=="
              maxActive="20"
              maxIdle="10"
              maxWait="-1"/>

    If you use another JCE provider (e.g. Bouncy Castle), add it to the classpath of the application server (${CATALINA_HOME}/lib). The encrypt command also needs the path to the directory containing the provider (-l) and the provider class name (-c):

    ./encrypt.sh -l ~/lib/ -c org.bouncycastle.jce.provider.BouncyCastleProvider -a PBEWITHSHA256AND256BITAES-CBC-BC

    <Resource name="jdbc/clover_server"
              auth="Container"
              factory="com.cloveretl.secure.tomcatresource.SecureDataSourceFactory"
              secureProvider="org.bouncycastle.jce.provider.BouncyCastleProvider"
              secureAlgorithm="PBEWITHSHA256AND256BITAES-CBC-BC"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/clover410m1?charSet=UTF-8"
              username="conf#Ws9IuHKo9h7hMjPllr31VxdI1A9LKIaYfGEUmLet9rA="
              password="conf#Cj1v59Z5nCBHaktn6Ubgst4Iz69JLQ/q6/32Xwr/IEE="
              maxActive="20"
              maxIdle="10"
              maxWait="-1"/>

Encrypted JNDI on Jetty 9 (9.2.6)

Note: See the Jetty documentation on Secure Password Obfuscation.

The configuration of a JNDI JDBC connection pool is stored in plain text in $JETTY_HOME/etc/jetty.xml.

<New id="MysqlDB" class="org.eclipse.jetty.plus.jndi.Resource">
	<Arg></Arg>
	<Arg>jdbc/MysqlDS</Arg>
	<Arg>
		<New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
			<Set name="URL">jdbc:mysql://localhost:3306/clover_empty</Set>
			<Set name="User">user</Set>
			<Set name="Password">password</Set>
		</New>
	</Arg>
</New>

Obfuscating the Password

The password can be obfuscated with the org.eclipse.jetty.util.security.Password class from lib/jetty-util-{VERSION}.jar:

java -cp lib/jetty-util-9.2.6.v20141205.jar org.eclipse.jetty.util.security.Password password

The command prints the password in obfuscated and hashed forms. The obfuscated one (prefixed OBF:) is used to replace the plain password value. Obfuscation is reversible, which is why the configuration can call deobfuscate on it; it only stops the password from being read at a glance and does not protect it from anyone who can read the file.

Replacing the Password

Replace the plain-text password with a Call element invoking deobfuscate. Its only argument is the OBF:-prefixed string returned by the command in the previous section.

<New id="MysqlDB" class="org.eclipse.jetty.plus.jndi.Resource">
	<Arg></Arg>
	<Arg>jdbc/MysqlDS</Arg>
	<Arg>
		<New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
			<Set name="URL">jdbc:mysql://localhost:3306/clover_empty</Set>
			<Set name="User">user</Set>
			<Set name="Password">
				<Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
					<Arg>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Arg>
				</Call>
			</Set>
		</New>
	</Arg>
</New>

Note: The password in a JMS connection can also be obfuscated.

Encrypted JNDI on JBoss 6.0.0

Note: See the JBoss documentation on Encrypting Data Source Passwords. (The documentation uses client/jboss-logging-spi.jar; in newer versions, client/jboss-logging.jar can be used instead.)

Original datasource with an unencrypted password:

<datasources>
	<local-tx-datasource>
		<jndi-name>MysqlDS</jndi-name>
		<connection-url>jdbc:mysql://127.0.0.1:3306/clover</connection-url>
		<driver-class>com.mysql.jdbc.Driver</driver-class>
		<user-name>user</user-name>
		<password>password</password>
	</local-tx-datasource>
</datasources>

  1. Encrypt the data source password:

    • Unix-like systems:

      java -cp client/jboss-logging.jar:lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password

    • Windows systems:

      java -cp client\jboss-logging.jar;lib\jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password

    The command returns an encrypted password, e.g. 5dfc52b51bd35553df8592078de921bc.

  2. Create a new application authentication policy in conf/login-config.xml within the profile directory of the server currently in use (e.g. server/default/conf/login-config.xml).

    <application-policy name="EncryptDBPassword">
    	<authentication>
    		<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
    			<module-option name="username">user</module-option>
    			<module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
    			<module-option name="managedConnectionFactoryName">jboss.jca:name=MysqlDS,service=LocalTxCM</module-option>
    		</login-module>
    	</authentication>
    </application-policy>

  3. Replace the authentication entries with a reference to the application authentication policy:

    <security-domain>EncryptDBPassword</security-domain>

    The final datasource looks like this:

    <datasources>
    	<local-tx-datasource>
    		<jndi-name>MysqlDS</jndi-name>
    		<connection-url>jdbc:mysql://127.0.0.1:3306/clover</connection-url>
    		<driver-class>com.mysql.jdbc.Driver</driver-class>
    		<security-domain>EncryptDBPassword</security-domain>
    	</local-tx-datasource> 
    </datasources>

    The same mechanism can probably also be used for JMS.

    <tx-connection-factory>
    ...
    <security-domain-and-application>RealmWithEncryptedPassword</security-domain-and-application>
    ...
    </tx-connection-factory>

Encrypted JNDI on JBoss 7

JBoss 7 - JBoss EAP 6.2.0.GA - AS 7.3.0.Final-redhat-14

The configuration steps are similar to those for JBoss 6.

All configuration takes place in a single configuration file, e.g. JBOSS_HOME/standalone/configuration/standalone.xml for the standalone profile.

Original datasource:

<datasources>
	<datasource jndi-name="java:/MysqlDS" pool-name="MySQLPool">
		<connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
		<driver>mysql</driver>
		<pool>
			<max-pool-size>30</max-pool-size>
		</pool>
		<security>
			<user-name>user</user-name>
			<password>password</password>
		</security>
	</datasource>

	<drivers>
		<driver name="mysql" module="com.cloveretl.jdbc">
			<driver-class>com.mysql.jdbc.Driver</driver-class>
		</driver>
	</drivers>
</datasources>

  1. In the JBOSS_HOME directory, run the following command:

    java -cp modules/system/layers/base/org/picketbox/main/picketbox-4.0.19.SP2-redhat-1.jar:client/jboss-logging.jar org.picketbox.datasource.security.SecureIdentityLoginModule password

    The command returns an encrypted password, e.g. 5dfc52b51bd35553df8592078de921bc.

  2. Add a new security-domain to security-domains; the password value is the result of the command from the previous step.

    <security-domain name="EncryptDBPassword" cache-type="default">
    	<authentication>
    		<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
    			<module-option name="username" value="user"/>
    			<module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/>
    			<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MysqlPool"/>
    		</login-module>
    	</authentication>
    </security-domain>

  3. Replace user-name and password with a reference to the security domain:

    <datasources>
    	<datasource jndi-name="java:/MysqlDS" pool-name="MysqlPool" enabled="true" use-java-context="true">
    		<connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
    		<driver>mysql</driver>
    		<pool>
    			<max-pool-size>30</max-pool-size>
    		</pool>
    		<security>
    			<security-domain>EncryptDBPassword</security-domain>
    		</security>
    	</datasource>

    	<drivers>
    		<driver name="mysql" module="com.cloveretl.jdbc">
    			<driver-class>com.mysql.jdbc.Driver</driver-class>
    		</driver>
    	</drivers>
    </datasources>

It is possible that the same mechanism can also be used for JMS.

Encrypted JNDI on Glassfish 3 (3.1.2.2)

The configuration of a JDBC connection pool is stored in plain text in $DOMAIN/config/domain.xml.

<jdbc-connection-pool driver-classname="com.mysql.jdbc.Driver" datasource-classname="" res-type="java.sql.Driver" description="" name="jdbc/MysqlDS">
	<property name="URL" value="jdbc:mysql://localhost:3306/clover_empty"></property>
	<property name="user" value="user"></property>
	<property name="password" value="password"></property>
</jdbc-connection-pool>

The password is unencrypted, but it can be replaced with a so-called password alias:

A password alias stores a password in an encrypted form in the domain keystore, providing a clear-text alias name to use instead of the password. In password files and the domain configuration file, use the form ${ALIAS=alias-name} to refer to the encrypted password.

Creating a Password Alias

There are two ways to create a password alias: with the create-password-alias command of the command-line administration utility, or in the web-based Server Administration Console under Password Aliases (Domain->Password Aliases).

Replacing the Password with the Password Alias

Replace the password (the attribute value) with a ${ALIAS=password_alias_name} string, where password_alias_name is the name of the alias.

<jdbc-connection-pool driver-classname="com.mysql.jdbc.Driver" datasource-classname="" res-type="java.sql.Driver" description="" name="jdbc/MysqlDS">
	<property name="URL" value="jdbc:mysql://localhost:3306/clover_empty"></property>
	<property name="user" value="user"></property>
	<property name="password" value="${ALIAS=password_alias_name}"></property>
</jdbc-connection-pool>

Note: The Glassfish Administration Console mentions a lower-case keyword (alias); if that does not work, try upper case (ALIAS).

Note: The password for a JMS connection can be replaced with an alias as well.

Encrypted JNDI on WebSphere 8.5.5.0

In WebSphere, user credentials are not saved in plain text but as J2C authentication data (see How to Create a WAS JDBC Provider, J2C Authentication Alias, and Data Source for the IBM i).

The same mechanism can also be used for JMS connection (see IBM's instructions on Configuring an external JMS provider).

Encrypted JNDI on WebLogic

The password in a JNDI datasource file is encrypted by default when the datasource is created in the administration web console (Service/Datasource).

Example of a datasource file (located in the DOMAIN/config/jdbc/ directory):

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
  <name>MysqlDS</name>
  <jdbc-driver-params>
    <url>jdbc:mysql://127.0.0.1:3306/clover</url>
    <driver-name>com.mysql.jdbc.Driver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>user</value>
      </property>
    </properties>
    <password-encrypted>{AES}zIiq6/JutK/wD4CcRPX1pOueIlKqc6uRVxAnZZcC3pI=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>jdbc/MysqlDS</jndi-name>
    <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>

The same mechanism is also used to encrypt the password of a JMS connection (see Oracle's instructions on Configuring an external JMS provider).
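Added example (not part of the CloverETL documentation or of secure-cfg-tool): a Python check that parses each configuration format shown in the sections above and reports any database password still stored in the clear, accepting only the protected forms this page describes (conf#, OBF: under deobfuscate, ${ALIAS=...}, <password-encrypted>, and a security-domain reference in place of <password>). The sample documents are constructed; the protected values in them are copied from this page.

```python
"""Audit app-server XML configuration for database passwords left in the clear. Constructed example,
not CloverETL tooling; it accepts the protected forms shown on this page and reports every other password."""
import re
import xml.etree.ElementTree as ET

PROTECTED = re.compile(r"^(conf#|OBF:|\$\{ALIAS=|\{AES\})")  # Tomcat, Jetty, Glassfish, WebLogic prefixes


def _password_value(elem, attrs):
    for key in ("password", "value"):  # Tomcat password="..", Glassfish name="password" value=".."
        if key in attrs:
            return attrs[key]
    arg = elem.find(".//Arg")  # Jetty obfuscated form: the OBF: string sits under <Call name="deobfuscate"><Arg>
    # element text covers JBoss <password>..</password> and a plain Jetty <Set name="Password">..</Set>
    return (elem.text or "").strip() or ((arg.text or "").strip() if arg is not None else "")


def find_plaintext_passwords(xml_text):
    """Return [(element tag, value)] for every password that is not stored in a protected form."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace: '{urn}password-encrypted' -> 'password-encrypted'
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        is_password = tag == "password" or "password" in attrs or attrs.get("name", "").lower() == "password"
        # module-option holds SecureIdentityLoginModule's already-encrypted output; <password-encrypted> is not <password>
        if tag == "module-option" or not is_password:
            continue
        value = _password_value(elem, attrs)
        if value and not PROTECTED.match(value):
            findings.append((tag, value))
    return findings


# Constructed samples: (plaintext variant, protected variant) per server; protected values come from this page.
SAMPLES = {
    "tomcat": ('<Context><Resource name="jdbc/clover_server" password="secret"/></Context>',
               '<Context><Resource name="jdbc/clover_server" password="conf#4KlNp8/FVDR+rTWX0dEqWA=="/></Context>'),
    "jetty": ('<Configure><Set name="Password">secret</Set></Configure>',
              '<Configure><Set name="Password"><Call class="org.eclipse.jetty.util.security.Password" '
              'name="deobfuscate"><Arg>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Arg></Call></Set></Configure>'),
    "jboss": ("<d><password>secret</password></d>",
              '<d><security-domain>EncryptDBPassword</security-domain>'
              '<module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/></d>'),
    "glassfish": ('<r><property name="password" value="secret"/></r>',
                  '<r><property name="password" value="${ALIAS=password_alias_name}"/></r>'),
    "weblogic": ('<jdbc-data-source xmlns="urn:x"><password>secret</password></jdbc-data-source>',
                 '<jdbc-data-source xmlns="urn:x"><password-encrypted>{AES}zIiq6/Ju</password-encrypted></jdbc-data-source>'),
}

if __name__ == "__main__":
    for server, (plain, protected) in SAMPLES.items():
        print(server, find_plaintext_passwords(plain), find_plaintext_passwords(protected))
```

Run it against a real context.xml, jetty.xml, standalone.xml, domain.xml or a DOMAIN/config/jdbc file by passing the file contents to find_plaintext_passwords; an empty list means every password is in one of the protected forms.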

Note: Continue with CloverETL Server Activation.