10 Replies Latest reply on Nov 23, 2004 4:50 PM by rajs1

    encrypted database connection [again]

    rajs1

      I really would appreciate a query on how to connect JBoss to an encrypted database (as posted below).

      If (at the very least) this is confirmed as not being in the realm of possibilities (for JBoss), at least I can search for alternate solutions.

      Thanks
      -raj

        • 1. Re: Failed to register driver for: oracle.jdbc.driver.Oracle
          nehring

          I get the same error trying to connect to sybase:

          org.jboss.deployment.DeploymentException: Error while fixing table name; - nested throwable: (org.jboss.util.NestedSQLException: Failed to register driver for: com.sybase.jdbc2.jdbc.SybDatasource; - nested throwable: (java.lang.ClassNotFoundException: com.sybase.jdbc2.jdbc.SybDatasource); - nested throwable: (org.jboss.resource.ResourceException: Failed to register driver for: com.sybase.jdbc2.jdbc.SybDatasource; - nested throwable: (java.lang.ClassNotFoundException: com.sybase.jdbc2.jdbc.SybDatasource)))
          at org.jboss.ejb.plugins.cmp.jdbc.SQLUtil.fixTableName(SQLUtil.java:67)
          at org.jboss.ejb.plugins.cmp.jdbc.bridge.JDBCEntityBridge.<init>(JDBCEntityBridge.java:103)
          at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.create(JDBCStoreManager.java:332)
          at org.jboss.ejb.plugins.CMPPersistenceManager.create(CMPPersistenceManager.java:155)
          at org.jboss.ejb.EntityContainer.create(EntityContainer.java:337)
          at org.jboss.ejb.Container.invoke(Container.java:789)
          at org.jboss.ejb.EntityContainer.invoke(EntityContainer.java:1055)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:491)
          at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:894)
          at $Proxy24.create(Unknown Source)
          at org.jboss.system.ServiceController.create(ServiceController.java:272)
          at java.lang.reflect.Method.invoke(Native Method)
          at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:491)
          at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
          at $Proxy22.create(Unknown Source)
          at org.jboss.ejb.EjbModule.createService(EjbModule.java:392)
          at org.jboss.system.ServiceMBeanSupport.create(ServiceMBeanSupport.java:134)
          at java.lang.reflect.Method.invoke(Native Method)
          at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:491)
          at com.sun.jdmk.comm.HtmlInvokePage.buildPage(HtmlInvokePage.java:240)
          at com.sun.jdmk.comm.HtmlRequestHandler.processGetRequest(HtmlRequestHandler.java:325)
          at com.sun.jdmk.comm.HtmlRequestHandler.processRequest(HtmlRequestHandler.java:152)
          at com.sun.jdmk.comm.HtmlRequestHandler.doRun(HtmlRequestHandler.java:79)
          at com.sun.jdmk.comm.ClientHandler.run(ClientHandler.java:84)
          at java.lang.Thread.run(Thread.java:479)


          I have put the jconn2.jar in the server/default/lib directory but I still get this error. I've even tried putting it in all the lib directories, but I still get the error.

          Any ideas?

          • 3. Re: encrypted database connection [again]
            rajs1

            Firstly, thanks for the reply.

            The problem is not encrypting the user password (life would be easy if that was the case).

            Here the database itself is encrypted on disk.

            So the {db}-ds.xml looks like:

            <connection-url>jdbc:blah b blah://localhost:<port>/<db-name>;bootPassword=<password></connection-url>
            



            Obviously the <password> is currently in clear text. I need that to be encrypted.

            The "encrypted" password scenario as mentioned in the FAQ does not seem to cater for such a scenario (or am I wrong)?


            Thanks.

            • 4. Re: encrypted database connection [again]
              starksm64

              Then that is a driver level issue that has nothing to do with jboss.

              • 5. Re: encrypted database connection [again]
                rajs1

                That may well be the case, but since that's how the driver expects the URL and it's in JBoss where the configuration is being set, it's like being stuck between a rock and a hard place.


                I wonder if this might work (and I would like your opinion).

                If I were to extend

                org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory
                


                and inside

                 public void setConnectionURL(final String connectionURL) {
                 this.connectionURL = connectionURL;
                 }
                


                were to append my boot password (hardwired I'm afraid!!), and then were to repackage jboss-local-jdbc.rar so that it contains my class and also ra.xml is modified so that,

                <managedconnectionfactory-class>org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory</managedconnectionfactory-class>
                


                now points to my class, will it work (or is there a fly in this ointment that I have missed?)

                Thanks.



                • 6. Re: encrypted database connection [again]
                  starksm64

                  Restart with a statement of exactly what the problem is. What is encrypted and what is the java code that allows one to access the database?

                  • 7. Re: encrypted database connection [again]
                    rajs1

                    Ok, here goes.

                    my {db}-ds.xml file is as follows:

                    <datasources>
                     <local-tx-datasource >
                     <jndi-name>DefaultDS</jndi-name>
                     <connection-url>jdbc:...://localhost../testdb;bootPassword=foobar</connection-url>
                     <driver-class>...</driver-class>
                     <user-name>test</user-name>
                     <password>test</password>
                     <min-pool-size>10</min-pool-size>
                     <max-pool-size>50</max-pool-size>
                     </local-tx-datasource>
                    </datasources>
                    



                    The reason the url contains a bootPassword=foobar is because the DB was created with this bootpassword so as to encrypt it on disk. It means that any jdbc connection without the bootPassword=foobar string in the URL WILL FAIL.

                    At this point I must state that this is how the db vendor asks the URL to be specified. There is no alternative on this at the moment!!!!

                    Obviously, in my {db}-ds.xml file:

                    1. I do not wish to state the boot password in clear text
                    2. I cannot see how the password encryption (as pointed by the FAQ link) scenario will help in this case where (a part of) the URL string needs to be encrypted.

                    Hence my query on if I were to extend the LocalManagedConnectionFactory class so that I take the incoming connectionURL string and append to it the bootPassword=foobar so that now it returns the correct URL.

                    The hardwired "bootPassword=foobar" will be obfuscated in some way and will be converted to string when required within this class (of mine).

                    After all this subterfuge, I hope to modify ra.xml file to point to my class, reconstruct the jboss-local-jdbc.rar (with all the additional classes and stuff) and deploy that in the server/{config}/deploy directory.

                    A pretty messy, hardwired solution, but will it work?

                    Alternatively there may be a much neater solution.


                    Much obliged, squire.

                    • 8. Re: encrypted database connection [again]
                      nehring

                      (Hope you don't mind me jumping in here.) Perhaps the quickest solution is just to make the {db}-ds.xml file read-only for the JBoss account and not accessible for anyone else. (This should be common practice for any file containing passwords, regardless of the application.) Further, JBoss should be running using its very own (locked) account.

                      The trouble I see with going to all the effort of encrypting a password in the {db}-ds.xml file and then decrypting it elsewhere, is that now you've transferred the problem to how you control that encryption key. You'll likely be needing to use symmetric encryption with a shared key - assuming you need to recover the cleartext password for the driver. So now that encryption key needs to be stored somewhere... Hardcoding the key is a bad practice for several reasons. Maybe there's a way to use PKE here....but I have to ask: does the driver send the password across the wire in cleartext to the database?

                      r,
                      Lance

                      • 9. 3730927
                        starksm64

                        The {db}-ds.xml is processed by the org.jboss.deployment.XSLSubDeployer using the xslt specified in the stylesheets/ConnectionFactoryTemplate.xsl found in the jboss-jca.jar. Modifying that to support an encrypted-connection-url would be less work and less likely to support issues due to changing implementation details in the jca implementation.

                        You could also simply write a minimal jdbc wrapper that dealt with the encryption issue and delegated to the real driver. This is certainly the path of least resistance.

                        More generically I have thought about adding support for encrypting any mbean attribute using the service described in the datasource password encryption faq but this has not been started.

                        • 10. Re: encrypted database connection [again]
                          rajs1

                          Thanks for the reply.

                          First and foremost, the app in question is stuck with the db for the mo. The db does not support roles etc and due to legacy reasons was encrypted.

                          It will be replaced by something more appropriate a.s.a.p and I hope to revert back to just password encryption at that point.


                          The {db}-ds.xml is processed by the org.jboss.deployment.XSLSubDeployer using the xslt specified in the stylesheets/ConnectionFactoryTemplate.xsl found in the jboss-jca.jar. Modifying that to support an encrypted-connection-url would be less work and less likely to support issues due to changing implementation details in the jca implementation.


                          Though I must admit that I am unsure of what the above modification would entail, I shall nevertheless soldier on and dig deeper to fathom it.


                          You could also simply write a minimal jdbc wrapper that dealt with the encryption issue and delegated to the real driver. This is certainly the path of least resistance.


                          Presumably this is an alternate solution.


                          More generically I have thought about adding support for encrypting any mbean attribute using the service described in the datasource password encryption faq but this has not been started.


                          That would be splendid, look forward to that.

                          Cheers
                          -raj
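
The "minimal jdbc wrapper" suggested in reply 9, combined with the owner-only file advice from reply 8, could look like the sketch below; it is an added example, not code from the thread or from JBoss. The class name `BootPasswordDriver`, the `jdbc:bootwrap:` prefix and the `bootwrap.secretFile` system property are hypothetical. It assumes a POSIX filesystem and that the vendor driver is already registered, so the {db}-ds.xml would carry `jdbc:bootwrap:` followed by the vendor URL without `bootPassword`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.*;
import java.util.*;
import java.util.logging.Logger;

// Added example: wrapper driver that appends the boot password at connect time.
public class BootPasswordDriver implements Driver {
    static final String PREFIX = "jdbc:bootwrap:";            // hypothetical URL scheme
    static final String SECRET_PROP = "bootwrap.secretFile";  // hypothetical system property

    static {
        try { DriverManager.registerDriver(new BootPasswordDriver()); }
        catch (SQLException e) { throw new ExceptionInInitializerError(e); }
    }

    @Override public boolean acceptsURL(String url) {
        return url != null && url.startsWith(PREFIX);
    }

    @Override public Connection connect(String url, Properties info) throws SQLException {
        if (!acceptsURL(url)) return null;  // JDBC contract: not ours, let other drivers try
        // Strip the wrapper prefix to recover the vendor URL, then add the secret.
        String realUrl = url.substring(PREFIX.length()) + ";bootPassword=" + readSecret();
        // Assumes the vendor driver is already registered with DriverManager.
        return DriverManager.getConnection(realUrl, info);
    }

    static String readSecret() throws SQLException {
        String file = System.getProperty(SECRET_PROP);
        if (file == null) throw new SQLException(SECRET_PROP + " is not set");
        try {
            Path p = Paths.get(file);
            // Refuse a secret file that group or others can touch (POSIX only).
            Set<PosixFilePermission> extra = new HashSet<>(Files.getPosixFilePermissions(p));
            extra.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            if (!extra.isEmpty()) throw new SQLException("boot password file permissions too broad");
            return new String(Files.readAllBytes(p), StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            throw new SQLException("cannot read boot password file", e);  // secret never in message
        }
    }

    @Override public DriverPropertyInfo[] getPropertyInfo(String u, Properties i) { return new DriverPropertyInfo[0]; }
    @Override public int getMajorVersion() { return 1; }
    @Override public int getMinorVersion() { return 0; }
    @Override public boolean jdbcCompliant() { return false; }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
}
```

This keeps the boot password out of {db}-ds.xml but does not encrypt it: the secret still sits in cleartext in a file, so its protection is the file's ownership and mode, which is the trade-off reply 8 describes.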