Version

    JNDI Configuration and Encryption

    JNDI DB Datasource
    JNDI Datasource Troubleshooting
    Encrypted JNDI

    JNDI DB Datasource

    CloverDX Server can connect to a database using JNDI Datasource which is configured in an application server.

    [Note]Worker JNDI Configuration

    Note that the following configuration applies to Server Core only. Graphs running in Worker cannot use JNDI as defined in the application container of the Server Core, because Worker is a separate JVM process. Worker provides its own JNDI configuration.

    Example for Apache Tomcat and PostgreSQL database:
    • JNDI Datasource Definition

      First you need to define a JNDI Datasource in an application server. The following context resource configuration may be added to the [Tomcat_home]/conf/server.xml file to the <Host> element.

      Note: Do not put the code into the <GlobalNamingResources> element, since the resource would not be visible by the CloverDX webapp.

      <Context path="/clover">
        <Resource name="jdbc/clover_server"
                  auth="Container"
                  type="javax.sql.DataSource"
                  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
                  driverClassName="org.postgresql.Driver"
                  url="jdbc:postgresql://127.0.0.1:5432/clover_db"
                  username="clover"
                  password=""
                  maxTotal="20"
                  maxIdle="10"
                  maxWaitMillis="-1"/>
      </Context>
    • JNDI Connection Configuration

      Now that the Datasource is defined, you should configure the connection.

      The following parameters may be set in the same way as other parameters (in the properties file or the Tomcat context file). You can also set the parameters in the Database tab of the Setup GUI.

      # The type of Datasource; must be set, because the default value is JDBC. #
      datasource.type=JNDI
      # JNDI location of DB Datasource; the default value is java:comp/env/jdbc/clover_server #
      datasource.jndiName=java:comp/env/jdbc/clover_server
      # Set the dialect according to DB which DataSource is connected to. #
      # The correct dialect can be found in the examples of DB configuration. #
      jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect

      Since the DB connection contains sensitive information (e.g. username, password, etc.), CloverDX provides the JNDI Encryption feature.

    [Tip]Tip

    The resource configuration may also be added to the context file [Tomcat_home]/conf/Catalina/localhost/clover.xml.

    [Important]Important

    Special characters typed in the context file have to be specified as XML entities, e.g. ampersand "&" as "&amp;", etc.

    For a detailed list of parameters which can be set up in the configuration file, see Chapter 15, List of Configuration Properties.

    JNDI Datasource Troubleshooting

    JNDI and SQL Query Metadata on Worker

    When using JNDI and SQL Query metadata, JNDI must be configured on both Server Core and Worker. Otherwise, the Cannot open DB connection from JNDI data source error will occur.

    JNDI Datasource in Oracle WebLogic

    CloverDX's default Quartz configuration does not work with default JNDI Datasource from WebLogic. Proceed with one of the following options:

    1. Configure the Quartz JDBC delegate manually before the server is started;

    2. Disable JDBC type wrapping in the WebLogic's Datasource configuration.

    Apache Tomcat's DBCP JNDI pool

    The default JNDI pool DBCP in Apache Tomcat does not handle connections efficiently. With the DBCP JNDI pool, low performance can be seen if DatabaseWriter with returning statement is used.

    Therefore, tomcat-jdbc-pool is used instead by adding the factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" attribute to the definition of the JNDI resource. See The Tomcat JDBC Connection Pool

    Encrypted JNDI

    The encryption feature allows you to protect your sensitive data defined in the Datasource definition (e.g. username, password, etc.), which are by default stored in plain text. The configuration differs between particular application servers.

    Encrypted JNDI on Tomcat
    Encrypted JNDI on JBoss 7
    Encrypted JNDI on WebSphere 8.5.5.0
    Encrypted JNDI on WebLogic

    Encrypted JNDI on Tomcat

    You need secure-cfg-tool to encrypt the passwords. Use the version of secure-cfg-tool corresponding to the version of CloverDX Server. Usage of the tool is described in Chapter 16, Secure Configuration Properties.

    Use encrypt.sh or encrypt.bat for password encryption. Place the encrypted password into a configuration file, and put cloverdx-secure-jndi-resource-{version}.jar and jasypt-1.9.0.jar files on the classpath of the application server. The .jar files can be found in the tomcat-secure-jndi-resource directory packed in secure-cfg-tool.

    The tomcat-secure-jndi-resource directory contains a useful README file with further details on encrypted JNDI.

    Example of encrypted JNDI connection for PostgreSQL

    Encrypt the password:

    1. ./encrypt.sh -a PBEWithSHA1AndDESede

    2. The configuration is placed in ${CATALINA_HOME}/conf/context.xml. Note that the encryption algorithm PBEWithSHA1AndDESede is not default.

      <Resource name="jdbc/clover_server"
                auth="Container"
                factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory"
                secureAlgorithm="PBEWithSHA1AndDESede"
                type="javax.sql.DataSource"
                driverClassName="org.postgresql.Driver"
                url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8"
                username="conf#rPz5Foo7HPn4dFTRV5Ourg=="
                password="conf#4KlNp8/FVDR+rTWX0dEqWA=="
                maxTotal="20"
                maxIdle="10"
                maxWaitMillis="-1"/>

      If you use other JCE (e.g. Bouncy Castle), it has to be added to the classpath of the application server (${CATALINA_HOME}/lib). The encrypt command requires the path to directory with JCE, too.

      ./encrypt.sh -l ~/lib/ -c org.bouncycastle.jce.provider.BouncyCastleProvider -a PBEWITHSHA256AND256BITAES-CBC-BC

      <Resource name="jdbc/clover_server"
                auth="Container"
                factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory"
                secureProvider="org.bouncycastle.jce.provider.BouncyCastleProvider"
                secureAlgorithm="PBEWITHSHA256AND256BITAES-CBC-BC"
                type="javax.sql.DataSource"
                driverClassName="org.postgresql.Driver"
                url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8"
                username="conf#Ws9IuHKo9h7hMjPllr31VxdI1A9LKIaYfGEUmLet9rA="
                password="conf#Cj1v59Z5nCBHaktn6Ubgst4Iz69JLQ/q6/32Xwr/IEE="
                maxTotal="20" maxIdle="10"
                maxWaitMillis="-1"/>

    Encrypted JNDI on JBoss 7

    JBoss 7 - JBoss EAP 6.2.0.GA - AS 7.3.0.Final-redhat-14

    Configuration steps are similar to configuring of JBoss 6.

    The configuration takes place in a single configuration file, e.g. for standalone profile JBOSS_HOME/standalone/configuration/standalone.xml.

    Original data source:

    <datasources>
        <datasource jndi-name="java:/MysqlDS" pool-name="MySQLPool">
            <connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
            <driver>mysql</driver>
            <pool>
                <max-pool-size>30</max-pool-size>
            </pool>
            <security>
                <user-name>user</user-name>
                <password>password</password>
            </security>
        </datasource>
    
        <drivers>
            <driver name="mysql" module="com.cloveretl.jdbc">
                <driver-class>com.mysql.jdbc.Driver</driver-class>
            </driver>
        </drivers>
    <datasources>
    1. In JBOSS_HOME directory run the cli command:

      java -cp modules/system/layers/base/org/picketbox/main/picketbox-4.0.19.SP2-redhat-1.jar:client/jboss-logging.jar org.picketbox.datasource.security.SecureIdentityLoginModule password

      The command will return an encrypted password, e.g. 5dfc52b51bd35553df8592078de921bc.

    2. Add a new security-domain to security-domains, the password value is a result of the command from the previous step.

      <security-domain name="EncryptDBPassword" cache-type="default">
              <authentication>
                  <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                      <module-option name="username" value="user"/>
                      <module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/>
                      <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MysqlPool"/>
                  </login-module>
              </authentication>
          </security-domain>
    3. Replace user and password with a reference to the security domain.

      <datasources>
              <datasource jndi-name="java:/MysqlDS" pool-name="MysqlPool" enabled="true" use-java-context="true">
                  <connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
                  <driver>mysql</driver>
                  <pool>
                      <max-pool-size>30</max-pool-size>
                  </pool>
                  <security>
                      <security-domain>EncryptDBPassword</security-domain>
                  </security>
              </datasource>
      
              <drivers>
                  <driver name="mysql" module="com.cloveretl.jdbc">
                      <driver-class>com.mysql.jdbc.Driver</driver-class>
                  </driver>
              </drivers>
          </datasources>

    It is possible that the same mechanism can also be used for JMS.

    Encrypted JNDI on WebSphere 8.5.5.0

    In WebSphere, user credentials aren't saved in plain text, but as J2C authentication data. (see How to Create a WAS JDBC Provider, J2C Authentication Alias, and Data Source for the IBM i).

    The same mechanism can also be used for JMS connection (see IBM's instructions on Configuring an external JMS provider).

    Encrypted JNDI on WebLogic

    Password in a JNDI datasource file is encrypted by default when created by admin's web console (Service/Datasource).

    Example of datasource file (located in the DOMAIN/config/jdbc/ directory):

    <?xml version='1.0' encoding='UTF-8'?>
    <jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source"
                      xmlns:sec="http://xmlns.oracle.com/weblogic/security"
                      xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
      <name>MysqlDS</name>
      <jdbc-driver-params>
        <url>jdbc:mysql://127.0.0.1:3306/clover</url>
        <driver-name>com.mysql.jdbc.Driver</driver-name>
        <properties>
          <property>
            <name>user</name>
            <value>user</value>
          </property>
        </properties>
        <password-encrypted>{AES}zIiq6/JutK/wD4CcRPX1pOueIlKqc6uRVxAnZZcC3pI=</password-encrypted>
      </jdbc-driver-params>
      <jdbc-connection-pool-params>
        <test-table-name>SQL SELECT 1</test-table-name>
      </jdbc-connection-pool-params>
      <jdbc-data-source-params>
        <jndi-name>jdbc/MysqlDS</jndi-name>
        <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
      </jdbc-data-source-params>
    </jdbc-data-source>

    The same mechanism is also used for encrypting password in the JMS connection (see Oracle's instructions on Configuring an external JMS provider).

    [Note]Note

    Continue with:  Activation