JNDI Configuration and Encryption
JNDI DB Datasource |
JNDI Datasource Troubleshooting |
Encrypted JNDI |
JNDI DB Datasource
CloverDX Server can connect to a database using JNDI Datasource which is configured in an application server.
Worker JNDI Configuration | |
---|---|
Note that the following configuration applies to Server Core only. Graphs running in Worker cannot use JNDI as defined in the application container of the Server Core, because Worker is a separate JVM process. Worker provides its own JNDI configuration. |
Example for Apache Tomcat and PostgreSQL database:
JNDI Datasource Definition
First you need to define a JNDI Datasource in an application server. The following context resource configuration may be added to the
[Tomcat_home]/conf/server.xml
file to the<Host>
element.Note: Do not put the code into the
<GlobalNamingResources>
element, since the resource would not be visible by the CloverDX webapp.<Context path="/clover"> <Resource name="jdbc/clover_server" auth="Container" type="javax.sql.DataSource" factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" driverClassName="org.postgresql.Driver" url="jdbc:postgresql://127.0.0.1:5432/clover_db" username="clover" password="" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/> </Context>
JNDI Connection Configuration
Now that the Datasource is defined, you should configure the connection.
The following parameters may be set in the same way as other parameters (in the properties file or the Tomcat context file). You can also set the parameters in the Database tab of the Setup GUI.
# The type of Datasource; must be set, because the default value is JDBC. # datasource.type=JNDI # JNDI location of DB Datasource; the default value is java:comp/env/jdbc/clover_server # datasource.jndiName=java:comp/env/jdbc/clover_server # Set the dialect according to DB which DataSource is connected to. # # The correct dialect can be found in the examples of DB configuration. # jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect
Since the DB connection contains sensitive information (e.g. username, password, etc.), CloverDX provides the JNDI Encryption feature.
Tip | |
---|---|
The resource configuration may also be added to the context file
|
Important | |
---|---|
Special characters typed in the context file have to be specified as XML entities, e.g. ampersand "&" as "&", etc. |
For a detailed list of parameters which can be set up in the configuration file, see Chapter 15, List of Configuration Properties.
JNDI Datasource Troubleshooting
JNDI and SQL Query Metadata on Worker
When using JNDI and SQL Query metadata,
JNDI must be configured on both Server Core and Worker.
Otherwise, the Cannot open DB connection from JNDI data source
error will occur.
JNDI Datasource in Oracle WebLogic
CloverDX's default Quartz configuration does not work with default JNDI Datasource from WebLogic. Proceed with one of the following options:
Configure the Quartz JDBC delegate manually before the server is started;
Disable JDBC type wrapping in the WebLogic's Datasource configuration.
Apache Tomcat's DBCP JNDI pool
The default JNDI pool DBCP in Apache Tomcat does not handle connections efficiently. With the DBCP JNDI pool, low performance can be seen if DatabaseWriter with returning statement is used.
Therefore, tomcat-jdbc-pool is used instead by adding
the factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
attribute to the definition of the JNDI resource.
See The Tomcat JDBC Connection Pool
Encrypted JNDI
The encryption feature allows you to protect your sensitive data defined in the Datasource definition (e.g. username, password, etc.), which are by default stored in plain text. The configuration differs between particular application servers.
Encrypted JNDI on Tomcat |
Encrypted JNDI on JBoss 7 |
Encrypted JNDI on WebSphere 8.5.5.0 |
Encrypted JNDI on WebLogic |
Encrypted JNDI on Tomcat
You need secure-cfg-tool
to encrypt the passwords.
Use the version of secure-cfg-tool
corresponding to the version of CloverDX Server.
Usage of the tool is described in Chapter 16, Secure Configuration Properties.
Use encrypt.sh
or encrypt.bat
for password encryption.
Place the encrypted password into a configuration file,
and put cloverdx-secure-jndi-resource-{version}.jar
and
jasypt-1.9.0.jar
files on the classpath of the application server.
The .jar
files can be found in the
tomcat-secure-jndi-resource
directory packed in secure-cfg-tool.
The tomcat-secure-jndi-resource
directory contains a useful
README
file with further details on encrypted JNDI.
Example of encrypted JNDI connection for PostgreSQL
Encrypt the password:
./encrypt.sh -a PBEWithSHA1AndDESede
The configuration is placed in
${CATALINA_HOME}/conf/context.xml
. Note that the encryption algorithm PBEWithSHA1AndDESede is not default.<Resource name="jdbc/clover_server" auth="Container" factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory" secureAlgorithm="PBEWithSHA1AndDESede" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver" url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8" username="conf#rPz5Foo7HPn4dFTRV5Ourg==" password="conf#4KlNp8/FVDR+rTWX0dEqWA==" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
If you use other JCE (e.g. Bouncy Castle), it has to be added to the classpath of the application server (
${CATALINA_HOME}/lib
). The encrypt command requires the path to directory with JCE, too../encrypt.sh -l ~/lib/ -c org.bouncycastle.jce.provider.BouncyCastleProvider -a PBEWITHSHA256AND256BITAES-CBC-BC
<Resource name="jdbc/clover_server" auth="Container" factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory" secureProvider="org.bouncycastle.jce.provider.BouncyCastleProvider" secureAlgorithm="PBEWITHSHA256AND256BITAES-CBC-BC" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver" url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8" username="conf#Ws9IuHKo9h7hMjPllr31VxdI1A9LKIaYfGEUmLet9rA=" password="conf#Cj1v59Z5nCBHaktn6Ubgst4Iz69JLQ/q6/32Xwr/IEE=" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
Encrypted JNDI on JBoss 7
JBoss 7 - JBoss EAP 6.2.0.GA - AS 7.3.0.Final-redhat-14
Note | |
---|---|
For details, see Using Encrypted DataSource Password in JBoss AS7. |
Configuration steps are similar to configuring of JBoss 6.
The configuration takes place in a single configuration file, e.g. for standalone
profile JBOSS_HOME/standalone/configuration/standalone.xml
.
Original data source:
<datasources> <datasource jndi-name="java:/MysqlDS" pool-name="MySQLPool"> <connection-url>jdbc:mysql://localhost:3306/clover</connection-url> <driver>mysql</driver> <pool> <max-pool-size>30</max-pool-size> </pool> <security> <user-name>user</user-name> <password>password</password> </security> </datasource> <drivers> <driver name="mysql" module="com.cloveretl.jdbc"> <driver-class>com.mysql.jdbc.Driver</driver-class> </driver> </drivers> <datasources>
In JBOSS_HOME directory run the cli command:
java -cp modules/system/layers/base/org/picketbox/main/picketbox-4.0.19.SP2-redhat-1.jar:client/jboss-logging.jar org.picketbox.datasource.security.SecureIdentityLoginModule password
The command will return an encrypted password, e.g. 5dfc52b51bd35553df8592078de921bc.
Add a new security-domain to security-domains, the password value is a result of the command from the previous step.
<security-domain name="EncryptDBPassword" cache-type="default"> <authentication> <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required"> <module-option name="username" value="user"/> <module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/> <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MysqlPool"/> </login-module> </authentication> </security-domain>
Replace user and password with a reference to the security domain.
<datasources> <datasource jndi-name="java:/MysqlDS" pool-name="MysqlPool" enabled="true" use-java-context="true"> <connection-url>jdbc:mysql://localhost:3306/clover</connection-url> <driver>mysql</driver> <pool> <max-pool-size>30</max-pool-size> </pool> <security> <security-domain>EncryptDBPassword</security-domain> </security> </datasource> <drivers> <driver name="mysql" module="com.cloveretl.jdbc"> <driver-class>com.mysql.jdbc.Driver</driver-class> </driver> </drivers> </datasources>
It is possible that the same mechanism can also be used for JMS.
Encrypted JNDI on WebSphere 8.5.5.0
In WebSphere, user credentials aren't saved in plain text, but as J2C authentication data. (see How to Create a WAS JDBC Provider, J2C Authentication Alias, and Data Source for the IBM i).
The same mechanism can also be used for JMS connection (see IBM's instructions on Configuring an external JMS provider).
Encrypted JNDI on WebLogic
Password in a JNDI datasource file is encrypted by default when created by admin's web console (Service/Datasource).
Example of datasource file (located in the DOMAIN/config/jdbc/
directory):
<?xml version='1.0' encoding='UTF-8'?> <jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd"> <name>MysqlDS</name> <jdbc-driver-params> <url>jdbc:mysql://127.0.0.1:3306/clover</url> <driver-name>com.mysql.jdbc.Driver</driver-name> <properties> <property> <name>user</name> <value>user</value> </property> </properties> <password-encrypted>{AES}zIiq6/JutK/wD4CcRPX1pOueIlKqc6uRVxAnZZcC3pI=</password-encrypted> </jdbc-driver-params> <jdbc-connection-pool-params> <test-table-name>SQL SELECT 1</test-table-name> </jdbc-connection-pool-params> <jdbc-data-source-params> <jndi-name>jdbc/MysqlDS</jndi-name> <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol> </jdbc-data-source-params> </jdbc-data-source>
The same mechanism is also used for encrypting password in the JMS connection (see Oracle's instructions on Configuring an external JMS provider).
Note | |
---|---|
Continue with: Activation |