JNDI Configuration and Encryption

JNDI DB Datasource
JNDI Datasource Troubleshooting
Encrypted JNDI

JNDI DB Datasource

CloverDX Server can connect to a database using JNDI Datasource which is configured in an application server.

Example for Apache Tomcat and PostgreSQL database:
  • JNDI Datasource Definition

    First you need to define a JNDI Datasource in an application server. The following context resource configuration may be added to the [Tomcat_home]/conf/server.xml file to the <Host> element.

    Note: Do not put the code into the <GlobalNamingResources> element, since a resource defined there is not visible to the CloverDX webapp.

    <Context path="/clover">
      <Resource name="jdbc/clover_server"
                auth="Container"
                type="javax.sql.DataSource"
                factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
                driverClassName="org.postgresql.Driver"
                url="jdbc:postgresql://127.0.0.1:5432/clover_db"
                username="clover"
                password=""
                maxTotal="20"
                maxIdle="10"
                maxWaitMillis="-1"/>
    </Context>
  • JNDI Connection Configuration

    Now that the Datasource is defined, you should configure the connection.

    The following parameters may be set in the same way as other parameters (in the properties file or the Tomcat context file). You can also set the parameters in the Database tab of the Setup GUI.

    datasource.type=JNDI                                 # type of Datasource; must be set, because the default value is JDBC #
    datasource.jndiName=jdbc/clover_server               # JNDI location of DB Datasource; the default value is java:comp/env/jdbc/clover_server #
    jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect # Set the dialect according to DB which DataSource is connected to.
                                                         # The correct dialect can be found in the examples of DB configuration. #

    Since the DB connection contains sensitive information (e.g. username, password, etc.), CloverDX provides the JNDI Encryption feature.

Tip

The resource configuration may also be added to the context file [Tomcat_home]/conf/Catalina/localhost/clover.xml.

Important

Special characters typed in the context file have to be specified as XML entities, e.g. ampersand "&" as "&amp;", etc.

For a detailed list of parameters which can be set up in the configuration file, see Chapter 15, List of Configuration Properties.
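The quickest way to confirm that the resource above is really visible to the webapp (and not, for instance, defined only under <GlobalNamingResources>) is to look it up from inside the application the same way CloverDX does and open one connection. The following class is an added example for this page, not part of CloverDX Server; it assumes it is deployed in the same webapp (for example called from a small diagnostic JSP) so that java:comp/env is the clover context.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Verifies that a JNDI DataSource is visible from the web application's own
 * naming context and that the pool can really hand out a working connection.
 * Added illustration for this page; not part of CloverDX Server.
 */
public final class JndiDatasourceCheck {

    /** Outcome of one check, meant to be logged or shown on a diagnostic page. */
    public static final class Result {
        public final boolean found;      // the name resolved to a javax.sql.DataSource
        public final boolean connected;  // a connection was obtained and validated
        public final String detail;

        Result(boolean found, boolean connected, String detail) {
            this.found = found;
            this.connected = connected;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return "found=" + found + " connected=" + connected + " (" + detail + ")";
        }
    }

    private JndiDatasourceCheck() { }

    /**
     * @param jndiName name as used in datasource.jndiName, e.g. "jdbc/clover_server";
     *                 a name without a scheme is resolved relative to java:comp/env,
     *                 which is how the default value on the page is formed
     * @param validationTimeoutSeconds timeout passed to Connection.isValid
     */
    public static Result check(String jndiName, int validationTimeoutSeconds) {
        String fullName = jndiName.contains(":") ? jndiName : "java:comp/env/" + jndiName;
        DataSource ds;
        try {
            Context ctx = new InitialContext();
            Object bound = ctx.lookup(fullName);
            if (!(bound instanceof DataSource)) {
                String cls = bound == null ? "null" : bound.getClass().getName();
                return new Result(false, false, fullName + " is bound to " + cls
                        + ", not to a javax.sql.DataSource");
            }
            ds = (DataSource) bound;
        } catch (NamingException e) {
            // Typical cause: the <Resource> sits in <GlobalNamingResources> without a
            // <ResourceLink>, or in the wrong <Context>, so java:comp/env cannot see it.
            return new Result(false, false, "lookup of " + fullName + " failed: " + e);
        }
        try (Connection conn = ds.getConnection()) {
            if (!conn.isValid(validationTimeoutSeconds)) {
                return new Result(true, false, "connection obtained but failed validation");
            }
            // Report the product only; never echo the JDBC URL, it may carry credentials.
            return new Result(true, true,
                    "connected to " + conn.getMetaData().getDatabaseProductName());
        } catch (SQLException e) {
            // The resource is visible but the pool cannot open a connection: wrong
            // credentials, unreachable database, or a driver jar missing from Tomcat's lib.
            return new Result(true, false, "getConnection failed: " + e.getMessage());
        }
    }
}
```

Calling JndiDatasourceCheck.check("jdbc/clover_server", 5) from a page inside the clover webapp separates the two failure modes that look alike in the server log: found=false means the naming configuration is wrong (the resource is in the wrong element or the name differs from datasource.jndiName), while found=true, connected=false means the resource is fine and the problem is the driver, the credentials or the database itself.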

JNDI Datasource Troubleshooting

JNDI Datasource in Oracle WebLogic

CloverDX's default Quartz configuration does not work with the default JNDI Datasource from WebLogic. Proceed with one of the following options:

  1. Configure the Quartz JDBC delegate manually before the server is started;

  2. Disable JDBC type wrapping in the WebLogic's Datasource configuration.

Apache Tomcat's DBCP JNDI pool

The default JNDI pool in Apache Tomcat, DBCP, does not handle connections efficiently. With the DBCP JNDI pool, low performance can be seen if a DBOutputTable with a RETURNING statement is used.

Therefore, tomcat-jdbc-pool is used instead, by adding the factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" attribute to the definition of the JNDI resource. See The Tomcat JDBC Connection Pool.

Encrypted JNDI

The encryption feature allows you to protect your sensitive data defined in the Datasource definition (e.g. username, password, etc.), which are by default stored in plain text. The configuration differs between particular application servers.

Encrypted JNDI on Tomcat
Encrypted JNDI on JBoss 7
Encrypted JNDI on WebSphere 8.5.5.0
Encrypted JNDI on WebLogic

Encrypted JNDI on Tomcat

You need secure-cfg-tool to encrypt the passwords. Use the version of secure-cfg-tool corresponding to the version of CloverDX Server. Usage of the tool is described in Chapter 16, Secure Configuration Properties.

Use encrypt.sh or encrypt.bat for password encryption. Place the encrypted password into a configuration file, and put cloverdx-secure-jndi-resource-{version}.jar and jasypt-1.9.0.jar files on the classpath of the application server. The .jar files can be found in the tomcat-secure-jndi-resource directory packed in secure-cfg-tool.

The tomcat-secure-jndi-resource directory contains a useful README file with further details on encrypted JNDI.

Example of encrypted JNDI connection for PostgreSQL

Encrypt the password:

  1. ./encrypt.sh -a PBEWithSHA1AndDESede

  2. The configuration is placed in ${CATALINA_HOME}/conf/context.xml. Note that the encryption algorithm PBEWithSHA1AndDESede is not the default, so it is passed to encrypt.sh and declared in the resource as secureAlgorithm.

    <Resource name="jdbc/clover_server"
              auth="Container"
              factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory"
              secureAlgorithm="PBEWithSHA1AndDESede"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8"
              username="conf#rPz5Foo7HPn4dFTRV5Ourg=="
              password="conf#4KlNp8/FVDR+rTWX0dEqWA=="
              maxTotal="20"
              maxIdle="10"
              maxWaitMillis="-1"/>

    If you use another JCE provider (e.g. Bouncy Castle), it has to be added to the classpath of the application server (${CATALINA_HOME}/lib). The encrypt command also requires the path to the directory containing the JCE provider's jar (-l), the provider class (-c) and the algorithm (-a).

    ./encrypt.sh -l ~/lib/ -c org.bouncycastle.jce.provider.BouncyCastleProvider -a PBEWITHSHA256AND256BITAES-CBC-BC

    <Resource name="jdbc/clover_server"
              auth="Container"
              factory="com.cloveretl.secure.tomcatresource.Tomcat8SecureDataSourceFactory"
              secureProvider="org.bouncycastle.jce.provider.BouncyCastleProvider"
              secureAlgorithm="PBEWITHSHA256AND256BITAES-CBC-BC"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/clover_db?charSet=UTF-8"
              username="conf#Ws9IuHKo9h7hMjPllr31VxdI1A9LKIaYfGEUmLet9rA="
              password="conf#Cj1v59Z5nCBHaktn6Ubgst4Iz69JLQ/q6/32Xwr/IEE="
              maxTotal="20" maxIdle="10"
              maxWaitMillis="-1"/>
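To make clear what the secure factory in the two resources above is doing, here is an added, simplified factory in the same pattern: it reads secureAlgorithm and secureProvider from the resource, decrypts every attribute whose value starts with conf# using Jasypt PBE, and hands the plain-text reference to Tomcat's ordinary jdbc-pool factory, so the context file on disk never contains the clear credentials. This is example code written for this page, not CloverDX's Tomcat8SecureDataSourceFactory; it assumes the master password is supplied through an environment variable named CLOVER_SECURE_MASTER_PASSWORD (how the real tool obtains it is described in Chapter 16) and uses Jasypt's own default algorithm, PBEWithMD5AndDES, when secureAlgorithm is absent.

```java
import java.security.Provider;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.tomcat.jdbc.pool.DataSourceFactory;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

/**
 * Illustrative Tomcat resource factory: attribute values prefixed with "conf#"
 * are decrypted with Jasypt PBE in memory and the plain values are passed on to
 * Tomcat's regular jdbc-pool factory. Added example of the pattern, not
 * CloverDX's Tomcat8SecureDataSourceFactory.
 */
public class ExampleSecureDataSourceFactory extends DataSourceFactory {

    /** Marker used on the page for encrypted values. */
    public static final String PREFIX = "conf#";
    /** Assumption for this example: the master password arrives via this environment variable. */
    public static final String MASTER_PASSWORD_ENV = "CLOVER_SECURE_MASTER_PASSWORD";
    /** Jasypt's own default PBE algorithm, used when secureAlgorithm is absent. */
    public static final String DEFAULT_ALGORITHM = "PBEWithMD5AndDES";

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) {
            return null;  // same contract as the parent factory
        }
        Reference ref = (Reference) obj;
        String algorithm = attribute(ref, "secureAlgorithm");
        String providerClass = attribute(ref, "secureProvider");
        StandardPBEStringEncryptor encryptor = newEncryptor(
                algorithm == null ? DEFAULT_ALGORITHM : algorithm, providerClass, masterPassword());

        // Rebuild the reference with encrypted attributes replaced by their plain text.
        // Only the ciphertext is on disk; the decrypted values exist in the pool's memory.
        Reference plain = new Reference(ref.getClassName(),
                DataSourceFactory.class.getName(), null);
        for (int i = 0; i < ref.size(); i++) {
            RefAddr addr = ref.get(i);
            String type = addr.getType();
            if ("secureAlgorithm".equals(type) || "secureProvider".equals(type)) {
                continue;  // consumed here, not a pool property
            }
            Object content = addr.getContent();
            String value = content == null ? null : content.toString();
            if (value != null && value.startsWith(PREFIX)) {
                value = encryptor.decrypt(value.substring(PREFIX.length()));
            }
            plain.add(new StringRefAddr(type, value));
        }
        return super.getObjectInstance(plain, name, nameCtx, environment);
    }

    /** Produces a value in the shape written into context.xml ("conf#" + Base64 ciphertext). */
    public static String encryptForContextFile(String plaintext, String algorithm,
                                               String providerClass, String masterPassword)
            throws ReflectiveOperationException {
        return PREFIX + newEncryptor(algorithm, providerClass, masterPassword).encrypt(plaintext);
    }

    static StandardPBEStringEncryptor newEncryptor(String algorithm, String providerClass,
                                                    String masterPassword)
            throws ReflectiveOperationException {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(algorithm);       // e.g. PBEWithSHA1AndDESede from the page
        enc.setPassword(masterPassword);
        if (providerClass != null) {
            // e.g. org.bouncycastle.jce.provider.BouncyCastleProvider; the provider jar
            // must be on Tomcat's classpath (${CATALINA_HOME}/lib) as the page says.
            Provider provider = (Provider) Class.forName(providerClass)
                    .getDeclaredConstructor().newInstance();
            enc.setProvider(provider);
        }
        return enc;
    }

    private static String attribute(Reference ref, String type) {
        RefAddr addr = ref.get(type);
        return addr == null ? null : (String) addr.getContent();
    }

    private static String masterPassword() {
        String pw = System.getenv(MASTER_PASSWORD_ENV);
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException(MASTER_PASSWORD_ENV
                    + " is not set; cannot decrypt conf# values");
        }
        return pw;
    }
}
```

Two points worth noticing in this design: the decrypted username and password never touch the Reference that Tomcat keeps in JNDI, only the short-lived copy passed to the parent factory, and the master password is the real secret, so protecting its source (environment of the Tomcat process, file permissions) matters as much as encrypting the context file. A provider class that is not on ${CATALINA_HOME}/lib fails at first lookup with a ClassNotFoundException, which is the symptom to look for when the Bouncy Castle variant does not start.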

Encrypted JNDI on JBoss 7

JBoss 7 - JBoss EAP 6.2.0.GA - AS 7.3.0.Final-redhat-14

The configuration steps are similar to the configuration of JBoss 6.

The configuration takes place in a single configuration file, e.g. for the standalone profile, JBOSS_HOME/standalone/configuration/standalone.xml.

Original data source:

<datasources>
    <datasource jndi-name="java:/MysqlDS" pool-name="MysqlPool">
        <connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
        <driver>mysql</driver>
        <pool>
            <max-pool-size>30</max-pool-size>
        </pool>
        <security>
            <user-name>user</user-name>
            <password>password</password>
        </security>
    </datasource>

    <drivers>
        <driver name="mysql" module="com.cloveretl.jdbc">
            <driver-class>com.mysql.jdbc.Driver</driver-class>
        </driver>
    </drivers>
</datasources>
  1. In JBOSS_HOME directory run the cli command:

    java -cp modules/system/layers/base/org/picketbox/main/picketbox-4.0.19.SP2-redhat-1.jar:client/jboss-logging.jar org.picketbox.datasource.security.SecureIdentityLoginModule password

    The command will return an encrypted password, e.g. 5dfc52b51bd35553df8592078de921bc.

  2. Add a new security-domain to security-domains; the password value is the result of the command from the previous step.

    <security-domain name="EncryptDBPassword" cache-type="default">
        <authentication>
            <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username" value="user"/>
                <module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/>
                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MysqlPool"/>
            </login-module>
        </authentication>
    </security-domain>
  3. Replace user and password with a reference to the security domain.

    <datasources>
        <datasource jndi-name="java:/MysqlDS" pool-name="MysqlPool" enabled="true" use-java-context="true">
            <connection-url>jdbc:mysql://localhost:3306/clover</connection-url>
            <driver>mysql</driver>
            <pool>
                <max-pool-size>30</max-pool-size>
            </pool>
            <security>
                <security-domain>EncryptDBPassword</security-domain>
            </security>
        </datasource>

        <drivers>
            <driver name="mysql" module="com.cloveretl.jdbc">
                <driver-class>com.mysql.jdbc.Driver</driver-class>
            </driver>
        </drivers>
    </datasources>

It is possible that the same mechanism can also be used for JMS.

Encrypted JNDI on WebSphere 8.5.5.0

In WebSphere, user credentials are not saved in plain text but as J2C authentication data (see How to Create a WAS JDBC Provider, J2C Authentication Alias, and Data Source for the IBM i).

The same mechanism can also be used for JMS connection (see IBM's instructions on Configuring an external JMS provider).

Encrypted JNDI on WebLogic

The password in a JNDI datasource file is encrypted by default when the datasource is created in the admin's web console (Service/Datasource).

Example of datasource file (located in the DOMAIN/config/jdbc/ directory):

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
  <name>MysqlDS</name>
  <jdbc-driver-params>
    <url>jdbc:mysql://127.0.0.1:3306/clover</url>
    <driver-name>com.mysql.jdbc.Driver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>user</value>
      </property>
    </properties>
    <password-encrypted>{AES}zIiq6/JutK/wD4CcRPX1pOueIlKqc6uRVxAnZZcC3pI=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>jdbc/MysqlDS</jndi-name>
    <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>

The same mechanism is also used for encrypting the password in the JMS connection (see Oracle's instructions on Configuring an external JMS provider).

Note

Continue with:  Activation