DERBY-65: Network Server user ID and password encryption requires IBMJCE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Network Server
    • Labels: None

      Description

      If you set securityMechanism=9 as a JCC (DB2 Universal Driver) property when connecting to Derby, a java.lang.ClassNotFoundException is returned in an error because the code in the org.apache.derby.impl.drda.EncryptionManager constructor does the following:

      try {
          if (java.security.Security.getProvider ("IBMJCE") == null)
              // IBMJCE is not installed, install it.
              java.security.Security.addProvider ((java.security.Provider)
                  Class.forName("IBMJCE").newInstance());
          <SNIP>
      } catch (java.lang.ClassNotFoundException e) {
          throw new SQLException ("java.lang.ClassNotFoundException is caught"
              + " when initializing EncryptionManager '" + e.getMessage() + "'");
      }

      Some improvements could also be made to related documentation:

      http://incubator.apache.org/derby/manuals/admin/hubprnt16.html should probably be improved to describe the valid values for all properties (e.g. securityMechanism ) or have links (or a comment) to other manuals that have further information on the properties.

      ==================================

      Here is how to reproduce the problem using the ij tool:

      D:\Derby_snapshots\svnversion_46005>java -cp .;.\lib\derby.jar;.\lib\derbynet.jar;.\lib\derbytools.jar;..\db2jcc\lib\db2jcc.jar;..\db2jcc\lib\db2jcc_license_c.jar -Dij.driver=com.ibm.db2.jcc.DB2Driver -Dij.user=wkpoint -Dij.password=wppass -Dij.protocol=jdbc:derby:net://localhost:1527/ org.apache.derby.tools.ij
      ij version 10.0 (C) Copyright IBM Corp. 1997, 2004.
      ij> connect 'testDB3;create=true:retrieveMessagesFromServerOnGetMessage=true;securityMechanism=9;';
      ERROR (no SQLState): java.lang.ClassNotFoundException is caught when initializing EncryptionManager 'IBMJCE'
      ij>

      ------------------ Java Information ------------------
      Java Version: 1.4.2_05
      Java Vendor: Sun Microsystems Inc.
      Java home: C:\Program Files\Java\j2re1.4.2_05
      Java classpath: .;.\lib\derby.jar;.\lib\derbynet.jar;.\lib\derbytools.jar;..\db2jcc\lib\db2jcc.jar;..\db2jcc\lib\db2jcc_license_c.jar
      OS name: Windows XP
      OS architecture: x86
      OS version: 5.1
      Java user name: sissonj
      Java user home: C:\Documents and Settings\john
      Java user dir: D:\Derby_snapshots\svnversion_46005
      --------- Derby Information --------
      [D:\Derby_snapshots\svnversion_46005\lib\derby.jar] 10.0.2.0 - (46005)
      [D:\Derby_snapshots\svnversion_46005\lib\derbynet.jar] 10.0.2.0 - (46005)
      [D:\Derby_snapshots\svnversion_46005\lib\derbytools.jar] 10.0.2.0 - (46005)
      [D:\Derby_snapshots\db2jcc\lib\db2jcc.jar] 2.4 - (17)
      [D:\Derby_snapshots\db2jcc\lib\db2jcc_license_c.jar] 2.4 - (17)
      ------------------------------------------------------
      ----------------- Locale Information -----------------
      ------------------------------------------------------

          Activity

          John Sisson added a comment -

          The class org.apache.derby.impl.drda.EncryptionManager in the description of this issue should be org.apache.derby.impl.drda.DecryptionManager

          http://svn.apache.org/repos/asf/incubator/derby/code/trunk/java/drda/org/apache/derby/impl/drda/DecryptionManager.java

          Kathey Marsden added a comment -

          This issue is related to the protocol specification available at http://www.opengroup.org/dbiop/. I sent a question to the support publications group and asked about it. Below are the question and response I got.

          QUESTION

          The specification has a hardcoded 32-byte prime and base (256 bits) in the protocol spec. This is not supported by Sun JCE, but is supported in ibm141 and some latest versions of ibm142. SunJCE requires at least 512 bits (64 bytes); presumably 32-byte is considered not secure.

          Are there plans to enhance the specification to support this?

          RESPONSE

          For secure connections, SSL connections should be used. The encryption support was defined to allow a high performance encryption technique but with an understanding it is less secure than industry standards. There are no plans to change it.
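
The description's hard-coded Class.forName("IBMJCE") and the 256-bit modulus discussed above both come down to one question: does any installed JCE provider accept a DH modulus that small? The following probe is an added example, not Derby or JCC code; DhProviderProbe and providersAccepting are hypothetical names, and the 256-bit prime is a constructed stand-in for the spec's fixed value (only its size matters for the check).

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.spec.DHParameterSpec;

/** Finds which installed providers accept DRDA-sized DH parameters, rather than hard-coding "IBMJCE". */
public class DhProviderProbe {

    /** Returns the names of providers whose DH KeyPairGenerator accepts the given parameters. */
    static List<String> providersAccepting(DHParameterSpec spec) {
        List<String> accepting = new ArrayList<>();
        // The filter lists only providers that register a DH key pair generator.
        Provider[] candidates = Security.getProviders("KeyPairGenerator.DH");
        if (candidates == null) {
            return accepting;
        }
        for (Provider p : candidates) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", p);
                // SunJCE rejects a modulus under 512 bits at this call.
                kpg.initialize(spec, new SecureRandom());
                kpg.generateKeyPair();
                accepting.add(p.getName());
            } catch (InvalidAlgorithmParameterException | InvalidParameterException e) {
                // Provider is present but refuses a modulus of this size.
            } catch (GeneralSecurityException e) {
                // Unexpected after the filter; do not let one provider abort the probe.
            }
        }
        return accepting;
    }

    public static void main(String[] args) {
        // Constructed stand-in: a 256-bit probable prime with base 2 reproduces only the size
        // of the spec's hard-coded 32-byte prime and base, not its value.
        BigInteger p = BigInteger.probablePrime(256, new SecureRandom());
        DHParameterSpec drdaSized = new DHParameterSpec(p, BigInteger.valueOf(2));
        List<String> ok = providersAccepting(drdaSized);
        if (ok.isEmpty()) {
            System.out.println("No installed provider accepts a 256-bit DH modulus;"
                + " securityMechanism=9 cannot work on this JVM. Use SSL or USRSSBPWD instead.");
        } else {
            System.out.println("Providers accepting a 256-bit DH modulus: " + ok);
        }
    }
}
```

On a Sun JVM of the kind shown in the report this prints the empty-result message; an IBM JVM with IBMJCE installed is expected to list that provider, which is exactly the split the comments above describe.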

          Kathey Marsden added a comment -

          A related thread: http://mail-archives.apache.org/mod_mbox/db-derby-dev/200506.mbox/%3c20050616191041.GA5239@barbar.sun.com%3e

          Kathey Marsden added a comment -

          Support for the DRDA Strong User ID and Password Substitute Authentication (USRSSBPWD) scheme was added in DERBY-528 for use with non-IBM JVMs.


            People

            • Assignee: Unassigned
            • Reporter: John Sisson