
Support encrypted connection to the database for fail over configuration

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: karaf-core
    • Labels: None
    • Attachments: KARAF-2045.patch (17 kB, Christian Müller)

      Activity

      muellerc Christian Müller added a comment -

      With this patch, we are able to encrypt our database connection to Oracle, which is a PCI DSS (Payment Card Industries Data Security Standards) requirement.
      Note: Oracle doesn't support adding additional connection properties to its JDBC connection URL (as Derby, ... does).

      A sample configuration could look like this:

      karaf.lock.jdbc.connection.properties=oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=(AES256, AES192, AES128,3DES168, RC4_256, RC4_128)
      muellerc Christian Müller added a comment -

      Patch for current trunk

      muellerc Christian Müller added a comment -

      Hey JB,

      this is something we need to (for PCI) if it's not available for all passwords at present (JMX password, ...).

      But this JIRA addresses another issue we have.
      We use the Karaf Master/Slave failover mechanism. We use the JDBC lock mechanism (with Oracle). By default, Oracle (and I think the others too) doesn't use an encrypted connection. This means the user/password is sent in plain text from Karaf to the database. This is considered insecure by our auditors.
      A simple solution (at least for Oracle) is to be able to provide JDBC connection properties. Oracle supports some properties to secure the connection.

      With this JIRA, I would like to introduce a new property "karaf.lock.jdbc.connection.properties" in $KARAF_HOME/etc/system.properties to support this requirement.

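Parsing the proposed property into JDBC Properties, as an added example that is not part of the attached patch or of Karaf's own code: the class name, the requireEncryption check and the "karaf"/"secret" credentials are my own assumptions; the property format (";"-separated key=value pairs) and the sample value follow the configuration quoted in the first comment.

```java
import java.util.Properties;

/** Builds JDBC connection Properties from the proposed karaf.lock.jdbc.connection.properties value. */
public final class LockConnectionProperties {

    /** Splits "k1=v1;k2=v2" on ';' only, so a parenthesised cipher list containing commas stays intact. */
    public static Properties parse(String raw) {
        Properties props = new Properties();
        if (raw == null || raw.trim().isEmpty()) {
            return props;
        }
        for (String pair : raw.split(";")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("Malformed connection property: '" + pair + "'");
            }
            props.setProperty(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
        }
        return props;
    }

    /** Defender-side check (hypothetical): the lock connection must require encryption, not merely accept it.
     *  A missing setting is treated as Oracle's permissive default, so it fails the check. */
    public static void requireEncryption(Properties props) {
        String mode = props.getProperty("oracle.net.encryption_client", "ACCEPTED");
        if (!"REQUIRED".equalsIgnoreCase(mode)) {
            throw new IllegalStateException("oracle.net.encryption_client is " + mode
                    + "; the JDBC lock connection could fall back to plain text");
        }
    }

    public static void main(String[] args) {
        // Value taken from the sample configuration in the issue
        String sample = "oracle.net.encryption_client=REQUIRED;"
                + "oracle.net.encryption_types_client=(AES256, AES192, AES128,3DES168, RC4_256, RC4_128)";
        Properties props = parse(sample);
        props.setProperty("user", "karaf");      // constructed credentials, not real ones
        props.setProperty("password", "secret");
        requireEncryption(props);
        // java.sql.DriverManager.getConnection(jdbcUrl, props) would now negotiate an encrypted session
        System.out.println("Encryption required: " + props.getProperty("oracle.net.encryption_types_client"));

        // A configuration that merely accepts encryption is rejected before any credentials leave the JVM
        try {
            requireEncryption(parse("oracle.net.encryption_client=ACCEPTED"));
        } catch (IllegalStateException e) {
            System.out.println("Rejected weak configuration: " + e.getMessage());
        }
    }
}
```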
      jbonofre Jean-Baptiste Onofré added a comment -

      FYI, I will create a more generic Jira, related to that.

      As we did for the encryption of passwords in etc/users.properties, we should provide a more "generic" encryption service:

      • all properties should support values which look like {CRYPT}foobar{CRYPT}.
      • like this, Karaf can "detect" encrypted values and decrypt them when we use the property

        People

        • Assignee: Unassigned
        • Reporter: muellerc Christian Müller
        • Votes: 0
        • Watchers: 2