In FairCom DB V11.2 and later, FairCom DB SQL JDBC supports TLS connections per the JDBC standard. Enable TLS in a JDBC connection URL using the ssl=value parameter string.
TLS connections are enabled in the JDBC connection URL using the new URL format (TLS is not supported with the old URL format) and the new ssl parameter.
The new URL format is:
jdbc:ctree://<host>[:portnumber]/<dbname>[?param=value[&param=value]...]
The valid values for the ssl parameter are:
basic
peerAuthentication
NOTE: For backward compatibility, the older format ("jdbc:ctree:6597@localhost:ctreeSQL", "ADMIN", "ADMIN") is still supported but should be considered deprecated.
Basic TLS with JDBC clients
Traffic to the server is encrypted, but there is no assurance of the server's identity.
Basic TLS encryption is enabled on the client by setting the URL parameter ssl to basic, for example:
Connection c = DriverManager.getConnection("jdbc:ctree://localhost:6597/ctreeSQL?ssl=basic");
Peer Authenticated TLS with JDBC clients using System properties
If the client wants to authenticate the server, then the client's trust store must contain the server's CA certificate (or a self-signed server certificate). A Java keystore must first be created that contains this CA certificate.
For example, the following adds the trusted CA certificate ctsrvr.pem to a keystore named server.store:
keytool -importcert -file ctsrvr.pem -keystore server.store
keytool is part of the Java distribution, and will prompt you for a password used to encrypt the trust store. In this example we used mypassword as the password.
Client SSL with server authentication is enabled by the URL parameter ssl set to peerAuthentication.
You must set the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to reference the trust store for the desired database server.
Example:
System.setProperty("javax.net.ssl.trustStore","server.store");
System.setProperty("javax.net.ssl.trustStorePassword","mypassword");
Connection c = DriverManager.getConnection("jdbc:ctree://localhost:6597/ctreeSQL?ssl=peerAuthentication");
Full TLS authentication with JDBC clients
The FairCom database server may be configured to allow or require client TLS authentication in place of password-based authentication. The client must both authenticate the server (with the same requirements as for peerAuthentication) and prove its own identity to the server by presenting a client certificate that the server trusts. This is configured in the connection string by specifying a trustStore for the server and a keyStore for the user.
Example:
Create the trust store by importing the trusted CA certificate ctsrvr.pem into a keystore named server.store. keytool is part of the Java distribution, and will prompt you for a password used to encrypt the trust store. In this example we use mypassword as the password.
keytool -importcert -file ctsrvr.pem -keystore server.store
The client must possess a keystore containing its certificate and private key. Here we assume a keystore exists named johndoe.pkcs12, protected with the password secret.
NOTE: The default keystore format is controlled by the java.security configuration file under the property keystore.type. The PKCS12 keystore format is supported by all Java implementations, but prior to Java 9 JKS was the default format. You may need to adjust this configuration so that Java can open your keystore.
The following connection string attempts to connect using these two stores for TLS authentication.
Connection c = DriverManager.getConnection("jdbc:ctree://localhost:6597/ctreeSQL?trustStore=server.store&trustStorePassword=mypassword&keyStore=johndoe.pkcs12&keyStorePassword=secret");
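The following program is an added example, not FairCom's code, that ties together the three connection variants described above (basic, peerAuthentication via the javax.net.ssl system properties, and full client-certificate authentication via the trustStore and keyStore URL parameters). It assumes the FairCom JDBC driver is on the classpath, uses the host, port, database and store names from this page (localhost:6597, ctreeSQL, server.store, johndoe.pkcs12), and reads the store passwords and database credentials from environment variables (TRUST_STORE_PASSWORD, KEY_STORE_PASSWORD, DB_USER, DB_PASSWORD; these names are the example's own) so that no password is hard-coded in source. Before connecting it also opens the trust store with the JVM's default keystore type and checks that it holds at least one unexpired CA certificate, which catches the keystore.type mismatch mentioned in the note above and an accidentally imported leaf or expired certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;

/**
 * Added example (not FairCom's code). Assumptions: FairCom JDBC driver on the
 * classpath; server at localhost:6597 with database ctreeSQL; trust store
 * server.store and client keystore johndoe.pkcs12 as on this page; passwords
 * and credentials in the environment variables named below.
 */
public class FairComTlsConnect {

    enum Mode { BASIC, PEER_AUTH, CLIENT_CERT }

    static final String BASE_URL = "jdbc:ctree://localhost:6597/ctreeSQL";
    static final String TRUST_STORE = "server.store";
    static final String KEY_STORE = "johndoe.pkcs12";

    /** Build the URL for the chosen mode; the parameter names and values are the ones documented above. */
    static String buildUrl(Mode mode, String trustPw, String keyPw) {
        switch (mode) {
            case BASIC:
                return BASE_URL + "?ssl=basic";
            case PEER_AUTH:
                return BASE_URL + "?ssl=peerAuthentication";
            case CLIENT_CERT:
                return BASE_URL + "?trustStore=" + TRUST_STORE
                     + "&trustStorePassword=" + trustPw
                     + "&keyStore=" + KEY_STORE
                     + "&keyStorePassword=" + keyPw;
            default:
                throw new IllegalArgumentException("unknown mode " + mode);
        }
    }

    /** Open the trust store with the JVM default type and require at least one valid CA certificate. */
    static void checkTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // fails here if keystore.type does not match the file format
        }
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity(); // throws if the certificate is expired or not yet valid
            if (cert.getBasicConstraints() < 0) {
                System.err.println("warning: entry " + alias + " is not a CA certificate");
            }
            trusted++;
        }
        if (trusted == 0) {
            throw new IllegalStateException("no trusted certificates in " + path);
        }
    }

    static Connection connect(Mode mode) throws Exception {
        String trustPw = System.getenv("TRUST_STORE_PASSWORD");
        String keyPw = System.getenv("KEY_STORE_PASSWORD");
        if (mode != Mode.BASIC) {
            checkTrustStore(TRUST_STORE, trustPw.toCharArray());
        }
        if (mode == Mode.PEER_AUTH) {
            // peerAuthentication reads the trust store from the standard JSSE system
            // properties; note these apply to every TLS client in this JVM, not just JDBC
            System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
            System.setProperty("javax.net.ssl.trustStorePassword", trustPw);
        }
        String url = buildUrl(mode, trustPw, keyPw);
        if (mode == Mode.CLIENT_CERT) {
            // identity is proven by the client certificate, as in the page's example
            return DriverManager.getConnection(url);
        }
        // basic and peerAuthentication still use password-based login (assumed here)
        return DriverManager.getConnection(url, System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
    }

    public static void main(String[] args) throws Exception {
        Mode mode = Mode.valueOf(args.length > 0 ? args[0] : "PEER_AUTH");
        try (Connection c = connect(mode)) {
            System.out.println("connected in mode " + mode + ", valid=" + c.isValid(5));
        } catch (SQLException ex) {
            System.err.println("connection failed: " + ex.getMessage());
        }
    }
}
```

Run it as `java FairComTlsConnect CLIENT_CERT` (or BASIC / PEER_AUTH) with the environment variables set. Two design points worth noting: the javax.net.ssl.* properties are JVM-wide and affect every TLS client in the process, so the trustStore/keyStore URL parameters are the better choice when the application talks to more than one TLS endpoint; and because the URL form carries the store passwords in the connection string, keep that string out of logs and build it from a secret source at runtime rather than committing it.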
See Also:
The Java keytool documentation provides examples of how to generate a key pair, request a certificate from a CA, or generate certificates for a server.