Secure Oracle DB Username & Password in Tomcat 6

ashuji
Hi

I am using Oracle RAC as the backend with Tomcat 6.  I am storing the Oracle username & password as simple text, as in the example below:


DBConfig.JDBCURL=jdbc:oracle:thin:@(description=(address_list=(load_balance=on)(failover=on)(address=(protocol=tcp)(host=Oracle_Server_Name-vip)(port=1521))(address=(protocol=tcp)(host=ORACLE_SERVER_Virtual_IP)(port=1521)))(connect_data=(service_name=NAME_of_SERVICE)(failover_mode=(type=select)(method=basic))))
DBConfig.Username=DB_USERNAME
DBConfig.Password=DB_PASSWORD



Please suggest a way in which I could keep the password in encrypted format.

Regards

Ashwani Jain
Top Expert 2007

Commented:
The web.xml configuration file for the webapp is a good place.  Or you can create a separate properties file and read that when the webapp initializes.

Author

Commented:
Hi

I could not understand the suggestion. Please elaborate; it would be helpful if you could identify the step-by-step commands and file changes that are required to generate the encrypted DB password and then use that encrypted password in the config file, like the steps mentioned in the link below for JBoss:

https://community.jboss.org/wiki/EncryptingDataSourcePasswords
Top Expert 2007
Commented:
Ah -- you want Tomcat to handle the decryption.  I don't think that comes with Tomcat out of the box.

There are solutions which involve having some code, see this article here (they're using base64 as the example of encryption, but of course you would want something better than that):
http://java.sys-con.com/node/393364?page=0,1

This person wrote about using a real encryption handler, based on the above article:
http://scribblejava.wordpress.com/2010/03/23/encrypt-username-and-password-for-jndi-in-tomcat-server-xml/

But both of these require some programming knowledge.
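
Added example, not part of the original thread or the linked articles: a small Java utility covering the two pieces the discussion leaves open, generating the encrypted value for DBConfig.Password and decrypting it at startup, using AES-GCM in place of the base64 placeholder. The class name, the key-file path and the 16-byte raw key file are assumptions, as is a Java 8 or later runtime.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; class name and key path are hypothetical. Key file (constructed path):
//   head -c 16 /dev/urandom > /etc/tomcat6/db.key; chmod 600 /etc/tomcat6/db.key
public class DbPasswordCrypto {
    private static final int IV_LEN = 12;     // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // authentication tag length

    // Returns Base64(iv || ciphertext || tag); a fresh random IV is drawn per call.
    public static String encrypt(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // For the code that reads DBConfig.Password at startup. Throws
    // AEADBadTagException if the key is wrong or the stored value was modified.
    public static String decrypt(byte[] key, String token) throws Exception {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    // Usage: javac DbPasswordCrypto.java && java DbPasswordCrypto /etc/tomcat6/db.key
    public static void main(String[] args) throws Exception {
        byte[] key = Files.readAllBytes(Paths.get(args[0]));  // 16 raw bytes (AES-128)
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        String pw = new String(System.console().readPassword("DB password: "));
        String token = encrypt(key, pw);
        if (!decrypt(key, token).equals(pw)) throw new IllegalStateException("round trip failed");
        System.out.println("DBConfig.Password=" + token);
    }
}
```

The key file has to be readable only by the account Tomcat runs as. This keeps the password out of copies of the config file (backups, version control), but anyone who can read both the key file and the config can still recover it.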

Author

Commented:
Hi mrcoffee365

This article (http://scribblejava.wordpress.com/2010/03/23/encrypt-username-and-password-for-jndi-in-tomcat-server-xml/) was helpful, but there are a few questions about it. Since I am not a developer but just a Linux admin, I don't know how to do the following:

1.  Create JAR as mentioned, it would be helpful if you could suggest exact commands
2.  Generate encrypted code for password - no commands are mentioned.
Top Expert 2007

Commented:
The article gives the command to create a jar.  I don't think you will be able to make this work unless you can get a programmer to work with you.  If you don't know how to create an encrypted password, then the whole thing is not going to do you any good.

We don't do programming for people here at EE, we answer questions.  I was able to answer you -- Tomcat doesn't have the capability you are looking for.

Author

Commented:
I am still trying to get with DEV to have the JAR file created.  In the meantime, can you help me understand how to secure the login credentials in the case of an MSSQL DB?
Top Expert 2007

Commented:
Great.  Award points on this question, since I answered it for you, and then you can ask another question on EE which doesn't have anything to do with Java or Tomcat.  Your question now is about MSSQL database (not Oracle any more?) so you need some different experts looking at your new question.

Author

Commented:
...
