Re: PgJDBC - Using certificate auth with jboss & postgres - Mailing list pgsql-jdbc

From Craig Ringer
Subject Re: PgJDBC - Using certificate auth with jboss & postgres
Date
Msg-id 4E0A66E4.8010903@postnewspapers.com.au
In response to PgJDBC - Using certificate auth with jboss & postgres  ("Eyal Edri" <eedri@redhat.com>)
List pgsql-jdbc
On 06/28/2011 11:00 PM, Eyal Edri wrote:
> Hi,
>
> I'm trying to make postgres and jboss

JBoss version?

> work together using certificate authentication method and SSL.

Possibly stupid question: Why?

In almost all cases with application servers the appserver is on the
same machine as the DB or on the same network segment, so few people
even bother using SSL let alone client cert auth. If the app server is
cracked, the attacker can dump the certificate and private key just as
easily as they can dump the pool's username and password, so you don't
gain much by using cert auth in security terms either.

> I've read some recent posts that this functionality is going to
> implemented (?) but I couldn't find documentation about how to implement
> it.

It'd really help if you provided links to the documents you're referring to.

Anyway, client cert auth already works with an unmodified PgJDBC.

The code/discussion you saw recently was probably the custom
SSLSocketFactory intended to make it easier to specify your own KeyStore
location and customize the process.

With current PgJDBC, you just use standard JSSE parameters to specify a
keystore and add your keys to that store. I'd be astonished if JBoss AS
didn't already have a KeyStore, so you probably don't have to go messing
with JSSE parameters. As for adding keys to the store, if JBoss doesn't
provide its own key management interfaces you'd use the standard Java
keytool command.

Note that keys in a JBoss-wide keystore would be visible and accessible
to all applications running on the server. If that is not acceptable,
you'll have to use a custom SSLSocketFactory to load your chosen
KeyStore. Example code is on the mailing list (and will make it into
PgJDBC soon hopefully). In the meantime you can make your own jar with
your SSLSocketFactory, put it in the same directory as the appserver's
copy of PgJDBC and refer to it using the sslsocketfactory jdbc
datasource parameter.

It's also worth noting that Pg had a bug where it didn't tell the client
which CA certificate it expected client certs to be signed by. Java
couldn't figure out which certificate to offer if it had more than one
in the KeyStore, because Pg didn't give it the information required to
decide. This bug is fixed; I just can't remember whether it was fixed in
8.4 or 9.0.

--
Craig Ringer
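Added example, not code from this thread or from PgJDBC itself: a custom SSLSocketFactory of the kind Craig describes, which loads an application-specific PKCS12 keystore holding only this application's client certificate instead of the appserver-wide KeyStore that every deployed application can read. PgJDBC loads such a class by name from its `sslfactory` connection property (the datasource parameter the reply refers to) and, when `sslfactoryarg` is set, passes that string to a single-String constructor; the class name, file paths and environment variable names below are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.*;

/**
 * Hypothetical PgJDBC SSL factory. sslfactoryarg (the keystore path) arrives
 * through the String constructor; the keystore password and the trust store
 * path come from the environment so they never appear in the JDBC URL.
 */
public class AppClientCertSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public AppClientCertSocketFactory(String keyStorePath) throws IOException, GeneralSecurityException {
        String pw = System.getenv("PG_CLIENT_KEYSTORE_PASSWORD"); // assumed variable name
        if (pw == null) throw new IOException("PG_CLIENT_KEYSTORE_PASSWORD not set");
        // Client identity: a PKCS12 file containing only this app's key and cert chain
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, pw.toCharArray());
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw.toCharArray());
        // Server verification: trust store holding the CA that signed the Pg server cert
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(System.getenv("PG_SERVER_TRUSTSTORE"))) {
            ts.load(in, null); // assumed path in PG_SERVER_TRUSTSTORE; no integrity password
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // Every socket PgJDBC asks for is created by the context built above
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return delegate.createSocket(s, h, p, autoClose); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
}
```

With the jar beside the appserver's copy of PgJDBC, the datasource would carry `ssl=true`, `sslfactory=AppClientCertSocketFactory` and `sslfactoryarg=/path/to/app-client.p12` (path assumed); the keystore file itself should be readable only by the account the appserver runs as.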
