Thread: Using JDBC and SSL (or any method of security)
Hello,

We want to use JDBC together with a patched PostgreSQL using Brett McCormick's PostgreSQL-SSL patch. Is it possible to use encrypted communication with JDBC using this? Or Kerberos? Or do you have any suggestions as to how we can make it secure?

The database will contain sensitive information and will be available over the Internet, to those who are authorised.

If no encryption is possible, is it possible to ensure that no one can read the passwords (by encrypting them)? I would be grateful for any help; please reply to my email addresses also.

--
Nick Urbanik, Dept. of Elec & Comms Engineering, HKTC(TY)
email: nicku@vtc.edu.hk, nicku@iohk.com
Tel: (852) 2436 8660, (825) 2436 8674 Fax: (852) 2436 8643
On Tue, 14 Jul 1998, Nick Urbanik wrote:

> Hello,
>
> We want to use JDBC together with a patched PostgreSQL using Brett
> McCormick's PostgreSQL-SSL patch. Is it possible to use encrypted
> communication with JDBC using this? Or Kerberos? Or do you have any
> suggestions as to how we can make it secure?

Currently there is no way of encrypting the data stream using SSL or Kerberos - yet. The java.security API may help us in the near future.

> The database will contain sensitive information and will be available
> over the Internet, to those who are authorised.
>
> If no encryption is possible, is it possible to ensure that no one can
> read the passwords (by encrypting them)? I would be grateful for any
> help; please reply to my email addresses also.

The only encoding possible so far is using the crypt authentication system, where the password is sent over the wire encrypted. We can handle this, as we have our own copy of crypt in the driver.

--
Peter T Mount peter@retep.org.uk or petermount@earthling.net
Main Homepage: http://www.retep.org.uk
************ Someday I may rebuild this signature completely ;-) ************
Work Homepage: http://www.maidstone.gov.uk Work EMail: peter@maidstone.gov.uk
At 06:51 AM 15/07/98 +0100, you wrote:

>> We want to use JDBC together with a patched PostgreSQL using Brett
>> McCormick's PostgreSQL-SSL patch. Is it possible to use encrypted
>> communication with JDBC using this? Or Kerberos? Or do you have any
>> suggestions as to how we can make it secure?
>
> Currently there is no way of encrypting the data stream using SSL or
> Kerberos - yet. The java.security API may help us in the near future.

The article "JDBC Drivers and Web Security" by Mukul Sood in Dr. Dobb's Journal (July 1998) discusses this a bit and some solutions that currently exist. A discussion about the use of SSL in JDBC solutions is included. In addition, three of the driver vendors considered in the latter part of the article make use of SSL.

As Sood says, "any program that makes use of TCP can be modified to use SSL connections". Several of the driver vendors make use of this by providing encryption and authentication services to network applications (including Java applets and applications using JDBC) using SSL.

For a good example of this, read the section in the article on WebLogic's Tengah/JDBC, which uses RSA SSL.

> The only encoding possible so far is using the crypt authentication
> system, where the password is sent over the wire encrypted. We can handle
> this, as we have our own copy of crypt in the driver.

Peter or somebody, could you point me to an example of how this is used? Thanks.

Andrew
[email problems within maidstone.gov.uk have delayed this response - peter]

On Wed, 15 Jul 1998, Andrew R. Jackson wrote:

> At 06:51 AM 15/07/98 +0100, you wrote:
>
> >> We want to use JDBC together with a patched PostgreSQL using Brett
> >> McCormick's PostgreSQL-SSL patch. Is it possible to use encrypted
> >> communication with JDBC using this? Or Kerberos? Or do you have any
> >> suggestions as to how we can make it secure?
> >
> > Currently there is no way of encrypting the data stream using SSL or
> > Kerberos - yet. The java.security API may help us in the near future.
>
> The article "JDBC Drivers and Web Security" by Mukul Sood in Dr. Dobb's
> Journal (July 1998) discusses this a bit and some solutions that
> currently exist. A discussion about the use of SSL in JDBC solutions is
> included. In addition, three of the driver vendors considered in the
> latter part of the article make use of SSL.
>
> As Sood says, "any program that makes use of TCP can be modified to use
> SSL connections". Several of the driver vendors make use of this by
> providing encryption and authentication services to network
> applications (including Java applets and applications using JDBC) using
> SSL.
>
> For a good example of this, read the section in the article on
> WebLogic's Tengah/JDBC, which uses RSA SSL.

When I get time, I'll look at how SSL works with PostgreSQL at the moment, and see if I can implement it easily.

> > The only encoding possible so far is using the crypt authentication
> > system, where the password is sent over the wire encrypted. We can handle
> > this, as we have our own copy of crypt in the driver.
>
> Peter or somebody, could you point me to an example of how this is used? Thanks.

Simply set the authentication type in pg_hba.conf to crypt, ie:

    host all 192.168.4.0 255.255.255.0 crypt

Because the protocol sends the authentication type to the client, the driver automatically switches to crypt.

--
Peter Mount (at work) peter@taer.maidstone.gov.uk or peter@maidstone.gov.uk
If you mail me here, please cc my home address peter@retep.org.uk
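As an added illustration (not part of the thread, and not a file from the PostgreSQL or JDBC projects), here is a pg_hba.conf fragment in the same line format Peter uses, putting the cleartext `password` method beside the `crypt` method he recommends. The 192.168.4.0/24 range is taken from his example; the `reject` line for everything else is an addition that suits a database reachable from the Internet.

```conf
# Added example, not from the thread. Line format is the one in Peter's
# reply: host <database> <IP address> <netmask> <authentication method>.
# 192.168.4.0/24 stands in for the authorised client network.

# Weak: 'password' sends the user's password in cleartext, so anyone who
# can see the traffic can read it.
# host   all   192.168.4.0   255.255.255.0   password

# What the thread recommends: with 'crypt' the server sends a salt and the
# client answers with crypt(password, salt), so the cleartext password
# never crosses the wire. The query data itself is still unencrypted.
host     all   192.168.4.0   255.255.255.0   crypt

# Any other source address is refused before a password is even asked for.
host     all   0.0.0.0       0.0.0.0         reject
```

pg_hba.conf is evaluated top to bottom and the first matching line wins, so the `crypt` line for the authorised network has to come before the catch-all `reject`. In current PostgreSQL releases the `crypt` method no longer exists (`scram-sha-256` takes its place) and `hostssl` lines provide the transport encryption the thread says was unavailable in 1998.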