Thread: PgJDBC - Using certificate auth with jboss & postgres

Hi,

I'm trying to make postgres and jboss work together using certificate
authentication method and SSL.
I've read some recent posts that this functionality is going to
implemented (?) but I couldn't find documentation about how to implement
it.

We're using postgres 8.4.7 under rhel 6 and the datasource file
'postgres-ds.xml' for jboss comm with pg over jdbc.

I was able to communicate with postgres with 'psql -h localhost -d
postgres -U postgres' (after creating the server/client certs and keys and
setting the auth
To 'cert' in pg_hba.conf'.

What I couldn't find out is how (if possible) to tell jboss(in
postgres-ds.xml)  to use a keystore in order to find the certs it needs to
connect.
Also, if it's possible to define an alias property, so it can access the
relevant certificate in the keystore.

Thanks,

Eyal Edri
Redhat.

On 06/28/2011 11:00 PM, Eyal Edri wrote:
> Hi,
>
> I'm trying to make postgres and jboss

JBoss version?

> work together using certificate authentication method and SSL.

Possibly stupid question: Why?

In almost all cases with application servers the appserver is on the
same machine as the DB or on the same network segment, so few people
even bother using SSL let alone client cert auth. If the app server is
cracked, the attacker can dump the certificate and private key just as
easily as they can dump the pool's username and password, so you don't
gain much by using cert auth in security terms either.

> I've read some recent posts that this functionality is going to
> implemented (?) but I couldn't find documentation about how to implement
> it.

It'd really help if you provided links to the documents you're referring to.

Anyway, client cert auth already works with an unmodified PgJDBC.

The code/discussion you saw recently was probably the custom
SSLSocketFactory intended to make it easier to specify your own KeyStore
location and customize the process.

With current PgJDBC, you just use standard JSSE parameters to specify a
keystore and add your keys to that store. I'd be astonished if JBoss AS
didn't already have a KeyStore, so you probably don't have to go messing
with JSSE parameters. As for adding keys to the store, if JBoss doesn't
provide its own key management interfaces you'd use the standard java
keytool command.

Note that keys in a JBoss-wide keystore would be visible and accessible
to all applications running on the server. If that is not acceptable,
you'll have to use a custom SSLSocketFactory to load your chosen
KeyStore. Example code is on the mailing list (and will make it into
PgJDBC soon hopefully). In the mean time you can make your own jar with
your SSLSocketFactory, put it in the same directory as the appserver's
copy of PgJDBC and refer to it using the sslsocketfactory jdbc
datasource parameter.


It's also worth noting that Pg had a bug where it didn't tell the client
which CA certificate it expected client certs to be signed by. Java
couldn't figure out which certificate to offer if it had more than one
in the KeyStore, because Pg didn't give it the information required to
decide. This bug is fixed, I just can't remember whether it was fixed in
8.4 or 9.0.

--
Craig Ringer