Re: PgJDBC - Using certificate auth with jboss & postgres
| From | Craig Ringer |
|---|---|
| Subject | Re: PgJDBC - Using certificate auth with jboss & postgres |
| Date | |
| Msg-id | 4E0A66E4.8010903@postnewspapers.com.au |
| In reply to | PgJDBC - Using certificate auth with jboss & postgres ("Eyal Edri" <eedri@redhat.com>) |
| List | pgsql-jdbc |
On 06/28/2011 11:00 PM, Eyal Edri wrote:
> Hi,
>
> I'm trying to make postgres and jboss

JBoss version?

> work together using certificate authentication method and SSL.

Possibly stupid question: Why?

In almost all cases with application servers the appserver is on the same machine as the DB or on the same network segment, so few people even bother using SSL let alone client cert auth. If the app server is cracked, the attacker can dump the certificate and private key just as easily as they can dump the pool's username and password, so you don't gain much by using cert auth in security terms either.

> I've read some recent posts that this functionality is going to
> implemented (?) but I couldn't find documentation about how to implement
> it.

It'd really help if you provided links to the documents you're referring to.

Anyway, client cert auth already works with an unmodified PgJDBC. The code/discussion you saw recently was probably the custom SSLSocketFactory intended to make it easier to specify your own KeyStore location and customize the process.

With current PgJDBC, you just use standard JSSE parameters to specify a keystore and add your keys to that store. I'd be astonished if JBoss AS didn't already have a KeyStore, so you probably don't have to go messing with JSSE parameters. As for adding keys to the store, if JBoss doesn't provide its own key management interfaces you'd use the standard java keytool command.

Note that keys in a JBoss-wide keystore would be visible and accessible to all applications running on the server. If that is not acceptable, you'll have to use a custom SSLSocketFactory to load your chosen KeyStore. Example code is on the mailing list (and will make it into PgJDBC soon hopefully). In the mean time you can make your own jar with your SSLSocketFactory, put it in the same directory as the appserver's copy of PgJDBC and refer to it using the sslsocketfactory jdbc datasource parameter.

It's also worth noting that Pg had a bug where it didn't tell the client which CA certificate it expected client certs to be signed by. Java couldn't figure out which certificate to offer if it had more than one in the KeyStore, because Pg didn't give it the information required to decide. This bug is fixed, I just can't remember whether it was fixed in 8.4 or 9.0.

--
Craig Ringer
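Added example (editor's illustration, not code from the thread, from PgJDBC or from JBoss) of the custom SSLSocketFactory approach Craig describes: it builds its own SSLContext from an application-private PKCS12 keystore holding the client certificate and key, plus a separate truststore holding the CA that signed the server certificate, so the keys never go into the appserver-wide KeyStore. The system property names (`app.pg.keystore`, `app.pg.keystore.password`, `app.pg.truststore`) and the class name are assumptions made for this example. The connection parameter that selects a factory class in PgJDBC's documented parameter list is `sslfactory` (the post calls it "sslsocketfactory"); the factory must be on the same classpath as the driver, as the post notes.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical example: an SSLSocketFactory for PgJDBC that loads an
 * application-private keystore instead of the appserver-wide one, so only
 * this datasource can present the client certificate to PostgreSQL.
 *
 * Assumed inputs (not from the original post):
 *   -Dapp.pg.keystore=/path/client.p12          (PKCS12: client cert + key)
 *   -Dapp.pg.keystore.password=...
 *   -Dapp.pg.truststore=/path/truststore.jks    (server CA certificate)
 *
 * The keystore files can be produced with standard tools, e.g.
 *   openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
 *   keytool -importcert -alias pgca -file root.crt -keystore truststore.jks
 *
 * JDBC URL wiring (sslfactory is PgJDBC's parameter name):
 *   jdbc:postgresql://dbhost/mydb?ssl=true&sslfactory=com.example.AppKeyStoreSslFactory
 */
public class AppKeyStoreSslFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate;

    /** PgJDBC instantiates the factory through its no-arg constructor. */
    public AppKeyStoreSslFactory() throws Exception {
        String ksPath = require("app.pg.keystore");          // hypothetical property
        String ksPass = require("app.pg.keystore.password"); // hypothetical property
        String tsPath = require("app.pg.truststore");        // hypothetical property

        // Client certificate and private key: what Pg's "cert" auth method checks.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass.toCharArray());
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass.toCharArray());

        // CA that signed the server certificate, so the client verifies the
        // server as well and does not send its certificate to an impostor.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(tsPath)) {
            ts.load(in, null); // only public certificates; no password needed to read
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    private static String require(String name) {
        String value = System.getProperty(name);
        if (value == null) {
            throw new IllegalStateException("missing system property " + name);
        }
        return value;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** The overload PgJDBC uses: it upgrades the already-connected plain socket to TLS. */
    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }
}
```

Keeping a single client certificate per keystore also sidesteps the server-side bug Craig mentions: when the KeyStore holds exactly one usable key entry, the JSSE key manager has nothing to disambiguate and offers that certificate regardless of whether the server advertised the expected CA.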