Securing JDBC Connection

I have a Linux box that acts as my client and makes a JDBC (thin) connection to another Oracle box running on Linux. My primary goal is to encrypt the connection since we have internal passwords that we pass over the wire and we don't want it to be in the clear.

A couple of questions:

When the application first makes a JDBC connection, is the username/password in the clear, the JDBC connection? If so, is there a way I can encrypt this? If it's sent in the clear I guess anyone listening on the network would get the username/password to connect to the DB. Could you also point me to some documentation where it says the connection string username and password is encrypted or not by default, etc.

Everything between the client and the DB I want to encrypt, is this possible in the driver level, I did the document on configuring the thin driver. Could anyone point me to detailed instructions as to where the property files are and what I need to change.

By yodarulesa at 2007-10-2 11:11:20
# 1

> When the application first makes a JDBC connection, is the username/password in the clear, the JDBC connection?

Depends on the driver.

> If so, is there a way I can encrypt this?

Depends on the driver. Check its documentation.

> If it's sent in the clear I guess anyone listening on the network would get the username/password to connect to the DB. Could you also point me to some documentation where it says the connection string username and password is encrypted or not by default, etc.

You can download various versions of the JDBC specification from this page: http://java.sun.com/products/jdbc/download.html

I can tell you (I just looked) that the JDBC 3.0 spec does not contain the word "encrypt". However it may use some other method of specifying that.

> Everything between the client and the DB I want to encrypt, is this possible in the driver level, I did the document on configuring the thin driver. Could anyone point me to detailed instructions as to where the property files are and what I need to change.

Check the driver documentation.

DrClapa at 2007-7-13 3:54:14
# 2

To answer your question specifically, yes, you can encrypt communications, including login between your client and an Oracle server using the Oracle JDBC drivers. As the previous poster stated, check your driver documentation, it is very clearly described.

Since Oracle provides a type 3 (OCI) and type 4 (thin) driver, there are differences in implementation. I believe OCI encryption is enabled through the sqlnet.ora file, while the thin driver is implemented through proprietary Oracle classes. If you want to look this up on the Oracle website or through Google, look for "Oracle Advanced Security".

WorkForFooda at 2007-7-13 3:54:14
# 3

What DrClap said...

and further, if the driver has support, it may also depend on settings of the database server. For example, the Oracle driver is capable of a few different modes of encryption, but the Oracle database (the listener, actually) absolutely has to also be enabled to accept those connection types, and that's not a default configuration.

http://download-west.oracle.com/docs/cd/B10501_01/java.920/a96654/advanc.htm#1024279

StuDerbya at 2007-7-13 3:54:14
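
An added example (not written by any poster in this thread, and not Oracle's own code) of the thin-driver setup the replies above describe: the client demands encryption and integrity checking through connection properties, so the connection fails instead of falling back to cleartext when the server side is not enabled. The URL, environment variable names and algorithm choices are assumptions; the algorithm lists must match what your driver and database release support.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class EncryptedThinConnection {

    // Thin-driver properties for Oracle native network encryption.
    // Server counterparts live in sqlnet.ora (SQLNET.ENCRYPTION_SERVER,
    // SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, ...).
    static Properties secureProps(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        // REQUIRED = fail closed; ACCEPTED/REQUESTED may still end up in cleartext.
        p.setProperty("oracle.net.encryption_client", "REQUIRED");
        p.setProperty("oracle.net.encryption_types_client", "(AES256)");      // assumed algorithm
        p.setProperty("oracle.net.crypto_checksum_client", "REQUIRED");
        p.setProperty("oracle.net.crypto_checksum_types_client", "(SHA256)"); // assumed algorithm
        return p;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL and variable names; none of these come from the thread.
        String url = System.getenv().getOrDefault(
                "DB_URL", "jdbc:oracle:thin:@//dbhost.example:1521/ORCL");
        String user = System.getenv("DB_USER");
        String pass = System.getenv("DB_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("Set DB_USER and DB_PASSWORD");
        }
        // Lists the services negotiated for this session; the account needs
        // SELECT privilege on v$session_connect_info.
        String check = "SELECT network_service_banner FROM v$session_connect_info "
                     + "WHERE sid = SYS_CONTEXT('USERENV','SID')";
        try (Connection c = DriverManager.getConnection(url, secureProps(user, pass));
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(check)) {
            while (rs.next()) {
                System.out.println(rs.getString(1)); // expect encryption + checksum adapters
            }
        } catch (SQLException e) {
            // A server that is not configured to match typically rejects the
            // negotiation (for example ORA-12660) rather than connecting unencrypted.
            System.err.println("Connection refused or check failed: " + e.getMessage());
            throw e;
        }
    }
}
```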
# 4
wrox Prof java security
mchan0a at 2007-7-13 3:54:14
# 5

Regarding the discussion on encryption of the first initial JDBC call, it's encrypted as per the documentation.

http://download-west.oracle.com/docs/cd/A87860_01/doc/network.817/a85430/asojbdc.htm#1004635

I also verified by sniffing the network that the initial password on the connection string is encrypted. Of course data after this is not.

Thanks everyone for your input as well.

yodarulesa at 2007-7-13 3:54:14