Mark,

On 4/7/16 12:30 PM, Mark Eggers wrote:
> OSP,
>
> On 4/7/2016 8:28 AM, Christopher Schultz wrote:
>> OSP,
>>
>> On 4/7/16 10:08 AM, Linux Support wrote:
>>> Greetings all,
>>>
>>> =====
>>> Server number: 8.0.28.0
>>> OS Name: Linux
>>> OS Version: 2.6.32-573.8.1.el6.x86_64
>>> JVM Version: 1.8.0_66-b17
>>> =====
>>>
>>> Back end database is mariadb residing on another remote linux
>>> instance. I have downloaded and copied the Mariadb jdbc driver to
>>> the lib directory of the TC server.
>>>
>>> Can you let me know how to encrypt the database connectivity from
>>> the TC instance to the DB instance.
>>
>> Just to confirm: you want to encrypt the communication channel
>> between your application (really the JDBC driver) and the database?
>>
>> -chris
>
> There appear to be at least two ways of doing this.
>
> 1. Build an SSH tunnel between your Tomcat server and DB server
>
> This requires ssh and remote access to the DB server. You'll also want
> to configure a tunnel to come up when your Tomcat server is restarted
> and resume if the tunnel disconnects. You'll probably want to use
> certificate-based authentication for the SSH tunnel so user names and
> passwords don't have to be entered.

You can also use stunnel, which is slightly simpler and IMO more reliable,
since stunnel has a daemon which can auto-connect, etc.

> 2. Use SSL at the JDBC level
>
> MariaDB can be configured to use SSL, and the client can be configured
> to use a certificate. I've not done this, but it appears that the
> connection parameters are useSSL=true, requireSSL=true,
> serverSslCert=certpath. certpath appears to be an absolute file path, a
> path relative to the current classpath, or a DER-encoded certificate string.
>
> You may (most probably) have to install JCE for the version of Java that
> you are using.
>
> Please note that I've not tried any of this. Hopefully, the above
> pointers will get you started.

IIRC, *MySQL* is a giant pain in the neck to get going with SSL. I'm not
sure if MariaDB is any easier.

Your existing Java version should be sufficient to make outgoing SSL
connections; there's no need to add JCE or anything else, unless you want
to add the unlimited-strength policy files to allow for ciphers with
larger keys.

-chris
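As an added example (not code from this thread, from Tomcat or from the MariaDB project), a small Java client that opens the connection with the three parameters Mark named and then asks the server whether the session really is encrypted, rather than trusting that the driver honoured them. The host, database name, credential environment variables and CA certificate path are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/** Connects over the MariaDB JDBC driver with TLS required and verifies
 *  server-side that the session is encrypted before doing any work. */
public class MariaDbTlsCheck {

    // Constructed values: replace with your own host, database and CA path.
    static final String URL = "jdbc:mariadb://db.example.internal:3306/appdb";
    static final String CA_CERT_PATH = "/etc/tomcat/certs/mariadb-ca.pem"; // hypothetical

    /** Returns the negotiated cipher name, or throws if the session is cleartext.
     *  The server reports an empty Ssl_cipher for unencrypted sessions. */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            String cipher = rs.next() ? rs.getString("Value") : null;
            if (cipher == null || cipher.isEmpty()) {
                throw new SQLException("connection is NOT encrypted; refusing to continue");
            }
            return cipher;
        }
    }

    public static void main(String[] args) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", System.getenv().getOrDefault("DB_USER", "app"));
        props.setProperty("password", System.getenv().getOrDefault("DB_PASSWORD", ""));
        // Parameters named in the thread: require TLS and pin the server's CA
        // certificate so a server presenting an unknown certificate is rejected.
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        props.setProperty("serverSslCert", CA_CERT_PATH);

        try (Connection conn = DriverManager.getConnection(URL, props)) {
            System.out.println("TLS cipher in use: " + negotiatedCipher(conn));
        }
    }
}
```

The same `SHOW SESSION STATUS LIKE 'Ssl_cipher'` check can be used as a Tomcat pool `validationQuery` substitute during rollout, so a misconfigured pool that silently falls back to cleartext is noticed rather than assumed safe.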