Thanks Pierre - I hadn't found it either, wanted to make sure I wasn't just stupid in my looking.
I'm fighting the "it is a dumb idea to try to 2FA a service account" - but not sure if I can prevail against entrenched stupidity.

On Tue, Oct 23, 2018 at 11:08 AM Pierre Chiu <pc8...@gmail.com> wrote:
>
> You are using JDBC connection to Oracle database.
>
> Just forget about Tomcat. I cannot find out of the box JDBC 2FA feature from
> Oracle.
>
> > On Oct 23, 2018, at 11:03 AM, Will Nordmeyer <quark...@gmail.com> wrote:
> >
> > Chris,
> >
> > I understand all of that and am working all those concerns to the
> > PTB... but as with many management situations reality doesn't fit with
> > the "security" mindset.
> >
> > On Tue, Oct 23, 2018 at 10:59 AM Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >>
> >> Will,
> >>
> >> On 10/23/18 10:44, Will Nordmeyer wrote:
> >>> I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> >>> the next year). I tried working with Oracle on this with no
> >>> success.
> >>>
> >>> We have an Oracle Database connection defined within our web.xml
> >>> (see below). We need to convert to using 2 Factor (certificate?)
> >>> based Authentication.
> >>>
> >>> How do we convert from our embedded username password to 2FA
> >>
> >> Uhh...
> >>
> >> How would you enter your second-factor into the server? During service
> >> startup? What happens if the connection times out and you have to
> >> re-authenticate? Do you want to be paged in the middle of the night to
> >> re-enter your 2FA code? How about 10 times per hour on 100 different
> >> servers?
> >>
> >> 2FA doesn't make any sense at all for services contacting other
> >> services. 2FA makes sense for humans contacting services because
> >> humans are so much worse at password management, social engineering
> >> resistance, etc.
> >>
> >> If you have a segment of your IT team mandating 2FA for database
> >> connections (even for services), tell them that THEY have to use THEIR
> >> 2FA credentials to unlock the database for YOUR services. See how long
> >> that policy survives.
> >>
> >> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org