Will,

On 10/23/18 12:46, Will Nordmeyer wrote:
> Thanks Pierre - I hadn't found it either, wanted to make sure I
> wasn't just stupid in my looking.
> 
> I'm fighting the it is a dumb idea to try to 2FA a service account
> - but not sure if I can prevail against entrenched stupidity.

Tell management that the only way to do it is to hire Oracle in a
Professional Services engagement and have them "consult" with you.

It will cost a bundle, take forever, and, eventually, nothing will
change. Except the policy.

Good luck.

-chris

> On Tue, Oct 23, 2018 at 11:08 AM Pierre Chiu <pc8...@gmail.com>
> wrote:
>> 
>> You are using a JDBC connection to an Oracle database.
>> 
>> Just forget about Tomcat. I cannot find an out-of-the-box JDBC 2FA
>> feature from Oracle.
>> 
>> 
>>> On Oct 23, 2018, at 11:03 AM, Will Nordmeyer
>>> <quark...@gmail.com> wrote:
>>> 
>>> Chris,
>>> 
>>> I understand all of that and am working all those concerns to
>>> the PTB... but as with many management situations reality
>>> doesn't fit with the "security" mindset.
>>> 
>>> On Tue, Oct 23, 2018 at 10:59 AM Christopher Schultz
>>> <ch...@christopherschultz.net> wrote:
>>>> 
>>>> Will,
>>>> 
>>>> On 10/23/18 10:44, Will Nordmeyer wrote:
>>>>>> I'm currently running Tomcat 7 (will likely migrate to 8
>>>>>> or 9 in the next year).  I tried working with Oracle on
>>>>>> this with no success.
>>>>>> 
>>>>>> We have an Oracle Database connection defined within our
>>>>>> web.xml (see below).  We need to convert to using 2
>>>>>> Factor (certificate?) based Authentication.
>>>>>> 
>>>>>> How do we convert from our embedded username password to
>>>>>> 2FA
>>>> 
>>>> Uhh...
>>>> 
>>>> How would you enter your second-factor into the server? During
>>>> service startup? What happens if the connection times-out and you
>>>> have to re-authenticate? Do you want to be paged in the middle of
>>>> the night to re-enter your 2FA code? How about 10 times per hour on
>>>> 100 different servers?
>>>> 
>>>> 2FA doesn't make any sense at all for services contacting other
>>>> services. 2FA makes sense for humans contacting services because
>>>> humans are so much worse at password management, social
>>>> engineering resistance, etc.
>>>> 
>>>> If you have a segment of your IT team mandating 2FA for database
>>>> connections (even for services), tell them that THEY have to use
>>>> THEIR 2FA credentials to unlock the database for YOUR services. See
>>>> how long that policy survives.
>>>> 
>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
