Total Crystal/EJB/JNDI noob so please be considerate :) I don't have any source codes to post (yet) because I don't know enough about these 3 combined to post anything meaningful.
Anyway...
I am maintaining an application that uses EJB3 and JNDI to connect to the DB for my Crystal reports. Now, due to our requirements, we need to ensure that the communication between the app and the DB is secure (e.g. encrypted). How should this be done?
I've been seeing discussions on using security domains, JAAS and roles (like this one), but from what I'm seeing, that's going to force me to put annotations on every method that's concerned with connecting to the DB, not to mention define roles for users (which is not needed at this point). Then there are those saying it's just a matter of configuring my application server (in this case, it's JBoss) or putting a transport-guarantee in my web.xml (e.g. CONFIDENTIAL).
What's the best approach (or do you think that this is redundant/unnecessary)? Any help or hints on where to start would be really appreciated as I don't really see how to tackle this.
Thanks in advance!
You have 2 options:
IPsec
The first option is a OS-level encryption. All network traffic between host endpoints are encrypted. You will need to configure the OS of both the APP and DB servers for IPsec.
encrypted JDBC connection
In this option, only the JDBC network traffic between the database server and client is encrypted. On the DB server side, you'll need to configure your database server to SUPPORT or REQUIRE encryption. On the client side, you need to configure your JDBC connection properties to use encryption. The exact configuration and path for the SSL keys are dependent on the database that you are using.
The 2 options are not mutually exclusive and you can implement both at the same time but I think that is an overkill.
Related
I am trying to figure out how to connect to an oracle database located in sql developer, using java in eclipse. I have been looking online and have found responses like this one java connect to backend explanation which give a detailed step by step on how to connect.
However I was also reading about using PuttY/tunneling, which the link that I showed above does not talk about. How do I know if PuttY has to be used? For context, the oracle sql developer database is a database that belongs to my company
Hypothetically, you could SSH tunneling if you want to connect to a server that is behind a firewall that blocks the database port, or on a private network that your network cannot route to.
Another possible use-case might be to provide an encrypted channel for your database connection to protect the data against snooping (or worse) by a third party. (But there better ways to do that; e.g. using a VPN, or an SSL connection to the database.)
Generally speaking, SSH tunneling of database connections is something you do when other approaches are not available or won't work.
I was wondering if there is anyway to save an IMAP session in database so that it can be reused.
Any help much appreciated
Darshan
TL;DR: No.
An IMAP session is something which involves quite an involved amount of state of at least two networked services. The concept of caching a connection is very useful if you want to avoid a possible costly process of connection establishment, setup, configuration, and perhaps entering a particular state on the other end of the connection. With IMAP, this typically involves both setting up a TCP connection, agreeing upon an TLS session on top of that, exchanging authentication data, reading the remote party's CAPABILITY bits, exchanging the ID data for software version troubleshooting etc etc etc.
You could do something, for example it's quite possible to set up an IMAP proxy and design your DB-caching for using some identifiers-within-the-DB as a key/index/token for your proxy, but that sounds like a lot of work compared to what IMAP can do (and compared to what IMAP can easily benefit from, for example TLS session caching).
Have you tried IMAP command pipelining already? Have you measured and verified your performance data to see where the bottlenecks really are?
For the past few weeks, I have been scouring the internet, the minds of computer programmers, and just a few random people over the situation I am looking to overcome. Basically, what I am trying to do it write a AntiJoinBot "plugin" (if you will) for the popular game Minecraft. This would be like all others in respect that it blocks IPs based on if they are using a proxy or not, but this AntiJoinBot is running on a different VPS than the actual server.
This is the best graph I can make of the situation (it's not that good):
(non-minecraft server) Connection -> Proxy check -> Redirect to the
server -> Minecraft
The only problem is, I need to be able to redirect the IP and close the connection so that the player's real IP is the one that would connect to the server. If the connection is not able to be closed, it would cause real problems due to some of the plugins we are running.
If you have a solution or a better way to do this, please help me.
Redirection of connections along the lines that you want requires support from the (application) protocol. TCP/IP does not support it. AFAIK, SOCKS does not support it either. Unless the Minecraft application protocol (and by implication, Minecraft clients and servers) include support for redirection, you are out of luck.
(FWIW - that's how HTTP redirection works. HTTP has a "protocol element" that allows the server to tell the client to redirect, and where to redirect to. The client then resends the original request to a new address.)
But that doesn't mean that you can't deal with the pests. It just means that the redirection approach is not viable. Try a custom proxy or an IP filter / redirector instead.
You are trying to save the server's resources on the cost of increase Traffic.
I am not sure with the answer but may be by looking into the concept of LBS(Load Balancing Server) you may find the answer.
LBS is purely defined and controlled by us so you can manage the resources of two servers using one load balancing server.
I've got a database that is mirrored using SQL 2008 Mirroring.
I have a java application, running on Linux, using the Microsoft SQL
type 4 JDBC drivers.
I have this setup duplicated as a QA environment.
On my QA environment, when I manually fail over the database,
providing a successful connection had already been made, the failover
was completely transparent. I did not have to implement anything in
order to get the application to talk to the new Principle (Old
mirror).
In the live environment however, the connections stop working once I
have manually failed over.
There are quite a few things different between the live and QA environments, but not anything I'd consider fundamental to this process, communication between databases is all very localised in both situations and there are no firewalls (Except the ones built into Windows Server 2008) between my java app and the Windows boxes running SQL 2008.
Does anyone have any ideas about how I can go about diagnosing this issue? Or can anyone tell me how this failover transparency occurs so I can work out how to diagnose this myself?
This behaviour is handled by the SQL Server provider as part of the Client Redirect behaviour. This was part of the SQL Server 2005 JDBC (Java Database Connectivity) 1.1 Driver, I'm unsure if that provider was directly used for the new type 4 drivers though?
In your live environment, is your application successfully connecting to the primary server before it fails over, so it is able to cache the failover partner and make use of that when the failover occurs?
To be sure, you can explicitly state the failover partner in the connection string, which is the recommended practice:
jdbc:sqlserver://serverA:1433; databaseName=AdventureWorks; integratedSecurity=true; failoverPartner=serverB
The full documentation of the redirect behaviour can be found here.
The addition of the failover documentation here suggests that it could be a manual consideration.
I have simple server-client application that uses JDBC to connect to database and things works ok. Application does few simple things with JDBC connection (get data, insert new line and few others).
Now, I would like to keep the same application but use it outside of firewall - so, I would put something else on some host:port (and open that port to outside world) - instead of JDBC opening database access directly.
I guess that this problem is faced many many times and sure there are a lot approches.
One way can be doing servlet on one side, accessing it on client side.
I guess, I haven't touched Spring yet, maybe another would be to do POJO Java Class and using Spring configure it as http service.
I have heard also "rumors" that Jetty has something that can help in this case (to minimaze coding on server and client side)
I would prefer something that:
- is not complicate (easy learning path)
- reuse something that is already done.
What approach would you recommend ?
Thank you and regards,
Igor
The normal approach would be to implement a web service, which can be pretty easy these days with Axis etc.
You really don't want to open direct JDBC to clients outside a firewall by tunnelling over HTTP... the server should strictly control what kind of interaction takes place with the database.
I would recommend using something like SSH tunnels to carry your JDBC connections through the firewall. Set up a tunnel on the DMZ machine on whatever publicly open port your can, and connect the other end of the tunnel to the appropriate port on the DB server.
Then just change your JDBC connection settings to connect to the tunnel machine's public port and it will transparently end up communicating with the database as usual, while passing through the firewall via the accepted port.
If this is an IT policy problem, in that they won't let you directly access the database, then you would need to work out what you are allowed to do and work with that as far as possible. Changing JDBC to another access method is unlikely to be acceptable to the IT policy in this case.
Edit: after reading Jon's answer, he may be right. I was assuming that the issue was the connection between your server/webapp, and the database server. If you were talking about the client creating direct JDBC connections to the database, then yes - firewall or no, this is very bad practice. The client should talk to your server to ask for what it wants, and your server should do the DB queries as required to get the information.
I think that would just be an unnecessary complication. Your DBMS (usually) brings access control and transport layer security. If you introduce your own layer, are you sure that you can make it safer than a direct connection to the DB?
I see your rationale, but if there isn't a framework to do this, avoid building your own! For example, PostgreSQL comes with a bunch of nifty options to tie things down. For example, require SSL certificate-based authentication on the transport level (clients must present a cert that the server checks), or IP-based access.
Of course you still have to trust your DBMS implementation to get basic details like access control right (= "uncrackable"), but you still need to rely on this anyway after the black hats have broken into your web-proxy ;)
#dtsazza: Maybe edit your answer to include the keyword "VPN"? ssh tunnels probably scale badly outside of a private setup.
Volker