JNDI connection only partially encrypting

 
Ranch Hand
Posts: 43
Hi all,

We have a Java servlet running on Tomcat and Windows, and all database connections are encrypted using SSL. This works apart from a strange issue on one of the connections (SQL Server) which I do not understand. I am using Wireshark to check the encryption is working but, whenever a new login is performed through the servlet, the FIRST data transfer for this particular connection is only partially encrypted; if a second or third data transfer to this database connection is made under the same login, the entire message is encrypted.

After the login all requests are handled through a token provided by Tomcat. The servlet also connects to an Oracle database which encrypts all the messages from the outset.

Why will the first data transfer only be partially encrypted?

Here is the JNDI entry in Tomcat's context.xml file, but obviously with a few things amended to hide them:

<Resource auth="Container"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
factory="org.moss.jdj.dbcp.EncryptedDataSourceFactory" maxActive="100"
maxIdle="30" maxWait="10000" name="jdbc/connectionname"
password="*******" type="javax.sql.DataSource"
url="jdbc:sqlserver://databaseinstallname\db_instancename:2369;databaseName=Images;encrypt=true;trustServerCertificate=true"
username="*******" />


Here is the entry in Tomcat's server.xml file, but again with a few things amended to hide them:

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" KeyAlias="ows"
KeystoreFile="C:\SSLKeys\ows.key" KeystorePass="********" />

Thanks in advance

Regards

AJF
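
An added example, not part of the original post or any participant's code: a small Python audit that reads the `Resource` entry shown above and reports the transport-security settings in its SQL Server JDBC URL. It flags `trustServerCertificate=true`, which encrypts the channel without validating the server's certificate; the function names, the `HARDENED_URL` host and the trust store path are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The Resource entry from the post (masked values kept as posted).
CONTEXT_XML = r'''<Context><Resource auth="Container"
  driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
  name="jdbc/connectionname" type="javax.sql.DataSource"
  url="jdbc:sqlserver://databaseinstallname\db_instancename:2369;databaseName=Images;encrypt=true;trustServerCertificate=true"
  username="*******" password="*******" /></Context>'''

# Constructed comparison URL: hypothetical host and trust store path.
HARDENED_URL = (r"jdbc:sqlserver://db.example.internal:1433;databaseName=Images;"
                r"encrypt=true;trustServerCertificate=false;"
                r"trustStore=C:\certs\truststore.jks")

def parse_sqlserver_url(url):
    """Split jdbc:sqlserver://server;key=value;... into (server, props)."""
    prefix = "jdbc:sqlserver://"
    if not url.lower().startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL")
    server, *pairs = url[len(prefix):].split(";")
    props = {}
    for pair in pairs:
        if "=" in pair:
            key, value = pair.split("=", 1)
            # Keys are lower-cased for lookup; whitespace is stripped so a
            # line-wrapped attribute value still parses (this script's choice).
            props[key.strip().lower()] = value.strip()
    return server.strip(), props

def audit(url):
    """Return findings about the encryption settings in one JDBC URL."""
    _, props = parse_sqlserver_url(url)
    findings = []
    if props.get("encrypt", "").lower() not in ("true", "strict"):
        findings.append("encrypt is not explicitly enabled in the URL")
    if props.get("trustservercertificate", "false").lower() == "true":
        findings.append("trustServerCertificate=true: traffic is encrypted "
                        "but the server certificate is not validated")
    return findings

def audit_context(xml_text):
    """Audit every SQL Server Resource in a context.xml document."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): audit(r.get("url"))
            for r in root.iter("Resource")
            if "sqlserver" in (r.get("driverClassName") or "").lower()}

if __name__ == "__main__":
    for name, findings in audit_context(CONTEXT_XML).items():
        print(name, findings or "no findings")
```
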
 
Saloon Keeper
Posts: 27763
Insecure traffic to a Microsoft server? Who'da thunk it?

JDBC has no inherent encryption capabilities itself. The only encryption you get is whatever the JDBC driver implements, and that is dependent on what, if any, data channel encryption the database server itself supports. So if the database server has no encrypted channels, no amount of work on the Tomcat side is going to give it any. If the JDBC driver doesn't have any code to use the database server's encryption scheme, you're likewise out of luck (unless you roll your own JDBC driver), and if the JDBC driver isn't encrypting all sensitive traffic, the best you can do is file a bug report (or, again, roll your own driver).

The fact that Oracle has no problems but SQL Server does would indicate a fault in the SQL Server JDBC driver. It may be that someone got sloppy, or it may actually mean that SQL Server left a security hole in that it doesn't start listening to encrypted traffic early enough.

 
A Farroll
Ranch Hand
Posts: 43
Thanks Tim Holloway. I have found a potential option in the SQL Server properties, Force Encryption, but the trouble is that option can only be applied if all applications connecting to the database use SSL, which I don't think they do, but I am checking with our infrastructure.

Regarding the JDBC, do you mean it is possible to amend the JDBC to ensure encryption takes place on each data transfer?

Thanks again

Regards

AJF
 
Tim Holloway
Saloon Keeper
Posts: 27763
SQL Server permits the definition of multiple channels and a selection of protocols. You might not be able to use the same TCP/IP port for both clear and encrypted data, but as long as it supports encryption, you should be able to have a channel defined that's secure. It has been a while since I configured a SQL Server, so I cannot remember the exact options.

As I said, encryption is not part of JDBC itself, as there's no standard for such things. Instead it's up to the designer of the JDBC driver to support whatever encryption scheme(s) the server might support (if any). That may or may not include SSL as an encryption protocol. It could be something proprietary, instead.
 