OpenSSL for JDBC clients
solidDB® JDBC driver supports SSL encrypted communications via the Java Secure Sockets Extension (JSSE). Secure communications for solidDB® JDBC driver require Java version 1.7 or higher.
Enabling secure communications between the solidDB server and the JDBC client
In order to establish encrypted communications via the solidDB® JDBC driver, the following JDBC connection property must be specified in the Java application:
solid_use_tls=[yes|no] Default value is no.
Either directly embedded in the DriverManager connection URL:
Connection c = DriverManager.getConnection("jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes");
or by specifying the same into a connection property object:
java.util.Properties prop = new java.util.Properties();
prop.put("solid_use_tls", "yes");
Connection c = DriverManager.getConnection("jdbc:solid://localhost:1315/dba/dba", prop);
Server SSL certificate verification in the solidDB JDBC client
By default, solidDB® JDBC driver does not verify the server’s SSL certificates. In other words, solidDB® JDBC driver will allow by default any SSL certificate from the communication counterpart and is thus vulnerable to man-in-the-middle attacks.
Using trusted server certificates in the solidDB JDBC client
To prevent man-in-the-middle attacks, you can restrict the JDBC client to communicate only with servers that can be identified by an existing server SSL certificate.
JSSE specifies an entity called “keystore” for holding the client’s private SSL keys as well as the SSL certificates of trusted communication counterparts.
The following standard JSSE properties can be used in the solidDB® JDBC driver to define the location of the JSSE keystore file, the password for accessing its contents, and the trust store file type, respectively.
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType
(Note that the javax.net.ssl.trustStoreType property is not mandatory in case the JSSE service provider default type was used when creating the actual keystore file.)
SSL connections to only trusted solidDB® servers are thus enabled by specifying the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties as follows:
System.setProperty("javax.net.ssl.trustStore", "./solidkeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeme");
Connection c = DriverManager.getConnection("jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes");
Or directly from the command line, using the following syntax:
java -Djavax.net.ssl.trustStore=value \
-Djavax.net.ssl.trustStorePassword=changeme <app name>
Importing an existing solidDB server certificate into a JSSE keystore using the java keytool
Assuming you have already created an OpenSSL certificate for the solidDB® server as a file called "server.crt", the certificate can be imported into the "solidkeystore.jks" JSSE keystore file using the Java keytool utility as follows:
keytool -importcert -trustcacerts -file server.crt -alias solidDB -keystore solidkeystore.jks
The Java keytool utility implicitly creates the "solidkeystore.jks" file (of type JKS) and prompts you to choose a password for encrypting and protecting the keystore contents. For more information, refer to the Java keytool documentation.
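A pre-flight check for the trust store described above, as an added example that is not part of the original guide or the solidDB product: it loads solidkeystore.jks, fails if the file is unreadable, holds no trusted certificate, or holds one outside its validity period, prints each SHA-256 fingerprint for comparison with server.crt, and only then sets the JSSE properties and connects. The class name SolidTlsPreflight and the environment variable SOLID_TRUSTSTORE_PASSWORD are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collections;

public class SolidTlsPreflight {  // hypothetical class name
    // Returns the number of trusted certificate entries in the store.
    // Throws if the store cannot be read or a certificate is outside its validity period.
    static int checkTrustStore(String path, char[] password) throws Exception {
        // Provider default type, matching the guide's note on javax.net.ssl.trustStoreType.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);  // fails on a missing file or a wrong password
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;  // skip private-key entries
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity();  // throws if expired or not yet valid
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02X", b));
            System.out.println(alias + " SHA-256 " + hex + " expires " + cert.getNotAfter());
            trusted++;
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        String store = "./solidkeystore.jks";
        // Assumed variable name; keeps the password out of source code and the command line.
        String pass = System.getenv("SOLID_TRUSTSTORE_PASSWORD");
        if (pass == null) throw new IllegalStateException("SOLID_TRUSTSTORE_PASSWORD is not set");
        if (checkTrustStore(store, pass.toCharArray()) == 0)
            throw new IllegalStateException("no trusted certificates in " + store);
        System.setProperty("javax.net.ssl.trustStore", store);
        System.setProperty("javax.net.ssl.trustStorePassword", pass);
        try (Connection c = DriverManager.getConnection(
                "jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes")) {
            System.out.println("connection established, closed=" + c.isClosed());
        }
    }
}
```

The printed fingerprint can be compared against the output of keytool -printcert -file server.crt before the application is deployed.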
See also
Connect strings for JDBC clients