Using trusted server certificates in the solidDB JDBC client
If the solidDB server is started without a server certificate and private key, the server generates a one-time self-signed certificate and corresponding private key for each incoming SSL client connection. The generated key is a 2048-bit RSA key, and the generated certificate acts only as a container for the public key.
However, this method does not protect against a ‘man-in-the-middle’ (MitM) attack and should not be used for sensitive communication over public networks, because the client cannot tell whether it has connected to a trustworthy solidDB server or to an impostor.
To prevent an MitM attack, you can restrict the JDBC client to communicate only with servers that can be identified by an existing server SSL certificate.
Java Secure Socket Extension (JSSE) specifies an entity called a keystore that is used to store the client private SSL keys as well as the SSL certificates of trusted communication counterparts.
You can configure the use of the keystore by using Java system properties or non-standard JDBC properties in the connection string.
Importing an existing solidDB server certificate into a JSSE keystore by using the java keytool
If you create an OpenSSL certificate for the solidDB server as a file called server.crt, you can import the certificate into a JSSE keystore file named solidkeystore.jks with the Java keytool utility by using the following command:
keytool -importcert -trustcerts -file server.crt -alias solidDB -keystore solidkeystore.jks
The Java keytool utility implicitly creates the solidkeystore.jks file (of type JKS) and prompts you for a password to encrypt the keystore contents. For more information, refer to Java keytool documentation.
Configuring the use of the JSSE keystore
You can configure the JDBC driver to use the certificate in the keystore by using one of the following methods.
Use non-standard JDBC properties (available in solidDB version 200.0.3 and later)
The following non-standard JDBC connection properties can be used in the connection string (see JDBC: Non-standard connection properties):
solid_truststore_path (defines location of the JSSE truststore file)
solid_truststore_pwd (defines the password for the JSSE truststore)
solid_keystore_path (defines the location of the JSSE keystore file)
solid_keystore_pwd (defines the password for the JSSE keystore)
Note If a single file is used for both the keystore and the truststore, you only need to include the solid_truststore_path and solid_truststore_pwd properties.
For example:
jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes?solid_truststore_path=./solidkeystore.jks?solid_truststore_pwd=changeme
Use standard JSSE properties
The following standard JSSE properties can be used in the solidDB JDBC driver:
javax.net.ssl.trustStore (defines location of the JSSE truststore file)
javax.net.ssl.trustStorePassword (defines the password for the truststore)
javax.net.ssl.trustStoreType (defines the trust store type)
javax.net.ssl.keyStore (defines location of the JSSE keystore file)
javax.net.ssl.keyStorePassword (defines the password for the keystore)
javax.net.ssl.keyStoreType (defines the key store type)
Note The javax.net.ssl.trustStoreType and javax.net.ssl.keyStoreType properties are not mandatory if the JSSE service provider default type was used when the keystore or truststore file was created.
Restrict SSL connections to trusted solidDB servers only by using one of the following methods:
specifying the Java system properties by using code similar to the following example in your application:
import java.sql.Connection;
import java.sql.DriverManager;
// Point JSSE at the truststore that holds the imported solidDB server certificate
System.setProperty("javax.net.ssl.trustStore","./solidkeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword","changeme");
Connection c = DriverManager.getConnection("jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes");
specifying the Java system properties directly from the command line, by using the following syntax:
java -Djavax.net.ssl.trustStore=./solidkeystore.jks \
-Djavax.net.ssl.trustStorePassword=changeme \
app-name
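The following added example (not part of the solidDB documentation or driver) shows the check a practitioner would want before relying on the system-property method above: it opens solidkeystore.jks, confirms that the entry imported under the alias solidDB is present and still valid, and only then sets the JSSE truststore properties and connects. The class name TrustedSolidConnect, the helper names and the hard-coded password are assumptions for illustration; the keystore, alias and connection string are the ones used on this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;

public class TrustedSolidConnect {

    // Open the JSSE keystore and verify that the expected solidDB server
    // certificate exists under the given alias and is within its validity period.
    // Failing here is preferable to connecting with a truststore that does not
    // actually pin the server, which would silently fall back to no server check.
    static X509Certificate loadTrustedServerCert(String path, char[] pwd, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pwd);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("alias '" + alias + "' not found in " + path);
        }
        cert.checkValidity(); // throws CertificateExpiredException / NotYetValidException
        return cert;
    }

    // Configure JSSE to trust only the certificates in the verified truststore,
    // then open the TLS-protected JDBC connection (URL as on this page).
    static Connection connect(String trustStorePath, String trustStorePwd) throws Exception {
        X509Certificate cert =
            loadTrustedServerCert(trustStorePath, trustStorePwd.toCharArray(), "solidDB");
        System.out.println("Trust anchor: " + cert.getSubjectX500Principal());
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
        return DriverManager.getConnection(
            "jdbc:solid://localhost:1315/dba/dba?solid_use_tls=yes");
    }

    public static void main(String[] args) throws Exception {
        // Password is hard-coded only for illustration (assumed value from this page);
        // a real application reads it from protected configuration.
        try (Connection c = connect("./solidkeystore.jks", "changeme")) {
            System.out.println("Connected to a solidDB server with a trusted certificate");
        }
    }
}
```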