how to provide password encryptions in JDBC connections

Connectivity
Enthusiast

how to provide password encryptions in JDBC connections

Hi,

   we have a requiremnt to enable auto connections for a JAVA application. we are using TD JDBC for connectivity. we understand SSO and TDWALLET isn't supported for this route of Teradata conenctions. we don't want to embed plain text passwords in JDBC connection strings. can you please suggest some alternate method to incoporate password encrytions in this scenario?

Regards

4 REPLIES
Teradata Employee

Re: how to provide password encryptions in JDBC connections

>>> we understand SSO and TDWALLET isn't supported for this route of Teradata conenctions.

Single Sign-On (SSO) is supported with Kerberos authentication. Please refer to the Teradata JDBC Driver User Guide section on Kerberos, and SSO with Kerberos.

http://developer.teradata.com/doc/connectivity/jdbc/reference/current/jdbcug_chapter_2.html#CCHCBHJI

>>> we don't want to embed plain text passwords in JDBC connection strings.

While the PASSWORD= connection parameter is supported, it is not required for an application to specify the password with the PASSWORD= connection parameter.

The application can instead specify the password by calling the DriverManager.getConnection method with a separate String password argument, or the application can all the DriverManager.getConnection method with a Properties argument that contains the password.

Please refer to the Teradata JDBC Driver User Guide section on the PASSWORD= connection parameter.

http://developer.teradata.com/doc/connectivity/jdbc/reference/current/jdbcug_chapter_2.html#URL_PASS...

>> can you please suggest some alternate method to incoporate password encrytions in this scenario?

Many Java applications such as Eclipse (which Teradata Studio is based on), and many commercial application servers such as WebSphere and WebLogic, provide an encrypted password store for JDBC data source passwords. If you are using one of those products, then your JDBC data source passwords are already protected.

The concern about a lack of stored password protection typically relates to command-line Java applications that may store JDBC data source passwords in cleartext configuration files. To assist those types of applications, encrypted password support is on the product roadmap for the Teradata JDBC Driver. We plan to introduce a password encryption feature for the Teradata JDBC Driver. Initially, it will be a separate feature from Teradata Wallet. They may interoperate at some point in the future, but we do not have any plans for that yet.

In the meantime, your options are limited. If you are developing this application, then you can choose to store the JDBC password in encrypted form in your application's configuration file, and use the JDK's decryption APIs to decrypt the password after reading from the configuration file.

Enthusiast

Re: how to provide password encryptions in JDBC connections

Thanks Tom,

       very helpful. do you know, if we need to set up application specific realms. I see following example settings in the documentation.

================================================

ticket_lifetime = 6000

default_realm = ESROOTDOM.ESDEV.TDAT

clockskew = 13000

default_tkt_enctypes = des-cbc-md5

default_tgs_enctypes = des-cbc-md5

checksum_type=2

[realms]

ESROOTDOM.ESDEV.TDAT = {

kdc = esroot.esrootdom.esdev.tdat:88

default_domain = esrootdom

}

[domain_realm]

esrootdom = {

.esrootdom = ESROOTDOM.ESDEV.TDAT

esrootdom = ESROOTDOM.ESDEV.TDAT

}

Teradata Employee

Re: how to provide password encryptions in JDBC connections

>>> if we need to set up application specific realms

No, application-specific realms are not required for Kerberos.

Highlighted
Teradata Employee

Re: how to provide password encryptions in JDBC connections

Teradata JDBC Driver Stored Password Protection is now available, beginning with Teradata JDBC Driver version 16.00.00.24.
http://developer.teradata.com/doc/connectivity/jdbc/reference/current/jdbcug_chapter_2.html#SPPSECTI...

 

Please note that Teradata JDBC Driver Stored Password Protection is separate from Teradata Wallet. At the present time, there is no interoperability between the two features, but that may be added in the future.