Monday, October 1, 2012

GlassFish3: Using encrypted password for JDBC connections

If you have configured a jdbc-connection-pool or a jms-connection on GlassFish 3, you may have noticed that the passwords are stored in plain text in config/domain.xml. That is unfortunate, and the security guy in your organization may give you a hard time for it.

Hopefully a future release of GlassFish will make encrypted password storage the DEFAULT, but until then, creating a password alias is a satisfactory alternative. There is plenty of documentation on the create-password-alias command, but I thought a really simple example in this context would help.

Let's create a jdbc-connection-pool called MyConnectionPool from the command line. It can be done with a single command, or just as easily through the admin console. Note that the password property is set to an alias reference of the form ${ALIAS=name} rather than to the password itself:

asadmin> create-jdbc-connection-pool --datasourceclassname oracle.jdbc.pool.OracleDataSource --restype javax.sql.DataSource MyConnectionPool

asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.user=dbuser
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.password=${ALIAS=db_password_alias}
asadmin> set resources.jdbc-connection-pool.MyConnectionPool.property.url="jdbc:oracle:thin:@host:port:service"

And if you look at domain.xml, you will see something like this:

      <property name="password" value="${ALIAS=db_password_alias}"></property>

Now let's provide the actual password, the one we want to store in encrypted form:

asadmin> create-password-alias
Enter the value for the aliasname operand>
db_password_alias
Enter the alias password> *******
Enter the alias password again> ******
Command create-password-alias executed successfully.

You can take a peek at the config/domain-passwords file, which maps aliases to passwords, and confirm that the password you entered above cannot be read from it. Keep in mind that this file is encrypted with the domain's master password, so the protection is only as strong as that password; if it is still the default (changeit), change it with change-master-password. That's it, but don't forget to verify that a connection can actually be obtained using the aliased password:

asadmin> ping-connection-pool MyConnectionPool
Command ping-connection-pool executed successfully.

If you fat-fingered it, or if you would like to change the password later, use the update-password-alias command. Refer to the GlassFish commands documentation for more information; the commands above also work in non-interactive mode if you prefer to script them.
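As an added example (not part of the original post), here is a small POSIX shell audit for the two things that go wrong in practice: a password property left in clear text in domain.xml, and a ${ALIAS=...} reference whose alias was never created (the usual reason ping-connection-pool fails afterwards). It runs on a constructed sample domain.xml and assumes the alias list is the output of `asadmin list-password-aliases`, one alias per line plus a trailing status line.

```shell
#!/bin/sh
# Added example, not from the original post: audit a GlassFish 3 domain.xml so that
# (1) no <property name="password" ...> still carries a clear-text value, and
# (2) every ${ALIAS=name} it references actually exists in the domain, using the
# output of `asadmin list-password-aliases` (assumed: one alias per line plus a
# trailing "Command ... executed successfully." status line, which is skipped).

# Number of password properties whose value is NOT a ${ALIAS=...} reference.
count_cleartext_passwords() {
    grep -E '<property[[:space:]]+name="password"' "$1" \
        | grep -vcE 'value="[$][{]ALIAS=[^}]+[}]"' || true   # grep -c exits 1 on a 0 count
}

# Alias names referenced anywhere in domain.xml, one per line, de-duplicated.
referenced_aliases() {
    grep -oE '[$][{]ALIAS=[^}]+[}]' "$1" | sed 's/^.*ALIAS=//; s/}$//' | sort -u
}

# Referenced aliases that are missing from the alias list (a typo here is the usual
# reason ping-connection-pool fails after switching to ${ALIAS=...}).
dangling_aliases() {
    known=$(mktemp)
    grep -v '^Command ' "$2" | sort -u > "$known"
    referenced_aliases "$1" | comm -23 - "$known"
    rm -f "$known"
}

# --- constructed sample input, mirroring the snippet shown in the post ---
sample_xml=$(mktemp); alias_list=$(mktemp)
trap 'rm -f "$sample_xml" "$alias_list"' EXIT
cat > "$sample_xml" <<'EOF'
<resources>
  <jdbc-connection-pool name="MyConnectionPool" datasource-classname="oracle.jdbc.pool.OracleDataSource">
    <property name="user" value="dbuser"></property>
    <property name="password" value="${ALIAS=db_password_alias}"></property>
  </jdbc-connection-pool>
  <jdbc-connection-pool name="LegacyPool" datasource-classname="oracle.jdbc.pool.OracleDataSource">
    <property name="password" value="hunter2"></property>
  </jdbc-connection-pool>
  <jdbc-connection-pool name="ReportsPool" datasource-classname="oracle.jdbc.pool.OracleDataSource">
    <property name="password" value="${ALIAS=reports_pw}"></property>
  </jdbc-connection-pool>
</resources>
EOF
printf 'db_password_alias\nCommand list-password-aliases executed successfully.\n' > "$alias_list"

echo "clear-text passwords still in domain.xml: $(count_cleartext_passwords "$sample_xml")"  # 1
echo "aliases referenced but never created:"; dangling_aliases "$sample_xml" "$alias_list"  # reports_pw
```

Against a real domain, point the functions at config/domain.xml and at a file holding the output of `asadmin list-password-aliases`.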

Good luck getting that security guy off your back!