This document describes how to configure the Teradata JDBC Driver Stored Password Protection feature on the Linux platform using the SSH file system (sshfs).
Stored Password Protection uses two Java properties files, a password-encryption-key file and an encrypted-password file, to provide the password for logging onto a database. The properties files can be kept on network volumes rather than on the client itself, so that a stolen client machine does not yield the files. With sshfs the volumes are accessed over SSH, so the contents of both files are encrypted in transit.
This document was written using SUSE Linux 11 and 12 systems.
A total of four Linux systems will be used as shown in the table below.
System | Requirement | Description
system1 | JDK, GCC (GNU Compiler Collection) | Contains the TJEncryptPassword.java sample program and terajdbc4.jar (plus tdgssconfig.jar for driver versions before 16.20.00.11); the properties files are generated here
server1 | GCC (GNU Compiler Collection) | Contains the password-encryption-key properties file
server2 | GCC (GNU Compiler Collection) | Contains the encrypted-password properties file
client1 | JDK, sshfs | Contains the LogonTest.java sample program and terajdbc4.jar (plus tdgssconfig.jar for driver versions before 16.20.00.11); mounts the volumes of "server1" and "server2"
Install sshfs on the Linux client system. sshfs can be downloaded from https://github.com/libfuse/sshfs. See the README.md at that link, or in the download package, for installation instructions.
As stated in README.md, FUSE 2.2 or later and glib2.0 must be installed before sshfs is built.
FUSE can be downloaded from https://github.com/libfuse/libfuse. Refer to the README.md file in the FUSE download for installation instructions.
Both sshfs and FUSE are needed on the Linux client system only; the servers need nothing beyond an OpenSSH server, because sshfs is an SFTP client.
To avoid running anything as root, a non-root user is used to store the properties files on the servers and to create and access the sshfs mounts on the client. The same non-root user should exist on "server1", "server2", and "client1". In practice the account would come from a central directory such as LDAP; local users are used here to keep the example simple.
The user "user1" with the password "password1" will be created (both values are placeholders for this example). Logged in as "root" on each Linux system, create the non-root user as follows:
Command | Description
useradd -d /home/user1 -m user1 | Create the new user and its home directory
passwd user1 | Set the user's password
NOTE: A user and group can also be created using the Linux system administration tool "YaST".
Make the following change to the OpenSSH server configuration file:
File | Setting | Value
/etc/ssh/sshd_config | PasswordAuthentication | yes
This entry only needs to be changed on "server1" and "server2", as sshd_config configures the OpenSSH server only; restart sshd after editing it. The change is needed because the sshfs commands in this document authenticate with the password of "user1". If key-based authentication is set up for "user1" instead, PasswordAuthentication can stay at "no": sshfs runs the system ssh client and uses its keys automatically, which is the preferable setup.
This section creates the encrypted password properties files needed for the Stored Password Protection example. The properties files are created with the TJEncryptPassword.java sample program, which is part of the Teradata JDBC Driver sample programs. Full documentation on how to run the program is included in the program file.
On "system1", the properties files that will be created are PassKey.properties (the password-encryption-key file) and EncPass.properties (the encrypted-password file).
In a directory on the Linux system "system1", as listed in Prerequisites, compile TJEncryptPassword.java and run the program as follows:
javac TJEncryptPassword.java
java -cp .:terajdbc4.jar TJEncryptPassword AES/CBC/NoPadding -default HmacSHA1 PassKey.properties EncPass.properties dbs1 user1 password1
Older versions prior to Teradata JDBC Driver 16.20.00.11 require tdgssconfig.jar
to be listed on the classpath as follows:
java -cp .:terajdbc4.jar:tdgssconfig.jar TJEncryptPassword AES/CBC/NoPadding -default HmacSHA1 PassKey.properties EncPass.properties dbs1 user1 password1
The command will encrypt the database password "password1" and generate two Stored Password Protection properties files. One file contains the password-encryption-key and the other contains the encrypted-password. These two files that have been created on "system1" will be copied to the server systems in the next section.
Once the password-encryption-key and encrypted-password properties files have been created, copy them to the Linux server systems, each to its own server, and restrict them so that only "user1" can read them (for example with chmod 600); no other account on the servers needs access. The mount and classpath examples later in this document assume the following locations in the home directory of "user1":
As an example, on "server1": /home/user1/JdbcKey/PassKey.properties
As an example, on "server2": /home/user1/JdbcPass/EncPass.properties
The encrypted password properties files generated above in Create the encrypted password properties files for Stored Password Protection, created by the TJEncryptPassword.java sample program, are resources that will be accessed by the Teradata JDBC Driver.
These resources are accessed either via the classpath or as files directly, by specifying a prefix of either classpath: or file: in the ENCRYPTED_PASSWORD string.
To access the resource files using classpath access, the following syntax is used:
"ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties)"
For security, classpath resources are required to have specific resource name prefixes. The PasswordEncryptionKeyResourceName (PassKey.properties is used in this document) must begin with "PassKey" and the EncryptedPasswordResourceName (EncPass.properties is used in this document) must begin with "EncPass".
To access the resource files using file access, the following syntax is used:
"ENCRYPTED_PASSWORD(file:PassKey.properties,file:EncPass.properties)"
There is no prefix requirement for the resource name when using file access.
For simplicity, the examples in this document use the same resource names "PassKey.properties" and "EncPass.properties" for both classpath and file access.
For further examples of file access using the current directory, relative paths, and absolute paths, refer to the documentation in the program file.
Teradata JDBC Driver Stored Password Protection offers flexibility for accessing the password-encryption-key file and the encrypted-password file.
In general, classpath access offers greater control and security, because the driver only loads resources with the required name prefixes from directories you put on the classpath, whereas file access offers greater flexibility, because any readable path can be named.
In this section, we will run a sample Java program LogonTest.java using Stored Password Protection on the Linux client system "client1", using both classpath and file access.
Place LogonTest.java and terajdbc4.jar (copied from "system1") in a directory on "client1".
Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar.
Compile the sample program:
javac LogonTest.java
Create a mount point for each server:
mkdir mnt1
mkdir mnt2
Mount the home directory of "user1" on "server1" (with no path after the colon, sshfs mounts the remote user's home directory):
sshfs username@host: mountpoint
Example: sshfs user1@server1: ./mnt1
Using the command in this format, sshfs will prompt for the password of the remote user.
Mount the home directory of "user1" on "server2" in the same way:
sshfs username@host: mountpoint
Example: sshfs user1@server2: ./mnt2
Using the command in this format, sshfs will prompt for the password of the remote user.
NOTE: The two sshfs commands above are examples of mounting a volume from a remote Linux system as a non-root user. Run them as "user1" on "client1"; by default a FUSE mount is accessible only to the user who mounted it, so the properties files are not exposed to other local users.
java -classpath .:./terajdbc4.jar:./mnt1/JdbcKey:./mnt2/JdbcPass LogonTest jdbc:teradata://dbs1 user1 "ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties)"
Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar
to be listed on the classpath.
The following results are returned:
Connecting to jdbc:teradata://dbs1 with user user1 and password ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties) Successfully logged on Closing Connection Pass
java -classpath .:./terajdbc4.jar LogonTest jdbc:teradata://dbs1 user1 "ENCRYPTED_PASSWORD(file:./mnt1/JdbcKey/PassKey.properties,file:./mnt2/JdbcPass/EncPass.properties)"
Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar
to be listed on the classpath.
The following results are returned:
Connecting to jdbc:teradata://dbs1 with user user1 and password ENCRYPTED_PASSWORD(file:./mnt1/JdbcKey/PassKey.properties,file:./mnt2/JdbcPass/EncPass.properties) Successfully logged on Closing Connection Pass
These examples use the properties files created in the previous section Create the encrypted password properties files for Stored Password Protection. When finished, unmount the volumes with fusermount -u ./mnt1 and fusermount -u ./mnt2 so that the properties files do not remain reachable from the client.
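The following shell script is an added example, not part of the Teradata documentation or its sample programs. It performs the checks a practitioner would want on "client1" before handing the ENCRYPTED_PASSWORD argument to LogonTest as in the two runs above: that ./mnt1 and ./mnt2 really are sshfs mounts from the expected servers (a failed sshfs mount leaves an ordinary empty directory behind, and a stale local copy of the properties files in it would be read without complaint), that the properties files exist and carry no permission bits for group or others, and that classpath resource names carry the PassKey and EncPass prefixes described in the section on accessing the properties files. The mount points, the JdbcKey and JdbcPass directories and the "user1@server1:" and "user1@server2:" sources are assumptions taken from the examples in this document; the /proc/mounts format is Linux's. The optional last argument of sshfs_mounted and preflight exists only so the functions can be exercised against a constructed mounts file.

```shell
#!/bin/sh
# Added example: pre-flight checks for the client-side Stored Password Protection
# setup shown in this document (not part of the Teradata sample programs).
# Assumed layout (from the examples above): PassKey.properties in JdbcKey/ under
# user1's home on server1, mounted at ./mnt1; EncPass.properties in JdbcPass/
# under user1's home on server2, mounted at ./mnt2.

# sshfs_mounted MOUNTPOINT EXPECTED_SOURCE [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT appears in /proc/mounts (or MOUNTS_FILE, used by
# the tests) with filesystem type fuse.sshfs and the expected "user@host:" source.
# A failed sshfs mount leaves a plain directory, which this check rejects.
sshfs_mounted() {
    mp=$1; src=$2; mounts=${3:-/proc/mounts}
    mp=$(cd "$mp" 2>/dev/null && pwd -P) || return 1   # canonical path, as listed in /proc/mounts
    awk -v mp="$mp" -v src="$src" '
        $1 == src && $2 == mp && $3 == "fuse.sshfs" { found = 1 }
        END { exit found ? 0 : 1 }' "$mounts"
}

# private_file PATH
# Succeeds if PATH is a regular file with no permission bits for group or others
# (for example mode 600 or 400), i.e. only its owner can read the key or password.
private_file() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# classpath_resource_ok ROLE NAME
# The driver only loads classpath resources whose names start with PassKey (for
# the key file) or EncPass (for the encrypted-password file). file: access has
# no such requirement.
classpath_resource_ok() {
    case "$1:$2" in
        key:PassKey*)  return 0 ;;
        pass:EncPass*) return 0 ;;
    esac
    return 1
}

# encrypted_password_arg MODE KEYFILE PASSFILE
# Prints the password argument for LogonTest. For classpath access only the
# base names go into the string (their directories go on -classpath) and the
# prefix rule is enforced; for file access the paths are used as given.
encrypted_password_arg() {
    mode=$1; key=$2; pass=$3
    case "$mode" in
        classpath)
            key=${key##*/}; pass=${pass##*/}
            classpath_resource_ok key "$key" && classpath_resource_ok pass "$pass" || return 1
            ;;
        file) ;;
        *) return 1 ;;
    esac
    printf 'ENCRYPTED_PASSWORD(%s:%s,%s:%s)\n' "$mode" "$key" "$mode" "$pass"
}

# preflight KEYMOUNT KEYSOURCE PASSMOUNT PASSSOURCE [MOUNTS_FILE]
# Verifies both mounts and both files, then prints the file-access argument.
# Usage on client1, as user1, after the two sshfs commands above:
#   arg=$(preflight ./mnt1 user1@server1: ./mnt2 user1@server2:) &&
#   java -classpath .:./terajdbc4.jar LogonTest jdbc:teradata://dbs1 user1 "$arg"
preflight() {
    sshfs_mounted "$1" "$2" "$5" || { echo "$1 is not an sshfs mount from $2" >&2; return 1; }
    sshfs_mounted "$3" "$4" "$5" || { echo "$3 is not an sshfs mount from $4" >&2; return 1; }
    keyfile=$1/JdbcKey/PassKey.properties
    passfile=$3/JdbcPass/EncPass.properties
    private_file "$keyfile"  || { echo "$keyfile is missing or readable by others" >&2; return 1; }
    private_file "$passfile" || { echo "$passfile is missing or readable by others" >&2; return 1; }
    encrypted_password_arg file "$keyfile" "$passfile"
}
```

The mount check deliberately matches the source field as well as the filesystem type, so a mount from the wrong server (for instance both volumes accidentally mounted from "server1") is rejected, which keeps the key file and the encrypted-password file on separate hosts as the layout above intends.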