How to use Stored Password Protection with sshfs

Preface

This document describes how to configure the Teradata JDBC Driver Stored Password Protection feature on the Linux platform using the SSH file system (sshfs).

Stored Password Protection uses two Java properties files: a password-encryption-key file and an encrypted-password file to provide a password for logging onto a database. The properties files can be located on a network volume to prevent loss of the file in case the physical client machine is stolen. To protect their contents while in transit, an encrypted protocol is used.


Prerequisites

This document is written using SUSE Linux 11 & 12 systems.

A total of four Linux systems will be used as shown in the table below.

System: system1
  Requirement: JDK, GCC (GNU Compiler Collection)
  Description: Contains:
    • Teradata JDBC Driver
    • password-encryption-key properties file
    • encrypted-password properties file

System: server1
  Requirement: GCC (GNU Compiler Collection)
  Description: Contains the password-encryption-key properties file

System: server2
  Requirement: GCC (GNU Compiler Collection)
  Description: Contains the encrypted-password properties file

System: client1
  Requirement: JDK, sshfs (which needs FUSE and glib2.0)
  Description: Contains:
    • Teradata JDBC Driver
    • sample Java program


Install sshfs

Install sshfs on the Linux client system. sshfs can be downloaded from https://github.com/libfuse/sshfs. View the README.md from the link or the download package for installation instructions.


Install FUSE

As stated in README.md, FUSE 2.2 or later and glib2.0 need to be installed prior to installing sshfs.

FUSE can be downloaded from https://github.com/libfuse/libfuse.

Refer to the README.md file from the FUSE download for installation instructions.


Both sshfs and FUSE are needed on the Linux client system only.



Create non-root user and group

To limit root privileges, a non-root user should be used to store and access the sshfs mount. The non-root user should be created on "server1", "server2", and "client1". This would normally be done by setting up an LDAP server, but we will use local users to simplify the example.

The user "user1" and password "password1" will be created. Logged in as "root" on the Linux system, create the non-root user as follows:

Command: useradd -d /home/user1 -m user1
  Description: Create new user and home directory

Command: passwd user1
  Description: Change user password

NOTE: A user and group can also be created using the Linux system administration tool "YaST".



Edit the configuration file for OpenSSH server

Make the following change to the OpenSSH server configuration file.

File: /etc/ssh/sshd_config
  Setting: PasswordAuthentication
  Value: yes

This entry only needs to be changed on "server1" and "server2" as sshd_config is the configuration file for OpenSSH server only.


Create the encrypted properties files for Stored Password Protection

This section will create the encrypted password properties files needed for the Stored Password Protection example. The properties files will be created with the TJEncryptPassword.java sample program that is part of the Teradata JDBC Driver sample programs. Full documentation on how to run the program is included in the program file.

On "system1", the properties files that will be created are:

  • PassKey.properties, the password-encryption-key properties file
  • EncPass.properties, the encrypted-password properties file

In a directory on the Linux system "system1" as listed in Prerequisites, compile TJEncryptPassword.java and run the program as follows:

javac TJEncryptPassword.java

java -cp .:terajdbc4.jar TJEncryptPassword AES/CBC/NoPadding -default HmacSHA1 PassKey.properties EncPass.properties dbs1 user1 password1


Older versions prior to Teradata JDBC Driver 16.20.00.11 require tdgssconfig.jar to be listed on the classpath as follows:

java -cp .:terajdbc4.jar:tdgssconfig.jar TJEncryptPassword AES/CBC/NoPadding -default HmacSHA1 PassKey.properties EncPass.properties dbs1 user1 password1


The command will encrypt the database password "password1" and generate two Stored Password Protection properties files. One file contains the password-encryption-key and the other contains the encrypted-password. These two files that have been created on "system1" will be copied to the server systems in the next section.


Copy the properties files

Once the password-encryption-key and encrypted-password properties files have been created, they need to be copied to the Linux server systems.

As an example, on "server1":

  1. log in as non-root user "user1"
  2. mkdir JdbcKey
  3. cd JdbcKey
  4. copy PassKey.properties here
  5. chmod 400 PassKey.properties


As an example, on "server2":

  1. log in as non-root user "user1"
  2. mkdir JdbcPass
  3. cd JdbcPass
  4. copy EncPass.properties here
  5. chmod 400 EncPass.properties


Access the encrypted password properties files for Stored Password Protection

The properties files generated by the TJEncryptPassword.java sample program in the section Create the encrypted properties files for Stored Password Protection above are resources that the Teradata JDBC Driver will read. Each resource is accessed either via the classpath or directly as a file, selected by a prefix of classpath: or file: on the resource name in the ENCRYPTED_PASSWORD string.


Use Stored Password Protection with Classpath Access

To access the resource files using classpath access, the following syntax is used:

"ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties)"


For security, classpath resources are required to have specific resource name prefixes. The PasswordEncryptionKeyResourceName (PassKey.properties is used in this document) must begin with "PassKey" and the EncryptedPasswordResourceName (EncPass.properties is used in this document) must begin with "EncPass".


Use Stored Password Protection with File Access

To access the resource files using file access, the following syntax is used:

"ENCRYPTED_PASSWORD(file:PassKey.properties,file:EncPass.properties)"


There is no prefix requirement for the resource name when using file access.

For simplicity, the examples in this document use the same resource names "PassKey.properties" and "EncPass.properties" for both classpath and file access.

For further examples of file access using the current directory, relative paths, and absolute paths, refer to the documentation in the program file.
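As an added pre-flight check (example code, not part of the Teradata documentation or driver), the shell functions below validate an ENCRYPTED_PASSWORD string against the rules in the two sections above: the classpath: / file: prefix on each resource, the PassKey / EncPass name requirement for classpath resources, and the chmod 400 applied to the copied files. It assumes GNU or BSD stat is available and treats the final path component of a classpath resource as its name.

```shell
# Added example, not part of the Teradata documentation or driver: pre-flight
# check of an ENCRYPTED_PASSWORD(...) string before it is passed to LogonTest.
# Rules applied: exactly two comma-separated resources, each prefixed classpath:
# or file:; classpath names must begin with PassKey and EncPass respectively;
# file resources must be readable and mode 400. Assumes GNU or BSD stat.

# check_resource <position 1|2> <prefix:name>; returns 0 when acceptable
check_resource() {
    pos=$1; spec=$2
    scheme=${spec%%:*}
    name=${spec#*:}
    if [ "$scheme" = "$spec" ]; then
        echo "missing classpath:/file: prefix in '$spec'" >&2; return 1
    fi
    if [ "$pos" = 1 ]; then want=PassKey; else want=EncPass; fi
    case $scheme in
        classpath)
            case ${name##*/} in
                "$want"*) ;;
                *) echo "classpath resource '$name' must begin with $want" >&2; return 1 ;;
            esac ;;
        file)
            if [ ! -r "$name" ]; then
                echo "file resource '$name' is not readable" >&2; return 1
            fi
            mode=$(stat -c %a "$name" 2>/dev/null || stat -f %Lp "$name")
            if [ "$mode" != 400 ]; then
                echo "file resource '$name' has mode $mode, expected 400" >&2; return 1
            fi ;;
        *) echo "unknown prefix '$scheme' in '$spec'" >&2; return 1 ;;
    esac
}

# check_spec "ENCRYPTED_PASSWORD(res1,res2)"; returns 0 when both resources pass
check_spec() {
    spec=$1
    case $spec in
        "ENCRYPTED_PASSWORD("*")") ;;
        *) echo "not an ENCRYPTED_PASSWORD(...) specification" >&2; return 1 ;;
    esac
    inner=${spec#"ENCRYPTED_PASSWORD("}
    inner=${inner%")"}
    first=${inner%%,*}
    second=${inner#*,}
    if [ "$first" = "$inner" ] || [ "${second#*,}" != "$second" ]; then
        echo "expected exactly two comma-separated resources" >&2; return 1
    fi
    check_resource 1 "$first" && check_resource 2 "$second"
}
```

Run check_spec with the exact string that will be passed to LogonTest; a non-zero exit and a message on stderr identify which resource would be rejected or left world-readable.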



Comparison of Classpath Access Versus File Access

Teradata JDBC Driver Stored Password Protection offers flexibility for accessing the password-encryption-key file and the encrypted-password file.

In general, classpath access offers greater control and security, whereas file access offers greater flexibility.



Run a Java program using Stored Password Protection

In this section, we will run a sample Java program LogonTest.java using Stored Password Protection on the Linux client system "client1" using both classpath and file access.

On the Linux client system:

  1. Log in as non-root user "user1"
  2. Copy the Teradata JDBC Driver terajdbc4.jar from "system1" to a directory on "client1". Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar.
  3. Save LogonTest.java to the same directory used for step #2
  4. Compile the sample program LogonTest.java with the command: javac LogonTest.java
  5. mkdir mnt1
  6. mkdir mnt2
  7. Mount the remote directory on "server1" using sshfs

    Example: sshfs user1@server1: ./mnt1

    Using the command in this format, sshfs will prompt for a password for the remote user.

  8. Mount the remote directory on "server2" using sshfs

    Example: sshfs user1@server2: ./mnt2

    Using the command in this format, sshfs will prompt for a password for the remote user.

  9. NOTE: Steps #7 and #8 above are examples of mounting an sshfs volume on a remote Linux system as a non-root user.

  10. Run the sample Java program using the encrypted password with either classpath or file access (see examples below)

Run the sample Java program with classpath access

(All on one line)

java -classpath .:./terajdbc4.jar:./mnt1/JdbcKey:./mnt2/JdbcPass LogonTest jdbc:teradata://dbs1 user1 "ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties)"


Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar to be listed on the classpath.


The following results are returned:

Connecting to jdbc:teradata://dbs1 with user user1 and password ENCRYPTED_PASSWORD(classpath:PassKey.properties,classpath:EncPass.properties)
Successfully logged on
Closing Connection
Pass

Run the sample Java program with file access

(All on one line)

java -classpath .:./terajdbc4.jar LogonTest jdbc:teradata://dbs1 user1 "ENCRYPTED_PASSWORD(file:./mnt1/JdbcKey/PassKey.properties,file:./mnt2/JdbcPass/EncPass.properties)"


Older versions prior to Teradata JDBC Driver 16.20.00.11 also require tdgssconfig.jar to be listed on the classpath.


The following results are returned:

Connecting to jdbc:teradata://dbs1 with user user1 and password ENCRYPTED_PASSWORD(file:./mnt1/JdbcKey/PassKey.properties,file:./mnt2/JdbcPass/EncPass.properties)
Successfully logged on
Closing Connection
Pass

These examples use the properties files created in the previous section Create the encrypted properties files for Stored Password Protection.