Introduction

  • Usually, a user name and password are specified when connecting to a database.

  • Such configurations are considered insecure as passwords are stored in clear text in external files or in job parameters.
  • The SQL Server® provides a means to connect to a database without specifying a user account and password.

Integrated Security

This authentication scheme is based on the fact that the account that a component is operated for is already authenticated by the OS and can therefore access a database without specifying user/password credentials.

Prerequisites

The following prerequisites apply:

  • a domain account has to be set up before installation of the JOC Cockpit for the user account that connects to the database,
  • to set up a Hibernate configuration file, see JS7 - Database:
    • Users can create an individual Hibernate configuration file and make the installer use this file. The hibernate.connection.url property in this file has to include the IntegratedSecurity=true setting, no user name or password has to be specified.
    • This configuration will implicitly use the domain account that JOC Cockpit is operated for.

      Add IntegratedSecurity=true property
      <property name"hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=true;selectMethod=cursor;databaseName=[databasename]</property>
      <property name="hibernate.connection.username"></property> 
      <property name="hibernate.connection.password"></property>
      

Use with Windows

The SQL Server® JDBC Driver distribution usually ships with a library for authentication purposes with a name such as sql_jdbc.dll or  mssql-jdbc_auth-9.2.1.x64.dll or similar. This library should be added to a location that is specified with the Windows PATH environment variable for the JOC Cockpit Windows Service. Alternatively, it can simply be stored in the C:\Windows\System32 directory or to the bin directory of the Java JDK/JRE in use.

Use with Linux

Rumor says that Integrated Security with Linux operating systems should be possible by using the Kerberos integration layer.

However, SOS has no information about a securely working environment that would allow a Linux operating system account to connect to SQL Server® without a password.

Troubleshooting

If you modified an existing Hibernate configuration file to use a connection to SQL Server® with a Windows domain account then it might happen that you receive an error message like this during installation:

 SQLException: Login failed for user 'DOMAIN\USER'


A check of the SQL Server® logs might indicate that the given User ID that tried to establish the connection presented itself as an SQL\USER account, instead of a DOMAIN\USER account.

Consider using the IntegratedSecurity=true setting with your Hibernate configuration file:

  • modify JETTY_BASE/resources/joc/hibernate.cfg.xml:

    Add IntegratedSecurity=true property
    <property name"hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=true;selectMethod=cursor;databaseName=[databasename]</property>