Introduction
Usually, a user name and password are specified when connecting to a database.
- Such configurations are considered insecure as passwords are stored in clear text in external files or in job parameters.
- SQL Server® provides a means to connect to a database without specifying a user account and password.
Integrated Security
This authentication scheme relies on the fact that the account a component is operated with is already authenticated by the OS and can therefore access a database without specifying user/password credentials.
Prerequisites
The following prerequisites apply:
- a domain account has to be set up before installation of the JOC Cockpit for the user account that connects to the database,
- to set up a Hibernate configuration file, see JS7 - Database:
- Users can create an individual Hibernate configuration file and make the installer use this file. The hibernate.connection.url property in this file has to include the IntegratedSecurity=true setting; no user name or password has to be specified. This configuration will implicitly use the domain account that JOC Cockpit is operated with.

Add IntegratedSecurity=true property

    <property name="hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=true;selectMethod=cursor;databaseName=[databasename]</property>
    <property name="hibernate.connection.username"></property>
    <property name="hibernate.connection.password"></property>
Use with Windows
The SQL Server® JDBC Driver distribution usually ships with a library for authentication purposes with a name such as sql_jdbc.dll or mssql-jdbc_auth-9.2.1.x64.dll or similar. This library should be added to a location that is specified with the Windows PATH environment variable for the JOC Cockpit Windows Service. Alternatively, it can simply be stored in the C:\Windows\System32 directory or in the bin directory of the Java JDK/JRE in use.
Use with Linux
Rumor says that Integrated Security with Linux operating systems should be possible by using the Kerberos integration layer.
However, SOS has no information about a securely working environment that would allow a Linux operating system account to connect to SQL Server® without a password.
Troubleshooting
If you modified an existing Hibernate configuration file to use a connection to SQL Server® with a Windows domain account then it might happen that you receive an error message like this during installation:
SQLException: Login failed for user 'DOMAIN\USER'
A check of the SQL Server® logs might indicate that the given User ID that tried to establish the connection presented itself as an SQL\USER account, instead of a DOMAIN\USER account.
Consider using the IntegratedSecurity=true setting with your Hibernate configuration file. Modify JETTY_BASE/resources/joc/hibernate.cfg.xml:

Add IntegratedSecurity=true property

    <property name="hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=true;selectMethod=cursor;databaseName=[databasename]</property>
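
A pre-installation check for the situation described above, where an existing Hibernate configuration file was only partly changed over to Integrated Security. This is an added example, not part of JS7 or the original page; the function names, the host name and the sample file content are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an existing config that was not fully switched over.
SAMPLE_CFG = """<hibernate-configuration><session-factory>
 <property name="hibernate.connection.url">jdbc:sqlserver://dbhost.example:1433;sendStringParametersAsUnicode=true;selectMethod=cursor;databaseName=js7</property>
 <property name="hibernate.connection.username">jobscheduler</property>
 <property name="hibernate.connection.password">constructed-secret</property>
</session-factory></hibernate-configuration>"""


def parse_jdbc_url(url):
    """Split a jdbc:sqlserver URL into (server part, {lowercased key: value}).

    Brace-escaped values ({...}) containing ';' are not handled here.
    """
    head, _, tail = url.partition(";")
    props = {}
    for item in filter(None, (p.strip() for p in tail.split(";"))):
        key, _, value = item.partition("=")
        props[key.strip().lower()] = value.strip()
    return head, props


def audit_hibernate_cfg(xml_text):
    """Return findings; an empty list means the file matches the setup above."""
    root = ET.fromstring(xml_text)
    cfg = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    url = cfg.get("hibernate.connection.url", "")
    if not url.startswith("jdbc:sqlserver://"):
        return ["hibernate.connection.url is missing or not a jdbc:sqlserver URL"]
    findings = []
    _, props = parse_jdbc_url(url)
    # Compare case-insensitively so that e.g. integratedSecurity=TRUE is accepted.
    if props.get("integratedsecurity", "").lower() != "true":
        findings.append("URL lacks IntegratedSecurity=true")
    for key in ("user", "username", "password"):
        if props.get(key):
            findings.append(f"URL carries a clear-text '{key}' property")
    for name in ("hibernate.connection.username", "hibernate.connection.password"):
        if cfg.get(name):  # report the property name only, never the value
            findings.append(f"{name} is not empty")
    return findings


if __name__ == "__main__":
    for finding in audit_hibernate_cfg(SAMPLE_CFG):
        print("FINDING:", finding)
```

To check a real file, pass its content to audit_hibernate_cfg() instead of SAMPLE_CFG.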