
Introduction

  • Usually, a user name and password are specified when connecting to a database.

  • Such configurations are considered insecure as passwords are stored in clear text in external files or in job parameters.
  • SQL Server® provides a means to connect to a database without specifying a user account and password.

Integrated Security

This authentication scheme relies on the fact that the account a component runs under has already been authenticated by the OS and can therefore access a database without specifying user/password credentials.

Prerequisites

The following prerequisites apply:

  • A domain account has to be set up before JOC Cockpit installation for the user account that connects to the database.
  • A Hibernate configuration file has to be set up, see JS7 - Database:
    • Users can create an individual Hibernate configuration file and make the installer use this file. The hibernate.connection.url property in this file has to include the IntegratedSecurity=true setting; a user name and password must not be specified.
    • This configuration will implicitly use the domain account that JOC Cockpit runs under.
    • Add the IntegratedSecurity=true property:
      <property name="hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=false;selectMethod=cursor;databaseName=[databasename]</property>
      <property name="hibernate.connection.username"></property>
      <property name="hibernate.connection.password"></property>
      

Use with Windows

The SQL Server® JDBC Driver distribution usually ships with a library for authentication purposes with a name such as sql_jdbc.dll or mssql-jdbc_auth-9.2.1.x64.dll or similar. This library should be added to a location that is specified by the Windows PATH environment variable for the JOC Cockpit Windows Service. Alternatively, it can simply be stored in the C:\Windows\System32 directory or in the bin directory of the Java JDK/JRE in use.

Use with Linux

Rumor has it that Integrated Security on Linux operating systems should be possible by use of the Kerberos integration layer.

However, SOS has no information about a securely working environment that would allow a Linux operating system account to connect to SQL Server® without a password.

Troubleshooting

If you modified an existing Hibernate configuration file to use a connection to SQL Server® with a Windows domain account, then you might receive an error message like this during installation:

 SQLException: Login failed for user 'DOMAIN\USER'


A check of SQL Server® logs might indicate that the given User ID that tried to establish the connection presented itself as an SQL\USER account, instead of a DOMAIN\USER account.

Consider using the IntegratedSecurity=true setting in your Hibernate configuration file:

  • Modify JETTY_BASE/resources/joc/hibernate.cfg.xml:

    Add the IntegratedSecurity=true property:
    <property name="hibernate.connection.url">jdbc:sqlserver://[servername]:[port];IntegratedSecurity=true;sendStringParametersAsUnicode=false;selectMethod=cursor;databaseName=[databasename]</property>
    

