JDBC over SSL to a Cache database
I'm pretty far out of my depth here, so bear with me. We're using JDBC via com.intersys.jdbc.cachedriver to run stored procedures in InterSystems Cache and get the results in Java. However, there are other clients that connect directly to the Cache using a terminal over telnet. We have to lock down Cache's telnet port so that only telnet over SSL is possible. However, the Cache experts here say that locking down one port in Cache locks them all down, so the Java to Cache connection will also have to use SSL. I understand vaguely that some JDBC drivers support SSL, but I don't see that the Cache one does. What I need to know is:
- What's needed to configure SSL for the JDBC connections? (We're using JBoss 4.2.3)
- What about certificates? I assume those have to go somewhere.
- Is it actually true that locking down the telnet connections is also going to lock down JDBC in the same way?
Comments (2)
Configuring Java Clients to Use SSL/TLS with Caché
Using SSL/TLS with Caché
Telnet vs ssh is a question about what the OS allows and only relates to Cache peripherally. It doesn't mean anything regarding items 1 or 2. So in answer to the direct question you are asking, "No".
See http://docs.intersystems.com/cache20102/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_ssltls#GCAS_ssltls_javacli for details. This section doesn't explicitly mention JDBC, but it's true for JDBC (and the reference has been added for the documentation 2011.1 [next release].)
To quote the documentation: "If the client has a private key and certificate, these are stored in the client’s keystore; the keystore can also hold the client’s root CA certificate and any intermediate CA certificates. To authenticate the server, the client may need to have the root CA certificate for the server and any intermediate CA certificates, these can be stored either in the client’s truststore or along with client certificate information in the keystore. For more information on keystores and truststores, see the section “Keystores and Truststores” in the Java Secure Socket Extension (JSSE) Reference Guide."
Yes -- if telnet connections are to require TLS, then the superserver TLS setting needs to be Required, which means that you have to use TLS for anything that goes through the superserver (including JDBC). If you just want to allow the use of TLS for telnet connections, set the TLS value to Enabled, which allows non-TLS connections by other means (such as JDBC).
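
An added example, not part of the answers above or of the InterSystems documentation: a standalone JSSE pre-flight check for the truststore and optional keystore that the quoted passage describes, run before pointing any client at them. It uses only standard Java APIs; the file names and the TRUSTSTORE_PASS / KEYSTORE_PASS environment variables are assumptions, and the Caché driver's own SSL settings are not shown here (see the linked documentation for those).

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class StoreCheck {
    // Read a store password from an environment variable (variable names are hypothetical).
    static char[] env(String n) { return Objects.requireNonNull(System.getenv(n), n).toCharArray(); }
    // Print every entry; return the number of certificate-only (trusted CA) entries.
    static int describe(String label, KeyStore ks) throws Exception {
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(not X.509)";
            if (ks.isCertificateEntry(alias)) trusted++;
            System.out.printf("%s: %s [%s] %s%n", label, alias,
                    ks.isKeyEntry(alias) ? "private key + certificate" : "trusted certificate", subject);
        }
        return trusted;
    }
    // The truststore authenticates the server; the optional keystore holds the client's own key.
    static SSLContext context(KeyStore trust, KeyStore key, char[] keyPass) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManager[] kms = null;          // null: no client certificate is offered
        if (key != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(key, keyPass);       // fails here if the key password is wrong
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
    // Usage (file names are assumptions, Java 9+): java StoreCheck truststore.jks [keystore.jks]
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(new File(args[0]), env("TRUSTSTORE_PASS"));
        if (describe("truststore", trust) == 0)
            throw new IllegalStateException("no CA certificates: the server cannot be verified");
        char[] kp = args.length > 1 ? env("KEYSTORE_PASS") : null;
        KeyStore key = kp == null ? null : KeyStore.getInstance(new File(args[1]), kp);
        if (key != null) describe("keystore", key);
        System.out.println("SSLContext built: " + context(trust, key, kp).getProtocol());
    }
}
```

An empty truststore loads without error and only fails later during the handshake, which is why the check rejects it up front.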