Datasource *-ds.xml security with Active Directory


Our security requirements indicate that our database accounts must be controlled in Active Directory. So the user ID and password that I would normally store in a JBoss *-ds.xml file have to come from Active Directory. While I see a ton of how-tos on encrypting and securing the password in this file, I am finding nothing on how I can have JBoss datasource files use AD user IDs and passwords while only specifically knowing the user ID and not storing the password in the JBoss datasource file. Help please? Oh, and we're using JBoss EAP 6.0.1 with EnterpriseDB.

 

Thanks,

 

Liisa Underwood

Responses

Hello,

The following has not been tested by myself but I think it's possible.

The database needs to be configured of course (see [1]) but I suppose you already have that done.
On the datasource, you can set a property "kerberosServerName" for the service name of the database host, see [2]

Your deployed application should then use an SPNEGO security domain, which would handle the tickets.
The datasource should then use "security-domain" to point to that domain.

I can however not find any example or if someone has already done this.
If needed, please feel free to open a support ticket to get someone (myself potentially) to look at this in detail.

Kind regards
Tom

[1] http://www.postgresql.org/docs/devel/static/auth-methods.html#KERBEROS-AUTH
[2] http://jdbc.postgresql.org/documentation/84/connect.html#connection-parameters
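
A check for the requirement discussed in this thread, as an added example that is not part of the original posts: it parses a datasource descriptor and reports, per datasource, whether a password is stored in the file and whether the `security-domain` and `kerberosServerName` settings mentioned in the reply are present. The sample descriptor is constructed, its element layout is assumed to follow the EAP 6 datasource schema, and the pool names, host and security domain name are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (layout assumed from the EAP 6 datasource schema).
# Pool names, host and security domain name are hypothetical.
SAMPLE_DS_XML = """<datasources xmlns="http://www.jboss.org/ironjacamar/schema">
  <datasource jndi-name="java:jboss/datasources/LegacyDS" pool-name="LegacyDS">
    <connection-url>jdbc:postgresql://db.example.internal:5432/app</connection-url>
    <security>
      <user-name>appuser</user-name>
      <password>changeit</password>
    </security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/KerberosDS" pool-name="KerberosDS">
    <connection-url>jdbc:postgresql://db.example.internal:5432/app</connection-url>
    <connection-property name="kerberosServerName">postgres</connection-property>
    <security>
      <security-domain>example-krb-domain</security-domain>
    </security>
  </datasource>
</datasources>
"""

def local(tag):
    # Strip the XML namespace so namespaced and plain descriptors both match.
    return tag.rsplit("}", 1)[-1]

def audit_datasources(xml_text):
    """Return one finding dict per <datasource> or <xa-datasource> element."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("datasource", "xa-datasource"):
            continue
        props, has_password, domain = {}, False, None
        for child in el.iter():
            name, text = local(child.tag), (child.text or "").strip()
            if name in ("connection-property", "xa-datasource-property"):
                props[child.get("name")] = text
            elif name == "password":
                # Any non-empty <password>, including recovery credentials.
                has_password = has_password or bool(text)
            elif name == "security-domain":
                domain = text
        findings.append({"pool": el.get("pool-name"), "stored_password": has_password,
                         "security_domain": domain,
                         "kerberos_server_name": props.get("kerberosServerName")})
    return findings

if __name__ == "__main__":
    for finding in audit_datasources(SAMPLE_DS_XML):
        print(finding)
```

A datasource passes the "no password in the file" requirement only when `stored_password` is false; the other two fields show whether credentials are delegated to a security domain as the reply suggests.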