2.5.6. Database Configuration

The default database HSQLDB that the Enterprise Application Platform ships with must be disabled as it is not supported. Additional configuration is also required for JDBC drivers and supporting This section will outline how this can be done and then refer you to information on how to configure supported databases. This must be done in the production server profile.

Procedure 2.3. Configure Database

  1. Create DefaultDS file

    Create a default DS file for the desired database. Examples of this file are located in JBOSS_HOME/docs/examples/jca.

    Important

    A DefaultDS file must be supplied in the JBOSS_HOME/server/production/deploy directory.
  2. Delete HSQLDB files

    Delete the following files as they refer to the HSQLDB database:
    • JBOSS_HOME/server/production/deploy/hsqldb-ds.xml
    • JBOSS_HOME/common/lib/hsqldb.jar
    • JBOSS_HOME/common/lib/hsqldb-plugin.jar
    • JBOSS_HOME/server/production/deploy/messaging/hsqldb-persistence-service.xml
  3. Remove HSQLDB Security Domain

    Comment out the security domain for HsqlDbRealm in the JBOSS_HOME/server/production/conf/login-config.xml file as shown.
    <!-- Security domains for testing new jca framework
    <application-policy name = "HsqlDbRealm">
      <authentication>
        <login-module 
          code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" 
          flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">cctest</module-option>
          <module-option name = "password">cc1248</module-option>
          <module-option name = "managedConnectionFactoryName">
            jboss.jca:service=LocalTxCM,name=DefaultDS
          </module-option>
        </login-module>
      </authentication>
    </application-policy>
    -->
    
  4. Copy persistence service configuration file

    The [database]-persistence-service.xml file contains the persistence service definition for JBoss Messaging, for the database specified by the [database] in the filename.
    Copy the [database]-persistence-service.xml file that corresponds to the database you are using from the JBOSS_HOME/docs/examples/jms directory to JBOSS_HOME/server/production/deploy.

    Note

    The table definitions in any [database]-persistence-service.xml are not optimized for performance.
  5. Relocate JDBC driver libraries

    Place the supported JDBC driver libraries in the directory JBOSS_HOME/server/production/lib/.

    Important

    Ensure you follow the policy guidelines in Section 2.5.5, “Java Security Manager Policy File” and choose a supported JDBC driver from Table 2.1, “Allowed 5.1.0 Database and JDBC Driver Versions” or Table 2.2, “Allowed 5.1.1 Database and JDBC Driver Versions” to maintain an evaluated configuration.
  6. Add JDBC Grant Statement

    Add the following grant statement for the JDBC driver you are using to the Java Security Manager policy file. The policy file is located in JBOSS_HOME/bin/security_cc.policy. Substitute the directory name of the JDBC driver where [cc.jdbc.driver] is specified in the code sample.

    Important

    Each JDBC driver can use different permissions. Check the JDBC driver documentation and replace java.security.AllPermission; with a secure permission scheme supported by the driver.
    // granting permissions to JDBC driver 
    grant codeBase "file:${jboss.server.home.dir}/lib/[cc.jdbc.driver]" { 
      permission java.security.AllPermission; 
    };
  7. Oracle Database Persistence Plugin Optimization

    When using the Oracle Database, the database persistence plugin definition must be changed in JBOSS_HOME/server/production/deploy/ejb2-timer-service.xml from being:
    <attribute name="DatabasePersistencePlugin">
    org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin
    </attribute>
    to being:
    <attribute name="DatabasePersistencePlugin">
    org.jboss.ejb.txtimer.OracleDatabasePersistencePlugin
    </attribute>
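
The following audit script is an added example, not part of the Red Hat guide: it checks a production profile against steps 1 to 6 of Procedure 2.3 and reports anything left undone, including a driver grant that still uses java.security.AllPermission. The function names, the DRIVER argument (the name substituted for [cc.jdbc.driver]), the *-ds.xml file naming and the <jndi-name>DefaultDS</jndi-name> element it looks for are assumptions.

```sh
# Added example: audit_cc_db JBOSS_HOME DRIVER checks Procedure 2.3; returns the finding count.

# Print an XML file with <!-- ... --> comments removed (they may span lines).
strip_xml_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (inc) {
        i = index(line, "-->"); if (i == 0) break
        line = substr(line, i + 3); inc = 0
      } else {
        i = index(line, "<!--"); if (i == 0) { out = out line; break }
        out = out substr(line, 1, i - 1); line = substr(line, i + 4); inc = 1
      }
    }
    print out
  }' "$1" 2>/dev/null
}
# Succeed if a grant for a codeBase under the server lib dir holds AllPermission.
driver_has_allpermission() {
  awk '/^[ \t]*grant/ { drv = index($0, "${jboss.server.home.dir}/lib/") }
       drv && /java\.security\.AllPermission/ { hit = 1 }
       index($0, "};") { drv = 0 }
       END { exit !hit }' "$1" 2>/dev/null
}

audit_cc_db() {
  home=$1; drv=$2; prod=$home/server/production; pol=$home/bin/security_cc.policy
  n=0; finding() { echo "FINDING: $*"; n=$((n + 1)); }
  # Step 1: a deployed datasource must bind DefaultDS (jndi-name element assumed).
  grep -q '<jndi-name>DefaultDS</jndi-name>' "$prod"/deploy/*-ds.xml 2>/dev/null \
    || finding "no *-ds.xml in deploy defines DefaultDS"
  # Step 2: the four HSQLDB files must be gone.
  for f in server/production/deploy/hsqldb-ds.xml common/lib/hsqldb.jar \
      common/lib/hsqldb-plugin.jar \
      server/production/deploy/messaging/hsqldb-persistence-service.xml; do
    [ ! -e "$home/$f" ] || finding "HSQLDB file still present: $f"
  done
  # Step 3: HsqlDbRealm may only appear inside an XML comment.
  ! strip_xml_comments "$prod/conf/login-config.xml" | grep -q HsqlDbRealm \
    || finding "HsqlDbRealm security domain is still active"
  # Step 4: a JBoss Messaging persistence service definition must be deployed.
  ls "$prod"/deploy/*-persistence-service.xml >/dev/null 2>&1 \
    || finding "no [database]-persistence-service.xml in deploy"
  # Steps 5 and 6: driver in place, granted in the policy, not via AllPermission.
  [ -e "$prod/lib/$drv" ] || finding "JDBC driver missing: lib/$drv"
  grep -qF "/lib/$drv\"" "$pol" 2>/dev/null || finding "no policy grant for lib/$drv"
  ! driver_has_allpermission "$pol" || finding "driver grant uses AllPermission"
  return "$n"
}
```

Source the script and run audit_cc_db with the installation directory and the driver name; a return status of 0 means no findings.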

Note

JBoss Enterprise Application Platform requires a database to store its operational state. The JNDI name referring to the database is java:/DefaultDS. The database has to be separated from all application databases: user applications must not provide additional tables to the java:/DefaultDS database, but must use their own dedicated databases to store their objects.
This setup prevents SQL injection attacks through user applications against the java:/DefaultDS database, and information leaks from it, because such injections are always limited to the connected database.

Note

The Installation and Configuration Guide contains specific information about the supported databases, and their configuration. Read this information in conjunction with the Common Criteria Configuration Guide overrides to ensure you maintain an evaluated configuration.