Discussion:
2 Factor Authentication Tomcat 7
Will Nordmeyer
2018-10-23 14:44:55 UTC
I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in the
next year). I tried working with Oracle on this with no success.

We have an Oracle Database connection defined within our web.xml (see
below). We need to convert to using 2 Factor (certificate?) based
Authentication.

How do we convert from our embedded username/password to 2FA?

<context-param>
<param-name>type</param-name>
<param-value>SIMPLE</param-value>
</context-param>

<context-param>
<param-name>datasource</param-name>
<param-value> </param-value>
</context-param>

<context-param>
<param-name>driver</param-name>
<param-value>oracle.jdbc.OracleDriver</param-value>
</context-param>

<context-param>
<param-name>url</param-name>
<param-value>jdbc:oracle:thin:@//server:1521/SID</param-value>
</context-param>

<context-param>
<param-name>username</param-name>
<param-value>myuser</param-value>
</context-param>

<context-param>
<param-name>password</param-name>
<param-value>mypass</param-value>
</context-param>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2018-10-23 14:59:34 UTC
Will,
Post by Will Nordmeyer
I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
the next year). I tried working with Oracle on this with no
success.
We have an Oracle Database connection defined within our web.xml
(see below). We need to convert to using 2 Factor (certificate?)
based Authentication.
How do we convert from our embedded username password to 2FA
Uhh...

How would you enter your second-factor into the server? During service
startup? What happens if the connection times-out and you have to
re-authenticate? Do you want to be paged in the middle of the night to
re-enter your 2FA code? How about 10 times per hour on 100 different
servers?

2FA doesn't make any sense at all for services contacting other
services. 2FA makes sense for humans contacting services because
humans are so much worse at password management, social engineering
resistance, etc.

If you have a segment of your IT team mandating 2FA for database
connections (even for services), tell them that THEY have to use THEIR
2FA credentials to unlock the database for YOUR services. See how long
that policy survives.

-chris
Will Nordmeyer
2018-10-23 15:03:18 UTC
Chris,

I understand all of that and am working all those concerns to the
PTB... but as with many management situations reality doesn't fit with
the "security" mindset.
Pierre Chiu
2018-10-23 15:08:45 UTC
You are using a JDBC connection to an Oracle database.

Just forget about Tomcat. I cannot find an out-of-the-box JDBC 2FA feature from Oracle.
Will Nordmeyer
2018-10-23 16:46:42 UTC
Thanks Pierre - I hadn't found it either, wanted to make sure I wasn't
just stupid in my looking.

I'm fighting the "it is a dumb idea to try to 2FA a service account"
battle - but not sure if I can prevail against entrenched stupidity.
Christopher Schultz
2018-10-23 20:16:01 UTC
Will,
Post by Will Nordmeyer
Thanks Pierre - I hadn't found it either, wanted to make sure I
wasn't just stupid in my looking.
I'm fighting the "it is a dumb idea to try to 2FA a service account"
battle - but not sure if I can prevail against entrenched stupidity.
Tell management that the only way to do it is to hire Oracle in a
Professional Services engagement and have them "consult" with you.

It will cost a bundle, take forever, and, eventually, nothing will
change. Except the policy.

Good luck.

-chris
Loai Abdallatif
2018-10-24 05:59:39 UTC
Thanks Chris, I totally agree with you.
Louis Zipes
2018-10-24 19:42:19 UTC
Hello,
To clarify, are you trying to get to a point where the password to the Oracle schema looks something like this in server.xml?

password="2d9377fee736w1115ca984a1dfb99c943"

instead of unencrypted like

password=<unencrypted method>

so that someone wandering around your server can't get the password to your Oracle database?

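A check a reviewer would want after reading this thread: the script below is an added example, not code from the thread or from Tomcat. It scans a web.xml for `<context-param>` pairs like the ones Will posted and reports any that hold a literal secret; going beyond the thread, it also checks server.xml / context.xml `<Resource>` elements for a literal `password` attribute, which is where a Tomcat JNDI DataSource usually keeps it. The two sample documents are constructed, and the context.xml password is a placeholder.

```python
"""Audit Tomcat config files for embedded database credentials.
Hypothetical helper: not code from the thread or from Tomcat."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# context-param names that usually carry a secret
SECRET_PARAM_NAMES = {"password", "passwd", "pwd", "secret", "dbpassword"}

def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://...}context-param."""
    return tag.rsplit("}", 1)[-1]

def find_web_xml_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (param-name, param-value) pairs whose name looks like a secret
    and whose value is non-blank. Blank values, like the empty 'datasource'
    entry in the thread, expose nothing and are skipped."""
    found = []
    for cp in ET.fromstring(xml_text).iter():
        if _local(cp.tag) != "context-param":
            continue
        name = value = ""
        for child in cp:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name.lower() in SECRET_PARAM_NAMES and value:
            found.append((name, value))
    return found

def find_resource_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (resource name, password) for server.xml / context.xml
    <Resource> elements that carry a literal password attribute."""
    return [(res.get("name", "?"), res.get("password"))
            for res in ET.fromstring(xml_text).iter()
            if _local(res.tag) == "Resource" and res.get("password", "").strip()]

def redact(value: str) -> str:
    """Never echo a secret into a report: keep only the last two characters."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]

# Constructed sample, modelled on the web.xml fragment posted in the thread.
SAMPLE_WEB_XML = """<web-app>
<context-param><param-name>type</param-name><param-value>SIMPLE</param-value></context-param>
<context-param><param-name>datasource</param-name><param-value> </param-value></context-param>
<context-param><param-name>driver</param-name><param-value>oracle.jdbc.OracleDriver</param-value></context-param>
<context-param><param-name>url</param-name><param-value>jdbc:oracle:thin:@//server:1521/SID</param-value></context-param>
<context-param><param-name>username</param-name><param-value>myuser</param-value></context-param>
<context-param><param-name>password</param-name><param-value>mypass</param-value></context-param>
</web-app>"""

# Constructed sample context.xml with a JNDI DataSource; the password is a placeholder.
SAMPLE_CONTEXT_XML = """<Context>
<Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource"
          driverClassName="oracle.jdbc.OracleDriver"
          url="jdbc:oracle:thin:@//server:1521/SID"
          username="myuser" password="PLACEHOLDER_PW"/>
</Context>"""

if __name__ == "__main__":
    for name, value in find_web_xml_secrets(SAMPLE_WEB_XML):
        print(f"web.xml: context-param '{name}' holds a literal secret ({redact(value)})")
    for name, value in find_resource_secrets(SAMPLE_CONTEXT_XML):
        print(f"context.xml: Resource '{name}' has a literal password ({redact(value)})")
```

Run it against each deployed webapp's WEB-INF/web.xml and conf/context.xml; a hit means the credential is readable by anyone with file access to the server, which is the exposure Louis describes.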

J***@wellsfargo.com.INVALID
2018-10-23 20:52:43 UTC
Will,
Are you truly being asked to switch to 2FA? What is the additional factor? Like others have said, supplying something like a code from an RSA token sounds exceptionally difficult; however, that's not the only possibility. You mentioned a certificate, so I'm wondering whether you're really being asked to do mutual authentication, which involves a certificate, but is not as hard as actual 2FA.

Also, I assume you have some code that consumes those params from your web.xml. If so, then you might have some flexibility to change the code to do some other form of authentication.

John

Christopher Schultz
2018-10-23 21:20:29 UTC
John,
Post by J***@wellsfargo.com.INVALID
Are you truly being asked to switch to 2FA? What is the
additional factor? Like others have said, supplying something like
a code from an RSA token sounds exceptionally difficult, however
that's not the only possibility. You mentioned a certificate, so
I'm wondering whether you're really being asked to do mutual
authentication, which involves a certificate, but is not as hard as
actual 2FA.
I 100% agree that client-certs are a good thing to use for db
authentication. I have no idea how to do it with Oracle, but the MySQL
configuration isn't very complicated at all.

Also, a cert is definitely "2FA". It's a second factor. It's actually
something you "have". :)
Post by J***@wellsfargo.com.INVALID
Also, I assume you have some code that consumes those params from
your web.xml. If so, then you might have some flexibility to
change the code to do some other form of authentication.
Yeah, like having a 2FA SMS token delivered via email, which your
database driver retrieves and uses[1]. Sound complicated enough, yet? ;)

-chris

[1] https://en.wikipedia.org/wiki/Jamie_Zawinski#Principles