Security enhancement for the JTOpen library #200
Signed-off-by: Marcel Romijn <[email protected]>
ec221ae to 65577cc
Signed-off-by: Marcel Romijn <[email protected]>
Not sure we will be going this way. I think our thought is giving users the ability to specify path to certificate store with a password, and the additional option to indicate whether or not all certificates should be trusted (in which case no certificate store needs to be specified).
@nadiramra, only specifying a path to a certificate store with a password will not work for us. One option could be to implement both:
Obviously, that second extra API can make use of the first one.
@nadiramra, could you provide an estimated timeframe? Even a rough indication would be helpful.
I understand the use case for both, and I think we will inevitably need both.
Signed-off-by: Jesse Gorzinski <[email protected]>
6f82ca5 to 93a2933
@MarcelRomijn as you can see I pushed in some changes that would honor both a custom I did some basic testing and have more to do, but will you please verify that the latest version of this branch works for your needs?
I saw the update to be able to provide a truststore filename and password for the JDBC connections. I copied my JDBC test
A small remark... But even without an extra KeyStore type attribute in JDProperties, the current branch code-base works well for me... Thank you!
I have integrated this patch into our system and it works as expected, except the SSL options specified on the AS400 object did not carry through to SQL connections. In our system everything starts with an I added the new socket factory object to the copy constructor of I've tested forcing SSL on pub400.com with success. We also have an LPAR with a self-signed certificate. API calls work using a trust-all SSLSocketFactory. SQL calls work when using a version of JTOpen that includes my patch, but fail when using this PR without my change. Our admin changed the test system settings to be SSL-only, and all of our monitoring items work with (lenient) SSL enabled, so I believe that the properties are carrying through (e.g. no non-SSL leaks).
Thanks for merging the branch to main! 👍
Added a security enhancement that allows setting a custom SSLSocketFactory for making secure connections to a host.
This enhancement is available for both JTOpen connections made with the SecureAS400 class and with the AS400JDBCDriver class.
I created another GitHub repository that contains tester code to test/demonstrate the security enhancement (in branch feature/security): https://github.com/MarcelRomijn/JTOpen_security_test/tree/feature/security
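
An added example, not code from this PR or from JTOpen: one way to build the kind of custom SSLSocketFactory discussed in this thread from a truststore file, password and optional KeyStore type, using only standard JSSE classes, so that a host with a self-signed certificate can be trusted without trusting all certificates. The class and method names are hypothetical, and the JTOpen call that accepts the factory is not shown because its name does not appear on this page.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of JTOpen.
public class TrustStoreSocketFactory {

    // Returns a factory that trusts only the certificates found in the given store.
    // storeType is e.g. "PKCS12" or "JKS"; null selects the JVM default type.
    static SSLSocketFactory fromTrustStore(String path, char[] password, String storeType)
            throws Exception {
        KeyStore store = KeyStore.getInstance(
                storeType != null ? storeType : KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password); // throws if the password or format is wrong
        }
        if (store.size() == 0) {
            // An empty store cannot validate any server; fail here, not at handshake time.
            throw new IllegalStateException("truststore has no entries: " + path);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material, trust managers from the store, default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Arguments: <truststore path> <password> [type].
        // With no arguments, the JVM's bundled cacerts file stands in as sample input.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = args.length > 2 ? args[2] : null;

        SSLSocketFactory factory = fromTrustStore(path, password, type);
        System.out.println("Factory ready, default cipher suites: "
                + factory.getDefaultCipherSuites().length);
    }
}
```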