Securing the embedded Derby database

By default, the embedded Derby database server does not use authentication for database connections. Security for the Derby database can be enabled by creating a derby.properties file under the <GERONIMO_HOME>/var/derby directory. The contents of a sample properties file are shown below:

derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.user.userName1=password1
derby.user.userName2=password2

Here, the authentication mechanism used is BUILTIN, whereby the usernames and passwords are specified in the properties file itself. The authentication methods that can be used are:

  • BUILTIN: User credentials are specified in the derby.properties file

  • LDAP: An LDAP server is configured for authentication

  • User-defined: A class that implements org.apache.derby.authentication.UserAuthenticator

The sample derby.properties file creates two users: "userName1" with password "password1" and "userName2" with password "password2".

Users can also be configured at the database level by using stored procedures. The following is an example of such a stored procedure:

CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY ('derby.user.userName3', 'password3')

By executing the stored procedure as shown, a user with a name of "userName3" and a password of "password3" is created.

Updating database pools

Once security is enabled for the embedded Derby database server, the preconfigured user credentials in the database pools that use databases on the Derby server should be updated to reflect the new credentials. This can be done in one of two ways:

  • Before enabling Derby security, update the credentials by using the Database Pools portlet in the Administration Console and then enable Derby security, as discussed earlier.

  • Enable Derby security, edit the config.xml file to update the credentials, and then start Geronimo. The XML fragment to update credentials in a database pool is shown later in this section.

Note that the config.xml file should be edited only when the server is stopped. Otherwise the changes will be lost.


The database pools that need to be updated are as follows:

  • MonitoringClientDS

  • NoTxDatasource

  • SystemDatasource

  • jdbc/ActiveDS

  • jdbc/ArchiveDS

  • jdbc/juddiDB

If you intend to update the database pools by using the Administration Console, then you should make the update before enabling Derby security. Otherwise the Geronimo server will not start. If you intend to update the database pools by editing the config.xml file, then you can use the following XML fragment, which shows the update of the SystemDatasource database pool.

<module name="org.apache.geronimo.configs/system-database/2.1.4/car">
<gbean name="org.apache.geronimo.configs/system-database/2.1.4/car?J2EEApplication=null,JCAConnectionFactory=SystemDatasource,JCAResource=org.apache.geronimo.configs/system-database/2.1.4/car,ResourceAdapter=org.apache.geronimo.configs/system-database/2.1.4/car,ResourceAdapterModule=org.apache.geronimo.configs/system-database/2.1.4/car,j2eeType=JCAManagedConnectionFactory,name=SystemDatasource">
<attribute name="UserName">username</attribute>
<attribute name="Password">password</attribute>
</gbean>
</module>

Here, org.apache.geronimo.configs/system-database/2.1.4/car is the name of the module containing the SystemDatasource database pool. You will need to obtain the module name for each of the database pools from the given list that needs to be updated. Start the Geronimo server after updating all of these database pools in the config.xml file.
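Because a pool left with stale credentials keeps the server from starting, it helps to check config.xml against derby.properties before the restart. The following Python script is an added example, not code from the book or from Geronimo; it reports which of the six listed pools still lack credentials that Derby would accept. It assumes BUILTIN users defined in derby.properties, hand-edited plain-text passwords in config.xml, and user names spelled identically in both files; the sample input and its <attributes> root element are constructed.

```python
import xml.etree.ElementTree as ET

# Pools the page lists as needing updated credentials.
POOLS = ["MonitoringClientDS", "NoTxDatasource", "SystemDatasource",
         "jdbc/ActiveDS", "jdbc/ArchiveDS", "jdbc/juddiDB"]

def derby_users(properties_text):
    """Return {user: password} from the derby.user.* lines of derby.properties."""
    users = {}
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("derby.user."):
            users[key.strip()[len("derby.user."):]] = value.strip()
    return users

def pool_credentials(config_xml):
    """Return {pool: {attribute: value}} for the listed pools found in config.xml."""
    found = {}
    for el in ET.fromstring(config_xml).iter():
        # The pool name is the JCAConnectionFactory key after '?' in the gbean name.
        query = el.get("name", "").partition("?")[2]
        keys = dict(p.split("=", 1) for p in query.split(",") if "=" in p)
        pool = keys.get("JCAConnectionFactory")
        if el.tag.split("}")[-1] == "gbean" and pool in POOLS:  # ignore namespace
            found[pool] = {a.get("name"): (a.text or "").strip() for a in el}
    return found

def audit(properties_text, config_xml):
    """Return {pool: problem} for pools whose credentials Derby would reject."""
    users, pools, problems = derby_users(properties_text), pool_credentials(config_xml), {}
    for pool in POOLS:
        attrs = pools.get(pool, {})
        user, password = attrs.get("UserName"), attrs.get("Password")
        if user is None or password is None:
            problems[pool] = "no UserName/Password override"
        elif users.get(user) != password:  # unknown user or wrong password
            problems[pool] = "credentials not in derby.properties"
    return problems

# Constructed sample input: only SystemDatasource has been updated.
SAMPLE_PROPERTIES = "derby.connection.requireAuthentication=true\nderby.user.userName1=password1\n"
MODULE = "org.apache.geronimo.configs/system-database/2.1.4/car"
SAMPLE_CONFIG = f"""<attributes><module name="{MODULE}">
<gbean name="{MODULE}?J2EEApplication=null,JCAConnectionFactory=SystemDatasource,j2eeType=JCAManagedConnectionFactory,name=SystemDatasource">
<attribute name="UserName">userName1</attribute><attribute name="Password">password1</attribute>
</gbean></module></attributes>"""

if __name__ == "__main__":
    print(audit(SAMPLE_PROPERTIES, SAMPLE_CONFIG))
```

An empty result means every listed pool carries a user and password that derby.properties defines.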
