2 Factor Authentication Tomcat 7


2 Factor Authentication Tomcat 7

Will Nordmeyer
I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in the
next year).  I tried working with Oracle on this with no success.

We have an Oracle Database connection defined within our web.xml (see
below).  We need to convert to using 2 Factor (certificate?) based
Authentication.

How do we convert from our embedded username password to 2FA

<context-param>
<param-name>type</param-name>
<param-value>SIMPLE</param-value>
</context-param>

<context-param>
<param-name>datasource</param-name>
<param-value> </param-value>
</context-param>

<context-param>
<param-name>driver</param-name>
<param-value>oracle.jdbc.OracleDriver</param-value>
</context-param>

<context-param>
<param-name>url</param-name>
<param-value>jdbc:oracle:thin:@//server:1521/SID</param-value>
</context-param>

<context-param>
<param-name>username</param-name>
<param-value>myuser</param-value>
</context-param>

<context-param>
<param-name>password</param-name>
<param-value>mypass</param-value>
</context-param>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: 2 Factor Authentication Tomcat 7

Christopher Schultz-2

Will,

On 10/23/18 10:44, Will Nordmeyer wrote:
> I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> the next year).  I tried working with Oracle on this with no
> success.
>
> We have an Oracle Database connection defined within our web.xml
> (see below).  We need to convert to using 2 Factor (certificate?)
> based Authentication.
>
> How do we convert from our embedded username password to 2FA

Uhh...

How would you enter your second-factor into the server? During service
startup? What happens if the connection times-out and you have to
re-authenticate? Do you want to be paged in the middle of the night to
re-enter your 2FA code? How about 10 times per hour on 100 different
servers?

2FA doesn't make any sense at all for services contacting other
services. 2FA makes sense for humans contacting services because
humans are so much worse at password management, social engineering
resistance, etc.

If you have a segment of your IT team mandating 2FA for database
connections (even for services), tell them that THEY have to use THEIR
2FA credentials to unlock the database for YOUR services. See how long
that policy survives.

-chris


Re: 2 Factor Authentication Tomcat 7

Will Nordmeyer
Chris,

I understand all of that and am working all those concerns to the
PTB... but as with many management situations reality doesn't fit with
the "security" mindset.


Re: 2 Factor Authentication Tomcat 7

Pierre Chiu
You are using a JDBC connection to an Oracle database.

Just forget about Tomcat. I cannot find an out-of-the-box JDBC 2FA feature from Oracle.



Re: 2 Factor Authentication Tomcat 7

Will Nordmeyer
Thanks Pierre - I hadn't found it either, wanted to make sure I wasn't
just stupid in my looking.

I'm fighting the "it is a dumb idea to try to 2FA a service account" fight -
but not sure if I can prevail against entrenched stupidity.


Re: 2 Factor Authentication Tomcat 7

Christopher Schultz-2

Will,

On 10/23/18 12:46, Will Nordmeyer wrote:
> Thanks Pierre - I hadn't found it either, wanted to make sure I
> wasn't just stupid in my looking.
>
> I'm fighting the it is a dumb idea to try to 2FA a service account
> - but not sure if I can prevail against entrenched stupidity.

Tell management that the only way to do it is to hire Oracle in a
Professional Services engagement and have them "consult" with you.

It will cost a bundle, take forever, and, eventually, nothing will
change. Except the policy.

Good luck.

-chris



RE: 2 Factor Authentication Tomcat 7

John.E.Gregg-2
Will,

Are you truly being asked to switch to 2FA?  What is the additional factor?  Like others have said, supplying something like a code from an RSA token sounds exceptionally difficult, however that's not the only possibility.   You mentioned a certificate, so I'm wondering whether you're really being asked to do mutual authentication, which involves a certificate, but is not as hard as actual 2FA.

Also, I assume you have some code that consumes those params from your web.xml.  If so, then you might have some flexibility to change the code to do some other form of authentication.

John



Re: 2 Factor Authentication Tomcat 7

Christopher Schultz-2

John,

On 10/23/18 16:52, [hidden email] wrote:

> Are you truly being asked to switch to 2FA?  What is the
> additional factor?  Like others have said, supplying something like
> a code from an RSA token sounds exceptionally difficult, however
> that's not the only possibility.   You mentioned a certificate, so
> I'm wondering whether you're really being asked to do mutual
> authentication, which involves a certificate, but is not as hard as
> actual 2FA.

I 100% agree that client-certs are a good thing to use for db
authentication. I have no idea how to do it with Oracle, but the MySQL
configuration isn't very complicated at all.

Also, a cert is definitely "2FA". It's a second factor. It's actually
something you "have". :)

> Also, I assume you have some code that consumes those params from
> your web.xml.  If so, then you might have some flexibility to
> change the code to do some other form of authentication.
Yeah, like having a 2FA SMS token delivered via email, which your
database driver retrieves and uses[1]. Sound complicated enough, yet? ;)

-chris

[1] https://en.wikipedia.org/wiki/Jamie_Zawinski#Principles

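John's point (the code that consumes the web.xml params can be changed to do a different form of authentication) and Chris's (a client certificate is a workable second factor, "something you have", for a service-to-database connection) combine into one concrete change. What follows is an added example, not code from this thread, from Tomcat or from Oracle: a ServletContextListener that drops the username/password context-params and instead presents a client certificate over a TLS (tcps) connection, failing deployment if a password is still embedded or the key file is readable by other users on the host. Assumed and hypothetical: the context-param names keystore, truststore, keystorePasswordEnv and truststorePasswordEnv, the class and package names, and a url context-param of the form jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=server)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SID))). The javax.net.ssl.* names are standard JSSE; that the Oracle thin driver accepts them as connection properties, and the oracle.net.authentication_services=(TCPS) and oracle.net.ssl_server_dn_match properties, are my reading of Oracle's JDBC documentation and need checking against the driver version in use, as does the database-side mapping of the certificate DN to a schema user.

```java
package example.db;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
 * Added example (not from the thread, Tomcat or Oracle): client-certificate (mutual TLS)
 * authentication to the database instead of a username/password embedded in web.xml.
 * Hypothetical context-params assumed in web.xml: "driver", "url" (a tcps:// descriptor),
 * "keystore" (PKCS12 holding the app's client cert and key), "truststore" (JKS with the DB CA),
 * "keystorePasswordEnv" / "truststorePasswordEnv" (names of environment variables holding
 * the store passphrases, so no secret sits in web.xml).
 */
public class CertAuthDbListener implements ServletContextListener {

    /** Servlet-context attribute under which the ready-to-use driver properties are published. */
    public static final String ATTR_PROPS = "example.db.connectionProperties";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            Properties props = buildConnectionProperties(ctx);
            Class.forName(required(ctx, "driver"));
            // Fail fast: open one connection at deploy time so a bad keystore, an expired
            // certificate or a server-DN mismatch is noticed now, not by the on-call engineer.
            try (Connection c = DriverManager.getConnection(required(ctx, "url"), props)) {
                ctx.log("Database client-certificate authentication OK as " + c.getMetaData().getUserName());
            }
            ctx.setAttribute(ATTR_PROPS, props);
        } catch (ClassNotFoundException | SQLException e) {
            throw new IllegalStateException("database client-certificate setup failed", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(ATTR_PROPS);
    }

    /** Builds the driver properties for mutual TLS; refuses to start if a password is still embedded. */
    static Properties buildConnectionProperties(ServletContext ctx) {
        if (ctx.getInitParameter("username") != null || ctx.getInitParameter("password") != null) {
            throw new IllegalStateException("web.xml still carries username/password context-params; remove them");
        }
        String keystore = required(ctx, "keystore");
        String truststore = required(ctx, "truststore");
        checkPrivateFile(new File(keystore));

        Properties p = new Properties();
        // Standard JSSE property names. That the Oracle thin driver accepts them as connection
        // properties is an assumption from Oracle's JDBC docs; verify for your driver version.
        p.setProperty("javax.net.ssl.keyStore", keystore);
        p.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        p.setProperty("javax.net.ssl.keyStorePassword", secretFromEnv(required(ctx, "keystorePasswordEnv")));
        p.setProperty("javax.net.ssl.trustStore", truststore);
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", secretFromEnv(required(ctx, "truststorePasswordEnv")));
        // Oracle-specific (assumption, see above): authenticate with the client certificate over
        // a tcps:// URL and require the server certificate's DN to match the service we asked for.
        p.setProperty("oracle.net.authentication_services", "(TCPS)");
        p.setProperty("oracle.net.ssl_server_dn_match", "true");
        return p;
    }

    /** Reads a mandatory context-param or fails deployment with a clear message. */
    static String required(ServletContext ctx, String name) {
        String v = ctx.getInitParameter(name);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("missing context-param '" + name + "' in web.xml");
        }
        return v.trim();
    }

    /** Resolves a passphrase from the named environment variable; the value never touches web.xml. */
    static String secretFromEnv(String envName) {
        String v = System.getenv(envName);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("environment variable " + envName + " is not set");
        }
        return v;
    }

    /** The private key is the credential now: refuse a keystore that other users on the host can read. */
    static void checkPrivateFile(File f) {
        if (!f.isFile()) {
            throw new IllegalStateException("keystore not found: " + f);
        }
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(f.toPath());
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalStateException("keystore " + f + " is readable by group/others; chmod 600 it");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (Windows): file ACLs apply instead; nothing to check here.
        } catch (IOException e) {
            throw new IllegalStateException("cannot read permissions of " + f, e);
        }
    }
}
```

Register it in web.xml with a `<listener>` element naming `example.db.CertAuthDbListener`, and change the code that used to call `DriverManager.getConnection(url, username, password)` to pass the `Properties` stored under `ATTR_PROPS` instead. The keystore passphrase is still a secret, but it now lives in the Tomcat process environment and the key file is protected by filesystem permissions (which the listener checks), so reading web.xml no longer yields a credential that works from anywhere; revoking the service's access means revoking one certificate at the database rather than rotating a password across every server's config.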

Re: 2 Factor Authentication Tomcat 7

Loai Abdallatif
Thanks Chris, I totally agree with you.


RE: 2 Factor Authentication Tomcat 7

Louis Zipes
Hello,
To clarify, are you trying to get to a point where the password to the Oracle schema looks something like this in server.xml?

password="2d9377fee736w1115ca984a1dfb99c943"

instead of unencrypted like

password=<unencrypted method>

so that someone wandering around your server can't get the password to your Oracle database?
