
Derby Security Guide
Version 10.11
Derby Document build: August 7, 2014, 10:17:26 AM (PDT)

Contents

Copyright  4
License  5
About this guide  9
    Purpose of this guide  9
    Audience  9
    How this guide is organized  9
Part One: Introduction to database security  11
    Why databases need security  11
        Vulnerabilities of unsecured databases  11
        Threats to unsecured databases  11
    Defenses against security threats  12
        Derby defenses against threats  12
        Defenses outside of Derby  13
    Defenses mapped to threats  14
    Designing safer Derby applications  15
    Security terminology  15
Part Two: Configuring security for Derby  17
    Basic security configuration tasks  17
        Configuring security in an embedded environment  18
        Configuring security in a client/server environment  18
    Configuring database encryption  20
        Requirements for Derby encryption  21
        Working with encryption  21
    Using signed jar files  27
    Configuring SSL/TLS  28
        Creating a client key pair and certificate  29
        Creating a server key pair and certificate  29
        Importing certificates  29
        Booting the server and connecting to it  30
        Key and certificate handling  31
        Starting the server with SSL/TLS  32
        Running the client with SSL/TLS  33
        Other server commands  33
    Understanding identity in Derby  34
        Users and authorization identifiers  34
        Database Owner  35
    Configuring user authentication  36
        Configuring LDAP authentication  37
        Configuring NATIVE authentication  41
        Specifying authentication with a user-defined class  43
        List of user authentication properties  45
        Programming applications for Derby user authentication  46
        Login failure exceptions with user authentication  47
        Configuring Network Server authentication in special circumstances  47
    Configuring user authorization  49
        Configuring coarse-grained user authorization  50
        Configuring fine-grained user authorization  52
    Configuring Java security  70
        Basic security policy template  71
        Sample customized Java security policy file  74
        Using a Java security policy file  76
        Running embedded Derby with a security manager  76
        Running the Network Server with a security manager  78
        Running the Network Server without a security manager  79
    Restricting file permissions  79
    Putting it all together  80
        Starting a secured Network Server  80
        Creating and using a secure database  81
        Stopping the secured Network Server  82
Trademarks  83

Copyright

Copyright 2004-2014 The Apache Software Foundation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
Related information: License

License

The Apache License, Version 2.0

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on