
How to encrypt data between crystal and the db server


Total Crystal/EJB/JNDI noob so please be considerate :) I don't have any source code to post (yet) because I don't know enough about these 3 combined to post anything meaningful.

Anyway...

I am maintaining an application that uses EJB3 and JNDI to connect to the DB for my Crystal reports. Now, due to our requirements, we need to ensure that the communication between the app and the DB is secure (e.g. encrypted). How should this be done?

I've been seeing discussions on using security domains, JAAS and roles (like this one), but from what I'm seeing, that's going to force me to put annotations on every method that's concerned with connecting to the DB, not to mention define roles for users (which is not needed at this point). Then there are those saying it's just a matter of configuring my application server (in this case, it's JBoss) or putting a transport-guarantee in my web.xml (e.g. CONFIDENTIAL).

What's the best approach (or do you think that this is redundant/unnecessary)? Any help or hints on where to start would be really appreciated as I don't really see how to tackle this.

Thanks in advance!


Solution

  • You have 2 options:

    1. IPsec

    The first option is an OS-level encryption. All network traffic between host endpoints is encrypted. You will need to configure the OS of both the APP and DB servers for IPsec.

    2. encrypted JDBC connection

    In this option, only the JDBC network traffic between the database server and client is encrypted. On the DB server side, you'll need to configure your database server to SUPPORT or REQUIRE encryption. On the client side, you need to configure your JDBC connection properties to use encryption. The exact configuration and path for the SSL keys are dependent on the database that you are using.

    The 2 options are not mutually exclusive and you can implement both at the same time, but I think that is overkill.
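For the encrypted JDBC option, the client-side setting decides whether encryption is merely attempted, required, or required with the server certificate checked. The following is an added example, not part of the original answer: a small auditor for datasource JDBC URLs. It assumes PostgreSQL (pgjdbc `sslmode`) or MySQL Connector/J 8 (`sslMode`), since the thread does not name the database, and the URLs are constructed samples.

```python
from urllib.parse import parse_qsl

# Assumption: the thread names no database; these are the documented client TLS
# modes of pgjdbc (sslmode) and MySQL Connector/J 8 (sslMode), with their defaults.
DRIVERS = {"postgresql": ("sslmode", "prefer"), "mysql": ("sslMode", "PREFERRED")}

VERDICTS = {
    "disable": "plaintext", "disabled": "plaintext",
    # Opportunistic modes fall back to cleartext if the server offers no TLS.
    "allow": "opportunistic", "prefer": "opportunistic", "preferred": "opportunistic",
    # Encrypted, but the server certificate is not validated.
    "require": "encrypted-unverified", "required": "encrypted-unverified",
    # Certificate chain validated, host name not checked.
    "verify-ca": "verified-ca", "verify_ca": "verified-ca",
    # Chain and host name validated.
    "verify-full": "verified-host", "verify_identity": "verified-host",
}

def audit_jdbc_url(url):
    """Return the TLS posture a JDBC URL requests, or 'unknown'."""
    parts = url.split(":", 2)
    if len(parts) < 3 or parts[0] != "jdbc" or parts[1] not in DRIVERS:
        return "unknown"
    key, default = DRIVERS[parts[1]]
    query = parts[2].partition("?")[2]
    # Property names are matched exactly; a misspelled key is treated as absent,
    # so the driver default applies. Only URL parameters are inspected, and the
    # legacy pgjdbc ssl=true shorthand is not interpreted.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return VERDICTS.get(params.get(key, default).lower(), "unknown")

def audit_all(urls):
    """Map each URL to its verdict so weak datasources can be listed."""
    return {u: audit_jdbc_url(u) for u in urls}

# Constructed sample URLs (host names and paths are placeholders).
SAMPLES = [
    "jdbc:postgresql://db.example.internal:5432/reports",
    "jdbc:postgresql://db.example.internal/reports?sslmode=require",
    "jdbc:postgresql://db.example.internal/reports?sslmode=verify-full&sslrootcert=/path/to/ca.pem",
    "jdbc:mysql://db.example.internal:3306/reports?sslMode=VERIFY_IDENTITY",
]

if __name__ == "__main__":
    for url, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:22} {url}")
```

A client-side verdict below `encrypted-unverified` means the link is only encrypted if the server also refuses cleartext, which is the REQUIRE setting the answer mentions for the DB server side.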