Enabling extended password encryption for the jConnect for JDBC Driver

This section describes how to enable extended password encryption for the jConnect for JDBC Driver.


Using the ENCRYPT_PASSWORD connection property

The ENCRYPT_PASSWORD connection property specifies whether the password is transmitted in encrypted format. In ESD #8, this same property is used to enable asymmetric key encryption. When password encryption is enabled and the server supports asymmetric key encryption, this format is used instead of the symmetric key encryption.

Set the ENCRYPT_PASSWORD connection property to true to enable password encryption. The default value is false.

Note: If the server is configured to require clients to use an encrypted password, entering a plain text password will cause login to fail.


Enabling login retry with a clear text password

Server login fails when the ENCRYPT_PASSWORD property is set to true, and the server does not support password encryption. If you want to use a clear text password for servers that do not support password encryption, set the RETRY_WITH_NO_ENCRYPTION connection property to true.

When both ENCRYPT_PASSWORD and RETRY_WITH_NO_ENCRYPTION properties are set to true, jConnect first logs in using the encrypted password. If login fails, jConnect logs in using the clear text password.
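The two login modes described above, as an added Java example that is not part of the jConnect documentation. The server URL, user name and the jConnect 7 driver class name (com.sybase.jdbc4.jdbc.SybDriver) are assumptions; the property names ENCRYPT_PASSWORD and RETRY_WITH_NO_ENCRYPTION are the ones this page documents. The first helper fails closed (no downgrade to a clear text password); the second opts into the retry, which is the setting to audit because it lets the password cross the wire unencrypted when the server cannot do encryption.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class EncryptedLoginExample {

    // Placeholder endpoint (assumption): jdbc:sybase:Tds:<host>:<port>
    private static final String URL = "jdbc:sybase:Tds:db.example.internal:5000";

    // jConnect 7 driver class (assumption; adjust for your jConnect version).
    private static final String DRIVER_CLASS = "com.sybase.jdbc4.jdbc.SybDriver";

    /** Properties that require the password to be sent encrypted.
     *  RETRY_WITH_NO_ENCRYPTION stays at its default (false), so a server
     *  that cannot do password encryption makes the login fail rather than
     *  silently falling back to clear text. */
    static Properties encryptedOnly(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("ENCRYPT_PASSWORD", "true"); // default is false
        return props;
    }

    /** Same as above, but allow a second login with a clear text password
     *  when the encrypted login fails. Use only for servers that are known
     *  not to support password encryption, and log that it happened. */
    static Properties encryptedWithClearTextFallback(String user, String password) {
        Properties props = encryptedOnly(user, password);
        props.setProperty("RETRY_WITH_NO_ENCRYPTION", "true");
        return props;
    }

    /** Opens a connection with the given properties. */
    static Connection open(Properties props) throws SQLException {
        try {
            Class.forName(DRIVER_CLASS); // registers the driver with DriverManager
        } catch (ClassNotFoundException e) {
            throw new SQLException("jConnect driver not on the classpath", e);
        }
        return DriverManager.getConnection(URL, props);
    }

    public static void main(String[] args) {
        // Credentials read from the environment so they never appear in source.
        String user = System.getenv().getOrDefault("DB_USER", "appuser");
        String password = System.getenv().getOrDefault("DB_PASSWORD", "change-me");
        boolean allowFallback = args.length > 0 && args[0].equals("--allow-clear-text-retry");

        Properties props = allowFallback
                ? encryptedWithClearTextFallback(user, password)
                : encryptedOnly(user, password);

        try (Connection conn = open(props)) {
            System.out.println("Connected; encrypted login mode = "
                    + props.getProperty("ENCRYPT_PASSWORD")
                    + ", clear text retry = "
                    + props.getProperty("RETRY_WITH_NO_ENCRYPTION", "false"));
        } catch (SQLException e) {
            // With ENCRYPT_PASSWORD=true and no retry, this is the expected outcome
            // against a server that does not support password encryption.
            System.err.println("Login failed: " + e.getMessage());
        }
    }
}
```

Run without arguments to get the fail-closed behaviour; pass `--allow-clear-text-retry` only for the legacy servers the page describes, and treat that flag as something to remove once those servers are upgraded.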


Setting up the Java Cryptography Extension (JCE) provider

The new asymmetric password encryption mechanism uses RSA encryption algorithms to encrypt the password being transmitted. In order to perform this RSA encryption, configure your JRE with a suitable Java Cryptography Extension (JCE) provider. The configured JCE provider should be capable of supporting the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation.

The Sun JCE provider included with Sun JREs may not be capable of handling the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation. In order to use the extended password encryption feature in this case, you need to configure an external JCE provider that includes support for this transformation. If the JCE is not capable of handling the required transformation, you will receive an error message at login.

You can use the JCE_PROVIDER_CLASS connection property to specify the JCE provider. There are a number of commercial and open source JCE providers that you can choose from. For example, the “Bouncy Castle Crypto APIs for Java” is a popular open source Java JCE provider. If you choose not to specify the JCE_PROVIDER_CLASS property, jConnect will attempt to use any bundled JCE.

To specify a JCE provider:

If jConnect is unable to use the JCE provider specified, it will attempt to use the JCE providers configured in the JRE security profile. If no other JCE providers are configured or configured providers do not support the required transformation and password encryption is enabled, the connection will fail.

Note: The JCE provider you specify must support the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation.
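A pre-flight check for the provider requirement described in this section, as an added Java example that is not part of the jConnect documentation. It registers a JCE provider by class name (the same class name you would pass in JCE_PROVIDER_CLASS), then asks each installed provider whether it can instantiate the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation, so a missing or incapable provider is found at deployment time instead of as a login error. The Bouncy Castle class name org.bouncycastle.jce.provider.BouncyCastleProvider is the real provider class of the project this page names; the server URL is a placeholder.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class JceProviderCheck {

    /** Transformation jConnect needs for asymmetric password encryption. */
    static final String REQUIRED_TRANSFORMATION = "RSA/NONE/OAEPWithSHA1AndMGF1Padding";

    /** Bouncy Castle's JCE provider class; the value you would put in JCE_PROVIDER_CLASS. */
    static final String BOUNCY_CASTLE_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Loads a provider by class name and appends it to the JRE's provider list.
     *  Returns false if the class is not on the classpath or cannot be created. */
    static boolean registerProvider(String className) {
        try {
            Provider p = (Provider) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
            if (Security.getProvider(p.getName()) == null) {
                Security.addProvider(p);
            }
            return true;
        } catch (ReflectiveOperationException | ClassCastException e) {
            return false;
        }
    }

    /** Names of all installed providers that can supply the required transformation.
     *  An empty list means encrypted login will fail at the JCE step. */
    static List<String> capableProviders() {
        List<String> capable = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            try {
                Cipher.getInstance(REQUIRED_TRANSFORMATION, p);
                capable.add(p.getName());
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
                // This provider cannot do the transformation; try the next one.
            }
        }
        return capable;
    }

    /** Connection properties that pin the provider jConnect should try first. */
    static Properties encryptedLoginProperties(String user, String password, String providerClass) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("ENCRYPT_PASSWORD", "true");
        props.setProperty("JCE_PROVIDER_CLASS", providerClass);
        return props;
    }

    public static void main(String[] args) {
        String providerClass = args.length > 0 ? args[0] : BOUNCY_CASTLE_CLASS;

        boolean registered = registerProvider(providerClass);
        System.out.println("Provider " + providerClass + (registered ? " registered" : " NOT available"));

        List<String> capable = capableProviders();
        if (capable.isEmpty()) {
            // Same condition that produces the login-time error the page describes.
            System.err.println("No installed JCE provider supports " + REQUIRED_TRANSFORMATION
                    + "; encrypted login will fail. Install a provider such as Bouncy Castle.");
            System.exit(1);
        }
        System.out.println("Providers supporting " + REQUIRED_TRANSFORMATION + ": " + capable);

        // Properties you would then hand to DriverManager.getConnection(url, props),
        // with url a placeholder such as jdbc:sybase:Tds:<host>:<port>.
        Properties props = encryptedLoginProperties("appuser", "change-me", providerClass);
        System.out.println("JCE_PROVIDER_CLASS=" + props.getProperty("JCE_PROVIDER_CLASS"));
    }
}
```

Run this once on each JRE that will host the driver; on a stock Sun/Oracle JRE without an external provider the capable list is typically empty, which is exactly the case the text warns about, and the check exits non-zero so a deployment script can stop before the application ever attempts a login.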