This page describes the communication between the dbWatch Monitor and the Server.

The default setup

To ensure the privacy of the user sessions, dbWatch wraps all communication
between the monitors and the servers in SSL/TLS.
During installation the installer generates new unique keys for monitors and servers.

As the monitors and servers do not share information during installation, the installer cannot establish a trust structure to be used for authentication. Therefore, authentication of servers and monitors is turned off by default.

Even though dbWatch works without going through this step, we strongly recommend hardening the communication by setting up a trust structure.

Hardening the communication

The default setup of dbWatch leaves the application vulnerable to a ‘man-in-the-middle’ attack. Certificate validation can be turned on, on both the server and the monitor, using the following steps:

To make the monitor verify the server

On the server

Use the java keytool to create a java keystore containing a new key pair for the server and to create a certificate signing request.

keytool -genkey -alias nameOfMyKey -keyalg RSA -keystore myKeystore.jks -keysize 2048 -dname "CN=<hostname>, OU=?, O=?, L=?, ST=?, C=?" -storepass securePassword

keytool -certreq -keystore myKeystore.jks -storepass securePassword -alias nameOfMyKey -file myKeystore.cert.req

Get a certificate authority to sign the certificate. Import the certificate authority’s certificate and your new signature into the keystore.

keytool -import -file ca.cert -keystore myKeystore.jks -storepass securePassword -alias ca -noprompt

keytool -import -file myKeystore.cert -keystore myKeystore.jks -storepass securePassword -alias nameOfMyKey -noprompt

Stop the server.
In the server's configuration file (./server_configuration.xml):

  • Locate the tag rmi-ssl-keystore. Set keystore-file and keystore-password to the values of the newly created keystore.
  • Locate the tag rmi-server-hostname and set its value to the hostname of the server, which must be the hostname used in your certificate (the CN given to keytool above).

After a restart the server will use the newly created keystore for its TLS traffic.

On the monitor

Turn off the dbWatch monitor.

Open a shell and cd to <>/monitor/resources.

  • Delete (or rename) the old keystore named rmissl.jks.
  • Create a new keystore using keytool:

keytool -genkey -alias nameOfMyKey -keyalg RSA -keystore rmissl.jks -keysize 2048 -dname "CN=<hostname>, OU=?, O=?, L=?, ST=?, C=?" -storepass securePassword

This should result in a new rmissl.jks being created.
Import the certificate of the certificate authority that signed the server's certificate into the monitor's keystore.

keytool -import -file ca.cert -keystore rmissl.jks -storepass securePassword -alias ca -noprompt

Open the monitor.xml file. See File Structure.

Locate the tag SSL_KEYSTORE_PASSWORD and set its value to the keystore password used above. After the monitor restarts the stored value will be encrypted, as in this example:

<param>
  <key>SSL_KEYSTORE_PASSWORD</key>
  <class>java.lang.String</class>
  <value>0ebe3ffb60ee5e059d4e3da20273f428454ccf84bf1a09965b8ae8270ea1e59e</value>
</param>

Locate the tag ASSERT_SSL_CERTIFICATION_CHAIN and set its value to true:

<param>
  <key>ASSERT_SSL_CERTIFICATION_CHAIN</key>
  <class>java.lang.Boolean</class>
  <value>true</value>
</param>

With this setup the monitor will validate the server's certificate chain and host name.

To make the server verify the monitor

On the monitor

Turn off the dbWatch monitor.

Open a shell and cd to [dbWatch installation folder]/monitor/resources.

Use the java keytool to create a certificate signing request for the monitor.

keytool -certreq -keystore rmissl.jks -storepass securePassword -alias nameOfMyKey -file monitor.cert.req

Get a certificate authority to sign the certificate. Import the certificate authority’s certificate and your new signature into the keystore.

keytool -import -file ca.cert -keystore rmissl.jks -storepass securePassword -alias ca -noprompt

keytool -import -file monitor.cert -keystore rmissl.jks -storepass securePassword -alias nameOfMyKey -noprompt

On the server

Stop the server.

Open the server's configuration file (./server_configuration.xml) in a text editor.

Locate the tag rmi-ssl-truststore:

<rmi-ssl-truststore>
  <keystore>
    <keystore-password>9b4d4cdb907068f67da04f72fc97fe9d</keystore-password>
    <keystore-file>server/resources/rmissl.jks</keystore-file>
  </keystore>
</rmi-ssl-truststore>

Open a shell and cd to the directory where the server's keystore is located.

Use the java keytool to import the certificate of the certificate authority that signed the monitor's certificate.

keytool -import -file ca.cert -keystore myKeystore.jks -storepass securePassword -alias ca -noprompt

Open the server's configuration file (./server_configuration.xml) in a text editor.

Locate the tag assert-ssl-certificate-chain and set its value to true.

Restart the monitor and the server.

This setup makes the server verify the client’s certificate.

The tls.properties file

It is possible to control the above mentioned properties in a single file.
This file is named tls.properties and should be placed in the server directory when configuring the server, or in the user's dbwatch directory when configuring the monitor.
The properties in this file have priority over the corresponding properties in the other configuration files.

The skeleton of a tls.properties file:

// The ciphers used for tls.
cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA

// Keystore filename and password
keyStoreFileName=keystore.jks
keyStorePassword=

// Truststore filename and password
trustStoreFileName=thruststore.jks
trusStorePassword=

// Turn on client authentication
needClientAuth=true

// Turn on certificate chain checking
checkCertChain=true

// Check if the hostname matches the certificate
assertHost=true

// Disable all tls.
// This removes all security.
// By setting this flag to true you disable all attempts by dbwatch to keep your communication secure.
//disable=true
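As an added example (not dbWatch's own code), the following Python script audits the settings described in the three sections above: it merges the monitor.xml <param> values with a tls.properties file, applies the documented rule that the properties file takes priority, and reports any setting that leaves the monitor-to-server link unauthenticated. The monitor.xml and tls.properties contents are constructed samples, and the assumption that assertHost defaults to the chain-check value follows the statement above that chain validation on the monitor also checks the host name.

```python
# Audit dbWatch TLS settings (added example; not dbWatch's own code). Merges a
# monitor.xml-style <param> list with a tls.properties file, giving the properties
# priority as documented, and lists settings that leave the link open to a MITM.
import xml.etree.ElementTree as ET

# Constructed sample monitor.xml fragment: chain validation still off.
MONITOR_XML = """<params>
<param><key>SSL_KEYSTORE_PASSWORD</key><class>java.lang.String</class><value></value></param>
<param><key>ASSERT_SSL_CERTIFICATION_CHAIN</key><class>java.lang.Boolean</class><value>false</value></param>
</params>"""

# Constructed sample tls.properties: re-enables chain checking, leaves client auth off.
TLS_PROPERTIES = """// Turn on certificate chain checking
checkCertChain=true
needClientAuth=false
//disable=true
"""

def parse_monitor_params(xml_text):
    # Map each <param> key to its <value> text.
    root = ET.fromstring(xml_text)
    return {p.findtext("key"): p.findtext("value") or "" for p in root.iter("param")}

def parse_tls_properties(text):
    # key=value lines; '//' lines are comments in the documented skeleton.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(xml_text, props_text):
    # Return the findings after merging both sources (properties win).
    xml_params = parse_monitor_params(xml_text)
    props = parse_tls_properties(props_text)
    chain = props.get("checkCertChain", xml_params.get("ASSERT_SSL_CERTIFICATION_CHAIN", "false"))
    host = props.get("assertHost", chain)  # assumption: chain validation also checks the host name
    findings = []
    if props.get("disable", "").lower() == "true":
        findings.append("disable=true switches off all TLS protection")
    if chain.lower() != "true":
        findings.append("certificate chain is not validated: man-in-the-middle possible")
    if host.lower() != "true":
        findings.append("host name is not checked against the certificate")
    if props.get("needClientAuth", "").lower() != "true":
        findings.append("server does not require the monitor's certificate")
    return findings
```

Run audit(MONITOR_XML, TLS_PROPERTIES) to see that the properties file overrides the XML value of ASSERT_SSL_CERTIFICATION_CHAIN and only the missing client authentication is reported.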
