This page describes the communication between the dbWatch Monitor and the Server.
The default setup
To ensure the privacy of user sessions, dbWatch wraps all communication between the monitors and the servers in SSL/TLS.
During installation the installer generates new unique keys for monitors and servers.
As the monitors and servers do not share information during installation, the installer cannot establish a trust structure to be used for authentication. Therefore, authentication of servers and monitors is turned off by default.
Even though dbWatch works without going through this step, we strongly recommend hardening the communication by setting up a trust structure.
Hardening the communication
The default setup of dbWatch leaves the application vulnerable to a ‘man-in-the-middle’ attack, because neither side checks the other's certificate. Certificate validation can be turned on, on both the server and the monitor, using the following steps:
To make the monitor verify the server
On the server
Use the Java keytool to create a Java keystore containing a new key pair for the server, then create a certificate signing request for it.
keytool -genkey -alias nameOfMyKey -keyalg RSA -keystore myKeystore.jks -keysize 2048 -dname "CN=<hostname>, OU=?, O=?, L=?, ST=?, C=?" -storepass securePassword
keytool -certreq -keystore myKeystore.jks -storepass securePassword -alias nameOfMyKey -file myKeystore.cert.req
Have a certificate authority sign the request. Import the certificate authority’s certificate and the signed certificate you receive back into the keystore.
keytool -import -file ca.cert -keystore myKeystore.jks -storepass securePassword -alias ca -noprompt
keytool -import -file myKeystore.cert -keystore myKeystore.jks -storepass securePassword -alias nameOfMyKey -noprompt
Stop the server.
In the server’s configuration file (./server_configuration.xml):
- Locate the tag rmi-ssl-keystore and set keystore-file and keystore-password to the values for the newly created keystore.
- Locate the tag rmi-server-hostname and set its value to the hostname of the server, which should be the hostname used in the certificate (the CN given to keytool above).
After a restart the server will use the newly created keystore for its TLS traffic.
On the monitor
Turn off the dbWatch monitor.
Open a shell and cd to <>/monitor/resources.
- Delete (or rename) the old keystore named rmissl.jks.
- Create a new keystore using keytool.
keytool -genkey -alias nameOfMyKey -keyalg RSA -keystore rmissl.jks -keysize 2048 -dname "CN=<hostname>, OU=?, O=?, L=?, ST=?, C=?" -storepass securePassword
This should result in a new rmissl.jks being created.
Import the certificate of the certificate authority that signed the server’s certificate into the monitor’s keystore.
keytool -import -file ca.cert -keystore rmissl.jks -storepass securePassword -alias ca -noprompt
Open the monitor.xml file. See File Structure.
Locate the tag SSL_KEYSTORE_PASSWORD and set its value to the keystore password chosen above (securePassword in the example). After the monitor restarts the password will be stored encrypted, as in the following example.
<param>
<key>SSL_KEYSTORE_PASSWORD</key>
<class>java.lang.String</class>
<value>0ebe3ffb60ee5e059d4e3da20273f428454ccf84bf1a09965b8ae8270ea1e59e</value>
</param>
Locate the ASSERT_SSL_CERTIFICATION_CHAIN parameter and set its value to true.
<param>
<key>ASSERT_SSL_CERTIFICATION_CHAIN</key>
<class>java.lang.Boolean</class>
<value>true</value>
</param>
With this setup the monitor validates the server’s certificate chain and host name.
To make the server verify the monitor
On the monitor
Turn off the dbWatch monitor.
Open a shell and cd to [dbWatch installation folder]/monitor/resources.
Use the Java keytool to create a certificate signing request for the monitor.
keytool -certreq -keystore rmissl.jks -storepass securePassword -alias nameOfMyKey -file monitor.cert.req
Have a certificate authority sign the request. Import the certificate authority’s certificate and the signed certificate you receive back into the keystore.
keytool -import -file ca.cert -keystore rmissl.jks -storepass securePassword -alias ca -noprompt
keytool -import -file monitor.cert -keystore rmissl.jks -storepass securePassword -alias nameOfMyKey -noprompt
On the server
Stop the server.
Open the server’s configuration file (./server_configuration.xml) in a text editor.
Locate the tag rmi-ssl-truststore.
<rmi-ssl-truststore>
<keystore>
<keystore-password>9b4d4cdb907068f67da04f72fc97fe9d</keystore-password>
<keystore-file>server/resources/rmissl.jks</keystore-file>
</keystore>
</rmi-ssl-truststore>
Open a shell and cd to the directory where the server’s keystore is located.
Use the Java keytool to import the certificate of the certificate authority that signed the monitor’s certificate.
keytool -import -file ca.cert -keystore myKeystore.jks -storepass securePassword -alias ca -noprompt
Open the server’s configuration file (./server_configuration.xml) in a text editor.
Locate the tag assert-ssl-certificate-chain and set its value to true.
Restart the monitor and the server.
This setup makes the server verify the client’s (monitor’s) certificate.
The tls.properties file
It is possible to control all of the properties mentioned above in a single file.
This file is named tls.properties and should be placed in the server directory when configuring the server, or in the user’s dbwatch directory when configuring the monitor.
The properties in this file take priority over the corresponding properties in the other configuration files.
The skeleton of a tls.properties file:
// The ciphers used for tls.
cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
// Keystore filename and password
keyStoreFileName=keystore.jks
keyStorePassword=
// Truststore filename and password
trustStoreFileName=truststore.jks
trustStorePassword=
// Turn on client authentication
needClientAuth=true
// Turn on certificate chain checking
checkCertChain=true
// Check if the hostname matches the certificate
assertHost=true
// Disable all tls.
// This removes all security.
// By setting this flag to true you disable all attempts by dbwatch to keep your communication secure.
//disable=true
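The monitor.xml parameters set in “To make the monitor verify the server” and the tls.properties flags above interact through the priority rule just stated: a value in tls.properties wins over the corresponding monitor.xml parameter. The following Python script is an added example, not part of dbWatch or this page, that resolves the effective settings from both files and reports whether the monitor will actually validate the server’s certificate chain and hostname. It assumes the <param> blocks sit under a <monitor> root element, that lines beginning with // are comments in tls.properties (as the skeleton above shows), and that checkCertChain and assertHost correspond to ASSERT_SSL_CERTIFICATION_CHAIN in monitor.xml; the sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed monitor.xml fragment. The <param> layout follows this page; the
# enclosing <monitor> root element is an assumption. The chain check is left at
# its default (false) on purpose, so that tls.properties has something to override.
MONITOR_XML = """<monitor>
  <param>
    <key>SSL_KEYSTORE_PASSWORD</key>
    <class>java.lang.String</class>
    <value>PLACEHOLDER-ENCRYPTED-PASSWORD</value>
  </param>
  <param>
    <key>ASSERT_SSL_CERTIFICATION_CHAIN</key>
    <class>java.lang.Boolean</class>
    <value>false</value>
  </param>
</monitor>
"""

# Constructed tls.properties contents, using the // comment style of the skeleton.
TLS_PROPERTIES = """// Turn on certificate chain checking
checkCertChain=true
// Check if the hostname matches the certificate
assertHost=true
// Disable all tls.
//disable=true
"""


def parse_monitor_params(xml_text):
    """Return {key: value} for every <param> block in a monitor.xml document."""
    root = ET.fromstring(xml_text)
    params = {}
    for param in root.iter("param"):
        key = param.findtext("key")
        value = param.findtext("value")
        if key is not None:
            params[key.strip()] = (value or "").strip()
    return params


def parse_tls_properties(text):
    """Return {key: value} from tls.properties. Lines starting with // (this page's
    style) or # (the usual Java properties style) are treated as comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def as_bool(value, default):
    """Interpret a config string as a boolean; missing or empty falls back to default."""
    if value is None or value == "":
        return default
    return value.strip().lower() == "true"


def effective_monitor_settings(monitor_params, tls_props):
    """Resolve what the monitor will enforce: tls.properties wins over monitor.xml.
    Mapping checkCertChain/assertHost onto ASSERT_SSL_CERTIFICATION_CHAIN is an
    assumption based on the descriptions of those flags on this page."""
    xml_assert = as_bool(monitor_params.get("ASSERT_SSL_CERTIFICATION_CHAIN"), False)
    return {
        "tls_disabled": as_bool(tls_props.get("disable"), False),
        "check_cert_chain": as_bool(tls_props.get("checkCertChain"), xml_assert),
        "assert_host": as_bool(tls_props.get("assertHost"), xml_assert),
    }


def audit(settings):
    """List the weaknesses a reviewer should flag before trusting this monitor."""
    findings = []
    if settings["tls_disabled"]:
        findings.append("disable=true: all TLS protection is off; traffic is plaintext")
    if not settings["check_cert_chain"]:
        findings.append("certificate chain is not validated: the default setup is open to a man-in-the-middle")
    if not settings["assert_host"]:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    resolved = effective_monitor_settings(parse_monitor_params(MONITOR_XML),
                                          parse_tls_properties(TLS_PROPERTIES))
    for line in audit(resolved) or ["no findings: chain and hostname checks are enabled"]:
        print(line)
```

Running the script against the constructed inputs reports no findings, because tls.properties turns both checks on even though monitor.xml still holds the default false. Removing the tls.properties entries, or uncommenting disable=true, makes the corresponding finding appear, which is the check worth automating on every monitor after the hardening steps above.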