StateManager JNDI configuration is not needed from 9.0.02 onwards



Article ID: 116276


Products

CA Rapid App Security, CA Advanced Authentication

Issue/Introduction

Prior to CA Strong Authentication version 9.0.02, setting up the JNDI connection with an application server such as Tomcat required the following:

1. Specify a JNDI name on the ArcotAFMWizard configuration screen, like the one below:

<Please see attached file for image>

Note that "Primary JNDI Name" is not asked for in version 9.0.02, and the ArcotAFMWizard screen looks like this:

<Please see attached file for image>

2. Prior to 9.0.02, the arcotsm.properties file that was created had these lines for JNDI configuration, as shown below. Note that at 9.0.02 you will not find these lines in arcotsm.properties.

# --------------------------------------------------------------------------
# Application server pool name(s). Uncomment backup datasource settings to 
# configure the backup database. To configure additional backup data sources, add more
# database properties.
#  
# --------------------------------------------------------------------------

#<!-- Primary datasource properties -->
AppServerConnectionPoolName.1=java:comp/env/primaryjndi

#<!-- Backup datasource properties -->
#AppServerConnectionPoolName.2=

3. Prior to 9.0.02, making the JNDI connection to the database required server.xml to contain the following "Resource name" section, which required the "username" and "password" to be provided in clear. At 9.0.02 this entry is not needed.

=== The section "<Resource name..........." with JNDI name "primaryjndi" in the example below is NOT needed at 9.0.02 ===
<!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->

<Resource name="primaryjndi" auth="Container" 
            type="javax.sql.DataSource" username="arcotuser" password="yourpasswrd" 
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://kumgi02-S12076:1433;databaseName=arcotdb;selectMethod=cursor" maxWait="30000" maxActive="32" maxIdle="4" initialSize="4" 
    timeBetweenEvictionRunsMillis="600000" minEvictableIdleTimeMillis="600000"/>
============================  ====================================

4. Prior to 9.0.02, to make the JNDI connection to the database it was required that context.xml contain the following "ResourceLink" section. At 9.0.02 this entry is not needed. 

=========  Similarly context.xml  will not need  this  ResourceLink line ==============
<ResourceLink global="primaryjndi" name="primaryjndi" type="javax.sql.DataSource"/>
============================= ========================================



 

Customers have requested that any DB credential entries required in files such as server.xml be encrypted and not shown in clear. Hence, CA Strong Authentication version 9.0.02 addresses this security issue and removes any requirement that may lead to exposing the DB credentials in clear.

Environment

CA Strong Authentication version 9.0.02

Resolution

1. Run the ArcotAFMWizard (which will create the arcotsm.properties in <ARCOT_HOME>\conf\afm)
2. Ensure that the new arcotsm.war released as part of 9.0.02 is deployed correctly (clearing any WORK and Temp folders associated with the application server of choice)
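
A check for the pre-9.0.02 entries described in items 2 to 4 above, so that a leftover clear-text DB password in server.xml is noticed after the upgrade. This is an added example, not CA code; the function names and the sample inputs (modelled on the snippets in this article) are constructed, and it assumes the three files are read as text and passed in.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the pre-9.0.02 snippets in this article.
SERVER_XML = """<Server><GlobalNamingResources>
  <Resource name="primaryjndi" auth="Container" type="javax.sql.DataSource"
            username="arcotuser" password="yourpasswrd"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://dbhost.example:1433;databaseName=arcotdb"/>
</GlobalNamingResources></Server>"""
CONTEXT_XML = """<Context>
  <ResourceLink global="primaryjndi" name="primaryjndi" type="javax.sql.DataSource"/>
</Context>"""
ARCOTSM_PROPERTIES = """#<!-- Primary datasource properties -->
AppServerConnectionPoolName.1=java:comp/env/primaryjndi
#AppServerConnectionPoolName.2=
"""

# Matches only active lines; commented-out or empty entries are ignored.
POOL_LINE = re.compile(
    r"^[ \t]*(AppServerConnectionPoolName\.\d+)[ \t]*=[ \t]*(\S+)", re.M)

def pool_names(props_text):
    """Return JNDI names from active AppServerConnectionPoolName lines."""
    return [value.rsplit("/", 1)[-1] for _key, value in POOL_LINE.findall(props_text)]

def find_leftovers(server_xml, context_xml, props_text):
    """List pre-9.0.02 JNDI leftovers; password values are never reported."""
    findings = []
    for name in pool_names(props_text):
        findings.append(("arcotsm.properties", name,
                         "active AppServerConnectionPoolName entry"))
    for res in ET.fromstring(server_xml).iter("Resource"):
        if res.get("type") == "javax.sql.DataSource" and "password" in res.attrib:
            findings.append(("server.xml", res.get("name"),
                             "clear-text password attribute for user "
                             + res.get("username", "?")))
    for link in ET.fromstring(context_xml).iter("ResourceLink"):
        if link.get("type") == "javax.sql.DataSource":
            findings.append(("context.xml", link.get("global"),
                             "ResourceLink to global DataSource"))
    return findings

if __name__ == "__main__":
    for where, name, what in find_leftovers(SERVER_XML, CONTEXT_XML, ARCOTSM_PROPERTIES):
        print(f"{where}: {name}: {what}")
```

Before removing a reported Resource, confirm that no other web application on the same Tomcat instance uses that DataSource.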

Additional Information

To test whether the CA StateManager is connecting to the database:

Step #1. Use the StateManager test tool by opening http://hostname:port/arcotsm to bring up the StateManager test page. Then create a token and read the token back.

Step #2. After a successful Token Create action using the tool mentioned in Step #1 above, verify that the tokens are being inserted into the ARTSTOKENS table. You may check the inserted row in the ARTSTOKENS table via the SQL query below. This query should return a row for the token that was inserted in Step #1.

select * from ARTSTOKENS where tsTokenId = 'Provide the token that you created in Step 1';

Step #3. Examine arcotsm.log to check that no errors are reported on Create Token or Read Token as attempted in Step #1.

Attachments

1558695315446000116276_sktwi1f5rjvs16i3a.jpeg
1558695313477000116276_sktwi1f5rjvs16i39.jpeg