JDBC password consumer with Tomcat

Article ID: 69215

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Question:

How to configure a Tomcat application to use a JDBC password consumer

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager
Component:

Resolution

Answer:

This assumes that Tomcat already connects to SQL Server directly, that a PIM agent is already running on the server hosting Tomcat with PUPM integration configured, and that the ENTM it reports to already has a password consumer configured. In other words, the only change is to make the Tomcat application use the password consumer instead of a hardcoded password; everything else is already in place.

1. Copy the following files to <tomcat>\lib:

<AccessControl>\SDK\JDBC\CAJDBCDriver.jar
<AccessControl>\SDK\JDBC\CAPUPMClientCommons.jar
<AccessControl>\SDK\JDBC\jsafeFIPS.jar

2. The CAJDBC driver needs to be loaded by adding the following parameter to the java.exe runtime options:

-Djdbc.drivers=com.ca.ppm.clients.jdbc.CAJDBCDriver

The recommended way of doing this is to add the following line to <tomcat>\bin\setenv.bat, which appends the option to any JAVA_OPTS already set rather than replacing them:

set "JAVA_OPTS=%JAVA_OPTS% -Djdbc.drivers=com.ca.ppm.clients.jdbc.CAJDBCDriver"

Note that setenv.bat does not exist by default, so you may need to create it. If it already exists, make sure you do not overwrite any JAVA_OPTS it already sets.

3. Make sure the Java instance for Tomcat runs as an Access Control user that is allowed to use the password consumer.

If you start Tomcat with <tomcat>\bin\startup.bat, log in as that user and execute <tomcat>\bin\startup.bat.

If you run Tomcat as a service, open "Services", right-click the service you use to start Tomcat and choose Properties. On the "Log On" tab, select "This account:", click Browse, find and select the user, and press OK.

4. Configure the datasource to use the CAJDBCDriver rather than the SQL Server JDBC driver.

This assumes you are using META-INF/context.xml to define the database connection. If the resource is defined in another configuration file, change driverClassName and url there instead. Note that the value of the password attribute is not used: it is substituted with the password returned from the ENTM.

<sqlserver> = the host/FQDN of the database server
<dbname> = the name of the database on <sqlserver>
<username> = the login on <sqlserver>

In <app>.war, modify driverClassName and url in META-INF/context.xml like so:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/Test_Jboss_DB"
            auth="Container"
            type="javax.sql.DataSource"
            username="<username>"
            password="notused"
            driverClassName="com.ca.ppm.clients.jdbc.CAJDBCDriver"
            url="@@@com.microsoft.sqlserver.jdbc.SQLServerDriver@@@jdbc:sqlserver://<sqlserver>;DatabaseName=<dbname>;SelectMethod=cursor;"
            logValidationErrors="true"
            maxActive="8" />
</Context>
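To check the edited context.xml before repackaging the war, the following Python script (an added example, not part of this article or of the CA SDK) parses the file, finds the Resource by name and reports whether driverClassName and the @@@-wrapped url match the form shown above. It also flags a real-looking value left in the password attribute: CAJDBCDriver ignores it, so a genuine secret there is only a credential sitting unused inside the war. The host, database, login and password values in the two embedded samples are constructed for the example.

```python
# Added example (not from the article): sanity-check a Tomcat context.xml Resource
# for the CAJDBCDriver password-consumer configuration described in step 4.
# Assumptions: the url format "@@@<real driver class>@@@<real jdbc url>" and the
# driver class name are as shown in the article; everything else is constructed here.
import re
import xml.etree.ElementTree as ET

CA_DRIVER = "com.ca.ppm.clients.jdbc.CAJDBCDriver"

# The CAJDBCDriver url wraps the real driver class in @@@ markers and appends that
# driver's own JDBC url (format taken from the article's context.xml).
WRAPPED_URL = re.compile(r"^@@@(?P<driver>[A-Za-z_][\w.]*)@@@(?P<url>jdbc:.+)$")

# Placeholder values that are acceptable in the ignored password attribute.
PASSWORD_PLACEHOLDERS = {"notused", "unused", "placeholder"}

# Constructed sample: the article's context.xml with hypothetical host/database values.
CONVERTED_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/Test_Jboss_DB"
            auth="Container"
            type="javax.sql.DataSource"
            username="appuser"
            password="notused"
            driverClassName="com.ca.ppm.clients.jdbc.CAJDBCDriver"
            url="@@@com.microsoft.sqlserver.jdbc.SQLServerDriver@@@jdbc:sqlserver://dbhost.example.test;DatabaseName=appdb;SelectMethod=cursor;"
            logValidationErrors="true"
            maxActive="8" />
</Context>
"""

# Constructed sample of the "before" state: direct SQL Server driver and a hardcoded password.
UNCONVERTED_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resource name="jdbc/Test_Jboss_DB"
            auth="Container"
            type="javax.sql.DataSource"
            username="appuser"
            password="S3cret-Example"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://dbhost.example.test;DatabaseName=appdb;SelectMethod=cursor;"
            maxActive="8" />
</Context>
"""


def parse_wrapped_url(url):
    """Split a CAJDBCDriver url into (real driver class, real jdbc url); None if not wrapped."""
    m = WRAPPED_URL.match(url)
    if m is None:
        return None
    return m.group("driver"), m.group("url")


def check_resource(context_xml, resource_name):
    """Return a list of findings for the named Resource; an empty list means it looks right."""
    root = ET.fromstring(context_xml.encode("utf-8"))
    resource = next((r for r in root.iter("Resource") if r.get("name") == resource_name), None)
    if resource is None:
        return [f"no Resource named {resource_name!r} found"]

    findings = []
    driver = resource.get("driverClassName")
    if driver != CA_DRIVER:
        findings.append(f"driverClassName is {driver!r}, expected {CA_DRIVER!r}")

    if parse_wrapped_url(resource.get("url", "")) is None:
        findings.append("url is not in the @@@<real driver class>@@@<real jdbc url> form")

    if not resource.get("username"):
        findings.append("username is empty; it must be the login on the database server")

    # CAJDBCDriver ignores the password attribute, so a real secret here is only a liability.
    password = resource.get("password", "")
    if password and password.lower() not in PASSWORD_PLACEHOLDERS:
        findings.append("password attribute holds a non-placeholder value; it is not used, "
                        "so keep a real secret out of context.xml")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("converted", CONVERTED_CONTEXT_XML),
                            ("unconverted", UNCONVERTED_CONTEXT_XML)):
        problems = check_resource(xml_text, "jdbc/Test_Jboss_DB")
        print(f"{label}: {'OK' if not problems else problems}")
```

Run it against your own file by reading it into a string and passing it to check_resource together with the Resource name your application looks up; the unconverted sample reports three findings (driver class, url form, password) and the converted one reports none.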