Enabling TLS in the JDBC Driver

All connections from Java applications to NuoDB are secured by default using the Secure Remote Password (SRP) protocol. Connections can also be secured using the Transport Layer Security (TLS) protocol. This section explains how to enable secure connections using TLS in the JDBC driver.

Java applications must use JDK 11.0.16 or later to connect using TLS, because earlier versions do not support 256-bit cipher keys.

Steps to Enable TLS

To enable TLS in the JDBC driver:

  1. Enable TLS in the domain.

    For more information, see Enabling TLS Encryption.

  2. Obtain a copy of the truststore file from your DBA or system administrator in PEM, JKS, or PKCS12 format.

  3. Add the following connection properties to the connection URL:

    • verifyHostname=false to disable hostname verification.

      By default, the JDBC driver verifies that the Distinguished Name (DN) of the certificate matches the hostname the application connects to, that is, the host in the connection URL.

      This verification fails when the certificate was issued for a different name (for example, a URL that uses localhost against a certificate issued to ca.nuodb.com). To disable hostname verification, set the verifyHostname connection property to false. Do this only when the names genuinely differ: with verification disabled the certificate must still be trusted by the truststore, but it is no longer tied to the host you connect to.

      To find out which hostname the certificate carries, list the truststore with keytool and read the CN from the Owner line. For example:

      keytool -list -v \
      -keystore C:\Work\nuodb-keys\nuoadmin-truststore.jks \
      -storepass <password> -storetype PKCS12 | grep -i owner
      Owner: CN=ca.nuodb.com, OU=Eng, O=NuoDB, L=Boston, ST=MA, C=US

      The hostname is the CN value (ca.nuodb.com here). On JDK 9 and later, keytool opens a legacy .jks file even with -storetype PKCS12, as shown.

      For Windows users replace grep -i owner with findstr -i owner.
    • trustStore to specify the location of truststore file on disk and trustStorePassword to specify the password to access the truststore file.

      Or trustedCertificates to specify the trusted certificate as a PEM encoded string.

      The trustStore property must specify either a path relative to the client application's working directory, or an absolute path readable by the client.

    • allowSRPFallback=false to prevent the driver from falling back to SRP if the TLS connection fails.

      Without this setting a failed TLS handshake (wrong truststore, expired or untrusted certificate) is not reported: the driver falls back to SRP and the connection succeeds without TLS, so a misconfiguration goes unnoticed. If neither trustStore nor trustedCertificates is specified, allowSRPFallback is ignored. For more information, see Managing TLS Security.

For example (the truststore password travels as a plain query parameter, so keep such URLs out of logs and committed configuration):

jdbc:com.nuodb://localhost/test?verifyHostname=false&allowSRPFallback=false&trustStore=/path/to/truststore-file.pem&trustStorePassword=<password>
jdbc:com.nuodb://localhost/test?verifyHostname=false&allowSRPFallback=false&trustedCertificates="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"

Example

import java.sql.Connection;
import java.sql.SQLException;

public static final String DATABASE_URL = "jdbc:com.nuodb://localhost/test";

// The truststore password is part of the URL here, so do not log or check in this string.
// allowSRPFallback=false makes a failed TLS handshake an error instead of a silent SRP connection.
com.nuodb.jdbc.DataSource dataSource = new com.nuodb.jdbc.DataSource();
dataSource.setUrl(DATABASE_URL + "?verifyHostname=false&allowSRPFallback=false&trustStore=</path/to/nuoadmin-truststore.p12>&trustStorePassword=<password>");
dataSource.setUser(user);
dataSource.setPassword(password);
dataSource.setDefaultSchema("Hockey");

// Throws SQLException if the certificate is not trusted or the TLS handshake fails.
Connection dbConnection = dataSource.getConnection();
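The three steps above put together as one complete client, added here as an example rather than NuoDB's own code: it opens the truststore (PEM, JKS or PKCS12) with the standard KeyStore and CertificateFactory APIs, reads each certificate's CN and DNS subject alternative names (the same information the keytool check shows), compares them with the host in the JDBC URL, and only then connects with allowSRPFallback=false, passing the truststore password through Properties instead of the URL so it does not end up in logged connection strings. The URL, credentials and truststore path are hypothetical, and it is an assumption that the NuoDB driver accepts the same property names through java.util.Properties as in the URL query string (the usual JDBC convention); it needs the NuoDB JDBC driver on the classpath and a TLS-enabled domain to actually connect.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class NuoDbTlsConnect {

    /** Loads every X.509 certificate from a PEM, JKS or PKCS12 truststore (storePassword may be null for PEM). */
    static List<X509Certificate> loadTrustedCertificates(String path, char[] storePassword) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            if (path.toLowerCase(Locale.ROOT).endsWith(".pem")) {
                // PEM: one or more "-----BEGIN CERTIFICATE-----" blocks, no password involved.
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                    certs.add((X509Certificate) c);
                }
            } else {
                // JKS or PKCS12. With keystore.type.compat=true (the JDK 9+ default, so JDK 11 as this page
                // requires) the PKCS12 implementation also reads legacy JKS files.
                KeyStore ks = KeyStore.getInstance("PKCS12");
                ks.load(in, storePassword);
                Enumeration<String> aliases = ks.aliases();
                while (aliases.hasMoreElements()) {
                    Certificate c = ks.getCertificate(aliases.nextElement());
                    if (c instanceof X509Certificate) certs.add((X509Certificate) c);
                }
            }
        }
        return certs;
    }

    /** Returns the CN from the subject DN plus any dNSName subject alternative names. */
    static List<String> certificateHostnames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1)); // GeneralName type 2 = dNSName
            }
        }
        return names;
    }

    /** True if a trusted certificate names the URL host, exactly or via a single-label wildcard (*.example.com). */
    static boolean hostnameMatches(String jdbcUrl, List<X509Certificate> certs) throws Exception {
        String host = URI.create(jdbcUrl.substring("jdbc:".length())).getHost(); // "jdbc:com.nuodb://host/db"
        if (host == null) throw new IllegalArgumentException("cannot extract a single host from " + jdbcUrl);
        for (X509Certificate cert : certs) {
            for (String name : certificateHostnames(cert)) {
                if (name.equalsIgnoreCase(host)) return true;
                int dot = host.indexOf('.');
                if (name.startsWith("*.") && dot > 0 && host.substring(dot + 1).equalsIgnoreCase(name.substring(2))) return true;
            }
        }
        return false;
    }

    /** Opens a TLS-only connection; the truststore password goes through Properties, not the URL. */
    static Connection connect(String jdbcUrl, String user, String password, String trustStorePath,
                              String trustStorePassword, boolean verifyHostname) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("trustStore", trustStorePath);
        if (trustStorePassword != null) props.setProperty("trustStorePassword", trustStorePassword);
        props.setProperty("allowSRPFallback", "false");               // a failed handshake must fail, not downgrade to SRP
        props.setProperty("verifyHostname", String.valueOf(verifyHostname));
        // Assumption: the NuoDB driver reads these URL properties from Properties as well (standard JDBC convention).
        return DriverManager.getConnection(jdbcUrl, props);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical URL, credentials and truststore path, for illustration only.
        String url = "jdbc:com.nuodb://localhost/test";
        String trustStorePath = "/path/to/nuoadmin-truststore.p12";
        String trustStorePassword = "changeit";
        List<X509Certificate> certs = loadTrustedCertificates(trustStorePath, trustStorePassword.toCharArray());
        if (!hostnameMatches(url, certs)) {
            // Fail closed: show what the certificates are really named instead of quietly disabling verification.
            for (X509Certificate cert : certs) System.err.println("trusted certificate names: " + certificateHostnames(cert));
            throw new IllegalStateException("no trusted certificate names the URL host; pass verifyHostname=false deliberately if intended");
        }
        try (Connection c = connect(url, "dba", "dba", trustStorePath, trustStorePassword, true)) {
            System.out.println("TLS connection established, SRP fallback disabled, autocommit=" + c.getAutoCommit());
        }
    }
}
```

The preflight deliberately refuses to flip verifyHostname to false on its own: a client that downgrades automatically whenever names disagree gives up exactly the check that stops a certificate for some other host from being accepted, so the override stays an explicit, reviewable decision by the caller.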