2.5.6. Database Configuration
The default database, HSQLDB, that the Enterprise Application Platform ships with must be disabled because it is not supported. Additional configuration is also required for JDBC drivers and supporting This section outlines how this can be done and then refers you to information on how to configure supported databases. This must be done in the production server profile.
Procedure 2.3. Configure Database
Create DefaultDS file
Create a default DS file for the desired database. Examples of this file are located in JBOSS_HOME/docs/examples/jca.
Important
A DefaultDS file must be supplied in the JBOSS_HOME/server/production/deploy directory.
Delete HSQLDB files
Delete the following files as they refer to the HSQLDB database:
JBOSS_HOME/server/production/deploy/hsqldb-ds.xml
JBOSS_HOME/common/lib/hsqldb.jar
JBOSS_HOME/common/lib/hsqldb-plugin.jar
JBOSS_HOME/server/production/deploy/messaging/hsqldb-persistence-service.xml
Remove HSQLDB Security Domain
Comment out the security domain for HsqlDbRealm in the JBOSS_HOME/server/production/conf/login-config.xml file as shown.
    <!-- Security domains for testing new jca framework
    <application-policy name = "HsqlDbRealm">
      <authentication>
        <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">cctest</module-option>
          <module-option name = "password">cc1248</module-option>
          <module-option name = "managedConnectionFactoryName">
            jboss.jca:service=LocalTxCM,name=DefaultDS
          </module-option>
        </login-module>
      </authentication>
    </application-policy>
    -->
Copy persistence service configuration file
The [database]-persistence-service.xml file contains the persistence service definition for JBoss Messaging, for the database specified by the [database] in the filename.
Copy the [database]-persistence-service.xml file that corresponds to the database you are using from the JBOSS_HOME/docs/examples/jms directory to JBOSS_HOME/server/production/deploy.
Note
The table definitions in any [database]-persistence-service.xml are not optimized for performance.
Relocate JDBC driver libraries
Place the supported JDBC driver libraries in the directory JBOSS_HOME/server/production/lib/.
Important
Ensure you follow the policy guidelines in Section 2.5.5, “Java Security Manager Policy File” and choose a supported JDBC driver from Table 2.1, “Allowed 5.1.0 Database and JDBC Driver Versions” or Table 2.2, “Allowed 5.1.1 Database and JDBC Driver Versions” to maintain an evaluated configuration.
Add JDBC Grant Statement
Add the following grant statement for the JDBC driver you are using to the Java Security Manager policy file. The policy file is located in JBOSS_HOME/bin/security_cc.policy. Substitute the directory name of the JDBC driver where [cc.jdbc.driver] is specified in the code sample.
Important
Each JDBC driver can use different permissions. Check the JDBC driver documentation and replace java.security.AllPermission; with a secure permission scheme supported by the driver.
    // granting permissions to JDBC driver
    grant codeBase "file:${jboss.server.home.dir}/lib/[cc.jdbc.driver]" {
        permission java.security.AllPermission;
    };
Oracle Database Persistence Plugin Optimization
When using the Oracle Database, the database persistence plugin definition must be changed in JBOSS_HOME/server/production/deploy/ejb2-timer-service.xml from being:
    <attribute name="DatabasePersistencePlugin">
      org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin
    </attribute>
to being:
    <attribute name="DatabasePersistencePlugin">
      org.jboss.ejb.txtimer.OracleDatabasePersistencePlugin
    </attribute>
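One way to check the result of Procedure 2.3 before starting the server, as an added example that is not part of the guide. The function names and the DRIVER argument are hypothetical, and the script assumes the DefaultDS file is a *-ds.xml that declares <jndi-name>DefaultDS</jndi-name>.

```shell
#!/bin/sh
# Added example, not part of the guide: audits Procedure 2.3 on the production profile.
# Usage: audit_db_config JBOSS_HOME DRIVER  (DRIVER = name used for [cc.jdbc.driver])
# Prints one line per finding; the return status is the number of findings.
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

audit_db_config() {
    home=$1 driver=$2 findings=0
    prod="$home/server/production"
    # The HSQLDB files listed in the procedure must be gone.
    for f in server/production/deploy/hsqldb-ds.xml common/lib/hsqldb.jar \
             common/lib/hsqldb-plugin.jar \
             server/production/deploy/messaging/hsqldb-persistence-service.xml; do
        if [ -e "$home/$f" ]; then fail "HSQLDB file still present: $f"; fi
    done
    # Assumption: the DefaultDS file is a *-ds.xml with <jndi-name>DefaultDS</jndi-name>.
    if ! grep -qs '<jndi-name>DefaultDS</jndi-name>' "$prod"/deploy/*-ds.xml; then
        fail "no *-ds.xml in deploy defines DefaultDS"
    fi
    # HsqlDbRealm may appear in login-config.xml only inside an XML comment:
    # strip every <!-- ... --> span, then look for the policy name in what is left.
    if awk '{ s = s $0 "\n" }
            END { while ((i = index(s, "<!--")) > 0) {
                      rest = substr(s, i + 4); j = index(rest, "-->")
                      s = substr(s, 1, i - 1) (j ? substr(rest, j + 3) : "")
                  }
                  exit !(s ~ /name *= *"HsqlDbRealm"/) }' \
           "$prod/conf/login-config.xml" 2>/dev/null; then
        fail "HsqlDbRealm security domain is still active"
    fi
    # The driver must sit in the server lib directory and have its own grant,
    # which should no longer be the java.security.AllPermission placeholder.
    [ -e "$prod/lib/$driver" ] || fail "JDBC driver missing from server/production/lib"
    state=$(awk -v cb="file:\${jboss.server.home.dir}/lib/$driver\"" '
        index($0, "grant") && index($0, cb) { inblk = 1; seen = 1 }
        inblk && index($0, "java.security.AllPermission") { all = 1 }
        inblk && index($0, "};") { inblk = 0 }
        END { print (!seen ? "missing" : all ? "allperm" : "ok") }' \
        "$home/bin/security_cc.policy" 2>/dev/null)
    case $state in
        missing|"") fail "no grant for lib/$driver in security_cc.policy" ;;
        allperm) fail "grant for lib/$driver still uses java.security.AllPermission" ;;
    esac
    return "$findings"
}
```

Source the file and call audit_db_config with the installation directory and the driver name; a status of 0 means none of the checked steps was missed.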
Note
JBoss Enterprise Application Platform requires a database to store its operational state. The JNDI name referring to the database is java:/DefaultDS. The database has to be separated from all application databases: user applications must not provide additional tables to the java:/DefaultDS database, but must use their own dedicated databases to store their objects.
This setup prevents SQL injection attacks through user applications from reaching, or leaking information from, the java:/DefaultDS database, as such injections are always limited to the connected database.
Note
The Installation and Configuration Guide contains specific information about the supported databases, and their configuration. Read this information in conjunction with the Common Criteria Configuration Guide overrides to ensure you maintain an evaluated configuration.