Securing JDBC connections

Hello,

We are using SonarQube 7.9.1 with Oracle 19c database.

For securing the JDBC connection, properties like “oracle.net.ssl_cipher_suites” need to be set while getting the JDBC connection.

To my understanding, a user cannot set any extra properties for JDBC connections in the sonar.properties file.

Can you please clarify the points below?

  1. Are the JDBC connections already SSL enabled (at client side) in SonarQube?
  2. Is it possible to provide extra properties for JDBC connections?
  3. Is any default encryption used by SonarQube for JDBC connections, and are there any recommendations from SonarQube?

Thanks in advance.

With Regards,
Vara Prasad.

Hello, you can set properties in the JDBC URL in the sonar.properties file. To answer your other questions, there is no SSL encryption by default, and I do not have specific recommendations regarding that, except “follow the database vendor recommendations”.

Hi Pierre,

Thanks for the reply.

Except sonar.jdbc.url, sonar.jdbc.username and sonar.jdbc.password, I cannot see any other properties which I can set in the sonar.properties file.

Is there a way to set extra properties other than the above in the sonar.properties file for JDBC connections?

Setting properties like oracle.net.ssl_cipher_suites is a client side setting recommended by the vendor (for Oracle) and, as per our understanding, a user cannot set any such property explicitly in the case of a SonarQube JDBC connection. Is that correct?

Thanks in advance.

With Regards,
Vara Prasad.

Hi,

Did you consult
https://docs.oracle.com/apps/search/search.jsp?category=database&q=ssl
already?
Guess it's configured via the JDBC connection string as usual.
This might also help: https://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
According to this PDF (search for tcps), you have to use the tcps protocol to activate SSL.
See page 7 for how to activate SSL:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))

Gilbert


Yep, sorry, I realize my message was unclear: you should be able to set these properties in the JDBC URL.

Hi Gilbert/Pierre,

Thanks for the pointers.

Apart from server side settings, we need to set client side settings (apart from changing the JDBC URL).
For example, oracle.net.ssl_cipher_suites needs to be set as part of the JDBC connection properties.
Do you see any provision to set these on the JDBC connection for SonarQube?

With Regards,
Vara Prasad.

From what I read, oracle.net.ssl_cipher_suites can be set through environment variables, so you can put it in (you need to do both):

  • sonar.web.javaAdditionalOpts
  • sonar.ce.javaAdditionalOpts
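
Added example, not part of the thread and not SonarQube's own code: a small audit of a sonar.properties file for the three settings the replies above arrive at (a tcps JDBC URL, and the cipher-suite option in both javaAdditionalOpts keys). It assumes the option is passed as a `-D` JVM option with no spaces in its value; the sample file, host, service name and cipher suite are constructed placeholders.

```python
import re

REQUIRED_OPTS = ("sonar.web.javaAdditionalOpts", "sonar.ce.javaAdditionalOpts")
CIPHER_PROP = "oracle.net.ssl_cipher_suites"

# Constructed sample; host, service name and cipher suite are placeholders.
SAMPLE = """\
sonar.jdbc.username=sonar
sonar.jdbc.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))
sonar.web.javaAdditionalOpts=-Doracle.net.ssl_cipher_suites=(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
# sonar.ce.javaAdditionalOpts is missing: the Compute Engine JVM gets no cipher restriction
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # the URL value itself contains '='
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means all three settings are present."""
    props = parse_properties(text)
    findings = []
    url = props.get("sonar.jdbc.url", "")
    if not re.search(r"\(\s*PROTOCOL\s*=\s*tcps\s*\)", url, re.IGNORECASE):
        findings.append("sonar.jdbc.url: no (PROTOCOL=tcps), connection is not TLS")
    for key in REQUIRED_OPTS:
        opts = props.get(key, "").split()
        suites = [o.split("=", 1)[1] for o in opts
                  if o.startswith("-D" + CIPHER_PROP + "=")]
        if not suites or not suites[0].strip("()"):
            findings.append(f"{key}: -D{CIPHER_PROP} not set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
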