Currently, Unwired Accelerator does not encrypt the user name and password used to log in to the RDBMS server containing the portal database tables. If anyone knows the database user name and password, they can use ISQL to access the database tables directly. To safeguard portal security, you can:
Change the DBA password.
Optionally create a whole new database user to own the portal database.
Limit access to the global.properties.xml file, so that only appropriate people can view it and see the passwords.
Change the password in the server.xml file, and limit access so that only appropriate people can view it and see the passwords.
Changing the password,
and optionally the PortalDB table owner
The simplest safeguard is to change the database password, using the ISQL GUI. The ISQL GUI requires the jConnect JDBC driver, which is packaged separately under the SYBASE\tomcat\common\lib directory.
Optionally, another safeguard is to create a custom database user to own the portal database tables, rather than using the dba user (ASA) or the sa user (Adaptive Server). This prevents unauthorized users from using ISQL directly into your database to look at PortalDB tables.
If you create the custom database owner, also change the default database user name found in this entry in SYBASE\tomcat\conf\server.xml:
<GlobalNamingResources> <Resource name="jdbc/portaldb"Coordinate these changes between the PortalDB and the server.xml file.
From the command line, navigate to the following directory:
cd SYBASE\asa\java
Access isql using the command that follows. The command adds the jConnect JDBC driver to the class path.
java -classpath ..\..\tomcat\common\lib\
jconn3.jar;jisql.jar com.sybase.jisql.Jisql
The jisql login screen displays.
Log in, and change the dba or sa password from the defaults (“SQL” for ASA and “ ” for Adaptive Server).
// Change the password. sp_password <oldpassword>, <newpassowrd>
Optionally, use isql to create a new database user in the portal database and make this user the owner of PortalDB. Here is the input using isql:
For ASA:
// Create a user portalowner/portalowner. GRANT CONNECT TO portalowner IDENTIFIED BY portalowner go // Change the DBA password. GRANT CONNECT TO DBA IDENTIFIED BY <newpassword> go // Make the “dba” account a group GRANT GROUP to DBA // Make the portalowner a memeber of the group, enabling portalowner // to access the tables/views of the dtabase without having to prefix // everytning with “dba.” GRANT MEMBERSHIP IN GROUP DBA TO portalowner
For Adaptive Server:
// Create a user portalowner/portalowner whose default database // is the portaldatabase. sp_addlogin portalowner, portalowner, portaldatabase go // Make this user the owner of portaldatabase. use portaldatabase go sp_changedbowner portalowner, true go // Change the DBA password. sp_password <oldpassword>, <newpassowrd>
Limiting global.properties.xml access to the portal
server owner
Another safeguard is to make the global.properties.xml file readable only by the computer user the portal server (Tomcat) runs in.
Make the global.properties.xml file readable only by the computer user for the portal server.
If you are using Tomcat:
From Windows Explorer, navigate to SYBASE\tomcat\ webapps\onepage\config, right-click the global.properties.xml file, and choose Properties.
Select the Security tab and:
In the top window, add the user/group that will be running the portal, and grant them Full Control on the file.
Click Everyone, unselect the “Allow inheritable permissions” check box and click the Deny check box next to Full Control.
This prevents anyone but the specified users from reading the file and seeing the password.
On UNIX:
If you run the portal as the “root” user, issue these commands to make global.properties.xml owned by root, and readable only by root:
% su
>chown root global.properties.xml
>chmod 400 global.properties.xml
>exit
Modify database account information in the server.xml file, and limit access to the file.
Modifying database account
information in server.xml
As a final safeguard, modify the database account information in the server.xml file, then limit access to the server.xml file as you did in the preceding procedure.
These instructions are for Tomcat.
In Windows Explorer, navigate to the following directory:
cd SYBASE\tomcat\conf
In a text editor, open server.xml.
Search for “Global JNDI resources.” This section defines a Java Naming and Directory Interface (JNDI) connection pool to the PortalDB. The XML looks like:
<!-- Global JNDI resources --> <GlobalNamingResources> <Resource name="jdbc/portaldb" auth="Container" type="javax.sql.DataSource" driverClassName="com.sybase.jdbc3.jdbc.SybDriver" url="jdbc:sybase:Tds:labxp.sybase.com:4747? servicename=portaldatabase" username="dba" password="SQL" maxActive="20" maxIdle="10" maxWait="20000"/
<Resource name="jdbc/agdb" auth="Container" type="javax.sql.DataSource" driverClassName="com.sybase.jdbc3.jdbc.SybDriver" url="jdbc:sybase:Tds:labxp.sybase.com:8099" username="dba" password="" maxActive="20" maxIdle="10" maxWait="20000"/>
<Resource name="jdbc/uaml" auth="Container" type="javax.sql.DataSource" driverClassName="com.sybase.jdbc3.jdbc.SybDriver" url="jdbc:sybase:Tds:labxp.sybase.com:4747?servicename=uaml" username="DBA" password="SQL" maxActive="20" maxIdle="10" maxWait="20000"/> </GlobalNamingResources>
Change the appropriate set of user name and password parameters to the new database user owner and password that you set up, and optionally change the database connections for the new database (see “Setting up a JNDI data source resource” for information).
Save and close the server.xml file.
Make the server.xml file readable only by the computer user for the portal server (Tomcat).
On Windows:
From Windows Explorer, navigate to SYBASE\tomcat\ conf, right-click the server.xml file, and choose Properties.
Select the Security tab and:
In the top window, add the user/group that will be running the portal, and grant them Full Control on the file
Click Everyone, unselect the “Allow inheritable permissions” check box and click the Deny check box next to Full Control.
This prevents anyone but the specified users from reading the file and seeing the password.
On UNIX:
If you run the portal as the “root” user, issue the following commands to make server.xml owned by root, and readable only by root:
% su
>chown root server.xml
>chmod 400 server.xml
>exit
Restart the application server to apply the changes you made to global.properties.xml and server.xml.
