Configuring Network Server authentication without SSL/TLS

If you do not encrypt network traffic with SSL/TLS, you can use properties to specify the encryption of user names and passwords on the Network Server side.

Important: Using SSL/TLS is strongly recommended for production applications. Use the properties only under unusual circumstances.

When you run Derby in embedded mode or when you use the Derby Network Server, you can enable or disable server-side user authentication. (Enabling user authentication is strongly recommended.) However, when you use the Network Server, the default security mechanism (CLEAR_TEXT_PASSWORD_SECURITY) requires that you supply both the user name and password.

In addition to the default user name and password security mechanism, org.apache.derby.jdbc.ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY, Derby Network Server supports the following security properties:

The user name that is specified upon connection is the default schema for the connection, if a schema with that name exists. See the Derby Developer's Guide for more information on schema and user names.

If you specify any other security mechanism, you will receive an exception.

To change the default, you can specify another security mechanism either as a property or on the URL (using the securityMechanism=value attribute) when you make the connection. For details, see Configuring Network Client authentication without SSL/TLS and "securityMechanism=value attribute" in the Derby Reference Manual.

Whether the security mechanism you specify for the client actually takes effect depends upon the setting of the derby.drda.securityMechanism property for the Network Server. If the derby.drda.securityMechanism property is set, the Network Server accepts only connections that use the security mechanism specified by the property setting. If the derby.drda.securityMechanism property is not set, clients can use any valid security mechanism. For details, see "derby.drda.securityMechanism property" in the Derby Server and Administration Guide.

Security mechanism options when user authentication is enabled on the Network Server

When user authentication is enabled in Derby, you can use either of the following security mechanisms.

Security mechanism options when user authentication is disabled on the Network Server

When user authentication is turned off in Derby, you can use any of the security mechanism options.

You must provide a user and password for all security mechanisms except USER_ONLY_SECURITY. However, because user authentication is disabled in the Derby server, the user name and password that you supply do not have to be among those recognized as valid by Derby.

Enabling the encrypted user ID and password security mechanism

To use the encrypted user ID and password security mechanism, you need a Java environment with a JCE (Java Cryptography Extension) that supports the Diffie-Hellman algorithm with a public prime of 256 bits.

The Java Platform, Standard Edition (Java SE) requires a public prime of 512 bits or more.

To use the encrypted user id and password security mechanism during JDBC connection using the network client, specify the securityMechanism=value connection property.
Note: If an encrypted database is booted in the Network Server, users can connect to the database without giving the bootPassword. The first connection to the database must provide the bootPassword, but all subsequent connections do not need to supply it. To remove access from the encrypted database, use the shutdown=true option to shut down the database. See Configuring database encryption for more information.