Enabling Client to connect Sybase using SSL

Raghunandan Gupta
Dec 21, 2021

We live in a world where security is one of the key concerns for any company. Most applications expose their APIs over HTTPS so that the connection remains secure. We use authentication and authorization to make sure only relevant people can access them. There are many things we do to secure our applications.

A database is where we store the application's data. Most of the time it runs in the same network as the application, and ideally it is not accessible from public networks. The diagram below shows the basic architecture of a simple application.

The above application is secure:

  • The outside world can only connect over HTTPS
  • The application is in a private network and can only be accessed by the load balancer or by services in the same network
  • The database is present in the private network and can only be accessed by the Application with the given username and password including the required roles.

You might say the above is secure, but it is not fully secure. There are a few things we can do better:

  • Allow the application to connect with the database only over SSL and disable direct connection so no one can connect without having actual certificates

Challenges to connect with the Sybase

I was working for one of the Clients and they had the requirement to use SSL to connect with the Sybase. I checked with the database team and got the Certificates that I could use to connect over SSL.

We were using the below dependency to connect to Sybase:

<dependency>
  <groupId>com.sybase</groupId>
  <artifactId>jconn4</artifactId>
  <version>2.4.x</version>
</dependency>

I checked the documentation, but it seems none of the approaches worked for me:

  • ENABLE_SSL=TRUE
  • SSL_TRUST_ALL_CERTS=TRUE
  • Added certificates to the cacerts present in the JRE and passed them as arguments to the Java application
  • -Djavax.net.ssl.trustStore=<path_to_custom_truststore>
  • -Djavax.net.ssl.trustStorePassword=storePassword
  • -Djavax.net.debug=all (This prints the logs when a secure connection is established)

String dbURL = "jdbc:sybase:Tds:dbHost:port/schema_name?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true";

Properties properties = new Properties();
properties.put("user","user");
properties.put("password","password");

DriverManager.getConnection(dbURL, properties);

With all the above, I was not able to connect over SSL and kept getting errors. I was able to connect using Connection Manager with the certificates provided, so I concluded there was an issue with the code and, somehow, with the parameters that I was passing.

Verify Connection using SSL Socket Factory

Secure Sockets Layer (SSL) enables a secured connection between clients and servers. SSL provides a secure channel between two devices operating over a network connection.

I checked the host and port using SSL Factory and I was able to connect successfully which means definitely there was an issue with the parameters.

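// Uses the JVM default trust store (or the one set via -Djavax.net.ssl.trustStore)
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(dbHost, dbPort);
InputStream in = sslsocket.getInputStream();
OutputStream out = sslsocket.getOutputStream();
// The first write triggers the TLS handshake; it throws if the certificate is not trusted
out.write(2);
while (in.available() > 0) {
    System.out.print(in.read());
}
System.out.println("Secured connection established.");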

Connect using SSL with SYBSOCKET_FACTORY

I checked the documentation again and found out that there is a parameter that I can pass in the Properties when connecting to the Sybase database:

  • SYBSOCKET_FACTORY
  • To use a custom socket with jConnect, set the SYBSOCKET_FACTORY connection property to a string that is either: The name of a class that implements com.sybase.jdbcx.SybSocketFactory

I created a custom implementation of SybSocketFactory and provided it as a parameter in Properties.

import com.sybase.jdbcx.SybSocketFactory;
import java.io.IOException;
import java.net.Socket;
import java.util.Properties;
import javax.net.ssl.SSLSocketFactory;

// Certs already added to the cacerts file at jre/lib/security/cacerts
public class CustomSybSocketFactory implements SybSocketFactory {
    public Socket createSocket(String dbHost, int dbPort, Properties props) throws IOException {
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return sslsocketfactory.createSocket(dbHost, dbPort);
    }
}
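
The factory above trusts every CA in the JVM-wide cacerts, and a plain SSLSocket does not check that the certificate was issued for dbHost. As an added example (not the author's code and not part of jConnect), here is a variant that trusts only a dedicated truststore and enables host name verification. The class name and the `demo.sybase.*` system properties are hypothetical.

```java
package com.demo;

import com.sybase.jdbcx.SybSocketFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not the author's code. The demo.sybase.* system property names
// are hypothetical; the truststore they point to holds only the database CA.
public class VerifyingSybSocketFactory implements SybSocketFactory {
    @Override
    public Socket createSocket(String dbHost, int dbPort, Properties props) throws IOException {
        String path = System.getProperty("demo.sybase.trustStore");
        String pass = System.getProperty("demo.sybase.trustStorePassword", "");
        if (path == null) throw new IOException("demo.sybase.trustStore is not set");
        SSLContext ctx;
        try (InputStream in = new FileInputStream(path)) {
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            trust.load(in, pass.toCharArray());
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
        } catch (GeneralSecurityException e) {
            throw new IOException("Cannot build TLS trust from " + path, e);
        }
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(dbHost, dbPort);
        try {
            SSLParameters params = socket.getSSLParameters();
            // A plain SSLSocket validates the chain but not the host name.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // fail here, not on the first query
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        }
    }
}
```

It is wired in the same way, by setting SYBSOCKET_FACTORY to com.demo.VerifyingSybSocketFactory; the server certificate must then carry dbHost in its subject alternative names.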

Using Custom Socket Factory

String dbURL = "jdbc:sybase:Tds:dbHost:port/schema_name";

Properties properties = new Properties();
properties.put("user","user");
properties.put("password","password");
properties.put("SYBSOCKET_FACTORY","com.demo.CustomSybSocketFactory");

DriverManager.getConnection(dbURL, properties);

Sybase SSL Configuration in Hikari

HikariConfig hikariConfig = new HikariConfig();
hikariConfig.setDriverClassName("com.sybase.jdbc4.jdbc.SybDriver");
hikariConfig.setJdbcUrl("<URL_TO_CONNECT>");
hikariConfig.setUsername("<USERNAME>");
hikariConfig.setPassword("<PASSWORD>");

hikariConfig.setDataSourceProperties(new Properties());
hikariConfig.getDataSourceProperties().setProperty("SYBSOCKET_FACTORY","com.demo.CustomSybSocketFactory");


HikariDataSource hikariDS = new HikariDataSource(hikariConfig);

After that, I was able to connect to the database and execute queries successfully. It took a lot of time because I couldn’t find suitable articles on the internet so it was worth it.
