Closed poikilotherm closed 1 year ago
FWIW: this can now be addressed given the fact that Payara 5.2022.2 included a fix for this.
Here's a real life example of a problem this will solve:
We had a support request (RT 321319) where a remote admin was asking about hardening their installation, specifically about enforcing SSL on the connection between the application and the database.
When the JDBC library opens the connection to PostgreSQL, it defaults to sslmode=prefer (meaning, it will use SSL if the remote server supports it; but would also be happy to use an unencrypted connection if not; it does not verify the SSL certificates in this mode either). If a user wants to ensure that their Dataverse installation will never talk to the database w/out SSL, they need to use sslmode=require. Or sslmode=verify-ca, to verify the certs.
As of now, the only way to pass this parameter is to attach it to the database name, like this:
<system-property name="dataverse.db.name" value="dvndb?sslmode=require"/>
so that it ends up in the combined connection string; but it's a bit hacky. #8915 will provide a clean way to supply this extra parameter (via dataverse.db.parameters).
I am pleased to report that, so far, Leonid's ?sslmode=require suggestion above appears to work with a test RDS instance.
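An added example, not part of the thread or of the Dataverse code base: a small audit that reads system-property entries like the one quoted above and reports which sslmode the driver will effectively get, including the silent default of prefer. The sample XML is constructed, the value format of dataverse.db.parameters (no leading "?") is an assumption, and the disable, allow and verify-full modes come from the PostgreSQL client documentation rather than from this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: system-property entries as they could appear in domain.xml.
SAMPLE = """<java-config>
  <system-property name="dataverse.db.host" value="db.example.org"/>
  <system-property name="dataverse.db.name" value="dvndb?sslmode=require"/>
</java-config>"""

# sslmode values grouped by what they guarantee on the wire.
PLAINTEXT_POSSIBLE = {"disable", "allow", "prefer"}
ENCRYPTED_UNVERIFIED = {"require"}
ENCRYPTED_VERIFIED = {"verify-ca", "verify-full"}


def effective_sslmode(xml_text):
    """Return the sslmode the driver will see; 'prefer' (the default) if unset."""
    props = {p.get("name"): p.get("value", "")
             for p in ET.fromstring(xml_text).iter("system-property")}
    # Parameters may ride on the database name (the workaround in the thread) or,
    # as an assumption, sit in dataverse.db.parameters without a leading '?'.
    on_name = props.get("dataverse.db.name", "").partition("?")[2]
    extra = props.get("dataverse.db.parameters", "").lstrip("?")
    merged = parse_qs("&".join(q for q in (on_name, extra) if q))
    modes = merged.get("sslmode", [])
    if len(set(modes)) > 1:
        # Two different values: which one wins depends on the driver, so fail loudly.
        raise ValueError("conflicting sslmode values: %s" % modes)
    return modes[0] if modes else "prefer"


def classify(xml_text):
    """Return (sslmode, verdict) for a hardening review."""
    mode = effective_sslmode(xml_text)
    if mode in ENCRYPTED_VERIFIED:
        return mode, "encrypted, certificate verified"
    if mode in ENCRYPTED_UNVERIFIED:
        return mode, "encrypted, certificate not verified"
    if mode in PLAINTEXT_POSSIBLE:
        return mode, "plaintext connection possible"
    return mode, "unknown sslmode"


if __name__ == "__main__":
    print(classify(SAMPLE))
```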
Now that #7701 is merged and we are on 5.2021.4, we can enable real defaults for the database connection.
Context
I learned that any variable expansion supporting annotations or files, that will have Payara create resources, containers or sth else from, will not retrieve default values from the microprofile-config.properties file bundled in the WAR. Instead, we need to provide defaults with the new ${MPCONFIG=name:default} syntax.
Todo