SSL Configuration
The <ssl> configuration element specifies Secure Sockets Layer (SSL) settings for secure client-server communication.
The default configuration file contains the following <ssl> element:
<ssl enabled="false">
  <server-keystore path="$objectdb/ssl/server-kstore" password="pwd" />
  <client-truststore path="$objectdb/ssl/client-tstore" password="pwd" />
</ssl>
The enabled attribute of the ssl element, which can be set to true or false, specifies whether SSL is used. As shown in the example, SSL is disabled by default. Enable SSL when accessing remote ObjectDB databases over an insecure network, such as the Internet.
SSL Keystore and Truststore Files
To use SSL, you must generate at least two files:
- A keystore file that holds the server's identity. This file includes general details (such as a company name), an RSA private key, and the certificate for its corresponding public key. The SSL protocol uses the RSA algorithm for key exchange.
- A truststore file that contains certificates that the client uses to validate the server's signature. This file is generated from the keystore file and contains the public key certificate but not the private key.
You can generate these files by using the JDK keytool utility:
https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
By using these keystore and truststore files, a client can verify during the SSL handshake that it is connected to the intended server and not an impostor, which prevents a man-in-the-middle attack. Conversely, the server might allow connections from any client that provides a valid username and password. If the server must also authenticate the client, a keystore file must be installed on the client, and its corresponding truststore file must be installed on the server. This client keystore can be different from the server keystore.
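The following script is an added example, not part of the ObjectDB documentation, showing how the two file pairs described above can be produced with the JDK keytool utility: the server keystore (private key plus self-signed certificate) and the client truststore derived from it, and, for mutual authentication, the client keystore and the server truststore derived from that. The output directory, the aliases, the host names and the password argument are assumptions; use a strong password rather than the "pwd" placeholder from the configuration file.

```shell
#!/bin/sh
# Added example (not from the ObjectDB project): build keystore/truststore pairs
# with the JDK keytool. All paths, aliases and host names below are assumptions.
set -eu

# generate_pair DIR KEYSTORE TRUSTSTORE ALIAS HOST PASSWORD
# Creates DIR/KEYSTORE holding an RSA private key and a self-signed certificate,
# then exports only the certificate into DIR/TRUSTSTORE, so the truststore can be
# handed to the other side without exposing the private key.
generate_pair() {
  dir=$1; kstore=$2; tstore=$3; alias=$4; host=$5; pass=$6
  mkdir -p "$dir"
  # Private key + certificate. CN and SAN are set to the host name the peer uses
  # when connecting (assumption: clients connect with that name in the URL).
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host" -ext "SAN=dns:$host" \
    -keystore "$dir/$kstore" -storepass "$pass" -keypass "$pass"
  # Export the certificate only (PEM), never the private key.
  keytool -exportcert -alias "$alias" -rfc -file "$dir/$alias.cer" \
    -keystore "$dir/$kstore" -storepass "$pass"
  # Import the certificate into the truststore; keytool creates the file if absent.
  keytool -importcert -noprompt -alias "$alias" -file "$dir/$alias.cer" \
    -keystore "$dir/$tstore" -storepass "$pass"
  rm -f "$dir/$alias.cer"
}

# has_private_key STORE PASSWORD
# Returns 0 if the store contains a PrivateKeyEntry. Use it to check that a
# truststore you are about to distribute carries certificates only.
has_private_key() {
  keytool -list -keystore "$1" -storepass "$2" | grep -q PrivateKeyEntry
}

# Usage: sh make-ssl-stores.sh OUTPUT_DIR PASSWORD
if [ $# -eq 2 ]; then
  # Server identity -> server-kstore (server side), client-tstore (client side).
  generate_pair "$1" server-kstore client-tstore server localhost "$2"
  # Client identity -> client-kstore (client side), server-tstore (server side);
  # only needed when the server must authenticate the client.
  generate_pair "$1" client-kstore server-tstore client objectdb-client "$2"
  if has_private_key "$1/client-tstore" "$2"; then
    echo "client-tstore unexpectedly contains a private key" >&2; exit 1
  fi
fi
```

The file names match the path attributes in the <ssl> element, so the generated files can be dropped into $objectdb/ssl on each side. Only the *-tstore files leave the machine that generated them; the *-kstore files stay where the private key is used.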
Setting the Configuration
<ssl enabled="true">
  <server-keystore path="$objectdb/ssl/server-kstore" password="pwd" />
  <server-truststore path="$objectdb/ssl/server-tstore" password="pwd" />
  <client-keystore path="$objectdb/ssl/client-kstore" password="pwd" />
  <client-truststore path="$objectdb/ssl/client-tstore" password="pwd" />
</ssl>
To use SSL, the enabled attribute of the ssl element must be set to true.
Every keystore or truststore file is represented by a separate child element with two required attributes: path, which specifies the path to the file, and password, which specifies the password required to access the file.
Typically, only the server-keystore element (on the server) and the client-truststore element (on the client) are required.
The other two elements, client-keystore and server-truststore, are required only when the server must also authenticate the client.
Connecting using SSL
Connecting to an SSL-enabled ObjectDB server requires specifying the "objectdbs" protocol (instead of the standard "objectdb" protocol) in the connection URL on the client side:
EntityManagerFactory emf = Persistence.createEntityManagerFactory(
    "objectdbs://localhost/myDbFile.odb;user=admin;password=admin");