Support for GSSAPI-encrypted connection v18.104.22.168
Support for GSSAPI-encrypted connections is available in EDB JDBC Connector release 22.214.171.124 and later.
The EDB JDBC driver supports GSSAPI-encrypted connections for EDB Postgres Advanced Server 12 onwards.
The gssEncMode parameter controls GSSAPI-encrypted connections. The parameter can have any of these values:
- Disable. Disables any attempt to connect using GSS-encrypted mode.
- Allow. Attempts to connect in plain text. Then, if the server requests it, it switches to encrypted mode.
- Prefer. Attempts to connect in encrypted mode and falls back to plain text if it fails to acquire an encrypted connection.
- Require. Attempts to connect in encrypted mode and fails to connect if that isn't possible.
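An added example, not part of the EDB documentation: a check an application can run before connecting, to refuse any JDBC URL whose gssEncMode permits plain text. The class and method names and the sample URLs are this example's own. It assumes the mode is set in the URL query string and is matched case-insensitively.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class GssEncModeCheck {
    // Extracts key=value parameters from the query part of a JDBC URL.
    static Map<String, String> urlParams(String jdbcUrl) {
        Map<String, String> params = new HashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return params;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) params.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }

    // Returns null when the URL enforces encryption, otherwise the reason it doesn't.
    static String plaintextRisk(String jdbcUrl) {
        String mode = urlParams(jdbcUrl).get("gssEncMode");
        if (mode == null) {
            // The page states no default, so an unset mode is treated as unenforced.
            return "gssEncMode not set; this URL doesn't enforce encryption";
        }
        // Assumption: values are compared case-insensitively.
        switch (mode.toLowerCase(Locale.ROOT)) {
            case "require": return null;
            case "prefer":  return "falls back to plain text if encryption can't be acquired";
            case "allow":   return "starts in plain text; encrypts only if the server requests it";
            case "disable": return "never attempts GSS-encrypted mode";
            default:        return "unrecognized gssEncMode value: " + mode;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host, port and database name are placeholders.
        String[] urls = {
            "jdbc:edb://db.example.com:5444/edb?gssEncMode=require",
            "jdbc:edb://db.example.com:5444/edb?gssEncMode=prefer&gsslib=gssapi",
            "jdbc:edb://db.example.com:5444/edb?gsslib=auto",
        };
        for (String url : urls) {
            String risk = plaintextRisk(url);
            System.out.println((risk == null ? "OK     " : "REJECT ") + url
                    + (risk == null ? "" : "  -> " + risk));
        }
    }
}
```

Only the first URL passes. The other two are rejected because nothing in them forces the connection to fail when encryption can't be negotiated.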
The default behavior of GSSAPI/SSPI authentication on Windows and Linux platforms is as follows:
- On Windows, the EDB JDBC driver tries to connect using SSPI.
- On Linux, the EDB JDBC driver tries to connect using GSSAPI.
This default behavior is controlled using the gsslib connection parameter, which takes one of the following values:
- auto. The driver attempts SSPI authentication when the server requests it, the EDB JDBC client is running on Windows, and the waffle libraries required for SSPI are on the CLASSPATH. Otherwise, it opts for Kerberos/GSSAPI authentication via JSSE. Unlike libpq, the EDB JDBC driver doesn't use the Windows SSPI libraries for Kerberos (GSSAPI) requests.
- gssapi. This option forces JSSE's GSSAPI authentication even when SSPI is available.
- sspi. This option forces SSPI authentication. This authentication fails on Linux or where SSPI is unavailable.
When the EDB Postgres Advanced Server and JDBC client are both on Windows, the JDBC driver connects with SSPI authentication using one of the following connection strings:
- gsslib=sspi is optional because the server requires SSPI authentication.
- There is no need to specify username and password. The logged-in user credentials are used to authenticate the user.
The example assumes that SSPI authentication is configured on a Windows machine. Suppose the edb-jdbc18.jar path is <PATH_DRIVER> and the waffle libraries path is <PATH_WAFFLE>. Here's how to set CLASSPATH and run the JEdb sample:
When the EDB Postgres Advanced Server and JDBC client are both on Linux, the JDBC driver connects with GSSAPI authentication using the following connection string:
gsslib=gssapi is optional because the server requires GSSAPI authentication.
This example assumes that GSS authentication is configured on a Linux machine.
Create a file named pgjdbc.conf with the following contents.
pgjdbc.conf is placed at /etc/pgjdbc.conf. Here's how to run the JEdb sample:
When the EDB Postgres Advanced Server is on Linux with authentication configured as GSSAPI, and the JDBC client is on Windows, the EDB JDBC driver connects using either SSPI or GSSAPI authentication.
For gsslib=auto, EDB JDBC uses SSPI. For gsslib=gssapi, it uses GSSAPI authentication.
This example assumes that GSS authentication is configured between Windows Active Directory and a Linux machine.
In this scenario, JDBC is using SSPI authentication. Create the connection using the following code:
Running an EDB JDBC-based app in this case is the same as described in Using SSPI (Windows-only environment).
In this scenario, JDBC is using GSSAPI authentication. Create the connection using the following code:
Set up the Kerberos credential cache file and obtain a ticket.
Create a new directory, say c:\temp, and a system environment variable KRB5CCNAME. In the variable value field, enter
krb5cache is a file that's managed by the Kerberos software.
Obtain a ticket for a Kerberos principal either using MIT Kerberos Ticket Manager or using a keytab file using the
pgjdbc.conf file with the same contents described in Using GSSAPI (Linux-only environment).
pgjdbc.conf is placed at c:\pgjdbc.conf. Here's how to run the JEdb sample: