Integration with Apache Tomcat
This section describes how to configure Apache Tomcat to use the Kron PAM JDBC Proxy Driver for secure and dynamic database authentication. After configuration, Tomcat retrieves database credentials directly from Kron PAM Vault at runtime, eliminating the need for static passwords in configuration files.

## Prerequisites

Before starting the integration, ensure the following components are available:

- **Kron PAM Server:** A running Kron PAM instance with network access from the Tomcat host.
- **Access Token:** A valid API token generated from Kron PAM for the service account that will retrieve database credentials.
- **Kron PAM Proxy Driver:** `com.kron.jdbc-1.0.0.jar`
- **Database JDBC Driver:** The native JDBC driver corresponding to your target database (PostgreSQL, MySQL, Oracle, SQL Server).
- **Apache Tomcat Version:** Apache Tomcat 8.5 or later.

## General Configuration Steps

1. **Copy the JAR files:** Place both the Kron PAM Proxy Driver (`com.kron.jdbc-1.0.0.jar`) and the native JDBC driver (e.g., `postgresql-42.7.3.jar`) into the Tomcat library directory (`$CATALINA_HOME/lib`).
2. **Modify the context definition:** Edit the data source configuration in either `$CATALINA_BASE/conf/context.xml` or `META-INF/context.xml` inside your application.
3. **Replace the driver and URL:** Set `driverClassName` to `com.kron.jdbc.ProxyDriver`. Update the JDBC URL to use the `jdbc:kron:` prefix and add Kron PAM parameters.
4. **Restart Tomcat:** Restart the Tomcat service for configuration changes to take effect.

## PostgreSQL Configuration Example

The following is an example `context.xml` configuration for connecting to a PostgreSQL database via a credential fetched from Kron PAM:

```xml
<Resource name="jdbc/postgresqlds"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.kron.jdbc.ProxyDriver"
          url="jdbc:kron:postgresql://postgresql.example.com:5432/employee_db?baseurl=https://example.kronpam.com&amp;acc_token=3aa0b9f5-cab4-4a3d-b410-1df18328079d&amp;acc_name=webapp_user&amp;acc_path=/vaultfolder&amp;agenthost=localhost&amp;agentport=6396"
          maxTotal="20"
          maxIdle="10"
          maxWaitMillis="-1" />
```

### Parameter Descriptions

| Parameter | Description |
| --- | --- |
| `driverClassName` | Instructs Tomcat to load the Kron proxy driver |
| `url` | Combines database connection info with Kron PAM Vault parameters |
| `baseurl` | URL of the Kron PAM server |
| `acc_token` | Access token for Kron PAM API authentication |
| `acc_name` | Name of the managed database account |
| `acc_path` | Vault path of the account |
| `agenthost` | (Optional) Kron PAM Secrets Manager agent IP address/hostname |
| `agentport` | (Optional) Kron PAM Secrets Manager agent port number |

- **Driver component:** PostgreSQL JDBC Driver 42.7.3
- **Supported versions:** PostgreSQL 9.4 and later (tested up to v15)

## MySQL Configuration Example

The following is an example `context.xml` configuration for connecting to a MySQL database via a credential fetched from Kron PAM:

```xml
<Resource name="jdbc/mysqlds"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.kron.jdbc.ProxyDriver"
          url="jdbc:kron:mysql://mysql-host:3306/appdb?baseurl=https://example.kronpam.com&amp;acc_token=6adcb6af-b84c-4a4c-bfe3-e1d97d633f2b&amp;acc_name=mysql_app_user&amp;acc_path=/dbs/mysql"
          maxTotal="20"
          maxIdle="10"
          maxWaitMillis="-1" />
```

- **Driver component:** MySQL Connector/J 8.2
- **Supported versions:** MySQL 5.7 and 8.0 (compatible with Java 8 and above)

## Oracle Database Configuration Example

The following is an example `context.xml` configuration for connecting to an Oracle database via a credential fetched from Kron PAM:

```xml
<Resource name="jdbc/oracleds"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.kron.jdbc.ProxyDriver"
          url="jdbc:kron:oracle:thin:@//oracle-host:1521/orclpdb?baseurl=https://example.kronpam.com&amp;acc_token=6adcb6af-b84c-4a4c-bfe3-e1d97d633f2b&amp;acc_name=c##jdbcuser&amp;acc_path=/dbs"
          maxTotal="20"
          maxIdle="10"
          maxWaitMillis="-1" />
```

- **Driver component:** Oracle JDBC Driver (`ojdbc8-21.5.0.0.jar`)
- **Supported versions:** Oracle 11g R2 through 21c

## Microsoft SQL Server Configuration Example

The following is an example `context.xml` configuration for connecting to an MSSQL database via a credential fetched from Kron PAM:

```xml
<Resource name="jdbc/sqlserverds"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.kron.jdbc.ProxyDriver"
          url="jdbc:kron:sqlserver://sql-host:1433;databaseName=appdb?baseurl=https://example.kronpam.com&amp;acc_token=6adcb6af-b84c-4a4c-bfe3-e1d97d633f2b&amp;acc_name=sql_app_user&amp;acc_path=/dbs/sqlserver"
          maxTotal="20"
          maxIdle="10"
          maxWaitMillis="-1" />
```

- **Driver component:** Microsoft JDBC Driver for SQL Server
- **Supported versions:** SQL Server 2012 – 2022 (compatible with Java 8, 11, 17+)

## Verification

After Tomcat is restarted:

- Verify that the application can successfully establish a database connection.
- Check Tomcat logs (`catalina.out`) for any proxy or connectivity messages.
- Confirm from the Kron PAM Vault audit logs that credentials were retrieved through the API at runtime.
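
A pre-restart check for the configuration described above, as an added example that is not part of Kron's documentation or tooling: it audits a `context.xml` for data sources that were only partly migrated to the proxy driver. The driver class and parameter names are taken from the examples on this page; the checks for leftover `username`/`password` attributes and for an `https` `baseurl` are assumptions about what a reviewer would want flagged, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

PROXY_DRIVER = "com.kron.jdbc.ProxyDriver"   # class name as shown on this page
REQUIRED = ("baseurl", "acc_token", "acc_name", "acc_path")

def audit_context(xml_text):
    """Return a list of (resource name, finding) for each DataSource problem."""
    findings = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        if res.get("type") != "javax.sql.DataSource":
            continue
        name = res.get("name", "?")
        url = res.get("url", "")
        # A leftover static credential defeats the point of the vault lookup.
        for attr in ("username", "password"):
            if res.get(attr):
                findings.append((name, f"static {attr} attribute still present"))
        if res.get("driverClassName") != PROXY_DRIVER:
            findings.append((name, "driverClassName is not the Kron proxy driver"))
        if not url.startswith("jdbc:kron:"):
            findings.append((name, "url lacks the jdbc:kron: prefix"))
        # Everything after the first '?' holds the Kron PAM parameters.
        params = parse_qs(url.partition("?")[2])
        for key in REQUIRED:
            if key not in params:
                findings.append((name, f"missing Kron PAM parameter {key}"))
        base = params.get("baseurl", [""])[0]
        if base and not base.startswith("https://"):
            findings.append((name, "baseurl is not https"))
    return findings

# Constructed sample: one correct resource, one half-migrated resource.
SAMPLE = """<Context>
  <Resource name="jdbc/okDS" type="javax.sql.DataSource"
    driverClassName="com.kron.jdbc.ProxyDriver"
    url="jdbc:kron:postgresql://db.example.com:5432/app?baseurl=https://pam.example.com&amp;acc_token=PLACEHOLDER&amp;acc_name=app&amp;acc_path=/v"/>
  <Resource name="jdbc/badDS" type="javax.sql.DataSource"
    driverClassName="org.postgresql.Driver" password="example-only"
    url="jdbc:postgresql://db.example.com:5432/app"/>
</Context>"""

if __name__ == "__main__":
    for name, finding in audit_context(SAMPLE):
        print(f"{name}: {finding}")
```

Because the access token itself sits in the `url` attribute, keep `context.xml` readable only by the Tomcat service account.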