Chris,

I understand all of that and am working all those concerns to the
PTB... but as with many management situations, reality doesn't fit with
the "security" mindset.
On Tue, Oct 23, 2018 at 10:59 AM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
>
> Will,
>
> On 10/23/18 10:44, Will Nordmeyer wrote:
> > I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> > the next year).  I tried working with Oracle on this with no
> > success.
> >
> > We have an Oracle Database connection defined within our web.xml
> > (see below).  We need to convert to using 2 Factor (certificate?)
> > based Authentication.
> >
> > How do we convert from our embedded username/password to 2FA?
>
> Uhh...
>
> How would you enter your second factor into the server? During service
> startup? What happens if the connection times out and you have to
> re-authenticate? Do you want to be paged in the middle of the night to
> re-enter your 2FA code? How about 10 times per hour on 100 different
> servers?
>
> 2FA doesn't make any sense at all for services contacting other
> services. 2FA makes sense for humans contacting services because
> humans are so much worse at password management, social engineering
> resistance, etc.
>
> If you have a segment of your IT team mandating 2FA for database
> connections (even for services), tell them that THEY have to use THEIR
> 2FA credentials to unlock the database for YOUR services. See how long
> that policy survives.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
