Part Two: Configuring security for Derby

This part of the manual describes the specific tasks involved in securing Derby databases.

Derby can be deployed in a number of ways and in a number of different environments, ranging from a single-user deployment for small-scale development and testing to a multi-user deployment of a large database. For all but the smallest deployments, however, it is essential to make the Derby system secure.

To secure a Derby database or databases, take the following steps.

  1. Understand the basic tasks involved in configuring security in a client-server environment or an embedded environment.

    See Basic security configuration tasks for details.

  2. Encrypt your databases.

    Derby provides ways to encrypt data stored on disk.

    For more information about encryption, see Configuring database encryption.

  3. Sign any jar files that you use in your databases.

    Derby validates certificates for classes loaded from signed jar files.

    For more information about using signed jar files, see Using signed jar files.

  4. Encrypt network traffic with SSL/TLS.

    SSL/TLS certificate authentication is also supported. See Configuring SSL/TLS for details.

  5. Understand the concept of identity in Derby.

    See Understanding identity in Derby for details.

  6. Configure authentication by setting up users and passwords.

    Authentication determines whether someone is a legal user. It establishes a user's identity. Derby verifies user names and passwords before permitting access to the Derby system.

    For more information about authentication, see Configuring user authentication.

  7. Configure user authorization for the system.

    Authorization determines what operations can be performed by a user's Derby identity. Authorization grants users or roles permission to read a database or to write to a database.

    For more information about authorization, see Configuring user authorization.

  8. If necessary, restrict database file access to the operating system account that started the JVM.

    For details, see Restricting file permissions.

See the Derby Reference Manual for information about many security-related properties and system procedures, as well as such statements as GRANT, REVOKE, CREATE ROLE, DROP ROLE, CREATE PROCEDURE, and CREATE FUNCTION.