If you install Secrets Manager Java Database Connectivity (JDBC), your applications can use the secrets that are managed by Secrets Manager to authenticate when they establish connections to databases. After a connection is established, your application accesses the database through the standard JDBC API. This way, you do not need to hard-code the passwords of database accounts in application code. This topic describes how to install and use Secrets Manager JDBC.
Features
Secrets Manager JDBC encapsulates business logic, best practices, and design patterns based on Secrets Manager API. This way, you can easily integrate the capabilities of Secrets Manager into business systems.
- Secrets Manager JDBC supports JDBC connections, connection pools such as c3p0 and database connection pool (DBCP), and open source frameworks.
- Secrets Manager JDBC supports ApsaraDB RDS for MySQL, ApsaraDB RDS for SQL Server, ApsaraDB RDS for PostgreSQL, and ApsaraDB RDS for MariaDB TX.
- Secrets Manager JDBC allows you to specify a custom rotation interval for a secret.
Limits
- Only Java 1.8 and later are supported. For more information, visit the open source code repository of Secrets Manager JDBC.
- Only ApsaraDB RDS secrets and generic secrets are supported.
- We recommend that you use ApsaraDB RDS secrets in Manage Dual Account mode.
- The value of a generic secret is in the JSON format. Example:
{ "AccountName":"<The username of your database account>", "AccountPassword":"<The password of your database account>" }
Install Secrets Manager JDBC
Install Secrets Manager JDBC by using Maven.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-secretsmanager-jdbc</artifactId>
<version>x.x.x</version>
</dependency>
Note Make sure that the SDK version of Secrets Manager JDBC is x.x.x or later.
Configure the parameters for Secrets Manager JDBC
You can modify the configuration file secretsmanager.properties to configure the parameters for Secrets Manager JDBC.
The configuration file secretsmanager.properties contains the parameters for Secrets Manager JDBC. The only required configuration item is cache_client_dkms_config_info. This item is a JSON array in which each element describes one Key Management Service (KMS) instance. You can configure multiple KMS instances to provide high availability and disaster recovery capabilities. The following table describes the elements in the array.

Element | Description |
---|---|
regionId | The region where the KMS instance resides. |
endpoint | The virtual private cloud (VPC) address of the KMS instance. |
clientKeyFile | The absolute or relative path to the client key file in the JSON format. |
passwordFromFilePath or passwordFromEnvVariable | The source of the password of the client key file. passwordFromFilePath specifies the path to a file that contains the password; passwordFromEnvVariable specifies the name of an environment variable whose value is the password. Specify one of the two, as shown in the methods below. |
ignoreSslCerts | Specifies whether to ignore the SSL certificate of the KMS instance. Valid values: true and false. |
caFilePath | The absolute or relative path to the certificate authority (CA) certificate file of the KMS instance. |
- Method 1: Obtain the password of the client key file from a file. The following sample code shows the content of the configuration file secretsmanager.properties:
cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromFilePath":"<your password file path>","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
- Method 2: Obtain the password of the client key file from an environment variable. The following sample code shows the content of the configuration file secretsmanager.properties:
cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromEnvVariable":"<your_password_env_variable>","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
Note You must also set the environment variable: its name is the value that you specify for passwordFromEnvVariable, and its value is the password of the client key file.
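As an added example that is not part of this page or of the Secrets Manager JDBC project, the following preflight check reads secretsmanager.properties and reports the configuration problems described above (a missing required element, zero or two password sources, an unreadable password or CA file, an unset environment variable, and ignoreSslCerts set to true) before the driver loads the file. It assumes the Jackson Databind library is on the classpath; the class name SecretsManagerConfigCheck and its check method are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class SecretsManagerConfigCheck {
    // Hypothetical preflight check for secretsmanager.properties (added example, not the driver's code); an empty result means every check passed.
    public static List<String> check(String propertiesPath) throws IOException {
        List<String> findings = new ArrayList<>();
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream(propertiesPath)) {
            props.load(in);
        }
        String json = props.getProperty("cache_client_dkms_config_info");
        JsonNode array = json == null ? null : new ObjectMapper().readTree(json);
        if (array == null || !array.isArray() || array.size() == 0) {
            findings.add("cache_client_dkms_config_info is required and must be a non-empty JSON array");
            return findings;
        }
        for (int i = 0; i < array.size(); i++) {
            JsonNode kms = array.get(i);
            String tag = "KMS instance " + i + ": ";
            for (String key : new String[] {"regionId", "endpoint", "clientKeyFile"}) { // all three are needed
                if (kms.path(key).asText("").isEmpty()) findings.add(tag + key + " is required");
            }
            // The client key password comes from exactly one source: a file or an environment variable.
            String pwFile = kms.path("passwordFromFilePath").asText(null);
            String pwEnv = kms.path("passwordFromEnvVariable").asText(null);
            if ((pwFile == null) == (pwEnv == null)) {
                findings.add(tag + "set exactly one of passwordFromFilePath or passwordFromEnvVariable");
            } else if (pwFile != null && !Files.isReadable(Paths.get(pwFile))) {
                findings.add(tag + "password file " + pwFile + " is not readable");
            } else if (pwEnv != null && System.getenv(pwEnv) == null) {
                findings.add(tag + "environment variable " + pwEnv + " is not set");
            }
            // ignoreSslCerts=true means the KMS endpoint certificate is not verified; surface it for review.
            if (kms.path("ignoreSslCerts").asBoolean(false)) {
                findings.add(tag + "ignoreSslCerts is true, so the KMS endpoint certificate is not verified");
            } else if (kms.hasNonNull("caFilePath") && !Files.isReadable(Paths.get(kms.get("caFilePath").asText()))) {
                findings.add(tag + "caFilePath is not readable");
            }
        }
        return findings;
    }
}
```

Call SecretsManagerConfigCheck.check("secretsmanager.properties") at application startup and fail fast if the returned list is not empty.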
Use Secrets Manager JDBC to connect to a database
In the following examples, an ApsaraDB RDS for MySQL database is used, and three connection methods are demonstrated.
Note You must replace #your-mysql-secret-name#, <your-mysql-ip>, <your-mysql-port>, and <your-database-name> in the sample code with the actual secret name, server IP address of the database, server port number of the database, and the name of the database.
Connect to the database by using JDBC
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class SecretManagerJDBCSample {
    public static void main(String[] args) throws Exception {
        // Load Secrets Manager JDBC. The driver reads secretsmanager.properties and obtains the
        // database credentials from the secret whose name is passed in place of the username.
        Class.forName("com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver");
        // The password argument is left empty; try-with-resources closes the connection on exit.
        try (Connection connect = DriverManager.getConnection(
                "secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>",
                "#your-mysql-secret-name#", "")) {
            System.out.println("Connected to " + connect.getMetaData().getDatabaseProductName());
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
Connect to the database by using a connection pool
You can also connect to the database by using a c3p0 connection pool. The following sample code shows how to prepare the configuration file c3p0.properties:
c3p0.user=#your-mysql-secret-name#
c3p0.driverClass=com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver
c3p0.jdbcUrl=secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>
Connect to the database by using an open source framework
Add the following configuration to the Spring configuration file:
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" >
    <property name="driverClass" value="com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver" />
    <property name="user" value="#your-mysql-secret-name#" />
    <property name="jdbcUrl" value="secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>" />
    <property name="maxPoolSize" value="***" />
    <property name="minPoolSize" value="***" />
    <property name="initialPoolSize" value="***" />
</bean>
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate" >
    <property name="dataSource" ref="dataSource" />
</bean>
Note Configure the maxPoolSize, minPoolSize, and initialPoolSize parameters based on your business requirements.