Connect EJBCA to external database
To connect EJBCA to a database, you need to provide a JDBC connection string, a username, and a password. These values are specified in the Helm chart’s values.yaml file. The following sections describe supported approaches.
Use a Kubernetes Secret for Credentials
Create a Kubernetes Secret to store the database credentials and reference it in the values.yaml using envFrom to make all keys and values available to EJBCA.
Create a dedicated Kubernetes Secret for storing the database credentials:
kubectl create secret generic ejbca-db-credentials \
  --from-literal=DATABASE_USER='ejbca' \
  --from-literal=DATABASE_PASSWORD='foo123'
Make all keys and values of the Secret available to EJBCA by referencing it in values.yaml:
ejbca:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
  envFrom:
    - secretRef:
        name: ejbca-db-credentials
Reference specific credentials
If an existing Secret already contains the database values, you can reference the required keys using envRaw:
ejbca:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ejbca-credentials
          key: database_password
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: ejbca-credentials
          key: database_user
Use plain text values (testing only)
Plain text values should only be used for testing.
For testing, you can optionally use env and plain text values:
ejbca:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123
Database Connection Examples
The following examples show how to connect EJBCA to common databases.
MariaDB/MySQL
This example connects EJBCA to a MariaDB or MySQL database with the server name mariadb-server, using the database name ejbca:
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:mariadb://mariadb-server:3306/ejbca?characterEncoding=UTF-8
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123
Use jdbc:mariadb even when connecting to a MySQL database. The JDBC driver supports both MariaDB and MySQL.
PostgreSQL
This example connects EJBCA to a PostgreSQL database and uses a Kubernetes Secret for storing the database username and password:
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/ejbcadb
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ejbca-db-credentials
          key: database_password
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: ejbca-db-credentials
          key: database_user
For TLS authentication, see Connect EJBCA to a database over TLS.
Microsoft SQL Server or Azure SQL
This example connects EJBCA to a Microsoft SQL Server database using a Secret containing DATABASE_USER and DATABASE_PASSWORD keys:
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:sqlserver://mssql-server:1433;DatabaseName=ejbca;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;sendStringParametersAsUnicode=false
  envFrom:
    - secretRef:
        name: ejbca-db-credentials
For information on how to use Azure managed identities to authenticate to an Azure SQL database in AKS, see Connect EJBCA to a database using cloud provider identities.
Oracle
This example connects EJBCA to an Oracle database using a Secret containing the DATABASE_USER and DATABASE_PASSWORD keys:
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:oracle:thin:@//oracle-server:1521/ejbca
  envFrom:
    - secretRef:
        name: ejbca-db-credentials
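A pre-deployment check for the configurations above, as an added example that is not part of the EJBCA Helm chart or its documentation: it flags a literal DATABASE_PASSWORD under ejbca.env (the testing-only layout) and a SQL Server JDBC URL that does not keep encrypt=true with trustServerCertificate=false. The function name lint_values and the sample file are constructed for illustration, and the scan assumes space-indented YAML laid out as in the examples on this page.

```shell
#!/bin/sh
# Added example: lint a Helm values file before deploying EJBCA.
# lint_values FILE: prints one finding per line, returns 1 if any, else 0.
lint_values() {
  awk '
    /^ *#/ || /^ *$/ { next }                        # skip comments and blank lines
    { indent = match($0, /[^ ]/) }                   # column of first non-space char
    /^ *env: *$/ { in_env = 1; env_indent = indent; next }
    in_env && indent <= env_indent { in_env = 0 }    # left the env: map (e.g. envFrom:)
    # A literal value after the key means the password lives in values.yaml.
    in_env && /^ *DATABASE_PASSWORD: *[^ ]/ {
      printf "line %d: plain-text DATABASE_PASSWORD under env\n", NR; bad = 1
    }
    # SQL Server URLs should keep encrypt=true and trustServerCertificate=false.
    in_env && /^ *DATABASE_JDBC_URL:.*jdbc:sqlserver:/ {
      u = tolower($0)
      if (u !~ /encrypt=true/ || u ~ /trustservercertificate=true/) {
        printf "line %d: SQL Server URL without verified TLS\n", NR; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample input: the testing-only layout from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:mariadb://mariadb-server:3306/ejbca?characterEncoding=UTF-8
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123
EOF
lint_values "$sample" || echo "values file needs attention"
rm -f "$sample"
```

Secret references through envFrom or envRaw pass the check because they sit outside the env map.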
Related Content
For information on securing database connections or using cloud-provider identities, see also: