
Database Integration

All production deployments should use an external database for data persistence. The following sections provide information on connecting to an external database along with examples for different databases.

The following databases are supported:

  • MariaDB

  • MySQL

  • Microsoft SQL Server

  • PostgreSQL

  • Oracle

Connect EJBCA to an external database

To connect EJBCA to a database, you need to provide a JDBC connection string, a username, and a password. These can be specified in the values.yaml file of the Helm Chart in one of the following ways.

Reference Kubernetes Secret

Create a Kubernetes secret to store the database credentials, then reference it in values.yaml using envFrom to make all keys and values available to EJBCA.

  1. Create a dedicated Kubernetes secret for storing the database credentials:

    BASH
    kubectl create secret generic ejbca-db-credentials \
        --from-literal=DATABASE_USER='ejbca' \
        --from-literal=DATABASE_PASSWORD='foo123'
  2. Make all keys and values of the secret available to EJBCA by referencing it in values.yaml:

    YAML
    ejbca:
      env:
        DATABASE_JDBC_URL: <jdbc connection string>
      envFrom:
        - secretRef:
            name: ejbca-db-credentials

Reference specific credentials

Reference specific credentials in an existing secret (for example, ejbca-credentials) using envRaw:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: ejbca-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: ejbca-credentials
         key: database_user 

Use plain text values

This method is only recommended for testing purposes, because the credentials are stored in clear text in values.yaml.

For testing, you can optionally use env and plain text values:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123
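
A pre-deployment check for the plain text method above, added here as an example and not part of the chart or the original documentation: it flags DATABASE_USER or DATABASE_PASSWORD set directly under env, and a DATABASE_JDBC_URL that carries user= or password= parameters. The function name lint_db_values and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the chart): lint a Helm values file for database
# credentials in plain text. Prints findings; returns 1 if any were found.
lint_db_values() {
  awk '
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                  # drop trailing comments
      if (line ~ /^[ \t]*$/ || line ~ /^[ \t]*#/) next
      indent = match(line, /[^ ]/) - 1
    }
    # A key at the same or lower indent (envFrom:, envRaw:, ...) ends the env map.
    in_env && indent <= env_indent { in_env = 0 }
    line ~ /^ *env:[ \t]*$/ { in_env = 1; env_indent = indent; next }
    in_env && line ~ /^ *DATABASE_(USER|PASSWORD):[ \t]*[^ \t]/ {
      key = line; sub(/^ */, "", key); sub(/:.*/, "", key)
      printf "%d: %s set as plain text under env\n", NR, key; bad = 1
    }
    in_env && line ~ /^ *DATABASE_JDBC_URL:/ && tolower(line) ~ /[?&;](user|password)=/ {
      printf "%d: DATABASE_JDBC_URL embeds credentials\n", NR; bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample values files, written to a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/plain.yaml" <<'EOF'
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:mariadb://mariadb-server:3306/ejbca?characterEncoding=UTF-8
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123
EOF
cat > "$demo_dir/secret.yaml" <<'EOF'
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/ejbcadb
  envFrom:
    - secretRef:
        name: ejbca-db-credentials
EOF
lint_db_values "$demo_dir/plain.yaml" || echo "plain.yaml: rejected"
lint_db_values "$demo_dir/secret.yaml" && echo "secret.yaml: ok"
```

Run it against the values file in CI before helm install or helm upgrade, and fail the job on a non-zero return.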

Database Connection Examples

The following sections provide examples of connecting to different databases.

MariaDB/MySQL

The following example shows the modifications to the Helm chart values file needed to connect EJBCA to a MariaDB/MySQL database with server name mariadb-server and database name ejbca using username ejbca and password foo123:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:mariadb://mariadb-server:3306/ejbca?characterEncoding=UTF-8
    DATABASE_USER: ejbca
    DATABASE_PASSWORD: foo123

Please use jdbc:mariadb even when connecting to a MySQL database. This JDBC driver supports both MariaDB and MySQL databases.

PostgreSQL

The following example connects EJBCA to a PostgreSQL database and reads the database username and password from the database_user and database_password keys of a Kubernetes secret:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/ejbcadb
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: ejbca-db-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: ejbca-db-credentials
         key: database_user
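
Kubernetes secret key names are case-sensitive, and a secretKeyRef that names a key the secret does not hold keeps the container from starting. The following check, an added example that is not part of the chart or the original documentation, compares the keys requested through secretKeyRef with the keys a secret actually holds; the function names and the sample key list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the chart): verify that every secretKeyRef key in a
# values file exists in the secret it names.

# Print the keys that values file $1 requests from secret $2, one per line.
referenced_keys() {
  awk -v want="$2" '
    /secretKeyRef:/      { in_ref = 1; name = ""; key = ""; next }
    in_ref && /^ *name:/ { name = $2 }
    in_ref && /^ *key:/  { key = $2 }
    in_ref && name != "" && key != "" {
      if (name == want) print key
      in_ref = 0
    }
  ' "$1"
}

# Read the keys the secret really holds on stdin (one per line) and print the
# referenced keys that are absent. Returns 1 if any are missing.
# On a cluster the key list would come from:
#   kubectl get secret NAME -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
missing_keys() {
  present=$(cat)
  status=0
  for k in $(referenced_keys "$1" "$2"); do
    printf '%s\n' "$present" | grep -qxF -e "$k" || { echo "$k"; status=1; }
  done
  return "$status"
}

# Constructed sample: the envRaw layout shown above, written to a temp file.
values=$(mktemp)
cat > "$values" <<'EOF'
ejbca:
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: ejbca-db-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: ejbca-db-credentials
         key: database_user
EOF
# Constructed key list: a secret whose keys are DATABASE_USER and DATABASE_PASSWORD.
printf 'DATABASE_USER\nDATABASE_PASSWORD\n' |
  missing_keys "$values" ejbca-db-credentials || echo "secret lacks the keys listed above"
```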

Microsoft SQL Server

The following example connects EJBCA to a Microsoft SQL Server database using a secret that contains DATABASE_USER and DATABASE_PASSWORD keys:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:sqlserver://mssql-server:1433;DatabaseName=ejbca;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;sendStringParametersAsUnicode=false
  envFrom:
    - secretRef:
        name: ejbca-db-credentials

Oracle

The following example connects EJBCA to an Oracle database using a secret that contains DATABASE_USER and DATABASE_PASSWORD keys:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: jdbc:oracle:thin:@//oracle-server:1521/ejbca
  envFrom:
    - secretRef:
        name: ejbca-db-credentials

Connect SignServer to an external database

All production deployments of SignServer should use an external database for data persistence.

The following sections provide examples for connecting to different databases.

Reference Kubernetes Secret

Create a Kubernetes secret to store the database credentials, then reference it in values.yaml using envFrom to make all keys and values available to SignServer.

  1. Create a dedicated Kubernetes secret for storing the database credentials:

    BASH
    kubectl create secret generic signserver-db-credentials \
        --from-literal=DATABASE_USER='signserver' \
        --from-literal=DATABASE_PASSWORD='foo123'
  2. Make all keys and values of the secret available to SignServer by referencing it in values.yaml:

    YAML
    signserver:
      env:
        DATABASE_JDBC_URL: <jdbc connection string>
      envFrom:
        - secretRef:
            name: signserver-db-credentials

Reference specific credentials

Reference specific credentials in an existing secret (for example, signserver-credentials) using envRaw:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: signserver-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: signserver-credentials
         key: database_user 

Use plain text values

This method is only recommended for testing purposes, because the credentials are stored in clear text in values.yaml.

For testing, you can optionally use env and plain text values:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
    DATABASE_USER: signserver
    DATABASE_PASSWORD: foo123

MariaDB

The following example shows modifications to the helm chart values file used to connect to a MariaDB database with server name mariadb-server and database name signserverdb using username signserver and password foo123:

YAML
signserver:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://signserver-mariadb:3306/signserverdb?characterEncoding=utf8"
    DATABASE_USER: signserver
    DATABASE_PASSWORD: foo123

PostgreSQL

The following example connects SignServer to a PostgreSQL database and reads the database username and password from the database_user and database_password keys of a Kubernetes secret:

YAML
signserver:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/signserverdb
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: signserver-db-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: signserver-db-credentials
         key: database_user

Microsoft SQL Server

The following example connects SignServer to a Microsoft SQL Server database…

YAML
signserver:
  env:
    DATABASE_JDBC_URL: jdbc:sqlserver://mssql-server:1433;DatabaseName=signserver;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;sendStringParametersAsUnicode=false
  envFrom:
    - secretRef:
        name: signserver-db-credentials

Oracle

The following example connects SignServer to an Oracle database using a secret that contains DATABASE_USER and DATABASE_PASSWORD keys:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: jdbc:oracle:thin:@//oracle-server:1521/signserver
  envFrom:
    - secretRef:
        name: signserver-db-credentials