Liquibase Business uses JDBC and vendor provided native clients to establish connections to the database.

Database Connection Method

• Uses standard JDBC Providers (database vendors)

• Username/hostname is defined in connection string

• Encrypted Password passed via database driver property method (not as part of the connection string)

• Information on setup of SSL JDBC connections

  • Oracle Wallet for SSL Connections - SSL Connection to an Oracle Database through Oracle Wallet

  • SQL Server - https://msdn.microsoft.com/en-us/library/bb879935(v=sql.110).aspx

  • DB2 - https://www.ibm.com/support/knowledgecenter/SSEPGG_9.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005815.html

Liquibase Database Connection Information

Liquibase obtains connection user/password information from one of these two methods below.  We strongly recommend to use the first method (runtime credentials) because it is more secure.  The third option (storing credentials in the datical.project file) is to be avoided because of the possibility of the encoded passwords being decoded.

• Option 1: Runtime Credentials (more secure)

  • This method is strongly recommended for securely passing database credentials to Liquibase in the GUI or in automation (using the Command Line)

  • For Automation/Command Line, the automation platform retrieves database credentials from the company's credential store (often a 3rd-party tool like CyberArk or the CI/CD platform's native credential store) and loads them into environment variables before calling the Liquibase Business CLI

    • Credentials are passed to the CLI at runtime via environment variables

    • They are not persisted by Liquibase

  • For GUI usage, the user is prompted for database credentials at run-time

    • The Graphical User interface prompts users for information in real-time

    • They are not persisted by Liquibase

• Option 2: Platform-Specific credential options (security depends on your configuration)

  • For SQL Server, you can use Integrated Security:

    • Passwords are NOT stored in datical.project with Integrated Security for SQL Server

      • Setting up Integrated Security for Active Directory

  • For Oracle, you can use EZCONNECT, TNSNAMES, LDAP, or SSL through Oracle Wallet:

    • Passwords can optionally be stored in datical.project with these connections for Oracle depending on your configuration - we recommend configurations that do NOT store the password in datical.project file 

      • Choosing a Database Connection Method for Oracle Databases

        • EZCONNECT Connection to an Oracle Database

        • TNSNAMES Connection to an Oracle Database

        • LDAP Connection to an Oracle Database

        • SSL Connection to an Oracle Database Through Oracle Wallet

• Option 3: Stored Credentials (less secure)

  • This method is only for evaluations and single-user usage as the encoding method is not secure and could compromise passwords in a multi-user environment.

  • When using the Stored Credentials option, for both the GUI and CLI the database User and Password are stored and persisted in the datical.project file:

    • Password is encoded (but not encrypted)

    • There may be potential risk of having the stored password be decoded

    • Limit who has access to the datical.project files on the machines running Liquibase Business

    • Limit who has access to the datical.project files stored in source control (Git, SVN, TFS)

    • We recommend that all customers use our hammer debug export "scrubber" to remove sensitive information from files before sending them in to Liquibase tech support.  If you are using the less secure Stored Credentials option, then that is extra incentive be sure to "scrub" your Liquibase files with the hammer debug export command before sending files to tech support: Assembling Data for Liquibase Support

See also these related pages for additional Credential Management information: 

• Database Credential Management

  • /wiki/spaces/DDOC/pages/896569326

    • Providing Runtime Credentials

    • Password Character Requirements