Liquibase Business uses JDBC and vendor-provided native clients to establish connections to the database.
Database Connection Method
Uses standard JDBC Providers (database vendors)
Username/hostname is defined in connection string
Encrypted Password passed via database driver property method (not as part of the connection string)
Information on setup of SSL JDBC connections
Liquibase Database Connection Information
Liquibase obtains connection user/password information from one of the two methods below. We strongly recommend using the first method (runtime credentials) because it is more secure. The third option (storing credentials in the datical.project file) is to be avoided because of the possibility of the encoded passwords being decoded.
Option 1: Runtime Credentials (more secure)
This method is strongly recommended for securely passing database credentials to Liquibase in the GUI or in automation (using the Command Line).
For Automation/Command Line, the automation platform retrieves database credentials from the company's credential store (often a 3rd-party tool like CyberArk or the CI/CD platform's native credential store) and loads them into environment variables before calling the Liquibase Business CLI.
Credentials are passed to the CLI at runtime via environment variables
They are not persisted by Liquibase
For GUI usage, the user is prompted for database credentials at runtime
The Graphical User Interface prompts users for information in real time
They are not persisted by Liquibase
Option 2: Platform-Specific credential options (security depends on your configuration)
For SQL Server, you can use Integrated Security:
Passwords are NOT stored in datical.project with Integrated Security for SQL Server
For Oracle, you can use EZCONNECT, TNSNAMES, LDAP, or SSL through Oracle Wallet:
Passwords can optionally be stored in datical.project with these connections for Oracle, depending on your configuration. We recommend configurations that do NOT store the password in the datical.project file.
Option 3: Stored Credentials (less secure)
This method is only for evaluations and single-user usage as the encoding method is not secure and could compromise passwords in a multi-user environment.
When using the Stored Credentials option, for both the GUI and CLI the database User and Password are stored and persisted in the datical.project file:
Password is encoded (but not encrypted)
There may be a risk of the stored password being decoded
Limit who has access to the datical.project files on the machines running Liquibase Business
Limit who has access to the datical.project files stored in source control (Git, SVN, TFS)
We recommend that all customers use our hammer debug export "scrubber" to remove sensitive information from files before sending them to Liquibase tech support. If you are using the less secure Stored Credentials option, that is extra incentive to "scrub" your Liquibase files with the hammer debug export command before sending files to tech support: Assembling Data for Liquibase Support
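The two access-limiting points under Option 3 can be checked across a machine directory or a source-control checkout with a short audit script. This is an added example, not Liquibase tooling: it assumes datical.project is an XML file in which a stored credential appears as a non-empty attribute whose name contains "password", and the function names are hypothetical.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET


def audit_project_file(path):
    """Return a list of findings for one datical.project file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {mode:03o} allow group/other access")
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        findings.append(f"not parseable as XML ({exc}); review by hand")
        return findings
    for elem in root.iter():
        for name, value in elem.attrib.items():
            # Assumption: a persisted credential is a non-empty attribute
            # whose name contains "password". The value is never printed.
            if "password" in name.lower() and value.strip():
                label = elem.get("name", elem.tag)
                findings.append(f"stored password on '{label}' ({name})")
    return findings


def audit_tree(top):
    """Walk a checkout or install directory; map file path -> findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(top):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if "datical.project" in filenames:
            path = os.path.join(dirpath, "datical.project")
            found = audit_project_file(path)
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    report = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in sorted(report.items()):
        for item in found:
            print(f"{path}: {item}")
    sys.exit(1 if report else 0)
```

The script exits non-zero when any finding exists, so it can gate a CI job or a pre-commit hook on the repository that holds the project files.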