This page addresses various security-related matters.
The database user name and password are configured via the toolbox configure command, which stores the configuration in:
<OPENVPMS_HOME>/conf/openvpms.properties
When the database is created, these are used to create a corresponding MySQL database user.
If the database user name or password is changed*:
* For information on setting the MySQL password see:
https://dev.mysql.com/doc/refman/5.7/en/set-password.html
The default installation creates an OpenVPMS user named 'admin', with password 'admin'. This should be changed using either:
toolbox user --setpassword admin -p somestrongpassword
User passwords can be configured using:
toolbox user --setpassword admin -p somestrongpassword
There is little restriction on what passwords may be entered, but it is recommended that strong passwords are used.
The OpenVPMS and Tomcat installation directories should only be accessible to a single user with a strong password.
These directories contain files that could enable an attacker to gain access to the OpenVPMS web application, or the MySQL database.
For security, Tomcat should be configured to use HTTPS connections. These encrypt data travelling between the browser and web server.
See SSL/TLS Configuration HOW-TO in the Apache Tomcat documentation.
The default openvpms.properties configuration disables SSL access to the MySQL database server by specifying useSSL=false in the JDBC connection string i.e.:
db.url = jdbc:mysql://localhost:3306/openvpms_dev?useSSL=false
To connect to a MySQL server securely, see Connecting Securely Using SSL in the MySQL documentation.
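The file-access recommendation and the useSSL=false default described above can both be checked with a short script. This is an added example, not part of OpenVPMS: the function names and the sample file contents are constructed, and it assumes POSIX permission bits and simple key = value property lines.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit, parse_qs

def parse_properties(text):
    """Parse simple 'key = value' lines, skipping blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key[:1] not in "#!":
            props[key.strip()] = value.strip()
    return props

def check_db_url(props):
    """Flag a JDBC URL that explicitly turns SSL off, as the default one does."""
    url = props.get("db.url", "")
    # Drop the "jdbc:" prefix so urlsplit sees mysql://host:port/db?query
    query = urlsplit(url[5:] if url.startswith("jdbc:") else url).query
    if parse_qs(query).get("useSSL", [""])[-1].lower() == "false":
        return ["db.url sets useSSL=false: MySQL traffic is not encrypted"]
    return []

def check_permissions(path):
    """Flag any group or other permission bits on a file or directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible beyond its owner (mode {mode:o})"]
    return []

def audit(conf_path):
    """Check the properties file, its directory, and the db.url setting."""
    with open(conf_path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    return (check_permissions(conf_path) + check_permissions(conf_dir)
            + check_db_url(props))

if __name__ == "__main__":
    # Constructed sample standing in for <OPENVPMS_HOME>/conf/openvpms.properties
    sample = "db.url = jdbc:mysql://localhost:3306/openvpms_dev?useSSL=false\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openvpms.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # world-readable on purpose
        for finding in audit(path):
            print("FINDING:", finding)
```

A db.url without useSSL=false produces no finding here, but that alone does not confirm the connection is encrypted; that depends on the MySQL server and driver configuration.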