Are the default mysql user values currently installed in the distribution the smartest ones?
Submitted by Ben_Charlton on Mon, 07/04/2014 - 11:22
I was looking at the createdb.sql script in the distribution and wondered if it is really the best we can do.
It is a really unsecured default installation, and while I know any decent implementer would change it, I just wondered if we shouldn't be modifying it to be a little more security-conscious.
I was thinking more like:
#
# Script to create the openvpms database, and add a single user 'openvpms',
# with all privileges
#
CREATE DATABASE `openvpms` /*!40100 DEFAULT CHARACTER SET utf8 */;
GRANT INSERT, SELECT, DROP, CREATE, LOCK TABLES, EXECUTE, UPDATE, INDEX ON openvpms.*
    TO 'openvpms'@'localhost' IDENTIFIED BY 'openvpms';

# UN-COMMENT IF THE TOMCAT AND MYSQL INSTALLATIONS ARE ON REMOTE MACHINES.
#
# GRANT INSERT, SELECT, DROP, CREATE, LOCK TABLES, EXECUTE, UPDATE, INDEX ON openvpms.*
#     TO 'openvpms'@'%' IDENTIFIED BY 'openvpms';
We should also advise that the user change the mysql root password to something personal and secure.
Re: Are the default mysql user values currently installed in ...
Agreed.
Ideally the openvpms password should be changed. This requires changing the various hibernate.properties files:
1. <OPENVPMS_HOME>/conf/hibernate.properties
2. WEB-INF/classes/hibernate.properties
The MySQL server shouldn't be accessible outside of the local network. If it's co-located with Tomcat, then there's no need to make it accessible outside of the local host.
The database connection properties can be moved into Tomcat's JNDI* so they don't need to be changed when the war is redeployed, but the <OPENVPMS_HOME>/conf/hibernate.properties will need to be changed manually.
* https://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto....
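The check below is an added example, not part of the original thread or the OpenVPMS distribution: it audits the two hibernate.properties files listed above for the default password, a password that differs between the files, and a database host that is not local. It assumes the standard Hibernate keys hibernate.connection.url, hibernate.connection.username and hibernate.connection.password; the file contents, the host name and the function names are constructed for illustration.

```python
import re

DEFAULT_PASSWORD = "openvpms"        # default set by createdb.sql in the thread
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PREFIX = "hibernate.connection."     # standard Hibernate JDBC property prefix

def parse_properties(text):
    """Parse key=value / key: value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def jdbc_host(url):
    """Host of a jdbc:mysql://host[:port]/db URL, or None if it is not one."""
    m = re.match(r"jdbc:mysql://(\[[^\]]+\]|[^:/?]*)", url or "")
    if not m:
        return None
    return m.group(1).strip("[]") or "localhost"   # empty host: driver's local default

def audit(files):
    """files maps path -> properties text. Returns a list of (path, finding)."""
    findings, passwords = [], set()
    for path, text in files.items():
        p = parse_properties(text)
        pw = p.get(PREFIX + "password", "")
        passwords.add(pw)
        if pw == DEFAULT_PASSWORD:
            findings.append((path, "default password still in use"))
        elif pw in ("", p.get(PREFIX + "username")):
            findings.append((path, "password empty or same as username"))
        host = jdbc_host(p.get(PREFIX + "url"))
        if host is None:
            findings.append((path, "no jdbc:mysql URL found"))
        elif host.lower() not in LOCAL_HOSTS:
            findings.append((path, "connects to remote host " + host))
    if len(passwords) > 1:
        findings.append(("*", "password differs between the files"))
    return findings

# Constructed sample contents for the two files named in the thread.
SAMPLE = {
    "<OPENVPMS_HOME>/conf/hibernate.properties": "# constructed sample\n"
        "hibernate.connection.url=jdbc:mysql://localhost:3306/openvpms\n"
        "hibernate.connection.username=openvpms\n"
        "hibernate.connection.password=S3t-per-site\n",
    "WEB-INF/classes/hibernate.properties":
        "hibernate.connection.url = jdbc:mysql://db.example.internal:3306/openvpms\n"
        "hibernate.connection.username = openvpms\n"
        "hibernate.connection.password = openvpms\n",
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(path, "->", finding)
```

A "connects to remote host" finding is informational: it marks the case where the MySQL grant has to cover the Tomcat machine rather than localhost only.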
Re: Are the default mysql user values currently installed in ...
I've updated the createdb.sql script, and added a basic security section to readme.txt, in revision 5879.