Skip to content

feat: Add SSL/TLS Support to DataCloud JDBC Driver#89

Merged
praveen2450 merged 20 commits intoforcedotcom:mainfrom
praveen2450:praveen-driver-connection-ssl-mode-enhancement
Jan 22, 2026
Merged

feat: Add SSL/TLS Support to DataCloud JDBC Driver#89
praveen2450 merged 20 commits intoforcedotcom:mainfrom
praveen2450:praveen-driver-connection-ssl-mode-enhancement

Conversation

@praveen2450
Copy link
Contributor

@praveen2450 praveen2450 commented Aug 6, 2025
edited
Loading

🔒 Add SSL/TLS Support to DataCloud JDBC Driver

This PR implements comprehensive SSL/TLS support for the DataCloud JDBC driver, enabling secure connections with automatic SSL mode detection and flexible certificate configuration.

📋 Changes Made

Core SSL Implementation

  • New SslProperties class with SSL/TLS auto-detection
    • Added SslMode enum with four auto-detected modes: DISABLED, DEFAULT_TLS, ONE_SIDED_TLS, MUTUAL_TLS
    • Automatic SSL mode detection based on certificate properties provided
    • Implemented SSL context creation using GrpcSslContexts and NettyChannelBuilder
    • Support for both JKS truststore and PEM certificate formats

SSL Mode

The driver automatically determines the SSL mode based on certificate properties:

  1. DEFAULT_TLS - SSL with Java's system truststore (secure by default)
  2. ONE_SIDED_TLS - SSL with custom trust verification (JKS truststore or PEM CA cert)
  3. MUTUAL_TLS - Two-sided TLS with client certificate authentication
  4. DISABLED - Plaintext connections (testing only, via ssl.disabled=true)

⚠️ Breaking Changes

This wont break for clients using salesforce-datacloud jdbc driver, this is only a breaking change for salesforce-hyper,
Plaintext Connections: For plaintext connections (local testing), you must now explicitly pass ssl.disabled=true:

// Before: Plaintext was the default
String url = "jdbc:salesforce-hyper://localhost:port";
Connection conn = DriverManager.getConnection(url);

// After: Must explicitly disable SSL for plaintext
String url = "jdbc:salesforce-hyper://localhost:port?ssl.disabled=true";
Connection conn = DriverManager.getConnection(url);

This change ensures security by default - all connections now use SSL unless explicitly disabled.

🔧 Configuration Examples

System Truststore SSL (Default - No Config Needed)

// No SSL properties needed - automatically uses secure system truststore
Connection conn = DriverManager.getConnection(url, props);

Custom Trust with JKS Truststore

props.setProperty("ssl.truststore.path", "/path/to/truststore.jks");
props.setProperty("ssl.truststore.password", "password");
props.setProperty("ssl.truststore.type", "JKS");

Custom Trust with PEM CA Certificate

props.setProperty("ssl.ca.certPath", "/etc/identity/ca/cacerts.pem");

Mutual TLS with PEM Certificates

props.setProperty("ssl.client.certPath", "/etc/identity/client/certificates/client.pem");
props.setProperty("ssl.client.keyPath", "/etc/identity/client/keys/client-key.pem");
props.setProperty("ssl.ca.certPath", "/etc/identity/ca/cacerts.pem");

Mixed Configuration (JKS Trust + PEM Client Certs)

props.setProperty("ssl.truststore.path", "/path/to/truststore.jks");
props.setProperty("ssl.truststore.password", "password");
props.setProperty("ssl.client.certPath", "/etc/identity/client/certificates/client.pem");
props.setProperty("ssl.client.keyPath", "/etc/identity/client/keys/client-key.pem");

Plaintext Connection (Testing Only)

props.setProperty("ssl.disabled", "true");

Spark DataSource Integration

val df = spark.read()
  .format("com.salesforce.datacloud.spark.HyperResultSource")
  .option("queryId", "your-query-id")
  .option("jdbcUrl", "jdbc:salesforce-hyper://host:port")
  .option("ssl.disabled", "false")
  .option("ssl.truststore.path", "/path/to/truststore.jks")
  .option("ssl.truststore.password", "password")
  .option("ssl.client.certPath", "/path/to/client.pem")
  .option("ssl.client.keyPath", "/path/to/client-key.pem")
  .load()

@praveen2450 praveen2450 mentioned this pull request Aug 19, 2025
Draft
vogelsgesang
vogelsgesang reviewed Sep 6, 2025
View reviewed changes
Copy link
Contributor

@vogelsgesang vogelsgesang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the overall behavior looks good now. I think we should implement the logic in a slightly different way, though

@praveen2450 praveen2450 force-pushed the praveen-driver-connection-ssl-mode-enhancement branch from 0cec757 to a2f46c4 Compare October 8, 2025 09:14
@codecov
Copy link

codecov bot commented Oct 8, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 40.70796% with 67 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.74%. Comparing base (1ff41dc) to head (5e755d7).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
.../salesforce/datacloud/jdbc/core/SslProperties.java 36.89% 48 Missing and 17 partials ⚠️
...com/salesforce/datacloud/jdbc/HyperDatasource.java 66.66% 1 Missing and 1 partial ⚠️

❌ Your patch status has failed because the patch coverage (38.53%) is below the target coverage (90.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files 
@@             Coverage Diff              @@
##               main      #89      +/-   ##
============================================
- Coverage     84.00%   82.74%   -1.26%     
- Complexity     1288     1301      +13     
============================================
  Files           106      107       +1     
  Lines          3814     3918     +104     
  Branches        382      404      +22     
============================================
+ Hits           3204     3242      +38     
- Misses          445      493      +48     
- Partials        165      183      +18
Components Coverage Δ
JDBC Core 83.97% <38.53%> (-1.69%) ⬇️
JDBC Main 40.69% <ø> (ø)
JDBC HTTP 91.09% <100.00%> (ø)
JDBC Utilities 66.07% <ø> (ø)
Spark Datasource ∅ <ø> (∅)
Files with missing lines Coverage Δ
.../datacloud/jdbc/auth/SalesforceAuthProperties.java 94.59% <100.00%> (ø)
...com/salesforce/datacloud/jdbc/HyperDatasource.java 51.35% <66.66%> (-1.43%) ⬇️
.../salesforce/datacloud/jdbc/core/SslProperties.java 36.89% <36.89%> (ø)

Impacted file tree graph

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@praveen2450
feat: Add unit test, rename custom_truststore to onesided_tls amd ren…
cbdbae4 
…ame system_truststore to default_tls to match standard naming conventions
@praveen2450
feat: Add SSL/TLS support with mTLS capabilities
82500dd 
- Replace DirectDataCloudConnectionProperties in favour of SslProperties for SSL configuration and channel building
- Remove DirectDataCloudConnection
@praveen2450
remove empty line
984d8fa
vogelsgesang
vogelsgesang reviewed Oct 10, 2025
View reviewed changes
vogelsgesang
vogelsgesang reviewed Nov 4, 2025
View reviewed changes
vogelsgesang
vogelsgesang reviewed Nov 10, 2025
View reviewed changes
@praveen2450
refactor(ssl): align SslProperties with SalesforceAuthProperties patt…
4274bb2 
…ern and improve validation

- Updated tests to create real temporary files for validation
@praveen2450
Merge upstream main
1bab401
vogelsgesang
vogelsgesang reviewed Dec 10, 2025
View reviewed changes
mkaufmann
mkaufmann approved these changes Jan 21, 2026
View reviewed changes
@praveen2450 praveen2450 merged commit 9123c1b into forcedotcom:main Jan 22, 2026
13 of 18 checks passed
@github-actions github-actions bot mentioned this pull request Jan 22, 2026
Merged
KaviarasuSakthivadivel pushed a commit that referenced this pull request Feb 5, 2026
@github-actions
chore(main): release 0.42.0 (#146)
7d815de 
🤖 I have created a release *beep* *boop*
---


##
[0.42.0](0.41.0...v0.42.0)
(2026-02-05)


### Features

* Add SSL/TLS Support to DataCloud JDBC Driver
([#89](#89))
([9123c1b](9123c1b))
* implement automated release pipeline using Release Please
([#139](#139))
([268eb2e](268eb2e))
* Provide a low level Async Interface
([#150](#150))
([b1fba90](b1fba90))
* Support PreparedStatement.getMetaData()
([#151](#151))
([52448d9](52448d9))


### Bug Fixes

* Breaking - Remove data loss for slow readers
([#142](#142))
([1ff41dc](1ff41dc))
* **ci:** remove explicit SNAPSHOT version from snapshot workflow
([#141](#141))
([b30c3fe](b30c3fe))
* **ci:** synchronize Release Please state to resolve empty change set
error ([#143](#143))
([8518b23](8518b23))
* **ci:** use simple release-type with extra-files for Gradle project
([#145](#145))
([5a8aac4](5a8aac4))


### Performance Improvements

* Optimize ResultSet column lookup with HashMap-based indexing
([#138](#138))
([b8c5eb9](b8c5eb9))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Feb 5, 2026
Merged
KaviarasuSakthivadivel pushed a commit that referenced this pull request Feb 5, 2026
@github-actions
chore(main): release 0.42.0 (#154)
10153b2 
🤖 I have created a release *beep* *boop*
---


##
[0.42.0](0.41.0...v0.42.0)
(2026-02-05)


### Features

* Add SSL/TLS Support to DataCloud JDBC Driver
([#89](#89))
([9123c1b](9123c1b))
* implement automated release pipeline using Release Please
([#139](#139))
([268eb2e](268eb2e))
* Provide a low level Async Interface
([#150](#150))
([b1fba90](b1fba90))
* Support PreparedStatement.getMetaData()
([#151](#151))
([52448d9](52448d9))


### Bug Fixes

* Breaking - Remove data loss for slow readers
([#142](#142))
([1ff41dc](1ff41dc))
* **ci:** remove explicit SNAPSHOT version from snapshot workflow
([#141](#141))
([b30c3fe](b30c3fe))
* **ci:** synchronize Release Please state to resolve empty change set
error ([#143](#143))
([8518b23](8518b23))
* **ci:** use simple release-type with extra-files for Gradle project
([#145](#145))
([5a8aac4](5a8aac4))
* Remove comments from JDBC driver version
([#153](#153))
([32f7216](32f7216))


### Performance Improvements

* Optimize ResultSet column lookup with HashMap-based indexing
([#138](#138))
([b8c5eb9](b8c5eb9))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KaviarasuSakthivadivel KaviarasuSakthivadivel KaviarasuSakthivadivel left review comments

@mkaufmann mkaufmann mkaufmann approved these changes

@vogelsgesang vogelsgesang vogelsgesang approved these changes

+1 more reviewer

@jschneidereit jschneidereit jschneidereit left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@praveen2450 @mkaufmann @jschneidereit @KaviarasuSakthivadivel @vogelsgesang