I don't think it passes the creds in the clear, I thought it did a hash comparison.
If you can configure the secure jdbc connection to the db (the db must support this) our app should be able to use this (though it's not supported) - we need the jdbc connection, what happens between the jdbc driver and the db should not matter to us.
As far as stunnel or ssh, there are guides on the internet about how to do this, any guide on this should work. you can also pass this connection across using a secure tunnel like gre.
This connection should still be passing over an encrypted connection when it goes to the db - I can't imaging that a connection between two datacenters is not tunneled, but the traffic would be exposed to other systems that have access to the tunnel.