I am trying to enable SSL/TLS for all connections to an Amazon Aurora MySQL compatible instance. I went through the AWS documentation, but I couldn't find the corresponding parameter value to enforce this at the instance level.
I am able to connect to the RDS at the user level using the below command
mysql -h rdsinstance.us-west-2.rds.amazonaws.com --ssl-ca=us-ca.pem --ssl-mode=REQUIRED -P 3306 -u user123 -p
mysql> \s
--------------
mysql Ver 8.0.31 for Win64 on x86_64 (MySQL Community Server - GPL)
Connection id: 41
Current database:
Current user: user123#171.165.11.11
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Using delimiter: ;
Server version: 5.7.12 MySQL Community Server (GPL)
Protocol version: 10
Connection: rdsinstance.us-west-2.rds.amazonaws.com via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: cp850
Conn. characterset: cp850
TCP port: 3306
But I want all connections to the database using SSL.
I am not sure if it's because of the community version.
Thank you.
As per the AWS documentation, You can set the require_secure_transport parameter to ON to require SSL/TLS for connections to your DB cluster.
By default, the require_secure_transport parameter is set to OFF.
Special Note as per documentation: The require_secure_transport parameter is only available for Aurora MySQL version 5.7. You can set this parameter in a custom DB cluster parameter group. The parameter isn't available in DB instance parameter groups.
refer to the Requiring an SSL/TLS connection to an Aurora MySQL DB cluster section from the AWS documentation URL:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html#AuroraMySQL.Security.SSL
if you have a custom DB cluster parameter group and the respected supported version already, please try
aws rds modify-db-parameter-group \
--db-parameter-group-name <parameter-group-name> \
--parameters "ParameterName='require_secure_transport',ParameterValue=ON,ApplyMethod=immediate"
refer to modify-db-parameter-group for all list of supported arguments with the command.
Related
I want to connect to a remote SQL Server from WSL2, but I keep getting errors for some reason. I tried connecting using my Windows Host machine without any problem.
~/.odbc.ini
[MSSQLTest]
Description=Microsoft ODBC Driver 17 for SQL Server
Driver=/opt/microsoft/msodbcsql17/lib64/libmsodbcsql-17.9.so.1.1
server=tcp:server,port
Database=Databasename
Trusted_Connection=yes
TrustServerCertificate=yes
uid=username#domain.com
pwd=password
odbcinst -j
unixODBC 2.3.7
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /home/test/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8
Errors
test#Desktop:/mnt/c/Users/test$ isql -v mssqltest
[S1000][unixODBC][Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
[S1000][unixODBC][Microsoft][ODBC Driver 17 for SQL Server]Cannot generate SSPI context
I tried several different changes in the DSN, but none worked. The only thing that changed was the error messages. Then I tried installing mssql-tools to use sqlcmd, but I got similar errors.
Errors
test#DESKTOP:/mnt/c/Users/test$ sqlcmd -S server -U domain\\username -P password -G
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSL Provider: [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate].
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish the connection.
I have no idea what the error above means.
test#DESKTOP:/mnt/c/Users/test$ sqlcmd -S server#example.com -U domain\username -P password -G
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSL Provider: [error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate].
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish connection.
I get a similar error. If I change something in the DSN, I get an error stating No kerberos credentials available (default cache: FIEL:/tmp/krb5cc_1000). Cannot generate SSPI context.
I looked up and tried many different solutions suggested on SO and other sites, but I can't seem to get it working. I can, however, ping the server.
Why is it doing this? Why does my connection work from my Windows Host machine but not WSL? What am I missing?
I don't think there's anything wrong with your setup. You might want to check if your admin allows SQL Authentication. Then use the sqlcmd to check if it works for you. You may be able to figure out the solution then.
sqlcmd -SXX.XX.XX.XXX -U username -P password -Q "select top 5 * from your_table"
I have been researching this Redis error for days now...
I created a GCP Memorystore Redis instance and received the following internal IP endpoint:
10.xxx.xxx.xxx:6378
I created a small GCE instance and made sure that zone matched the Redis instance:
us-central1-f
However, I when I ssh into the VM, connect to Redis, and issue a PING, I get the following error response
Protocol error, got "\x15" as reply type byte
Any idea why I am getting this error?
If the Redis instance was configured with an AUTH string and/or TLS encryption, you would need to pass these credentials when connecting to it.
I received the same error when using your command to connect to my encrypted instance. This can be done in two ways as far as I tested (from a GCE instance in the same VPC as Redis):
1. Using the redis-cli, you could use the following command to authenticate (see here for information on the flags used in the command):
redis-cli -h <ip_addres> -p <port> -a <auth_string> --tls --cacert <path/to/certificate_file.pem>
Note: the certificate file would need to be installed to your VM.
2. The GCP Memorystore documentation recommends using telnet and Stunnel to connect to a secured and encrypted instance.
Something not included in the documentation is that after running telnet localhost 6378 in step 4, you would need to pass the AUTH string in the telnet console:
AUTH <auth_string>
+OK
PING
+PONG
After that, you can PING the instance in step 5, skipping sending the AUTH string will return this error: -NOAUTH Authentication required. Besides that, you should follow as documented the rest of the steps.
I am using Microsoft SQL Server on my mac through a docker container. I currently have a database on my local host. I want to share it with another computer/user so that they can get access to the DBMS and use C#. They are getting a error something like 'the server is not found or accessible'.
How can i make the database remote?
search for my.conf file in container.
whereis mysql
change bind address value:
bind-address 0.0.0.0
Then try to connect remotely:
mysql -h <host-name> -P <port> -u <user-name> -p
I have accepted the "Chromebook challenge." So far, I have successfully ssh'ed into my new Google Compute Engine from ChromeOS's built in ssh terminal. But now I am faced with the task of connecting to an Amazon RDS (relational database service) instance that a consulting client has set up for me. I have found no tutorials how to do this. I don't know if I should be ssh'ing into the RDS, or what.
Has anyone else done this successfully?
Aha, so there is no way of ssh-ing to an RDS instance directly (Chromebook or otherwise), as Fredrick mentioned.
That said, I have accomplished all I needed by ssh-ing from my Chromebook into my Google Compute Engine, and then hopping from there to my RDS instance, using the standard:
me#myserver$mysql -h myrdsinstanceaddress -P 3306 -u root -p
So, the crux is that you have to ssh into some other server, and then work from there.
From the aws documentation.
Type the following command at a command prompt to connect to a DB instance using the MySQL utility. For the -h parameter, substitute the DNS name for your DB instance. For the -P parameter, substitute the port for your DB instance. Enter the master user password when prompted.
PROMPT> mysql -h myinstance.123456789012.us-east-1.rds.amazonaws.com -P 3306 -u mymasteruser -p
I am trying to use always encrypted column with SQL Server 2016 and RHEL 7.
I have created my DSN in /etc/odbc.ini.
Info reg odbc.ini is
[test]
Driver=/opt/microsoft/msodbcsql/lib64/libmsodbcsql-13.1.so.8.0
Description=My Sample ODBC Database Connection
Trace=Yes
Server=ip address of sqlserver 2016
Database=Test
ColumnEncryption=Enabled
I have tried to put the column master key in .crt format in
/ssl/private and /etc/pki/ca-trust/extracted/pem/.
I am using the command to connect
sqlcmd -D -S test -U test -P test -d Test -Q "select * from empInfo"
I am getting the error
Sqlcmd: Error: Internal error at ReadAndHandleColumnData (Reason: Error reading column data).
SqlState CE200, Keystore provider MSSQL_CERTIFICATE_STORE not found. Ensure that the appropriate Keystore provider library has been loaded.
Can anyone help me with this? It seems like that it is not picking up the certificate. If that is the case then what will be the location of the crt file to put?
Regards,
Sanjay
Currently, MSSQL_CERTIFICATE_STORE is not supported on Linux. You will have to use Azure Key Vault. Please refer this article