Quarkus JDBC connection with SSL - ssl

I using quarkus with Panache + Agroal.
I need to setup a DB connection(postgres) with SSL enabled. So I need to somehow configure the server-cert, client-cert and client-key.
I only see this available for the reactive client.
Can this be achieved for non-reactive one? I find it very hard to believe that nobody needed this.

You can specify it via JDBC url. Different database would have its own way to config ssl. For postgres, it would be sslcert and sslkey, ref https://jdbc.postgresql.org/documentation/head/connect.html#ssl

Related

Does snowflake support ssl?

Hi I want to have the ability to connect from jdbc driver to snowflake with ssl. I did it many times with other db, just add ssl=true(sometimes other properties) in connection url.
Unfortunately I didn't find this option in snowflake documentation. I found that snowflake supports something like ssl they call it Using Key Pair Authentication
Does it ssl mode for snowflake?
Does snowflake support ssl?
You can set a jdbc connection property ssl to on or off as seen here
That's what determines if the connection will be made via https or http, going by the implementation here
I tried it and it worked for me.
Note that if ssl is not set, the value is on by default.
I believe Snowflake only allows HTTPS to connect, and so it always uses TLS/SSL.
SSL encryption cannot be switched off when connecting to Snowflake. Full Stop.
There is no option in the JDBC or ODBC driver to disable (or enable) SSL. That is why this parameter is not mentioned on the documentation pages of Snowflake.
Generic
ODBC
Snowflake connections use SSL by default.
And using only HTTPS connections. Regardless whether it is a driver or the GUI.
That is also the reason that you do not need to add https:// to your server connection.
More on this can be found here.
The http-connections you might see Snowflake drivers make are to satisfy OCSP.
If you trying to test whether Snowflake supports un-encrypted connections and you get the information back that Snowflake does support unencrypted connections or does support TLS1.0 or TLS1.1 you have been testing your proxy-server settings and not snowflakecomputing.com or snowflake.com.
BTW : Currently only TLS1.2 is supported by Snowflake for HTTPS connections.

How to specify a local custom SSL truststore for Hornetq client when connecting via JNDI naming server

We have a java client (mule app) which is using hornetq client (v2.3.25.SP20) for connecting to the HornetQ remote server via the JNDI naming server (port 1099).
The connection is secured with SSL. The driver is requiring the javax.net.ssl.trustStore property to be set explicitly. Otherwise, it does not find the trust store.
We would like to specify a custom truststore for the session.
But setting a global property javax.net.ssl.trustStore may affect other applications. So, we are looking for the alternative.
I've coded a custom trust manager (X509TrustManager) which points to the custom truststore. But the issue is that it's used only for establishing connectivity with the JNDI server. Then, the actual connection object is taking the trust store location from the remote server (in case, of course, if javax.net.ssl.trustStore is not set).
The error HQ212007 is produced:
connector.create or connectorFactory.createConnector should never
throw an exception, implementation is badly behaved, but we will deal
with it anyway.
Unable to create NettyConnector for myserver:4447
Failed to find a store at remote server keystore location
Googling the error code, I've found very similar issue described with not solution provided here.
So, is there another way of specifying a path to a truststore for hornetq client when connectivng via JNDI, so, that it would not affect other applications running on the same VM system? Or, may be there is a way to disable the SSL certificate validation on the client side completely - this would work for us as well?
There are HornetQ-specific system properties to set SSL configuration parameters. Check out the documentation for HornetQ 2.4.0.
These properties were added after 2.3.0.Final but backported to the 2.3.x branch which is why they're available in 2.3.25.SP20 but aren't documented in the 2.3.0.Final docs.
In short, you can use these system properties instead of the global ones:
org.hornetq.ssl.keyStore
org.hornetq.ssl.keyStorePassword
org.hornetq.ssl.trustStore
org.hornetq.ssl.trustStorePassword

SSL implementation oracle apex

Can anyone tell me how to set up SSL / HTTPS on Oracle Apex?
I'm using Oracle Apex 5.0 and I want to be able to access my application via HTTPS.
Information on this is fairly widespread, but varies depending on your middle tier.
http://dgielis.blogspot.com/2016/05/please-use-https-for-your-apex-apps.html
https://www.skillbuilders.com/free-oracle-apex-tutorials/how-to-get-oracle-apex-ssl-web-services-working/
https://apex.oracle.com/pls/apex/germancommunities/apexcommunity/tipp/6121/index-en.html
http://davidghedini.blogspot.com/2009/02/https-for-oracle-application-express-on.html
http://krisrice.io/2018-05-09-ORDS-and-lets_encrypt/
If you are using a Glassfish Server as the Middleware you will have a HTTP Listener enabled. You can enable HTTPS for that with a simple checkmark. Just go to the webinterface and have a look at the Network Settings.
Then you'll only need to get a valid SSL Certificate, for example a Free one from Let's Encrypt.
If you are using Apache Tomcat as the middleware it's similar. You gotta change the Listener to a HTTPS one and include your certificate.

NxLogs to Fluentd/SSL?

I have a bunch of linux servers configured to push logs to another fluentd server using the fluent-secure-output plugin. Now I'd like to configure our windows servers using nxlogs.
I read a bit on the om_ssl nxlogs module, but I am puzzled about the shared key. Basically, fluentd's secure-output plugin requires a shared key to be identical everywhere for authentication (this is not tied to the certificates at all). But I can't see how I could specify this key in nxlog's om_ssl configuration.
Is this even supported at all? Is it possible to use nxlogs to forward to an ssl fluentd server?
It looks like they have their own authentication protocol over TLS that uses shared_keys (i.e. passphrase) on the client side instead of using private keys. I don't know why that is needed but NXLog and most other log aggregator solutions (rsyslog, syslog-ng, logstash, etc) use plain TLS which can provide proper authentication for both the client and the server.
The protocol is described in their GitHub README and I doubt it will work with NXLog's om_ssl or anything else other than Fluentd's out_secure_forward.
The Fluentd input/output plugin to forward fluentd messages over SSL with authentication, works only between the two plugin (which is actually the same one) using authentication by shared_key check from both of client(out_secure_forward) and server(in_secure_forward).
So unfortunately you can't sent it through your nxlog only through out_secure_forward.

SSL on Tomcat connection pool

I have done a lot of searches, but still can't find a solution.
In my projects, I'm using both Tomcat connection pooling and C3P0 connection pooling for postgresql. I rejected to use JDBC connection pooling because it's not suggested by postgresql officially.
Now I need to enable SSL/TLS on these pools. I thought this should be a pretty common need. I found examples on JDBC pooling, but not for tomcat or c3p0. I'm really wondering if tomcat and c3p0 poolings can configure SSL!
Does anyone have any resources on this topic that I can refer to?
SSL transport should be pretty much transparent to c3p0. just set up your postgres RDBMS to use SSL. the postgres JDBC driver supports SSL connections. if you are using a self-signed certificate though (rather than a certificate signed by one of the well-known certificate authorities), you'll have to either configure your JVM to recognize your self-signed certificate or the JDBC driver not to validate certificates.
You'll need to configure several postgres-specific JDBC Connection Properties. The easiest way to do this is by just appending the properties as standard URL-style params to your postgres-jdbc URL:
jdbc:postgresql://myhost.mydomain/mydb?ssl=true
Or (dangerously)
jdbc:postgresql://myhost.mydomain/mydb?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
Those should work if you are configuring user and password (as usual) via c3p0 configuration parameters. Alternatively, you can configure all of the Connection parameters in a Properties object. Here is how that would work for c3p0:
// obviously, imports should go where there should go
import java.util.Properties;
import com.mchange.v2.c3p0.ComboPooledDataSource;
// this is very close to the postgres docs
Properties props = new Properties();
props.setProperty("user", myUsername);
props.setProperties("password", myPassword);
props.setProperty("ssl","true");
props.setProperty("sslfactory","org.postgresql.ssl.NonValidatingFactory");
// this is c3p0-specific
ComboPooledDataSource cpds = new ComboPooledDataSource();
cpds.setJdbcUrl("jdbc:postgresql://myhost.mydomain/mydb");
cpds.setProperties( props );
// set any other properties you wish to override from values in config and/or defaults
The easiest way, I think, will be to just set jdbcUrl, user, and password in c3p0 config files and append ssl params to the end of your postgres jdbc URL.