Db2 Warehouse: How to connect using SSL with ibm data server driver - ssl

While trying to connect to Db2 Warehouse Local from clpplus as below, I get an error:
```
clpplus -nw db2inst1#WP
```
```
[jcc][t4][2030][11211][4.24.92] A communication error occurred during
operations on the connection's underlying socket, socket input stream,
or socket output stream. Error location: Reply.fill() -
socketInputStream.read (-1). Message:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target. ERRORCODE=-4499,
SQLSTATE=08001
```
My DB is SSL enabled and I have downloaded the IBM data server client on Mac and created db2dsdriver.cfg as below:
```
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001
db2cli writecfg add -dsn WP -database BLUDB -host db2inst1.zc.com -port 50001
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001 -parameter "SecurityTransportMode=SSL"
```
Generally, when connecting from DbVisualizer we use the below DB connection URL:
```
BLUDB:sslConnection=true;sslTrustStoreLocation=/Users/Documents/truststore/ibm-truststore.jks;sslTrustStorePassword=<>;
```
I even tried to create the file as below, but the same error persists:
```
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001
db2cli writecfg add -dsn WP -database BLUDB -host db2inst1.zc.com -port 50001
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001 -parameter "SecurityTransportMode=SSL"
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001 -parameter "sslTrustStoreLocation=/Users/Documents/truststore/ibm-truststore.jks"
db2cli writecfg add -database BLUDB -host db2inst1.zc.com -port 50001 -parameter "sslTrustStorePassword=<>"
```
Actually, I'm trying to connect to Db2 Warehouse using ibm_db in a Jupyter Notebook, but for this the DB has to be cataloged, and I'm unable to use the notebook because of this issue. Also, the Db2 client is not supported on Mac, hence I have to go with the data server client. So I need help in achieving this.

To not have everything in comments, let's start composing an answer.
If you want to connect to Db2 Warehouse using clpplus and using SSL, there were changes starting in one of the latest versions of Db2 Warehouse. You would need to set up an IBM data server driver configuration file like this:
```xml
<configuration>
  <dsncollection>
    <dsn alias="SSLAMPLE" name="SAMPLE" host="9.121.221.159" port="50001">
    </dsn>
  </dsncollection>
  <databases>
    <database name="SAMPLE" host="9.121.221.159" port="50001">
      <parameter name="SecurityTransportMode" value="SSL"/>
    </database>
  </databases>
</configuration>
```
The above configures an alias SSLAMPLE for the database SAMPLE. With clpplus you would then connect to SSLAMPLE.

Related

MQTT and SSL/TLS

I registered for an account on a mqtt server provider.
They provide 3 ports:
- port: 1xxxx
- ssl port: 2xxxx
- websockets (TLS only): 3xxxx
I am publishing and receiving data on port 1xxxx.
I would like to add encryption though. The mqtt server provider gives a "shared" subdomain but says:
If you want to use a custom domain for your instance you have to provide your own certificate to use with MQTT+TLS and Websockets. Certificates must be PEM encoded and the private key unencrypted. Certs are only stored on your dedicated instance. When certs are installed you can point your domain as a CNAME to hairdresser.cloudmqtt.com.
I added a CNAME in my domain panel, which I call mqtt.mydomain.com, and it resolves to the above subdomain.
In my domain panel I also added SSL from Let's Encrypt (free) to my subdomain mqtt.mydomain.com (which points to the MQTT server domain).
After adding the SSL I downloaded a zip file from the domain panel which contains 3 files:
```
mqtt.mydomain.com.ca
mqtt.mydomain.com.cert
mqtt.mydomain.com.key
```
I pasted the contents of the ca file into CA chain, the cert file into Certificate and the key file into Private key.
Saved everything and restarted the instance (MQTT server).
Then I tried from my computer:
```
mosquitto_pub -h "mqtt.mydomain.com" -p 1xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c
```
It works, but since it's port 1xxxx it's not SSL.
Trying the SSL port:
```
mosquitto_pub -h "mqtt.mydomain.com" -p 2xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c --cafile C:\Users\CT\Downloads\certs\mqtt.mydomain.com.ca
```
gives me this error on cmd:
```
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
```
I tried many different commands, like passing the cert file apart from the ca, and even the key file (which is probably wrong, I guess), and I am getting different errors in the server logs like:
```
OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Client connection from xx.xx.xx.xx failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
```

Redis 6 with TLS

I am trying to get Redis 6 (with TLS enabled during compilation; tests after compilation were successful) to work. I am using a Let's Encrypt certificate and the following configuration:
```
tls-port 63790
tls-cert-file /etc/letsencrypt/live/myserver.net/cert.pem
tls-key-file /etc/letsencrypt/live/myserver.net/privkey.pem
tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
```
and this client command from localhost:
```
redis-cli --tls --cert /etc/letsencrypt/live/myserver.net/cert.pem --key /etc/letsencrypt/live/myserver.net/privkey.pem --cacert /etc/letsencrypt/live/myserver.net/fullchain.pem -h myserver.net -p 63790 -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at myserver.net:63790: SSL_connect failed: certificate verify failed
```
This is the output from the Redis log:
```
Error accepting a client connection: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
```
When I use the openssl client with the same certificates, I am able to connect and get a ping reply from the Redis server.
It makes no difference if I change `tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/` to `tls-ca-cert` on the server side, or `--cacert /etc/letsencrypt/live/myserver.net/fullchain.pem` to chain.pem on the client side.
I tried all variants of `tls-protocols ""` and changed `tls-auth-clients no` to `tls-auth-clients optional`, but I am still stuck with the same error.
OpenSSL version is 1.1.1
Redis version is 6.0.8
OS: Ubuntu 20.04
Can you help me to find out reason why is TLS not working, please?
Thank you
Wil
Ahh, SOLVED!
I was using the wrong CA chain. I had to chain the root and intermediate certs downloaded from the LE website into a new file. It may come in handy for someone with the same problem.

How to make the TLS work in MQTT via port 8883?

I need help to configure this MQTT to work on TLS mode.
I have set up MQTT on the server. The server is protected by a Let's Encrypt certificate, that's why it has https in its domain; then I set it up also on a remote computer.
The server runs this command:
```
mosquitto_sub -h localhost -t 'testtopic' -p 1883
```
The remote computer runs this command:
```
mosquitto_pub -h domainName -t 'testtopic' -m "test message" -p 1883
```
The MQTT configuration on both computers is like this:
```
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
port 1883
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
allow_anonymous true
tls_version tlsv1.2
```
This one works. But how do I make the communication use TLS mode?
Can someone please let me know what the proper configuration is, and how to pass the parameters on both computers?
I have tried changing the port in the config to 8883.
On both computers I have tried passing --cafile, where the cafile is a .pem certificate which came from the server and was generated by Let's Encrypt. So I just copied that and pasted it on the remote computer.
Those are the things I have tried so far, but Wireshark cannot detect any TLS communication at all, and the connection is being refused or something is wrong with the CA file.
By setting allow anonymous true, anyone can publish to your broker without authentication.
TLS is not used directly in MQTT brokers, you need to configure MQTTS which uses TLS.
To use a secure MQTT connection, your Mosquitto configuration file, found in /etc/mosquitto/mosquitto.conf, needs to have the following lines:
```
listener 8883
cafile <path-to-cafile>
certfile <path-to-server-cert>
keyfile <path-to-server-key-file>
```
where <path-to-cafile>, <path-to-server-cert> and <path-to-server-key-file> need to be replaced by the absolute paths where your CA file, server certificate (i.e. your .pem file) and server key are found.
For example, in my case my mosquitto.conf looks like this:
```
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
listener 1883
protocol mqtt
listener 8883
cafile /etc/ssl/certs/broker/ca.pem
certfile /etc/ssl/certs/broker/server.pem
keyfile /etc/ssl/certs/broker/server-key.pem
tls_version tlsv1.2
```
Save this configuration and restart mosquitto with it.
You can test your TLS connection by running:
```
mosquitto_pub -t test -m test-message -p 8883 --cafile <path-to-your-ca-file> --insecure
```
In my case it is:
```
mosquitto_pub -t test -m test-message -p 8883 --cafile /etc/ssl/certs/broker/ca.pem --insecure
```
You need to use --insecure option because the certificates are all self-signed. Self-signed server certificates cannot be verified by the mosquitto client.
If you don't use the --insecure option, you'll get an error which says:
```
Error: host name verification failed.
OpenSSL Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
```
To set up authentication, create a text file with the content
```
<user>:<password>
```
where <user> is a placeholder for the username you want to allow and <password> is a placeholder for the password you want to set.
For example:
```
panda:black
```
will create a user called panda, and the password for the user panda will be black.
To hash the password, run the command
```
mosquitto_passwd -U <path-to-passwordfile>
```
The file will now have contents like this:
```
panda:$6$a2foLssTVgMG4QY6$3rWvoLqwo1uCz6jZH6KDK3yAcWtIFlATbOSbwx7XJx2Q5Mix2S+iRqWI7KDqp43nSDdPV7mMvnYJS6tgHb7QjA==
```
Now add these two lines to the mosquitto configuration file:
```
allow_anonymous false
password_file <path-to-passwordfile>
```
Restart/reload the mosquitto broker to have a fully authenticated MQTTS connection
To publish to the broker with username and password use:
```
mosquitto_pub -t test -m test-message -p 8883 --cafile <path-to-ca-file> -u panda -P black --insecure
```
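An added, runnable illustration of the trust-file problem behind the "unknown ca" / "certificate verify failed" errors in the Redis thread above and of the check that `--insecure` switches off in the mosquitto answer; it is not code from any of the posts. It builds a constructed root / intermediate / server chain with openssl (the names Demo Root, Demo Intermediate and myserver.net are assumed) and runs the same X509 path check the TLS clients and servers perform against each candidate CA file.

```shell
#!/bin/sh
# Added demo, not from the thread: build a throwaway root -> intermediate -> server chain
# with openssl, then verify the server cert against the different "CA files" people try.
# Names (Demo Root, Demo Intermediate, myserver.net) are constructed for this example.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.net\n' > "$WORK/leaf.ext"

# Root CA, self-signed (the role ISRG Root X1 plays for a Let's Encrypt certificate).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA, signed by the root (what Let's Encrypt ships as chain.pem).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# Server certificate, signed by the intermediate (cert.pem under /etc/letsencrypt/live/).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myserver.net" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null

# The candidate trust files from the threads above.
cp "$WORK/int.pem" "$WORK/chain.pem"                             # intermediate only
cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"   # leaf + intermediate
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root-and-int.pem"  # the fix from the Redis thread

# verify_server_cert CAFILE: succeeds only if server.pem chains up to a self-signed root
# present in CAFILE. This is the path check that fails inside redis-cli, mosquitto_pub,
# Redis and Mosquitto with "certificate verify failed" / "tlsv1 alert unknown ca";
# --insecure merely disables it on the client.
verify_server_cert() {
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# verify_reason CAFILE: the verifier's own one-line explanation, for comparing with logs.
verify_reason() {
    openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1 | grep 'depth lookup' | head -n 1
}

for f in server.pem chain.pem fullchain.pem root-and-int.pem; do
    if verify_server_cert "$WORK/$f"; then
        echo "$f: OK"
    else
        echo "$f: FAIL ($(verify_reason "$WORK/$f"))"
    fi
done
```

Run it with sh: only the file holding the self-signed root plus the intermediate verifies, which is why a leaf-only or intermediate-only CA file produces the errors quoted in the threads.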

Unable to connect to store when configuring kvstore via ssl

I tried creating an SSL configuration for my kvstore. I configured the store and created a user root, however whenever I try to connect to the store, I get the following error:
```
kv-> connect store -name OracleNoSqlSecurityTests -security /home/impadmin/oracle/client.txt
Error handling command connect store -name OracleNoSqlSecurityTests -security /home/impadmin/oracle/client.txt: Cannot connect to OracleNoSqlSecurityTests at localhost:5000
```
When I restart the kvstore server and try to create the user root again, I get the following:
```
kv-> plan create-user -name root -admin -wait
Enter the new password:
Re-enter the new password:
This command can't be used until the Admin is configured.
```
Any clue what is going on here ?
It seems that it is just a matter of a wrong port.
Have you tried without SSL? In case it helps, this is how I connect to kvstore:
```
java -jar $KVHOME/lib/kvstore.jar kvlite -root $KVROOT -host localhost &
java -jar $KVHOME/lib/kvstore.jar runadmin -port 5000 -host localhost
kv-> connect store -host localhost -port 5000 -name kvstore ;
```

Bind selenium to a specific IP - Possible?

Like many, we start the Selenium server via the following command:
```
java -jar selenium-server-standalone-2.21.0.jar
```
What we found is that this opens Selenium up on 0.0.0.0:4444:
```
Started SocketListener on 0.0.0.0:4444
[USER # BOX ~]# netstat -na | grep LISTEN | grep 4444
tcp 0 0 :::4444 :::* LISTEN
```
Is there any way to bind Selenium to a specific IP (localhost)?
Thanks.
Use the following command:
```
java -jar selenium-server-standalone-2.21.0.jar -host 192.168.1.100
```
where 192.168.1.100 is the IP address of the host.
This is not the correct way of handling this problem, but it's a way.
What this will do is just drop any connection on port 4444 from any outside source. You can test this as follows.
Start the server like this:
```
java -jar selenium-server-standalone-2.39.0.jar -host 127.0.0.1 -port 4444
```
Verify everything is working by opening
```
http://yourexternalip:4444/wd/hub/
```
The page will load if your server is running properly.
Dispatch the commands:
```
sudo iptables -A INPUT -p tcp --dport 4444 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 4444 -j DROP
```
Then reload the page. The web page will no longer be accessible (because you are accessing it from an external IP).
Your new accessible URL is now
```
http://127.0.0.1:4444/wd/hub/
```
which should be working.
Again, this is more of a band-aid for a greater problem, but doing this will not force you to change any source code while still keeping a secure system.
This will be possible by adding the "-host 192.168.1.100" parameter, provided you have this fix in your version:
https://code.google.com/p/selenium/source/detail?r=71c5e231f442
(That fix isn't included in the available binaries at the time of writing so you will have to build your own from source.)
I was also facing the same problem with the Hub. My Hub was pointing to some other IP address when I tried to bring the hub up, but when I checked my IP address it was different on my local system. To overcome the problem I just tried the following command and it works:
```
java -jar selenium-server-standalone-3.12.0.jar -host 192.XXX.X.XX -role hub
```
And my hub was registered to my local machine's IP address.
You could run `java -jar selenium-server-standalone-2.21.0.jar` on a remote machine
and then in your Selenium scripts define your webdriver to run remotely.
In Ruby you could do it this way:
```ruby
require 'selenium-webdriver'

# Drive a browser on the remote Selenium server instead of a local one;
# :firefox selects the default Firefox capabilities on that server.
driver = Selenium::WebDriver.for(:remote, :url => "http://specific_ip_of_remotemachine:4444", :desired_capabilities => :firefox)
```
Is this what you are looking for?