How to connect Google Apps Script JDBC to Amazon RDS with SSL

Google launched support for SSL connections in the JDBC service. Google added three new connection parameters to support this feature: _serverSslCertificate, _clientSslCertificate, and _clientSslKey. The documentation is available here:
https://developers.google.com/apps-script/reference/jdbc/jdbc#getConnection(String,Object)
When a database in Amazon is created, we can add SSL support to it:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
As an example, if we create a MariaDB database, we just have to download the following certificate: rds-ca-2015-root.pem
And access the database with the following command:
mysql -h mymariadbinstance.abcd1234.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
And apply SSL to a specific user:
GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL
So, how can we connect with SSL to an Amazon database using the GAS JDBC API?

The question isn't entirely clear to me, but it looks like you are asking how you can pass the server cert while initiating the JDBC connection. The API has a _serverSslCertificate argument that should do just this.
https://developers.google.com/apps-script/reference/jdbc/jdbc#getConnection(String,Object)
Try it out and let us know if you still have issues.
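One way to pass the server certificate as the answer suggests, written as an added Apps Script example (not code from the original post or from Google). The database name, script-property names and the helpers buildSslInfo and connectWithSsl are assumptions; the three underscore-prefixed keys are the ones named in the question.

```javascript
// Added example for Google Apps Script (V8 runtime). The database name and
// the script-property names are hypothetical placeholders.
const RDS_URL = 'jdbc:mysql://mymariadbinstance.abcd1234.rds-us-east-1.amazonaws.com:3306/mydb';

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;
const PEM_KEY = /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/;

// Build the second argument of Jdbc.getConnection(url, info) and
// fail early on a missing or malformed PEM instead of at connect time.
function buildSslInfo(user, password, serverCaPem, clientCertPem, clientKeyPem) {
  if (!PEM_CERT.test(serverCaPem || '')) {
    throw new Error('server CA must be a PEM certificate');
  }
  if (PEM_KEY.test(serverCaPem)) {
    throw new Error('server CA must not contain a private key');
  }
  // A client certificate and its key are only meaningful as a pair.
  if (Boolean(clientCertPem) !== Boolean(clientKeyPem)) {
    throw new Error('client certificate and key must be supplied together');
  }
  const info = { user: user, password: password, _serverSslCertificate: serverCaPem };
  if (clientCertPem) {
    if (!PEM_CERT.test(clientCertPem) || !PEM_KEY.test(clientKeyPem)) {
      throw new Error('client certificate and key must be PEM');
    }
    info._clientSslCertificate = clientCertPem;
    info._clientSslKey = clientKeyPem;
  }
  return info;
}

// Runs only inside Apps Script, where Jdbc and PropertiesService are globals.
function connectWithSsl() {
  const props = PropertiesService.getScriptProperties();
  const info = buildSslInfo('encrypted_user', props.getProperty('DB_PASSWORD'),
                            props.getProperty('RDS_CA_PEM'));
  const conn = Jdbc.getConnection(RDS_URL, info);
  // Confirm the session is encrypted: an empty Ssl_cipher means plaintext.
  const rs = conn.createStatement().executeQuery("SHOW STATUS LIKE 'Ssl_cipher'");
  const cipher = rs.next() ? rs.getString(2) : '';
  if (!cipher) {
    conn.close();
    throw new Error('connection is not using SSL');
  }
  return conn;
}
```

Keeping the password and PEM text in script properties keeps them out of the script source; the Ssl_cipher check catches the case where the connection succeeds but is not encrypted.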

Related

Could anyone connect Cloud SQL with cloud sql proxy pod

I'm trying to set up a very basic wordpress setup as explained in this document: https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk
And cloud sql proxy is giving me certificate errors:
esonika@cloudshell:~ (esonika)$ k logs wordpress-8d7998ccd-xnfn9 -c cloudsql-proxy
2022/12/30 10:43:38 using credential file for authentication; email=cloudsql-proxy@esonika.iam.gserviceaccount.com
2022/12/30 10:43:38 Listening on 127.0.0.1:3306 for esonika:europe-west9:mysql-wordpress-instance
2022/12/30 10:43:38 Ready for new connections
2022/12/30 10:44:01 New connection for "esonika:europe-west9:mysql-wordpress-instance"
2022/12/30 10:44:02 couldn't connect to "esonika:europe-west9:mysql-wordpress-instance": x509: certificate is valid for 38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog, not esonika:mysql-wordpress-instance
I don't know why a certificate such as "38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog" is created and where.
Tried resetting ssl configurations and it didn't work.
Usually, if you don't explicitly set an SSL connection on your Cloud SQL instance, the communication with the database is in plain text.
EXCEPT when you create a tunnel with Cloud SQL proxy. This time, a secure connection is created, with encrypted data. The encryption is ensured by this automatically created, ephemeral certificate from the proxy.
Here is a doc which might help you in connecting to Cloud SQL from GKE using sidecar pods.
Thanks. The document doesn't list anything that I haven't tried. I think there is an internal issue with cloud_sql_proxy, that's why I decided to switch Cloud SQL to a private network only and wordpress pod is directly connecting to Cloud SQL private IP.
I was running into the same issue around the time you posted this question. I also reset SSL configuration on the DB like you did. My solution was upgrading from the version 1.11 to 1.33.2. It resolved all of the x509 errors. No clue why it suddenly stopped working.

How to make an ssl based tcp connection to memsql in Go

I'm trying to set up an ssl based tcp connection to memsql using Go.
The application/services are running as openshift pods and written in Go.
Can I have one-way authentication to memsql from the service?
Do I need to enable any port in memsql to listen for tls based ssl connection?
Apart from updating the DSN in my service to tls=true, what can be the alternative to customise this configuration?
Can someone suggest an efficient way to connect to memsql with ssl enabled?
I've followed the memsql documentation and inserted the certificates to memsql master and aggregator, as well as made the permission check enabled, but still I'm able to get into the memsql without giving the rootCertificate in the login.
Currently the connection is established by the following code:
db, err := sql.Open("mysql", DSN) and
DSN=root:@tcp(IPAddress:3306)/riodev?interpolateParams=true&parseTime=true
Can you clarify what your question is? The SSL authentication is one-way, the client verifies the server. The server verifies the client via their login information.
No, MemSQL uses the same port for SSL and non-SSL connections.
You may also need to configure the SSL certificate, as described in https://github.com/go-sql-driver/mysql#tls.
Most client libraries support connecting with SSL.
I've followed the memsql documentation and inserted the certificates to memsql master and aggregator, as well as made the permission check enabled, but still I'm able to get into the memsql without giving the rootCertificate in the login.
Is it possible the connection is already using SSL? It may be using SSL-preferred mode without verifying the certificate.

Does snowflake support ssl?

Hi, I want to have the ability to connect from the jdbc driver to snowflake with ssl. I did it many times with other dbs: just add ssl=true (sometimes other properties) in the connection url.
Unfortunately I didn't find this option in the snowflake documentation. I found that snowflake supports something like ssl; they call it Using Key Pair Authentication.
Is it ssl mode for snowflake?
Does snowflake support ssl?
You can set a jdbc connection property ssl to on or off as seen here
That's what determines if the connection will be made via https or http, going by the implementation here
I tried it and it worked for me.
Note that if ssl is not set, the value is on by default.
I believe Snowflake only allows HTTPS to connect, and so it always uses TLS/SSL.
SSL encryption cannot be switched off when connecting to Snowflake. Full Stop.
There is no option in the JDBC or ODBC driver to disable (or enable) SSL. That is why this parameter is not mentioned on the documentation pages of Snowflake.
Generic
ODBC
Snowflake connections use SSL by default.
And they use only HTTPS connections, regardless of whether it is a driver or the GUI.
That is also the reason that you do not need to add https:// to your server connection.
More on this can be found here.
The http-connections you might see Snowflake drivers make are to satisfy OCSP.
If you are trying to test whether Snowflake supports unencrypted connections and you get the information back that Snowflake does support unencrypted connections or does support TLS1.0 or TLS1.1, you have been testing your proxy-server settings and not snowflakecomputing.com or snowflake.com.
BTW: Currently only TLS1.2 is supported by Snowflake for HTTPS connections.

How to enable SSL on my db2cli command?

My database admin told me that a secure handshake of SSL credentials is required to connect to the DB2 server.
But they are not familiar with db2cli.exe.
So what is the simplest way to enable my db2cli command to initiate the connection with an SSL handshake?
db2cli is a utility that's included with the IBM DB2 Data Server Driver package. It's generally used for either validating entries in the db2dsdriver.cfg file or registering System ODBC DSNs on Windows machines. The db2dsdriver.cfg file is an XML file that actually contains all of the connection details for each database. db2cli can be used as a debugging utility to call CLI functions, but I can't imagine too many people are using it to type CLI function calls.
So, to enable SSL, you'd either need to modify the db2dsdriver.cfg file to add the appropriate SSL-related options (Security=ssl, SSLClientKeystoredb=/path/to/keystore, SSLClientKeystash=/path/to/keystash) for the particular database. You will also need to create the SSL client keystore/keystash and add your database server's SSL certificate to the keystore.
Alternatively, if you are defining your connections in the application you can specify these options in the DSN you pass to SQLDriverConnect():
"Database=sampledb; Protocol=tcpip; Hostname= myhost; Servicename=50001;
Security=ssl; SSLClientKeystoredb=/home/test1/keystore/clientstore.kdb;
SSLClientKeystash=/home/test1/keystore/clientstore.sth;"
This is documented here.

Gsutil - Installing and configuring on a remote server. How to automate it?

I have currently installed gsutil on a server to access my GCS buckets. I followed the instructions under the section 'How to convert gsutil to use OAuth 2.0' from https://cloud.google.com/storage/docs/gsutil_install
The intermediate steps in the instructions require that a URL is copy pasted in the browser to generate a code that you have to enter again on the terminal. You also need to enter proxy server details (if any).
I am looking for ways to automate this set up and configuration process for gsutil.
Any ideas/references/suggestions/comments are welcome.
Thanks.
Can you say more about what you're trying to do? Are you looking to create distinct credentials for each of a set of users, or are you trying to set up gsutil running on multiple machines all as part of an application that authenticates as that application to Google Cloud Storage?
For the former you need users to set up their own credentials. The web-based dialog for OK'ing the creation of OAuth2 credentials was designed to make it unlikely that a customer could grant long lasting credentials without being aware that they are doing so (for security reasons).
For the latter you should use a service account (see https://cloud.google.com/storage/docs/authentication#service_accounts). You create those credentials once and then deploy them on your production machines along with gsutil - which is a valid security approach because all instances of those machines are authenticating on behalf of an application, not distinct users.