How to successfully connect to a Kerberos-authenticated mongod instance from a Java application? I'm getting an exception initializing GSSAPI credentials - mongodb

I've started a mongod instance in Kerberos auth mode. I'm able to connect from the mongo shell. While connecting from a Java application, I get the following exception:
Key for the principal mongodb/****#**** not available in ***.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
My gss-jaas.conf is:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="mongodb/***#***"
doNotPrompt=true
keyTab="D:\***.keytab"
debug=true;
};
I've used ktutil and executed the following commands to write the principal to the keytab file. Can anyone help me find out what's going wrong?
ktutil: add_entry -password -p mongodb/***#*** -k 1 -e des-cbc-md4
Password for mongodb/***#***:
ktutil: wkt /tmp/***.keytab
ktutil: quit
I've entered the password and also tried skipping it with Enter. In both cases I'm getting the above exception. I've used the following system properties in the Java application:
System.setProperty("java.security.krb5.conf","D:\\krb5.conf");
System.setProperty("java.security.auth.login.config","D:\\gss-jaas.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
System.setProperty("java.security.krb5.realm","****");
System.setProperty("java.security.krb5.kdc","*****");
kerberosCredential = MongoCredential.createGSSAPICredential(userName);
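The message "Key for the principal ... not available in ...keytab" is what Krb5LoginModule reports when it finds no usable key for the configured principal in the keytab, and with doNotPrompt=true it then fails with "Unable to obtain password from user". The following added diagnostic (not part of the question) isolates that step from the MongoDB driver: it checks whether the keytab holds a key Java will accept for exactly that principal, then runs the same JAAS login entry on its own. The principal, keytab path and config paths are placeholders in the standard service/host@REALM form.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLoginCheck {
    public static void main(String[] args) {
        // Placeholders: use the same values as the application's gss-jaas.conf.
        String principalName = "mongodb/host.example.com@EXAMPLE.COM";
        File keytabFile = new File("D:\\example.keytab");
        System.setProperty("java.security.krb5.conf", "D:\\krb5.conf");
        System.setProperty("java.security.auth.login.config", "D:\\gss-jaas.conf");
        System.setProperty("sun.security.krb5.debug", "true");

        // Check 1: does the keytab contain a usable key for exactly this principal?
        // getKeys() returns only entries whose principal (name and realm) matches and
        // whose enctype Java currently allows, so a DES-only keytab (des-cbc-md4 as in
        // the ktutil command above) yields no keys unless allow_weak_crypto = true
        // is set under [libdefaults] in krb5.conf.
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        KerberosKey[] keys = KeyTab.getInstance(principal, keytabFile).getKeys(principal);
        if (keys.length == 0) {
            System.out.println("No usable key for " + principalName + " in " + keytabFile);
            return;
        }
        for (KerberosKey k : keys) {
            System.out.println("keytab entry: enctype=" + k.getKeyType()
                    + " kvno=" + k.getVersionNumber());
        }

        // Check 2: run the JAAS login by itself, with no MongoDB driver involved.
        try {
            LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
            lc.login();
            Subject subject = lc.getSubject();
            System.out.println("login OK, principals: " + subject.getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            System.out.println("JAAS login failed: " + e.getMessage());
        }
    }
}
```

If check 1 already prints no keys, the problem is the principal name, realm or enctype written by ktutil rather than the driver; if check 1 passes but check 2 fails, the sun.security.krb5.debug output shows which KDC exchange broke.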


IntelliJ Database explorer won't work with localhost Mongo 4.4.3

I'm up-the-middle MongoDB with authentication localhost. I have the mongod configured to bind a specific user to a specific database and from the mongo shell and my Java programs, everything works great. When I log in as that user I can do all the mongo stuff on the mongo db I bound that user to.
$ mongo -u totallyLegitUser --authenticationDatabase admin
MongoDB shell version v4.4.3
Enter password:
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("2ba7a3f6-2ca1-49b7-8241-8133ceb3d842") }
MongoDB server version: 4.4.3
> use mfg-plan;
switched to db mfg-plan
> show collections;
activity
...
When I try to set up the same user through IntelliJ's "Database" thing, the "Test Connection" says everything is fine, but I can't run any queries through the console and the "explorer" drop down thing doesn't show collections I know are in the database.
This is what shows up when I look in the console after I've tried to run db.activity.findOne(); from the CLI session...
com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-256, userName='totallyLegitUser', source='mfg-plan', password=<hidden>, mechanismProperties=<hidden>} com.mongodb.MongoCommandException: Command failed with error 17 (ProtocolError): 'Attempt to switch database target during SASL authentication.' on server localhost:27017. The full response is {"ok": 0.0, "errmsg": "Attempt to switch database target during SASL authentication.", "code": 17, "codeName": "ProtocolError"}
I have confirmed that the username, password, and database are all correct.
How do I get IntelliJ to connect to my authenticating mongos?
Problem solved. In the "Data Sources and Drivers" dialog for my mongo hosts it asks for a Database. I was giving it the database I wanted to connect to on the host (mfg-plan). What it wants is the authenticationDatabase for the host (usually 'admin'). When I change that to 'admin', all is well.
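The same distinction in the Java driver, as an added example that is not part of the question or answer: the credential's source is the authentication database (admin, the shell's --authenticationDatabase), while the collections live in mfg-plan; the exception above shows source='mfg-plan', i.e. the two were swapped. Assumes mongodb-driver-sync 4.x and a MONGO_PASSWORD environment variable.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

public class AuthSourceExample {
    // Authentication database: where the user was created.
    static final String AUTH_DB = "admin";
    // Application database: where the collections live.
    static final String DATA_DB = "mfg-plan";

    public static void main(String[] args) {
        // Password read from the environment rather than hard-coded (assumed variable name).
        char[] password = System.getenv("MONGO_PASSWORD").toCharArray();

        // Wrong: source set to the data database, which yields the
        // "MongoCredential{... source='mfg-plan' ...}" seen in the exception above.
        // MongoCredential wrong =
        //     MongoCredential.createScramSha256Credential("totallyLegitUser", DATA_DB, password);

        // Right: source is the authentication database.
        MongoCredential cred =
                MongoCredential.createScramSha256Credential("totallyLegitUser", AUTH_DB, password);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString("mongodb://localhost:27017"))
                .credential(cred)
                .build();
        try (MongoClient client = MongoClients.create(settings)) {
            // Authenticated against admin, reading from mfg-plan.
            Document first = client.getDatabase(DATA_DB).getCollection("activity").find().first();
            System.out.println(first);
        }
        // URI equivalent: mongodb://totallyLegitUser:<password>@localhost:27017/mfg-plan?authSource=admin
    }
}
```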

Adding a user to Artemis fails

Need some assistance on adding a new user and role to ActiveMQ Artemis. Version is 2.16.
After updating ActiveMQ Artemis from 2.9.0 and 2.10.1 to 2.16 we fail to add new users. Perhaps there has been an updated security protocol or usage thereof?
We use the PropertiesLoginModule.
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule requisite
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
Usually we do this to add a new user:
./artemis user add --user newUser --password newPassword --role Apps,newUser
But after upgrading to 2.16 we get follow-up questions in the CLI:
--user-command-user
--user-command-password
I have tried adding the admin username/password on those, but still the same exception.
I get the following Security Exception:
Connection failed::AMQ229031: Unable to validate user from /<IPAddress>:48000. Username: newUser; SSL certificate subject DN: unavailable
Exception in thread "main" ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /<IPAddress>:48002. Username: newUser; SSL certificate subject DN: unavailable]
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:540)
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:434)
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:300)
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:249)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionChannel(ClientSessionFactoryImpl.java:1401)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:705)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSession(ClientSessionFactoryImpl.java:316)
at org.apache.activemq.artemis.cli.commands.AbstractAction.performCoreManagement(AbstractAction.java:36)
at org.apache.activemq.artemis.cli.commands.user.AddUser.add(AddUser.java:52)
at org.apache.activemq.artemis.cli.commands.user.AddUser.execute(AddUser.java:42)
at org.apache.activemq.artemis.cli.Artemis.internalExecute(Artemis.java:153)
at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:101)
at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:128)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.activemq.artemis.boot.Artemis.execute(Artemis.java:134)
at org.apache.activemq.artemis.boot.Artemis.main(Artemis.java:50)
Any ideas on how to fix this?
In the Security section of the manual I cannot find any hints.
https://activemq.apache.org/components/artemis/documentation/latest/security.html
Since ActiveMQ Artemis 2.16 it is no longer possible to use the artemis user commands when the broker is offline, and the parameters of the artemis user commands changed, i.e.: ./artemis user add --user-command-user guest --user-command-password guest --role admin --user admin --password admin
The --user and --password parameters are used to connect to the broker and the --user-command-user and --user-command-password parameters are used to add a new user.
You can find further details under "Upgrading from older versions".

Why can't pgAdmin III connect to Postgres?

I added a new user to PostgreSQL (amanda) which is the same as my Linux system user. At the console, I can open psql just fine -- I don't need a password because I'm already authenticated as amanda. When I try to set up pgAdmin III without a password, I get:
An error has occurred:
01:18:47 PM: Error: Error connecting to the server: fe_sendauth: no password supplied
And if I provide my system password, I get a password error:
An error has occurred:
01:15:30 PM: Error: Error connecting to the server: FATAL: password authentication failed for user "amanda"
FATAL: password authentication failed for user "amanda"
How do I get pgAdmin3 talking to postgres as amanda?
Not a real solution but rather a workaround:
Connect from the command line and update your password like this:
ALTER USER amanda WITH PASSWORD 'your_new_password';

How to configure SASL enabled memcached username and password on mac

I installed memcached version 1.4.34 on my Mac using Homebrew. I wanted to configure a username and password to enable SASL support when interacting with memcache. Can you point me in the right direction for this?
I ran the command below to install memcache on the Mac.
brew install memcached --enable-sasl-pwdb
The above command installed memcache with SASL support.
echo "mech_list: plain" > memcached.conf
echo "myuser:mypass" > /tmp/memcached-sasl-db
export MEMCACHED_SASL_PWDB=/tmp/memcached-sasl-db
export SASL_CONF_PATH=`pwd`/memcached.conf
memcached -u myuser -m 1024 -p 8010 -S -B binary -vvv
Initialized SASL.
Now when I connect via the memcache client it says "Password verification failed" on the terminal.
mech: ``PLAIN'' with 15 bytes of data
INFO: User <myuser#mylocal-macbook.local> failed to authenticate
SASL (severity 2): Password verification failed
sasl result code: -20
Unknown sasl response: -20
Here's the Java code I'm using:
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.List;
import net.spy.memcached.AddrUtil;
import net.spy.memcached.ConnectionFactory;
import net.spy.memcached.ConnectionFactoryBuilder;
import net.spy.memcached.MemcachedClient;
import net.spy.memcached.auth.AuthDescriptor;
import net.spy.memcached.auth.PlainCallbackHandler;

public class MemcacheTest {
    public static void main(String[] args) {
        System.setProperty("net.spy.memcached.auth.AuthThreshold", "10");
        // SASL PLAIN credentials sent to the server
        AuthDescriptor ad = new AuthDescriptor(new String[] { "PLAIN" },
                new PlainCallbackHandler("myuser", "mypass"));
        // Binary protocol is required for SASL authentication
        ConnectionFactory connFactory = new ConnectionFactoryBuilder()
                .setProtocol(ConnectionFactoryBuilder.Protocol.BINARY)
                .setAuthWaitTime(10000)
                .setOpTimeout(10000)
                .setShouldOptimize(true)
                .setAuthDescriptor(ad).build();
        List<InetSocketAddress> servers = AddrUtil.getAddresses("localhost:8010");
        MemcachedClient cacheClient = null;
        try {
            cacheClient = new MemcachedClient(connFactory, servers);
            cacheClient.set("foo", 50000, "bar");
            System.out.println("Value: " + cacheClient.get("foo"));
        } catch (IOException iox) {
            iox.printStackTrace();
        } finally {
            if (cacheClient != null) {
                cacheClient.shutdown();
            }
        }
    }
}
Here are my IntelliJ logs:
2017-02-23 15:19:04.223 INFO net.spy.memcached.MemcachedConnection: Reconnection due to exception handling a memcached operation on {QA sa=localhost/127.0.0.1:11211, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=1}. This may be due to an authentication failure.
OperationException: SERVER: Auth failure.
at net.spy.memcached.protocol.BaseOperationImpl.handleError(BaseOperationImpl.java:192)
at net.spy.memcached.protocol.binary.OperationImpl.finishedPayload(OperationImpl.java:204)
at net.spy.memcached.protocol.binary.SASLBaseOperationImpl.finishedPayload(SASLBaseOperationImpl.java:98)
at net.spy.memcached.protocol.binary.OperationImpl.readPayloadFromBuffer(OperationImpl.java:196)
at net.spy.memcached.protocol.binary.OperationImpl.readFromBuffer(OperationImpl.java:139)
at net.spy.memcached.MemcachedConnection.readBufferAndLogMetrics(MemcachedConnection.java:861)
at net.spy.memcached.MemcachedConnection.handleReads(MemcachedConnection.java:840)
at net.spy.memcached.MemcachedConnection.handleReadsAndWrites(MemcachedConnection.java:720)
at net.spy.memcached.MemcachedConnection.handleIO(MemcachedConnection.java:683)
at net.spy.memcached.MemcachedConnection.handleIO(MemcachedConnection.java:436)
at net.spy.memcached.MemcachedConnection.run(MemcachedConnection.java:1446)
Yay! I got the issue. The Couchbase client automatically adds the hostname at the end of the username. In my case I set the username as myuser:mypassword, but when I pass myuser in my Java code, the memcache client passes that information as myuser#mylocalhost-mac, and that's where the mismatch was happening. To solve that I added the complete username with the local host to the SASL db.
Instead of the line below
echo "myuser:mypass" > /tmp/memcached-sasl-db
I replaced it with
echo "myuser#mylocalhostMacBook-Pro-2.local:mypass" > /tmp/memcached-sasl-db
Now in the Java client I just pass myuser and the client adds the hostname automatically.

wso2 client-checkin restore

I am using WSO2 Governance Registry v 4.6.0 and am trying to migrate the structure I have in an H2 backed test instance to a Postgres backed production instance (separate VMs for the Web server and database) using client-checkin.
I have successfully checked out the registry from the H2 instance but I am struggling to check it in to the Postgres system.
On the test instance I ran
./checkin-client.sh co https://localhost:9443/registry -u admin -p admin -f /../../../registry_checkout/registry.dump
to create the dump.
On the production system I executed
./checkin-client.sh ci https://arc-gov:9443/registry -u admin -p admin -f /../registry.dump
and get the error below. (And yes, I know the password is the same; it will change when I get it to work!) The URL here is that of the WSO2 web server, not the Postgres database.
Any help would be much appreciated.
[2014-10-09 10:34:05,672] ERROR - Error in restoring the path. Make sure the registry is up and running Or the username, password is correct! and check the user have the WRITE permission to the path.
path: /
registry url: https://arc-gov:9443/registry
username: admin {org.wso2.registry.checkin.Client}
org.wso2.carbon.registry.synchronization.SynchronizationException: message code: ERROR_IN_RESTORING, parameters: {path: /, registry url: https://arc-gov:9443/registry, username: admin
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.restoreFromFile(CheckInCommand.java:207)
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.execute(CheckInCommand.java:164)
at org.wso2.registry.checkin.Checkin.execute(Checkin.java:70)
at org.wso2.registry.checkin.Checkin.execute(Checkin.java:56)
at org.wso2.registry.checkin.Client.execute(Client.java:272)
at org.wso2.registry.checkin.Client.start(Client.java:67)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.wso2.carbon.bootstrap.Bootstrap.loadClass(Bootstrap.java:63)
at org.wso2.carbon.bootstrap.CheckinClientBootstrap.main(CheckinClientBootstrap.java:36)
Caused by: org.wso2.carbon.registry.core.exceptions.RegistryException: Restoring to / failed.
at org.wso2.carbon.registry.app.RemoteRegistry.restore(RemoteRegistry.java:1725)
at org.wso2.carbon.registry.app.RemoteRegistry.restore(RemoteRegistry.java:1665)
at org.wso2.carbon.registry.synchronization.operation.CheckInCommand.restoreFromFile(CheckInCommand.java:198)
... 11 more
WSO2 Governance Registry does not support check-out/check-in from top-level collection paths [1] (i.e. /_system/governance/ and /_system/config/).
Instead we recommend that you check-out check-in from child collection paths.
There seems to be an issue with dumping remote registry path collections on Greg 4.6.0. [2]
You can also find the fix attached to [2].
[1] https://docs.wso2.com/display/Governance460/Check-in+Client+Examples
[2] https://wso2.org/jira/browse/REGISTRY-2044