I have 2 systems. system A and system B and both are DB2 servers. I want to be able to access system B database from system A. Both have a database called TESTDB. I am trying to run the following command to create a server.
CREATE WRAPPER "drdawrapper"
LIBRARY 'libdb2drda.so'
OPTIONS (DB2_FENCED 'Y'
);
db2 "CREATE SERVER "PRD_SERVER_SSL_FLEX" TYPE DB2/UDB VERSION '11' WRAPPER "drdawrapper" AUTHORIZATION "xyz" PASSWORD "xyz" OPTIONS (DB2_CONCAT_NULL_NULL 'Y',DB2_VARCHAR_BLANKPADDED_COMPARISON 'Y',DBNAME 'TESTDB',HOST '169.62.253.230',NO_EMPTY_STRING 'N',PORT '50001',SECURITY 'SSL',STRING_UNITS 'S');"
But I keep getting:
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL1101N Remote database "TESTDB" on node "<unknown>" could not be accessed
with the specified authorization id and password. SQLSTATE=08004
Node directory:
db2 list node directory
Node Directory
Number of entries in the directory = 1
Node 1 entry:
Node name = TESTNODE
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = 123.21.23.12
Service name = 50001
The credentials are correct. I am not sure what node is it looking for. Any pointers?
Your question is more about configuration than programming.
As you appear to be encrypting the federated connection it can be wise to first verify that the encrypted connection works at the command-line, separately from federation. This irons out a lot of the detail and is easier to troubleshoot. After you get that working, you can then begin on encrypting the federated connection.
Please follow the detailed instructions here (choose the correct Db2-version):
You have to know in advance which kind of SSL/TLS trust verification you want (i.e. either single cert (client trusts the server - simplest and easiest), or multiple certs (both sides trust the other - more setup, arguably more secure), because this determines the configuration.
Ensure both of your Db2 instances and databases are properly configured for SSL.
Catalog the remote-node locally with security SSL (db2 catalog tcpip node ... remote ... server ...security ssl)
Catalog the remote-database locally on the new node name (db2 catalog database ... at node ...) followed by db2 terminate .
Verify a command-line connect to the remote database using the federated credentials, using the configured db2dsdriver.cfg if using SSLSERVERCERTIFICATE method, or using the keystore/stash configuration ( db2 connect to remotedb user ... using ... ). Use the same userid/password that you will use later in the create server command.
Once that command-line connect works, you can proceed with the encrypted federation link, via db2 create wrapper... and db2 create server....
There's no need to use quotes around the wrapper name, just let it fold, otherwise quotes are just annoying redundant noise, although it is not a mistake.
Inside the script for create server command options instead of AUTHORIZATION "xyz" PASSWORD "xyz" use AUTHORIZATION \"xyz\" PASSWORD \"xyz\" (i.e. escape the quotes).
For one-sided trust, use SSL_SERVERCERTIFICATE in the create server options clause and ensure the value is accurate (fully qualified path to the remote-db2instance-certificate-file), and that the file/directory permissions are valid.
For mutual trusts, use both SSL_KEYSTORE and SSL_KEYSTASH keywords with correct values, in the create server options clause (having previously ensured your keystores are properly populated, as verified by a command-line connect above).
You may also want to consider create user mapping depending on the requirements.
Finally you can create your nicknames, and test out the federated link by querying those nicknames.
Related
I'm starting to use Postgres as a database in my application, and I need to configure an agent that serves as a build server as part of the build we are running unit tests.
I need to configure the agent and I'm having trouble as the agent name is different for each machine, and there is a configuration in Postgres that needs to be applied when using windows authentication in the pg_hba.conf and pg_indent.conf.
In the pg_indent.conf I need to use a system user, and I have one, but in the following syntax user#comutername:
# MAPNAME SYSTEM-USERNAME PG-USERNAME
MapForSSPI user#computername postgres
The issue is when the agent is starting (we have a dynamic pool) the name of the computer is different, and I want to avoid using the computer name, and use something like user#localhost or the equivalent in Postgres.
How I can achieve that?
You can use wildcards in pg_ident.conf:
MapForSSPI /^user# postgres
That will match everything that starts with user#. If the “system user name” starts with a /, the rest of the string will be treated as a regular expression.
Please promise me that you will not allow your application to connect as a superuser, that is an unnecessary risk.
I'm trying to connect to a Google Cloud SQL instance using dblink, which works well when setting up my username and password in the connection string, but I would like to save my Client credentials in the SQL instance not to have the need to explicitly put my password in the connection.
The .pgpass file which will used is the one that belongs to the OS user which is running the local database ('~/postgres/.pgpass', in most cases). And then for security reasons, it works only if you are locally a superuser. Can you meet those criteria?
but I would like to save my Client credentials in the SQL instance
What does "SQL instance" mean? I would not think that .pgpass would count as being inside the SQL instance.
An alternative solution is create a foreign server with "postgres_fdw". This doesn't seem to be documented (edit: it is documented here, but uses dblink_fdw not postgresql_fdw), but you can pass the name of a "postgres_fdw" foreign server (in single quotes) to dblink functions as the connection string. It will then pull the password to be used from the USER MAPPING for that server and user. I would think the USER MAPPING counts as inside the "SQL instance".
I need to use MySQL to send queries to a Google Cloud SQL database set up. I already have an instance created and a user, and I am able to access the database through the Cloud Shell. I can't seem to find the credentials to log into the database (host name, username, password, port and socket), and I'm not sure how to access them through the shell.
You can find the available methods to connect to your Cloud SQL instance here.
Connecting from an IP address without SSL is probably the easiest one:
In the Cloud Console, go to the cloud SQL instances screen and click on your instance’s name.
In the overview tab, take note of the Primary IP Address, you’ll use it instead of a hostname.
In the users tab, you can create a new user or reset the password of an existente one, including the root user.
In the authorization tab, add the ip or ip range where you are attempting the connection from, so Cloud SQL accept connections from your client (more on this here).
Start your mysql client as follows (note the port is not necessary as the default one is used):
mysql --host=[INSTANCE_IP_ADDR] --user=[USER_NAME] --password
I cannot add a connection in oracle SQL developer installed.
The error I am getting is:
IO Error :The network adapter could not establish connection.
Also can anyone help me as to what user name and password it is asking?
Is there anything else I need to install.
SQL Developer is a tool which enables you to connect to the database - let's presume an Oracle one. Did you install it? If not, is there any available on the network? If not, you'll have to do that first (i.e. install a database - 11g Express Edition might be your choice, download it here), and then let SQL Developer connect to it.
As of username and password you'd use: database owner is SYS, but - you shouldn't use it for coding training - you'd rather create a new user, or unlock one of pre-installed; unless I'm wrong, 11gXE contains the HR schema (Human Resources). In order to unlock it, establish a connection to the previously mentioned SYS user (remember which password you choose for it during the installation process) and choose the SYSDBA role. Then unlock the HR user and modify its password by issuing the following statements:
alter user hr account unlock;
alter user hr identified by hr;
Now create a new connection to HR user (this time choose the "default" role); you should be able to see its tables, run queries, etc.
Make sure your oracle database is up and running.. if you are using docker you need to restart the oracle docker image in this case.
I had similar issue then i tried to restart the oracle using
docker-compose -f docker-image-oracle.yml -d up (in this case you might have a diff name).
or you can start docker image directly from cmd .
Make sure that your hostname, listener port, sid/service name, username/password are correct.
You can use lsnrctl status to get the port number.
There are four things that come to my mind:
Is your Oracle Database installed and running? If not, install it and make sure it works.
Have you entered the correct username and password? Have you entered the correct hostname and/ or port number? If hostname and port number are wrong, check the listener.ora file (if you have the permission). Alternatively, you can look into the tnsnames.ora file.
Maybe your listener is not working after all. With the command "C:> lsnrctl status" (on cmd), you can check, if the listener works. If it doesn't, run the command "C:> lsnrctl start".
Are you using the right URL?
The following link may help you:
https://community.oracle.com/tech/welcome/discussion/2547624/io-error-the-network-adapter-could-not-establish-the-connection
I want to add a new Informix sever entry into sqlhosts, but I'm not quite sure how it will impact the existing connection.
Currently sqlhosts contains only one server entry...
dbserver onsoctcp 111.111.111.20 7101
The database handle is created within an existing perl module (db is a database on the server)...
my $dsn = "DBI:Informix:db";
my $dbh = DBI->connect($dsn,"user","password");
Notice that "dbserver" is never referenced.
I want to add a test server to sqlhosts. Something like this...
dbserver onsoctcp 111.111.111.20 7101
dbserver_test onsoctcp 111.111.111.21 7101
With only one entry in sqlhosts, everything has been working fine. But my connection never references the server name in sqlhosts.
So, my question(s)...
Does Informix just try to use the only one available?
Will adding a second server entry in sqlhosts force me to include the server name in the connection string?
Thanks!
Informix client uses environment variables to resolve hosts and other configuration; check that INFORMIXDIR is set to the path where Informix CSDK is installed (I assume it is), and set INFORMIXSERVER to point to the new entry in sqlhosts. See this article in IBM knowledge base.
Alternatively, use db#server data source format:
my $dbh = DBI->connect("DBI:Informix:db#server", "user", "password");
Maybe it is a permissions issue? From the documentation:
Note that you might also be able to connect to other databases not
listed by DBI->data_sources using other notations to identify the
database. For example, you can connect to "dbase#server" if "server"
appears in the sqlhosts file and the database "dbase" exists on the
server and the server is up and you have permission to use both the
server and the database on the server and so on. Also, you might not
be able to connect to every one of the databases listed if you have
not been given at least connect permission on the database. However,
the databases listed by the DBI->data_sources method certainly exist,
and it is legitimate to try connecting to those sources.
http://search.cpan.org/~johnl/DBD-Informix-2013.0521/Informix.pm