Connecting Corda Node to PostgreSql through Kerberos config - kerberos

How do we connect to PostgreSql through Kerberos?
I tried to connect by
1. adding the Kerberos module in the drivers folder,
2. then adding jaasApplication and kerberosServerName to the DB URL,
3. and providing the cfg file via the command-line parameter java.security.auth.login.config=
But while starting the Corda node it throws an error with the message:
no valid credentials provided.. Mechanism Level: Failed to find kerberos tgt
However, the same works with a simple Java program.

Kerberos is a product unrelated to R3; as of now there is no demo integration between Kerberos and Corda.
Hence there is no documentation around this on docs.corda.net. However, we are exploring its potential in our research.

Related

Kinit authentication does not create klist ticket

I've been trying to connect to a HDFS server protected by Kerberos for days.
I already have Kerberos for Windows installed here, and it shows me the valid/active ticket.
But when I run 'klist' at the prompt, I see no tickets.
If I run kinit at the prompt, it asks for my password and returns 'Authenticated to Kerberos v5', but still does not show me any klist ticket.
If I create a new ticket, using the prompt or the Kerberos GUI, it comes back showing me an active/valid ticket, but klist still does not.
I am trying to connect to HDFS using KerberosClient, but as I connect, somehow it does not "see" my active ticket (just like klist), so I get a connection denial.
I've set up the KRB5_CONFIG and KRB5CCNAME system variables to the folder exposed above.
What am I doing wrong?
Your system has two Kerberos libraries (MIT KfW & Windows SSPI) and two different klist tools:
- the Windows klist.exe, which only shows the Windows LSA in-memory ticket cache that will be used by "Windows native" SSPI-based applications;
- the MIT Kerberos klist.exe, which shows the file-based $KRB5CCNAME ticket cache that will be used by MIT "gssapi32.dll" GSSAPI-based applications.
(And sometimes also the Java JRE klist.exe!)
If your HDFS client uses $KRB5CCNAME (e.g. if it uses GSSAPI via gssapi32.dll), then you need to run the MIT KfW klist.exe specifically. Use where.exe kinit to find out where it's located, then run it by full path.
On the other hand, if your HDFS client uses SSPI, then MIT KfW won't help you much – it can access tickets in the "MSLSA:" cache, but as far as I know it cannot put new tickets there. (It is possible to easily make SSPI acquire tickets for non-AD Kerberos services, but that's a different topic.)
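The check the answer recommends, written out as an added example (this is not code from the original post): classify the cache named by KRB5CCNAME, since MIT tools and the Windows SSPI look in different places, and walk a Windows-style PATH the way `where.exe klist` does so every klist.exe / kinit.exe is listed with a guess at which implementation it belongs to. The directory-based labels are heuristics, and the PATH and file set in `main()` are constructed sample data rather than a real machine.

```python
"""Diagnostic for the two-klist situation: which ticket cache, which tool."""
import ntpath
from typing import Callable, Iterable, Optional

# Cache-name prefixes understood by MIT Kerberos for Windows and who can use them.
CACHE_TYPES = {
    "MSLSA": "Windows LSA cache (SSPI apps); MIT klist can read it, MIT kinit cannot fill it",
    "FILE": "MIT file cache; inspect with the MIT KfW klist.exe, not Windows\\System32\\klist.exe",
    "API": "MIT KfW credential-cache API cache; inspect with the MIT KfW klist.exe",
}


def classify_ccache(krb5ccname: Optional[str]) -> tuple:
    """Map a KRB5CCNAME value to (cache type, which tool can see it)."""
    if not krb5ccname:
        return "DEFAULT", "KRB5CCNAME unset; MIT tools fall back to the library default cache"
    prefix, sep, _ = krb5ccname.partition(":")
    if sep and prefix.upper() in CACHE_TYPES:
        return prefix.upper(), CACHE_TYPES[prefix.upper()]
    # "C:\temp\krb5cc": the text before the colon is a drive letter, not a
    # cache type, so this is still a FILE cache.
    return "FILE", CACHE_TYPES["FILE"]


def find_tools(path_value: str, exists: Callable[[str], bool],
               names: Iterable[str] = ("klist.exe", "kinit.exe")) -> list:
    """Return every matching executable on a ';'-separated Windows PATH, in lookup order."""
    found = []
    for directory in path_value.split(";"):
        if not directory:
            continue
        for name in names:
            candidate = ntpath.join(directory, name)
            if exists(candidate):
                found.append(candidate)
    return found


def label_tool(path: str) -> str:
    """Heuristic: guess which Kerberos implementation a klist/kinit belongs to."""
    lower = path.lower()
    if "\\system32\\" in lower:
        return "Windows SSPI tool (shows only the LSA in-memory cache)"
    if "\\java\\" in lower or "\\jre" in lower or "\\jdk" in lower:
        return "Java JRE tool (its own view of the default cache)"
    if "\\mit\\" in lower:
        return "MIT KfW tool (FILE:/API: caches; MSLSA: read-only)"
    return "unknown vendor; run it by full path and compare its output"


def main() -> None:
    # Constructed sample: a machine with the Windows tools, MIT KfW and a JRE on PATH.
    sample_path = r"C:\Windows\System32;C:\Program Files\MIT\Kerberos\bin;C:\Program Files\Java\jre8\bin"
    sample_files = {
        r"C:\Windows\System32\klist.exe",
        r"C:\Program Files\MIT\Kerberos\bin\klist.exe",
        r"C:\Program Files\MIT\Kerberos\bin\kinit.exe",
        r"C:\Program Files\Java\jre8\bin\klist.exe",
    }
    kind, note = classify_ccache(r"C:\temp\krb5cc")
    print(f"KRB5CCNAME cache type: {kind} -> {note}")
    for tool in find_tools(sample_path, sample_files.__contains__):
        print(f"{tool}\n    {label_tool(tool)}")


if __name__ == "__main__":
    main()
```

On a real machine, replace `sample_path` with `os.environ["PATH"]` and `sample_files.__contains__` with `os.path.isfile`; the first hit is the one a bare `klist` at the prompt resolves to, which on most Windows installs is the System32 (SSPI) tool.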

Cloudera Kerberos authentication error using CeleryExecutor Airflow

Please help as I am a little clueless..
I am trying to upgrade our Airflow installation, including Kerberos authentication, from the LocalExecutor to the CeleryExecutor. Currently, we run the Airflow installation from only one server.
The exact same sqoop job fails using the CeleryExecutor due to a Kerberos authentication error, while the LocalExecutor is successful:
Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "lsrv****.linux.****/10.251.128.148"; destination host is: "lsrv***.linux.****":8020; , while invoking ClientNamenodeProtocolTranslatorPB.getFileInfo over lsrv****.linux.****/10.251.128.104:8020 after 1 failover attempts. Trying to failover after sleeping for 1377ms.'
kerberos settings:
[kerberos]
ccache = /tmp/krb5cc_32606
# gets augmented with fqdn
principal = airflow
reinit_frequency = 3600
kinit_path = kinit
keytab = /var/lib/airhome/.certs/airflow.keytab
Is there anything that needs to change in the kerberos or celery setup to have kerberos work in combination with celery executor? Or does anything need to change in the Cloudera Hadoop settings? (e.g.: hadoop.security.token.service.use_ip?)
Does it have something to do with the additional IP address mentioned in the error message?
You also need to run airflow kerberos where you run airflow worker. It's the Kerberos ticket renewer component in Airflow.
https://airflow.apache.org/docs/stable/security.html#kerberos

Bitvise SSH Client command line (stnlc.exe) gets error while the one with GUI successfully connected

I'm integrating Bitvise client into my winform app. I am using Bitvise SSH Client command line (stnlc.exe in the app's directory) to do so. My app needs to have multiple connections at the same time.
It works well with some addresses, but with some others it doesn't. This is the command that I'm using:
"C:\Program Files (x86)\Bitvise SSH Client\stnlc.exe" -profile="C:\Users\AutoOffer\AutoOffer\bin\Debug\data\sshprofile.bscp" -host=<myhost> -port=22 -user=<username> -pw=<password> -ka=y -proxyFwding=y -proxyListIntf=127.0.0.1 -proxyListPort=<port>
And this is the error I got:
Bitvise SSH Client 6.45 - stnlc - free for individual use only, see EULA
Copyright (C) 2000-2015 by Bitvise Limited.
Connecting to SSH2 server XX.XX.XX.XX:22.
Connection established.
Server version: SSH-2.0-dropbear_0.46
First key exchange started.
ERROR: The SSH2 session has terminated with error.
Reason: Error class: LocalSshDisconn, code: KeyExchangeFailed, message: FlowSshTransport: no mutually supported key exchange algorithm.
Local list: "ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1".
Remote list: "diffie-hellman-group1-sha1".
I tried to connect manually by the Bitvise app with GUI and it successfully connected!
I also updated my bitvise version to the latest (6.45).
Local list: "ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1".
Remote list: "diffie-hellman-group1-sha1".
So it looks like the remote side just supports diffie-hellman-group1-sha1, which is not supported on your side.
On Bitvise SSH Server Version History I read:
The 1024-bit fixed prime Diffie Hellman key exchange methods, diffie-hellman-group1-sha1 and gssapi-group1-sha1 with Kerberos 5, are now disabled by default, due to doubts about continuing security of Diffie Hellman with a 1024-bit fixed prime. Compatibility with most older clients should be retained via the diffie-hellman-group14-sha1 method, which uses a 2048-bit fixed prime. We recommend migrating older SSH clients to new versions supporting ECDH and ECDSA.
So it looks like you have to modify the settings and allow 1024-bit fixed prime Diffie Hellman key exchange methods. Otherwise you will not be able to connect. As explained, it is of course better to change the SSH server settings.
Also, please note that running stnlc as a service is a possibility. With it, the tunnel can be started even without the user having to log on, and can be restarted upon dropping.
Be aware that wrapping and running stnlc as a service (using e.g. nssm or winsw) absolutely requires adding the unat=y option to prevent the service from going interactive and failing.
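The negotiation behind the "no mutually supported key exchange algorithm" error, as an added example (not Bitvise code). Per RFC 4253 section 7.1, each side sends its supported methods as a comma-separated name-list in preference order, and the chosen method is the first entry on the client's list that the server also lists. `CLIENT_KEX` and `SERVER_KEX` are copied from the error output above; the alternative lists in `main()` are constructed to show the two ways out the answer describes (client re-enables group1, or the server is changed to offer group14).

```python
"""SSH key-exchange negotiation: why the two lists above produce no match."""
from typing import List, Optional

CLIENT_KEX = ("ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
              "ecdh-sha2-nistp256,diffie-hellman-group14-sha1")
SERVER_KEX = "diffie-hellman-group1-sha1"

# Methods the Bitvise release notes quoted above disable by default because
# they rely on a fixed 1024-bit prime.
LEGACY_1024_BIT = {"diffie-hellman-group1-sha1", "gssapi-group1-sha1"}


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH name-list (RFC 4251 section 5); empty entries are dropped."""
    return [name.strip() for name in name_list.split(",") if name.strip()]


def negotiate_kex(client_list: str, server_list: str) -> Optional[str]:
    """First client-preferred method that the server supports, or None on no overlap."""
    server_supported = set(parse_name_list(server_list))
    for method in parse_name_list(client_list):
        if method in server_supported:
            return method
    return None


def is_legacy(method: Optional[str]) -> bool:
    """True when the negotiated method is one of the 1024-bit fixed-prime groups."""
    return method in LEGACY_1024_BIT


def describe(client_list: str, server_list: str) -> str:
    """Human-readable outcome, flagging a match that only succeeded on a legacy group."""
    chosen = negotiate_kex(client_list, server_list)
    if chosen is None:
        return "no mutually supported key exchange algorithm"
    strength = "legacy 1024-bit group" if is_legacy(chosen) else "acceptable"
    return f"negotiated {chosen} ({strength})"


def main() -> None:
    print("as reported:        ", describe(CLIENT_KEX, SERVER_KEX))
    # Client-side workaround from the answer: re-enable group1 on the client.
    print("client adds group1: ", describe(CLIENT_KEX + ",diffie-hellman-group1-sha1", SERVER_KEX))
    # Preferred fix: the dropbear server offers group14 (2048-bit) as well.
    print("server adds group14:", describe(CLIENT_KEX, "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"))


if __name__ == "__main__":
    main()
```

Because the client's order decides, adding group1 to the end of the client list only gets used when nothing stronger overlaps, which is why re-enabling it on the client is a narrower change than it looks; the server-side fix makes the stronger group14 win without touching the client at all.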

How can I setup a cell and collective in Bluemix

I'm trying to setup a cell and a collective in a WAS for bluemix service. I've found a few steps online for generic liberty setup, but nothing specific for a bluemix collective or cell. Can someone point me in the right direction?
At a high level, you should be able to do the following for a Cell:
Login to the Admin Console as wsadmin
Create a server.
Open all the ports on each host for each server created by running the openFirewallPorts.sh script. Below you will find the standard ports for a new server, given that only one server exists on each host. You may need to open more ports for additional servers on the same host, since ports can be unique per server. Try the following:
cd WAS_HOME/virtual/bin
export serverPorts=2810:TCP,2810:UDP,8880:TCP,8880:UDP,9101:TCP,9101:UDP,9061:TCP,9061:UDP,9080:TCP,9080:UDP,9354:TCP,9354:UDP,9044:TCP,9044:UDP,9443:TCP,9443:UDP,5060:TCP,5060:UDP,5061:TCP,5061:UDP,11005:TCP,11005:UDP,11007:TCP,11007:UDP,9633:TCP,9633:UDP,7276:TCP,7276:UDP,7286:TCP,7286:UDP,5558:TCP,5558:UDP,5578:TCP,5578:UDP
sudo ./openFirewallPorts.sh -ports $serverPorts -persist true
Start your server.
Deploy your application.
There are a few slight differences for a Liberty Collective, but again, at a high level, you should be able to try the following:
Switch your user to wsadmin or ssh to your host using wsadmin / password
On each host, create a server and join it to the collective. Be sure to use the full host name of the controller for the --host parameter.
cd WAS_HOME/bin
./server create server
./collective join server --host=yourhostname --port=9443 --user=wsadmin --password=xxxxxxxx --keystorePassword=yyyyyyyy
Accept the chain certificate (y/n) y
Save the output from each join so you can paste it into each host's application server.xml file before deploying your application.
Install the features required by your application on each host. The features listed below are an example.
cd /opt/IBM/WebSphere/Liberty/bin
./featureManager install --acceptLicense ejblite-3.2 websocket-1.0 jsp-2.3 jdbc-4.1 jaxrs-2.0 cdi-1.2 beanValidation-1.1
NOTE: Output from this command will contain messages similar to:
chmod: changing permissions of
`/opt/IBM/WebSphere/Liberty/bin/featureManager': Operation not
permitted
This is OK. You should see this message upon completion:
Product validation completed successfully.
Update your application's server.xml file with the information saved in Step 2.
Start your server.
Deploy your application.
Verify your application is reachable at :9080/appname

IBM Worklight 6.2 Server Deployment error: DB2 Instance not found on server

Environment:
IBM Worklight 6.2,
IBM Liberty 8.5.5.1,
IBM DB2 10.5 &
Windows 2008 standard Edition.
For high availability of the DB instance [WLDBINST], I have followed the architecture below.
2 Windows Clustered Machines with IBM DB2 binary and SAN storage used to share the Database file in Common.
If any 1 node is not available the other node will take over the control without any loss of the data.
I have tested the DB2 instance via Cluster IP and it works fine.
The below error has been logged when I run the Worklight Server Configuration tool:
Instance WLDBINST not found on server. Found only [WLDBINST C, :, DB2CLUSTER, DB2]
I have found the reason for the above issue. To list the DB2 instances we can use the command db2ilist:
C:\>db2ilist
WLDBINST C : DB2CLUSTER
DB2
The above result shows that we have two instances:
WLDBINST, which is on the "C" drive and part of DB2CLUSTER, and
DB2
The Worklight Configuration tool also uses a similar DB2 tool to list the instances, I guess.
So the configuration tool is considering the result as 4 instances, as follows:
WLDBINST C,
:,
DB2CLUSTER and
DB2
How can I resolve this issue?
If the Server Configuration Tool is not able to create the database for your topology, you should create it manually before running the tool.
For the Administration database, the doc is here:
https://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/t_creating_the_db2_database_for_wladmin.html
For the Project Runtime databases, the doc is here:
https://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.deploy.doc/admin/t_creating_the_db2_databases.html
The server configuration tool will not do any specific configuration to ensure that Liberty reopens a connection if there is a database node switch. I recommend that you review the behavior of Liberty in this case, and add settings in the server.xml as required.
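The tokenisation problem diagnosed in the question, worked through as an added example (not Worklight or DB2 code). db2ilist printed "WLDBINST C : DB2CLUSTER" for the clustered instance and "DB2" for the plain one, and the configuration tool reported four "instances": [WLDBINST C, :, DB2CLUSTER, DB2]. The sample output below is constructed and assumes the fields on the clustered line are tab-separated, which is one tokenisation that yields exactly those four items; the contrast is a parser that treats each output line as one instance record and takes the first token as the name.

```python
"""Parsing db2ilist output so that a clustered instance is still found by name."""
import re
from typing import Dict, List, Optional

# Constructed sample of db2ilist output (field separators assumed to be tabs).
DB2ILIST_OUTPUT = "WLDBINST C\t:\tDB2CLUSTER\r\nDB2\r\n"


def naive_instances(output: str) -> List[str]:
    """Tokenise on tabs and line breaks only: reproduces the 4-item list in the error."""
    return [token for token in re.split(r"[\t\r\n]+", output) if token]


def parse_db2ilist(output: str) -> List[Dict[str, Optional[str]]]:
    """One record per line: instance name, optional drive letter, optional cluster name."""
    instances = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        # "<name> <drive> : <cluster>" for a clustered instance, just "<name>" otherwise.
        left, _, cluster = line.partition(":")
        fields = left.split()
        instances.append({
            "name": fields[0],
            "drive": fields[1] if len(fields) > 1 else None,
            "cluster": cluster.strip() or None,
        })
    return instances


def instance_exists(output: str, wanted: str) -> bool:
    """The check the configuration tool needs: is there an instance with exactly this name?"""
    return any(inst["name"] == wanted for inst in parse_db2ilist(output))


def main() -> None:
    print("naive tokens :", naive_instances(DB2ILIST_OUTPUT))
    print("parsed       :", parse_db2ilist(DB2ILIST_OUTPUT))
    print("WLDBINST found via naive tokens:", "WLDBINST" in naive_instances(DB2ILIST_OUTPUT))
    print("WLDBINST found via line parser :", instance_exists(DB2ILIST_OUTPUT, "WLDBINST"))


if __name__ == "__main__":
    main()
```

The line-oriented parser is what you would want in any script that wraps db2ilist on a clustered Windows host; it does not change the tool's behaviour, which is why the answer's advice to create the databases manually before running the configuration tool still applies.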