I'm trying to connect to a Google Cloud SQL instance using dblink, which works well when setting up my username and password in the connection string, but I would like to save my Client credentials in the SQL instance not to have the need to explicitly put my password in the connection.
The .pgpass file which will be used is the one that belongs to the OS user which is running the local database ('~/postgres/.pgpass', in most cases). And then for security reasons, it works only if you are locally a superuser. Can you meet those criteria?
but I would like to save my Client credentials in the SQL instance
What does "SQL instance" mean? I would not think that .pgpass would count as being inside the SQL instance.
An alternative solution is to create a foreign server with "postgres_fdw". This doesn't seem to be documented (edit: it is documented here, but uses dblink_fdw not postgresql_fdw), but you can pass the name of a "postgres_fdw" foreign server (in single quotes) to dblink functions as the connection string. It will then pull the password to be used from the USER MAPPING for that server and user. I would think the USER MAPPING counts as inside the "SQL instance".
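The foreign-server approach from the answer above, written out with dblink_fdw so the password lives in a USER MAPPING rather than in each dblink call. This is an added example, not code from the original posts; the server name, host address, database, role names, table and password are placeholders.

```sql
-- Added example. cloudsql_remote, app_local, remote_user, appdb, customers
-- and the address 203.0.113.10 are placeholders, not values from the thread.
CREATE EXTENSION IF NOT EXISTS dblink;

-- Connection parameters without credentials; sslmode keeps the link encrypted.
CREATE SERVER cloudsql_remote
  FOREIGN DATA WRAPPER dblink_fdw
  OPTIONS (host '203.0.113.10', port '5432', dbname 'appdb', sslmode 'require');

-- Credentials are stored once, per local role, instead of in every query text.
CREATE USER MAPPING FOR app_local
  SERVER cloudsql_remote
  OPTIONS (user 'remote_user', password 'remote_password_placeholder');

-- Only roles granted USAGE can open connections through this server.
GRANT USAGE ON FOREIGN SERVER cloudsql_remote TO app_local;

-- Run as app_local: the server name replaces the connection string,
-- and dblink takes user and password from the mapping above.
SELECT *
FROM dblink('cloudsql_remote', 'SELECT id, name FROM customers')
  AS t(id integer, name text);

-- Review which mappings exist; umoptions is NULL for roles that are not
-- permitted to read the stored options.
SELECT srvname, usename, umoptions
FROM pg_user_mappings
WHERE srvname = 'cloudsql_remote';
```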
I have 2 systems. system A and system B and both are DB2 servers. I want to be able to access system B database from system A. Both have a database called TESTDB. I am trying to run the following command to create a server.
CREATE WRAPPER "drdawrapper"
LIBRARY 'libdb2drda.so'
OPTIONS (DB2_FENCED 'Y'
);
db2 "CREATE SERVER "PRD_SERVER_SSL_FLEX" TYPE DB2/UDB VERSION '11' WRAPPER "drdawrapper" AUTHORIZATION "xyz" PASSWORD "xyz" OPTIONS (DB2_CONCAT_NULL_NULL 'Y',DB2_VARCHAR_BLANKPADDED_COMPARISON 'Y',DBNAME 'TESTDB',HOST '169.62.253.230',NO_EMPTY_STRING 'N',PORT '50001',SECURITY 'SSL',STRING_UNITS 'S');"
But I keep getting:
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL1101N Remote database "TESTDB" on node "<unknown>" could not be accessed
with the specified authorization id and password. SQLSTATE=08004
Node directory:
db2 list node directory
Node Directory
Number of entries in the directory = 1
Node 1 entry:
Node name = TESTNODE
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = 123.21.23.12
Service name = 50001
The credentials are correct. I am not sure what node it is looking for. Any pointers?
Your question is more about configuration than programming.
As you appear to be encrypting the federated connection it can be wise to first verify that the encrypted connection works at the command-line, separately from federation. This irons out a lot of the detail and is easier to troubleshoot. After you get that working, you can then begin on encrypting the federated connection.
Please follow the detailed instructions here (choose the correct Db2-version):
You have to know in advance which kind of SSL/TLS trust verification you want (i.e. either single cert (client trusts the server - simplest and easiest), or multiple certs (both sides trust the other - more setup, arguably more secure)), because this determines the configuration.
Ensure both of your Db2 instances and databases are properly configured for SSL.
Catalog the remote-node locally with security SSL (db2 catalog tcpip node ... remote ... server ...security ssl)
Catalog the remote-database locally on the new node name (db2 catalog database ... at node ...) followed by db2 terminate .
Verify a command-line connect to the remote database using the federated credentials, using the configured db2dsdriver.cfg if using SSLSERVERCERTIFICATE method, or using the keystore/stash configuration ( db2 connect to remotedb user ... using ... ). Use the same userid/password that you will use later in the create server command.
Once that command-line connect works, you can proceed with the encrypted federation link, via db2 create wrapper... and db2 create server....
There's no need to use quotes around the wrapper name, just let it fold, otherwise quotes are just annoying redundant noise, although it is not a mistake.
Inside the script for create server command options instead of AUTHORIZATION "xyz" PASSWORD "xyz" use AUTHORIZATION \"xyz\" PASSWORD \"xyz\" (i.e. escape the quotes).
For one-sided trust, use SSL_SERVERCERTIFICATE in the create server options clause and ensure the value is accurate (fully qualified path to the remote-db2instance-certificate-file), and that the file/directory permissions are valid.
For mutual trusts, use both SSL_KEYSTORE and SSL_KEYSTASH keywords with correct values, in the create server options clause (having previously ensured your keystores are properly populated, as verified by a command-line connect above).
You may also want to consider create user mapping depending on the requirements.
Finally you can create your nicknames, and test out the federated link by querying those nicknames.
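The federation statements this answer describes for one-sided trust, written as a CLP script (run with `db2 -tvf` after connecting to the federated database) so the double quotes never pass through the shell. This is an added example, not the asker's or IBM's code; the server name, host, certificate path, user ids, passwords, schema and nickname are placeholders.

```sql
-- Added example. Save as federation.sql and run: db2 -tvf federation.sql
-- Every name, path and password below is a placeholder.

-- Wrapper name left unquoted so it folds to upper case.
CREATE WRAPPER drdawrapper
  LIBRARY 'libdb2drda.so'
  OPTIONS (DB2_FENCED 'Y');

-- One-sided trust: the federated server verifies the remote instance
-- against the certificate file named in SSL_SERVERCERTIFICATE.
-- The file must be readable by the instance owner (and fenced user).
CREATE SERVER prd_server_ssl
  TYPE DB2/UDB VERSION '11'
  WRAPPER drdawrapper
  AUTHORIZATION "remote_user" PASSWORD "remote_password_placeholder"
  OPTIONS (
    HOST '<remote-host>',
    PORT '50001',
    DBNAME 'TESTDB',
    SECURITY 'SSL',
    SSL_SERVERCERTIFICATE '/path/to/remote_instance_cert.arm'
  );

-- Per-user remote credentials, stored in the federated database
-- instead of being typed into scripts.
CREATE USER MAPPING FOR local_user
  SERVER prd_server_ssl
  OPTIONS (REMOTE_AUTHID 'remote_user',
           REMOTE_PASSWORD 'remote_password_placeholder');

-- Nickname for a remote table, then a query to test the encrypted link.
CREATE NICKNAME local_schema.orders_remote
  FOR prd_server_ssl."REMOTE_SCHEMA"."ORDERS";

SELECT COUNT(*) FROM local_schema.orders_remote;
```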
I am trying to connect to DB2 database to import source structure. I tried using ODBC DB2 Wire Protocol Driver Setup. I provided IP Address, TCP Port, Location ( DB2 to Z/OS and Iseries), but when I click on test connection I get below error:
[Informatica][ODBC DB2 Wire Protocol driver][DB2]NULLID.DDOS510A DOES NOT HAVE PRIVILEGE TO PERFORM OPERATION PACKAGE ON THIS OBJECT.
Same method I tried in lower environment of DB2 and connection works. But in higher environment I get this error. (I verified login in the database directly and my user id has login access.)
This is not a programming question, it is about configuration.
The reason that it works on one database, but fails on another, is because only one of the databases has the correct permissions.
Ask the DBA to grant relevant privileges to the userid at the database.
You will find more details at the following IBM technote and also here.
I need to use MySQL to send queries to a Google Cloud SQL database set up. I already have an instance created and a user, and I am able to access the database through the Cloud Shell. I can't seem to find the credentials to log into the database (host name, username, password, port and socket), and I'm not sure how to access them through the shell.
You can find the available methods to connect to your Cloud SQL instance here.
Connecting from an IP address without SSL is probably the easiest one:
In the Cloud Console, go to the cloud SQL instances screen and click on your instance’s name.
In the overview tab, take note of the Primary IP Address, you’ll use it instead of a hostname.
In the users tab, you can create a new user or reset the password of an existing one, including the root user.
In the authorization tab, add the IP or IP range where you are attempting the connection from, so Cloud SQL accepts connections from your client (more on this here).
Start your mysql client as follows (note the port is not necessary as the default one is used):
mysql --host=[INSTANCE_IP_ADDR] --user=[USER_NAME] --password
All,
I'm running a query on the target server that retrieves data from a source server. My query is using the digest function. Digest is on both servers. It is embedded in a UDF that is also present on both servers. BTW, the "select" portion of the query runs perfectly on the source server.
I would think that when you submit a remote query it will execute on the remote box. I am receiving a "1 function digest(text, unknown) does not exist ..." error. Also, since all the functions are in the public schema on both servers, I don't see how Postgres is failing to find the function.
Any help appreciated.
TIA,
Mike
Queries are executed on server specified in connection string. If no host was given, then on localhost. They are executed using role from connection string. That also includes search_path of that role.
Unrelated to your question, but I would try 2 things while debugging that issue you described:
Connect to the remote server using the same role as the dblink connection string and execute the query
Schema-qualify that function in dblink: public.digest(..)
I want to add a new Informix server entry into sqlhosts, but I'm not quite sure how it will impact the existing connection.
Currently sqlhosts contains only one server entry...
dbserver onsoctcp 111.111.111.20 7101
The database handle is created within an existing perl module (db is a database on the server)...
my $dsn = "DBI:Informix:db";
my $dbh = DBI->connect($dsn,"user","password");
Notice that "dbserver" is never referenced.
I want to add a test server to sqlhosts. Something like this...
dbserver onsoctcp 111.111.111.20 7101
dbserver_test onsoctcp 111.111.111.21 7101
With only one entry in sqlhosts, everything has been working fine. But my connection never references the server name in sqlhosts.
So, my question(s)...
Does Informix just try to use the only one available?
Will adding a second server entry in sqlhosts force me to include the server name in the connection string?
Thanks!
Informix client uses environment variables to resolve hosts and other configuration; check that INFORMIXDIR is set to the path where Informix CSDK is installed (I assume it is), and set INFORMIXSERVER to point to the new entry in sqlhosts. See this article in IBM knowledge base.
Alternatively, use db#server data source format:
my $dbh = DBI->connect("DBI:Informix:db#server", "user", "password");
Maybe it is a permissions issue? From the documentation:
Note that you might also be able to connect to other databases not
listed by DBI->data_sources using other notations to identify the
database. For example, you can connect to "dbase#server" if "server"
appears in the sqlhosts file and the database "dbase" exists on the
server and the server is up and you have permission to use both the
server and the database on the server and so on. Also, you might not
be able to connect to every one of the databases listed if you have
not been given at least connect permission on the database. However,
the databases listed by the DBI->data_sources method certainly exist,
and it is legitimate to try connecting to those sources.
http://search.cpan.org/~johnl/DBD-Informix-2013.0521/Informix.pm