How to disable SSL in JAVA_OPTS in eclipse? - eclipse

I am running the Kubernetes API to access a Kubernetes cluster. The connection fails with the following error:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
The Kubernetes endpoint is http and not https. How do I make sure that this is configured in the JAVA_OPTS for Eclipse?

It sounds like you tried to access the wrong port.
By default, a secure port is opened on 6443. You should be able to make an SSL connection to that port:
https://github.com/kubernetes/kubernetes/blob/54706661ad72d62ea0b494112a74e0467093c9f4/cmd/kube-apiserver/app/server.go#L128
For up-to-date information about how to access the API, please take a look at the documentation:
http://kubernetes.io/v1.1/docs/user-guide/accessing-the-cluster.html
http://kubernetes.io/v1.1/docs/admin/accessing-the-api.html
If more information would be useful there, please file an issue requesting the specific information you would expect to see in the documentation.
https://github.com/kubernetes/kubernetes/issues/new

Related

SSL TLS Version issue in BigQuery Linked Service in ADF

I am creating a Linked Service to connect to BigQuery with Service Account authentication, and the p12 file has already been placed in the IR VM directory.
I am receiving the following error:
ERROR [HY000] [Microsoft][DriverSupport] (1160) Cannot enable SSL for the connection when connecting to a server that has not enabled SSL. If the server has SSL enabled, please check if it has been configured to use a SSL protocol version that is lower than what is allowed for the connection. The minimum SSL protocol version allowed for the connection is: TLS 1.2.
But when I place the p12 file in another IR VM, the linked service works correctly.
I tried to check the TLS version in both VMs and everything looks the same.
Please suggest ways to check the SSL and TLS version in the VMs and how to resolve this issue.
Based on the error message, it seems the issue might be with the SSL certificate, so the first step would be to compare SSL/TLS across both servers.
If they are the same, I would suggest monitoring the traffic across both servers when trying to access GCP BigQuery.
You might get the exact cause of failure, which can be something like:
Firewall blockage
Some missing setup, e.g. BigQuery needs Google_base set up as a signature
etc.
You could create a PowerShell script that checks the TLS & SSL registry entries mentioned in the following documentation:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
If the same issue arises even after enabling the TLS/SSL settings, please try reinstalling the IR in the VM.

Not able to access AEM author using JcrUtils.getRepository with https

I am trying to access the repository from a standalone java application using JcrUtils.
repository = JcrUtils.getRepository("http://localhost:4502/crx/server"); // this works
repository = JcrUtils.getRepository("https://localhost:4502/crx/server"); // this doesn't work
Exception in thread "main" javax.jcr.RepositoryException: Unable to access a repository with the following settings:
    org.apache.jackrabbit.repository.uri: https://localhost:4502/crx/server
The following RepositoryFactory classes were consulted:
    org.apache.jackrabbit.commons.JndiRepositoryFactory: declined
    org.apache.jackrabbit.core.RepositoryFactoryImpl: declined
    org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory: declined
    org.apache.jackrabbit.jcr2spi.Jcr2spiRepositoryFactory: declined
Perhaps the repository you are trying to access is not available at the moment.
    at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:223)
    at org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:263)
    at com.hero.jcr.util.CqHelper.getSession(CqHelper.java:20)
    at com.hero.jcr.commandline.CheckConnection.getDamAssets(CheckConnection.java:36)
    at com.hero.jcr.commandline.CheckConnection.main(CheckConnection.java:29)
Thanks in advance
The problem can have different causes.
HTTPS configured and on which port
It looks like you're trying to access HTTP and HTTPS in the same situation on the same port. HTTP and HTTPS don't run on the same port in parallel.
Please use the SSL Wizard as hinted by ronnyfm to check if SSL is activated and on which port it is used: https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/ssl-by-default.html
For instance the default port for https in AEM is 8443, so try https://localhost:8443 to access it, if you have configured it there.
Untrusted Certificate
Also connecting to https might not work if you use an untrusted certificate, which you need to add to the Java security keystore first. In my case I got the same "Unable to access" message, because the original exception regarding the certificate got silently swallowed in the JCR library I was using.
Wrong certificate
When you added the certificate to the keystore and it still doesn't work, check if the certificate was created for the same host you request. If you created it for bla.host, but try to access it via localhost, it also gives you the same exception, while the original message is silently swallowed.
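The checks in this answer (which port speaks HTTPS, whether the certificate is trusted, whether it matches the host name) and the plaintext-port mistake behind the "Unrecognized SSL message" error in the first question can be run outside the client library, where the real failure is not swallowed. This is an added example, not code from any of the posts; `probe_endpoint` and its verdict strings are names made up here, and the host and port in the demo line are placeholders.

```python
import socket
import ssl


def probe_endpoint(host, port, cafile=None, timeout=3.0):
    """Return (verdict, detail) describing what listens on host:port.

    Verdicts (names invented for this example): "tls-ok",
    "tls-cert-rejected", "plaintext-http", "unknown", "unreachable".
    """
    # The default context verifies the chain and the host name. Passing
    # cafile trusts only that CA bundle instead of the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls-ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, or a certificate issued for a different host name.
        return "tls-cert-rejected", exc.verify_message
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        handshake_error = str(exc)
    finally:
        raw.close()

    # Handshake failed for a non-certificate reason: see if plain HTTP answers.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = plain.recv(64)
    except OSError:
        reply = b""
    if reply.startswith(b"HTTP/"):
        return "plaintext-http", reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return "unknown", handshake_error


if __name__ == "__main__":
    # Placeholder target: substitute the host and port your client connects to.
    print(probe_endpoint("localhost", 6443))
```

A `plaintext-http` verdict whose detail is a 400 status can also come from a TLS server that refused the handshake and then answered the plaintext request with an error, so read the status line before changing the URL scheme.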

Kubernetes API proxy for HTTPS endpoints

Kubernetes surfaces an API proxy, which allows querying the internal services via eg: https://myhost.com/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/
This is all well, and good. However, for security & compliance reasons, all of our services expose an HTTPS endpoint. Attempting to access them by going to https://myhost/api/v1/proxy/namespaces/default/services/myhttpsservice:3000/ results in
Error: 'read tcp 172.20.122.129:48830->100.96.29.113:3000: read: connection reset by peer'
Trying to reach: 'http://100.96.29.113:3000/'
Because the endpoint, 100.96.29.113:3000 is in fact https.
Is there any way to configure the proxy to apply SSL to specific service endpoints?
(Edit: If this is not currently possible, a relevant GitHub issue link for tracking the feature request is also an acceptable answer until it is.)
As documented at https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls (and pointed out on Slack), you can access services behind HTTPS by prefixing the service name with "https:".
Using the example from above, correctly it would be: https://myhost/api/v1/proxy/namespaces/default/services/https:myhttpsservice:3000/

How can I configure kube-proxy to connect via https to apiserver?

Reading the documentation from http://kubernetes.io/docs/admin/kube-proxy/ it doesn't look like I can connect to the apiserver via https.
The same goes for scheduler and controller-manager, but those two maybe are supposed to run on the same machine as the apiserver and can connect via localhost.
But what about the proxy? This is supposed to connect remotely to the apiserver. Is it possible to configure authentication and/or authorization from the proxy to the apiserver?
This is embarrassing. Looks like all daemons support a "--kubeconfig" flag that gives access to public and private key for authorization.

Enabling remote access to Keycloak

I'm using the Keycloak authorization server in order to manage my application permissions. However, I've found out the standalone server can be accessed locally only.
http://localhost:8080/auth works, but http://myhostname:8080/auth does not. This issue doesn't permit accessing the server from the internal network.
The standalone Keycloak server runs on the top of a JBoss Wildfly instance and this server doesn't allow accessing it externally by default, for security reasons (it should be only for the administration console, but seems to affect every url in case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable it.
However, if your Wildfly is running on a remote machine and you try to
access your administrative page through the network by its IP address
or hostname, let’s say, at http://54.94.240.170:8080/, you will
probably see a graceful This webpage is not available error, in
other words, Wildfly said “No, thanks, I’m not allowing requests
from other guys than the ones at my local machine”.
See also:
Enable Wildfly remote access
Wildfly remotely access administration console doesnt work
You can start the Keycloak server with this command:
standalone.bat -b 0.0.0.0
For anyone who happens by here now, I found this in the documentation for Keycloak 8:
Users can interact with Keycloak without SSL so long as they stick to
private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x,
and 172.16.x.x. If you try to access Keycloak without SSL from a
non-private IP address you will get an error.
This is how you can disable it from the admin console, just click on your realm, and make the mentioned option.
Note: Don't forget the following
standalone.bat -b 0.0.0.0