I have setup my own mongoDB and enabled authorization that’s hosted on an external server.
Which i can now connect to my DB using mongo Compass while mongoDB is:
bindIp : 0.0.0.0
But not any other things else.
Then I found this thread on the mongoDB community forum:
here
Stating that there’s a misconception on bindIp. Which it does not listen to remote ip that wants to connect, but listen to only local network. In order to connect to my mongoDB with a remote ip while not opening all my port to public (0.0.0.0) i need to set up a SSL connection.
Now here’s the problem. How do i setup SSL connection ? I took the class M301 and know about X.509 but still have no clue how to connect via SSL.
I would like to connect through something like with the connection string of:
mongod://:#XXX.XX.XX.XXX:XXXXX/?ssl=true <<<<
If X.509 is the method, how do i work with pem key ? how do i sign one ? how do i use client key in mongo compass?
If you have a certificate, MongoDB documentation provides guides for setting up TLS on the server. How to create the certificate is usually not covered; typically you would either work for a company whose IT department would take care of this for you, or you would use a service such as MongoDB Atlas which would handle TLS termination.
For learning purposes you can use self-signed certificates and there is probably a university course for setting up TLS.
Related
This is for a Oracle database standalone server running 12c 12.2.0.1 on windows server 2016.
We are hardening our system and one of the findings was to remove support of SSL and implement TLS 1.2 and upwards where possible. A pen test report found certain port was currently using vulnerable protocols. On investigation i found this to be oracle listener. From research, it seems using Net manager we can configure SSL certificates so that the server to client communications on Oracle are encrypted. The only trouble i'm having right now is finding out any oracle document which will tell me exactly what encryption methods are supported? does anyone know how what is supported? I would like to basically disable support for SSL v2 and v3 through windows registry on all machines and allow only TLS 1.2 or higher but this may break the oracle database 12c comminications i suppose if there is no support for TLS 1.2 or higher? Any help would be appreciated in conjuction with what are the best practices for oracle standalone servers when it comes to security?
Also, a bit of a basic question i guess but in Net manager there are two tabs. One is called Encryption and another called SSL? I understand SSL would mean creating certificates and having them on the client and server such that the messages can be de-crypted. However, what does the Encryption tab do? does it literally just encrypt all communications between server and client but not using SSL or TLS?
Thank you for any help.
Check out the 2 Day DBA + Security Guide for info on network encryption. By default Oracle uses "native" encryption libraries that don't use SSL at all (those are managed by the "Encryption" tab you mentioned). SSL encryption (under the "SSL" tab) uses an entirely different protocol, and requires a specially configured listener, a different network port, and certificates in an Oracle Wallet. Check out the docs; they should walk you through everything. It's certainly too big a subject to tackle completely here.
I am creating a simple client to connect to the LDAP servers running on one of my windows 2008R2 Active Directory Domain Controllers.
I have successfully connected to the LDAP server over a non TLS connection. However, whenever I attempt to make a TLS connection, the handshake fails. After some digging, and downloading the certificate using the following command:
openssl s_client -connect <domain controller>:636
I found that the certificate being served from the LDAP server is invalid. I can see that the certificate is signed by our CA and my local system, that runs the application already has this trust established with the CA. However, It is missing all of the subject information in the certificate. The client application does not allow for this.
After speaking with the administrator, he indicated that the certificates being generated for the domain controller systems to serve TLS certificates over LDAP is automatic and is created by our internal Microsoft Certificate Server. He was not sure how to address this.
After numerous Google searches, I have come up pretty empty on how to resolve this. Is it something that is addressed on the certificate server? Is it something on the domain controller which is stripping the subject information? Is it some setting or configuration? Since, I do not have direct access to these systems I am at a loss on where to begin.
Any assistance would be appreciated.
Blindly trusting a certificate that is invalid is not an acceptable solution.
Ask your admin to export the root certificate for your environment (like, to a .cer file). Then you can use that file to add it as a trusted root certificate on the computer that needs to access it.
That's how we do it in our environment when we've needed to access an external domain over LDAPS.
Of course, that only works if the application accessing LDAPS uses the Windows certificate store. Some applications, like Java-based apps, don't, and you need to do it another way.
I was able to assist my Admin with updating the template the certificate server was using to include the subject and subject alternate name.
I found the following articles that helped determine the problem
https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
Ultimately going over each setting until we found the right solution that solved the problem of why the certificate server was sending and invalid certificate.
I’m having a very specific issue with Azure and I couldn’t find any solution on the web.
So, we are little by little migrating our client’s infrastructure to Azure and we are starting with our Workers (webjobs).
These webjobs need to consume data present on a AWS SQL Server instance.
We already have checked that the App Service Plan’s Outbound IPs are whitelisted and that the SQL server is listening on TCP port 1433.
An evidence of that is the fact that we are able to communicate with the SQL Server instance through the Azure Debug Console:
But when we run the WebApp, the worker cannot find and connect to the same DB:
Does anyone have a clue of how I can solve this issue? It would be very appreciated!
Well, as you demonstrated by the first image, the SQL Server instance is configured correctly.
The worker Outbound IP address is definetely the same as the App Service Plan's machine.
Based on that, can you then please check if the Connection string you are setting have 'tcp:' before the IP Address?
Sometimes you need to force it, otherwise IIS can choose other ways to connect to your SQL server (like UDP for instance).
I've done a small TCP/IP server which acts quite like an ftp server.
On the client side, I'm using an API to connect and to exchange data against the server.
This server will be on an active-directory ecosystem, so the client.
What kind of API should I use to implement a SSO/AD authentication on my server ?
(Everything is written in C)
I've seen that SqlServer is doing this through the Trusted connection term. Perhaps a simplier to do things ?
Should I lead to SSPI exchange loop ?
Yes, you need to init a security context from the client and accept that contect from the server, loop until the security context has been established. If you are concerned about your private, you can encrypt the entire traffic with Kerberos.
Now an application is connected to a database server in the same LAN and performs selects and inserts.
The database will be moved to a remote location accessible throughout internet. Performance degradation will be addressed reducing the number of operations to the db. It is not possible to use vpn or configure access-in rules based on client IP on the firewall of the net where the database server will be moved. So it seems to me it is necessary to create a database front end in order to protect it. I suppose one way to achieve this goal is to create a web service.
Are there easier alternatives?
I'm new to web services: it should run into Glassfish server while the client would be a c# application.
I read a bit about securing a web service but I'm a confused.
One method I found in internet is to use Glassfish built-in authentication mechanism and configure web.xml limiting the access to the web service URL to a group of users.
It seems an easy approach, are there any drawbacks?
Is it easy to use this type of authentication in the C# client?
Other existing web services wants a parameter key in the request. Then this key is compared with valid ones and if the check is successful the request will be accepted.
Is this approach more secure than the previous one?
Another alternative is to use WSIT but at a first glance it seems over-complicated and all the security mechanisms need a server certificate.
Anyway it looks more secure; does it fit well with JAX-RS and restful web services?
You can use L2TP or PPTP VPN in this case.
Let me show you first Network topology.
Client (accessing firewall with L2TP or PPTP )-----> Firewall (L2TP or PPTP VPN Server)---> Firewall LAN where your Server placed.
In above case all Client come from VPN so its secure and On firewall you have to Configure VPN to LAN rule with client base rule.