I have a customer trying to connect a Google Data Studio data source to MySQL, via SSL connection, however, they are receiving an Error Code: a113b4a0.
What does this error ID represent, and how do I help them resolve this problem?
Found the solution -
Apparently for SSL connection in Data Studio, we need to provide the cert file in .pem file format instead of .crt format.
We can use openssl to convert the cert file.
Perhaps the product team can change the error message to something more meaningful instead of just error ID (the error ID changed for every attempt). Also the documentation is not easy to find pertaining to this issue (didn't come across any)
p/s: will like to vote down whom vote down the question. If the person think the question is of low quality, should at least provide the answer to those whom need it, not just discount others without giving the the solution.
The solution to this problem I was having was to enable TLSv1.1 in MySQL server's configuration. What it looked like was that Google Data Studio's SSL configuration was not capable of connecting via TLSv1.2 or TLSv1.3 versions of the protocol.
This is enabled by including in /etc/my.cnf.d/server.cnf:
[mysqld]
tls_version = TLSv1.1,TLSv1.2,TLSv1.3
Related
I am developping one server service using the Kerberos and got the ticket from client, I can deciphered the ticket with the predefined keytab, now my question is how to use the PAC information in the ticket. Previously I use the LDAP procedure to query the user's group membership to get the authorization information.
Now the PAC's logon information include the membership, but it is group ID, but I need "DN" text based format (CN=xxx,OU=xxx, DC=xxx...).
I would like to know in general, how to use this authorization data in the ticket in the service server. Thanks!
If your application service is not running on Windows, you will not be able to read the PAC without jumping through some serious hoops. The PAC is built using Microsoft proprietary code, which is something Microsoft introduced into their flavor of Kerberos IAW RFC 1510 but their words, "slightly modified". Shortly after the release of Windows 2000 [Active Directory], Microsoft received some negative press attention because of the proprietary way they used the PAC field in a Kerberos ticket. [Microsoft] explicitly forbids the creation of software that implements the PAC as described in the specifications.
I spent a long time trying to find something open source and reliable which could read the PAC anyway, and I found that JAASLounge does this. It's an old article though (from 2010). Be aware that, it appears, based on my interpretation based on Microsoft's statement, to be a violation of their terms and conditions.
Anyway, I've also bookmarked two threads from right here in this forum by people who claim to have gotten JAASLounge this working, and some of the troubles they had to work through.
Decrypt kerberos ticket using Spnego
Malformed PAC logon info on new KerberosToken
In case you don't want to go down this route, and want to bypass the PAC to determine the AD user's group memberships, then you will have to resort to making an LDAP call back to the AD domain controller.
I'll close by saying that if you're running on a Windows-based application server such as IIS or SharePoint, Kerberos decoding of the PAC takes place automatically, so no special code, configuration, or keytab file is ever required.
The Microsoft node.js sql server driver (https://github.com/Azure/node-sqlserver) has not had any commits for 11 months. Anyone know what's going on with this effort? My company is using it actively, but has run across some issues that led me to the repo and the discovery that it seems to have been abandoned. Lots of open bugs also.
Should we give up on this driver and try another? Any recommendations?
Microsoft, please weigh in here.
I emailed the Microsoft main contributor and he was very helpful, although he did admit that officially MS has never declared one way or the other if they were going to continue support. Guess we'll wait and see.
In regards to my original problem - this info may help someone.
I was using queryRaw and listening for events to build the response. This method allows the user to submit multiple sql queries in one request (just separate them with ;). A large text datatype field was getting truncated and I couldn't figure out why. Turns out that the 'more' parameter that is supplied by the driver means that you must concatinate the return data.
Lots of trial and error when figuring out this driver.
I can capture the packets using wireshark, but I can't decode the stream into anything intelligible.
This item in the WireShark bug database suggests that maybe this isn't possible in SQL Server 2005 or newer. But several people on Stack Overflow claimed this was a good method in answers to this question:
How to validate SQL Server traffic is encrypted?
Any help appreciated.
Edit (2017-05-02): Microsoft Network Monitor - has been replaced by Microsoft Message Analyzer - which serves the same purpose. See also comment below this answer or the answer further down for how to use it!
Note: Microsoft Message Analyzer was deprecated in late 2019, and is no longer available for download.
Original Answer
There is another much underrated tool from Microsoft itself: 'Microsoft Network Monitor'. Basically this is very similar to wireshark with the exception that some specific MS protocols have better parser and visualisation support than wireshark itself and obviously it would only run under windows ;-).
The tool is quite old and looks abandoned (havn't seen a newer release so far) but still does an good job and the grammar for defining new protocols is quite neat/interesting - so this still possess a lot of power for the future.
Analysis Example - Recording is filtered for TDS - so the other packets are discared mostly:
This is also true for sql server connections. The MNM can even visualize the resultsets going over the wire - quite neat. Nonetheless wireshark as mentioned above would be sufficient to validate encryption and applied certificates on the wire itself. Means it can understand the TDS-Protocoll fully.
Handling TLS
Also with an extension (so called experts) 'NmDecrypt' and the right certificates (including private keys) - it is possible to decrypt protocolls - quite nice for TDS which uses TLS INSIDE of TDS - no wonder - no one has really implemented that yet as a fully supported protocoll for wireshark ;)
So far - regarding MSSQL-Traffic - or to be more precice TDS-Protocol this is the best tool I've come across so far. Wireshark is cool - but in this case MNM is 'better'. Have phun! ;)
Links for the tools:
Microsoft Network Monitor: http://www.microsoft.com/en-us/download/details.aspx?id=4865
NMDecrypt: http://nmdecrypt.codeplex.com/releases/view/85581
Not wireshark, but for me the Microsoft Message Analyzer worked great for that.
To get all the sent commands
Start a new session
Add Live Trace as as Data Source
Select Scenario (I chose Local Network Interfaces)
Enter a session filter expression like *address == 10.1.2.129 to filter only traffic to your sql server.
Click start
Right click on column header in the massage table and select Add columns...
Add TDS > SQLBatch > SqlBatchPacketData > SQLText
This should give you something like the following
Unfortunately there is no autoscroll implemented at the moment, but you can sort by timestamp and have the new queries popping up at the top.
The question that you are refering to is how to prove that the traffic is encrypted.
So they were using wireshark to show that you could not read it.
The encryption was weak on earlier versions of SQL server, but I don't think that it is easy to decrypt SQL Server 2005 traffic.
Wireshark decodes and shows you captured data when understand the protocol (and layer). That means the captured data isn't encripted.
If the data is encripted (SSL, ie), WS will only show SSL handshakes and raw data.
Is there a simple way to determine what database is in use behind a website from an external HTTP request? i.e., I make an HTTP request, get back whatever data is going to come from the webserver - can I inspect any of that and reliably determine that DB in use? I am thinking not, but figured I would ask this group.
No. The same answer could come from a static file, a SQL database, or a martian telepath.
No and for a good reason. If there were it would be a security hole. Unless it is a part of the application functionality.
For most websites, the answer is no, however, you may find security holes which reveal this information. For example, it's possible to get this information if the site isn't coded against sql injection attacks. For example, try entering the following as your user name:
'; select version();
On shared hosting system, they often don't have a firewall protecting the database from external connections.
Try the following:
telnet localhost 3306
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
5
5.0.51a—Bjb-W
This tells you that the server is running MySQL version 5.0.51a. MSSQL and Sybase also identify their version number before the client attempts to login.
Probably the easiest way is just to ask the webmaster. If your not a hacker, and the site isn't a bank, they will likely tell you.
I am devoloping an windows application in dot net.It's config file includes sensitive data such as sql pass..So When deploying application i want to give it as encrypted.
I googled arund and found one that Rsiprovider to encrypt the fields.
But encryption is machine specific and needs deploying config file in clear mode and after first run of program ,encryption is succeed on the runnig machine.
Is there a way to deploy config files as encrypted ?
Think about it - if you encrypt before shipping you will also have to provide a key somewhere. And then the problem shifts to how to hide that key...
The post-setup encryption is meant to hide the config from prying eyes.
This link has helped me make an encrypted config file. The problem with other solutions is that they are machine specific, so if you encrypt the .config, it cannot be de-crypted in another machine (not very feasible when you are deploying the app to many machines)