DB2 Native Encryption - restarting the DB2 instance - database

We are investigating using native encryption with our DB2 v11.1 instance. I have read the documentation available but have been advised by a team member that once native encryption is enabled on a database, when the database instance is restarted the DBAs would need to re-enter the password for the encryption key before any application could access the database. We are not planning to stash the password.
Can anyone advise if this is the case? The reference I have found is here on this IBM KB article and says:
However, this additional security must be weighed against any requirements that the DB2 instance can start without human intervention. If the password is not stashed, you cannot access an encrypted database until you provide the keystore password.
Does that include a web application that connects to the DB2 instance to access the encrypted database? Or is this just for DBAs connecting to maintain/run queries?
Thanks in advance!

Without stashing you can use
db2start open keystore using <Keystore-Password>
or
db2start open keystore passarg filename:<file>

Alternative to Azure Key Vault provider in Always Encrypted SQL Server for applications running on Linux

To utilize the Always Encrypted feature in SQL Server, implementing the Azure Key Vault provider is the most convenient option. However, it has a dependency on the Azure cloud network.
Azure Key Vault cannot be used for on-premises, intranet-only deployments. When the application is running on Windows Server, any Windows-compatible provider like MSSQL_CERTIFICATE_STORE can be used. But if the application is running on a Linux server, there is no provider available.
What is the recommended solution for using a key store provider for Always Encrypted SQL Server on Linux machines?
One possible way is to use ODBC Driver 17 for SQL Server with Always Encrypted on a Linux machine. You can download the driver from here.
This official document will help you understand all the prerequisites and implementation steps.

Power BI PostgreSQL data import error - "The remote certificate is invalid according to the validation procedure."

I am trying to connect a PostgreSQL database to Power BI. The database is hosted on Heroku. I am getting the following error:
An error happened while reading data from the provider:
'The remote certificate is invalid according to the validation procedure.'
I think I am getting this error because it needs "sslmode=require", but I am not sure how to proceed.
Can someone help me with this problem?
Thanks in advance.
These steps should help you connect to Power BI desktop via ODBC. Note, you should probably create a follower database in heroku so you're not using your production database credentials.
Download PostgreSQL ODBC driver and install. Note, be sure to check the GAC option during installation (https://www.postgresql.org/ftp/odbc/versions/msi/).
Restart computer.
Open Power BI and click "Get Data" button in the ribbon.
Click "Other" and then select "ODBC".
Choose "None" as the data source name.
Click the "Advanced options" and enter this connection string:
Driver={PostgreSQL Unicode};Server=HEROKU_HOST, where HEROKU_HOST is the "Host" from your heroku database credentials (example: ec2-xx-xxx-xx-xx.xxx.amazon.com).
On the next screen, enter the user name (user from Heroku DB credentials), password (password from Heroku DB credentials), and for the connection string enter the following (with HEROKU_XXXX replaced with your info):
PORT=HEROKU_PORT;DATABASE=HEROKU_DATABASE;POOLING=True;MINPOOLSIZE=1;MAXPOOLSIZE=20;HOST=HEROKU_HOST;COMPATIBLE=2.2.3.0;USER ID=HEROKU_USER;PASSWORD=HEROKU_PASSWORD;SSLMODE=require
I don't use Heroku but had a similar problem with AWS and had to configure the db provider and certificates as described below. I would think that something similar is needed for Heroku.
I did some digging and found 2 possible solutions for Heroku:
Supply the additional settings sslmode=Require;Trust Server Certificate=true in the database connection. This does not seem to be an option with Power BI, because even under "Advanced Settings" there is nowhere to provide these.
Download the certificate for your database as described here and then follow much the same process as I did below to register the certificate with Windows. If Heroku supplies a P7B (PKCS#7) or PFX (PKCS#12) format certificate, you can register that with Windows without having to do the conversion I described.
My setup of the Npgsql provider and AWS Certificates
PowerBI and Excel support connections to Postgres using the Npgsql .NET Data Provider. This provider is not installed by default on Windows. Here's how to install it:
Download the appropriate .msi installer from the Npgsql releases page. The version you need depends on your version of Excel. I am running Office 365, which required version 4.0.x (I installed 4.0.10, download here).
Run the installer. During the install there is an option to install to the GAC which is switched off by default - you must select to have the files installed to the GAC.
Reboot your computer and you should be able to set up a Postgres connection in Power BI or Excel.
AWS RDS Postgres - additional requirement
If you are connecting to a Postgres cluster running in AWS, when you attempt to connect to Postgres after installing the Npgsql provider you may get an error saying:
"The remote certificate is invalid according to the validation procedure"
Here's how to fix it:
Download the public keys for AWS RDS regions: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
Convert the bundle to a Windows certificate in P7B/PKCS#7 format. There are many ways to do this; an easy one is to use https://www.sslshopper.com/ssl-converter.html.
In Windows, search for the "Manage User Certificates" utility and open it.
Right-click on "Trusted Root Certificate Authorities", "All Tasks", "Import..."
Select the .p7b file which was the output of converting the AWS keys to P7B format.
Choose to place all certificates in the Trusted Root Certification Authorities store.
You will probably have to confirm for each certificate - there is one per AWS region.
You should now be able to connect to your AWS RDS Postgres database from PowerBI or Excel.
You need to check if the host-based authentication in your Postgres database is allowing this connection from Power BI.
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
The file is usually available in the Postgres data folder and its structure is like the line below. Make sure the client host and username have the right permissions to access the database.
local database user auth-method [auth-options]
Note: If you are using a cluster manager like Patroni, the pg_hba.conf file will be overwritten by Patroni every time you edit it. You will have to edit this configuration from the patronictl command.
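As an added example (not part of the answer above), here is a small Python checker that applies pg_hba.conf first-match semantics to a constructed sample file, so you can see which rule and auth method a given client (such as the Power BI host) would hit. It handles local/host/hostssl/hostnossl rules with CIDR addresses only; hostnames, samenet/samehost, user groups and comma lists are assumed absent.

```python
import ipaddress

# Constructed sample pg_hba.conf content (not taken from any real server).
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    reports   powerbi   10.20.0.0/16    scram-sha-256
hostssl reports   powerbi   203.0.113.0/24  scram-sha-256
host    all       all       0.0.0.0/0       reject
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf lines into rule dicts, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        # 'local' rules have no ADDRESS column; host-type rules do.
        if f[0] == "local":
            address, method = None, f[3]
        else:
            address, method = f[3], f[4]
        rules.append({"type": f[0], "db": f[1], "user": f[2],
                      "address": address, "method": method})
    return rules

def _field_matches(pattern, value):
    # 'all' matches anything; the real parser also supports lists and +groups.
    return pattern == "all" or pattern == value

def first_matching_rule(rules, db, user, client_ip=None, ssl=False):
    """Return the first rule PostgreSQL would apply, or None (=> connection refused).
    client_ip=None models a Unix-socket ('local') connection."""
    for rule in rules:
        if rule["type"] == "local":
            if client_ip is not None:
                continue
        else:
            if client_ip is None:
                continue
            if rule["type"] == "hostssl" and not ssl:
                continue
            if rule["type"] == "hostnossl" and ssl:
                continue
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule["address"]):
                continue
        if _field_matches(rule["db"], db) and _field_matches(rule["user"], user):
            return rule
    return None
```

Note that a non-SSL client from the 203.0.113.0/24 range falls through the hostssl rule to the final reject rule, which is the kind of mismatch that shows up as a refused connection from Power BI.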

Always encrypted feature in SQL Server - how to protect certificate?

I've got on the same computer (Windows Server 2012 R2 Datacenter) a web app being built on ASP.NET and a SQL Server 2017. The goal is to secure sensitive data in the database in case someone gains access to this computer. I've used the Always Encrypted feature to encrypt columns with sensitive data, and the corresponding certificate is stored in the \Certificates (Local Computer)\Personal\Certificates location.
Is there a way to prevent (password protect for example) an active windows user to access this certificate and export it?
To achieve your goal "to secure sensitive data on the database in case someone gains access to this computer", you should not consider keeping your certificate on the same machine or server.
You need to maintain the certificate in a centralized key store like Azure Key Vault.
Please see my detailed answer here.

Do we require Oracle 11g Client if we are using SQL Developer?

Do we need to install the Oracle client on the local machine if we are using SQL Developer (on the local machine) to access an Oracle database on a server (different from the local machine)?
Sometimes yes. For example, when your account expires, there is no way to change your password via JDBC. This is an Oracle-specific feature; it is not supported by the JDBC standard.
When the DBA creates your account with an expiring password, and your password expires, then you have no other way than connecting via OCI to resolve this.
JDBC does not allow you to open a session using two passwords (the old one and a new one).
Also, error messages from OCI drivers contain more information than JDBC ones.
We don't need to install the Oracle 11g client if we want to access an Oracle database that is present on a different machine or server. We just need a tool for accessing it, for example SQL Developer. We also need credentials such as username, password, hostname, SID and port number.

SQL Server equivalent of Oracle Wallet Manager

The Oracle Wallet Manager allows admins to store and manage database login credentials securely by wrapping them in a password-protected container. I have used this in the past to run VBScripts that update tables in an Oracle database, without prompting the user for a password or storing the password in cleartext in the script itself.
Now, I have written some PowerShell scripts that update a SQL Server database, but I have had to store the passwords in cleartext in the scripts.
I was wondering if there was an equivalent to the Oracle Wallet feature in SQL Server? Or would I have to store passwords in a text file and encrypt it using Powershell's ConvertFrom-SecureString? I'm looking for a secure and flexible solution.
The easy way for one-off scripts, accessing specific databases, is to use scheduled tasks. You set them to run as a specific account which has the appropriate permissions, then you don't have to worry about SQL Logins or passwords.
If you want something similar to Oracle's Wallet manager, then you should look at Credentials, and Proxies in MS SQL server.
See: Security Questions: Logins Credentials and Proxies
The Credential allows you to store and manage Login information.
A proxy is used by SQL Server Agent to map credentials to SQL Server Agent subsystems (i.e. PowerShell or SSIS).
Here is a link to a detailed guide on creating Credentials and Proxies: Run Operating System Commands in SQL Agent using PowerShell
