Oracle Enterprise Manager Keystore vs Weblogic Keystore - weblogic11g

I am having to consume a web service via 2 way SSL. We have exchanged certificates and I am trying to connect and am getting a handshake failure. I am using Oracle Service Bus to connect to the web service. My questions:
What is the keystore in the fwmconfig folder (that I access from Oracle Enterprise Manager)?
What is the keystore in the weblogic server (that I access from the admin console/managed server keystore tab)?
What are the differences between these, and which one should I use to import the server's cert and try to connect?
Also, there are cacerts in several directories in the installation, what do I use those for?
I don't know where to import the server certificate. Can someone please help?

The Enterprise Manager keystore is used by Fusion Middleware for message-level security (encrypting the message with certificates).
The weblogic keystore is used by the webserver/load balancer to accept the HTTP requests and handles SSL
See above
The cacerts files are the default trusted root CAs.
So the keystore to use for enabling SSL is the weblogic server version.
Also be sure to enable 2 way SSL in weblogic:
http://docs.oracle.com/cd/E14571_01/apirefs.1111/e13952/taskhelp/security/ConfigureTwowaySSL.html
Resources used:
http://theheat.dk/blog/?p=2059

Related

PowerBI + Snowflake (AWS privateLink): 'SSL peer certificate or SSH remote key was not OK'

PowerBI: Version: 2.86.727.0 64-bit (October 2020)
ODBC Connector: PowerBI's integrated Snowflake ODBC connector (out of the box one)
Snowflake: .southeast-2.privatelink.snowflakecomputing.com
Authentication: OAuth2.0 integration with AAD
Error Message while connecting from PowerBI:
Details: "ODBC: ERROR [HY000] [Microsoft][Snowflake] (4)
REST request for URL https://bhp_dev.ap-southeast-2.privatelink.snowflakecomputing.com:443/session/v1/login-request?requestId=6100abf5-7441-4dc8-8b86-35f44ca0e94c&request_guid=257da304-137e-4e39-95b0-edfff416fb0d&warehouse=COST_MONITOR
failed: CURLerror (curl_easy_perform() failed) - code=60 msg='SSL peer certificate or SSH remote key was not OK' osCode=9 osMsg='Bad file descriptor'
Snowflake setup:
created a security integration to enable SSO as per the doco link
created a network policy to include the PowerBI and PowerQueryEditor network addresses
assigned the network policy to a user
PowerBI setup:
nothing special.
The SSO works OK when Snowflake is not using private links.
Any ideas would be greatly appreciated.
Currently, the Snowflake Power BI SSO feature has the following limitations:
AWS PrivateLink and Azure Private Link are not supported. If it is necessary to use either of these two services to connect to Snowflake, use the on-premises gateway to connect. This pathway will not provide single sign-on.
https://docs.snowflake.com/en/user-guide/oauth-powerbi.html#limitations

Application which is running on RedHat 7.5 connect to SQL Server 2016

We are deploying a Java application to RHEL 7.5; this Java application needs to connect to SQL Server 2016. As a security requirement, we must use integrated security to connect to SQL Server 2016. Following the suggestion on Microsoft's website, we are implementing Kerberos on the Windows AD server and RHEL 7.5.
Unfortunately, we are facing a credentials issue. The klist command works fine on RHEL 7.5, which means the Kerberos client installed on RHEL 7.5 can talk to the Kerberos server (Windows AD server) normally. RHEL 7.5 can also ping/telnet the AD server and SQL Server.
We have followed Microsoft's spec to set the SPN as follows:
setspn -A HTTP/SERVER_01.devdc.local#DEVDC.LOCAL devdc.local\admin.
According to Microsoft's guideline we should use MSSQLSvc, not HTTP, but we have an issue when we use MSSQLSvc; we think the reason is that the OS version of the AD server is Windows Server 2012, so it cannot support the MSSQLSvc protocol. After changing to HTTP, Kerberos works fine: we can use kinit to generate a ticket and klist to see the ticket information.
Part of our Java code is below:
import java.sql.Connection;
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

// Point the JVM's Kerberos implementation at our krb5.conf (note: Java does not expand "~", so an absolute path is safer)
System.setProperty("java.security.krb5.conf", "~/krb5.conf");
SQLServerDataSource ds = new SQLServerDataSource();
ds.setServerName("192.168.100.150");
ds.setPortNumber(1234);
ds.setIntegratedSecurity(true);             // Windows integrated authentication instead of a SQL login
ds.setAuthenticationScheme("JavaKerberos"); // pure-Java GSS-API Kerberos, no native SSPI DLL needed on RHEL
ds.setDatabaseName("DB_TEST");
try (Connection conn = ds.getConnection()) { /* the Kerberos service-ticket request for the SPN happens here */ }
The error details are as follows:
Error connection to database:(using class com.microsoft.sqlserver.jdbc.SQLServerDriver)
GSSException: No valid credentials provided (mechanism level: Server not found)
KrbException: Server not found in Kerberos database(7)
KrbException: Identifier doesn't match expected value(906)
I would be grateful if you can help.
You don't appear to be setting the SPN. See
A service principal name (SPN) is the name by which a client uniquely
identifies an instance of a service.
You can specify the SPN using the serverSpn connection property, or
simply let the driver build it for you (the default). This property is
in the form of: "MSSQLSvc/fqdn:port#REALM" where fqdn is the
fully-qualified domain name, port is the port number, and REALM is the
Kerberos realm of the SQL Server in upper-case letters. The realm
portion of this property is optional if your Kerberos configuration's
default realm is the same realm as that of the Server and is not
included by default. If you wish to support a cross-realm
authentication scenario where the default realm in the Kerberos
configuration is different than the realm of the Server, then you must
set the SPN with the serverSpn property.
For example, your SPN might look like:
"MSSQLSvc/some-server.zzz.corp.contoso.com:1433#ZZZZ.CORP.CONTOSO.COM"
Using Kerberos integrated authentication to connect to SQL Server - Service principal names.
The driver will attempt to build the SPN for you from the other connection attributes, but you've got an IP address instead of a FQDN, so it cannot build the correct SPN. In the default configuration SQL Server registers its own SPNs and you can see the correct SPN in the SQL Server log, but there are scenarios where additional SPNs must be registered for the service account, and you would need to use the setspn command on Windows to see them.
Assuming your SQL Server is listening on port 1234, and you haven't changed the service account for the SQL Server instance from the default, then the SPNs should be registered for the machine account, and the setspn statements should be:
setspn -A MSSQLSvc/SERVER_01.devdc.local devdc\SERVER_01$
setspn -A MSSQLSvc/SERVER_01.devdc.local:1234 devdc\SERVER_01$
If you've set a domain account as the service account, say devdc\sqlsvc, then substitute that:
setspn -A MSSQLSvc/SERVER_01.devdc.local devdc\sqlsvc
setspn -A MSSQLSvc/SERVER_01.devdc.local:1234 devdc\sqlsvc
TL;DR: use the SQL Server's fully-qualified domain name (FQDN) for setServerName() instead of an IP address. If that doesn't work, you'll have to ask your network security people what SPNs are registered for the SQL Server service account. If you give up on Kerberos, fall back to NTLM.
Also in the newer JDBC driver Microsoft has implemented NTLM, which is the other Windows Authentication protocol.
But be aware of the following security caveat:
The NTLM protocol is an old authentication protocol with various
vulnerabilities, which pose a security risk. It's based on a
relatively weak cryptographic scheme and is vulnerable to various
attacks. It's replaced with Kerberos, which is a lot more secure and
recommended. NTLM authentication should only be used in a secure
trusted environment, or when Kerberos can't be used.
The Microsoft JDBC Driver for SQL Server only supports NTLM v2, which
has some security improvements over the original v1 protocol. It's
also recommended to enable Extended Protection, or use SSL Encryption
for increased security.
Using NTLM Authentication to connect to SQL Server - Security risks
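To make the SPN rule in the answer above concrete, here is an added example (not code from the thread, from the JDBC driver or from Microsoft) that derives the SPN the driver would build from setServerName()/setPortNumber(), shows why an IP literal cannot produce one, and checks the result against a sample of `setspn -L` output. The host name SERVER_01.devdc.local, port 1234 and account devdc\SERVER_01$ come from the thread; the setspn listing is constructed, and only the documented MSSQLSvc/fqdn:port#REALM form is modelled, not the driver's internal code.

```python
"""Kerberos SPN sanity check for the JDBC driver's "JavaKerberos" scheme.

Added example, not code from the thread or from the Microsoft JDBC driver.
It models the documented rule (MSSQLSvc/fqdn:port#REALM) and compares the
derived SPN with what `setspn -L` reports for the service account.
"""
import ipaddress

# Constructed sample of `setspn -L devdc\SERVER_01$` output for the machine
# account in the question: only the HTTP SPN the asker registered is present,
# no MSSQLSvc SPN. Not real output from the asker's domain controller.
SETSPN_L_OUTPUT = """\
Registered ServicePrincipalNames for CN=SERVER_01,CN=Computers,DC=devdc,DC=local:
        HTTP/SERVER_01.devdc.local
        HOST/SERVER_01.devdc.local
        HOST/SERVER_01
"""


def parse_setspn_list(text):
    """Return the SPNs listed by `setspn -L`, skipping the header line."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def is_ip_literal(host):
    """True for 192.168.100.150 or ::1, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def default_spn(server_name, port, realm=None):
    """SPN in the driver's documented serverSpn form: MSSQLSvc/fqdn:port[#REALM].

    Returns None when server_name is an IP literal: the service registered its
    SPN under its host name, so there is no FQDN to build from (the asker's
    setServerName("192.168.100.150") case).
    """
    if is_ip_literal(server_name):
        return None
    spn = f"MSSQLSvc/{server_name}:{port}"
    if realm:
        spn += f"#{realm.upper()}"  # realm part is upper-case per the driver docs
    return spn


def service_name(spn):
    """Split off the driver-specific '#REALM' suffix; the KDC looks up the part before it."""
    name, _, realm = spn.partition("#")
    return name, (realm or None)


def spn_registered(spn, registered_spns):
    """AD's KDC matches SPNs case-insensitively, so compare that way."""
    name, _ = service_name(spn)
    return any(name.lower() == r.lower() for r in registered_spns)


def setspn_commands(fqdn, port, account):
    """The two registrations the answer shows (with and without the port)."""
    return [
        f"setspn -A MSSQLSvc/{fqdn} {account}",
        f"setspn -A MSSQLSvc/{fqdn}:{port} {account}",
    ]


def diagnose(server_name, port, realm, registered_spns):
    """Explain why the driver would get 'Server not found in Kerberos database'."""
    spn = default_spn(server_name, port, realm)
    if spn is None:
        return f"server name {server_name!r} is an IP literal; use the FQDN so a MSSQLSvc SPN can be derived"
    if not spn_registered(spn, registered_spns):
        return f"{spn} is not registered for the service account; register it with setspn -A"
    return f"{spn} is registered; the KDC can issue a service ticket"


if __name__ == "__main__":
    registered = parse_setspn_list(SETSPN_L_OUTPUT)
    print(diagnose("192.168.100.150", 1234, "devdc.local", registered))
    print(diagnose("SERVER_01.devdc.local", 1234, "devdc.local", registered))
    for cmd in setspn_commands("SERVER_01.devdc.local", 1234, r"devdc\SERVER_01$"):
        print(cmd)
```

Running it prints the IP-literal diagnosis first, then the "not registered" diagnosis for the FQDN (the constructed listing has only HTTP/ and HOST/ SPNs), then the two setspn lines that would fix it. Paste real `setspn -L` output into SETSPN_L_OUTPUT to check your own instance.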

Active Directory 2008R2 Serving Invalid TLS Certificate Over LDAP

I am creating a simple client to connect to the LDAP servers running on one of my windows 2008R2 Active Directory Domain Controllers.
I have successfully connected to the LDAP server over a non TLS connection. However, whenever I attempt to make a TLS connection, the handshake fails. After some digging, and downloading the certificate using the following command:
openssl s_client -connect <domain controller>:636
I found that the certificate being served from the LDAP server is invalid. I can see that the certificate is signed by our CA, and my local system that runs the application already has this trust established with the CA. However, it is missing all of the subject information in the certificate. The client application does not allow for this.
After speaking with the administrator, he indicated that the certificates generated for the domain controller systems to serve TLS over LDAP are created automatically by our internal Microsoft Certificate Server. He was not sure how to address this.
After numerous Google searches, I have come up pretty empty on how to resolve this. Is it something that is addressed on the certificate server? Is it something on the domain controller which is stripping the subject information? Is it some setting or configuration? Since I do not have direct access to these systems, I am at a loss on where to begin.
Any assistance would be appreciated.
Blindly trusting a certificate that is invalid is not an acceptable solution.
Ask your admin to export the root certificate for your environment (like, to a .cer file). Then you can use that file to add it as a trusted root certificate on the computer that needs to access it.
That's how we do it in our environment when we've needed to access an external domain over LDAPS.
Of course, that only works if the application accessing LDAPS uses the Windows certificate store. Some applications, like Java-based apps, don't, and you need to do it another way.
I was able to assist my admin with updating the template the certificate server was using to include the subject and subject alternative name.
I found the following articles that helped determine the problem
https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate
Ultimately we went over each setting until we found the right solution to why the certificate server was sending an invalid certificate.
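The check the client application applied, and why an empty subject fails it, can be reproduced offline. The following is an added example, not code from the thread or from any Microsoft tool: it re-implements host-name matching over a certificate in the layout Python's ssl.SSLSocket.getpeercert() returns, with three constructed certificates: one with an empty subject and no SAN (the thread's symptom), one with CN plus SAN (what the corrected template issues), and one CN-only. The host name dc01.corp.example and the CA name are assumptions. fetch_peer_cert() pulls a live certificate over port 636 if you have a DC and its CA file to hand; the main block uses only the constructed ones.

```python
"""Why a TLS client rejects a certificate with no subject and no SAN.

Added example, not code from the thread. It re-implements the host-name check
a client applies to a server certificate, using the dict layout returned by
ssl.SSLSocket.getpeercert(), so the reason for a failure can be printed
instead of a bare handshake error.
"""
import socket
import ssl

DC_HOST = "dc01.corp.example"  # assumed domain controller name, not from the thread

# Constructed certificates in getpeercert() layout (not captured from any DC).
# The first mirrors the thread: issued by the internal CA, but empty subject and no SAN.
CERT_EMPTY_SUBJECT = {
    "subject": (),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
# What the fixed template produces: subject CN plus SAN dNSName entries.
CERT_WITH_SAN = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
}
# Older style: CN only, no SAN (accepted by legacy clients, rejected by some modern ones).
CERT_CN_ONLY = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style: exact match, or a single '*' as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def subject_names(cert):
    """Return (SAN dNSName list, subject commonName list) from a getpeercert() dict."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return san, cns


def check_hostname(cert, hostname):
    """Return (ok, reason). SAN dNSName wins when present; CN is only a fallback."""
    san, cns = subject_names(cert)
    if san:
        if any(dns_name_matches(n, hostname) for n in san):
            return True, f"{hostname} matches a SAN dNSName"
        return False, f"{hostname} matches none of SAN {san} (CN is ignored when SAN is present)"
    if cns:
        if any(dns_name_matches(n, hostname) for n in cns):
            return True, f"{hostname} matches subject CN (legacy fallback, no SAN present)"
        return False, f"{hostname} matches none of CN {cns} and there is no SAN"
    return False, "certificate has neither a subject CN nor a SAN: nothing can match the host name"


def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Fetch a DC's certificate over LDAPS with chain validation on but the
    host-name check off, so check_hostname() above can explain a failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we do the host-name check ourselves, with a reason
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still require a chain to a trusted CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in [("empty subject", CERT_EMPTY_SUBJECT), ("CN + SAN", CERT_WITH_SAN), ("CN only", CERT_CN_ONLY)]:
        ok, reason = check_hostname(cert, DC_HOST)
        print(f"{label:14s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Against a real DC, call check_hostname(fetch_peer_cert("dc01.corp.example", cafile="corp-root.cer"), "dc01.corp.example") with your own names; the reason string tells you whether the template is missing the SAN, the CN, or both, which is faster than reading the handshake alert.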

Setting up Azure AD Connect

I'm trying to install the preview of Azure AD Connect:
https://connect.microsoft.com/site1164/program8612
During the setup, you can configure the sign-in method for users: synchronization or a federation with ADFS. I want to use ADFS, and I want the setup to configure a new ADFS farm. The setup wants an SSL certificate, so I've made a self-signed certificate and exported it as a .PFX file. However, the setup won't accept the certificate; it states "The certificate is invalid or corrupted. Please try another certificate".
I selected another certificate which I've used for a website, and I get the same result. The certificate chain is OK, I've tried to install the certificate, but no matter what, the setup keeps rejecting the certificate. I can't find any further info in the eventlog or setup log file, and since the Azure AD connect software is quite new and still in preview, there's not much info on the web regarding the installation.
Any ideas on how to make this work?
It is mandatory for AD FS to use a third-party signed certificate. If you don't want to pay for a certificate, you can use one from wosign which is free and publicly trusted (as an intermediate certification authority from VeriSign or similar I think).

Installing an X.509 Certificate on IIS in DiscountASP

All the tutorials I have seen regarding installation of an X.509 certificate assume that the server machine is your local machine and you have full access to it. But my app is hosted on DiscountASP, so how can I install the certificate on their machine?
You can't, because you don't have permission to install certificates on the hosting server. If you want to use HTTPS you must pay your hosting provider to buy and install a certificate for you (or you must have a plan which offers SSL or shared SSL directly). In the case of message security (not supported by Silverlight) you can load the certificate from a file.
