Sunday, November 15, 2015

How to connect to informix db without username & password (Enable trusted connection)

IBM Informix supports trusted connections, which let a client connect to the DB without providing a user name and password. You can refer to my previous blog post from here to get started with Informix. So let's see how to create a trusted connection in Informix and how to connect to the DB with it.

Step 1 Create a trusted connection in informix DB


For this you will need the IP address of the client that will connect to the DB and the user name for that connection. In my example the details are as follows:

  1. IP - 192.168.1.5
  2. User - Sample
Launch a server instance and access it via "dbaccess". Navigate to "Query - Language"; you will then be asked to select a database. Select one of your desired databases and press "Enter". Now click on "New" and you will be taken to the "Query Editor" (refer to the pic below).


First, grant the user the permission needed to create trusted connections. You can use the following query:



1) GRANT DBSECADM TO {INFORMIX_USER};

Now that the user has permission to create trusted connections, let's look at the sample queries that let Informix identify a user who connects to the DB without providing a user name and password in the connection string.


2) CREATE TRUSTED CONTEXT tcx1 USER Sample ATTRIBUTES (ADDRESS '192.168.1.5') ENABLE;

3) GRANT CONNECT TO Sample;

In query 2, "Sample" is the user name that I am allowing to connect without providing a user name and password. The address 192.168.1.5 is the address from which the user will connect to the DB. Query 3 grants that user permission to connect to the server. After executing the above two queries, user "Sample" is configured to connect without a user name and password.




Step 2 Connect and test the trusted connection without credentials


I will be using DBeaver as the DB client to test this connection. DBeaver is a universal DB connection tool which can be downloaded from here.

Now run the DBeaver client, create a new Informix connection and provide the connection details as below.

jdbc:informix-sqli://192.168.1.5:9093/{DB_NAME}:INFORMIXSERVER={SERVER_NAME};TRUSTED_CONTEXT=TRUE


Now test the connection without providing a user name and password. You will be successfully connected to the DB (refer to the pic below).







Monday, November 2, 2015

Integrate WSO2 ESB as a message consumer from WSO2 MB using SSL


WSO2 ESB can consume messages from and produce messages to WSO2 MB in different ways: using proxies, MS/MP and inbound endpoints. This post covers how to use the ESB as a message consumer from WSO2 MB over an SSL connection.

Step 1 Download the products

For this I am using WSO2 ESB 4.9.0, which can be found from here, and WSO2 MB RC1, which can be found from here.

Step 2 Configure SSL in WSO2 MB and WSO2 ESB

WSO2 MB
To create a new keystore and configure it in WSO2 MB, refer to my previous blog post from here. Also remember to set a port offset of 1 for WSO2 MB.


WSO2 ESB
On the ESB side, since we are using an inbound endpoint, there are very few places that need to change.


  1. Copy the client libraries from WSO2 MB, which are located at {WSO2_MB_HOME}/client-libs, to {WSO2_ESB_HOME}/repository/components/lib
  2. Configure the jndi.properties file as follows. The jndi file can be found at {WSO2_ESB_HOME}/repository/conf
          Create the queue connection factory as shown below

connectionfactory.QueueConnectionFactorySSL = amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8673?ssl='true'&ssl_cert_alias='RootCA'&trust_store='{PATH TO TRUST STORE}/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='{PATH TO KEY STORE}/mykeystore.jks'&key_store_password='mypkpassword''


Step 3 Creating a SSL enabled inbound endpoint in ESB

Now that we have configured WSO2 MB and ESB, let's create the queue and connect to MB via SSL. Navigate to the WSO2 ESB console and click on the inbound endpoint section. From there give a name and select JMS. Refer to the pic below to complete the fields. Remember to point to the jndi file and also give the connection factory and the initial connection factory.




Step 4 Testing the connection

Once the above inbound endpoint is created, a queue will be created in WSO2 MB with an active subscription.


You can verify that SSL is working correctly by changing the jndi connection to use a false password. An exception will then be thrown.
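
A pre-deployment check for the connection factory entry from Step 2, as an added example that is not part of the original post or of WSO2. It parses the nested quoting of the brokerlist option and reports the settings that would stop the SSL connection or leave it in plain text; the sample entry is constructed and /opt/stores is a made-up path.

```python
import re

# Constructed sample in the shape of the jndi.properties entry above;
# /opt/stores is a made-up path.
SAMPLE = ("connectionfactory.QueueConnectionFactorySSL = "
          "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8673"
          "?ssl='true'&ssl_cert_alias='RootCA'"
          "&trust_store='/opt/stores/client-truststore.jks'"
          "&trust_store_password='wso2carbon'"
          "&key_store='/opt/stores/mykeystore.jks'"
          "&key_store_password='mypkpassword''")


def parse_factory(line):
    """Split a connectionfactory entry into (name, broker address, options)."""
    name, url = (part.strip() for part in line.split("=", 1))
    # The broker options sit inside the quoted brokerlist value, after its "?".
    m = re.search(r"brokerlist='(?P<addr>[^?']+)\??(?P<opts>.*)'\s*$", url)
    if not m:
        raise ValueError("no brokerlist in connection URL")
    opts = dict(re.findall(r"(\w+)='([^']*)'", m.group("opts")))
    return name.split(".", 1)[1], m.group("addr"), opts


def check_ssl(line):
    """Return a list of problems found in the entry's SSL settings."""
    _, addr, opts = parse_factory(line)
    problems = []
    if opts.get("ssl") != "true":
        problems.append(f"{addr}: ssl is not 'true'")
    for store in ("trust_store", "key_store"):
        if not opts.get(store):
            problems.append(f"{store} not set")
        elif re.search(r"[{}]", opts[store]):
            problems.append(f"{store} still contains a placeholder")
        if not opts.get(store + "_password"):
            problems.append(f"{store}_password not set")
    return problems


if __name__ == "__main__":
    print(parse_factory(SAMPLE))
    print(check_ssl(SAMPLE) or "no problems found")
```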


Sunday, November 1, 2015

How to configure a new keystore in WSO2 MB

WSO2 products are shipped with a default keystore. However, in production it is not recommended to use it, as it is publicly available. So it is recommended to create a new keystore in order to use SSL communication. This blog post is a guide on how to configure a new keystore in WSO2 MB.


Step 1 Create a new keystore


There is a good blog post which explains the steps to create a new keystore - Hasini Gunasinghe's blog - Installing a new keystore into WSO2 Carbon based products. Follow the first 3 steps in order to create the new keystore.


Step 2 Change the configurations as per the new keystore


Now that you have added the new keystore to the {WSO2MB}/repository/resources/security folder, the next step is to change the configuration files. In WSO2 MB there are 3 configuration files that need to be edited.

  1. carbon.xml
  2. broker.xml
  3. catalina-server.xml

These files are located under the {WSO2MB}/repository/conf folder. Below are the snippets showing where the respective files need to be amended.

carbon.xml


        <KeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>JKS</Type>
            <!-- Keystore password-->
            <Password>mypkpassword</Password>
            <!-- Private Key alias-->
            <KeyAlias>mycert</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>mypkpassword</KeyPassword>
        </KeyStore>



broker.xml


        <amqp enabled="true">
            <bindAddress>0.0.0.0</bindAddress>

            <defaultConnection enabled="true" port="5672" />

            <sslConnection enabled="true" port="8672">
                <keyStore>
                     <location>repository/resources/security/mykeystore.jks</location>
                     <password>mypkpassword</password>
                </keyStore>
                <trustStore>
                    <location>repository/resources/security/client-truststore.jks</location>
                    <password>wso2carbon</password>
                </trustStore>
            </sslConnection>

            <maximumRedeliveryAttempts>10</maximumRedeliveryAttempts>
            <allowSharedTopicSubscriptions>true</allowSharedTopicSubscriptions>

            <!-- Refer repository/conf/advanced/qpid-config.xml for further AMQP-specific configurations.-->
        </amqp>




        <mqtt enabled="true">
            <bindAddress>0.0.0.0</bindAddress>

            <defaultConnection enabled="true" port="1883" />

            <sslConnection enabled="true" port="8883">
                <keyStore>
                    <location>repository/resources/security/mykeystore.jks</location>
                    <password>mypkpassword</password>
                </keyStore>
                <trustStore>
                    <location>repository/resources/security/client-truststore.jks</location>
                    <password>wso2carbon</password>
                </trustStore>
            </sslConnection>

            <!-- remaining mqtt settings unchanged -->
        </mqtt>



catalina-server.xml


Navigate to the section beginning with <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" and set the new keystore name and the password as shown below.

 keystoreFile="${carbon.home}/repository/resources/security/mykeystore.jks"
 keystorePass="mypkpassword"
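
Because the keystore is referenced from several files, it is easy to update one and miss another. The following check is an added example, not part of the original post or of WSO2: it walks the store entries of carbon.xml and broker.xml and reports any that still use the shipped wso2carbon.jks file or the shipped store password wso2carbon. The sample input is constructed to show a half-finished change, and the <conf> wrapper element is made up so the fragments parse as one document.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "wso2carbon.jks"  # keystore file shipped with the product
DEFAULT_PASSWORD = "wso2carbon"      # password of the shipped stores

# Constructed sample: carbon.xml is updated, the amqp block of broker.xml is not.
SAMPLE = """<conf>
  <KeyStore>
    <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
    <Password>mypkpassword</Password>
    <KeyPassword>mypkpassword</KeyPassword>
  </KeyStore>
  <amqp enabled="true">
    <sslConnection enabled="true" port="8672">
      <keyStore>
        <location>repository/resources/security/wso2carbon.jks</location>
        <password>wso2carbon</password>
      </keyStore>
      <trustStore>
        <location>repository/resources/security/client-truststore.jks</location>
        <password>wso2carbon</password>
      </trustStore>
    </sslConnection>
  </amqp>
</conf>"""


def audit_stores(xml_text):
    """Return (element path, issue) pairs for stores still on shipped defaults."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}

    def path(el):
        parts = []
        while el is not None and el is not root:
            parts.append(el.tag)
            el = parents.get(el)
        return "/".join(reversed(parts))

    findings = []
    for el in root.iter():
        tag, text = el.tag.lower(), (el.text or "").strip()
        if tag == "location" and text.rsplit("/", 1)[-1] == DEFAULT_KEYSTORE:
            findings.append((path(el), "default keystore file"))
        elif tag in ("password", "keypassword") and text == DEFAULT_PASSWORD:
            findings.append((path(el), "default password"))
    return findings


if __name__ == "__main__":
    print(*audit_stores(SAMPLE), sep="\n")
```

Run against the broker.xml snippets above, the same check reports only the trustStore passwords, since client-truststore.jks is still opened with wso2carbon there.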


That is it; you have now configured the new keystore. You may have seen the log below printed when the default keystore was in use. It should ideally not be printed at server startup now.


"[2015-11-01 13:10:31,953]  WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} -  Carbon is configured to use the default keystore (wso2carbon.jks). To maximize security when deploying to a production environment, configure a new keystore with a unique password in the production server profile.
[2015-11-01 13:10:31,953]  WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} -  Carbon is configured to use the default keystore (wso2carbon.jks). To maximize security when deploying to a production environment, configure a new keystore with a unique password in the production server profile.
"