Sunday, November 15, 2015

How to connect to informix db without username & password (Enable trusted connection)

IBM Informix supports trusted connections, which let a client connect to the DB without providing a user name and password. You can refer to my previous blog post from here to get started with Informix. So let's see how we can create a trusted connection in Informix and how to connect to the DB.

Step 1 Create a trusted connection in informix DB


For this you will need the IP address of the client that will connect to the DB and the user name for that connection. In my example the details are as follows,

  1. IP - 192.168.1.5
  2. User - Sample

Launch a server instance and access the instance via "dbaccess". Navigate to "Query - Language", and you will be asked to select a database. Select the desired database and press "Enter". Now select "New" and you will be taken to the "Query Editor" (refer below pic).


First, grant the user the permission needed to create trusted connections. For that you can use the following query,



1) GRANT DBSECADM TO {INFORMIX_USER};

Now that the user has permission to create trusted connections, let's look at the sample query that enables Informix to identify a user who connects to the DB without providing a username and password in the connection string.


2) CREATE TRUSTED CONTEXT tcx1 USER Sample ATTRIBUTES (ADDRESS '192.168.1.5') ENABLE;

3) GRANT CONNECT TO Sample;

In query 2, "Sample" is the username that is allowed to connect without providing a username and password. The address 192.168.1.5 is the address from which the user will connect to the DB. Query 3 grants the permission to connect. After executing the above two queries, user "Sample" is configured to connect without a username and password.




Step 2 Connect and test the trusted connection without credentials


I will be using DBeaver as the DB client to test this connection. DBeaver is a universal db connection tool which can be downloaded from here.

Now run the DBeaver client and create a new informix connection and provide the connection details as below.

jdbc:informix-sqli://192.168.1.5:9093/{DB_NAME}:INFORMIXSERVER={SERVER_NAME};TRUSTED_CONTEXT=TRUE


Now test the connection without providing a user name and password. You will be successfully connected to the DB (refer below pic).







Monday, November 2, 2015

Integrate WSO2 ESB as a message consumer from WSO2 MB using SSL


WSO2 ESB can consume messages from and produce messages to WSO2 MB in different ways: using proxies, MS/MP and inbound endpoints. This post shows how to use the ESB as a message consumer from WSO2 MB over an SSL connection.

Step 1 Download the products

For this I am using WSO2 ESB 4.9.0, which can be found from here, and WSO2 MB RC1, which can be found from here.

Step 2 Configure SSL in WSO2 MB and WSO2 ESB

WSO2 MB
To create a new keystore and configure it in WSO2 MB, refer to my previous blog post from here. Also remember to set a port offset of 1 for WSO2 MB.


WSO2 ESB
On the ESB side, since we are using an inbound endpoint, there are only a few places that we need to change.


  1. Copy the client libraries from WSO2 MB, which are located at {WSO2_MB_HOME}/client-libs, to {WSO2_ESB_HOME}/repository/components/lib
  2. Configure the jndi.properties file as follows. The jndi file can be found at {WSO2_ESB_HOME}/repository/conf
     Create the queue connection factory as shown below

connectionfactory.QueueConnectionFactorySSL = amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8673?ssl='true'&ssl_cert_alias='RootCA'&trust_store='{PATH TO TRUST STORE}/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='{PATH TO KEY STORE}/mykeystore.jks'&key_store_password='mypkpasswordd''


Step 3 Creating a SSL enabled inbound endpoint in ESB

Now that we have configured WSO2 MB and ESB, let's create the queue and connect to MB via SSL. Navigate to the WSO2 ESB console and click on the inbound endpoint section. From there give a name and select JMS. Refer to the below pic to complete the fields. Remember to point to the jndi file and also give the connection factory and the initial connection factory.




Step 4 Testing the connection

Once the above inbound endpoint is created, a queue will be created in WSO2 MB with an active subscription.


You can verify whether SSL is working correctly by changing the jndi connection to use a false password. An exception will then be thrown.


Sunday, November 1, 2015

How to configure a new keystore in WSO2 MB

WSO2 products are shipped with a default keystore. However, it is not recommended to use it in production, as it is publicly available. So it is recommended to create a new keystore in order to use SSL communication. This blog post is a guide on how to configure a new keystore in WSO2 MB.


Step 1 Create a new keystore


There is a good blog post which explains the steps to create a new keystore - Hasini Gunasinghe's blog - Installing a new keystore into WSO2 Carbon based products. Follow the first 3 steps in order to create the new keystore.


Step 2 Change the configurations as per the new keystore


Now that you have added the new keystore to the {WSO2MB}/repository/resources/security folder, the next step is to change the configuration files. In WSO2 MB there are 3 configuration files that need to be edited.

  1. carbon.xml
  2. broker.xml
  3. catalina-server.xml

These files are located under the {WSO2MB}/repository/conf folder. Below are the snippets showing where the respective files need to be amended.

carbon.xml


        <KeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>JKS</Type>
            <!-- Keystore password-->
            <Password>mypkpassword</Password>
            <!-- Private Key alias-->
            <KeyAlias>mycert</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>mypkpassword</KeyPassword>
        </KeyStore>



broker.xml


<amqp enabled="true">
            <bindAddress>0.0.0.0</bindAddress>

            <defaultConnection enabled="true" port="5672" />

            <sslConnection enabled="true" port="8672">
                <keyStore>
                     <location>repository/resources/security/mykeystore.jks</location>
                     <password>mypkpassword</password>
                </keyStore>
                <trustStore>
                    <location>repository/resources/security/client-truststore.jks</location>
                    <password>wso2carbon</password>
                </trustStore>
            </sslConnection>

            <maximumRedeliveryAttempts>10</maximumRedeliveryAttempts>
            <allowSharedTopicSubscriptions>true</allowSharedTopicSubscriptions>

            <!-- Refer repository/conf/advanced/qpid-config.xml for further AMQP-specific configurations.-->
        </amqp>




        <mqtt enabled="true">
            <bindAddress>0.0.0.0</bindAddress>

            <defaultConnection enabled="true" port="1883" />

            <sslConnection enabled="true" port="8883">
                <keyStore>
                    <location>repository/resources/security/mykeystore.jks</location>
                    <password>mypkpassword</password>
                </keyStore>
                <trustStore>
                    <location>repository/resources/security/client-truststore.jks</location>
                    <password>wso2carbon</password>
                </trustStore>
            </sslConnection>

            <!-- Remaining mqtt settings are unchanged. -->
        </mqtt>



catalina-server.xml


Navigate to the Connector element with protocol="org.apache.coyote.http11.Http11NioProtocol" and set the new keystore file and password as shown below.

 keystoreFile="${carbon.home}/repository/resources/security/mykeystore.jks"
 keystorePass="mypkpassword"
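
A quick audit of the edited files, as an added example that is not part of the original post or of WSO2's own tooling: it parses fragments shaped like the carbon.xml and broker.xml snippets above (embedded as constructed sample input) and reports every store that is still the default wso2carbon.jks file or still uses the default password wso2carbon. The function name and the finding format are assumptions.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "wso2carbon.jks"   # file named in the startup warning
DEFAULT_PASSWORD = "wso2carbon"       # password used by the shipped stores

# Constructed sample input, modelled on the snippets in this post.
CARBON_DEFAULT = """
<KeyStore>
  <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
  <Password>wso2carbon</Password>
  <KeyAlias>wso2carbon</KeyAlias>
  <KeyPassword>wso2carbon</KeyPassword>
</KeyStore>"""

CARBON_NEW = """
<KeyStore>
  <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
  <Password>mypkpassword</Password>
  <KeyAlias>mycert</KeyAlias>
  <KeyPassword>mypkpassword</KeyPassword>
</KeyStore>"""

BROKER_NEW = """
<amqp enabled="true">
  <sslConnection enabled="true" port="8672">
    <keyStore>
      <location>repository/resources/security/mykeystore.jks</location>
      <password>mypkpassword</password>
    </keyStore>
    <trustStore>
      <location>repository/resources/security/client-truststore.jks</location>
      <password>wso2carbon</password>
    </trustStore>
  </sslConnection>
</amqp>"""


def audit_stores(xml_text):
    """Return (element, file, issue) for each store still on shipped defaults."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Tag names differ in case between carbon.xml and broker.xml.
        fields = {child.tag.lower(): (child.text or "").strip() for child in elem}
        if "location" not in fields:
            continue
        store_file = fields["location"].rsplit("/", 1)[-1]
        if store_file == DEFAULT_KEYSTORE:
            findings.append((elem.tag, store_file, "default keystore file"))
        for key in ("password", "keypassword"):
            if fields.get(key) == DEFAULT_PASSWORD:
                findings.append((elem.tag, store_file, f"default {key}"))
    return findings


if __name__ == "__main__":
    for name, text in [("carbon.xml (default)", CARBON_DEFAULT),
                       ("carbon.xml (new)", CARBON_NEW),
                       ("broker.xml (new)", BROKER_NEW)]:
        for finding in audit_stores(text):
            print(name, *finding, sep=" | ")
```

On the broker.xml shown in this post the only finding is the trust store, which keeps the default password.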


That is it, you have now configured the new keystore. You may have seen the below log printed when the default keystore was present. It should no longer be printed at server startup.


[2015-11-01 13:10:31,953]  WARN {org.wso2.carbon.core.bootup.validator.util.ValidationResultPrinter} -  Carbon is configured to use the default keystore (wso2carbon.jks). To maximize security when deploying to a production environment, configure a new keystore with a unique password in the production server profile.


Wednesday, October 28, 2015

Creating databases and testing the connection of a IBM Informix DB


This blog post mainly focuses on how to start / stop the Informix server, create a database, create a table, etc.


Login from informix user and run the server instance


Log in with the informix Windows user that was created during the installation, search for informix in the Start menu, and you will find a server instance similar to "ol_informix1210". Run the server instance as Administrator.


Basic commands to get started with informix


Run the below commands in the cmd window that was opened.
  • Start informix server - oninit -ivy
  • Shut down informix server - onmode -ky
  • Check server status   - onstat -g dis

Create Informix DB



Use the "dbaccess" command to navigate to the DB creation section. You will get the following options.




Navigate to Database -> Create

Provide a suitable name for the database which needs to be created.



Select a DB space

After selecting a DB space, select "Create-new-database" and press Enter. This will create the new database.




Create a table


Select the DB that was created, go to the tables section, then select "Create" and provide a table name.



Add columns as per your requirement; refer to the below pic to get an idea.



Once you are done, select "Build-new-table". This will create the table.


Connect and test the informix DB created


You can use a client like DBeaver to connect to the database you created. You have to provide the host, port, server, database/schema, username and password in order to connect to the server.

NOTE - By default Informix binds the port to an IPv6 address. So to connect to the DB follow the below sample.

* You can use a simple tool such as cports to view the ports and the addresses they are bound to, or you can use the command

netstat -a | findstr 'Port number' 


The JDBC connection URL needed for the connection looks like this.

jdbc:informix-sqli://{hostip}:{port}/{DBName}:INFORMIXSERVER={InformixServerName}

jdbc:informix-sqli://fe80::f16e:99a8:22ca:682:9088/test:INFORMIXSERVER=ol_informix1210



Now you can view the table that was created via dbeaver client



Binding the Port to a IP V4  


After the installation you will see a separate option called 'IBM informix' in the Start menu. You can create any number of server instances from the 'Server Instance Manager' tool under that option in the Start menu.




In Informix you can create a server bound to IPv4 or IPv6. We can create an IPv4 one from the 'Server Instance Manager'.

From there you will be asked to set a 'service name' and a 'port number' while proceeding. Set the desired values for these fields so they can be referred to later.









Wednesday, October 21, 2015

How to apply security (QOS) to a proxy in WSO2 ESB 4.9.0 using WSO2 Developer Studio


From WSO2 ESB 4.9.0 onwards, applying security to a proxy / service should be done via WSO2 Developer Studio. This post is a simple guide on how to create a proxy and apply basic QoS to it. I will be using Username Token authentication to apply QoS.

Find the links below to download the latest releases of the two products.

  1. WSO2 ESB 4.9.0
  2. WSO2 Developer Studio 3.8.0

Step 1 Extract and run the two products


After you download the two products, extract them to a preferred location. Start WSO2 ESB by navigating to <ESB_HOME>/bin and running wso2server.sh if you are on Linux, or wso2server.bat if you are on Windows. Go to <DEVSTUDIO_HOME> and launch Developer Studio by double clicking the eclipse icon.


Step 2 Create a registry project


Let's start by creating a registry project - open the Developer Studio dashboard and select the "Registry Resource" project.

Dev studio dashboard



Now let's create a registry resource file. Right click on the project created, then search for "Registry Resource", click Next and follow the below 3 steps to create the registry resource file.

Step 1 - Select registry resource

Step 2 - Select From existing template

Step 3 - Select Template and registry project

Select the Template as WS - Policy, select the registry project name (by default it will be selected) and click on Finish.


Step 3 Select user token security policy and grant permission


Double click on the registry resource file that was created, which will show the scenarios that are available, as the below pic shows.





Select "UsernameToken" and click on "User Roles", and a window will open as below. Now point to the ESB instance URL and provide the user name and password as admin/admin. Now click on Get Roles. This will fetch all the user roles that are available in ESB. Let's select admin and click on OK.



Now click on the source view and the source will be shown as below. Note that the user role admin can be seen in the source. Refer to the below pic.






Step 4 Create the proxy project


Select the "Proxy Service" project from the Dev Studio dashboard. In the window that pops up provide any name for the proxy, leave the proxy type as Pass Through Proxy, click on "Create a new ESB project" and create a project. Finally provide the endpoint URL; for this I have used the default echo service that is shipped with ESB.







After creating the proxy, double click on the proxy file, which resides in proxy-services (refer below pic).



Now in the graphical view select the proxy as the below picture shows.



Now set "Security Enabled" to true and click on Service policies, which will open a window as shown in the below pic where you can select the policy key.





Browse to the Eclipse project by selecting workspace.



Select the registry resource file from the workspace as shown in the below pic and save the changes.



Click on source view and you will see that the security policy has been added.





Step 4 Create a Car file


To deploy the proxy and the registry file we need to bundle them in a Composite Application Project and then export it, which will create a file with the .car extension that can then be uploaded to ESB. Let's see how it is done.


Select the Composite Application Project from dashboard and then select the two projects that were created. Refer below pic.




Remember to change the server role to Enterprise Service Bus in the registry project.




Now right click on the project created and click on "Export Composite Application Project". This will create the .car file.



Step 5 Deploy the project in WSO2 ESB



Now that we have created the car file, it's just a matter of deploying it in ESB to secure the echo service. To do that, go to ESB home, navigate to the Carbon Applications section, browse to the car file created and upload it. If it is successfully deployed the ESB log will be as below.

[2015-10-18 12:04:52,063]  INFO - ApplicationManager Deploying Carbon Application : QOS_Composite_Proj_1.0.0.car...
[2015-10-18 12:04:53,100]  INFO - ProxyService Building Axis service for Proxy service : QOS_PROXY_PROJECT
[2015-10-18 12:04:53,111]  INFO - ProxyService Adding service QOS_PROXY_PROJECT to the Axis2 configuration
[2015-10-18 12:04:53,112]  INFO - DeploymentInterceptor Deploying Axis2 service: QOS_PROXY_PROJECT {super-tenant}
[2015-10-18 12:04:53,115]  INFO - ProxyService WS-Security is enabled for service : QOS_PROXY_PROJECT
[2015-10-18 12:04:53,116]  INFO - ProxyService Successfully created the Axis2 service for Proxy service : QOS_PROXY_PROJECT
[2015-10-18 12:04:53,116]  INFO - ProxyServiceDeployer ProxyService named 'QOS_PROXY_PROJECT' has been deployed from file : /home/jasons/Products/ESB/QOS/wso2esb-4.9.0-RC4-SNAPSHOT/tmp/carbonapps/-1234/1445150092064QOS_Composite_Proj_1.0.0.car/QOS_PROXY_PROJECT_1.0.0/QOS_PROXY_PROJECT-1.0.0.xml
[2015-10-18 12:04:53,116]  INFO - ApplicationManager Successfully Deployed Carbon Application : QOS_Composite_Proj_1.0.0 {super-tenant}



To verify whether the proxy has been secured, go to the Services -> List section and verify that the secured symbol is shown, as in the below pic.




Step 6 Test the service


Now let's verify that the service is secured. For this I will be using SoapUI. Create a SOAP project and give the WSDL of the proxy created. Then copy the https endpoint and set it as the URL. Set the user name and the password. Now invoke the web service to echo a string and you will be able to see the result. Try it with false credentials and you will not be able to echo the message.









Wednesday, October 7, 2015

How to enable Email as the user name in WSO2 Products


Let us see how to enable email addresses to be used as the user name in WSO2 products. This feature is disabled by default and can be enabled with ease. For this example I will be using WSO2 Message Broker.


Step 1 - Download and extract the WSO2 MB product


Step 2 - Change configuration in carbon.xml


Open the carbon.xml which can be found under <WSO2MBHOME>/repository/conf/carbon.xml. Un-comment the below section,

<!--EnableEmailUserName>true</EnableEmailUserName-->


Step 3 -  Change configuration in user-mgt.xml


Replace,
 <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
with - 
 <Property name="UsernameJavaRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>

Now let's set up the admin account with an email address,

                <AdminUser>
                     <UserName>jason@yopmail.com</UserName>
                     <Password>123123</Password>
                </AdminUser>
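
What the replacement pattern in this step admits, as an added example that is not part of the original post: in the sequence _-| the hyphen acts as a range operator, so the class covers every character from _ to | and contains no literal hyphen. The sketch uses Python's re module, whose character-class rules agree with Java's for this pattern, and assumes the product applies the pattern to the whole user name; STRICT_PATTERN is a suggested tightening, not a WSO2 default.

```python
import re

# Replacement pattern from Step 3 of this post, copied unchanged.
PAGE_PATTERN = r"[a-zA-Z0-9@._-|//]{3,30}$"
# Suggested tightening (an assumption, not a WSO2 default): anchored at the
# start, hyphen escaped so it is a literal character, duplicate slash removed.
STRICT_PATTERN = r"^[a-zA-Z0-9@._\-|/]{3,30}$"


def accepts(pattern, username):
    """Whole-string match (assumes the product applies the pattern that way)."""
    return re.fullmatch(pattern, username) is not None


def symbols_admitted(pattern):
    """Printable ASCII characters, other than letters and digits, that pass."""
    return "".join(c for c in map(chr, range(0x21, 0x7F))
                   if not c.isalnum() and accepts(pattern, c * 3))


# Constructed sample user names; the first is the admin account from this post.
SAMPLES = [
    "jason@yopmail.com",
    "first-last@example.com",                     # contains a hyphen
    "a`{b@example.com",                           # backtick and brace
    "firstname.lastname@department.example.org",  # longer than 30 characters
]

if __name__ == "__main__":
    for label, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label, "admits symbols:", symbols_admitted(pattern))
        for name in SAMPLES:
            print(f"  {name!r}: {accepts(pattern, name)}")
```

Both patterns cap the user name at 30 characters, so longer email addresses are rejected either way.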

Step 4 - Login to management console


Start the message broker by issuing the command <WSO2MBHOME>/bin/wso2server.sh start if you are using a Linux distro, or <PRODUCT_HOME>\bin\wso2server.bat if you are on Windows, and navigate to https://localhost:9443/carbon. Now you can log in to the console with the above credentials.

Sunday, September 13, 2015

How to create users and assign permissions in Apache ActiveMQ broker using Simple Authentication Plugin




Recently I wanted to create a user in Apache ActiveMQ with permission only to Publish and subscribe but not to create queues. So, I was playing around with the broker and found out a simple quick way to configure and create users and permissions.

I will be using the Simple Authentication Plugin in order to configure this.

Follow the below steps in order to create a user and assign user roles.


Step 1  Download Apache ActiveMQ


Download Apache ActiveMQ link.


Step 2 Open Activemq.xml


Extract the downloaded ActiveMQ pack to a desired location and navigate to {ACTIVEMQ_HOME}/conf/activemq.xml


 Step 3 Create ActiveMQ User



The below snippet enables the Simple Authentication Plugin. I have created two users with passwords and assigned them groups. Groups represent the permissions that the respective user is given. These groups can be given different levels of permissions.

<plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="super" password="super" groups="admins"/>
          <authenticationUser username="jason" password="jason" groups="jrole"/>
        </users>
      </simpleAuthenticationPlugin>
</plugins>



Step 4 Assign Permission to the groups



Now that we have created the users, let's see how we can assign permissions to the groups "jrole" & "admins" which we created. There are 3 main roles in ActiveMQ,


  1. Write - Publish rights
  2. Read - Consume rights
  3. Admin - Create rights

Below snippet describes how we can assign permission to the group that we created.

<authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry queue=">" write="jrole" read="jrole"  />
              <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
</authorizationPlugin>

So for the "admins" role we have given write, read and admin permissions for both queues and topics. This means users who are given this role can create, consume from and publish to queues and topics.
The "jrole" role is given the same permissions, except that the queue admin right is not given.

If you now try to create a queue as user jason, the broker will refuse it.


Plugin configuration 


Below is the full plugin snippet. Place it between the <broker> </broker> tags in the activemq.xml config file.

<plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="super" password="super" groups="admins"/>
          <authenticationUser username="jason" password="jason" groups="jrole"/>
        </users>
      </simpleAuthenticationPlugin>
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry queue=">" write="jrole" read="jrole"  />
              <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
</plugins>
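
To check a configuration like this before deploying it, the following added example (not part of the original post and not ActiveMQ code) parses the plugin block and answers whether a user may read, write or administer a given destination. It goes slightly beyond the post by handling the "*" and ">" destination wildcards in general, and it assumes that the ACLs of all entries matching a destination are merged; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the plugin block from this post.
PLUGINS_XML = """
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="super" password="super" groups="admins"/>
      <authenticationUser username="jason" password="jason" groups="jrole"/>
    </users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" write="admins" read="admins" admin="admins"/>
          <authorizationEntry topic=">" write="admins" read="admins" admin="admins"/>
          <authorizationEntry queue=">" write="jrole" read="jrole"/>
          <authorizationEntry topic=">" write="jrole" read="jrole" admin="jrole"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>"""
OPS = ("read", "write", "admin")

def names(csv):
    return {n.strip() for n in (csv or "").split(",") if n.strip()}

def destination_matches(pattern, name):
    """'.' separates path elements, '*' matches one, '>' matches the rest."""
    want, have = pattern.split("."), name.split(".")
    for i, part in enumerate(want):
        if part == ">":
            return True
        if i >= len(have) or part not in ("*", have[i]):
            return False
    return len(want) == len(have)

def load(xml_text):
    root = ET.fromstring(xml_text)
    users = {u.get("username"): names(u.get("groups"))
             for u in root.iter("authenticationUser")}
    entries = []
    for e in root.iter("authorizationEntry"):
        kind = "queue" if e.get("queue") is not None else "topic"
        entries.append((kind, e.get(kind), {op: names(e.get(op)) for op in OPS}))
    return users, entries

def allowed(xml_text, user, op, kind, name):
    """Assumption: the ACLs of every entry matching the destination are merged."""
    users, entries = load(xml_text)
    groups = users.get(user, set())
    return any(k == kind and destination_matches(pat, name) and bool(groups & acl[op])
               for k, pat, acl in entries)

if __name__ == "__main__":
    for user in ("super", "jason"):
        for kind in ("queue", "topic"):
            rights = [op for op in OPS if allowed(PLUGINS_XML, user, op, kind, "ORDERS")]
            print(user, kind, rights)
```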