I'm trying to establish 2 way SSL MQ connection from node js application via 'ibmmq' node module. Is it possible to configure truststore and keystore (SSL configs) with ibmmq? If so, how should it be configured?
See comments in the amqsconntls.js sample.
As it's built on the C client, the Node.js layer requires a kdb-format store which combines the role of keystore and truststore. Use of that store from client programs is described in the MQ knowledgecenter - various mechanisms including program-specified, ini file and environment variables can be used to access it depending on your requirements.
Related
I have Strimzi Kafka cluster set-up successfully on OpenShift. I can see the following services:
kafka-brokers
kafka-bootstrap
zookeeper-client
zookeeper-nodes
This is actually different from what is called out here; so, not sure, if this is a Strimzi installation issue. I followed installation steps from here.
I created a routes for kafka-bootstrap and kafka-brokers on port 9092 (non-TLS clients). In both cases, I get a ECONNREFUSED error when I provide the route value (e.g. my-cluster-myproject.192.168.99.100.nip.io:9092 in the example from kafkajs.
How do I get the kafkajs package connected to the Strimzi cluster?
The Strimzi services that you are seeing are correct but in order to access the Kafka brokers, it's better using the bootstrap service which allows to specify only one "broker" in the bootstrap servers list of your client and it will select a broker to connect the first time and then getting metadata (it avoids to you to connect using the headless service where the pod IPs can change on restart).
So saying that, if you need to access the brokers from outside of OpenShift you don't have to create a route for the bootstrap service manually but you have to configure external listeners (https://strimzi.io/docs/latest/#assembly-configuring-kafka-broker-listeners-deployment-configuration-kafka) with type route.
As already mentioned above, the OpenShift routes work with TLS only for TCP connections.
In order to provide your clients the right certificate tu use for TLS you can follow this part of the documentation: https://strimzi.io/docs/latest/#kafka_client_connections
Have you checked out external listeners?
BTW, if you need to expose strimzi by router, TLS encryption is necessary. OpenShift router does not support TCP, but support TLS.
I work on a software application that uses gRPC to establish a bi-directional stream between client and a server.
I'm looking for something similar to this ticket's answer only in java: How to enable server side SSL for gRPC?
I would like to configure my application so that they can choose what TLS scenario they want to use:
Scenario 1: plaintext (no encryption)
Scenario 2: Server-side TLS
Scenario 3: Mutual TLS
For TLS setups, I am using Java on non-Android environments, so I will only be considering the OpenSSL installed scenario using https://github.com/grpc/grpc-java/blob/master/SECURITY.md#openssl-statically-linked-netty-tcnative-boringssl-static
Configuring the server side seems pretty straight forward because it is documented quite well: https://github.com/grpc/grpc-java/blob/master/SECURITY.md#mutual-tls
Here would be the steps for the corresponding TLS options:
Sever-side configuration for Scenario 1: Use builder.usePlaintext
Sever-side configuration for Scenario 2: Add a NettyServerBuilder.sslContext built by SSL Context Builder with GrpcSslContexts.forServer and set the cert chain and cert key (and password if needed)
Sever-side configuration for Scenario 3: Add a NettyServerBuilder.sslContext built by SSL Context Builder with GrpcSslContexts.forServer and set the cert chain and cert key (and password if needed), and also set a trustManager on the sslContextBuidler set to the trust cert file.
The server-side part is well documented which is excellent.
Now I want to configure a NettyChannelBuilder on the client side. The only thing I can find information on this is in this unit test: https://github.com/grpc/grpc-java/blob/master/interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java
Here are the configurations I think are needed, but need to get confirmation on.
Client-side configuration for Scenario 1: Use nettyChannelBuilder.usePlaintext(true). This will disable TLS on the netty channel to grpc.
Client-side configuration for Scenario 2: Set the sslContext using nettyChannelBuilder.negotiationType(NegotiationType.TLS).sslContext(GrpcSslContexts.configure(SslContextBuilder.forClient(), SslProvider.OPENSSL).build()). This will configure the channel to communicate through TLS to grpc server using the default ciphers and application protocol configs.
Client-side configuration for Scenario 3: Set up TLS for the netty channel using nettyChannelBuilder.negotiationType(NegotiationType.TLS).sslContext(GrpcSslContexts.configure(SslContextBuilder.forClient(), SslProvider.OPENSSL).sslContextBuilder.trustManager(clientAuthCertFile)
.clientAuth(ClientAuth.OPTIONAL).build()) where clientAuthCertFile is the trust cert file and ClientAuth.OPTIONAL can also be ClientAuth.REQUIRED if you require mutual TLS.
Is there anything incorrect with my client-side configurations? Do I need any tweaks? I will add this as a PR to the security.md file after getting some blessing from the community on this post.
I added a hello world TLS PR to the grpc-java project here https://github.com/grpc/grpc-java/pull/3992
the latest version of grpc-java as soon as this pr is merged will have a really nice working hello-world example. So all you have to do is git clone that project from master, and look at the example/README.md.
I came across this awesome library xterm.js which is also the base for Visual Studio Code's terminal. I have a very general question.
I want to access a machine(ssh into a machine ) on a local network through a web based terminal(which is out of network, may be on a aws server). I was able to do this in a local network successfully but I could not reach to a conclusion to do it from Internet-->local network .
As an example - An aws server running the application on ip 54.123.11.98 which has a GUI with a button to open terminal. I want to open terminal of a local machine which is in a local network somewhere behind some public ip on local ip 192.168.1.7.
Can the above example be achieved using some sort of solutions where i can use xterm.js so that I don't have to go for building a web based terminal? What are the major security concerns I should keep in mind while exposing the terminals this way ?
I was thinking in line with using a fixed intermediate server between AWS and local network ip and use some sort of reverse ssh tunnel process to do this but I am not sure if this is the right way or could there be a more simple/better way to achieve this.
I know digital ocean, google cloud , they all do this but they have to connect to a computer which has public ip while I have a machine in a local network. I don't really want to configure router to do any kind of setup .
After a bit of research here is working code.
Libraries:
1) https://socket.io/
This library is used for transmit package from client to server.
2) https://github.com/staltz/xstream
This library is used for terminal view.
3) https://github.com/mscdex/ssh2
This is the main library which is used for establishing a connection with your remote server.
Step 1: Install Library 3 into your project folder
Step 2: Start from node side create a server.js file for open socket
Step 3:
Connection client socket to node server (both are in local machine)
The tricky logic is how to use socket and ssh2.
On emission of socket you need to trigger an SSH command using the ssh2 library. On response of the ssh2 library (from server) you need to transmit the socket package to the client. That's it.
Click here to find an example.
That example will have these files & folders:
Type Name
------------
FILE server.js
FILE package.json
FOLDER src
FOLDER xtream
First you need to configure your server IP, user and password or cert file on server.js and just run node server.js.
P.S.: Don't forget to run npm install
Let me know if you have any questions!
After some research later I came across this service : https://tmate.io/ which does the job perfectly. Though if you need a web-based terminal of tmate you have to use their ssh servers as a reverse proxy which ideally I was not comfortable with. However, they provide tmate-server which can be used to host your own reverse proxy server but lacks web UI. But to build a system where you have to access a client behind NAT over ssh on web, below are the steps.
Install and configure tmate-server on some cloud machine.
Install tmate on the client side and configure to connect to a cloud machine.
Create a nodejs application using xterm.js(easy because of WebSocket based communication) which connects to your tmate-server and pass commands to the respective client. (Beware of security issues of exposing this application, since you will be passing Linux commands ).
Depending on your use case you might need a small wrapper around tmate client on client-side to start/stop it automatically or via some UI/manual action.
Note: I wrote a small wrapper on client-side as well to start/stop and pass on the required information to an API server (written in nodejs) which then pass on the information to another API which connects the browser to the respective client session. Since we had written this application it included authentication as well as command restrictions of what can be run on terminal. You can customize it a lot.
I am trying to configure Celery on my Django web server securely and I can figure out two alternatives on achieving this. Either securing the broker or signing the messages.
Celery, needs a message broker in which case is RabbitMQ.
I am using a "RabbitMQ as a service" implementation, which means that the RabbitMQ server is reached through the internet using the amqp protocol.
The service provider distributes an amqp uri, and also supports amqps:
The "amqps" URI scheme is used to instruct a client to make an secured connection to the server.
Apparently, this is what I need, otherwise all my messages will be circulating around the net, naked on the wire.
In order to use amqps, celery needs the following configuration:
import ssl
BROKER_USE_SSL = {
'keyfile': '/var/ssl/private/worker-key.pem',
'certfile': '/var/ssl/amqp-server-cert.pem',
'ca_certs': '/var/ssl/myca.pem',
'cert_reqs': ssl.CERT_REQUIRED
}
Question:
Where can I find those .pem files?
According to RabbitMQ docs, I have to create them myself and configure the RabbitMQ server to use them.
However, I am not running the server. As stated above I have a "RabbitMQ as a service" provider who supports amqps. Should I ask him to provide me with those .pem files?
Celery, can also sign messages.
(Trying this approach, I get a No encoder installed for auth error which I reported.)
Question: Does this mean that I can use my certificates to secure the connection as an alternative configuration to BROKER_USE_SSL?
There is also a note regarding message signing:
auth serializer won’t encrypt the contents of a message, so if needed
this will have to be enabled separately.
Subquestion: Does encrypting the contents of a message protect me from the "current" RabbitMQ server administrator while "message signing" only protects me while on the wire towards that server?
Apparently I am somehow confused but I would not like to create any kind of insecure traffic over the internet for any reason. I would appreciate your help.
When configuring for CloudAMQP, you need to set BROKER_USE_SSL to True and the BROKER_URL as shown below:
BROKER_USE_SSL = True
BROKER_URL = 'amqp://user:pass#hostname:5671/vhost'
Note the port number 5671, and keep 'amqp'.
If you are running your own Rabbit setup checkout this to make it secure.
https://www.rabbitmq.com/ssl.html
If i connect to a remote server that uses SSL my browser would request its digital certificate from the server and the server would get it from its key-store am i correct ?
Is java key-store tool being used to perform the same action ?
The Java keytool.exe utility is used to maintain digital certificates and their associated keys in a key-store file. It can also be used to generate key-pairs, signing requests and for other security-data oriented functions.