We are in process to migrate a new nexus repo.
The below are the platform information:
Nexus Repo Server: HTTPS only supports TLS 1.2
Application server: FUSE 6.1
Java(TM) SE Runtime Environment (build 1.7.0_141-b31)
Java HotSpot(TM) 64-Bit Server VM (build 24.141-b31, mixed mode)
However, when we run karaf command "features:addurl <...> ", we are keeping getting javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
We have set the following JVM options:
-Djavax.net.ssl.trustStore="<....>"
-Djavax.net.ssl.trustStorePassword="<...>"
-Djavax.net.debug=all
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
The issue has been resolved and we need to add the following JVM option to resolve SSL Handshake exception:
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Related
as the title says I'm facing the error:
WebSocket connection failure. Due to security constraints in your web
browser, the reason for the failure is not available to this Neo4j
Driver…​
My neo4j DB is running on a Ubuntu Linux machine:
Unbungu 20.04.04 LTS, Release 20.04
Neo4j Community Edition, Version 4.4.8
I can connect to the db via:
http://localhost:7474/browser/
but not under
https://localhost:7473/browser/ or bolt+s://localhost:7687
I already tried multiple "solutions" but none of them work.
Here is what I changed in my config.
dbms.default_listen_address=0.0.0.0
dbms.connectors.default_list_address=0.0.0.0
dbms.connector.bolt.enabled=true
dbms.connector.bolt.address=0.0.0.0:7687
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473
I also generated SSL certificates:
Bolt SSL configuration
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.bolt.private_key=private.key
dbms.ssl.policy.bolt.public_certificate=public.crt
dbms.ssl.policy.bolt.client_auth=NONE
Https SSL configuration
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.crt
dbms.ssl.policy.https.client_auth=NONE
Any ideas?
*Edit: Typo
I'm able to connect to a data base from Windows (Windows 10, via SQL Developer), but not via Linux (Ubuntu,via SQL Developer).
The two operating systems run on the same client computer
I use exactly the same connection information (I compared the screens from windows and linux), therefore the connection information is correct
SQL Developer Version is exactly the same (Version 18.3.0.277 Build 277.23.54)
Screenshot
The firewall in ubuntu (ufw) is disabled, and telnet to [data-base-host]:[port] works. The data base server logs show that the ubuntu-client is connecting.
The error message which appears in oracle sql developer:
Status : Failure -Test failed: IO Error: Connection reset by peer, Authentication lapse 0 ms.Error message in Oracle SQL Developer
In Ubuntu I also tried with a different random source as suggested in Oracle JDBC intermittent Connection Issue, which didn't help. I also tried to connect with intellij idea and DB Driver versions (V12.1.0.2, V11.2.0.4) with the same results. The error message in IntelliJ:
Connection to XXXX failed. [08006][17002] IO Error: Connection reset.
Version Details:
Java Version: \openjdk version "1.8.0_191" OpenJDK Runtime Environment
(build 1.8.0_191-8u191-b12-0ubuntu0.18.10.1-b12) OpenJDK 64-Bit Server
VM (build 25.191-b12, mixed mode)
OS: Ubuntu Kernel Version:
4.18.0-11-generic
Oracle SQL Developer Version: 18.3.0.277 Build 277.23.54
[Update]
With Oracle JDK 8, I still receive the same error.
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)
In ~/.sqldeveloper/18.3.0/product.conf I changed the configuration to following settings, as suggested by thatjeffsmith. However the outcome was the same.
SetJavaHome /usr/lib/jvm/java-8-oracle/
AddVMOption -Djava.security.egd=file:/dev/./urandom
Any ideas?
I'm launching beeline to test Sentry using account added in Kerberos:
beeline -u "jdbc:hive2://IP:10000/;principal=test_table/domain_name#HADOOP.COM"
but
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
scan complete in 3ms
Connecting to jdbc:hive2://IP:10000/;principal=test_table/domain_name#HADOOP.COM
Error: Could not open client transport with JDBC Uri: jdbc:hive2://IP:10000/;principal=test_table/domain_name#HADOOP.COM: Peer indicated failure: GSS initiate failed (state=08S01,code=0)
Beeline version 1.1.0-cdh5.5.0 by Apache Hive
However, if I connect with account hive, it works!
beeline -u "jdbc:hive2://IP:10000/;principal=hive/domain_name#HADOOP.COM"
Why could this happen? By the way, I used kinit to the account on my client.
For beeline, the principal param in '!connect' must be hive#domainname, but who you are and what you can do in hive is controlled by the kerberos' tgt ,which is assigned by kinit.
Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?
The solution was to upgrade server Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary. Not even modyfing Tomcat as per the advice at weakdh.org.
Today I tried to update (via Installation Manager)
IBM WebSphere Application Server Liberty Network Deployment 8.5.5.0
to 8.5.5.1
Update failed with message:
Error during "post-install configure" phase:
CRIMA1076E: Error executing the /bin/sh command: status=1.
For more information, see the agent log file: /home/dsidelnikov/var/ibm/InstallationManager/logs/native/20131112_1734.log
Explanation: The installation operation failed due to an error executing the exec command.An issue has occurred with the package that cannot be resolved by Installation Manager.
User Action: Identify the package that has the issue. Contact IBM Support.
log file contains one message:
/bin/sh: /home/dsidelnikov/IBM/WebSphere/Liberty/lib/versions/service.fingerprint: No such file or directory
I checked, file service.fingerprint exists.
Is it known issue?