Apache NIFI 1.9.2 Connecting to Oracle Using Kerberos

Please bear with me - it's a bit complicated.
The high level goal is to connect NIFI to an Oracle db service - but can only use Kerberos for authentication.
We are running Apache NIFI 1.9.2 and trying to connect to Oracle (using driver version 12.1) via a DBCPConnectionPool controller service. I have configured a KeytabCredentialService controller service and reference it in my DBCP controller service.
I am setting the Oracle driver class name to be "oracle.jdbc.driver.OracleDriver". Full configuration settings here.
When we enable the associated ExecuteSQL processor - we get an Oracle authentication error message.
ORA-01017 - invalid username/password; logon denied.
Full error here.
After some troubleshooting - it seems that the Oracle driver wrapped within NIFI's DBCP service is not even trying to use Kerberos at all.
Outside of NIFI, programmatically we would normally need to add in driver property CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES to "turn on" the kerberos authentication feature, but there is no such option available to us when using NIFI's DBCP Controller service.
Does anyone have any ideas on how we might be able to properly enable Kerberos authentication on the Oracle driver via NIFI's DBCP controller service?
Any help or direction given will be greatly appreciated.

I was able to figure out how to "enable" Kerberos on the Oracle driver.
I set the dynamic properties below.
oracle.net.authentication_services = (KERBEROS5)
oracle.net.kerberos5_mutual_authentication = true
Thank you to those that responded.


Tableau Other Databases (JDBC) Connection to SAS datasets

I am trying to get an Other Databases (JDBC) connection from Tableau to SAS using SAS' integrated object model (sasiom jdbc) but running into this error:
Error:
Bad Connection: Tableau could not connect to the data source.
Trying to connect an http1.x server
Generic JDBC connection error
Trying to connect an http1.x server
Configuration Details
I believe my configuration is somewhat correct so far but I think that Tableau is not identifying the correct driver class to use when making a JDBC connection to SAS.
At a high level here is what a JDBC connection to SAS looks like:
JDBC Connection String: jdbc:sasiom://companyserver.company.com:port
Driver class name: com.sas.rio.MVADriver
Driver jar files location for Tableau to access: C:\Program Files\Tableau\Drivers
In the extract below from the Tableau Desktop logs, it looks like the 'dialect' and 'class' being used are genericjdbc. I think I want the class to be com.sas.rio.MVADriver, the class name for sasiom, but I'm not certain.
{"attributes":{":protocol-customizations":"","class":"genericjdbc","dbname":"","dialect":"genericjdbc","jdbcproperties":"","jdbcurl":"jdbc:sasiom://companyserver.company.com:8591","password":"***","schema":"","username":"username","warehouse":""},"closed-protocols-count":"0","connection-limit":"16","group-id":"3","in-construction-count":"0","protocols-count":"0","this":"0x0000018511611140"}}
Properties file attempted without success
I've tried adding a properties file to force the class to be com.sas.rio.MVADriver, in the hope of getting a successful connection or at least a different error if anything else needs to change, but no luck with a properties file.
If anyone has successfully created a custom JDBC connection in Tableau, please provide some help or direction on how you got it working. What configuration steps am I missing?
Is there a way to verify that Tableau is using the correct driver class for the JDBC connection? I have not seen the correct class of com.sas.rio.MVADriver referenced at all in the Tableau logs.
The answer to this question is that a Type 4.0 JDBC driver is needed to automatically register the driver class name with the JDBC driver manager. The public SAS .jar files contain a Type 2.0 JDBC driver, which requires a manual JDBC driver class specification, which Tableau does not allow to my knowledge. It appears this is not possible currently.

How to sniff Oracle's credentials from a connection attempt to the database?

I have a legacy application, which connects to the configured Oracle database.
It seems it has some logic that alters the database credentials, as it is unable to successfully log in to the Oracle database, while sqlplus started on the same machine is able to log in.
The error I am getting is: [DataDirect][ODBC Oracle Wire Protocol driver][Oracle]ORA-01017: invalid username/password; logon denied
How can I find out which database username and password are sent to the database?
What I have tried so far:
Enabled auditing of failed sign-on attempts on Oracle (audit create session whenever not successful). It does not solve the issue, because it only logs the username, which seems to be correct, without the password.
Used a sniffer to eavesdrop on the network traffic between the machine running the application and the database, but since Oracle's TNS protocol is encrypted, it did not help a lot.
Started a server using netcat on port X and provided port X in the application configuration file. The application did connect to my server, which is how I know the application is connecting to the correct server. But since the TNS protocol is pretty complex (it requires a series of messages to be exchanged between the client and the server), I hope there is a simpler way of achieving what I want without having to reverse engineer Oracle and implement my own server.
Enabled tracing of the JDBC driver (Trace=1, TraceFile, TraceDll). The trace file shows the correct username, but obviously the password is not getting logged.
My environment:
Database: Oracle 11g
Application runs on: Solaris
Application uses: DataDirect ODBC Oracle Wire Protocol v70
I'm not sure, but if the connection is established by an ODBC driver (as described in the question tags), then you can try ODBC sniffing tools like ODBC tracing.
Citation:
Password "Sniffing" Using Trace
ODBC provides a means for tracing the conversation taking place between the driver and the host database. Used by developers for testing purposes, the tracing feature is designed to help programmers find out exactly what is going on and to help fix problems. However, tracing (also called "sniffing") can be used by nefarious bad guys to retrieve user passwords.
When tracing is enabled, communications with the host are written to a file. This includes the user ID and password, which are captured in plain text.
Update
SQLPlus connects to Oracle with the OCI interface, but the DataDirect ODBC driver uses its own proprietary implementation of the communication protocol. So the most probable point of failure is driver misconfiguration or incompatibility.
DataDirect provides some tools for ODBC driver diagnostics, but the only option applicable to the case described in the question is the snoop utility, which acts like the netcat approach you already tried.
Because the connection failed at the credential verification stage, the most probable source of error is using localized symbols in the user name or password. There are some issues with the Oracle authentication process listed in DataDirect Knowledge Search (search for ORA-01017).
It seems that DataDirect provides two separate versions of the driver, with and without Unicode support, so one possible point of failure is connecting with the non-Unicode version of the driver to a Unicode version of the database, and vice versa.
P.S. For now I don't have any experience with the DataDirect ODBC driver, so these are only suggestions about possible sources of failure.
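As a defensive complement to the tracing discussion above, here is an added example (not from the answer or from DataDirect) that scans an odbc.ini-style configuration for DSNs with tracing enabled, since a trace file captures the user ID and password in plain text. The DSN names, host names and file paths in the sample are constructed for this example.

```python
import configparser
from typing import Dict, List

# Constructed sample odbc.ini content for this example (not a real deployment).
SAMPLE_ODBC_INI = """
[ODBC]
Trace=0

[ORA_PROD]
Driver=DataDirect Oracle Wire Protocol
HostName=db.example.internal
PortNumber=1521
Trace=1
TraceFile=/tmp/odbctrace.log
TraceDll=/opt/odbc/lib/tracelib.so

[ORA_REPORTING]
Driver=DataDirect Oracle Wire Protocol
HostName=db.example.internal
PortNumber=1521
Trace=0
"""

# Spellings that ODBC driver managers commonly accept as "on" (assumption for this check).
TRUE_VALUES = {"1", "on", "true", "yes"}


def _is_on(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def find_tracing_dsns(ini_text: str) -> Dict[str, List[str]]:
    """Return every DSN whose traffic would be traced, mapped to a list of findings.

    A per-DSN Trace=1 enables tracing for that DSN; Trace=1 in the global [ODBC]
    section enables it for all DSNs. configparser lowercases option names, so
    Trace/TraceFile/TraceDll are matched regardless of the casing in the file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    global_trace = any(
        _is_on(parser.get(s, "trace", fallback="0"))
        for s in parser.sections() if s.lower() == "odbc"
    )
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        if section.lower() in ("odbc", "odbc data sources"):
            continue  # driver-manager metadata sections, not DSNs
        if not (global_trace or _is_on(parser.get(section, "trace", fallback="0"))):
            continue
        notes = ["tracing enabled: credentials will be written in plain text"]
        trace_file = parser.get(section, "tracefile", fallback="")
        if trace_file:
            notes.append(f"trace file: {trace_file}")
        if parser.has_option(section, "tracedll"):
            notes.append("custom TraceDll configured")
        findings[section] = notes
    return findings
```

Running it against a real odbc.ini (or the ODBC section of a DataDirect driver configuration) flags the DSNs whose trace files should be treated as credential material and whose tracing should be turned off outside a troubleshooting window.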

Websphere CWWIM6004E

I am trying to start an application in Websphere 8, and keep on getting the following error.
From the message, it means we are missing the bindPassword, but we never had to define it in WAS 6.1.
Currently we are using Standalone LDAP registry. Does anyone have any idea where I should start looking to fix this error?
UserManagemen E com.ibm.ws.wim.management.UserManagementProcess handleNotification CWWIM6004E Initialization of the dynamic reload manager failed.
com.ibm.websphere.wim.exception.MissingInitPropertyException: CWWIM0004E The initialization property 'bindPassword' is missing from the configuration.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeEnvironmentProperties(LdapConnection.java:1947)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeServers(LdapConnection.java:1904)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initialize(LdapConnection.java:1832)
at com.ibm.ws.wim.adapter.ldap.LdapAdapter.initialize(LdapAdapter.java:235)
at com.ibm.ws.wim.RepositoryManager.initialize(RepositoryManager.java:610)
at com.ibm.ws.wim.RepositoryManager.<init>(RepositoryManager.java:131)
In regards to ".... never have to define in WAS 6.1"
The requirement for an LDAP bind password is enforced by the LDAP server; this is not a WAS requirement.
If in fact you didn't define it in WAS v6.1, the LDAP server in use for WAS V6.1 didn't require it.
Based on the error, you've either changed LDAP servers or the LDAP server configuration has changed (or both)
As mentioned in the other post, you can troubleshoot this using a tool like ldapsearch
The technote at http://www-01.ibm.com/support/docview.wss?uid=swg21470063 discusses obtaining "must gather" and troubleshooting these types of issues (refer to the "collecting data manually" section)
You must check your LDAP connection to the LDAP server.
Use the IBM WebSphere console, Security settings, LDAP, and take note of the LDAP connection settings.
Use a tool like ldapsearch to check the connection from the shell command line.
It is possible that the bind password is not correct.
If you are using a Novell eDirectory server, you must pay special attention when creating the bind user (the password field).

Oracle weblogic access control 11g

I have just installed Oracle WebLogic Server and configured a RESTful service. The developer is able to use it in the office network, but when I placed it on the proxy server it is supporting.
As discussed with the developer, we need to set cross-domain access control security. Can anybody help me with how I can set that from the Oracle WebLogic Administration Console?
On the client side they are using JavaScript and ActionScript to call that service.
I would suggest trying to use SOAP UI to test the service through the proxy service and see what the behavior is. You might want to change the proxy server to not cache the result from the URL during testing.
You can use web.xml to configure security roles and map them to WLS credentials/roles. If you have added a username and password then you should be able to test this from SOAPUI.

WebSphere to Oracle - doesn't accept correct password

In WebSphere 6.1 I have created a datasource to an Oracle 11g instance using the thin JDBC client.
In Oracle I have two users, one existing and another newly created.
My WebSphere datasource is OK if I use the component-managed authentication alias of the existing user, but fails with an "invalid user/password" message if I use the alias of the new user. The error message is:
The test connection operation failed for data source MyDB (Non-XA) on
server nodeagent at node MY_node with the following exception:
java.sql.SQLException: ORA-01017: invalid username/password;
logon denied DSRA0010E: SQL State = 72000, Error Code = 1,017.
View JVM logs for further details.
There is nothing in the JVM logs. I have grepped all websphere logs and they do not mention my connection at all.
I can confirm that the username and password are correct by logging in via SQLPlus or (to prove the JDBC connection is OK) via SQuirreL.
I have checked in Oracle that the new user has all the system privs that the existing user has.
Any thoughts on what is going on or how I can debug this further?
Just FYI. I am guessing you are running WebSphere in Network Deployment mode.
This behavior you're experiencing is actually by design.
The reason for it is that the "Test Connection" button you see on the admin console, invokes the JDBC connection test from within the process of the Node Agent. There is no way for the J2C Alias information to propagate to the Node Agent without restarting it; some configuration objects take effect in WebSphere as soon as you save the configuration to the master repository, and some only take effect on a restart. J2C aliases take effect on restarts.
In a Network Deployment topology, you may have any number of server instances controlled by the same Node Agent. You may restart your server instances as you'd like, but unless you restart the Node Agent itself, the "test connection" button will never work.
It's a known WebSphere limitation... Which also exists on version 7.0, so don't be surprised when you test it during your next migration. :-)
If this happens to anyone else, I restarted WebSphere and all my problems went away. It's a true hallmark of quality software.
Oftentimes when people tell me they can't log into Oracle 11g with the correct password, I know they've been caught out by passwords becoming case-sensitive between 10g and 11g.
Try this:
data source definition
security
use the J2C alias for both authentication managed by component and authentication managed by container
IBM WAS 8.5.5 Knowledge Center - Managing Java 2 Connector Architecture authentication data entries for JAAS
If you create or update a data source that points to a newly created J2C authentication data alias, the test connection fails to connect until you restart the deployment manager.
After you restart the deployment manager, the J2C authentication data is reflected in the runtime configuration. Any changes to the J2C authentication data fields require a deployment manager restart for the changes to take effect.
The node agent must also be restarted.
I have pointed my data source to component-managed authentication as well as container-managed authentication. It's working fine now.
