I have 2 pods of Redmine deployed with Kubernetes. Because of this, an issue with session management is happening, so some users are unable to log in. So I came up with the idea of storing the cache of both pods in a Redis server in Kubernetes (centralized).
I am giving the below configuration inside the Redmine pod at this location:
/opt/bitnami/redmine/config/application.rb
Configuration:
config.cache_store = :redis_store, {
  host: "redis-headless.redis-namespace", # service name of redis
  port: 6379,
  db: 0,
  password: "xyz",
  namespace: "redis-namespace"
}, {
  expires_in: 90.minutes
}
But this is not working as expected. I need help finding where I am going wrong.
Redmine doesn't store any session data in its cache. Thus, configuring your two Redmines to use the same cache won't help.
By default Redmine stores the user sessions in a signed cookie sent to the user's browser without any server-local session storage. Since the session cookie is signed with a private key, you need to make sure that all installations using the same sessions also use the same application secret (and code and database).
Depending on how you have set up your Redmine, this secret is typically stored either in config/initializers/secret_token.rb or in config/secrets.yml (relative to your Redmine installation directory). Make sure that you use the same secret here on both your Redmines.
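The mechanism behind that answer, as an added illustration that is not part of the original post or of Redmine's code: a cookie-backed session is a payload plus an HMAC over it, and a pod can only accept cookies whose HMAC it can reproduce with its own secret. The example below is written in Java (the language used for the other added examples on this page) and models the layout loosely on Rails' "payload--signature" cookie; the exact Rails encoding and the two secret strings are assumptions for the demonstration, not values from the post.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Why two Redmine pods must share the application secret: a signed session
 *  cookie minted by one pod only verifies on a pod holding the same secret. */
public class SignedSessionCookie {
    private static final String ALG = "HmacSHA256";

    /** Signs the serialized session and returns "base64(payload)--hex(hmac)". */
    static String mint(String secret, String sessionPayload) throws Exception {
        String body = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(sessionPayload.getBytes(StandardCharsets.UTF_8));
        return body + "--" + hmacHex(secret, body);
    }

    /** Returns the session payload if the signature verifies with this pod's
     *  secret, otherwise null (the user is treated as logged out). */
    static String verify(String secret, String cookie) throws Exception {
        int sep = cookie.lastIndexOf("--");   // hex signature never contains '-'
        if (sep < 0) return null;
        String body = cookie.substring(0, sep);
        String sig = cookie.substring(sep + 2);
        byte[] expected = hmacHex(secret, body).getBytes(StandardCharsets.US_ASCII);
        // constant-time comparison so timing does not leak the MAC
        if (!MessageDigest.isEqual(sig.getBytes(StandardCharsets.US_ASCII), expected)) {
            return null;
        }
        return new String(Base64.getUrlDecoder().decode(body), StandardCharsets.UTF_8);
    }

    private static String hmacHex(String secret, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), ALG));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(out.length * 2);
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secrets: pod A and pod B were started with different values.
        String podASecret = "secret-from-secret_token.rb-on-pod-a";
        String podBSecret = "secret-generated-independently-on-pod-b";
        String cookie = mint(podASecret, "{\"user_id\":42}");

        // Same secret: verify returns the payload. Different secret: verify
        // returns null, which is exactly the "randomly logged out" symptom when
        // the load balancer sends the next request to the other pod.
        System.out.println("pod A: " + verify(podASecret, cookie));
        System.out.println("pod B: " + verify(podBSecret, cookie));
    }
}
```

The practical check on Kubernetes is to mount the same secret (for example a Kubernetes Secret projected into config/secrets.yml or the environment variable the image reads it from) into both pods, and to confirm that neither pod generates a fresh secret at start-up. Sharing a cache backend, as in the configuration above, does not affect this at all.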
I'm deploying my Spring Boot application to a Heroku server via git deployment. There are passwords and API secrets in my application.yml. Those properties are encrypted with Jasypt. One thing I don't understand is: how do I pass the Jasypt decryption password into the deployed application at startup?
Heroku has Config Vars, but they do not seem secure, considering that all of them can be revealed on the dashboard.
Is there a secure way to send a password into a deployment?
Config Vars are the accepted mechanism to pass runtime information to the apps upon deployment.
They are pretty secure if access to the Dashboard is controlled, of course (those settings are never exposed or logged); only the owner can reveal the values.
I have a strange use case running Spring Boot microservices. The services live inside an OpenShift cluster, and the problem I face is due to a database password renewal policy.
The app uses a JDBC connection to access an Oracle database, and the DB password is retrieved during container startup from a homegrown vault. The issue is that the password changes once every 90 days.
The application uses a JDBC connection pool to talk to the database, and the service is expected to receive a high volume of traffic, therefore an increased number of sessions. If the password gets renewed in the middle of a session, how do we ensure we always use the working password to run queries in the JDBC connection pool?
We tried a couple of things: running a separate service that would retrieve the password momentarily, with the consumer service that requires the password simply using the last successful password from the database service. It's kind of an ugly implementation.
We also tried multi-container pods with an auxiliary pod listening for database changes, and that was a lame idea as well.
The core problem is that the JDBC connection pool is loaded up already holding the credentials used to establish connections and communicate with the database. So how do we update the password in the middle of a session?
Any ideas?
I suppose you are using a secret store (e.g. Vault, AWS Secrets Manager, etc.) to get the password. If so, I think you are halfway done.
Check out @RefreshScope: you can refresh the Spring context, which will fetch the new configuration (the password) and recreate some beans (the datasource).
I created an Ubuntu server on Amazon AWS.
Then I registered for Forge, and now I am trying to configure it.
I selected Bitbucket as the source control.
I selected Amazon in the Server Provider section, but now I am not sure what to put in key and secret.
I found the answer to this question:
We need to create an IAM user and opt for an API access key and secret.
Also remember to give at least FullEC2Admin access to this user before initiating the process to create and provision the server via Forge.
I am facing very dramatic behavior caused by an Amazon EC2 server. I have one web application deployed on an Amazon EC2 server, developed using Spring and Java. A new session is created for every request here. I have one scenario where I need to store some data in the HttpSession object, but because the session changes every time, I lose my data.
Your response is respectable.
Thanks.
Please add a comment if I forgot to mention something that is required to understand.
Let me explain my scenario completely:
I have two machines which have Apache installed and integrated with a Tomcat server using the mod_jk connector, e.g. the app0 and app1 machines. Both machines receive requests from the EC2 load balancer. To replicate the session for each server instance I have used the DeltaManager JDBC store setting, because EC2 does not support the SimpleTCPCluster setting.
DeltaManager code:
<Manager className="org.apache.catalina.session.PersistentManager"
         saveOnRestart="true"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="20"
         processExpiresFrequency="1">
  <Store className="org.apache.catalina.session.JDBCStore"
         connectionURL="jdbc:mysql://localhost:3306/tomcat"
         driverName="com.mysql.jdbc.Driver"
         connectionName="username"
         connectionPassword="password"
         sessionIdCol="session_id"
         sessionValidCol="valid_session"
         sessionMaxInactiveCol="max_inactive"
         sessionLastAccessedCol="last_access"
         sessionTable="sessions"
         sessionAppCol="app_name"
         sessionDataCol="session_data"
  />
</Manager>
This all works fine on my local machine but fails in production, as there are two machines and they are handled by the EC2 load balancer.
Please comment if anything else is required.
The issue with the session was that the jsessionid cookie was removed from the request due to a different path. The app has "/" (root) as its path and jsessionid had a path of "/". This caused jsessionid to be removed from the request, and since the server never received the jsessionid it was creating a new one all the time.
We fixed the issue by adding the parameter emptySessionPath="true" to all connectors in /etc/tomcat6/server.xml.
I have an issue retrieving current sessions in OpenAM.
When I connect with the amAdmin user on the first server and go to the Sessions item on the administration page, I cannot see the sessions on the second server.
I get the following error:
Failed to get the valid sessions from the specified server.
But sometimes I can see the sessions on the second server.
But when I connect with the amAdmin user on the second server and go to the Sessions item, I can only see the open sessions on the second server (only the current sessions on the second server are displayed instead of the open sessions for the first server).
I have restarted the web container after configuring both servers, and I have also checked keystore.jk (it is the same on both servers).
The session failover is configured as recommended in the OpenAM documentation.
After checking /sso/debug -> Session,
I get the following message:
ERROR: Session:getValidSession :
com.iplanet.dpro.session.SessionException: AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..* Invalid session ID.AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..*
    at com.iplanet.dpro.session.Session.getSessionResponseWithoutRetry(Session.java:1583)
    at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1340)
    at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1201)
    at com.sun.identity.console.session.model.SMProfileModelImpl.initSessionsList(SMProfileModelImpl.java:111)
    at com.sun.identity.console.session.model.SMProfileModelImpl.getSessionCache(SMProfileModelImpl.java:307)
    at com.sun.identity.console.session.SMProfileViewBean.beginDisplay(SMProfileViewBean.java:190)
    at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
Do you have any ideas to fix this issue?
Best regards
OpenAM uses an HTTP URL connection to the other instance's URL (listed under 'Servers & Sites') to retrieve the session information.
If the OpenAM server instance URLs have the scheme 'https', make sure the deployment container trusts the issuer of the cert... that's plain JSSE (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html), not OpenAM related.
Session failover means 'failover', not session replication.
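A way to verify the JSSE point from that answer before touching OpenAM, as an added diagnostic that is not part of the original answer: connect to the peer instance URL with the JVM's default trust manager, and on failure show the chain the peer actually presents so the right issuer can be imported into the container's truststore (with `keytool -importcert`). Run it with the same JDK and the same -Djavax.net.ssl.trustStore settings the OpenAM container uses, otherwise it answers a question about a different truststore. The peer URL is an assumption; use the instance URL as listed under Servers & Sites.

```java
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Does this JVM's truststore accept the peer OpenAM instance's HTTPS certificate? */
public class PeerTrustCheck {

    /** Ordinary JSSE handshake with the default trust manager: true if trusted. */
    static boolean trustedByDefaultStore(URL peer) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) peer.openConnection();
        conn.setConnectTimeout(5000);
        try {
            conn.connect();          // performs the TLS handshake
            return true;
        } catch (SSLHandshakeException e) {
            return false;            // PKIX path building failed, untrusted issuer, etc.
        } finally {
            conn.disconnect();
        }
    }

    /** Captures the chain the peer presents without validating it. Diagnostics only:
     *  a trust manager that accepts everything must never be used for real traffic. */
    static X509Certificate[] presentedChain(URL peer) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { captured[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        HttpsURLConnection conn = (HttpsURLConnection) peer.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // diagnostics only
        conn.setConnectTimeout(5000);
        try {
            conn.connect();
        } finally {
            conn.disconnect();
        }
        return captured[0];
    }

    public static void main(String[] args) throws Exception {
        // Assumed peer URL (second OpenAM instance); pass the real one as the first argument.
        URL peer = new URL(args.length > 0 ? args[0] : "https://openam2.example.com:8443/sso");
        if (trustedByDefaultStore(peer)) {
            System.out.println("peer is trusted by this JVM's truststore");
            return;
        }
        System.out.println("handshake failed; the peer presented this chain:");
        for (X509Certificate c : presentedChain(peer)) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal());
        }
        System.out.println("import the issuer of the last certificate above into the "
                + "container truststore with keytool -importcert, then restart the container");
    }
}
```

If the peer presents only its leaf certificate and no intermediate, the issuer you need is not in the output; obtain the intermediate from the CA and import the full chain, rather than importing the leaf itself, which would break again at the next renewal.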
The issue has been resolved after modifying settings in the OpenAM config file 'bootstrap'.
Some settings are not correctly saved in this file.