If Autosys EEM is down at one side, will WCC of other side work? - high-availability

In our firm's Autosys infrastructure, we have a primary environment and a secondary environment, and we have a highly available architecture. This means that when one site is down, the other site takes the primary role thanks to the tie breaker. However, I have noticed that when the data server is up and EEM is down on one side, we are unable to log in to the WCC of even the other side. Is this expected behavior?

So you have both EEMs enabled in autosys_secure? You should have both set up there, and also under WCC have each instance pointing to both EEMs as well.
Check the EEMs configured on the WCC server:
Connect to the WCC server, find where wcc_config is, and then run:
wcc_config -u username --displayeem
It should show you all the EEMs that are configured on it.

Use gMSA for Hashicorp Vault mssql credential rotation

I want to start using Vault to rotate credentials for mssql databases, and I need to be able to use a gMSA in my mssql connection string. My organization currently only uses Windows servers and will only provide gMSAs for service accounts.
Specifying the gMSA as the user id in the connection string returns a 400 error: "error creating database object: error verifying connection: InitialBytes InitializeSecurityContext failed 8009030c".
I also tried transitioning my vault services to use the gMSA as their log on user, but this made nodes unable to become a leader node even though they were able to join the cluster and forward requests.
My setup:
I have a Vault cluster running across a few Windows servers. I use nssm to run them as a Windows service since there is no native Windows service support.
nssm is configured to run vault server -config="C:\vault\config.hcl" and uses the Local System account to run under.
When I change the user, the node is able to start up and join the raft cluster as a follower, but can not obtain leader status, which causes my cluster to become unresponsive once the Local System user nodes are off.
The servers are running on Windows Server 2022 and Vault is at v1.10.3, using integrated raft storage. I have 5 vault nodes in my cluster.
I tried running the following command to configure my database secret engine:
vault write database/config/testdb \
connection_url='server=myserver\testdb;user id=domain\gmsaUser;database=mydb;app name=vault;' \
allowed_roles="my-role"
which caused the error message I mentioned above.
I then tried to change the log on user for the service. I followed these steps to rotate the user:
Updated the directory permissions for everywhere vault is touching (configs, certificates, storage) to include my gMSA user. I gave it read permissions for the config and certificate files and read/write for storage.
Stopped the service
Removed the node as a peer from the cluster using vault operator raft remove-peer instanceName.
Deleted the old storage files
Changed the service user by running sc.exe --% config "vault" obj="domain\gmsaUser" type= own.
Started the service back up and waited for replication
When I completed the last step, I could see the node reappear as a voter in the Vault UI. I was able to directly hit the node using the cli and ui and get a response. This is not an enterprise cluster, so this should have just forwarded the request to the leader, confirming that the clustering portion was working.
Before I got to the last node, I tried running vault operator step-down and was never able to get the leader to rotate. Turning off the last node made the cluster unresponsive.
I did not expect changing the log on user to cause any issue with the node's ability to operate. I reviewed the logs but there was nothing out of the ordinary, even after setting the log level to trace. They do show a successful unseal, standby mode, and joining the raft cluster.
Most of the documentation I have found for the mssql secret engine includes creating a user/pass at the sql server for Vault to use, which is not an option for me. Is there any way I can use the gMSA in my mssql config?
When you put a user id into the SQL connection string it will try to do SQL authentication and no longer try Windows authentication (while a gMSA is Windows-authentication based).
When setting up the gMSA account, did you specify the correct parameter for who is allowed to retrieve the password? (Correct: PrincipalsAllowedToRetrieveManagedPassword; incorrect, but the first suggestion when using tab completion: PrincipalsAllowedToDelegateToAccount.)
Maybe you also need to run Install-ADServiceAccount ... on the machine you're running Vault on.
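The checks the answer above describes, as an added PowerShell example (not code from the original thread or from HashiCorp). It assumes the gMSA is named gmsaUser in domain "domain", that the Vault host belongs to an AD group named VaultHosts, and that the ActiveDirectory RSAT module is installed on the Vault host; the vault write at the end assumes that omitting "user id" is what makes the plugin fall back to Windows authentication, which is the answer's reasoning, not something the thread confirmed.

```powershell
# Added example: verify a gMSA is usable on the Vault host before pointing
# Vault's mssql plugin at it. Names (gmsaUser, VaultHosts, myserver, mydb)
# are placeholders for this example.
Import-Module ActiveDirectory

$gmsa = 'gmsaUser'

# 1. Who may retrieve the managed password? This must include the Vault host
#    (or a group it belongs to). PrincipalsAllowedToDelegateToAccount is a
#    different attribute and does not grant this.
$acct = Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword

# If the host (or its group) is missing, grant it. 'VaultHosts' is an assumed
# group containing the Vault nodes' computer accounts.
# Set-ADServiceAccount -Identity $gmsa -PrincipalsAllowedToRetrieveManagedPassword 'VaultHosts'

# 2. Install the gMSA on this machine and confirm it can retrieve the password.
#    A failing Test-ADServiceAccount here explains an SSPI failure later.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "Host $env:COMPUTERNAME cannot retrieve the managed password for $gmsa"
}

# 3. The Vault process itself must run as the gMSA for integrated auth to
#    present that identity to SQL Server. gMSA logons use the sAMAccountName
#    with a trailing '$' and an empty password. (The thread reports a raft
#    leadership problem when the service runs as the gMSA; that is not
#    addressed here.)
sc.exe --% config vault obj= "domain\gmsaUser$" password= "" type= own

# 4. Configure the plugin WITHOUT "user id": per the answer, a user id forces
#    SQL authentication. Whether this exact string selects Windows auth in your
#    Vault version is an assumption; check the mssql plugin docs for it.
vault write database/config/testdb `
  connection_url='server=myserver\testdb;database=mydb;app name=vault;' `
  allowed_roles='my-role'
```

Run steps 1 and 2 on every Vault node, not just one: each node that could become leader needs to be able to retrieve the managed password, because the leader is the node that opens the SQL connection.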

SQL Server 2016 linked Oracle Server - Suddenly stopped working

After rebooting my Windows Server 2016 Standard (SQL Server 2016) my SSIS process that runs this query:
select * from openquery(HRMPROD, 'SELECT QUERY HERE' )
started failing with this error:
I get the same error if I try to run the query in SSMS. I have the same linked server set up on my test instance and the query is successful when I run it there. I have compared the linked server create script on both instances and it is the same.
Any idea where I should look for what is causing the connection issue on the one server but not the other?
Thank you.
Saying the answer is on the Oracle side is just like pointing fingers across the way. Let's just fix the issue here.
There is a connection string that is used from SSIS (which you also used in SSMS). The connection string contains three main components needed to connect, and would result in the 12154 error if any of them were incorrect:
Host
Instance name (different from an instance on SQL Server; think database name)
Port
The port most likely hasn't changed, and neither has the database name, but the host... No, that hasn't changed either, but the DNS server used to connect most likely has! I would ping the host and see what returns from the SSIS host and the SSMS host that you're using. I would expect it to fail. Find out what IP address the host is using and ping that, and see if it returns. I'm guessing that's the change that needs to be updated, or your network folks need to fix a DNS configuration/server issue.
Hope this helps!
Kellyn
Since you are getting a response from the TNS Listener, the problem lies on the Oracle side. See Architecture of Oracle Network Services for an overview of how the Oracle networking handles things. Keep in mind that based on the error message you've reached the TNS Listener, so you only need to check things between TNS and the Oracle database... In other words, your networking and SQL Server settings are fine or you wouldn't be able to get this error message.
I would agree with above that the issue might have to do with the network. I have come across that a few times, where we can set everything up, but a firewall is blocking communication between the two servers.
Open up PowerShell on the new server and run a tracert to the target to see the hops and identify whether it is connecting across the network.
If it is, then run Test-NetConnection on the specific port to see if the port is open through the firewalls.
Cheers!
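The checks the three answers above suggest, as one added PowerShell diagnostic run from the SQL Server host (an added example, not code from the thread). It assumes the HRMPROD TNS alias resolves to host oraprod.example.com, port 1521 and service name HRMPROD; substitute the values from your tnsnames.ora.

```powershell
# Added example: verify host, port and service name for an Oracle linked
# server from the SQL Server box. Hostname, port and service are assumed
# placeholders for this example.
$OraHost = 'oraprod.example.com'
$OraPort = 1521
$Service = 'HRMPROD'

# 1. Name resolution: compare what THIS server resolves against the IP the
#    working test instance uses. A different or stale DNS server after a
#    reboot is the case Kellyn's answer describes.
$dns = Resolve-DnsName -Name $OraHost -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "$OraHost does not resolve on $env:COMPUTERNAME"
} else {
    $dns | Where-Object { $_.Type -in 'A','AAAA' } | Format-Table Name, IPAddress -AutoSize
}

# 2. Path and port: tracert shows where packets go; Test-NetConnection tells
#    you whether the listener port is reachable (a firewall fails this even
#    when ping succeeds).
tracert -d $OraHost
$tnc = Test-NetConnection -ComputerName $OraHost -Port $OraPort
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP $OraPort to $OraHost is blocked or the listener is down"
}

# 3. Listener and service: with the Oracle client installed on the SQL Server
#    host, tnsping confirms the alias reaches the listener. A successful
#    tnsping with a still-failing query points at the service/instance name
#    or the database itself, which is the Oracle-side case in the second answer.
tnsping $Service

# 4. Which tnsnames.ora / sqlnet.ora does the SQL Server service see? If a
#    reboot changed TNS_ADMIN or PATH, the alias may now resolve differently
#    from the one you compared on the test instance.
Get-ChildItem Env:TNS_ADMIN, Env:PATH -ErrorAction SilentlyContinue
```

Run the same script on the test instance where the query works and diff the two outputs; the first line that differs is the component to fix.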

Jdbc connection error from Google Apps Script

I have created a Google Cloud Project MySQL database to use in conjunction with the Jdbc service provided by Google Apps Script. Everything went as planned with the connection. I am basically connecting as it does in the docs.
var conn = Jdbc.getCloudSqlConnection(dbUrl, user, userPwd);
I shared the file with another account and all of a sudden I am seeing a red error saying:
'Failed to establish a database connection. Check connection string, username and password.'
Nothing changed in the code, but there is an error. When I go back to my original account and run the same bit of code, there is no error. What is happening here? Any ideas?
Jdbc.getConnection works from both: my account and another account:
var conn = Jdbc.getConnection('jdbc:mysql://' + IP + ':3306/' + database_name, user, password)
I'm really confused because the recommended method did not work.
There are two ways of establishing a connection with a Google Cloud SQL database using Apps Script's JDBC service:
(Recommended) Connecting using Jdbc.getCloudSqlConnection(url)
Connecting using Jdbc.getConnection(url)
Notes:
IP is a Public IP address from the OVERVIEW tab in your database console:
I allowed any host when creating the user:
I am not sure whether this question has been resolved or not, but let me add this answer.
I also faced the same problem but I found the resolution. What I did is:
First, go to the console.
https://console.cloud.google.com
Then, open IAM.
and add the account as a member and add this permission: "Cloud SQL Client".
I think this is a permission issue in your second account. Necessary information is missing from your question. But the second account, if run as another user, won't necessarily have your sqlservice authorization. The permission,
https://www.googleapis.com/auth/sqlservice
Manage the data in your Google SQL Service instances
is required to use Jdbc.getCloudSqlConnection(url), while Jdbc#getConnectionUrl() just requires external link connection permission
https://www.googleapis.com/auth/script.external_request
I believe that you can only connect to sql instances owned by you with getCloudSqlConnection() which doesn't even require external connection permission. This method probably calls your sql instance internally.
References:
Jdbc#getCloudConnection
Jdbc#getConnection
Conclusion
To connect to any external service, you need the external_request permission. But you don't need that permission to connect to your own documents, say, spreadsheets owned by you or that you have edit access to, through SpreadsheetApp.openByUrl(). I believe it's the same thing with Jdbc.getCloudSqlConnection(). It calls your Google SQL instance internally, so even if you grant the external request permission, it won't work. What will work for this method is
Installable triggers (which runs as you).
Add the second account also as owner in GCP-IAM (may not work though) See this answer
I'd double-check once again all the IP ranges which should be whitelisted. According to your description it worked fine in the first account; probably in the second account Apps Script uses another IP for the connection, which was not whitelisted or was whitelisted with a typo. Could you share a screenshot of how exactly you whitelisted the ranges from this article?
I have a GAS Add-On that uses a Google Cloud DB. I initially set this up by:
Whitelisting Google Cloud IP ranges in my SQL instance
Getting the script.external_request scope approved for OAuth Consent screen
This all works great from GAS for the add-on, but I suspect that if this whitelist is not comprehensive and is volatile (which I expect it is), I will see intermittent connectivity issues.
I recently added a Firebase web app that needs access to the same DB. I had issues, because Firebase does not conform to those Google IP ranges and does not expose its IP for whitelisting. So I had to create a socket layer connection as if Firebase was an external service.
Which got me thinking, should I put a socket layer in my GAS Add-On? But nothing in the GAS JDBC class documentation indicates a socket parameter.
Which leads me to a question that was not really answered in this thread:
Does anyone know why Jdbc.getCloudSqlConnection(url) is the "Recommended" approach? The documentation seems to imply that because IP whitelisting is not required, Jdbc.getCloudSqlConnection(url) is using a socket (or some other secure method) to connect to the DB?
It also seems silly that, if that is the case, I would need to have two sensitive scopes to manage a DB connection. I would rather not go through another OAuth consent audit and require my users to accept another scope unless there is a benefit to doing so.

Mysql Cluster in Windows

I am trying to use MySQL Cluster version 7.5. After opening the web browser and clicking on "Create new MySQL Cluster", and getting to the "Define cluster" page, I write the IP of the remote data node into the host list field, but I get an error which says "There were errors when connecting to the remote hosts. Host 172.16.1.129: couldn't open socket to 172.16.1.129. Press OK to continue to the next page anyway, or Cancel to stay in the previous page."
I turned off the Windows firewall too, but no luck.
What is the cause of this error and how do I solve it?
What are the essential steps to install/configure on the remote PC (data node)?
Thanks a lot
https://www.mysql.com/support/supportedplatforms/cluster.html
Did you check this, to see whether your OS is supported?
This has nothing to do with supported platforms. My guess is that the credentials you used to connect to the nodes are bad. In that version of the MySQL NDB Cluster Auto-Installer you can provide only cluster-wide credentials, i.e. one set of credentials for all the hosts. Those credentials could be a) a private key without a passphrase (id_rsa in ~/.ssh) or b) an ordinary username/password. Please see the HTML help file that comes with the Auto-Installer for details.

Microsoft HPC SetCreds results in the server has rejected the client credentials

I am trying to set credentials (for running a job) using
cluscfg setcreds /scheduler:scheduler1 /user:domain2\user1 /password:pass
I get "The server has rejected the client credentials"
The client machine is in domain1.
Question:
1. Is this related to crossing the domain?
2. Is this related to some attribute on the account? That the account is not sufficiently privileged to be able to run an HPC job?
Which domain is the scheduler in? If the scheduler is in domain2 and there's no trust relationship between domain1 and domain2 you may have credential problems. Can you use the Job Manager or Cluster Manager UI to look at scheduler1 from your client machine?
DOMAIN2\user1 needs to be configured as a cluster user (or administrator) on scheduler1. You can do that by manually adding DOMAIN2\user1 in the cluster configuration UI, or you can add some group which contains DOMAIN2\user1 (such as DOMAIN2\DOMAIN USERS).
Sorry for the late response; I don't check StackOverflow as often as I should :-\
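The two checks the answers above describe (is there a trust, and is the account a cluster user), as an added PowerShell example rather than code from the thread. It assumes the ActiveDirectory module and the HPC Pack PowerShell module are available on the machine it is run from, that the head node is scheduler1 in domain2, and that the client is in domain1.

```powershell
# Added example: diagnose "The server has rejected the client credentials"
# for cluscfg setcreds across two domains. domain1, domain2, user1 and
# scheduler1 are the names from the question, used here as placeholders.
Import-Module ActiveDirectory

# 1. Is there a trust between the client's domain and the scheduler's domain?
#    Without one, domain2\user1 cannot be validated from a domain1 client and
#    the credentials are rejected before HPC ever looks at them.
Get-ADTrust -Filter * | Format-Table Name, Direction, TrustType -AutoSize

# Same information without the AD module (works on any domain-joined host):
nltest /domain_trusts

# 2. Make DOMAIN2\user1 a cluster user on scheduler1. This is the UI step in
#    the answer, scripted with the HPC Pack cmdlet; run it against the head
#    node with cluster administrator rights. A group (e.g. 'DOMAIN2\Domain Users')
#    can be given instead of a single account.
Add-HpcMember -Name 'domain2\user1' -Role User -Scheduler 'scheduler1'

# 3. Retry storing the job credentials. Omitting /password makes cluscfg
#    prompt for it instead of leaving the password in the shell history.
cluscfg setcreds /scheduler:scheduler1 /user:domain2\user1
```

If step 1 shows no trust in the direction the scheduler needs, step 2 will not help; the trust has to be created by the domain administrators first.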
