PostgreSQL SSL connection

John A. Sullivan III

PostgreSQL SSL connection

Good day, all.  We're exploring using OpenNMS after a hiatus of several
years.  We would like to separate the OpenNMS polling/collection/web
from the database.  This seemed to work very well in the installation
after editing opennms-datasources.xml with one problem - no SSL.  Thus,
I suspect we are also going to fail if we try to use SSL after
installation.

We had defined the access control for the connection in pg_hba.conf with
hostssl.  The psql client from the OpenNMS server connects just fine to
the database but the installation routine failed until we changed
hostssl to simply host.

Is there something we're missing to make OpenNMS use SSL to speak to the
database or has the java database connector been compiled without SSL
support? If the latter is the case, might we suggest compiling it with
SSL? We hesitated to move to a different JDK rather than the one in the
OpenNMS repository.  By the way, we are running on CentOS 5.3 in an
x86_64 VServer guest.  Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss
Benjamin Reed

Re: PostgreSQL SSL connection

On 9/18/09 9:15 PM, John A. Sullivan III wrote:
> Good day, all.  We're exploring using OpenNMS after a hiatus of several
> years.  We would like to separate the OpenNMS polling/collection/web
> from the database.  This seemed to work very well in the installation
> after editing opennms-datasources.xml with one problem - no SSL.  Thus,
> I suspect we are also going to fail if we try to use SSL after

From what I can tell by the PostgreSQL web site, you just need to add
?ssl=true to the end of the JDBC URL and it should work.

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/




John A. Sullivan III

Re: PostgreSQL SSL connection

On Fri, 2009-09-18 at 23:15 -0400, Benjamin Reed wrote:
> On 9/18/09 9:15 PM, John A. Sullivan III wrote:
> > Good day, all.  We're exploring using OpenNMS after a hiatus of several
> > years.  We would like to separate the OpenNMS polling/collection/web
> > from the database.  This seemed to work very well in the installation
> > after editing opennms-datasources.xml with one problem - no SSL.  Thus,
> > I suspect we are also going to fail if we try to use SSL after
>
> From what I can tell by the PostgreSQL web site, you just need to add
> ?ssl=true to the end of the JDBC URL and it should work.
<snip>
Ah, I tried adding it to the opennms-datasources.xml file.  I'll give
that a try.  Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


Benjamin Reed

Re: PostgreSQL SSL connection

On 9/19/09 6:22 AM, John A. Sullivan III wrote:

>> From what I can tell by the PostgreSQL web site, you just need to add
>> ?ssl=true to the end of the JDBC URL and it should work.
> <snip>
> Ah, I tried adding it to the opennms-datasources.xml file.  I'll give
> that a try.  Thanks - John

Right, that's what I meant.  IE:

  <jdbc-data-source name="opennms"
          database-name="opennms"
          class-name="org.postgresql.Driver"
          url="jdbc:postgresql://localhost:5432/opennms?ssl=true"
          user-name="opennms"
          password="opennms" />

  <jdbc-data-source name="opennms-admin"
          database-name="template1"
          class-name="org.postgresql.Driver"
          url="jdbc:postgresql://localhost:5432/template1?ssl=true"
          user-name="postgres"
          password="" />


--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/




David Hustace

Re: PostgreSQL SSL connection


On Sep 19, 2009, at 9:58 AM, Benjamin Reed wrote:

> On 9/19/09 6:22 AM, John A. Sullivan III wrote:
>
>>> From what I can tell by the PostgreSQL web site, you just need to add
>>> ?ssl=true to the end of the JDBC URL and it should work.
>> <snip>
>> Ah, I tried adding it to the opennms-datasources.xml file.  I'll give
>> that a try.  Thanks - John
>
> Right, that's what I meant.  IE:

In my earlier testing, the JDBC driver automatically detects that it needed to use SSL.  Is it true that this is not working in this case?

David


David Hustace
President
The OpenNMS Group, Inc.


John A. Sullivan III

Re: PostgreSQL SSL connection

On Sat, 2009-09-19 at 12:02 -0400, David Hustace wrote:

>
> On Sep 19, 2009, at 9:58 AM, Benjamin Reed wrote:
>
> > On 9/19/09 6:22 AM, John A. Sullivan III wrote:
> >
> > > > From what I can tell by the PostgreSQL web site, you just need
> > > > to add
> > > > ?ssl=true to the end of the JDBC URL and it should work.
> > > <snip>
> > > Ah, I tried adding it to the opennms-datasources.xml file.  I'll
> > > give
> > > that a try.  Thanks - John
> >
> > Right, that's what I meant.  IE:
> >
>
>
> In my earlier testing, the JDBC driver automatically detects that it
> needed to use SSL.  Is it true that this is not working in this case?

<snip>
Sorry to take so long to get back to everyone; I was away this weekend.

It is failing.  I had tried adding it to opennms-datasources.xml as a
parameter, i.e., ssl="true".  That did not work.

I've just tried making it part of the url and it also fails but
differently.  Here is my (expunged) opennms-datasources.xml with the
attempt:

<?xml version="1.0" encoding="UTF-8"?>
<datasource-configuration xmlns:this="http://xmlns.opennms.org/xsd/config/opennms-datasources"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.opennms.org/xsd/config/opennms-datasources
                      http://www.opennms.org/xsd/config/opennms-datasources.xsd ">
  <jdbc-data-source name="opennms"
                    database-name="opennms"
                    class-name="org.postgresql.Driver"
                    url="jdbc:postgresql://pg01:5432/opennms?ssl=true"
                    user-name="non-default"
                    password="passphrase" />

  <jdbc-data-source name="opennms-admin"
                    database-name="template1"
                    class-name="org.postgresql.Driver"
                    url="jdbc:postgresql://pg01:5432/template1?ssl=true"
                    user-name="postgres"
                    password="passphrase" />
</datasource-configuration>

Restarting opennms then gives me:

Starting OpenNMS: org.postgresql.util.PSQLException: The connection attempt failed.
OpenNMS runs better if you start up the database first.
                                                           [FAILED]
Changing opennms-datasources.xml so that it reads (expunged):

<?xml version="1.0" encoding="UTF-8"?>
<datasource-configuration xmlns:this="http://xmlns.opennms.org/xsd/config/opennms-datasources"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.opennms.org/xsd/config/opennms-datasources
                      http://www.opennms.org/xsd/config/opennms-datasources.xsd ">
  <jdbc-data-source name="opennms"
                    database-name="opennms"
                    class-name="org.postgresql.Driver"
                    url="jdbc:postgresql://pg01:5432/opennms"
                    user-name="non-default"
                    password="passphrase" />

  <jdbc-data-source name="opennms-admin"
                    database-name="template1"
                    class-name="org.postgresql.Driver"
                    url="jdbc:postgresql://pg01:5432/template1"
                    user-name="postgres"
                    password="passphrase" />
</datasource-configuration>

results in a different error:

Starting OpenNMS: org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "172.x.x.31", user "postgres", database "template1", SSL off
OpenNMS runs better if you start up the database first.

pg_hba.conf does indeed have:
hostssl template1 postgres      172.x.x.31/32         md5

Changing just the template1 entry to host instead of hostssl but leaving
the rest as hostssl and setting the opennms connection to use ?ssl=true,
we do not get the error message on the stdout when starting opennms but
it still fails. The logs show:

An error occurred while attempting to start the "OpenNMS:Name=Eventd" service (class org.opennms.netmgt.eventd.jmx.Eventd).  Shutting down and exiting.
javax.management.RuntimeMBeanException: RuntimeException thrown in operation init
        at com.sun.jmx.mbeanserver.StandardMetaDataImpl.wrapRuntimeException(StandardMetaDataImpl.java:994)
        at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:430)
        at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
        at org.opennms.netmgt.vmmgr.Invoker.invoke(Invoker.java:313)
        at org.opennms.netmgt.vmmgr.Invoker.invokeMethods(Invoker.java:236)
        at org.opennms.netmgt.vmmgr.Starter.start(Starter.java:253)
        at org.opennms.netmgt.vmmgr.Starter.startDaemon(Starter.java:127)
        at org.opennms.netmgt.vmmgr.Controller.start(Controller.java:197)
        at org.opennms.netmgt.vmmgr.Controller.main(Controller.java:169)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.opennms.bootstrap.Bootstrap$3.run(Bootstrap.java:368)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.springframework.beans.factory.access.BootstrapException: Unable to return specified BeanFactory instance: factory key [eventDaemonContext], from group with resource name [classpath*:beanRefContext.xml]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'eventDaemonContext' defined in URL [jar:file:/opt/opennms/lib/opennms-services-1.6.6.jar!/beanRefContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.context.support.ClassPathXmlApplicationContext]: Constructor threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'daemon' defined in class path resource [META-INF/opennms/applicationContext-eventDaemon.xml]: Invocation of init method failed; nested exception is org.springframework.jdbc.UncategorizedSQLException: Hibernate operation: could not inspect JDBC autocommit mode; uncategorized SQLException for SQL [???]; SQL state [null]; error code [0]; Connections could not be acquired from the underlying  database!; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!
        at org.springframework.beans.factory.access.SingletonBeanFactoryLocator.useBeanFactory(SingletonBeanFactoryLocator.java:405)
        at org.opennms.core.utils.BeanUtils.getBeanFactory(BeanUtils.java:58)
        at org.opennms.core.utils.BeanUtils.getFactory(BeanUtils.java:101)
        at org.opennms.netmgt.daemon.AbstractSpringContextJmxServiceDaemon.init(AbstractSpringContextJmxServiceDaemon.java:80)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)


What am I doing wrong? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


Benjamin Reed

Re: PostgreSQL SSL connection

On 9/22/09 2:27 PM, John A. Sullivan III wrote:

> What am I doing wrong? Thanks - John

Honestly, I have never actually tried connecting OpenNMS up to
PostgreSQL using SSL, so I don't know why it's going wrong.  What you're
doing doesn't seem wrong to me; you could try replacing the JDBC driver
in $OPENNMS_HOME/lib with a newer version to see if it works better, but
we don't really do anything special at the connection-level as far as
I'm aware...

Maybe someone else on the list can speak up who's tried it...

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/




Roskens, Ronald

Re: PostgreSQL SSL connection

In reply to this post by John A. Sullivan III
It could be a certificate issue where java is unable to validate the
remote CA certificate.

Try using

       
url="jdbc:postgresql://pg01:5432/opennms?sslfactory=org.postgresql.ssl.NonValidatingFactory&ssl=on"
 
To see if that works. That's what the line looks like in my
opennms-datasources.xml file.

John A. Sullivan III

Re: PostgreSQL SSL connection

In reply to this post by Benjamin Reed
On Tue, 2009-09-22 at 14:33 -0400, Benjamin Reed wrote:

> On 9/22/09 2:27 PM, John A. Sullivan III wrote:
>
> > What am I doing wrong? Thanks - John
>
> Honestly, I have never actually tried connecting OpenNMS up to
> PostgreSQL using SSL, so I don't know why it's going wrong.  What you're
> doing doesn't seem wrong to me; you could try replacing the JDBC driver
> in $OPENNMS_HOME/lib with a newer version to see if it works better, but
> we don't really do anything special at the connection-level as far as
> I'm aware...
>
> Maybe someone else on the list can speak up who's tried it...
<snip>
Is it possible the jdk supplied in the opennms repository has been
compiled without ssl support? We could use a different jdk but are
hesitant to stray away from that provided in the opennms repository.
Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


John A. Sullivan III

Re: PostgreSQL SSL connection

In reply to this post by Roskens, Ronald
On Tue, 2009-09-22 at 13:39 -0500, Roskens, Ronald wrote:

> It could be a certificate issue where java is unable to validate the
> remote CA certificate.
>
> Try using
>
>
> url="jdbc:postgresql://pg01:5432/opennms?sslfactory=org.postgresql.ssl.NonValidatingFactory&ssl=on"
>  
> To see if that works. That's what the line looks like in my
> opennms-datasources.xml file.
>
<snip>
That worked but leaves me with some reservations.  Since this is turning
into more of a jdbc thread than opennms and reflects my ignorance of
jdbc, I'll go ahead and drop this thread if no one knows the answers
readily.

I'm concerned about man-in-the-middle attacks by not validating the cert
(we are a moderately secure environment).  I tried to figure out how to
tell opennms to validate the cert.  All my attempts failed.

I first tried to import our CA cert into
the /usr/java/jdk1.5.0_18/lib/security/cacerts keystore.  The import was
successful but the connection failed.  I then imported the database
server's cert (after converting it to der format from pem) into the same
keystore with the same results (import succeeded, connection failed).  I
tried with the default password (changeit) and a different password.

Does anyone know how to have opennms validate the database server's cert
to establish an SSL connection? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


Roskens, Ronald

Re: PostgreSQL SSL connection

Check your opennms.properties file to see if you have uncommented out
the entries for javax.net.ssl.keyStore and javax.net.ssl.trustStore. If
these are set, they override the jdk defaults
/usr/java/jdk1.5.0_18/lib/security/... files.

Then import your CA certificate into both of those files, and I believe
that will let you have a verified ssl connection to the database.

Ron

John A. Sullivan III

Re: PostgreSQL SSL connection

Hmm . . . I don't see those entries.  I do see a
 #org.opennms.netmgt.jetty.https-keystore = /opt/opennms/etc/jetty.keystore

All those settings seem to be about enabling https to the web interface
and not the database.

I did a grep for ssl on the entire /opt/opennms/etc directory but it
turns up very little:

capsd-configuration.xml:        <property key="usessl" value="false" />
datacollection-config.xml:        <mibObj oid=".1.3.6.1.4.1.3375.2.1.1.2.9.2"  instance="0" alias="f5CsslCurConns" type="integer" />
datacollection-config.xml:        <mibObj oid=".1.3.6.1.4.1.3375.2.1.1.2.10.2" instance="0" alias="f5SsslCurConns" type="integer" />
javamail-configuration.properties:#org.opennms.core.utils.smtpssl.enable=false
poller-configuration.xml:      <parameter key="usessl" value="false" />

So, alas, I'm still at a loss about how to implement verified SSL
communication with the database.  Thanks - John

DJ Gregor-2

Re: PostgreSQL SSL connection

John, have you seen and followed the PostgreSQL JDBC documentation for
setting up the JDBC client to use SSL?

http://jdbc.postgresql.org/documentation/80/ssl-client.html


        - djg

John A. Sullivan III

Re: PostgreSQL SSL connection

Yes, indeed. That's where I started but it doesn't mean I understood it
properly being the java ignoramus I am! I also tried several variations.

I first tried using just the CA cert hoping it would trust the database
server cert by virtue of the CA cert.  I did not convert the CA cert to
der format but keytool seemed to import it correctly and listed it back
correctly.  This was into the default security/cacerts file so I did not
change the java command line.

When that didn't work, I converted the database server cert to der
format, imported it into the cacerts file and it still failed.  I tried
it with the default password on the keystore and with a custom password
on the keystore.

I did indeed add ?ssl=true.  So far, the only way I've gotten it to work
is with the NonValidatingFactory.  In other words, this works:

url="jdbc:postgresql://pg01:5432/opennms?sslfactory=org.postgresql.ssl.NonValidatingFactory&ssl=on"

but this doesn't:

url="jdbc:postgresql://pg01:5432/opennms?ssl=true"

with the database configured the same way in each case.  Thanks for the
pointer. I just wish I knew more about java syntax, conventions, and ssl
handling - John


--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


John A. Sullivan III

Re: PostgreSQL SSL connection

Just in case I'm braincramping, I'll walk through the steps again and
post them below in case someone can see what I'm doing wrong.  My
apologies for the top post but that seems to be the way this thread has
developed.

The steps are executed as root on a KVM guest on CentOS 5.3.  I did not
install postgresql-jdbc.x86_64 from the CentOS repository.  I assume it
was pulled in during the OpenNMS installation from the opennms
repository.  Actual values and names have been altered for security.

/usr/java/jdk1.5.0_18/lib/security does not exist so
mkdir /usr/java/jdk1.5.0_18/lib/security
cd /usr/java/jdk1.5.0_18/bin
./keytool -import -keystore /usr/java/jdk1.5.0_18/lib/security/cacerts -alias pg01 -file /etc/pki/tls/certs/pg01c.der
Enter keystore password:  changeit
Owner: CN=pg01.mycompany.com, OU=DBs, DC=mycompany, DC=com
Issuer: CN=MyCA, OU=Sec, DC=mycompany, DC=com
Serial number: 14
Valid from: Mon May 04 16:15:54 GMT-05:00 2009 until: Fri Jun 03 16:15:54 GMT-05:00 2011
Certificate fingerprints:
         MD5:  14:92:B4:B9:DA:1B:1C:12:86:54:EB:43:23:C4:32:07
         SHA1: 1C:C4:4D:AE:EA:9B:2F:14:C6:81:C4:C7:FE:31:1F:BF:D8:E8:DD:71
Trust this certificate? [no]:  yes
Certificate was added to keystore

From opennms-datasources.xml:
url="jdbc:postgresql://pg01:5432/opennms?ssl=true"

[root@onms01 etc]# service opennms restart
Stopping OpenNMS:                                          [  OK  ]
Starting OpenNMS: org.postgresql.util.PSQLException: The connection attempt failed.
OpenNMS runs better if you start up the database first.
                                                           [FAILED]

What did I miss? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
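The two JDBC URLs John contrasts above (?ssl=true, which fails, versus the NonValidatingFactory URL, which connects), Ron's javax.net.ssl.trustStore suggestion and the keytool walkthrough, as an added example that is not from the thread, OpenNMS or the PostgreSQL JDBC driver: it classifies each datasource URL by what the connection actually guarantees and lists the files the JVM will consult as a trust store. The element names in the constructed XML, the jre/ layout of a JDK 5-8 install and the handling of ssl=false are assumptions.

```python
# Added example for this thread, not code from OpenNMS or the PostgreSQL JDBC
# driver: classify datasource URLs and locate the trust store the JVM will use.
import os
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"

# Constructed sample modelled on the URLs quoted in the thread.  Element and
# attribute names follow opennms-datasources.xml as I remember it (assumed);
# the parser only looks for a 'url' attribute, so other layouts work too.
# Inside an XML attribute value a literal '&' must be written as '&amp;'.
SAMPLE_DATASOURCES_XML = """\
<datasource-configuration>
  <jdbc-data-source name="opennms" class-name="org.postgresql.Driver"
      url="jdbc:postgresql://pg01:5432/opennms?sslfactory=org.postgresql.ssl.NonValidatingFactory&amp;ssl=on"
      user-name="opennms" />
  <jdbc-data-source name="opennms-admin" class-name="org.postgresql.Driver"
      url="jdbc:postgresql://pg01:5432/template1?ssl=true"
      user-name="postgres" />
  <jdbc-data-source name="legacy" class-name="org.postgresql.Driver"
      url="jdbc:postgresql://pg01:5432/opennms"
      user-name="opennms" />
</datasource-configuration>
"""

# Constructed opennms.properties fragment: keyStore set, trustStore still
# commented out, so the JVM falls back to its built-in cacerts file.
SAMPLE_PROPERTIES = """\
# SSL Configuration
javax.net.ssl.keyStore=/etc/pki/tls/private/keystore.jks
#javax.net.ssl.trustStore=/etc/pki/tls/certs/cacerts.jks
"""


def classify_url(jdbc_url):
    """Return PLAINTEXT, ENCRYPTED_UNAUTHENTICATED or ENCRYPTED_VALIDATED.

    The driver in the thread enabled SSL whenever 'ssl' was present ('ssl=on'
    and 'ssl=true' both worked); treating 'ssl=false' as off is this checker's
    own assumption.  With SSL on and no sslfactory, the default JSSE socket
    factory validates the server certificate against the JVM trust store.
    NonValidatingFactory skips that check: encrypted, but peer unauthenticated.
    """
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % jdbc_url)
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    params = parse_qs(query, keep_blank_values=True)
    ssl_value = params.get("ssl", [None])[0]
    if ssl_value is None or ssl_value.lower() == "false":
        return "PLAINTEXT"
    if NON_VALIDATING in params.get("sslfactory", []):
        return "ENCRYPTED_UNAUTHENTICATED"
    return "ENCRYPTED_VALIDATED"


def audit_datasources(xml_text):
    """Return (name, host, classification) for every element with a url."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        url = element.attrib.get("url")
        if url is None:
            continue
        host = urlsplit(url[len("jdbc:"):]).hostname or "?"
        name = element.attrib.get("name", element.tag)
        findings.append((name, host, classify_url(url)))
    return findings


def configured_truststore(properties_text):
    """javax.net.ssl.trustStore from a Java properties text, or None."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "javax.net.ssl.trustStore":
            return value.strip()
    return None


def truststore_search_path(properties_text, jdk_home):
    """Files JSSE reads trusted CAs from, in the order it tries them.

    A javax.net.ssl.trustStore setting is the only candidate when present.
    Otherwise JSSE reads <java-home>/lib/security/jssecacerts, then cacerts,
    where java-home is the runtime directory: for a JDK 5-8 install that is
    <jdk>/jre, not <jdk> itself (layout assumed here).
    """
    override = configured_truststore(properties_text)
    if override:
        return [override]
    security = os.path.join(jdk_home, "jre", "lib", "security")
    return [os.path.join(security, "jssecacerts"),
            os.path.join(security, "cacerts")]


if __name__ == "__main__":
    for name, host, verdict in audit_datasources(SAMPLE_DATASOURCES_XML):
        print("%-14s %-5s %s" % (name, host, verdict))
    for path in truststore_search_path(SAMPLE_PROPERTIES, "/usr/java/jdk1.5.0_18"):
        print("trust store candidate:", path)
```

A CA imported into a file that is not on that list is never consulted, so keytool reports success while the ssl=true connection still fails validation.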


John A. Sullivan III

Re: PostgreSQL SSL connection

Ron made a similar suggestion for our problems using SSL with LDAP
authentication.  It worked for LDAPS but is still failing for the
database connection.

We created a non-default keystore as follows:

cd /usr/java/jdk1.5.0_18/bin
./keytool -import -alias myca -keystore /etc/pki/tls/certs/cacerts.jks -file /etc/pki/tls/certs/MyCA.pem -trustcacerts
./keytool -import -alias myca -keystore /etc/pki/tls/private/keystore.jks -file /etc/pki/tls/certs/MyCA.pem -trustcacerts
chmod 600 /etc/pki/tls/private/keystore.jks
./keytool -storepasswd -keystore /etc/pki/tls/certs/cacerts.jks
./keytool -storepasswd -keystore /etc/pki/tls/private/keystore.jks
history -c (the passwords are echoed in the clear)

Then we edited /opt/opennms/etc/opennms.properties. Before doing so, we
tightened security so nothing leaks out via the file or backup versions:

chmod o-rwx /opt/opennms/etc/opennms.properties

Then we edited the file by adding:

# SSL Configuration
javax.net.ssl.keyStore=/etc/pki/tls/private/keystore.jks
javax.net.ssl.keyStorePassword=newpassword
javax.net.ssl.trustStore=/etc/pki/tls/certs/cacerts.jks
javax.net.ssl.trustStorePassword=newpassword

We restarted OpenNMS and LDAPS worked.  We then tried reverting our jdbc
urls to:

url="jdbc:postgresql://pgsql01:5432/opennms?ssl=true"

but we failed to connect to the database.

We also tried:

url="jdbc:postgresql://pgsql01:5432/opennms?ssl=true&keystore=/etc/pki/tls/private/keystore.jks"

but that didn't work either.  What's the next step in troubleshooting
why we cannot verify the database certificate via the CA certificate?
Thanks - John


On Wed, 2009-09-23 at 12:21 -0500, Roskens, Ronald wrote:

> Check your opennms.properties file to see if you have uncommented out
> the entries for javax.net.ssl.keyStore and javax.net.ssl.trustStore. If
> these are set, they override the jdk defaults
> /usr/java/jdk1.5.0_18/lib/security/... files.
>
> Then import your CA certificate into both of those files, and I believe
> that will let you have a verified ssl connection to the database.
>
> Ron
>
> -----Original Message-----
> From: John A. Sullivan III [mailto:[hidden email]]
> Sent: Tuesday, September 22, 2009 4:36 PM
> To: General OpenNMS Discussion
> Subject: Re: [opennms-discuss] PostgreSQL SSL connection
>
> On Tue, 2009-09-22 at 13:39 -0500, Roskens, Ronald wrote:
> > It could be a certificate issue where java is unable to validate the
> > remote CA certificate.
> >
> > Try using
> >
> >
> > url="jdbc:postgresql://pg01:5432/opennms?sslfactory=org.postgresql.ssl.NonValidatingFactory&ssl=on"
> >
> > To see if that works. That's what the line looks like in my
> > opennms-datasources.xml file.
> >
> <snip>
> That worked but leaves me with some reservations.  Since this is turning
> into more of a jdbc thread than opennms and reflects my ignorance of
> jdbc, I'll go ahead and drop this thread if no one knows the answers
> readily.
>
> I'm concerned about man-in-the-middle attacks by not validating the cert
> (we are a moderately secure environment).  I tried to figure out how to
> tell opennms to validate the cert.  All my attempts failed.
>
> I first tried to import our CA cert into the
> /usr/java/jdk1.5.0_18/lib/security/cacerts keystore.  The import was
> successful but the connection failed.  I then imported the database
> server's cert (after converting it to der format from pem) into the same
> keystore with the same results (import succeeded, connection failed).  I
> tried with the default password (changeit) and a different password.
>
> Does anyone know how to have opennms validate the database server's cert
> to establish an SSL connection? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss
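The troubleshooting step asked for above can be taken outside OpenNMS entirely. What follows is an added example, not code from this thread or from OpenNMS: a stand-alone Java program that speaks the PostgreSQL SSLRequest preamble (Int32 length 8 followed by Int32 code 80877103; the server answers a single byte, 'S' to proceed with TLS or 'N' if SSL is off) and then runs a JSSE handshake whose trust decisions come only from the truststore named on its command line. That is the same trust path a JDBC driver relying on javax.net.ssl follows, so it separates "the chain does not validate against this store" from "OpenNMS is not handing the driver this store". Host, port, truststore path and password are command-line arguments; the class name PgSslCheck and the constant name SSL_REQUEST_CODE are my own.

```java
// Added example, not from the thread or from OpenNMS. Performs the PostgreSQL
// SSLRequest exchange on a plain socket, then a JSSE TLS handshake validated
// only against the truststore given as an argument (assumed to be a JKS file).
import java.io.DataOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PgSslCheck {

    // PostgreSQL frontend/backend protocol: the SSLRequest message is Int32(8)
    // (message length including itself) followed by Int32(80877103).
    static final int SSL_REQUEST_CODE = 80877103;

    // SSLContext that trusts only what is in the given JKS truststore.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Sends SSLRequest and returns true only if the server replies 'S'.
    static boolean requestSsl(Socket plain) throws Exception {
        DataOutputStream out = new DataOutputStream(plain.getOutputStream());
        out.writeInt(8);
        out.writeInt(SSL_REQUEST_CODE);
        out.flush();
        int reply = plain.getInputStream().read();
        if (reply == 'S') return true;
        if (reply == 'N') return false;
        throw new IllegalStateException("unexpected SSLRequest reply byte: " + reply);
    }

    // Colon-separated SHA-1 fingerprint of the DER encoding, as keytool/openssl print it.
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java PgSslCheck <host> <port> <truststore.jks> <storepass>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = contextFromTrustStore(args[2], args[3].toCharArray());

        Socket plain = new Socket(host, port);
        if (!requestSsl(plain)) {
            System.out.println("server replied 'N': SSL is not enabled on the server side");
            plain.close();
            System.exit(1);
        }
        // Upgrade the already-connected socket to TLS; autoClose=true ties the
        // plain socket's lifetime to the SSL socket.
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
        try {
            // Throws SSLHandshakeException when the chain does not validate
            // against the truststore (e.g. "unable to find valid certification path").
            ssl.startHandshake();
            System.out.println("handshake OK: " + ssl.getSession().getProtocol()
                    + " " + ssl.getSession().getCipherSuite());
            for (Certificate c : ssl.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  sha1:    " + sha1Fingerprint(x));
            }
        } finally {
            ssl.close();
        }
    }
}
```

Run it against the store built above, e.g. java PgSslCheck pgsql01 5432 /etc/pki/tls/certs/cacerts.jks newpassword. If it fails here, the certificate chain or the store is at fault and no driver option will help; if it succeeds here but the OpenNMS datasource still cannot connect, the difference lies in what the application hands the driver. Two caveats: the password on the command line is visible to other users in the process list, the same kind of exposure the history -c above guards against; and a raw JSSE SSLSocket performs no hostname check, so this tool, like any driver that relies on JSSE without an extra verifier, accepts any certificate the CA has issued, not only the one for pgsql01. Compare the printed subject and fingerprint with the server's actual certificate if that distinction matters in your environment.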
John A. Sullivan III

Re: PostgreSQL SSL connection

I enabled javax.net.debug=all and tried again to use a verified SSL
connection to the database.  Strangely, no data at all was added to
output.log.  When I use an unverified SSL connection, I see tons of
entries for communication with the database server.  It's as if it
didn't even try.  Is there some other file rather than
opennms.properties that points opennms to the correct certificate store
for the database connection? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


John A. Sullivan III

Re: PostgreSQL SSL connection

Finally got it to work.  As expected, it was just my ignorance of Java.
I needed to import my CA cert into the default cacerts store:

/usr/java/jdk1.5.0_18/jre/bin/keytool -keystore /usr/java/jdk1.5.0_18/jre/lib/security/cacerts -import -trustcacerts -file /etc/pki/tls/certs/MyCA.pem -alias MyCA

Now I can simply set the url in opennms-datasources.xml to
url="jdbc:postgresql://pgsql:5432/opennms?ssl=on"

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[hidden email]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
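The command that finally worked imports into jre/lib/security/cacerts, while the earlier attempt in this thread targeted lib/security/cacerts directly under the JDK root, and the javax.net.debug run in the previous message showed no handshake being attempted at all with the custom store. The following is an added example, not code from this thread or from OpenNMS: a Java program that reproduces the lookup order JSSE uses for its default truststore (javax.net.ssl.trustStore if set; otherwise jssecacerts, then cacerts, under ${java.home}/lib/security, with the password from javax.net.ssl.trustStorePassword or the default "changeit") and reports whether the CA in a given PEM file is present in the store the JVM will actually consult, matching on the DER encoding rather than on alias or subject name. The class name TrustStoreWhich and the single PEM argument are my own; javax.net.ssl.trustStoreType and trustStoreProvider are ignored, so it assumes the default store type.

```java
// Added example, not from the thread or from OpenNMS. Resolves the truststore
// JSSE would use by default and checks whether a CA certificate (PEM) is in it.
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class TrustStoreWhich {

    // JSSE default-truststore lookup: the javax.net.ssl.trustStore property wins;
    // otherwise jssecacerts, then cacerts, under ${java.home}/lib/security.
    // On JDK 5 through 8, java.home is the jre directory (e.g. /usr/java/jdk1.5.0_18/jre),
    // not the JDK root.
    static File defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File sec = new File(new File(System.getProperty("java.home"), "lib"), "security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    static char[] defaultTrustStorePassword() {
        String prop = System.getProperty("javax.net.ssl.trustStorePassword");
        return (prop != null ? prop : "changeit").toCharArray();
    }

    static KeyStore loadStore(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    static X509Certificate readPem(File pem) throws Exception {
        InputStream in = new FileInputStream(pem);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    // Alias under which cert is stored, or null if absent. Comparing DER bytes
    // means a re-issued CA with the same subject name is correctly reported as missing.
    static String findAlias(KeyStore ks, X509Certificate cert) throws Exception {
        byte[] wanted = cert.getEncoded();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c != null && Arrays.equals(wanted, c.getEncoded())) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustStoreWhich <ca.pem>");
            System.exit(2);
        }
        File storeFile = defaultTrustStore();
        KeyStore ks = loadStore(storeFile, defaultTrustStorePassword());
        X509Certificate ca = readPem(new File(args[0]));
        String alias = findAlias(ks, ca);
        System.out.println("truststore in effect: " + storeFile);
        System.out.println("CA " + ca.getSubjectX500Principal()
                + (alias == null ? " is NOT present" : " is present as alias '" + alias + "'"));
        System.exit(alias == null ? 1 : 0);
    }
}
```

Run it once with -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/cacerts.jks -Djavax.net.ssl.trustStorePassword=newpassword and once with no -D flags; the second run prints the file the JVM falls back to, which for the JDK used here is the jre/lib/security/cacerts that the working keytool command populated. A CA reported absent from the store in effect cannot validate anything, whatever the JDBC URL says. Note that the store password only protects the file's integrity check, so write access to cacerts, not the password, is what to restrict: anyone who can modify that file can add a CA of their own and silently undo the verification this thread set out to get.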

