Friday, April 21, 2017

How to fix ERROR - Driver Connection error: org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "192.168.48.111", user "root", database "apim210_reg", SSL off

Background 

I wanted to access Postgres from a remote machine. When I tried to connect to Postgres with the connection information :5432/ I got a connection refused error. To fix it I followed the steps below.

1. Opened the postgresql.conf file.
2. Modified 'listen_addresses' so the server listens on all IP addresses (listen_addresses = '*').
3. Restarted the Postgres server.

Then, when I tried to connect to the Postgres database from my application on the remote machine, I got the error below.

Error

[2017-04-21 05:33:25,799] ERROR - Driver Connection error: 
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "192.168.48.111", user "root", database "apim210_reg", SSL off
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:438)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:222)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:194)
at org.postgresql.Driver.makeConnection(Driver.java:431)
at org.postgresql.Driver.connect(Driver.java:247)
at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:278)
at org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:182)
at org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:701)
at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:635)
at org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:188)
at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:127)
at org.wso2.carbon.user.core.util.DatabaseUtil.getDBConnection(DatabaseUtil.java:565)
at org.wso2.carbon.user.core.util.UserCoreUtil.isExistingDomain(UserCoreUtil.java:973)
at org.wso2.carbon.user.core.util.UserCoreUtil.persistDomain(UserCoreUtil.java:827)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.persistDomain(AbstractUserStoreManager.java:4064)
at org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.<init>(JDBCUserStoreManager.java:280)
at org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager.<init>(JDBCUserStoreManager.java:222)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:355)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:222)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:127)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:263)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:100)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:113)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:68)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:711)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:702)
at org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:683)
at org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:381)
at org.eclipse.osgi.framework.internal.core.AbstractBundle.resume(AbstractBundle.java:390)
at org.eclipse.osgi.framework.internal.core.Framework.resumeBundle(Framework.java:1176)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:559)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.resumeBundles(StartLevelManager.java:544)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.incFWSL(StartLevelManager.java:457)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.doSetStartLevel(StartLevelManager.java:243)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:438)
at org.eclipse.osgi.framework.internal.core.StartLevelManager.dispatchEvent(StartLevelManager.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)


Fix

1. Open the 'pg_hba.conf' file. (This file defines which hosts and database users may connect to which databases, and which authentication method they must use.)

2. Add the entry below to allow all IPs and all usernames to connect to all databases, then save the file.

host    all             all             0.0.0.0/0               md5

3. Log in as the postgres user.

E.g.
$ sudo -i -u postgres

4. Restart the Postgres server.

E.g.
$ /etc/init.d/postgresql restart
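The entry in step 2 makes every address on the network eligible to authenticate against every database, so a practitioner would normally narrow the ADDRESS column to the client's subnet (the connecting host in the error above is 192.168.48.111, so 192.168.48.0/24 would cover it) and, on servers that support it, prefer scram-sha-256 over md5. The error message also says "SSL off", which a `host` entry permits and a `hostssl` entry would not. The Go program below is an added example, not part of the original post and not PostgreSQL code: it parses pg_hba.conf lines (both the CIDR and the separate-netmask address forms) and flags remote entries that widen exposure. The sample file content is constructed for the example; the database name apim210_reg comes from the error message above, and the user name apim_app is a placeholder.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample pg_hba.conf (not from any real server): the wide-open
// entry from the post next to narrower alternatives.
const samplePgHba = `# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
hostssl apim210_reg     apim_app        192.168.48.0/24         scram-sha-256
host    all             all             ::/0                    trust
`

type HbaEntry struct {
	LineNo   int
	ConnType string     // local, host, hostssl or hostnossl
	Database string
	User     string
	Address  string     // raw ADDRESS column, "" for local entries
	Network  *net.IPNet // parsed network, nil for hostnames and keywords
	Method   string
}

// ParsePgHba parses the TYPE/DATABASE/USER/ADDRESS/METHOD columns of each
// non-comment line; trailing authentication options are not interpreted.
func ParsePgHba(text string) ([]HbaEntry, error) {
	var entries []HbaEntry
	for i, raw := range strings.Split(text, "\n") {
		lineNo := i + 1
		if idx := strings.Index(raw, "#"); idx >= 0 {
			raw = raw[:idx]
		}
		f := strings.Fields(raw)
		if len(f) == 0 {
			continue
		}
		isLocal := f[0] == "local"
		remote := f[0] == "host" || f[0] == "hostssl" || f[0] == "hostnossl"
		if (!isLocal && !remote) || (isLocal && len(f) < 4) || (remote && len(f) < 5) {
			return nil, fmt.Errorf("line %d: unrecognised or incomplete entry", lineNo)
		}
		if isLocal {
			entries = append(entries, HbaEntry{lineNo, "local", f[1], f[2], "", nil, f[3]})
			continue
		}
		addr, rest := f[3], f[4:]
		// "address netmask" form (IPv4 only here): fold the mask into CIDR notation
		if m := net.ParseIP(rest[0]).To4(); m != nil && !strings.Contains(addr, "/") && len(rest) >= 2 {
			ones, _ := net.IPMask(m).Size()
			addr, rest = fmt.Sprintf("%s/%d", addr, ones), rest[1:]
		}
		_, network, _ := net.ParseCIDR(addr) // nil for hostnames and keywords such as samehost
		entries = append(entries, HbaEntry{lineNo, f[0], f[1], f[2], addr, network, rest[0]})
	}
	return entries, nil
}

// AuditPgHba returns findings keyed by line number for remote entries that
// widen exposure: any-host ADDRESS, weak METHOD, or plain TCP off loopback.
func AuditPgHba(text string) (map[int][]string, error) {
	entries, err := ParsePgHba(text)
	if err != nil {
		return nil, err
	}
	findings := map[int][]string{}
	for _, e := range entries {
		if e.ConnType == "local" {
			continue
		}
		var notes []string
		wideOpen := e.Address == "all"
		if e.Network != nil {
			ones, _ := e.Network.Mask.Size()
			wideOpen = wideOpen || ones == 0
		}
		if wideOpen {
			notes = append(notes, "ADDRESS matches every host; narrow it to the client subnet")
		}
		if e.Method == "trust" {
			notes = append(notes, "METHOD trust skips authentication entirely")
		} else if e.Method == "md5" {
			notes = append(notes, "METHOD md5 is legacy; prefer scram-sha-256")
		}
		if e.ConnType == "host" && e.Method != "trust" && !(e.Network != nil && e.Network.IP.IsLoopback()) {
			notes = append(notes, "TYPE host also accepts non-SSL connections; consider hostssl")
		}
		if len(notes) > 0 {
			findings[e.LineNo] = notes
		}
	}
	return findings, nil
}
```

Run `AuditPgHba(samplePgHba)` and the 0.0.0.0/0 line from the post collects three findings (any host, legacy md5, non-SSL), the loopback md5 line only the md5 note, and the hostssl/scram-sha-256 line scoped to 192.168.48.0/24 none at all. Findings are keyed by the file's line number so they can be matched back to the entry that needs narrowing.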




Monday, April 10, 2017

How public-private certificates are used in federation and brokered authentication scenarios with WSO2 Identity Server

When configuring SAML2 SSO federation and brokered authentication using WSO2 Identity Server (IS), the certificate configuration and how each certificate is used can be confusing.

In this blog post I'm going to explain how the certificates should be configured and why.

Configuring Certificates.

How the certificates should be configured in the application, the service provider (SP) configuration, the identity provider (IDP) configuration and WSO2 IS is depicted in the diagram below.


  1. The application should contain the public certificate of WSO2 IS.
  2. The public certificate of the application should be specified in the SP configuration in WSO2 IS.
  3. The public certificates of the application and the external IDP should be added to the client-truststore.jks in WSO2 IS, which is located in the /repository/resources/security folder.
  4. The public certificate of the external IDP should be specified in the IDP configuration in WSO2 IS.
  5. The external IDP should contain the public certificate of WSO2 IS.

Message flow of federated and brokered authentication.


Note: I have considered the message flow when request and response signing are enabled.

 1. The service provider (SP) application sends a signed authentication request to WSO2 IS.

  • The authentication request is signed with the application's private key.
  • For WSO2 IS to verify the signature, the application's public certificate must be specified in the SP configuration that represents the application in WSO2 IS.
 2. Once the authentication request sent by the application is verified, WSO2 IS sends a signed authentication request to the external IDP.

  • The authentication request is signed with the private key of WSO2 IS.
  • For the external IDP to verify the signature, the public certificate of WSO2 IS must be configured on the external IDP side.
 3. After verifying the signature and authenticating the user, the external IDP sends a signed SAML response to WSO2 IS.

  • The SAML response is signed with the external IDP's private key.
  • For WSO2 IS to verify the signature, the external IDP's public certificate must be specified in the IDP configuration that represents the external IDP in WSO2 IS.
 4. Based on the SAML response received, WSO2 IS builds a SAML response according to the specified SP configuration and sends a signed SAML response to the application.

  • The SAML response is signed with the private key of WSO2 IS.
  • For the application to verify the signature, the public certificate of WSO2 IS must be imported into its trust store.
Note:
In the above explanation I focused only on certificate usage for signing. Public certificates are also used for encryption (assertion encryption).
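The four signed hops above, replayed as an added Go example (this is not WSO2 code and not a SAML implementation): each party signs with its own private key and verifies with the certificate it has been configured with for the sender, which is exactly why steps 1, 2, 4 and 5 of the configuration list place the certificates where they do. Certificates are modelled as bare RSA public keys rather than X.509 certificates, messages are plain strings rather than SAML XML, and the Party, Configure, Sign, Verify, RunFlow and MisconfiguredFlow names are this example's own. MisconfiguredFlow shows the failure mode a wrong certificate in the SP configuration produces: the very first hop fails signature verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party models one participant in the flow: the application (SP), WSO2 IS, or
// the external IDP. The private key never leaves the party; Cert stands in for
// its public certificate (a bare RSA public key here, not an X.509 certificate).
type Party struct {
	Name    string
	priv    *rsa.PrivateKey
	Cert    *rsa.PublicKey
	trusted map[string]*rsa.PublicKey // certificates this party has been configured with
}

// NewParty generates a key pair; key generation only fails if the system RNG is unavailable.
func NewParty(name string) *Party {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: priv, Cert: &priv.PublicKey, trusted: map[string]*rsa.PublicKey{}}
}

// Configure records a peer's public certificate, as the SP configuration, the
// IDP configuration or the trust store does in the post.
func (p *Party) Configure(peer string, cert *rsa.PublicKey) { p.trusted[peer] = cert }

// Sign signs body with the party's own private key (RSA PKCS#1 v1.5 over SHA-256).
func (p *Party) Sign(body string) ([]byte, error) {
	h := sha256.Sum256([]byte(body))
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify checks sig over body against the certificate configured for peer.
func (p *Party) Verify(peer, body string, sig []byte) error {
	cert, ok := p.trusted[peer]
	if !ok {
		return fmt.Errorf("%s has no certificate configured for %s", p.Name, peer)
	}
	h := sha256.Sum256([]byte(body))
	if err := rsa.VerifyPKCS1v15(cert, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("%s: signature on message from %s does not verify", p.Name, peer)
	}
	return nil
}

// hop signs body at the sender and verifies it at the receiver.
func hop(from, to *Party, body string) error {
	sig, err := from.Sign(body)
	if err != nil {
		return err
	}
	return to.Verify(from.Name, body, sig)
}

// RunFlow wires the certificates as in steps 1, 2, 4 and 5 of the post, then
// replays the four signed hops of the message flow.
func RunFlow() error {
	app, wso2is, idp := NewParty("application"), NewParty("WSO2 IS"), NewParty("external IDP")
	app.Configure(wso2is.Name, wso2is.Cert) // 1: application holds the IS certificate
	wso2is.Configure(app.Name, app.Cert)    // 2: SP configuration holds the application certificate
	wso2is.Configure(idp.Name, idp.Cert)    // 4: IDP configuration holds the external IDP certificate
	idp.Configure(wso2is.Name, wso2is.Cert) // 5: external IDP holds the IS certificate
	if err := hop(app, wso2is, "AuthnRequest: application -> WSO2 IS"); err != nil { // flow step 1
		return err
	}
	if err := hop(wso2is, idp, "AuthnRequest: WSO2 IS -> external IDP"); err != nil { // flow step 2
		return err
	}
	if err := hop(idp, wso2is, "Response: external IDP -> WSO2 IS"); err != nil { // flow step 3
		return err
	}
	return hop(wso2is, app, "Response: WSO2 IS -> application") // flow step 4
}

// MisconfiguredFlow shows the failure mode when the SP configuration in WSO2 IS
// is given the external IDP's certificate instead of the application's: the
// first hop fails signature verification.
func MisconfiguredFlow() error {
	app, wso2is, idp := NewParty("application"), NewParty("WSO2 IS"), NewParty("external IDP")
	wso2is.Configure(app.Name, idp.Cert) // wrong certificate in the SP configuration
	return hop(app, wso2is, "AuthnRequest: application -> WSO2 IS")
}
```

RunFlow returns nil when every certificate sits where the post says it should; MisconfiguredFlow returns an error from WSO2 IS on the first hop, which is the same symptom you see in practice when the SP configuration holds the wrong certificate.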

You can also check How to add a certificate as a trusted certificate to a Java KeyStore (JKS file) to learn how encryption works and how to import public certificates into the trust store.