Article
· Nov. 9, 2023 · 3 min read

Connecting to Cloud SQL with DBeaver using SSL/TLS

With the release of InterSystems IRIS Cloud SQL, we're getting more frequent questions about how to establish secure connections over JDBC and other driver technologies. While we have a nice summary and detailed documentation on the driver technologies themselves, our documentation does not go as far as describing individual client tools, such as our personal favourite, DBeaver. In this article, we'll describe the steps to create a secure connection from DBeaver to your Cloud SQL deployment.

📺 If you prefer popcorn over scrolling, check out this video, in which we walk you through the steps captured below.

Step 0: Creating your deployment

First, log into the Cloud Services Portal and create a Cloud SQL deployment. The one thing you need to be mindful of is to check the box to enable external connections. Other than that, all the default settings should work fine.

Step 1: Installing the certificate

In order to connect securely, we'll use certificates to encrypt everything that gets sent over the wire. You can download the certificate from the deployment details page through the "Get X.509 certificate" button:

We then need to store this certificate in a trusted keystore using the keytool utility. This is a standard piece of Java infrastructure, so nothing specific to IRIS or DBeaver at this point. Use the command below to import the certificate. The location of your certificateSQLaaS.pem certificate file does not matter after running this command, so you can delete it from your downloads folder afterwards. The location of the keystore.jks file does matter, so make sure you run the command from a folder where it makes sense and is safe from uninstall or upgrade surprises, such as a cert directory in your user's home dir. The -alias is optional, but helpful when you intend to reuse the same keystore file to store multiple certificates.

keytool -importcert -file path-to-cert/cert-file.pem -keystore keystore.jks -alias myDeploymentName

For more details, see the documentation.

Step 2: Create an SSLConfig.properties file

Next, we'll need to tell the IRIS JDBC driver how to find this keystore, which is accomplished through an SSLConfig.properties file. This simple text file needs to be placed in the working directory of the Java program that'll open the JDBC connection. On Windows, that's %LOCALAPPDATA%\DBeaver, which translates to C:\Users\<you>\AppData\Local\DBeaver. On Mac, it's typically /Applications/DBeaverEE.app/Contents/MacOS. As an alternative, you can also create the file elsewhere and set the full path as an environment variable named com.intersystems.SSLConfigFile.

In its simplest form, this file only needs to point to the keystore and include the password. Note that the path to your keystore.jks file needs to be properly escaped for Java to read it, so on Windows you'll need to use double backslashes.

trustStore=/path/to/keystore/keystore.jks
trustStorePassword=keystore-password

The docs describe many additional settings you can configure through this file, including named configurations, but the above is sufficient.
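The escaping rule from Step 2, as an added example (not code from the original article or from InterSystems): a simplified Python model of how java.util.Properties decodes a value, to be run over constructed Windows paths. The function names and sample paths are assumptions made for illustration; line continuations are not modelled.

```python
# Added example: a simplified model of how java.util.Properties decodes
# one "key=value" line (no line continuations). All paths are constructed.
import re

_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_HEX = set("0123456789abcdefABCDEF")

def java_unescape(raw):
    """Decode backslash escapes in a property value as Java would."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        i += 1
        if ch != "\\":
            out.append(ch)
        elif i < len(raw):
            esc = raw[i]
            i += 1
            if esc == "u":                      # \uXXXX must be 4 hex digits
                digits = raw[i:i + 4]
                if len(digits) != 4 or not set(digits) <= _HEX:
                    raise ValueError("malformed \\uXXXX escape")
                out.append(chr(int(digits, 16)))
                i += 4
            else:                               # \t \n \r \f, else drop the "\"
                out.append(_SIMPLE.get(esc, esc))
    return "".join(out)

def read_property(text, key):
    """Return the decoded value of `key` from properties text, or None."""
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == key:
            return java_unescape(m.group(2))
    return None

def truststore_problems(text):
    """List reasons the decoded trustStore path cannot be what was meant."""
    path = read_property(text, "trustStore")
    if path is None:
        return ["trustStore is not set"]
    problems = []
    if any(ord(c) < 32 for c in path):
        problems.append("path contains control characters (an escape was decoded)")
    if re.match(r"[A-Za-z]:[^\\/]", path):
        problems.append("drive letter is not followed by a separator")
    return problems
```

A single-backslash path such as `C:\Users\you\cert\keystore.jks` decodes to `C:Usersyoucertkeystore.jks`, and a lowercase `\users` segment is rejected outright as a malformed unicode escape; doubled backslashes and forward slashes both survive decoding.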

Step 3: Create your DBeaver connection

Now that we installed our certificate and specified where IRIS JDBC can find it, we can create our DBeaver connection. All of the settings for the "main" tab in the connection creation dialog can be found in the deployment details screen as pasted above:

The only thing left to do is to tell DBeaver to enable encryption, which is accomplished by setting the "connection security level" to 10 in the "Driver properties" tab:

That's it! If you click "Test Connection", you should get a thumbs up, or a useful error message. In the latter case, check out this troubleshooting document if it's not obvious what to change.

Note for Mac users

If you're using a Mac, there seems to be a bug in DBeaver where the above may not be sufficient. The workaround is unconventional, but it does work. In the Database/Schema field, where you'd normally put 'USER', put this full string instead:

USER:sslConnection=true;sslTrustStoreLocation=/pathToTruststore/truststore.jks;sslTrustStorePassword=123456;

Tip and misc other wisdom courtesy of @Rick Guidice 

21 Comments
Question
· Nov. 7, 2023

Creation of namespace and database using CLI

Hello everyone,

I am attempting to implement continuous integration using Docker with Caché 2018.1, and I am in the process of creating an image for our client. I have already installed Caché 2018.1 on the RedHat server, but I am working on a script to create the database and namespace. For the database, I used the following code:

do ##class(SYS.Database).CreateDatabase("/usr/cachepoc/cache2018/mgr/poc/")

However, I have encountered some issues with this code. For instance, I am unable to view this local database in the portal's list:

In the end, I have tried various approaches to create the namespace programmatically, but I haven't been able to resolve this issue.

Could someone please assist me in finding the correct command to create a namespace and explain why we are unable to see the database that was created in the portal's list?

I am aware that we already have some images with InterSystems IRIS, but the client is not ready to update the database at this time.

4 Comments
Question
· Nov. 6, 2023

CSP issue with only one instance on a new machine

We have a machine that serves 4 instances of Cache on VMS systems. One of them is password protected and works fine, as they all do. We decided we wanted something beefier and copied it to a server. Well, all but the one you have to log in to work, so 3 of the 4 do. And the odd part is I can no longer get to the management page from anywhere on any machine: at http://localhost/csp/bin/Systems/Module.cxw I get a 404.8 error. I have tried adjusting security and get the same thing, and a server availability error.

I think it is something on the new machine/server that is missing, but why only 1 of the 4? Oh, and we tried to turn off the authentication required with no success.

 

thanks

Paul

5 Comments
Article
· Nov. 4, 2023 · 5 min read

Connecting InterSystems IRIS and Firebase Cloud Firestore

I recently had the need to monitor, from HealthConnect, the records present in a NoSQL database in the cloud, more specifically Cloud Firestore, deployed in Firebase. With a quick glance I could see how easy it would be to create an ad-hoc adapter to make the connection, taking advantage of the capabilities of Embedded Python, so I got to work.

Preparing the environment

To start, we need an instance of the database on which we can perform the tests. From the Firebase console, we created a new project and added a Firestore database to it.

Next, we create a collection in our database called data_poc, in which we include 3 documents that we will later retrieve from our production.

With the database deployed, we obtain the JSON file with the keys needed to connect from our production in IRIS. To do this, from the console of our Firebase project we open the service accounts page, found under the project configuration (Project Settings -> Service Accounts), and generate a new private key:

This downloads a JSON file that we place in a path on our server; in this example we leave it in the /shared/durable folder of our Docker container.
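The downloaded file contains the service account's private key, so anyone who can read it can authenticate as that account. The following is an added example (not part of the original article or its project): a pre-flight check for the file that KeyPath will point to. The function name is hypothetical, the field names are those of Google's service-account key format, and POSIX permission bits are assumed.

```python
# Added example: pre-flight check for the service-account key file that
# KeyPath points to. Assumes POSIX permission bits (e.g. a Linux container).
import json
import os
import stat

REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")

def check_key_file(path):
    """Return a list of problems; an empty list means the file looks sane."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat key file: %s" % exc.strerror]
    if not stat.S_ISREG(st.st_mode):
        return ["key path is not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit lets other accounts read or swap the key
        problems.append("mode %04o grants access to group/others" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return problems + ["key file is not readable as JSON"]
    if not isinstance(data, dict):
        return problems + ["key file is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append("missing field: %s" % field)
    if data.get("type") not in (None, "service_account"):
        problems.append("type is %r, expected 'service_account'" % data["type"])
    return problems
```

On a shared volume such as the /shared/durable folder used here, a mode of 0600 owned by the account that runs IRIS keeps the key out of reach of other users of the same mount.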

Creating the adapter

To connect to our database in Firebase, we need to create a specific adapter that makes the connection. As mentioned before, we will use the capabilities that Embedded Python offers us, so we install the library that allows us to connect, firebase-admin.

With our library already installed we can now create our adapter:

Class Local.Adapter.FirebaseInboundAdapter Extends Ens.InboundAdapter
{

Property KeyPath As %String(MAXLEN = 100);
Property DocName As %String(MAXLEN = 100);
Parameter SETTINGS = "KeyPath,DocName";
Method OnTask() As %Status
{
    $$$TRACE("Connecting")
    set tSC = $$$OK
    set listOfDocs = ##class("%Library.ListOfDataTypes").%New()
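    // Initialise the cursor per collection, so a second service with a different DocName does not hit <UNDEFINED>
    if ('$DATA(^LASTFIREBASE(..DocName))) {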
        set ^LASTFIREBASE(..DocName) = 0
    }
    
    do ..ConnectAndQuery(..KeyPath, ^LASTFIREBASE(..DocName), listOfDocs, ..DocName)

    for i = 1:1:listOfDocs.Count() {
        set msg = ##class(Local.Message.FirebaseDocRequest).%New()
        set msg.Doc = listOfDocs.GetAt(i)
        set tSC=..BusinessHost.ProcessInput(msg)
        set docRead = ##class(%DynamicAbstractObject).%FromJSON(msg.Doc)
        set ^LASTFIREBASE(..DocName) = docRead.id
        $$$TRACE("Index: "_^LASTFIREBASE(..DocName))
    }
    $$$TRACE("Finishing connection")

    Quit tSC
}

/// Using Embedded Python to connect with Firebase
ClassMethod ConnectAndQuery(keyPath As %String, lastId As %String, ByRef listOfDocs As %List, docName As %String) [ Language = python ]
{
        import iris
        import firebase_admin
        from firebase_admin import credentials
        from firebase_admin import firestore

        if not firebase_admin._apps:
            cred = credentials.Certificate(keyPath)
            firebase_admin.initialize_app(cred)

        db = firestore.client()

        # Read Data
        docs_refer = db.collection(docName)
        docs = docs_refer.where("id",">",lastId).stream()
        # docs = docs_refer.stream()

        for doc in docs:
            # listOfDocs.Insert(doc.to_dict())            
            listOfDocs.Insert(str(doc.to_dict()).replace("'", '"'))
        return 1
}

}

As you can see, we use an identifier field, id, as the criterion for obtaining the latest documents registered in the system: for each new document read, we take its identifier and store it in a global. We have included two parameters in the adapter:

  • KeyPath: where we indicate the path and name of the json file that contains the keys to access our database in Firebase.
  • DocName: in which we define the name of the collection or document that we store in the database. For each type of collection we must add a new Business Service by modifying this parameter:

With the connection keys, we can now connect to the database using the function developed with Embedded Python. We previously installed the firebase-admin library, which manages the connection and which you can find in the requirements.txt file of the associated project. Once the connection is made, we retrieve all the documents with an identifier after the last one we read. We insert the retrieved documents into a list of strings that we later iterate over and send to our Business Service.

# Read Data
docs_refer = db.collection(docName)
docs = docs_refer.where("id",">",lastId).stream()
# docs = docs_refer.stream()

for doc in docs:
    listOfDocs.Insert(str(doc.to_dict()).replace("'", '"'))
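The adapter turns each document into text with str(doc.to_dict()).replace("'", '"') and the ObjectScript side parses that text with %FromJSON. The following is an added example (not part of the original article's project) comparing that conversion with json.dumps on constructed documents; the function names and sample data are assumptions made for illustration.

```python
# Added example: why str(dict) with swapped quotes is not a JSON encoder.
# All documents below are constructed sample data, not from the article.
import json
from datetime import datetime, timezone

def naive_serialize(doc):
    """The adapter's approach: Python repr with ' replaced by "."""
    return str(doc).replace("'", '"')

def safe_serialize(doc):
    """Real JSON; default=str renders timestamps and other non-JSON types."""
    return json.dumps(doc, default=str)

def outcome(text, doc):
    """Classify text as 'ok', 'invalid' JSON, or 'altered' content."""
    reference = json.loads(json.dumps(doc, default=str))
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    return "ok" if parsed == reference else "altered"

SAMPLES = [
    {"id": 1, "name": "first"},                    # plain values
    {"id": 2, "name": "O'Brien"},                  # apostrophe in a value
    {"id": 3, "active": True, "note": None},       # True/None are not JSON
    {"id": 4, "created": datetime(2023, 11, 4, tzinfo=timezone.utc)},
    {"id": 5, "name": "a', 'id': 99, 'x': 'b"},    # quotes become delimiters
]

def compare(samples=SAMPLES):
    """Return (id, naive outcome, safe outcome) for every sample."""
    return [(d["id"],
             outcome(naive_serialize(d), d),
             outcome(safe_serialize(d), d)) for d in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the first sample survives the quote-swapping conversion. An "invalid" document cannot be parsed at all, and an "altered" one parses but no longer matches what Firestore stored, which matters here because the parsed id is what the adapter writes to ^LASTFIREBASE.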

With the developed adapter we only need to implement our Business Service to be able to use it in our production:

Class Local.BS.FirebaseBS Extends Ens.BusinessService
{

Parameter ADAPTER = "Local.Adapter.FirebaseInboundAdapter";
Method OnProcessInput(pRequest As Local.Message.FirebaseDocRequest, pResponse As %RegisteredObject) As %Status
{
        $$$TRACE(pRequest.Doc)

        Quit $$$OK
}

}

For our example, we only write a trace with the message received from the adapter. The message has a single property of type String, which we have called Doc and which contains the retrieved document.

Testing the adapter

We already have everything we need to retrieve documents from our database, so we only need to configure our production.

Perfect! Our BS is now configured to query the database every 5 seconds. Let's start the production and check the log:

Here we have our documents, let's see now what happens if we add a new one to our database:

There we have our new record. Our adapter is now working.

Well, that's it for today's article. If you have any questions or suggestions, don't hesitate to write them in the comments.

2 Comments