-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL - configuration for non-egeria code ie connectors ie JDBC #613
Comments
I've been hitting issues even trying to make a 1 way SSL connect to a DB2 cloud service. Whilst the handling of this particular situation is buggy (10 min timeout instead of immediate failure) by deep debugging, the failing stack is: I think what may be happening here is that when we launch the server chassis (from our assembly, or in our container) we point to a truststore that ONLY includes our certificate authority. In my case I was making an SSL connection to a cloud DB2 server, which was returning a server cert signed by a certificate with a public train of trust. That would normally be resolved by the default system level root authority certs/chain (as it is in my standalone test code). However since our custom cert root does not contain these, validation of the server cert fails. This same issue could affect ANY ssl connection made by the egeria server chassis. The alternatives are:
#1 only requires doc changes, but can be tedious to actually do Open for discussion as to docs vs code.... |
(I think the hang is likely due to db2 driver seeing this as a potentially transient error) |
Adding At a minimum this needs explaining/docs to cover general cases as well as known examples, such as db2 |
When using the JDBC integration connector, the database connection may require the use of SSL.
In this case a variety of parameters may be set (see https://www.ibm.com/docs/en/db2/11.5?topic=SSEPGG_11.5.0/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_r0052038.htm for DB2)
This will typically include certificate information - passwords, types etc, but crucially also PATHS on the local system to
These may not be the same as for the egeria server chassis. Particularly for the key store (the client side certificate) which will be unique.
In order to use these connectors, the relevant certificates need to be present in the local environment where the egeria server chassis is running (in k8s, often through a secret)
This needs documenting as to how to deploy/configure
Additionally in the case of our charts/operator this may need actual deployment code
Opening as a reminder this is part of addressing cert management
The text was updated successfully, but these errors were encountered: