Using client certs to authenticate #25
Comments
I have not tried it (yet). Maybe the following information might be useful:
The documentation for the Postgres JDBC driver SSL is here:
https://jdbc.postgresql.org/documentation/ssl/
The community version of the ML JDBC driver is older than this
documentation.
https://jdbc.postgresql.org/documentation/use/#connection-parameters/
sslrootcert=
or possibly using Java trust store configuration:
…-Djavax.net.ssl.keyStore=/path/to/local.keystore
-Djavax.net.ssl.keyStorePassword=changeme
-Djavax.net.ssl.trustStore=/path/to/local.keystore
-Djavax.net.ssl.trustStorePassword=changeme
-Djavax.net.ssl.keyStoreType=JKS
On Wed, Nov 30, 2022 at 5:09 AM Geert ***@***.***> wrote:
I am trying to use DBeaver to set up a connection to an ODBC server. Using
a non-ssl-enabled port works fine. Using an ssl-enabled port works fine
too, even with verify-ca. Using a client cert to login fails however. I
keep getting the message that I am not providing a valid password (which I
left blank intentionally). Looking at the code of mljdbc, I wonder if using
client certs to authenticate is supported at all. Does anyone know?
https://developer.marklogic.com/code/jdbc/#authentication provides good
detail on how to set up an SSL connection to an ODBC app server with SSL
enabled, but doesn't go as far as telling whether using client certs to
authenticate is possible, and if so, how. I was told by Support however, to
have a look here:
https://www.postgresql.org/docs/10/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT.
That page speaks about sslcert and sslkey properties, which are easily
configured in DBeaver, which is showing a nice list of Driver properties to
pick from.
PS: the link to
https://basildoncoder.com/blog/postgresql-jdbc-client-certificates.html
on the mentioned DMC page is dead..
--
Robert Starbird
Software Professional Services
Cell: (781) 548-9427
***@***.***
http://www.linkedin.com/in/robertstarbird
|
The README https://github.com/marklogic-community/ml-jdbc-driver
shows an example of 1-way authentication:
`jdbc:marklogic://localhost:8077/?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-ca&sslrootcert=certificate.crt&loggerLevel=TRACE`
I believe 2-way mutual authentication should be possible with the
additional parameters:
&sslcert=
&sslkey=
--
Robert Starbird
Software Professional Services
Cell: (781) 548-9427
***@***.***
http://www.linkedin.com/in/robertstarbird
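A preflight check for the mutual-TLS settings discussed in this thread, as an added example (not code from ml-jdbc-driver or from any commenter): it builds the connection properties named above and prints the client certificate's subject CN next to the user name that would be sent, so a mismatch like the one reported in the trace log is visible before connecting. The class name, method names and file paths are hypothetical, and whether the server maps the certificate to a user is not established by the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ClientCertPreflight {

    // Read a PEM or DER X.509 certificate and return its subject CN (null if absent).
    static String subjectCn(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            cert.checkValidity(); // throws if expired or not yet valid
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
            return null;
        }
    }

    // Connection properties named in the thread; file paths are placeholders.
    static Properties mutualTlsProps(String rootCert, String cert, String key, String user) {
        Properties p = new Properties();
        p.setProperty("ssl", "true");
        p.setProperty("sslfactory", "org.postgresql.ssl.jdbc4.LibPQFactory");
        p.setProperty("sslmode", "verify-ca");
        p.setProperty("sslrootcert", rootCert);
        p.setProperty("sslcert", cert);
        p.setProperty("sslkey", key);
        if (user != null) p.setProperty("user", user);
        return p;
    }

    public static void main(String[] args) throws Exception {
        String cert = args.length > 0 ? args[0] : "client.crt"; // placeholder path
        String user = args.length > 1 ? args[1] : null;         // explicit user, if any
        Properties p = mutualTlsProps("ca-bundle.crt", cert, "client.key", user);
        // With no explicit user, the thread's trace showed the OS account name being sent.
        String sent = p.getProperty("user", System.getProperty("user.name"));
        String cn = subjectCn(cert);
        System.out.println("certificate CN: " + cn + ", user name sent: " + sent);
        if (cn == null || !cn.equals(sent)) {
            System.out.println("MISMATCH: user name and certificate subject differ");
        }
    }
}
```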
|
Yes, I have all of that.. ssl=true, sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory, sslmode=verify-ca, sslrootcert=ca-bundle.crt, and sslcert and sslkey are pointing to a .crt and .key pair for a MarkLogic user (some svc_datahub user). I am getting 'ERROR: XDMP-INTERNAL: Internal error: Unauthorized user' however. Looking at the trace log, I see it tries to login with 'josten' (which is my username on my Windows laptop, not the sslcert name), and that it seems to go into the function to attempt user/pwd authentication. That made me look at the code, and I could not see logic to authenticate using sslkey/cert, hence my question if that ought to work or not..
I am trying to use DBeaver to set up a connection to an ODBC server. Using a non-ssl-enabled port works fine. Using an ssl-enabled port works fine too, even with verify-ca. Using a client cert to login fails however. I keep getting the message that I am not providing a valid password (which I left blank intentionally). Looking at the code of mljdbc, I wonder if using client certs to authenticate is supported at all. Does anyone know?
https://developer.marklogic.com/code/jdbc/#authentication provides good detail on how to set up an SSL connection to an ODBC app server with SSL enabled, but doesn't go as far as telling whether using client certs to authenticate is possible, and if so, how. I was told by Support however, to have a look here: https://www.postgresql.org/docs/10/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT. That page speaks about sslcert and sslkey properties, which are easily configured in DBeaver, which is showing a nice list of Driver properties to pick from.
PS: the link to https://basildoncoder.com/blog/postgresql-jdbc-client-certificates.html on the mentioned DMC page is dead..