I have a bareos client trying to communicate with aws s3 server.
As per http://doc.bareos.org/master/html/bareos-manual-main-reference.html#x1-400006
I can use TLS Enable & TLS Require options to enable TLS in client also in inter daemon communication.
I want to disable inter daemon TLS communication but enable TLS in bareos client communicating with s3 server.
Also this TLS config
https://github.com/scality/Droplet/wiki/Configuration-File for droplet file doesn't seems to be working.
Is there any way to configure this???
Related
I work on a remote server via ssh, I ran a service locally on the remote server but how can I hit API's from my local machine's Postman to the service API's on remote server.
I am able to make curl requests from the remote server but I am not able to do the ssh tunneling in Postman, what are the steps I should follow?
While both ssh and HTTP are protocols to communicate between client and server. The basic difference between SSH and HTTP;
I guess you know, but just for others/clarification - SSH means “Secure Shell”. It has a built-in username/password authentication system to establish a connection. Thing is, it uses Port 22 to perform the negotiation or authentication process for connection. Authentication of the remote system is done by providing a public-key from your machine.
The default Port for most Web-Servers to listen for requests is either Port 80 for HTTP or 443 for HTTPS
To make it work
You can either expose a Port on your remote server by defining a firewall rule (even though 80 should probably be open) and make your server listen to incoming requests on that Port.
OR
Now, if you wan't to making it publicly available
put both, your remote Server and your local machine in the same VPN Network - still your server needs to listen for HTTP requests on some Port.
If you are not using some kind of reverse proxy, make sure to specify the port you are contacting the server on e.g. http://localhost:8080
In MSK to communicate with brokers by using TLS(SSL) we have used 9094 port and able to communicate MSK cluster with the required keystore and truststore configurations.
And to communicate with brokers by using SASL_SCRAM we have used 9096 port and able to communicate MSK cluster with username and password configurations.
And now we want to configure both SASL_SSL to authenticate client while connecting to broker nodes as a mandatory configurations at client side.
NOTE: We are able to configure both SASL_SSL security protocol on 9096 port but the client configuration considered as the TLS configurations are optional because if we remove TLS properties, still it is able to connect broker nodes.
Im testing this connection with kafka console producer like below:
./bin/kafka-console-producer.sh --broker-list b-1.xxx:9096,b-2xx:9096 --producer.config ./bin/client_sasl_ssl.properties --topic TestTopicSASLSSL
File: client_sasl_ssl.properties
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
#ssl.truststore.location=/path/to/kafka.client.truststore.jks
#ssl.keystore.location=/path/to/kafka.client.keystore.jks
#ssl.keystore.password=psswd
#ssl.key.password=psswd
Please note that im able to produce data with or without the above commented ssl properties, which seems optional.
Any option to mandate both SASL and TLS auth protocol to restrict client connection.
According to the AWS documentation, "WebSockets and Secure WebSockets support is available natively and ready for use on an Application Load Balancer."
However, when I select Application Load Balancer in EC2, I don't have any option other than HTTP and HTTPS:
I would like to use the secure websocket protocol (wss://) which I believe would be over TLS:8888.
How can I input this option?
The solution was to use HTTPS for the listener protocol, even though the browser is making requests to wss://.
For port number, configuring both the listener and environment instance to port 8888 works.
I have a Java application configured with some self signed certificates that communicates with ActiveMQ version 5.13.0 over SSL/TLS version 1.2. The relevant self signed certificates reside in their respective keystores and truststores. This connection over TLS works just fine on my local Windows machine, clients without the proper certificates are unable to communicate with the broker and clients with the proper certificates can.
However, this does not work when the same code and keystores are used on an AWS EC2 instance. I have the same version of ActiveMQ installed there and am using the very same keystores and truststores on the broker and client side. Clients without any certificates configured are able to connect to the broker and communicate.
I would like to understand if SSL/TLS for ActiveMQ must be configured differently on a Linux machine or if there is something else that I am missing.
Snippets from the activemq.xml file that enable activemq to use SSL/TLS:
<managementContext>
<managementContext createConnector="false"/>
</managementContext>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/broker.ks"
keyStorePassword="changeit" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="changeit"/>
</sslContext>
<transportConnectors>
<!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
<transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&wireFormat.maxInactivityDuration=300000&wireFormat.maxFrameSize=104857600&jms.messagePrioritySupported=false"/>
<transportConnector name ="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
<transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
<transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
<transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
<transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
Answering my own query.
I handle the Java client and that client connects to port 61714 that is designated for SSL.
The folks dealing with the IoT device side told me that these devices default to port 1883 for MQTT connections and port 8883 for secure MQTT connections.
This can be configured by adding the below line to the transport connectors :
<transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
The device has some constraints due to which it cannot connect to an SSL port and publish MQTT messages. The Java client on the other hand has no issues connecting to the SSL port and publishing and consuming MQTT messages, so adding the above line resolved this.
If needed, one could comment out the transport connector for port 1883 so that no clients without the needed certificates are able to connect to the MQTT broker.
Question
If client A is using TLS 1.2 protocol and client B is using SFTP protocol (SSH),
Can client A or B, be able send files between them without having security conflict, Or do they need to be on the same protocol?
(SFTP is a layer on top of the SSH protocol)
The SSH protocol and TLS have nothing to do with each other. Each is a layer sitting on top of TCP. Both provide the same function: to create a secure channel/tunnel for the communication of arbitrary byte streams.
If a client is "speaking" TLS, then it must be talking to a server "speaking" the server-side of the TLS protocol.
Likewise, if a client is "speaking" SSH, it can only be talking to a server speaking "SSH". This is the meaning of "protocol" -- a well defined set of rules for communications. A client speaking one protocol cannot communicate with a server speaking a different protocol. An FTP client cannot speak FTP with an IMAP server speaking the IMAP protocol. It would make no sense, just like it makes no sense for a TLS client to be speaking with an SSH server.
It is possible, however, to tunnel TLS through SSH.
See: https://www.example-code.com/csharp/socket_tlsSshTunnel.asp
or you can tunnel other protocols through SSH.
See: https://www.example-code.com/csharp/sshTunnel.asp
you can also do other things, like run SSH through HTTP:
https://www.example-code.com/csharp/sftp_http_proxy.asp