Neo4j - Connecting to a database using SSL client authentication by Java driver v4.4.11 and above - neo4j

I still could not find any methods relating to SSL client authentication in neo4j-java-driver-4.4.11.jar (Java 8).
I knew that it was not supported in an old version a long time ago: https://github.com/neo4j/neo4j-java-driver/issues/513
But 4 years have passed, so I would like to confirm whether SSL client authentication is now supported in Neo4j Java driver version 4.4.11 and above or not.
Any information would be much appreciated. Thank you in advance!
I tried looking inside the code of Neo4j Java driver 4.4.11 but could not find functions related to SSL client authentication; I only found the server authentication method.
I also didn't see any documentation stating that driver 4.4.11 supports SSL client authentication.

Client SSL auth is not supported in any of the drivers, only server-to-server between members of a Neo4j cluster.
It is requested periodically, and is under consideration.
Out of interest, are you looking for 1st factor authentication (a trusted client certificate is sufficient to log into the DBMS) or 2nd factor (username / password, plus trusted client cert are required)?

Related

Recommended way to store sql password on Azure iot edge

I am using Azure IoT Edge, where I am using the Azure SQL Edge module from the marketplace. I have another module, written in Python, which connects to the SQL Server module on the IoT Edge device. To make the connection, I have to hardcode the SQL password in the code.
I thought of storing the SQL password in Azure Key Vault and pulling it into the Python module on the edge when making the SQL connection, though this would defeat the purpose of edge: what if there is no internet connection for a while? My module would stop working.
Is there a safe way to store the SQL password on the IoT Edge device, or what is the recommended way to make the connection on the edge? Please advise. Thanks.
I guess you are talking about the Azure SQL Edge module. Just wanted to ask how the device is secured. Is it using TPM, X.509 or symmetric keys?
Also, can you please let me know if the default password was already changed to a strong password? Usually, when you change the default password for MSSQL_SA_PASSWORD to a strong password, it is more than enough, as no one will have access to the device if it has been secured.
Refer to this document for more clarification:
https://learn.microsoft.com/en-us/azure/azure-sql-edge/deploy-portal#connect-to-azure-sql-edge

How to do Kerberos client authentication .Net api 7.1

I am using Solace as middleware for client and server communication.
I want to move from no authentication to Kerberos authentication.
The servers are Unix and already configured for Kerberos authentication.
The client is a .NET desktop GUI application, and there will be multiple users.
I have some questions regarding client Kerberos authentication.
Do we need a keytab file to connect to the server, and should the keytab file be common for all users, or should a keytab file be created with each user's credentials?
What if the password changes?
Do we need to ask users to install Java to get kinit or krb5?
What settings/configuration are required on the client side?
Thanks in advance!
You do need to add a keytab to Solace's /keytabs directory. To configure the keys from the keytab file into Solace's registered key table after the file has been added, enter the following Kerberos Keytab Authentication CONFIG CLI command:
solace(config-kerberos keytab)# add-keytab <keytab-filename> <index>
The number of keytab files is completely dependent on your setup. Typically, there will be one keytab file per IP address that is common for all users, but if your setup requires greater control, you can add up to a total of 48 keytabs.
When you change your Kerberos password, you will need to recreate and re-add all your keytabs.
The client-side API requirements for a client to use Kerberos authentication do include using the appropriate Java distribution or installed Kerberos libraries for the messaging API that is used. For .NET applications, the SSPI that is distributed with Windows is used, so Java is not required.
A client application must also set the authentication scheme to Kerberos for the respective session. In .NET, this is done with the SessionProperties.AuthenticationSchemeKRB session property. You can also set the Service Principal Name with the Session.Properties.KRBServiceName session property.

TFS Connection through API

I'm trying to submit issues to Team Foundation Server through its API. We have an "OnDemand" version of TFS, not the "On-premises" version.
I'm unable to find any applicable examples of an "OnDemand" API connection using a C#.NET application.
For example: http://www.codeproject.com/Articles/14108/Web-Forms-for-Submitting-Issues-to-Team-Foundation
Are there any examples for the OnDemand version?
The code used to exercise the TFS API is identical regardless of whether you are using TF Server or TF Service.
The only real difference is authentication. You can either implement Microsoft ID (formerly Live ID) authentication, which is hard, or you can use the service credentials. This is how the local build servers are configured to work against the service.
You can use the TFS Credential Manager to retrieve the correct username and password from the online service.
http://nakedalm.com/tfs-service-credential-viewer/

how to implement oauth2 on java restful services

I need help with OAuth 2.0 and Java RESTful services (Jersey); any help would be appreciated. I need to find out how OAuth2 would be implemented. Here's the scenario: we have a web-based application, and there are clients engaged with it. They're planning to have an API (RESTful service) so that it will be consumed on mobile devices (Android and iOS). (They can log in using mobile and update their accounts, etc.)
Now, my problem is how I will integrate OAuth2 for its security using Java, and how I will create the authorization server.
I used to have the same question and ended up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands to download and start the authorization server:
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released in Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
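The RFC 7636 countermeasure mentioned above, as an added example that is not code from java-oauth-server, srb4j or the original posts: a PKCE round trip with the S256 method in plain Ruby, so the steps are visible without a framework. The in-memory code store, the `AuthorizationServer` class and the helper names are assumptions made for this demo; the verifier/challenge pair at the top is the test vector from RFC 7636 Appendix B.

```ruby
# Added example: RFC 7636 (PKCE) with the S256 method in plain Ruby.
# The in-memory code store is constructed for the demo; a real authorization
# server persists the same fields next to the issued authorization code.
require 'securerandom'
require 'digest'

RFC7636_VERIFIER  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'   # RFC 7636 Appendix B
RFC7636_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'

# Base64url without padding, as RFC 7636 requires (no external base64 library needed).
def base64url(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

# Client side (Section 4.1): a fresh, high-entropy verifier for every authorization request.
def generate_code_verifier
  SecureRandom.urlsafe_base64(32, false)   # 43 characters, all from the unreserved set
end

# Section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
def code_challenge_s256(verifier)
  base64url(Digest::SHA256.digest(verifier))
end

# Constant-time comparison so the token endpoint leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class AuthorizationServer
  def initialize
    @pending = {}   # authorization code => { challenge: ... } (hypothetical in-memory store)
  end

  # Authorization endpoint (Sections 4.3/4.4): bind the challenge to the code it issues.
  def issue_code(code_challenge, code_challenge_method)
    raise ArgumentError, 'only S256 is accepted' unless code_challenge_method == 'S256'
    code = SecureRandom.hex(16)
    @pending[code] = { challenge: code_challenge }
    code
  end

  # Token endpoint (Sections 4.5/4.6): the code is single-use, and the presented
  # verifier must hash to the stored challenge or the grant is refused.
  def exchange(code, code_verifier)
    entry = @pending.delete(code)
    return :invalid_grant if entry.nil?
    return :invalid_grant unless code_verifier.is_a?(String) && (43..128).cover?(code_verifier.length)
    secure_compare(code_challenge_s256(code_verifier), entry[:challenge]) ? :access_token_issued : :invalid_grant
  end
end

# Legitimate exchange, a replayed code, and a code presented without the matching
# verifier (the interception case RFC 7636 is designed to defeat).
def pkce_demo
  server = AuthorizationServer.new
  verifier = generate_code_verifier
  code = server.issue_code(code_challenge_s256(verifier), 'S256')
  legit = server.exchange(code, verifier)
  replay = server.exchange(code, verifier)                    # already consumed
  code2 = server.issue_code(code_challenge_s256(verifier), 'S256')
  wrong = server.exchange(code2, generate_code_verifier)      # code alone is not enough
  { legit: legit, replay: replay, intercepted: wrong }
end

p pkce_demo if $PROGRAM_NAME == __FILE__
```

Running the file prints `{:legit=>:access_token_issued, :replay=>:invalid_grant, :intercepted=>:invalid_grant}`: only the party that created the verifier can redeem the code, which is exactly the property a public mobile client needs when the redirect carrying the code can be observed by other apps on the device.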
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and it works like a charm, thanks to the author.

Asymmetric key encryption for securing SOAP webservice

I'd like to authenticate the caller of my SOAP webservice (deployed in Ruby 1.8.7/Rails 2.3.5 using the datanoise gem on Red Hat Enterprise Linux 5) using some encrypted tag in the XML requests. Normally the client is a Windows program (maybe C#/.NET Windows programs, not Java/Ruby) which should generate a varying encrypted key in each call to the webservice based on a key/salt, while my server side would always be able to decode it with the private key. Knowledge of the encrypted token on the wire should not allow a third-party program to simply replicate the fully encrypted token and access the webservice. I am looking into OpenSSL but am a newbie to cryptography. The string being encrypted for identification could be (among other items) the MAC ID of the trusted client, which when decrypted would match the stored value on the server side of the trusted hosts.
I've found lots of possibilities on the Ruby side, but need to ideally ensure that the solution does not impose (or minimizes) any library or installation requirement on the Windows client side. What I'm most struggling with is a way to generate a new key each time the call is made, so that anyone sniffing the traffic cannot simply infer the way to create the encrypted tag by getting access to the key.
As you are authenticating the caller here and not necessarily just the contents of what they send, there's no need to put the authentication mechanism into the SOAP request. Others have tried to do what you are after with WS-Security, so if at all, I'd go with that.
There have been problems with the security of the scheme, though, but probably the biggest deal breaker is that there's no support for it available in Ruby (that I know of at least, please correct me if I'm wrong!).
Probably the easiest way to achieve client authentication on both ends would be using mutually authenticated TLS (formerly SSL). This will ensure authentication on the transport level, which should suffice in your case. Actual authentication will then happen by first checking the validity of the certificate that is sent by the client (Ruby OpenSSL takes care of that for you), and once that is established, you check it against a white list of known certificates that you maintain on your server.
Please don't invent your own scheme, cryptographic protocols are among the hardest things to get right (that's why there are problems with WS-Security), TLS is probably as good as it gets right now and it has broad support in any language.
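The two-step check described in the answer above, as an added example that is not code from the original posts: OpenSSL validates the client certificate chain during the handshake, and the server then compares the peer certificate's fingerprint against its own allow list. Everything runs in one process on a loopback port; the CA, server, client and "rogue" keys and certificates, the allow list, and the helper names (`make_cert`, `start_server`, `call_server`, `mtls_demo`) are all constructed here for the demo and are not part of any project. It uses the modern Ruby OpenSSL API rather than the Ruby 1.8.7 in the question.

```ruby
# Added example: mutually authenticated TLS with a server-side allow list of
# client certificates. All key material is generated in-process for the demo.
require 'openssl'
require 'socket'

# Build an X.509 certificate for NAME with KEY, signed by the issuer or self-signed.
def make_cert(name, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The allow list holds SHA-256 fingerprints of the DER encoding, not subject names,
# so two CA-issued certificates with the same CN cannot be confused.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

def trust_store(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# Step 1 happens inside OpenSSL: the client chain must validate against CA_CERT.
# Step 2 is ours: the validated certificate must also be on the allow list.
def start_server(server_cert, server_key, ca_cert, allowlist)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.cert_store = trust_store(ca_cert)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  listener = TCPServer.new('127.0.0.1', 0)
  ssl_server = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      conn = begin
        ssl_server.accept
      rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
        next                 # handshake rejected: no certificate or untrusted chain
      rescue IOError, Errno::EBADF
        break                # listener closed, shut down
      end
      allowed = allowlist.include?(fingerprint(conn.peer_cert))
      conn.write(allowed ? 'OK' : 'DENIED')
      conn.close
    end
  end
  [listener.addr[1], listener, thread]
end

# Client call; the client authenticates the server too (CA trust plus hostname check).
def call_server(port, ca_cert, client_cert, client_key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = client_cert
  ctx.key = client_key
  ctx.cert_store = trust_store(ca_cert)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.hostname = 'localhost'
  ssl.sync_close = true
  reply = begin
    ssl.connect
    ssl.read
  rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, Errno::EPIPE
    nil
  end
  ssl.close rescue nil
  reply.to_s.empty? ? 'HANDSHAKE_FAILED' : reply
end

def mtls_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('Demo CA', ca_key, ca: true)
  server_key, trusted_key, other_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  server_cert  = make_cert('localhost', server_key, issuer_cert: ca_cert, issuer_key: ca_key, san: 'localhost')
  trusted_cert = make_cert('trusted-client', trusted_key, issuer_cert: ca_cert, issuer_key: ca_key)
  other_cert   = make_cert('other-client', other_key, issuer_cert: ca_cert, issuer_key: ca_key) # valid, unlisted
  rogue_cert   = make_cert('rogue-client', rogue_key)   # self-signed: fails step 1
  port, listener, thread = start_server(server_cert, server_key, ca_cert, [fingerprint(trusted_cert)])
  results = {
    trusted:      call_server(port, ca_cert, trusted_cert, trusted_key),
    unlisted:     call_server(port, ca_cert, other_cert, other_key),
    untrusted_ca: call_server(port, ca_cert, rogue_cert, rogue_key)
  }
  listener.close
  thread.join
  results
end

p mtls_demo if $PROGRAM_NAME == __FILE__
```

Running it prints `{:trusted=>"OK", :unlisted=>"DENIED", :untrusted_ca=>"HANDSHAKE_FAILED"}`. The `unlisted` case is the one the allow list exists for: a certificate your CA issued for some other purpose validates perfectly well at the TLS layer, so chain validation alone is not an authorization decision. Note that a leaked client private key would still let its holder present that certificate, so the allow list is something you must be able to edit (and pair with revocation) rather than a fixed deployment constant.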
