RE: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)

From: "McDermott, Becky" <bmcderm(at)sandia(dot)gov>
To: Dave Cramer <davecramer(at)postgres(dot)rocks>
Cc: Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, "pgsql-jdbc(at)lists(dot)postgresql(dot)org" <pgsql-jdbc(at)lists(dot)postgresql(dot)org>
Subject: RE: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)
Date: 2022-03-30 13:49:18
Message-ID: BY3PR09MB86274FC105861F2063BF8FFBC81F9@BY3PR09MB8627.namprd09.prod.outlook.com
Lists: pgsql-jdbc

>> From: Dave Cramer <davecramer(at)postgres(dot)rocks>
>> Sent: Wednesday, March 30, 2022 7:19 AM
>> Please post your findings here. We really appreciate it when people find a solution and post the solution so that others can benefit.

Here is what I did to get things working:

1. Used the same source code that I posted before and compiled it into a “runnable jar” (pg.jar)
2. Created a Dockerfile that looks like:
FROM openjdk:11

USER 0

WORKDIR /opt/gms

COPY out/artifacts/pg_jar/pg.jar .

RUN set -ex && \
umask 027 && \
groupadd --gid 1001 gms && \
useradd --gid 1001 --uid 1001 -d /opt/gms gms && \
chown -R gms:gms /opt/gms

# gms uid
USER 1001

CMD ["java", "-jar", "pg.jar"]

3. Built the Dockerfile to generate a local image by running:
docker build --pull --tag my-docker-registry.sandia.gov/pg-test/pg-test:test .
4. Pushed the image into our Docker registry (Artifactory) by running:
docker push gms-docker-registry.sandia.gov/pg-test/pg-test:test
5. Created Kubernetes yaml files to deploy the example program to an existing namespace called “jasontest” where we have a Postgres database running (used the Kubernetes service name in the JDBC connection string and the postgres pod’s expected username/password)

* Yaml file that describes a Kubernetes Service Account, Role, Role Binding (for pod permissions)
* Yaml file that describes how to deploy my app as a Kubernetes “Deployment” object

6. Deployed the java application by running:
kubectl apply -f rbac.yaml
kubectl apply -f pgtest_pod.yaml
7. Ran a command to make sure the new pod reached a running state:
watch kubectl get pod -n jasontest

and observed that a pod was created and placed in the “Running” state: pg-test-6b94476c95-8kvgh
8. Ran a command to display the pod logs for the test program:
kubectl logs -n jasontest pg-test-6b94476c95-8kvgh

Observed the pod output:
About to try connecting to postreSQL database ...
Connected to the PostgreSQL server successfully
Successfully connected to the database!! Try running a query
Inside main - about to enter a long loop
Looping a set number of times ... Loop Iteration: 1
Looping a set number of times ... Loop Iteration: 2
Looping a set number of times ... Loop Iteration: 3

Previously running this command showed logs with Java exceptions

As an aside, we need to get the Red Hat UBI 8 based image (distributed by Iron Bank – hardened container images) with openjdk working as well (it still has a problem). We believe that FIPS may not be turned on in that image but now that we know it “can work”, we can figure out how to make it work in the Iron Bank image.
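Added here as a diagnostic that is not part of this thread or of pgjdbc: SCRAM-SHA-256 (RFC 7677) needs SHA-256, HMAC-SHA-256 and PBKDF2 with HMAC-SHA-256, so a JVM whose provider set has been restricted for FIPS and no longer offers one of them cannot complete authentication. The class below (name ScramFipsCheck is mine) prints the installed providers and which one, if any, backs each primitive, which is a quick way to compare the openjdk:11 image above with the Iron Bank image.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;

/** Reports which JCE provider supplies each primitive SCRAM-SHA-256 relies on. */
public class ScramFipsCheck {

    /** Algorithm name -> provider name, or "MISSING" when no provider offers it. */
    public static Map<String, String> probe() {
        Map<String, String> result = new LinkedHashMap<>();
        try {
            result.put("SHA-256", MessageDigest.getInstance("SHA-256").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            result.put("SHA-256", "MISSING");
        }
        try {
            result.put("HmacSHA256", Mac.getInstance("HmacSHA256").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            result.put("HmacSHA256", "MISSING");
        }
        try {
            // Hi() in RFC 7677 is PBKDF2 keyed with HMAC-SHA-256.
            result.put("PBKDF2WithHmacSHA256",
                    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            result.put("PBKDF2WithHmacSHA256", "MISSING");
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("Installed security providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("SCRAM-SHA-256 primitives:");
        boolean ok = true;
        for (Map.Entry<String, String> e : probe().entrySet()) {
            System.out.println("  " + e.getKey() + " -> " + e.getValue());
            ok &= !"MISSING".equals(e.getValue());
        }
        // Non-zero exit makes the check usable as a container start-up probe.
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same JVM and java.security configuration the JDBC client uses (for example `java ScramFipsCheck` inside the container image); a "MISSING" line points at the provider gap to fix before debugging the driver itself.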
