Open arssycro opened 5 months ago
arssycro
commented
5 months ago Did a bit more digging myself and looks like there is maybe a second self-signed cert created for Mongo. If I instead add the cert at /u01/ords/self-signed.crt, everything works.
Would it be possible to get this exposted through a jks truststore?
aosingh
commented
5 months ago Hi @arssycro
Yeah, we generate a self signed cert for ORDS. A quick workaround is to update the client's truststore
podman cp adb-free:/u01/ords/self-signed.crt adb_container_ords.cert
sudo cp adb_container_ords.cert /etc/pki/ca-trust/source/anchors
sudo update-ca-trustFor JDK truststore update, you can use keytool
Linux example:
sudo keytool -import -alias adb_container_ords -keystore $JAVA_HOME/lib/security/cacerts -file adb_container_ords.cert
MacOS example:
sudo keytool -import -alias adb_container_ords -keystore /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home/lib/security/cacerts -file adb_container_ords.cert
did you already do this ?
Meanwhile, we will plan to add self.signed.cert to the wallet's truststore.jks
arssycro
commented
5 months ago We can do that, but it runs into some problems using it for automation. Getting it into the truststore.jks provides a simpler mechanism for us to use System properties to ensure our tests can access the DB.
amoghparab1805
commented
5 months ago Hi @arssycro ,
Run the following podman command before copying the wallet. This will add to truststore.jks
podman exec -it adb-free keytool -import -trustcacerts -file /u01/ords/self-signed.crt -keystore /u01/app/oracle/wallets/tls_wallet/truststore.jksThis command will prompt for wallet password used during container startup.
We will fix this issue in the upcoming release.
aosingh
commented
4 months ago @arssycro
This is fixed in the latest released image version
docker pull ghcr.io/oracle/adb-free:23.10.2.4
Trying to use this image to POC using Autonomous JSON DB and running into some issues trying to get the Mongodb libraries working.
Using a connection string like "mongodb://[user]:[password]@localhost:27017/[user]?authMechanism=PLAIN&authSource=$external&ssl=true&retryWrites=false&loadBalanced=true" which is exactly what's in the log when the image opens. Using this string, I'm able to connect through something like MongoDB Compass immediately, but I'm having trouble in Java/Kotlin.
If I do not add to the cacerts, I get "unable to find valid certification path to requested target" when trying to get a count of records. If I do add to the caccerts, I get "Bad signature length: got 512 but was expecting 256".
Any suggestions or ideas on what I might be missing?