Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Can't access the PostgreSQL database running in the Clearpass VM

  • 1.  Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 05:26 AM

    Hi,

    I've booted up the Aruba Networks PolicyManager 6.6 VM

    I'm trying to set up API guest users and part of the documentation I've received to do this suggests that I log in to the DB manually to add the users (strange method, but OK)

    I've found that the PostgreSQL server is running on port 5432 of the VM. I've confirmed that using a port scan "5432/tcp open postgresql"

    But when I attempt to log in using a macOS PostgreSQL client (PSequel), I get the following error: "FATAL: no pg_hba.conf entry for host '192.168.1.100', user 'appuser', database 'postgres', SSL off"

    This error is strange as the IP of my VM is 192.168.1.101 (Could be the issue here?)

    Regardless, after Googling, it seems I need to update the pg_hba.conf file upon the box but I can't get a bash shell on the VM. I can log in to the policy manager but I'm restricted to a handful of commands

    Can anybody help me on this one? Is there a better method to add an API user? My *only* task on this project is to add an API user so I can authenticate against http://vm/api/oauth. Nothing else matters. This is purely to test on a local development environment and no other features of the VM are required

    Thanks in advance,



  • 2.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 08:51 AM

    You should either upgrade to the latest version of 6.6.X or move to 6.7.

    The ClearPass REST API does not use external SQL connections. I'm trying to understand what your end goal is. The ClearPass REST API can use a password or client_credential grant. The password grant uses existing identity stores to authenticate users/devices.



  • 3.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 09:54 AM

    We have an external system which we want to allow Clearpass users to be able to authenticate on, using their Clearpass credentials. So the only endpoint I need to work with is /api/oauth

    I have logged into the Clearpass GUI and created accounts - https://ibb.co/YhBS6yY

    I think I have done the work to enable Oauth - https://ibb.co/cNXKxsj

    But the following request to /api/oauth returns that the credentials are invalid, although each field value in the request body looks correct to me - https://ibb.co/6yYztCk

    We have been given a REST setup document which suggests I need to edit the DB manually - https://ibb.co/nw7ws0G

    If there's anything you can suggest, I'd be very grateful

    Stephen,



  • 4.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:03 AM

    You created Guest accounts, not local user accounts. Use [Guest User Repository] as the auth source.



  • 5.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:07 AM

    I don't appear to have the option to set an auth source in either the OAuth config or the account config:
      - https://ibb.co/Zg6Nwss
      - https://ibb.co/HgGdtz7

    I have found the guest user repository in the Policy Manager but I don't see an option to link it to the guest user auth source - https://ibb.co/wSBdrK5



  • 6.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:10 AM
    In your OAuth 2.0 application service, change the auth source.


  • 7.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:13 AM

    I'm not able to find the section you're referencing

    Is it within Policy Manager, Guest Management or something else?

     



  • 9.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:16 AM
    Configuration > Services.


  • 10.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:21 AM

    I have made the updates I think are required but Oauth authentication still fails:

     - https://ibb.co/vPY5wWX
     - https://ibb.co/QQCZ4VG
     - https://ibb.co/KxqyFbH
     - https://ibb.co/93PWPjm



  • 11.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 10:29 AM
    What does Access Tracker show for the request?


  • 12.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 11:01 AM

    Access tracker full list - https://ibb.co/jLH2Tsx

    Most recent row:
      - Summary: https://ibb.co/yQtyZXp
      - Input: https://ibb.co/qm12KyV
      - Output: https://ibb.co/zRqJ4q2
      - Alerts: https://ibb.co/0Z3qBd5



  • 13.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 11:07 AM
    The alerts tab shows the problem.


  • 14.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 11:09 AM

    I see that, but any previous attempt at updating the password has still caused an auth failure. Even now, I've just updated the password again. Copied and pasted it into the request body and a failure still occurs



  • 15.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 11:11 AM

    I've just tried a different user that has a different role. The error is now "Access denied by policy"



  • 16.  RE: Can't access the PostgreSQL database running in the Clearpass VM

    Posted Feb 07, 2019 11:13 AM
    Please work with Aruba TAC.