Error when trying to connect ODBC SSL

Hi,

I am using OpenSearch 2.3.0.

When I try to configure the ODBC driver with SSL, I get an error like the one in the screenshot:

What caught my attention is that in the error message the port number is reduced to 920.

When I change opensearch.yml config to

plugins.security.ssl.http.enabled: false

I can successfully test the connection without SSL.

I will be grateful for any help

Regards,
Andrew

Hi @apt,

have you tried providing the port as per below?

image

Best,
mj

Hi!

Thank you for your reply.
I tried to remove port and HTTP from host.
Unfortunately I am still not able to connect.

image

What stands out, to me, is that the port in your error pop-up is 920 not 9200.

Is your OpenSearch cluster on HTTP or HTTPS?
Would you mind sharing your opensearch.yml file?

Thanks,
mj

Hi,
As I wrote before:
when plugins.security.ssl.http.enabled: false - there is no error and I can successfully connect
when plugins.security.ssl.http.enabled: true - the error pop-up appears

# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: opensearch-mycluster-name
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /mydata/opensearch
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: host_IP_here
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["hotsname_dns1", "hotsname_dns2", "hotsname_dns3"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
cluster.initial_cluster_manager_nodes: ["node-1"]
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#plugins.security.disabled: true

#http.max_content_length
search.max_buckets: 100000


path.repo: ["/myapp/snap"]



######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
#cert Transport
plugins.security.ssl.transport.pemcert_filepath: SSL/Transport/node1.pem
plugins.security.ssl.transport.pemkey_filepath: SSL/Transport/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: SSL/Transport/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.ssl.http.enabled: true



#cert Mycerts
plugins.security.ssl.http.keystore_type: PKCS12
plugins.security.ssl.http.keystore_filepath: SSL/mycerts/opens-keystore.pfx
plugins.security.ssl.http.keystore_password: PASS_WORD
plugins.security.ssl.http.truststore_type: PKCS12
plugins.security.ssl.http.truststore_filepath: SSL/mycerts/opens-keystore.pfx
plugins.security.ssl.http.truststore_password: PASS_WORD

plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.1"
  - "TLSv1"

plugins.security.nodes_dn:
  - 'CN=hotsname_dns1,OU=TS,O=myORG,L=city,ST=dist,C=XX'
  - 'CN=hotsname_dns2,OU=TS,O=myORG,L=city,ST=dist,C=XX'
  - 'CN=hotsname_dns1,OU=TS,O=myORG,L=city,ST=dist,C=XX'

plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=mycn,OU=myou,O=myORG,L=city,ST=dist,C=XX

plugins.security.audit.type: debug
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
#node.max_local_storage_nodes: 3
logger.org.elasticsearch.index.reindex: debug
#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf'
#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab'
######## End OpenSearch Security Demo Configuration ########

I tried installing the ODBC driver on the PROD environment, where the hostname is slightly shorter.
It seems that the issue with the missing last digit of the port number in the error message is misleading.

Now I get the same error message with the full port number. I am still not able to connect with SSL enabled.

opensearch[OpenSearchCommunication::LogMsg]841: Verifying connection options.
opensearch[OpenSearchCommunication::LogMsg]841: Required connection option are valid.
opensearch[OpenSearchCommunication::LogMsg]841: Starting DB connection.
opensearch[OpenSearchCommunication::LogMsg]841: Attempting to establish DB connection.
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200
opensearch[OpenSearchCommunication::LogMsg]841: Dropping DB connection.
connection[CC_set_error_statements]537: entering self=0000013E939FE0C0
connection[CC_log_error]625: CONN ERROR: func=LIBOPENSEARCH_connect, desc='', errnum=202, errmsg='Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200'
connection[CC_log_error]628:             ------------------------------------------------------------
connection[CC_log_error]631:             henv=0000013E90940500, conn=0000013E939FE0C0, status=0, num_stmts=16
connection[CC_log_error]633:             opensearchconn=0000000000000000, stmts=0000013E9093B9F0, lobj_type=-999
connection[CC_log_error]625: CONN ERROR: func=OPENSEARCHAPI_DriverConnect, desc='Error from CC_Connect', errnum=202, errmsg='Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200'
connection[CC_log_error]628:             ------------------------------------------------------------
connection[CC_log_error]631:             henv=0000013E90940500, conn=0000013E939FE0C0, status=0, num_stmts=16
connection[CC_log_error]633:             opensearchconn=0000000000000000, stmts=0000013E9093B9F0, lobj_type=-999
odbcapi30w[SQLGetDiagRecW]181: entering
opensearch[OPENSEARCHAPI_GetDiagRec]23: entering type=2 rec=1
 environ.c[OPENSEARCHAPI_ConnectError]212: entering hdbc=0000013E939FE0C0 <512>
connection[CC_get_error]602: entering
connection[CC_get_error]614: leaving
 environ.c[OPENSEARCHAPI_ConnectError]229: CC_get_error: status = 202, msg = #Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200#
 environ.c[OPENSEARCHAPI_ConnectError]316: 	     szSqlState = '08001',len=199, szError='Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https://MYHOST.XXX.XXX:9200'
opensearch[OPENSEARCHAPI_GetDiagRec]44: leaving 0
win_unicod[utf8_to_ucs2_lf]227: ilen=199 bufcount=512 ocount=199
odbcapi30.[SQLFreeHandle]203: entering
connection[OPENSEARCHAPI_FreeConnect]191: entering...hdbc=0000013E939FE0C0
connection[CC_Destructor]298: entering self=0000013E939FE0C0
connection[CC_cleanup]397: entering self=0000013E939FE0C0
connection[CC_set_error_statements]537: entering self=0000013E939FE0C0
connection[CC_log_error]625: CONN ERROR: func=CC_cleanup, desc='', errnum=1, errmsg='Connection not open'
connection[CC_log_error]628:             ------------------------------------------------------------
connection[CC_log_error]631:             henv=0000013E90940500, conn=0000013E939FE0C0, status=0, num_stmts=16
connection[CC_log_error]633:             opensearchconn=0000000000000000, stmts=0000013E9093B9F0, lobj_type=-999
connection[CC_cleanup]412: after LIBOPENSEARCH_disconnect
dlg_specif[CC_conninfo_init]445: entering opt=1
connection[CC_cleanup]478: leaving
connection[CC_Destructor]305: after CC_Cleanup
connection[CC_Destructor]316: after free statement holders
connection[CC_Destructor]327: leaving
connection[OPENSEARCHAPI_FreeConnect]209: leaving...
odbcapi30.[SQLFreeHandle]203: entering
 environ.c[OPENSEARCHAPI_FreeEnv]53: entering env=0000013E90940500
 environ.c[EN_Destructor]426: entering self=0000013E90940500
 environ.c[EN_Destructor]449: clearing conns count=128
 environ.c[EN_Destructor]461: leaving rv=1
 environ.c[OPENSEARCHAPI_FreeEnv]56:    ok

Hi @apt,

I had a closer look at it, and it looks like you will need to configure the following driver options using a DSN or connection string:
a) UseSSL - boolean (0 or 1), default false (0) - you need to set it to 1
b) HostnameVerification - boolean (0 or 1) - you need to set it to 0 (for testing)

Please see more details here: ODBC Driver - OpenSearch Documentation

Specifically here: ODBC Driver - OpenSearch Documentation

best,
mj
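
Added example, not part of the reply above and not the driver's own code: a small Python check that parses an ODBC connection string and reports on the two options named in that reply (UseSSL, HostnameVerification), so a test-only setting does not get carried into production. The DSN name, host name and function names are constructed for illustration; that Host may carry an https:// prefix is taken from this thread.

```python
import re

# key=value pairs separated by ';' -- a value may be wrapped in {...}
# so that it can contain ';' or '=' (standard ODBC connection-string quoting).
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)\s*(?:;|$)")


def parse_conn_str(conn_str):
    """Return the options as a dict with lower-cased keys (keywords are case-insensitive)."""
    opts = {}
    for key, value in _PAIR.findall(conn_str):
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        opts[key.lower()] = value
    return opts


def audit_tls_options(conn_str, production=True):
    """Return a list of findings about the TLS-related options."""
    opts = parse_conn_str(conn_str)
    host = opts.get("host", "").lower()
    # UseSSL defaults to 0 according to the reply above.
    use_ssl = opts.get("usessl", "0") == "1"
    findings = []
    if host.startswith("https://") and not use_ssl:
        findings.append("Host starts with https:// but UseSSL is not 1")
    elif not use_ssl:
        findings.append("UseSSL is 0: the driver will not use TLS")
    if use_ssl and host.startswith("http://"):
        findings.append("UseSSL=1 but Host starts with http://")
    if use_ssl and opts.get("hostnameverification") == "0":
        note = "fix the certificate name before production use" if production else "test only"
        findings.append("HostnameVerification=0: server name is not checked (" + note + ")")
    return findings


# Constructed sample strings (hypothetical DSN and host names).
TEST_DSN = ("DSN=opensearch-test;Host=https://search.example.internal;"
            "Port=9200;UseSSL=1;HostnameVerification=0")
PROD_DSN = ("DSN=opensearch-prod;Host=https://search.example.internal;"
            "Port=9200;UseSSL=1;HostnameVerification=1")

if __name__ == "__main__":
    for name, dsn in (("test", TEST_DSN), ("prod", PROD_DSN)):
        print(name, audit_tls_options(dsn) or "no findings")
```
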

Hi @Mantas,

Do you mean Advanced Option tab?

This is how it is configured. The Enable SSL option is set automatically when I add https:// in host name. I’ve tried various options, but nothing helps.

image

I tried an older version of this driver (v1.4.0) and despite some issues with it described here -
[BUG] OpenSearch ODBC client will not connect to OpenSearch cluster · Issue #8 · opensearch-project/sql-odbc · GitHub - I was able to successfully connect.

image


I think there is still some bug in version 1.5.0

@apt , thanks for sharing your findings - that is good to know.

Best,
mj

@Mantas, thanks for your help!

Regards,
Andrew
