IBM Verify

  • 1.  Accessing ISAM embedded database

    Posted Fri April 23, 2021 03:02 AM
    Hi all,

    I would like to be able to access ISAM internal CONFIG and RUNTIME databases.
    On our development platform we use the embedded database, and I have no idea how to access it.

    Does anyone have an idea how this could be done?


    Thank you

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Accessing ISAM embedded database

    Posted Fri April 23, 2021 04:54 AM
    I don't know the purpose for accessing the embedded database.
    But it is a simple task.
    The embedded database is based on PostgreSQL. If you select System -> Network Settings: Cluster Configuration > Configuration Database, you may find the location of your database. I assume it is "Local to the cluster". To get a copy, just use "Database export" and you get a copy of the data.

    You can do the same thing for the Runtime database.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    ------------------------------



  • 3.  RE: Accessing ISAM embedded database

    Posted Fri April 23, 2021 05:10 AM
    Exporting the database is not the same as accessing it.

    I need to access it to modify an existing OAuth Policy (without deleting it and having to recreate it and reconfigure the dependencies as the policy ID will change).

    This is something I have done on our environments running on an external database, but I don't know how to do it on the embedded database.


    Is this something possible from the CLI, or is there any way to expose the embedded database to the outside?

    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: Accessing ISAM embedded database

    Posted Fri April 23, 2021 08:32 AM
    Edited by Joao Goncalves Fri April 23, 2021 08:33 AM
    I have to look into how to do it. But another simple option is to export the database out of ISAM and use it as an external database (multiple are supported, including openLDAP, DB2, Oracle). Then it will be easy to access it.

    By the way, using External Databases is recommended by IBM.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    ------------------------------



  • 5.  RE: Accessing ISAM embedded database

    Posted Mon April 26, 2021 05:15 AM
    Had a quick look and I suspect it may not be possible.

    I logged into an appliance here and browsed to the tools section where I used the connections command. Output there suggested postgres was being used and that the embedded databases were using ports 2020 and 2024, listening on localhost.

    I used the telnet command in the same section. I could connect on both of those ports, although obviously not do anything because it is telnet. Typing some random rubbish closed the connection, proving at least a connection was established.

    Trying to reach those ports on the appliance interface failed, connection refused. With no on-board database client, and seemingly no external connection possible, I can't see a way to access the database.

    Seems to make sense to me, we're talking about internal configuration for which there is normally no reason to even want access. I think it would be a weakness in the security model to allow external access. Your motivation isn't so much driven by necessity but a perceived shortcoming in the design of the interface and configuration editing tools provided, or just a desire to make a change in a more convenient way to save time. Understandable, of course, I've done similar things. The "best" fix, which is no help to you right now, would probably be for IBM to provide a database client on the appliance itself like it does for IGI to allow for "hacks" and troubleshooting without providing a target for hackers to exploit.

    ------------------------------
    Dennis English
    ------------------------------



  • 6.  RE: Accessing ISAM embedded database

    Posted Mon April 26, 2021 07:28 AM
    Hi Dennis,

    Thank you very much for having looked into it.

    I agree with both your conclusions and the best way to proceed is to simply move the database to an external one, as in our acceptance and production environments.

    ------------------------------
    André Leruitte
    ------------------------------



  • 7.  RE: Accessing ISAM embedded database

    Posted Wed May 31, 2023 09:16 AM

    Hi André,

    I faced the same problem recently, i.e. I needed to access the internal ISVA hvdb postgres database. I noticed that port forwarding is available so you should be able to ssh like "ssh -L 2024:localhost:2024 <isva>". That will allow you to connect to the database using a normal postgres client using the account www-data, no authentication needed.

    Regards,

    Peter 



    ------------------------------
    Peter Lindqvist
    ------------------------------
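
    Added example (not part of any post in this thread, and not IBM code): posts 5 and 7 both rest on the embedded databases listening on ports 2020 and 2024 on localhost only. The Python check below classifies listeners for those ports from `ss -ltn`-style output; that format and the sample lines are assumptions constructed for illustration, and the appliance's own connections command may print something different.

```python
import ipaddress

# Embedded database ports reported in this thread.
EMBEDDED_DB_PORTS = {2020, 2024}

# Constructed sample in `ss -ltn` style (assumed format, not appliance output).
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:2020      0.0.0.0:*
LISTEN  0       128     [::1]:2024          [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:443               *:*
"""


def is_loopback(addr):
    """True only for loopback addresses; wildcards and odd forms are not."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and any %scope
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # '*' or unknown form: report exposed, never assume safe
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 style
    return (mapped or ip).is_loopback


def classify_db_listeners(text, ports=EMBEDDED_DB_PORTS):
    """Return {port: 'loopback-only' | 'exposed'} for watched listening ports."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        # One non-loopback listener is enough to mark the port exposed.
        if result.get(int(port)) != "exposed":
            state = "loopback-only" if is_loopback(addr) else "exposed"
            result[int(port)] = state
    return result


if __name__ == "__main__":
    for port, state in sorted(classify_db_listeners(SAMPLE).items()):
        print(port, state)
```

    A "loopback-only" result covers direct network reach only; as post 7 describes, an SSH session with port forwarding still reaches these ports, so SSH access to the appliance should be treated as access to the database.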



  • 8.  RE: Accessing ISAM embedded database

    Posted Thu June 01, 2023 10:23 AM

    Hi Peter,

    Thanks a lot for your clever workaround! I'd never thought that port forwarding would be possible!

    This could help us in the future with other "internal issues".

    Regards,

    André



    ------------------------------
    André Leruitte
    ------------------------------