FIPS error with Cosmos Postgresql DB while running stored procedure

Vipal Mehta 40 Reputation points
2024-12-19T17:59:18.16+00:00

Hi Team,

I am facing a strange error while executing a stored proc which executes a query on another DB.

The same proc works fine in our staging DB hosted on Cosmos Postgresql.

We have similar configuration and settings for both DBs and we checked all the parameters; however, there are no mismatches.

Please see below the error we are facing with our CosmosDB Production instance:

ERROR: could not establish connection DETAIL: connection to server at "db.amazonaws.com" , port 5432 failed: could not encrypt password: disabled for FIPS fe_sendauth: error sending password authentication.

Please note that there are no changes made on the DB cluster on either side. The interesting thing is that it is working on the other CosmosDB which we have running.

@Oury Ba-MSFT

Accepted answer
  1. Mahesh Kurva 1,625 Reputation points Microsoft Vendor
    2024-12-26T05:53:06.8+00:00

    Hi @Vipal Mehta,

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    Hi Team,

    I am facing a strange error while executing a stored proc which executes a query on another DB.

    The same proc works fine in our staging DB hosted on Cosmos Postgresql.

    We have similar configuration and settings for both DBs and we checked all the parameters; however, there are no mismatches.

    Please see below the error we are facing with our CosmosDB Production instance:

    ERROR: could not establish connection DETAIL: connection to server at "db.amazonaws.com" , port 5432 failed: could not encrypt password: disabled for FIPS fe_sendauth: error sending password authentication.

    Please note that there are no changes made on the DB cluster on either side. The interesting thing is that it is working on the other CosmosDB which we have running.

    Solution:

    I had raised it with the support team on a different chain. They have reverted some changes and disabled FIPS, and it has started working now.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.

1 additional answer

  1. Sina Salam 14,616 Reputation points
    2024-12-22T16:50:11.44+00:00

    Hello Vipal Mehta,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having a FIPS error with Cosmos Postgresql DB while running a stored procedure.

    If your production Cosmos PostgreSQL instance has continuous backups enabled and the retention period includes December 19th, there are four areas I would like you to check:

    Firstly, you will need to diagnose and confirm Azure-side changes: Use the Azure Service Health dashboard to identify if any updates were applied to CosmosDB or the hosting infrastructure, particularly related to FIPS enforcement. - https://portal.azure.com/#blade/Microsoft_Azure_Health/AzureHealthBrowseBlade/serviceIssues

    Secondly, check if FIPS compliance has been enabled in your production environment unexpectedly:

    • Run SHOW config_file; in PostgreSQL to locate the configuration file.
    • Look for parameters like password_encryption and confirm if they are set to SCRAM-SHA-256 or similar.
    • On the host or application level, ensure that FIPS mode is disabled if it is causing issues. This might involve updating operating system policies or PostgreSQL configurations.

    Ensure both staging and production instances have the same authentication methods in pg_hba.conf (e.g., scram-sha-256 or md5), and if using SSL/TLS, confirm that certificates are valid and correctly configured in both environments.

    Lastly, as an immediate action, run diagnostic queries in SQL, SHOW password_encryption; and SHOW ssl; and compare the output between staging and production. Also, use tools like telnet or nc to test connectivity to the target database (db.amazonaws.com) on port 5432 from the CosmosDB production instance. If the issue persists, escalate to Microsoft Azure Support. Hopefully, @Oury Ba-MSFT will respond if she is not on vacation.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
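The staging-versus-production comparison suggested in the answer above can be scripted. This is an added example, not code from the thread: the function names are hypothetical, the error text is copied from the question, and the settings rows are constructed samples (identical in both environments, matching the asker's report of no mismatch).

```python
import re

# Constructed sample: the error text quoted in the question.
ERROR_TEXT = (
    'ERROR: could not establish connection DETAIL: connection to server at '
    '"db.amazonaws.com" , port 5432 failed: could not encrypt password: '
    'disabled for FIPS fe_sendauth: error sending password authentication.'
)

# Constructed samples: "name|setting" rows as printed by
#   psql -At -c "SELECT name, setting FROM pg_settings
#                WHERE name IN ('password_encryption', 'ssl')"
STAGING_ROWS = "password_encryption|scram-sha-256\nssl|on\n"
PRODUCTION_ROWS = "password_encryption|scram-sha-256\nssl|on\n"

_FAILURE = re.compile(
    r'connection to server at "(?P<host>[^"]+)"\s*,\s*port (?P<port>\d+) '
    r'failed: (?P<reason>.+)', re.S)


def parse_connection_failure(text):
    """Extract target host, port and failure reason from a libpq-style error."""
    m = _FAILURE.search(text)
    if m is None:
        return None
    reason = m.group("reason").strip()
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "reason": reason,
        # True when password hashing was refused because of FIPS, i.e. the
        # failure is on the connecting side, before the password is sent.
        "fips_blocked_password": (
            "could not encrypt password" in reason and "FIPS" in reason),
    }


def parse_settings(rows):
    """Turn 'name|setting' lines into a dict, skipping lines without a '|'."""
    pairs = (line.split("|", 1) for line in rows.splitlines() if "|" in line)
    return {name.strip(): value.strip() for name, value in pairs}


def diff_settings(staging_rows, production_rows):
    """Return {name: (staging, production)} for every setting that differs."""
    a, b = parse_settings(staging_rows), parse_settings(production_rows)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

An empty result from `diff_settings` together with `fips_blocked_password` being true points away from the PostgreSQL parameters and toward the crypto policy of the host making the outbound connection.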

