Installing MySQL on brand new Ubuntu VM

siddjain@engblog:~$ sudo apt update
Hit:1 bionic InRelease
Get:2 bionic-updates InRelease [88.7 kB]
Get:3 bionic-backports InRelease [74.6 kB]
Get:4 bionic-security InRelease [88.7 kB]
Get:5 bionic-updates/main amd64 Packages [753 kB]
Get:6 bionic-updates/main Translation-en [271 kB]
Get:7 bionic-updates/restricted amd64 Packages [15.7 kB]
Get:8 bionic-updates/restricted Translation-en [4956 B]
Get:9 bionic-updates/universe amd64 Packages [1012 kB]
Get:10 bionic-updates/universe Translation-en [312 kB]
Get:11 bionic-updates/multiverse amd64 Packages [7884 B]
Get:12 bionic-updates/multiverse Translation-en [3944 B]

siddjain@engblog:~$ sudo apt install mysql-server
Unpacking libcgi-fast-perl (1:2.13-1) …
Selecting previously unselected package libencode-locale-perl.
Preparing to unpack …/07-libencode-locale-perl_1.05-1_all.deb …
Unpacking libencode-locale-perl (1.05-1) …
Selecting previously unselected package libhtml-template-perl.
Preparing to unpack …/08-libhtml-template-perl_2.97-1_all.deb …
Unpacking libhtml-template-perl (2.97-1) …
Selecting previously unselected package libtimedate-perl.
Preparing to unpack …/09-libtimedate-perl_2.3000-2_all.deb …
Unpacking libtimedate-perl (2.3000-2) …
Selecting previously unselected package libhttp-date-perl.
Preparing to unpack …/10-libhttp-date-perl_6.02-1_all.deb …
Unpacking libhttp-date-perl (6.02-1) …
Selecting previously unselected package libio-html-perl.
Preparing to unpack …/11-libio-html-perl_1.001-1_all.deb …
Unpacking libio-html-perl (1.001-1) …
Selecting previously unselected package liblwp-mediatypes-perl.
Preparing to unpack …/12-liblwp-mediatypes-perl_6.02-1_all.deb …
Unpacking liblwp-mediatypes-perl (6.02-1) …
Selecting previously unselected package libhttp-message-perl.
Preparing to unpack …/13-libhttp-message-perl_6.14-1_all.deb …
Unpacking libhttp-message-perl (6.14-1) …
Selecting previously unselected package mysql-server.
Preparing to unpack …/14-mysql-server_5.7.27-0ubuntu0.18.04.1_all.deb …
Unpacking mysql-server (5.7.27-0ubuntu0.18.04.1) …
Setting up libhtml-tagset-perl (3.20-3) …
Setting up libevent-core-2.1-6:amd64 (2.1.8-stable-4build1) …
Setting up libencode-locale-perl (1.05-1) …
Setting up libtimedate-perl (2.3000-2) …
Setting up libio-html-perl (1.001-1) …
Setting up liblwp-mediatypes-perl (6.02-1) …
Setting up libaio1:amd64 (0.3.110-5ubuntu0.1) …
Setting up liburi-perl (1.73-1) …
Setting up libhtml-parser-perl (3.72-3build1) …
Setting up libcgi-pm-perl (4.38-1) …
Setting up mysql-client-core-5.7 (5.7.27-0ubuntu0.18.04.1) …
Setting up libfcgi-perl (0.78-2build1) …
Setting up libhttp-date-perl (6.02-1) …
Setting up libhtml-template-perl (2.97-1) …
Setting up mysql-server-core-5.7 (5.7.27-0ubuntu0.18.04.1) …
Setting up libcgi-fast-perl (1:2.13-1) …
Setting up libhttp-message-perl (6.14-1) …
Setting up mysql-client-5.7 (5.7.27-0ubuntu0.18.04.1) …
Setting up mysql-server-5.7 (5.7.27-0ubuntu0.18.04.1) …
update-alternatives: using /etc/mysql/mysql.cnf to provide /etc/mysql/my.cnf (my.cnf) in auto mode
Renaming removed key_buffer and myisam-recover options (if present)
Created symlink /etc/systemd/system/ → /lib/systemd/system/mysql.service.
Setting up mysql-server (5.7.27-0ubuntu0.18.04.1) …
Processing triggers for libc-bin (2.27-3ubuntu1) …
Processing triggers for systemd (237-3ubuntu10.26) …
Processing triggers for man-db (2.8.3-2ubuntu0.1) …
Processing triggers for ureadahead (0.100.0-21) …

siddjain@engblog:~$ sudo mysql_secure_installation

Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: Y

There are three levels of password validation policy:

LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Please set the password for root here.

New password: enter your password for root user

Re-enter new password: re-enter the password

Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production

Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y

Normally, root should only be allowed to connect from
‘localhost’. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y

By default, MySQL comes with a database named ‘test’ that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
– Dropping test database…

– Removing privileges on test database…

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y

All done!

siddjain@engblog:~$ cat /etc/mysql/my.cnf
# The MySQL database server configuration file.
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
# For explanations see

# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with ‘.cnf’, otherwise they’ll be ignored.

!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

Let's change the data directory. We have attached a 1TB disk and mounted it at /data. Let's store our data there so that we can back it up and attach it to a different VM if need be.

Find the line in the [mysqld] block that begins with datadir=, which is separated from the block heading with several comments. Change the path which follows to reflect the new location. In addition, since the socket was previously located in the data directory, we’ll need to update it to the new location:

So change the file to:

siddjain@engblog:~$ cat /etc/mysql/my.cnf
# The MySQL database server configuration file.
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
# For explanations see

# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with ‘.cnf’, otherwise they’ll be ignored.

!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/




The above assumes you have a mysql.sock under /var/run/mysqld (you should; check it).

Now when you run mysqld --initialize you will get an error:

siddjain@engblog:~$ mysqld --initialize
mysqld: Can't create directory '/data/mysql/' (Errcode: 13 - Permission denied)
2019-10-18T17:27:43.696325Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2019-10-18T17:27:43.704308Z 0 [ERROR] Aborting

siddjain@engblog:~$ ls -al /data
total 24
drwxr-xr-x 3 root root 4096 Oct 18 16:37 .
drwxr-xr-x 24 root root 4096 Oct 18 16:54 ..
drwx------ 2 root root 16384 Oct 18 16:37 lost+found

Creating /data/mysql beforehand will also not work:

siddjain@engblog:~$ sudo mkdir /data/mysql
siddjain@engblog:~$ mysqld --initialize
mysqld: Can't create directory '/data/mysql/' (Errcode: 17 - File exists)
2019-10-18T17:30:01.441271Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2019-10-18T17:30:01.442894Z 0 [ERROR] Aborting

I found the solution to the problem in Here are the steps to fix it:

siddjain@engblog:~$ aa-disable /usr/sbin/mysqld

Command ‘aa-disable’ not found, but can be installed with:

sudo apt install apparmor-utils

siddjain@engblog:~$ sudo apt install apparmor-utils
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
python3-apparmor python3-libapparmor
Suggested packages:
The following NEW packages will be installed:
apparmor-utils python3-apparmor python3-libapparmor
0 upgraded, 3 newly installed, 0 to remove and 47 not upgraded.
Need to get 157 kB of archives.
After this operation, 961 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 bionic-updates/main amd64 python3-libapparmor amd64 2.12-4ubuntu5.1 [26.8 kB]
Get:2 bionic-updates/main amd64 python3-apparmor amd64 2.12-4ubuntu5.1 [79.5 kB]
Get:3 bionic-updates/main amd64 apparmor-utils amd64 2.12-4ubuntu5.1 [50.6 kB]
Fetched 157 kB in 0s (1270 kB/s)
Selecting previously unselected package python3-libapparmor.
(Reading database … 56820 files and directories currently installed.)
Preparing to unpack …/python3-libapparmor_2.12-4ubuntu5.1_amd64.deb …
Unpacking python3-libapparmor (2.12-4ubuntu5.1) …
Selecting previously unselected package python3-apparmor.
Preparing to unpack …/python3-apparmor_2.12-4ubuntu5.1_amd64.deb …
Unpacking python3-apparmor (2.12-4ubuntu5.1) …
Selecting previously unselected package apparmor-utils.
Preparing to unpack …/apparmor-utils_2.12-4ubuntu5.1_amd64.deb …
Unpacking apparmor-utils (2.12-4ubuntu5.1) …
Setting up python3-libapparmor (2.12-4ubuntu5.1) …
Setting up python3-apparmor (2.12-4ubuntu5.1) …
Setting up apparmor-utils (2.12-4ubuntu5.1) …
Processing triggers for man-db (2.8.3-2ubuntu0.1) …

siddjain@engblog:~$ aa-disable /usr/sbin/mysqld
Cannot write to profile directory.
Please run as a user with appropriate permissions.

ERROR: Cannot write to profile directory: /etc/apparmor.d

siddjain@engblog:~$ sudo aa-disable /usr/sbin/mysqld
Disabling /usr/sbin/mysqld.

siddjain@engblog:~$ mysqld --initialize
mysqld: Can't create directory '/data/mysql/' (Errcode: 13 - Permission denied)
2019-10-18T17:34:44.069428Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2019-10-18T17:34:44.070995Z 0 [ERROR] Aborting

siddjain@engblog:~$ sudo mysqld --initialize

siddjain@engblog:~$ ls /data/mysql
ls: cannot open directory ‘/data/mysql’: Permission denied

siddjain@engblog:~$ sudo ls -al /data/mysql
total 110628
drwxr-x--- 5 mysql mysql 4096 Oct 18 17:34 .
drwxr-xr-x 4 root root 4096 Oct 18 17:34 ..
-rw-r----- 1 mysql mysql 56 Oct 18 17:34 auto.cnf
-rw-r----- 1 mysql mysql 424 Oct 18 17:34 ib_buffer_pool
-rw-r----- 1 mysql mysql 50331648 Oct 18 17:34 ib_logfile0
-rw-r----- 1 mysql mysql 50331648 Oct 18 17:34 ib_logfile1
-rw-r----- 1 mysql mysql 12582912 Oct 18 17:34 ibdata1
drwxr-x--- 2 mysql mysql 4096 Oct 18 17:34 mysql
drwxr-x--- 2 mysql mysql 4096 Oct 18 17:34 performance_schema
drwxr-x--- 2 mysql mysql 12288 Oct 18 17:34 sys
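An alternative to aa-disable for the relocated data directory, as an added example that is not part of the original post: read datadir from the [mysqld] block and grant mysqld access to it through an AppArmor local override, so the profile stays enforced. It assumes the packaged profile /etc/apparmor.d/usr.sbin.mysqld includes local/usr.sbin.mysqld (as Ubuntu's mysql-server packages do); the function names and the .cnf path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): allow mysqld to use a relocated
# datadir through an AppArmor local override instead of disabling the profile.
# Assumption: the packaged profile /etc/apparmor.d/usr.sbin.mysqld includes
# local/usr.sbin.mysqld, as Ubuntu's mysql-server packages do.

LOCAL_OVERRIDE=/etc/apparmor.d/local/usr.sbin.mysqld

# get_datadir FILE: print the datadir set in the [mysqld] section of FILE.
get_datadir() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_mysqld && /^[ \t]*datadir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")     # drop the key and the equals sign
            sub(/[ \t]*#.*$/, "")        # drop a trailing comment
            sub(/[ \t]+$/, "")
            val = $0                     # last assignment wins
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# apparmor_rules_for DIR: print profile rules granting mysqld access to DIR.
apparmor_rules_for() {
    dir="${1%/}"
    case "$dir" in
        /*) ;;
        *) echo "datadir must be an absolute path: $1" >&2; return 1 ;;
    esac
    case "$dir" in
        *[!A-Za-z0-9_./-]*|*/..|*/../*)
            # Globs, spaces, quotes or ".." would change what the rule matches.
            echo "refusing unusual datadir path: $1" >&2; return 1 ;;
    esac
    printf '  %s/ r,\n  %s/** rwk,\n' "$dir" "$dir"
}

# apply_override CNF: append the rules once, then re-enforce the profile.
# Must run as root; aa-enforce comes from the apparmor-utils package.
apply_override() {
    datadir="$(get_datadir "$1")" ||
        { echo "no datadir in [mysqld] of $1" >&2; return 1; }
    rules="$(apparmor_rules_for "$datadir")" || return 1
    grep -qxF "  ${datadir%/}/** rwk," "$LOCAL_OVERRIDE" 2>/dev/null ||
        printf '%s\n' "$rules" >> "$LOCAL_OVERRIDE"
    aa-enforce /usr/sbin/mysqld &&      # also reverses an earlier aa-disable
        apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
}

# Usage (path is an assumption): sudo sh override.sh --apply /etc/mysql/mysql.conf.d/mysqld.cnf
if [ "${1:-}" = "--apply" ]; then
    apply_override "${2:?path to the .cnf file holding [mysqld]}"
fi
```

The data directory itself still has to be owned by the mysql user, as the listing above shows; the AppArmor rules only add to what file permissions already allow.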

Next do these steps from

siddjain@engblog:~$ sudo mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql> SELECT user,authentication_string,plugin,host FROM mysql.user;
| user             | authentication_string                     | plugin                | host      |
| root             |                                           | auth_socket           | localhost |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| debian-sys-maint | *010C9471FCE4F110170C3E413171A2C851FB1BA6 | mysql_native_password | localhost |
4 rows in set (0.00 sec)
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'the password you used when you initialized mysql';
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user,authentication_string,plugin,host FROM mysql.user;
| user             | authentication_string                     | plugin                | host      |
| root             | *ABEBE63231FB19D0B0FBD0F85598362C89574205 | mysql_native_password | localhost |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost |
| debian-sys-maint | *010C9471FCE4F110170C3E413171A2C851FB1BA6 | mysql_native_password | localhost |
4 rows in set (0.00 sec)
mysql> CREATE USER 'mysqldbadmin'@'localhost' IDENTIFIED BY 'enter password for mysqldbadmin';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'mysqldbadmin'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)


Test that everything is working:
siddjain@engblog:~$ systemctl status mysql.service

● mysql.service – MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-10-18 17:07:46 UTC; 48min ago
 Main PID: 3264 (mysqld)
    Tasks: 29 (limit: 9513)
   CGroup: /system.slice/mysql.service
           └─3264 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/
Oct 18 17:07:45 engblog systemd[1]: Starting MySQL Community Server…

Oct 18 17:07:46 engblog systemd[1]: Started MySQL Community Server.

Posted in Software | 3 Comments

Vancouver 5 Day Itinerary

Day 1: Seattle to Vancouver. Take lunch at Tandoori Flame. Have paan at Royal Paan (not to be missed). Check in at hotel. Spend evening exploring Gastown. Eat at Steamworks and there is a large paid parking lot next to it where you can park.

Day 2: Capilano Bridge and Grouse Mountain. Dine at Meet in Gastown.

Day 3: Day trip to Whistler. Drive to Whistler Village. Don’t waste time walking/strolling in Whistler Village. Eat at Indian Masala Bistro. Buy the 360 Day Pass and head over to the Whistler mountain. From there take chairlift to suspension bridge. Come back and then take Peak 2 Peak Gondola from Whistler Mountain to Blackcomb Mountain. There are two lines for Peak 2 Peak gondola. One line for normal gondola and another line with longer wait time for gondola with a glass bottom. Take the normal gondola. The glass bottom gondola will require you to wait for a long time and the glass window is small and tiny – not worth the wait. From Blackcomb mountain, take gondola down to Upper Whistler Village. All this will take 2hrs minimum. Now when you are back you can spend some time exploring Whistler Village. Drive back to Vancouver.

Alternative to Whistler is day trip to Victoria (Butchart Gardens) since you already did the mountains on Day 2

Day 4: Lynn Canyon Park. Take suspension bridge to twin falls and back. Head over to Bai Bua Thai Restaurant for lunch. Spend rest of day exploring the waterfront and Canada Place. Park at Shaw Tower. Have dinner at House of Dosas.

Lynn Canyon Park

Day 5: Begin the morning with a tour of the Vancouver Chinese Garden and the neighboring Chinatown. The Chinese Garden does not have any parking. You can park on the street but have some Canadian quarters handy to pay for metered street parking. Begin drive back to Seattle. Eat at Tasty Indian Bistro in Surrey and don’t forget paan at Royal Paan.

Where To Eat:
– Tandoori Flame (Surrey)
– Tasty Indian Bistro (Surrey)
– Bai Bua Thai Cuisine (Vancouver)
– House of Dosas (Vancouver)
– Steamworks (Vancouver)
– Meet in Gastown (Vancouver)
– Indian Masala Bistro (Whistler)
– Royal Paan (Surrey)

– Have Canadian quarters handy to pay for street parking

Posted in Travel | Leave a comment

What blockchain platform should you use to develop a permissioned blockchain?

When I started my blockchain journey I was shocked to find as many as 21 platforms for developing blockchain applications on some article I read on the web. That immediately sent my head spinning. What platform should I choose to develop my application? Perhaps you are struggling with this question as well.

I was drawn to Fabric because it was built for the enterprise from the ground-up, supported writing chaincode (also known as smart contracts) in Javascript, boasted high throughput in comparison to Ethereum verified by independent tests, had good enterprise footprint thanks to work of IBM with Merck, Walmart etc., did not require a cryptocurrency to function, and was backed by Linux Foundation which is a trusted name in computing and open-source. However by no means take this as an endorsement of Fabric as I have found the developer experience to be very unsatisfactory.

In the age of clever marketing where every blockchain platform appears to offer the best in class, performance, features etc. I think perhaps the most important criteria should be the footprint of the platform i.e., how many businesses and users are using it. Sadly I don’t know of a website that tracks the “market share” of permissioned blockchain platforms similar to sites that track market share of web browsers for example. That is understandable. It is very difficult to know how many businesses are using a certain platform.

But not all is lost. The question count on StackOverflow can be used as a proxy for market share. After all, the more a platform is used, the more there will be buzz about it, the more questions will get asked on StackOverflow. The hypothesis is validated by looking at the question count of programming languages. Javascript, Java and C# are some of the most popular languages and also have the highest question count on SO.

So let’s see where the platforms land in terms of the question count on SO. Very luckily SO provides a web based query engine that can be used for data mining and this answer on SO gave me exactly what I needed. Here is the adapted query for our case:

And the results are…

Fabric is the winner!

Posted in Software | Leave a comment

Suggested 5 day itinerary for Seattle

Day 1: Space Needle, Chihuly Garden, Waterfront, Pike Place, Downtown. Park at Pike Place Garage $4/hr. Seattle Center Parking is $14 for 2 hours

Space Needle

Day 2: Snoqualmie Falls, Snoqualmie Downtown, Snoqualmie Lower Falls (can get to the river)

Day 3: Boating at UW. UW Campus tour. University Village

Day 4: Arboretum, Japanese Garden

Day 5: Mt. Rainier

If you have more time…

Day 6: Zoo

Day 7: Boeing Factory tour, Seattle Premium Outlets

Day 8: Museum of Flight

Day 9: Alki Beach

Day 10: Kirkland Waterfront, Redmond Town Center, Bellevue Downtown, Microsoft Visitor Center

Day 11: Argosy Cruise

Posted in Travel | Leave a comment

Worst Programs Ever

Worst Build Tool: Maven
Worst IDE: IntelliJ (will not even consider Eclipse)
Worst Document Editor: MS Word

Posted in Software | Leave a comment

Visitor Insurance Compile


  • Atlas America: Please stay away from ATLAS INSURANCE FROM HCC MEDICAL INSURANCE . This is the worst insurance i have seen and this is my first insurance for my parents who are listed from India .My Mother Visited ARC Hospital in Austin In July 2014 for her severe stomach pain and Dr. Examined her and then prescribed Medicine for Diverticulitis .After that HCC has sent a claim form which i have filled and sent back to then and now HCC has sent an Explanation of Benefit for Claim saying saying Reason Code # 86 which mens This file has been closed due to lack of requested information from our Provider .I was searching other websites like IMMIHELP,INSUBUY and saw the same review like HCC MEDICAL INSURANCE always deny customers claims even though we provide all information . It is like they will always try to harass us wherever possible .My sincere request from my experience is that , don’t buy this insurance and also don’t buy this from INSUBUY who acts as an agent who will not support when you are in need .source
  • Patriot America: Folks, I took 100K coverage with IMG through the agent insubuy.Unfortunately one week before my dad left, I had to take him to ER as he had an attack. The bills came out to 50K+, the insurance company denied all claims saying it is pre-existing. The hospital and the doctor who attended him at ER as well as the hospital gave me a letter saying it is not pre-existing. But insurance company will not accept it.The guy at the agent, talks nicely but he says we cannot do anything, just go in understanding with the hospital and pay it in installments. He also says do not file any law suit it is not useful.All this is total scam, i did pay a huge premium but now i have lots of bills to pay.So i agree with others, please do your research properly. And do not believe sales guys or agents, they will talk very nicely but when it comes to claims you are on your own… source
  • Beacon:Azimuth were absolutely terrible. Poor quality lines when you call them with the line constantly breaking up and lack of help of which provider to visit. Azimuth 24 hour service were equally poor with every detail having to be repeating multiple times over, even when they should have the basic details such as policy number or name.Azimuth also claimed that my policy did not cover pre-existing conditions, something that was covered in my policy and clearly noted in it’s own section. If this becomes an issue we will pursue legally and request a full refund for this aweful policy. Waste of money? Yes. source Until last month I was a customer with this company for two years, but I never had a claim until midway through last year. I have never had such poor service from an insurance company in my life, and everyone expects insurance companies to be difficult to deal with. Communication and customer service were terrible and 7 months on I’m still having to file complaints with Lloyd’s of London, the State Insurance commissioners office and Better Business Bureau, to try and get them to resolve the problems. Some are as simple as faxing doctors a piece of paper. They have major administrative problems! I whole heartedly do NOT recommend this company. source
  • KVRao: Try from american company. One of my friend had problems with claims when bought insurance from K.V Rao.Any insurance is fine if you are not claiming. The real trouble comes, when you need to use the insurance and claim money back.No insurance covers pre-existing condition source
  • Trawick International (Safe Travels):We received the policy before our trip with all exclusions. Appendicitis was not among them. In the middle of the trip I suffered an acute appendix and ended up in the hospital for nearly 3 weeks. I was in constant contact with the company, as was the hospital, and nothing seemed amiss. Two days before I was discharged, I was told by Trawick that I was no longer covered by the policy (the agent had confused period of coverage with period of benefits), and I was send a NEW and DIFFERENT policy which listed appendicitis among the exclusions. I consider this completely fraudulent and unacceptable, and the hospital as well as I, will be taking legal action if my claim is not paid. When my wife called Squaremouth for clarification, they were complete unhelpful, and an irate letter from her to Trawick and Squaremouth has, as yet, gone unanswered source
  • Seven Corners (Liasion):STAY AWAY FROM SEVEN CORNERS!!I filed for reimbursement on March 22nd 2015. Today it has been almost two months and my claim has not been paid yet. I must have sent at least 10 emails and also called a few times. It is so frustrating to deal with them.They have agreed that my claim is valid but sometimes they tell me that my claim has been paid. Sometimes they tell me that the claim would be paid soon. If you call customer service they always say that they have to follow up with the funding department and would get back in a few days. But no one ever follows up. I have not received anything in my bank account.I am going to give them till the end of this week, otherwise, I am planning to initiate legal action against them. I also plan to file a complain at BBB and write to my senator/congress rep. IMO this company is a fraud and people should never ever buy from them. source
  • patriot america plus: Sharing my personal experience which will hopefully save folks some money. I purchased the patriot america plus plan for my parents (indian citizens) visiting USA (have been doing for past several years). I bought that plan as it was comprehensive, had PPO network and covered “acute onset” of pre-existing conditions. My mom had no “pre-existing” condition and she always got a full medical checkup and a clean bill of health from one of the best hospitals in India before visiting US. This time unfortunately, she had a a cardiac arrest while in US and had to under go emergent bypass surgery. I had a horrible experience working through IMG and seeing the ugly side of american healthcare system. First they denied the “pre-approval” for surgery which takes a whopping 5 days to process. So you’ve already had the surgery by the time they decide on even the pre-approval. The reason for denial was “pre-existing” condition. They also denied all the claims after the fact as “pre-existing” as well. No explanation for how they came to that conclusion. Just the 2 words – “pre-existing”. I went through their appeal process and submitted mom’s comprehensive medical records for last 3 years which showed all her vitals, labs in green. They finally gave me an answer that heart conditions are considered chronic. Even if the patient didn’t know about it, and none of the tests showed it, artery blockage doesn’t happen overnight. Wow.. Human bodies deteriorate over time. So from that perspective everything (short of an accident) in the world is pre-existing. I have given up on the fight with IMG and patriot america. Hopefully this review will help people save some money or at least be informed of the risks. My recommendation would be to never invite parents over unless you can buy a comprehensive plan which covers pre-existing conditions for travelers. And that does not exist to the best of my knowledge. source.
  • safe travels usa: I won’t make the mistake to get a visitor travel insurance from this company again in my entire life. I will cancel my entire travel plan if need be, before even thinking about getting an insurance from them. I bought visitors safe travel insurance for my in-laws when they came to visit us in the US from India. They were above 60 years old, so I was confused what insurance I should get. The customer service provided me a list and I selected the plan from this list. When my in-laws arrived, my mother-in-law had an episode of mini-stroke, so we rushed her to hospital in Emergency care. We got pre-authorization from GBG as was suggested. The hospital decided to admit her after some initial tests. They released her the next day. Since the hospital was under PPO scheme with the insurance company, the hospital directly sent them the bill. The struggle started at this point. There was no update on reviewing the claims in 2 months until I called them for updates. It is at this point that GBG wanted me to fill up some forms and email them whereas I understand that they should have reached out to me if they needed any information. So I sent them all the requested documents and again for another month there was no update. I had been receiving emails about renewing the insurance but no update on the submitted claims. I called them again. At this time they wanted me to send them the same documents again, but this time by post. In the meantime, the bills were outstanding as three months had passed since the bills were issued. Finally in another two months, i.e. in total 5 months the Insurance company decided they would give me a vague one line explanation as to why they won’t pay a single penny towards the hospital bill. At this point I was dejected enough not to give them a call again to let them know how grateful I was for their cooperation. I was utterly frustrated with the entire experience and the mental pressure over this. 
Not only that they didn’t pay anything towards the bill but also delayed it so much in vain. I will strongly reccomend to anyone who is looking for a visitor travel insurance: DO AVOID THIS COMPANY. Dealing with this entire process with GBG was the worst experience I had in literally anything in my entire life. source

2 Pre-existing conditions

  • Beacon:Preexisting Conditions – Except for Sudden Onset of Pre-existing Condition, charges resulting directly or indirectly from or relating to any Pre-existing Condition are excluded from coverage under this insurance.

Have a story to share? Send it to me using the contact form and I will post it anonymously.

Posted in Travel | 1 Comment

Hyperledger Fabric: Running fabric-ca-server with LDAP


Fabric-ca-server’s main purpose is to act as a CA (certificate authority) that can be used to obtain X509 public cert and private key – something needed in order to write records to fabric ledger. Why? because every entry is signed by the author and provides attestation (think about paper records and statements that require a signature to prove authenticity). The public cert and private key-pair is obtained by making an enroll call against the fabric-ca-server. But before a user can be enrolled, they need to exist in the first place. This is done by making a register call against the fabric-ca-server (when running in non-LDAP mode) which does the same thing as when a user signs up to use a service like Facebook – a record is created in a database with their username and password.

Although fabric-ca-server can be used to register users, that is not its main purpose. LDAP is a more commonly used technology to register users. In addition to user registration, LDAP also provides user authentication; this is something fabric-ca-server does not provide and hence the motivation for running it with LDAP.

Why run Fabric-ca-server with LDAP?

Fabric-ca-server can be run without LDAP; in fact that is the default setting, as it is simple and avoids a dependency. In that case it creates a sqlite3 db by default as a store of usernames and passwords. The db can be changed to mysql or postgres. However, the problem with running in this mode is that fabric-ca-server does not provide any API for user authentication. In any practical application, there would be a web frontend through which chaincode invocations would happen. This web frontend would require user authentication [1]. There are various ways to achieve the authentication:

  • One could keep using the sqlite3 db of fabric-ca-server and build an API on top of it that the web app can call to authenticate users. sqlite3 by itself does not come with such an API. In fact, sqlite3 stores data in a local file and does not provide any server. Also it has no support for multi-threading, and data corruption will happen if the db is accessed concurrently from multiple threads. What if we are running not one but two (or three) fabric-ca servers? Each server will need its own local copy of the db. The usual issues creep in: copies need to be kept in sync, etc. sqlite3 has no support for any of these.
  • So at minimum it looks like one would need to replace the sqlite3 db with MySql or Postgres, which provide a server that both fabric-ca and the web app could use for authentication.
  • Yet another alternative is to store usernames, passwords and other user metadata (emails, full name, etc.) in an LDAP server. This server would be used by both the web app and the fabric-ca server(s) for user authentication. One advantage of using LDAP vs. MySql or Postgres is that LDAP comes with standardized APIs for IAM.

Below are some tips to help you run fabric-ca-server with LDAP:

  • Use the openssl CLI to generate ID certificate(s) (a single cert if self-signed) for your fabric-ca-server, and the TLS certificates:
    • The LDAP server will need a TLS key-pair, and a trusted CA file if clientauth is enabled.
    • fabric-ca-server will need 2 key-pairs: one when it's acting as a server (when fabric-ca-client connects to it) and another when it's acting as a client (when it connects to OpenLDAP). It will also need a trusted CA file if clientauth is enabled.
    • One key-pair will be needed for fabric-ca-client if clientauth is enabled.
    • It is possible to re-use the same key-pair and trusted CA file.
  • You have to choose an LDAP server. OpenLDAP is free. Use the dockerized version available here. It is based on alpine. We found it better than the more popular osixia/docker-openldap image.
  • Fix the docker image above so that it stores hashed passwords [1]. This is done by enabling the ppolicy overlay and setting olcPPolicyHashCleartext: TRUE. The olcPasswordHash setting just controls the format in which password will be hashed. It is an important setting but it will have no effect unless password hashing is enabled in the first place which is done by setting olcPPolicyHashCleartext: TRUE. More on password hashing [2]
  • Follow steps here to initialize the database
  • set GODEBUG=netdns=go when running fabric-ca-server to avoid SIGSEGV
  • configure fabric-ca-server to use LDAP by setting ldap.enabled to true [3]
  • The node sdk for Hyperledger Fabric does not support connecting to a fabric-ca-server that has clientauth enabled [5] (another example of many bugs with HL fabric). Because of this we need to set --tls.clientauth.type to noclientcert, otherwise bad things will happen. When the issue with the node sdk has been addressed (if it ever is), change it to requireandverifyclientcert, which is the most secure setting.
  • in this mode, no bootstrap user:password needs to be given to fabric-ca-server (the -b option)
  • in this mode, you will never run fabric-ca-client register. Instead users will be registered in the LDAP server using ldapadd or ldapjs from a node app.
  • if your CA server is an ICA, no parent server URL needs to be given (the -u option). You provide the complete chain of certificates from your CA server to the root via the --ca.chainfile option.
  • fabric-ca-server will not be able to establish TLS connection on port 389 using starttls (the recommended way). So to use TLS we have to use port 636. [4]
  • the fabric-ca-server-config.yaml file is needed to solve following issue
  • the sqlite3 db is still needed by fabric-ca-server to store the certificates
  • Use promised-ldap to communicate and interact with the openldap server from your node based web app
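The TLS key-pairs from the first tip, issued with the openssl CLI from one private CA (an added example, not part of the original post). Each certificate carries a single extended key usage, so a server certificate is rejected when presented as a client certificate and vice versa; re-using one key-pair for both roles, as the tip allows, would need both usages on the same certificate. Host names, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): one private CA issuing the TLS
# key-pairs listed above, each certificate limited to its role.
# Host names and file names below are assumptions for illustration.

umask 077   # private keys are created readable by the owner only

# make_ca DIR: create an ECDSA P-256 CA (ca.key, ca.pem) valid for 1 year.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Fabric TLS CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key" &&
    openssl req -x509 -new -config "$1/ca.cnf" -key "$1/ca.key" \
        -sha256 -days 365 -out "$1/ca.pem"
}

# issue_cert DIR NAME HOST EKU: key + CA-signed cert for HOST carrying one
# extended key usage (serverAuth or clientAuth), valid for 90 days.
issue_cert() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature' \
        "extendedKeyUsage = $4" "subjectAltName = DNS:$3" > "$1/$2.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" \
        -subj "/CN=$3" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

# cert_ok DIR NAME PURPOSE: does NAME chain to the CA and fit PURPOSE
# (sslserver or sslclient)?
cert_ok() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

# issue_all DIR: the key-pairs from the list above.
issue_all() {
    make_ca "$1" &&
    issue_cert "$1" ldap-server         ldap.example.test serverAuth &&
    issue_cert "$1" fabric-ca-server    ca.example.test   serverAuth &&
    issue_cert "$1" fabric-ca-as-client ca.example.test   clientAuth &&
    issue_cert "$1" fabric-ca-client    app.example.test  clientAuth
}

# Usage: sh make-tls.sh --run /path/to/empty/dir
if [ "${1:-}" = "--run" ]; then
    issue_all "${2:?output directory}" && ls "$2"/*.pem
fi
```

ca.pem is the trusted CA file each side loads; ca.key is only needed when issuing and can be kept off the servers.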

adding link to a thread that discusses using Microsoft AD with Fabric CA:

Posted in Software | Leave a comment