Friday, May 29, 2015

Configuring Apache and Tomcat with SSL/TLS, Launch HTTPS Website

With a secure web server, clients can connect to your server secure in the knowledge both that it is who it claims to be and that the transaction is well-encrypted so their data is safe.
SSL (Secure Sockets Layer) is a protocol for cryptographically securing transactions between a web browser and a web server. In most cases, only the server end is authenticated, which means that the client has a guarantee that the server is who it claims to be, but not vice versa.
This article shows you how to launch a web server with SSL. We choose Apache and Tomcat.

Creating a Certificate


The first step is creating the certificate. To get a certificate signed by a CA such as Verisign, you first create a key pair and a certificate signing request (CSR):
$ openssl req -new -newkey rsa:4096 -keyout key.pem -out csr.pem
This command generates a private key (key.pem) and a certificate request (csr.pem, PEM format, with the public key inside), but not a certificate.

Note

You can create the key either with or without a passphrase. The major disadvantage of a passphrase is that it must be typed every time the web server starts, so the server will not start unattended, for example when it boots after a power cut. Depending on your setup this may or may not matter. To remove the passphrase, use this command:
openssl rsa -in key.pem -out server.key

Note

PEM is an encoding rather than a certificate type: the X.509 structure (defined in ASN.1) is serialised with DER (Distinguished Encoding Rules), Base64-encoded, and placed between plain-text anchor lines (BEGIN/END ENCRYPTED PRIVATE KEY for the key, BEGIN/END CERTIFICATE REQUEST for the CSR, BEGIN/END CERTIFICATE for the certificate).
The next step is to send csr.pem to the CA. The CA signs your CSR and returns the certificate, which is saved as the file server.crt.

Configuring Apache 2 with SSL


1. Make sure mod_ssl is installed in Apache. Check whether this file exists:
/etc/httpd/modules/mod_ssl.so

2. If it does not and the OS is CentOS, run the following command to install mod_ssl.
# yum install mod_ssl

3. Upload your private key server.key and certificate server.crt to your Linux server.
/etc/httpd/certs/server.crt
/etc/httpd/certs/server.key

4. Edit /etc/httpd/conf.d/ssl.conf and change the paths of the certificate and key.
Default settings:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Change them to:
SSLCertificateFile /etc/httpd/certs/server.crt
SSLCertificateKeyFile /etc/httpd/certs/server.key

5. Restart Apache and visit the site via https://www.yourdomain.com/

Note

If your Apache server is not a dedicated server for one domain/website, you need to configure a VirtualHost for each website, and each website's certificate is specified inside its own <VirtualHost> block. The sample for www.gtdreport.com is listed below.
<VirtualHost 173.255.218.15:443>
    DocumentRoot /var/www/gtd
    ServerName www.gtdreport.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/server.key
    ErrorLog logs/gtdreport-error_log
    CustomLog logs/gtdreport-access_log combined
</VirtualHost>


Configuring Tomcat with SSL


It is very easy. Edit TOMCAT_HOME/conf/server.xml and add a connector like this (note that SSLEnabled="true" is required on Tomcat 6 and later):
<!-- HTTPS connector backed by the PKCS12 bundle built below; keystorePass is
     stored in clear text here, so keep server.xml readable by the Tomcat user only -->
<Connector port="443" SSLEnabled="true"
           scheme="https" secure="true"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="/etc/server.pkcs12" keystorePass="changeit" />
The remaining question is how to produce the file server.pkcs12. Run the following command:
$ openssl pkcs12 -export -in server.crt -inkey key.pem -out server.pkcs12

You will be asked for the passphrase of key.pem, and then for an export password that protects server.pkcs12; that export password is the keystorePass value in server.xml.
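The whole procedure above, from key pair to the PKCS12 bundle for Tomcat, as an added shell example that is not part of the original post. It assumes the openssl CLI is available, signs the CSR itself in place of the CA (the page's self-signed case), and adds the key/certificate match check worth making before editing ssl.conf; the host name and passwords are made-up demo values.

```sh
#!/bin/sh
# Added example, not from the original post: the certificate steps above run
# end to end, with a self-signed certificate standing in for the CA-signed
# server.crt, followed by the check that key and certificate belong together.
# Assumptions: the openssl CLI is installed; host name and passwords are
# made-up demo values.

# key_matches_cert KEYFILE CERTFILE
# httpd refuses to start when SSLCertificateKeyFile and SSLCertificateFile do
# not share one RSA modulus, so compare the two before deploying.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_tls_material DIR
# Writes key.pem (passphrase-protected), csr.pem, server.key (no passphrase),
# server.crt (self-signed here) and server.pkcs12 into DIR.
build_tls_material() {
    dir=$1
    passphrase=demo-passphrase                       # constructed demo value
    # 1. key pair + certificate request; csr.pem is what you send to the CA
    openssl req -new -newkey rsa:2048 -keyout "$dir/key.pem" -out "$dir/csr.pem" \
        -passout "pass:$passphrase" -subj "/CN=www.example.test" 2>/dev/null || return 1
    # 2. passphrase-free copy so httpd can start unattended; it now relies on
    #    file permissions alone, so make it readable by its owner only
    openssl rsa -in "$dir/key.pem" -passin "pass:$passphrase" \
        -out "$dir/server.key" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem" "$dir/server.key"
    # 3. stand-in for the CA: sign our own CSR (replace with the CA's server.crt)
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/server.key" -days 1 \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. verify the pair before touching ssl.conf
    key_matches_cert "$dir/server.key" "$dir/server.crt" || return 1
    # 5. bundle for Tomcat; the export password becomes keystorePass
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.pkcs12" -passout pass:changeit 2>/dev/null || return 1
    chmod 600 "$dir/server.pkcs12"
    # 6. confirm the bundle opens with that password, as Tomcat will have to
    openssl pkcs12 -in "$dir/server.pkcs12" -passin pass:changeit -info -noout 2>/dev/null
}
```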

Self-Signed Certificate

If you cannot get a certificate signed by a CA, you can also create a self-signed certificate.
Please see this page:


Java-Rep2excel with SSL

Java-Rep2excel v1.64 supports SSL.

Edit rep2excel.properties and add the SSL configuration.

# Sample for SSL
# sslPort, optional.
# keystoreFile, required, path of keystore file. for example: C:\\certificate-gtdreport\\server.jks
# keystoreType, required, options: JKS/JCEKS/PKCS12/BKS/UBER
#
#sslPort=443
#keystoreFile=server.pkcs12
#keystorePass=changeit
#keystoreType=PKCS12

About the Author


Williams Voon, experienced Java programmer. Chief system analyst of three software products: Rep2excel, EasyHA System Monitoring Tool and GTD Excel Report Server.


Wednesday, May 27, 2015

EasyHA Release Notes Version 1.02

Version 1.02, May 28, 2015

What is new

1. Add disk free monitoring items in bulk.

Select one or more hosts, then check the box on the left of each file system you want to monitor and click Submit; the items are added in bulk.


Download

Free Version: http://www.lv2000.com/products/setupEasyHA.zip


Monday, May 25, 2015

Connecting to any server behind a firewall through putty and 3proxy

There are two ways to create an SSH tunnel, local and remote port forwarding. In this post I will discuss remote port forwarding.

Say that you're developing a distributed system monitoring application on your local machine, and you'd like to show it to a volunteer tester (IP: 12.34.56.78). Unfortunately your ISP didn't give you a public IP address, so it isn't possible to connect to your machine directly over the internet.
Sometimes this can be solved by configuring NAT (Network Address Translation) on your router, but this doesn't always work, and it requires changing the configuration of your router, which isn't always desirable. It also doesn't work when you don't have admin access to your network.
To solve this you need another computer that is publicly accessible and to which you have SSH access. It can be any server on the internet, as long as you can connect to it. We'll tell SSH to make a tunnel that opens a new port on that server and connects it to a local port on your machine.
Many tutorials show how to connect to a Linux server from a local Linux machine and create the SSH tunnel that way. The command looks like:
$ ssh -R 9000:localhost:3000 user@example.com

In this post I will use putty on Windows.

Step by Step Guide

Note: First download PuTTY and 3proxy. Both are free software.
1. Connect to 85.125.100.20 from the local computer 192.168.1.99.

2. Click SSH -> Tunnels and fill in the information like this.

3. Click the Add button. The dialog looks like:

4. Click Open, fill in the user name and password, and connect to 85.125.100.20.
Now the tunnel is established: a connection to 85.125.100.20:1080 is forwarded to 192.168.1.99:1080.
To reach all computers in the LAN 192.168.1.0/24, we need to start a SOCKS5 proxy on 192.168.1.99.
Download 3proxy from http://3proxy.ru/
Unzip the 3proxy installation package and create a file named my.cfg with Notepad. The content of my.cfg is listed below:
# connection/idle timeouts; see the 3proxy documentation for each field
timeouts 1 5 30 60 180 1800 15 60
log "c:\temp\3proxy.log\3proxy.log" D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
# listen on loopback only: the proxy is reachable solely through the SSH tunnel
internal 127.0.0.1
# no authentication and every client allowed: whoever can reach the forwarded
# port on 85.125.100.20 gets access to the whole 192.168.1.0/24 LAN. For more
# than a quick demo, require a login instead (constructed example values):
#   auth strong
#   users tester:CL:secret
#   allow tester
auth none
allow *
# resolve names through the LAN router
nserver 192.168.1.1
nscache 65536
# start the SOCKS proxy (default port 1080, the port the tunnel forwards to)
socks
Then start the proxy server from the command prompt.

Now 12.34.56.78 can reach all servers behind the NAT. For example, to access the SSH server 192.168.1.100:22, the proxy setting looks similar to this:


Saturday, May 23, 2015

Resolve ORA-12505 with a JDBC thin client

Recently Katyuska, a volunteer tester of the EasyHA Monitoring Tool, reported a bug. When EasyHA connected to an Oracle database to retrieve data, the connection failed and the job was stopped.

The log showed that the JDBC connection was not created successfully:

Caused by: oracle.net.ns.NetException: Listener refused the connection with the following error:
ORA-12505, TNS:listener does not currently know of SID given in connect descriptor

                at oracle.net.ns.NSProtocol.connect(NSProtocol.java:385)
                at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1042)
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:301)
                ... 24 more

The JDBC connection URL is

jdbc:oracle:thin:@localhost:1521:XE

I then suggested changing the URL to

jdbc:oracle:thin:@localhost:1521/XE

Note: between 1521 and XE there should be a "/", not a ":".

Update of EasyHA

The “Help Dialog” of JDBC connection settings has been updated.

Thanks

Thanks to Katyuska for reporting the bug. If you want to be a volunteer tester of EasyHA, please contact me via Facebook or LinkedIn.

More Information on Oracle 1521.

A widely seen situation with ORA-12505 is "JDBC Thin Connection Confusion between Service and SID Results in ORA-12505". This issue is seen in version 11.5.10 on all platforms, and occurs when the JDBC thin client tries to connect to a RAC with the service name instead of the SID.

The problem is that the JDBC connect string does not carry the appropriate SID name, which causes ORA-12505.

Osama Mustafa offers this listener-based connect string to resolve ORA-12505 with a JDBC thin client:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SCAN-LISTENER-NAME)(PORT=1530))(CONNECT_DATA=(SERVICE_NAME=Service-name)))




Monday, May 18, 2015

Find out why cron is not running my job

Cron jobs are commands that your server runs at a specified interval and, as such, can be difficult to troubleshoot.

Some of the most common cron mistakes are:

1. Using relative paths. If your cron job executes a script of some kind, use only absolute paths inside that script. For example, if your script is located at /path/to/script.php and you're trying to open a file called file.php in the same directory, you cannot use a relative path such as fopen(file.php). The file must be opened by its absolute path, like this: fopen(/path/to/file.php). This is because cron jobs do not necessarily run from the directory in which the script is located, so all paths must be given in full.
2. Permissions are too strict. Make sure all scripts, files, and folders in use are executable; a file or folder that is written to MUST be writable.
In your server's shell, this is the command that makes a file executable:
chmod +x <file>
3. Not specifying what type of file you are running. For instance, if you are trying to run a PHP script via cron, you must specify that the file requires the PHP interpreter. If the file is /directory/script.php, the cron command should read php /directory/script.php. This goes for all scripts, regardless of the interpreter.


Troubleshooting Skills
1. Add a job that will be executed every minute.

* * * * * echo `date` `pwd` >> /home/userid/out.txt
2. Then reload crond so the job takes effect.
Check the output file of the job: out.txt should be updated every minute.
If the file is not generated, restart crond.
service crond restart
3. If the time written to the file differs from what you see when you run "date" in your shell, run the following commands to check the configuration of your server.
echo $TZ
ls -l /etc/localtime
Cron uses the local time. /etc/default/cron and other TZ specifications in the crontab only set the TZ for the processes started by cron; they do not affect the start time.
So if your localtime is UTC, like this
lrwxrwxrwx 1 root root 23 Mar  9  2014 /etc/localtime -> /usr/share/zoneinfo/UTC
and the TZ environment of your shell is something else, change the system timezone. Note: setting the TZ variable is a temporary solution, and might sometimes act as a "mask".
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
or
ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
Then restart the service
service crond restart
4. If the problem still exists, check the log file for more information.

cat /var/log/cron
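The three mistakes and the timezone check above, condensed into a small shell lint for a crontab command; this is an added example, not from the original post. The interpreter list, the demo file names and the zoneinfo path parsing are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: lint the command part of a
# crontab line against the three mistakes described above, and report the
# timezone cron will really use. File names below are constructed for the demo.

# check_cron_command "<the command part of a crontab line>"
# Prints one finding per line; returns 0 when cron should be able to run it.
check_cron_command() {
    rc=0
    set -- $1                 # split the command on whitespace (unquoted demo args)
    case "$1" in
        php|perl|python|python3|sh|bash) interp=$1; script=$2 ;;  # "php /dir/script.php"
        *)                               interp=""; script=$1 ;;  # "/dir/script.sh"
    esac
    case "$script" in
        /*) ;;                                        # absolute path: fine
        *)  echo "relative path '$script': cron does not start in the script's directory"
            rc=1 ;;
    esac
    if [ ! -e "$script" ]; then
        echo "'$script' does not exist on this host"
        rc=1
    elif [ -z "$interp" ] && [ ! -x "$script" ]; then
        echo "'$script' is not executable: chmod +x it or name the interpreter (php, sh, ...)"
        rc=1
    fi
    return $rc
}

# cron_timezone: cron fires according to /etc/localtime, never the shell's $TZ
cron_timezone() {
    if [ -L /etc/localtime ]; then
        readlink /etc/localtime | sed 's#.*/zoneinfo/##'
    elif [ -f /etc/localtime ]; then
        echo "/etc/localtime is a copied zone file (compare it with your TZ=$TZ)"
    else
        echo "UTC (no /etc/localtime)"
    fi
}
```

Compare the output of cron_timezone with echo $TZ in your shell: when they differ, the job fires at the /etc/localtime time.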
About the author

Williams Voon, devoted to Excel reporting solutions. Product: GTD Excel Report Server.

Thursday, May 14, 2015

Download and analyze log file automatically via scp, expect and php

Recently I wanted to test new log file analysis features of the EasyHA Monitoring Tool. The log file is stored on a Linux server. Unfortunately I am not permitted to change any file on that server; I am permitted to read the file and, of course, I can download it from another Linux server.
The log file analysis is scheduled and launched automatically every morning. To download the log file, I have to enter a password. How can I do this?

Step 1: Install Expect


Suppose the log file is stored on server A and I want to download it from server B. First, install expect on server B. Expect is a tool for automating interactive applications: it lets the program supply the password for the Linux login account instead of you typing it on the terminal.
The Linux distribution on server B is CentOS, so I just run the following command as root.
# yum install expect
Then run "ls /usr/bin/expect" to check whether the file exists.

Step 2: Build Expect Script to Download File

The script downloadfile.sh is listed below:
#!/usr/bin/expect
# downloadfile.sh HOST USER PASSWORD SRC_FILE DEST_FILE PORT
# Copies one file with scp, answering the password prompt automatically.
# Every argument, the password included, is visible in the process list (ps)
# and in the shell history on the machine running this script.
set timeout 10
set host      [lindex $argv 0]
set username  [lindex $argv 1]
set password  [lindex $argv 2]
set src_file  [lindex $argv 3]
set dest_file [lindex $argv 4]
set port      [lindex $argv 5]
spawn scp -P $port $username@$host:$src_file $dest_file
expect {
    "(yes/no*" {
        # first connection to this host: accept the host key, then the password prompt
        # ("(yes/no*" also matches the newer "(yes/no/[fingerprint])?" wording)
        send "yes\n"
        expect "*assword:" { send "$password\n" }
    }
    "*assword:" {
        send "$password\n"
    }
}
expect "100%"
expect eof
# propagate scp's exit status so the calling shell script can detect a failed download
lassign [wait] pid spawnid os_error status
exit $status

To test the script, invoke it like this:
$ expect downloadfile.sh 10.22.21.180 jboss thepwd /jboss/log/cls-stat.log /home/lion 22

Step 3: Create Bash Shell Script to Download File and Analyze.

The script, named analyze.sh, looks like this (absolute paths, because it will run from cron):
#!/bin/sh
# analyze.sh: download the log file with the expect script, then analyze it.
# The expect script must be run with expect, not sh (see the note below).
expect /home/lion/downloadfile.sh 10.22.21.180 jboss thepwd /jboss/log/cls-stat.log /home/lion 22 || exit 1
php /home/lion/runtime-exception-analyze.php /home/lion/cls-stat.log
Note: to call an expect script you must use expect rather than sh; the following command is incorrect.
$ sh downloadfile.sh 10.22.21.180 jboss thepwd /jboss/log/cls-stat.log /home/lion 22

Step 4: Schedule Tasks on Linux Using Crontab.

To edit the list of cron jobs, run:
$ crontab -e
This opens the default editor on the crontab. When you save and exit the editor, all your cron jobs are stored in the crontab. Cron jobs are written in the following format:
0 1 * * * sh /home/lion/analyze.sh > /home/lion/analyze.log
The script will be executed every day at 1 AM.

Contact me


If you have any question or suggestion, please contact me. williams.voon # gmail.


Tuesday, May 12, 2015

How To Use both HTTP and Socks Proxy In Java

The simplest way is a global setting; for example, you can specify the proxy on the command line:
java -Dhttp.proxyHost=webcache.example.com -Dhttp.proxyPort=8080 \
     -DsocksProxyHost=socks.example.com GetURL

You can also configure the proxy in your Java code:
System.setProperty("http.proxyHost", "webcache.example.com");
System.setProperty("http.proxyPort", "8080");

With either of these methods you can use only one proxy. If you need to go through a proxy that requires a username and password, or to select a proxy per connection, refer to the Java sample code below.

Note

1. With an HTTP proxy, you can use many proxies in a single Java process. For example, thread A connects through proxy P1 and thread B through proxy P2.
2. With a SOCKS proxy, the proxy setting is global; in other words, only one proxy is supported. If you change the proxy, the change takes effect in all threads.

Sample Java code using multiple proxies with authentication

EasyHA supports both HTTP and SOCKS proxies. Perhaps you want to upload data to the cloud and your server is behind a proxy, so you need to connect through the HTTP proxy. Or you want to monitor a Linux server behind a firewall that EasyHA cannot reach directly, so you configure a SOCKS proxy. There are many free SOCKS5 proxies, for example 3proxy.

Here is the sample code in EasyHA:

// Imports this fragment needs: java.net.Proxy, java.net.InetSocketAddress,
// java.net.SocketAddress, java.net.Authenticator, java.net.PasswordAuthentication,
// java.net.HttpURLConnection, java.util.Base64, java.nio.charset.StandardCharsets.
// item, url, cookie and httpUrlConn come from the surrounding EasyHA code.
Proxy proxy = null;
String proxyAuthorizationHeaderValue = null;
if (item.getProxyId() != null) {
    final ProxyConf conf = MonitorDaemon.getInstance().getProxyConfById(item.getProxyId());
    if (conf != null) {
        // unresolved address: the proxy, not this host, resolves the target name
        SocketAddress sa = InetSocketAddress.createUnresolved(conf.getHost(), conf.getPort());
        boolean hasCredentials = conf.getUserName() != null && conf.getUserName().length() > 0
                && conf.getPassword() != null && conf.getPassword().length() > 0;
        if (conf.getProxyType().equals("http")) {
            // HTTP proxy: chosen per connection, so each thread may use a different one
            proxy = new Proxy(Proxy.Type.HTTP, sa);
            if (hasCredentials) {
                // Basic credentials travel in the Proxy-Authorization header of this request only
                proxyAuthorizationHeaderValue = "Basic " + Base64.getEncoder().encodeToString(
                        (conf.getUserName() + ":" + conf.getPassword()).getBytes(StandardCharsets.UTF_8));
            }
        } else {
            // SOCKS proxy: the default Authenticator is process-wide, so this affects all threads
            proxy = new Proxy(Proxy.Type.SOCKS, sa);
            if (hasCredentials) {
                Authenticator authenticator = new Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication(conf.getUserName(), conf.getPassword().toCharArray());
                    }
                };
                Authenticator.setDefault(authenticator);
            }
        }
    }
}
if (proxy == null) {
    httpUrlConn = (HttpURLConnection) url.openConnection();
} else {
    httpUrlConn = (HttpURLConnection) url.openConnection(proxy);
    if (proxyAuthorizationHeaderValue != null) {
        httpUrlConn.setRequestProperty("Proxy-Authorization", proxyAuthorizationHeaderValue);
    }
}
if (cookie != null) {
    httpUrlConn.setRequestProperty("Cookie", cookie);
}
httpUrlConn.setConnectTimeout(1000 * 3);   // 3 s connect timeout

Saturday, May 9, 2015

Tablespace growth and usage monitoring

Tablespace growth and usage monitoring by EasyHA

I want to create a mechanism to monitor growth of our tablespaces and how much space is used in them. 

Step by Step Guide

1. Assuming you have installed the free version of EasyHA: before you can monitor your databases and business data (such as tablespace usage), you must create a JDBC connection to your Oracle database.

To create the JDBC connection, click the "Setup" menu, then the "Databases Overview" button. On the "Jdbcs" page, click the "Add Jdbc" button.

The "New Jdbc" form appears; it is very easy to fill in. You can also click the "Help" link if you don't know how to fill in the URL box.


Now I have created a connection named gnbsprd-ozq. The settings of the connection are listed below:




2. Create an item that will monitor your tablespace usage.
a. Click the "Items" menu.
b. You will see the list of items.
c. Click the "Add Item" button in the upper right corner.
d. Select "Biz Data Monitor" from the item type list.
e. Select the DB and fill in the SQL statement.
f. Fill in the other fields, such as the interval and the description of field #1.
g. Submit the form and review the item. The item looks like this:


The SQL statement is the critical part. This is a sample SQL statement:

SELECT D.TOT_GROOTTE_MB                  "SIZE MB",
       D.TOT_GROOTTE_MB - F.TOTAL_BYTES  "USED SPACE MB"
  FROM (SELECT TABLESPACE_NAME,
               ROUND(SUM(BYTES) / (1024 * 1024), 2) TOTAL_BYTES,  -- free MB, despite the name
               ROUND(MAX(BYTES) / (1024 * 1024), 2) MAX_BYTES
          FROM SYS.DBA_FREE_SPACE
         GROUP BY TABLESPACE_NAME) F,
       (SELECT DD.TABLESPACE_NAME,
               ROUND(SUM(DD.BYTES) / (1024 * 1024), 2) TOT_GROOTTE_MB  -- allocated MB
          FROM SYS.DBA_DATA_FILES DD
         WHERE DD.TABLESPACE_NAME = 'TABLESPACE1'
         GROUP BY DD.TABLESPACE_NAME) D
 WHERE D.TABLESPACE_NAME = F.TABLESPACE_NAME   -- a tablespace with no free extent yields no row
 ORDER BY 1
If you want to monitor a specific table, for example one named "emp", the SQL looks like:

SELECT SUM(BYTES) / 1024 / 1024 MBYTES
  FROM DBA_SEGMENTS
 WHERE TABLESPACE_NAME = 'TABLESPACE1'
   AND SEGMENT_NAME = 'EMP'

3.       View the tablespace growth a few days later.
a. Click the "View" menu.
b.       Click “Graph View” button.
c.        Select item, and fill in date range, and click submit button.
The graph looks like: