
# mkdir /root/sandbox/samples
# export JBOSS_HOME=/opt/jboss-eap-6.4
# export EAP7_HOME=/opt/jboss-eap-6.4
# cd /root/sandbox/samples
# git clone https://github.com/jboss-developer/jboss-eap-quickstarts.git
# cd jboss-eap-quickstarts/
# ls
# git tag
# git checkout tags/6.4.0.GA

(You need to create the next file. The following steps protect the kitchensink application.)

# nano -w /root/sandbox/samples/jboss-eap-quickstarts/kitchensink-ear/web/src/main/webapp/WEB-INF/web.xml

(Create this file with the following content.)

<web-app>
  <security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
      <web-resource-name>admin resource</web-resource-name>
      <description/>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>adminRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description/>
    <role-name>adminRole</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name/>
  </login-config>
</web-app>
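The constraint above names GET and POST explicitly, so under the Servlet specification it applies to those two verbs only; any other method sent to /* falls outside this constraint unless another constraint or the container handles it. The following Python script is an added example, not code from the post: it audits a web.xml (a constructed, trimmed copy of the one above is embedded) for constraints that enumerate methods and produces a version with the <http-method> elements removed, which makes each constraint cover every verb.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the web.xml from the post (sample only, not a deployed file).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
      <web-resource-name>admin resource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>adminRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>adminRole</role-name></security-role>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _local(tag):
    # Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def audit_constraints(web_xml_text):
    """Report each web-resource-collection whose <http-method> list limits the
    constraint to those verbs; every other verb on the same url-pattern is
    left outside this constraint."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in _children(root, "security-constraint"):
        names = _texts(sc, "display-name")
        label = names[0] if names else "<unnamed>"
        for wrc in _children(sc, "web-resource-collection"):
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            if methods:
                findings.append({
                    "constraint": label,
                    "url_patterns": _texts(wrc, "url-pattern"),
                    "constrained_methods": methods,
                })
    return findings


def harden(web_xml_text):
    """Return the same web.xml with every <http-method> removed, so each
    constraint applies to all verbs on its url-patterns."""
    root = ET.fromstring(web_xml_text)
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            for m in _children(wrc, "http-method"):
                wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print("method-limited constraint:", finding)
    print(harden(SAMPLE_WEB_XML))
```

If you want to exclude only specific verbs rather than cover all of them, the Servlet 3.0 <http-method-omission> element is the documented way to express that instead of listing the allowed ones.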

(You also need to create the next file.)

# nano -w /root/sandbox/samples/jboss-eap-quickstarts/kitchensink-ear/web/src/main/webapp/WEB-INF/jboss-web.xml

<jboss-web>
  <valve>
    <class-name>com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6BasicAuthenticator</class-name>
  </valve>
  <security-domain>java:/jaas/SiteMinderDomain</security-domain>
</jboss-web>

# mvn install -s settings.xml -Dmaven.test.skip=true

Now you have the .ear ready to deploy in the JBoss server.

Fast track to install JBoss EAP 6.4.0.GA with Java jdk1.8.0_92 on Red Hat 6 64-bit

# mv jboss-eap-6.4.0.zip /opt
# cd /opt
# unzip jboss-eap-6.4.0.zip
# cd /opt/jboss-eap-6.4/bin/
# cp -p standalone.conf standalone.conf.orig

Now, to integrate with the Agent for JBoss:

# nano -w standalone.conf
  At the end of the file, add:

  # Agent for JBoss
  SOA_HOME=/opt/CA/JBossAgent
  export SOA_HOME

  JAVA_OPTS="$JAVA_OPTS -DNETE_TXM_ROOT=$SOA_HOME -DJAVA_AGENT_ROOT=$SOA_HOME -Dsmasa.home=$SOA_HOME -DSM_AGENT_LOGGING_EXTERNAL_CONFIG=true"

# export PATH=/opt/jdk1.8.0_92/jre/bin:${PATH}
# export JAVA_HOME=/opt/jdk1.8.0_92/jre
# ./standalone.sh

On your PC, in a DOS console:

start /B iexplore "http://mymachine.mydomain.com:8888/"

You should see in the browser:

Your Red Hat JBoss Enterprise Application Platform is running.

 # unzip jboss-eap-5.1.0-GA.zip -d /usr/java/
 # ln -s /usr/java/jboss-eap-5.1 /opt/java/jboss
 # nano -w /etc/profile.d/jboss.sh
   --
   #
   # Java
   #

   JBOSS_HOME=/opt/java/jboss
   PATH=$PATH:$JBOSS_HOME/bin

   export JBOSS_HOME PATH
   --
 # chmod 755 /etc/profile.d/jboss.sh
 # useradd -m -d /opt/java/jboss jboss
 # chown -Rf jboss.jboss /opt/java/jboss
 # su - jboss

 bash-3.2$ /opt/java/jboss/bin/run.sh -b 0.0.0.0

 Open a browser on your PC and type:

 http://host.domain.com:8080/

 You should get the Red Hat JBoss page.

# unzip oracle-xe-11.2.0-1.0.x86_64.rpm.zip
# rpm -Uvh Disk1/oracle-xe-11.2.0-1.0.x86_64.rpm

Oracle install:

# /etc/init.d/oracle-xe configure
  Specify the HTTP port that will be used for Oracle Application Express [8080]: 8181
  Specify a port that will be used for the database listener [1521]:
  Specify a password to be used for database accounts.  Note that the same
  password will be used for SYS and SYSTEM.  Oracle recommends the use of
  different passwords for each database account.  This can be done after
  initial configuration:password
  Confirm the password:password
  Do you want Oracle Database 11g Express Edition to be started on boot (y/n) [y]:y

  Starting Oracle Net Listener...Done
  Configuring database...Done
  Starting Oracle Database 11g Express Edition instance...Done
  Installation completed successfully.

# source /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh
# sqlplus system

  SQL*Plus: Release 11.2.0.2.0 Production on Wed Mar 15 04:42:55 2017

  Copyright (c) 1982, 2011, Oracle.  All rights reserved.

  Enter password: password

  Connected to:
  Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

  SQL> EXEC DBMS_XDB.SETLISTENERLOCALACCESS(FALSE);

  PL/SQL procedure successfully completed.

  SQL>

Notes to create a tablespace:
-----

SELECT TABLESPACE_NAME, FILE_NAME FROM DBA_DATA_FILES ORDER BY TABLESPACE_NAME;
CREATE SMALLFILE TABLESPACE "PSTORE" DATAFILE 'C:\APP\ORACLE\ORADATA\PSTORE\DATAFILE\my_data01.dbf' SIZE 100M AUTOEXTEND ON NEXT 100M MAXSIZE 8G LOGGING DEFAULT NOCOMPRESS ONLINE EXTENT MANAGEMENT LOCAL AUTOALLOCATE SEGMENT SPACE MANAGEMENT AUTO;
alter user SMUSER  default tablespace PSTORE temporary tablespace temp;
grant connect, resource to SMUSER;

Here is the fast track to install and configure Active Directory on Windows Server 2012 R2
with a specific Windows domain.

First of all, let's list the machine details:

      DNS Domain : training.com
      Machine host name : "MyMachine-3799"
      Active Directory Forest Domain : TRAINING
      machine IP : 192.168.1.2


Before installing the Active Directory service, if you run an antivirus, disable it. On my machine
I have the McAfee antivirus running. I disable it this way:

    c:\> mvadm disable

After the installation is done, enable it again:

    c:\> mvadm enable

Install all available Microsoft Windows updates, so we don't hit a bug in the components we want to
install:

    Click on "Control Panel";
    Click on "System and Security";
    Click on "Windows Update";
    Click on "Check for updates";
          Install all available updates by clicking on "Install updates", if any;
    Click on "Restart now" to reboot the machine;

Install the DNS server. I like to have this service and use this DNS with the other trusted machines I use.

    c:\> mvadm disable

    Click on "Server Manager";
    Click on "Add roles and features";
    In the "Before you begin" pane, click "Next";
    In the "Select installation" pane, select "Role-based or feature-based installation";
    Click "Next";
    In "Select destination server", make sure "Select a server from the server pool" is selected and
       that the current machine is selected in the "Server Pool" section.
    Click "Next";
    In "Select server roles", check "DNS Server";
    Click "Add Features";
    You can ignore the validation results if they report that the IP isn't static; it doesn't matter. Click "Continue";
    Click "Next";
    Click "Next";
    Click "Next";
    Click "Install";

    When you see "Installation succeeded on ", click on "Close";


Configure the DNS for the domain we will use for Active Directory:

    Click Start > Administrative Tools;
    Double-click on "DNS";
    Expand "MyMachine-3799" in the left menu;
    Right-click on "Forward Lookup Zones" and select "New Zone...";
    Click "Next";
    Select "Primary zone";
    Click "Next";
    In "Zone name:", write "training.com";
    Click "Next";
    Click "Next";
    Select "Allow both nonsecure and secure dynamic updates";
    Click "Next";
    Click "Finish";

Add the current machine's name resolution to the domain training.com:

    Click Start > Administrative Tools;
    Double-click on "DNS";
    Expand "MyMachine-3799" in the left menu;
    Click on "Forward Lookup Zones";
    Right-click on "training.com" and select "New Host (A or AAAA)...";
    In "Name", write "MyMachine-3799";
    In "IP address:", write "192.168.1.2";
    Click "Add Host";
    Click "OK";
    Click "Done";

    Right-click on "Reverse Lookup Zones";
    Select "New Zone...";
    Click "Next";
    Select "Primary zone";
    Click "Next";
    Select "IPv4 Reverse Lookup Zone";
    Click "Next";
    Select "Network ID:";
           In the field, write "192.168.1";
    Click "Next";
    Click "Next";
    Select "Allow both nonsecure and secure dynamic updates";
    Click "Next";
    Click "Finish";

    Click on "Forward Lookup Zones";
    Click on "training.com";
    Right-click on "MyMachine-3799" and select "Properties";
    Check "Update associated pointer (PTR) record";
    Click "Apply";
    Click "OK";


Install Active Directory:

    c:\> mvadm disable
    Click Start > Administrative Tools;
    Double-click on "Services";
    Right-click "Remote Registry" and open the "Properties" menu;
    From the "Startup type:" drop-down menu, select "Automatic".
    Under "Service status", click "Start";

    The Remote Registry service will start.

Then install Active Directory:

  Click on "Server Manager";

  Click on "Add roles and features";
  In the "Before you begin" pane, click "Next";
  In the "Select installation" pane, select "Role-based or feature-based installation";
  Click "Next";
  In "Select destination server", make sure "Select a server from the server pool" is selected and
   that the current machine is selected in the "Server Pool" section.
  Click "Next";
  In "Select server roles", check "Active Directory Domain Services";
  Click "Add Features";
  Click "Next";
  Click "Next";
  Click "Next";
  Click "Install";

  When you see the message "Configuration required. Installation succeeded on ", restart the
  machine.

  Click "Close";

Finally, configure Active Directory using the Active Directory Domain Services Configuration Wizard:

  Click on "Server Manager";

  Open the "Notifications" pane by selecting the "Notifications" icon at the
   top of the Server Manager. From the notification about configuring AD DS,
   click "Promote this server to a domain controller";
  Select "Add a new forest";
  In "Root domain name", write "training.com";
  Click Next;
  In "Forest functional level", select "Windows Server 2012 R2";
  In "Domain functional level", select "Windows Server 2012 R2";
  In "Specify domain controller capabilities", select "Domain Name System (DNS) server" and "Global Catalog (GC)";
  In "Type the Directory Services Restore Mode (DSRM) password", type mypassword for "Password" and mypassword for "Confirm password";
  Click Next;
  In the "DNS Options" pane, click "Next";
  In "Additional Options", verify that "The NetBIOS domain name" is filled in with "TRAINING", then click "Next";
  In "Paths", click "Next";
  In "Review Options", click "Next";
  In "Prerequisites Check", click "Install";

  After the installation, reboot the machine.

Log in to the machine with TRAINING\administrator or TRAINING.COM\administrator and the password that this user had on the machine before installing Active Directory.
Note that the password you gave during the configuration of Active Directory is only used if you boot the machine in "Restore Mode". This password doesn't replace the administrator password.

Patrick-Dussault

Federation Metadata

Posted by Patrick-Dussault Employee Jan 24, 2017

To handle Federation metadata issues, here are 2 documents about the required fields and attributes;
some are required [1,x] and others optional [0,x]:

http://www.datypic.com/sc/saml2/s-saml-schema-metadata-2.0.xsd.html

https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

Patrick-Dussault

Linux and Entropy

Posted by Patrick-Dussault Employee Dec 23, 2016

The entropy count indicates how unpredictable the next random number can be.
So if you have low entropy, around 200, then the random numbers are
more predictable than if you have a pool of 2000. Low entropy can also make
the kernel delay while it waits to produce the most unpredictable
random number.

To get enough entropy on a Linux system, close to the maximum of 4096 bits, run
the rngd command as follows:

# rngd -r /dev/urandom

You'll see the entropy pool increasing:

# cat /proc/sys/kernel/random/entropy_avail
4096
# cat /proc/sys/kernel/random/entropy_avail
3072

etc.
If you have launched a program in your PuTTY SSH session on a Linux or Unix
box and, unfortunately, you need to leave but do not want to interrupt the execution
of the program, you can use the disown command so that your program does not get the SIGHUP
when the session closes and keeps running in the background:

1 - Hit "ctrl+z" to pause the program and get back to the shell;
2 - Type "bg" to run it in the background;
3 - Type "disown -h [job-spec]" where [job-spec] is the job number;

To illustrate that:

$ XPSImport export.xml -fo -passphrase password -vT -l export.log -e export_error.log
(hit ctrl+z)
[1]+ Stopped XPSImport
$ bg
[1]+ XPSImport &
$ disown -h %1

Then you can close or exit your session and the process will keep
running on the machine in the background.

Compiling Apache 2.4.16 64-bit for Linux with SSL and all available modules

  # for i in download sandbox; do mkdir $i; done;
  # yum install gcc
  # export CC=gcc
  # export CFLAGS=-m64
  # export CPPFLAGS=-m64


Get the packages:
----------------

  # cd download/

  # for i in bz2 bz2.asc; do wget http://archive.apache.org/dist/apr/apr-1.5.1.tar.$i; done;
  # for i in bz2 bz2.asc; do wget http://archive.apache.org/dist/apr/apr-util-1.5.3.tar.$i; done;
  # wget http://archive.apache.org/dist/apr/KEYS
  # gpg --import KEYS
  # gpg --verify apr-1.5.1.tar.bz2.asc apr-1.5.1.tar.bz2
  # gpg --verify apr-util-1.5.3.tar.bz2.asc apr-util-1.5.3.tar.bz2

  # wget --no-check-certificate https://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz.sig
  # wget --no-check-certificate https://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz

  # gpg --verify pcre-8.30.tar.gz.sig pcre-8.30.tar.gz

  # wget --no-check-certificate https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.gz
  # wget --no-check-certificate https://archive.apache.org/dist/httpd/httpd-2.4.16.tar.gz.asc
  # wget --no-check-certificate https://archive.apache.org/dist/httpd/KEYS
  # gpg --import KEYS
  # gpg --verify httpd-2.4.16.tar.gz.asc httpd-2.4.16.tar.gz


Uncompress the packages and check the result:
--------------------------------------------

  # for i in `ls *.gz`; do gunzip $i; done; ls -ltr; for j in `ls *.tar`; do tar -xvf $j; done; ls -ltr
  # for i in apr-util-1.5.3 apr-1.5.1; do bunzip2 $i.tar.bz2; tar xvf $i.tar; done;
  # for i in pcre-8.30 apr-util-1.5.3 httpd-2.4.16 apr-1.5.1; do chown -R root:root $i; done; ls -ltr

Compile PCRE:
------------

  # cd pcre-8.30
  # ./configure --prefix=/opt/pcre --disable-cpp
  # make
  # make install

Move the APR sources into the Apache source tree:
---------------------------------------------

  # cd /root/download/
  # mv apr-util-1.5.3 httpd-2.4.16/srclib/apr-util
  # mv apr-1.5.1 httpd-2.4.16/srclib/apr

Compile Apache:
--------------

  # cd httpd-2.4.16
  # export LIBS=-lpthread
  # ./configure --enable-module=so --prefix=/opt/apache2416 --with-included-apr --with-pcre=/opt/pcre --enable-ssl=shared --enable-mods-shared=all
  # make
  # make install

Then you test it:
----------------

  # /opt/apache2416/bin/apachectl start

Open a browser and try to reach the machine on port 80; you should see "It works!" in the browser.

How to run a shell script in debug mode, get all the debug log in a file, and trace all system calls and
signals.

Here are 2 command lines to gather all debug logs with system calls for troubleshooting an installer, configurator, or stop and start scripts on Unix / Linux.

These samples are for the Policy Server "stop-all" command:

Unix:

/* make a backup copy */

  # cp -p stop-all stop-all.orig

/* set the shell script to debug */

  # vi stop-all

   Modify the script ./stop-all and add "set -x" on the line
   right after the shebang, like this:

   #!/bin/sh
   set -x

/* run the shell script wrapped with the truss command */

  # truss -adefl -o output.txt ./stop-all > runstop.txt 2>&1

Gather output.txt and runstop.txt for the traces.

Linux:

/* make a backup copy */

   # cp -p stop-all stop-all.orig

/* set the shell script to debug */

   # nano -w stop-all

    Modify the script ./stop-all and add "set -x" on the line
    right after the shebang, like this:

    #!/bin/sh
    set -x

/* run the shell script wrapped with the strace command */

   # strace -o run.dump -t -ff ./stop-all > run-output.txt 2>&1

Gather all run.dump* and run-output.txt for the traces.

To quickly create a certificate to configure Apache or SPS with SSL:

#  mkdir certificate
#  cd certificate/
#  openssl genrsa -des3 -out server.key 1024
#  openssl req -config /etc/ssl/openssl.cnf -new -key server.key -out server.csr

Here's a sample of the configuration:

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Barcelona
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:lodsun28d.ca.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#  openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
       (enter the passphrase you gave when creating server.key)

Then use server.key along with server.crt to configure SSL for your server.

To remove the passphrase from server.key:

# cp -p server.key server.key.orig
# openssl rsa -in server.key -out server.key.new
Enter pass phrase for server.key:
writing RSA key
# cp server.key.new /opt/apache2416/conf/server.key
cp: overwrite '/opt/apache2416/conf/server.key'? y

Note that on some distributions, the default openssl configuration file is located here:

/etc/pki/tls/openssl.cnf

So you probably want to adjust the openssl command accordingly where this path is needed.

Here is the fast track to compile the NSS libraries on your Linux box:

To install and compile the NSS library (32-bit) on Red Hat 6 64-bit:

1 - Download nss-3.20.2-with-nspr-4.10.10.tar.gz

    from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_20_2_RTM/src/

2 - Ensure that the sqlite 32-bit libraries are available on the system:

    # yum install sqlite-devel.i686

3 - Decompress and unarchive the package and enter the directory:

    # tar zxvf nss-3.20.2-with-nspr-4.10.10.tar.gz
    # cd nss-3.20.2

4 - Compile the NSS libraries:

    # export CFLAGS=-m32 && gmake BUILD_OPT=1 \
    NSPR_INCLUDE_DIR=/usr/include USE_SYSTEM_ZLIB=1 ZLIB_LIBS=-lz \
    NSS_USE_SYSTEM_SQLITE=1 -j1 nss_build_all

5 - You'll then find the binary libraries in:

    nss-3.20.2/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/

In order to read a CRL and check whether a specific serial number has been revoked, download the CRL file to your computer and run the following command:

# openssl crl -inform DER -text -noout -in your_crl_file.crl

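The command above prints the revoked entries as text, and the remaining step, matching a serial, is easy to get wrong because the same serial shows up as 0A1B..., 0a:1b:... or 0x..., depending on where it was copied from. The following Python script is an added example, not code from the post: it parses a constructed dump in the layout of `openssl crl -text` output, normalizes serials, and answers whether a given serial is listed (the issuer and serials are made up).

```python
import re

# Constructed sample laid out like the output of `openssl crl -text -noout`
# (hypothetical issuer and serials; not a real CRL).
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=ES/O=Example/CN=Example Issuing CA
        Last Update: Mar 15 04:42:55 2017 GMT
        Next Update: Apr 14 04:42:55 2017 GMT
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Mar 10 10:00:00 2017 GMT
    Serial Number: 0A1B2C3D4E5F
        Revocation Date: Mar 12 12:00:00 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha256WithRSAEncryption
"""


def normalize_serial(serial):
    """Canonical form of a serial: strip 0x, colons and spaces, drop leading
    zeros, uppercase. Serials copied from browsers, `openssl x509 -serial`
    and CRL listings differ only in these details."""
    s = str(serial).strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = re.sub(r"[:\s]", "", s)
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError("not a hex serial: %r" % (serial,))
    return s.lstrip("0").upper() or "0"


def parse_revoked(crl_text):
    """Map canonical serial -> {'date': ..., 'reason': ...} from the text dump."""
    revoked, current, want_reason = {}, None, False
    for raw in crl_text.splitlines():
        line = raw.strip()
        m = re.match(r"Serial Number:\s*([0-9A-Fa-f:]+)$", line)
        if m:
            current = normalize_serial(m.group(1))
            revoked[current] = {"date": None, "reason": None}
            want_reason = False
            continue
        if current is None:
            continue  # still in the CRL header, before "Revoked Certificates:"
        m = re.match(r"Revocation Date:\s*(.+)$", line)
        if m:
            revoked[current]["date"] = m.group(1)
        elif line.startswith("X509v3 CRL Reason Code"):
            want_reason = True  # openssl prints the reason on the next line
        elif want_reason and line:
            revoked[current]["reason"] = line
            want_reason = False
    return revoked


def is_revoked(crl_text, serial):
    return normalize_serial(serial) in parse_revoked(crl_text)


if __name__ == "__main__":
    for candidate in ("0a:1b:2c:3d:4e:5f", "0x1000", "1001"):
        status = "REVOKED" if is_revoked(SAMPLE_CRL_TEXT, candidate) else "not in CRL"
        print(candidate, "->", status)
```

Feed it the real dump with `openssl crl -inform DER -text -noout -in your_crl_file.crl > crl.txt` and pass the file contents to is_revoked; a serial that is absent from a CRL whose "Next Update" has passed tells you nothing, so check that date too.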
If you need a full debug of the Web Agent or Policy Server installer script until it installs the product,
you can run the installer this way:

# sh -x ./ca-wa-12.52-sp01-cr05-linux-x86-64.bin -i console 2>&1 | tee installer.txt

installer.txt will show output like this, which might help you troubleshoot issues with disk space, etc.:


+ PATH=/usr/lib64/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/CA/SharedComponents/bin:/opt/CA/SharedComponents/ccs/cam/bin:/root/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
+ BLOCKSIZE=32768
+ JRESTART=4
+ JREREALSIZE=32424781
+ ARCHSIZE=261
+ RESSIZE=2546
+ RESREALSIZE=83421891
+ ARCHREALSIZE=8522990
+ LAX_NL_CURRENT_VM=jre/bin/java
+ LAX_INSTALLER_UNIX_INTERNAL_PROPERTY_0=bin/java
+ DEFAULTPERMS=002
+ INSTALLER_OVERRIDE_VMLIST=1.6+
+ INSTALLER_STDERR_REDIRECT=
+ INSTALLER_STDOUT_REDIRECT=
+ INSTALLER_HEAP_SIZE_INITIAL=16777216
+ INSTALLER_HEAP_SIZE_MAX=50331648
+ INSTALLER_OPTIONAL_ARGS=
+ RESOURCE_DIR=Linux
+ DEFAULT_UI_MODE=GUI
+ GREP=grep
++ uname
+ '[' Linux = SunOS -a -x /usr/xpg4/bin/grep ']'
+ case `uname -s` in
++ uname -s
+ TR=/usr/bin/tr
+ uimodeuse='not set'
+ hasSeenIUse=false
+ tmpArgsUse=
+ origArgsUse='-i console'
+ for arg in '"$@"'
+ '[' -i '!=' '' ']'
+ tmpArgsUse=' "-i"'
+ '[' -i = -i -o -i = -I ']'
+ hasSeenIUse=true
+ for arg in '"$@"'
+ '[' console '!=' '' ']'
+ tmpArgsUse=' "-i" "console"'
+ '[' console = -i -o console = -I ']'
+ '[' true = true ']'

etc...

As the root user, get the smpolicysrv process PID and run the following command:

# top -d 60 -p <Policy server PID> -b > top-output.txt

Every minute, you'll get all the OS stats about CPU and memory, and the full status of the Policy Server process.