FIND usage

find / -type f -name "*.jpg" -exec cp {} . \;
find /dir -type f -size 0 -print
find . -type f -size +10000 -exec ls -al {} \;
find /var/nmon -mtime +30 | xargs -i rm {}
find /var/nmon -mtime +1 -exec gzip -9 {} \;
find . -atime +1 -type f -exec mv {} TMP \; # mv files older than 1 day to dir TMP
find . -name "-F" -exec rm {} \; # a script error created a file called -F
find . -exec grep -i "vds admin" {} \;
find . \! -name "*.Z" -exec compress -f {} \;
find . -type f \! -name "*.Z" \! -name ".comment" -print | tee -a /tmp/list
find . -name "*.ini"
find . -exec chmod 775 {} \;
find . -user xuser1 -exec chown -R user2 {} \;
find . -user psoft -exec rm -rf {} \;
find . -name "ebtcom*"
find . -name mkbook
find . -exec grep PW0 {} \;
find . -exec grep -i "pw0" {} \;
find . -atime +6
find . -atime +6 -exec ll | more
find . -atime +6 -exec ll | more \;
find . -atime +6 -exec ll \;
find . -atime +6 -exec ls \;
find . -atime +30 -exec ls \;
find . -atime +30 -exec ls \; | wc -l
find . -name "auth*"
find . -exec grep -i plotme10 {};
find . -exec grep -i plotme10 {} \;
find . -ls -exec grep 'PLOT_FORMAT 22' {} \;
find . -print -exec grep 'PLOT_FORMAT 22' {} \;
find . -print -exec grep 'PLOT_FORMAT' {} \;
find . -print -exec grep 'PLOT_FORMAT' {} \;
find ./machbook -exec chown 184 {} \;
find . \! -name '*.Z' -exec compress {} \;
find . \! -name "*.Z" -exec compress -f {} \;
find /raid/03c/ecn -xdev -type f -print
find /raid/03c/ecn -xdev -path -type f -print
find / -name ".ssh*" -print | tee -a ssh-stuff
find . -name "*font*"
find . -name "hpmcad*"
find . -name "*fnt*"
find . -name "hp_mcad*" -print
find . -grep Pld {} \;
find . -exec grep Pld {} \;
find . -exec grep Pld {} \;
find . -exec grep PENWIDTH {} \; | more
find . -name config.pro
find . -name config.pro
find /raid -type d ".local_sd_customize" -print
find /raid -type d -name ".local_sd_customize" -print
find /raid -type d -name ".local_sd_customize" -ok cp /raid/04d/MCAD-apps/I_Custom/SD_custom/site_sd_customize/user_filer_project_dirs {} \;
find /raid -type d -name ".local_sd_customize" -exec cp /raid/04d/MCAD-apps/I_Custom/SD_custom/site_sd_customize/user_filer_project_dirs {} \;
find . -name xeroxrelease
find . -exec grep xeroxrelease {} \;
find . -name xeroxrelease
find . -name "xeroxrelease*" -print 2>/dev/null
find . -name "*release*" 2>/dev/null
find / -name "*xerox*" 2>/dev/null
find . -exec grep -i xeroxrelease {} \;
find . -print -exec grep -i xeroxrelease {} \;
find . -print -exec grep -i xeroxrelease {} \; > xeroxrel.lis
find . -exec grep -i xeroxrel {} \;
find . -print -exec grep -i xeroxrel {} \;
find . -print -exec grep -i xeroxrel {} \; | more
find /raid/03c/inwork -xdev -type f -print >> /raid/04d/user_scripts/prt_list.tmp
find . -exec grep '31.53' {} \;
find . -ls -exec grep "31/.53" {} \; > this.lis
find . -print -exec grep "31/.53" {} \; > this.lis
find . -print -exec grep 31.53 {} \; > this.lis
find . -exec grep -i pen {} /;
find . -exec grep -i pen {} \;
find . -print -exec grep -i pen {} \; | more
find . -exec grep -i pen {} \;
find . -atime +6 -exec ll | more \;
find . -atime +6 -exec ll \;
find . -atime +6 -exec ls \;
find . -atime +30 -exec ls \;
find . -atime +30 -exec ls \; | wc -l
find . \! -name '*.Z' -exec compress -f {} \;
find . -name 'cache*' -depth -exec rm {} \;
find . -name 'cache*' -depth -print | tee -a /tmp/cachefiles
find . -name 'cache[0-9][0-9]*' -depth -print | tee -a /tmp/cachefiles
find . -name 'hp_catfile' 'hp_catlock' -depth -print | tee -a /tmp/hp.cats
find . -name 'hp_catfile' -name 'hp_catlock' -depth -print | tee -a /tmp/hp.cats
find . -name 'hp_cat*' -depth -print | tee -a /tmp/hp.cats
find . -name 'hp_cat[fl]*' -depth -print | tee -a /tmp/hp.cats
find /raid -name 'hp_cat[fl]*' -depth -print
find . \! -name '*.Z' -exec compress -f {} \;
find . -name '*' -exec compress -f {} \;
find . -xdev -name "wshp1*" -print
find . -xdev -name "wagoneer*" -print
find . -name "xcmd" -depth -print
find /usr/contrib/src -name "xcmd" -depth -print
find /raid -type d -name ".local_sd_customize" -exec ls {} \;
find /raid -type d -name ".local_sd_customize" \
-exec cp /raid/04d/MCAD-apps/I_Custom/SD_custom/site_sd_customize/user_filer_project_dirs {} \;
find . -name "rc.conf" -print
find . -name "rc.conf" -exec chmod o+r '{}' \; -print
find . -not \( -name "*.v" -o -name "*,v" \) -print
=================================================================
Basic find command examples
This first Linux find example searches through the root filesystem (“/”) for the file named “Chapter1”. If it finds the file, it prints the location to the screen.

find / -name Chapter1 -type f -print

On Linux systems and modern Unix systems you no longer need the -print option at the end of the find command, so you can issue it like this:

find / -name Chapter1 -type f

The “-type f” option here tells the find command to return only files. If you don’t use it, the find command will return files, directories, and other things like named pipes and device files that match the name pattern you specify. If you don’t care about that, just leave the “-type f” option off your command.

This next find command searches through only the /usr and /home directories for any file named “Chapter1.txt”:

find /usr /home -name Chapter1.txt -type f

To search in the current directory — and all subdirectories — just use the . character to reference the current directory in your find commands, like this:

find . -name Chapter1 -type f

This next example searches through the /usr directory for all files that begin with the letters Chapter, followed by anything else. The filename can end with any other combination of characters. It will match filenames such as Chapter, Chapter1, Chapter1.bad, Chapter-in-life, etc.:

find /usr -name "Chapter*" -type f

This next command searches through the /usr/local directory for files that end with the extension .html. These file locations are then printed to the screen.

find /usr/local -name "*.html" -type f

Find directories with the Unix find command
Every option you just saw for finding files can also be used on directories. Just replace the “-type f” option with a “-type d” option. For instance, to find all directories named build under the current directory, use this command:

find . -type d -name build

Find files that don’t match a pattern
To find all files that don’t match a filename pattern, use the “-not” argument of the find command, like this:

find . -type f -not -name "*.html"

That generates a list of all files beneath the current directory whose filename DOES NOT end in “.html”, so it matches files like *.txt, *.jpg, and so on.
Finding files that contain text (find + grep)
You can combine the Linux find and grep commands to powerfully search for text strings in many files.

This next command shows how to find all files beneath the current directory that end with the extension .java, and contain the characters StringBuffer. The -l argument to the grep command tells it to just print the name of the file where a match is found, instead of printing all the matches themselves:

find . -type f -name "*.java" -exec grep -l StringBuffer {} \;

(The trailing {} \; is required any time you want to exec a command on the files that are found. I find it helpful to think of {} as a placeholder for each file that is found; the \; marks the end of the command.)

This next example is similar, but here I use the -i argument to the grep command, telling it to ignore the case of the characters string, so it will find files that contain string, String, STRING, etc.:

find . -type f -name "*.java" -exec grep -il string {} \;

Acting on files you find (find + exec)
This command searches through the /usr/local directory for files that end with the extension .html. When these files are found, their permission is changed to mode 644 (rw-r--r--).

find /usr/local -name "*.html" -type f -exec chmod 644 {} \;

This find command searches through the htdocs and cgi-bin directories for files that end with the extension .cgi. When these files are found, their permission is changed to mode 755 (rwxr-xr-x). This example shows that the find command can easily search through multiple sub-directories (htdocs, cgi-bin) at one time.

find htdocs cgi-bin -name "*.cgi" -type f -exec chmod 755 {} \;

Running the ls command on files you find
From time to time I run the find command with the ls command so I can get detailed information about files the find command locates. To get started, this find command will find all the “*.pl” files (Perl files) beneath the current directory:

find . -name "*.pl"

In my current directory, the output of this command looks like this:

./news/newsbot/old/3filter.pl
./news/newsbot/tokenParser.pl
./news/robonews/makeListOfNewsURLs.pl

That’s nice, but what if I want to see the last modification time of these files, or their filesize? No problem, I just add the “ls -ld” command to my find command, like this:

find . -name "*.pl" -exec ls -ld {} \;

This results in this very different output:

-rwxrwxr-x 1 root root 2907 Jun 15 2002 ./news/newsbot/old/3filter.pl
-rwxrwxr-x 1 root root 336 Jun 17 2002 ./news/newsbot/tokenParser.pl
-rwxr-xr-x 1 root root 2371 Jun 17 2002 ./news/robonews/makeListOfNewsURLs.pl

The “-l” flag of the ls command tells ls to give me a “long listing” of each file, while the -d flag is extremely useful in this case; it tells ls to give me the same output for a directory. Normally if you use the ls command on a directory, ls will list the contents of the directory, but if you use the -d option, you’ll get one line of information, as shown above.
Find and delete
Be very careful with these next two commands. If you type them in wrong, or make the wrong assumptions about what you’re searching for, you can delete a lot of files very fast. Make sure you have backups and all that, you have been warned.

Here’s how to find all files beneath the current directory that begin with the letters ‘Foo’ and delete them.

find . -type f -name "Foo*" -exec rm {} \;

This one is even more dangerous. It finds all directories named CVS, and deletes them and their contents. Just like the previous command, be very careful with this command, it is dangerous(!), and not recommended for newbies, or if you don’t have a backup.

find . -type d -name CVS -exec rm -r {} \;
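
A safer way to run the deletions above, as an added example rather than a command from the original article: the same find expression is run once to list the matches and only removes them when asked to. The preview_delete function name, its arguments and the scratch files in the demo are made up for this example.

```sh
#!/bin/sh
# Added example: list what a find-and-delete would remove, and delete only
# when the caller passes "apply" as the third argument.
#
# usage: preview_delete DIR NAME_PATTERN [apply]
preview_delete() {
    dir=$1
    pattern=$2
    mode=${3:-preview}

    if [ -z "$dir" ] || [ -z "$pattern" ]; then
        echo "usage: preview_delete DIR NAME_PATTERN [apply]" >&2
        return 2
    fi
    # A start directory that begins with "-" would be parsed by find as part
    # of its expression, so anchor it with "./".
    case $dir in
        -*) dir=./$dir ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Refuse the filesystem root: a mistyped start directory is how a
    # find + rm turns into a mass deletion.
    if [ "$(cd "$dir" && pwd -P)" = / ]; then
        echo "refusing to run against /" >&2
        return 2
    fi

    # The preview and the delete use the identical test, so what is listed
    # is what gets removed:
    #   -xdev    stay on one filesystem (do not wander into other mounts)
    #   -type f  regular files only, never directories
    #   "$pattern" is quoted so find, not the shell, expands the wildcard
    if [ "$mode" = apply ]; then
        # "{} +" batches file names into as few rm calls as possible;
        # "--" ends option parsing so no file name is read as an rm flag.
        find "$dir" -xdev -type f -name "$pattern" -exec rm -f -- {} +
    else
        find "$dir" -xdev -type f -name "$pattern" -print
    fi
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sub"
touch "$demo_dir/Foo 1.txt" "$demo_dir/sub/Foobar" "$demo_dir/sub/keep.txt"
preview_delete "$demo_dir" 'Foo*'          # lists the two Foo* files
preview_delete "$demo_dir" 'Foo*' apply    # removes them, keeps keep.txt
rm -rf "$demo_dir"
```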

Find files with different file extensions
The syntax to find multiple filename extensions with one command looks like this:

find . -type f \( -name "*.c" -o -name "*.sh" \)

Just keep adding more “-o” (or) options for each filename extension. Here’s a link to
Case-insensitive file searching
To perform a case-insensitive search with the Unix/Linux find command, use the -iname option instead of -name. So, to search for all files and directories named foo, FOO, or any other combination of uppercase and lowercase characters beneath the current directory, use this command:

find . -iname foo

If you’re just interested in directories, search like this:

find . -iname foo -type d

And if you’re just looking for files, search like this:

find . -iname foo -type f

Find files by modification time
To find all files and directories that have been modified in the last seven days, use this find command:

find . -mtime -7

To limit the output to just files, add the “-type f” option as shown earlier:

find . -mtime -7 -type f

and to show just directories:

find . -mtime -7 -type d

Networking Properties – Oracle Recommended for Java

Networking Properties

There are a few standard system properties used to alter the mechanisms and behavior of the various classes of the java.net package. Some are checked only once at startup of the VM, and therefore are best set using the -D option of the java command, while others have a more dynamic nature and can also be changed using the System.setProperty() API. The purpose of this document is to list and detail all of these properties.

If there is no special note, a property value is checked every time it is used.
IPv4 / IPv6

java.net.preferIPv4Stack (default: false)
If IPv6 is available on the operating system the underlying native socket will be, by default, an IPv6 socket which lets applications connect to, and accept connections from, both IPv4 and IPv6 hosts. However, in the case an application would rather use IPv4 only sockets, then this property can be set to true. The implication is that it will not be possible for the application to communicate with IPv6 only hosts.

java.net.preferIPv6Addresses (default: false)
When dealing with a host which has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer using IPv4 addresses over IPv6 ones. This is to ensure backward compatibility, for example applications that depend on the representation of an IPv4 address (e.g. 192.168.1.1). This property can be set to true to change that preference and use IPv6 addresses over IPv4 ones where possible.

Both of these properties are checked only once, at startup.
Proxies

A proxy server allows indirect connection to network services and is used mainly for security (to get through firewalls) and performance reasons (proxies often provide caching mechanisms). The following properties allow for configuration of the various types of proxies.

HTTP

The following proxy settings are used by the HTTP protocol handler.

http.proxyHost (default: <none>)
The hostname, or address, of the proxy server

http.proxyPort (default: 80)
The port number of the proxy server.

http.nonProxyHosts (default: localhost|127.*|[::1])
Indicates the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts, separated by the ‘|’ character. In addition the wildcard character ‘*’ can be used for pattern matching. For example -Dhttp.nonProxyHosts="*.foo.com|localhost" will indicate that every host in the foo.com domain and the localhost should be accessed directly even if a proxy server is specified.

The default value excludes all common variations of the loopback address.

HTTPS
This is HTTP over SSL, a secure version of HTTP mainly used when confidentiality (like on payment sites) is needed.

The following proxy settings are used by the HTTPS protocol handler.

https.proxyHost (default: <none>)
The hostname, or address, of the proxy server

https.proxyPort (default: 443)
The port number of the proxy server.

The HTTPS protocol handler will use the same nonProxyHosts property as the HTTP protocol.

FTP

The following proxy settings are used by the FTP protocol handler.

ftp.proxyHost (default: <none>)
The hostname, or address, of the proxy server

ftp.proxyPort (default: 80)
The port number of the proxy server.

ftp.nonProxyHosts (default: localhost|127.*|[::1])
Indicates the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts, separated by the ‘|’ character. In addition the wildcard character ‘*’ can be used for pattern matching. For example -Dhttp.nonProxyHosts="*.foo.com|localhost" will indicate that every host in the foo.com domain and the localhost should be accessed directly even if a proxy server is specified.

The default value excludes all common variations of the loopback address.

SOCKS
This is another type of proxy. It allows for lower level type of tunneling since it works at the TCP level. In effect, in the Java(tm) platform setting a SOCKS proxy server will result in all TCP connections to go through that proxy, unless other proxies are specified. If SOCKS is supported by a Java SE implementation, the following properties will be used:

socksProxyHost (default: <none>)
The hostname, or address, of the proxy server.

socksProxyPort (default: 1080)
The port number of the proxy server.

socksProxyVersion (default: 5)
The version of the SOCKS protocol supported by the server. The default is 5 indicating SOCKS V5, alternatively 4 can be specified for SOCKS V4. Setting the property to values other than these leads to unspecified behavior.

java.net.socks.username (default: <none>)
Username to use if the SOCKSv5 server asks for authentication and no java.net.Authenticator instance was found.

java.net.socks.password (default: <none>)
Password to use if the SOCKSv5 server asks for authentication and no java.net.Authenticator instance was found.

Note that if no authentication is provided with either the above properties or an Authenticator, and the proxy requires one, then the user.name property will be used with no password.

java.net.useSystemProxies (default: false)
On recent Windows systems and on Gnome 2.x systems it is possible to tell the java.net stack, setting this property to true, to use the system proxy settings (both these systems let you set proxies globally through their user interface). Note that this property is checked only once at startup.

Misc HTTP properties

http.agent (default: “Java/<version>”)
Defines the string sent in the User-Agent request header in http requests. Note that the string “Java/<version>” will be appended to the one provided in the property (e.g. if -Dhttp.agent="foobar" is used, the User-Agent header will contain “foobar Java/1.5.0” if the version of the VM is 1.5.0). This property is checked only once at startup.

http.keepalive (default: true)
Indicates if persistent connections should be supported. They improve performance by allowing the underlying socket connection to be reused for multiple http requests. If this is set to true then persistent connections will be requested with HTTP 1.1 servers.

http.maxConnections (default: 5)
If HTTP keepalive is enabled (see above) this value determines the maximum number of idle connections that will be simultaneously kept alive, per destination.

http.maxRedirects (default: 20)
This integer value determines the maximum number, for a given request, of HTTP redirects that will be automatically followed by the protocol handler.

http.auth.digest.validateServer (default: false)

http.auth.digest.validateProxy (default: false)

http.auth.digest.cnonceRepeat (default: 5)

These 3 properties modify the behavior of the HTTP digest authentication mechanism. Digest authentication provides a limited ability for the server to authenticate itself to the client (i.e. By proving it knows the user’s password). However not all HTTP servers support this capability and by default it is turned off. The first two properties can be set to true to enforce this check for authentication with either an origin or proxy server, respectively.

It is usually not necessary to change the third property. It determines how many times a cnonce value is re-used. This can be useful when the MD5-sess algorithm is being used. Increasing this value reduces the computational overhead on both client and server by reducing the amount of material that has to be hashed for each HTTP request.

http.auth.ntlm.domain (default: <none>)
NTLM is another authentication scheme. It uses the java.net.Authenticator class to acquire usernames and passwords when they are needed. However NTLM also needs the NT domain name. There are 3 options for specifying that domain:

1) Do not specify it. In some environments the domain is actually not required and the application does not have to specify it.

2) The domain name can be encoded within the username by prefixing the domain name, followed by a back-slash ‘\’ before the username. With this method existing applications that use the authenticator class do not need to be modified, as long as users are made aware that this notation must be used.

3) If a domain name is not specified as in method 2) and this property is defined, then its value will be used as the domain name.

All these properties are checked only once at startup.
Address Cache

The java.net package, when doing name resolution, uses an address cache for both security and performance reasons. Any address resolution attempt, be it forward (name to IP address) or reverse (IP address to name), will have its result cached, whether it was successful or not, so that subsequent identical requests will not have to access the naming service. These properties allow for some tuning on how the cache is operating.

networkaddress.cache.ttl (default: see below)
Value is an integer corresponding to the number of seconds successful name lookups will be kept in the cache. A value of -1, or any other negative value for that matter, indicates a “cache forever” policy, while a value of 0 (zero) means no caching. The default value is -1 (forever) if a security manager is installed, and implementation specific when no security manager is installed.

networkaddress.cache.negative.ttl (default: 10)
Value is an integer corresponding to the number of seconds an unsuccessful name lookup will be kept in the cache. A value of -1, or any negative value, means “cache forever”, while a value of 0 (zero) means no caching.

Since these 2 properties are part of the security policy, they are not set by either the -D option or the System.setProperty() API, instead they are set in the JRE security policy file lib/security/java.security.

IPV6 Can Cause Poor Java Performance

Technote (troubleshooting)

Problem(Abstract)

If the entire network is not IPv6-enabled or capable, users may find that Java programs perform poorly.
Resolving the problem

This document explains that if the entire network is not IPv6-enabled or capable, users may find that Java programs perform poorly.

On IBM i 6.1 and 7.1, the default JVM is the IBM Technology for Java (J9). This JVM runs in the PASE environment. When IPv6 is enabled (which is the default), each DNS entry is checked to see if it is IPv6-capable. When PASE hits a slow or unresponsive DNS entry, it will wait for a reply or timeout. A java thread dump (javacore) will confirm that IPv6 is the source of the poor performance. The stack will show “Inet6AddressImpl” as shown below:


at java/net/Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java/net/InetAddress$2.lookupAllHostAddr(InetAddress.java:949)
at java/net/InetAddress.getAddressFromNameService(InetAddress.java:1318)
at java/net/InetAddress.getLocalHost(InetAddress.java:1505)

Resolution:

Disable IPv6 at JVM invocation by using the following java properties:

o -Dcom.ibm.cacheLocalHost=true
o -Djava.net.preferIPv4Stack=true
o -Djava.net.preferIPv6Addresses=false

Note: These properties can be passed as command-line arguments or added to a SystemDefault.properties file.

If the JVM is a WebSphere Application Server job, use caution when adding these properties. You should review the following technote to fully understand
how these properties could adversely affect your application server environment.

http://www-01.ibm.com/support/docview.wss?uid=swg21498126

If you decide to add the properties to your server, they can be added as generic JVM arguments as shown below. The following graphic shows the properties set in WebSphere Application Server 7.0 Express:


Slow performance or hang in HostName lookup

Technote (troubleshooting)

Problem(Abstract)

There is slow performance or a hang during HostName lookup.
Symptom

Thread dumps or javacores taken during the time of the slow response, or “hang threads” will show threads with the following lines at the top of the stack:

at java.net.Inet6AddressImpl.getLocalHostName(Native Method)
at java.net.InetAddress.getLocalHost(InetAddress.java:123)

Cause

The problem could be a lookup issue between IPv6 and IPv4. If the Domain Name System (DNS) server is not configured to handle IPv6 queries, the application may have to wait for each IPv6 query to time out.

These threads are waiting for a response to an IPv6 query. It is likely that the DNS server is not responding to the IPv6 query.

Resolving the problem

If your environment only uses IPv4, set the following argument for each process:

-Djava.net.preferIPv4Stack=true

This will disable IPv6 lookup requests and only use IPv4. To set this in the WebSphere Application Server, do the following:

Open the administrative console and navigate to:

Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties(/Environment Entries)

Add the following name and value pair:

Name: java.net.preferIPv4Stack
Value: true

Click Apply, then save all changes.

Restart the application server.
If your environment uses IPv6, please have your network administrator check the DNS set up to ensure that it can respond properly to IPv6 queries.

Windows 2012 Features


Add HTTP Strict Transport Security in Apache & Nginx

HSTS (HTTP Strict Transport Security) is a security mechanism that forces the use of SSL in the communication between the web browser and the web server. The standard was recently approved (2 October 2012) by the IETF, but the first draft was released in 2010 and it was already implemented on some sites such as PayPal, Android Market and the DEF CON website. The motivation for HSTS is to mitigate SSLStrip attacks, introduced by Moxie Marlinspike at the Black Hat conference in 2009. SSLStrip hijacks an https session by forcing what should be an https connection to become plain http, which allows the attacker to read all data sent by the victim. Basically it follows three steps:

  • Victim establishes a HTTP connection with attacker machine.
  • The attacker transforms the http traffic from the victim to https.
  • The attacker establishes the https connection with the real web server.

By configuring HSTS, the web server informs the web browser that connections to the site should always use SSL. Currently the web browsers that support the HSTS header are Google Chrome from version 4.0.211.0, Firefox from version 4 and Opera from version 12.
HSTS has a limitation that resides in the initial request from the web browser, which can be exploited by an attacker; for this reason it’s important to set a high value for the HSTS expiration.

Apache implementation

– Load the mod_headers module so that the http headers can be modified:

# vi /etc/httpd/conf/httpd.conf
LoadModule headers_module modules/mod_headers.so

– Add the following line to the vhost statement or to the main Apache config file; it sets an expiration of 6 months and includes the requests for all the subdomains:

Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"

Nginx implementation

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

Capturing HTTP headers from the server with tcpdump

# tcpdump -vvvs 1024 -l -A host monitor.local
$p... ..HTTP/1.1 200 OK
Date: Tue, 09 Oct 2012 18:33:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 09 Oct 2012 18:33:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="CAO PSA OUR"
Strict-Transport-Security: max-age=15768000
Content-Length: 1468
Connection: close
Content-Type: text/html; charset=UTF-8
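
One way to check a captured response for the header configured above, as an added example that is not part of the original post. The check_hsts function name, its exit codes and the default minimum of 15768000 seconds (the 6 months used above) are choices made for this example.

```sh
#!/bin/sh
# Added example: validate the Strict-Transport-Security header in a block of
# HTTP response headers read from stdin (for instance pasted from a capture).
#
# usage: check_hsts [MIN_MAX_AGE_SECONDS] < headers
# exit:  0 = policy present and max-age >= minimum
#        1 = header missing
#        2 = header present but max-age missing, malformed or below minimum
check_hsts() {
    min_age=${1:-15768000}    # assumed default: the 6 months used on this page

    # Header names are case-insensitive and captures usually carry CRLF line
    # endings. Browsers process only the first STS header of a response
    # (RFC 6797), so stop at the first match.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")
            print
            exit
        }')

    if [ -z "$value" ]; then
        echo "missing"
        return 1
    fi

    # Directives are separated by ";", directive names are case-insensitive,
    # and the max-age value may be written as a quoted string.
    printf '%s\n' "$value" | awk -F';' -v min="$min_age" '{
        age = -1
        subdomains = "no"
        for (i = 1; i <= NF; i++) {
            d = tolower($i)
            gsub(/[ \t"]/, "", d)
            if (d ~ /^max-age=[0-9]+$/)
                age = substr(d, 9) + 0
            else if (d == "includesubdomains")
                subdomains = "yes"
        }
        if (age < 0) {
            print "invalid no-max-age includeSubDomains=" subdomains
            exit 2
        }
        if (age >= min + 0) {
            printf "ok max-age=%d includeSubDomains=%s\n", age, subdomains
            exit 0
        }
        printf "weak max-age=%d includeSubDomains=%s\n", age, subdomains
        exit 2
    }'
}

# Constructed sample: a few of the headers from the capture shown above.
sample_headers='HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=UTF-8'
printf '%s\n' "$sample_headers" | check_hsts
```

The header only takes effect when the browser receives it over HTTPS, so run the check against the response of the SSL vhost.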

HTTP Strict Transport Security or HSTS is a new security feature in browsers that enables you to tell the browser “always use SSL when accessing this site”.

Mozilla has a good blog post explaining HSTS, so I won’t try to replicate that here, but I’d just like to make it clear that if you have a site that should always use SSL, be it Drupal or Django or any other system, this is definitely something you should get set up.

Good examples of these are webmail, server administration and monitoring tools and general admin backends. If you are running a large Drupal-site, you should perhaps consider restricting admin-access to a SSL-protected subdomain.

Currently, it is only supported in Chrome 4 and above, and Firefox 4 beta 5 and beyond, but hopefully the other browser makers will catch up soon. It’s fully backwards compatible, in that it will have no effect if the browser does not support HSTS.

How to use it

Setting it up is very simple. In your Apache VHost, where you do your SSL config, just add this line:

Header add Strict-Transport-Security "max-age=15768000"
This will tell the browser to remember that this site is SSL/HTTPS only for the next 6 months. During that time it will simply rewrite any and all requests to that site to use HTTPS instead of HTTP without ever communicating insecurely with the server.

If you use nginx, the syntax is subtly different. Adding this to the server section does the trick:

add_header Strict-Transport-Security max-age=15768000;
Keep your redirects

An important point is that HSTS only works after the user has received the header via HTTPS. So you will still need to have a redirect from your HTTP-site to HTTPS, also for supporting browsers that still do not understand HSTS.

This is easily accomplished using Apache’s mod_rewrite:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Thus, with a few lines of configuration, you can make the web a safer place to be for your users. So, what are you waiting for?

Solaris 11 direct root login access

This will be helpful for those who want to have direct root login locally and via SSH

Comment out the “CONSOLE=/dev/console” line in /etc/default/login.

Modify PermitRootLogin to yes in /etc/ssh/sshd_config

Remove “:type=role” from the root entry in /etc/user_attr

Remove highlighted part

root::::type=role
root:::

How to rescan the new Storage (LUN) in Linux without reboot

To get the details of the Fibre Channel adapters to rescan, list the /sys/class/fc_host
directory. On old RHEL hosts you will not get this listing. In this case you can use
the /sys/class/scsi_host directory, but it will list all internal adapters too.

1. In order to scan for a new LUN we need to run a LIP (Loop Initialization Protocol) on the
interconnect to update the SCSI layer to reflect the devices currently on the bus. A LIP is a
bus reset, which causes device addition and removal.

# ls -l /sys/class/fc_host
total 0
drwxr-xr-x 3 root root 0 Feb 27 09:11 host0
drwxr-xr-x 3 root root 0 Feb 27 09:11 host1

2. Make the OS aware of the new storage
# echo "1" > /sys/class/fc_host/host1/issue_lip
# echo "1" > /sys/class/fc_host/host2/issue_lip
# echo "- - -" > /sys/class/scsi_host/host1/scan
# echo "- - -" > /sys/class/scsi_host/host2/scan

 

 

Linux detecting SAN LUN without reboot

Detecting SAN LUN without rebooting the server in Linux

Rescan the bus by echoing the /sys filesystem (only for Linux 2.6 kernels)

For Linux 2.6 kernels only, a rescan can be triggered through the /sys interface without having to unload the host adapter driver or reboot the system. The following command will scan all channels, targets, and LUNs on host H.

echo "- - -" > /sys/class/scsi_host/host_H/scan

Example:

echo "- - -" > /sys/class/scsi_host/host1/scan

echo "- - -" > /sys/class/scsi_host/host2/scan
echo "- - -" > /sys/class/scsi_host/host4/scan

OR
# rescan every SCSI host adapter present on the system
for host in /sys/class/scsi_host/host*; do
    echo "- - -" > "$host/scan"
done

Note: Below is the explanation of the wildcard.

"- - -" in the above means C T L ("Channel on HBA", "Target SCSI id", "LUN").
"- - -" is a wildcard used instead of specifying the C T L.

3. After rescanning, confirm whether you are seeing the new storage disks [LUN] by listing the
content under /proc
# cat /proc/scsi/scsi | grep scsi | uniq

4. Now we can list the newly scanned LUN using the "fdisk -l" command.
# fdisk -l

5. If we have multipath configured then we can see as below:
# multipath
# multipath -ll

Apache OpenSSL

Apache v1.X

Download the appropriate intermediate certificate(s). Save it in a text editor such as Notepad as “intermediate.pem”
Copy your SSL certificate from the order fulfillment email or log into your GlobalSign Certificate Center account and download it. Paste it into a text editor. Save as “mydomain.pem.”
Copy “mydomain.crt” and “intermediate.pem” to the directory in which you plan to store your certificates.
Open your “httpd.conf” file with a text editor. Please note that some installations keep the SSL section separately in the “ssl.conf” file. Locate the virtual host section for the site that the SSL certificate will secure.

Your virtual host section will need to contain the following directives.
SSLCertificateChainFile – This will need to point to the appropriate intermediate root CA certificates.
SSLCertificateFile – This will need to point to the end entity certificate. This is the certificate you have named “mydomain.crt.”
SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
Save the changes to the file and quit the text editor.
Restart Apache.

Apache v2.X

Download the appropriate GlobalSign root certificate and save it in a text editor as “gs_root.pem.” Only the ExtendedSSL certificate uses the GlobalSign root CA R2 certificate.
Download the appropriate intermediate certificate(s) and save it in a text editor as “intermediate.pem”.
Copy your SSL certificate from the order fulfillment e-mail or log into your GlobalSign Certificate Center account and download it. Paste it into a text editor. Save the file as “mydomain.crt.”
Copy “mydomain.crt” and “intermediate.pem” to the directory in which you plan to store your certificates.
Open your “httpd.conf” file with a text editor. Please note that some installations keep the SSL section separately in the “ssl.conf” file. Locate the virtual host section for the site that the SSL certificate will secure.

Your virtual host section will need to contain the following directives:
SSLCACertificateFile – This will need to point to the appropriate GlobalSign root CA certificate.
SSLCertificateChainFile – This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.
SSLCertificateFile – This will need to point to the end entity certificate. This is the certificate you have called “mydomain.crt.”
SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
Save the changes to the file. Quit the text editor.
Restart Apache.
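
Before restarting Apache it is worth checking the files those directives point to. The following is an added example, not GlobalSign's or the original post's code: it checks that the certificate matches the private key, that the chain verifies from the end entity certificate to the root, and that the key file is not readable by group or others. The function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the files named in the SSL directives.

# Succeeds when the certificate ($1) and private key ($2) carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate chains through the intermediates to the root.
# $1 = root (SSLCACertificateFile), $2 = intermediates (SSLCertificateChainFile),
# $3 = end entity certificate (SSLCertificateFile)
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds when the key file ($1) grants no access to group or others.
key_is_private() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run all three checks, report each failure, return non-zero if any failed.
# usage: check_tls_files root intermediates cert key
check_tls_files() {
    rc=0
    cert_matches_key "$3" "$4" || { echo "certificate and key do not match" >&2; rc=1; }
    chain_verifies "$1" "$2" "$3" || { echo "chain does not verify" >&2; rc=1; }
    key_is_private "$4" || { echo "key is readable by group or others" >&2; rc=1; }
    return "$rc"
}

# Example call with the file names used in the steps above
# (the key path is a placeholder):
#   check_tls_files gs_root.pem intermediate.pem mydomain.crt /path/to/private.key
```
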

ORA-01078: failure in processing system parameters

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db.rmohan.com)(PORT=1521)))
The listener supports no services
The command completed successfully
[oracle@db ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Tue May 20 00:42:10 2014

Copyright (c) 1982, 2009, Oracle. All rights reserved.

Connected to an idle instance.

SQL> select name from v$datafile;
select name from v$datafile
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
SQL> startup mount
ORA-01078: failure in processing system parameters
LRM-00109: could not open parameter file ‘/u01/app/oracle/product/11.2.0/db_1/dbs/initDB11G.ora’
SQL> startup
ORA-01078: failure in processing system parameters
LRM-00109: could not open parameter file ‘/u01/app/oracle/product/11.2.0/db_1/dbs/initDB11G.ora’
SQL> exit
Disconnected
[oracle@db ~]$ env|grep ORA|sort
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
ORACLE_HOSTNAME=db.rmohan.com
ORACLE_SID=DB11G
ORACLE_UNQNAME=DB11G
[oracle@db ~]$ cat /etc/oratab
cat: /etc/oratab: No such file or directory
[oracle@db ~]$ export ORACLE_SID=orcl
[oracle@db ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Tue May 20 00:44:23 2014

Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> startup
ORA-01081: cannot start already-running ORACLE – shut it down first
SQL> shutdown
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount
ORACLE instance started.

Total System Global Area 3223535616 bytes
Fixed Size 2217672 bytes
Variable Size 1761610040 bytes
Database Buffers 1442840576 bytes
Redo Buffers 16867328 bytes
Database mounted.
SQL>

Moving the control, data and redo log file of an Oracle 11g R2 database to a new location


I’m looking into moving the location of the control file of my Oracle database to a different location. The new location will be a file system that has been mounted on an IBM Storwize V7000 storage system.

Found some great information at http://psoug.org/reference/control_file.html

Here is what I did on my system.

$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Thu Feb 10 12:01:47 2011

Copyright (c) 1982, 2009, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter control;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
control_file_record_keep_time        integer     7
control_files                        string      /home/test/test1/control01.ctl
                                                 , /home/test/test1/control02.c
                                                 tl
control_management_pack_access       string      DIAGNOSTIC+TUNING
SQL>
SQL> shutdown abort;
ORACLE instance shut down.
SQL> create pfile from spfile;

File created.

SQL>

On the host system, copy the files from their current location (/home/test/test1) to the new location (/oraarch/test1).


$ ls
control01.ctl  redo01.log     redo03.log     system01.dbf   undotbs01.dbf
control02.ctl  redo02.log     sysaux01.dbf   temp01.dbf     users01.dbf
$ pwd
/home/test/test1
$

Next, update the init<instance_name>.ora file under $ORACLE_HOME/dbs with the new location

$ cat inittest1.ora | grep control
*.control_files='/oraarch/test1/control01.ctl','/oraarch/test1/control02.ctl'

Now, create a new spfile with the updated information.

SQL> create spfile from pfile;

File created.

SQL> show parameter control;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
control_file_record_keep_time        integer     7
control_files                        string      /oraarch/test1/control01.ctl,
                                                 /oraarch/test1/control02.ctl
control_management_pack_access       string      DIAGNOSTIC+TUNING
SQL>

There we go, we have the location of the control files updated.

==================================================================

Next we will move the data files to the new location.

isvp17> su - oracle
$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Thu Feb 10 12:59:00 2011

Copyright (c) 1982, 2009, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select name from v$datafile;

NAME
--------------------------------------------------------------------------------
/home/test/test1/system01.dbf
/home/test/test1/sysaux01.dbf
/home/test/test1/undotbs01.dbf
/home/test/test1/users01.dbf

SQL> shutdown abort;
ORACLE instance shut down.
SQL>

Copy the data files to the new location.

$ cp /home/test/test1/system01.dbf /oradata/test1
$ cp /home/test/test1/sysaux01.dbf /oradata/test1
$ cp /home/test/test1/undotbs01.dbf /oradata/test1
$ cp /home/test/test1/users01.dbf /oradata/test1


Start the database in startup mount mode
$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.1.0 Production on Thu Feb 10 13:04:41 2011

Copyright (c) 1982, 2009, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> startup mount;
ORACLE instance started.

Total System Global Area 1.0289E+10 bytes
Fixed Size                  2215712 bytes
Variable Size            5301600480 bytes
Database Buffers         4966055936 bytes
Redo Buffers               18743296 bytes
Database mounted.
SQL>
SQL> alter database rename file '/home/test/test1/system01.dbf' to '/oradata/test1/system01.dbf';

Database altered.

SQL> alter database rename file '/home/test/test1/sysaux01.dbf' to '/oradata/test1/sysaux01.dbf';

Database altered.
SQL> alter database rename file '/home/test/test1/undotbs01.dbf' to '/oradata/test1/undotbs01.dbf';

Database altered.

SQL> alter database rename file '/home/test/test1/users01.dbf' to '/oradata/test1/users01.dbf';

Database altered.

SQL> alter database open;

Database altered.

SQL> select name from v$datafile;

NAME
--------------------------------------------------------------------------------
/oradata/test1/system01.dbf
/oradata/test1/sysaux01.dbf
/oradata/test1/undotbs01.dbf
/oradata/test1/users01.dbf

SQL>

==================================================================================

Lastly we will change the location of the redo logs of the database

Found lots of good information on it at http://www.ordba.net/Tutorials/Redolog.htm

Here is how I moved my redo logs to the new location.

SQL> shutdown abort;
ORACLE instance shut down.
SQL>



$ cp redo0*.log /oralog/test1
$ ls /oralog/test1
redo01.log  redo02.log  redo03.log
$


SQL> startup mount;
ORACLE instance started.

Total System Global Area 1.0289E+10 bytes
Fixed Size                  2215712 bytes
Variable Size            5301600480 bytes
Database Buffers         4966055936 bytes
Redo Buffers               18743296 bytes
Database mounted.
SQL> select member from v$logfile;

MEMBER
--------------------------------------------------------------------------------
/home/test/test1/redo03.log
/home/test/test1/redo02.log
/home/test/test1/redo01.log

SQL>
SQL> alter database rename file '/home/test/test1/redo01.log' to '/oralog/test1/redo01.log';

Database altered.

SQL> alter database rename file '/home/test/test1/redo02.log' to '/oralog/test1/redo02.log';

Database altered.

SQL> alter database rename file '/home/test/test1/redo03.log' to '/oralog/test1/redo03.log';

Database altered.

SQL>
SQL> alter database open;

Database altered.

SQL> select member from v$logfile;

MEMBER
--------------------------------------------------------------------------------
/oralog/test1/redo03.log
/oralog/test1/redo02.log
/oralog/test1/redo01.log

SQL>