Install Tomcat and Apache on CentOS 7

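# Build Apache httpd 2.4.18 with its own APR / APR-util / PCRE, plus the mod_jk
# (tomcat-connectors) module, from source on CentOS 7.  Run as root: everything
# is installed under /usr/local.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Every version is declared once so the download, extract and cd steps cannot
# disagree (the original notes fetched apr-1.5.2 / apr-util-1.5.4 but then
# extracted and built apr-1.5.1 / apr-util-1.5.3, which do not exist locally).
readonly httpd_ver=2.4.18
readonly apr_ver=1.5.2
readonly apr_util_ver=1.5.4
readonly pcre_ver=8.35
readonly jk_ver=1.2.40
readonly src_dir=/usr/local/src

yum install gcc-c++ openssl-devel.x86_64

cd "$src_dir" || die "cannot cd to $src_dir"

# The mirrors below are plain HTTP.  Before extracting, check each tarball
# against the .sha256 / .asc that the project publishes on its own (HTTPS)
# download page; an unverified archive from an HTTP mirror is the weakest link
# of this whole build.
wget "http://mirror.nus.edu.sg/apache//httpd/httpd-${httpd_ver}.tar.gz"
wget "http://ftp.ps.pl/pub/apache//apr/apr-${apr_ver}.tar.gz"
wget "http://ftp.ps.pl/pub/apache//apr/apr-util-${apr_util_ver}.tar.gz"
# pcre is never downloaded by the original notes; it has to be placed here by
# hand (and verified the same way) before this point.
[[ -f "pcre-${pcre_ver}.tar.bz2" ]] || die "pcre-${pcre_ver}.tar.bz2 is missing in $src_dir"

tar xvfz "apr-${apr_ver}.tar.gz"
tar xvfz "apr-util-${apr_util_ver}.tar.gz"
tar xvfz "httpd-${httpd_ver}.tar.gz"
tar xvf "pcre-${pcre_ver}.tar.bz2"

# configure / make / make install inside one source tree.  Options are passed
# with a real "--": the original used an en dash ("–prefix=..."), which
# configure does not recognise as an option.
build() {
  local dir=$1; shift
  ( cd "$src_dir/$dir" || exit 1
    ./configure "$@"
    make
    make install )
}

build "apr-${apr_ver}" --prefix=/usr/local/apr
build "apr-util-${apr_util_ver}" --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
build "pcre-${pcre_ver}" --prefix=/usr/local

# The original spread these options over "\"-continued lines separated by blank
# lines, which ends the command after the first option; an array keeps the
# whole option list as one unit.
httpd_opts=(
  --prefix=/usr/local/apache
  --enable-rule=SHARED_CORE
  --enable-so
  --enable-rewrite
  --enable-vhost-alias
  --enable-ssl
  --enable-proxy
  --enable-shared=max
  --enable-modules=shared
  --enable-mods-shared=all
  --with-apr=/usr/local/apr
  --with-charset=utf-8
  --with-mpm=prefork
  --with-apr-util=/usr/local/apr-util
)
build "httpd-${httpd_ver}" "${httpd_opts[@]}"

# mod_jk connector, built against the httpd just installed (via its apxs).
cd "$src_dir"
wget "http://apache.mirror.cdnetworks.com/tomcat/tomcat-connectors/jk/tomcat-connectors-${jk_ver}-src.tar.gz" -O connector.tar.gz
tar -zxvf connector.tar.gz
cd "tomcat-connectors-${jk_ver}-src/native/"
./configure --with-apxs=/usr/local/apache/bin/apxs
make && make install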

cd /usr/local/apache/conf/

vi workers.properties

worker.list=pem

worker.pem.port=8009

worker.pem.host=localhost

worker.pem.type=ajp13

vi /usr/local/apache/conf/httpd.conf

#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

LoadModule jk_module modules/mod_jk.so

<IfModule jk_module>

JkWorkersFile conf/workers.properties

JkLogFile logs/mod_jk.log

JkLogLevel error

</IfModule>

#Include conf/extra/httpd-vhosts.conf

Include conf/extra/httpd-vhosts.conf

#Listen 9090

vi /usr/local/apache/conf/extra/httpd-vhosts.conf

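Listen 9090

<VirtualHost *:9090>
    ServerAdmin rmohan@rmohan.com
    DocumentRoot /data/test/webapp
    ServerName www.rmohan.com

    # Straight quotes: httpd's config parser does not treat the curly quotes of
    # the original as quoting, so the quote characters would become part of
    # the log file name.
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common

    # Everything is handed to the "pem" AJP worker from workers.properties
    # ("JkMount / pem" alone already covers the more specific mounts; they are
    # kept as in the original).
    JkMount /*.jsp pem
    JkMount /*.phyjax pem
    JkMount /*.phy pem
    JkMount /*.phyin pem
    JkMount / pem
    JkMount /j_spring_security_logout pem
    JkMount /j_spring_security_check pem

    # This must be the DocumentRoot path: the original named /home/test/webapp
    # here while serving /data/test/webapp, so these access rules never applied
    # to the directory actually being served.  (If /home/test/webapp was the
    # intended root, change DocumentRoot instead.)
    <Directory "/data/test/webapp">
        # No "Indexes": directory listings are exactly what the hardening
        # section of these notes switches off; the original enabled them here.
        Options FollowSymLinks
        AllowOverride None
        # httpd 2.4 authorization only.  The 2.2-style "Order allow,deny /
        # Allow from all" lines were dropped: they only work through
        # mod_access_compat and, combined with Require, make the effective
        # rule harder to read.
        Require all granted
    </Directory>
</VirtualHost>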

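# Ownership: keep the install tree (binaries, modules, conf) owned by root and
# give the runtime account only what it must write.  The original
# "chown -R apache:apache /usr/local/apache" let the unprivileged worker
# rewrite httpd.conf and the .so modules, which turns any compromise of the
# web tier into a persistent, root-executed one (httpd is started by root).
chown -R root:root /usr/local/apache
chown -R apache:apache /usr/local/apache/logs

# No setuid bit on httpd.  systemd starts the server as root and the
# User/Group directives in httpd.conf drop privileges for the workers (check
# that they name the "apache" account), so "+s" buys nothing; it would let
# any local user start a root-privileged httpd with a config of their choosing.
cd /usr/local/apache/bin || exit 1
chmod u-s,g-s httpd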

vi /usr/lib/systemd/system/apache.service

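[Unit]
Description=apache2 Service
After=syslog.target
After=network.target

[Service]
# apachectl forks the real daemon and exits, hence Type=forking.
Type=forking
ExecStart=/usr/local/apache/bin/apachectl start
# Path fixed: the original read /usr/loacal/..., so "systemctl stop" failed
# and left httpd running.
ExecStop=/usr/local/apache/bin/apachectl graceful-stop
ExecReload=/usr/local/apache/bin/apachectl graceful
# Private /tmp so the server cannot see (or be fed) other users' temp files.
PrivateTmp=true
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target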

systemctl enable apache

 

 

 
CentOS 7 Tomcat (systemctl)

# vi /usr/lib/systemd/system/tomcat.service

tomcat.service

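[Unit]
Description=Tomcat7 Service
After=syslog.target
After=network.target

[Service]
Type=forking
# Run the JVM as an unprivileged account.  Without User=/Group= this unit
# started Tomcat as root, so every deployed webapp ran with root privileges.
# The account must exist beforehand (the multi-instance section of these notes
# creates it with "useradd -r ... tomcat") and must be able to write Tomcat's
# logs, temp and work directories under /usr/tomcat.
User=tomcat
Group=tomcat
ExecStart=/usr/tomcat/bin/catalina.sh start
ExecStop=/usr/tomcat/bin/catalina.sh stop

[Install]
WantedBy=multi-user.target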

Harden the Apache Web Server on CentOS 7

Harden the Apache Web Server on CentOS 7

[root@clusterserver1 conf]# yum install httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* epel: mirrors.hustunique.com
* extras: mirror.vodien.com
* updates: mirror.vodien.com
Resolving Dependencies
–> Running transaction check
—> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
–> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
Package                  Arch                      Version                                 Repository               Size
==========================================================================================================================
Installing:
httpd                    x86_64                    2.4.6-40.el7.centos                     base                    2.7 M

Transaction Summary
==========================================================================================================================
Install  1 Package

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/d/N]: y
Downloading packages:
httpd-2.4.6-40.el7.centos.x86_64.rpm                                                               | 2.7 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : httpd-2.4.6-40.el7.centos.x86_64                                                                       1/1
Verifying  : httpd-2.4.6-40.el7.centos.x86_64                                                                       1/1

Installed:
httpd.x86_64 0:2.4.6-40.el7.centos

Complete!

Hide the Apache version

Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon on the top right side.

If you check the HTTP response headers in Firebug, it will show the Apache version along with your operating system name and version, as shown in this screenshot:

[root@clusterserver1 test]# curl -I http://localhost/tetete
HTTP/1.1 404 Not Found
Date: Sun, 03 Jan 2016 17:20:18 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=iso-8859-1

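echo "Change Apache Security"

httpd_conf=/etc/httpd/conf/httpd.conf

# Straight quotes throughout: the curly quotes of the original are ordinary
# characters to bash, so they ended up inside the sed expressions and inside
# the appended directives.

# Rewrite the directives wherever they already appear (whatever the current
# value, not only "OS" / "On")...
sed -i 's/^ServerTokens .*$/ServerTokens Prod/' "$httpd_conf"
sed -i 's/^ServerSignature .*$/ServerSignature Off/' "$httpd_conf"

# ...and append a directive only when it is still absent.  The original
# appended unconditionally right after the sed, leaving two ServerTokens and
# two ServerSignature lines; httpd honours the last one, so it still worked,
# but the duplicate hides whether the sed ever matched.
ensure_directive() {
  local directive=$1 value=$2
  if ! grep -q "^${directive} " "$httpd_conf"; then
    printf '%s %s\n' "$directive" "$value" >> "$httpd_conf"
  fi
}
ensure_directive ServerTokens Prod
ensure_directive ServerSignature Off
ensure_directive UseCanonicalName On
ensure_directive TraceEnable Off

# Validate the file before restarting so a typo cannot take the site down.
apachectl configtest && systemctl restart httpd

grep -E 'ServerTokens|ServerSignature' "$httpd_conf"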

[root@clusterserver1 test]# curl -I http://localhost/tetete
HTTP/1.1 404 Not Found
Date: Sun, 03 Jan 2016 17:22:35 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

[root@clusterserver1 test]#

Turn off directory listing

Directory listing in the absence of an index file is enabled by default in Apache.

Directory listing displays all the files from the Apache web root directory. If this is enabled,
then a hacker can easily view any file, analyze it, and obtain sensitive information about an application of your Apache server.

Turn off this setting with the Options directive in the Apache configuration file for the specific web directory:
vi /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html and add -Indexes in the Options directive:
<Directory /var/www/html/>
Options -Indexes
AllowOverride None
Require all granted
</Directory>

Save the file and restart Apache service to reflect these changes.
systemctl restart httpd

Disable Apache directory indexes

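# Comment out the mod_autoindex decoration directives.  Note that listings are
# disabled by "Options -Indexes" above; this only removes the now-unused
# icon/readme configuration.  Straight quotes: sed rejects the curly quotes of
# the original as unknown commands.  -i.bak keeps the previous file to diff
# against.  On CentOS 7 these directives usually live in
# /etc/httpd/conf.d/autoindex.conf rather than httpd.conf — check which file
# actually contains them before running this.
sed -i.bak \
  -e 's~^IndexOptions \(.*\)$~#IndexOptions \1~g' \
  -e 's~^IndexIgnore \(.*\)$~#IndexIgnore \1~g' \
  -e 's~^AddIconByEncoding \(.*\)$~#AddIconByEncoding \1~g' \
  -e 's~^AddIconByType \(.*\)$~#AddIconByType \1~g' \
  -e 's~^AddIcon \(.*\)$~#AddIcon \1~g' \
  -e 's~^DefaultIcon \(.*\)$~#DefaultIcon \1~g' \
  -e 's~^ReadmeName \(.*\)$~#ReadmeName \1~g' \
  -e 's~^HeaderName \(.*\)$~#HeaderName \1~g' \
  /etc/httpd/conf/httpd.conf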

Disable unnecessary modules

By default Apache comes with lots of unnecessary installed modules. It is a good policy to disable any unnecessary modules that are not in use.

The enabled modules are loaded from the drop-in files in the following directory; renaming a file so it no longer ends in .conf disables the modules it loads:

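# Show what is actually loaded before disabling anything.
httpd -M

# Module drop-ins: httpd.conf pulls in conf.modules.d/*.conf, so renaming a
# file away from the .conf suffix stops its LoadModule lines from being read.
# (The original listed the directory on its own, as if it were a command.)
cd /etc/httpd/conf.modules.d || exit 1
mv 00-dav.conf 00-dav.conf.bk
mv 00-lua.conf 00-lua.conf.bk

# Make sure the remaining configuration still parses before the restart.
apachectl configtest && systemctl restart httpd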

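# Comment out the language-negotiation directives.  Straight quotes: sed
# rejects the curly quotes of the original as unknown commands; -i.bak keeps
# the previous file for comparison.  The same edit is repeated further down
# under "Disable Apache language based content negotiation", where it belongs.
sed -i.bak \
  -e 's~^LanguagePriority \(.*\)$~#LanguagePriority \1~g' \
  -e 's~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g' \
  -e 's~^AddLanguage \(.*\)$~#AddLanguage \1~g' \
  /etc/httpd/conf/httpd.conf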

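# Switch every LoadModule in 00-base.conf off, then re-enable only what this
# site needs.  Changes from the original: straight quotes (sed cannot parse
# the curly ones), the duplicated alias_module line dropped, and three modules
# added without which httpd 2.4 refuses to start on this configuration:
#   authz_core_module    - provides "Require", used in every <Directory> block
#   access_compat_module - provides the 2.2-style Order/Allow/Deny lines that
#                          the later <Directory /> and <LimitExcept> examples
#                          in these notes rely on
#   unixd_module         - provides the User/Group directives
# Run "apachectl configtest" afterwards: a missing module shows up as an
# "Invalid command" error naming the directive.  If status_module stays
# enabled, restrict /server-status to administrative hosts — it exposes
# request and client details to anyone who can reach it.
sed -i.bak \
  -e 's~^\(LoadModule .*\)$~#\1~g' \
  -e 's~^#LoadModule mime_module ~LoadModule mime_module ~g' \
  -e 's~^#LoadModule log_config_module ~LoadModule log_config_module ~g' \
  -e 's~^#LoadModule setenvif_module ~LoadModule setenvif_module ~g' \
  -e 's~^#LoadModule status_module ~LoadModule status_module ~g' \
  -e 's~^#LoadModule authz_host_module ~LoadModule authz_host_module ~g' \
  -e 's~^#LoadModule authz_core_module ~LoadModule authz_core_module ~g' \
  -e 's~^#LoadModule access_compat_module ~LoadModule access_compat_module ~g' \
  -e 's~^#LoadModule unixd_module ~LoadModule unixd_module ~g' \
  -e 's~^#LoadModule dir_module ~LoadModule dir_module ~g' \
  -e 's~^#LoadModule alias_module ~LoadModule alias_module ~g' \
  -e 's~^#LoadModule expires_module ~LoadModule expires_module ~g' \
  -e 's~^#LoadModule deflate_module ~LoadModule deflate_module ~g' \
  -e 's~^#LoadModule headers_module ~LoadModule headers_module ~g' \
  /etc/httpd/conf.modules.d/00-base.conf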

Disable Apache language based content negotiation

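# Comment out the language-negotiation directives.  The leading "#" of the
# original was a root prompt; as shell it would comment out the first line and
# leave the "-e" lines to fail on their own.  Straight quotes replace the curly
# ones, which sed rejects; -i.bak keeps the previous file.  Running this a
# second time is harmless: the patterns no longer match commented lines.
sed -i.bak \
  -e 's~^LanguagePriority \(.*\)$~#LanguagePriority \1~g' \
  -e 's~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~g' \
  -e 's~^AddLanguage \(.*\)$~#AddLanguage \1~g' \
  /etc/httpd/conf/httpd.conf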

Turn off server-side includes (SSI) and CGI execution

Server-side includes (SSI) are directives placed in the HTML pages of a web application. An SSI injection attack allows a web application to be exploited by remotely executing arbitrary code: the attacker can read sensitive information such as password files and execute shell commands. It is recommended that you disable server-side includes and CGI execution if they are not needed.

To do this, edit the main Apache config file:

/etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html and add -ExecCGI and -Includes to the Options directive:
<Directory /var/www/html/>
Options -Indexes -FollowSymLinks -ExecCGI -Includes
AllowOverride None
Require all granted
</Directory>

nano /etc/httpd/conf/httpd.conf

Add the following line:
<Directory /var/www/html/www.vhost1.com/>
Options -Includes -ExecCGI
</Directory>

Save the file and restart Apache.

Limit request size

By default Apache has no limit on the size of an HTTP request body. This allows an attacker to send arbitrarily large requests.

You can limit the requests size by using the Apache directive LimitRequestBody in combination with the Directory tag. This can help protect your web server from a denial of service (DOS) attack.

Suppose you have a site (www.example.com), where you allow uploads, and you want to limit the upload size on this site.

You can set value from 0 (unlimited) to 2147483647 (2GB) in the main Apache config file.

For example, to limit the request size for the /var/www/html/www.example.com directory to 200K:

/etc/httpd/conf/httpd.conf

Add the following line:
<Directory /var/www/html/www.example.com>
LimitRequestBody 204800
</Directory>

Disallow browsing outside the document root

Unless you have a specific need, it is recommended to restrict Apache to being only able to access the document root.

You can secure the root directory / with Allow and Deny options in the httpd.conf file.

/etc/httpd/conf/httpd.conf

Add/edit the following line:
<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

Save the file and restart Apache:
sudo apachectl restart

•Options None : This will turn off all options
•Order deny,allow : The order in which the allow and deny commands are applied
•Deny from all : This will deny request from all to the root directory

Secure Apache from clickjacking attacks

Clickjacking, also known as a "user interface redress attack," is a technique for hijacking a visitor's clicks: the victim is tricked into clicking on an attacker-controlled page that has your site loaded in an invisible frame.

To avoid this, you need to use X-FRAME-OPTIONS to prevent your website from being used by clickjackers.

You can do this by editing the httpd.conf file:
sudo nano /etc/httpd/conf/httpd.conf

Add the following line:
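# "set" rather than "append": append adds a second value when the application
# already emits the header, and a multi-valued X-Frame-Options header may be
# ignored by browsers.  "always" also covers error responses.  Requires
# mod_headers.
Header always set X-Frame-Options "SAMEORIGIN"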

Disable ETag

ETags (entity tags) are a well-known point of vulnerability in Apache web server.
ETag is an HTTP response header that allows remote users to obtain sensitive information like inode number, child process ids, and multipart MIME boundary. ETag is enabled in Apache by default.

To prevent this vulnerability, disabling ETag is recommended.

You can do this by editing httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
FileETag None

HTTP request methods

Apache supports the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE methods of the HTTP 1.1 protocol.
Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add the following lines under this section:
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Save the file and restart Apache:

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
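<IfModule mod_headers.c>
    # Straight quotes: httpd does not treat the curly quotes of the original as
    # quoting, so the value would not have been parsed as one argument.
    # X-XSS-Protection is a legacy header that current browsers no longer
    # honour; a Content-Security-Policy header is the control to rely on.
    Header set X-XSS-Protection "1; mode=block"
</IfModule>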

HTTP request methods

Apache supports the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE methods of the HTTP 1.1 protocol. Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:
sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with Directory /var/www/html. Add the following lines under this section:
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

Save the file and restart Apache:

sudo apachectl restart

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

/etc/httpd/conf/httpd.conf

Add the following line:
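<IfModule mod_headers.c>
    # Straight quotes: httpd does not treat the curly quotes of the original as
    # quoting, so the value would not have been parsed as one argument.
    # X-XSS-Protection is a legacy header that current browsers no longer
    # honour; a Content-Security-Policy header is the control to rely on.
    Header set X-XSS-Protection "1; mode=block"
</IfModule>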

HDFS Command Syntax

HDFS Command Syntax Overview:
hadoop fs
: Ex.: hadoop fs -ls 
hadoop version : check hadoop installed properly

HELP:
help [cmd]: hopefully this is self-describing 

Inspect files:
ls/lsr : list all files in
cat : print on stdout
tail [-f] : output the last part of the

test : return attributes of file and directory
touchz : create a new empty file of size 0
du/dus : show space utilization

count : no. of directories, files, and bytes
setrep : (-r) change the replication factor of file/directory
stat : info about the specified path
Create/remove files:
mkdir : create a directory
mv : move (rename) files
cp : copy files
rm/rmr : remove files
Copy/Put files from remote m/c into the HADOOP cluster:
copyFromLocal : copy a local file to the HDFS
copyToLocal : copy a file on the HDFS to the local disk

cp : copies one or more files
get : copies files to the local file system
put : copies files from the local file system
mv : moves one or more files

Hadoop Namenode Commands:
hadoop namenode -format: Format HDFS filesystem from Namenode
hadoop namenode -upgrade: Upgrade the NameNode
start-dfs.sh : Start HDFS daemons
stop-dfs.sh : Stop HDFS daemons
start-mapred.sh : Start MapReduce daemons
stop-mapred.sh : Stop MapReduce daemons
hadoop namenode -recover -force: Recover namenode metadata after a cluster failure (may lose data) 

Hadoop Configuration Files:
core-site.xml : Parameters for entire Hadoop cluster
hdfs-site.xml : Parameters for HDFS and its clients
mapred-site.xml : Parameters for MapReduce and its clients

yarn-site.xml : Parameters for nodemanager and resource manager
masters : Host machines for secondary Namenode
slaves : List of slave hosts

hadoop-env.sh : Sets ENV variables for Hadoop 
set JAVA_HOME=%JAVA_HOME%
set HADOOP_PREFIX=D:\Hadoop

Hadoop Job Commands
hadoop job -submit : Submit the job
hadoop job -status : Print job status completion percentage
hadoop job -list all : List all jobs
hadoop job -list-active-trackers : List all available TaskTrackers
hadoop job -set-priority : Set priority for a job. Valid priorities : VERY_HIGH, HIGH, NORMAL, LOW, VERY_LOW
hadoop job -kill-task : Kill a task
hadoop job -history : Display job history including job details, failed and killed jobs
Hadoop mradmin Commands
hadoop mradmin -safemode get : Check Job tracker status
hadoop mradmin -refreshQueues : Reload mapreduce configuration
hadoop mradmin -refreshNodes : Reload active TaskTrackers
hadoop mradmin -refreshServiceAcl : Force Jobtracker to reload service ACL
hadoop mradmin -refreshUserToGroupsMappings : Force jobtracker to reload user group mappings
Hadoop fsck Commands
hadoop fsck / : Filesystem check on HDFS
hadoop fsck / -files : Display files during check
hadoop fsck / -files -blocks : Display files and blocks during check
hadoop fsck / -files -blocks -locations : Display files, blocks and their locations
hadoop fsck / -files -blocks -locations -racks : Display network topology for data-node locations
hadoop fsck -delete : Delete corrupted files
hadoop fsck -move : Move corrupted files to /lost+found directory

Hadoop Balancer Commands
start-balancer.sh : Balance the cluster
hadoop dfsadmin -setBalancerBandwidth : Adjust bandwidth used by the balancer
hadoop balancer -threshold 20 : Limit balancing to only 20% resources in the cluster

Hadoop Safe Mode (Maintenance Mode) Commands
The following dfsadmin commands helps the cluster to enter or leave safe mode, which is also called as maintenance mode.
In this mode, Namenode does not accept any changes to the name space, it does not replicate or delete blocks.
hadoop dfsadmin -safemode enter : Enter safe mode
hadoop dfsadmin -safemode leave : Leave safe mode
hadoop dfsadmin -safemode get : Get the status of mode
hadoop dfsadmin -safemode wait : Wait until HDFS finishes data block replication
hadoop dfsadmin -report : total usage on the cluster

Launching Hadoop Jobs:
hadoop jar [mainClass] args... :
Launch job via jar file
hadoop jar com.twitter.scalding.Tool [mainClass] args : A Scalding job is launched using 
mapred job -kill : If you need to kill a map-reduce job  

Commonly Used Administration Commands:
Format the namenode: hadoop namenode -format
Starting Secondary namenode: hadoop secondarynamenode
Run namenode : hadoop namenode
Run data node: hadoop datanode
Cluster Balancing: hadoop balancer
Run MapReduce job tracker node: hadoop jobtracker
Run MapReduce task tracker node: hadoop tasktracker

Start/Stop Yarn (starts resourcemanager and nodemanager)and DFS (Starts namenode and data node) from sbin directory:
start-yarn, stop-yarn
start-dfs, stop-dfs


Start and Stop ALL daemon from sbin directory:
start-all, stop-all


Check that all 5 daemons (Namenode, Secondary Namenode, Job Tracker, DataNode, Task Tracker) are up:

jps

keytool commands

Public and private keys from a Java Key Store

Step 1: Creating the “public-private” key-pair.
keytool -genkey -alias client -validity 365 -keystore keystore.jks 

Step 2: Validate the “public-private” key pair.
keytool -list -v -keystore keystore.jks

Step 3: Extract the “public key” from the “public-private”
keytool -export -alias client -keystore keystore.jks -rfc -file public.cert

Step 4: Check the extracted public key (public.cert)
type public.cert

Step 5: Time to create the truststore using the public key, which was extracted.
keytool -import -alias client -file public.cert -keystore server.truststore
keytool -list -v -keystore server.truststore

Steps Private Keys Export : It is required to save the private key in the PKCS#12 format
and we can convert that to a text file using openssl:
Step 1: keytool -v -importkeystore -srckeystore keystore.jks -srcalias client -destkeystore myp12file.p12 -deststoretype PKCS12
Step 2: openssl pkcs12 -in myp12file.p12 -out private.pem

Other Keytool Commands:
– keytool -delete -alias client -keystore keystore.jks
– keytool -storepasswd -new new_storepass -keystore keystore.jks
– keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
– Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

OPENSSL CERTIFICATE REQUEST WITH SHA256 SIGNATURE

Technically at the moment there isn't anything really wrong with the SHA-1 hash function, but it is now quite old and is starting to show potential cracks (practical collision attacks against SHA-1 have since been demonstrated, so the move is no longer optional). Hence the reason that the security industry is advising to move to something better. In this case SHA-256.

1. Generate a SSL Key File

First you will need to generate a key file. The example below generates a 2048-bit RSA key; the SHA-256 signature itself is chosen in step 2 when the CSR is created, since a private key carries no signature.

openssl genrsa -out key_name.key 2048 

If you want extra security you could increase the bit lengths.

openssl genrsa -out key_name.key 4096

** Please note that both these examples will not add a password to the key file. To do that you will need to add -des3 to the command.

2. Create a Certificate Signing Request (CSR)

This step will create the actually request file that you will submit to the Certificate Authority (CA) of your choice.

openssl req -out CSR.csr -key key_name.key -new -sha256

You can check that your Certificate Signing Request (CSR) has the correct signature by running the following.

openssl req -in CSR.csr -noout -text

It should display the following if the signature is correct.

Signature Algorithm: sha256WithRSAEncryption

3. Install the Certificate (CRT)

This step is very dependent on the software you use, and is not covered here. All I will say is that these certificates are supported by a multitude of software, including Apache HTTPD and NGINX.

4. Test your installed Certificate

This step is extremely important and will show you any security problems with your SSL configuration.

Qualys have a free hosted service that tests the SSL configuration of Internet facing web servers for SSL issues. The sites tested are rated from A to F, and a report is generated. This report is really useful for tuning your SSL configuration.

https://www.ssllabs.com/

The SSL Labs tests are regularly updated when new issues are discovered. This means that if your server is rated as A today, next week it may be rated as C.

 

2. Optional: Check to see if the CSR really has a SHA-256 signature

openssl req -in CertificateRequest.csr -text -noout

You should see “Signature Algorithm: sha256WithRSAEncryption”

3. Create the certificate

We use the CSR and sign it with the private key and create a public certificate

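# "-signkey" is a single option: the original "– signkey" (an en dash and a
# space) is not accepted by openssl.  -sha256 makes the certificate's own
# signature SHA-256 as well, independently of what the CSR was signed with.
openssl x509 -req -days 365 -sha256 -in CertificateRequest.csr -signkey PrivateKey.key -out my256.crt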

4. Create PKCS key pair

This combines the certificate with the private key to produce the public/private key- pair and a password to allow import into PingFederate

openssl pkcs12 -export -in my256.crt -inkey PrivateKey.key -out my256.p12

Enter Export Password:
Verifying – Enter Export Password:

Use this password when importing the certificate into PingFederate

5. You now have 2 certificates

my256.crt -this is the public key to give to the partner
my256.p12 – signed private / public key for PingFederate “Digital Signature Settings”

 

OpenSSL Commands

OpenSSL Commands

After you applied for a personal or a host certificate, you may need to export the bundle from your browser and convert them into a different format to be able to use them in tools like GSI-SSH in order to authenticate yourself to the grid, and also to be able to install your host certificate into the host which you will be administering.

You will need to use openssl commands after you export your personal/host certificate bundle from your browser to convert them into different formats like “.pem” files.

Here are some useful openssl commands for managing certificates using the OpenSSL toolkit, which is available on most platforms. A Windows version of OpenSSL is also available.

 

Converting a p12 / pfx bundle to a user certificate and private key file e.g. after exporting from a browser or the CertWizard

$> openssl pkcs12 -clcerts -nokeys -out usercert.pem -in cert.p12
$> openssl pkcs12 -nocerts -out userkey.pem -in cert.p12

Please remember after doing this to protect your keys by running chmod 644 usercert.pem and chmod 400 userkey.pem.

Converting a p12 / pfx bundle to a server/service certificate and private key file e.g. after exporting from a browser

$> openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in cert.p12
$> openssl pkcs12 -nocerts -nodes -out hostkey.pem -in cert.p12

Please remember after doing this to protect your keys by running chmod 644 hostcert.pem and chmod 400 hostkey.pem

Convert a certificate and private key file into a p12 bundle e.g. for importing into a browser

$> openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "name for certificate"

Passphrase management

To remove the passphrase of a server/service private key in PEM format (note that this should only be done on server/service certificates – user certificates must always be protected by a passphrase)

$> openssl rsa -in hostkey.pem -out hostkey.pem.new
Enter pass phrase for userkey.pem: ****************
writing RSA key
$> mv hostkey.pem.new hostkey.pem

Checking whether a certificate is valid

If you have the certificate loaded into a browser, you can go to the CA Portal’s Login page and it will show the status of your certificate (if valid).

Alternatively, if you are on a system with the an up-to-date installation of the CA information in (typically) /etc/grid-security/certificates, you can test your certificate like this:

$> openssl verify -CApath /etc/grid-security/certificates usercert.pem

Extracting information from a certificate

Display the Distinguished Name (DN) from a public key in PEM format

$> openssl x509 -in usercert.pem -noout -subject | sed 's/subject= //'

Display the contents of a private key in PEM format

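# "openssl rsa", not "openssl des": the des subcommand is a symmetric cipher
# and does not accept -noout/-text.  This prompts for the key's passphrase and
# prints the private key components to the terminal, so run it only where the
# terminal output is not logged or shared.
$> openssl rsa -in userkey.pem -noout -text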

Display the Distinguished Name (DN) of a p12 file

$> openssl pkcs12 -in cert.p12 -nokeys -clcerts | openssl x509 -noout -subject | sed 's/subject= //'

Extracting information from other objects

Display the contents of a Certificate Revocation List (CRL) in DER format

$>  openssl crl -inform der -noout -text < importCRL

Remove a passphrase from a host private key

To remove a passphrase from the private key of a host certificate

$> openssl rsa -in hostkey.pem -out hostkey.pem

Add a passphrase to a host private key

To add a passphrase to the private key of a host certificate

$> openssl rsa -in hostkey.pem -out hostkey.pem -des3

 Check whether a certificate and a private key match

Perhaps surprisingly, the private key contains the public key, as does the certificate. This example shows a host certificate but of course it works for all certificates:

$> openssl rsa -in hostkey.pem -pubout
$> openssl x509 -in hostcert.pem -pubkey -noout

Now compare the public key blocks printed – do they look the same? In more advanced Unix shells like bash and zsh, you can do it in one line:

$> diff -qs <(openssl rsa -in hostkey.pem -pubout) <(openssl x509 -in hostcert.pem -pubkey -noout)

MYSQL on CENTOS 7

Install MySQL on CentOS 7
Introduction
MySQL is a popular open source relational database. The popularity of MySQL means there is an abundance of information online and well documented client libraries available.
MySQL supports many common database features such as replication, partitioning, triggers, views, and stored procedures. A plugin storage architecture allows support for multiple storage engines.
Requirements
    Single server instance with external connectivity
CentOS 7 or Red Hat Enterprise Linux 7
MySQL 5.6
Add the Repository
Most Linux distributions will already provide the MySQL packages in the default distribution repository. The following steps will describe adding an official YUM repository provided by Oracle which will provide the latest version available.
The YUM repository configuration can be downloaded from the MySQL website.
http://dev.mysql.com/downloads/repo/yum/
Choose the desired distribution (Red Hat Enterprise Linux 7 / Oracle Linux 7 for this tutorial) and click Download.
The download link can be retrieved without registering for an Oracle account. Locate the No thanks, just start my download link and pass the link URL as a parameter to rpm.
sudo rpm -Uvh http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm
Install MySQL Packages
MySQL server can now be installed using YUM. The MySQL client package will be included with the server package.
sudo yum -y install mysql-community-server
Any required changes to MySQL configuration file, /etc/my.cnf, should be made after the install has completed.
Start MySQL Server
The MySQL daemon should be enabled to start on boot.
sudo /usr/bin/systemctl enable mysqld
The server can now be started.
sudo /usr/bin/systemctl start mysqld
Secure MySQL
Once the MySQL server has started, the service will then need to be secured. The mysql_secure_installation script will assist with this process by presenting several questions. It is recommended to accept the default action for all questions which is yes.
sudo /usr/bin/mysql_secure_installation
    Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Firewall Rules
It is highly recommended that the ProfitBricks firewall and/or local Linux firewall be used to restrict access to the MySQL server. Only hosts requiring connectivity to the MySQL server should be granted network access.
MySQL listens on TCP port 3306 by default.
If the CentOS firewall is enabled, then a rule allowing access to the MySQL server on port 3306/tcp from host 192.0.2.10 can be added.
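# Allow 192.0.2.10 to reach MySQL on 3306/tcp, and nothing else.  The original
# added the host as a source of the "trusted" zone, which accepts all traffic
# from that source (the --add-port on the trusted zone then changes nothing),
# so a single compromised client host would have had every port on this
# server.  A rich rule on the default zone grants exactly one port.  Straight
# "--" replaces the en dashes of the original, which firewall-cmd does not
# accept as options.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.10/32" port port="3306" protocol="tcp" accept'
firewall-cmd --reload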
Create Database User
Never configure a web application to use the root user to access MySQL. An individual, application-specific user should be used instead. First log into MySQL with an administrative user.
mysql -u root -p mysql
The following steps will describe creating a new database named appdb and granting the appuser full access to the new database. Adjust the hostname from which the user will be connecting and password as necessary.
mysql> create database appdb;
mysql> grant all on appdb.* to 'appuser'@'localhost' identified by 'password';
mysql> quit
You should test access to the database with the new application user.
mysql -u appuser -p -h localhost appdb

SSH timeouts make with CentOS 7

I like using CentOS on my servers and desktop machine. After I start using, my ssh connections terminate so quickly

I like using CentOS on my servers and desktop machine. After I started using it, my ssh connections terminated very quickly if I did not type anything at the terminal for a few minutes, maybe seconds. It is very annoying when you lose an active connection.
The message is
Write failed: Broken pipe
The situation is very annoying, so I found a workaround for this problem: a setting in .ssh/config prevents it. The cause of the problem is keep-alive messages, which indicate whether the connection is still in use. After a CentOS 7 installation the ssh client's keep-alives have this problem. The setting that controls it is ServerAliveInterval: if we set this parameter to 10 (seconds), we won't get timeouts. The trick is setting the value in the ~/.ssh/config file. This file is user-managed and does not need root permissions. An example is
Host *
ServerAliveInterval 10

nginx on RHEL 7 with tomcat on Systemd

Tomcat multi-instance setup using systemd on CentOS 7 / RHEL 7

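# Two Tomcat 8.0.30 instances (tomcat01 on 8081/8001, tomcat02 on 8082/8002)
# under /opt, each run by systemd as the unprivileged "tomcat" account.
set -euo pipefail

readonly tomcat_ver=8.0.30
readonly tomcat_tgz="apache-tomcat-${tomcat_ver}.tar.gz"

rpm -ivh jdk-8u60-linux-x64.rpm

# System account with no login shell; the instances run as this user so a
# webapp compromise does not hand out root.
getent group tomcat || groupadd -r tomcat
getent passwd tomcat || useradd -r -d /opt -s /bin/nologin tomcat

cd /opt
# Plain-HTTP mirror: check the tarball against the checksum/signature published
# by the Tomcat project before unpacking it.
wget "http://mirror.nus.edu.sg/apache/tomcat/tomcat-8/v${tomcat_ver}/bin/${tomcat_tgz}"

# Unpack the same archive once per instance.  (The original extracted a JDK
# tarball here — jdk-8u40-linux-i586.tar.gz, which is neither downloaded nor
# the JDK just installed from the rpm — and then tried to rename a Tomcat
# directory that did not exist yet.)
make_instance() {
  local name=$1 http_port=$2 shutdown_port=$3
  tar zxf "$tomcat_tgz"
  mv "apache-tomcat-${tomcat_ver}" "$name"
  chown -R tomcat:tomcat "$name"
  # Own HTTP and shutdown ports per instance, and the AJP connector (8009)
  # removed so nothing listens on the default AJP port.  The original ran the
  # 8009 deletion twice against tomcat01 and never against tomcat02.
  sed -i "s/8080/${http_port}/g" "/opt/${name}/conf/server.xml"
  sed -i "s/8005/${shutdown_port}/g" "/opt/${name}/conf/server.xml"
  sed -i '/8009/d' "/opt/${name}/conf/server.xml"
}
make_instance tomcat01 8081 8001
make_instance tomcat02 8082 8002

cd /usr/lib/systemd/system
# Quoted heredoc: nothing in the unit is meant to be expanded by the shell.
cat >tomcat01.service <<'EOF'
[Unit]
Description=Apache Tomcat 8
After=network.target
[Service]
Type=oneshot
ExecStart=/opt/tomcat01/bin/startup.sh
ExecStop=/opt/tomcat01/bin/shutdown.sh
RemainAfterExit=yes
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
EOF

# Second unit is the first with the instance name swapped (straight quotes;
# the curly quotes of the original are passed to sed as part of the script).
sed 's/tomcat01/tomcat02/g' tomcat01.service > tomcat02.service

systemctl enable tomcat01
systemctl enable tomcat02
systemctl start tomcat01
systemctl start tomcat02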

# On-disk cache used by the static-asset location below: a 10 MB key zone
# (roughly 8k keys per MB per the nginx docs), entries evicted after 30 days
# without a hit, 1 GB ceiling on disk.
proxy_cache_path /var/cache/nginx/proxy_cache levels=1:2 keys_zone=static:10m inactive=30d max_size=1g;

# The two local Tomcat instances behind one name.  ip_hash pins a client
# address to one backend (stickiness without shared sessions); a backend is
# skipped for 2 s after a single failed attempt.  The keepalive pool only
# works when the proxying location uses HTTP/1.1 and clears the Connection
# header.
upstream tomcat {
    ip_hash;
    #hash $remote_addr consistent;
    server 127.0.0.1:8081 max_fails=1 fail_timeout=2s;
    server 127.0.0.1:8082 max_fails=1 fail_timeout=2s;
    keepalive 16;
}

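server {
    listen      80;
    server_name tomcat.example.com;

    charset     utf-8;
    access_log  /var/log/nginx/tomcat.access.log  main;
    root        /usr/share/nginx/html;
    index       index.html index.htm index.jsp;

    # Everything not claimed by a regex location below goes to Tomcat.
    location / {
        proxy_pass          http://tomcat;
        proxy_redirect      off;
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client already sent; the application must trust only the last entry.
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        # Inert here (no proxy_cache in this location); kept for symmetry.
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

        proxy_connect_timeout 300;
        proxy_send_timeout    300;
        proxy_read_timeout    300;
        # HTTP/1.1 plus an empty Connection header is what the upstream
        # keepalive pool needs.  The quotes must be plain ASCII "" - the
        # original had typographic quotes, which nginx sends literally.
        proxy_http_version  1.1;
        proxy_set_header    Connection "";

        # The original added "X-Backend $upstream_addr" here.  That tells
        # every client the internal address and port that served it; put
        # $upstream_addr in a log_format instead if you need it.
    }

    # Regex locations are matched in order, so the dot-file block comes
    # before the asset pattern: it covers .htaccess, .git, .env, ... (the
    # original only blocked .ht*) and also wins for paths like /.git/x.js.
    location ~ /\. {
        deny all;
    }

    # Static assets: proxied like everything else, but answered from the
    # "static" cache when possible.
    location ~* ^.+\.(js|css|ico|gif|jpg|jpeg|png)$ {
        proxy_pass          http://tomcat;
        proxy_redirect      off;
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

        proxy_connect_timeout 300;
        proxy_send_timeout    300;
        proxy_read_timeout    300;
        proxy_http_version  1.1;
        proxy_set_header    Connection "";

        # Entries are keyed by URL only.  nginx does not cache a response
        # that carries Set-Cookie, but a per-user body returned without one
        # would be replayed to every client: keep these extensions to
        # genuinely public files, or add proxy_no_cache / proxy_cache_bypass
        # on $http_cookie and $http_authorization.
        proxy_cache         static;
        proxy_cache_key     $host$uri$is_args$args;
        proxy_cache_valid   200 302 7d;
        proxy_cache_valid   404 1m;
        # "any 1h" also keeps 5xx responses for an hour; narrow or drop it if
        # a transient backend error must not be served to other clients.
        proxy_cache_valid   any 1h;
        add_header          X-Cache $upstream_cache_status;

        #log_not_found off;
        #access_log off;
        expires max;
    }
}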

nginx as a load balancer

nginx is a high-performance web server and reverse proxy. For this role it is lighter and simpler to configure than Apache httpd.

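# nginx is packaged in EPEL on CentOS/RHEL 7.
yum install -y epel-release
yum install -y nginx

# Address this node listens on.  ifconfig (net-tools) is not installed by
# default on CentOS 7; iproute2 is.  cut strips the /prefix length.
ip -4 -o addr show dev eth0 | awk '{ print $4 }' | cut -d/ -f1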

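# One JDK version, used consistently below.  The original downloaded 8u60
# (x64), extracted 8u40 (i586), cd'd into jdk1.8.0_40 and pointed JAVA_HOME
# at jdk1.8.0_25 - three different builds, of which only one existed.
JDK_VER=1.8.0_60
JDK_TGZ=jdk-8u60-linux-x64.tar.gz

# Fetched over HTTPS with certificate checking ON: the original used plain
# http and --no-check-certificate, i.e. it trusted the network with the JVM
# that runs everything.  Oracle's OTN links now require a login; in practice
# install the vendor rpm (as in the systemd section) or OpenJDK
# ("yum install java-1.8.0-openjdk-devel") instead.
wget --no-cookies \
     --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \
     "https://download.oracle.com/otn-pub/java/jdk/8u60-b27/${JDK_TGZ}"
# Tomcat from the Apache archive over HTTPS; verify its detached .asc
# signature against the project KEYS file before unpacking.
wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.30/bin/apache-tomcat-8.0.30.tar.gz

mkdir -p /usr/java
tar xzf "$JDK_TGZ" -C /usr/java

# Let alternatives own /usr/bin/java.  The original passed the JDK binary
# itself as the <link> argument, which makes alternatives replace that
# binary with a symlink to /etc/alternatives/java -> itself, and the manual
# "ln -s ... /usr/bin/java" fought with alternatives for the same path.
alternatives --install /usr/bin/java java "/usr/java/jdk${JDK_VER}/bin/java" 2
alternatives --set java "/usr/java/jdk${JDK_VER}/bin/java"

# Login-shell environment.  \$ keeps the references literal in the file;
# the original exported PATH three times and appended JAVA_HOME itself
# (a directory of no use on PATH).
cat > /etc/profile.d/java.sh <<EOF
export JAVA_HOME=/usr/java/jdk${JDK_VER}
export JRE_HOME=\$JAVA_HOME/jre
export PATH=\$JAVA_HOME/bin:\$PATH
EOF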

3. Tomcat load-balancing configuration

When nginx starts it loads /etc/nginx/nginx.conf, which in turn includes every .conf file in /etc/nginx/conf.d.

Custom configuration can therefore be kept in separate .conf files: anything placed in /etc/nginx/conf.d is picked up automatically, which keeps it easy to maintain.

Create tomcats.conf (vi /etc/nginx/conf.d/tomcats.conf) with the following contents:

# Start Tomcat on each backend node before pointing nginx at it.  This path
# assumes the tarball was unpacked under /usr/tomcat, which differs from the
# /opt layout used in the systemd section earlier on this page.
/usr/tomcat/apache-tomcat-8.0.30/bin/startup.sh

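# Written with a quoted heredoc so the step is reproducible and $-free
# nginx syntax is not expanded by the shell.
cat > /etc/nginx/conf.d/tomcats.conf <<'EOF'
# Backend pool for the Tomcat nodes.  ip_hash keeps a client address on the
# same node (session stickiness without shared sessions).
# Nothing here limits who can reach port 8080 on the nodes themselves:
# firewall each node so that only this proxy may connect to 8080.
upstream tomcats {
    ip_hash;
    server 192.168.1.60:8080;
    server 192.168.1.62:8080;
    server 192.168.0.63:8080;   # NOTE: a different /24 than the other two - verify this address
}
EOF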

Modify default.conf (vi /etc/nginx/conf.d/default.conf) as follows:
vi /etc/nginx/conf.d/default.conf
Comment out the existing `location /` block that serves files from the local html directory:
#location / {
#   root   /usr/share/nginx/html;
#    index  index.html index.htm;
#}

# Replacement: every request is forwarded to the "tomcats" upstream defined
# in tomcats.conf.  The headers carry the client's identity through to
# Tomcat.  X-Forwarded-For is appended to whatever the client already sent,
# so the application must trust only the last (nginx-added) entry.
# REMOTE-HOST is a non-standard duplicate of X-Real-IP; harmless, drop it if
# the application does not read it.
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://tomcats;
}

After saving, check the syntax and reload: nginx -t && nginx -s reload

4. Serving static resources separately

Modify default.conf (vi /etc/nginx/conf.d/default.conf) and add the following:
vi /etc/nginx/conf.d/default.conf

All .js and .css requests are served directly by nginx:

# Regex locations take precedence over the prefix "location /", so every
# *.js and *.css URL is answered from /opt/static-resources and never
# reaches Tomcat.  The directory must exist and be readable by the nginx
# worker user, and should hold only public files: anything under it that
# matches the pattern is served as-is.
location ~.*\.(js|css)$ {
root    /opt/static-resources;
expires     12h;
}

All images, documents and other static files are served directly by nginx:

# Same as above for images, documents and archives.  Note that html is in
# the list: any *.html URL, including pages the application would otherwise
# generate, is served from this directory (404 if absent) instead of being
# proxied.  Remove html from the pattern if Tomcat serves HTML pages.
location ~.*\.(html|jpg|jpeg|png|bmp|gif|ico|mp3|mid|wma|mp4|swf|flv|rar|zip|txt|doc|ppt|xls|pdf)$ {
root    /opt/static-resources;
expires     7d;
}

Create a directory for the certificate and private key
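# Self-signed certificate for testing only: browsers will warn, and a client
# cannot tell it apart from a man-in-the-middle.  Use a CA-issued (or ACME)
# certificate for anything reachable by others.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl

# Generate the key in a subshell with umask 077 so it is never world-readable,
# not even for the instant before a chmod.  nginx cannot prompt for a
# passphrase at boot, so the original "genrsa -des3" followed by stripping
# the passphrase again gained nothing; generate it unencrypted directly.
( umask 077 && openssl genrsa -out server.key 2048 )
openssl req -new -key server.key -out server.csr
# -sha256: do not rely on the OpenSSL build's default digest.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
chmod 600 server.key
chmod 644 server.crt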

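server {
    listen 80;
    # "default" and a bare "ssl" flag are legacy spellings of these.
    listen 443 ssl default_server;
    server_name cluster1.rmohan.com;
    keepalive_timeout 70;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2.  Add TLSv1.3
    # once nginx >= 1.13 is linked against OpenSSL >= 1.1.1 (not the case
    # with the CentOS 7 base OpenSSL 1.0.2).
    ssl_protocols TLSv1.2;
    # ECDHE-only suites: forward secrecy, and no ssl_dhparam needed because
    # no DHE suite is offered.  "HIGH:!aNULL:!MD5" still permitted static-RSA
    # key exchange (no forward secrecy) and, on OpenSSL 1.0.x, 3DES.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    # Session resumption: avoids a full handshake on every connection.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # This block still answers plaintext on port 80.  To force HTTPS, move
    # "listen 80" into its own server block that does
    #   return 301 https://$host$request_uri;
    # and only then add a Strict-Transport-Security header (HSTS) here -
    # not before, and not while the certificate is self-signed.
}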