CentOS 7 – Redhat Installation Best practice

Partitioning

By separating file systems into various partitions, you can fine tune permissions and functionality. Doing so will provide you greater granularity for permissions, as well as adding a layer of security for any potential bad guys to work through.

Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.

  OS disk with LVM (required)
  Data disks with LVM (required)

|disk|type|name|size|mount point|
|disk 1 (18GB)|static|/dev/sda1|512M|/boot|
||LVM|/dev/mapper/rootvg-root|2G|/|
||LVM|/dev/mapper/rootvg-usr|6G|/usr|
||LVM|/dev/mapper/rootvg-var|2G|/var|
||LVM|/dev/mapper/rootvg-opt|1G|/opt|
||LVM|/dev/mapper/rootvg-tmp|2G|/tmp|
||LVM|/dev/mapper/rootvg-home|2G|/home|
||LVM|/dev/mapper/rootvg-swap|2G|swap|
|disk2|LVM|/dev/mapper/datavg-data|10G|/data|

Modifying fstab

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible.

An example of a decently restricted /etc/fstab file is below:

/dev/mapper/rootvg-root /                       ext4    defaults        1 1
/dev/sda1               /boot                   ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-home /home                   ext4    defaults,nosuid,nodev        1 2
/dev/mapper/rootvg-opt  /opt                    ext4    defaults        1 2
/dev/mapper/rootvg-tmp  /tmp                    ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-usr  /usr                    ext4    defaults        1 2
/dev/mapper/rootvg-var  /var                    ext4    defaults,nosuid        1 2
/dev/mapper/rootvg-swap swap                    swap    defaults        0 0
/dev/mapper/reposvg-reposlv /repos              ext4    defaults        1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS   ext4    defaults        1 2
/dev/mapper/reposvg-weblv        /var/www ext4      defaults,nosuid,nodev  1 2
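
An added example (not part of the original post): a shell audit that checks an fstab file against the restrictions used in the listing above and reports mount points that lack a required option or have no partition of their own. The policy table, the function names and the sample fstab are constructed for illustration; on a real host, pass /etc/fstab to `audit_fstab`.

```shell
#!/bin/sh
# Added example: audit an fstab file against a mount-option policy.
# POLICY mirrors the restricted mount points in the fstab above (assumption:
# adjust it to your own partition layout).
POLICY='/boot nosuid,noexec,nodev
/home nosuid,nodev
/tmp nosuid,noexec,nodev
/var nosuid
/var/www nosuid,nodev'

# audit_fstab FILE
# Prints one finding per line and nothing when FILE satisfies POLICY:
#   MISSING <mountpoint> <options>   required options absent from field 4
#   NOPART  <mountpoint>             no dedicated entry, so the directory
#                                    inherits the options of its parent
audit_fstab() {
    printf '%s\n' "$POLICY" | awk -v fstab="$1" '
        BEGIN {
            # Index the options column (field 4) by mount point (field 2).
            while ((getline line < fstab) > 0) {
                sub(/#.*/, "", line)
                if (split(line, f) >= 4) opts[f[2]] = f[4]
            }
        }
        {
            if (!($1 in opts)) { print "NOPART " $1; next }
            split("", have)                      # portable array reset
            n = split(opts[$1], o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            missing = ""
            n = split($2, req, ",")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have))
                    missing = missing (missing == "" ? "" : ",") req[i]
            if (missing != "") print "MISSING " $1 " " missing
        }'
}

# write_sample_fstab FILE: constructed fstab with deliberate gaps.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host
/dev/mapper/rootvg-root /      ext4 defaults                     1 1
/dev/sda1               /boot  ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-home /home  ext4 defaults,nosuid              1 2
/dev/mapper/rootvg-tmp  /tmp   ext4 defaults                     1 2
/dev/mapper/rootvg-var  /var   ext4 defaults,nosuid              1 2
/dev/mapper/rootvg-swap swap   swap defaults                     0 0
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
audit_fstab "$sample"
rm -f "$sample"
```

The audit reads the configuration file only; compare against `mount` output as well, since a filesystem remounted by hand can differ from fstab.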

Install additional packages

Adapt the yum repositories in /etc/yum.repos.d/ to be able to reach the right repositories
Add ntp and net-tools (for ifconfig command), and other utilities

yum -y install ntp
yum -y install telnet             #(client only to debug)
yum -y install net-tools          #(ifconfig, arp, netstat)
yum -y install lsof
yum -y install mlocate            #(locate)
yum -y install bind-utils         #(host, nslookup)
yum -y install open-vm-tools      #(VMware Tools)
yum -y install sg3_utils          #(scsi-rescan)
yum -y install cpulimit           #(limit CPU usage per process)
yum -y install nmap-ncat          # nc command

List and remove unused services

On Red Hat and CentOS 7, some of the default services are interesting but more suited to mobile systems than to static production servers, so I’ve disabled some of them and replaced them with their older equivalents:

NetworkManager.service (network service): I use network.service
chronyd.service (NTP service): I use ntpd.service
firewalld.service (firewall service): I use iptables.service and ip6tables.service

[root@centos7 ~]# systemctl list-unit-files | egrep -i "firew|Network|chrony|postfix|tables|bluetooth"
chrony-wait.service                        disabled
chronyd.service                            enabled
firewalld.service                          disabled
NetworkManager-dispatcher.service          disabled
NetworkManager-wait-online.service         disabled
NetworkManager.service                     disabled
postfix.service                            disabled
network-online.target                      static
network.target                             static
iptables.service                           disabled
ip6tables.service                          disabled
bluetooth.service                          disabled
bluetooth.target                           static

[root@centos7 ~]# systemctl list-units | grep network
network.service                               loaded active exited    LSB: Bring up/down networking
rhel-import-state.service                     loaded active exited    Import network configuration from initramfs
network.target                                loaded active active    Network

Disable unused services

Example of disable/enable services:

[root@centos7 ~]# for i in NetworkManager.service postfix.service firewalld.service chronyd.service bluetooth.service
do
systemctl disable $i
systemctl stop $i
done

Install ntp package and enable some services

network.service, ntpd.service and, if needed, iptables.service

[root@centos7 ~]# yum -y install ntp
[root@centos7 ~]# for i in network.service ntpd.service iptables.service
do
systemctl enable $i
systemctl start $i
done
[root@centos7 ~]# systemctl list-unit-files  | grep "ntp"
ntpd.service                               enabled
ntpdate.service                            disabled
[root@centos7 ~]# systemctl list-units | grep "netw"
network.service                                 loaded active exited    LSB: Bring up/down networking
network.target                                  loaded active active    Network

Enable useful services if needed

[root@centos7 scripts]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@centos7 scripts]# systemctl start httpd.service

Remove services that are in LISTEN state

In this example, you could disable the rpcbind.service

[root@centos7 ~]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     10242    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     16930    @/tmp/dbus-wEGN6K01Pn
unix  2      [ ACC ]     STREAM     LISTENING     16307    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     17599    /tmp/.ICE-unix/1146
unix  2      [ ACC ]     SEQPACKET  LISTENING     10256    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15164    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     15166    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     14414    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     16306    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     18796    /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     1388     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     17778    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     14458    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     18556    /var/run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     18558    /var/run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     17598    @/tmp/.ICE-unix/1146
unix  2      [ ACC ]     STREAM     LISTENING     16036    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     17418    @/tmp/dbus-0PYMRpYu
unix  2      [ ACC ]     STREAM     LISTENING     16892    @/tmp/dbus-bKDTQeVf
unix  2      [ ACC ]     STREAM     LISTENING     16893    @/tmp/dbus-Skwj1TBB
unix  2      [ ACC ]     STREAM     LISTENING     17543    @/tmp/dbus-qVKMoS2bff
unix  2      [ ACC ]     STREAM     LISTENING     18410    @/tmp/dbus-V9cHUqaM
unix  2      [ ACC ]     STREAM     LISTENING     17419    @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
[root@lstor2rrd ~]# systemctl list-unit-files  | egrep -i "rpc"
var-lib-nfs-rpc_pipefs.mount               static
rpcbind.service                            enabled
rpcgssd.service                            disabled
rpcidmapd.service                          disabled
rpcsvcgssd.service                         disabled
rpcbind.socket                             enabled
rpcbind.target                             static
[root@centos7 ~]# systemctl list-units  | egrep -i "rpc"
proc-fs-nfsd.mount                                                                               loaded active mounted   RPC Pipe File System
var-lib-nfs-rpc_pipefs.mount                                                                     loaded active mounted   RPC Pipe File System
rpcbind.service                                                                                  loaded active running   RPC bind service
rpcbind.socket                                                                                   loaded active running   RPCbind Server Activation Socket 
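
An added example (not from the original post) that automates the first step of the check above: it reads `netstat -an` output and lists TCP listeners that are reachable from the network and whose port is not on an approved list. The approved ports, the function names and the extra sample lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: list TCP listeners from `netstat -an` output that are
# reachable from the network and not on an approved port list.

# unexpected_listeners "PORT PORT ..."   (netstat -an output on stdin)
# Prints "<port> <address> <scope>" for every TCP LISTEN socket that is not
# loopback-only and whose port is not approved.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, /[ ,]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4                       # e.g. 0.0.0.0:111 or :::111
            port = laddr
            sub(/.*:/, "", port)             # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in ok) next
            scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : "one-address"
            print port, addr, scope
        }' | LC_ALL=C sort -k1,1n -k2,2
}

# sample_netstat: the four TCP lines from the output above, plus constructed
# tcp6, loopback and unix-socket lines to exercise the filters.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
EOF
}

sample_netstat | unexpected_listeners "22 80"
# On a live host: netstat -an | unexpected_listeners "22 80"
```

Each reported port can then be mapped to its process with `lsof -i :PORT` and to its unit with `systemctl list-unit-files`, as shown above.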

Configure the network

Edit your ifcfg file in /etc/sysconfig/network-scripts/ and add NM_CONTROLLED=no.
Example:

[root@centos7 network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-eno16780032
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
DEVICE=eno16780032
ONBOOT=yes
NM_CONTROLLED=no
IPADDR=192.168.1.19
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.10
DNS2=192.168.1.11
DOMAIN=centos.org
IPV6_PEERDNS=no
IPV6_PEERROUTES=no

Disable NetworkManager and enable the old network service

[root@centos7 ~]# systemctl disable NetworkManager.service
[root@centos7 ~]# systemctl stop NetworkManager.service
[root@centos7 ~]# chkconfig network on
[root@centos7 ~]# chkconfig --list network
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Check your IP config and routes

[root@centos7 sysctl.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.19/24 brd 192.168.21.255 scope global eno16780032
       valid_lft forever preferred_lft forever
[root@lproxymail sysctl.d]# ip route
default via 192.168.21.250 dev eno16780032
169.254.0.0/16 dev eno16780032  scope link  metric 1002
192.168.21.0/24 dev eno16780032  proto kernel  scope link  src 192.168.21.194

For information: due to the new network adapter naming convention, you’ll find network interfaces called enp6s0 or enp4s2f0, which doesn’t satisfy everybody.
Example:

[root@centos7 ~]# dmesg | grep NIC
[    2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI
[    2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[    3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps

You can switch to the old naming convention eth0, eth1… by changing boot parameters:

grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0"

Stop IPV6 best practice

Disable IPV6 on network adapter

On most current operating systems, IPv6 is activated by default. Completely unloading the kernel module is not good practice; it is better to disable IPv6 for most applications. Be aware that some applications, such as SELinux, will load the IPv6 module if needed!

Create a file /etc/sysctl.d/98-disable_ipv6.conf

[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 

To disable in the running system:

[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1

Disable IPV6 on SSH server

If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:

(1) Change the line

#AddressFamily any

to

AddressFamily inet

(inet is ipv4 only; inet6 is ipv6 only)

or

(2) Remove the hash mark (#) in front of the line

#ListenAddress 0.0.0.0

Then restart ssh.

systemctl restart sshd.service

Disable IPV6 on postfix

If problems with starting postfix are encountered on systems with IPv6 disabled, edit /etc/postfix/main.cf, comment out the localhost line and use the IPv4 loopback address instead:

#inet_interfaces = localhost
inet_interfaces = 127.0.0.1

Disable IPV6 on NTP client

Edit the file /etc/ntp.conf and comment out the line related to IPv6:

# restrict ::1

Disable IPV6 on RPCBIND

To disable IPv6 for RPCBIND (rpcbind, rpc.mountd, rpc.statd), comment out the udp6 and tcp6 lines in /etc/netconfig:

udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -
unix       tpi_cots_ord  -     loopback  -      -       -

WebLogic Server SSL

One-way SSL

One-way SSL simply means that only the server certificate passes from the server to the client but not the other way around. Thus, only the server is authenticated. If we trust the server certificate’s issuer, we can establish an SSL link between our browser and the server [3].

Two-way SSL

When both client and server pass certificates to each other to establish an SSL link, we have mutual authentication via two-way SSL. Both sides now know the identity of the other from their respective certificates. The important thing to realize here is that, while the conditions for one-way SSL remain, the mirrored conditions also apply. In other words, the server also has to trust the issuer of the client certificate. Mutual authentication just means that both sides must trust each other. This forms the basis of Public Key Infrastructure [3].

Fundamentals of PKI

Public Key Infrastructure is a computerized form of message encryption using two keys; one is public and used by the sender to encrypt the message, the other is private and used by the recipient to decrypt the message [1]. It is essentially an arrangement surrounding the issuance of digital certificates and assignment of public keys. The issuance of a digital certificate is ultimately done by a certification authority as the result of the PKI process, which includes the binding of public keys to subscribing user identities after such identities have been validated.

The actual verification of user identities can be done by the certification authority itself, or by a separate registration authority. Once issued, however, the certification authority stamps and seals the PKI certificate with its unique digital signature. As a result the certificate holder is able to secure network communications and online transactions, as well as provide trusted third party, PKI -based, authentication of its business identity [2].

Configuration

Steps to configure CLIENT-CERT authentication-

Step 1: Configure two-way SSL in WebLogic Server
Step 2: Configure Default Identity Asserter
Step 3: Configure Web Application
Step 4: Test the configuration

Configure Two-Way SSL in WebLogic Server

First, we will test with the Demo Identity and Demo Trust stores provided with WebLogic Server. Later, we will discuss configuring a Custom Identity and Custom Trust store.

Note: Demo Identity and Demo Trust Store should not be used in production environment.

Load BEA Test CA Certificate into Browser

Out of the box, WebLogic will present a certificate signed by the BEA test CA. You’ll need to add that CA certificate to your browser so that the server certificate will be trusted. Note that what you want to add to your browser is the certificate of the CA that issued the server certificate- not the server certificate itself. If you don’t add the CA certificate, SSL will still work but you will be prompted by your browser about an untrusted certificate [3].

To load the test CA certificate into your browser (Firefox 3.0 in this case) follow these steps-
Step 1: Go to Tools -> Options
Step 2: Select Advanced -> Encryption
Step 3: Click View Certificates
Step 4: Select Authorities
Step 5: Click Import
Step 6: Select  $BEA_HOME/wlserver_10.3/server/lib/CertGenCA.der
Step 7: Select “Trust this CA to identify web sites”
Step 8: Click OK to save the settings.

Your browser will now trust certificates issued from the BEA test CA.

Note: Later, when you are done experimenting with the test certificate, be sure to remove the test CA certificate from your browser.

Create a Client Certificate

We will use a utility provided by BEA called CertGen to create a client certificate. This certificate will be issued by the BEA demo CA just like the demo server was. We will configure WLS to trust this client certificate when it is presented. To reiterate, the server trusts the client certificate issuer, not the client certificate directly [3].

To generate client certificate and keystore, follow the steps given below-

Step 1: Run $BEA_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Step 2: Use CertGen to create a client certificate as follows:

java utils.CertGen -certfile user.cer -keyfile userkey.key -keyfilepass weblogic -cn user

The CertGen command creates both the private key and certificate for the user specified as the CN (Common Name). The files are created in DER and PEM formats. Most browsers don’t recognize PEM/DER files, so we need to convert the key and certificate into a PKCS #12 file.

Step 3: Import key and certificate into a keystore of type PKCS#12 as follows:

java utils.ImportPrivateKey -keystore keystore.p12 -storepass weblogic -storetype pkcs12 \
  -keypass weblogic -alias newalias -certfile user.cer.pem \
  -keyfile userkey.key.pem -keyfilepass weblogic

Load Client Certificate into Browser

The procedure for loading client certificates is almost the same as loading the CA certificate:
Step 1: Go to Tools -> Options
Step 2: Select Advanced -> Encryption
Step 3: Click View Certificates
Step 4: Select Your Certificates
Step 5: Click Import
Step 6: Select keystore.p12 (keystore generated in the previous step)
Step 7: Enter the store password (weblogic in the example)
Step 8: Click OK to save the settings.

Enforce Client Certificates over Two-Way SSL

To configure two-way SSL, demo identity store, trust store and enforce client certificates, follow the steps given below-
Step 1: Login to WebLogic Server Admin Console
Step 2: Select domain -> Environment -> Servers
Step 3: Select the server (For example: AdminServer)
Step 4: Ensure that SSL Listen Port is enabled (take a note of SSL port)
Step 5: Save the settings
Step 6: Select Keystores tab
Step 7: Select Keystores as Demo Identity and Demo Trust
Step 8: Save the settings
Step 9: Select SSL tab
Step 10: Select Identity and Trust Locations as Keystores
Step 11: Save the settings
Step 12: Click on Advanced in SSL tab
Step 13: Select Two Way Client Cert Behavior as Client Certs Requested and Enforced
Step 14: Restart WebLogic Server for the changes to take effect.

At this point, the server certificate is trusted by the browser since the browser trusts the test CA. The server is configured to trust the test CA, too, since it’s using the DemoTrust keystore. If the browser has a client certificate issued from the test CA, all should be well and SSL should work.

To test it, navigate to the WebLogic Console over SSL (https://localhost:7002/console). You should get prompted to supply a client certificate. Select the certificate and click OK to use it. You should then see the Console login page.

Next, we need to configure Default Identity Asserter to allow authentication using the client certificate.

Configure Default Identity Asserter

To configure Default Identity Store to analyze X.509 client certificate and map it to a valid user, follow the steps given below-
Step 1: Login to WebLogic Server Admin Console
Step 2: Select domain -> Security Realms -> realm
Step 3: Select Providers tab
Step 4: Select Authentication tab
Step 5: Select Default Identity Asserter
Step 6: Select X.509 as one of the Active types by moving it to Chosen box
Step 7: Save the settings
Step 8: Select Provider Specific tab
Step 9: Select Use Default User Name Mapper
Step 10: Select the Username Mapper Attribute Type as CN
Step 11: Remove any delimiter for Default Username Mapper Attribute
Step 12: Save the settings
Step 13: Restart WebLogic Server for the changes to take effect

Note: Default User Name Mapper will map the user name to a valid user in WebLogic user store

Configure Web Application

Web application must specify the authentication method as CLIENT-CERT in web.xml.

Test the Configuration

You are all set to test the configuration. Deploy the application to WebLogic server and request the protected resource. Server will authenticate you using the certificate and grant access to the protected resource.
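
The trust rule behind the setup above (a certificate is accepted only when its issuer is in the trust store, and the CN is then used as the user name) can be checked offline. This is an added example, not part of the original article: it uses the openssl command line instead of WebLogic's CertGen, and every file name, CN and helper function in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway CAs and a client certificate, to show that
# acceptance depends on the issuer the server trusts. Keys are unencrypted
# (-nodes) and short-lived because this is a demo in a temp directory.

# make_ca DIR NAME CN: self-signed CA certificate DIR/NAME.crt plus key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client DIR CA_NAME NAME CN: client key, CSR, and a certificate
# signed by the CA that make_ca created under CA_NAME.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# server_accepts TRUST_CERT CLIENT_CERT: the decision of a server whose
# trust store holds only TRUST_CERT. Exit 0 means the chain verifies.
server_accepts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# mapped_user CERT: the subject CN, the attribute the Default Identity
# Asserter steps above select for the user name.
mapped_user() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" ca "My Own Self CA" &&
        make_ca "$dir" other "Unrelated CA" &&
        issue_client "$dir" ca client "user" || { rm -rf "$dir"; return 1; }
    if server_accepts "$dir/ca.crt" "$dir/client.crt"; then
        echo "issuer in trust store: accepted"
    fi
    if ! server_accepts "$dir/other.crt" "$dir/client.crt"; then
        echo "issuer not in trust store: rejected"
    fi
    echo "mapped user: $(mapped_user "$dir/client.crt")"
    rm -rf "$dir"
}
demo
```

The mapped name still has to exist in the WebLogic user store; a valid certificate for an unknown CN proves identity to the SSL layer but maps to no user.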

Custom Identity and Custom Trust

The configuration that we just tested was with the demo identity and trust store provided by WebLogic. Instead of using the demo stores, we can use our custom identity and trust store. For development environment, we can generate a Self-Signed CA certificate using Java and WebLogic tools [See Reference 4].

We will follow these steps to get it done-
Step 1: Set the Environment
Step 2: Generate Server Private Key and Certificate
Step 3: Create the Identity Store
Step 4: Import the Certificate into a new Trust Keystore
Step 5: Install Server Certificate on Client
Step 6: Create a Client Certificate using Self-Signed CA Certificate
Step 7: Bundle Certificate and Key into a Keystore
Step 8: Import Trusted CA Certificate and Client Certificate into Browser
Step 9: Configure WebLogic Server with Identity and Trust Stores

Set the Environment

Run $BEA_HOME/wlserver_10.3/server/bin/setWLSEnv.sh script to set the environment.

Generate Server Private Key and Certificate

Use CertGen to create server private key and certificate as given below:

java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer \
  -keyfile MyOwnSelfKey.key -keyfilepass mykeypass \
  -cn "My Own Self CA"

Create the Identity Store

CertGen created a unique and secret Private Key for the server we are using and the Self-signed Root Certificate for us. But Java wants them packaged up neatly into a keystore. Fortunately BEA are a smart bunch and created a utility to help. Just to make sure there was no confusion about what it does, they called it ImportPrivateKey. Now run this-

java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass identitypass \
  -keypass keypassword -alias trustself \
  -certfile MyOwnSelfCA.cer.pem \
  -keyfile MyOwnSelfKey.key.pem -keyfilepass mykeypass

Import the Certificate into a new Trust Keystore

When the client asks the server for a connection, the server will only allow access if it trusts the signer of the client’s certificate. This is going to be the “My Own Self CA” and to make it happen we need our trusty MyOwnSelf certificate packed up into a separate keystore called the Trust Keystore. When the client presents its certificate, this is where the server will look to see if it trusts the signature of the CA. Now run this-

keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA

Install Server Certificate on Client

To have the client trust the server permanently, we need to install the certificate. You can follow the steps mentioned under Load BEA Test CA Certificate into Browser and import the certificate MyOwnSelfCA.cer.der into your browser. Alternatively, you can double click the certificate file and choose Install.

Create a Client Certificate using Self-Signed CA Certificate

It’s time to generate the certificate for the client. This time we want the Certificate to identify the client machine (usually the user of the machine – you can set up one client certificate per user and have more than one on a machine if you need to), and we want to ensure that the Client is linked to the Trusted CA Root Certificate we fabricated earlier. (This is why the ou (operating unit) of the client certificate must match the identity of the Trusted CA Certificate – in this case “My Own Self CA”.)

java utils.CertGen -certfile MyClientCert.cer -keyfile MyClientKey.key -keyfilepass clientkeypass \
  -cacert MyOwnSelfCA.cer.der -cakey MyOwnSelfKey.key.der -cakeypass mykeypass \
  -cn "My Client" -e "my.own@self.com" -ou "My Own Self CA"

Bundle Certificate and Key into a Keystore

Run the command as shown below-

java utils.ImportPrivateKey -keystore MyClientCert.p12 -storepass clientpass -storetype pkcs12 \
  -keypass clientkeypass -alias clientcert -certfile MyClientCert.cer.pem \
  -keyfile MyClientKey.key.pem -keyfilepass clientkeypass

Import Client Certificate into Browser

Follow the steps mentioned under Load Client Certificate into Browser. Here, the keystore will be MyClientCert.p12 and store password will be clientpass.

Configure WebLogic Server with Identity and Trust Stores

In sections Create the Identity Store and Import the Certificate into a new Trust Keystore, we generated an Identity Keystore for Server to Client communication (to supply certificates to the client) and a Trust Keystore for Client to Server communication (to accept certificates supplied by the client). We now need to tell WebLogic to use them.

In the WebLogic Admin Console, jump to the Keystores tab (See Enforce Client Certificates over Two-Way SSL) and choose “Custom Identity and Custom Trust”. Enter the locations of your Identity and Trust keystores, the passphrases identitypass and trustpass respectively.

Now switch to the SSL tab and enter the alias and the private key password (i.e. ‘trustself’ and ‘keypassword’, respectively, in the example). When you have saved and activated your changes in the admin console, check the WebLogic command output window to verify that your Identity and Trust keystores were loaded with no problems.

You have now successfully configured two-way SSL with a Custom Identity and Custom Trust store. The rest of the configuration is the same in both cases: you need to configure the Default Identity Asserter and make the required changes to the application’s web.xml as mentioned earlier.

Troubleshooting

First step should be to enable the security log for your server. To enable the logs, follow the steps given below-
Step 1: Login to WebLogic Admin Console
Step 2: Select domain -> Environment -> Servers
Step 3: Select the Server (For example: AdminServer)
Step 4: Select Debug tab
Step 5: Expand the weblogic debug scope and enable security log
Step 6: Save the settings and restart server (if required)

After logging is enabled, you can check the server logs and look for a possible cause.

Note: You might see a lot of NoSuchAlgorithm exceptions that are swallowed by WebLogic Server. WebLogic Server looks for the best algorithm and generates those exceptions in the process. Just ignore them.

How to set Access/Restrictions on users logins


Time Based Restrictions

These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:

account required pam_time.so

The remaining lines should be placed in /etc/security/time.conf.

1. Only allow user mohan to log in on weekdays between 7 am and 5 pm (in time.conf, Wk means weekdays and Wd means weekend days).

login;*;mohan;Wk0700-1700

2. Allow users A & B to login on all days between 8 am and 5 pm except for Sunday.

login;*;A|B;AlSu0800-1700

If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
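
An added example (not from the original post) that evaluates the day/time field of a time.conf rule, to make the toggle behaviour described above visible. It is a sketch of the matching logic only, not the pam_time module: the function names are hypothetical, and it handles a single day/time term without negation, lists or ranges that wrap past midnight.

```shell
#!/bin/sh
# Added example: evaluate the day/time field of a time.conf rule.
# Simplifications (assumptions of this sketch): one day/time term only, no
# "!" negation, no "|" or "&" lists, no ranges that wrap past midnight.

# expand_days SPEC: print the days a day string enables, in Mo..Su order.
# Every two-letter token toggles the days it names, so naming a day twice
# switches it back off. Wk is Monday-Friday, Wd is the weekend, Al is all 7.
expand_days() {
    spec=$1
    enabled=""
    [ -n "$spec" ] || return 2
    while [ -n "$spec" ]; do
        rest=${spec#??}
        tok=${spec%"$rest"}                 # first two characters
        spec=$rest
        case $tok in
            Mo|Tu|We|Th|Fr|Sa|Su) named=$tok ;;
            Wk) named="Mo Tu We Th Fr" ;;
            Wd) named="Sa Su" ;;
            Al) named="Mo Tu We Th Fr Sa Su" ;;
            *)  return 2 ;;                 # unknown or truncated token
        esac
        for d in $named; do
            case " $enabled " in
                *" $d "*)                   # already on: switch it off
                    kept=""
                    for e in $enabled; do
                        [ "$e" = "$d" ] || kept="$kept $e"
                    done
                    enabled=${kept# } ;;
                *)  enabled="${enabled:+$enabled }$d" ;;
            esac
        done
    done
    out=""
    for d in Mo Tu We Th Fr Sa Su; do
        case " $enabled " in *" $d "*) out="${out:+$out }$d" ;; esac
    done
    printf '%s\n' "$out"
}

# time_rule_allows FIELD DAY HHMM: exit 0 if DAY/HHMM falls inside FIELD
# (for example AlSu0800-1700), 1 if outside, 2 if FIELD cannot be parsed.
time_rule_allows() {
    dayspec=${1%%[0-9]*}                    # letters before the first digit
    range=${1#"$dayspec"}
    case $range in
        [0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
        *) return 2 ;;
    esac
    start=${range%-*}
    end=${range#*-}
    # Prefix a 1 so values such as 0800 are never read as octal.
    [ "1$start" -lt "1$end" ] || return 2
    days=$(expand_days "$dayspec") || return 2
    case " $days " in *" $2 "*) ;; *) return 1 ;; esac
    [ "1$3" -ge "1$start" ] && [ "1$3" -lt "1$end" ]
}

for day in Mo Sa Su; do
    if time_rule_allows AlSu0800-1700 "$day" 0900; then r=allow; else r=deny; fi
    echo "AlSu0800-1700 on $day at 09:00 -> $r"
done
echo "Wk = $(expand_days Wk)"
echo "Wd = $(expand_days Wd)"
```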

Access Based Restrictions

/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:

account required pam_access.so

1. Deny mohan login access on all terminals except for tty1:

-:mohan:ALL EXCEPT tty1

2. Users in the group operator are only allowed to login from a local terminal:

-:operator:ALL EXCEPT LOCAL

3. Allow user A to only login from a trusted server:


vsftp on CentOS6.6

1. CentOS 6.6

2. vsftpd-2.2.2

Second, the installation

$ yum install -y vsftpd

[root@oracledbserver mohan]# yum install vsftpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* extras: mirror.vodien.com
* updates: mirror.vastspace.net
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-13.el6_6.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
vsftpd x86_64 2.2.2-13.el6_6.1 updates 151 k

Transaction Summary
============================================================================================================================================================================================================
Install 1 Package(s)

Total download size: 151 k
Installed size: 332 k
Is this ok [y/N]: y
Downloading Packages:
vsftpd-2.2.2-13.el6_6.1.x86_64.rpm | 151 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd-2.2.2-13.el6_6.1.x86_64 1/1
Verifying : vsftpd-2.2.2-13.el6_6.1.x86_64 1/1

Installed:
vsftpd.x86_64 0:2.2.2-13.el6_6.1

Complete!

Third, the configuration

$ vi /etc/vsftpd/vsftpd.conf

listen_address=192.168.1.61
listen_port=21
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
ftpd_banner=Welcome to Mohan FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES
userlist_file=/etc/vsftpd/user_list
pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410

# Annotated version. vsftpd treats "#" as a comment only at the start of a line, so each note sits above its option.
# Address to listen on
listen_address=192.168.1.61
# Port to listen on
listen_port=21
# Do not allow anonymous logins
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Allow uploads and other write commands
write_enable=YES
# umask applied to files uploaded by local users
local_umask=022
# Show a directory's message file when a user enters it
dirmessage_enable=YES
# Log uploads and downloads
xferlog_enable=YES
# Make active-mode data connections from port 20
connect_from_port_20=YES
# Location of the log file
xferlog_file=/var/log/xferlog
# Write the log in the standard xferlog format
xferlog_std_format=YES
# Confine local users to their home directories
chroot_local_user=YES
# Read exceptions from chroot_list_file; with chroot_local_user=YES the users listed there are NOT confined
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# Run standalone and listen for connections itself
listen=YES
# PAM service name that vsftpd uses
pam_service_name=vsftpd
# Check userlist_file at login; userlist_deny=NO means only the users listed there may log in
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
# Use tcp_wrappers (hosts.allow / hosts.deny) to allow or block client IPs
tcp_wrappers=YES
# Enable passive mode and set the passive port range
pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410
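The two option pairs above that are easiest to get backwards are userlist_enable/userlist_deny and chroot_local_user/chroot_list_enable. The following Python sketch is an added example, not code from the original page or from the vsftpd project: it lints a config for trailing comments and evaluates both decisions. The sample config, user names and list contents are constructed, and it assumes booleans are spelled YES or NO as on this page.

```python
"""Added example: lint a vsftpd.conf and work out login and chroot decisions.
SAMPLE_CONF and the user names are constructed; only YES/NO spellings are handled."""
import re

# Built-in vsftpd defaults for the four options evaluated below.
DEFAULTS = {"userlist_enable": False, "userlist_deny": True,
            "chroot_local_user": False, "chroot_list_enable": False}

SAMPLE_CONF = """\
listen_port=21 # specified listening port
anonymous_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
"""


def parse_vsftpd_conf(text):
    """Return (options, problems). A directive is exactly option=value;
    '#' starts a comment only when it is the first character of a line."""
    options, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append((lineno, "not an option=value line"))
            continue
        if key != key.strip() or value != value.lstrip():
            problems.append((lineno, "space around '='"))
        if re.search(r"\s#", value):
            problems.append((lineno, "trailing comment is read as part of the value"))
        options[key.strip()] = value  # keep the value exactly as written
    return options, problems


def flag(options, name):
    """Boolean option value, falling back to the vsftpd default."""
    value = options.get(name)
    if value is None:
        return DEFAULTS[name]
    if value not in ("YES", "NO"):
        raise ValueError(f"{name}: bad boolean {value!r}")
    return value == "YES"


def login_allowed(options, user, user_list):
    """Decision taken from userlist_file before the password prompt.
    PAM, including /etc/vsftpd/ftpusers, is still checked afterwards."""
    if not flag(options, "userlist_enable"):
        return True
    listed = user in user_list
    # userlist_deny=YES: the file is a deny list; NO: it is an allow list.
    return (not listed) if flag(options, "userlist_deny") else listed


def is_chrooted(options, user, chroot_list):
    """chroot_list_file changes meaning with chroot_local_user."""
    chroot_all = flag(options, "chroot_local_user")
    if not flag(options, "chroot_list_enable"):
        return chroot_all
    listed = user in chroot_list
    # chroot_local_user=YES: listed users escape the chroot.
    # chroot_local_user=NO:  listed users are the only ones chrooted.
    return (not listed) if chroot_all else listed


if __name__ == "__main__":
    opts, problems = parse_vsftpd_conf(SAMPLE_CONF)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    user_list = {"root", "bin"}      # constructed contents of user_list
    chroot_list = {"admin"}          # constructed contents of chroot_list
    for deny in ("YES", "NO"):
        o = dict(opts, userlist_deny=deny)
        for user in ("mohan", "root"):
            print(f"userlist_deny={deny} {user}: login={login_allowed(o, user, user_list)}")
    for user in ("mohan", "admin"):
        print(f"{user}: chrooted={is_chrooted(opts, user, chroot_list)}")
```

Switching userlist_deny from YES to NO without rewriting user_list turns a deny list into an allow list, so review the file's contents whenever that option changes.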

Fourth, run
$ chkconfig vsftpd on
$ chkconfig --list vsftpd
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
$ /etc/init.d/vsftpd start

# Put SELinux into permissive mode until the next reboot ...
$ setenforce 0
# ... or disable it permanently (restart to take effect). Either choice removes SELinux confinement from every service on the host, not only vsftpd.
$ echo "SELINUX=disabled" > /etc/selinux/config

# Open port 21; port 20 for data will open automatically

$ iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

# Open the passive-mode port range
$ iptables -A INPUT -m state --state NEW -p tcp --dport 65400:65410 -j ACCEPT
$ useradd mohan -s /sbin/nologin
$ echo "mohan123" | passwd --stdin mohan

Fifth, check

Sixth, test an upload from a client

# Install the client
$ yum install -y ftp

Configuring FTP server and Restricting their access

Configuration FTP server:

VSFTPD is responsible for the FTP service.

open: /etc/vsftpd/vsftpd.conf

Change Configuration File: vsftpd.conf

###Allow anonymous FTP? (Beware – allowed by default if you comment this out).

# Prevent anonymous users from logging in

anonymous_enable=NO

### Restrict the ftp users to their home directories

chroot_local_user=YES

~~Save & Close

# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file

#### Restrict specific users to use ftp.

open: vi user_list

# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
# Users that are not allowed to login via ftp

Add the names of users who are not allowed ftp access.

Open: /etc/vsftpd/ftpusers

Users named in this file are denied ftp access; a user whose name is removed from it is allowed again.

~~Save & Close

##### Creating a group for ftp access and the home directory its members are restricted to:

# creating the group:

groupadd ftp-usrs

# creating the home directory:

mkdir /home/ftp-docs
man chmod
chmod 750 /home/ftp-docs
chown root:ftp-usrs /home/ftp-docs

# creating the users that belong to the group:

useradd -g ftp-usrs -d /home/ftp-docs f1
passwd f1

##### Restricting the sftp service to limited groups:

Open: /etc/ssh/sshd_config

These directives apply to every SSH login, sftp included. Use either the Deny form or the Allow form, not both: sshd denies a user or group that is named in both a Deny and an Allow directive.

#### Deny the users or groups that must not use the sftp protocol

# write:

DenyUsers alice f1
DenyGroups ftp-usrs

# Or allow only the listed users or groups

# write:

AllowUsers alice f1
AllowGroups ftp-usrs

~~Save & Close

Restart the ftp and sftp services

service vsftpd restart

/etc/init.d/sshd restart

Access the files through the restricted ftp and sftp services
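sshd evaluates the four access directives in a fixed order (DenyUsers, AllowUsers, DenyGroups, AllowGroups), and a login must pass every one that is set. The sketch below is an added example, not code from the original page or from OpenSSH: it applies that order to the directive lines shown above. The group memberships of alice and root are constructed, and it assumes plain names or * and ? wildcards only (no USER@HOST or negated patterns).

```python
"""Added example: evaluate sshd_config Allow/Deny directives for a login.
Group memberships below are constructed for illustration."""
from fnmatch import fnmatchcase

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

# All four lines from the page written into one sshd_config.
PAGE_BOTH = """\
DenyUsers alice f1
DenyGroups ftp-usrs
AllowUsers alice f1
AllowGroups ftp-usrs
"""

# Only the Allow form from the page.
PAGE_ALLOW_ONLY = """\
AllowUsers alice f1
AllowGroups ftp-usrs
"""


def parse_access_directives(config_text):
    """Collect the patterns of the four directives; repeated lines accumulate."""
    rules = {name: [] for name in ORDER}
    by_lower = {name.lower(): name for name in ORDER}  # keywords are case-insensitive
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = by_lower.get(parts[0].lower())
        if name:
            rules[name].extend(parts[1:])
    return rules


def _matches(patterns, names):
    return any(fnmatchcase(n, p) for p in patterns for n in names)


def ssh_login_decision(rules, user, groups):
    """Return (allowed, reason) using sshd's evaluation order."""
    if _matches(rules["DenyUsers"], [user]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not _matches(rules["AllowUsers"], [user]):
        return False, "not in AllowUsers"
    if _matches(rules["DenyGroups"], groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not _matches(rules["AllowGroups"], groups):
        return False, "not in AllowGroups"
    return True, "allowed"


# Constructed accounts: f1 was created in ftp-usrs on this page;
# the groups of alice and root are assumptions.
ACCOUNTS = {"f1": ["ftp-usrs"], "alice": ["alice"], "root": ["root"]}

if __name__ == "__main__":
    for label, text in (("both", PAGE_BOTH), ("allow only", PAGE_ALLOW_ONLY)):
        rules = parse_access_directives(text)
        for user, groups in ACCOUNTS.items():
            print(label, user, ssh_login_decision(rules, user, groups))
```

With the Allow form alone, every account not named, root and other administrators included, loses SSH access, so confirm a working admin login from a second session before restarting sshd.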

RedHat Enterprise Linux 6.6 with CentOS Apache

[root@oracledbserver ~]# yum install httpd* -y
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* extras: mirror.vodien.com
* updates: mirror.vastspace.net
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Package httpd-2.2.15-39.el6.centos.x86_64 already installed and latest version
Package httpd-tools-2.2.15-39.el6.centos.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package httpd-devel.x86_64 0:2.2.15-39.el6.centos will be installed
--> Processing Dependency: apr-util-devel for package: httpd-devel-2.2.15-39.el6.centos.x86_64
--> Processing Dependency: apr-devel for package: httpd-devel-2.2.15-39.el6.centos.x86_64
---> Package httpd-manual.noarch 0:2.2.15-39.el6.centos will be installed
--> Running transaction check
---> Package apr-devel.x86_64 0:1.3.9-5.el6_2 will be installed
---> Package apr-util-devel.x86_64 0:1.3.9-3.el6_0.1 will be installed
--> Processing Dependency: openldap-devel for package: apr-util-devel-1.3.9-3.el6_0.1.x86_64
--> Processing Dependency: expat-devel for package: apr-util-devel-1.3.9-3.el6_0.1.x86_64
--> Running transaction check
---> Package expat-devel.x86_64 0:2.0.1-11.el6_2 will be installed
---> Package openldap-devel.x86_64 0:2.4.39-8.el6 will be installed
--> Processing Dependency: cyrus-sasl-devel >= 2.1 for package: openldap-devel-2.4.39-8.el6.x86_64
--> Running transaction check
---> Package cyrus-sasl-devel.x86_64 0:2.1.23-15.el6_6.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
httpd-devel x86_64 2.2.15-39.el6.centos base 152 k
httpd-manual noarch 2.2.15-39.el6.centos base 785 k
Installing for dependencies:
apr-devel x86_64 1.3.9-5.el6_2 base 176 k
apr-util-devel x86_64 1.3.9-3.el6_0.1 base 69 k
cyrus-sasl-devel x86_64 2.1.23-15.el6_6.2 updates 303 k
expat-devel x86_64 2.0.1-11.el6_2 base 120 k
openldap-devel x86_64 2.4.39-8.el6 base 1.1 M

Transaction Summary
============================================================================================================================================================================================================
Install 7 Package(s)

Total download size: 2.7 M
Installed size: 12 M
Downloading Packages:
(1/7): apr-devel-1.3.9-5.el6_2.x86_64.rpm | 176 kB 00:00
(2/7): apr-util-devel-1.3.9-3.el6_0.1.x86_64.rpm | 69 kB 00:00
(3/7): cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64.rpm | 303 kB 00:00
(4/7): expat-devel-2.0.1-11.el6_2.x86_64.rpm | 120 kB 00:00
(5/7): httpd-devel-2.2.15-39.el6.centos.x86_64.rpm | 152 kB 00:00
(6/7): httpd-manual-2.2.15-39.el6.centos.noarch.rpm | 785 kB 00:00
(7/7): openldap-devel-2.4.39-8.el6.x86_64.rpm | 1.1 MB 00:01
--------------------------------------------------------------------------------
Total 424 kB/s | 2.7 MB 00:06
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : apr-devel-1.3.9-5.el6_2.x86_64 1/7
Installing : expat-devel-2.0.1-11.el6_2.x86_64 2/7
Installing : cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64 3/7
Installing : openldap-devel-2.4.39-8.el6.x86_64 4/7
Installing : apr-util-devel-1.3.9-3.el6_0.1.x86_64 5/7
Installing : httpd-devel-2.2.15-39.el6.centos.x86_64 6/7
Installing : httpd-manual-2.2.15-39.el6.centos.noarch 7/7
Verifying : apr-devel-1.3.9-5.el6_2.x86_64 1/7
Verifying : openldap-devel-2.4.39-8.el6.x86_64 2/7
Verifying : cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64 3/7
Verifying : apr-util-devel-1.3.9-3.el6_0.1.x86_64 4/7
Verifying : expat-devel-2.0.1-11.el6_2.x86_64 5/7
Verifying : httpd-manual-2.2.15-39.el6.centos.noarch 6/7
Verifying : httpd-devel-2.2.15-39.el6.centos.x86_64 7/7

Installed:
httpd-devel.x86_64 0:2.2.15-39.el6.centos httpd-manual.noarch 0:2.2.15-39.el6.centos

Dependency Installed:
apr-devel.x86_64 0:1.3.9-5.el6_2 apr-util-devel.x86_64 0:1.3.9-3.el6_0.1 cyrus-sasl-devel.x86_64 0:2.1.23-15.el6_6.2 expat-devel.x86_64 0:2.0.1-11.el6_2 openldap-devel.x86_64 0:2.4.39-8.el6

Complete!
[root@oracledbserver ~]#

[root@oracledbserver ~]# /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]

[root@oracledbserver ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.61 oracledbserver.rmohan.com oracledbserver

Next, set your own publishing directory (if you do not set one, the default directory is /var/www/html/)

vi /etc/httpd/conf/httpd.conf

#ServerName www.example.com:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
#DocumentRoot "/var/www/html"
DocumentRoot "/home/mohan"

vi /home/mohan/index.html

Welcome to test page of mohan

[root@oracledbserver mohan]# /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 293 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[FAILED]
SELinux does not give httpd enough permission on this directory, so it needs the security context that the default directory has:

Install the software used to modify security contexts:

[root@oracledbserver home]# yum install policycore* -y
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.vodien.com
* extras: mirror.vodien.com
* updates: mirror.vastspace.net
Package policycoreutils-2.0.83-19.47.el6_6.1.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package policycoreutils-gui.x86_64 0:2.0.83-19.47.el6_6.1 will be installed
--> Processing Dependency: setools-console for package: policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: gtkhtml2 for package: policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: gnome-python2-gtkhtml2 for package: policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64
---> Package policycoreutils-newrole.x86_64 0:2.0.83-19.47.el6_6.1 will be installed
---> Package policycoreutils-python.x86_64 0:2.0.83-19.47.el6_6.1 will be installed
--> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: audit-libs-python >= 1.4.2-1 for package: policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: setools-libs-python for package: policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64
---> Package policycoreutils-sandbox.x86_64 0:2.0.83-19.47.el6_6.1 will be installed
--> Processing Dependency: xorg-x11-server-Xephyr for package: policycoreutils-sandbox-2.0.83-19.47.el6_6.1.x86_64
--> Processing Dependency: matchbox-window-manager for package: policycoreutils-sandbox-2.0.83-19.47.el6_6.1.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.3.7-5.el6 will be installed
---> Package gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6 will be installed
---> Package gtkhtml2.x86_64 0:2.11.1-7.el6 will be installed
---> Package libcgroup.x86_64 0:0.40.rc1-15.el6_6 will be installed
---> Package libsemanage-python.x86_64 0:2.0.43-4.2.el6 will be installed
---> Package matchbox-window-manager.x86_64 0:1.2-6.20070628svn.1.el6 will be installed
--> Processing Dependency: libmb.so.1()(64bit) for package: matchbox-window-manager-1.2-6.20070628svn.1.el6.x86_64
---> Package setools-console.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-libs = 3.3.7-4.el6 for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4(VERS_4.0)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4(VERS_4.1)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.5)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.3)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.2)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.1)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
---> Package setools-libs-python.x86_64 0:3.3.7-4.el6 will be installed
---> Package xorg-x11-server-Xephyr.x86_64 0:1.15.0-26.el6.centos.0.1 will be installed
--> Processing Dependency: xorg-x11-server-common >= 1.15.0-26.el6.centos.0.1 for package: xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64
--> Processing Dependency: libxcb-keysyms.so.1()(64bit) for package: xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64
--> Processing Dependency: libxcb-image.so.0()(64bit) for package: xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64
--> Processing Dependency: libxcb-icccm.so.4()(64bit) for package: xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64
--> Running transaction check
---> Package libmatchbox.x86_64 0:1.9-6.1.el6 will be installed
---> Package setools-libs.x86_64 0:3.3.7-4.el6 will be installed
---> Package xcb-util-image.x86_64 0:0.3.9-4.el6 will be installed
---> Package xcb-util-keysyms.x86_64 0:0.3.9-5.el6 will be installed
---> Package xcb-util-wm.x86_64 0:0.3.9-5.el6 will be installed
---> Package xorg-x11-server-common.x86_64 0:1.15.0-26.el6.centos will be updated
---> Package xorg-x11-server-common.x86_64 0:1.15.0-26.el6.centos.0.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
policycoreutils-gui x86_64 2.0.83-19.47.el6_6.1 updates 211 k
policycoreutils-newrole x86_64 2.0.83-19.47.el6_6.1 updates 114 k
policycoreutils-python x86_64 2.0.83-19.47.el6_6.1 updates 346 k
policycoreutils-sandbox x86_64 2.0.83-19.47.el6_6.1 updates 113 k
Installing for dependencies:
audit-libs-python x86_64 2.3.7-5.el6 base 62 k
gnome-python2-gtkhtml2 x86_64 2.25.3-20.el6 base 22 k
gtkhtml2 x86_64 2.11.1-7.el6 base 154 k
libcgroup x86_64 0.40.rc1-15.el6_6 updates 129 k
libmatchbox x86_64 1.9-6.1.el6 base 46 k
libsemanage-python x86_64 2.0.43-4.2.el6 base 81 k
matchbox-window-manager x86_64 1.2-6.20070628svn.1.el6 base 97 k
setools-console x86_64 3.3.7-4.el6 base 328 k
setools-libs x86_64 3.3.7-4.el6 base 400 k
setools-libs-python x86_64 3.3.7-4.el6 base 222 k
xcb-util-image x86_64 0.3.9-4.el6 base 12 k
xcb-util-keysyms x86_64 0.3.9-5.el6 base 8.9 k
xcb-util-wm x86_64 0.3.9-5.el6 base 21 k
xorg-x11-server-Xephyr x86_64 1.15.0-26.el6.centos.0.1 updates 884 k
Updating for dependencies:
xorg-x11-server-common x86_64 1.15.0-26.el6.centos.0.1 updates 50 k

Transaction Summary
============================================================================================================================================================================================================
Install 18 Package(s)
Upgrade 1 Package(s)

Total download size: 3.2 M
Downloading Packages:

(1/19): audit-libs-python-2.3.7-5.el6.x86_64.rpm | 62 kB 00:00
(2/19): gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64.rpm | 22 kB 00:00
(3/19): gtkhtml2-2.11.1-7.el6.x86_64.rpm | 154 kB 00:00
http://mirror.vastspace.net/centos/6.6/updates/x86_64/Packages/libcgroup-0.40.rc1-15.el6_6.x86_64.rpm: [Errno 12] Timeout on http://mirror.vastspace.net/centos/6.6/updates/x86_64/Packages/libcgroup-0.40.rc1-15.el6_6.x86_64.rpm: (28, 'Operation too slow. Less than 1 bytes/sec transfered the last 30 seconds')
Trying other mirror.
(4/19): libcgroup-0.40.rc1-15.el6_6.x86_64.rpm | 129 kB 00:00
(5/19): libmatchbox-1.9-6.1.el6.x86_64.rpm | 46 kB 00:00
(6/19): libsemanage-python-2.0.43-4.2.el6.x86_64.rpm | 81 kB 00:00
(7/19): matchbox-window-manager-1.2-6.20070628svn.1.el6. | 97 kB 00:00
(8/19): policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64. | 211 kB 00:00
(9/19): policycoreutils-newrole-2.0.83-19.47.el6_6.1.x86 | 114 kB 00:00
(10/19): policycoreutils-python-2.0.83-19.47.el6_6.1.x86 | 346 kB 00:00
(11/19): policycoreutils-sandbox-2.0.83-19.47.el6_6.1.x8 | 113 kB 00:00
(12/19): setools-console-3.3.7-4.el6.x86_64.rpm | 328 kB 00:00
(13/19): setools-libs-3.3.7-4.el6.x86_64.rpm | 400 kB 00:00
(14/19): setools-libs-python-3.3.7-4.el6.x86_64.rpm | 222 kB 00:00
(15/19): xcb-util-image-0.3.9-4.el6.x86_64.rpm | 12 kB 00:00
(16/19): xcb-util-keysyms-0.3.9-5.el6.x86_64.rpm | 8.9 kB 00:00
(17/19): xcb-util-wm-0.3.9-5.el6.x86_64.rpm | 21 kB 00:00
(18/19): xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1 | 884 kB 00:00
(19/19): xorg-x11-server-common-1.15.0-26.el6.centos.0.1 | 50 kB 00:00
--------------------------------------------------------------------------------
Total 76 kB/s | 3.2 MB 00:43
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : setools-libs-3.3.7-4.el6.x86_64 1/20
Installing : gtkhtml2-2.11.1-7.el6.x86_64 2/20
Installing : gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64 3/20
Installing : setools-libs-python-3.3.7-4.el6.x86_64 4/20
Installing : setools-console-3.3.7-4.el6.x86_64 5/20
Installing : libcgroup-0.40.rc1-15.el6_6.x86_64 6/20
Installing : libmatchbox-1.9-6.1.el6.x86_64 7/20
Installing : matchbox-window-manager-1.2-6.20070628svn.1.el6.x86_64 8/20
Installing : libsemanage-python-2.0.43-4.2.el6.x86_64 9/20
Installing : audit-libs-python-2.3.7-5.el6.x86_64 10/20
Installing : policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64 11/20
Installing : xcb-util-image-0.3.9-4.el6.x86_64 12/20
Installing : xcb-util-wm-0.3.9-5.el6.x86_64 13/20
Updating : xorg-x11-server-common-1.15.0-26.el6.centos.0.1.x86_64 14/20
Installing : xcb-util-keysyms-0.3.9-5.el6.x86_64 15/20
Installing : xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64 16/20
Installing : policycoreutils-sandbox-2.0.83-19.47.el6_6.1.x86_64 17/20
Installing : policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64 18/20
Installing : policycoreutils-newrole-2.0.83-19.47.el6_6.1.x86_64 19/20
Cleanup : xorg-x11-server-common-1.15.0-26.el6.centos.x86_64 20/20
Verifying : xcb-util-keysyms-0.3.9-5.el6.x86_64 1/20
Verifying : policycoreutils-gui-2.0.83-19.47.el6_6.1.x86_64 2/20
Verifying : xorg-x11-server-common-1.15.0-26.el6.centos.0.1.x86_64 3/20
Verifying : policycoreutils-newrole-2.0.83-19.47.el6_6.1.x86_64 4/20
Verifying : setools-libs-python-3.3.7-4.el6.x86_64 5/20
Verifying : xcb-util-wm-0.3.9-5.el6.x86_64 6/20
Verifying : gtkhtml2-2.11.1-7.el6.x86_64 7/20
Verifying : xorg-x11-server-Xephyr-1.15.0-26.el6.centos.0.1.x86_64 8/20
Verifying : xcb-util-image-0.3.9-4.el6.x86_64 9/20
Verifying : setools-console-3.3.7-4.el6.x86_64 10/20
Verifying : setools-libs-3.3.7-4.el6.x86_64 11/20
Verifying : matchbox-window-manager-1.2-6.20070628svn.1.el6.x86_64 12/20
Verifying : gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64 13/20
Verifying : policycoreutils-python-2.0.83-19.47.el6_6.1.x86_64 14/20
Verifying : audit-libs-python-2.3.7-5.el6.x86_64 15/20
Verifying : libsemanage-python-2.0.43-4.2.el6.x86_64 16/20
Verifying : libmatchbox-1.9-6.1.el6.x86_64 17/20
Verifying : policycoreutils-sandbox-2.0.83-19.47.el6_6.1.x86_64 18/20
Verifying : libcgroup-0.40.rc1-15.el6_6.x86_64 19/20
Verifying : xorg-x11-server-common-1.15.0-26.el6.centos.x86_64 20/20

Installed:
policycoreutils-gui.x86_64 0:2.0.83-19.47.el6_6.1
policycoreutils-newrole.x86_64 0:2.0.83-19.47.el6_6.1
policycoreutils-python.x86_64 0:2.0.83-19.47.el6_6.1
policycoreutils-sandbox.x86_64 0:2.0.83-19.47.el6_6.1

Dependency Installed:
audit-libs-python.x86_64 0:2.3.7-5.el6
gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6
gtkhtml2.x86_64 0:2.11.1-7.el6
libcgroup.x86_64 0:0.40.rc1-15.el6_6
libmatchbox.x86_64 0:1.9-6.1.el6
libsemanage-python.x86_64 0:2.0.43-4.2.el6
matchbox-window-manager.x86_64 0:1.2-6.20070628svn.1.el6
setools-console.x86_64 0:3.3.7-4.el6
setools-libs.x86_64 0:3.3.7-4.el6
setools-libs-python.x86_64 0:3.3.7-4.el6
xcb-util-image.x86_64 0:0.3.9-4.el6
xcb-util-keysyms.x86_64 0:0.3.9-5.el6
xcb-util-wm.x86_64 0:0.3.9-5.el6
xorg-x11-server-Xephyr.x86_64 0:1.15.0-26.el6.centos.0.1

Dependency Updated:
xorg-x11-server-common.x86_64 0:1.15.0-26.el6.centos.0.1

Complete!

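Modify the security context of /home/mohan. Note that the pattern used here matches everything under /home, not only /home/mohan, so every user's home directory is relabelled as web content, as the restorecon output shows:

semanage fcontext -a -t httpd_sys_content_t '/home(/.*)?'

[root@oracledbserver home]# semanage fcontext -a -t httpd_sys_content_t '/home(/.*)?'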

restorecon -RvvF /home/

[root@oracledbserver home]# restorecon -RvvF /home/
restorecon reset /home/mohan context unconfined_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.gnome2 context unconfined_u:object_r:gnome_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.mozilla context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.mozilla/extensions context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.mozilla/plugins context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.bashrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.bash_logout context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohan/.bash_profile context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle context unconfined_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.gnome2 context unconfined_u:object_r:gnome_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.mozilla context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.mozilla/extensions context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.mozilla/plugins context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.bashrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.kshrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.bash_logout context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/oracle/.bash_profile context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm context unconfined_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.gnome2 context unconfined_u:object_r:gnome_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.mozilla context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.mozilla/extensions context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.mozilla/plugins context unconfined_u:object_r:mozilla_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.bash_history context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.bashrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.kshrc context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.bash_logout context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mqm/.bash_profile context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohanweb context unconfined_u:object_r:home_root_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/mohanweb/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
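The restorecon output above is worth checking against the intended document root before the change is accepted. The sketch below is an added example, not part of the original page: it parses "restorecon reset" lines and reports which paths received the web content type outside the DocumentRoot, and which dotfiles inside it are now labelled as web content. The six log lines are copied from the output above; the function names are hypothetical, and paths containing spaces are not handled.

```python
"""Added example: measure how far a restorecon relabel reached.
PAGE_LOG holds six lines copied from the output shown on this page."""
import re
from pathlib import PurePosixPath

RESET = re.compile(
    r"^restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$")

_CTX = "unconfined_u:object_r:{}:s0->system_u:object_r:httpd_sys_content_t:s0"
PAGE_LOG = "\n".join([
    "restorecon reset /home/mohan context " + _CTX.format("user_home_dir_t"),
    "restorecon reset /home/mohan/.bashrc context " + _CTX.format("user_home_t"),
    "restorecon reset /home/mohan/index.html context " + _CTX.format("user_home_t"),
    "restorecon reset /home/oracle context " + _CTX.format("user_home_dir_t"),
    "restorecon reset /home/oracle/.bash_profile context " + _CTX.format("user_home_t"),
    "restorecon reset /home/mqm/.bash_history context " + _CTX.format("user_home_t"),
])


def parse_resets(log):
    """Return [(path, old_type, new_type)] for each 'restorecon reset' line.
    A context is user:role:type:level, so the type is the third field."""
    resets = []
    for line in log.splitlines():
        m = RESET.match(line.strip())
        if m:
            resets.append((m["path"],
                           m["old"].split(":")[2],
                           m["new"].split(":")[2]))
    return resets


def relabel_report(log, docroot, web_type="httpd_sys_content_t"):
    """Split relabelled paths into those outside the document root and
    dotfiles inside it that now carry the web content type."""
    root = PurePosixPath(docroot)
    outside, dotfiles = [], []
    for path, _old, new in parse_resets(log):
        if new != web_type:
            continue
        p = PurePosixPath(path)
        if p == root:
            continue
        if root not in p.parents:
            outside.append(path)
        elif any(part.startswith(".") for part in p.relative_to(root).parts):
            dotfiles.append(path)
    return {"outside_docroot": outside, "dotfiles_in_docroot": dotfiles}


if __name__ == "__main__":
    report = relabel_report(PAGE_LOG, "/home/mohan")
    for kind, paths in report.items():
        print(kind)
        for path in paths:
            print("  ", path)
```

A rule scoped to the document root alone would keep the other users' home directories out of the first list; placing the site in a dedicated directory instead of a login home would empty the second.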

http://192.168.1.61

Welcome to test page of mohan

WORDPRESS VS JOOMLA VS DRUPAL + CMS “COMPARISON CHART”

WordPress, Joomla and Drupal have established themselves as the leaders for online content management systems.

To be honest, they are all incredible systems, and can make creating a website quick and easy, no matter how little one knows about computers and technology. Even better, they are all open source, which means they are all FREE to use.

Choosing which system to use can be difficult, but it is an important choice to make. For most people, once they’ve started with one, they won’t want to change, so let’s take a few minutes to review each of these three content management systems to see which one is right for you.

Let’s compare those three:

WordPress – Best pick for beginners, works well for small to medium sized websites & blogs.
Joomla – Good for E-commerce type of sites, but requires at least some level of technical coding.
Drupal – The most difficult one, but also the most powerful CMS.

[Image: CMS comparison chart]

… and now for the more in-depth review

WordPress
WordPress is the world’s most popular content management system. It started out as a platform exclusively for blogging, but has grown and advanced significantly over the years. Today, over 40% of sites using CMSs are using WordPress. In addition, over 60 million websites are using WordPress, which shows just how popular it is. WordPress offers many advantages to those looking to create a website or a blog, including the following:

Easy to Install – Many web hosting companies (also Bluehost) offer automatic installation of WordPress sites, which means you can have a new site up and running in well under five minutes. Even with manual installation, you can create a new site in less than an hour.
Customizable – WordPress has significantly more plug-ins, themes and other customizations available for it than any other CMS. This is largely because it is the most popular, so the designers of these items almost always create them for WordPress.
Free – WordPress is free to install and use for anyone who wants it. There are thousands of free plug-ins and themes available to choose from. In addition, there are also paid premium themes and plug-ins, which some people will want to use, but they are not required, especially not for beginners.
Community Support – With millions of people using WordPress, there are a lot of people out there to help you through any problems you may have. Several websites are set up by users offering free support to other WordPress website owners. If you have some time, you can check out their support forum where contributors can help you within minutes. Awesome, right?
Of course, WordPress isn’t perfect in every way. Some common complaints about WordPress are that if the site grows too large, it can require significant server resources to keep up. The framework of WordPress is also difficult to change, so those looking to make back-end changes to their websites may have some trouble using WordPress.

These concerns are much more significant for sites that start getting hundreds of thousands of visitors per day, at which point a more robust server may be required to run the page. However, for a beginner, this is probably the most suitable platform to build a site.

Drupal
Drupal is the second most popular content management system available today. It is a fully open source program, which many people prefer, especially those who are more technically minded.

The Drupal platform is extremely powerful, and is less resource intensive than that of WordPress. Drupal can be set up for anything from a simple blog to a content portal used by large corporations. Some of the most significant benefits to Drupal include the following:

Technically Advanced – Drupal is the most technically advanced of these three content management systems. It doesn’t use nearly as many system resources as WordPress, so people won’t have to worry about upgrading to a more expensive hosting option as quickly.
Improved Performance – Drupal pages typically load more quickly, and have faster response times than those made with WordPress or Joomla. Of course, as you add in plug-ins and make other changes, this can quickly change.
Customizable – Drupal is easy to customize with many different plug-ins, themes and other configurable options. For those with sufficient programming knowledge, it is possible to edit even the root files of the program, making it the most flexible of the three content management systems.
Free – You can download the Drupal software for free, and install it on your own hosting server. There is no option to have a website hosted on Drupal servers, however, so you will need web hosting available to run the site. You’ll also need your own domain name, which typically costs some money.
Drupal is the most powerful content management system out of the box, but with that power comes some additional difficulties for the website owner.

Having at least basic knowledge of HTML, PHP and other common web programming languages is highly recommended for anyone considering using Drupal. You don’t need to be an expert, but being able to troubleshoot error messages, and identify problems with coding will be a significant benefit.

If your website grows beyond a basic blog or small business page, you’ll likely require some technical support to run it properly. If you don’t have those skills yourself, that may mean you need to hire someone, or outsource the support of your page. Another potential concern is that since Drupal requires some in depth knowledge of the programming and technology behind it, finding support can be more difficult. If you run into a problem, you may have to pay someone to log on and help you fix it.

Joomla
Joomla is often thought of as the compromise between WordPress and Drupal. It is a powerful content management system, which can run smoothly on most web servers without any problems. It doesn’t require the same level of technical experience to run as Drupal, but it still offers many of the extra features. Like Drupal and WordPress, Joomla does have a lot of plug-ins and themes available to choose from, so you can customize your site to look and function in any way you desire. Other reasons people choose Joomla include:

Social Networking – This is perhaps the biggest benefit of Joomla. Of the three, Joomla makes it the easiest to create social networks. Social networks can be a powerful asset for many sites, and with Joomla, you can have one up and running extremely quickly and easily.
Commerce Sites – If you want to set up an online store, that is also very simple with Joomla. While it is certainly possible with Drupal and WordPress, Joomla makes it faster and easier, and has more native support for these types of things.
Not too Technical – Joomla has, in many people’s opinion, found that middle ground between the ease of managing a WordPress website, and the power of a Drupal site. Most people will be able to run a great Joomla site without any significant technical support, though there may be some issues which you’ll need to reach out for help on.
Help Portal – Joomla offers a great help portal for asking questions and getting technical support. It isn’t going to be as fast or extensive as the community based support pages of WordPress, but it is quicker (and cheaper) than technical support most people get for Drupal.
Free – Like Drupal, Joomla is free to use on your own web servers, but there is no option to have it hosted for free like WordPress offers.
Many Joomla users love Joomla because it is powerful, yet easy to use. Joomla has done an excellent job at combining the benefits of WordPress and Drupal, and adding in some great features of its own. It has been growing in popularity over the past several years, and it is likely to continue to do so. Joomla seems to have found a big market of people who are ready for something a little more powerful than WordPress, but easier to manage than Drupal.

Making your choice
Fans of each of these three content management systems will argue fiercely that the one they prefer is the best option out there.

The fact is, each situation will require something different, and taking the time to look at all your options is the best way to go. For those looking to set up a small, personal blog, or a website for their small business, WordPress is likely the way to go.

If you’re setting up a site which you believe will grow rapidly from day one, and require extensive features for the users, Drupal may be more in line with what you need. Joomla is great for those somewhere in the middle, or anyone looking to add social networking to their pages.

It isn’t an easy choice to make, but if you take the time to look at your specific needs, and have an honest look at your own technical abilities (or your willingness to pay for technical support), you can make the right choice.

Is it possible to migrate from one to another?

If you feel you’re on the wrong content management system for your specific needs, it is possible to migrate from one to another. In most cases, this can be done fairly easily without too much hassle. Of course, whenever making major changes to a website like switching CMS’s, it is important to make sure you have the time and expertise available to help you through any problems you happen to run into.

My favourite is WordPress…

I’ll be honest. I like WordPress. My own site (the one you are currently reading) is also built on WordPress. As you can see, it doesn’t look bad at all. I really like the fact that it’s so easy to add new content, it has security updates, there are tons of free plugins and layouts I can choose from and I can easily change and tweak basically anything I want to without needing to know much about CSS, HTML etc…

If you are just starting out, go with WordPress. Once your website is big enough (tons of posts and truckloads of visitors), it’s perhaps time to move on to a more robust system, such as Joomla or Drupal, but it’s not essential.

Boot Into Single User Mode (Reset Root Password)

To reset the root password of your server, you will need to boot into single user mode.

Access the Manage section of your server in the customer portal and follow these steps. The option depends on the bootloader version on the machine:

CentOS 6

  1. Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
  2. You will see a GRUB boot prompt telling you to press any key – you have only a few seconds to press a key to stop the automated booting process. (If you miss this prompt you will need to restart the VM again)
  3. At the GRUB prompt, type “a” to append to the boot command.
  4. Add the text “single” and press enter.
  5. System will boot and you will see the root prompt. Type “passwd” to change the root password and then reboot again.

Debian, Ubuntu, CentOS 7

  1. Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
  2. As soon as the boot process starts, press ESC to bring up the GRUB boot prompt. You may need to turn the system off from the control panel and then back on to reach the GRUB boot prompt.
  3. You will see a GRUB boot prompt – press “e” to edit the first boot option. (If you do not see the GRUB prompt, you may need to press any key to bring it up before the machine boots)
  4. Find the kernel line (starts with “linux /boot/”) and add init="/bin/bash" at the end of the line.
  5. Press CTRL-X or F10 to boot.
  6. System will boot and you will see the root prompt. Type “mount -rw -o remount /” and then “passwd” to change the root password and then reboot again.

FreeBSD

The boot menu has an option to boot into single user mode. Press the key for single user mode (2). At the root prompt, type “passwd” to change the root password and then reboot again.

CoreOS

CoreOS by default uses SSH key authentication. On Vultr, a root user and password are created. If an SSH key is selected when creating the VPS, this SSH key can be used to log in as user “core”.

It is possible to reset the standard root login by executing “sudo passwd” as user “core”. Log in as “core” using the SSH key first.

If you lost your SSH key, then you can log in as the “core” user by editing the grub loader. Follow these steps:

  1. Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
  2. You will see a GRUB boot prompt – press “e” to edit the first boot option. (If you do not see the GRUB prompt, you may need to press any key to bring it up before the machine boots)
  3. At the end of the line that begins with “linux$” add “ coreos.autologin=tty1” (no quotes).
  4. Press CTRL-X or F10 to boot. You will be logged in as “core” when the system boots.
  5. Remember to reboot your server after you have reset your login.

The WebLogic Admin Server 11g just hangs upon startup

Problem:

Due to our disk space having filled up, I shut down the Oracle WebLogic AdminServer 11g (11.1.1.3), cleared some logs, and restarted it.

However, when I start it up, it just stops at the entry below. No movement in the log whatsoever, and nothing is happening on the server.

oracle@oradev:/u01/app/oracle/middleware/user_projects/domains/soa_domain/bin> ./startWebLogic.sh
*****************************************************
** Setting up SOA specific environment…
*****************************************************
EXTRA_JAVA_PROPERTIES= -da:org.apache.xmlbeans…
.
LD_LIBRARY_PATH=/u01/app/oracle/middleware/patch_wls1033/profiles/default/native:/u01/app/oracle/middleware/Oracle_SOA1/lib:/u01/app/oracle/middleware/wlserver_10.3/server/native/linux/x86_64:/u01/app/oracle/middleware/wlserver_10.3/server/native/linux/x86_64/oci920_8:/u01/app/oracle/middleware/Oracle_SOA1/soa/thirdparty/edifecs/XEngine/bin
.
USER_MEM_ARGS=-Xms768m -Xmx768m -XX:PermSize=256m -XX:MaxPermSize=512m
.
*****************************************************
** End SOA specific environment setup
*****************************************************
.
.
JAVA Memory arguments: -Xms768m -Xmx768m -XX:PermSize=256m -XX:MaxPermSize=512m
.
WLS Start Mode=Production
.
CLASSPATH=/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/user-patch.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/soa-startup.jar::/u01/app/oracle/middleware/patch_wls1033/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/app/oracle/jdk1.6.0_21/lib/tools.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic.jar:/u01/app/oracle/middleware/modules/features/weblogic.server.modules_10.3.3.0.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/webservices.jar:/u01/app/oracle/middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/u01/app/oracle/middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/oracle.soa.common.adapters_11.1.1/oracle.soa.common.adapters.jar:/u01/app/oracle/middleware/oracle_common/soa/modules/commons-cli-1.1.jar:/u01/app/oracle/middleware/oracle_common/soa/modules/oracle.soa.mgmt_11.1.1/soa-infra-mgmt.jar:/u01/app/oracle/middleware/oracle_common/modules/oracle.xdk_11.1.0/xsu12.jar:/u01/app/oracle/middleware/modules/features/weblogic.server.modules.xquery_10.3.1.0.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/db2jcc4.jar:/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/soa-infra:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/fabric-url-handler_11.1.1.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/quartz-all-1.6.5.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/oracle.soa.fabric_11.1.1/oracle.soa.fabric.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/oracle.soa.adapter_11.1.1/oracle.soa.adapter.jar:/u01/app/oracle/middleware/Oracle_SOA1/soa/modules/oracle.soa.b2b_11.1.1/oracle.soa.b2b.jar:/u01/app/oracle/middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf.jar:/u01/app/oracle/middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/u01/app/oracle/middleware/wlserver_10.3/server/lib/xqrl.jar:/u01/app/oracle/middleware/Oracle_SOA1/lib:/u01/app/oracle/middleware/jdk160_18/lib
.
PATH=/u01/app/oracle/middleware/wlserver_10.3/server/bin:/u01/app/oracle/middleware/modules/org.apache.ant_1.7.1/bin:/u01/app/oracle/jdk1.6.0_21/jre/bin:/u01/app/oracle/jdk1.6.0_21/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:.
.
***************************************************
*  To start WebLogic Server, use a username and   *
*  password assigned to an admin-level user.  For *
*  server administration, use the WebLogic Server *
*  console at http://hostname:port/console        *
***************************************************
starting weblogic with Java version:
java version "1.6.0_21"
Java(TM) SE Runtime Environment (build 1.6.0_21-b06)
Java HotSpot(TM) 64-Bit Server VM (build 17.0-b16, mixed mode)
Starting WLS with line:
/u01/app/oracle/jdk1.6.0_21/bin/java -server   -Xms768m -Xmx768m -XX:PermSize=256m -XX:MaxPermSize=512m -Dweblogic.Name=AdminServer -Djava.security.policy=/u01/app/oracle/middleware/wlserver_10.3/server/lib/weblogic.policy  -Dweblogic.ProductionModeEnabled=true   -da -Dplatform.home=/u01/app/oracle/middleware/wlserver_10.3 -Dwls.home=/u01/app/oracle/middleware/wlserver_10.3/server -Dweblogic.home=/u01/app/oracle/middleware/wlserver_10.3/server  -Ddomain.home=/u01/app/oracle/middleware/user_projects/domains/soa_domain -Dcommon.components.home=/u01/app/oracle/middleware/oracle_common -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Djrockit.optfile=/u01/app/oracle/middleware/oracle_common/modules/oracle.jrf_11.1.1/jrocket_optfile.txt -Doracle.domain.config.dir=/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig -Doracle.server.config.dir=/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig/servers/AdminServer -Doracle.security.jps.config=/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig/jps-config.xml -Djava.protocol.handler.pkgs=oracle.mds.net.protocol  -Digf.arisidbeans.carmlloc=/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig/carml  -Digf.arisidstack.home=/u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig/arisidprovider -Dweblogic.alternateTypesDirectory=/u01/app/oracle/middleware/Oracle_SOA1/modules/oracle.ossoiap_11.1.1,/u01/app/oracle/middleware/Oracle_SOA1/modules/oracle.oamprovider_11.1.1  -Dweblogic.jdbc.remoteEnabled=true -Doracle.security.jps.policy.migration.validate.principal=false  -da:org.apache.xmlbeans… -Dsoa.archives.dir=/u01/app/oracle/middleware/Oracle_SOA1/soa -Dsoa.oracle.home=/u01/app/oracle/middleware/Oracle_SOA1 -Dsoa.instance.home=/u01/app/oracle/middleware/user_projects/domains/soa_domain -Dtangosol.coherence.clusteraddress=227.7.7.8 
-Dtangosol.coherence.clusterport=9778 -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dcom.sun.management.jmxremote -Djava.protocol.handler.pkgs=oracle.mds.net.protocol|oracle.fabric.common.classloaderurl.handler|oracle.fabric.common.uddiurl.handler|oracle.bpm.io.fs.protocol -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Djavax.net.ssl.trustStore=/u01/app/oracle/middleware/wlserver_10.3/server/lib/DemoTrust.jks -Dem.oracle.home=/u01/app/oracle/middleware/oracle_common -Djava.awt.headless=true -Dbam.oracle.home=/u01/app/oracle/middleware/Oracle_SOA1 -Dums.oracle.home=/u01/app/oracle/middleware/Oracle_SOA1 -Dweblogic.management.discover=true  -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/u01/app/oracle/middleware/patch_wls1033/profiles/default/sysext_manifest_classpath  weblogic.Server
<Dec 22, 2010 2:46:25 PM EST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 17.0-b16 from Sun Microsystems Inc.>
<Dec 22, 2010 2:46:26 PM EST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.3.0  Fri Apr 9 00:05:28 PDT 2010 1321401 >
<Dec 22, 2010 2:46:30 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Dec 22, 2010 2:46:30 PM EST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Dec 22, 2010 2:46:30 PM EST> <Notice> <Log Management> <BEA-170019> <The server log file /u01/app/oracle/middleware/user_projects/domains/soa_domain/servers/AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>

Solution:

I worked with an Oracle Support analyst and we reset some passwords and were able to bring up the server again. I am somewhat convinced that this was related to our disk being full.

This is what we proceeded to do:

1. Shut down the Admin Server

2. Remove the “cache”, “data”, and “tmp” folders from the server AdminServer location

rm -rf /u01/app/oracle/middleware/user_projects/domains/soa_domain/servers/AdminServer/cache

rm -rf /u01/app/oracle/middleware/user_projects/domains/soa_domain/servers/AdminServer/data

rm -rf /u01/app/oracle/middleware/user_projects/domains/soa_domain/servers/AdminServer/tmp

This did not solve our problem.

3. Reset the weblogic password by running this command:

java weblogic.security.utils.AdminAccount weblogic welcome1 .

… and resetting the password in:

./servers/AdminServer/security/boot.properties

This partially resolved the problem.

4. We noticed that the “system-jazn-data.xml” file was zero bytes in size:

ll /u01/app/oracle/middleware/user_projects/domains/soa_domain/config/fmwconfig

-rw-r----- 1 oracle ldba      0 Dec 21 20:49 system-jazn-data.xml

I copied the file from a separate server, and the Admin Server now started up.

The question remains… why was the “system-jazn-data.xml” file zero bytes?

Most likely when the disk was full, some process was probably trying to save to it but was unable to, thus blanking out the file. This is my only explanation for this.

Also, since the “system-jazn-data.xml” file that I copied over was not exactly identical, I had to recreate some user accounts.

Applicable Versions:

  • Oracle WebLogic Server 11g (10.3.3)
  • Oracle SOA Suite 11g (11.1.1.3)

 

 

Reset the AdminServer Password in WebLogic 11g and 12c

If you forget the AdminServer password for your WebLogic 11g domain, you can reset it from the command line using the following process.

  • Set up the following environment variables. They are not necessary for the process itself, but will help you navigate. In this case my domain is called “ClassicDomain”. Remember to change the value to match your domain.
    export MW_HOME=/u01/app/oracle/middleware
    export DOMAIN_HOME=$MW_HOME/user_projects/domains/ClassicDomain
  • Shut down the WebLogic domain.
    $ $DOMAIN_HOME/bin/stopWebLogic.sh
  • Rename the data folder.
    $ mv $DOMAIN_HOME/servers/AdminServer/data $DOMAIN_HOME/servers/AdminServer/data-old
  • Set the environment variables.
    $ . $DOMAIN_HOME/bin/setDomainEnv.sh
  • Reset the password using the following command. Remember to substitute the appropriate username and password.
    $ cd $DOMAIN_HOME/security
    $ java weblogic.security.utils.AdminAccount <username> <password> .
  • Update the “$DOMAIN_HOME/servers/AdminServer/security/boot.properties” file with the new username and password. The file format is shown below.
    username=<username>
    password=<password>
  • Start the WebLogic domain.
    $ $DOMAIN_HOME/bin/startWebLogic.sh
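
A follow-up check for the procedure above, as an added example that is not part of the original post or of WebLogic itself: it flags a boot.properties file that is readable beyond its owner or that still holds clear-text values. It assumes GNU stat and that WebLogic rewrites the values with an {AES} (or, on older releases, {3DES}) prefix once the server has booted with the file; the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit boot.properties after the reset procedure above.
# Assumption: once the server has booted with the file, WebLogic has replaced
# the clear-text values with {AES}... (or {3DES}... on older releases).

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_boot_properties() {
    local file=$1 rc=0 mode key value

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi

    # The file holds admin credentials: group and others need no access.
    mode=$(stat -c '%a' "$file")          # GNU stat, e.g. 600 or 644
    case "$mode" in
        *00) ;;
        *) echo "PERMS $file is mode $mode, expected 600"; rc=1 ;;
    esac

    # Flag values that are still clear text (server not restarted yet,
    # or a clear-text copy of the file left behind).
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            username|password)
                case "$value" in
                    '{AES}'*|'{3DES}'*) ;;
                    *) echo "PLAINTEXT $key in $file"; rc=1 ;;
                esac ;;
        esac
    done < "$file"

    return "$rc"
}

# Constructed sample files; the {AES} strings are placeholders, not real ciphertext.
write_sample_boot_properties() {
    local dir=$1
    printf 'username=weblogic\npassword=welcome1\n' > "$dir/plain.properties"
    chmod 644 "$dir/plain.properties"
    printf 'username={AES}c2FtcGxlLXVzZXI\\=\npassword={AES}c2FtcGxlLXBhc3M\\=\n' \
        > "$dir/encrypted.properties"
    chmod 600 "$dir/encrypted.properties"
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
write_sample_boot_properties "$demo_dir"
audit_boot_properties "$demo_dir/plain.properties" || echo "-> needs attention"
audit_boot_properties "$demo_dir/encrypted.properties" && echo "-> clean"
rm -rf "$demo_dir"
```

On a real domain, point it at $DOMAIN_HOME/servers/AdminServer/security/boot.properties after the first successful start.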

Add date to bash history

You may need dates in your bash history in order to know when commands were run.

Before the change:

root@host# history
1 ifconfig
2 ifup eth0
3 ifconfig
4 shutdown -r now

Now, make the appropriate change in your bash profile:

echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile

Open another SSH session and check

1 Dec/28 - 12:22:13 ifconfig
2 Dec/28 - 12:23:37 ifup eth0
3 Dec/28 - 12:24:51 ifconfig
4 Dec/28 - 12:25:45 shutdown -r now
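
Once HISTTIMEFORMAT is set, bash stores a “#<epoch seconds>” line ahead of each command in the history file. The following added example (not from the original post; the function names and sample entries are constructed, and GNU date is assumed) turns such a file into a UTC timeline and marks entries recorded before timestamps were enabled.

```bash
#!/usr/bin/env bash
# Added example: turn bash history-file content into a timeline.
# With HISTTIMEFORMAT set, bash writes a "#<epoch seconds>" line before each
# command in the history file; entries saved earlier have no such line.

# Reads history-file content on stdin, prints "<UTC time><TAB><command>".
history_timeline() {
    local line ts=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*)
                case "${line#?}" in
                    ''|*[!0-9]*) ;;                # ordinary comment, printed below
                    *) ts=${line#?}; continue ;;   # timestamp for the next command
                esac ;;
        esac
        if [ -n "$ts" ]; then
            printf '%s\t%s\n' "$(date -u -d "@$ts" '+%Y-%m-%d %H:%M:%S')" "$line"
        else
            printf '%s\t%s\n' 'no-timestamp' "$line"
        fi
        ts=''
    done
}

# Constructed sample: one entry from before HISTTIMEFORMAT was set, two after.
sample_history() {
    printf '%s\n' 'ifconfig' '#1293538933' 'ifup eth0' '#1293539017' 'shutdown -r now'
}

sample_history | history_timeline
```

Run it against a real file with `history_timeline < ~/.bash_history`.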