I'm dedicated agile security architect/system architect/developer with specialty of open source framework.
December 23, 2013
Why You Should Implement equals() and hashCode() In Hibernate
- Hibernate ORM documentation
http://docs.jboss.org/hibernate/orm/4.3/manual/en-US/html/ch04.html#persistent-classes-equalshashcode
JBoss Community Wiki
https://community.jboss.org/wiki/EqualsAndHashCode
Essential iptables on RHEL
Hardening access to network services with iptables
http://www.redhat.com/resourcelibrary/articles/training-webinars
Hardening RHEL 6
http://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.120
Packt’s $5 eBook Bonanza is back!
From December 19th, customers will be able to get any eBook or Video from Packt for just $5. This sale covers every title in the 1700+ range and customers can grab as many as they like until January 3rd 2014 – more information is available at http://bit.ly/1jdCr2W.
December 21, 2013
Hardening RHEL5
Guide to the Secure Configuration of Red Hat Enterprise Linux 5
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
December 11, 2013
JBoss Vault in JBoss EAP 6.2.0 uses jceks as Default KeyStore Type
Today I upgraded to JBoss EAP 6.2.0, but ran into some trouble with the keystore I have. I have one for the SSL connector and one for the JBoss Vault.
To be able keep you old JBoss Vault keystore that is stored with the jks format you need to add the KEYSTORE_TYPE vault option.
</extensions>
<vault>
<vault-option name="KEYSTORE_URL" value="/your/absolute/path/vault/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-3/VY6BIQ1KQ9LdJmX8m9Vn"/>
<vault-option name="KEYSTORE_ALIAS" value="vault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="45"/>
<vault-option name="ENC_FILE_DIR" value="/your/absolute/path/vault/"/>
<vault-option name="KEYSTORE_TYPE" value="jks"/>
</vault>
<management>
Reference
December 10, 2013
Changing Broadcom Driver In Ubuntu
I have a Broadcom Wireless Network Adapter and I had all sort of problem with the standard driver, Broadcom STA Wireless driver or wl that the module is called.
To identify which Broadcom chipset you have. Run:
$ lspci -vvnn | grep 14e4
45:00.0 Network controller [0280]: Broadcom Corporation BCM4313 802.11bgn Wireless Network Adapter [14e4:4727] (rev 01)
To identify which modules (driver) you are using (running):
$ egrep 'ssb|wl|brcmfmac|brcmsmac|bcma' /proc/modules
I had the STA or wl module running. To remove all possible Broadcom modules.
$ sudo modprobe -r b43 ssb wl brcmfmac brcmsmac bcma
And to really remove the default STA or wl module, also remove the debian package. After the purge, that remove configuration files as well, I double run apt-get with remove autoremove, which will remove unused package and finally I run clean, to clean the apt-get cache. All for precaution.
$ sudo apt-get purge bcmwl-kernel-source && sudo apt-get autoremove && sudo apt-get clean
Now you must test which driver/module that suites you best. I started with the b43 driver/module.
$ sudo apt-get install firmware-b43-installer
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
b43-fwcutter
The following NEW packages will be installed:
b43-fwcutter firmware-b43-installer
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.8 kB of archives.
After this operation, 120 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
To load the new module/driver.
$ sudo modprobe b43
Now test you installation, if successful reboot and double check, that everything is working correctly..
Other possible driver are b43legacy package firmware-b43legacy-installer and LP-PHY package firmware-b43-lpphy-installer.
For more hardware commands, please read http://magnus-k-karlsson.blogspot.se/2013/01/how-to-install-atheros-ar8161-ethernet.html
Reference
December 7, 2013
The Medibuntu Project has come to an end
For many people the first thing they have done after installing Ubuntu, was to add the Medibuntu repository. But now it is dead. See announcement Here.
But what is the impact? Not much. Ubuntu already offers most of the things that existed in Medibuntu and this only natural progress of the growth of Ubuntu.
December 5, 2013
Managing Network in RHEL 6
Tools
The simplest way to manage network settings is to use the system-config-network tool or the non-graphical variant system-config-network-tui
To start, stop, status all our network devices
$ service network [start|stop|status|restart]
Other useful tools are:
ifconfig | Display our network settings. |
ping | Used for check network connectivity |
route -n | Display routing and Gateway |
traceroute | Display network routing to a host. |
netstat -nr | Display open ports. |
Configuration
Main network configuration file is /etc/sysconfig/network-scripts/ifcfg-<name>.
Hostname
$ hostname
tester1.example.com
Routing
Local routing for e.g. localhost, but also for static routing.
$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Main routing configuration file. Any changes will be overwritten, unless disabled in above sysconfig network-scripts with PEERDNS=no.
$ cat /etc/resolv.conf
$ Generated by NetworkManager
search example.com
nameserver 192.168.1.1
Reference
- network-scripts: /usr/share/doc/initscripts-<version>/sysconfig.txt
November 27, 2013
Using the Automounter Service on RHEL 6
RHEL 6 ships with a convenient network mounter service, the automounter.
To check if the automounter is running.
$ service autofs status
automount (pid 2061) is running...
To use it, simply cd into the /net folder followed by nfs hostname.
$ cd /net/192.168.1.3
[root@tester1 192.168.1.3]# ll
total 0
dr-xr-xr-x. 4 root root 0 Nov 27 22:25 c
The remote network share will be unmounted automatically when unused for a configurable timeout.
$ grep -i timeout /etc/sysconfig/autofs
...
TIMEOUT=300
...
Managing LVM with RHEL 6
Introduction
LVM (Logical Volume Manager) is a flexible way to handle disk space, since you can increase and decrease file systems, that is not possible to the same extent as in MBR (Master Boot Record) partitioning format.
NOTE: "It is generally recommended that you create a single partition that covers the whole disk to label as an LVM physical volume" [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Logical_Volume_Manager_Administration/LVM_components.html#multiple_partitions]
The LVM is build up on three cornerstone.
- Physical Volume, PV
- Volume Group, VG
- Logical Volume, LV
Prerequisite
Create a new partition with type 0x8E Linux LVM.
$ fdisk -cu /dev/sda
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048):
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +1G
Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): L
0 Empty 24 NEC DOS 81 Minix / old Lin bf Solaris
1 FAT12 39 Plan 9 82 Linux swap / So c1 DRDOS/sec (FAT-
2 XENIX root 3c PartitionMagic 83 Linux c4 DRDOS/sec (FAT-
3 XENIX usr 40 Venix 80286 84 OS/2 hidden C: c6 DRDOS/sec (FAT-
4 FAT16 <32M 41 PPC PReP Boot 85 Linux extended c7 Syrinx
5 Extended 42 SFS 86 NTFS volume set da Non-FS data
6 FAT16 4d QNX4.x 87 NTFS volume set db CP/M / CTOS / .
7 HPFS/NTFS 4e QNX4.x 2nd part 88 Linux plaintext de Dell Utility
8 AIX 4f QNX4.x 3rd part 8e Linux LVM df BootIt
9 AIX bootable 50 OnTrack DM 93 Amoeba e1 DOS access
a OS/2 Boot Manag 51 OnTrack DM6 Aux 94 Amoeba BBT e3 DOS R/O
b W95 FAT32 52 CP/M 9f BSD/OS e4 SpeedStor
c W95 FAT32 (LBA) 53 OnTrack DM6 Aux a0 IBM Thinkpad hi eb BeOS fs
e W95 FAT16 (LBA) 54 OnTrackDM6 a5 FreeBSD ee GPT
f W95 Ext'd (LBA) 55 EZ-Drive a6 OpenBSD ef EFI (FAT-12/16/
10 OPUS 56 Golden Bow a7 NeXTSTEP f0 Linux/PA-RISC b
11 Hidden FAT12 5c Priam Edisk a8 Darwin UFS f1 SpeedStor
12 Compaq diagnost 61 SpeedStor a9 NetBSD f4 SpeedStor
14 Hidden FAT16 <3 63 GNU HURD or Sys ab Darwin boot f2 DOS secondary
16 Hidden FAT16 64 Novell Netware af HFS / HFS+ fb VMware VMFS
17 Hidden HPFS/NTF 65 Novell Netware b7 BSDI fs fc VMware VMKCORE
18 AST SmartSleep 70 DiskSecure Mult b8 BSDI swap fd Linux raid auto
1b Hidden W95 FAT3 75 PC/IX bb Boot Wizard hid fe LANstep
1c Hidden W95 FAT3 80 Old Minix be Solaris boot ff BBT
1e Hidden W95 FAT1
Hex code (type L to list codes): 8e
Changed system type of partition 3 to 8e (Linux LVM)
Command (m for help): p
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
/dev/sda3 205826048 207923199 1048576 8e Linux LVM
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
$ reboot
The Most Imported Commands
$ man 8 lvm
...
pvcreate - Initialize a disk or partition for use by LVM.
pvdisplay - Display attributes of a Physical Volume.
...
vgcreate - Create a Volume Group.
vgdisplay - Display attributes of Volume Groups.
vgextend - Add Physical Volumes to a Volume Group.
vgreduce - Reduce a Volume Group by removing one or more Physical Volumes.
...
lvcreate - Create a Logical Volume in an existing Volume Group.
lvdisplay - Display attributes of a Logical Volume.
lvextend - Extend the size of a Logical Volume.
lvreduce - Reduce the size of a Logical Volume.
Create Physical Volume (PV), Volumme Group (VG) and Logical Volume (LV)
First lets create a new physical volume on the prerequisite partition.
$ pvcreate /dev/sda3
Create volume group vg_test that span entire physical volume /dev/sda3
$ vgcreate vg_test /dev/sda3
Volume group "vg_test" successfully created
Create logical volumne with size 500 MB, named lv_test in volume group vg_test.
$ lvcreate -L 500M -n lv_test vg_test
The lvcreate will now create a device block file in /dev/vgName/lvName that we now can create a filesystem on and mount.
$ mkfs -t ext4 /dev/vg_test/lv_test
$ mkdir /data
$ mount /dev/vg_test/lv_test /data
Extends Logical Volume (LV)
Extend the logical volume lv_test with plus 500 MB.
$ lvextend -L +250M /dev/vg_test/lv_test
Rounding size to boundary between physical extents: 252.00 MiB
Extending logical volume lv_test to 752.00 MiB
Logical volume lv_test successfully resized
Now you need to grow the file system.
$ resize2fs -p /dev/vg_test/lv_test
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/vg_test/lv_test is mounted on /data; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 3
Performing an on-line resize of /dev/vg_test/lv_test to 770048 (1k) blocks.
The filesystem on /dev/vg_test/lv_test is now 770048 blocks long.
Verify/test the new size of /data.
$ df -h /data
Reduce Logical Volume (LV)
When reducing a file system, you need to unmount it first.
$ umount /data
Then reduce the actual filesystem.
$ e2fsck -f /dev/vg_test/lv_test
$ resize2fs -p /dev/vg_test/lv_test 512M
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on /dev/vg_test/lv_test to 524288 (1k) blocks.
Begin pass 3 (max = 94)
Scanning inode table XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/vg_test/lv_test is now 524288 blocks long.
After the actual file system is reduced, we can now shrink the logical volume.
$ lvreduce -L 512M /dev/vg_test/lv_test
WARNING: Reducing active logical volume to 512.00 MiB
THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce lv_test? [y/n]: y
Reducing logical volume lv_test to 512.00 MiB
Logical volume lv_test successfully resized
Finally test/verify, by remounting and check disk space
$ mount /dev/vg_test/lv_test /data
$ df -h /data
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_test-lv_test 496M 11M 461M 3% /data
Extends Volume Group (VG)
First create a new physical volume.
$ pvcreate /dev/sda4
Physical volume "/dev/sda4" successfully created
Now lets extends existing volume group 'vg_test' with our new physical volume.
$ vgextend vg_test /dev/sda4
Volume group "vg_test" successfully extended
And last test/verify.
$ vgdisplay vg_test
--- Volume group ---
VG Name vg_test
System ID
Format lvm2
Metadata Areas 2
Metadata Sequence No 5
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 1
Open LV 0
Max PV 0
Cur PV 2
Act PV 2
VG Size 134.73 GiB
PE Size 4.00 MiB
Total PE 34492
Alloc PE / Size 128 / 512.00 MiB
Free PE / Size 34364 / 134.23 GiB
VG UUID ItBewY-gWvu-tzUx-JIEj-gJb2-d8Jh-HdANUb
Reduce Volume Group (VG)
Remove existing volume group 'vg_test' with physical volume /dev/sda4.
$ vgreduce vg_test /dev/sda4
Removed "/dev/sda4" from volume group "vg_test"
Test/verify
$ vgdisplay vg_test
--- Volume group ---
VG Name vg_test
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 6
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 1
Open LV 0
Max PV 0
Cur PV 1
Act PV 1
VG Size 1020.00 MiB
PE Size 4.00 MiB
Total PE 255
Alloc PE / Size 128 / 512.00 MiB
Free PE / Size 127 / 508.00 MiB
VG UUID ItBewY-gWvu-tzUx-JIEj-gJb2-d8Jh-HdANUb
Reference
- lvm(8): lvm - LVM2 tools
- pvcreate(8): pvcreate - initialize a disk or partition for use by LVM
- vgcreate(8): vgcreate - create a volume group
- lvcreate(8): lvcreate - create a logical volume in an existing volume group
- vgextend(8): vgextend - add physical volumes to a volume group
- vgreduce(8): vgreduce - reduce a volume group
- lvextend(8): lvextend - extend the size of a logical volume
- lvreduce(8): lvreduce - reduce the size of a logical volume
- resize2fs(8): resize2fs - ext2/ext3/ext4 file system resizer
Encrypting Disks with LUKS in RHEL 6
Introduction
LUKS (Linux Unified Key Setup) is a standard for hard disk encryption. LUKS can encrypt both partition and LVM volumes. Here I will encrypt a partition.
Prerequisite
Creata a new partition with fdisk.
$ fdisk -cu /dev/sda
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048):
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +1G
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
$ reboot
Enrypt a Partition
First we need to encrypt the partition.
$ cryptsetup luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Next step is to unlock the partition via luksOpen <blockDeviceFile> <luksname>. The cryptsetup will after create a new mapped blocked device file under /dev/mapper/<luksname>.
$ cryptsetup luksOpen /dev/sda3 luksname
Enter passphrase for /dev/sda3:
Finally we format now the unencrypted partition we a file system and mount it.
$ mkfs -t ext4 /dev/mapper/luksname
$ mkdir /mnt/secret
$ mount /dev/mapper/luksname /mnt/secret
Persistently Mount Encrypted Partition
To make the mounting persisted we normally add the block device file in /etc/fstab, but with encrypted storage we also need to add the encrypted partition to the list of devices to be unlocked during system startup. That is done by adding the luksname and block device file to the /etc/crypttab.
$ vi /etc/crypttab
luksname /dev/sda3
After that extra step, normally edit /etc/fstab.
$ vi /etc/fstab
/dev/mapper/luksname /mnt/secret ext4 defaults 1 2
Automatically Mount Encrypted Partition
To automatically unlock a encrypted partition we need to store the password on disk, has obvious security problems, but if wanted to the following.
$ echo -n "redhat" > /root/lukspassword
$ chown root:root /root/lukspassword
$ chmod 600 /root/lukspassword
$ ll /root/
...
-rw-------. 1 root root 6 Nov 27 12:12 lukspassword
$ cryptsetup luksAddKey /dev/sda3 /root/lukspassword
Now edit /etc/crypttab and add password file.
$ vi /etc/crypttab
luksName /dev/sda3 /root/lukspassword
Reboot and verify, that no password is needed and that encrypted partition is mounted.
Remove Encrypted Partition
- Remove mapped block device file from /etc/fstab.
- Remove luksName from /etc/crypttab.
- unmount the mapped block device: umount /dev/mapper/luksname.
- Lock encrypted partition: cryptsetup luksClose luksname.
Reference
- cryptsetup(8): cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
- crypttab(5): /etc/crypttab - encrypted block device table
- fstab(5): /etc/fstab - static information about the filesystems
November 26, 2013
Managing Swap Space in RHEL 6
Introduction
The swap space is used by the OS to handle overflow for parts of the RAM that are currently not being used.
The recommended size of the swap space is depending on how much RAM you have.
- < 2GB RAM, use 2 * RAM
- >= 2GB RAM, use RAM + 2GB
How to Create a New Swap Partition
$ fdisk -cul /dev/sda
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
$ fdisk -cu /dev/sda
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048):
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +1G
Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): L
0 Empty 24 NEC DOS 81 Minix / old Lin bf Solaris
1 FAT12 39 Plan 9 82 Linux swap / So c1 DRDOS/sec (FAT-
2 XENIX root 3c PartitionMagic 83 Linux c4 DRDOS/sec (FAT-
3 XENIX usr 40 Venix 80286 84 OS/2 hidden C: c6 DRDOS/sec (FAT-
4 FAT16 <32M 41 PPC PReP Boot 85 Linux extended c7 Syrinx
5 Extended 42 SFS 86 NTFS volume set da Non-FS data
6 FAT16 4d QNX4.x 87 NTFS volume set db CP/M / CTOS / .
7 HPFS/NTFS 4e QNX4.x 2nd part 88 Linux plaintext de Dell Utility
8 AIX 4f QNX4.x 3rd part 8e Linux LVM df BootIt
9 AIX bootable 50 OnTrack DM 93 Amoeba e1 DOS access
a OS/2 Boot Manag 51 OnTrack DM6 Aux 94 Amoeba BBT e3 DOS R/O
b W95 FAT32 52 CP/M 9f BSD/OS e4 SpeedStor
c W95 FAT32 (LBA) 53 OnTrack DM6 Aux a0 IBM Thinkpad hi eb BeOS fs
e W95 FAT16 (LBA) 54 OnTrackDM6 a5 FreeBSD ee GPT
f W95 Ext'd (LBA) 55 EZ-Drive a6 OpenBSD ef EFI (FAT-12/16/
10 OPUS 56 Golden Bow a7 NeXTSTEP f0 Linux/PA-RISC b
11 Hidden FAT12 5c Priam Edisk a8 Darwin UFS f1 SpeedStor
12 Compaq diagnost 61 SpeedStor a9 NetBSD f4 SpeedStor
14 Hidden FAT16 <3 63 GNU HURD or Sys ab Darwin boot f2 DOS secondary
16 Hidden FAT16 64 Novell Netware af HFS / HFS+ fb VMware VMFS
17 Hidden HPFS/NTF 65 Novell Netware b7 BSDI fs fc VMware VMKCORE
18 AST SmartSleep 70 DiskSecure Mult b8 BSDI swap fd Linux raid auto
1b Hidden W95 FAT3 75 PC/IX bb Boot Wizard hid fe LANstep
1c Hidden W95 FAT3 80 Old Minix be Solaris boot ff BBT
1e Hidden W95 FAT1
Hex code (type L to list codes): 82
Changed system type of partition 3 to 82 (Linux swap / Solaris)
Command (m for help): p
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
/dev/sda3 205826048 207923199 1048576 82 Linux swap / Solaris
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
$ reboot
After reboot we need to format the new swap partition.
$ mkswap /dev/sda3
Setting up swapspace version 1, size = 1048572 KiB
no label, UUID=b28d9a2c-51a4-45e8-a0d3-d4b457afa359
Next step is to activating it.
$ swapon -a /dev/sda3
To verify/list current swap spaces.
$ swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 4095992 0 -1
/dev/sda3 partition 1048568 0 -2
To make this new swap space persistent, we need to add this new swap space to /etc/fstab.
$ blkid /dev/sda3
/dev/sda3: UUID="b28d9a2c-51a4-45e8-a0d3-d4b457afa359" TYPE="swap"
$ vi /etc/fstab
UUID=b28d9a2c-51a4-45e8-a0d3-d4b457afa359 swap swap defaults 0 02
Reboot and verify that new swap space is active.
How to Remove a Swap Partition
First deactive it.
$ swapoff /dev/sda3
Verify it is no longer active.
$ swapon -s
Filename Type Size Used Priority
/dev/dm-0 partition 4095992 0 -1
IF YOU HAVE ADDED IT TO /etc/fstab, DO NOT FORGET TO REMOVE IT FROM THERE AS WELL!
Managing Partions With RHEL 6
Introduction
Most Linux distrobution, which is also the case with RHEL 6, uses the MBR (Master Boot Record) partitioning format. The MBR is designed to hold up to maximum 4 primary partition. If more is needed, you must use one primary as extended partition. And do not forget to let the extended partition use all remaining disk space. After creating an extended partition, you can create logical partition on the extended partiti
Graphical Tool
In a desktop RHEL, there is the graphical tool for managing our partition - palimpsest.
$ yum install gnome-disk-utility
A never GUI tool that is maybe better is parted. The good thing with this tool is that it also can resize and copy partitions.
$ yum install parted
Command Line
At the command line, you have the fdisk tool. When using the fdisk tool always use the following options:
- -c Switch off DOS-compatible mode.
- -u When listing partition tables, give sizes in sectors instead of cylinders.
Lets get started with fdisk and create a new primary partition.
$ fdisk -cu /dev/sda
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): p
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First sector (205826048-488397167, default 205826048):
Using default value 205826048
Last sector, +sectors or +size{K,M,G} (205826048-488397167, default 488397167): +500M
Command (m for help): p
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
/dev/sda3 205826048 206850047 512000 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
$ reboot
After reboot you can check your new primary partition.
$ fdisk -cul /dev/sda
Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7f3d8c0f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 205826047 102400000 8e Linux LVM
/dev/sda3 205826048 206850047 512000 83 Linux
Now lets create an ext4 file system on the new primary partition.
$ mkfs -t ext4 /dev/sda3
And mount it.
$ mkdir /extra
$ mount /dev/sda3 /extra
If you want RHEL to automatically mount your new partition at boot, you need to add that to /etc/fstab. And the recommended way to identify the partition is with it's UUID.
$ blkid /dev/sda3
$ vi /etc/fstab
UUID=b2b97c2f-f0cb-4b41-b297-7f7d36d2efd0 /extra ext4 defaults 1 2
And finally save and reboot.
November 25, 2013
How to Mount an USB Device in Linux
Short Version
1. Before inserting the USB, check which disks you already have.
$ ll /dev/sd*
brw-rw----. 1 root disk 8, 0 Nov 24 19:41 /dev/sda
brw-rw----. 1 root disk 8, 1 Nov 24 19:41 /dev/sda1
brw-rw----. 1 root disk 8, 2 Nov 24 19:41 /dev/sda2
2. Create a new directory under /mnt to which you will mount your USB.
$ mkdir /mnt/usb
3. Now insert the USB and mount it.
$ mount /dev/sdb <hit tab>
sdb sdb1
$ mount /dev/sdb1 /mnt/usb
4. Now you are ready to read and write to your USB.
5. To unmount.
$ umount /mnt/usb
Longer Version
In Linux a storage device is represented by a device file in /dev/.
The three letter naming convention for storage devices in Linux are:
- s - storage
- d - disc (such as SCSI, USB, SATA), cd - cd or dvd
- litteral order character, starting with a, then b, c, etc
Example: /dev/sda (SCSI, USB, SATA), /dev/sdb (SCSI, USB, SATA), /dev/scd (CD/DVD)
These device files represent the whole drive. Each drive is partitioned into partition. The first partition receives order number one, the next one two, etc
When a new storage device is added it will receive the last character order literal, here it is b (/dev/sdb). Another way to find out the device file is to tail the dmesg log file.
$ less /var/log/dmesg <hit enter>
...
<press shift+f (follow)>
Waiting for data... (interrupt to abort)
<Now insert USB>
sd ... [sdb] Assuming drive cache: write through
<press ctrl+c (quite)>
Here we see that the USB was allocated device name sdb. But when you mount you mount to a partition that contains a file system. And in general, most USB only have one partition, hence sdb1.
November 24, 2013
Securing SSH with Public/Private Key Authentication
The motive for using public/private key authentication are:
- Firstly for convinience, you no longer need to enter password (unless you encrypt your keys with password protected).
- Secondly, ones setup, you can remove password protection, which is a big cracking hole.
Prerequisite
The remote user needs to exist on the remote server. If it does not. Create it. And at least LOGIN ONES, so that it's home directory is created. Otherwise you can eagerly created the home directory when you add the user.
Here I will use the existing user root, for simplicity.
Client Side
Generate public and private keys, with NO password protection. I will here use the RSA algorithm and key length 2048 bits.
$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/magnus/.ssh/id_rsa): <Enter>
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
Your identification has been saved in /home/magnus/.ssh/id_rsa.
Your public key has been saved in /home/magnus/.ssh/id_rsa.pub.
The key fingerprint is:
90:da:b5:5a:db:59:be:34:04:6a:99:81:c3:d5:5d:25 magnus@tester1.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .. . .E..|
| . + . . . |
| * o . |
| o + * . |
| . . S o |
| + o = |
| . . o + |
| . o |
| . |
+-----------------+
Next make sure that the ssh key directory and private key has proper file permission
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
The last step is to copy the client public key to the server. You can either do that manually, or with the ssh-copy-id tool. Here I will use the tool.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@remoteserver
If you were setting up public/private key authentication for a different user, please replace root in above command with you user.
Server Side
On the server side, open /etc/ssh/sshd_config and enable public/private key authentication
PubkeyAuthentication yes
Then restart the ssh daemon service.
$ service sshd restart
And finally verify that the keys directory and files have the proper file permission and SELinux type for your user.
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
$ restorecon -Rv ~/.ssh
Test
Finally you need to test, to verify the installation. On the client machine switch to the user you had setup for and
$ ssh <your_user>@remoteserver
RHEL: How to Switch Users in Multiuser Runlevels
Switching User
To switch to a different user, e.g. student, run
$ su - student
To switch to root
$ su -
Runlevels
Most Linux distribution can be ran in 5 different runlevels. Runlevel 0 and 6 are special, which you can see below.
- 0 - Shutdown
- 1 - Single user mode, without network
- 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
- 3 - Full multiuser mode, with network.
- 4 - Unused
- 5 - X11, graphical mode with network
- 6 - Reboot
To see the current runlevel, type:
$ runlevel
The default runlevel is set in /etc/inittab.
How to Switch Runlevels
You can switch the runlevel with init, e.g. init 3. But from the graphical mode, there is also a keyboard shortcut.
ctrl + alt + F1 - for init 1, ctrl + alt + F2 - for init 2, etc.
November 23, 2013
Accessing Network Files via NFS and CIFS in Linux
Working with remote file system under Linux is not hard. Below I will show how to use the two most common remote file system used:
- NFS - Network File System
- CIFS - Common Internet File System
NFS
Show the NFS server’s export list.
$ showmount -e nfsserver.domain.com
Mount. Note that the directory /remote must exist before mount, if not create it with mkdir /remotenfs.
$ mount nfsserver.domain.com:/c/media /remotenfs
Unmount file systems
$ umount /remotenfs
CIFS
CIFS is the underlying remote file protocol used for samba server and which is the most common file server when having a mixed client environment with Windows and Linux.
Install client library
$ yum install samba-client
Show the CIFS server’s sharenames.
$ smbclient -L nfsserver.domain.com
Mount. Note that the directory /remote must exist before mount, if not create it with mkdir /remotecifs.
$ mount //cifsserver.domain.com/media /remotecifs
Unmount file systems
$ umount /remotecifs
Common vi commands
Most Linux server runs without a graphical interface and the most sure installed editor for file is the vi editor. But getting used with vi can be a little challenging. Below I will show you the most common vi commands.
Open | vi file.txt |
Close without saving | :q! |
Insert | i |
Quite editing | ESC |
Write and close | :wq |
Copy line and paste line | yy + p |
Delete line and paste line | dd + P (capital) |
Change word | cw |
Browse to next work | w |
Browse to previous work | b |
Go to first line | 1G |
Go to last line | G |
Linux File and Special Permission
File Permission
The simplest file permission in Linux are the r (read), w (write), x (executable). These file permission yields for u (user), g (group) and o (other). They can be set both:
- Symbolically: +-r, +-w, +-x
- Numerically: r=4, w=2, x=1
Special Permission
There are three special permission: setuid, setgid and sticky. They can be both applied to files and directories, but then have different meanings.
Special Permission | File | Directory |
setuid | Only meaning for executable file: The executable file be be run as the file owner, not as the user that executes it. Example /usr/bin/passwd |
No effect. |
setgid | Only meaning for executable file: The executable file be be run as the file group, not as the user that executes it. | All newly created file in directory, will inherit the parent directory group permission. |
sticky | No effect. | All files created with a user that have write permission for a specific file can only remove that file, except for root. Example: /tmp |
To set the special permission:
- Symbolically: setuid=u+s, setgid=g+s, sticky=o+t
- Numerically: setuid=4, setgid=2, sticky=1
October 17, 2013
Java EE 7 released and Packt Publishing is having 50% sales
Before and after Oracle was buying Sun, the development of the Java language slowed down. But now Oracle is picking up speed. The Java Enterprise Edition 6 was released in December 2009 but now this summer, EE 7 was released. Not bad. So if you want to get up to speed with the new feature in EE7 and read ebooks the Packt Publishing is having a 50% sales on all its ebooks, so feel free to check it out on http://bit.ly/1bqvB29 and use the discount code COL50.
October 3, 2013
Keeping track of the different component version in EE 6 and EE 7
The Java Enterprise Edition has changed a lot from previously making heavy usage of XML configuration and now using Annotation instead, which leaves XML files almost empty compared to older EE version. But all these changes is also a headache to developers that must keep track of the different version in the different EE version. A good summary site for that is
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html#6
and for JPA
http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/persistence/index.html
And another good reference site for JPA is
Getting started with GNOME 3 on Fedora 19
At work I usually work at the server side which means in most cases for Java project, working with some sort of Linux distro. One popular Linux distro for server are Red Hat Enterprise Linux, RHEL. But using RHEL is not meant for using at the client side. And the closest thing to RHEL at the client is Fedora (both supported by Red Hat).
It's been a while since I used Fedora and a lot have happened. And for you guys out there that are starting to use Fedora or any other Linux distro that are using GNOME, I can warmly recommend this easy to use site:
On this site you can easily install and configure GNOME 3 tweak, such as my favorite Dash to Dock - https://extensions.gnome.org/extension/307/dash-to-dock/. Which is my first GNOME tweak I installed after installing Fedora 19.
Review of Instant Apache Wicket 6
In the last day I had the pleasure to read a beginners book for Apache Wicket 6 - Instant Apache Wicket 6 http://bit.ly/15w4LEI. The book is good, it takes the reader through the most imported steps to get started with Apache Wicket. Such as creating a new project, how to use the fast jetty web server to view your wicket pages and maybe the most imported thing. How to debug a wicket application with Eclipse IDE. So if you are looking for a beginners book for Apache Wicket 6 I can recommend this book.
But with all beginners book you should always be a little careful when completely copying beginners example code into your production code. Such an example in this book is the login example. Creating safe login code is actually a little tricky and requires extra care. Things that you must take into consideration when creating login code are:
- Login pages must be completely stateless, which means ones submitted from the client, they must be totally forgotten. You do not want sensitive data, such password, be accessible when clicking browse back. Or be kept in server session cache. Apache Wicket is out-of-box almost always stateful.
- Paying extra care of session management is always imported. Use cookie to store client session id and not URL, which are cached in web server log, proxy log, client web browser history, etc.
- Always set session timeout.
- Make cookie not accessible for other sites client script, which you hinder by using http only flag.
- And of course always use SSL, even for login pages.
Above is just a handful of things that you should pay attention to when developing security code.
I'm a great Wicket fan and wicket have a lot of ready to use graphical component, such DatePicket, Paginated List, Sortable List, Multiple File Upload, etc. You can see a lot of them in action on http://www.wicket-library.com/wicket-examples/index.html.
Also if you need more Wicket component, look at the different wicketstuff project. To get an overview on them all search maven central repo at http://search.maven.org/#search|ga|1|org.wicketstuff.
August 22, 2013
Complete Configuration of MySQL 5 DataSource in JBoss EAP 6
Introduction
Here I will describe how to configure a MySQL 5 DataSource for JBoss EAP 6.
Install MySQL JDBC Driver as JBoss EAP 6 Module
Create a new directory under modules and a new module.xml file.
$ mkdir -p $JBOSS_HOME/modules/com/mysql/main/
$ touch $JBOSS_HOME/modules/com/mysql/main/module.xml
Download the MySQL JDBC driver and put it in the same catalog as module.xml. If necessary correct resource path below, with the downloaded jdbc driver file name.
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="com.mysql">
<resources>
<resource-root path="mysql-connector-java-5.1.19.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="javax.transaction.api"/>
</dependencies>
</module>
If this is a server installation make sure that the new directories and files get the right permission.
Configure JBoss EAP 6 DataSource
Here we will use JBoss EAP 6 in standalone mode, but if you like to use the domain mode, the configuration is the same. Open $JBOSS_HOME/standalone/configuration/standalone.xml.
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
<datasources>
...
<datasource jndi-name="java:jboss/datasources/ExampleInfinispanDS" pool-name="ExampleInfinispanDS" enabled="true" use-java-context="true" use-ccm="true">
<connection-url>jdbc:mysql://localhost:3306/EXAMPLEINFINISPAN</connection-url>
<driver>mysql</driver>
<transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
<pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>100</max-pool-size>
<prefill>true</prefill>
</pool>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
<timeout>
<!-- using default timeout values -->
</timeout>
<statement>
<prepared-statement-cache-size>100</prepared-statement-cache-size>
<share-prepared-statements>true</share-prepared-statements>
</statement>
</datasource>
<drivers>
...
<driver name="mysql" module="com.mysql">
<datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlDataSource</datasource-class>
</driver>
</drivers>
</datasources>
</subsystem>
Reference
August 21, 2013
Configure UsersRolesLoginModule for JBoss EAP 6
Introduction
In this blog I will show you how to configure a simple JAAS login module, that holds username, passwords and roles in properties file. The login module for this job is org.jboss.security.auth.spi.UsersRolesLoginModule.
Finding the correct source code and documentation for the JBoss EAP 6 login modules, can be a bit tricky and the reason for that, is that the concrete implementation for them are hosted in the sister project Picketbox. For example the exact version that is shipped with JBoss EAP 6.1.0 is 4.0.17.Final-redhat-1. And the jar is located under $JBOSS_HOME/modules/system/layers/base/org/picketbox/main/.
The UsersRolesLoginModule has more to offer than I will show you here, and that is to store the password scrambled and not in clear text. But since the UsersRolesLoginModule is merely for test purpose, I will leave that out here.
Configuration
I will use JBoss EAP 6 in standalone mode, which means that the JBoss configuration file is $JBOSS_HOME/standalone/configuration/standalone.xml. Open it and add the below JAAS security-domain.
<subsystem xmlns="urn:jboss:domain:security:1.2">
...
<security-domains>
<security-domain name="basic-policy" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/basic-user.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/basic-roles.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
Create Users and Assing Roles
Creating users and theirs associated roles are easy since them are located in clear plain text files located under $JBOSS_HOME/standalone/configuration/. Here I will only create one user and one role, but you can create as many as you please.
$ echo "admin=password" > $JBOSS_HOME/standalone/configuration/basic-user.properties
$ echo "admin=ROLE_FOO" > $JBOSS_HOME/standalone/configuration/basic-roles.properties
Configuration
The easiest way to test the security, is to either take an existing war project or create a new zip file add a welcome file (index.html), web.xml and jboss-web.xml. Either way the relevant configuration for the web.xml is below.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Foo Pages</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- Do not specify http-method, since then only specified http-method
will be authenticated, not e.g. JUNK (attack) -->
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access.</description>
<role-name>ROLE_FOO</role-name>
</auth-constraint>
<user-data-constraint>
<description>This is how the user data must be transmitted.</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>basic-policy</realm-name>
</login-config>
<security-role>
<role-name>ROLE_FOO</role-name>
</security-role>
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
<session-config>
<!-- Session timeout after X MINUTES after no user interaction. -->
<session-timeout>15</session-timeout>
<cookie-config>
<!-- XSS attack: make sure that cookie cannot be accessed via client
side scripts -->
<http-only>true</http-only>
<!-- CSRF attack, session hijack attack: require cookie can only be used
for SSL communication. -->
<secure>true</secure>
</cookie-config>
<!-- Do not use URL, since then it can be stored in numerous places: browser
history, proxy server log, referrer logs, web logs, etc. -->
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<!-- Custom error pages are handled in custom ErrorReportValve in jbossweb module -->
</web-app>
And the relevant portion in jboss-web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<context-root>/example-app</context-root>
<security-domain>java:/jaas/basic-policy</security-domain>
</jboss-web>
August 20, 2013
Configure ActiveMQ 5.8.0 to use MySQL as Persistence Mechanism
Introduction
In this blog I will show you how to change, the default persistence mechanism in Apache ActiveMQ 5.8.0 from KahaDB to instead use a RDBMS. And here I will use MySQL 5, but ActiveMQ supports most of the major vendor of RDBMS.
Install MySQL JDBC Driver
Download driver from maven central repo:
http://search.maven.org/#artifactdetails%7Cmysql%7Cmysql-connector-java%7C5.1.19%7Cjar.
Copy to $ACTIVEMQ_HOME/lib/optional/.
Create ActiveMQ database
Log into mysql and create ActiveMQ database.
$ mysql -u root -p
Enter password:
mysql> CREATE SCHEMA `activemq` DEFAULT CHARACTER SET utf8 COLLATE utf8_swedish_ci;
Configure MySQL as persistence storage
Open the ActiveMQ configuration, $ACTIVEMQ_HOME/conf/activemq.xml, and add mysql datasource, comment/remove the default KahaDB and finally add the RDBMS persistence adapter.
<beans ...>
...
</bean>
<!-- MySql DataSource Sample Setup -->
<bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<property name="driverClassName" value="com.mysql.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost:3306/activemq"/>
<property name="username" value="root"/>
<property name="password" value="root"/>
<property name="maxActive" value="200"/>
<property name="poolPreparedStatements" value="true"/>
</bean>
<broker ...>
...
<!-- Comment out the default storage adapter
<persistenceAdapter>
<kahaDB directory="${activemq.data}/kahadb"/>
</persistenceAdapter>
-->
<persistenceAdapter>
<jdbcPersistenceAdapter dataSource="#mysql-ds" />
</persistenceAdapter>
...
</broker>
...
</beans>
Test
Now we are ready to test the installation. Restart activemq and check the activemq log for errors, $ACTIVEMQ_HOME/data/activemq.log.
You can also open the activemq web console, to verify that things are working:
URL: http://localhost:8161/admin/
Username: admin
Password: admin
Now lets really test the installation from the activemq web console you can send message. From the web console click Send and choose to send a text message to a new queue.
Afterwards we can check that the message is sent to the queue, by clicking on Queue and our new queue foo.bar. And there see your text message.
You could also verify that the message is really persistent in MySQL by querying your database.
$mysql> SELECT ID, CONTAINER, MSGID_PROD, MSGID_SEQ FROM activemq.ACTIVEMQ_MSGS;
August 18, 2013
Configure Redelivery for ActiveMQ 5.8 Resource Adapter in JBoss EAP 6
In this blog I will show you how to setup ActiveMQ resource adapter in JBoss EAP 6 and then test different redelivery policies.
Before we begin, we need to download the latest Apache ActiveMQ binaries and unzip it. To start, stop and check status we use the activemq script located in the bin folder.
$ ACTIVEMQ_HOME/bin/activemq [start|stop|status]
After started the ActiveMQ, we can test the installation by open a web browser and open http://localhost:8161/admin/. The default username is admin and default password is admin.
Now we need to configure JBoss. In this blog we will use JBoss EAP 6.1.0. Download it and unzip it.
The next thing we need to do is to download the Apache ActiveMQ resource adapter. You can find it from maven central repo – http://search.maven.org/remotecontent?filepath=org/apache/activemq/activemq-rar/5.8.0/activemq-rar-5.8.0.rar.
JBoss EAP 6 can be run in two different modes – standalone and domain mode. In this blog we will be using standalone mode, but if you need to run JBoss in domain the below configuration is basically the same.
Now deploy the resource adapter to $JBOSS_HOME/standalone/deployment
Now we are ready to configure JBoss. Open $JBOSS_HOME/standalone/configuration/standalone.xml
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
<resource-adapters>
<resource-adapter id="activemq-rar-5.8.0.rar">
<archive>
activemq-rar-5.8.0.rar
</archive>
<transaction-support>LocalTransaction</transaction-support>
<config-property name="InitialRedeliveryDelay">
1000
</config-property>
<config-property name="MaximumRedeliveries">
5
</config-property>
<config-property name="RedeliveryUseExponentialBackOff">
false
</config-property>
<config-property name="RedeliveryBackOffMultiplier">
5
</config-property>
<config-property name="ServerUrl">
failover:(tcp://127.0.0.1:61616)
</config-property>
<connection-definitions>
<connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory" jndi-name="java:jboss/activemq/ConnectionFactory" enabled="true" use-java-context="true" pool-name="ConnectionFactory">
<pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>100</max-pool-size>
<prefill>true</prefill>
</pool>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object class-name="org.apache.activemq.command.ActiveMQQueue" jndi-name="java:jboss/activemq/queue/FooQueue" enabled="true" use-java-context="true" pool-name="FooQueue">
<config-property name="PhysicalName">
FooQueue
</config-property>
</admin-object>
</admin-objects>
</resource-adapter>
</resource-adapters>
</subsystem>
The last thing we also need is to configure mdb support for the standalone configuration.
<subsystem xmlns="urn:jboss:domain:ejb3:1.4">
...
</session-bean>
<mdb>
<resource-adapter-ref resource-adapter-name="activemq-rar-5.8.0.rar"/>
<bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
</mdb>
<pools>
...
</subsystem>
Now we are to test the installation. We do that by creating a simple MDB, that prints out incoming JMS messages and then rollbacks the MDB transaction.
package se.msc.example.mdb;
import javax.annotation.Resource;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.ejb.MessageDrivenContext;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
@MessageDriven(name = "FooMDB", activationConfig = {
@ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
@ActivationConfigProperty(propertyName = "destination", propertyValue = "FooQueue"),
@ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
public class FooMDB implements MessageListener {
@Resource
private MessageDrivenContext mdc;
@TransactionAttribute(TransactionAttributeType.REQUIRED)
public void onMessage(Message msg) {
try {
System.out.println("mdb recieved, redelivered="
+ msg.getJMSRedelivered());
} catch (JMSException e) {
e.printStackTrace();
}
mdc.setRollbackOnly();
}
}
As test client we can send jms message from the ActiveMQ web console
Below follows different test results for different redelivery configuration
InitialRedeliveryDelay=1000 MaximumRedeliveries=5 RedeliveryUseExponentialBackOff=false RedeliveryBackOffMultiplier=5 18:57:51,140 INFO [stdout] (default-threads - 2) mdb recieved, redelivered=false 18:57:52,220 INFO [stdout] (default-threads - 3) mdb recieved, redelivered=true 18:57:53,256 INFO [stdout] (default-threads - 4) mdb recieved, redelivered=true 18:57:54,296 INFO [stdout] (default-threads - 5) mdb recieved, redelivered=true 18:57:55,334 INFO [stdout] (default-threads - 6) mdb recieved, redelivered=true 18:57:56,365 INFO [stdout] (default-threads - 7) mdb recieved, redelivered=true ----------------------------------------------------------------------------------------------- InitialRedeliveryDelay=1000 MaximumRedeliveries=5 RedeliveryUseExponentialBackOff=true RedeliveryBackOffMultiplier=5 19:55:21,453 INFO [stdout] (default-threads - 2) mdb recieved, redelivered=false 19:55:26,495 INFO [stdout] (default-threads - 3) mdb recieved, redelivered=true 19:55:51,503 INFO [stdout] (default-threads - 4) mdb recieved, redelivered=true 19:57:56,510 INFO [stdout] (default-threads - 5) mdb recieved, redelivered=true 20:08:21,516 INFO [stdout] (default-threads - 6) mdb recieved, redelivered=true 21:00:26,523 INFO [stdout] (default-threads - 7) mdb recieved, redelivered=true delta1 = 5s (calculated value 1*5) delta2 = 25s (calculated value 5*5) delta3 = 125s (calculated value 25*5) delta4 = 625s (calculated value 125*5) delta5 = 3125s (calculated value 625*5) ----------------------------------------------------------------------------------------------- InitialRedeliveryDelay=2000 MaximumRedeliveries=5 RedeliveryUseExponentialBackOff=true RedeliveryBackOffMultiplier=5 22:28:52,542 INFO [stdout] (default-threads - 2) mdb recieved, redelivered=false 22:29:02,598 INFO [stdout] (default-threads - 3) mdb recieved, redelivered=true 22:29:52,604 INFO [stdout] (default-threads - 4) mdb recieved, redelivered=true 22:34:02,609 INFO [stdout] (default-threads - 5) mdb recieved, redelivered=true delta1 = 10s (calculated value 2*5) delta2 = 50s (calculated value 10*5) delta3 = 250s (calculated value 50*5) -----------------------------------------------------------------------------------------------
References
July 10, 2013
Make Samsung Galaxy S3 with Android 4 work on Ubuntu
In the latest Ubuntu 13.04, the Ubuntu team has upgraded the MTP support, so you now can connect you mobile phone with Ubuntu. But if you are looking for a more stable version of Ubuntu, I recommend that you use a LTS (Long Term Support) version. Which currently is version 12.04.
But when using 12.04, it lack the Android 4 support. But that can be fixed with following the instruction found here http://www.webupd8.org/2013/01/upgrade-to-gvfs-with-mtp-support-in.html.
June 13, 2013
Configure High-Availability Clustering using TCP Unicast with JBoss EAP 6, HTTPD, mod_cluster on RHEL 6
In my previous blogs I have written about HA in JBoss EAP 6 with Apache Webserver (httpd) and that is all done with UDP multicast. In this blog I will show you how to do it with TCP unicast.
/etc/httpd/conf.d/mod_cluster.conf
# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
MemManagerFile /var/cache/mod_cluster
<IfModule manager_module>
#Listen 6666
<VirtualHost *:80>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
EnableMCPMReceive on
#ServerAdvertise on http://127.0.0.1:6666
ServerAdvertise off
AdvertiseFrequency 5
#AdvertiseSecurityKey secret
#AdvertiseGroup 224.0.1.105:23364
#AllowDisplay On
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
</VirtualHost>
</IfModule>
standalone-ha.xml
In this example we are going to run all JBoss EAP server on the same machine and we are using standalone mode for simplicity reason. But the same apply if you want to run domain mode.
First configure JGroups to use TCP unicast.
<subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="tcpping">
...
<stack name="tcpping">
<transport type="TCP" socket-binding="jgroups-tcp"/>
<protocol type="TCPPING">
<property name="initial_hosts">127.0.0.1[7600],127.0.0.1[7800]</property>
<property name="port_range">0</property>
<property name="timeout">3600</property>
<property name="num_initial_members">2</property>
</protocol>
<protocol type="MERGE2"/>
<protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
<protocol type="FD"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="BARRIER"/>
<protocol type="pbcast.NAKACK"/>
<protocol type="UNICAST2"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="UFC"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
<protocol type="RSVP"/>
</stack>
</subsystem>
Secondly we need to configure modcluster subsystem in JBoss EAP 6 and set advertise="false" and proxy-list="127.0.0.1:80".
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" proxy-list="127.0.0.1:80" advertise="false" connector="ajp">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
Now lets restart Apache Webserver (httpd) and start two JBoss server. And last you must deploy a clusterable application.
$ service httpd restart
$ ./standalone.sh --server-config=standalone-ha.xml -Djboss.node.name=jb1
$ ./standalone.sh --server-config=standalone-ha.xml -Djboss.socket.binding.port-offset=200 -Djboss.node.name=jb2
June 12, 2013
Common JBoss EAP 6 CLI Commands for Managing Domain Clusters
Add ServerGroup
[domain@localhost:9999 /] /server-group=third-server-group:add(profile=ha, socket-binding-group=ha-sockets)
Remove ServerGroup
[domain@localhost:9999 /] /server-group=third-server-group:remove
Add Server to ServerGroup
[domain@localhost:9999 /] /host=host1/server-config=station81Host1:add(group=second-server-group, socket-binding-group=ha-sockets, socket-binding-port-offset=300)
Remove Server from ServerGroup
[domain@localhost:9999 /] /host=host1/server-config=station81Host1:remove
Manage Server on ServerGroup
[domain@localhost:9999 /] /host=host1/server-config=station81Host1:start
[domain@localhost:9999 /] /host=host1/server-config=station81Host1:stop
June 8, 2013
How to Set Hostname on RHEL 6
Hostname is usually set when installing the machine, but sometime you need to change it.
To print current hostname
$ hostname
server1.example.com
To temporarily change the hostname.
$ hostname server99.example.com
To permanently change the hostname, edit the /etc/sysconfig/network and set the HOSTNAME property.
$NETWORKING=yes
HOSTNAME=server99.example.com
After saving the configuration, you will need to reboot your machine.
How to Disable/Enable and SELinux on RHEL 6
On test laptops you are not always interesting in having all security enabled, e.g. when developing or testing a applications. And that is true for SELinux.
To see if SELinux is active
$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
To temporarily disable SELinux - 1 (enable) or 0 (disable).
$ setenforce 0
To permanently disable SELinux, edit /etc/selinux/config and set SELINUX=disabled.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
After saving you need to reboot your machine.
How to setup log4j Syslog Appender in JBoss EAP 6
This solution only works for JBoss EAP 6.0.1 and higher
JBoss ships with a own logging framework and which is used via the org.jboss.logging.Logger class. I myself tend to like to use standardized solution, which is for me - log4j.
Log4j ships with some Appenders, but one especially useful for a Linux environment is SyslogAppender. Here I will show you how to setup log4j org.apache.log4j.net.SyslogAppender with JBoss EAP 6.0.1.
Log4j already is shipped with JBoss, so binaries are required for installation. The configuration is either done in standalone.xml or domain.xml.
<subsystem xmlns="urn:jboss:domain:logging:1.1">
...
<custom-handler name="SYSLOG" class="org.apache.log4j.net.SyslogAppender" module="org.apache.log4j">
<level name="INFO"/>
<formatter>
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
<properties>
<property name="syslogHost" value="localhost:514"/>
<property name="facility" value="LOCAL1"/>
<property name="facilityPrinting" value="false"/>
</properties>
</custom-handler>
...
<root-logger>
<level name="INFO"/>
<handlers>
...
<handler name="SYSLOG"/>
</handlers>
</root-logger>
</subsystem>
In the above configuration I'm using a local rsyslog server listening on UDP port 514. The log4j does not have a Syslog Appender that supports TCP. To test this configuration I'm using RHEL 6 and in a default installed RHEL an UDP listener is not default configured. To activate it, open /etc/rsyslog.conf and uncomment the below.
$ Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Now restart rsyslog with:
$ service rsyslog restart
Now start JBoss and watch logging messages in the default log rsyslog message file.
$ less /var/log/messages
After verified the Syslog Appender, you probably want to separate JBoss logging to a separate file. How to configure that is out of the scoop for this blog, but a simplistic configuration in /etc/rsyslog.conf is:
local1.* /var/log/local0.log
After modification, restart rsyslog and rsyslog will automatically create the new log file.
June 7, 2013
How to Install Graphical Printer Configuration Tool on RHEL 6
When installing RHEL 6 with Desktop, you might not get all of the administration tool installed from the beginning. A common tool that is often forgotten is the Printing Configuration tool. To install do the following:
$ yum install system-config-printer
After you can open the printer configuration from System -> Administration -> Printing.
June 3, 2013
New Apache Wicket Book and Good Starting Point for Newbie
You can get a complete list of all Apache Wicket books here http://wicket.apache.org/learn/books/.
And if you want another book I would recommend Wicket in Action.
Another good starting point is to run the components examples (http://www.wicket-library.com/wicket-examples/index.html) on the Apache Wicket page and read the Reference Wiki pages - https://cwiki.apache.org/WICKET/reference-library.html.
The next step if you have not already done that is to start writing codes. When doing so it is good to knew that there is a very good mailing list group for Apache Wicket, which I recommend to search in, if you get stuck - http://wicket.apache.org/help/.
May 21, 2013
JBoss DatabaseServerLoginModule with Added Salt and Iteration Count
http://www.rtner.de/software/PBKDF2.html
How to Encrypt Password in JBoss 7 and EAP 6
So how do we achieve that with JBoss 7 and EAP 6? The shipped solution is JBoss Vault. Here follows a link of using it - https://community.jboss.org/wiki/JBossAS7SecuringPasswords. A note of the example, that you might want to consider:
- The key length of 1024 bytes is quite weak, consider using a longer key.
- You probably want to increase the default validity period, with the -validity flag.
"The default implementation of the vault utlizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity. This is not 100% security. It only gets away from the problem of clear text passwords in configuration files. There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link)."
"Ideally, 3rd party ISV robust implementations of Vaults should provide the necessary security."
[https://community.jboss.org/wiki/JBossAS7SecuringPasswords#Frequently_Asked_Questions]
And maybe the most obvious question is how to make it stronger. And Red Hat answer that also on the same page. Store the keystore on an external USB device which you mount on bootup and then remove it. Or use a stronger third party solution.
How to enable Tree View in File Browse Nautilus in RHEL 6
- Open Preferences dialog, by clicking Edit -> Preference. See picture 1.
- In first tab select the lowest option Show only folders
- In the second tab select Always open in browser windows. See picture 2.
If you want more extensions to Nautilius, check out the Nautilius extensions page - https://live.gnome.org/Nautilus/Extending.
May 16, 2013
How to Handle Character Encoding in JSP and Servlets
When writing simple web application you might not want to bother to use some web framework and simply use simple JSP and Servlet. This has been the case for me recently, but there is of course pitfalls with that as everything else in life. And one of those is to handle character encoding.
In you JSP be sure you use the below encoding settings:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Insert title here</title>
</head>
<body>
<h1>Empty Page</h1>
</body>
</html>
These encoding settings are important if you are planning to pass get parameters in the URL and those parameters might contain character not covered in ISO-8859-1 character table. You should here be aware of how the HTTP work, that it is stateless by design, which means that the server has no way of knowing how to interpret the url-encoded GET parameters, so it assumes ISO-8859-1.
The next gotcha is when I JSP call a Servlet. Here again the server has no way of knowing how to interpret the url-encoded GET parameters, therefore you must explicitly tell the server how to url encode the passed parameters. That is done via the methods.
req.setCharacterEncoding("UTF-8");
resp.setCharacterEncoding("UTF-8");
If you are planning to send direct HTML response from the Servlet, do not forget to set the response content type.
resp.setContentType("text/html; charset=UTF-8");
May 14, 2013
Problem installing Maven 3 on Ubuntu 13.04 Raring
The following packages have unmet dependencies:
maven : Depends: libwagon2-java (>= 2.2-2) but it is not going to be installed
I searched the official Ubuntu bug report site, https://bugs.launchpad.net/ubuntu/ and found the solution.
https://bugs.launchpad.net/ubuntu/+source/maven2/+bug/1173142
March 16, 2013
How to install IE 8 and 9 on Ubuntu 12.10
When developing web sites you will sooner or later come across different HTML, CSS, Javascript compability issues for different web browser. Firefox and Google Chrome can easily be installed on Ubuntu, but installing Internet Exeplorer requires some more installation.
To begin with whenever you are searching for information about Ubuntu always start with a recognized site and a recognized site is http://askubuntu.com.
After that said now install IE. To begin with you need to install a platform to run you IE and the successor for Wine is PlayOnLinux (PlayOnLinux website). You install it by using Ubuntu Software Center.
Before installing make sure you have a working Internet Connection.
After successfully installed PlayOnLinux start it and you can install IE by clicking on the Install button from the toolbar and then search for 'Internet Explorer'.
February 28, 2013
How to install Swedish Spelling Checking on English Ubuntu 12.10
The most popular system language for an operating system is English when working as a system developer, but when it comes to writing document you probably need a local language spelling package. And in me previous blog I have written how to install swedish spelling package for LibreOffice, but with Ubuntu 12.10 there is a better way. Install the spelling checking package as debian package.
$ sudo apt-get install hunspell-sv-se
Afer installation you need to restart LibreOffice. Then you need to make LibreOffice aware of the the new spelling package. You do that by open Tools -> Options... -> Language Settings -> Writing Aids
Now you can change spelling checking for text or the complete document via Tools -> Language
February 24, 2013
Certified Hardware on Ubuntu, for example TP-LINK Network Card
To get more information about certified hardware for Ubuntu, please look at the Ubuntu homepage:
Component catalog: http://www.ubuntu.com/certification/catalog/
Certified hardware: http://www.ubuntu.com/certification/
February 19, 2013
How to Get Rid of the Close Other Tabs Warning in Firefox
- Open a new tab and enter about:config.
- Enter in the search field browser.tabs.warnOnCloseOther.
- Now double click on the browser.tabs.warnOnCloseOther row to turn its value to false.
- VoilÃ
January 30, 2013
Java SE 6 Reaches End of Life (EOL) in February 2013
Oracle has announced that the end of life (EOL) of Java SE 6 has been set to February 2013. Which means that if you have not already upgraded to Java SE 7, now is the time. You can read more about the Oracle Java SE Support Roadmap here.
And for you folks that think that Java SE 7 is a new thing, well, I'm afraid that you are poorly updated. The Java SE 7 was released in February 2011.