Activities

March 2017

How do I enable TLS on postfix mail server

One of our clients complained that recipients on the Gmail.com domain were getting a warning on the emails sent to them. They use SMTP port 25 to send email from an SQL-based mail server, so anybody on the network path could tap the email content, since it is sent unencrypted.

So my plan is to enable the TLS handshake on my Postfix SMTP server.

[Screenshot: No-tls_smtp]

The above screenshot shows that our mails are unencrypted while communicating with the outside world, so we need to tweak some Postfix settings to enable TLS encryption. Edit the file "/etc/postfix/main.cf" and add the lines below at the bottom. Please note that I'm using a valid SSL certificate for the TLS handshake; you can also create a self-signed certificate for this purpose with the openssl command below. There is no need to buy an SSL certificate for this.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/postfix.key -out /etc/httpd/ssl/private/postfix.crt

############### Enabling tls on postfix ###############
# logging
smtpd_tls_loglevel = 1
# Allow use of TLS for outbound (client-side) mail but make it optional;
# smtp_use_tls is the legacy switch, smtp_tls_security_level = may is the current form
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys (smtp_* = used when this server sends mail)
smtp_tls_cert_file = /etc/httpd/ssl/private/postfix.crt
smtp_tls_key_file = /etc/httpd/ssl/private/postfix.key
# The smtpd_* lines above only matter for inbound connections once
# smtpd_tls_security_level = may and smtpd_tls_cert_file/smtpd_tls_key_file are also set

Next, restart the Postfix server and test it.

 [root@Web01 liju]#/etc/init.d/postfix restart

Now you should be able to send email over TLS encryption.

[Screenshot: TLS_working]
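To check the configuration above before and after the restart, here is an added example (mine, not part of the post): a small Python lint that reads the post's main.cf snippet and reports what a reviewer would flag, plus a STARTTLS probe against a host you name. `starttls_cipher` is an assumed helper name and needs network access; the lint runs offline.

```python
"""Lint the TLS parameters of a Postfix main.cf snippet, then probe STARTTLS.
Added example, not from the post; MAIN_CF_SNIPPET is the post's own config."""
import smtplib
import ssl

MAIN_CF_SNIPPET = """
smtpd_tls_loglevel = 1
smtp_use_tls=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtp_tls_cert_file = /etc/httpd/ssl/private/postfix.crt
smtp_tls_key_file = /etc/httpd/ssl/private/postfix.key
"""

def parse_main_cf(text):
    """Return {parameter: value} for 'key = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def lint_tls(params):
    """Findings for the outbound (smtp_) and inbound (smtpd_) side."""
    findings = []
    if "smtp_use_tls" in params and "smtp_tls_security_level" not in params:
        findings.append("smtp_use_tls is the legacy switch; prefer smtp_tls_security_level = may")
    inbound_on = (params.get("smtpd_tls_security_level", "none") not in ("none", "")
                  or params.get("smtpd_use_tls", "no") == "yes")
    if not inbound_on and any(k.startswith("smtpd_tls_") for k in params):
        findings.append("smtpd_tls_* is tuned but inbound TLS is off: set smtpd_tls_security_level = may")
    for side in ("smtp", "smtpd"):  # both sides should refuse SSLv2/SSLv3
        protos = [p.strip() for p in params.get(f"{side}_tls_protocols", "").split(",")]
        excluded = {p.lstrip("!") for p in protos if p.startswith("!")}
        findings += [f"{side}_tls_protocols does not exclude {o}" for o in ("SSLv2", "SSLv3") if o not in excluded]
    return findings

def starttls_cipher(host, port=25, timeout=10):
    """EHLO and return the cipher negotiated via STARTTLS, or None if not offered.
    The default context verifies the cert, so a self-signed one raises SSLError."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            return None
        conn.starttls(context=ssl.create_default_context())
        return conn.sock.cipher()
```

Run `lint_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` on the real file; an empty list means none of the three checks fired.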

How do I enable MySQL auditing using the MariaDB Audit Plugin

We are using Oracle MySQL Community 5.7, which does not have the capability to audit user activities. There are some options to audit MySQL statements: enabling the general log (for all SQL activity) and the slow log (to identify the culprit SQL that slows down the system).

Neither of the above gives you a complete solution if somebody changes table values with or without proper approval, such as an accidental data deletion or a query executed against the wrong window.

My best advice is to always use a unique database name or user name on other environments to avoid an accidental disaster or data loss. Our team had already found the McAfee MySQL Audit Plugin useful for tracking down user activity; see the how-to at https://github.com/mcafee/mysql-audit/wiki/Installation. But this plugin lacks certain features we expect, like readability of the output file and identification of failed statements. Our prime concern is to identify the broken SQL statements prior to the upgrade from MySQL 5.5 to 5.7. Once we are able to record all the 'failed statements', we can work out equivalent SQL statements for MySQL 5.7. In the audit log, FAILED denotes a connection error and 1045 is the error code.

Download the MariaDB plugin from https://downloads.mariadb.com/Audit-Plugin/MariaDB-Audit-Plugin/, a link which is not publicly published.

Install MariaDB-Audit-Plugin

root@Db01#wget https://downloads.mariadb.com/Audit-Plugin/MariaDB-Audit-Plugin/server_audit-1.4.0.tar.gz
root@Db01#tar -zxvf server_audit-1.4.0.tar.gz
root@Db01#cd server_audit-1.4.0
root@Db01#cd linux-x86-64

Next, you need to find the MySQL plugin directory using the command below.

1. Install Plugins

mysql> SHOW GLOBAL VARIABLES LIKE 'plugi%';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)

Then copy the plugin file to the plugin_dir location. Note that the path in the copy command below differs from the plugin_dir reported above; use the path your own server reports.

root@Db01#cp server_audit.so /usr/local/mysql/lib/plugin/

2. Activate the plugin at runtime

install plugin server_audit SONAME "server_audit.so";

3. How to test the plugin installation

-bash-4.1# mysql -e "show plugins;" | grep "SERVER"
SERVER_AUDIT    ACTIVE  AUDIT   server_audit.so GPL
-bash-4.1#
mysql> SHOW  VARIABLES LIKE 'SERVER%';
+-------------------------------+--------------------------------------+
| Variable_name                 | Value                                |
+-------------------------------+--------------------------------------+
| server_audit_events           |                                      |
| server_audit_excl_users       |                                      |
| server_audit_file_path        | server_audit.log                     |
| server_audit_file_rotate_now  | OFF                                  |
| server_audit_file_rotate_size | 1000000                              |
| server_audit_file_rotations   | 9                                    |
| server_audit_incl_users       |                                      |
| server_audit_loc_info         |                                      |
| server_audit_logging          | OFF                                  |
| server_audit_mode             | 1                                    |
| server_audit_output_type      | file                                 |
| server_audit_query_log_limit  | 1024                                 |
| server_audit_syslog_facility  | LOG_USER                             |
| server_audit_syslog_ident     | mysql-server_auditing                |
| server_audit_syslog_info      |                                      |
| server_audit_syslog_priority  | LOG_INFO                             |
| server_id                     | 0                                    |
| server_id_bits                | 32                                   |
| server_uuid                   | 045804e0-eec9-11e6-9146-90e2ba073ca0 |
+-------------------------------+--------------------------------------+
19 rows in set (0.00 sec)
mysql>

4. How to activate the audit plugin

mysql> set GLOBAL server_audit_logging=On;
Query OK, 0 rows affected (0.00 sec)
mysql>

Happy
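The goal stated above was to pick the failed statements and failed logins out of the audit file. As an added example (mine, not from the post or the plugin project), the Python below parses lines in the server_audit file format (timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode) and keeps the entries with a non-zero return code; the log lines in it are constructed sample data.

```python
"""Find failed statements and connections in a MariaDB server_audit log.

Added example (not from the post or the plugin). Each record has the fields
timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode;
the object field (query text) is quoted and may itself contain commas, so it is
parsed last. The log lines below are constructed sample data."""

SAMPLE_LOG = """\
20170301 10:15:01,Db01,app,10.0.0.5,12,0,CONNECT,shop,,0
20170301 10:15:01,Db01,app,10.0.0.5,12,7,QUERY,shop,'SELECT id, name FROM customer LIMIT 5',0
20170301 10:15:02,Db01,app,10.0.0.5,12,8,QUERY,shop,'SELECT id, total FROM orders_old',1146
20170301 10:15:09,Db01,report,10.0.0.9,13,0,FAILED_CONNECT,,,1045
20170301 10:15:10,Db01,app,10.0.0.5,12,0,DISCONNECT,shop,,0
"""

FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

def parse_record(line):
    """Split one audit line into a dict; retcode is taken from the right so commas
    inside the quoted query text do not shift the fields."""
    head, retcode = line.rstrip("\n").rsplit(",", 1)
    parts = head.split(",", 8)          # the 9th part keeps any remaining commas
    record = dict(zip(FIELDS, parts))
    record["retcode"] = int(retcode)
    return record

def failed_entries(text):
    """Return the records whose return code is non-zero (failed query or login)."""
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip())
            if r["retcode"] != 0]

def summarize(text):
    """Count failures per (operation, retcode), e.g. {('FAILED_CONNECT', 1045): 1}."""
    counts = {}
    for r in failed_entries(text):
        key = (r["operation"], r["retcode"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Point `failed_entries` at the contents of the file named in server_audit_file_path to get the list of statements that need a 5.7 equivalent.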

How to change default JMS port on Glassfish server

Yesterday I was doing a task to facilitate another Glassfish instance on the same IP but using a different port. I had modified all the ports that are mentioned explicitly in the domain.xml file. But remember, I have another Glassfish server installed on the same host using the default port values. While verifying the ports that Glassfish opened, I found that the JMS default port had not been changed and was still using the default port 7676, so I could not accommodate another Glassfish instance. But I could not see this port number defined anywhere in that domain.xml file, so I was confused and helpless.

Today I turned to the asadmin commands to list out the port variables and found it was still using 7676, and learned that it can be changed only using the asadmin command. So I'm looking into that option.

Solution

Before

[root@~]# /var/glassfish-mysqltest/bin/asadmin get \* | grep 7676
configs.config.default-config.system-property.JMS_PROVIDER_PORT.value=37676
configs.config.default-config.admin-service.jmx-connector.system.port=27676
configs.config.default-config.jms-service.jms-host.default_JMS_host.port=37676
configs.config.server-config.jms-service.jms-host.default_JMS_host.port=7676

Execute this command

/var/glassfish-mysqltest/bin/asadmin set configs.config.server-config.jms-service.jms-host.default_JMS_host.port=37676

After

[root@ ~]# /var/glassfish-mysqltest/bin/asadmin get \* | grep 7676
configs.config.default-config.system-property.JMS_PROVIDER_PORT.value=37676
configs.config.default-config.admin-service.jmx-connector.system.port=27676
configs.config.default-config.jms-service.jms-host.default_JMS_host.port=37676
configs.config.server-config.jms-service.jms-host.default_JMS_host.port=37676

That's it. I was able to change the JMS default port to 37676.

How to pull single table data from a full database backup file.

At some point you will be asked to restore a particular table from a full backup. So you have to follow the steps below.

1. Request backup team to provide the backup
2. Decompress the backup.
3. Move the file to target server.
4. Restore the entire backup, which takes a long time depending on the volume.
5. Pull the particular table backup and provide it to the requester.

The single line of bash below will help you extract a single table's backup into a separate file. Here I'm going to pull the table backup of help_category from a database.

#sed -n -e '/DROP TABLE.*`help_category`/,/UNLOCK TABLES/p' /tmp/fullbackup.sql  > tabledump.sql

Note: Remember that this activity reads a single file, sometimes GBs in size, which can consume the entire server's resources; it is not advisable to run this on any production server. You may also need more CPU/RAM for this activity.

Collecting the JVM data for identifying the bottleneck

We all develop Java applications for various areas, as it is a secure and hard-to-hack platform, so it is considered the most secure programming platform to choose. Here, one of our servers became heavily loaded and we did not find any specific reason for it. At the same time we observed that CPU was heavily consumed while RAM was barely used. So it seems like some memory leak or code break is happening at the web server end, as we did not see any load congestion on the web server end.

So we need to dig into the issue by collecting the garbage collection data to a file. Based on the information given, there are 3 basic types of data that we need in order to identify the root cause of a Java application issue.

1. Collecting the heap dump
This basically pulls all the data present in the system memory, so it helps us identify which function/code is currently loaded in memory.

How do I take a heap dump: execute the command below

# jmap -histo prints a per-class histogram of heap objects (instance counts and bytes), not a full binary heap dump
/var/jdk/bin/jmap  -histo $(pgrep java)   > ~/heapdump_$(date +"%Y-%m-%d_%H%M").log

The above command will write the heap dump data to a date-stamped file for future reference.

2. Collecting the thread dump
This is basically used to identify the programming-side libraries/functions/forms being used at that particular time. It is very useful for identifying functionality fixes or breaks, so we instructed the team to keep this data strictly upon any application outage.

How to pull the thread dump

/var/jdk/bin/jstack  -l $(pgrep java)  > ~/thread_dump_$(date +"%Y-%m-%d_%H%M").log

Note: This command dumps all Java threads currently executing in memory and writes them to a date-stamped file. You also need to take these logs over a period of time to understand the history of the functions loaded in memory, so I usually execute this command 3 times at one-minute intervals.

3. Verifying whether the Java application is heavily loaded using jstat.

There is a utility (jstat) which collects garbage collection statistics, including gcutil (used to check the usage of the heap areas, the number of GCs performed, and the total accumulated time for GC operations).

[root@web232 ~]# /var/jdk/bin/jstat -gcutil $(pgrep java) 250 700
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
  0.00  76.33 100.00 100.00  38.71    133   15.991   229 1465.177 1481.168
  0.00  76.33 100.00 100.00  38.71    133   15.991   229 1465.177 1481.168
  0.00  94.96 100.00 100.00  38.71    133   15.991   229 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203

The above log shows that the Old space and Eden space were fully occupied across GC cycles, so any pending GC request is kept in a queue and the web server appears to hang even though it is technically still working. The culprit is GC collection killing the web server and keeping it frozen, so restarting the web server helps release the GC and brings the platform back quickly.

If you see Eden space (E) and Old area (O) showing the value 100, your application is performing poorly and may not be working correctly. So the options are to restart the web server or kill the Java process.

How do I kill the Java process?

/bin/kill -9 $(pgrep java)
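The reading of the jstat columns above (E and O pinned at 100 while the full GC counter keeps climbing) can be automated so the check runs before anyone decides on a restart. This is an added example of mine, not from the post: the sample rows are copied from the post's jstat output, and `collect_and_check` is an assumed helper that runs jstat from the same path the post uses.

```python
"""Parse jstat -gcutil output and flag a heap that full GC is not reclaiming.
Added example, not from the post; the sample rows are copied from the post's jstat run."""

JSTAT_SAMPLE = """\
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT
  0.00  76.33 100.00 100.00  38.71    133   15.991   229 1465.177 1481.168
  0.00  94.96 100.00 100.00  38.71    133   15.991   229 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
  0.00 100.00 100.00 100.00  38.71    133   15.991   230 1466.212 1482.203
"""

def parse_gcutil(text):
    """Return one dict per sample row, keyed by the header names (S0, S1, E, O, ...)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header, samples = rows[0], rows[1:]
    return [dict(zip(header, map(float, row))) for row in samples]

def diagnose(samples, full=100.0):
    """Return findings: how often Eden (E) and Old (O) were both full, and whether
    the full GC count advanced across the window without freeing Old space."""
    findings = []
    saturated = sum(1 for s in samples if s["E"] >= full and s["O"] >= full)
    if saturated:
        findings.append(f"E and O at {full:.0f}% in {saturated} of {len(samples)} samples")
    first, last = samples[0], samples[-1]
    if last["FGC"] > first["FGC"] and last["O"] >= full:
        findings.append(
            f"full GC count rose from {first['FGC']:.0f} to {last['FGC']:.0f} "
            f"(+{last['FGCT'] - first['FGCT']:.3f}s) while Old space stayed at {last['O']:.0f}%")
    return findings

def collect_and_check(pid, jstat="/var/jdk/bin/jstat", interval_ms=250, count=8):
    """Run jstat against a live JVM and diagnose its output (assumed helper; same jstat path as the post)."""
    import subprocess
    out = subprocess.run([jstat, "-gcutil", str(pid), str(interval_ms), str(count)],
                         capture_output=True, text=True, check=True).stdout
    return diagnose(parse_gcutil(out))
```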

How to delete the PU protocol from Glassfish 3

I had created a PU protocol on the Glassfish server in order to serve SSL pages forcefully. The main issue is that this is the only way to redirect all plain HTTP requests to HTTPS; I did not find any other option for 'SSL forcing' in Glassfish 3. But now I want the same domain.xml file without the PU (port unification) protocol enabled, because we enabled many other custom variables in domain.xml and want to move all the SSL parts under the load balancer (SSL offloading).

1. How to create the PU protocol to force HTTPS

[root@web03 ~]# cd /var/glassfish/domains/domain1/config
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol --securityenabled=false http-redirect
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-filter --protocol http-redirect --classname com.sun.grizzly.config.HttpRedirectFilter redirect-filter
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol --securityenabled=false pu-protocol
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-listener-2 --classname com.sun.grizzly.config.HttpProtocolFinder http-finder
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-redirect --classname com.sun.grizzly.config.HttpProtocolFinder http-redirect
[root@web03 ~]#/home/glassfish/bin/asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=pu-protocol

Here is the reverse process: removing the PU protocol.

1. Assuming that Glassfish is installed in the /home/glassfish/bin folder (adjust the asadmin path to match your installation), execute the commands below. The listener is switched back to http-listener-1 first, so that the PU protocol is no longer in use by the time it is deleted.

#/var/glassfish/bin/asadmin set  configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=http-listener-1
#/var/glassfish/bin/asadmin delete-protocol-finder  --protocol pu-protocol    http-redirect
#/var/glassfish/bin/asadmin delete-protocol-filter --protocol http-redirect redirect-filter
#/var/glassfish/bin/asadmin delete-protocol  pu-protocol
#/var/glassfish/bin/asadmin delete-protocol http-redirect