October 2016

MySQL : How to create multiple root users (super admins)

I had a situation where multiple root users were needed to manage a large database. Earlier I used to run GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' IDENTIFIED BY 'password' to create such super users. But I realized that these users cannot alter an existing user's privilege set, even though they can create new users with the same privilege set.

Admittedly this is a rare case, since in most setups the number of DBAs is very limited. One of my colleagues found that the missing piece is WITH GRANT OPTION: without it the account holds the privileges but cannot pass them on, so GRANT and REVOKE against other accounts fail.

With it the new account has FULL control over MySQL user accounts, so treat it exactly like root: keep the host part tight ('localhost' or a specific admin host, not '%'). Amazon RDS creates a master user of this kind automatically when you launch a new RDS instance, but sadly it does not let you create true 'super root' users (the SUPER privilege is held back) :-(

Solution : GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION; (On MySQL 8.0 the IDENTIFIED BY clause is no longer accepted inside GRANT: run CREATE USER first, then the same GRANT ... WITH GRANT OPTION.)
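An added example (my own, not from the post) that prints the statements for a second full administrator and classifies lines of SHOW GRANTS output, so you can also audit which accounts already hold global GRANT OPTION. The user, host and password are placeholders and nothing here connects to a server; the classifier matches the MySQL 5.x output style, where ALL PRIVILEGES is printed literally (8.0 expands it into an explicit privilege list).

```shell
#!/bin/sh
# Added example, not from the original post.  dba_grant_sql prints the SQL
# for a second full administrator; classify_grant inspects one line of
# SHOW GRANTS output so an audit can find every account that already holds
# global GRANT OPTION (the ones able to rewrite any other account).
# User, host and password are placeholders.

# Print the statements.  IDENTIFIED BY inside GRANT is the form used in the
# post (MySQL 5.6); it was deprecated in 5.7 and removed in 8.0, so the
# CREATE USER + GRANT split below is the one that works everywhere.
dba_grant_sql() {
    user=$1 host=$2 pass=$3
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON *.* TO '$user'@'$host' WITH GRANT OPTION;
EOF
}

# Classify one SHOW GRANTS line (5.x style):
#   full-admin    ALL PRIVILEGES ON *.* ... WITH GRANT OPTION
#   all-no-grant  ALL PRIVILEGES ON *.* without GRANT OPTION: can use every
#                 privilege itself but cannot change other accounts' grants
#   limited       anything else
classify_grant() {
    case $1 in
        *"ALL PRIVILEGES ON *.*"*"WITH GRANT OPTION"*) echo full-admin ;;
        *"ALL PRIVILEGES ON *.*"*)                     echo all-no-grant ;;
        *)                                             echo limited ;;
    esac
}

# Audit helper: feed it the output of "mysql -N -e 'SHOW GRANTS FOR ...'"
# (one grant per line) and it prints only the full-admin lines.
find_full_admins() {
    while IFS= read -r line; do
        if [ "$(classify_grant "$line")" = full-admin ]; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}
```

Run the audit against every account listed in mysql.user before and after adding the new DBA; the number of full-admin lines should go up by exactly one.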

Mutt : Emails are not sent from a user account

Recently I switched a script that had been running from the root account to a normal user account, for audit purposes. Afterwards it was noticed that the script no longer sent email; it uses the "mutt" command-line MUA. I checked the mail server log and found nothing useful there. I also noticed that the From address had changed to one with poor reputation, i.e. the From address showed 'ramesh@localhost.localdomain

The solution is:
a. Create a mutt profile file that sets the From address header.

b. A few other variables also have to be set in that file for mail to leave the box; otherwise mutt sits in a hung state (waiting at a prompt). use_from makes mutt generate the From: header, and envelope_from makes it hand that same address to sendmail with -f, so the envelope sender (Return-Path) matches From: instead of the unix account name. The following values are added to ~/.muttrc:
set realname="Daily validations of invoice history"
set use_from=yes
set envelope_from=yes

My muttrc file looks like this:

[user1@web01 ~]$ cat ~/.muttrc
set signature='~/.signature'
# Customized headers
unmy_hdr *                # remove all extra headers first
set edit_headers=yes
my_hdr From: Exception Checker
my_hdr Reply-To: Group admins
set realname="Exception Checker"
set use_from=yes
set envelope_from=yes
[user1@web01 ~]$
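An added example (my own, not from the post) that gives an unattended job its own mutt profile, so the sender identity is fixed no matter which unix account the cron entry runs under, and sends with that profile instead of relying on ~/.muttrc. The addresses and report name are placeholders, and the MUTT variable only exists so the send step can be pointed at a stub.

```shell
#!/bin/sh
# Added example, not from the original post: a per-job mutt profile plus a
# send helper.  Addresses and names are placeholders; MUTT may be set to a
# stub command for testing.

# write_mutt_profile FILE FROM-ADDRESS REAL-NAME
write_mutt_profile() {
    profile=$1 from_addr=$2 real_name=$3
    cat >"$profile" <<EOF
# identity recipients (and reputation filters) will see
set from="$from_addr"
set realname="$real_name"
set use_from=yes
# hand the same address to sendmail with -f, so the envelope sender
# (Return-Path) matches From: instead of <account>@<hostname>
set envelope_from=yes
EOF
    chmod 0600 "$profile"
}

# send_report PROFILE TO SUBJECT BODY-FILE
# -n skips the system Muttrc, -F uses our profile instead of ~/.muttrc, and
# reading the body from a file (not a terminal) keeps mutt in batch mode,
# which is what stops it hanging at a prompt under cron.
send_report() {
    ${MUTT:-mutt} -n -F "$1" -s "$3" -- "$2" <"$4"
}
```

With envelope_from set, check the Return-Path on a received test message: it should carry the configured address, not user@localhost.localdomain.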

How to create a keystore/jks file from an SSL certificate and private key

Recently I had to install an SSL certificate on a Java-based web server. The customer had the certificate file, the CA bundle and the private key file. Googling showed that a JKS file cannot be generated directly from the certificate and private key; the key pair has to go through a PKCS#12 bundle first. The JKS/key pair creation procedure is shown below.

1. Generate a PKCS#12 (Public-Key Cryptography Standards) file from the certificate and private key file.

[root@web12]# openssl pkcs12 -export -name s1as -in -inkey -out

2. Create the keystore file from the PKCS12 file.
Note : Use exactly the keystore file name and alias name that the expired certificate used in the Tomcat/Glassfish configuration. In my case the alias name s1as and the keystore password were hard-coded in the server config, so the keystore password, keystore file name and alias name are all retained at this stage.

[root@web12]# keytool -importkeystore -destkeystore keystore.jks -srckeystore -srcstoretype pkcs12 -alias s1as

3. Download the Java-oriented certificate bundle (p7b/p7s format) provided by the Certificate Authority and import it into the keystore just created. That bundle contains the certificate together with its intermediate CA and root certificates, so a single import under the same alias completes the chain behind the private key entry.

[root@web12]#keytool -import -keystore keystore.jks -alias s1as -file

Now everything is in the JKS file (keystore.jks), protected by the keystore password. That password is set when the JKS is created and is needed for any later operation on the file. Note that Tomcat and current JDKs (9 and later default to PKCS12) can load the .p12 from step 1 directly, so the JKS conversion is only required where the configuration insists on JKS.

Note : The certificate file mydomain.crt is not a key file in itself; it carries the public key that matches the private key generated at CSR time. If the two do not belong together, the PKCS12 export in step 1 fails with "No certificate matches private key".

Go and enjoy the SSL protection on your Java based web server.
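An added example (my own, not from the post) that carries the three steps through as one script: it first checks that the certificate and key belong together, packs them with the CA chain into PKCS#12, converts to JKS under the alias the server expects, and then lists what ended up in the store. The alias s1as and keystore.jks follow the post; the input file names and password are placeholders, and the chain is included with -certfile at step 1 instead of being imported from the p7b afterwards.

```shell
#!/bin/sh
# Added example, not from the original post.  Alias and keystore name follow
# the post; cert/key/chain paths and the password are placeholders.

# "match" if the certificate carries the public key of the private key,
# otherwise "mismatch".  Compares SHA-256 of the two PEM public keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# build_jks CERT KEY CHAIN ALIAS OUT.jks PASSWORD
build_jks() {
    cert=$1 key=$2 chain=$3 alias=$4 out=$5 pass=$6
    if [ "$(cert_matches_key "$cert" "$key")" != match ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    # 1. PKCS#12 with the CA bundle included (-certfile); this replaces the
    #    separate p7b import of step 3, since the chain is already inside.
    openssl pkcs12 -export -name "$alias" -in "$cert" -inkey "$key" \
        -certfile "$chain" -out "${out%.jks}.p12" -passout "pass:$pass"
    # 2. JKS.  Alias and store password stay the ones the old keystore used,
    #    so server.xml / domain.xml need no change.
    keytool -importkeystore -srckeystore "${out%.jks}.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$out" -deststoretype JKS \
        -deststorepass "$pass" -alias "$alias"
    # 3. A PrivateKeyEntry with chain length > 1 means key, leaf and CA are in.
    keytool -list -v -keystore "$out" -storepass "$pass" -alias "$alias" \
        | grep -E 'Entry type|Certificate chain length'
}

# usage: build_jks mydomain.crt mydomain.key ca-bundle.crt s1as keystore.jks changeit
```

Keep the resulting .p12 and .jks readable by the service account only; both contain the private key, and the store password is the only thing standing between a file read and a usable key.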

How to restrict http /https access to specified hosts /networks only

It has been quite a long time since I visited my blog. There were two reasons: I got a new office and was struggling to keep up the rhythm of the new environment, and certain personal matters at my native place needed my physical presence. So I was busy with the usual weekend travel and hurry-burry office stuff during the week. Now I want to build a global presence, so I am updating the blog again.

One of my projects had a requirement to open a public web server for internal use for a few weeks. So we had to block public access to this host; this was one of the quick platform requirements.

Here we are using two private IP blocks for our internal LAN, the and networks. Here are the rules needed to accomplish the requirement.

iptables -F
/sbin/iptables -I INPUT -s -p tcp --dport 80 -m state --state NEW -j REJECT
/sbin/iptables -I INPUT -s -p tcp --dport 443 -m state --state NEW -j REJECT
/sbin/iptables -I INPUT -s -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j REJECT
/sbin/iptables -I INPUT -s -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j REJECT
iptables -A INPUT -p tcp --dport 80 -s -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I test it?

Testing the http/https availability with a browser is not very helpful, based on my testing. I added '-m state --state NEW' so that all NEW connections are rejected while any already-open connections are still allowed, and a browser keeps reusing its open keep-alive connections. So confirm from another network, or close and re-open the browser so that a fresh connection is made.
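An added example (my own, not from the post) of the same restriction written as a small allow-list: accept packets of already-accepted connections, accept NEW connections only from the listed networks, and reject everyone else with a TCP reset. The networks are placeholders; setting IPT=echo prints the rules instead of loading them, which is also how the ordering can be checked before touching a live box.

```shell
#!/bin/sh
# Added example, not from the original post: allow tcp/80 and tcp/443 only
# from the given source networks.  Networks are placeholders; IPT=echo
# prints the rules instead of applying them.

# web_allowlist_rules NET [NET...]
web_allowlist_rules() {
    IPT=${IPT:-/sbin/iptables}
    # dedicated chain, so the rules can be replaced as a unit later
    $IPT -N WEB_ACL 2>/dev/null || $IPT -F WEB_ACL
    # packets of a connection that was already accepted keep flowing
    $IPT -A WEB_ACL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new connections only from the allowed networks
    for net in "$@"; do
        $IPT -A WEB_ACL -s "$net" -m conntrack --ctstate NEW -j ACCEPT
    done
    # everyone else gets a reset, so clients fail fast instead of hanging
    $IPT -A WEB_ACL -p tcp -j REJECT --reject-with tcp-reset
    # hook the chain into INPUT for both web ports (remove any old hook first)
    for port in 80 443; do
        $IPT -D INPUT -p tcp --dport "$port" -j WEB_ACL 2>/dev/null || true
        $IPT -I INPUT -p tcp --dport "$port" -j WEB_ACL
    done
}
```

Because the ESTABLISHED rule comes first, connections that were open before the rules went in survive; to cut those off as well, delete their conntrack entries (conntrack -D -p tcp --dport 80, and the same for 443) after loading the rules, then re-test from a host outside the listed networks.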

Configure Postfix relay server using Amazon SES

Recently I had a requirement to make sure that mail sent from a server reaches the users' INBOX; certain emails were not getting through to the Google Apps mailing list. As far as I can see, the application used a standalone SMTP server installed on the host, whose IP/network was not in the SPF record. So that mail had low IP reputation and did not reach the users' INBOX every time. In this scenario I had to configure a relay through an authorized network/IP source.

First step

1. Create SMTP credentials (an SMTP user) in the Amazon SES console. The screenshot of that screen is not reproduced here.

2. Modify the Postfix main configuration file
First install the SASL packages that Postfix needs for its SASL authentication mechanism.

# yum install mailx cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
#yum install postfix

Then add the following lines at the bottom of the Postfix main configuration file under /etc/postfix/.

relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_sasl_mechanism_filter = PLAIN LOGIN
smtp_generic_maps = hash:/etc/postfix/generic

relayhost : The host Postfix pushes mail to. It differs depending on the SES region you chose.
smtp_sasl_password_maps : The file holding the Amazon SES credentials. Please note these are the SMTP credentials generated in the SES console; the SMTP password is not the IAM secret access key. Keep this file and its compiled .db owned by root with mode 600, since whoever reads it can send mail as your domain. (smtp_use_tls and smtp_tls_note_starttls_offer are redundant once smtp_tls_security_level = encrypt is set; that level forces STARTTLS but does not verify the SES certificate, which "secure" would.)

Note: The user must be created in the Amazon SES settings window itself. An ordinary IAM account will not be honored.

smtp_generic_maps : This is one of the important settings, since every SES account has to verify the domain name and email address used in the From header; that is what stops you from impersonating other senders. By default, mail sent from the console has the From address root@finaconn-web01.localdomain, and Amazon will not permit such mail because that From address is not verified.

3. Creating the SASL password file
Take the Amazon SMTP server name, user name and password from the first step and put them in a file laid out as below. The host:port key has to be spelled exactly as in relayhost, or Postfix will not find the credential.
smtphost:587 username:password

#cat /etc/postfix/sasl_passwd
AKIAIBLAAAAAJCA:Alae0CZMzINNNNNNEEEEEAAmYv/pUa

Create the Postfix mapping database:
#postmap /etc/postfix/sasl_passwd

4. Rewrite the FROM address of the local domain name to the authorized domain name.

Create a file (/etc/postfix/generic) listing every local address that could end up in the "FROM email header" attached to each email, each mapped to the verified address.

[root@web04 ~]# cat /etc/postfix/generic | tail -n 6

Restart postfix service,

[root@web04 ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@web04 ~]#

Now the configuration for sending email from your local Postfix SMTP server, relaying through the Amazon SES account, is complete.

Now it is time to make this server the hub for outbound email from all your local mail servers. You have to do two things: configure the hub itself, then point the other servers at it.

On Master Outbound Host end

a. Set mydomain to your domain name (mydomain =
b. Listen on all interfaces (inet_interfaces = all)
c. Set mynetworks to the networks allowed to send through this host (mynetworks = ; mostly you just have to uncomment the line and edit it). List only your internal ranges here: every address in mynetworks can relay through this host, and therefore through your SES account, without authenticating, so a value like 0.0.0.0/0 would turn the hub into an open relay. Pair inet_interfaces = all with a firewall rule that limits port 25 to the same ranges.
d. Restart your Postfix server; it is now a relay master host.

[root@web04 ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@web04 ~]# netstat -nlp | grep ":25"
tcp 0 0* LISTEN 3038/master
[root@web04 ~]#

Now Postfix is listening on all network interfaces.

5. Config changes on the relay-client end
The only thing to do on each client is to uncomment the relayhost line in its Postfix main configuration file under /etc/postfix/, set it to the new hub's IP, and restart Postfix.

relayhost =
service postfix restart
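An added example (my own, not from the post) that expresses the pieces of this setup as small functions, so each can be reviewed on its own, and adds the two checks the post skips: locking down the credential file, and refusing a mynetworks value that would make the hub an open relay through the SES account. The SES endpoint, domain, host names and credential are placeholders; the CA file path is the RHEL one.

```shell
#!/bin/sh
# Added example, not from the original post.  Endpoint, domain, host names
# and credentials are placeholders.

# Relay-side settings, printed for review or for "postconf -e".  With
# smtp_tls_security_level = encrypt the old smtp_use_tls and
# smtp_tls_note_starttls_offer lines are redundant; "encrypt" does not
# verify the SES certificate, "secure" would (RHEL CA bundle path below).
relay_settings() {
    cat <<EOF
relayhost = [$1]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = PLAIN LOGIN
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_generic_maps = hash:/etc/postfix/generic
EOF
}

# sasl_passwd entry; the key must be spelled exactly like relayhost,
# brackets and port included, or Postfix will not find the credential.
sasl_passwd_entry() { printf '[%s]:587 %s:%s\n' "$1" "$2" "$3"; }

# generic map: every local identity that can land in From: -> verified sender
# generic_entries VERIFIED-ADDRESS HOSTNAME LOCALUSER...
generic_entries() {
    verified=$1 host=$2; shift 2
    for u in "$@"; do
        printf '%s@%s %s\n' "$u" "$host" "$verified"
        printf '%s@localhost.localdomain %s\n' "$u" "$verified"
    done
}

# compile a lookup table and keep source and .db root-only: sasl_passwd
# holds a live credential that lets anyone who reads it send as your domain.
install_map() {
    chown root:root "$1" && chmod 0600 "$1" && postmap "$1" && chmod 0600 "$1.db"
}

# Hub side: mynetworks is what lets a client relay without authenticating.
# "ok" for private ranges, "open-relay" if the whole world is in it.
check_mynetworks() {
    case " $1 " in
        *" 0.0.0.0/0 "*|*" [::]/0 "*|*" ::/0 "*) echo open-relay ;;
        *) echo ok ;;
    esac
}
```

Typical use: relay_settings email-smtp.us-east-1.amazonaws.com fed to postconf -e, sasl_passwd_entry with the same endpoint written to /etc/postfix/sasl_passwd, generic_entries noreply@example.com "$(hostname)" root apache written to /etc/postfix/generic, install_map on both files, and check_mynetworks "$(postconf -h mynetworks)" on the hub before opening port 25.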

Moral of the story : In my experience Amazon SES is a lazy mail server: bulk mail cannot be sent easily, and there is a delay of around 30 - 90 seconds before the response to an email arrives. I also found the Amazon documentation for this purpose buggy; it did not work for me :(

File exists: mod_lua: Failed to create shared memory segment on file /tmp/httpd_lua_shm

This is a strange error I was getting from one of the staging servers. Whenever I tried to restart the web server it reported "pid exists" and then "stopped". It is a weird incident. As far as I know, some of the Apache module libraries/programs stay loaded in memory, and a restart of the Apache service should release them.

[Mon Feb 01 05:23:38.098868 2016] [:emerg] [pid 30647] AH00020: Configuration Failed, exiting
[Mon Feb 01 05:25:16.270747 2016] [suexec:notice] [pid 30668] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Feb 01 05:25:16.289871 2016] [auth_digest:notice] [pid 30669] AH01757: generating secret for digest authentication ...
[Mon Feb 01 05:25:16.290335 2016] [lua:error] [pid 30669] (17)File exists: mod_lua: Failed to create shared memory segment on file /tmp/httpd_lua_shm.30669

I tried deleting the listed files from /tmp; nothing worked. After some Googling it turned out that a reload would do the trick. In my case the reload itself reported FAILED because httpd was already stopped, and the apachectl restart that followed brought it up. It worked like a charm :-)

[root@sh-web02 ~]# service httpd reload
Reloading httpd: [FAILED]
[root@sh-web02 ~]# service httpd status
httpd is stopped
[root@sh-web02 ~]# apachectl restart
httpd not running, trying to start
[root@sh-web02 ~]# service httpd status
httpd (pid 30708) is running...
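An added example (my own, not from the post) for checking the two things this error points at before blindly restarting: whether an httpd process is still alive, and which /tmp/httpd_lua_shm.<pid> files are left over from processes that no longer exist. It relies on the file suffix being the creating process's pid, which the log line above shows (.30669 for pid 30669); the directory defaults to /tmp.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes the suffix of
# /tmp/httpd_lua_shm.<pid> is the pid of the httpd process that created it,
# as the error_log line above shows.  Run as root so kill -0 can see every
# process; otherwise files of other users' processes would look stale.

# stale_lua_shm [DIR]: print each httpd_lua_shm.<pid> whose pid is not alive
stale_lua_shm() {
    dir=${1:-/tmp}
    for f in "$dir"/httpd_lua_shm.*; do
        [ -e "$f" ] || continue                    # no match: glob left as-is
        pid=${f##*.}
        case $pid in ''|*[!0-9]*) continue ;; esac # skip non-numeric suffixes
        kill -0 "$pid" 2>/dev/null || echo "$f"
    done
}

# httpd_alive: true if an httpd/apache2 process is still running, which is
# what a restart that reports "pid exists" is usually tripping over
httpd_alive() {
    pgrep -x httpd >/dev/null 2>&1 || pgrep -x apache2 >/dev/null 2>&1
}
```

If httpd_alive is false but stale files are listed, remove them and start httpd; if httpd_alive is true, stop the remaining workers first, since a new parent will otherwise collide with the segment they still hold.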