Activities

October 2017
M T W T F S S
« Apr    
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

How to delete the PU protocol from Glassfish 3

I have created PU protocol on Glassfish server in order to serving SSL pages forcefully. The main issue is this is the only way to redirect all the non-http requests to https. I did not find any other option for ‘SSL forcing’ in Glassfish 3 version. But here I want to get the same domain.xml file without having the PU ( port unification) protocal enabled. Becasue we enabled many other customer variables on domain.xml and wanted to move all the ssl parts under the loadbalencer (ssl offloading)

1. How to create PU protocol to use force https

[root@web03 ~]# cd /var/glassfish/domains/domain1/config
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol --securityenabled=false http-redirect
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-filter --protocol http-redirect --classname com.sun.grizzly.config.HttpRedirectFilter redirect-filter
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol --securityenabled=false pu-protocol
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-listener-2 --classname com.sun.grizzly.config.HttpProtocolFinder http-finder
[root@web03 ~]#/home/glassfish/bin/asadmin create-protocol-finder --protocol pu-protocol --targetprotocol http-redirect --classname com.sun.grizzly.config.HttpProtocolFinder http-redirect
[root@web03 ~]#/home/glassfish/bin/asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=pu-protocol​

Here is the reverse process of the activities remove PU protocol

1. Assuming that Glassfish is installed on (/home/glassfish/bin) folder and execute the below commands.

#/var/glassfish/bin/asadmin set  configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=http-listener-1
#/var/glassfish/bin/asadmin delete-protocol-finder  --protocol pu-protocol    http-redirect
#/var/glassfish/bin/asadmin delete-protocol-filter --protocol http-redirect redirect-filter
#/var/glassfish/bin/asadmin delete-protocol  pu-protocol
#/var/glassfish/bin/asadmin delete-protocol http-redirect

MySQL : ERROR 1217 (23000): Cannot delete or update a parent row: a foreign key constraint fails

While I’ve been working with MySQL host more frequently, I’d to drop a database due to storage space constraint. When I’m executing the drop command,it showing an error that

"ERROR 1217 (23000): Cannot delete or update a parent row: a foreign key constraint fails"

.

Some strange error but not severe since MySQL database is still working.

Solution : This is due to foreign key reference. Few of the tables in test database was linked with other table on the other database. So MySQL engine will not allow us to drop the database and throws me an exception.

Strange !! You may need to set SET FOREIGN_KEY_CHECKS=0; and will be able to drop the database. What this command will do is, it will disable the foreign keys checks against the query we’ve been executed.

Note : Do not keep the SET FOREIGN_KEY_CHECKS=0; in any of production server. I execute this query on off peak hours to minimize the impact and set it to enabled once after the database was removed.

mysql> SET FOREIGN_KEY_CHECKS=0;
Query OK, 0 rows affected (0.00 sec)
mysql> drop database test;
Query OK, 1 row affected (0.14 sec)

mysql> SET FOREIGN_KEY_CHECKS=1;
Query OK, 0 rows affected (0.00 sec)

MySQL : How to create multiple root user (Super admin)

I have a situation to create multiple root users for managing a large Database. I used to execute ‘ grant all *. user@localhost identified by ‘password’ ” to create super users earlier. But I realized that these users can’t alter the existing users permission set even though they can create same privilege set users.

Knowing that this is a rare case in most of the scenario where no. of DBA are very limited. So one of my collegue found that we need to opt “with grant option” while you creating multiple super root users.

So that you will have FULL access to MySQL user accounts. Amazon RDS service will automatically create such user when you turn out an new RDS instance. But they did not allow you to create ‘super root‘ users sadly 🙁

Solution :

GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' IDENTIFIED BY 'password'
WITH GRANT OPTION;

Mutt : Emails are not sending from user account

Recent I had switched a script which was running from the root account to normal user account for audit purpose. But it is noticed that script is not sending email which use “mutt” commandline MUA program. I have checked email server log and nothing found useful out there. Also I noticed that email from address was changed having poor reputation ie from address showing ‘ramesh@localhost.localdomain

The solution are,
a. We have to create a mut profile file to set the FROM address header.

b. We may also need to set few other variables in that file in order to send email outside. Otherwise mutt program showing in hanged state. The following values are the added to ~/.muttrc file.
set realname=”Daily validations of invoice history”
set use_from=yes
set envelope_from =”yes”

My muttrc file will looks like

[user1@web01 ~]$ cat  ~/.muttrc
set signature='~/.signature'
# Customized headers
unmy_hdr *                      # remove all extra headers first.
set edit_headers=yes
my_hdr From:  Exception Checker   <support@mydomain.com>
my_hdr Reply-To: Group admins <support@mydomain.com>
set realname="Exception Checker "
set use_from=yes
set envelope_from ="yes"
[user1@web01 ~]$

How to create keystore/jks file from SSL certifcate and Private key

Recently I had a challenge to install SSL certificate on Java based web server. The customer has certificate file, CA bundle and private key file. During the Googling it is found that we can not generate JKS file directly from the given certificate and private key file. JKS/keypair creation procedure are showing below,

1. Generate Public-Key Cryptography Standards (PKCS) file from certificate and private key file.

[root@web12]# openssl pkcs12 -export -name s1as  -in mydomain.com.crt -inkey mydomain.com.key -out mydomain.com.p12

2. Create key store file from PKCS12 file.
Note : You should specify the exact name of keystore file name and alias name which was already set in expired certificate file configured on Tomcat/Glassfish server. My case, I’d hard-coded the alias name is s1as and keystore password. So keystore password,keystore file name and Alias names are retained this stage.

[root@web12]# keytool -importkeystore -destkeystore keystore.jks -srckeystore mydomain.com.p12 -srcstoretype pkcs12 -alias s1as

3. You need to download the java based SSL certificate bundled file (p7b/p7s format) which provided by the Certificate Authority and install in to created Key store file. This bundled ssl certificate file would have certificate along with their CA bundle/Root certificate included. We just need to import in to our Keystore file.

[root@web12]#keytool -import -keystore  keystore.jks  -alias s1as  -file  mydomain.com.p7b

Now you have everything included in your JKS (keystore.jks) file which is protected by a keystore password. Keystore password should be set during the JKS file creation time as well as this file is being operated for any activities.

Note : The certificate file mydomain.crt itself resemble is a public key file which will match with private key file used to create during the CSR generation time.

Go and enjoy the SSL protection on your Java based web server.

How to block http /https access to specified hosts /network only

It was quite a long time I’d a visit to my blog. There were 2 reason, I got a new office and was strugging to keep up the rythom with new enviorments. Also there are certain personal stuff at my native place has to fixed which need my physical presence. So I was quite busy with usual weekend travel and hury burry office stuff between the week days. Now I’m wanting to make global presene and so updating the blog again.

One of my project has a requirement to open a public web server for internal purpose for few weeks. So we had to block public access to this host and this is one of the quick platform requirement.

Here we are using 2 private IP block for our Internal LAN those are 192.20.10.0/24 and 172.10.0.0/24 network. Here is the required rules to accoumplish the requirement.

iptables -F
/sbin/iptables -I INPUT -s  0.0.0.0  -p tcp --dport 80    -m state --state NEW  -j REJECT
/sbin/iptables -I INPUT -s  0.0.0.0  -p tcp --dport 443    -m state --state NEW  -j REJECT
/sbin/iptables -I INPUT -s  0.0.0.0  -p tcp --dport 80    -m state --state ESTABLISHED,RELATED  -j REJECT
/sbin/iptables -I INPUT -s  0.0.0.0  -p tcp --dport 443  -m state --state ESTABLISHED,RELATED  -j REJECT
iptables -A INPUT  -p tcp --dport 80  -s 192.20.10.0/24  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --dport 443  -s 192.20.10.0/24  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --dport 443  -s 172.10.0.0/16  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --dport 80  -s 172.10.0.0/16  -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I test it.

If we are using the browser to test the http/https avialability which will not much helpful based on my testing. So I added ‘-m state –state NEW’ which will drop all the NEW connections and still allow any existing opned connections. So use another network to confirm or re-open the browser.