Monday, April 11, 2016

setup Liferay 7 tomcat bundle + cluster

OS = CentOS Linux release 7.2.1511 (Core)
Liferay version = liferay-portal-tomcat-7.0-ce-ga1-20160331161017956
Java = java version "1.7.0_79"

===== Liferay =====

1. Download Java and install it.
    I used the Oracle Java SDK 7 from
    http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
    Download the RPM, which makes installing and upgrading easy:
    # yum localinstall jdk-7u79-linux-x64.rpm

2. Download Liferay and extract it.
    I extracted it under /opt
    and renamed the directory to liferay, so it becomes /opt/liferay

3. Go to /opt/liferay/tomcat-8.0.32/bin
    and run it once to confirm it works with the default settings:
    # ./startup.sh
    Open it in a browser at
    <server ip>:8080
    and stop it once you have confirmed it is working:
    # ./shutdown.sh

4. Install Tomcat Native for better performance.
    In the bin directory, extract tomcat-native.tar.gz and change into the native directory inside it:
    # ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/default --with-ssl=/usr/bin/openssl --prefix=/usr
    # make
    # make install

5. Back in the bin directory, extract commons-daemon-native.tar.gz
    and change into its unix folder:
    # ./configure --with-java=/usr/java/default
    # make
    # cp jsvc ../..

6. Add a tomcat user so Liferay runs as it instead of root:
    # useradd tomcat
    # chown -R tomcat: /opt/liferay

7. In the tomcat bin directory, edit setenv.sh and change the Xmx value to suit your server's memory.
    I also set the Xms value manually.

===== startup script =====

CentOS 7 uses systemd, so the service is added as follows. The unit below assumes Tomcat lives at /opt/liferay/tomcat; point it at your actual directory (tomcat-8.0.32 in this bundle) or create a symlink with that name.
# cd /etc/systemd/system
# vim tomcat.service

=== tomcat.service ===

# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking
#ExecStart=/etc/init.d/tomcat start
ExecStart=/opt/liferay/tomcat/bin/startup.sh
ExecStop=/opt/liferay/tomcat/bin/shutdown.sh
User=tomcat
Group=tomcat

TimeoutStartSec=0
TimeoutStopSec=600

[Install]
WantedBy=multi-user.target

=== END ===

Enable it to run at startup:
# systemctl enable tomcat.service

Now you can use systemctl to start and stop it and confirm it works:
# systemctl start tomcat
# systemctl stop tomcat

Monitor the log at /opt/liferay/tomcat/logs/catalina.out
to make sure it starts up fully without errors.


===== Apache =====

You can either use your firewall to redirect port 8080 to port 80,
or
use mod_jk to forward port 80 to 8080.




===== cluster =====

1. Edit <liferay>/tomcat/conf/context.xml:
     change <Context>
     to <Context distributable="true">

2. Edit server.xml:
    change <Engine name="Catalina" defaultHost="localhost">
    to <Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">
    then add the following below it:

=== server.xml ===

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
        channelSendOptions="6">

  <Manager className="org.apache.catalina.ha.session.BackupManager"
        expireSessionsOnShutdown="false"
        notifyListenersOnReplication="true"
        mapSendOptions="6"/>


  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
        address="228.0.0.4"
        port="45564"
        frequency="500"
        dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
        address="auto"
        port="5000"
        selectorTimeout="100"
        maxThreads="6"/>

    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
         filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>

  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
=== end ===

3. Edit <liferay>/tomcat/conf/Catalina/localhost/ROOT.xml and add this into it:

=== ROOT.xml ===

<Resource
        name="jdbc/LiferayPool"
        auth="Container"
        type="javax.sql.DataSource"
        driverClassName="com.mysql.jdbc.Driver"
        url="jdbc:mysql://<DB IP>/<DB name>?useUnicode=true&amp;characterEncoding=UTF-8"
        username="DB username"
        password="DB password"
        maxActive="100"
        maxIdle="30"
        maxWait="60000"
    />

=== end ===

4. Then, in <liferay>/tomcat/webapps/ROOT/WEB-INF/classes, create a portal-ext.properties file and put this into it:

=== portal-ext.properties ===

jdbc.default.jndi.name=jdbc/LiferayPool

=== end ===
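As an added example (not part of the original post), the following Python script checks that the four files edited above agree with each other: context.xml is distributable, server.xml carries a jvmRoute and a <Cluster> whose membership address is a multicast group, and the JNDI name portal-ext.properties asks for is the one ROOT.xml defines. It also goes one step beyond the post by checking that no two nodes share a jvmRoute. The XML and properties samples are constructed inline with placeholder DB values so it runs offline.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the edits described in the post (placeholders, not real hosts).
CONTEXT_XML = '<Context distributable="true"/>'
SERVER_XML = """<Server><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="6">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Membership className="org.apache.catalina.tribes.membership.McastService"
                  address="228.0.0.4" port="45564" frequency="500" dropTime="3000"/>
    </Channel>
  </Cluster>
</Engine></Service></Server>"""
ROOT_XML = """<Context>
  <Resource name="jdbc/LiferayPool" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://DB-IP-PLACEHOLDER/DB-NAME-PLACEHOLDER?useUnicode=true&amp;characterEncoding=UTF-8"
            username="DB username" password="DB password"/>
</Context>"""
PORTAL_EXT = "jdbc.default.jndi.name=jdbc/LiferayPool\n"


def jndi_name_requested(portal_ext):
    """The datasource name Liferay will look up, or None if the property is absent."""
    m = re.search(r"^\s*jdbc\.default\.jndi\.name\s*=\s*(\S+)", portal_ext, re.M)
    return m.group(1) if m else None


def check_cluster_config(context_xml, server_xml, root_xml, portal_ext):
    """Return a list of problems; an empty list means the four files agree."""
    problems = []
    if ET.fromstring(context_xml).get("distributable") != "true":
        problems.append('context.xml: <Context> lacks distributable="true", sessions will not replicate')

    engine = ET.fromstring(server_xml).find(".//Engine")
    if engine is None or not engine.get("jvmRoute"):
        problems.append("server.xml: <Engine> has no jvmRoute, mod_jk sticky sessions need it")
    cluster = engine.find("Cluster") if engine is not None else None
    if cluster is None:
        problems.append("server.xml: no <Cluster> element under <Engine>")
    else:
        membership = cluster.find(".//Membership")
        addr = membership.get("address", "") if membership is not None else ""
        try:
            if not ipaddress.ip_address(addr).is_multicast:
                problems.append(f"server.xml: Membership address {addr} is not a multicast group")
        except ValueError:
            problems.append(f"server.xml: Membership address {addr!r} is not a valid IP")

    # The name Liferay asks for must be the name Tomcat defines in ROOT.xml.
    resource = ET.fromstring(root_xml).find("Resource")
    defined = resource.get("name") if resource is not None else None
    wanted = jndi_name_requested(portal_ext)
    if defined is None:
        problems.append("ROOT.xml: no <Resource> datasource defined")
    elif wanted != defined:
        problems.append(f"portal-ext.properties asks for {wanted!r} but ROOT.xml defines {defined!r}")
    return problems


def duplicate_jvm_routes(server_xmls):
    """Across all nodes' server.xml files, return jvmRoute values used more than once.
    Beyond the post (which configures node1 only): every node needs a distinct route."""
    seen, dupes = set(), set()
    for xml_text in server_xmls:
        engine = ET.fromstring(xml_text).find(".//Engine")
        route = engine.get("jvmRoute") if engine is not None else None
        if route in seen:
            dupes.add(route)
        seen.add(route)
    return dupes


if __name__ == "__main__":
    report = check_cluster_config(CONTEXT_XML, SERVER_XML, ROOT_XML, PORTAL_EXT)
    for line in report or ["cluster config looks consistent"]:
        print(line)
```

To use it on a real node, read the four files from <liferay>/tomcat/conf and WEB-INF/classes and pass their contents in place of the samples.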

Wednesday, March 2, 2016

deploy liferay EE into Jboss 6 EAP manually

I am using JBoss EAP 6.4
with Java 1.7.0_79,
and for Liferay I am deploying Liferay Portal 6.2 EE SP14
with the Liferay Portal 6.2 EE SP14 Dependencies.
The dependencies are needed for Liferay to run if you deploy it yourself.

Unzip JBoss EAP and install Java.
Create a folder called liferay and put the extracted JBoss into it.

In my case I put liferay under /opt, so it looks like this:
/opt/liferay/jboss

1. Deploy the dependencies

cd to the jboss folder and create this directory:
<jboss>/modules/com/liferay/portal/main

Unzip liferay-portal-dependencies-6.2-ee-sp14 and put everything into <jboss>/modules/com/liferay/portal/main.
Put the MySQL connector there as well if you are using MySQL.

In the same directory, create a file named module.xml
and put this into it:

<?xml version="1.0"?>

<module xmlns="urn:jboss:module:1.0" name="com.liferay.portal">
        <resources>
                <resource-root path="hsql.jar" />

                <resource-root path="portal-service.jar" />
                <resource-root path="portlet.jar" />
                <resource-root path="mysql-connector-java-5.1.38-bin.jar" />
        </resources>
        <dependencies>
                <module name="ibm.jdk" />
                <module name="javax.api" />
                <module name="javax.mail.api" />
                <module name="javax.servlet.api" />
                <module name="javax.servlet.jsp.api" />
                <module name="javax.transaction.api" />
        </dependencies>
</module>

Edit the MySQL connector file name to match yours.

2. JBoss configuration

Part 1

Go to liferay/jboss/standalone/configuration/
and edit standalone.xml.
Between </extensions> and <management> (note: this should be around lines 27 to 30)
add this:

<system-properties>
        <property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
        <property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
</system-properties>

Part 2

Then search for deployment-scanner
and add deployment-timeout="240".

It will look something like this:
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="240"/>

Part 3

Then search for <subsystem xmlns="urn:jboss:domain:security:1.2">
and add this into it:

<security-domain name="PortalRealm">
    <authentication>
       <login-module code="com.liferay.portal.security.jaas.PortalLoginModule" flag="required" />
    </authentication>
</security-domain>

It will look something like this:

        <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="PortalRealm">
                    <authentication>
                        <login-module code="com.liferay.portal.security.jaas.PortalLoginModule" flag="required" />
                   </authentication>
                </security-domain>
            </security-domains>
        </subsystem>

Part 4

Search for enable-welcome-root and change it to false:

<virtual-server name="default-host" enable-welcome-root="false">

3. Deploy the Liferay WAR

Create a ROOT.war folder in liferay/jboss/standalone/deployments
and extract the Liferay .war file into the ROOT.war folder:

# jar -xvf liferay.war

At the same level as ROOT.war, create an empty file called ROOT.war.dodeploy:
# touch ROOT.war.dodeploy

In the ROOT.war folder, open the WEB-INF/jboss-deployment-structure.xml file. In this file, replace the <module name="com.liferay.portal" /> dependency with the following configuration:

<module meta-inf="export" name="com.liferay.portal">
    <imports>
        <include path="META-INF" />
    </imports>
</module>

This allows OSGi plugins like Audience Targeting to work properly, by exposing the Portal API through the OSGi container.

Reference:
1. https://www.liferay.com/group/customer/knowledge/kb/-/knowledge_base/article/23340173 (requires a Liferay customer login)

Wednesday, December 30, 2015

Liferay bundle with jboss + RHEL 7

These are the instructions for installing the Liferay JBoss bundle on Red Hat Enterprise Linux 7 (RHEL 7).

You can sign up and download Liferay from
https://www.liferay.com/downloads/liferay-portal/available-releases

In my case I created /opt
and unzipped the zip file into it:
# unzip liferay-portal-jboss-6.2-ee-sp14-20151105114451508.zip

Before starting, I had manually downloaded and installed Java JDK 7 update 79 from
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Once Liferay is extracted, run it to confirm the file you downloaded works:
# cd /opt/<Liferay>/<jboss-version>/bin
# ./standalone.sh

You can test it by opening 127.0.0.1:8080 in a browser.
By default standalone listens on 127.0.0.1 only, so if your Linux was installed without a GUI you need to modify the bind address.
Press CTRL + C to stop JBoss.

# cd ..
# cd standalone/configuration/
# vim standalone.xml

----------------  Default  -------------------
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
        <interface name="unsecure">
            <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
        </interface>
    </interfaces>

-------------- Change to -----------------
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:<your server ip>}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:<your server ip>}"/>
        </interface>
        <interface name="unsecure">
            <inet-address value="${jboss.bind.address.unsecure:<your server ip>}"/>
        </interface>
    </interfaces>

----------------------------------------------

Restart the JBoss Liferay bundle and test again using <server-IP>:8080
# cd ../../bin/
# ./standalone.sh


----------------  Connecting to MySQL Database  ---------------------
You need to download the MySQL connector from
https://www.mysql.com/products/connector/
Choose JDBC Driver for MySQL (Connector/J).
Extract the file and copy mysql-connector-java-5.1.38-bin.jar
to this location:
/opt/<Liferay-location>/<jboss-version>/modules/com/liferay/portal/main/
Edit the module.xml
and add this under <resources>:
<resource-root path="mysql-connector-java-5.1.38-bin.jar" />

example:

        <resources>
                <resource-root path="hsql.jar" />
                <resource-root path="jtds.jar" />
                <resource-root path="mysql-connector-java-5.1.38-bin.jar" />
                <resource-root path="portal-service.jar" />
                <resource-root path="portlet.jar" />
                <resource-root path="postgresql.jar" />
        </resources>

------------------  Configure httpd to divert traffic to Liferay jboss ------------------
Download and install httpd-devel:
# yum install httpd-devel

Download mod_jk from
https://tomcat.apache.org/download-connectors.cgi
Extract the file, then configure, make and make install;
this deploys mod_jk into your Apache automatically.

If you encounter an error saying
no apache given
no netscape given
configure: error: Cannot find the WebServer

then you need to configure with --with-apxs,
but before that, find out your apxs location:
# find / -iname apxs
# ./configure --with-apxs=/usr/bin/apxs

Now go to /etc/httpd/conf.d/,
create a worker.properties file and put this into it:
# vim worker.properties

worker.list=worker1,node1,status
worker.status.type=status

#node1
worker.node1.port=8009
worker.node1.host=172.20.17.64
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A

# Load-balancing behaviour
worker.worker1.type=lb
worker.worker1.balance_workers=node1
worker.worker1.sticky_session=1


Then create a mod_jk.conf file and put this into it:
# vim mod_jk.conf

LoadModule jk_module modules/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /etc/httpd/conf.d/worker.properties
JkShmFile     /var/log/httpd/mod_jk.shm
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info,debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

JkMount /* worker1
</IfModule>


Before starting Apache, we need to configure JBoss to listen on port 8009 (AJP/1.3);
by default it is disabled in standalone.xml.

# cd /opt/liferay-portal-6.2-ee-sp14/jboss-7.1.1/standalone/configuration/
# vim standalone.xml

----- default ------
        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
            <configuration>
                <jsp-configuration development="true"/>
            </configuration>
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>

------- change to  --------
        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
            <configuration>
                <jsp-configuration development="true"/>
            </configuration>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="example.com"/>
            </virtual-server>
        </subsystem>
-----------------------------
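As an added example (not from the original post), this Python snippet reviews the two standalone.xml edits above: it reads the default address of each interface and the connectors of the web subsystem, and flags two things worth knowing before going live. Moving the management interface off 127.0.0.1, as done above, also exposes the admin console and CLI to the network (so firewall those ports or leave that interface on loopback), and a remaining http connector lets clients bypass httpd on port 8080. The sample XML is constructed with a documentation address; the namespace versions are assumed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the interfaces after the edit above, plus the AJP-only web subsystem.
STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.7">
  <interfaces>
    <interface name="management">
      <inet-address value="${jboss.bind.address.management:192.0.2.10}"/>
    </interface>
    <interface name="public">
      <inet-address value="${jboss.bind.address:192.0.2.10}"/>
    </interface>
    <interface name="unsecure">
      <inet-address value="${jboss.bind.address.unsecure:192.0.2.10}"/>
    </interface>
  </interfaces>
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
      <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
      <virtual-server name="default-host" enable-welcome-root="false"/>
    </subsystem>
  </profile>
</server>"""

# ${property:default} as written in standalone.xml
EXPRESSION = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def resolve_default(value):
    """'${jboss.bind.address:127.0.0.1}' -> '127.0.0.1'; a literal value is returned as-is."""
    m = EXPRESSION.match(value.strip())
    if m is None:
        return value.strip()
    return m.group(2) if m.group(2) is not None else ""


def bind_defaults(xml_text):
    """Map interface name -> address used when no jboss.bind.* property is given."""
    root = ET.fromstring(xml_text)
    result = {}
    for iface in root.iterfind(".//{*}interfaces/{*}interface"):
        addr = iface.find("{*}inet-address")
        if addr is not None:
            result[iface.get("name")] = resolve_default(addr.get("value", ""))
    return result


def connectors(xml_text):
    """Map connector name -> protocol for the web subsystem."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): c.get("protocol") for c in root.iterfind(".//{*}connector")}


def review_bindings(xml_text):
    """Return a list of findings for the interface and connector sections."""
    findings = []
    mgmt = bind_defaults(xml_text).get("management", "")
    try:
        if not ipaddress.ip_address(mgmt).is_loopback:
            findings.append(f"management interface defaults to {mgmt}: the admin console and CLI "
                            "are reachable from the network, restrict them with the firewall")
    except ValueError:
        findings.append(f"management interface default {mgmt!r} is not an IP address")
    conns = connectors(xml_text)
    if "ajp" not in conns:
        findings.append("no AJP connector: mod_jk on httpd cannot reach JBoss on 8009")
    if "http" in conns:
        findings.append("http connector still enabled: clients can bypass httpd by using port 8080")
    return findings


if __name__ == "__main__":
    for finding in review_bindings(STANDALONE_XML) or ["no findings"]:
        print(finding)
```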

Start the jboss and httpd services and test by accessing your server IP without port 8080.
Once the pages load, we need to create a startup script.

---------- startup --------------

By default the jboss/bin/init.d directory already contains a startup script named jboss-as-standalone.sh.
If you are using RHEL 6 or earlier, you can just symlink /etc/init.d/jboss to this file;
for RHEL 7 it is a bit trickier since it uses systemd.

But before that, edit jboss-as-standalone.sh and define
JBOSS_CONF="/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as.conf"
JBOSS_HOME=/opt/<liferay-location>/<jboss-ver>

Then go to /usr/lib/systemd/system,
create a jboss.service file and put this in it:

[Unit]
Description=Jboss Application Server
After=syslog.target
After=network.target


[Service]
Type=forking
PIDFile=/var/run/jboss-as/jboss-as-standalone.pid
ExecStart=/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as-standalone.sh start
ExecStop=/opt/<liferay-location>/<jboss-ver>/bin/init.d/jboss-as-standalone.sh stop
TimeoutStartSec=300
TimeoutStopSec=300


[Install]
WantedBy=multi-user.target


Then go to /etc/systemd/system/multi-user.target.wants and create a symlink pointing to the file you just created,
then enable it at startup:
# systemctl enable jboss.service




Monday, August 10, 2015

man in the middle - hacking

Use netdiscover to find the IP range if you are not sure which one is in use.
Use nmap to find out more information:
# nmap 172.20.1.30
or
# nmap 172.20.1.1/24

Commands used:
Arpspoof
Driftnet

Set up port forwarding:
change the value in /proc/sys/net/ipv4/ip_forward from 0 to 1 (see http://www.hacking-tutorial.com/tips-and-trick/how-to-set-up-port-forwarding-in-linux-and-windows/)




Victim IP address : 192.168.8.90

Attacker network interface : eth0; with IP address : 192.168.8.93

Router IP address : 192.168.8.8

Then set up arpspoof to capture all packets between the router and the victim.
# 168.8.90 192.168.8.8

After steps three and four, all packets sent or received by the victim should pass through the attacker machine.
Now we can try driftnet to monitor the victim's image traffic. According to its website,
Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
To run driftnet, we just run this:
# driftnet -i eth0

To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.

Next we will try to capture the website information by using urlsnarf. To use urlsnarf, just run this:
# urlsnarf -i eth0

urlsnarf will start capturing all website addresses visited by the victim machine.

When the victim browses a website, the attacker will know the address visited.

Wednesday, July 8, 2015

tomcat 7 setup guide

Tomcat setup guide
This setup was done on CentOS 7.

Tomcat 7
This is my own setup guide for my server;
you can change it according to your needs.

Choose "Core" -> tar.gz to download.

Tomcat 7.0 is designed to run on Java SE 6 and later, so download the appropriate version.
For more info, read the RELEASE-NOTES and RUNNING.txt files in the distribution.

For easy installation, I downloaded the RPM from the Oracle website and used localinstall:
# yum localinstall jdk-7u80-linux-x64.rpm



Installation
1. Extract the file and put it at /opt

# tar -zxvf apache-tomcat-7.0.62.tar.gz



2. Install Tomcat Native

# cd /opt/apache-tomcat-7.0.62/bin
# tar -zxvf tomcat-native.tar.gz
# cd tomcat-native-1.1.33-src/jni/native


Building tc-native requires three components to be installed:
- APR library
- OpenSSL libraries
- Java SE Development Kit (JDK)
# yum install apr-devel openssl-devel

Now configure the native library with this command:

# ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/jdk1.7.0_80/ --with-ssl=yes --prefix=/usr

P.S. update the Java location accordingly.

3. Install commons-daemon-native

# cd /opt/apache-tomcat-7.0.62/bin
# tar -zxvf commons-daemon-native.tar.gz
# cd commons-daemon-1.0.15-native-src/unix
# ./configure
# cp jsvc ../..


Tuning
1. Edit /opt/apache-tomcat-7.0.62/conf/server.xml:
search for connectionTimeout and change the value to 600000;
search for maxThreads and change the value to 500 (if it is enabled).

2. Edit conf/context.xml:
change every <Context>
to <Context swallowOutput="true">
(this redirects System.err into the catalina log)

3. Edit conf/logging.properties and add this:
1catalina.org.apache.juli.AsyncFileHandler.rotatable = true
(this rotates the log)

4. Create setenv.sh in the bin directory and add this into it:
---------------------------------------------------------------------------------------------------
JAVA_OPTS="-Xms4096m -Xmx4096m -XX:MaxPermSize=512m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Dhttp.maxConnections=500 -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode"

# Set the -Xms and -Xmx the same, around 50% to 80% of total memory
# Set the PermSize to either 256 or 512, increase it if there's an OutOfMemoryError: PermGen space in the log

# to see gc memory, add "-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -verbose:gc -Xloggc:/tmp/gc.log"
---------------------------------------------------------------------------------------------------
Startup script

# vim /etc/init.d/tomcat

#!/bin/sh
#
# Tomcat startup script
#
# chkconfig: - 85 15
# description: Tomcat Server
# processname: tomcat
#
# To use this script run it as root - it will switch to the specified user
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.

# define where tomcat is - this is the directory containing directories log, bin, conf etc
CATALINA_HOME=${CATALINA_HOME:-"/opt/tomcat"}
export CATALINA_HOME

# define the user under which tomcat will run, or use 'RUNASIS' to run as the current user
TOMCAT_USER=${TOMCAT_USER:-"tomcat"}
export TOMCAT_USER

# make sure java is in your path
JAVA_HOME=${JAVA_HOME:-"/usr/java/jdk"}
export JAVA_HOME


case "$1" in
start)
    $CATALINA_HOME/bin/daemon.sh start
    ;;
stop)
    $CATALINA_HOME/bin/daemon.sh stop
    # clear compiled JSPs after a clean stop (was $TOMCAT_HOME, which is never set)
    rm -rf "$CATALINA_HOME"/work/*
    ;;
restart)
    $0 stop
    # wait up to 60 s for jsvc to exit before forcing it
    i=0
    while [ `ps ax|grep -v grep|grep jsvc|wc -l` -gt 0 -a $i -lt 60 ]
    do
     sleep 1
     i=$((i + 1))
    done
    /usr/bin/killall -9 jsvc
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart|help)"
esac



Edit the Java location and the Tomcat location,
then change the script's permissions:

# chmod 755 /etc/init.d/tomcat
Then create the tomcat user:

# useradd -s /sbin/nologin tomcat

Change the ownership of the Tomcat directory to tomcat:

# chown -R tomcat:tomcat apache-tomcat-7.0.62



Add it to the startup list:

# chkconfig --add tomcat

# chkconfig --level 2345 tomcat on


Connect to MySQL



Get the JDBC driver and put it in lib:
http://www.mysql.com/products/connector/

Edit conf/context.xml
and add the following under <Context swallowOutput="true">.
Below is the example format:

--------------------------------------------------------------------------------------------------------------
<Resource name="jdbc/TestDB" auth="Container" type="javax.sql.DataSource"
maxActive="100" maxIdle="30" maxWait="10000"
username="javauser" password="javadude" driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/javatest"/>

--------------------------------------------------------------------------------------------------------------

Change the resource name, username, password and url accordingly.

maxActive = Maximum number of database connections in the pool. Make sure you configure your
mysqld max_connections large enough to handle all of your db connections. Set to -1 for no limit.
maxIdle = Maximum number of idle database connections to retain in the pool. Set to -1 for no limit.
maxWait = Maximum time to wait for a database connection to become available, in ms. An exception is thrown if this timeout is exceeded. Set to -1 to wait indefinitely.


Apache

Install Apache and tune it


1. Install the mod_jk connector

# yum install httpd-devel

Go to https://tomcat.apache.org/download-connectors.cgi and download the source.
Configure, make and make install,
then copy the binary file to /etc/httpd/modules.

P.S. if you get an error saying "error: Cannot find the WebServer",
use this to find apxs:
# find / -iname apxs
then configure using this command:
# ./configure --with-apxs=/usr/bin/apxs

# chmod 755 /etc/httpd/modules/mod_jk.so


Create workers.properties.
Change the node names to match your servers' names (the jvmRoute in server.xml). The file location is defined in mod_jk.conf (JkWorkersFile).

--------------------------------------------------------------------------------------------------------------------
# node names you want to use; add the same names as jvmRoute in server.xml
worker.list=worker1,node1,node2,status
worker.status.type=status

#node1
worker.node1.port=8009
worker.node1.host=10.0.3.129
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A
#worker.node1.cachesize=10

#node2
worker.node2.port=8009
worker.node2.host=10.0.3.130
worker.node2.type=ajp13
worker.node2.lbfactor=3
worker.node2.ping_mode=A
#worker.node2.cachesize=10

# Load-balancing behaviour
worker.worker1.type=lb
worker.worker1.balance_workers=node1,node2
worker.worker1.sticky_session=1

--------------------------------------------------------------------------------------------------------------------


Create mod_jk.conf

-------------------------------------------------------------------------------------------------------------------
LoadModule jk_module modules/mod_jk.so

<IfModule mod_jk.c>
JkWorkersFile /data/sys/etc/httpd/workers.properties
JkShmFile /var/log/httpd/mod_jk.shm
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info,debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "


# mount this URL, edit as necessary
# DO NOT MOUNT EVERYTHING!
JkMount /app/* worker1
</IfModule>
------------------------------------------------------------------------------------------------------------------
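As an added example (not from this post or the JBoss/RHEL 7 one above, both of which use the same files), this Python lint catches the two mistakes that are easy to make in workers.properties and mod_jk.conf: Java .properties files and Apache directives only treat '#' as a comment at the start of a line, so a trailing '#...' ends up inside the value, and a worker listed in worker.list (such as status) must have matching worker.<name>.* keys. It also checks that lb members are defined ajp13 workers and that JkMount lines carry exactly two arguments. The samples are constructed with reserved example IPs.

```python
import re

WORKER_KEY = re.compile(r"^worker\.([^.]+)\.(.+)$")


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#' is a comment only at line start."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_workers(text):
    """Return a list of problems found in a workers.properties file (empty when clean)."""
    props = parse_properties(text)
    problems = []
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    if not listed:
        problems.append("worker.list is missing or empty")
    defined = {}
    for key, value in props.items():
        m = WORKER_KEY.match(key)
        if m:
            defined.setdefault(m.group(1), {})[m.group(2)] = value
    for name in listed:
        if "#" in name or " " in name:
            problems.append(f"worker.list entry {name!r}: a trailing comment leaked into the value")
        elif name not in defined:
            problems.append(f"{name!r} is in worker.list but no worker.{name}.* keys define it")
        elif "type" not in defined[name]:
            problems.append(f"worker.{name}.type is not set")
    for name, cfg in defined.items():
        if cfg.get("type") != "lb":
            continue
        for member in [m.strip() for m in cfg.get("balance_workers", "").split(",") if m.strip()]:
            if defined.get(member, {}).get("type") != "ajp13":
                problems.append(f"lb worker {name!r} balances over {member!r}, which is not an ajp13 worker")
    return problems


def check_jkmount(conf_text):
    """Apache rejects a JkMount line with extra words; it must be exactly 'JkMount <url> <worker>'."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("JkMount"):
            parts = line.split()
            if len(parts) != 3:
                problems.append(f"line {lineno}: JkMount needs exactly 2 arguments, got {len(parts) - 1}")
    return problems


# Constructed sample reproducing the mistakes the lint is for (trailing comment, status/jkstatus
# name mismatch, lb member that is never defined).
BAD_WORKERS = """\
worker.list=worker1,node1,status #node name you want to use
worker.jkstatus.type=status
worker.node1.port=8009
worker.node1.host=192.0.2.20
worker.node1.type=ajp13
worker.worker1.type=lb
worker.worker1.balance_workers=node1,node2
"""
GOOD_WORKERS = (BAD_WORKERS.replace(" #node name you want to use", "")
                .replace("worker.jkstatus.type", "worker.status.type")
                .replace("node1,node2", "node1"))

if __name__ == "__main__":
    for p in check_workers(BAD_WORKERS) + check_jkmount("JkMount /app/* worker1 #mount this url"):
        print(p)
    print("clean sample:", check_workers(GOOD_WORKERS))
```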

Thursday, February 12, 2015

Amazon AWS CloudFront setup Custom SSL Certificate

Here I will show how I enabled the custom SSL certificate option in CloudFront.

SSL cert preparation
There are a few things you need to prepare:
1. private key (.pem)
2. public key certificate (.pem)
3. certificate chain file (.pem)

If you have your private.key & public.crt from the CA,
you can use the commands below to convert them to .pem format

openssl rsa -in Private.key -out Private.pem
(do not add -text here: it prepends a human-readable dump to the file, and the upload expects a clean PEM key)

openssl x509 -inform PEM -in Public.crt > Public.pem

For the certificate chain file,
once you have deployed your SSL cert to your server,
you can use this link to check what the chain looks like, as different providers use different chains:
https://ssltools.thawte.com/checker/views/certCheck.jsp

Example 1


For Facebook, there is only 1 intermediate cert in the chain


Example 2


For this one, there are 2 intermediate certs in the chain


From the AWS documentation, a sample certificate chain looks like this:

-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----


So after you have checked what your certificate chain looks like,
all you need to do is find those certs and combine them.

For example 1, which is Facebook, there is only 1 intermediate cert in the chain, so DigiCert High Assurance CA-3 can be used directly as the certificate chain.

For example 2, which is Gardenbythebay, there are 2 intermediate certs in the chain, so you need to copy and paste them in the sequence below and save it as certificate_chain.pem

-----BEGIN CERTIFICATE-----
< Thawte SSL CA - G2 >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< thawte Primary Root CA >
-----END CERTIFICATE-----

NOTE:
I am using Thawte as well, so here are the links for both intermediate certs:
Thawte SSL CA - G2
Thawte Primary Root CA
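As an added example (not from the original post), the Python script below verifies that a certificate_chain.pem is in the order shown above, the CA that issued your certificate first, then its issuer, optionally ending at the root, by checking that each certificate's issuer equals the next certificate's subject. It shells out to the openssl command line (assumed installed) and, for the demo, generates a throw-away root, intermediate and leaf with constructed names instead of real Thawte or DigiCert certificates.

```python
import os
import subprocess
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem(text):
    """Return the CERTIFICATE blocks of a PEM file in file order; other blocks are ignored."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == PEM_BEGIN:
            current = [line.strip()]
        elif current is not None:
            current.append(line.strip())
            if line.strip() == PEM_END:
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks


def x509_name(pem_block, field):
    """Subject or issuer ('subject' / 'issuer') of one certificate, as openssl prints it."""
    out = subprocess.run(["openssl", "x509", "-noout", f"-{field}"], input=pem_block,
                         capture_output=True, text=True, check=True).stdout
    return out.split("=", 1)[1].strip()


def chain_problems(leaf_pem, chain_pem):
    """[] when chain_pem links leaf -> issuer -> ... in order; otherwise the first broken link."""
    certs = split_pem(chain_pem)
    if not certs:
        return ["chain file contains no CERTIFICATE blocks"]
    expected = x509_name(leaf_pem, "issuer")
    for position, cert in enumerate(certs, 1):
        subject = x509_name(cert, "subject")
        if subject != expected:
            return [f"certificate {position} in chain is '{subject}', expected the issuer '{expected}'"]
        expected = x509_name(cert, "issuer")
    return []


def make_demo_pki(workdir=None):
    """Generate root -> intermediate -> leaf with openssl (constructed names).
    Returns (leaf, intermediate, root) as PEM text."""
    workdir = workdir or tempfile.mkdtemp()
    path = lambda name: os.path.join(workdir, name)

    def openssl(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", "/CN=Demo Root CA", "-keyout", path("root.key"), "-out", path("root.pem"))
    for name, cn, ca in (("int", "/CN=Demo Intermediate CA", "root"),
                         ("leaf", "/CN=www.example.com", "int")):
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", cn,
                "-keyout", path(f"{name}.key"), "-out", path(f"{name}.csr"))
        openssl("x509", "-req", "-in", path(f"{name}.csr"), "-CA", path(f"{ca}.pem"),
                "-CAkey", path(f"{ca}.key"), "-CAcreateserial", "-days", "30",
                "-out", path(f"{name}.pem"))
    with open(path("leaf.pem")) as f1, open(path("int.pem")) as f2, open(path("root.pem")) as f3:
        return f1.read(), f2.read(), f3.read()


if __name__ == "__main__":
    leaf, intermediate, root = make_demo_pki()
    print("right order:", chain_problems(leaf, intermediate + root) or "ok")
    print("wrong order:", chain_problems(leaf, root + intermediate))
```

For a real upload, pass the contents of Public.pem and certificate_chain.pem to chain_problems() before running aws iam upload-server-certificate.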


Upload into the IAM store

Now that you have all 3 files, it is time to upload them to the IAM store.
I just went to EC2 and launched a micro instance for this purpose.
Choose Amazon Linux for the instance because it already has the AWS command line tools installed; on another distro you need to install them manually.


1. Once your Amazon instance is up, upload all 3 files to the server.
FOR WINDOWS, you can use WinSCP to upload; before that, edit /etc/ssh/sshd_config to enable password authentication and reload the service.


2. Use this command to upload your files:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/

example:
aws iam upload-server-certificate --server-certificate-name Facebook2015 --certificate-body file://~/Public.pem --private-key file://~/Private.pem --certificate-chain file://~/certificate_chain.pem --path /cloudfront/Facebook/

Once done, you should see output like this:

{

  "ServerCertificateMetadata": {
     "ServerCertificateId": "ASCAJR5WQNL4PIB4GMMNE",
     "ServerCertificateName": "Facebook2015",
     "Expiration": "2017-04-23T23:59:59Z",
     "Path": "/cloudfront/Facebook/",
     "Arn": "arn:aws:iam::337660227660:server-certificate/cloudfront/Facebook/Facebook2015",
     "UploadDate": "2015-02-11T03:36:56.032Z"
  } 
}

Now you should be able to choose a custom SSL certificate in CloudFront.


OTHER COMMAND

delete certificate object:

aws iam delete-server-certificate --server-certificate-name certificate_object_name

example:
aws iam delete-server-certificate --server-certificate-name Facebook2015


View Certificate object:

aws iam get-server-certificate --server-certificate-name certificate_object_name

example:
aws iam get-server-certificate --server-certificate-name Facebook2015

Friday, September 19, 2014

smokeping for Centos7

I am using CentOS 7 + smokeping-2.6.9.

Let's start by installing the needed packages.
Before that, we need to enable the EPEL repo.
You can install EPEL by running yum install epel-release; the package is included in the CentOS Extras repository, which is enabled by default.

# yum install epel-release

Then install the following packages:
  • mod_fcgid
  • httpd
  • httpd-devel
  • rrdtool
  • perl-CGI-SpeedyCGI
  • fping
  • rrdtool-perl
  • perl
  • perl-Sys-Syslog
# yum install mod_fcgid httpd httpd-devel rrdtool perl-CGI-SpeedyCGI fping rrdtool-perl perl perl-Sys-Syslog

Then we need some packages for CPAN to install the Perl modules:

# yum install perl-CPAN perl-local-lib perl-Time-HiRes

The last one is the package group needed to build smokeping:

# yum groupinstall "Development tools"
-----------------------------------------------------------------------------------------------------------------

Now let's download the latest smokeping from http://oss.oetiker.ch/smokeping/pub/
Currently the latest I saw is 2.6.9, so I downloaded that:

# wget http://oss.oetiker.ch/smokeping/pub/smokeping-2.6.9.tar.gz

Then extract it:

# tar -zxvf smokeping-2.6.9.tar.gz

Install the Perl modules smokeping needs:

# cd smokeping-2.6.9/setup
# ./build-perl-modules.sh

It installs the needed Perl modules automatically.
Once done, go back to the smokeping-2.6.9 folder; you will notice a folder named thirdparty has been created.
We need to move it to /opt, but first create the smokeping folder under /opt,
then copy the thirdparty folder into it:

# mkdir /opt/smokeping
# cp -r thirdparty /opt/smokeping/

# ./configure --prefix=/opt/smokeping
# make install

~ NOTE ~
If you encounter a problem, try make install again.
In my case the first make install printed some errors, but when I ran make install again the errors were gone.

Now you can go to /opt/smokeping/etc and prepare the config files:

# cd /opt/smokeping/etc
# for foo in *.dist; do cp $foo `basename $foo .dist`; done

--------------------------------------------------------------------------------------------------------------

Now it is time to prepare the web interface.
Make sure you have installed Apache,
otherwise install it using yum install httpd.

# vim /etc/httpd/conf/httpd.conf

change:
DirectoryIndex index.html index.html.var
to:
DirectoryIndex index.html index.html.var smokeping.fcgi

then enable (uncomment) this line:
AddHandler cgi-script .cgi

---------------------------------
# vim /etc/httpd/conf.d/smokeping.conf

<Directory "/var/www/html/smokeping">
    Options +ExecCGI
</Directory>
--------------------------------
# mkdir /opt/smokeping/img
# mkdir /opt/smokeping/data
# mkdir /opt/smokeping/var
# mkdir /opt/smokeping/cache
# chown -R apache:apache /opt/smokeping/img
# chown -R apache:apache /opt/smokeping/cache
# ln -s /opt/smokeping/htdocs /var/www/html/smokeping
# ln -s /opt/smokeping/img /var/www/html/smokeping
# ln -s /opt/smokeping/cache /var/www/html/smokeping


# chmod 600 /opt/smokeping/etc/smokeping_secrets
# chmod 600 /opt/smokeping/etc/smokeping_secrets.dist
# chown -R apache:apache /var/www/html/smokeping

Before we start smokeping, please edit your configuration first.
Edit the smokeping config to your needs (the site-specific values below are the ones to change):
# vim /opt/smokeping/etc/config
------------------------------------------
*** General ***

owner    = Peter Random
contact  = some@address.nowhere
# ignore mailhost if you do not have an SMTP server
mailhost = my.mail.host
sendmail = /usr/sbin/sendmail
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
imgcache = /opt/smokeping/cache
imgurl   = cache
datadir  = /opt/smokeping/data
piddir  = /opt/smokeping/var
cgiurl   = http://some.url/smokeping.cgi
smokemail = /opt/smokeping/etc/smokemail.dist
tmail = /opt/smokeping/etc/tmail.dist
# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no

*** Alerts ***
to = alertee@address.somewhere
from = smokealert@company.xy

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times  in a row

*** Database ***

step     = 300
pings    = 20

# consfn mrhb steps total

AVERAGE  0.5   1  1008
AVERAGE  0.5  12  4320
    MIN  0.5  12  4320
    MAX  0.5  12  4320
AVERAGE  0.5 144   720
    MAX  0.5 144   720
    MIN  0.5 144   720

*** Presentation ***

template = /opt/smokeping/etc/basepage.html.dist

+ charts

menu = Charts
title = The most interesting destinations

++ stddev
sorter = StdDev(entries=>4)
title = Top Standard Deviation
menu = Std Deviation
format = Standard Deviation %f

++ max
sorter = Max(entries=>5)
title = Top Max Roundtrip Time
menu = by Max
format = Max Roundtrip Time %f seconds

++ loss
sorter = Loss(entries=>5)
title = Top Packet Loss
menu = Loss
format = Packets Lost %f

++ median
sorter = Median(entries=>5)
title = Top Median Roundtrip Time
menu = by Median
format = Median RTT %f seconds

+ overview

width = 600
height = 50
range = 10h

+ detail

width = 600
height = 200
unison_tolerance = 2

"Last 3 Hours"    3h
"Last 30 Hours"   30h
"Last 10 Days"    10d
"Last 400 Days"   400d

#+ hierarchies
#++ owner
#title = Host Owner
#++ location
#title = Location

*** Probes ***

+ FPing

binary = /usr/sbin/fping

*** Slaves ***
secrets=/opt/smokeping/etc/smokeping_secrets.dist
+boomer
display_name=boomer
color=0000ff

+slave2
display_name=another
color=00ff00

*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of xxx Company. \
         Here you will learn all about the latency of our network.

+ Server
menu= Targets

++ google

menu = google.com
title = google.com
alerts = someloss
host = www.google.com
-----------------------------------------------------------------
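The directory, symlink and secrets-permission steps above, plus the "do not put the image cache below cgi-bin" rule from the config comment, as an added shell example (not the original post's commands; PREFIX and WEBROOT are parameters you pass, and the chown to apache is left out because it needs root):

```shell
#!/bin/sh
# Added example (not the original post's commands): stage the SmokePing
# layout from the post under PREFIX, expose it under WEBROOT, and verify
# the two permission rules the post relies on. The chown to apache needs
# root and is left to the caller, so this runs as an unprivileged user.

# smokeping_stage PREFIX WEBROOT: create dirs, symlinks and secrets files.
# Safe to run twice (existing links are kept).
smokeping_stage() {
    prefix="$1"; webroot="$2"
    for d in img data var cache etc htdocs; do
        mkdir -p "$prefix/$d" || return 1
    done
    # htdocs is served as WEBROOT/smokeping; img and cache are linked inside it
    [ -e "$webroot/smokeping" ] || ln -s "$prefix/htdocs" "$webroot/smokeping" || return 1
    for d in img cache; do
        [ -e "$webroot/smokeping/$d" ] || ln -s "$prefix/$d" "$webroot/smokeping/$d" || return 1
    done
    # shared slave secrets: owner read/write only, as in the post
    for f in smokeping_secrets smokeping_secrets.dist; do
        [ -e "$prefix/etc/$f" ] || : > "$prefix/etc/$f"
        chmod 600 "$prefix/etc/$f" || return 1
    done
}

# file_mode FILE: print the octal permission bits (GNU stat, BSD fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# secrets_mode_ok FILE: succeed only when the mode is exactly 600
secrets_mode_ok() {
    [ "$(file_mode "$1")" = "600" ]
}

# imgcache_ok CONFIG: succeed when the imgcache path in CONFIG is not under
# a cgi-bin directory (the post's config comment warns that everything
# under cgi-bin gets executed, which is not what you want for images)
imgcache_ok() {
    dir=$(sed -n 's/^imgcache[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$dir" ] || return 1
    case "$dir" in
        */cgi-bin/*|*/cgi-bin|cgi-bin/*|cgi-bin) return 1 ;;
        *) return 0 ;;
    esac
}
```

On the real box you would call smokeping_stage /opt/smokeping /var/www/html as root and then apply the chown -R apache:apache lines from the post.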

For mine, I had turned off firewalld as it was meant for a private LAN.
# systemctl stop firewalld

and I also turned off SELinux.
# setenforce 0

Start the Apache service:
# systemctl start httpd

Start the smokeping service (from the /opt/smokeping directory, since the path below is relative):
# cd /opt/smokeping
# ./bin/smokeping --config=/opt/smokeping/etc/config --logfile=smoke.log

For a startup script,
you can get it from here:
http://oss.oetiker.ch/smokeping/pub/contrib/smokeping-start-script
Just edit the smokeping path,
then put it at /etc/init.d/
and chmod 755 it.


Thanks Will for pointing out the typo and mistake