JBOSS Admin

Apache SSL setup on Windows

Download the software and go through the default installation process. I downloaded the one with openssl -
Win32 Binary including OpenSSL 0.9.8o (MSI Installer)
Start the apache from programs menu.
By default, port 80 works.

To setup SSL, follow these instructions.
1) Uncomment the following lines from httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

2) Edit these lines from extra/httpd-ssl.conf file
Add NameVirtualHost *:443 under Listen 443
Modify to <VirtualHost _default_:443> to <VirtualHost *:443>

3) Create self signed certficate using openssl.
Launch openssl from Apache binary folder
a) OpenSSL> req -config c:\openssl.cnf -out c:\myserver.csr -new -newkey rsa:2048 -nodes -keyout c:\myserver-privkey.key
Fill out the required parameters.
b) openssl x509 -req -days 3000 -in c:\myserver.csr -signkey c:\myserver-
privkey.key -out c:\myserver.crt

4) Update httpd-ssl.conf with the correct path for these attributes.
SSLCertificateFile "C:\apachessl\myserver.crt"
SSLCertificateKeyFile "C:\apachessl\myserver-privkey.key"

5) Restart server.

6) Access http://localhost/ https://locahost/
There will be certificate warning because it is self signed.

Common Issues:

Problem
Syntax error on line 56 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a
module not included in the server configuration
Note the errors or messages above, and press the <ESC> key to exit.

Solution
Uncomment these line from httpd-conf.
LoadModule ssl_module modules/mod_ssl.so

Problem
Unable to load config info from /usr/local/ssl/openssl.cnf
Solution
OpenSSL requires a config file. Refer to step 3a) above to specify "-config c:\apache-conf-folder\openssl.cnf"

Problem
Syntax error on line 63 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
SSLSessionCache: Invalid argument: size has to be >= 8192 bytes
Note the errors or messages above, and press the <ESC> key to exit.

Solution
The error message is due to the default installation path which is lengthy
Create a shortcut c:\apache2.2 pointing to C:\Program Files (x86)\Apache Software Foundation\Apache2.2 and update your configuration accordingly.

Splunk Credit Card Search

You can use this regex to list credit card patterns in tabular form.
* | rex field=_raw "(?<Visa>4[0-9]{12})" | rex field=_raw "(?<AMEX>5[1-5][0-9]{14})" | table Visa, AMEX

Splunk Credit Card Masking

Create/update /opt/splunk/etc/apps/search/local/props.conf file with the following content. The file should be placed in each splunk client or forwarder.

[source::.../*server.log]
SEDCMD-ccard = s/(4[0-9]{12}(?:[0-9]{3})?|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}|3(?:0[0-5]|[68][0-9])[0-9]{11}|5[1-5][0-9]{14})/xxxx-xxxx-xxxx-xxxx/g

... in source means server.log is searched under all directories
SEDCMD pretty much works like Unix sed.

IBM ILOG Team Server Setup on JBOSS EAP 5.1

http://www.splunk.com/base/Documentation/4.1.7/Admin/RemovedatafromSplunk
- To purge all indexed data
1. Stop splunk
$SPLUNK_HOME/bin/splunk stop
2. Purge all data
$SPLUNK_HOME/bin/splunk clean eventdata -f
(-f option is to avoid being asked if you really delete the index.)
This command delete all the data in $SPLUNK_HOME/var/lib/splunk/
3. Start splunk
$SPLUNK_HOME/bin/splunk start

- If you want to purge a specific index, for example, "main" index
$SPLUNK_HOME/bin/splunk clean eventdata main -f

JBOSS session timeout

JBOSS session timeout is specified in $JBOSS_HOME/server/production/deployers/jbossweb.deployer/web.xml.
   <session-config>
      <session-timeout>30</session-timeout>
   </session-config>

The default session timeout in JBOSS is 30 minutes.

JBOSS transaction timeout

Transaction timeout is set in $JBOSS_HOME/server/production/deploy/transaction-jboss-beans.xml
<property name="transactionTimeout">300</property>

Java Heap Dump

Take java heap dump using this command in 64 bit server:

jmap -J-d64 -dump:format=b,file=/opt/jbosslogs/heap.hprof $java_pid

Tealeaf Password Masking

When you have custom form field names, user name and password are displayed when replaying session using Tealeaf viewer. You can mask the password value with the following steps.

1) Login into Tealeaf Portal
2) Tealeaf -> TMS
3) Master -> Transport Service -> Privacy Filter Configuration -> View/Edit (Raw)
4) Append a Rule to existing set of rules. You can position the rule as needed. Define an Action.
Place these lines into Raw file.

[Rule3]
Enabled=true
Actions=password_block

[password_block]
Action=Block
Field=j_password

In this case, my html form field name is j_password.

5) Save and restart transport service.

Tealeaf Capture Sessions for new website

Steps to add new website to track sessions through Tealeaf.

1) Login to PCP appliance URL.
http://ip_addr:8080/interface.php

2) Navigate to Filter Rules section.
Specify Host: {ip_address_of _website_to monitor} Port1: 80 Port2: 443
Click Add and Save changes.
If you are not using SSL, no need to add port 443.

3) Setup SSL
If you are monitoring SSL, you need to have the private keys for decryption.
Login into physical host of the appliance.
It is recommended you have the keys in PEM format.
If you have private key in .key file, simply rename the file from .key to .pem extension.
Copy the private keys to /usr/local/ctccap/etc directory in Tealeaf capture device.

Execute these commands:
cd /usr/local/ctccap/etc
mv mycert.key mycert.pem (optional)
tealeaf pem2ptl mycert.pem
PEM file will be converted to PTL format.
On successful conversion, you should see the message
pem2ptl: notice: Successfully converted PEM file "mycert.pem" to PTL file: mycert.ptl

4) Login to Capture device console again.
http://ip_addr:8080/keys.php
If you are already in the console, navigate to SSL Keys
Select private keys to view -> Check Loaded

Add a private key:
Label:myappname File:/usr/local/ctccap/etc/mycert.ptl
Click Add and Save changes.

Optional: You can also verify the configuration in /usr/local/ctccap/etc/ctc-conf.xml.

5) Restart Tealeaf capture device
# tealeaf stop capture
# tealeaf start capture

6) Your new website sessions should now be tracked in Tealeaf.
Login into the Tealeaf portal and search for your sessions. Restart portal just in case you have any issues.

JDK 32 or 64 bit

To find out if JDK is 32 or 64 bit, run java -version.

/opt/jdk/bin/java -version

A 64 bit JDK would output
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

A 32 bit JDK would output
java version "1.6.0_21"
Java(TM) SE Runtime Environment (build 1.6.0_21-b06)
Java HotSpot(TM) Server VM (build 17.0-b16, mixed mode)

If you don't see 64 bit in your output, most probably the JDK is 32-bit

Splunk Search App Customization

By default, Splunk search option All time is selected. To change the default option,

1) Login to Splunk server
2) From App dropdown at the top right, choose Manage Apps
3) Click view configuration corresponding to search link
4) Click dashboard
5) Change the selected param to Last 15 minutes instead of All time.
<module name="TimeRangePicker">
<param name="selected">Last 15 minutes</param>
You can choose any of the text value from search dropdown.
6) Your default search value is 15 minutes!

Tomcat

1) Tomcat installation on RHEL 5
Download the apache-tomcat-6.0.29.tar.gz and extract it to /opt folder

2) Change ports (if required)
If you would like to change ports from default Tomcat installation, edit /opt/apache-tomcat-6.0.29/conf/server.xml with desirable ports.

3) Security
Edit /opt/apache-tomcat-6.0.29/conf/tomcat-users.xml.
Add these lines
<role rolename="manager"/>
<user username="tomcatadm" password="tomcatadm" roles="manager"/>
Save

4) Start server
Execute /opt/apache-tomcat-6.0.29/conf/startup.sh

5) Hit http://ip_address:8080/
Click on Tomcat Manager
Login using tomcatadm/tomcatadm and access manager

6) Enable Clustering
Uncomment the following line in server.xml
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

JBOSS ClassNotFoundException

Problem
java.lang.ClassNotFoundException: com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl

Solution
Download Sun SAAJ jar and place it in profile/lib (e.g.production/lib) amd restart the server
One of the commonly available download location: http://download.java.net/maven/1/com.sun.xml.messaging.saaj/jars/

JBOSS APR Error

Problem:

Application reports APR exception as below

javax.servlet.ServletException: Not in a valid Comet configuration (use an APR or NIO connector)

at org.granite.gravity.jbossweb.AbstractHttpEventServlet.service(AbstractHttpEventServlet.java:217)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.ja

dsda

Solution:

Install JBOSS native libraries and set LD_LIBRARY_PATH

1) Download jboss-eap-native-5.0.1-RHEL5-i386.zip for Linux.

2) Extract the zip file to temporary location and move the native folder to jboss-eap-5.0.1 directory (one level above jboss home directory).

The structure looks like this.

jboss-eap-5.0.1

|__jboss

|__native

3) Update install account's profile (/home/jbossadm/.bash_profile)

Add this line to the .bash_profile

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$JBOSS_HOME/../native/lib

4) Exit from Unix shell

5) Restart JBOSS server

Port forwarding

IP tables port forwarding can be used to direct requests from one port to another. It is extremely helpful in situation where you need to run your application as non-root but still need to serve the app on port 80. This will also eliminate the need for root/sudo privileges.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000

To save the changes permanently, execute the save command.
service iptables save

To look at the saved configuration,
more /etc/sysconfig/iptables

You can also execute the stop and start conmands as required.
service iptables stop
service iptables start

JBOSS Database Connection Leak

If you suspect database connection leak code issues, you can apply this fix.
From JBOSS deploy directory, edit Cached Connection Manager section in jca-jboss-beans.xml.

<bean name="CachedConnectionManager" class="org.jboss.resource.connectionmanager.CachedConnectionManager">
<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.jca:service=CachedConnectionManager", exposedInterface=org.jboss.resource.connectionmanager.CachedConnectionManagerMBean.class)</annotation>

<property name="debug">true</property>

<property name="error">true</property>


<property name="transactionManager"><inject bean="TransactionManager" property="transactionManager"/></property>
</bean>
--------------------------------------------------------------------------
The following message will be reported in the logs when unclosed connections are detected and closed.

ERROR [org.apache.catalina.connector.CoyoteAdapter] (http-172.22.85.83-8080-2) An exception or error occurred in the container during the request processing
javax.servlet.ServletException: Error invoking cached connection manager
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:174)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.resource.ResourceException: Some connections were not closed, see the log for the allocation stacktraces
at org.jboss.resource.connectionmanager.CachedConnectionManager.popMetaAwareObject(CachedConnectionManager.java:251)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:164)

Splunk Errors and Solutions

Problem
Splunk reports error "Your maximum disk usage quota has been reached. The search was not run" when doing searches.

Solution
Login to Splunk.
Click on Jobs link on top right corner.
Delete the jobs and run search again.

Tealeaf Report to track Apache and JBOSS servers

You can build a Tealeaf report template to identify which web and app servers are hit by the users. This can save your troubleshooting time and get to the root cause quickly.

I) Setup an Event
1) Launch RealiTeaPro viewer.
2) Navigate to Edit -> Event Editor -> Attributes
3) Create an Attribute jk-attr-webserver with Attribute Type as Text.

4) Navigate to Edit -> Event Editor -> Categories
5) Create a Category jk-ctg-webserver
Flag: Active selected
Match Type: 0-String pattern
Case: Insensitive
Encoding: No Translation
Buffer: Request
Start Tag: \njk-webserver-req-set-field=
End Tag: \r

6) Navigate to Edit -> Event Editor -> Events
7) Create an Event jk-evt-webserver
Group: SysOps
Value Tyoe: Default
Match Type: 16-Data is NOT null
Buffer: Filtered by Category
Flag: Interesting Event selected
Event Result Type: Text
Attribute Name: jk-attr-webserver
Category: jk-ctg-webserver

8) Save and Commit the changes.

II) Setup Privacy Filter
1) From the browser, login to Tealeaf portal.
http://{tealeaf-server}/portal/TMS.aspx
2) Navigate to WorldView -> Transport Service -> Privacy Filter configuration -> View/Edit Raw

3) Create or Edit one of the rules
[Rule3]
Enabled=true
Actions=IndexRemote_Addr, IndexRequest_Method, ReqSetTLTURL, ReqSetjk-action-webserver

4) Add the action

[ReqSetjk-action-WebServer]

Section=cookies

Action=ReqSet

Field=BIGipServer{cookienameforwebserver}

Inclusive=true

ReqSetField=jk-webserver-req-set-field

ReqSetSection=appdata

BIGipServer{cookienameforwebserver}. You can find this field/cookie name from Request data when replaying the Tealeaf session. In my case, BigIP LTM injects a cookie with prefix BIGipServer. This can be any cookie injected by the server.

5) Save the config
6) Click on Transport Service and restart.

III) Build a Tealeaf Report Template
1) From the browser, login to Tealeaf portal.
http://{tealeaf-server}/portal/SearchTemplateConfig.aspx
2) Create a new template 'Operations Template' or add the relevant columns to the existing template.

3) Add the WebServer column
Title: WebServer
Field: Session Attribute Value
Attribute: jk-attr-webserver
Operation: Display Field Value
4) Save.

Your report now displays the column titled WebServer with cookie value. With this cookie value, you can find out which server is being hit. The same procedure can be repeated to track JBOSS appserver by reading the corresponding cookie.

If you are using BigIP LTM, you can track the server using cookie. Please refer
http://techwaver.blogspot.com/2008/12/decode-bigip-cookie-to-identify-pool.html

JBOSS LDAP Password Encryption

Please make sure your JBOSS LDAP connection works fine with clear password before proceeding with encryption.

1) Create a mbean file named encrypt-service.xml and place it in the deploy folder.
encrypt-service.xml
------------------------------------------------------------------------------
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
   name="jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security">
   <constructor>
   <arg type="java.lang.String" value="jk-ldap-security"></arg>
   </constructor>
   <attribute name="KeyStorePass">rchitect</attribute>
   <attribute name="Salt">rchitect</attribute>
   <attribute name="IterationCount">66</attribute>
   </mbean>
------------------------------------------------------------------------------
Note: The Salt value should be 8 bytes long. More than 8 bytes is not accepted at the moment.

2) Restart the server if required.

3) Login to jmx-console http://{ip-address}:8080/jmx-console/

4) From the left hand side navigation Object Name Filter, select jboss.security and click on the link domain=jk-ldap-security,service=JaasSecurityDomain

5) Go to Operation -> encode64 -> Type your LDAP Bind Password and click Invoke.

6) The encrypted password will be displayed on the screen. Please save this.

7) Update your login-config.xml

Replace

<module-option name="bindCredential">clear-text-password</module-option>

with

<module-option name="bindCredential">{encrypted-password-from-above}</module-option>

<module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security</module-option>

8) Restart the server.

Your ldap bind password is now encrypted!

9) As you can notice above, KeyStorePass is still in clear text form. In order to encrypt Keystore pass, create a file server.password in conf directory using the command below substituting with proper parameters.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword $saltvalue $iterationcountvalue $password $JBOSS_SERVER_HOME/conf/server.password
e.g.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword rchitect 66 rchitect $JBOSS_SERVER_HOME/conf/server.password

10) Replace the clear text KeyStorePass with the folllowing in encrypt-service.xml
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>

If you prefer not to use mbean for encryption, you can also use the following command to encrypt the ldap bind password.

java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils $saltvalue $iterationcountvalue $password $encryptpassword

e.g.

java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils rchitect 66 rchitect ldap-bind-clear-password

Splunk Dashboard

Splunk search dashboard summary displays sources, sourcetypes and hosts. These hosts will list your actual server name. If you would like to have user friendly name for your hosts, follow these steps.
1) Navigate to http://{splunk_agent_host}:8000 and login to Splunk agent on target host.
2) Manager -> System settings -> General settings -> Index settings.
3) Update the Default host name (optional) field to have user friendly name
4) SSH into splunk agent and run these commands
$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk clear all
$SPLUNK_HOME/bin/splunk start
5) Login to Splunk server and check the dashboard for discovery of user friendly host.
Note: The password may get reset due to clear all command.
------------------------------------------------------------------------------

By default, Splunk dashboard lists 10 hosts. When you have large no. of hosts, navigating 10 hosts at a time might be cumbersome. To increase the size of hosts displayed,
1) Navigate to Manager -> User interface -> Views -> Select 'search' as app context from dropdown -> dashboard.
2) Update this block in the section after 
   <module name="Paginator">
   <param name="count">25</param>
   <param name="entityName">settings</param>
   <param name="maxPages">25</param>
   <module name="SearchLinkLister">
3) Restart splunk server

JBOSS LDAP Integration

JBOSS Active Directory LDAP Integration

1) Edit the required application policy in $JBOSS_SERVER_HOME/conf/login-config.xml

For example, if you want to secure the web-console application of jboss, edit the following application policy.

<application-policy name="ldap-encrypted">

<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >

<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

<module-option name="java.naming.security.authentication">simple</module-option>

<module-option name="java.naming.provider.url">ldap://{server_name}:389</module-option>

<module-option name="bindDN">CN=bindid,OU=something,dc=something,dc=com</module-option>

<module-option name="bindCredential">passwordgoeshere</module-option>

<module-option name="baseCtxDN">dc=something,dc=com</module-option>

<module-option name="baseFilter">(sAMAccountName={0})</module-option>

<module-option name="rolesCtxDN">dc=something,dc=com</module-option>

<module-option name="roleFilter">(sAMAccountName={0})</module-option>

<module-option name="roleAttributeIsDN">true</module-option>

<module-option name="roleAttributeID">memberOf</module-option>

<module-option name="roleNameAttributeID">cn</module-option>

<module-option name="roleRecursion">-1</module-option>

<module-option name="allowEmptyPasswords">false</module-option>

<module-option name="searchScope">SUBTREE_SCOPE</module-option>

<module-option name="trace">true</module-option>

<module-option name="java.naming.referral">follow</module-option>

<module-option name="defaultRole">JBossAdmin</module-option>

</login-module>

</authentication>

</application-policy>

2) Please note that the role JBossAdmin defined above is referenced from WEB-INF/web.xml of the application.
   <security-role>
   <role-name>JBossAdmin</role-name>
   </security-role>

3) Please note that <application-policy name="web-console"> specified above is referenced from jboss-web.xml within app.
<jboss-web>
<security-domain>java:/jaas/ldap-encrypted</security-domain>
<depends>jboss.admin:service=PluginManager</depends>
</jboss-web>

Splunk forwarding and receving

1) Install Splunk server
2) Install Splunk on host machines you want to monitor. Please have splunk forwarder license on the host.
3) Setup Splunk server as a receiver and the splunk on other target systems as forwarder

4) Setup Receiver
Navigate to Manager > Forwarding and Receiving > Receive data > Configure receiving > New
Set up port as 8090 or any available port
Restart splunk

5) Setup Forwarder
Navigate to Manager > Forwarding and Receiving > Forward data > Configure forwarding > New
Provide {splunk_server_ip_from_step4):8090
Restart splunk

Note: If you are copying splunk install from one machine another, please do this step
Login to Splunk
Navigate to Manager > System settings > General settings
Splunk server name and Default host name should match the host name
Save and restart.

JON LDAP integration

JON integration with Active Directory LDAP
1) Login into JON
2) Navigate to Administration > System Configuration > Settings
3) In the LDAP configuration Properties, update the following parameters
Check the flag use LDAP Authentication
URL: ldap://{active_directory_server_name}
Username:{specify your bind id using complete dn}
Search Base:{specify base dn}
Login Property: sAMAccountName
Click ok
4) Login into JON database (Oracle)
Execute the query: select * from RHQ_SYSTEM_CONFIG
Notice the property key for CAM_LDAP_BIND_PW has the default password. Update the password of Active Directory Bind Account.
SQL> update RHQ_SYSTEM_CONFIG set property_value='password' where property_key='CAM_LDAP_BIND_PW';
SQL> commit;
5) Restart JON
6) Login to JON admin as user default: rhqadmin
7) Create desired roles using Administration > Security > Roles.
8) Login using AD account and logout
9) Login using rhqadmin and assign AD user to the desired roles.
10) Login again using AD account and perform operations

Splunk installation and LDAP integration

The installation steps are for RHEL 5 64 bit

1) Create user

#useradd -m splunkadm

#passwd splunkadm

Login an splunkadm

2) Install Splunk

Download splunk-4.1.3-80534-Linux-x86_64.tgz from splunk.com

Copy to /opt or install folder

#tar -xvf splunk-4.1.3-80534-Linux-x86_64.tgz

The contents will be extracted to /opt/splunk

3) Start Splunk

/opt/splunk/bin/splunk start

Launch the web console http://{ip_address}:8000

Login using user admin and password changeme

4) Check status

/opt/splunk/bin/splunk status

5) Import License

Navigate to Manager -> License. Paste your license.

Restart Splunk

/opt/splunk/bin/splunk restart

6) Email Settings

Navigate to Manager > System settings > Email alert settings

Set appropriate parameters. PDF report option can be selected.

7) Setup Authentication
a) Navigate to Manager > Access controls > Authentication method
Set appropriate parameters.
For Active Directory
Host: {your_ad_host}
Port: 389
Bind DN: {your_bind_user_id}
Bind DN Password: {your_bind_user_id_password}
User Base DN: {as appropriate}
User base filter: {Leave empty: set it later}

User name attribute: samaccountname
Real name attribute: cn
Group mapping attribute: dn
Group base DN: {as appropriate}
Group name attribute: cn
Group member attribute: member
Save

b) You should see a new link Configure LDAP role mapping
If you see any errors, correct the LDAP settings.
Click on the Configure LDAP role mapping link.
Select a group and asssign the desired roles.

JBOSS Clustering and Buddy Replication

1) Enable the buddy replication in JBOSS in
$JBOSS_SERVER_HOME/deploy/cluster/jboss-cache-manager.sar/META-INF/jboss-cache-manager-jboss-beans.xml

<property name="buddyReplicationConfig">
<bean class="org.jboss.cache.config.BuddyReplicationConfig">

<property name="enabled">true</property>

2) In order for the HTTP session replication to work, make sure the application is distributable.

Please add this tag <distributable/> in WEB-INF/web.xml
<distributable/>
</web-app>

Multicast addressing in JBOSS

Reference:
http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00802d4643.shtml

Using Apache mod_proxy and JBOSS

Add these lines to your apache conf file. Make sure you have proxy modules enabled in apache.

ProxyPass /myuri http://{specify jboss_ip or load balancer ip}:8080/myuri
ProxyPassReverse /myuri http://{specify jboss_ip or load balancer ip}:8080/myuri
ProxyPreserveHost On (The parameter will help to preserve the domain name for applications dependent on domain URL)
ProxyTimeout 180
ProxyStatus On
SetEnv proxy-sendextracrlf
SetEnv proxy-initial-not-pooled (Help prevent 502 errors)

You can use the same for ajp. The URL will be ajp://{specify jboss_ip or load balancer ip}:8009/myuri

JBOSS - Replace Hypersonic database with Oracle

1) Copy $JBOSS_HOME/docs/examples/jms/oracle-persistence-service.xml to $JBOSS_HOME/server/{your_profile}/deploy/messaging directory with no changes

2) Delete $JBOSS_HOME/server/{your_profile}/deploy/messaging/hsqldb-persistence-service.xml file

3) Delete $JBOSS_HOME/server/{your_profile}/deploy/hsqldb-ds.xml file

4) Create a datasource file (filename-ds.xml) under deploy directory with <jndi-name>DefaultDS</jndi-name>

5) Restart server

CAS Authentication setup on Tomcat

1) Download and extract Apache Tomcat to location /opt/apache-tomcat-6.0.26

2) Download CAS Server 3.4.2 final from http://www.jasig.org/cas/download

3) I imported cas.war into eclipse IDE to make the required changes.

4) Edit these parameters in WEB-INF/cas.properties
cas.securityContext.serviceProperties.service=https://mydomain.com/cas/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://mydomain.com/cas/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://mydomain.com/cas
host.name=cmydomain.com

Note: You can also use http instead of https for initial testing and also specify the port if you are standalone server. Ex: http://mydomain.com:8080/cas/services/j_acegi_cas_security_check

5) If you are using LDAP, edit WEB-INF/deployerConfigContext.xml with the following content. The following snippet is for using Microsoft Active Directory LDAP.

----------------------------------------------------------------

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
   <list>

   <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
   <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
   </list>
   </property>
   <property name="authenticationHandlers">
   <list>
   <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
   <property name="httpClient" ref="httpClient" />
</bean>

   <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
   <property name="filter" value="sAMAccountName=%u" />
   <property name="contextSource" ref="contextSource" />
   <property name="searchBase" value="OU=something,DC=something,DC=com"/>
   <property name="ignorePartialResultException" value="yes" />
   </bean>
   </list>
   </property>
  </bean>

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
   <property name="pooled" value="false"/>
   <property name="urls"><list><value>ldap://{ldaphostname}:389/</value></list></property>
   <property name="userDn" value="{specify DN of your ldap bind ID}" />
   <property name="password" value="encrypted_password" />
   <property name="baseEnvironmentProperties">
   <map>
   <entry>
   <key><value>java.naming.security.authentication</value></key>
         <value>simple</value>
  </entry>
   <entry>
   <key><value>com.sun.jndi.ldap.connect.timeout</value></key>
   <value>10000</value>
   </entry>
   <entry>
   <key><value>com.sun.jndi.ldap.read.timeout</value></key>
   <value>10000</value>
   </entry>
   </map>
  </property>
</bean>

<sec:user-service id="userDetailsService">
   <sec:user name="someusername" password="notused" authorities="ROLE_ADMIN" />
</sec:user-service>
----------------------------------------------------------------

6) You can replace the default header and footer by replacing WEB-INF/view/jsp/default/ui/includes/bottom.jsp and top.jsp.

7) Customize WEB-INF/view/jsp/default/ui/casLoginView.jsp with your content

8) Replace the logo image referenced in file WebContent/css/cas.css
/* HEADER --------------------------------- */
#header {position:relative; top:0; left:0; padding-top:52px; background:#fff url(../images/your-logo.jpeg) no-repeat scroll 25px 10px;}

9) Export the war file from Eclipse as cas.war and copy to webapps folder in tomcat server.

10) Optional: Edit server.xml file with these lines

<Host name="mydomain.com" appBase="webapps"

11) Start tomcat in debug mode '/opt/apache-tomcat-6.0.26/bin/catalina.sh run debug' to capture any errors in case there any issues.

12) If authentication is successful, you can use startup.sh and shutdown.sh tomcat scripts.

JBOSS operations script

The scripts are tested on RHEL 5

start_jboss.sh (for clustered environment)
--------------------------------------------------------------------------
JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MaxPermSize=256m
-Dorg.jboss.resolver.warning=true
-Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000
-Dsun.lang.ClassLoader.allowArraySyntax=true"
JAVA_OPTS="$JAVA_OPTS {you can add your custom JVM / application properties here}"

MULTICAST_ADDR={specify multicast addr}
BIND_ADDR=`getip.sh`
PARTITION=appname-partition1
SERVER={specify profile name}
SERVER_PEER_ID=`getserverpeerid.sh`

$JBOSS_HOME/bin/run.sh -b $BIND_ADDR -c $SERVER -g $PARTITION -u $MULTICAST_ADDR -Djboss.messaging.ServerPeerID=$SERVER_PEER_ID $JAVA_OPTS

echo "JBOSS start operation completed"

--------------------------------------------------------------------------

Note: One of the reasons to pass JVM arguments in the startup script is because the same startup script can be used for all servers in the cluster. Any parameter change can be made in this single file. You can also specify it in run.conf but you might want to sync run.conf in all servers.

getip.sh

--------------------------------------------------------------------------

grep IPADDR /etc/sysconfig/network-scripts/ifcfg-eth0 |awk -F= '{print $2}'

--------------------------------------------------------------------------

getserverpeerid.sh

--------------------------------------------------------------------------

HOST=`cat /proc/sys/kernel/hostname`

echo ${HOST:(-2)}

--------------------------------------------------------------------------

Note: you can customize the script to provide a numeral server peer id. This script gets the last two digits of host name.

JVM options

Use these JVM options as applicable for your environment

-XX:+AggressiveOpts
-XX:+DoEscape
-XX:+UseLargePages

Linux Tuning Optimization

1) Commands to check current settings before updating sys parameters

---------------------------------------------------------

cat /proc/sys/fs/file-max

ulimit -n

cat /proc/sys/net/core/rmem_default
cat /proc/sys/net/core/wmem_default

cat /proc/sys/net/core/rmem_max

cat /proc/sys/net/core/wmem_max

/sbin/ifconfig -a

eth0 Link encap:Ethernet HWaddr

inet addr: Bcast: Mask:

inet6 addr: fe80::250:56ff:febf:7f5a/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:9313376 errors:0 dropped:0 overruns:0 frame:0

cat /proc/sys/kernel/shmmax

cat /proc/sys/vm/nr_hugepages

---------------------------------------------------------

2) Edit /etc/sysctl.conf and append these values

---------------------------------------------------------
# Set File Max
set fs.file-max=102642

# Increase default socket send and receive buffers
net.core.rmem_default=262122

net.core.wmem_default=262122

net.core.rmem_max=262122

net.core.wmem_max=262122

---------------------------------------------------------

3) Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and append MTU
# recommended for gigabit ethernet to reduce packet fragmentation

MTU=9000

4) echo 2147483647 > /proc/sys/kernel/shmmax or update sysctl.conf

5) echo 1000 > /proc/sys/vm/nr_hugepages

6) Edit /etc/limits.conf and set ulimit value

JBOSS virtual hosts

Edit /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml to include your virtual hosts.

<Engine name="jboss.web" defaultHost="vhosts-mydomain">
   <Host name="vhosts-mydomain">
   <Alias>www.mydomain.com</Alias>
   <Alias>secure.mydomain.com</Alias>
   <Alias>somename.mydomain.com</Alias>
   </Host>
</Engine>

JBOSS thread dump using jstack

To take a threaddump on running java process in JBOSS,
ps -ef | grep java
find the process id (pid)
jstack {pid}> thread-dump.log

JBOSS Encrypt passwords

To encrypt the passwords stored in JBOSS configuration files:

1) Create a script: encrypt_password.sh with the content
------------------------------------------------------------
cd $JBOSS_HOME
echo "Please enter the password to be encrypted"
read password

java -cp lib/jboss-logging-spi.jar:common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule $password
------------------------------------------------------------

2) Execute the script.
Ex:
./encrypt_password.sh

Please enter the password to be encrypted
test
Encoded password: 48e90df5bc00051e

Using Apache mod_jk with BigIP LTM and JBOSS

1) Make sure your JBOSS is running and listening on AJP port 8009

2) LTM Load Balancer Configuration
a) Create a TCP monitor jboss-tcp-monitor using parent profile TCP
b) Create a Virtual Server with port 8009
c) Create a Pool
d) Create a Pool member with port 8009. The member will be JBOSS server IP and port 8009
e) Associate Pool with jboss-tcp-monitor
Reference: http://jbossadmin.blogspot.com/2010/03/ltm-configuration-for-apache.html

3) Configure mod_jk in apache
Reference: http://jbossadmin.blogspot.com/2010/03/apache-jboss-integration.html
Update these values to read as

worker.node1.port=8009
worker.node1.host={ltm-loadbalancer-vip}
worker.node1.type=ajp13

4) Test the browser website URL

JBOSS Oracle XA Datasource Configuration

1) Copy the sample file from /opt/jboss-eap-5.0/jboss-as/docs/examples/jca/oracle-xa-ds.xml.

Note: For Oracle 10g, type name is used as Oracle 9i

Rename the file as required and edit to read as follows
<?xml version="1.0" encoding="UTF-8"?>




<datasources>
  <xa-datasource>
   <jndi-name>jdbc/{your-jndi-name}</jndi-name>
   
   <isSameRM-override-value>false</isSameRM-override-value>
   <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
   <xa-datasource-property name="URL">jdbc:oracle:thin:@{db-server-name}:1526:{db-name}</xa-datasource-property>

<xa-datasource-property name="User">{db-user-name}</xa-datasource-property>

   <xa-datasource-property name="Password">{db-password}</xa-datasource-property>
   <valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleValidConnectionChecker</valid-connection-checker-class-name>
   <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
   <no-tx-separate-pools/>
   <metadata>
   <type-mapping>Oracle9i</type-mapping>
   </metadata>
  </xa-datasource>

  <mbean code="org.jboss.resource.adapter.jdbc.vendor.OracleXAExceptionFormatter"
   name="jboss.jca:service=OracleXAExceptionFormatter">
   <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
  </mbean>
</datasources>

2) Copy the ojdbc14_g.jar (oracle jdbc client jar) to location /opt/jboss-eap-5.0/jboss-as/server/default/lib
3) Copy {filename}-ds.xml file to /opt/jboss-eap-5.0/jboss-as/server/default/deploy or any directory defined in bootstrap/profile.xml
4) Restart the server if required. You should automatically see the data sources through the console.

5) If you want to encrypt the data source login information

5a) Edit /opt/jboss-eap-5.0/jboss-as/server/default/conf/login.xml and append the following application policy inside policy tags.
<application-policy name="{your-policy-name}">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username">ejb</module-option>
<module-option name="password">{db-encrypted-password}</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/{your-jndi-name},service=XATxCM</module-option>
</login-module>
</authentication>
</application-policy>

where jboss.jca:name=jdbc/{your-jndi-name} is the same value defined in oracle-ds file

5b) Edit oracle-xa-ds.xml file.
Replace these lines

<xa-datasource-property name="User">{db-user-name}</xa-datasource-property>

<xa-datasource-property name="Password">{db-password}</xa-datasource-property>

with

<security-domain>{your-policy-name}</security-domain>

5c) Restart the server

JBOSS Application deployment

1) Standalone server
Copy or move war files to the deploy directory configured in /opt/jboss-eap-5.0/jboss-as/server/default/conf/bootstrap/profile.xml

   ${jboss.server.home.url}conf/bindingservice.beans
   ${jboss.server.home.url}conf/jboss-service.xml
   ${jboss.server.home.url}deployers


   ${jboss.server.home.url}deploy
   file:///opt/customApps


   ${jboss.server.data.dir}/attachments



2) Farm (for clustered environment)
Farming is enabled by default in JBOSS environments
The configuration files related to farming are located in
/opt/jboss-eap-5.0/jboss-as/server/all/deploy/cluster/farm-deployment-jboss-beans.xml
/opt/jboss-eap-5.0/jboss-as/server/all/deploy/cluster/timestamps-jboss-beans.xml

3) Enable Hot Deployment
Refer to the config file/opt/jboss-eap-5.0/jboss-as/server/default/deploy/hdscanner-jboss-beans.xml for scan frequency and other settings.

4) Disable Hot Deployment
Remove the file /opt/jboss-eap-5.0/jboss-as/server/default/deploy/hdscanner-jboss-beans.xml to disable hotdeploy

Slim JBOSS

Slim configuration based on production profile:

# Following directories can be deleted from JBOSS at will.
rm -Rf /opt/jboss-eap-5.0/resteasy

rm -Rf /opt/jboss-eap-5.0/seam

rm -Rf /opt/jboss-eap-5.0/jboss-as/client

rm -Rf /opt/jboss-eap-5.0/jboss-as/docs

# Any ununused profiles can be deleted from this location

/opt/jboss-eap-5.0/jboss-as/server

# Remove EJB services
cd $JBOSS_SERVER_HOME/deploy
rm ejb*.xml
cd $JBOSS_SERVER_HOME/deployers
rm jboss-ejb3-*.jar

# Remove JUDDI 7
cd $JBOSS_SERVER_HOME/deploy
rm -Rf juddi-service.sar
# Remove Key Generator
rm -Rf uuid-key-generator.sar

# Turn off hot deployment
rm hdscanner-jboss-beans.xml

Temp/Log directories that can be deleted on startup
/opt/jboss-eap-5.0/jboss-as/server/log/*
/opt/jboss-eap-5.0/jboss-as/server/temp/*
/opt/jboss-eap-5.0/jboss-as/server/work/*
/opt/jboss-eap-5.0/jboss-as/server/data/*

JON Configuration

Linux Server Configuration

Navigate to Linux Server -> Inventory -> Connection -> Edit
Enable Content Delivery
Enable Internal Yum Server
Specify Yum Server Port

Under Event Logs
Add New

Log Tracking Enabled: Yes
Minimum Severity: Information
Log Tracking Type: File
Syslog File Path: /var/log/messages

JBOSS Configuration
Navigate to JBOSS server from JON console
JBOSS server -> Inventory -> Connection ->. Edit

Provide additional info:

Principal: admin
Credentials: jboss
Start script: /home/jbossadm/scripts/start_jboss.sh (you can provide direct path to run.sh or custom start script)
Stop script: /home/jbossadm/scripts/stop_jboss.sh (you can provide direct path to shutdown.sh or custom stop script)
Shutdown Method: shutdown script
Bind Address: {jboss-server-ip-addr}
Java Home: /opt/jre1.6.0_18

Reload JON configuration

./rhq-agent.sh --cleanconfig -c conf/agent-configuration.xml
or
./rhq-agent.sh -l -c conf/agent-configuration.xml

External Links

Download connectors for Apache
http://svn.hyperic.org/?root=Hyperic+HQ+Connectors

JBOSS supported configurations
http://www.jboss.com/products/platforms/application/supportedconfigurations/

JBOSS Profiler
http://labs.jboss.com/jbossprofile

Multicast address assignment
http://www.29west.com/docs/THPM/multicast-address-assignment.html

Test Multicast
http://www.jgroups.org/

JON Agent update

To update IP address, run the command
setconfig rhq.communications.connector.bind-address={new-ip-addr}
(or)
Update agent-configuration file if required and follow --cleanconfig steps.
Restart Agent.

JON - Create Dyna groups

Dyna group is similar to logical group.

Create Dyna Group
Groups -> New group definition

To group all RHQ agents,
Name: custom-AgentGroup
Expression:

resource.type.plugin = RHQAgent
resource.type.name = RHQ Agent

Recursive: true

Calculate groups manually which will discover resources based on the Expression
Set Interval for automatic recalculation

JON Agent commands

Reload JON agent configuration

./rhq-agent.sh --cleanconfig -c conf/agent-configuration.xml

or

./rhq-agent.sh -l -c conf/agent-configuration.xml

Force discovery of agent

/opt/jon-server-2.3.1.GA/bin/rhq-agent.sh

> discovery -f

JON agent operations
/opt/jon-server-2.3.1.GA/bin/rhq-agent.sh
> start
> shutdown

Oracle - Login as sysdba with lost sysdba password

cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin
. ./oracle_env.sh
set ORACLE_SID=XE

-bash-3.2$ sqlplus

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 23 11:31:46 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter user-name:
-bash-3.2$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 23 11:31:53 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL>

JON Activities

Modify Server Configuration using file:
/opt/jon-server-2.3.1.GA/bin/rhq-server.properties

Test Email configuration, agents, sql etc..
http://{ip_addr}:7080/admin/test/email.jsp

Uninventory resources

Resources -> Platform -> Uninventory the required resource

Apache JON integration

1) Install JON agent. It is better to install JON agent using the same account as Apache install.

2) Import the server/agent into JON

3) Navigate to Host -> Inventory -> Manually add Apache HTTP server -> Specify required parameters.

Server Root: /opt/apache

Config File: /opt/apacheconf/httpd.conf

SNMP Agent: {apache-server-ip-address}

SNMP Agent Port: 1691 (or applicable to your environment)

Error Log File Path: /opt/apachelogs/error_log

4) Navigate to the auto discovery queue and import Apache manually.

5) Enable RT metrics (optional)

Login to JON

Administration > System Configuration > Templates | Apache HTTP Server > Apache Virtual

Host-> Edit Metric Template

Select HTTP Response Time

Select Update schedules for existing resources of marked type

Specify "Collection Interval for Selected"

Hit Start (>) button

Enable mod_headers in Apache

#cd /opt/software/httpd-2.2.14/modules/metadata

#/opt/apache/bin/apxs -i -a -c mod_headers.c

Output:

/opt/apache/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -O2 -pthread -I/opt/apache/include -I/opt/apache/include -I/opt/apache/include -c -o mod_headers.lo mod_headers.c && touch mod_headers.slo

/opt/apache/build/libtool --silent --mode=link gcc -o mod_headers.la -rpath /opt/apache/modules -module -avoid-version mod_headers.lo

/opt/apache/build/instdso.sh SH_LIBTOOL='/opt/apache/build/libtool' mod_headers.la /opt/apache/modules

/opt/apache/build/libtool --mode=install cp mod_headers.la /opt/apache/modules/

cp .libs/mod_headers.so /opt/apache/modules/mod_headers.so

cp .libs/mod_headers.lai /opt/apache/modules/mod_headers.la

cp .libs/mod_headers.a /opt/apache/modules/mod_headers.a

chmod 644 /opt/apache/modules/mod_headers.a

ranlib /opt/apache/modules/mod_headers.a

PATH="$PATH:/sbin" ldconfig -n /opt/apache/modules

----------------------------------------------------------------------

Libraries have been installed in:

/opt/apache/modules

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

- add LIBDIR to the `LD_LIBRARY_PATH' environment variable

during execution

- add LIBDIR to the `LD_RUN_PATH' environment variable

during linking

- use the `-Wl,--rpath -Wl,LIBDIR' linker flag

- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

chmod 755 /opt/apache/modules/mod_headers.so

[activating module `headers' in /opt/apache/conf/httpd.conf]

Apache tuning

Prefork tuning parameters:

Say,

Resident Memory Size = 8 MB (determined process memory when load testing)

Available Memory to use by Apache = 6 GB = 6114 B

Calculate:

MaxClients = 6114 MB / 8 MB = 768

ServerLimit = MaxClients

MaxRequestsPerChild 10000

KeepAlive On

KeepAliveTimeout 2

MaxKeepAliveRequests 100

Timeout 20

Adjust slow ramp up time on LTM to avoid flooding on webservers

Include http-default.conf

UseCanonicalName On

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" custom-interval

Apache commands

Custom script to start Apache (start_apache.sh)

#!/bin/sh

echo "------------------------"

echo "Verify Configuration"

echo "------------------------"

/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -t -S

echo "------------------------"

echo "Start Apache"

echo "------------------------"

/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -k start

echo "------------------------"

echo "List HTTP Processes"

echo "------------------------"

sleep 3

ps -ef | grep http

Custom script to stop Apache (stop_apache.sh)

#!/bin/sh

echo "------------------------"

echo "Stop Apache"

echo "------------------------"

/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -k stop

echo "------------------------"

echo " List HTTP Processes"

echo "------------------------"

sleep 3

ps -ef | grep http

rm /opt/apachelogs/*

List statically compiled modules

/opt/apache/bin/httpd -l or /opt/apache/bin/apachectl -l

Which mpm is used by apache?

/opt/apache/bin/apachectl -l

List all loaded modules

/opt/apache/bin/httpd -t -D DUMP_MODULES

Enable SSL in JBOSS

1) Create a keystore using keytool utility

#keytool can be found from Java runtime - /opt/jre1.6.0_18/bin/keytool

# Enter values as required

mkdir $JBOSS_HOME/ssl
cd $JBOSS_HOME/ssl

$ keytool -genkey -alias jboss -keyalg RSA -keystore jboss.keystore -validity 3650

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]:

What is the name of your organizational unit?

[Unknown]:

What is the name of your organization?

[Unknown]:

What is the name of your City or Locality?

[Unknown]:

What is the name of your State or Province?

[Unknown]:

What is the two-letter country code for this unit?

[Unknown]: US

Is valuescorrect?

[no]: yes

Enter key password for

(RETURN if same as keystore password):

Re-enter new password:

A .keystore file will be created in the current directory.

2) Update /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml with correct keystore values.

<Connector protocol="HTTP/1.1" SSLEnabled="true"

port="8443" address="${jboss.bind.address}"

scheme="https" secure="true" clientAuth="false"

keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore"

keystorePass="{your-password}" sslProtocol = "TLS" />

3) Restart the server. Test using https://{ip_address}:8443/context-root/filename.jsp

JBOSS/JON URLs

JBOSS
http://{ip_address}:8080/admin-console
http://{ip_address}:8080/jmx-console
http://{ip_address}:8080/web-console

http://{ip_address}:8080/web-console/status

JON
http://{ip_address}:7080
http://{ip_address}:7080/agentupdate/download
http://{ip_address}:7080/agentupdate/version
http://{ip_address}:7080/admin/test/email.jsp

Apache JBOSS integration

1) Download mod_jk module from

http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.28/i586/

2) Copy mod_jk-1.2.28-httpd-2.2.X.so to /opt/apacheconf

3) Edit the httpd.conf and add the following line

Include /opt/apacheconf/mod-jk.conf

4) Create /opt/apacheconf/mod-jk.conf file with the following content

LoadModule jk_module /opt/apacheconf/mod_jk-1.2.28-httpd-2.2.X.so

JkWorkersFile /opt/apacheconf/workers.properties

JkLogFile /opt/apachelogs/mod_jk.log

JkLogLevel info

JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

JkOptions +ForwardKeySize +ForwardURICompatUnparsed -ForwardDirectories

JkRequestLogFormat "%w %V %T"

JkMountFile /opt/apacheconf/uriworkermap.properties

JkShmFile /opt/apachelogs/jk.shm

JkMount status

#Order deny,allow

#Deny from all

#Allow from 127.0.0.1

</Location>

5) Create /opt/apacheconf/uriworkermap.properties file with the following content

# Simple worker configuration file

# Mount the Servlet context to the ajp13 worker

/jmx-console=loadbalancer

/jmx-console/*=loadbalancer

/web-console=loadbalancer

/web-console/*=loadbalancer

/testWeb/*=loadbalancer

!/testWeb/images/*=loadbalancer

6) Create /opt/apacheconf/workers.properties file with the following content

worker.list=loadbalancer,status

# Define Node1

# modify the host as your host IP or DNS name.

worker.node1.port=8009

worker.node1.host={jboss-server-ip-address goes here}

worker.node1.type=ajp13

worker.node1.lbfactor=1

worker.node1.prepost_timeout=10000 #Not required if using ping_mode=A

worker.node1.connect_timeout=10000 #Not required if using ping_mode=A

worker.node1.ping_mode=A #As of mod_jk 1.2.27

# worker.node1.connection_pool_size=10 (1)

# Define Node2

# modify the host as your host IP or DNS name.

#worker.node2.port=8009

#worker.node2.host= node2.mydomain.com

#worker.node2.type=ajp13

#worker.node2.lbfactor=1

#worker.node2.prepost_timeout=10000 #Not required if using ping_mode=A

#worker.node2.connect_timeout=10000 #Not required if using ping_mode=A

#worker.node2.ping_mode=A #As of mod_jk 1.2.27

# worker.node1.connection_pool_size=10 (1)

# Load-balancing behaviour

worker.loadbalancer.type=lb

#worker.loadbalancer.balance_workers=node1,node2

worker.loadbalancer.balance_workers=node1

# Status worker for managing load balancer

worker.status.type=status

The above configuration is to test with one app server functionally.

7) Update /opt/apacheconf/httpd-vhosts.conf with JkMount

Listen 9080

NameVirtualHost *

ServerName {server-name}

ServerAlias {alias}

JkMount /testWeb loadbalancer

JkMount /testWeb/* loadbalancer

</VirtualHost>

8) Update the following line to include jvmRoute in /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml

9) Restart Apache and JBOSS server

10) Test the web server URL http://{domain-name}/testWeb/test.jsp

Apache installation

Apache 2.2.14 installation on RHEL 5 (statically linked Apache binary)

Benefit of a statically built Apache server is that at compile time users have to examine all modules needed. This insures the smallest memory footprint for the Apache binary, and can also result in a more secure server by limiting exposure to loaded modules. Once you build and run your Apache binary, you will know exactly the memory footprint of each child or

worker

1) Create user

#useradd -m apacheadm

#passwd apacheadm

2) Login as apacheadm

3) Download httpd-2.2.14.tar.gz source distribution to /opt/software

4) Prepare for install

chmod 755 httpd-2.2.14.tar.gz

gunzip httpd-2.2.14.tar.gz

tar -xvf httpd-2.2.14.tar

rm httpd-2.2.14.tar

cd httpd-2.2.14

./configure --prefix=/opt/apache --enable-headers --enable-proxy --enable-rewrite --with-included-apr
make

Optional:

i) To include modules of your choice: ./configure --prefix=/opt/apache --with-included-apr --enable-ssl --enable-module=proxy

ii) Compile Apache for dynamic loading: ./configure --prefix=/opt/apache --enable-so

F5 LTM deployment guide for Apache

JON Agent installation

Prerequisite:

Install JRE6 Runtime environment

Download jre-6u18-linux-i586.bin from Sun website.

Copy to the install folder /opt

#./jre-6u18-linux-i586.bin

This should install JRE under directory jre1.6.0_18

1) Download agent from installed JON server

http://{ip_address}:7080/agentupdate/download

or Copy the file from JON Server location

/opt/jon-server-2.3.1.GA/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/rhq-enterprise-agent-1.3.1.GA.jar

Save the file rhq-enterprise-agent-1.3.1.GA.jar to /opt/software on JBOSS server

2) Install agent

# cd /opt/software

#java -jar rhq-enterprise-agent-1.3.1.GA.jar --install=/opt

3) Setup agent configuration

Edit /opt/rhq-agent/conf/agent-configuration.xml

Update the following with correct JON server address

Uncomment the following lines and edit the values to read as:

Optional line to uncomment.

Optional lines to uncomment. These two lines should be done together preferably and multicast should be supported by the network.

cd /opt/rhq-agent/bin

./rhq-agent.sh --config ../conf/agent-configuration.xml

If the setup flag is enabled as above, check agent logs.

If the setup flag is not enabled as above, you will see the following:

Agent Name [agent-server-name] :

Agent Hostname or IP Address [!*] :

Agent Port [16163] :

RHQ Server Hostname or IP Address [jon-server-name] :

RHQ Server Port [7080] :

Leave the above values to default as you have already edited agent config.

3) Check agent.log for messages

4) Start or stop agent in background

/opt/rhq-agent/bin/rhq-agent-wrapper.sh start

/opt/rhq-agent/bin/rhq-agent-wrapper.sh stop

/opt/rhq-agent/bin/rhq-agent.sh start

/opt/rhq-agent/bin/rhq-agent.sh stop

5) Update /opt/rhq-agent/bin/rhq-agent-env.sh to run the process in foreground or background with desired parameters

Oracle Express Edition (XE) database installation

Oracle installation

1. Download Oracle 10g Express Edition free version (oracle-xe-univ-10.2.0.1-1.0.i386.rpm).

Oracle docs are available at http://www.oracle.com/pls/xe102/homepage

2. Set Tuning Parameters

Edit vi /etc/sysctl.conf and add the following tuning parameters

--------------------------------------------------

# Parameters for Oracle 10g XE database

kernel.shmmax = 536870912

kernel.shmmni = 4096

kernel.shmall = 268435456

# SEMMSL, SEMMNS, SEMOPM, and SEMMNI

kernel.sem=250 32000 100 128

fs.file-max=65536

net.ipv4.ip_local_port_range=1024 65000

--------------------------------------------------

3. Installation

Copy oracle rpm to /opt/software/oracle-10g-express-universal

Login as root

#cd /opt/software/oracle-10g-express-universal

[root@bvaiiwq01 oracle-10g-express-universal]# rpm -ivh oracle-xe-univ-10.2.0.1-1.0.i386.rpm

Preparing... ########################################### [100%]

1:oracle-xe-univ ########################################### [100%]

Executing Post-install steps...

You must run '/etc/init.d/oracle-xe configure' as the root user to

configure the database.

[root@bvaiiwq01 oracle-10g-express-universal]# /etc/init.d/oracle-xe configure

Oracle Database 10g Express Edition Configuration

-------------------------------------------------

This will configure on-boot properties of Oracle Database 10g Express

Edition. The following questions will determine whether the database should

be starting upon system boot, the ports it will use, and the passwords that

will be used for database accounts. Press to accept the defaults.

Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:

Specify a port that will be used for the database listener [1521]:

Specify a password to be used for database accounts. Note that the same

password will be used for SYS and SYSTEM. Oracle recommends the use of

different passwords for each database account. This can be done after

initial configuration:

Confirm the password: oracle (or any password)

Do you want Oracle Database 10g Express Edition to be started on boot (y/n) [y]:y

Starting Oracle Net Listener...Done

Configuring Database...Done

Starting Oracle Database 10g Express Edition Instance...Done

Installation Completed Successfully.

To access the Database Home Page go to "http://{ip_address}:8080/apex"

4. Set Oracle environment parameters

cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin

. ./oracle_env.sh

5. Start the database

[root@bvaiiwq01 oracle-10g-express-universal]# /etc/init.d/oracle-xe start

Starting Oracle Database 10g Express Edition Instance.

6. Perform this step for providing remote web access console

[root@bvaiiwq01 client]# sqlplus system

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Mar 8 19:13:20 2010

Enter password:

Connected to:

Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL> EXEC DBMS_XDB.SETLISTENERLOCALACCESS(FALSE);

PL/SQL procedure successfully completed.

7. Access the database web console

To access the Database Home Page go to "http://{ip_address}:8080/apex"

user: system password: oracle (password set during install)

user:sysdba password: oracle (password set during install)

JON installation

JON 2.3.1 installation on Linux (RHEL 5)

1) Create required system user for JON installation

#useradd -m jbossadm

#passwd jbossadm

2) Install JRE6 Runtime environment

Download jre-6u18-linux-i586.bin from Sun website.

Copy to the install folder /opt

#./jre-6u18-linux-i586.bin

This should install JRE under directory jre1.6.0_18

3) Download required JON installable files

Download jon-server-2.3.1.GA.zip (JON) from RedHat

Download jon-plugin-pack-eap-2.3.1.GA.zip (JON for EAP) from RedHat

Download License with Monitoring (Right click and download XML)

Copy to the files to Unix server /opt/software

4) Peform Oracle installation

You can use required database of your choice. Oracle and Postgresql are supported right now.

5) Run these SQL scripts (should be run with dba priviliges - user: SYSTEM)

CREATE USER jon IDENTIFIED BY jon;

GRANT connect, resource TO jon;

show parameter db_block_size;

CONNECT sys/oracle AS sysdba;

GRANT SELECT ON sys.dba_pending_transactions TO jon;

GRANT SELECT ON sys.pending_trans$ TO jon;

GRANT SELECT ON sys.dba_2pc_pending TO jon;

GRANT EXECUTE ON sys.dbms_system TO jon;

6) Install JON

#cp /opt/software/jon-server-2.3.1.GA.zip /opt

#mkdir /opt/jon-server-2.3.1.GA

#unzip jon-server-2.3.1.GA.zip

7) Install JON EAP Plugin

Unzip jon-plugin-pack-eap-2.3.1.GA.zip to any temp location

From the extracted location, move the jar files to /opt/jon-server-2.3.1.GA/jbossas/server/default/deploy/rhq.ear.rej/rhq-downloads/rhq-plugins directory

Delete jon-plugin-pack-eap-2.3.1.GA temp directory

8) Update the .profile to set the environment variables

update the .bash_profile file to read as:

PATH=$PATH:$HOME/bin

JAVA_HOME=/opt/jre1.6.0_18

RHQ_SERVER_JAVA_HOME=$JAVA_HOME

RHQ_SERVER_HOME=/opt/jon-server-2.3.1.GA

export PATH=$JAVA_HOME/bin:$RHQ_SERVER_HOME/bin:$PATH

export RHQ_SERVER_JAVA_HOME RHQ_SERVER_HOME

cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin

. ./oracle_env.sh

cd ~

9) Start the server

/opt/jon-server-2.3.1.GA/bin/rhq-server.sh start

10) Continue JON Install

Access URL: http://localhost:7080 and click here to continue install

Database Type: oracle 10g

Database Connection URL: jdbc:oracle:thin:@172.25.32.120:1521:XE

Database JDBC Driver Class: oracle.jdbc.driver.OracleDriver

Database XA DataSource Class: oracle.jdbc.xa.client.OracleXADataSource

Database User Name: jon

Database Password: jon

Test connection

Install server

Wait for confirmation message

11) Access JON admin console

http://{ip_address}:7080/Login.do

default user name: rhqadmin

default password: rhqadmin

12) Update Parameters

#cd /opt/jon-server-2.3.1.GA/bin

#vi rhq-server.properties

uncomment java.rmi.server.hostname

Edit this section as approprite

# Email

rhq.server.email.smtp-host=ken-exfe2.ii-corpnet.com

rhq.server.email.smtp-port=25

rhq.server.email.from-address=rhqadmin@JON-QA

# Embedded RHQ Agent

rhq.server.embedded-agent.enabled=false

rhq.server.embedded-agent.name=

rhq.server.embedded-agent.reset-configuration=true

rhq.server.embedded-agent.disable-native-system=false

Wednesday, March 26, 2014

Thursday, February 20, 2014

Thursday, February 21, 2013

Wednesday, June 6, 2012

Friday, May 25, 2012

Thursday, March 31, 2011

Thursday, March 17, 2011

Friday, March 11, 2011

Thursday, March 10, 2011

Monday, December 13, 2010

Wednesday, December 8, 2010

Friday, December 3, 2010

Tuesday, November 23, 2010

Monday, November 15, 2010

Monday, November 8, 2010

Saturday, November 6, 2010

Thursday, October 7, 2010

Friday, September 10, 2010

Tuesday, August 24, 2010

Tuesday, August 17, 2010

Friday, August 13, 2010

Thursday, August 12, 2010

Monday, August 9, 2010

Friday, August 6, 2010

Friday, July 16, 2010

Monday, June 21, 2010

Wednesday, June 16, 2010

Friday, June 11, 2010

Thursday, June 3, 2010

Wednesday, June 2, 2010

Wednesday, May 12, 2010

Tuesday, May 4, 2010

Friday, April 30, 2010

Tuesday, April 6, 2010

Wednesday, March 31, 2010

Monday, March 29, 2010

Friday, March 26, 2010

Wednesday, March 24, 2010

Tuesday, March 23, 2010

Monday, March 22, 2010

Wednesday, March 17, 2010

Tuesday, March 16, 2010

Monday, March 15, 2010

Wednesday, March 10, 2010

Friday, February 26, 2010

About Me

Posts

Archives