Wednesday, March 26, 2014

JBOSS 5.1 GA Windows Startup Error

Problem
Installed JBOSS 5.1 GA on Windows 7
Executing run.sh -b 0.0.0.0 reported the following error.

15:44:39,691 INFO  [ServerInfo] VM arguments: -Dprogram.name=run.bat -Xms128M -Xmx512M -XX:MaxPermSize=256M -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dorg.jboss.resolver.warning=true -Djava.endorsed.dirs=C:\custom-programs\jboss-5.1.0.GA\lib\endorsed
15:44:39,712 INFO  [JMXKernel] Legacy JMX core initialized
15:44:40,608 ERROR [AbstractKernelController] Error installing to Instantiated: name=AttachmentStore state=Described
java.lang.IllegalArgumentException: Wrong arguments. new for target java.lang.reflect.Constructor expected=[java.net.URI] actual=[java.io.File]
        at org.jboss.reflect.plugins.introspection.ReflectionUtils.handleErrors(ReflectionUtils.java:395)
        at org.jboss.reflect.plugins.introspection.ReflectionUtils.newInstance(ReflectionUtils.java:153)
        at org.jboss.reflect.plugins.introspection.ReflectConstructorInfoImpl.newInstance(ReflectConstructorInfoImpl.java:106)

Solution
Edit server\default\conf\bootstrap\profile.xml

Change from 
<!-- The attachment store -->
<bean name="AttachmentStore" class="org.jboss.system.server.profileservice.repository.AbstractAttachmentStore">
<constructor><parameter><inject bean="BootstrapProfileFactory" property="attachmentStoreRoot" /></parameter></constructor>

to
<!-- The attachment store -->
<bean name="AttachmentStore" class="org.jboss.system.server.profileservice.repository.AbstractAttachmentStore">
<constructor><parameter class="java.io.File"><inject bean="BootstrapProfileFactory" property="attachmentStoreRoot" /></parameter></constructor>



Thursday, February 20, 2014

Wildfly 8 installation

Download software 8.0.0 Final (wildfly-8.0.0.Final.tar.gz) from http://www.wildfly.org/downloads/
gunzip wildfly-8.0.0.Final.tar.gz
tar -xvf wildfly-8.0.0.Final.tar
mv wildfly-8.0.0.Final wildfly-8.0.0
cd wildfly-8.0.0/bin
./standalone.sh -b 0.0.0.0

Thursday, February 21, 2013

Splunk - Logged in users


Search query to find out currently logged in users

index=_audit action="login attempt" "info=succeeded"

Wednesday, June 6, 2012

Splunk - Remove Index

To remove the index completely, purge the index and delete the index config from indexes.conf.

Friday, May 25, 2012

Splunk - Purge events based on age

Purge event data older than 30 days in a specific index.

Update indexes.conf 

[my-index]
coldPath = $SPLUNK_DB/my-index/colddb
homePath = $SPLUNK_DB/my-index/db
thawedPath = $SPLUNK_DB/my-index/thaweddb
frozenTimePeriodInSecs = 2592000



Thursday, March 31, 2011

Splunk - Map users to roles

1) Navigate to Manager > Access controls > Authentication method > LDAP Groups
2) Click on the group to select the roles desired. Ex: user
3) You can search for a user name from the top to identify the groups
4) If you do not see the required LDAP group, modify Group Base DN from Manager > Access controls > Authentication method > LDAP strategies > ActiveDirectory (or your LDAP)

Thursday, March 17, 2011

Setup X-Forwarded Proto in Apache

<VirtualHost *:80>
 RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

<VirtualHost *:443>
 RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

Apache SSL setup on Windows

Download the software and go through the default installation process. I downloaded the one with openssl -
Win32 Binary including OpenSSL 0.9.8o (MSI Installer)
Start Apache from the Programs menu.
By default, port 80 works.

To setup SSL, follow these instructions.
1) Uncomment the following lines from httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

2) Edit these lines from extra/httpd-ssl.conf file
 Add NameVirtualHost *:443 under Listen 443
 Modify <VirtualHost _default_:443> to <VirtualHost *:443>

3) Create a self-signed certificate using openssl.
Launch openssl from the Apache binary folder
a) OpenSSL> req -config c:\openssl.cnf -out c:\myserver.csr -new -newkey rsa:2048 -nodes -keyout c:\myserver-privkey.key
Fill out the required parameters.
b) openssl x509 -req -days 3000 -in c:\myserver.csr -signkey c:\myserver-privkey.key -out c:\myserver.crt

4) Update httpd-ssl.conf with the correct path for these attributes.
SSLCertificateFile "C:\apachessl\myserver.crt"
SSLCertificateKeyFile "C:\apachessl\myserver-privkey.key"

5) Restart server.

6) Access
http://localhost/ https://localhost/
There will be a certificate warning because the certificate is self-signed.


Common Issues:

Problem
Syntax error on line 56 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a
module not included in the server configuration
Note the errors or messages above, and press the <ESC> key to exit. 

Solution
Uncomment this line in httpd.conf.
LoadModule ssl_module modules/mod_ssl.so

Problem
Unable to load config info from /usr/local/ssl/openssl.cnf
Solution
OpenSSL requires a config file. Refer to step 3a) above to specify "-config c:\apache-conf-folder\openssl.cnf"

Problem
Syntax error on line 63 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
SSLSessionCache: Invalid argument: size has to be >= 8192 bytes
Note the errors or messages above, and press the <ESC> key to exit. 

Solution
The error message is due to the default installation path which is lengthy
Create a shortcut c:\apache2.2 pointing to C:\Program Files (x86)\Apache Software Foundation\Apache2.2 and update your configuration accordingly.

Friday, March 11, 2011

Splunk Credit Card Search

You can use this regex to list credit card patterns in tabular form.
* | rex field=_raw "(?<Visa>4[0-9]{12})" | rex field=_raw "(?<AMEX>3[47][0-9]{13})" | table Visa, AMEX

Splunk Credit Card Masking

Create/update /opt/splunk/etc/apps/search/local/props.conf file with the following content. The file should be placed in each splunk client or forwarder.

[source::.../*server.log]
SEDCMD-ccard = s/(4[0-9]{12}(?:[0-9]{3})?|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}|3(?:0[0-5]|[68][0-9])[0-9]{11}|5[1-5][0-9]{14})/xxxx-xxxx-xxxx-xxxx/g

... in source means server.log is searched under all directories
SEDCMD pretty much works like Unix sed.
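
The masking rule above, run over a few constructed log lines as an added example (not from the original post): it shows where the pattern masks too much and where it masks nothing. The stricter variant with digit boundaries and a Luhn checksum is an assumption added here, not a Splunk feature, and all sample numbers are constructed.

```python
import re

# Alternation copied from the SEDCMD-ccard line above (the text between "s/" and
# the replacement). The constructs it uses behave the same in Python's re module.
CC_ALTERNATION = (
    r"(4[0-9]{12}(?:[0-9]{3})?|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}"
    r"|(?:2131|1800|35\d{3})\d{11}|3(?:0[0-5]|[68][0-9])[0-9]{11}|5[1-5][0-9]{14})"
)
MASK = "xxxx-xxxx-xxxx-xxxx"

SEDCMD_RE = re.compile(CC_ALTERNATION)
# Assumption (not on the page): do not match inside a longer run of digits.
STRICT_RE = re.compile(r"(?<![0-9])" + CC_ALTERNATION + r"(?![0-9])")

# Constructed sample log lines.
SAMPLE_LINES = [
    "10:15:02 INFO payment ok card=4111111111111111 amount=25.00",  # test card number
    "10:15:03 INFO batch id=4000001234567 queued",                  # 13-digit id, not a card
    "10:15:04 INFO trace=5212345678901234567890 done",              # 22-digit trace id
    "10:15:05 INFO payment ok card=4111 1111 1111 1111 amount=25.00",  # spaced card number
]


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_like_sedcmd(line):
    """Apply the page's substitution exactly as written: s/<pattern>/MASK/g."""
    return SEDCMD_RE.sub(MASK, line)


def mask_strict(line):
    """Mask only whole digit runs that match the pattern and pass Luhn."""
    def repl(match):
        return MASK if luhn_ok(match.group(1)) else match.group(0)
    return STRICT_RE.sub(repl, line)


def compare(lines):
    """Return (original, sedcmd_result, strict_result) for each line."""
    return [(ln, mask_like_sedcmd(ln), mask_strict(ln)) for ln in lines]


if __name__ == "__main__":
    for original, sedcmd, strict in compare(SAMPLE_LINES):
        print("original:", original)
        print("  sedcmd:", sedcmd)
        print("  strict:", strict)
```

The last sample line is left untouched by both versions: a card number written with spaces or dashes never forms the contiguous digit run the pattern requires, so it reaches the index unmasked.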

Thursday, March 10, 2011

IBM ILOG Team Server Setup on JBOSS EAP 5.1

1) Download the software from IBM passport advantage website
a) IBM WebSphere ILOG BRMS JRules V7.1.1 for UNIX Multilingual(CZLX6ML) - JRules_V711_CZLX6ML.bin
b) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1 for UNIX Multilingual(CZM2UML) - RTS_V711_CZM2UML.bin
c) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1.1 for UNIX Multilingual(CZUW0ML) - RTS_V7111_CZUW0ML.bin
d) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1 for Multiplatform Multilingual(CZLY1ML) - JRules_JBoss_V711_CZLY1ML.jar
e) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1.1 for Multiplatform Multilingual(CZUW8ML) - JRules_JBoss_V7111_CZUW8ML.jar

2) Install JDK on the server and make sure Java runtime is set.

3) Install the ILOG software in the above order (a through e) and select the default install options
./JRules_V711_CZLX6ML.bin
./RTS_V711_CZM2UML.bin
./RTS_V7111_CZUW0ML.bin
java -jar JRules_JBoss_V711_CZLY1ML.jar
java -jar JRules_JBoss_V7111_CZUW8ML.jar
Note: These installations can happen on any other machine and ear file can be copied over to target team server.

4) Install JBOSS EAP 5.1 on server. I slimmed JBOSS to bare minimum with no admin or jmx console and deleted all additional packages. Follow the IBM ILOG infocenter instructions on cleaning up the environment under JBOSS section.
Some of the directories I deleted include
cd /opt/jboss-eap-5.1
rm -Rf mod_cluster picketlink resteasy seam
cd /opt/jboss-eap-5.1/jboss-as/server
rm -Rf production minimal all standard web


5) Create a local transaction data source (jdbc_ilogDataSource-ds.xml) with <jndi-name>jdbc/ilogDataSource</jndi-name>

6) Copy the jrules-teamserver-JBOSS5.ear from the teamserver directory to the deploy folder.
Expand the EAR file

7) If you have any custom groups to be added, append security roles to files
a) jrules-teamserver-JBOSS5.ear/META-INF/application.xml.
b) jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/web.xml
I have added two custom groups ilog-readonly and ilog-readwrite
  <security-role>
    <role-name>ilog-readonly</role-name>
  </security-role>
  <security-role>
    <role-name>ilog-readwrite</role-name>
  </security-role>

8) Add the following application security policy to jboss-eap-5.1/jboss-as/server/default/conf/login-config.xml
<application-policy name="jldap">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.provider.url">ldap://servername:389</module-option>
<module-option name="bindDN">CN=ldapbindid,OU=_Service Accounts,dc=something,dc=com</module-option>
<module-option name="bindCredential">ldapbindid-password</module-option>
<module-option name="baseCtxDN">DC=something,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=ILOG,OU=_SECURITY GROUPS,OU=something,DC=something,DC=COM</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="trace">true</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/ilog-users.properties</module-option>
<module-option name="rolesProperties">props/ilog-roles.properties</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>

9) Create these files under jboss-eap-5.1/jboss-as/server/default/conf/props directory
ilog-users.properties file is empty because we use LDAP authentication

ilog-roles.properties
user1=rtsUser,ilog-readonly
user2=rtsUser,ilog-readwrite
rtsAdmin=rtsAdministrator,rtsInstaller,ilog-readwrite
rtsConfig=rtsConfigManager,ilog-readwrite
ilogadminuser1=rtsAdministrator,rtsConfigManager,rtsInstaller,rtsUser

10) Update jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/web.xml to use the above application policy.
<jboss-web>
         <security-domain>java:/jaas/jldap</security-domain>
         <context-root>teamserver</context-root>
        <resource-ref>
                <res-ref-name>jdbc/ilogDataSource</res-ref-name>
                <jndi-name>java:/jdbc/ilogDataSource</jndi-name>
        </resource-ref>
</jboss-web>

11) Delete *jsf* JARs from jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

12) Place any Dynamic Domain jar under jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

13) Start the jboss ilog server

14) If your login is slow or you get IBM URL messages in logs, add the following line to /etc/hosts
127.0.0.1  publib.boulder.ibm.com

15) Access the team server
http://ip_addr:8080/teamserver

Splunk - Purge Data

http://www.splunk.com/base/Documentation/4.1.7/Admin/RemovedatafromSplunk
- To purge all indexed data
1. Stop splunk
$SPLUNK_HOME/bin/splunk stop
2. Purge all data
$SPLUNK_HOME/bin/splunk clean eventdata -f
(The -f option skips the prompt asking whether you really want to delete the index.)
This command deletes all the data in $SPLUNK_HOME/var/lib/splunk/
3. Start splunk
$SPLUNK_HOME/bin/splunk start

- If you want to purge a specific index, for example, "main" index
$SPLUNK_HOME/bin/splunk clean eventdata main -f

Monday, December 13, 2010

JBOSS session timeout

JBOSS session timeout is specified in $JBOSS_HOME/server/production/deployers/jbossweb.deployer/web.xml.
   <session-config>
      <session-timeout>30</session-timeout>
   </session-config>

The default session timeout in JBOSS is 30 minutes.

Wednesday, December 8, 2010

JBOSS transaction timeout

Transaction timeout is set in $JBOSS_HOME/server/production/deploy/transaction-jboss-beans.xml
 <property name="transactionTimeout">300</property>

Friday, December 3, 2010

Java Heap Dump

Take a Java heap dump using this command on a 64-bit server:

jmap -J-d64 -dump:format=b,file=/opt/jbosslogs/heap.hprof $java_pid

Tuesday, November 23, 2010

Tealeaf Password Masking

When you have custom form field names, user name and password are displayed when replaying session using Tealeaf viewer. You can mask the password value with the following steps.

1) Login into Tealeaf Portal
2) Tealeaf -> TMS
3) Master -> Transport Service -> Privacy Filter Configuration -> View/Edit (Raw)
4) Append a Rule to existing set of rules. You can position the rule as needed. Define an Action.
Place these lines into Raw file.

[Rule3]
Enabled=true
Actions=password_block

[password_block]
Action=Block
Field=j_password

In this case, my html form field name is j_password.

5) Save and restart transport service.

Monday, November 15, 2010

Tealeaf Capture Sessions for new website

Steps to add new website to track sessions through Tealeaf.

1) Login to PCP appliance URL.
http://ip_addr:8080/interface.php

2) Navigate to Filter Rules section.
Specify Host: {ip_address_of_website_to_monitor} Port1: 80 Port2: 443
Click Add and Save changes.
If you are not using SSL, no need to add port 443.

3) Setup SSL
If you are monitoring SSL, you need to have the private keys for decryption.
Log in to the physical host of the appliance.
It is recommended you have the keys in PEM format.
If you have private key in .key file, simply rename the file from .key to .pem extension.
Copy the private keys to /usr/local/ctccap/etc directory in Tealeaf capture device.

Execute these commands:
cd /usr/local/ctccap/etc
mv mycert.key mycert.pem (optional)
tealeaf pem2ptl mycert.pem
The PEM file will be converted to PTL format.
On successful conversion, you should see the message
pem2ptl: notice: Successfully converted PEM file "mycert.pem" to PTL file: mycert.ptl

4) Login to Capture device console again.
http://ip_addr:8080/keys.php
If you are already in the console, navigate to SSL Keys
Select private keys to view -> Check Loaded

Add a private key:
Label:myappname File:/usr/local/ctccap/etc/mycert.ptl
Click Add and Save changes.

Optional: You can also verify the configuration in /usr/local/ctccap/etc/ctc-conf.xml.

5) Restart Tealeaf capture device
# tealeaf stop capture
# tealeaf start capture


6) Your new website sessions should now be tracked in Tealeaf.
Login into the Tealeaf portal and search for your sessions. Restart portal just in case you have any issues.

Monday, November 8, 2010

JDK 32 or 64 bit

To find out if JDK is 32 or 64 bit, run java -version.

/opt/jdk/bin/java -version

A 64 bit JDK would output
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

A 32 bit JDK would output
java version "1.6.0_21"
Java(TM) SE Runtime Environment (build 1.6.0_21-b06)
Java HotSpot(TM) Server VM (build 17.0-b16, mixed mode)

If you don't see 64-Bit in your output, most probably the JDK is 32-bit.

Saturday, November 6, 2010

Splunk Search App Customization

By default, Splunk search option All time is selected. To change the default option,

1) Login to Splunk server
2) From App dropdown at the top right, choose Manage Apps
3) Click view configuration corresponding to search link
4) Click dashboard
5) Change the selected param to Last 15 minutes instead of All time.
       <module name="TimeRangePicker">
            <param name="selected">Last 15 minutes</param>
You can choose any of the text value from search dropdown.
6) Your default search value is 15 minutes!

Thursday, October 7, 2010

Tomcat

1) Tomcat installation on RHEL 5
Download the apache-tomcat-6.0.29.tar.gz and extract it to /opt folder

2) Change ports (if required)
If you would like to change ports from default Tomcat installation, edit /opt/apache-tomcat-6.0.29/conf/server.xml with desirable ports.

3) Security
Edit /opt/apache-tomcat-6.0.29/conf/tomcat-users.xml.
Add these lines
<role rolename="manager"/>
<user username="tomcatadm" password="tomcatadm" roles="manager"/>
Save

4) Start server
Execute /opt/apache-tomcat-6.0.29/bin/startup.sh

5) Hit
http://ip_address:8080/
Click on Tomcat Manager
Login using tomcatadm/tomcatadm and access manager

6) Enable Clustering
Uncomment the following line in server.xml
 <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

Friday, September 10, 2010

JBOSS ClassNotFoundException

Problem
java.lang.ClassNotFoundException: com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl

Solution
Download the Sun SAAJ jar, place it in profile/lib (e.g. production/lib) and restart the server.
One commonly available download location:
http://download.java.net/maven/1/com.sun.xml.messaging.saaj/jars/

Tuesday, August 24, 2010

JBOSS APR Error

Problem: 
Application reports APR exception as below
javax.servlet.ServletException: Not in a valid Comet configuration (use an APR or NIO connector)
at org.granite.gravity.jbossweb.AbstractHttpEventServlet.service(AbstractHttpEventServlet.java:217)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.ja

Solution:
Install JBOSS native libraries and set LD_LIBRARY_PATH
1) Download jboss-eap-native-5.0.1-RHEL5-i386.zip for Linux.
2) Extract the zip file to temporary location and move the native folder to jboss-eap-5.0.1 directory (one level above jboss home directory).
The structure looks like this.
jboss-eap-5.0.1
   |__jboss
   |__native
3) Update install account's profile (/home/jbossadm/.bash_profile)
Add this line to the .bash_profile 
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$JBOSS_HOME/../native/lib
4) Exit from Unix shell 
5) Restart JBOSS server

Tuesday, August 17, 2010

Port forwarding

iptables port forwarding can be used to direct requests from one port to another. It is extremely helpful in situations where you need to run your application as non-root but still need to serve the app on port 80. This also eliminates the need for root/sudo privileges.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000

To save the changes permanently, execute the save command.
service iptables save

To look at the saved configuration,
more /etc/sysconfig/iptables

You can also execute the stop and start commands as required.
service iptables stop
service iptables start

Friday, August 13, 2010

JBOSS Database Connection Leak

If you suspect that application code is leaking database connections, you can apply this fix.
From JBOSS deploy directory, edit Cached Connection Manager section in jca-jboss-beans.xml.

<bean name="CachedConnectionManager" class="org.jboss.resource.connectionmanager.CachedConnectionManager">
<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.jca:service=CachedConnectionManager", exposedInterface=org.jboss.resource.connectionmanager.CachedConnectionManagerMBean.class)</annotation>
<!-- Whether to track unclosed connections and close them -->
<property name="debug">true</property>
<!-- Whether to throw an error for unclosed connections (true) or just log a warning (false) -->
<property name="error">true</property>
  
<!-- The transaction manager -->
<property name="transactionManager"><inject bean="TransactionManager" property="transactionManager"/></property>
</bean>
--------------------------------------------------------------------------
The following message will be reported in the logs when unclosed connections are detected and closed.

ERROR [org.apache.catalina.connector.CoyoteAdapter] (http-172.22.85.83-8080-2) An exception or error occurred in the container during the request processing
javax.servlet.ServletException: Error invoking cached connection manager
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:174)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.resource.ResourceException: Some connections were not closed, see the log for the allocation stacktraces
at org.jboss.resource.connectionmanager.CachedConnectionManager.popMetaAwareObject(CachedConnectionManager.java:251)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:164)

Splunk Errors and Solutions

Problem
Splunk reports error "Your maximum disk usage quota has been reached. The search was not run" when doing searches.

Solution
 Login to Splunk.
 Click on Jobs link on top right corner.
 Delete the jobs and run search again.

Thursday, August 12, 2010

Tealeaf Report to track Apache and JBOSS servers

You can build a Tealeaf report template to identify which web and app servers are hit by the users. This can save your troubleshooting time and get to the root cause quickly.

I) Setup an Event
1) Launch RealiTeaPro viewer.
2) Navigate to Edit -> Event Editor -> Attributes
3) Create an Attribute jk-attr-webserver with Attribute Type as Text.

4) Navigate to Edit -> Event Editor -> Categories
5) Create a Category jk-ctg-webserver
 Flag: Active selected
 Match Type: 0-String pattern
 Case: Insensitive
 Encoding: No Translation
 Buffer: Request
 Start Tag: \njk-webserver-req-set-field=
 End Tag: \r

6) Navigate to Edit -> Event Editor -> Events
7) Create an Event jk-evt-webserver
Group: SysOps
Value Type: Default
Match Type: 16-Data is NOT null
Buffer: Filtered by Category
Flag: Interesting Event selected
Event Result Type: Text
Attribute Name: jk-attr-webserver
Category: jk-ctg-webserver

8) Save and Commit the changes.

II) Setup Privacy Filter
1) From the browser, login to Tealeaf portal.
http://{tealeaf-server}/portal/TMS.aspx
2) Navigate to WorldView -> Transport Service -> Privacy Filter configuration -> View/Edit Raw

3) Create or Edit one of the rules
[Rule3]
Enabled=true
Actions=IndexRemote_Addr, IndexRequest_Method, ReqSetTLTURL, ReqSetjk-action-webserver

4) Add the action 
[ReqSetjk-action-webserver]
Section=cookies
Action=ReqSet
Field=BIGipServer{cookienameforwebserver}
Inclusive=true
ReqSetField=jk-webserver-req-set-field
ReqSetSection=appdata

BIGipServer{cookienameforwebserver} is the cookie to read. You can find this field/cookie name in the Request data when replaying the Tealeaf session. In my case, BigIP LTM injects a cookie with prefix BIGipServer. This can be any cookie injected by the server.

5) Save the config
6) Click on Transport Service and restart.

III) Build a Tealeaf Report Template
1) From the browser, login to Tealeaf portal.
http://{tealeaf-server}/portal/SearchTemplateConfig.aspx
2) Create a new template 'Operations Template' or add the relevant columns to the existing template.

3) Add the WebServer column
Title: WebServer
Field: Session Attribute Value
Attribute: jk-attr-webserver
Operation: Display Field Value
4) Save.

Your report now displays the column titled WebServer with cookie value. With this cookie value, you can find out which server is being hit. The same procedure can be repeated to track JBOSS appserver by reading the corresponding cookie.

If you are using BigIP LTM, you can track the server using the cookie. Please refer to
http://techwaver.blogspot.com/2008/12/decode-bigip-cookie-to-identify-pool.html

Monday, August 9, 2010

JBOSS LDAP Password Encryption

Please make sure your JBOSS LDAP connection works fine with clear password before proceeding with encryption.

1) Create a mbean file named encrypt-service.xml and place it in the deploy folder.
encrypt-service.xml
------------------------------------------------------------------------------
   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security">
      <constructor>
         <arg type="java.lang.String" value="jk-ldap-security"></arg>
      </constructor>
      <attribute name="KeyStorePass">rchitect</attribute>
      <attribute name="Salt">rchitect</attribute>
      <attribute name="IterationCount">66</attribute>
   </mbean>
------------------------------------------------------------------------------
Note: The Salt value should be 8 bytes long. More than 8 bytes is not accepted at the moment.

2) Restart the server if required.

3) Login to jmx-console http://{ip-address}:8080/jmx-console/

4) From the left hand side navigation Object Name Filter, select jboss.security and click on the link domain=jk-ldap-security,service=JaasSecurityDomain

5) Go to Operation -> encode64 -> Type your LDAP Bind Password and click Invoke.
6) The encrypted password will be displayed on the screen. Please save this.
7) Update your login-config.xml 
Replace
<module-option name="bindCredential">clear-text-password</module-option>
with 
<module-option name="bindCredential">{encrypted-password-from-above}</module-option>
<module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security</module-option>
8) Restart the server.

Your ldap bind password is now encrypted!

9) As you can notice above, KeyStorePass is still in clear text form. In order to encrypt Keystore pass, create a file server.password in conf directory using the command below substituting with proper parameters.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword $saltvalue $iterationcountvalue $password $JBOSS_SERVER_HOME/conf/server.password
e.g.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.FilePassword rchitect 66 rchitect $JBOSS_SERVER_HOME/conf/server.password

10) Replace the clear text KeyStorePass with the following in encrypt-service.xml
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>

If you prefer not to use mbean for encryption, you can also use the following command to encrypt the ldap bind password.

java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils $saltvalue $iterationcountvalue $password $encryptpassword
e.g.
java -cp common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils rchitect 66 rchitect  ldap-bind-clear-password
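
A check for the end state of the procedure above, as an added example (not JBoss code and not from the original post): it reports any bindCredential without a jaasSecurityDomain option, any KeyStorePass not yet moved to a {CLASS} reference, and any login module pointing at a JaasSecurityDomain that is not deployed. The sample XML, the <policy> and <server> wrapper elements and ENCODED-VALUE-PLACEHOLDER are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the login-config.xml snippets on this page.
SAMPLE_LOGIN_CONFIG = """\
<policy>
  <application-policy name="jldap">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="bindDN">CN=ldapbindid,OU=_Service Accounts,dc=something,dc=com</module-option>
        <module-option name="bindCredential">ldapbindid-password</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="ldap-encrypted">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="bindDN">CN=bindid,OU=something,dc=something,dc=com</module-option>
        <module-option name="bindCredential">ENCODED-VALUE-PLACEHOLDER</module-option>
        <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

# Constructed encrypt-service.xml; @PASS@ is swapped for the two states of step 9/10.
MBEAN_TEMPLATE = """\
<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=JaasSecurityDomain,domain=jk-ldap-security">
    <constructor><arg type="java.lang.String" value="jk-ldap-security"/></constructor>
    <attribute name="KeyStorePass">@PASS@</attribute>
    <attribute name="Salt">rchitect</attribute>
    <attribute name="IterationCount">66</attribute>
  </mbean>
</server>
"""
SAMPLE_MBEAN_CLEAR = MBEAN_TEMPLATE.replace("@PASS@", "rchitect")
SAMPLE_MBEAN_FILE = MBEAN_TEMPLATE.replace(
    "@PASS@",
    "{CLASS}org.jboss.security.plugins.FilePassword:"
    "${jboss.server.home.dir}/conf/server.password",
)

JAAS_DOMAIN_CLASS = "org.jboss.security.plugins.JaasSecurityDomain"


def canonical(object_name):
    """JMX ObjectNames are equal regardless of key order, so compare as a set."""
    domain, _, props = object_name.partition(":")
    return domain, frozenset(p.strip() for p in props.split(","))


def audit(login_config_xml, service_xml):
    """Return (where, issue) tuples for secrets still stored in clear text."""
    findings = []
    deployed = set()
    for mbean in ET.fromstring(service_xml).iter("mbean"):
        if mbean.get("code") != JAAS_DOMAIN_CLASS:
            continue
        deployed.add(canonical(mbean.get("name")))
        attrs = {a.get("name"): (a.text or "").strip() for a in mbean.iter("attribute")}
        keystore_pass = attrs.get("KeyStorePass")
        # Step 10 on this page replaces the literal value with a {CLASS} reference.
        if keystore_pass is not None and not keystore_pass.startswith("{CLASS}"):
            findings.append((mbean.get("name"), "KeyStorePass in clear text"))

    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        for module in policy.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.iter("module-option")}
            if "bindCredential" not in opts:
                continue
            domain = opts.get("jaasSecurityDomain")
            if domain is None:
                # Without this option the module uses bindCredential as-is.
                findings.append((policy.get("name"), "bindCredential in clear text"))
            elif canonical(domain) not in deployed:
                findings.append((policy.get("name"), "jaasSecurityDomain not deployed"))
    return findings


if __name__ == "__main__":
    for where, issue in audit(SAMPLE_LOGIN_CONFIG, SAMPLE_MBEAN_CLEAR):
        print(f"{where}: {issue}")
```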

Friday, August 6, 2010

Splunk Dashboard

Splunk search dashboard summary displays sources, sourcetypes and hosts. These hosts will list your actual server name. If you would like to have user friendly name for your hosts, follow these steps.
1) Navigate to http://{splunk_agent_host}:8000 and login to Splunk agent on target host.
2) Manager -> System settings -> General settings -> Index settings.
3) Update the Default host name (optional) field to have user friendly name
4) SSH into splunk agent and run these commands
 $SPLUNK_HOME/bin/splunk stop
 $SPLUNK_HOME/bin/splunk clear all
 $SPLUNK_HOME/bin/splunk start
5) Login to Splunk server and check the dashboard for discovery of user friendly host.
Note: The password may get reset due to clear all command.
------------------------------------------------------------------------------

By default, Splunk dashboard lists 10 hosts. When you have a large number of hosts, navigating 10 hosts at a time might be cumbersome. To increase the number of hosts displayed,
1) Navigate to Manager -> User interface -> Views -> Select 'search' as app context from dropdown -> dashboard.
2) Update this block in the section after  <!-- The list of hosts -->
        <module name="Paginator">
            <param name="count">25</param>
            <param name="entityName">settings</param>
            <param name="maxPages">25</param>
            <module name="SearchLinkLister">
3) Restart splunk server

Friday, July 16, 2010

JBOSS LDAP Integration

JBOSS Active Directory LDAP Integration

1) Edit the required application policy in $JBOSS_SERVER_HOME/conf/login-config.xml
For example, if you want to secure the web-console application of jboss, edit the following application policy.

<application-policy name="ldap-encrypted">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.provider.url">ldap://{server_name}:389</module-option>
<module-option name="bindDN">CN=bindid,OU=something,dc=something,dc=com</module-option>
<module-option name="bindCredential">passwordgoeshere</module-option>
<module-option name="baseCtxDN">dc=something,dc=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">dc=something,dc=com</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="trace">true</module-option>
<module-option  name="java.naming.referral">follow</module-option>
<module-option  name="defaultRole">JBossAdmin</module-option>
</login-module>
</authentication>
</application-policy>

2) Please note that the role JBossAdmin defined above is referenced from WEB-INF/web.xml of the application.
   <security-role>
      <role-name>JBossAdmin</role-name>
   </security-role>

3) Please note that <application-policy name="web-console"> specified above is referenced from jboss-web.xml within app.
<jboss-web>
   <security-domain>java:/jaas/ldap-encrypted</security-domain>
   <depends>jboss.admin:service=PluginManager</depends>
</jboss-web>

Monday, June 21, 2010

Splunk forwarding and receiving

1) Install Splunk server
2) Install Splunk on host machines you want to monitor. Please have splunk forwarder license on the host.
3) Setup Splunk server as a receiver and the splunk on other target systems as forwarder

4) Setup Receiver
Navigate to Manager > Forwarding and Receiving > Receive data > Configure receiving > New
Set up port as 8090 or any available port
Restart splunk

5) Setup Forwarder
Navigate to Manager > Forwarding and Receiving > Forward data > Configure forwarding > New
Provide {splunk_server_ip_from_step4}:8090
Restart splunk

Note: If you are copying the Splunk install from one machine to another, please do this step
Login to Splunk
Navigate to Manager > System settings > General settings
Splunk server name and Default host name should match the host name
Save and restart.

Wednesday, June 16, 2010

JON LDAP integration

JON integration with Active Directory LDAP
1) Login into JON
2) Navigate to Administration > System Configuration > Settings
3) In the LDAP configuration Properties, update the following parameters
 Check the flag use LDAP Authentication
 URL: ldap://{active_directory_server_name}
 Username:{specify your bind id using complete dn}
 Search Base:{specify base dn}
 Login Property: sAMAccountName
 Click ok
4) Login into JON database (Oracle)
 Execute the query: select * from RHQ_SYSTEM_CONFIG
 Notice the property key for CAM_LDAP_BIND_PW has the default password. Update the password of Active Directory Bind Account.
SQL> update RHQ_SYSTEM_CONFIG set property_value='password' where property_key='CAM_LDAP_BIND_PW';
SQL> commit;
5) Restart JON
6) Login to JON admin as user default: rhqadmin
7) Create desired roles using Administration > Security > Roles.
8) Login using AD account and logout
9) Login using rhqadmin and assign AD user to the desired roles.
10) Login again using  AD account and perform operations

Friday, June 11, 2010

Splunk installation and LDAP integration

The installation steps are for RHEL 5 64 bit

1) Create user
#useradd -m splunkadm
#passwd splunkadm
Login as splunkadm

2) Install Splunk
Download splunk-4.1.3-80534-Linux-x86_64.tgz from splunk.com
Copy to /opt or install folder
#tar -xvf splunk-4.1.3-80534-Linux-x86_64.tgz
The contents will be extracted to /opt/splunk

3) Start Splunk
/opt/splunk/bin/splunk start
Launch the web console http://{ip_address}:8000
Login using user admin and password changeme

4) Check status
/opt/splunk/bin/splunk status

5) Import License
Navigate to Manager -> License. Paste your license.
Restart Splunk
/opt/splunk/bin/splunk restart

6) Email Settings
Navigate to Manager > System settings > Email alert settings
Set appropriate parameters. PDF report option can be selected.

7) Setup Authentication
a) Navigate to Manager > Access controls > Authentication method
Set appropriate parameters.
For Active Directory
Host: {your_ad_host}
Port: 389
Bind DN: {your_bind_user_id}
Bind DN Password: {your_bind_user_id_password}
User Base DN: {as appropriate}
User base filter: {Leave empty: set it later}

User name attribute: samaccountname
Real name attribute: cn
Group mapping attribute: dn
Group base DN: {as appropriate}
Group name attribute: cn
Group member attribute: member
Save

b) You should see a new link Configure LDAP role mapping
If you see any errors, correct the LDAP settings.
Click on the Configure LDAP role mapping link.
Select a group and assign the desired roles.

Thursday, June 3, 2010

JBOSS Clustering and Buddy Replication

1) Enable the buddy replication in JBOSS in
$JBOSS_SERVER_HOME/deploy/cluster/jboss-cache-manager.sar/META-INF/jboss-cache-manager-jboss-beans.xml

<property name="buddyReplicationConfig">
<bean class="org.jboss.cache.config.BuddyReplicationConfig">
<!--  Just set to true to turn on buddy replication -->
<property name="enabled">true</property>

2) In order for the HTTP session replication to work, make sure the application is distributable.

Please add this tag <distributable/> in WEB-INF/web.xml
 <distributable/>
</web-app>

Wednesday, June 2, 2010

Multicast addressing in JBOSS

Reference:
http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00802d4643.shtml

Wednesday, May 12, 2010

Using Apache mod_proxy and JBOSS

Add these lines to your apache conf file. Make sure you have proxy modules enabled in apache.

ProxyPass /myuri http://{specify jboss_ip or load balancer ip}:8080/myuri
ProxyPassReverse /myuri http://{specify jboss_ip or load balancer ip}:8080/myuri
# Preserves the domain name for applications that depend on the domain URL
ProxyPreserveHost On
ProxyTimeout 180
ProxyStatus On
SetEnv proxy-sendextracrlf 1
# Helps prevent 502 errors
SetEnv proxy-initial-not-pooled 1

You can use the same for ajp. The URL will be ajp://{specify jboss_ip or load balancer ip}:8009/myuri

Tuesday, May 4, 2010

JBOSS - Replace Hypersonic database with Oracle

1) Copy $JBOSS_HOME/docs/examples/jms/oracle-persistence-service.xml to $JBOSS_HOME/server/{your_profile}/deploy/messaging directory with no changes

2) Delete $JBOSS_HOME/server/{your_profile}/deploy/messaging/hsqldb-persistence-service.xml file

3) Delete $JBOSS_HOME/server/{your_profile}/deploy/hsqldb-ds.xml file

4) Create a datasource file (filename-ds.xml) under deploy directory with <jndi-name>DefaultDS</jndi-name>

5) Restart server

Friday, April 30, 2010

CAS Authentication setup on Tomcat

1) Download and extract Apache Tomcat to location /opt/apache-tomcat-6.0.26

2) Download CAS Server 3.4.2 final from 
http://www.jasig.org/cas/download

3) I imported cas.war into eclipse IDE to make the required changes.

4) Edit these parameters in WEB-INF/cas.properties
cas.securityContext.serviceProperties.service=https://mydomain.com/cas/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://mydomain.com/cas/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://mydomain.com/cas
host.name=cmydomain.com

Note: You can also use http instead of https for initial testing, and specify the port if you are running a standalone server. Ex: http://mydomain.com:8080/cas/services/j_acegi_cas_security_check

5) If you are using LDAP, edit WEB-INF/deployerConfigContext.xml with the following content. The following snippet is for using Microsoft Active Directory LDAP.

----------------------------------------------------------------

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>

      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
     </list>
   </property>
   <property name="authenticationHandlers">
    <list>
    <bean   class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
       <property name="httpClient" ref="httpClient" />
</bean>

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
      <property name="filter" value="sAMAccountName=%u" />
      <property name="contextSource" ref="contextSource" />
      <property name="searchBase" value="OU=something,DC=something,DC=com"/>
      <property name="ignorePartialResultException" value="yes" />
     </bean>
    </list>
   </property>
  </bean>

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
   <property name="pooled" value="false"/>
   <property name="urls"><list><value>ldap://{ldaphostname}:389/</value></list></property>
   <property name="userDn" value="{specify DN of your ldap bind ID}" />
   <property name="password" value="encrypted_password" />
   <property name="baseEnvironmentProperties">
        <map>
          <entry>
            <key><value>java.naming.security.authentication</value></key>
          <value>simple</value>
  </entry>
          <entry>
           <key><value>com.sun.jndi.ldap.connect.timeout</value></key>
           <value>10000</value>
         </entry>
         <entry>
           <key><value>com.sun.jndi.ldap.read.timeout</value></key>
           <value>10000</value>
         </entry>
       </map>
  </property>
</bean>

<sec:user-service id="userDetailsService">
    <sec:user name="someusername" password="notused" authorities="ROLE_ADMIN" />
</sec:user-service>
----------------------------------------------------------------


6) You can replace the default header and footer by replacing WEB-INF/view/jsp/default/ui/includes/bottom.jsp and top.jsp.

7) Customize WEB-INF/view/jsp/default/ui/casLoginView.jsp with your content

8) Replace the logo image referenced in file WebContent/css/cas.css
 /* HEADER --------------------------------- */
#header {position:relative; top:0; left:0; padding-top:52px; background:#fff url(../images/your-logo.jpeg) no-repeat scroll 25px 10px;}

9) Export the war file from Eclipse as cas.war and copy to webapps folder in tomcat server.

10) Optional: Edit server.xml file with these lines
 <Engine name="Catalina" defaultHost="mydomain.com">
 <Host name="mydomain.com"  appBase="webapps"

11) Start tomcat in debug mode '/opt/apache-tomcat-6.0.26/bin/catalina.sh run debug' to capture any errors in case there are any issues.

12) If authentication is successful, you can use startup.sh and shutdown.sh tomcat scripts.

Tuesday, April 6, 2010

JBOSS operations script

The scripts are tested on RHEL 5

start_jboss.sh (for clustered environment)
--------------------------------------------------------------------------
JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MaxPermSize=256m
-Dorg.jboss.resolver.warning=true
-Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000
-Dsun.lang.ClassLoader.allowArraySyntax=true"
JAVA_OPTS="$JAVA_OPTS {you can add your custom JVM / application properties here}"

MULTICAST_ADDR={specify multicast addr}
BIND_ADDR=`getip.sh`
PARTITION=appname-partition1
SERVER={specify profile name}
SERVER_PEER_ID=`getserverpeerid.sh`

$JBOSS_HOME/bin/run.sh -b $BIND_ADDR -c $SERVER -g $PARTITION -u $MULTICAST_ADDR -Djboss.messaging.ServerPeerID=$SERVER_PEER_ID $JAVA_OPTS
echo "JBOSS start operation completed"
--------------------------------------------------------------------------
Note: One of the reasons to pass JVM arguments in the startup script is because the same startup script can be used for all servers in the cluster. Any parameter change can be made in this single file. You can also specify it in run.conf but you might want to sync run.conf in all servers.

getip.sh 
--------------------------------------------------------------------------
grep IPADDR /etc/sysconfig/network-scripts/ifcfg-eth0  |awk -F= '{print $2}'
--------------------------------------------------------------------------

getserverpeerid.sh 
--------------------------------------------------------------------------
HOST=`cat /proc/sys/kernel/hostname`
echo ${HOST:(-2)}
--------------------------------------------------------------------------
Note: You can customize the script to provide a numeric server peer id. This script takes the last two characters of the host name, which should be digits.
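Added example (not part of the original scripts): a POSIX shell variant of getserverpeerid.sh that takes all trailing digits of the host name, strips leading zeros, fails when the name does not end in a digit, and reports hosts whose derived IDs collide. The function names and the host names in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and host names
# are hypothetical.

# peer_id_from_host HOSTNAME
# Prints the trailing digits of the short host name with leading zeros
# removed. Returns 1 (and prints nothing) if the name does not end in a digit.
peer_id_from_host() (
    host=${1%%.*}               # drop any domain suffix
    digits=${host##*[!0-9]}     # remove everything up to the last non-digit
    if [ -z "$digits" ]; then
        exit 1
    fi
    # Strip leading zeros so "07" is passed as 7, but keep a lone "0".
    while [ "${#digits}" -gt 1 ] && [ "${digits#0}" != "$digits" ]; do
        digits=${digits#0}
    done
    echo "$digits"
)

# find_peer_id_collisions HOST...
# Prints "ID first-host second-host" for every ID derived from more than one
# host and "invalid HOST" for hosts without a numeric suffix.
# Returns 1 if anything was reported, 0 if every host gets its own ID.
find_peer_id_collisions() (
    set -f                      # no pathname expansion while splitting $seen
    seen="" status=0
    for host in "$@"; do
        if ! id=$(peer_id_from_host "$host"); then
            echo "invalid $host"
            status=1
            continue
        fi
        for entry in $seen; do
            if [ "${entry%%=*}" = "$id" ]; then
                echo "$id ${entry#*=} $host"
                status=1
            fi
        done
        seen="$seen $id=$host"
    done
    exit "$status"
)

# Usage in start_jboss.sh (sketch):
#   SERVER_PEER_ID=$(peer_id_from_host "$(cat /proc/sys/kernel/hostname)") || exit 1
```

Run find_peer_id_collisions once over the full list of cluster host names before rollout; two hosts such as app01 and db01 would otherwise end up with the same ID.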

Wednesday, March 31, 2010

JVM options

Use these JVM options as applicable for your environment

-XX:+AggressiveOpts
-XX:+DoEscapeAnalysis
-XX:+UseLargePages

Linux Tuning Optimization

1) Commands to check current settings before updating sys parameters
---------------------------------------------------------
cat /proc/sys/fs/file-max

ulimit -n

cat /proc/sys/net/core/rmem_default
cat /proc/sys/net/core/wmem_default
cat /proc/sys/net/core/rmem_max
cat /proc/sys/net/core/wmem_max

/sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 
          inet addr: Bcast: Mask:
          inet6 addr: fe80::250:56ff:febf:7f5a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9313376 errors:0 dropped:0 overruns:0 frame:0

cat /proc/sys/kernel/shmmax 
cat /proc/sys/vm/nr_hugepages 
---------------------------------------------------------

2) Edit /etc/sysctl.conf and append these values
---------------------------------------------------------
# Set File Max
fs.file-max=102642

# Increase default socket send and receive buffers
net.core.rmem_default=262122

net.core.wmem_default=262122
net.core.rmem_max=262122
net.core.wmem_max=262122
---------------------------------------------------------

3) Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and append MTU
# recommended for gigabit ethernet to reduce packet fragmentation
MTU=9000

4) echo 2147483647 > /proc/sys/kernel/shmmax or update sysctl.conf
5) echo 1000 > /proc/sys/vm/nr_hugepages

6) Edit /etc/limits.conf and set ulimit value

JBOSS virtual hosts

Edit /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml to include your virtual hosts.

<Engine name="jboss.web" defaultHost="vhosts-mydomain">
   <Host name="vhosts-mydomain">
      <Alias>www.mydomain.com</Alias>
      <Alias>secure.mydomain.com</Alias>
      <Alias>somename.mydomain.com</Alias>
   </Host>
</Engine>

JBOSS thread dump using jstack

To take a thread dump of a running Java process in JBOSS, find the process id (pid):
ps -ef | grep java
jstack {pid} > thread-dump.log

Monday, March 29, 2010

JBOSS Encrypt passwords

To encrypt the passwords stored in JBOSS configuration files:

1) Create a script: encrypt_password.sh with the content
------------------------------------------------------------
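cd "$JBOSS_HOME" || exit 1
echo "Please enter the password to be encrypted"
# -r keeps backslashes in the password literal
read -r password
# Quote the value so spaces and shell metacharacters reach the tool intact
java -cp lib/jboss-logging-spi.jar:common/lib/jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule "$password"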
------------------------------------------------------------

2) Execute the script.
Ex:
./encrypt_password.sh

Please enter the password to be encrypted
test
Encoded password: 48e90df5bc00051e

Friday, March 26, 2010

Using Apache mod_jk with BigIP LTM and JBOSS

1) Make sure your JBOSS is running and listening on AJP port 8009

2) LTM Load Balancer Configuration
a) Create a TCP monitor jboss-tcp-monitor using parent profile TCP
b) Create a Virtual Server with port 8009
c) Create a Pool
d) Create a Pool member with port 8009. The member will be JBOSS server IP and port 8009
e) Associate Pool with jboss-tcp-monitor
Reference: 
http://jbossadmin.blogspot.com/2010/03/ltm-configuration-for-apache.html

3) Configure mod_jk in apache
Reference: http://jbossadmin.blogspot.com/2010/03/apache-jboss-integration.html
Update these values to read as

worker.node1.port=8009
worker.node1.host={ltm-loadbalancer-vip}
worker.node1.type=ajp13

4) Test the browser website URL

Wednesday, March 24, 2010

JBOSS Oracle XA Datasource Configuration

1) Copy the sample file from /opt/jboss-eap-5.0/jboss-as/docs/examples/jca/oracle-xa-ds.xml.

Note: For Oracle 10g, the type mapping name Oracle9i is used.

Rename the file as required and edit to read as follows
<?xml version="1.0" encoding="UTF-8"?>
<!-- ===================================================================== -->
<!-- ATTENTION:  DO NOT FORGET TO SET Pad=true IN transaction-service.xml  -->
<!-- ===================================================================== -->

<datasources>
  <xa-datasource>
    <jndi-name>jdbc/{your-jndi-name}</jndi-name>
    <!-- uncomment to enable interleaving <interleaving/> -->
    <isSameRM-override-value>false</isSameRM-override-value>
    <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
    <xa-datasource-property name="URL">jdbc:oracle:thin:@{db-server-name}:1526:{db-name}</xa-datasource-property>

    <xa-datasource-property name="User">{db-user-name}</xa-datasource-property>

    <xa-datasource-property name="Password">{db-password}</xa-datasource-property>
    <valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleValidConnectionChecker</valid-connection-checker-class-name>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <no-tx-separate-pools/>
      <metadata>
         <type-mapping>Oracle9i</type-mapping>
      </metadata>
  </xa-datasource>

  <mbean code="org.jboss.resource.adapter.jdbc.vendor.OracleXAExceptionFormatter"
         name="jboss.jca:service=OracleXAExceptionFormatter">
    <depends optional-attribute-name="TransactionManagerService">jboss:service=TransactionManager</depends>
  </mbean>
</datasources>

2) Copy the ojdbc14_g.jar (oracle jdbc client jar) to location /opt/jboss-eap-5.0/jboss-as/server/default/lib
3) Copy {filename}-ds.xml file to /opt/jboss-eap-5.0/jboss-as/server/default/deploy or any directory defined in bootstrap/profile.xml
4) Restart the server if required. You should automatically see the data sources through the console.

5) If you want to encrypt the data source login information

5a) Edit /opt/jboss-eap-5.0/jboss-as/server/default/conf/login.xml and append the following application policy inside policy tags.
<application-policy name="{your-policy-name}">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username">ejb</module-option>
<module-option name="password">{db-encrypted-password}</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/{your-jndi-name},service=XATxCM</module-option>
</login-module>
</authentication>
</application-policy>
where jboss.jca:name=jdbc/{your-jndi-name} is the same value defined in oracle-ds file

5b) Edit oracle-xa-ds.xml file.
Replace these lines

   <xa-datasource-property name="User">{db-user-name}</xa-datasource-property>
   <xa-datasource-property name="Password">{db-password}</xa-datasource-property>
with 
   <security-domain>{your-policy-name}</security-domain>

5c) Restart the server

JBOSS Application deployment

1) Standalone server
Copy or move war files to the deploy directory configured in /opt/jboss-eap-5.0/jboss-as/server/default/conf/bootstrap/profile.xml



${jboss.server.home.url}conf/bindingservice.beans
${jboss.server.home.url}conf/jboss-service.xml
${jboss.server.home.url}deployers

${jboss.server.home.url}deploy
file:///opt/customApps

${jboss.server.data.dir}/attachments

2) Farm (for clustered environment)
Farming is enabled by default in JBOSS environments
The configuration files related to farming are located in
/opt/jboss-eap-5.0/jboss-as/server/all/deploy/cluster/farm-deployment-jboss-beans.xml
/opt/jboss-eap-5.0/jboss-as/server/all/deploy/cluster/timestamps-jboss-beans.xml

3) Enable Hot Deployment
Refer to the config file /opt/jboss-eap-5.0/jboss-as/server/default/deploy/hdscanner-jboss-beans.xml for scan frequency and other settings.

4) Disable Hot Deployment
Remove the file /opt/jboss-eap-5.0/jboss-as/server/default/deploy/hdscanner-jboss-beans.xml to disable hotdeploy

Slim JBOSS

Slim configuration based on production profile:

# Following directories can be deleted from JBOSS at will.
rm -Rf /opt/jboss-eap-5.0/resteasy
rm -Rf /opt/jboss-eap-5.0/seam

rm -Rf /opt/jboss-eap-5.0/jboss-as/client
rm -Rf /opt/jboss-eap-5.0/jboss-as/docs

# Any unused profiles can be deleted from this location
/opt/jboss-eap-5.0/jboss-as/server

# Remove EJB services
cd $JBOSS_SERVER_HOME/deploy
rm ejb*.xml
cd $JBOSS_SERVER_HOME/deployers
rm jboss-ejb3-*.jar

# Remove JUDDI 7
cd $JBOSS_SERVER_HOME/deploy
rm -Rf juddi-service.sar
# Remove Key Generator
rm -Rf uuid-key-generator.sar

# Turn off hot deployment
rm hdscanner-jboss-beans.xml

Temp/Log directories that can be deleted on startup
/opt/jboss-eap-5.0/jboss-as/server/log/*
/opt/jboss-eap-5.0/jboss-as/server/temp/*
/opt/jboss-eap-5.0/jboss-as/server/work/*
/opt/jboss-eap-5.0/jboss-as/server/data/*

JON Configuration

Linux Server Configuration

Navigate to Linux Server -> Inventory -> Connection -> Edit
Enable Content Delivery
Enable Internal Yum Server
Specify Yum Server Port

Under Event Logs
Add New

Log Tracking Enabled: Yes
Minimum Severity: Information
Log Tracking Type: File
Syslog File Path:  /var/log/messages

JBOSS Configuration
Navigate to JBOSS server from JON console
JBOSS server -> Inventory -> Connection -> Edit

Provide additional info:

Principal: admin
Credentials: jboss
Start script: /home/jbossadm/scripts/start_jboss.sh (you can provide direct path to run.sh or custom start script)
Stop script: /home/jbossadm/scripts/stop_jboss.sh (you can provide direct path to shutdown.sh or custom stop script)
Shutdown Method: shutdown script
Bind Address: {jboss-server-ip-addr}
Java Home: /opt/jre1.6.0_18



Tuesday, March 23, 2010

Reload JON configuration

./rhq-agent.sh --cleanconfig -c conf/agent-configuration.xml
or
./rhq-agent.sh -l -c conf/agent-configuration.xml

External Links

Download connectors for Apache
http://svn.hyperic.org/?root=Hyperic+HQ+Connectors

JBOSS supported configurations
http://www.jboss.com/products/platforms/application/supportedconfigurations/

JBOSS Profiler
http://labs.jboss.com/jbossprofile

Multicast address assignment
http://www.29west.com/docs/THPM/multicast-address-assignment.html

Test Multicast
http://www.jgroups.org/

JON Agent update

To update IP address, run the command
setconfig rhq.communications.connector.bind-address={new-ip-addr}
(or)
Update agent-configuration file if required and follow --cleanconfig steps.
Restart Agent.

JON - Create Dyna groups

Dyna group is similar to logical group.

Create Dyna Group
Groups -> New group definition

To group all RHQ agents,
Name: custom-AgentGroup
Expression:

resource.type.plugin = RHQAgent
resource.type.name = RHQ Agent

Recursive: true

Calculate groups manually which will discover resources based on the Expression
Set Interval for automatic recalculation

JON Agent commands

Reload JON agent configuration

./rhq-agent.sh --cleanconfig -c conf/agent-configuration.xml
or
./rhq-agent.sh -l -c conf/agent-configuration.xml

Force discovery of agent
/opt/jon-server-2.3.1.GA/bin/rhq-agent.sh
> discovery -f  


JON agent operations
/opt/jon-server-2.3.1.GA/bin/rhq-agent.sh
> start
> shutdown

Oracle - Login as sysdba with lost sysdba password

cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin
. ./oracle_env.sh
export ORACLE_SID=XE


-bash-3.2$ sqlplus

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 23 11:31:46 2010

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Enter user-name:
-bash-3.2$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 23 11:31:53 2010

Copyright (c) 1982, 2005, Oracle.  All rights reserved.


Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL>

Monday, March 22, 2010

JON Activities

Modify Server Configuration using file:
/opt/jon-server-2.3.1.GA/bin/rhq-server.properties

Test Email configuration, agents, sql etc..
http://{ip_addr}:7080/admin/test/email.jsp

Uninventory resources
Resources -> Platform -> Uninventory the required resource



Apache JON integration

1) Install JON agent. It is better to install JON agent using the same account as Apache install.

2) Import the server/agent into JON

3) Navigate to Host -> Inventory -> Manually add Apache HTTP server -> Specify required parameters.
Server Root: /opt/apache
Config File: /opt/apacheconf/httpd.conf
SNMP Agent: {apache-server-ip-address}
SNMP Agent Port: 1691 (or applicable to your environment)
Error Log File Path: /opt/apachelogs/error_log

4) Navigate to the auto discovery queue and import Apache manually.

5) Enable RT metrics (optional)
Login to JON
Administration > System Configuration > Templates | Apache HTTP Server > Apache Virtual
Host-> Edit Metric Template
Select HTTP Response Time
Select Update schedules for existing resources of marked type
Specify "Collection Interval for Selected"
Hit Start (>) button

Enable mod_headers in Apache


#cd /opt/software/httpd-2.2.14/modules/metadata
#/opt/apache/bin/apxs -i -a -c mod_headers.c

Output:
/opt/apache/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -O2 -pthread -I/opt/apache/include -I/opt/apache/include -I/opt/apache/include -c -o mod_headers.lo mod_headers.c && touch mod_headers.slo
/opt/apache/build/libtool --silent --mode=link gcc -o mod_headers.la -rpath /opt/apache/modules -module -avoid-version mod_headers.lo
/opt/apache/build/instdso.sh SH_LIBTOOL='/opt/apache/build/libtool' mod_headers.la /opt/apache/modules
/opt/apache/build/libtool --mode=install cp mod_headers.la /opt/apache/modules/
cp .libs/mod_headers.so /opt/apache/modules/mod_headers.so
cp .libs/mod_headers.lai /opt/apache/modules/mod_headers.la
cp .libs/mod_headers.a /opt/apache/modules/mod_headers.a
chmod 644 /opt/apache/modules/mod_headers.a
ranlib /opt/apache/modules/mod_headers.a
PATH="$PATH:/sbin" ldconfig -n /opt/apache/modules
chmod 755 /opt/apache/modules/mod_headers.so
[activating module `headers' in /opt/apache/conf/httpd.conf]

Wednesday, March 17, 2010

Apache tuning

Prefork tuning parameters:

Say,
Resident Memory Size = 8 MB (determined process memory when load testing)
Available Memory to use by Apache = 6 GB = 6144 MB

Calculate:
MaxClients = 6144 MB / 8 MB = 768
ServerLimit = MaxClients

ServerLimit 768
StartServers 512
MinSpareServers 50
MaxSpareServers 100
MaxClients 768
MaxRequestsPerChild 10000

KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100
Timeout 20

Adjust slow ramp up time on LTM to avoid flooding on webservers


Include http-default.conf
UseCanonicalName On

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" custom-interval

Tuesday, March 16, 2010

Apache commands

Custom script to start Apache (start_apache.sh)

#!/bin/sh
echo "------------------------"
echo "Verify Configuration"
echo "------------------------"
/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -t -S

echo "------------------------"
echo "Start Apache"
echo "------------------------"

/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -k start

echo "------------------------"
echo "List HTTP Processes"
echo "------------------------"
sleep 3
ps -ef | grep http

Custom script to stop Apache (stop_apache.sh)
#!/bin/sh

echo "------------------------"
echo "Stop Apache"
echo "------------------------"
/opt/apache/bin/httpd -f /opt/apacheconf/httpd.conf -k stop

echo "------------------------"
echo " List HTTP Processes"
echo "------------------------"
sleep 3
ps -ef | grep http

rm /opt/apachelogs/*

List statically compiled modules
/opt/apache/bin/httpd -l or /opt/apache/bin/apachectl -l

Which mpm is used by apache?
/opt/apache/bin/apachectl -l

List all loaded modules
/opt/apache/bin/httpd -t -D DUMP_MODULES

Enable SSL in JBOSS

1) Create a keystore using keytool utility

#keytool can be found from Java runtime - /opt/jre1.6.0_18/bin/keytool
# Enter values as required

mkdir $JBOSS_HOME/ssl
cd $JBOSS_HOME/ssl

$ keytool -genkey -alias jboss -keyalg RSA -keystore jboss.keystore -validity 3650
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: US
Is valuescorrect?
[no]: yes

Enter key password for
(RETURN if same as keystore password):
Re-enter new password:

The jboss.keystore file will be created in the current directory.

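2) Update /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml with the correct keystore values. keystoreFile must point to the location of the jboss.keystore file created in step 1, and keystorePass must match its password.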

<Connector protocol="HTTP/1.1" SSLEnabled="true"

port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore"
keystorePass="{your-password}" sslProtocol = "TLS" />

3) Restart the server. Test using https://{ip_address}:8443/context-root/filename.jsp

JBOSS/JON URLs

JBOSS
http://{ip_address}:8080/admin-console
http://{ip_address}:8080/jmx-console
http://{ip_address}:8080/web-console
http://{ip_address}:8080/web-console/status

JON
http://{ip_address}:7080
http://{ip_address}:7080/agentupdate/download
http://{ip_address}:7080/agentupdate/version
http://{ip_address}:7080/admin/test/email.jsp







Monday, March 15, 2010

Apache JBOSS integration

1) Download mod_jk module from
http://www.gtlib.gatech.edu/pub/apache/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.28/i586/

2) Copy mod_jk-1.2.28-httpd-2.2.X.so to /opt/apacheconf

3) Edit the httpd.conf and add the following line
Include /opt/apacheconf/mod-jk.conf

4) Create /opt/apacheconf/mod-jk.conf file with the following content
LoadModule jk_module /opt/apacheconf/mod_jk-1.2.28-httpd-2.2.X.so
JkWorkersFile /opt/apacheconf/workers.properties
JkLogFile /opt/apachelogs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkOptions +ForwardKeySize +ForwardURICompatUnparsed -ForwardDirectories
JkRequestLogFormat "%w %V %T"

JkMountFile /opt/apacheconf/uriworkermap.properties
JkShmFile /opt/apachelogs/jk.shm

<Location /jkstatus>
JkMount status
#Order deny,allow
#Deny from all
#Allow from 127.0.0.1
</Location>

5) Create /opt/apacheconf/uriworkermap.properties file with the following content
# Simple worker configuration file
# Mount the Servlet context to the ajp13 worker
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
/testWeb/*=loadbalancer
!/testWeb/images/*=loadbalancer

6) Create /opt/apacheconf/workers.properties file with the following content
worker.list=loadbalancer,status
# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.port=8009
worker.node1.host={jboss-server-ip-address goes here}
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.prepost_timeout=10000 #Not required if using ping_mode=A
worker.node1.connect_timeout=10000 #Not required if using ping_mode=A
worker.node1.ping_mode=A #As of mod_jk 1.2.27
# worker.node1.connection_pool_size=10 (1)

# Define Node2
# modify the host as your host IP or DNS name.
#worker.node2.port=8009
#worker.node2.host= node2.mydomain.com
#worker.node2.type=ajp13
#worker.node2.lbfactor=1
#worker.node2.prepost_timeout=10000 #Not required if using ping_mode=A
#worker.node2.connect_timeout=10000 #Not required if using ping_mode=A
#worker.node2.ping_mode=A #As of mod_jk 1.2.27
# worker.node1.connection_pool_size=10 (1)

# Load-balancing behaviour
worker.loadbalancer.type=lb
#worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.balance_workers=node1

# Status worker for managing load balancer
worker.status.type=status

The above configuration is to test with one app server functionally.

7) Update /opt/apacheconf/httpd-vhosts.conf with JkMount
Listen 9080
NameVirtualHost *
<VirtualHost *>
ServerName {server-name}
ServerAlias {alias}
JkMount /testWeb loadbalancer
JkMount /testWeb/* loadbalancer
</VirtualHost>

8) Update the following line to include jvmRoute in /opt/jboss-eap-5.0/jboss-as/server/default/deploy/jbossweb.sar/server.xml

<Engine name="jboss.web" defaultHost="localhost" jvmRoute="domain-name-goes-here">

9) Restart Apache and JBOSS server

10) Test the web server URL http://{domain-name}/testWeb/test.jsp
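Added example (not part of the original post): the mount rules in uriworkermap.properties from step 5 decide which URIs Apache hands to JBoss, including the management consoles listed under "JBOSS/JON URLs". This POSIX shell sketch models that lookup so the exposure can be checked before deployment. It is not mod_jk's own matcher: it assumes only exact and '*' rules, that the longest matching mount wins, and that a '!' rule excludes the URI for the named worker; JkMount lines in httpd-vhosts.conf are not modelled, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Simplified model of the
# uriworkermap.properties lookup; function names are hypothetical.

# Constructed sample input: the map from step 5.
SAMPLE_MAP='# Simple worker configuration file
# Mount the Servlet context to the ajp13 worker
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
/testWeb/*=loadbalancer
!/testWeb/images/*=loadbalancer'

# JBoss management paths taken from the URL list on this page.
MGMT_URIS='/admin-console /jmx-console /jmx-console/HtmlAdaptor /web-console /web-console/status'

# resolve_worker MAP_TEXT URI
# Prints the worker that would receive URI, or "none" when no mount matches
# or an exclusion rule removes the match.
resolve_worker() (
    set -f                      # keep '*' literal when splitting $excluded
    map=$1 uri=$2 best="" best_len=0 excluded=""
    # Drop comments, whitespace and empty lines.
    rules=$(printf '%s\n' "$map" | sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d')
    while IFS= read -r rule; do
        pattern=${rule%%=*}
        worker=${rule#*=}
        case "$pattern" in
            '!'*)
                pattern=${pattern#?}            # exclusion rule
                case "$uri" in
                    $pattern) excluded="$excluded $worker" ;;
                esac
                ;;
            *)
                case "$uri" in
                    $pattern)                   # mount rule, longest wins
                        if [ "${#pattern}" -gt "$best_len" ]; then
                            best=$worker best_len=${#pattern}
                        fi
                        ;;
                esac
                ;;
        esac
    done <<EOF
$rules
EOF
    result=${best:-none}
    for w in $excluded; do
        if [ "$w" = "$best" ] || [ "$w" = "*" ]; then
            result=none
        fi
    done
    echo "$result"
)

# forwarded_mgmt_uris MAP_TEXT
# Prints "URI -> worker" for every management URI the map forwards to JBoss.
forwarded_mgmt_uris() (
    for uri in $MGMT_URIS; do
        worker=$(resolve_worker "$1" "$uri")
        if [ "$worker" != none ]; then
            echo "$uri -> $worker"
        fi
    done
)

# Report which management paths the sample map exposes through Apache.
forwarded_mgmt_uris "$SAMPLE_MAP"
```

With the sample map, the jmx-console and web-console paths are forwarded and /admin-console is not; removing those mounts from the map, or restricting them in Apache, changes the report accordingly.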



Apache installation

Apache 2.2.14 installation on RHEL 5 (statically linked Apache binary)

The benefit of a statically built Apache server is that users have to examine all required modules at compile time. This ensures the smallest memory footprint for the Apache binary, and can also result in a more secure server by limiting exposure to loaded modules. Once you build and run your Apache binary, you will know exactly the memory footprint of each child or worker.

1) Create user
#useradd -m apacheadm
#passwd apacheadm

2) Login as apacheadm

3) Download httpd-2.2.14.tar.gz source distribution to /opt/software

4) Prepare for install

chmod 755 httpd-2.2.14.tar.gz
gunzip httpd-2.2.14.tar.gz
tar -xvf httpd-2.2.14.tar
rm httpd-2.2.14.tar
cd httpd-2.2.14
./configure --prefix=/opt/apache --enable-headers --enable-proxy --enable-rewrite --with-included-apr
make

Optional:

i) To include modules of your choice: ./configure --prefix=/opt/apache --with-included-apr --enable-ssl --enable-proxy
ii) Compile Apache for dynamic loading: ./configure --prefix=/opt/apache --enable-so

5) Install Apache
make install
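
One way to confirm what actually ended up in the static binary is to list its compiled-in modules with httpd -l and compare them to the set you intended. The script below is an added example, not part of the original post; the allowlist and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Assumption: illustrative allowlist built from this page's ./configure line
# (headers, proxy, rewrite) plus the core and MPM; adjust to your own build.
ALLOWED="core.c http_core.c prefork.c mod_headers.c mod_proxy.c mod_rewrite.c"

# audit_modules ALLOWLIST   (reads `httpd -l` output on stdin)
# Prints "unexpected: M" for each compiled-in module that is not allowlisted and
# "missing: M" for each allowlisted module that was not compiled in.
audit_modules() {
    # Module lines look like "  mod_x.c"; the "Compiled in modules:" header is skipped.
    built=" $(awk '$1 ~ /\.c$/ { print $1 }' | tr '\n' ' ')"
    for m in $built; do
        case " $1 " in *" $m "*) ;; *) echo "unexpected: $m" ;; esac
    done
    for m in $1; do
        case "$built" in *" $m "*) ;; *) echo "missing: $m" ;; esac
    done
}

# Constructed sample of `httpd -l` output, not captured from a real build.
SAMPLE='Compiled in modules:
  core.c
  mod_headers.c
  mod_status.c
  mod_autoindex.c
  mod_rewrite.c
  mod_proxy.c
  prefork.c
  http_core.c'

HTTPD=/opt/apache/bin/httpd    # --prefix used on this page
if [ -x "$HTTPD" ]; then
    "$HTTPD" -l | audit_modules "$ALLOWED"
else
    printf '%s\n' "$SAMPLE" | audit_modules "$ALLOWED"
fi
```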



Wednesday, March 10, 2010

JON Agent installation

Prerequisite:
Install JRE6 Runtime environment
Download jre-6u18-linux-i586.bin from Sun website.
Copy to the install folder /opt
#./jre-6u18-linux-i586.bin
This should install JRE under directory jre1.6.0_18

1) Download agent from installed JON server
http://{ip_address}:7080/agentupdate/download
or copy the file from the JON server location
/opt/jon-server-2.3.1.GA/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/rhq-enterprise-agent-1.3.1.GA.jar

Save the file rhq-enterprise-agent-1.3.1.GA.jar to /opt/software on JBOSS server

2) Install agent
# cd /opt/software
#java -jar rhq-enterprise-agent-1.3.1.GA.jar --install=/opt

3) Setup agent configuration
Edit /opt/rhq-agent/conf/agent-configuration.xml

Uncomment the following lines and set the values to the correct JON server and agent addresses:
<entry key="rhq.agent.configuration-setup-flag" value="true" />
<entry key="rhq.agent.server.bind-address" value="{jon-server-ip-address}" />
<entry key="rhq.agent.agent-update.version-url" value="http://{jon-server-ip-address}:7080/agentupdate/version" />
<entry key="rhq.agent.agent-update.download-url" value="http://{jon-server-ip-address}:7080/agentupdate/download" />
<entry key="rhq.communications.connector.bind-address" value="{jon-agent-ip-address}" />

Optional line to uncomment.
<entry key="rhq.agent.name" value="{agent-name}"/>

Optional lines to uncomment. These two lines should be done together preferably and multicast should be supported by the network.
<entry key="rhq.agent.server-auto-detection" value="true" />
<entry key="rhq.communications.multicast-detector.enabled" value="true" />

cd /opt/rhq-agent/bin
./rhq-agent.sh --config ../conf/agent-configuration.xml

If the setup flag is enabled as above, check agent logs.
If the setup flag is not enabled as above, you will see the following:
Agent Name [agent-server-name] :
Agent Hostname or IP Address [!*] :
Agent Port [16163] :
RHQ Server Hostname or IP Address [jon-server-name] :
RHQ Server Port [7080] :

Accept the defaults for the above values, as you have already edited the agent config.

3) Check agent.log for messages

4) Start or stop agent in background

/opt/rhq-agent/bin/rhq-agent-wrapper.sh start
/opt/rhq-agent/bin/rhq-agent-wrapper.sh stop

/opt/rhq-agent/bin/rhq-agent.sh start
/opt/rhq-agent/bin/rhq-agent.sh stop

5) Update /opt/rhq-agent/bin/rhq-agent-env.sh to run the process in foreground or background with desired parameters

Oracle Express Edition (XE) database installation

Oracle installation

1. Download Oracle 10g Express Edition free version (oracle-xe-univ-10.2.0.1-1.0.i386.rpm).
Oracle docs are available at http://www.oracle.com/pls/xe102/homepage

2. Set Tuning Parameters
Edit /etc/sysctl.conf (for example with vi) and add the following tuning parameters
--------------------------------------------------
# Parameters for Oracle 10g XE database
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.shmall = 268435456
# SEMMSL, SEMMNS, SEMOPM, and SEMMNI
kernel.sem=250 32000 100 128
fs.file-max=65536
net.ipv4.ip_local_port_range=1024 65000
--------------------------------------------------

3. Installation
Copy oracle rpm to /opt/software/oracle-10g-express-universal
Login as root
#cd /opt/software/oracle-10g-express-universal
[root@bvaiiwq01 oracle-10g-express-universal]# rpm -ivh oracle-xe-univ-10.2.0.1-1.0.i386.rpm
Preparing... ########################################### [100%]
1:oracle-xe-univ ########################################### [100%]
Executing Post-install steps...
You must run '/etc/init.d/oracle-xe configure' as the root user to
configure the database.

[root@bvaiiwq01 oracle-10g-express-universal]# /etc/init.d/oracle-xe configure

Oracle Database 10g Express Edition Configuration
-------------------------------------------------
This will configure on-boot properties of Oracle Database 10g Express
Edition. The following questions will determine whether the database should
be starting upon system boot, the ports it will use, and the passwords that
will be used for database accounts. Press <Enter> to accept the defaults.
Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:

Specify a port that will be used for the database listener [1521]:

Specify a password to be used for database accounts. Note that the same
password will be used for SYS and SYSTEM. Oracle recommends the use of
different passwords for each database account. This can be done after
initial configuration:
Confirm the password: oracle (or any password)

Do you want Oracle Database 10g Express Edition to be started on boot (y/n) [y]:y

Starting Oracle Net Listener...Done
Configuring Database...Done
Starting Oracle Database 10g Express Edition Instance...Done
Installation Completed Successfully.
To access the Database Home Page go to "http://{ip_address}:8080/apex"

4. Set Oracle environment parameters
cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin
. ./oracle_env.sh

5. Start the database
[root@bvaiiwq01 oracle-10g-express-universal]# /etc/init.d/oracle-xe start
Starting Oracle Database 10g Express Edition Instance.

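6. Perform this step to allow remote access to the web console. By default the XE HTTP listener accepts connections from the local host only; the call below opens it to other hosts.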

[root@bvaiiwq01 client]# sqlplus system

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Mar 8 19:13:20 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL> EXEC DBMS_XDB.SETLISTENERLOCALACCESS(FALSE);

PL/SQL procedure successfully completed.

7. Access the database web console
To access the Database Home Page go to "http://{ip_address}:8080/apex"
user: system, password: oracle (password set during install)
user: sysdba, password: oracle (password set during install)

Friday, February 26, 2010

JON installation

JON 2.3.1 installation on Linux (RHEL 5)

1) Create required system user for JON installation
#useradd -m jbossadm
#passwd jbossadm

2) Install JRE6 Runtime environment
Download jre-6u18-linux-i586.bin from Sun website.
Copy to the install folder /opt
#./jre-6u18-linux-i586.bin
This should install JRE under directory jre1.6.0_18

3) Download required JON installable files
Download jon-server-2.3.1.GA.zip (JON) from RedHat
Download jon-plugin-pack-eap-2.3.1.GA.zip (JON for EAP) from RedHat
Download License with Monitoring (Right click and download XML)
Copy the files to /opt/software on the Unix server

4) Perform Oracle installation
You can use a supported database of your choice. Oracle and PostgreSQL are supported right now.

5) Run these SQL scripts (should be run with DBA privileges - user: SYSTEM)
CREATE USER jon IDENTIFIED BY jon;
GRANT connect, resource TO jon;
show parameter db_block_size;
CONNECT sys/oracle AS sysdba;
GRANT SELECT ON sys.dba_pending_transactions TO jon;
GRANT SELECT ON sys.pending_trans$ TO jon;
GRANT SELECT ON sys.dba_2pc_pending TO jon;
GRANT EXECUTE ON sys.dbms_system TO jon;

6) Install JON
#cp /opt/software/jon-server-2.3.1.GA.zip /opt
#mkdir /opt/jon-server-2.3.1.GA
#cd /opt
#unzip jon-server-2.3.1.GA.zip

7) Install JON EAP Plugin

Unzip jon-plugin-pack-eap-2.3.1.GA.zip to any temp location
From the extracted location, move the jar files to /opt/jon-server-2.3.1.GA/jbossas/server/default/deploy/rhq.ear.rej/rhq-downloads/rhq-plugins directory
Delete jon-plugin-pack-eap-2.3.1.GA temp directory

8) Update the profile to set the environment variables
Update the .bash_profile file to read as:
PATH=$PATH:$HOME/bin
JAVA_HOME=/opt/jre1.6.0_18
RHQ_SERVER_JAVA_HOME=$JAVA_HOME
RHQ_SERVER_HOME=/opt/jon-server-2.3.1.GA
export PATH=$JAVA_HOME/bin:$RHQ_SERVER_HOME/bin:$PATH
export RHQ_SERVER_JAVA_HOME RHQ_SERVER_HOME

cd /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/bin
. ./oracle_env.sh
cd ~

9) Start the server
/opt/jon-server-2.3.1.GA/bin/rhq-server.sh start

10) Continue JON Install
Access URL: http://localhost:7080 and click here to continue install

Database Type: oracle 10g
Database Connection URL: jdbc:oracle:thin:@172.25.32.120:1521:XE
Database JDBC Driver Class: oracle.jdbc.driver.OracleDriver
Database XA DataSource Class: oracle.jdbc.xa.client.OracleXADataSource
Database User Name: jon
Database Password: jon

Test connection
Install server
Wait for confirmation message

11) Access JON admin console
http://{ip_address}:7080/Login.do
default user name: rhqadmin
default password: rhqadmin

12) Update Parameters
#cd /opt/jon-server-2.3.1.GA/bin
#vi rhq-server.properties
uncomment java.rmi.server.hostname

Edit this section as appropriate
# Email
rhq.server.email.smtp-host=ken-exfe2.ii-corpnet.com
rhq.server.email.smtp-port=25
rhq.server.email.from-address=rhqadmin@JON-QA

# Embedded RHQ Agent
rhq.server.embedded-agent.enabled=false
rhq.server.embedded-agent.name=
rhq.server.embedded-agent.reset-configuration=true
rhq.server.embedded-agent.disable-native-system=false
