asyd’s blog

It’s the first time I’m using pound (a http reverse proxy), and I was a little disappointed about its configuration. My use case is very simple, for a given virtual host (idp.asyd.net in my case) I want to redirect from / to /opensso. Since pound seems not very well documented, here my configuration to achieve that:

ListenHTTP
   Address  0.0.0.0
   Port  80
   Service
      HeadRequire "Host: idp.asyd.net"
      URL "^/$"
      Redirect "http://idp.asyd.net/opensso"
   End
   Service
      HeadRequire "Host: idp.asyd.net"
      Backend
         Address 127.0.0.1
         Port 8080
      End
   End
End

Sysadmin

As a new owner of an yubikey, I was looking the best way to integrate it with the web application I already use. While there is already an available OpenID provider which support Yubikey authentication, I prefer to manage my own system, using OpenSSO for sure

First, let me introduce the yubikey. This USB key act as an OTP (One Time Password) device, each time you press the button, the key compute a new password. This pasword must be verify, in the case of Yubikey, this is done by query a Webservices on a yubico (the company) server. Yubikey offers a lot of advantages than others classical OTP devices, including:

• The yubikey is see as an USB keyboard (class HID), no driver required!
• No battery, more longlife than anothers devices
• Very cheap, around 20 euros (ordered by 10, from France), transport and taxes included

So, why choose OpenSSO? For few years know, OpenSSO provides an extension to act as an OpenID provider, and an authentication class is available for the Yubikey.

References:

• Build the OpenSSO extension for OpenID
• Build the Yubikey authentication class

IAM, Security, Sysadmin openid, opensso, yubikey

I actually manage a LDAP directory with a lot of entries (almost 1,5 millions entries in the same OU). In order to check the replication state, I was looking for a way to count the number of entries in this OU. Thanks to Ludovic Poitou (once again), this information is available via an hidden attribute in the OU.


% ldapsearch -Wxh ldap1 -D "cn=Directory Manager" -b 'ou=people,ou=ssousers,dc=asyd,dc=net' -s base '(objectClass=*)' 'numsubordinates'
[..]
dn: ou=people,ou=ssousers,dc=asyd,dc=net
numsubordinates: 1386931


Depends on the directory server, it’s also possible to get the number of entries for a given backend (the following code was tested for Sun Directory Server 5.2):


% ldapsearch -Wxh ldap1 -D 'cn=Directory Manager' -b 'cn=monitor' -s base '(objectclass=*)' 'backendmonitordn'
[..]
dn: cn=monitor
backendmonitordn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config



% ldapsearch -Wxh lynx -D 'cn=Directory Manager' -b 'cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config' -s base '(objectclass=*)' 'ldapentrycount'
[..]
dn: cn=monitor, cn=ssoUsers, cn=ldbm database, cn=plugins, cn=config
ldapentrycount: 1408974


Sysadmin

Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

1. Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
2. Open your PKCS#12 file, provide the password
3. Click on Tools/Change KeyStore Type/JKS menu
4. If you don’t want to use the default password (which is password), click on the menu keystore password
5. Save it, that’s all folks!

You can know list the contents of your JKS using keytool:


% keytool -list -v -keystore yourkeystore.jks


Security, Sysadmin

Here the following commands I use to create a IPMP (IP Multipathing) groups (master/slave):


#!/bin/sh

# Add logicial interface
ifconfig nge544001 addif 10.16.244.60 netmask 255.255.252.0 up


You can also tweak the multipath daemon by editing /etc/default/mpathd to decrease the value to detect a NIC failure.

• Solaris 10 IPMP Documentation reference

Solaris, Sysadmin

I actually need to write a little daemon based on the JVM (I’ll explain why in a future post). As the groovy fan I am, I was looking for a ready to use receipt, this one is interesting but show only how to write, not to read After getting some help from Guillaume here a working sample:

import java.net.ServerSocket
import net.asyd.nagios.Hello
 
def listenPort = 4242
 
def server = new ServerSocket(listenPort)
 
while(true) {
    server.accept { socket ->
        println "new connexion"
 
        socket.withStreams { input, output ->
 
            def reader = input.newReader()
 
            def buffer = reader.readLine() 
 
            output << "Hello world " + buffer + "\n"
 
        }
    }
}

As you can see it’s very simple, thanks to groovy, once again. A thread will be create for each client.

Sysadmin groovy

Le 16 Juin, à 19h30, se tiendra à Paris, chez Sun (attention, Sun a déménagé) une présentation technique autour de Solaris 10 / OpenSolaris, sur la gestion des IOs. Cette présentation est organisé par l’association GUSES. Au programme :

• Les différents composants : logiciel (système de fichiers), matériel
• La gestion du cache
• Le rôle du matériel
• Mesure de performances et optimisation

Comme vous l’aurez sans doute remarqué, cette présentation s’adresse avant tout à des administrateurs systèmes Solaris, mais les concepts abordés sont tout aussi vrai pour les autres UNIX.

Cette présentation sera assurée par Fabrice Bacchella, administrateur système senior.

Afin d’optimiser la place, nous vous serons reconnaissant de vous inscrire.

OpenSolaris, Solaris, Sysadmin guses, io, performances, Solaris

Depuis quelques jours (heures ?), Glassfish v3 preview est disponible. Comme Alexis est bien mieux placé que moi pour en parler, je vous engage à lire cet article pour la description de cette version. Au travers de ce petit billet, je résume ma toute première utilisation de Preview. Pour cela, mon cas d’utilisation est tout simple, déployer XWiki en version 1.8 dans un premier temps, mais au travers d’une source de connexions JDBC. Cas d’utilisation donc très simple.

Mes remarques, en vrac :

• Nécessite un JDK 1.6 (java -version pour vérifier). Utilisateur d’OS X, vous devez définir JAVA_HOME et PATH, la version par défaut étant encore en 1.5
• La commande start-domain ne met que quelques secondes à rendre la main ! Néanmoins, la console d’administration n’est pas disponible avant d’autres longues secondes . Pour rappel, la version 3 de Glassfish est construit autour d’OSGI, un système orienté composant.
• L’interface d’administration est proche de la version 2.1, on s’y retrouve donc assez facilement. Néanmoins, il y a une différence notable dans la gestion des applications. Il faut que je creuse le sujet.
• Il faut que je vérifie, mais lors de la configuration du pool de connexions JDBC, Glassfish me demandait un restart, que j’ai fait. J’avoue que cela me dérange un peu si c’est vraiment nécessaire, c’est quand même une opération simple !
• Temps d’arrêt très rapide, plutôt appréciable.
• J’en suis presque surpris (pas taper), mais le déploiement de XWIki est OK du premier coup ! Très bon signe !
• L’URL JMX n’est plus affiché lors du démarrage du domaine, c’est bien dommage !
• A priori pas de changements sur la taxinomie (namespace) des MBeans, ce qui est plutôt plaisant.

Bref, premier contact plutôt positif, même si j’ai constaté quelques petits soucis dans l’interface web, mais rien de bien méchant. Vivement la première version de production !

Java, Sysadmin glassfish, xwiki

At my work, we currently use nagios and cacti for monitoring, the “standard” tools. However, why it’s difficult to replace nagios – for many reasons (it use standard flat configuration flies) – I’m looking for a way to replace Cacti. Indeed, it’s written in pure PHP, there is almost no CLI. So, when I add a new host, I need to use my browser, and my mouse, and I don’t like that. By chance, a friend of mine wrote his own tool, called JRDS, in pure Java. I’m actually in test phase, however, here are some pros:

• It’s Java, no need for php, whatever.
• JRDS use rrd4j, RRDTool Java implementation
• Use flat files for configuration, so it’s very easy to manage

However, one of its wort cons i s the lack of documentation! So here some notes to build JRDS :

1. Fetch and extract JRDS sources from the subversion repository
2. Fetch and extract RRD4j sources from the subversion repository (note: a dev.java.net account seem to be required)
3. Build RRD4j
   • # cd rrd4j/rrd4j
   • # ant
   • # cp rrd4j-<version>.jar $JRDS_HOME/trunk/lib
4. Build JRDS
   • If you don’t have it, download ivy and copy its jar in ~/.ant/lib directory
   • # cd $JRDS_HOME/trunk
   • # ant resolve
   • Extrat c.tld from lib/standard.jar and copy the file in the lib/ directory ( # unzip lib/standard.jar META-INF/c.tld ; mv META-INF/c.tld lib/ ; rmdir META-INF
   • # cp local.properties.sample local.properties
   • Edit local.properties, don’t forget to set jai.home at the end of file
   • # ant war
5. Before deploy jrds.war, you need to create a properties file, and some directories. See the inital setup chapter of JRDS Userguide.
6. Note: to deploy JRDS on Glassfish, the only way I found to create the property is to defined in the JVM options. I also have sometimes a deadlock, if that appears, you need to kill the Glassfish process and restart it.

jrds.properties

configdir=/Users/bbonfils/tools/jrds/config
rrddir=/Users/bbonfils/tools/jrds/probe
logfile=/Users/bbonfils/tools/jrds/log/jrds.log
libspath=/Users/bbonfils/sources/jrds/trunk/build/probes.jar
#loglevel=debug

config/host-kaoru.xml

<?xml version="1.0" encoding="UTF-8"?>
<host name="kaoru.asyd.net">
        <snmp community="secret" version="2"/>
        <probe type="TcpSnmp" />
        <probe type="IpSnmp" />
        <probe type="UdpSnmp" />
        <probe type="IcmpSnmp" />
        <probe type="MemLinux" />
        <probe type="CpuRawTimeLinux" />
        <probe type="UcdRawSystemCounter" />
        <probe type="PartitionSpace">
                <arg type="String" value="/" />
        </probe>
        <probe type="IfSnmp">
               <arg type="String" value="eth0" />
        </probe>
        <probe type="CpuLoadFloat" />
        <probe type="TcpStat" />
</host>

Java, Sysadmin jrds

In my previous post, I demonstrate how to set a property for each http-service in a glassfish domain using groovy and jmx. Here the code to create a new JDBC Connection Pool, still using groovy and JMX/AMX APIs.

 
import javax.management.ObjectName
import javax.management.remote.JMXConnectorFactory as JmxFactory
import javax.management.remote.JMXServiceURL as JmxUrl
import javax.management.MBeanServerConnection
 
 
 
//def uri = 'service:jmx:rmi:///jndi/rmi://portal3:46302/jmxrmi'
def uri = 'service:jmx:rmi:///jndi/rmi://localhost:8686/jmxrmi'
def login = 'admin'
def password = 'adminadmin'
 
import javax.management.Query
 
def jmxurl = new JmxUrl(uri)
def attributes = new Hashtable()
 
def buffer = [ login, password ]
 
attributes.put("jmx.remote.credentials", (String[]) buffer)
 
def server = JmxFactory.connect(jmxurl, attributes).mBeanServerConnection
 
def createJDBCConnectionPool = { name ->
    def objectname = new ObjectName("amx:j2eeType=X-DomainConfig,name=na")
    def options = new ArrayList()
    options.add(name)
    options.add("com.mysql.jdbc.jdbc2.optional.MysqlDataSource")
    def properties = [
        'ResType':'javax.sql.DataSource'
    ]
 
    options.add(properties as Map)
 
    server.invoke(objectname, 
                "createJDBCConnectionPoolConfig",
                options as Object[],
                ["java.lang.String","java.lang.String","java.util.Map"] as String[] )
 
    /* To add other properties, we need to invoke setProperty to new object */
 
    objectname = new ObjectName("amx:j2eeType=X-JDBCConnectionPoolConfig,name=" + name)
 
    server.invoke(objectname, "setPropertyValue", [ "user", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "password", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "databaseName", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "serverName", "localhost"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "port", "3306"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "networkProtocol", "tcp"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
}
 
createJDBCConnectionPool("xwikiPool")

As you probably noticed, I can’t create properties directly using the invokation of createJDBCConnectionPool. Indeed, we can specifly only few properties (take a look at the complete list). However, once the object is created, we can use the setPropertValue to create any properties we want.

Java, Sysadmin glassfish, groovy