asyd's blog

How to convert a PKCS#12 to JKS

asyd — Thu, 02 Jul 2009 13:20:28 +0000

Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
Open your PKCS#12 file, provide the password
Click on Tools/Change KeyStore Type/JKS menu
If you don’t want to use the default password (which is password), click on the menu keystore password
Save it, that’s all folks!

You can know list the contents of your JKS using keytool:

% keytool -list -v -keystore yourkeystore.jks

Quick (and dirty?) howto: Solaris IPMP with VLAN tagging

asyd — Wed, 24 Jun 2009 15:06:20 +0000

Here the following commands I use to create a IPMP (IP Multipathing) groups (master/slave):

#!/bin/sh


# Plumb physical interfaces

ifconfig nge1 plumb

ifconfig nge2 plumb
# Plumb 802.1q interfaces

ifconfig nge544001 plumb

ifconfig nge544002 plumb
# Configure interfaces

ifconfig nge544001 group hosts deprecated -failover up

ifconfig nge544002 group hosts deprecated -failover standby up

# Add logicial interface ifconfig nge544001 addif 10.16.244.60 netmask 255.255.252.0 up

You can also tweak the multipath daemon by editing /etc/default/mpathd to decrease the value to detect a NIC failure.

Solaris 10 IPMP Documentation reference

Writing a daemon in groovy

asyd — Wed, 10 Jun 2009 08:29:38 +0000

I actually need to write a little daemon based on the JVM (I’ll explain why in a future post). As the groovy fan I am, I was looking for a ready to use receipt, this one is interesting but show only how to write, not to read After getting some help from Guillaume here a working sample:

import java.net.ServerSocket
import net.asyd.nagios.Hello
 
def listenPort = 4242
 
def server = new ServerSocket(listenPort)
 
while(true) {
    server.accept { socket ->
        println "new connexion"
 
        socket.withStreams { input, output ->
 
            def reader = input.newReader()
 
            def buffer = reader.readLine() 
 
            output << "Hello world " + buffer + "\n"
 
        }
    }
}

As you can see it’s very simple, thanks to groovy, once again. A thread will be create for each client.

Présentation GUSES : Métrologie des IOs

asyd — Wed, 03 Jun 2009 22:39:59 +0000

Le 16 Juin, à 19h30, se tiendra à Paris, chez Sun (attention, Sun a déménagé) une présentation technique autour de Solaris 10 / OpenSolaris, sur la gestion des IOs. Cette présentation est organisé par l’association GUSES. Au programme :

Les différents composants : logiciel (système de fichiers), matériel
La gestion du cache
Le rôle du matériel
Mesure de performances et optimisation

Comme vous l’aurez sans doute remarqué, cette présentation s’adresse avant tout à des administrateurs systèmes Solaris, mais les concepts abordés sont tout aussi vrai pour les autres UNIX.

Cette présentation sera assurée par Fabrice Bacchella, administrateur système senior.

Afin d’optimiser la place, nous vous serons reconnaissant de vous inscrire.

Test de Glassfish Preview

asyd — Tue, 02 Jun 2009 22:20:29 +0000

Depuis quelques jours (heures ?), Glassfish v3 preview est disponible. Comme Alexis est bien mieux placé que moi pour en parler, je vous engage à lire cet article pour la description de cette version. Au travers de ce petit billet, je résume ma toute première utilisation de Preview. Pour cela, mon cas d’utilisation est tout simple, déployer XWiki en version 1.8 dans un premier temps, mais au travers d’une source de connexions JDBC. Cas d’utilisation donc très simple.

Mes remarques, en vrac :

Nécessite un JDK 1.6 (java -version pour vérifier). Utilisateur d’OS X, vous devez définir JAVA_HOME et PATH, la version par défaut étant encore en 1.5
La commande start-domain ne met que quelques secondes à rendre la main ! Néanmoins, la console d’administration n’est pas disponible avant d’autres longues secondes . Pour rappel, la version 3 de Glassfish est construit autour d’OSGI, un système orienté composant.
L’interface d’administration est proche de la version 2.1, on s’y retrouve donc assez facilement. Néanmoins, il y a une différence notable dans la gestion des applications. Il faut que je creuse le sujet.
Il faut que je vérifie, mais lors de la configuration du pool de connexions JDBC, Glassfish me demandait un restart, que j’ai fait. J’avoue que cela me dérange un peu si c’est vraiment nécessaire, c’est quand même une opération simple !
Temps d’arrêt très rapide, plutôt appréciable.
J’en suis presque surpris (pas taper), mais le déploiement de XWIki est OK du premier coup ! Très bon signe !
L’URL JMX n’est plus affiché lors du démarrage du domaine, c’est bien dommage !
A priori pas de changements sur la taxinomie (namespace) des MBeans, ce qui est plutôt plaisant.

Bref, premier contact plutôt positif, même si j’ai constaté quelques petits soucis dans l’interface web, mais rien de bien méchant. Vivement la première version de production !

How to build and deploy JRDS

asyd — Mon, 25 May 2009 19:15:33 +0000

At my work, we currently use nagios and cacti for monitoring, the “standard” tools. However, why it’s difficult to replace nagios – for many reasons (it use standard flat configuration flies) – I’m looking for a way to replace Cacti. Indeed, it’s written in pure PHP, there is almost no CLI. So, when I add a new host, I need to use my browser, and my mouse, and I don’t like that. By chance, a friend of mine wrote his own tool, called JRDS, in pure Java. I’m actually in test phase, however, here are some pros:

It’s Java, no need for php, whatever.
JRDS use rrd4j, RRDTool Java implementation
Use flat files for configuration, so it’s very easy to manage

However, one of its wort cons i s the lack of documentation! So here some notes to build JRDS :

Fetch and extract JRDS sources from the subversion repository
Fetch and extract RRD4j sources from the subversion repository (note: a dev.java.net account seem to be required)
Build RRD4j
- # cd rrd4j/rrd4j
- # ant
- # cp rrd4j-.jar $JRDS_HOME/trunk/lib
Build JRDS
- If you don’t have it, download ivy and copy its jar in ~/.ant/lib directory
- # cd $JRDS_HOME/trunk
- # ant resolve
- Extrat c.tld from lib/standard.jar and copy the file in the lib/ directory ( # unzip lib/standard.jar META-INF/c.tld ; mv META-INF/c.tld lib/ ; rmdir META-INF
- # cp local.properties.sample local.properties
- Edit local.properties, don’t forget to set jai.home at the end of file
- # ant war
Before deploy jrds.war, you need to create a properties file, and some directories. See the inital setup chapter of JRDS Userguide.
Note: to deploy JRDS on Glassfish, the only way I found to create the property is to defined in the JVM options. I also have sometimes a deadlock, if that appears, you need to kill the Glassfish process and restart it.

jrds.properties

configdir=/Users/bbonfils/tools/jrds/config
rrddir=/Users/bbonfils/tools/jrds/probe
logfile=/Users/bbonfils/tools/jrds/log/jrds.log
libspath=/Users/bbonfils/sources/jrds/trunk/build/probes.jar
#loglevel=debug

config/host-kaoru.xml

 version="1.0" encoding="UTF-8"?>
 name="kaoru.asyd.net">
         community="secret" version="2"/>
         type="TcpSnmp" />
         type="IpSnmp" />
         type="UdpSnmp" />
         type="IcmpSnmp" />
         type="MemLinux" />
         type="CpuRawTimeLinux" />
         type="UcdRawSystemCounter" />
         type="PartitionSpace">
                 type="String" value="/" />
        >
         type="IfSnmp">
                type="String" value="eth0" />
        >
         type="CpuLoadFloat" />
         type="TcpStat" />
>

Create a JDBC Connection Pool using JMX/AMX

asyd — Fri, 22 May 2009 14:20:40 +0000

In my previous post, I demonstrate how to set a property for each http-service in a glassfish domain using groovy and jmx. Here the code to create a new JDBC Connection Pool, still using groovy and JMX/AMX APIs.

 
import javax.management.ObjectName
import javax.management.remote.JMXConnectorFactory as JmxFactory
import javax.management.remote.JMXServiceURL as JmxUrl
import javax.management.MBeanServerConnection
 
 
 
//def uri = 'service:jmx:rmi:///jndi/rmi://portal3:46302/jmxrmi'
def uri = 'service:jmx:rmi:///jndi/rmi://localhost:8686/jmxrmi'
def login = 'admin'
def password = 'adminadmin'
 
import javax.management.Query
 
def jmxurl = new JmxUrl(uri)
def attributes = new Hashtable()
 
def buffer = [ login, password ]
 
attributes.put("jmx.remote.credentials", (String[]) buffer)
 
def server = JmxFactory.connect(jmxurl, attributes).mBeanServerConnection
 
def createJDBCConnectionPool = { name ->
    def objectname = new ObjectName("amx:j2eeType=X-DomainConfig,name=na")
    def options = new ArrayList()
    options.add(name)
    options.add("com.mysql.jdbc.jdbc2.optional.MysqlDataSource")
    def properties = [
        'ResType':'javax.sql.DataSource'
    ]
 
    options.add(properties as Map)
 
    server.invoke(objectname, 
                "createJDBCConnectionPoolConfig",
                options as Object[],
                ["java.lang.String","java.lang.String","java.util.Map"] as String[] )
 
    /* To add other properties, we need to invoke setProperty to new object */
 
    objectname = new ObjectName("amx:j2eeType=X-JDBCConnectionPoolConfig,name=" + name)
 
    server.invoke(objectname, "setPropertyValue", [ "user", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "password", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "databaseName", "xwiki"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "serverName", "localhost"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "port", "3306"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
    server.invoke(objectname, "setPropertyValue", [ "networkProtocol", "tcp"] as Object[], [ "java.lang.String", "java.lang.String"] as String[])
}
 
createJDBCConnectionPool("xwikiPool")

As you probably noticed, I can’t create properties directly using the invokation of createJDBCConnectionPool. Indeed, we can specifly only few properties (take a look at the complete list). However, once the object is created, we can use the setPropertValue to create any properties we want.

Soirée CloudCamp à Paris le 11 Juin

asyd — Tue, 19 May 2009 18:27:11 +0000

Comme tout le monde, vous entendez parler du cloud computing, mais vous ne savez pas forcément ce qui se cache derrière ce terme ? Vous connaissez déjà, mais vous voulez en savoir plus ? Bref, dans tous les cas, si ce sujet vous intéresse, je vous invite à participer à la soirée organiser par cloudcamp. Cette soirée aura lieu le 11 Juin, à partir de 18h30. Pour ma part, je dois y intervenir pour parler de la sécurité.

Je me permet de rappeler, pour mes fidèles lecteurs, que Solaris/OpenSolaris est très proche du concept de cloud computing notamment grâce aux containers (zones + resource shapping), et OpenStorage.

Configure glassfish via JMX and Groovy

asyd — Tue, 19 May 2009 15:31:55 +0000

At my new work, we have a lot of glassfish in production. For some of them, we even have almost 10 instances per DAS (Domain Admin Server). As a (good) system administrator, I’m a lazy man. After having to installed and created a glassfish with 10 instances, I was really tired to click, click, and click again through the web interface. Yes I know, it’s possible to edit the files directly, but I think it’s not very convenient. First, it’s easy to make mistakes, it’s not atomic, and finally you need to restart/reload the instance.

So, I was wondering if it’s possible to proceed some configuration using JMX/AMX (AppServer Management Extensions). I start to browse MBeans using JConsole, and check that’s really possible to modify the configuration, and the answer is yes. Ok, my first try is a simple one, I just want enable access.log, meaning set accessLoggingEnabled property to true for each http-service. Since I’m not really good to write Java, I wrote a groovy script. Here it comes :

 
import javax.management.ObjectName
import javax.management.remote.JMXConnectorFactory as JmxFactory
import javax.management.remote.JMXServiceURL as JmxUrl
import javax.management.MBeanServerConnection
 
def uri = 'service:jmx:rmi:///jndi/rmi://localhost:8686/jmxrmi'
def login = 'admin'
def password = 'adminadmin'
 
import javax.management.Query
 
def jmxurl = new JmxUrl(uri)
def attributes = new Hashtable()
 
def buffer = [ login, password ]
 
attributes.put("jmx.remote.credentials", (String[]) buffer)
 
def server = JmxFactory.connect(jmxurl, attributes).mBeanServerConnection
 
def enableAccessLog = { serviceUri ->
    properties = [ "accessLoggingEnabled", "true" ]
    def signature = [ "java.lang.String", "java.lang.String"]
    server.invoke(serviceUri, "setPropertyValue", properties as Object[], signature as String[] );
}
 
def checkAccessLog = { serviceUri ->
    def properties = [ "accessLoggingEnabled" ]
    def answer = server.invoke(serviceUri, "getPropertyValue", properties as Object[], "java.lang.String");
    println "Access log for: " + serviceUri + " enabled: " + answer
}
 
 
def query = new ObjectName("amx:*,j2eeType=X-HTTPServiceConfig")
 
server.queryNames(query, null).each { service ->
    checkAccessLog(service)
    enableAccessLog(service)
    checkAccessLog(service)
}

That’s magic… Sure I’ll post some others script to manage more complex configuration, like create a connection pool, etc.

Petit amusement du lundi

asyd — Mon, 18 May 2009 12:03:36 +0000

Vu sur un blog sur lequel je suis tombé par hasard :

ZFS ? Un outil de masturbation intellectuelle. Je préfère encore le btrfs des linux.

Enfin, il vaut mieux en rire qu’en pleurer, ah ces linuxiens ! Et dire que j’étais comme ça il y a une certaine (mais lointaine) époque.