Thursday, March 30, 2017

Authenticate MongoDB Connection with Self-signed Certificates



Create a self-signed SSL Certificate
Reference: http://www.akadia.com/services/ssh_test_certificate.html


# cat mongodb.conf

logpath = /opt/sysAdmin/logs/mongodb.log
dbpath = /opt/sysAdmin
port = 27017

sslMode = requireSSL
sslPEMKeyFile = /home/mongodb/ssl/mongodb.pem
sslPEMKeyPassword = test
sslCAFile = /home/mongodb/ssl/client.pem


Step 1:
http://demarcsek92.blogspot.ca/2014/05/mongodb-ssl-setup.html

Create Certificate for Server
$ openssl req -new -x509 -days 365 -out mongodb-cert.crt -keyout mongodb-cert.key
or

$ openssl req -new -x509 -days 3650 -out server.crt -keyout encrypted-server.key -subj '/C=CA/ST=ON/L=TORONTO/O=GOWEEKEND/OU=FINANCE/CN=127.0.0.1'

You can remove the passphrase from the key, but make sure to restrict the permissions on the key file.

$ cp mongodb-cert.key mongodb-cert.key.encrypted
$ openssl rsa -in mongodb-cert.key.encrypted -out mongodb-cert.key

$ cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

Create Certificate for Client
$ openssl req -new -x509 -days 365 -out client-cert.crt -keyout client-cert.key

OR

$ openssl req -new -x509 -days 3650 -out client.crt -keyout encrypted-client.key -subj '/C=CA/ST=ON/L=Toronto/O=GOWEEKEND/OU=IT/CN=127.0.0.1'


You can remove the passphrase from the key, but make sure to restrict the permissions on the key file.

$ cp client-cert.key client-cert.key.encrypted
$ openssl rsa -in client-cert.key.encrypted -out client-cert.key


$ cat client-cert.key client-cert.crt > client.pem

Startup Server
mongod -f /etc/mongodb.conf

Connect to the database with the mongo shell
mongo --ssl --sslCAFile ./mongodb.pem --sslPEMKeyFile ./client.pem

Step 2:
https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/

Problem:
When connecting from PHP, the following error was returned:
UserNotFound: Could not find user CN=127.0.0.1,OU=FINANCE,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA@$external

$ openssl x509 -in client.pem -inform PEM -subject -nameopt RFC2253
subject= CN=127.0.0.1,OU=WS,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA

Connect to Database

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=127.0.0.1,OU=WS,O=GOWEEKEND,L=TORONTO,ST=ON,C=CA",
    roles: [
             { role: 'readWrite', db: 'mydb' },
             { role: 'userAdminAnyDatabase', db: 'admin' }
           ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)
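
To find out which certificate a `UserNotFound ... @$external` error refers to, the script below extracts the DN from the error line and compares it with the RFC 2253 subject of each PEM file. It is an added example, not part of the original post; the function names are hypothetical and it assumes `openssl` is on the PATH.

```sh
#!/bin/sh
# Added example; the function names are hypothetical helpers, not part of
# MongoDB or OpenSSL.

# Subject of the first certificate in a PEM file, in RFC 2253 order. This is
# the string mongod looks up as the user name in the $external database.
# "subject=" is printed with or without a following space, depending on the
# OpenSSL version, so both forms are stripped.
cert_dn() {
    openssl x509 -in "$1" -inform PEM -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# DN that mongod could not find, extracted from a UserNotFound error line.
dn_from_error() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Could not find user \(.*\)@\$external.*$/\1/p'
}

# Print each PEM file (arguments 2..n) whose subject is exactly the DN named
# in the error line (argument 1), i.e. the certificate the client presented.
which_cert() {
    dn=$(dn_from_error "$1")
    if [ -z "$dn" ]; then
        echo "no UserNotFound DN in: $1" >&2
        return 2
    fi
    shift
    for pem in "$@"; do
        if [ "$(cert_dn "$pem")" = "$dn" ]; then
            printf '%s\n' "$pem"
        fi
    done
}

# Usage (single-quote the error line so the shell leaves $external alone):
#   sh which_cert.sh '<error line>' client.pem mongodb.pem
if [ "$#" -ge 2 ]; then
    which_cert "$@"
fi
```

Create the `$external` user with the exact string `cert_dn` prints for the certificate the client actually presents.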

Use Certificate to connect to mongodb server

http://demarcsek92.blogspot.ca/2014/05/mongodb-ssl-setup.html

SVN: pre-commit hook in svn: could not be translated from the native locale to UTF-8

Append the line below to httpd.conf

SVNUseUTF8 on

Thursday, March 23, 2017

WebSphere 8.5 and 9.0 Silent Installation

1. Record Response File

#   Windows = imcl.exe -acceptLicense -showProgress
#     input <response_file_path_and_name> -log <log_file_path_and_name>
#   Linux, UNIX, IBM i and z/OS = ./imcl -acceptLicense -showProgress 
#     input <response_file_path_and_name> -log <log_file_path_and_name>
# For example:
#   Windows = IBMIM.exe -record c:\temp\responsefiles\WASv85.install.Win32.xml
#     -skipInstall c:\temp\skipInstall\WebSphere_Temp_Registry
#   Linux or UNIX = ./IBMIM -record /home/user/responsefiles/WASv85.install.RHEL64.xml
#     -skipInstall c:\temp\skipInstall\WebSphere_Temp_Registry

2. Install

#
#   Windows = imcl.exe -acceptLicense -showProgress
#     input <response_file_path_and_name> -log <log_file_path_and_name>
#   Linux, UNIX, IBM i and z/OS = ./imcl -acceptLicense -showProgress 
#     input <response_file_path_and_name> -log <log_file_path_and_name>
#
# For example:
#   Windows = imcl.exe -acceptLicense -showProgress
#     input c:\temp\responsefile\WASv85.install.Win32.xml
#   Linux, UNIX, IBM i and z/OS = ./imcl -acceptLicense -showProgress
#     input /home/user/responsefile/WASv85.install.RHEL64.xml

Tuesday, March 21, 2017

Remove SELinux attribute on files or folders

setfattr -h -x security.selinux /tmp

Disable PrivateTmp for Apache in REDHAT


https://www.reddit.com/r/Fedora/comments/35bsym/how_do_i_disable_privatetmp_for_apache/

In /usr/lib/systemd/system/httpd.service, set:

PrivateTmp = false

Tuesday, March 14, 2017

Install Microsoft Driver for unixODBC

Problem:
[unixODBC][Driver Manager]Data source name not found, and no default driver specified (SQL-IM002)
No DBI connect:[unixODBC][Driver Manager]Data source name not found, and no default driver specified (SQL-IM002) at xxxxxxx line 17.


Solution: 
http://www.perlmonks.org/?node_id=1033737

perl -MDBI -e 'DBI->installed_versions'

[root@goweek01 tds]# perl -MDBI -e 'DBI->installed_versions'
  Perl            : 5.024001    (x86_64-linux-thread-multi)
  OS              : linux       (4.10.0-0.rc4.git0.2.fc26.x86_64)
  DBI             : 1.636
  DBD::Sponge     : 12.010003
  DBD::Pg         : 3.5.3
  DBD::PO         : install_driver(PO) failed: Global symbol "@A" requires explicit package name (did you forget to declare "my @A"?) at /usr/local/share/perl5/DBD/PO/Locale/PO.pm line 291, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO/Text/PO.pm line 11, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO/Text/PO.pm line 11, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO/dr.pm line 10, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO/dr.pm line 10, <DATA> line 755.
Compilation failed in require at /usr/local/share/perl5/DBD/PO.pm line 12, <DATA> line 755.
BEGIN failed--compilation aborted at /usr/local/share/perl5/DBD/PO.pm line 12, <DATA> line 755.
Compilation failed in require at (eval 53) line 3, <DATA> line 755.

 at -e line 1.

  DBD::Oracle     : 1.74
  DBD::ODBC       : 1.56
  DBD::Multi      : 0.18
  DBD::Mock       : 1.45
  DBD::Log        : DBD::Log initialisation failed: Can't call method "driver" without a package or object reference at /usr/local/share/perl5/DBD/Log.pm line 219, <DATA> line 755.
 at -e line 1.

  DBD::LDAP       : 0.22
  DBD::Gofer      : 0.015327
  DBD::File       : 0.44
  DBD::ExampleP   : 12.014311
  DBD::DBM        : 0.08

[root@goweek01 tds]# odbcinst -j
unixODBC 2.3.4
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /root/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8

[root@goweek01 etc]# odbcinst -q -s
[SQLdev]
[classdata]
[mssqldev]

-bash-4.3$ odbcinst -j
unixODBC 2.3.4
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /home/goweekendweb/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8

[MSSQLprod]
Driver          = SQLServer
Description     = goweekendWeb production
Server          = classdata.toronto.ca
TDS_Version     = 7.0
Database        = goweekendWeb


-bash-4.3$ odbcinst -q -s
[MSSQLprod]
[SQLdev]
[classdata]
[mssqldev]

[root@goweek01 parks]# cat /etc/odbc.ini
[SQLdev]
Driver          = SQLServer
Description     = goweekendWeb Dev
Server          = mssds152q.goweekend.ca
Database        = goweekendWeb
Trace           = Yes
TraceFile       = /var/tmp/sqlserver.log


[root@goweek01 parks]# cat /etc/odbcinst.ini
[PostgreSQL]
Description=ODBC for PostgreSQL
Driver=/usr/lib/psqlodbcw.so
Setup=/usr/lib/libodbcpsqlS.so
Driver64=/usr/lib64/psqlodbcw.so
Setup64=/usr/lib64/libodbcpsqlS.so
FileUsage=1

[MySQL]
Description=ODBC for MySQL
Driver=/usr/lib/libmyodbc5.so
Setup=/usr/lib/libodbcmyS.so
Driver64=/usr/lib64/libmyodbc5.so
Setup64=/usr/lib64/libodbcmyS.so
FileUsage=1

[SQLServer]
Description=Microsoft ODBC Driver 13 for SQL Server
Driver=/opt/microsoft/msodbcsql/lib64/libmsodbcsql-13.1.so.4.0
UsageCount=1


Thursday, March 2, 2017

IBM HTTP Server: Startup FAQ and mustgather

http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_startup_doc.html#SOLGSKIT2

On some Solaris/SPARC systems manufactured by Fujitsu, GSKit can hang during startup. To resolve the issue, take the following two steps:

  • Upgrade GSKit to 8.0.50.61 or later (8.5.5.10, 8.0.0.13, or older fixpacks with PI60207)
  • Specify SSLAttributeSet 4007 1 to prevent the FIPS certified ICC 8.4 from being loaded. Note: If using SSLFIPSEnable, you must also opt-in to using a non-certified cryptographic module with environment variable ICC_IGNORE_FIPS=YES
    Some other instructions may refer to removing a "C/" directory from the GSKit lib directory. This should have the same result as SSLAttributeSet 4007 1 -- disabling the initialization of the FIPS certified cryptographic module inside of GSKit. There is always a 2nd, non-certified cryptographic module that can be used.

  Append the line below at the end of httpd.conf

    SSLAttributeSet 4007 1
 
You may need to reboot the server.

I tried "SSLAttributeSet 4007 1", but it didn't fix the problem; then I deleted
the "C/" directory from the GSKit lib directory, and it worked.