Monday, 31 July 2017

Amazon Cloud Storage Options::

AWS Storage Options::
=====================

S3 - Simple Storage Services
EBS - Elastic Block Storage
EFS - Elastic File System

EBS - As the name suggests, it is a block storage system in which data is stored as blocks. It is suitable for an OS or a database and works best as a server disk: high-performance reads and writes. It is replicated within an Availability Zone and can be attached to one EC2 instance at a time, in the same AZ.

S3 - An object storage option, suitable for write-once-read-many (or read-once-write-many) workloads.

For example, it suits large data such as backups and logs that are not retrieved very often, or static website hosting where the content is rarely altered and read many times. It is scalable and no size has to be specified. It is not suitable for an OS or a database.

EFS - Best when a filesystem needs to be shared among multiple resources. It is replicated across the AZs of a region and can be mounted on multiple EC2 instances, or on on-premise servers via VPN, at the same time. No sizing has to be done.

Wednesday, 5 April 2017

Postfix Mail Server Setup with Dovecot and Squirrelmail Configuration::

Postfix Mail Server Setup with Dovecot and Squirrelmail Configuration::
=======================================================================

The configuration steps below set up a mail server and client locally, in an office network, so that users in the office can send and receive mail under the same domain locally.

If you want to send mail to public domains, you need to register your domain, have a dedicated IP address for this server, and have an MX record at the ISP pointing to the server.

Postfix is a secure MTA mainly suited to medium-sized user bases, for example a medium-sized organization. It can be configured along with Dovecot and Squirrelmail, as exim and qmail can.

If you need thousands of email users and many domains, as in a shared hosting scenario, exim is preferably the better choice.


I have disabled the firewall for the time being for this test configuration.

Postfix Installation::

# yum install postfix

After installation edit /etc/postfix/main.cf:
# vi /etc/postfix/main.cf
Add the entries below, adjusted to your hostname and domain::

myhostname = linuxgeeknotes.com
mydomain = linuxgeeknotes.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.240.0/24, 127.0.0.0/8
home_mailbox = Maildir/

# systemctl start postfix

Now create some test users, for example test1, test2, test3 and so on, with passwords, using the useradd command.


Dovecot Installation::

# yum install dovecot

After installation edit the configuration files dovecot.conf, 10-mail.conf, 10-auth.conf and 10-master.conf as follows::

# vi /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp

# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir

# vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login

# vi /etc/dovecot/conf.d/10-master.conf
Make the changes shown below (in the unix_listener block of service auth):
#mode = 0600
   user = postfix
   group = postfix
[...]

# systemctl start dovecot

Squirrelmail installation::

# yum install squirrelmail

After installation change to /usr/share/squirrelmail/config/ directory:

# cd /usr/share/squirrelmail/config/

and run::
# ./conf.pl

Now read carefully and complete the squirrelmail configuration steps:-

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color off
S Save data
Q Quit

Command >> 1

The following wizard will open. Enter “1” again to modify your organization details:

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Organization Preferences
1. Organization Name : SquirrelMail
2. Organization Logo : ../images/sm_logo.png
3. Org. Logo Width/Height : (308/111)
4. Organization Title : SquirrelMail $version
5. Signout Page :
6. Top Frame : _top
7. Provider link : http://squirrelmail.org/
8. Provider name : SquirrelMail

R Return to Main Menu
C Turn color off
S Save data
Q Quit

Command >> 1

Set your Organization name and press Enter:

We have tried to make the name SquirrelMail as transparent as
possible. If you set up an organization name, most places where
SquirrelMail would take credit will be credited to your organization.

If your Organization Name includes a '$', please precede it with a \.
Other '$' will be considered the beginning of a variable that
must be defined before the $org_name is printed.
$version, for example, is included by default, and will print the
string representing the current SquirrelMail version.

[SquirrelMail]: linuxgeeknotes.com

Similarly, set all the other details such as organization title, logo and provider name in the wizard above. Once you are done, press “S” to save the changes and “R” to return to the main menu:

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Organization Preferences
1.  Organization Name      : linuxgeeknotes
2.  Organization Logo      : ../images/sm_logo.png
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : SquirrelMail $version
5.  Signout Page             :
6.  Top Frame                : _top
7.  Provider link             : http://squirrelmail.org/
8.  Provider name          : Linuxgeeknotes Mail

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> S

Now enter “2” to set up the server settings such as the domain name and the mail agent:

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> 2

Enter “1”, type your mail domain (e.g. linuxgeeknotes.com) and press Enter.

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Server Settings

General
-------
1. Domain : localhost
2. Invert Time : false
3. Sendmail or SMTP : Sendmail

A. Update IMAP Settings : localhost:143 (uw)
B. Change Sendmail Config : /usr/sbin/sendmail

R Return to Main Menu
C Turn color off
S Save data
Q Quit

Command >> 1

[localhost]: linuxgeeknotes.com

Enter “3” and change from sendmail to Postfix MTA (i.e. SMTP):

SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
Server Settings

General
-------
1.  Domain                  : linuxgeeknotes.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail

A.  Update IMAP Settings   : localhost:143 (uw)
B.  Change Sendmail Config : /usr/sbin/sendmail

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> 3

Enter “2” to switch from sendmail MTA to postfix.

You now need to choose the method that you will use for sending
messages in SquirrelMail.  You can either connect to an SMTP server
or use sendmail directly.

  1.  Sendmail
  2.  SMTP
Your choice [1/2] [1]: 2

Now enter “S” followed by “Q” to save and exit the Squirrelmail configuration.

Create the squirrelmail alias and directory block in the Apache config file:

vi /etc/httpd/conf/httpd.conf

Add the following lines at the end:

Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
 Options Indexes FollowSymLinks
 RewriteEngine On
 AllowOverride All
 DirectoryIndex index.php
 # Apache 2.2 access syntax; on httpd 2.4 it works via mod_access_compat,
 # the native equivalent is a single "Require all granted" line.
 Order allow,deny
 Allow from all
</Directory>

Restart the Apache service:

# systemctl restart httpd

Access Webmail

Now browse to http://ip-address/webmail or http://domain-name/webmail. You should be able to log in to the webmail with the users created before and send mail.
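A small audit of the main.cf and 10-auth.conf values used above, added here as an example (it is not part of the original post, nor code from Postfix or Dovecot). It parses the key = value syntax shared by both files and reports the two settings that decide whether this box becomes an open relay or accepts passwords in the clear, first on the post's own values and then on a constructed, weakened copy of them.

```python
import ipaddress
import re

# Ranges a LAN mail server is expected to relay for. Anything in mynetworks
# outside these means Postfix relays unauthenticated for the public internet.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def parse_kv(text):
    """Parse the 'key = value' lines used by main.cf and dovecot's conf.d files.

    Comments and blank lines are dropped; a later key overrides an earlier one,
    which is how both daemons treat duplicates.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_postfix(conf):
    """Findings for the relay-related settings in main.cf."""
    findings = []
    nets = [n for n in re.split(r"[,\s]+", conf.get("mynetworks", "")) if n]
    for net in nets:
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot parse {net!r}")
            continue
        trusted = [t for t in TRUSTED_RANGES if t.version == network.version]
        if not any(network.subnet_of(t) for t in trusted):
            findings.append(f"mynetworks: {net} is outside private/loopback space; "
                            "Postfix relays for every client in it without authentication")
    return findings


def audit_dovecot(conf):
    """Findings for the authentication settings in conf.d/10-auth.conf."""
    findings = []
    mechanisms = set(conf.get("auth_mechanisms", "plain").split())
    cleartext = sorted(mechanisms & {"plain", "login"})
    if cleartext and conf.get("disable_plaintext_auth", "yes").lower() != "yes":
        findings.append(f"disable_plaintext_auth=no with mechanisms {cleartext}: "
                        "passwords are accepted over unencrypted IMAP/POP3 sessions")
    if conf.get("ssl", "yes").lower() == "no":
        findings.append("ssl=no: no STARTTLS/IMAPS, so every login travels in the clear")
    return findings


def run_audit(main_cf, auth_conf):
    """Audit both files and return the combined list of findings."""
    return audit_postfix(parse_kv(main_cf)) + audit_dovecot(parse_kv(auth_conf))


# Constructed input: the main.cf and 10-auth.conf values from the post above.
MAIN_CF = """\
myhostname = linuxgeeknotes.com
mydomain = linuxgeeknotes.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.240.0/24, 127.0.0.0/8
home_mailbox = Maildir/
"""
AUTH_CONF = "disable_plaintext_auth = yes\nauth_mechanisms = plain login\n"

# Constructed counter-example: the same box turned into an open relay that
# also accepts cleartext passwords.
MAIN_CF_WEAK = MAIN_CF.replace("mynetworks = 192.168.240.0/24, 127.0.0.0/8",
                               "mynetworks = 0.0.0.0/0")
AUTH_CONF_WEAK = "disable_plaintext_auth = no\nauth_mechanisms = plain login\nssl = no\n"

if __name__ == "__main__":
    for label, files in (("post config", (MAIN_CF, AUTH_CONF)),
                         ("weakened config", (MAIN_CF_WEAK, AUTH_CONF_WEAK))):
        findings = run_audit(*files)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```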

Tuesday, 28 February 2017

Configure Postgres Hot Standby Server Using Log Shipping::

Configure Postgres Hot Standby Server Using Log Shipping::
==========================================================

Configure two identical database server machines. My version is PostgreSQL 9.6.2; a difference in database version between the two can cause conflicts during log shipping.

Server 1 -  dbmaster.local - 192.168.1.1
Server 2 -  dbslave.local   - 192.168.1.2

* Created the user postgres on both machines.
* Enabled ssh key authentication for postgres user

Master configuration::

Edit postgresql.conf::

wal_level = hot_standby
archive_mode = on
archive_command = 'scp %p postgres@dbslave.local:archive_logs/archive%f'

listen_addresses = '*'
archive_timeout = 120
max_wal_senders = 1

Edit pg_hba.conf::

host    all            all    192.168.1.0/24    trust
host    replication    rep    192.168.1.2/24    trust

Monday, 27 February 2017

Iptables and Firewalld Configuration

Iptables Commands::
===================

Iptables has 4 built-in tables::

1. Filter Table

    INPUT chain – Incoming to firewall. For packets coming to the local server.
    OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
    FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

2. NAT Table

    PREROUTING chain – Alters packets before routing, i.e. the translation happens immediately after the packet arrives at the system (and before routing). This is used to translate the destination IP address of the packet to something that matches the routing on the local server: DNAT (destination NAT).
    POSTROUTING chain – Alters packets after routing, i.e. the translation happens when the packet is leaving the system. This is used to translate the source IP address of the packet to something that matches the routing on the destination server: SNAT (source NAT).
    OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle Table

    Used for specialised packet alteration rather than address translation, for example changing the TTL or TOS fields or marking packets for later rules. It has PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains.

4. Raw Table

    PREROUTING chain
    OUTPUT chain

Some simple commands; please try to understand what each of them does.

# iptables -n -L -v --line-numbers

-L : list rules, -v : display detailed information, -n : display IP addresses and ports in numeric format, --line-numbers : number the rules in each chain.

To prevent access to a website, for example linuxgeeknotes.blogspot.in::

# host -t a linuxgeeknotes.blogspot.in          (gives the IP address, here 67.123.116.0)
# whois 67.123.116.0 | grep CIDR                (gives the network block, here 67.123.116.0/17)

# iptables -A OUTPUT -p tcp -d 67.123.116.0/17 -j DROP
# iptables -A OUTPUT -p tcp -d linuxgeeknotes.blogspot.in -j DROP



To log and block IP spoofing on public interface called eth1::

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A:"
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP


Drop and Accept traffic using mac address::

# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT


Block ping requests, on all interfaces or only on the public interface eth1::

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

To open a range of ports::

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

To allow a range of IPs to port 80::

# iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT


Replace ACCEPT with DROP in these rules to block the port instead.
Open ssh (tcp port 22), for everyone or only for the LAN::

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT 

Open cups (printing service) udp/tcp port 631 for LAN users ##

# iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow time sync via NTP for LAN users (open udp port 123) ##

# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open tcp port 25 (smtp) for all ##
# iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

Open dns server ports for all ##
# iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

Open http/https (Apache) server port to all ##
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Open tcp port 110 (pop3) for all ##
# iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

Open tcp port 143 (imap) for all ##
# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

Open access to Samba file server for lan users only ##
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only #
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only #
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

Limiting the number of connections for a particular service::

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Flushing and deleting rules and chains::

# iptables -F             , -F deletes (flushes) all rules in the table's chains
# iptables -X             , -X deletes every empty user-defined chain
# iptables -t nat -F      , -t table_name selects the table (the default is filter)
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
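Rules in a chain are evaluated top to bottom and the first terminal match wins, so a rule appended after a broader one that already ACCEPTs or DROPs the same packets never fires; the two ping rules and the two port-22 rules above are cases of this. The checker below is an added example (my own, not from the post): it takes the rules in the order they sit in the chain, only understands the -s/-d/-i/-p/--dport/--state style matches used on this page, and does not model state subsumption (a --syn packet is also NEW).

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}          # targets that end chain traversal
ALIASES = {"-s": "--source", "-d": "--destination", "-i": "--in-interface",
           "-o": "--out-interface", "-p": "--protocol",
           "--destination-port": "--dport", "--source-port": "--sport"}
NETWORK_KEYS = {"--source", "--destination"}


def parse_rule(line):
    """Split one 'iptables -A CHAIN ...' line into (chain, matches, target).

    Matches are stored as option -> value (None for flags such as --syn);
    '-m module' tokens only load a match extension and are dropped.
    """
    tokens = shlex.split(line)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    chain, target, matches = None, None, {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        value = tokens[i + 1] if has_value else None
        if tok in ("-A", "-I"):
            chain = value
        elif tok == "-j":
            target = value
        elif tok != "-m":
            matches[ALIASES.get(tok, tok)] = value
        i += 2 if has_value else 1
    return chain, matches, target


def covers(broad, narrow):
    """True if every packet matched by 'narrow' is also matched by 'broad'."""
    for key, value in broad.items():
        if key not in narrow:
            return False
        if key in NETWORK_KEYS:
            try:
                inner = ipaddress.ip_network(narrow[key], strict=False)
                outer = ipaddress.ip_network(value, strict=False)
                if not inner.subnet_of(outer):
                    return False
            except (ValueError, TypeError):
                return False
        elif narrow[key] != value:
            return False
    return True


def find_shadowed(rules_text):
    """Return (shadowed_rule, shadowing_rule) 1-based pairs, in chain order."""
    parsed = [parse_rule(line) for line in rules_text.splitlines() if line.strip()]
    findings = []
    for j, (chain, matches, _) in enumerate(parsed):
        for i in range(j):
            earlier_chain, earlier_matches, earlier_target = parsed[i]
            if (earlier_chain == chain and earlier_target in TERMINAL
                    and covers(earlier_matches, matches)):
                findings.append((j + 1, i + 1))
                break
    return findings


# Constructed input: INPUT-chain rules from the post above, in the order the
# post appends them (the order 'iptables -L INPUT --line-numbers' would show).
RULES = """\
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A:"
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
"""

if __name__ == "__main__":
    for shadowed, by in find_shadowed(RULES):
        print(f"rule {shadowed} can never match: rule {by} already decides those packets")
```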



Firewalld Commands::
====================


The firewalld daemon manages groups of rules using entities called zones.

Firewalld uses zones and services instead of chains and rules.

Some of the firewalld commands are as follows. Please look into them and try to understand them::

# systemctl start firewalld

# systemctl enable firewalld

# systemctl stop firewalld

# systemctl disable firewalld

# firewall-cmd --state

# systemctl status firewalld

# firewall-cmd --reload

# firewall-cmd --zone=public --add-service=http --permanent

# firewall-cmd --zone=public --remove-service=http --permanent

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'

# firewall-cmd --zone=public --add-port=12345/tcp --permanent

# firewall-cmd --zone=public --remove-port=12345/tcp --permanent

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=<target-ip>

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.1.2 accept'

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.2" port port=22 protocol=tcp reject'

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.1.0.3" forward-port port=80 protocol=tcp to-port=6532'

Tuesday, 21 February 2017

389 Directory Server - Multi-Master Replication::

389 Directory Server - Multi-Master Replication::
=================================================
Setup as follows::
Directory Server 1 :  192.168.1.1 (dirs1.test.int)
Directory Server 2 :  192.168.1.2 (dirs2.test.int)

Pre-requisites on both servers::

# Add /etc/hosts entries on both  servers.
# Install apache webserver on both.
# Whitelist ports 389, 9830 and 636 and both server IPs in the firewall.

# Add the following lines at the end  of  /etc/sysctl.conf  file.
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

# Add the following lines at the end  of   /etc/security/limits.conf file
*               soft     nofile          8192  
*               hard     nofile          8192

# Set ulimit as follows and add it in /etc/profile
 ulimit -n 8192

Install the 389 Server packages on both the servers as follows::

# yum install 389-ds-base openldap-clients idm-console-framework 389-adminutil 389-admin 389-admin-console 389-console 389-ds-console

# setup-ds-admin.pl

You will be prompted for configuration questions. Configure accordingly for your use.

Start the services
#  systemctl start dirsrv.target
#  systemctl start dirsrv-admin.service
#  /httpd-2.4/bin/apachectl start

Multi-Master Replication Configuration:: 

Server 1 Configuration:

# Log in to 389-console on server 1 using the credentials given during setup-ds-admin.pl


Double click "Directory Server" on the left pane --> click the Directory tab.
Right click the "Config" entry on the left pane and create a new user there (this is the replication user, used only for replication).
In my case I created the user "rep".

Now go to the Configuration tab and click Replication.
Enable Changelog --> select the path for the log and click Save.

Under Replication --> userRoot --> enter the replication settings:
Replication Role : MultiMaster
Set Purge Delay as : Never
Enter New supplier DN as : uid=rep,cn=config (as my user is rep)
Click Save.

Now right click userRoot --> New Replication Agreement.
Enter a name for the agreement and click Next.

Enter the consumer details (on this server, the Supplier is Server1 and the Consumer is Server2).
Enter the host name and port of the Consumer.

Enter the replication username and password and click Next to complete the replication.

Server 2 Configuration:

# Log in to 389-console on server 2 using the credentials given during setup-ds-admin.pl

Double click "Directory Server" on the left pane --> click the Directory tab.
Right click the "Config" entry on the left pane and create a new user there (this is the replication user, used only for replication).
In my case I created the user "rep".

Now go to the Configuration tab and click Replication.
Enable Changelog --> select the path for the log and click Save.

Under Replication --> userRoot --> enter the replication settings:
Replication Role : MultiMaster
Set Purge Delay as : Never
Enter New supplier DN as : uid=rep,cn=config (as my user is rep)
Click Save.

Now right click userRoot --> New Replication Agreement.
Enter a name for the agreement and click Next.

Enter the consumer details (on this server, the Supplier is Server2 and the Consumer is Server1).
Enter the host name and port of the Consumer.

Enter the replication username and password and click Next to complete the replication.


Once done, Try creating ldap users via 389-console under the domains on both the servers. The users will be automatically replicated and listed on both the servers.

Monday, 20 February 2017

Import ssl certificate to Java Key Store::

Import SSL certificates to Java Key Store::
===========================================
Download the certificate to the home directory of the domain and run the keytool utility to import the certificate into the Java Key Store.

Note: the self-signed certificate generated on Windows is in .pfx format. Command to convert a .pfx certificate to .crt::

#  openssl pkcs12 -in ind-vmn-vm3.win12vmn.test.int.pfx -clcerts -nokeys -out ind-vmn-vm3.win12vmn.test.int.crt

General form of the import command (keytool options take a single dash)::

# keytool -import -file certificate.cer -keystore <keystore-file>

For example::

# keytool -import -trustcacerts -alias testaliasname -file ind-vmn-vm3.win12vmn.test.int.crt -keystore /opt/java/jdk1.8.0_121/jre/lib/security/cacerts

keytool prompts for the keystore password; the default password of the JDK's cacerts file is changeit.

To list the installed certificate::
# keytool -list -v -keystore /opt/java/jdk1.8.0_121/jre/lib/security/cacerts | grep Alias | grep testaliasname

It will be stored in the cacerts keystore given above, /opt/java/jdk1.8.0_121/jre/lib/security/cacerts.

Back up cacerts before running keytool.

Sunday, 12 February 2017

Postgresql-9.6.1 Database Streaming Replication from Master to Slave

Postgresql-9.6.1 Database Streaming Replication from Master to Slave::
======================================================================
I have two VMs with CentOS 7; their IPs are as follows::

Master :  192.168.1.1
Slave   :  192.168.1.2

Master Configuration::

Create user postgres 
Download postgresql-9.6.1.tar.gz and untar it

# ./configure --prefix=/home/postgres/pgsql
# make
# make install


Initialize new database:

#  /home/postgres/pgsql/bin/initdb -D /home/postgres/pgsql/data
# /home/postgres/pgsql/bin/pg_ctl -D /home/postgres/pgsql/data/ -l logfile start
# /home/postgres/pgsql/bin/pg_ctl -D /home/postgres/pgsql/data/ -l logfile stop
Edit pg_hba.conf

Add entries for the host IPs allowed to connect and for the replication slave (the slave authenticates against the master, so the replication entry has to be here before pg_basebackup is run), as follows::

host    all            all    192.168.1.0/24    trust
host    replication    rep    192.168.1.2/24    trust


Edit postgresql.conf::
listen_addresses = '*'
wal_level = hot_standby
# checkpoint_segments was removed in PostgreSQL 9.5; 9.6 sizes checkpoints with max_wal_size instead
archive_mode = on
max_wal_senders = 3
wal_keep_segments = 8

# /home/postgres/pgsql/bin/psql -U 

Create replication user on master::

postgres=# CREATE ROLE rep WITH REPLICATION PASSWORD '********' LOGIN;





Slave Configuration::

Create user postgres 

Download postgresql-9.6.1.tar.gz and untar it

# ./configure --prefix=/home/postgres/pgsql
# make
# make install

Initialize new database:

#  /home/postgres/pgsql/bin/initdb -D /home/postgres/pgsql/data

Move the slave's freshly initialised data directory aside and take a base backup from the master in its place:
mv /home/postgres/pgsql/data  /home/postgres/pgsql/data.backup

pg_basebackup -h 192.168.1.1 -D /home/postgres/pgsql/data -U rep -v -P



Edit pg_hba.conf

Add entries for the host IPs allowed to connect and for the replication slave, as follows::

host    all            all    192.168.1.0/24    trust
host    replication    rep    192.168.1.2/24    trust


Now create recovery.conf on the slave and add the following entries::

vi /home/postgres/pgsql/data/recovery.conf
standby_mode = 'on'
primary_conninfo = 'host=192.168.1.1 port=5432 user=rep password=password'
trigger_file = '/tmp/postgresql.trigger.5432'

or, to keep the password out of recovery.conf::
standby_mode = 'on'
primary_conninfo = 'host=192.168.240.41 port=5432 user=rep'
trigger_file = '/tmp/postgresql.trigger.5432'
and create a .pgpass file under the home directory of the postgres user, with permissions 0600 (libpq ignores it otherwise), as follows::
192.168.240.41:5432:*:rep:123456
 
Now configure pgadmin on your desktop and create tables on the master database server. 
It should be automatically replicated to the slave server.
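The pg_hba.conf entries used in the log-shipping and streaming-replication posts above, run through a checker added here as an example (it is not part of either post, nor PostgreSQL code). It flags trust (no password at all) granted to anything other than loopback, and CIDR addresses whose host bits are set: PostgreSQL masks 192.168.1.2/24 to 192.168.1.0/24, so that entry admits the whole LAN rather than the one standby; the corrected variant is constructed.

```python
import ipaddress

LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_pg_hba(text):
    """Return the host-type records of a pg_hba.conf as dicts.

    'local' records (Unix sockets) carry no network address and are skipped.
    The address may be CIDR or an 'address netmask' pair; both are normalised
    to a single 'address/mask' string.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        if len(fields) >= 6 and "/" not in fields[3]:
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        else:
            address, method = fields[3], fields[4]
        records.append({"line": lineno, "type": fields[0], "database": fields[1],
                        "user": fields[2], "address": address, "method": method})
    return records


def audit_pg_hba(text):
    """Return findings for passwordless access and mis-typed CIDR masks."""
    findings = []
    for rec in parse_pg_hba(text):
        addr = rec["address"]
        if addr == "all":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif addr in ("samehost", "samenet"):
            continue
        else:
            try:
                net = ipaddress.ip_network(addr, strict=True)
            except ValueError:
                try:
                    net = ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    continue  # a hostname entry; nothing to check here
                single = f"{addr.split('/')[0]}/{net.max_prefixlen}"
                findings.append(
                    f"line {rec['line']}: {addr} has host bits set; PostgreSQL masks it "
                    f"to {net}, so the entry admits the whole range rather than one host "
                    f"(for a single host use {single})")
        if rec["method"] == "trust":
            same_family = [lb for lb in LOOPBACK if lb.version == net.version]
            if not any(net.subnet_of(lb) for lb in same_family):
                what = ("streaming/WAL replication" if rec["database"] == "replication"
                        else f"database(s) {rec['database']}")
                findings.append(
                    f"line {rec['line']}: trust for user {rec['user']} on {what} "
                    f"from {net}: any host in that range connects with no password")
    return findings


# Constructed input: the pg_hba.conf entries given in the replication posts above.
PG_HBA = """\
# TYPE  DATABASE     USER   ADDRESS          METHOD
host    all          all    127.0.0.1/32     trust
host    all          all    192.168.1.0/24   trust
host    replication  rep    192.168.1.2/24   trust
"""

# Constructed fix: password auth for the LAN and a /32 for the single standby.
# md5 is the strongest password method in 9.6; the replication role needs the
# PASSWORD set in CREATE ROLE above, and the standby supplies it via
# primary_conninfo or .pgpass.
PG_HBA_FIXED = """\
host    all          all    127.0.0.1/32     trust
host    all          all    192.168.1.0/24   md5
host    replication  rep    192.168.1.2/32   md5
"""

if __name__ == "__main__":
    for label, text in (("as typed", PG_HBA), ("fixed", PG_HBA_FIXED)):
        findings = audit_pg_hba(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```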

Wednesday, 8 February 2017

High Availability Configuration and LoadBalancing for webservers using HAProxy::

High Availability Configuration and LoadBalancing for webservers using HAProxy::
================================================================================
My scenario is as follows:

HA Proxy is installed on 192.168.1.100

I have one application hosted on four Tomcat instances, listed below, all sharing the same database.
192.168.1.10:8084
192.168.1.10:8085
192.168.1.10:8086
192.168.1.10:8087

Database server 192.168.1.50

I have four Apache instances installed on another server, each connected to one of the Tomcat instances above using the mod_jk connector:

192.168.1.20:8040 --> 192.168.1.10:8084
192.168.1.20:8050 --> 192.168.1.10:8085
192.168.1.20:8060 --> 192.168.1.10:8086
192.168.1.20:8070 --> 192.168.1.10:8087

So once configured, when I browse 192.168.1.100, I should get any of the four Tomcat pages.

Please check the previous thread for apache-mod_jk configurations


HAproxy installation steps:-
# yum install haproxy

Edit /etc/haproxy/haproxy.cfg and add the frontend and backend entries at the bottom of the file.

Comment out any default entries.
========================

frontend http-service
    bind 192.168.1.100:80
    acl url path_beg /
    default_backend http-server
    mode http

backend http-server
    balance roundrobin
    option httpchk HEAD /
    server service1 192.168.1.20:8040 check
    server service2 192.168.1.20:8050 check
    server service3 192.168.1.20:8060 check
    server service4 192.168.1.20:8070 check

===========================
Disable SELinux and restart the service.

Monday, 30 January 2017

Postgres Installation in Windows Server 2012::

Postgres 9.5.5 Installation and Table Space creation in Windows Server 2012::
=============================================================================

Download Postgres from
https://get.enterprisedb.com/postgresql/postgresql-9.5.5-1-windows-x64.exe and run the Windows installer.

The default installation path will be C:\Program Files\PostgreSQL\9.5

The default database created will be 'postgres', on port '5432'.
Set the database password when prompted during the installation.

PgAdmin-3 will be installed automatically with PostgreSQL.

Once the installation is completed, try connecting to the database using pgAdmin with the default username and password.

For remote connections edit the file
C:\Program Files\PostgreSQL\9.5\data\pg_hba.conf and add the IP range as follows, based on your network. In my case it is::

host    all             all              192.168.240.0/24                md5

To create tablespaces, create folders under D:\
fiscaud
fiscmon
fiscmon
and give "Network Service" full permissions on the above folders.

Go to pgAdmin, right click Tablespaces --> Add Tablespace and enter the tablespace details and path.

Tuesday, 24 January 2017

Connect to Apache Tomcat 9.0.0 via IIS-8 using ISAPI redirector in Windows Server 2012::

Connect to Apache Tomcat 9.0.0 via IIS-8 using ISAPI redirector in Windows Server 2012::
=========================================================================================

* Download the latest JDK from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html and run the exe file.
  You can find it installed in the default path C:\Program Files\Java\jdk1.8.0
  Set the environment variable JAVA_HOME to C:\Program Files\Java\jdk1.8.0

* Download the latest Apache Tomcat from https://tomcat.apache.org/download-90.cgi and install it under C:\Program Files\Apache Software Foundation\Tomcat9.0
  Set the environment variable CATALINA_HOME to C:\Program Files\Apache Software Foundation\Tomcat9.0


* Download the ISAPI redirector and extract it in the C:\ drive as C:\Jakarta_Isapi_Redirector_64-bit-Intel

Configure the files under C:\Jakarta_Isapi_Redirector_64-bit-Intel\conf as follows


uriworkermap.properties
===================================
/*=wlb
/jkmanager=jkstatus
===================================

workers.properties
===================================
worker.list=wlb,jkstatus
# the AJP worker that talks to Tomcat's AJP connector on port 8009
worker.ajp13w1.type=ajp13
worker.ajp13w1.host=localhost
worker.ajp13w1.port=8009
# the load-balancer worker that the URI map points at
worker.wlb.type=lb
worker.wlb.balance_workers=ajp13w1
worker.jkstatus.type=status
===================================

iis_redirect.reg
===================================
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"extension_uri"="/jakarta/isapi_redirect.dll"
"log_file"="C:\\Jakarta_Isapi_Redirector_64-bit-Intel\\logs\\iis_redirect.log"
"log_level"="emerg"
"worker_file"="C:\\Jakarta_Isapi_Redirector_64-bit-Intel\\conf\\workers.properties"
"worker_mount_file"="C:\\Jakarta_Isapi_Redirector_64-bit-Intel\\conf\\uriworkermap.properties"
===================================

Run the file iis_redirect.reg

* Install IIS-8 in Windows Server 2012 with the CGI and ISAPI modules.

After the IIS installation, configure the ISAPI redirector in IIS-8 as follows.
The roles required for this are::

Application Development Roles:
CGI, ISAPI Extensions, ISAPI Filters

Management Roles:
IIS Management Console

Go to IIS Manager, right click the "Default Website" and click "Add Virtual Directory".
Enter Alias as "Jakarta"
and Physical Path as "C:\Jakarta_Isapi_Redirector_64-bit-Intel\bin"
Click OK.

Now click "Jakarta" under "Default Website" and click Handler Mappings --> Edit Feature Permissions. Check "Read", "Script", "Execute" and click OK.


Again, IIS Manager --> Default Website --> ISAPI Filters --> Add
Enter "Filter name" as "jakarta" and "Executable" as "C:\Jakarta_Isapi_Redirector_64-bit-Intel\bin\isapi_redirect.dll"

Now go back to IIS Manager and select the Windows server name.
Double click "ISAPI and CGI Restrictions" --> Add
Set "ISAPI or CGI path" as "C:\Jakarta_Isapi_Redirector_64-bit-Intel\bin\isapi_redirect.dll" and Description as "jakarta", and tick "Allow extension path to execute".

Click OK.

Now restart Apache Tomcat and IIS-8.
You should be able to access the Tomcat page via IIS-8:
both http://192.168.1.1 and http://192.168.1.1:8080 should display the Tomcat page.

Monday, 23 January 2017

Enabling Godmode in Windows 10 and installing SSL in IIS-8::

Enabling Godmode in Windows 10::
================================

* Create a New folder on the desktop
* Rename it as GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Instead of Godmode you can use whatever name you would want to try. For example
GeekMode.{ED7BA470-8E54-465E-825C-99712043E01C}

This is handy because all the Windows settings, tools and features are available in a single place.



Installing SSL in IIS-8::
=========================

Go to IIS Manager on Windows Server 2012.
Click Server Name --> Server Certificates-->Create Self Signed Certificate

Give a user friendly name for the certificate and select certificate store for the new certificate.

Click Default Website and Select bindings from the right pane.

Select https and port  443 and mention the hostname and click OK.



389 Directory Server and Remote Admin console configuration:

389 Directory Server and Remote Admin console configuration::
=============================================================

# Set the server IP address in /etc/hosts
192.168.1.1

# Whitelist ports 389, 9830 and 636 in the firewall

# Add the following lines at the end of the /etc/sysctl.conf file.

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
 
# Add the following lines at the end  of   /etc/security/limits.conf file 
*               soft     nofile          8192   
*               hard     nofile          8192
# Set ulimit as follows and add it in /etc/profile
 
ulimit -n 8192
 
# Create an ldapuser and set password for the user.
 
# yum install 389-ds-base openldap-clients idm-console-framework 389-adminutil 389-admin 389-admin-console 389-console 389-ds-console
 
# setup-ds-admin.pl
You will be prompted for configuration questions. Configure accordingly for your use.
 
Start the services 
#  systemctl start dirsrv.target
#  systemctl start dirsrv-admin.service
#  /httpd-2.4/bin/apachectl start  
 
#  The configuration files are under the /etc/dirsrv/ directory and the log files under /var/log/dirsrv/
 
Now download the LDAP admin client application on a remote machine and try connecting to the 389 directory server.

You can download the latest ldapbrowser from the url
http://www.ldapadministrator.com/download.htm


Install it on your Windows machine.

Friday, 20 January 2017

Configure multiple Postgres instances on the server and connect via PgAdmin

Configure multiple Postgres instances on the server and connect via PgAdmin::
=============================================================================
Server : 192.168.1.1
Postgresuser1 : postgres1
Postgresuser2 : postgres2

Log in as postgres1
#wget https://ftp.postgresql.org/pub/source/v9.6.1/postgresql-9.6.1.tar.gz
#tar -zxvf postgresql-9.6.1.tar.gz
#cd  postgresql-9.6.1
#./configure   --prefix=/home/postgres1/pgsql/
#make
#make install
Now we need to initialise the database cluster (data directory)
# /home/postgres1/pgsql/bin/initdb  -D /home/postgres1/pgsql/data/
 
Run this command as root 
#/sbin/ldconfig /home/postgres1/pgsql/lib


You will now be able to connect to the database with the below command from the localhost shell
# /home/postgres1/pgsql/bin/psql -U postgres1 postgres
# /home/postgres1/pgsql/bin/psql -U postgres1 postgres -p 5432
psql (9.6.1)
Type "help" for help.

postgres=# alter user postgres password '123456';
postgres=# GRANT ALL ON DATABASE postgres  TO postgres1;


Check the version of postgresql installed
# /home/postgres1/pgsql/bin/psql --version

Now we need to access the database from outside the local host. For that we need to edit two configuration files under /home/postgres1/pgsql/data/

1.)Edit postgresql.conf
listen_addresses = '*'
port = 5432

2.)Edit pg_hba.conf (Host Based Authentication file) based on your network IP address range. In my case it is as follows

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.200.0/24            trust

Now restart postgresql service as follows::
/home/postgres1/pgsql/bin/pg_ctl -D /home/postgres1/pgsql/data/ -l logfile start

Repeat the same steps for the second user 'postgres2'
Give another port for the second user in  postgresql.conf
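The pg_hba.conf entry above uses the trust method, which lets any host in 192.168.200.0/24 log in as any role, the superuser included, without a password. As an added example (not from the post), this Python audit parses pg_hba.conf rules, reports every trust rule and emits the same rules rewritten to md5, the password method available on 9.6 (scram-sha-256 only exists from PostgreSQL 10). The sample file content is constructed from the entries in the post.

```python
import ipaddress

# Constructed pg_hba.conf excerpt mirroring the entries in the post above.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.200.0/24            trust
"""

def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples; comments are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":      # Unix-socket rules have no ADDRESS column
            fields.insert(3, "")
        if len(fields) >= 5:
            rules.append(tuple(fields[:5]))
    return rules

def audit_pg_hba(text, replacement="md5"):
    """Return (findings, hardened_lines) for a pg_hba.conf text.

    Each finding is (rule, reason). 'trust' accepts any role name without a
    password, so it is rewritten to the password method given by replacement.
    """
    findings, hardened = [], []
    for rule in parse_pg_hba(text):
        typ, db, user, addr, method = rule
        if method == "trust":
            if typ == "local":
                scope = "the Unix socket"
            else:
                try:
                    net = ipaddress.ip_network(addr, strict=False)
                    scope = "loopback" if net.is_loopback else f"every host in {net}"
                except ValueError:           # hostname or samehost/samenet keyword
                    scope = f"hosts matching {addr!r}"
            findings.append((rule, f"trust on {scope}: any role, no password"))
            method = replacement
        hardened.append(" ".join(f for f in (typ, db, user, addr, method) if f))
    return findings, hardened
```

After changing the method, the password set with ALTER USER is required for every connection, including pgAdmin, so set it before the reload.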


Once the installation is complete, install pgAdmin on your desktop and connect to the PostgreSQL server.

Download pgadmin from https://ftp.postgresql.org/pub/pgadmin3/release/v1.22.2/win32/pgadmin3-1.22.2.zip

Install it and enter the server IP address, port and password to connect.

You should be able to connect to the server. You can use the same credentials to connect from different applications to the database server.


We can create a tablespace via pgAdmin.
Once the tablespace is created, check it on the server under the directory '/home/postgres1/pgsql/data/pg_tblspc'

[postgres1@ind pg_tblspc]$ ll
total 0
lrwxrwxrwx 1 postgres1 postgres1 23 Jan 20 17:23 16389 -> /home/postgres1/tablespace1
lrwxrwxrwx 1 postgres1 postgres1 23 Jan 20 17:23 16390 -> /home/postgres1/tablespace2
lrwxrwxrwx 1 postgres1 postgres1 23 Jan 20 17:24 16391 -> /home/postgres1/tablespace3
drwx------ 2 postgres1 postgres1  6 Jan 20 16:54 tablespace1
drwx------ 2 postgres1 postgres1  6 Jan 20 16:54 tablespace2
drwx------ 2 postgres1 postgres1  6 Jan 20 16:54 tablespace3

Wednesday, 18 January 2017

Multiple Tomcat Instances connected via apache using mod-jk connector configuration::

Multiple Tomcat Instances connected via apache using mod-jk connector configuration::
================================================================
# yum install gcc

Creating the users and group::
# groupadd apache
# useradd -g apache -m -d /home/linuxgeek1 linuxgeek1

Install Apache as described in the previous post.

Download the latest Java from the URL below:

# cd /opt/linuxgeek1/
# wget  http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz
Untar it.

Go to the home directory of the user 'linuxgeek1' and edit .bash_profile as below to set the PATH

PATH=$PATH:$HOME/.local/bin:$HOME/bin:$HOME/httpd/bin:/opt/linuxgeek1/jdk1.8.0_121/bin
#export JAVA_HOME=/opt/linuxgeek1/jdk1.8.0_121
export PATH

Check the installed java version
# java -version

java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)




Download latest Apache Tomcat into the home directory and untar it
# wget http://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.11/bin/apache-tomcat-8.5.11.tar.gz
# tar -zxvf  apache-tomcat-8.5.11.tar.gz
# cd  apache-tomcat-8.5.11

Download latest mod-jk connector into the home directory and untar it.
# wget  http://www-us.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.42-src.tar.gz
#  tar -zxvf tomcat-connectors-1.2.42-src.tar.gz
#  cd  tomcat-connectors-1.2.42-src/native
#  ./configure  --with-apache=/home/linuxgeek1/httpd  --with-apxs=/home/linuxgeek1/httpd/bin/apxs
or 
#  ./configure  --with-apxs=/home/iaas1idm/httpd/bin/apxs

Now go to the Apache home directory and, under the conf directory, create two files, workers.properties and mod_jk.conf, with the following contents:

# vi  workers.properties
===========================
workers.tomcat_home=/home/linuxgeek1/apache-tomcat
workers.java_home=/opt/linuxgeek1/jdk1.8.0_121
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.port=8029
worker.worker1.host=localhost
worker.worker1.lbfactor=1
# Set properties
===========================

# vi mod_jk.conf
===========================
# Where to find workers.properties
JkWorkersFile /home/linuxgeek1/httpd/conf/workers.properties
# location of log file
JkLogFile /home/linuxgeek1/httpd/logs/mod_jk.log
# log level
JkLogLevel info
# Select the log format
#JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
#JkRequestLogFormat "%w %V %T"
# Send every request (/*) to worker1
JkMount /* worker1
============================

Now edit the httpd.conf file and add the entries for the listen port, the mod_jk module and the virtual host

#vi httpd.conf

Listen 192.168.1.1:8010 
LoadModule jk_module modules/mod_jk.so  (add this line in the load module section)

At the bottom of the httpd.conf file add the virtual host entries as follows::


====================================
#mod_jk
Include conf/mod_jk.conf
#JkWorkersFile "conf/workers.properties"
#JkLogFile "/home/linuxgeek1/httpd/logs/mod_jk.log"
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"

<VirtualHost *:80>
#ServerAdmin admin@www.mydomain1.com
DocumentRoot "/home/linuxgeek1/apache-tomcat/webapps/ROOT"
#ServerName http://www.mydomain1.com
#ErrorLog logs/www.mydomain1.com_log
#CustomLog logs/www.mydomain1.com_log combined

#JkMount /  worker1
JkMount /* worker1

</VirtualHost>
====================================


Also edit the port details in the Tomcat configuration file "server.xml". We need to use different port numbers for shutdown, the HTTP connector and AJP for each user. The configuration below is for the user linuxgeek1.
====================================
<Server port="8011" shutdown="SHUTDOWN">

  <Connector port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8029 (must match worker.worker1.port) -->
    <Connector port="8029" protocol="AJP/1.3" redirectPort="8443" />
===================================
Now restart Apache and Tomcat and try accessing the URLs 192.168.1.1:8010 and 192.168.1.1:8082

Both pages will display the Apache Tomcat default page.

Repeat the same steps above with different users and different ports for multiple instances
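With one workers.properties and one server.xml per user, the AJP port is easy to get out of step between the two files. As an added example (not part of the post), this Python check cross-references workers.properties against server.xml: each worker's port must match an AJP/1.3 connector, and since the worker host is localhost the connector should carry address="127.0.0.1", which Tomcat 8.5.11 does not set by default, so the AJP port would otherwise be reachable from the network. The server.xml used here is a constructed, well-formed version trimmed to the connectors in the post's excerpt.

```python
import xml.etree.ElementTree as ET

# Constructed workers.properties with the same values as the file in the post.
WORKERS_PROPERTIES = """\
workers.tomcat_home=/home/linuxgeek1/apache-tomcat
workers.java_home=/opt/linuxgeek1/jdk1.8.0_121
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.port=8029
worker.worker1.host=localhost
worker.worker1.lbfactor=1
"""

# Constructed, well-formed server.xml trimmed to the connectors shown in the post.
SERVER_XML = """\
<Server port="8011" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8082" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8029" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def parse_workers(text):
    """Return {worker_name: {attribute: value}} for every worker named in worker.list."""
    props = dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    return {n: {k.split(".", 2)[2]: v for k, v in props.items() if k.startswith(f"worker.{n}.")}
            for n in names}

def ajp_connectors(xml_text):
    """Return {port: bind_address_or_None} for every AJP/1.3 connector in server.xml."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): c.get("address")
            for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP")}

def check_mod_jk(workers_text, server_xml):
    """Cross-check workers.properties against server.xml; return a list of problems."""
    problems = []
    connectors = ajp_connectors(server_xml)
    for name, w in parse_workers(workers_text).items():
        port = w.get("port")
        if port not in connectors:
            problems.append(f"{name}: no AJP/1.3 connector on port {port} in server.xml")
        elif w.get("host") in ("localhost", "127.0.0.1") and connectors[port] not in ("127.0.0.1", "localhost"):
            # Apache reaches Tomcat over loopback, so the AJP port need not be bound on the
            # network interfaces; Tomcat 8.5.11 binds all interfaces unless address is set.
            problems.append(f'{name}: AJP connector {port} lacks address="127.0.0.1" and listens on all interfaces')
    return problems
```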