DSEE7: design 


- The command line management and monitoring tools, dsconf(1M) and dpconf(1M), require only LDAP access to the servers that you manage.

- DSCC is a web application. DSCC runs inside the framework known as Sun Java Web Console. You typically install DSCC on only one system in your deployment. You then manage all your servers from that installation of DSCC.

- DSCC requires LDAP access to the servers for online management operations. DSCC also requires Java Management Extension (JMX) access to agents installed alongside the servers. The agents perform server process management operations on behalf of DSCC, operations that cannot be performed through LDAP on a running server. DSCC contacts the agents over the network using a specific port number.

- The agents run inside a common agent container on the server system. This common agent container provides its agents with a single external port for management applications. The common agent container also consolidates resources to save resources on systems where multiple local agents share the container. For troubleshooting purposes, a common agent container can be managed independently using the cacaoadm command.

- When you install DSCC you also install Directory Server software. DSCC uses its own private instance of Directory Server to store configuration information.

- When you install DSCC on the administration host, you must be root. However, you can then use DSCC installed on the administration host to manage server hosts installed as non-root.



Directory Service Control Center not initialized: App server was runnig as a non-root user and directory server was runnig as a different non-root user. It worked when both these non-root users are set to identical. Sun Java System Directory Server Discussion Thread.


[ add comment ]   |  [ 0 trackbacks ]   |  permalink
http://www.temnokomornik.com/ 
http://www.temnokomornik.com/

[ add comment ]   |  [ 0 trackbacks ]   |  permalink
DSEE7: query LDAP aci (ACL) records with ldapsearch 
* show all ACLs in dc=example,dc=com

[root@dhcppc2 ~]# ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "dc=example,dc=com" -s sub "(objectClass=*)" aci 


* show all objectclassed available in schema

ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=schema" -s sub "(objectClass=*)" objectClasses


[ add comment ]   |  [ 0 trackbacks ]   |  permalink
DSEE7: removing, adding and registering (to dscc, cacao) instances  
* recreating default ads instance

[root@dhcppc2 ~]# dsadm delete /usr/local/dsee7/var/dcc/ads
[root@dhcppc2 ~]# dsccsetup ads-create
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/var/dcc/ads
[root@dhcppc2 ~]# dsadm list-running-instances


* start Cacao, deploy Cacao init-script, register the DSCC agent in Common Agent Container

[root@dhcppc2 ~]# cacaoadm start
[root@dhcppc2 ~]# cacaoadm enable
[root@dhcppc2 ~]# dsccsetup cacao-reg


* create and deploy war file, start Glassfish

[root@dhcppc2 ~]# dsccsetup war-file-create
[root@dhcppc2 ~]# /opt/glassfish/bin/asadmin start-appserv


* connect to Glassfish

https://10.0.0.3:8181/dscc7/


* vytvoření dsInstanceEXAMPLE instance

[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 3200 -P 3201 /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 4200 -P 4201 /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsadm create -u [user] -g [group] -p 5200 -P 5201 /usr/local/dsee7/dsInstanceEXAMPLE3


* start instance

[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsadm start /usr/local/dsee7/dsInstanceEXAMPLE3


* přidání instance ads do DSEE

[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE
[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE2
[root@dhcppc2 ~]# dsccreg add-server /usr/local/dsee7/dsInstanceEXAMPLE3


* list instancí

[root@dhcppc2 ~]# dsccreg list-servers
Enter DSCC administrator's password:
Enter DSCC administrator's password:Hostname Port sPort Type Owner Flags iPath Description
-------- ---- ----- ---- ----- ----- ----------------------------------- -----------
dhcppc2 4000 4001 DS root /usr/local/dsee7/dsInstanceEXAMPLE2
dhcppc2 5200 5201 DS root /usr/local/dsee7/dsInstanceEXAMPLE3
dhcppc2 3200 3201 DS root /usr/local/dsee7/dsInstanceEXAMPLE
3 server instance(s) found in DSCC on localhost.


* create suffix

[root@dhcppc2 ~]# dsconf create-suffix -h [hostname] -p [port] dc=example.dc=com


* import data to instance

[root@dhcppc2 ~]# dsconf import -h [hostname] -p [port] [file.ldif] dc=example,dc=com


* or import data offline

[root@dhcppc2 ~]# dsadm import $DSHOME/slapd-ldap1 $DSHOME/prod.ldif dc=example,dc=com


* create index on attribute

[root@dhcppc2 ~]# dsconf create-index -h [hostname] -p [port] 'dc=example,dc=com' [attributeName]


[ add comment ]   |  [ 0 trackbacks ]   |  permalink
Sun DSEE7, úpravy nastavení 
* atributy souborů vytvořené instance:

[root@dhcppc2 dsInstanceEXAMPLE]# cd /usr/local/dsee7/dsInstanceEXAMPLE/
[root@dhcppc2 dsInstanceEXAMPLE]# find . -type d | xargs chmod 770
[root@dhcppc2 dsInstanceEXAMPLE]# find . -type f | xargs chmod 660

[root@dhcppc2 dsInstanceEXAMPLE]# find . | xargs ls -l
-rw-rw---- 1 ldapadm ldapadm 1624 Aug 14 12:32 ./alias/certmap.conf
-rw-rw---- 1 ldapadm ldapadm 16384 Aug 14 12:32 ./alias/secmod.db
-rw-rw---- 1 ldapadm ldapadm 65536 Aug 14 12:32 ./alias/slapd-cert8.db
-rw-rw---- 1 ldapadm ldapadm 16384 Aug 14 12:32 ./alias/slapd-key3.db
-rw-rw---- 1 ldapadm ldapadm 12 Aug 14 12:32 ./config/certdb.txt
-rw-rw---- 1 ldapadm ldapadm 80048 Aug 14 14:12 ./config/dse.ldif
-rw-rw---- 1 ldapadm ldapadm 70902 Aug 14 14:12 ./config/dse.ldif.bak
-rw-rw---- 1 ldapadm ldapadm 65343 Aug 14 12:35 ./config/dse.ldif.startOK
-rw-rw---- 1 ldapadm ldapadm 77945 Aug 14 12:32 ./config/schema/00core.ldif
-rw-rw---- 1 ldapadm ldapadm 7403 Aug 14 12:32 ./config/schema/00ds6pwp.ldif
-rw-rw---- 1 ldapadm ldapadm 1842 Aug 14 12:32 ./config/schema/05rfc2247.ldif


*** doplnit pro adresář, /usr/local/dsee7/dsInstance${NAME|$CLASS}/plugins/signatures
(cert7.db, key3.db, secmod.db)

* CACAO bind

[root@dhcppc2 bin]# cacaoadm stop
[root@dhcppc2 bin]# cacaoadm list-params
[root@dhcppc2 bin]# cacaoadm set-param network-bind-address=127.0.0.1
[root@dhcppc2 bin]# cacaoadm start


* CACAO file rights

[root@dhcppc2 local]# cacaoadm verify-configuration
CONFIG ERROR : File access rights of [/usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security/snmp] are wrong [rwxrwxrwx] should be [rwxr-xr-x].
CONFIG ERROR : File access rights of [/usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security/snmp/jdmk.acl] are wrong [rwxrwxrwx] should be [rw-------].


* není vhodné logovat do adresáře instance

[root@dhcppc2 dsee7]# INSTANCE_LOG="/var/log/dsee7/dsInstanceEXAMPLE/logs"
[root@dhcppc2 dsee7]# mkdir -p $INSTANCE_LOG
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/error
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/logs/audit
[root@dhcppc2 dsee7]# touch $INSTANCE_LOG/access
[root@dhcppc2 dsee7]# chown -R ldapadm.ldapadm $INSTANCE_LOG

[ldapadm]$ ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-errorlog
nsslapd-errorlog: /var/log/dsee7/dsInstanceEXAMPLE/logs/errors
replace: nsslapd-accesslog
nsslapd-accesslog: /var/log/dsee7/dsInstanceEXAMPLE/logs/access
replace: nsslapd-auditlog
nsslapd-auditlog: /var/log/dsee7/dsInstanceEXAMPLE/logs/audit

[ldapadm]$ ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-permissions
nsslapd-auditlog-permissions: 660
replace: nsslapd-accesslog-permissions
nsslapd-accesslog-permissions: 660
replace: nsslapd-errorlog-permissions
nsslapd-errorlog-permissions: 660
modifying entry cn=config


* změna defaultní úrovně logování

[ldapadm]$  ldapmodify -h dhcppc2 -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 256
replace: nsslapd-infolog-level
nsslapd-infolog-level: 256


* ověření nastavení

[ldapadm]$ ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=config" -s base "(objectclass=*)" 


Core Server Configuration Reference

* password policy
[ldapadm]$ ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=Password Policy,cn=config" -s sub "(objectclass=*)"
version: 1
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: ldapsubentry
objectClass: pwdPolicy
objectClass: sunPwdPolicy
objectClass: passwordPolicy
cn: Password Policy
pwdAttribute: userPassword
passwordStorageScheme: SSHA
passwordChange: on
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
passwordRootdnMayBypassModsChecks: off
passwordNonRootMayResetUserpwd: on
passwordInHistory: 0
pwdInHistory: 0
passwordMinAge: 0
pwdMinAge: 0
passwordCheckSyntax: off
pwdCheckQuality: 0
passwordMinLength: 6
pwdMinLength: 6
passwordMustChange: off
pwdMustChange: FALSE
passwordExp: off
passwordMaxAge: 0
pwdMaxAge: 0
passwordWarning: 86400
pwdExpireWarning: 86400
passwordExpireWithoutWarning: on
pwdGraceAuthNLimit: 0
pwdKeepLastAuthTime: FALSE
passwordLockout: off
pwdLockout: FALSE
passwordMaxFailure: 3
pwdMaxFailure: 3
passwordResetFailureCount: 600
pwdFailureCountInterval: 600
pwdIsLockoutPrioritized: TRUE
passwordUnlock: on
passwordLockoutDuration: 3600
pwdLockoutDuration: 3600



[ add comment ] ( 1 view )   |  [ 0 trackbacks ]   |  permalink
Sun's DSEE7, some command basics 
Directory Service Control Center: Directory Service Control Center (DSCC) is a user interface that enables you to manage Directory Servers and Directory Proxy Servers by using a browser.

* OS user. Creates a server instance and is the only user who has the right to run operating system commands on a server instance by using the dsadm command. DSCC might request the OS user password in some cases. This user must have a password and must be able to create directory server instances.

* Directory Manager. The LDAP superuser for a server. The default DN is cn=Directory Manager.

* Directory Administrator. Administers a Directory Server. This user has the same rights as the Directory Manager but are subject to access controls, password policies, and authentication requirements. You can create as many Directory Administrators as you need.

* Directory Service Manager. Manages server configuration and data on multiple machines through DSCC. This user has the same rights as the Directory Manager for each of the servers registered in DSCC and is a member of the Directory Administrators Group.


---------------------------------------------------------------
---------------------- dscc commands --------------------------
--------- dsccmon dsccreg dsccsetup ---------------
---------------------------------------------------------------


*** dsccmon: Monitor servers registered with the DSCC registry
view-repl-agmts   Displays replication agreement monitoring view  
view-servers Displays server monitoring view
view-suffixes Displays suffix monitoring view

[root@dhcppc2 dsee7]# dsccmon view-repl-agmts
Enter DSCC administrator's password:
Suffix Source Destination Status Status Details
------ ------ ----------- ------ --------------

[root@dhcppc2 dsee7]# dsccmon view-suffixes
Enter DSCC administrator's password:
Role Suffix Server Entry# Agmt# State NMC AMC Status Details
---- ----------------- ------------ ------ ----- -------------- --- --- --------------
- dc=example,dc=com dhcppc2:1389 160 0 Not-Replicated - - -

[root@dhcppc2 dsee7]# dsccmon view-servers
Enter DSCC administrator's password:
Server Status Version Entry# Suffix# Roles
------------ ------ ------- ------ ------- -----
dhcppc2:1389 DOWN - 0 0 ---


*** dsccsetup: Manage DSCC initialization and registration
ads-create       Create the DSCC Registry  
ads-delete Delete the DSCC Registry
cacao-reg Register DSCC agent in Cacao
cacao-unreg Unregister DSCC agent from Cacao
dismantle Undo DSCC initialization by performing cacao-unreg, ads-delete and war-file-delete
initialize Initialize DSCC by performing cacao-reg, ads-create and war-file-create
mfwk-reg Register DS in JESMF
mfwk-unreg Unregister DS from JESMF
prepare-patch Performs actions required before applying patch
status Displays status of DSCC registration and initialization
war-file-create Generate the WAR file for deploying DSCC in an application server
war-file-delete Delete the WAR file

[root@dhcppc2 dsee7]# dsccsetup status -v
***
## /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm is present
## /usr/local/dsee7/lib/jar/nquickmodule.jar is present
## /usr/local/dsee7/ext/cacao_2/.configured is present
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm list-modules -r
DSCC Agent is registered in Cacao
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm status
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm get-param network-bind-address
## Running /usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm get-param jmxmp-connector-port
Cacao is down. Start it using:
/usr/local/dsee7/ext/cacao_2/cacao2/bin/cacaoadm start
***
## /usr/local/dsee7/bin/dsadm is present
DSCC Registry has been created
Path of DSCC registry is /usr/local/dsee7/var/dcc/ads
Port of DSCC registry is 3998
***


*** dsccreg: Manage the DSCC registry
add-server     Add a server instance to the DSCC registry  
list-servers List server instances added to DSCC registry
remove-server Remove a server instance from the DSCC registry

[root@dhcppc2 dsee7]# dsccreg list-servers
Enter DSCC administrator's password:
Hostname Port sPort Type Owner Flags iPath Description
-------- ---- ----- ---- ----- ----- ----------------- -----------
dhcppc2 1389 1636 DS root /usr/local/dsInst
1 server instance(s) found in DSCC on localhost.



---------------------------------------------------------------
------------------------ ds commands --------------------------
------------------- dsutil dsadm dsconf -----------------------
---------------------------------------------------------------


*** dsutil: Commands for inactivating/activating user accounts
account-activate    Re-enable bind operation for a single user or users member of a role  
account-inactivate Disable bind operation for a single user or users member of a role
account-status Indicates whether a user or role is activated

[root@dhcppc2 dsee7]# dsutil account-status --secure-port 1636 -D "cn=Directory Manager" \
> "uid=bjensen,ou=people,dc=example,dc=com"
Enter "cn=Directory Manager" password:
"uid=bjensen,ou=people,dc=example,dc=com" is activated.

[root@dhcppc2 dsee7]# dsutil account-inactivate --secure-port 1636 -D "cn=Directory Manager" \
"uid=bjensen,ou=people,dc=example,dc=com"
Enter "cn=Directory Manager" password:
"uid=bjensen,ou=people,dc=example,dc=com" has been inactivated.


*** dsadm: Manages a Directory Server instance, administration commands that must be run directly on the local host. For example: Starting and stopping the server, Creating a server Instance. You must have OS access permissions to the server instance path.
add-cert                Adds a certificate to the certificate database
add-selfsign-cert Creates and adds a selfsign certificate to the certificate database
analyze-indexes Analyzes indexes and displays statistics on their values
backup Backs up Directory Server instance
create Creates Directory Server instance
delete Deletes Directory Server instance
export Creates LDIF representation of Directory Server instance
export-cert Exports a certificate and its keys from the database
get-flags Displays optional Directory Server instance flag values
import Populates existing suffix with LDIF data
import-cert Adds a new certificate and its keys to the cert database
import-selfsign-cert Adds a new selfsign certificate and its keys to the cert database
info Displays Directory Server instance status and some configuration info
list-certs Lists all certificates in the database
list-running-instances Displays running instances on this host
reindex Regenerates existing indexes
remove-cert Removes a certificate from the database
renew-cert Renews a certificate
renew-selfsign-cert Renews a selfsign certificate
repack Repacks existing suffix
request-cert Generates a certificate request
restart Restarts Directory Server instance
restore Restores Directory Server instance from backup archive
set-flags Sets optional Directory Server instance flags
show-access-log Displays lines from access log
show-cert Displays a certificate
show-error-log Displays lines from error log
start Starts Directory Server instance
stop Stops Directory Server instance
stop-running-instances Stops Directory Server instances
upgrade Upgrades Directory Server instance from version 6 to version 7

[root@dhcppc2 dsee7]# dsadm start /usr/local/dsInst
Directory Server instance '/usr/local/dsInst' started: pid=10617

[root@dhcppc2 dsee7] dsadm list-running-instances
PID Instance path
----- --------------------------
1391 /opt/dsee7/var/dcc/ads
17999 /opt/dsee7/dsInst

[root@dhcppc2 dsee7]# dsadm show-access-log /usr/local/dsInst/
[13/Aug/2010:22:51:26 +0200] conn=22 op=12 msgId=-1 - closing from 127.0.0.1:48730 - U1 - Connection closed by unbind client -
[13/Aug/2010:22:51:26 +0200] conn=22 op=10 msgId=11 - RESULT err=0 tag=105 nentries=0 etime=0


*** dsconf: Configures a Directory Server Instance, Administration commands that can be run from a remote host. For example: Enabling replication, Setting cache size. The server must be running. You must have LDAP access permissions to configuration data, for example, as the user cn=admin,cn=Administrators,cn=config. You don't need to have OS access.
accord-repl-agmt               Ensures the authentication properties of the destination suffix are in accord with those of the replication agreement  
analyze-index-filters Analyzes index filters and displays a status
backup Backs up Directory Server data (cn=config excluded)
change-repl-dest Changes the remote replica pointed to by an existing replication agreement
create-encrypted-attr Creates an encrypted attribute
create-index Creates an index
create-plugin Creates a plugin
create-repl-agmt Creates replication agreement for existing suffix
create-repl-priority Creates a prioritized replication rule on a master
create-suffix Creates suffix and empty data
delete-encrypted-attr Deletes an encrypted attribute
delete-index Deletes an index
delete-plugin Deletes a plugin
delete-repl-agmt Deletes replication agreement
delete-repl-priority Deletes a prioritized replication rule
delete-suffix Deletes suffix configuration and data
demote-repl Demotes an existing replicated suffix
disable-index-filter-analyzer Disables the index filter analyzer
disable-plugin Disables a plugin
disable-repl Abandons replication for replicated suffix
disable-repl-agmt Disables replication with another directory
enable-index-filter-analyzer Enables the index filter analyzer
enable-plugin Enables a plugin
enable-repl Enables replication by assigning a role to an existing suffix
enable-repl-agmt Enables replication with another directory
export Exports suffix data to LDIF format
get-index-prop Displays index property values
get-log-prop Displays server log property values
get-plugin-prop Displays plugin property values
get-repl-agmt-prop Displays replication agreement property values
get-server-prop Displays server property values
get-suffix-prop Displays suffix property values
help-properties Lists properties exposed by subcommands
import Populates an existing suffix with LDIF data
info Displays information about server configuration
init-repl-dest Launches total update of remote replica from local suffix
list-encrypted-attrs Lists encrypted attributes and displays their property values
list-indexes Lists indexes
list-plugins Lists plugins
list-repl-agmts Lists replication agreements
list-repl-priorities Lists prioritized replication rules and displays their property values
list-suffixes Lists suffixes
promote-repl Promotes an existing replicated suffix
pwd-compat Changes Directory Server password compatibility mode
reindex Rebuilds indexes of an existing suffix
restore Restores Directory Server data from backup archive
rotate-log-now Launches a rotation of a log file
set-index-prop Sets index property values
set-log-prop Sets server log property values
set-plugin-prop Sets plugin property values
set-repl-agmt-prop Sets replication agreement property values
set-server-prop Sets server property values
set-suffix-prop Sets suffix property values
show-repl-agmt-status Displays a comparison of a source and destination suffix configuration and the status of the replication agreement
show-task-status Displays a status of Directory Server active tasks
update-repl-dest-now Forces updates of remote replica from local suffix

[root@dhcppc2 dsee7]# dsconf create-suffix -h dhcppc2 -p 3200 dc=example,dc=com
Certificate "CN=dhcppc2, CN=3201, CN=Directory Server, O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: y
Enter "cn=Directory Manager" password: >dsInstanceEXAMPLE<



----------------------------------------------------
---------------------- cacao -----------------------
----------------------------------------------------


The short CACAO overview from Ludovic is taken from here. The CACAO homepage can be found at https://common-agent-container.dev.java.net/. DS depends on the common agent container for remote managent and monitoring.

The common agent container is also known by the nickname of Cacao (which is the French version of cocoa). It's a Solaris process used to host several Agents under the same process. DSEE has an agent for DS and DPS, that are required by DSCC to be able to do remote actions on the servers (such as start / stop).

Also we have an Agent for the JMX Monitoring of DS (which also requires the JavaES Monitoring Framework agents installed).

Common Agent Container Security Files. The cacaoadm utility is the command line interface for managing the common agent container’s management daemon.

The common agent container’s management daemon provides a modular infrastructure that hosts both a management agent and service modules. Several instances of the common agent container’s management daemon can run at the same time. Use the -i instancename option to specify a specific instance on which the action will be performed. If you specify the default instancename (called default), then the files are associated with the default daemon instance. This default instance is created automatically and cannot be deleted.

cacaoadm: The cacaoadm utility is the command line interface for managing the common agent containerâs management daemon.
 disable          Disable the automatic start or stop of the common agent
container daemon during system boot or shutdown.
enable Enable the common agent container daemon to startup
automatically during subsequent system boots and
to stop gracefully during system shutdown.
restart Stop and subsequently start the common agent container daemon.
start Start the common agent container daemon.
stop Stop the common agent container daemon.
status Display the common agent container daemon status.
get-param Display a parameter value.
set-param Set a parameter value.
list-params Display the list of parameters.
list-modules Display the list of all modules deployed.
undeploy Undeploy a module.
lock Lock a module.
unlock Unlock a module.
deploy Deploy a module.
get-filter Get the value associated with a filter.
set-filter Set a run-time filter level.
list-filters Display the list of all available filters along with their
levels.
create-keys Generate keys for the common agent container.
delete-keys Delete security keys of the common agent container.
list-instances Display the list of all created and not removed instances.
create-instance Create a new instance of the common agent container.
delete-instance Delete a common agent container instance.
show-trusted-cert
Display a trusted certificate.
add-trusted-cert
Add a trusted certificate.
list-trusted-certs
Display the list of all trusted certificates.
show-cert-chain Display the common agent container certificate chain.
register-module Register a module so that the module starts the next
time the common agent container's management daemon starts.
unregister-module
Unregister a module so that the module does not start the
next time the common agent container's management daemon
starts.
verify-configuration
Check the validity of the common agent container
configuration.
rebuild-dependencies
Redetect all dependencies.
prepare-uninstall
Stop all the running instances and remove their startup
resources. To be used just before uninstalling Cacao.

[root@dhcppc2 local]# cacaoadm delete-keys
[root@dhcppc2 local]# cacaoadm create-keys

[root@dhcppc2 bin]# cacaoadm list-params
snmp-adaptor-port=21161
snmp-adaptor-trap-port=21162
jmxmp-connector-port=21162
commandstream-adaptor-port=21163
rmi-registry-port=0
secure-webserver-port=0
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8
-Djava.endorsed.dirs=/opt/dsee7/ext/cacao_2/cacao2/share/lib/endorsed
micro-agent=false
java-home=/opt/dsee7/jre
jdmk-home=/opt/dsee7/lib/private
nss-lib-home=/opt/dsee7/lib/private
nss-tools-home=/opt/dsee7/bin
retries=4
log-file-limit=1000000
log-file-count=3
log-file-append=true
enable-instrumentation=false
user=root
group=root
network-bind-address=0.0.0.0
watchdog-heartbeat-timeout=60

[root@dhcppc2 local]# cacaoadm set-param network-bind-address=0.0.0.0

[root@dhcppc2 local]# netstat -tnl | grep 21162
tcp 0 0 ::ffff:127.0.0.1:21162 :::* LISTEN

[root@dhcppc2 bin]# ./cacaoadm list-trusted-certs
cacao_ca

[root@dhcppc2 bin]# ./cacaoadm show-trusted-cert -i default cacao_ca
-----BEGIN CERTIFICATE-----
MIIBoTCCAQqgAwIBAgIEehsXwzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApkaGNwcGMyX2Nh
MB4XDTY5MDYxMzIzMjkwM1oXDTMwMDgxMzIzMjkwM1owFTETMBEGA1UEAwwKZGhjcHBjMl9jYTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygzWP+T4dPzE3qvhfYNIJrCdNSLZjy4hUVsFl2kp
vogooT37II9YxCxkINML2vV7ZXFjrUoAT1sLDRYBTIxayCZZ8/GqDiwVppbSdmnx28/QgzPnR517
Aj0rBdweu4/Js0yinK4prT7Zj0tcHuaaNuH8w8QQwWDiLsvM5xl84lkCAwEAATANBgkqhkiG9w0B
AQUFAAOBgQA57SpU04VlLYlblSqRLe0mp1cXJ8Crofk4ie7+GV02Gao+DgXj43aZVFNrbgWShVgZ
re/Qh7FkFIwAMATh0zhRw1X3Upa6AIKje5jnfPWHGqqZmTHjDU2J6BWhSGbJlAO0KVN+RRSFOMiY
TQ7UCHwcM5Rgyt/KIRkQNx6R9zWPhQ==
-----END CERTIFICATE-----


[root@dhcppc2 bin]# cacaoadm status
default instance is ENABLED at system startup.
Current retries count : 0/4
Processes:
23766
Uptime: 0 day(s), 0:0


Project OpenDMK has the same features and code base as the Java DMK version 5.1, patch level 3, with the exception of some legacy or deprecated APIs which were removed. The examples, documentation, and source code contributions that can be found in the commercial Java Dynamic Management Kit are not included in this release.


* now: https://opendmk.dev.java.net/
* Java DMK 5.1 (June 2004)
* Java DMK 5.0 (June 2002)
* Java DMK 4.2 (December 2000)
* Java DMK 4.1 (April 2000)
* Java DMK 4.0 (December 1999)
* Java DMK 3.2 (March 1999)
* Java DMK 3.0 (November 1998)
* Java DMK 2.0 (February 1998)


Java Dynamic Management Kit (Java DMK) is a Java technology based toolkit that allows developers to rapidly create smart agents based on the Java Management Extensions (JMX) specification. The power of the JMX framework is that it supports multiple protocol access to management information residing in the agent.

[root@dhcppc2 dsee7]# vi /usr/local/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/private/cacao.properties
# Location of dependencies : Java, JDMK, NSSjava.home=/usr/java/jre1.6.0_21
jdmk.home=/usr/local/dsee7/lib/private
nss.lib.home=/usr/local/dsee7/lib/private
nss.tools.home=/usr/local/dsee7/lib/private
watchdog.heartbeat.timeout=60
# Define username and groupname for cacao process
process.username=root
process.groupname=root
# Audit configuration
audit.enabled=true
audit.reads=false
audit.daemon=false

[root@dhcppc2 dsee7]# more ././ext/mfwk/config/security/snmp/jdmk.acl
# Copyright 2004-2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "$Revision: 1.5 $ SMI"

# communities: can be comma separated strings
# access: can take only "read-only" or "read-write" values
# managers: can be a hostname, ipaddress or netmask
# - hostname: hubble
# - ip v4 and v6 addresses: 123.456.789.12 , fe80::a00:20ff:fe9b:ea82
# - subnet mask: 123!255!255!255 (its an IPO address where "." are replaced by "!"). This way of expressing the subnet is deprecated,
use the prefix notation.
# - ip v4 and v6 netmask prefix notation : 123.456.789.12/24, fe80::a00:20ff:fe9b:ea82/64
#

acl = {
{
communities = mfwk
access = read-only
managers = 255!255!255!255
}
# {
# communities = private
# access = read-write
# managers = hostname
# }
}

#trap = {
# {
# trap-community = public
# hosts = hostname
# }
#}


[ 2416 comments ]   |  [ 0 trackbacks ]   |  permalink
SSH 
Vytvoření RSA privátního a veřejného klíče bez hesla:
# ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa


zkopírování veřejného klíče do ~/.ssh/authorized_keys
# ssh-copy-id user@remote.example.com


Odstranění hesla z privátního klíče:
# openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa


Zašifrování privátního klíče heslem:
# openssl rsa -des3 -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa


Správná práva na soubory .ssh
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/id_rsa
# chmod 644 ~/.ssh/id_rsa.pub
# chmod 644 ~/.ssh/authorized_keys
# chmod 644 ~/.ssh/known_hosts


[ add comment ]   |  [ 0 trackbacks ]   |  permalink
Nagios check template pro kontrolu pres SSH (Linux audit system) 
#!/bin/sh
# Nagios check
# check name: sec_auditd
# uses: ssh and private key to check the server
# log: logs the result using system log

# script args
# $0 - full path to command (default system)
# $1 - user parameter (host to check)
# $2 - user parameter (none)

# SSH credentials
SSH_HOST_TO_CHECK=$1
SSH_USERNAME="user"
SSH_PRIVATE_KEY="/home/nagios/.ssh/id_rsa.plain"
SYSLOG_FACILITY="user"
SYSLOG_SEVERITY="info"

# nagios check result states (default)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# check pid, run date, name of the check, output to file
MY_PID=$$
DATE=`date`
SCRIPT_NAME=`basename $0`
CHECK_RESULT="/tmp/$MY_PID.tmp"

> $CHECK_RESULT
chown nagios.nagios $CHECK_RESULT

#######################
# check id the ssh command proceeded
function ssh_reachable {
# if host is not reachable exit with STATE_UNKNOWN
if [ $? -ne 0 ]; then
echo "UNKNOWN: host is not reachable"
rm $CHECK_RESULT
exit $STATE_UNKNOWN
fi
}

#######################
# the actual check body

# the following device names of tty lines are filtered: pts, pty
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 \
-l $SSH_USERNAME -i $SSH_PRIVATE_KEY $SSH_HOST_TO_CHECK 'ps -ef' > $CHECK_RESULT

ssh_reachable

# log the ssh output
while read line
do
logger -t "$SCRIPT_NAME[$SSH_HOST_TO_CHECK]" -p "$SYSLOG_FACILITY.$SYSLOG_SEVERITY" "$line"
done < $CHECK_RESULT

# result evaluation
# should mirror the content of /etc/securetty
if [ `cat $CHECK_RESULT | grep [a]uditd | wc -l` -eq 0 ]; then
echo "CRITICAL: audit subsystem is not installed"
rm $CHECK_RESULT
exit $STATE_CRITICAL
fi

if [ `cat $CHECK_RESULT | grep [a]uditd | wc -l` -lt 2 ]; then
echo "WARNING: auditd service is not running"
rm $CHECK_RESULT
exit $STATE_WARNING
fi
rm $CHECK_RESULT
echo "OK: auditd is running"
exit $STATE_OK


[ 8 comments ]   |  [ 0 trackbacks ]   |  permalink
Nagios check template pro kontrolu pres SSH (console login) 
#!/bin/sh
# Nagios check
# check name: sec_console
# uses: ssh and private key to check the server
# log: logs the result using system log

# script args
# $0 - full path to command (default system)
# $1 - user parameter (host to check)
# $2 - user parameter (none)

# SSH credentials
SSH_HOST_TO_CHECK=$1
SSH_USERNAME="user"
SSH_PRIVATE_KEY="/home/nagios/.ssh/id_rsa.plain"
SYSLOG_FACILITY="user"
SYSLOG_SEVERITY="info"

# nagios check result states (default)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# check pid, run date, name of the check, output to file
MY_PID=$$
DATE=`date`
SCRIPT_NAME=`basename $0`
CHECK_RESULT="/tmp/$MY_PID.tmp"

> $CHECK_RESULT
chown nagios.nagios $CHECK_RESULT

#######################
# check id the ssh command proceeded
function ssh_reachable {
# if host is not reachable exit with STATE_UNKNOWN
if [ $? -ne 0 ]; then
echo "UNKNOWN: host is not reachable"
rm $CHECK_RESULT
exit $STATE_UNKNOWN
fi
}

#######################
# the actual check body

# the following device names of tty lines are filtered: pts, pty
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 \
-l $SSH_USERNAME -i $SSH_PRIVATE_KEY $SSH_HOST_TO_CHECK 'w -h' > $CHECK_RESULT

ssh_reachable

# log the ssh output
while read line
do
logger -t "$SCRIPT_NAME[$SSH_HOST_TO_CHECK]" -p "$SYSLOG_FACILITY.$SYSLOG_SEVERITY" "$line"
done < $CHECK_RESULT

# result evaluation
# should mirror the content of /etc/securetty
if [ `cat $CHECK_RESULT | grep -v pts | grep -v pty | grep days | grep root | wc -l` -gt 0 ]; then
echo "CRITICAL: root console session active for more than a day"
rm $CHECK_RESULT
exit $STATE_CRITICAL
fi

if [ `cat $CHECK_RESULT | grep -v pts | grep -v pty | grep days | wc -l` -gt 0 ]; then
echo "WARNING: user console session active for more than a day"
rm $CHECK_RESULT
exit $STATE_WARNING
fi
rm $CHECK_RESULT
echo "OK: no long-term console session found"
exit $STATE_OK


[ 11 comments ]   |  [ 0 trackbacks ]   |  permalink
Google Chrome, vypnutí překladu 
Google Chrome je docela dobrý prohlížeč, na obrazovce je mnohem více místa pro webové stránky a je docela rychlý. Zatím jediné, čím kvalitně nasere je neustálé nabízení překladu stránky. Kde že se to dá vypnout?

Montážní klíč, Francouzák(vpravo nahoře)->Možnosti->Pod Pokličkou->Změnit nastavení písma a jazyka->přidat angličtina->ok

Při příchodu na anglickou stránku nabídne Chrome ZASE překlad, ale navíc vpravo v možnostech přibude: "Jazyk angličtina nikdy nepřekládat". To stačí zaškrtnout a otravný dialog je pryč. Pokud by to nepomohlo, v konfiguračním dialogu "Pod pokličnou" je hned pod změnou nastavená proxy checkbox s textem "Nabízet překlad stránek, které nejsou v jazyce, kterému rozumím".

[ add comment ] ( 1 view )   |  [ 0 trackbacks ]   |  permalink

<<First <Back | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | Next> Last>>