
Saturday 15 May 2021

Scripts for HeapDump Generation On JBoss || Tomcat

To capture one heap dump file together with the per-thread CPU usage of a Tomcat or JBoss JVM.

Step 1: Create a file "heap_dump_script.sh" and add the script below.

##Script for heap dump generation.
***********************************************************
#!/bin/bash
# Usage: ./heap_dump_script.sh JVM_PID (bash is required for the C-style for loop)
JAVA_HOME=/u01/jdk1.8.0_121
# Number of times to collect data.
LOOP=1
# Interval in seconds between data points.
INTERVAL=1

if [ -z "$1" ]; then
   echo "Usage: $0 JVM_PID" >&2
   exit 1
fi

for ((i=1; i <= LOOP; i++))
do
   _now=$(date)
   echo "${_now}" >>high-cpu-Heap.out
   # Per-thread CPU snapshot of the target JVM.
   top -b -n 1 -H -p "$1" >>high-cpu-Heap.out
   echo "${_now}" >>high-cpu-Heapdump.out
   # Binary heap dump (open it with Eclipse MAT); the timestamp keeps each file distinct.
   "$JAVA_HOME/bin/jmap" -dump:format=b,file="heapdump_$(date +"%Y-%m-%d-%T").hprof" "$1"
   echo "heap dump captured #$i"
   if [ "$i" -lt "$LOOP" ]; then
      echo "Sleeping..."
      sleep "$INTERVAL"
   fi
done
***********************************************

Step 2: Run the "heap_dump_script.sh" script with the process id of the JVM.

./heap_dump_script.sh JVM_PID


For heap dump analysis, use the Eclipse Memory Analyzer (MAT) tool.

Download Address: https://www.eclipse.org/mat/downloads.php


Thanks :-)

Scripts for ThreadDump Generation On JBoss & Tomcat

To capture 6 thread dumps at a 20 second interval, plus 6 high-CPU thread snapshots at the same interval.

Step 1: Create a file "high_cpu_linux_jstack.sh" and add the script below.


#script code "high_cpu_linux_jstack.sh"
************************************************************
#!/bin/bash
# Usage: ./high_cpu_linux_jstack.sh JVM_PID (bash is required for the C-style for loop)
JAVA_HOME=/u01/jdk1.8.0_121
# Number of times to collect data.
LOOP=6
# Interval in seconds between data points.
INTERVAL=20

if [ -z "$1" ]; then
   echo "Usage: $0 JVM_PID" >&2
   exit 1
fi

for ((i=1; i <= LOOP; i++))
do
   _now=$(date)
   echo "${_now}" >>high-cpu.out
   # Per-thread CPU snapshot; top's TID column is the nid shown in the jstack output.
   top -b -n 1 -H -p "$1" >>high-cpu.out
   echo "${_now}" >>high-cpu-tdump.out
   # Thread dump with lock information, appended under the same timestamp.
   "$JAVA_HOME/bin/jstack" -l "$1" >>high-cpu-tdump.out
   echo "thread dump #$i"
   if [ "$i" -lt "$LOOP" ]; then
      echo "Sleeping..."
      sleep "$INTERVAL"
   fi
done
************************************************************

How to run the "high_cpu_linux_jstack.sh" script:

./high_cpu_linux_jstack.sh JVM_PID


The output files of high_cpu_linux_jstack.sh can be analysed easily with Red Hat Labs:

Step 1: Go to https://access.redhat.com/labs/jvmpeg/

Step 2: Drop your output files into the lab for high-CPU analysis; the CPU threshold can be adjusted.
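The same correlation the lab performs can be done offline: top -H prints the thread id in decimal, jstack prints it as the hex nid, and joining the two captures names the thread that is burning CPU. The following is an added example, not code from the original post; the top and jstack samples are constructed, and the column layout assumed is that of procps top on Linux.

```python
import re
# Constructed sample of one `top -b -n 1 -H -p <pid>` snapshot, as the script appends it to high-cpu.out
SAMPLE_TOP = """\
Thu May 13 10:15:02 UTC 2021
  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 4321 jboss     20   0 4852764   1.2g  21344 R 97.3  7.6  12:44.10 java
 4318 jboss     20   0 4852764   1.2g  21344 S  1.0  7.6   0:03.22 java
 4300 jboss     20   0 4852764   1.2g  21344 S  0.0  7.6   0:00.91 java
"""
# Constructed sample of the matching `jstack -l <pid>` output from high-cpu-tdump.out
SAMPLE_JSTACK = """\
"http-nio-8080-exec-3" #27 daemon prio=5 os_prio=0 tid=0x00007f3a4c0f9000 nid=0x10e1 runnable [0x00007f3a2d3f2000]
   java.lang.Thread.State: RUNNABLE
\tat com.example.report.Pdf.render(Pdf.java:214)

"http-nio-8080-exec-2" #26 daemon prio=5 os_prio=0 tid=0x00007f3a4c0f8000 nid=0x10de waiting on condition [0x00007f3a2d4f3000]
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
"""
# top -H row: PID, then USER PR NI VIRT RES SHR, the one-letter state, then %CPU.
TOP_ROW = re.compile(r"^\s*(\d+)\s+(?:\S+\s+){6}\S\s+([\d.]+)\s")
# jstack header: quoted name ... nid=0x<hex>. On Linux nid is the kernel thread id top prints in decimal.
JSTACK_HDR = re.compile(r'^"(?P<name>[^"]+)".*?\bnid=0x(?P<nid>[0-9a-fA-F]+)')


def parse_top_threads(text, cpu_threshold=50.0):
    """Return {tid: %cpu} for threads at or above the CPU threshold."""
    hot = {}
    for line in text.splitlines():
        m = TOP_ROW.match(line)
        if m and float(m.group(2)) >= cpu_threshold:
            hot[int(m.group(1))] = float(m.group(2))
    return hot


def parse_jstack(text):
    """Return {nid as int: (thread name, [stack frames, innermost first])} from a jstack -l dump."""
    threads = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = JSTACK_HDR.match(lines[0])
        if not m:
            continue  # not a thread block (e.g. the JNI global references footer)
        frames = [l.strip()[3:] for l in lines[1:] if l.strip().startswith("at ")]
        threads[int(m.group("nid"), 16)] = (m.group("name"), frames)
    return threads


def hot_threads(top_text, jstack_text, cpu_threshold=50.0):
    """Join the two captures on thread id; returns [(name, %cpu, innermost frame)], hottest first."""
    dump = parse_jstack(jstack_text)
    hot = parse_top_threads(top_text, cpu_threshold)
    rows = []
    for tid, cpu in sorted(hot.items(), key=lambda kv: -kv[1]):
        name, frames = dump.get(tid, ("<not in dump>", []))
        rows.append((name, cpu, frames[0] if frames else ""))
    return rows
```

Run it over one timestamped section of high-cpu.out and the matching section of high-cpu-tdump.out; a thread that stays at the top across several of the 20 second samples is the one to investigate.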


Thanks :-)

Thursday 6 May 2021

How to install opensource mod_security on Apache 2.4

Step 1: Download the mod_security 2.9.1 archive:

https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.1/modsecurity-2.9.1.tar.gz

 Or 

https://src.fedoraproject.org/lookaside/pkgs/mod_security/


Step 2: Extract the archive: tar -zxvf modsecurity-2.9.1.tar.gz

Step 3: Change into the extracted directory: cd modsecurity-2.9.1

Step 4: Build and install against the running Apache (apxs comes from the Apache installation):

./configure --with-apxs=$Apache_Home/bin/apxs

make

make install

 

Step 5: Add/enable the modules in httpd.conf.

LoadModule unique_id_module modules/mod_unique_id.so

LoadModule security2_module modules/mod_security2.so

 

Step 6: To suppress version disclosure, add the parameters below to httpd.conf (the Header directives require mod_headers to be loaded).

########################################
Header unset Server
Header unset Etag
ServerTokens Prod
ServerSignature off
Header always unset "X-Powered-By"
Header unset "X-Powered-By"

<IfModule security2_module>
    SecRuleEngine Off
    ServerTokens Full
    SecServerSignature " "
</IfModule>
#########################################

 Thanks :-)


How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade).

Step 1: Install the packages below on the Linux server.

yum install openssl-devel pcre-devel pcre expat-devel openssl gcc libxml2-devel

 

Step 2: Download the latest version from http://httpd.apache.org/, copy it to the server and extract it.

 

Step 3: Copy "config.nice" from the old installation's $Apache_Home/build folder into the new Apache source directory (it replays the configure options used for the old build).

  

Step 4: Change into the new Apache source directory and run the commands below:

$ ./config.nice

$ make

$ make install

 

Step 5: Check the Apache version; it must now show the new release.

$Apache_Home/bin/httpd -V

 

Thanks :-) 


Sunday 11 April 2021

Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions

For javax.net.ssl.SSLException: SSLSocketFactory is null (this occurs when javax.net.ssl.SSLSocketFactory.getDefault() is called to create a socket and the javax.net.ssl.* properties are not set):

 

1. Open the /app/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/java.security file.

 

2. Add the parameters below for the SSL socket factory.

****************************************
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
****************************************




For Caused by: javax.net.ssl.SSLException: Received fatal alert: protocol_version, raised while the client was trying to connect with a lower TLS version:

1. Go to the application JAVA_OPTIONS.

2. Add the parameters below. Setting jdk.tls.client.protocols="TLSv1.2" makes every ClientHello use TLSv1.2 (HTTPS included); https.protocols only takes effect when the client application uses the HttpsURLConnection class or URL.openStream() operations.

****************************************

-Dhttps.protocols=TLSv1.2

-Djdk.tls.client.protocols=TLSv1.2 

****************************************




For forcing the application controller to use TLS 1.2:

1. Go to the application JAVA_OPTIONS.

2. To enable and force TLS 1.2 on the IBM JSSE2 provider, append the two runtime arguments below:

 ****************************************

-Dcom.ibm.jsse2.overrideDefaultTLS=true

-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

 ****************************************




For the JVM arguments covering client TLS 1.2, the truststore and SSL debug together:

1. Go to the application JAVA_OPTIONS.

2. Add the parameters below for client TLS 1.2, the truststore and SSL debug (the data option of javax.net.debug writes decrypted application data to the log, so remove it once debugging is done).

 ****************************************

-Djavax.net.ssl.trustStore=/app/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts 

-Djavax.net.ssl.trustStorePassword=changeit 

-Djavax.net.ssl.trustStoreType=jks 

-Dhttps.protocols=TLSv1.2 

-Djdk.tls.client.protocols=TLSv1.2 

-Dcom.ibm.jsse2.overrideDefaultTLS=true 

-Djavax.net.debug=ssl,handshake,data,trustmanager

 ****************************************



For javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found.) - LDAP:

1. Go to the application JAVA_OPTIONS.

2. Add the parameter below to disable LDAP endpoint identification. This turns off hostname checking of the LDAP server certificate for the whole JVM, so treat it as a workaround until the LDAP server presents a certificate whose subject alternative names cover the address the application connects to.

****************************************

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

****************************************


Thanks :-)

SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4 REDHAT)

Environment: Apache 2.4 (Linux)

Note: Take backup of /conf directives.

1. Open the ssl.conf / http-ssl.conf file.

2. Add the parameters below inside the VirtualHost block of ssl.conf / http-ssl.conf, together with the SSL protocol setting (only TLSv1.2 stays enabled).


*************************************************

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1


SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!LOW:!EXP

*************************************************


3. Restart the JBoss server JVM.


4. Check the negotiated protocol and cipher with the openssl command:

"openssl s_client -connect <IP/Host:443> -servername www.example.com"
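The SSLCipherSuite string above can also be expanded offline with the same OpenSSL engine Apache uses, to confirm that the !3DES/!RC4/!MD5 exclusions really remove every such cipher and that what remains is forward secret. This is an added check, not part of the original post; it assumes Python's ssl module is built against OpenSSL 1.1.1 or newer.

```python
import ssl

# The SSLCipherSuite value from the post; Apache passes this string to OpenSSL unchanged.
APACHE_CIPHER_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!LOW:!EXP"
)
# Substrings of OpenSSL cipher names that the "!" exclusions above are meant to keep out
# (DES-CBC3 is how OpenSSL spells 3DES inside a cipher name).
WEAK_MARKERS = ("DES-CBC3", "3DES", "DES-CBC-", "RC4", "MD5", "NULL", "EXP", "PSK")


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the concrete cipher names it enables on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string selects nothing
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string):
    """Resolved cipher names that still carry a weak marker; an empty list means the exclusions held."""
    return sorted(n for n in resolve_ciphers(cipher_string) if any(m in n for m in WEAK_MARKERS))


def forward_secrecy_only(cipher_string):
    """True when every resolved cipher uses an ephemeral key exchange (ECDHE/DHE, or a TLS 1.3 suite)."""
    return all(n.startswith(("ECDHE-", "DHE-", "TLS_")) for n in resolve_ciphers(cipher_string))


if __name__ == "__main__":
    print("weak ciphers left:", weak_ciphers(APACHE_CIPHER_STRING) or "none")
    print("forward secrecy only:", forward_secrecy_only(APACHE_CIPHER_STRING))
```

Because the expansion depends on the OpenSSL build, run it on the web server itself; kEDH+AESGCM also pulls in anonymous ADH suites, which is why the trailing !aNULL matters.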


5. Reference link.

https://access.redhat.com/articles/2598471


Thanks :-)

Redirection HTTP to HTTPS on JBoss EAP 7.2

Environment: Linux 7 & JBoss 7.2

Note: Take backup of JBoss /configuration directives.

1. Locate to standalone.xml file & check for undertow subsystem.


2. Add an http-to-https filter-ref to the host tag, paired with a rewrite rule of the same name in the filters tag (e.g. from port 8084/8081 to 8443 over https).

<!-- hostname configuration -->
<host name="default-host" alias="localhost">
    <filter-ref name="http-to-https" predicate="equals(%p,8084) or equals(%p,8081)"/>
</host>

<!-- referenced filter configuration -->
<filters>
    <rewrite name="http-to-https" target="https://www.test.int:8443%U" redirect="true"/>
</filters>



3. Check that the undertow subsystem matches the configuration below.


****************************************************************
        <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <filter-ref name="http-to-https" predicate="equals(%p,8084) or equals(%p,8081)"/>
                    <filter-ref name="host-checker"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config x-powered-by="false"/>
                <session-cookie http-only="true" secure="true"/>
                <websockets/>
            </servlet-container>
            <filters>
                <rewrite name="http-to-https" target="https://www.test.int:8443%U" redirect="true"/>
                <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, www.test.int:8443)) -> response-code(403)"/>
            </filters>
        </subsystem>
****************************************************************


4. Restart the JBoss server JVM.


5. To test the redirect with curl, an https:// location must appear in the output.

Command:

curl -I http://www.test.int:8084/calendar


Thanks :-)

Host Header injection on JBOSS EAP 7.2 (standalone.xml)

 Environment: Linux 7 & JBoss 7.2

Note: Take backup of JBoss /configuration directives.

1. Locate to standalone.xml file & check for undertow subsystem.


2. Add a host-checker filter-ref to the host tag, paired with the expression-filter named "host-checker" that returns a 403 HTTP error code.

<!-- hostname configuration -->
<host name="default-host" alias="localhost">
    <filter-ref name="host-checker"/>
</host>

<!-- referenced filter configuration -->
<filters>
    <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, www.test.int:8443)) -> response-code(403)"/>
</filters>



3. Check that the undertow subsystem matches the configuration below.

****************************************************************
        <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <filter-ref name="http-to-https" predicate="equals(%p,8084)"/>
                    <filter-ref name="host-checker"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config x-powered-by="false"/>
                <session-cookie http-only="true" secure="true"/>
                <websockets/>
            </servlet-container>
            <filters>
                <rewrite name="http-to-https" target="https://www.test.int:8443%U" redirect="true"/>
                <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, www.test.int:8443)) -> response-code(403)"/>
            </filters>
        </subsystem>
****************************************************************


4. Restart the JBoss server JVM.


5. To test host header injection with curl, send a request with a foreign Host header; a 403 HTTP error must be returned.

Command:-

curl -i -s -k -X $'GET' -H $'Host: wwww.example.com' $'https://www.test.int:8443/we/services/portal'


Thanks:-)

Encrypting Datasource Passwords using Vault in JBOSS EAP 6 / EAP 7 (standalone.xml)

Environment: Windows (O.S) & JBoss EAP 6.2 / 7

Note: Take backup of JBoss bin , configuration directives.

1. Create a Keystore.

"C:\Program Files\Java\jdk1.6.0_45\bin\keytool" -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -validity 730 -keystore "E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore"


2. Initialize the Password Vault.

"E:\JBOSS Software\jboss-eap-6.2\bin\vault.bat" --keystore "E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore" --keystore-password vault22 --alias vault --vault-block vb --attribute dspassword --sec-attr Secret_Password --enc-dir "E:\JBOSS Software\jboss-eap-6.2\bin\vault" --iteration 120 --salt 1234abcd


The following parameters are needed:

o Keystore URL (--keystore) : The file system path or URI of the keystore file. The examples use EAP_HOME/vault/vault.keystore.

o Keystore password (--keystore-password) : The password used to access the keystore.

o Salt (--salt) : The salt value is a random string of eight characters used, together with the iteration count, to encrypt the content of the keystore.

o Keystore Alias (--alias) : The alias by which the keystore is known.

o Iteration Count (--iteration) : The number of times the encryption algorithm is run.

o Directory to store encrypted files (--enc-dir) : The path in which the encrypted files are to be stored. This is typically the directory containing the password vault. It is convenient but not mandatory to store all of your encrypted information in the same place as the key store. This directory should be only accessible to limited users. At a minimum the user account under which JBoss EAP 7 is running requires read-write access. The keystore should be located in the directory used for Step 1. Note that the trailing backslash or forward slash on the directory name is required. Ensure the correct file path separator is used: / (forward slash) for Red Hat Enterprise Linux and similar operating systems, \ (backslash) for Microsoft Windows Server.

o Vault Block (--vault-block) : The name to be given to this block in the password vault.

o Attribute (--attribute) : The name to be given to the attribute being stored.

o Security Attribute (--sec-attr) : The actual value that is being secured in the vault, in this case, the password.



3. Open standalone.xml and add the <vault> block printed by the vault command.

The parameters below also need to be added to standalone.xml.

****************************************************************
        <extension module="org.jboss.as.pojo"/>
        <extension module="org.jboss.as.remoting"/>
        <extension module="org.jboss.as.sar"/>
        <extension module="org.jboss.as.weld"/>
    </extensions>

    <system-properties>
        <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value="DONTKNOW"/>
        <property name="org.jboss.as.sendServerHeader" value="false"/>
        <property name="DATA_SOURCE" value="java:orads"/>
        <property name="DATE_FORMAT" value="dd/mm/yyyy"/>
        <property name="JNDI_XPLUS_EC" value="xplus_ec"/>
        <property name="JNDI_LOOKUPS" value="lookups"/>
        <property name="JNDI_ADMINISTRATION" value="administration"/>
        <property name="application.home.dir" value="E:/JBOSS Software/jboss-eap-6.2/standalone/deployments/calendar.ear"/>
        <property name="org.apache.tomcat.util.http.Parameters.MAX_COUNT" value="10000"/>
        <property name="org.apache.tomcat.util.http.Parameters.COMPRESSION" value="on"/>
        <property name="org.apache.tomcat.util.http.Parameters.COMPRESSION_MIME_TYPES" value="text/javascript,text/css,text/html,application/xml,application/json"/>
    </system-properties>

    <paths>
        <path name="application.home.dir" path="E:/JBOSS SOFTWARE/jboss-eap-6.2/standalone/deployments/calendar.ear"/>
    </paths>

    <!-- the configuration below is copied from the command prompt output -->
    <vault>
        <vault-option name="KEYSTORE_URL" value="E:\JBOSS Software\jboss-eap-6.2\bin\vault\vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="1234abcd"/>
        <vault-option name="ITERATION_COUNT" value="120"/>
        <vault-option name="ENC_FILE_DIR" value="E:\JBOSS Software\jboss-eap-6.2\bin\vault\"/>
    </vault>

<!-- format for storing the password in encrypted form, where VAULT::vb::dspassword::1 is the password reference -->
<username>Datasource_username</username>
<password>${VAULT::vb::dspassword::1}</password>
<!-- note the ${ } brackets around the vault reference -->
****************************************************************


4. Restart the JBoss server JVM.