Java Applet Permission Security Issue

Due to the security enhancement of Java framework (especially in version 1.7 update 45), user might encounter numbers of problem when running Java Applet. There are 2 things that we need to take notes:

1. The new Java framework will not allow Applet to be run without the permission attribute in the manifest file. To add the attribute:
   1. Create a manifest file with the following sample code:
      Codebase: *
Permissions: all-permissions
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
   2. Update the manifest file into the jar file:
      1. jar uvfm <applet jar file> <manifest file> <class files>
2. The new Java framework will not allow Applet to be run without a Publisher. This is tricky because for development or small organization, they might not have CA certificate (even signed applet will show UNKNOWN publisher if it does not have a CA certificate).  To deal with this, we need to set the Java Security Level at client side to Medium (at the Configure Java menu).

Create Java Applet Jar

To create Java Applet Jar, there are 2 steps need to be taken:

1. Compile the Java files into class files and create a Jar file from the class files:
   1. javac <java files>
   2. jar cvf <applet.jar> <class files>
2. Create a keystore and sign the created applet jar file:
   1. keytool -genkey -keystore <keystore> -alias <alias>
   2. keytool -selfcert -keystore <keystore> -alias <alias>
   3. jarsigner -keystore <keystore> <jar file> <alias>

Now you can deploy the Jar file as Applet.

Transfer SSL Certificate from Tomcat to Apache

After Setup Tomcat with Apache Web Server in Linux, you might want to transfer the SSL certificate from Apache Tomcat Server to Apache Web Server.

1. Convert Tomcat SSL Certificate to Apache Web Server SSL Certificate:
   • keytool -importkeystore -scrkeystore [tomcat key file] -destkeystore [new p12 key file] -srcstoretype jks -deststoretype pkcs12
   • openssl pkcs12 -in [new p12 key file] -out [new pem file]
   • openssl x509 -text -in [new pem file]
   • (command above will show some text, copy the certificate portion and paste to a new certificate file)
2. [Optional] Convert the certificate to run without password
   • openssl rsa -in [new pem file] -out [no password pem file]
   • openssl x509 -text -in [no password pem file]
   • (same as step 1, copy the certificate portion and paste to a new certificate file)
3. Edit httpd.conf:
   • uncomment “Inlucde conf/extra/httpd-ssl.conf”
   • enable mod_ssl
   • enable mod_socache_shmcb
4. Edit httpd-ssl.conf:
   • SSLCertificateFile [certificate file location]
   • SSLCertificateKeyFile [pem file location]
   • add JkMount /[SSL Web] balancer

Setup Tomcat with Apache Web Server in Linux

Tutorial below show how to setup Apache Tomcat as back-end and Apache Web Server as front-end at your Web Server. In this way user can run both PHP and JSP in one single server without setting up different ports, and also make use of the advantage of Apache Web Server Modules like Mod Security. All the installation files mentioned below are in source code format, however you may also install using respective Linux package manager.

(This tutorial is assumed Tomcat is already installed in the server, located at /apache-tomcat)

1. First of all, install httpd by running command below inside the httpd extracted directory  (get it from http://httpd.apache.org). The SSL feature is optional (httpd will be installed at /usr/local/apache2).
   • ./configure –enable-ssl –enable-so –with-ssl=/usr/local/ssl
   • make
   • make install
2. Troubleshoot: the following packages are missing during my installation of httpd, for your reference
   • install apr
     • ./configure
     • make
     • make install
   • install apr-util
     • ./configure –with-apr=/usr/local/apr
     • make
     • make install
   • install pcre
     • ./configure –disable-cpp
     • make
     • make install
3. Install tomcat-connectors (to create mod_jk.so)
   • in terminal, change directory to native folder in the extracted directory and issue following commands:
     • ./configure –with-apxs=/usr/local/apache2/bin/apxs
     • make
     • make install
   • copy native/apache-2.0/mod_jk.so to /usr/local/apache2/modules (it might auto put it into the folder during the installation)
   • copy conf/httpd-jk.conf to /apache-tomcat/conf/mod_jk.conf
   • copy conf/workers.properties to /apache-tomcat/conf/workers.properties
   • edit /usr/local/apache2/conf/httpd.conf
     • add line “Include /apache-tomcat/conf/mod_jk.conf”
   • edit /apache-tomcat/conf/mod_jk.conf (this is the part to specify which url to refer Apahce Tomcat, eg jspSystem)
     • JkWorkersFile workers.properties
     • add line “JkMount /jspSystem/* balancer”
     • add line “JkMount /jspSystem/ balancer”
   • edit /apache-tomcat/conf/workers.properties
     • worker.node1.port=8009
     • worker.node2.activation=D
4. Set Apache Tomcat to run at port 8080.
5. Now you can start Apache Web Server (like using this command /usr/local/apache2/bin/apachectl -k start)

 

Add Local Storage as Raw Disk Mapping in ESX

In newer version of VMWare (example version 5), you can only Raw Disk Mapping (RDM) a SAN storage, and not the local storage or harddisk. However there is a trick to do this:

1. Log in as root through ssh or just go to the console terminal (refer Enable SSH at ESX Host)
2. Now you need to find out the physical disk path that you will be doing RDM, using either the following commands:
   • esxcfg-mpath -l
   • ls -al /vmfs/devices/disks
3. Then you need to map the disk as a virtual disk using following command:
   vmkfstools -r /vmfs/devices/disks/<physical disk path> /vmfs/volumes/<vmfs datastore name>/<folder name>/<virtual disk name>.vmdk

Now you can view the physical disk as virtual disk and add it to VM.

Reference: Add Local Storage (e.g. a SATA disk) as a Raw Disk Mapping (RDM) or Mapped RAW LUN to a virtual machine hosted on ESXi

Enable SSH at ESX Host

In newer version of ESX such as version 5, you have the option to enable the SSH daemon from the console menu (console directly from the host). However for older version like version 3, you need to do some tricks for it to happen:

1. At the console, hit Alt+F1
2. You will enter into console terminal, but you won’t see any prompt. Just key in “unsupported” (without quote) and press enter.
3. Now you can see the prompt, edit /etc/inetd.conf using any editor (vi or nano)
4. Look for the line with ssh, uncomment it.
5. Exit from editor, then you need to stop the inetd process by killing it.
   1. Issue ps|grep inetd
   2. Find out the inetd process id and kill it using kill <process id>
6. Start the inetd daemon by issuing the command inetd

Now you should able to connect the ESX host through SSH.

Reference: Get full control over your ESXi Server

How to adjust Tomcat PermGen Space Size

When we putting more than 3 applications in Tomcat Webapp, we might experience slowness and eventually application crash, even after we have increase Tomcat reserved memory. It is normally refer as Out of Memory Error in PermGen space.

Default PermGen space size is 64MB. To increase it, similar to increase Tomcat reserved memory, we need to edit $TOMCAT/bin/catalina.bat (or catalina.sh in Linux) and look for JAVA_OPTS:

set JAVA_OPTS = ""

Add in -XX:PermSize=500m -XX:MaxPermSize=500m to JAVA_OPTS. If JAVA_OPTS exists with other parameters, just append the new parameters to it.

set JAVA_OPTS = "-Xms2000m -Xmx2000m -XX:PermSize=500m -XX:MaxPermSize=500m"

It is recommended to set size as 1/4 of the reserved memory, eg 1/4 of the 2GB reserved memory will be 500MB PermGen space size.

Other reference: 2 solution of java.lang.OutOfMemoryError in Java

Oracle PL/SQL Script to Find Table(s) Based on Column Name and Value

Here is a simple oracle PL/SQL script, to find table(s) based on a column name and value that match with it. Just copy the scripts below and run it in SQL Plus. It will prompt user to enter the column name, the value you want to match and the schema, then it will show the table name and row count.

set serveroutput on
declare
col varchar2(20) := '&column_input';
val varchar2(20) := '&value_input';
cursor c is select table_name
from dba_tab_columns
where owner = '&owner_input'
and column_name = col;
cnt number;
begin
for r in c loop
cnt := 0;
execute immediate 'select count(*) from ' || r.table_name ||
' where ' || col || ' = ''' || val || '''' into cnt;
dbms_output.put_line(r.table_name || ': ' || cnt);
end loop;
end;
/
set serveroutput off

Setup CRON job to Trigger an URL

The following CRON script can be used to trigger an URL (example below is schedule to run every minute, for other schedule setting please refer to other CRON tutorial).

0 * * * * wget -q -O - http://www.example.com/notify.php >/tmp/cron 2>&1

In Linux, wget is used to download file from internet (or network). -q option means quiet, -O means output file. It is important to put the -O option so that your server won’t end up with annoying CRON output file.

Make Tomcat Auto Start in Linux

Here is another method to install tomcat startup script in Linux (there is another method in my earlier post)

1. Download tomcat and rename the file name from tomcat.doc to tomcat only (remove the extension)
2. Put the file under /etc/inid.d
3. Give execute privilege to the file (chmod +x /etc/init.d/tomcat)
4. Adjust 2 parameters in the file, TOMCAT and JAVA_HOME.
5. Add the file into service list (chkconfig ––add tomcat)
6. Done!

Now you can double check whether tomcat is inside your service list or not by using “chkconfig ––list tomcat”. To start or stop tomcat, simply “service tomcat start” and “service tomcat stop”.