WebSphere - How to disable X-Powered-By header

Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v.8.5

X-Powered-By disable setting

  • Security vulnerability finding

You can set the web container custom property 'com.ibm.ws.webcontainer.disablexPoweredBy' to true, as described in the IBM Knowledge Center section linked below.

Setting link : https://www.ibm.com/support/knowledgecenter/ko/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rweb_custom_props.html#com.ibm.ws.webcontainer.DisableXPoweredByHeader

The server must be restarted after the property is set.
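A check to run after the restart, added here as an example (not from the IBM page or these notes): it reads raw response headers on stdin, e.g. from `curl -sI http://host:9080/app/` (host and port assumed), and reports whether an X-Powered-By header is still sent.

```sh
#!/bin/sh
# Added example: verify that WebSphere no longer sends X-Powered-By after
# com.ibm.ws.webcontainer.disablexPoweredBy=true has been applied and the
# server restarted. Returns 0 when the header is absent, 1 when it is found.
check_powered_by() {
    # Header names are case-insensitive and header lines end in CRLF, so the
    # CR is stripped before matching. `|| true` keeps grep's "no match" status
    # from aborting callers that run under `set -e`.
    found=$(tr -d '\r' | grep -i '^x-powered-by:' || true)
    if [ -n "$found" ]; then
        echo "disclosed: $found"
        return 1
    fi
    echo "ok: no X-Powered-By header"
    return 0
}

# Constructed sample responses (not captured from a real server): the header
# block before and after the custom property is applied.
BEFORE_HEADERS='HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Content-Type: text/html; charset=UTF-8
'
AFTER_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
'

# Demo on both samples; the first is expected to report the disclosure.
printf '%s' "$BEFORE_HEADERS" | check_powered_by || true
printf '%s' "$AFTER_HEADERS" | check_powered_by
```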

How to remove carriage-return characters after uploading a file


Test environment

OS : AIX

Issue

After editing a file on Windows and uploading it, opening it in vi shows carriage-return characters (^M) at the end of each line, as below.

#!/bin/sh^M
#./startServer.sh server_name^M
#./stopServer.sh server_name -username username -password password^M
  • Remove the carriage returns with a perl one-liner (^M is entered in the shell as Ctrl-V Ctrl-M; \015 is the same character written as an octal escape)

    perl -pi -e 's/^M//g' {file_name}
test1 root [/was8/bin]#perl -pi -e 's/^M//g' stopWasAll.sh
perl -pi -e 's/\015//g' startWeb.sh
perl -pi -e 's/\015//g' stopWeb.sh

Opening the file in vi again shows that the carriage returns are gone.

test1 root [/was8/bin]#vi stopW*.sh
#!/bin/sh
#./startServer.sh server_name
#./stopServer.sh server_name -username username -password password
#PropFilePasswordEncoder.sh
#export LANG=en_us.utf8
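A helper that checks for and strips the carriage returns described above, added here as an example (not from the original notes); it uses tr instead of the perl one-liner so it runs on any POSIX sh, and the file it tests on is constructed.

```sh
#!/bin/sh
# Added example: detect files that still carry Windows carriage returns
# (^M, \r) and strip them in place, keeping a .bak copy with the original mode.

# Return 0 if the file contains at least one CR byte, 1 otherwise.
has_crlf() {
    cr=$(printf '\r')          # literal CR for grep; avoids typing Ctrl-V Ctrl-M
    grep -q "$cr" "$1"
}

# Strip every CR from each file given; files without CR are reported as clean.
strip_crlf() {
    for f in "$@"; do
        if has_crlf "$f"; then
            cp -p "$f" "$f.bak"               # backup keeps permissions (cp -p)
            tr -d '\r' < "$f.bak" > "$f"      # truncating $f keeps its mode and owner
            echo "fixed: $f"
        else
            echo "clean: $f"
        fi
    done
}

# Self-check on a constructed CRLF script (not from the page): returns 0 when
# the file ends up with plain LF endings and its shebang line intact.
demo_crlf() {
    tmp=$(mktemp)
    printf '#!/bin/sh\r\n./startServer.sh server_name\r\n' > "$tmp"
    strip_crlf "$tmp" >/dev/null
    ok=1
    if has_crlf "$tmp"; then ok=0; fi
    [ "$(head -n 1 "$tmp")" = '#!/bin/sh' ] || ok=0
    rm -f "$tmp" "$tmp.bak"
    [ "$ok" -eq 1 ]
}
```

Run `strip_crlf *.sh` in the bin directory after an upload; a shebang line that still ends in ^M is what makes the kernel report "bad interpreter" when the script is executed.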

Apache installation guide

Only the content needed in a real-world environment is summarized.


Test environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Prerequisites

Install APR (Apache Portable Runtime)

Since the installation is compiled from source, download APR beforehand.

To use the latest Apache HTTP Server, an APR version matching it must be installed.

  • Check that the prerequisite packages are installed

    yum -y install gcc make gcc-c++ pcre-devel

apr

Download link : https://apr.apache.org/download.cgi

[root@was11 apr]$ ./configure --prefix=/SW/web/tools/apr
[root@was11 apr]$ make && make install

apr-util

# extract the archive
[root@was11 apr-util]$ ./configure --prefix=/SW/web/tools/apr-util --with-apr=/SW/web/tools/apr
[root@was11 apr-util]$ make && make install

PCRE

https://www.pcre.org/

[root@was11 pcre]# ./configure --prefix=/SW/web/tools/pcre
[root@was11 pcre]# make && make install

openssl

Download link : https://www.openssl.org/source/


[root@was11 openssl]# ./config --openssldir=/SW/web/tools/openssl
[root@was11 openssl]# make && make install

Main content

[root@was11 httpd24]$ tar -zxvf httpd-2.4.41.tar.gz

configure command

[root@was11 httpd24]# ./configure --prefix=/SW/web/httpd24 --enable-so --enable-rewrite --enable-proxy --enable-ssl --enable-mods-shared=all --enable-modules=shared --enable-mpms-shared=all --with-mpm=worker --with-apr=/SW/web/tools/apr --with-apr-util=/SW/web/tools/apr-util --with-pcre=/SW/web/tools/pcre --with-ssl=/SW/web/tools/openssl --enable-unique-id

[root@was11 httpd24]# make && make install

start

/SW/web/httpd24/bin/apachectl start


Quick guide to the find command

Only the content needed in a real-world environment is summarized.


Test environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Main content

Basic commands

find ~ -name readme.txt
find [-H] [-L] [-P] [path...] [expression]

  • Find a file by name
[root@localhost /]# find /sw -name "Mem.sh"
/sw/Mem.sh
  • Find a file by name under the current directory (.)
[root@localhost /]# find . -name "Mem.sh"
find: ‘./run/user/1000/gvfs’: Permission denied
./sw/Mem.sh
  • Find a file ignoring case (-iname)
[root@localhost sw]# find /sw -iname "Mem.sh"
/sw/Mem.sh
/sw/MEM.sh
  • Find files modified within the last n days (-mtime -n)
[root@localhost /]# find /sw -name "*.sh" -mtime -1
/sw/Mem.sh
/sw/Mem1.sh
/sw/MEM.sh
  • Search for a string inside the files found
[root@localhost /]# find /sw -name "*.sh" -mtime -1 | xargs grep "Mem"
/sw/Mem.sh:MEMINFO=`cat /proc/meminfo | grep 'MemTotal\|MemFree\|Buffers\|Cached'`
/sw/Mem1.sh: TOTAL=`free | grep ^Mem: | awk '{print $2}'`
/sw/Mem1.sh: USED=`free | grep ^Mem: | awk '{print $3}'`
/sw/Mem1.sh: FREE=`free | grep ^Mem: | awk '{print $4}'`
/sw/Mem1.sh: BUFFER=`free | grep ^Mem: | awk '{print $6}'`

Changing a file's owner and group

Only the content needed in a real-world environment is summarized.


Test environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Main content

A file's owner can be changed using the chown command.

chown [OPTION]... [OWNER][:[GROUP]] FILE...

  • Change the user and group of files and directories with chown
[root@localhost sw]# chown -R root:root *
[root@localhost sw]# ls -alrt
total 8
dr-xr-xr-x. 18 root root 234 Feb  5 01:49 ..
drwxrwxrwx.  2 root root   6 Feb  5 01:49 img
drwx------.  2 root root   6 Feb  5 01:49 was
drwx------.  2 root root   6 Feb  5 01:49 web
drwxr-xr-x.  2 root root   6 Feb  5 01:49 app
drwxr-xr-x.  2 root root   6 Feb  5 01:49 java
drwxr-xr-x.  2 root root   6 Feb  5 01:49 bin
drwxr-xr-x.  2 root root   6 Feb  7 21:26 logs
-rwxr-xr-x.  1 root root 428 Feb  8 01:16 Mem.sh
-rwxr-xr-x.  1 root root 446 Feb  8 06:01 Mem1.sh
drwxr-xr-x.  9 root root 114 Feb  8 06:01 .
[root@localhost sw]# chown wasadm:wasadm img
[root@localhost sw]# chown wasadm:wasadm was
[root@localhost sw]# chown wasadm:wasadm Mem.sh
[root@localhost sw]# ls -alrt
total 8
dr-xr-xr-x. 18 root   root   234 Feb  5 01:49 ..
drwxrwxrwx.  2 wasadm wasadm   6 Feb  5 01:49 img
drwx------.  2 wasadm wasadm   6 Feb  5 01:49 was
drwx------.  2 root   root     6 Feb  5 01:49 web
drwxr-xr-x.  2 root   root     6 Feb  5 01:49 app
drwxr-xr-x.  2 root   root     6 Feb  5 01:49 java
drwxr-xr-x.  2 root   root     6 Feb  5 01:49 bin
drwxr-xr-x.  2 root   root     6 Feb  7 21:26 logs
-rwxr-xr-x.  1 wasadm wasadm 428 Feb  8 01:16 Mem.sh
-rwxr-xr-x.  1 root   root   446 Feb  8 06:01 Mem1.sh
drwxr-xr-x.  9 root   root   114 Feb  8 06:01 .

Checking memory utilization

Only the content needed in the environment in use is summarized.

System environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Commands

The way memory is reported changed between CentOS 6.x and earlier and CentOS 7
(the -/+ buffers/cache line is gone).

Memory usage (%) = used / (used + free) * 100

  • Usage example
[root@localhost sw]# free -m
              total        used        free      shared  buff/cache   available
Mem:           7803         892        4686         263        2224        6277
Swap:          8064           0        8064

Memory utilization calculation

$$Memusage=\frac{used}{total}\times 100$$

Utilization can also be checked with sar -r 1 (the %memused column).

  • Check memory every second with the buffer and cache areas shown separately
[root@localhost sw]# free -mw -s 1
              total        used        free      shared     buffers       cache   available
Mem:           7803         900        4627         308           2        2273        6224
Swap:          8064           0        8064

              total        used        free      shared     buffers       cache   available
Mem:           7803         900        4627         308           2        2273        6224
Swap:          8064           0        8064

Parameters

  total       total memory size
  used        memory in use (total - free - buff/cache)
  free        unused memory
  shared      shared memory used by tmpfs, ramfs, etc.
  buff/cache  kernel buffers, page cache and slab memory
  available   estimated memory available for starting new processes without swapping
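A script that applies both formulas given above to `free -m` output, added here as an example (not from the original notes); the sample output is constructed in the CentOS 7 layout, and the 80% threshold is an assumed default.

```sh
#!/bin/sh
# Added example: compute memory utilization from `free -m` output with both
# formulas quoted above, used/(used+free) and used/total, so the difference
# caused by the buff/cache column is visible. mem_usage_pct reads the free -m
# text on stdin, so `free -m | mem_usage_pct` works on a live CentOS 7 host.

# Constructed sample laid out like CentOS 7 `free -m` output (not a live capture).
FREE_SAMPLE='              total        used        free      shared  buff/cache   available
Mem:           7803         892        4686         263        2224        6277
Swap:          8064           0        8064'

# Print two percentages rounded to two decimals: "used/(used+free) used/total".
mem_usage_pct() {
    awk '$1 == "Mem:" {
        total = $2; used = $3; free = $4
        printf "%.2f %.2f\n", used / (used + free) * 100, used / total * 100
    }'
}

# Exit 0 if usage by the stricter formula, used/(used+free), is below the
# threshold percentage in $1 (assumed default 80), 1 otherwise. Usable as a
# cron or monitoring probe; the input is the free -m text on stdin.
mem_below_threshold() {
    limit=${1:-80}
    pct=$(mem_usage_pct | cut -d' ' -f1)
    # awk does the float comparison, since sh arithmetic is integer only.
    awk -v p="$pct" -v l="$limit" 'BEGIN { exit (p < l) ? 0 : 1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$FREE_SAMPLE" | mem_usage_pct
```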

How to find the path of the Java installed on Linux

Only the content needed in the environment in use is summarized.

System environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Commands

Commands used: which, readlink

  • which : shows the path of a command
  • readlink : shows the target of a symbolic link (-f : absolute path of the final target)

ll (ls -l) also works, but when several symbolic links are chained, readlink is more convenient.

#which 
[wasadm@localhost sw]$ which java
/usr/bin/java

#readlink
[wasadm@localhost sw]$ readlink -f /usr/bin/java
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java

#ll
[wasadm@localhost sw]$ ll /usr/bin/java
lrwxrwxrwx. 1 root root 22 Feb  5 01:36 /usr/bin/java -> /etc/alternatives/java
[wasadm@localhost sw]$ ll /etc/alternatives/java
lrwxrwxrwx. 1 root root 71 Feb  5 01:36 /etc/alternatives/java -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java

How to grant permissions on files and directories

Only the content needed in the environment in use is summarized.

System environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Usage

Change the mode of each FILE to MODE.

Note that chmod replaces the file's current permission bits with the mode given.

  • Permission change
    • Commonly used examples
[wasadm@localhost sw]$ chmod -R 700 ./was
[wasadm@localhost sw]$ chmod -R 700 ./web
[wasadm@localhost sw]$ chmod -R 755 ./bin
[wasadm@localhost sw]$ chmod -R 777 ./img

To change the subdirectories and their contents as well:

-R, --recursive  change files and directories recursively

Permission

There are two ways to modify permissions, with numbers or with letters.

  1. Symbolic mode
Parameters
  u  User (the owner of the file)
  g  Group (any member of the file's defined group)
  o  Other (anyone else)
  a  All (equivalent to ugo)
  +  add permission
  -  remove permission
  =  set permission
  2. Numeric mode (the most commonly used); each digit is the sum of read=4, write=2, execute=1
Parameters
  Number  Symbol  Permission
  0       ---     No permission
  1       --x     Execute
  2       -w-     Write
  3       -wx     Write and execute
  4       r--     Read
  5       r-x     Read and execute
  6       rw-     Read and write
  7       rwx     Read, write and execute

How to encrypt datasource password in JBoss EAP 7.x Case 2


Test Environment

  • Test Version : JBoss EAP 7.2

Set Up a Password Vault

Case 2

Encrypt the data source password.
Use one of the scripts below to encrypt the database password.

Case 1

#!/bin/sh
echo "####################################"
echo "database password changes Encoded"
printf " password : "
read PASSWORD
echo "####################################"

# picketbox and jboss-logging jars from the base layer; JBOSS_HOME must already be set
/SW/was/java1.8/bin/java -cp "$JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-5.0.3.Final-redhat-3.jar:$JBOSS_HOME/modules/system/layers/base/org/jboss/logging/main/jboss-logging-3.3.2.Final-redhat-00001.jar:$CLASSPATH" org.picketbox.datasource.security.SecureIdentityLoginModule "$PASSWORD"

  • Run view

Case 2

#!/bin/sh

# config setting
export JAVA_HOME="/SW/was/java1.8"
export PATH="/SW/was/java1.8/bin":$PATH
JBOSS_HOME="/SW/was/JBoss7.2"
OVERLAY_DIRECTORY="$JBOSS_HOME/modules/system/layers/base/.overlays"

# password 
echo ""
read -p " password : " PASSWORD
echo ""

if [ -d "$OVERLAY_DIRECTORY" ]; then
    PATCH_SUBDIRECTORY=$(ls -dt $OVERLAY_DIRECTORY/* | grep "CP" | head -n 1)   
    echo patch subdirectory is: "$PATCH_SUBDIRECTORY"
    SEARCH_DIRECTORY="$PATCH_SUBDIRECTORY/org/picketbox/main"
else
    SEARCH_DIRECTORY="$JBOSS_HOME/modules/system/layers/base/org/picketbox/main"
fi

export CLASSPATH=$(find $(cd "$SEARCH_DIRECTORY"; pwd) -name "*.jar" -print | tr '\n' ':')$CLASSPATH

echo "####################################################"
java org.picketbox.datasource.security.SecureIdentityLoginModule "$PASSWORD"
echo "####################################################"
echo ""

  • Run view

Security Domain

  • Add a security domain
  • Add an authentication module
  • Module options (key=value)
  • Add Datasource > Security > Security Domain
  • Test connection
  • When editing standalone.xml or domain.xml directly, refer to the following.

    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
        <driver>h2</driver>
        <security>
            <security-domain>encryptedSecurityDB</security-domain>
        </security>
    </datasource>
    ...
    <security-domain name="encryptedSecurityDB" cache-type="default">
        <authentication>
            <login-module name="encryptedSecurityDB" code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username" value="sa"/>
                <module-option name="password" value="9fdd42c2a7390d3"/>
                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM"/>
            </login-module>
        </authentication>
    </security-domain>


JBoss - EAP 7.x domain mode

Test Environment

  • OS : Windows NT
  • Version : JBoss EAP 7.2

add-user

  • Add a user account
F:\app\Redhat\JBoss7.2\bin>add-user.bat

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : admin
User 'admin' already exists and is enabled, would you like to...
 a) Update the existing user password and roles
 b) Disable the existing user
 c) Type a new username
(a): a
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password should be different from the username
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
Updated user 'admin' to file 'F:\app\Redhat\JBoss7.2\standalone\configuration\mgmt-users.properties'
Updated user 'admin' to file 'F:\app\Redhat\JBoss7.2\domain\configuration\mgmt-users.properties'
Updated user 'admin' with groups  to file 'F:\app\Redhat\JBoss7.2\standalone\configuration\mgmt-groups.properties'
Updated user 'admin' with groups  to file 'F:\app\Redhat\JBoss7.2\domain\configuration\mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="YWRtaW4xMiMk" />

When using domain mode, save the <secret value="YWRtaW4xMiMk" /> line for the slave's host configuration; the value is only the base64 encoding of the password, so protect the file it goes into accordingly.

Summary

Every host running in a managed domain must have a unique host name. To ease administration and allow for the use of the same host configuration files on multiple hosts, the server uses the following precedence for determining the host name.

  1. If set, the host element name attribute in the host.xml configuration file.
  2. The value of the jboss.host.name system property.
  3. The value that follows the final period (".") character in the jboss.qualified.host.name system property, or the entire value if there is no final period (".") character.
  4. The value that follows the period (".") character in the HOSTNAME environment variable for POSIX-based operating systems, the COMPUTERNAME environment variable for Microsoft Windows, or the entire value if there is no final period (".") character.

This topic describes how to set the name of the host in the configuration file, using either a system property or a hard-coded name.

  1. Edit host-master.xml or host-slave.xml in the configuration directory

master

# host name 
<host xmlns="urn:jboss:domain:8.0" name="test-master"> 

slave

# host name
<host xmlns="urn:jboss:domain:8.0" name="slave-node01">

# change the slave's jboss.management.http.port (master and slave on one box)
        <management-interfaces>
            <http-interface security-realm="ManagementRealm">
                <http-upgrade enabled="true"/>
                <socket interface="management" port="${jboss.management.http.port:19990}"/>
            </http-interface>
        </management-interfaces>

  2. Check the domain controller in host-master.xml
   <domain-controller>
      <local/>
   </domain-controller>
  3. Edit host-slave.xml
   <server-identities>
      <secret value="YWRtaW4xMiMk" />
   </server-identities>

Start domain Windows

master
For example:

F:\app\Redhat\JBoss7.2\bin\domain.bat -Djboss.domain.base.dir="F:\app\Redhat\JBoss7.2\master" -b=192.168.0.6 -bmanagement=192.168.0.6 --host-config=host-master.xml 

slave
For example:

# node01
F:\app\Redhat\JBoss7.2\bin\domain.bat -Djboss.domain.base.dir="F:\app\Redhat\JBoss7.2\node01" -b=192.168.0.6 -bmanagement=192.168.0.6 --host-config=host-slave.xml --master-port=9990 --master-address=192.168.0.6 -Djboss.socket.binding.port-offset=1000 

# node02
F:\app\Redhat\JBoss7.2\bin\domain.bat -Djboss.domain.base.dir="F:\app\Redhat\JBoss7.2\node02" -b=192.168.0.6 -bmanagement=192.168.0.6 --host-config=host-slave.xml --master-port=9990 --master-address=192.168.0.6 -Djboss.socket.binding.port-offset=2000 

JBoss EAP 7.2 documentation Runtime Arguments

Configuration screen

domain console

Sample: a practical way to stop or start a server

options:

/host=HOST_NAME/server-config=SERVER_NAME:stop

/host=HOST_NAME/server-config=SERVER_NAME:start

For example:

# stop
F:\app\Redhat\JBoss7.2\bin>jboss-cli.bat --connect controller=192.168.0.6:9990 /host=slave-node01/server-config=test01:stop
{
    "outcome" => "success",
    "result" => "STOPPING"
}

# start
F:\app\Redhat\JBoss7.2\bin>jboss-cli.bat --connect controller=192.168.0.6:9990 /host=slave-node01/server-config=test01:start
{
    "outcome" => "success",
    "result" => "STARTING"
}