JBoss - Start, Stop Shell

start-stop-shell-setting

start, stop shell setting

redhat

Test Environment

  • Test OS : CentOS 7.2
  • Test Version : JBoss EAP 6.4

shell

TIP Change password to input method when it comes with security

. ./config/config1.sh
start(){
        PID=`ps -ef | grep jboss | grep "=$NODE_NAME " | awk '{print $2}'`
        if [ e$PID != "e" ]
                then
                echo "###############################################"
                echo "JBOSS PID = $NODE_NAME $PID                    "
                echo "JBoss SERVER - $NODE_NAME is already RUNNING..."
                echo "###############################################"
        exit;
        fi
        echo "#######################"
        echo "   Starting JBoss EAP  "
        echo "#######################"
             nohup $JBOSS_HOME/bin/standalone.sh --server-config=standalone-ha.xml -Djboss.server.base.dir=$SERVER_HOME -bmanagement $SERVER_IP -b $SERVER_IP 1> /dev/null 2>&1 &

        sleep 5
        _up=`netstat -an | grep $CONTROLLER_PORT | grep -v grep | wc -l`
              if [[ "${_up}" != "0" ]]; then
                 echo "###############################################"
                 echo "JBoss Server is Up!! $NODE_NAME  And Running.!!"
                 echo "###############################################"
              else
                 echo "###############################################"
                 echo "JBoss Server is Down!! $NODE_NAME              "
                 echo "###############################################"
              fi;
}

stop(){
        echo "#######################"
        echo "    Stopping JBoss     "
        echo -e " password : \c "
        read PASSWORD
        echo "#######################"
        $JBOSS_HOME/bin/jboss-cli.sh -c --controller=$SERVER_IP:$CONTROLLER_PORT --connect command=:shutdown --user=$USER --password=$PASSWORD

#        $JBOSS_HOME/bin/jboss-cli.sh -c --controller=$SERVER_IP:$CONTROLLER_PORT --connect command=:shutdown --user=$USER --password=$PASSWD
}

status() {
                echo Checking JBoss Status..
                echo Wait for a while...
                        _up=`netstat -an | grep $CONTROLLER_PORT | grep -v grep | wc -l`
                        if [[ "${_up}" != "0" ]]; then
                                echo "###############################################"
                                echo "JBoss Server is Up!! $NODE_NAME  And Running.!!"
                                echo "###############################################"
                        else
                                echo "##################################"
                                echo "JBoss Server is Down!! $NODE_NAME "
                                echo "##################################"
                        fi;
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status
        ;;
  *)
        echo "Usage: jboss {start|stop|status}"
        exit 1
esac
exit 0

Config shell

Start reading the settings for the instance from the file below

#!/bin/sh
DATE=`date +%Y%m%d%H%M%S`

##### Configration File #####
#export CONFIG_FILE=standalone-full-ha.xml
export CONFIG_FILE=standalone-ha.xml
export JBOSS_HOME=/SW/was/JBoss
export USER=admin
export SERVER_HOME=/SW/was/JBoss/TEST/TESTServer11
export SERVER_IP=10.252.16.25
export LOG_PATH=/app/logs/was
export NODE_NAME=TESTServer11
export PORT_OFFSET=750
export JBOSS_USER=admin

##### Bind Address #####
#export BIND_ADDR=10.252.16.24
export MULTICAST_ADDR=230.1.0.1
export JMS_MULTICAST_ADDR=231.7.0.1
export MODCLUSTER_MULTICAST_ADDR=224.0.1.105
export MGMT_ADDR=10.252.16.25
export CONTROLLER_IP=$MGMT_ADDR
let CONTROLLER_PORT=9999+$PORT_OFFSET
export CONTROLLER_PORT

#export LAUNCH_JBOSS_IN_BACKGROUND=true
##### JBoss System module and User module directory #####
#export JBOSS_MODULEPATH=$JBOSS_HOME/modules:$JBOSS_HOME/modules.ext

# JVM Options : Server
export JAVA_OPTS="-server $JAVA_OPTS"

# JVM Options : Memory
export JAVA_OPTS=" $JAVA_OPTS -Xms1024m -Xmx2048m -XX:MaxPermSize=256m"
export JAVA_OPTS=" $JAVA_OPTS -XX:+PrintGCTimeStamps "
export JAVA_OPTS=" $JAVA_OPTS -XX:+PrintGCDetails "
export JAVA_OPTS=" $JAVA_OPTS -Xloggc:$LOG_PATH/log/gclog/gc_$DATE.log "
export JAVA_OPTS=" $JAVA_OPTS -XX:+UseParallelGC "
#export JAVA_OPTS=" $JAVA_OPTS -XX:+UseConcMarkSweepGC "
export JAVA_OPTS=" $JAVA_OPTS -XX:+ExplicitGCInvokesConcurrent "
export JAVA_OPTS=" $JAVA_OPTS -XX:-HeapDumpOnOutOfMemoryError "
export JAVA_OPTS=" $JAVA_OPTS -XX:HeapDumpPath=$LOG_PATH/heap/$NODE_NAME "

# Linux Large Page Setting
#export JAVA_OPTS=" $JAVA_OPTS  -XX:+UseLargePages "
#export JAVA_OPTS=" $JAVA_OPTS -verbose:gc"
export JAVA_OPTS=" $JAVA_OPTS -Djava.net.preferIPv4Stack=true"
export JAVA_OPTS=" $JAVA_OPTS -Dorg.jboss.resolver.warning=true"
export JAVA_OPTS=" $JAVA_OPTS -Dsun.rmi.dgc.client.gcInterval=3600000 "
export JAVA_OPTS=" $JAVA_OPTS -Dsun.rmi.dgc.server.gcInterval=3600000"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.modules.system.pkgs=org.jboss.byteman"
export JAVA_OPTS=" $JAVA_OPTS -Djava.awt.headless=true"
export JAVA_OPTS=" $JAVA_OPTS -DjvmRoute=$NODE_NAME "
export JDBCDRIVER=oracle.jdbc.pool.OracleConnectionPoolDataSource
export TOKEN_NODE=01

#for darwin
export JAVA_OPTS=" $JAVA_OPTS -Djboss.server.log.dir=$LOG_PATH/$NODE_NAME"
#export JAVA_OPTS=" $JAVA_OPTS -Djboss.server.base.dir=$DOMAIN_BASE/$SERVER_NAME"
#export JAVA_OPTS=" $JAVA_OPTS -Djboss.server.log.dir=$JBOSS_LOG_DIR"
#export JAVA_OPTS=" $JAVA_OPTS -Djboss.external.deployments=$EXTERNAL_DEPLOYMENT"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.socket.binding.port-offset=$PORT_OFFSET"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.node.name=$NODE_NAME"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.bind.address.management=$MGMT_ADDR"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.bind.address=$BIND_ADDR"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.bind_addr=$MULTICAST_ADDR"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.default.jgroups.stack=tcp"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.default.multicast.address=$MULTICAST_ADDR"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.messaging.group.address=$JMS_MULTICAST_ADDR"
export JAVA_OPTS=" $JAVA_OPTS -Djboss.modcluster.multicast.address=$MODCLUSTER_MULTICAST_ADDR"
#export JAVA_OPTS=" $JAVA_OPTS -Dserver.mode=local"
# Use log4j in application
export JAVA_OPTS=" $JAVA_OPTS -Dorg.jboss.as.logging.per-deployment=false "
echo "Config OK"




0 Read More →

WebSphere 디렉토리 리스팅 제거

WebSphere 디렉토리 리스팅 제거

Test Environment

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5.0.0

fileServingEnabled 기본값이 false이지만 보안 취약점으로 잡힌다면 아래와 같이 xml, xmi에 직접 적용 디렉토리 리스팅 제거

  1. ibm-web-ext.xmi ibm-web-ext.xml 예제:

    • enable-directory-browsing value="false"

  1. 웹 컨테이너 설정
    (서버 > 서버 유형 > WebSphere Application Server > server_name > 웹 컨테이너 설정 > 웹 컨테이너)

  2. fileServingEnabled, directoryBrowsingEnabled

이름 기본값
fileServingEnabled true
directoryBrowsingEnabled false

0 Read More →

openssl 사설 인증서 만들기

##openssl로 사설 인증서 만들기

Test Environment

  • Test OS : CentOS 7.2
  • Test Version : apache

###command line

[root@lopdzmb-web01 test]# openssl genrsa -des3 -out test.vn.key 2048..........................+++e is 65537 (0x10001)Enter pass phrase for test.vn.key:[root@lopdzmb-web01 test]# openssl genrsa -des3 -out test.vn.key 2048..........................+++e is 65537 (0x10001)Enter pass phrase for test.vn.key:-----Country Name (2 letter code) [XX]:VNPlease enter the following 'extra' attributesto be sent with your certificate request#개인키 패스워드 지우기#인증서 생성#openssl x509 -req -days 365 -in test.vn.csr -signkey test.vn.key -out test.vn.crt#개인키 확인[root@lopdzmb-web01 test]# cat test.vn.key | head -3-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEA9JYu6T71jmxqeu3rKhDL73sojqBSXJlmODPT3wEcdkoJwUl7#사설인증서 확인[root@lopdzmb-web01 test]# cat test.vn.csr | head -3-----BEGIN CERTIFICATE REQUEST-----MIIC3jCCAcYCAQAwZTELMAkGA1UEBhMCVk4xDjAMBgNVBAgMBUhhbm9pMQ4wDAYD#httpd.conf 설정SSLEngine on

openssl genrsa -des3 -out test.vn.key 2048

Generating RSA private key, 2048 bit long modulus
........+++
small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for test.vn.key:
Verifying - Enter pass phrase for test.vn.key:
#openssl req -new -key test.vn.key -out test.vn.csr
Generating RSA private key, 2048 bit long modulus
........+++


140564056057760:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for test.vn.key:
Verifying - Enter pass phrase for test.vn.key:
[root@lopdzmb-web01 test]# openssl req -new -key test.vn.key -out test.vn.csr
Enter pass phrase for test.vn.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


State or Province Name (full name) []:Hanoi
Locality Name (eg, city) [Default City]:lotte
Organization Name (eg, company) [Default Company Ltd]:admin
Organizational Unit Name (eg, section) []:admin
Common Name (eg, your name or your server's hostname) []:*.test.vn
Email Address []:


A challenge password []:Admin12#$
An optional company name []:Admin12#$

#cp test.vn.key test.vn.key.old
#openssl rsa -in test.vn.key.old -out test.vn.key

[root@lopdzmb-web01 test]# openssl rsa -in test.vn.key.old -out test.vn.key
Enter pass phrase for test.vn.key.old:
writing RSA key

[root@lopdzmb-web01 test]# openssl x509 -req -days 365 -in test.vn.csr -signkey test.vn.key -out test.vn.crt
Signature ok
subject=/C=VN/ST=Hanoi/L=lotte/O=admin/OU=admin/CN=*.test.vn
Getting Private key

KwyUN+98KhWkbxBKX8slvaGmOPU6IBQAam2vXJf9mpbREfMPjYAE4MaSs5G1sjiP
VQQHDAVsb3R0ZTEOMAwGA1UECgwFYWRtaW4xDjAMBgNVBAsMBWFkbWluMRYwFAYD
  • SSLCertificateFile /etc/httpd/conf/test.vn.crt
  • SSLCertificateKeyFile /etc/httpd/conf/test.vn.key

, 0 Read More →

IBM HTTPServer - HTTP 메소드 차단

WebServer 메소드 차단

WebServer 메소드 차단 방법

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5

IBM HTTPServer 에서 보안상의 이유로 HTTP 메소드 차단 요청이 들어와 테스트한 내용 정리.

  • IHS의 경우 apache 기반이기 때문에 해당 설정은 apache에서도 같이 적용이 가능.

httpd.conf 파일 수정

#GET, POST를 제외한 메소드 제한
<Directory />
Options FollowSymLinks
AllowOverride None
 <LimitExcept GET POST>
 Order allow,deny
 Deny from all
 </LimitExcept>
</Directory>

보통 디렉토리 속성안에 넣어서 사용하지만 디렉토리 속성을 안사용할경우 로케이션을 사용.

<Location "/*">
  <LimitExcept GET POST>
  Order allow,deny
  Deny from all
  </LimitExcept>
</Location>

다른 방안으로 rewrite 사용하는 방법도 있다.

LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
 RewriteEngine On
 # GET, POST를 제외하고 모두 405 페이지로 이동
 RewriteCond %{REQUEST_METHOD} !^(GET|POST)
 RewriteRule .* - [R=405,L]
</IfModule>

메소드 차단 테스트로는 해당 메소드 파일을 만들어서 요청하는 방법도 있지만, 간단하게 telnet으로 테스트 가능.

$telnet {domain_address} 80
OPTIONS http://{domain_address}/ HTTP/1.0
OPTIONS http://google.com/ HTTP/1.0
Enter Enter

#모든 메소드 허용의 경우
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 01:44:40 GMT
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/html

#메소드가 차단된 경우
HTTP/1.0 405 Method Not Allowed
Allow: GET, HEAD
#
HTTP/1.1 403 Forbidden
Allow: GET, HEAD

위와 같은 방법으로 안대는 경우

web.xml에 secutity-constraint 속성으로 해당 메소드 제한

#web.xml 아래와 같이 메소드 제한 설정
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
</security-constraint>




0 Read More →

IBM HTTPServer version info

IHS v8.5, v9.0 apache version Info


PS E:\app\was\HTTPServer\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/8.5.5.0 (Win32)
Apache version: 2.2.8 (with additional fixes)
Server built:   Feb 20 2013 13:50:05
Build level:    IHS90/webIHS1307.02
Server's Module Magic Number: 20051115:21
Server loaded:  APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Architecture:   32-bit
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/winnt"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2005-3352  CVE-2005-3357  CVE-2006-3918  CVE-2006-3747
  CVE-2007-4465  CVE-2007-1862  CVE-2006-5752  CVE-2007-3304
  CVE-2007-1863  CVE-2007-3847  CVE-2008-0005  CVE-2007-5000
  CVE-2007-6388  CVE-2007-6422  CVE-2007-6421  CVE-2006-7225
  CVE-2007-6420  CVE-2008-2364  CVE-2008-2939  CVE-2009-1195
  CVE-2009-1955  CVE-2009-0023  CVE-2009-1956  CVE-2009-1890
  CVE-2009-1891  CVE-2009-2412  CVE-2009-1191  CVE-2009-3094
  CVE-2009-3095  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434
  CVE-2010-1452  CVE-2010-1623  CVE-2009-3560  CVE-2009-3720
  CVE-2011-0419  CVE-2011-1928  CVE-2011-3192  CVE-2011-3348
  CVE-2011-3368  CVE-2011-3639  CVE-2011-4317  CVE-2011-3607
  CVE-2012-0717  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883
  CVE-2012-2190  CVE-2012-2191  CVE-2012-2687  CVE-2012-4558
  CVE-2012-3499  CVE-2012-4557  


PS E:\software\IBM\HTTPServer9\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/9.0.0.0-PI56034 (Win32)
Apache version: 2.4.12 (with additional fixes)
Server built:   Apr 18 2016 20:28:53
Build level:    RIHSX.IHS/webIHS1616.01
Server's Module Magic Number: 20120211:57
Server loaded:  APR 1.5.1, APR-UTIL 1.5.2
Compiled using: APR 1.5.1, APR-UTIL 1.5.2
Architecture:   32-bit
Operating System: Windows
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2009-1191  CVE-2009-1890  CVE-2009-3094  CVE-2009-3095
  CVE-2010-0434  CVE-2010-0425  CVE-2010-0408  CVE-2009-3555
  CVE-2010-1452  CVE-2010-1623  CVE-2011-3368  CVE-2011-3607
  CVE-2011-3192  CVE-2011-3348  CVE-2011-4317  CVE-2012-0021
  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883  CVE-2012-2687
  CVE-2012-3502  CVE-2012-4558  CVE-2012-3499  CVE-2013-2249
  CVE-2013-1896  CVE-2013-4352  CVE-2013-6438  CVE-2014-0098
  CVE-2014-0963  CVE-2014-0231  CVE-2014-0118  CVE-2014-0226
  CVE-2014-3523  CVE-2014-0117  CVE-2013-5704  CVE-2014-8109
  CVE-2014-3581  CVE-2014-3583  CVE-2015-0253  CVE-2015-3185
  CVE-2015-3183  CVE-2015-1829  CVE-2014-8730  CVE-2015-0228
  CVE-2015-4947  CVE-2015-1283  CVE-2015-7420  CVE-2016-0201

0 Read More →

이 블로그 검색

Popular Posts

WEB&&WAS

OS

Reviews