Friday, 23 September 2016

Two ways to run an HTTP server as a non-root user

When you install and configure an HTTP server on Linux and need to run it as a non-root user,
you cannot bind the service to port 80 or 443, because a non-root user cannot bind to ports lower than 1024.

In this case, if iptables is active on your server, you can redirect HTTP/HTTPS traffic to other ports; in my case I chose ports 1080 and 1443.

You can configure NAT rules to redirect it, like this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 1443

If you need to use localhost, you must add the following rules:

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 1080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 1443


To check your configuration:

iptables -t nat --line-numbers -n -L

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source     destination
1    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:80 redir ports 1080
2    REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0          tcp dpt:443 redir ports 1443
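
A way to confirm that each redirect points at the port the server actually listens on, as an added example that is not part of the original post. It parses rule lines in the format printed by `iptables -t nat -S`; the function name check_redirects and the sample rules (with a deliberately mistyped target port) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare NAT REDIRECT rules with the expected port mapping.
# Input is text in the format printed by `iptables -t nat -S`.

# Constructed sample: the 443 rule carries a mistyped target (1043, not 1443).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1043'

# check_redirects "<rules>" "<dport>:<toport> ..."
# Prints OK, MISMATCH or MISSING for every expected pair.
# Returns 0 only when every expected pair is present exactly.
check_redirects() {
    rules=$1; expected=$2; rc=0
    for pair in $expected; do
        dport=${pair%%:*}; want=${pair##*:}
        # Find the first PREROUTING REDIRECT rule for this destination port.
        got=$(printf '%s\n' "$rules" | awk -v d="$dport" '
            $1 == "-A" && $2 == "PREROUTING" {
                dp = ""; tp = ""; redirect = 0
                for (i = 3; i <= NF; i++) {
                    if ($i == "--dport") dp = $(i + 1)
                    if ($i == "--to-ports") tp = $(i + 1)
                    if ($i == "-j" && $(i + 1) == "REDIRECT") redirect = 1
                }
                if (redirect && dp == d) { print tp; exit }
            }')
        if [ -z "$got" ]; then
            echo "MISSING  $dport -> $want"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $dport -> $got (expected $want)"; rc=1
        else
            echo "OK       $dport -> $want"
        fi
    done
    return $rc
}

# On a live host (as root):
#   check_redirects "$(iptables -t nat -S PREROUTING)" "80:1080 443:1443"
check_redirects "$SAMPLE_RULES" "80:1080 443:1443" || echo "redirect rules need fixing"
```
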


Alternatively, if you do not have iptables, you can give your user sudo rights (an entry in sudoers) on your Linux machine.

1. 'Touch' the log files:
   touch /opt/IBM/HTTPServer/logs/access_log
   touch /opt/IBM/HTTPServer/logs/error_log
2. Make the following changes in httpd.conf (ensure the user 'wasrun' and the group 'wasrunners' have already been created):
         User wasrun
         Group wasrunners

3. Change ownership of IHS files:
   chown -R wasadmin:wasadmin /opt/IBM/HTTPServer

4. Edit sudoers file (visudo), add the following line:

%wasrunners ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *

This means any user in the 'wasrunners' group (the '%' prefix denotes a group) can control (start/stop) the IHS instance as root without needing to enter a password. If you only want to allow the user 'wasadmin' to do this, use 'wasadmin' without the '%' prefix, which denotes a user.
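
The trailing '*' in that rule lets members of the group pass any arguments to apachectl as root, not only start and stop. The following added example (not from the original post) flags such open-ended entries; the function name audit_sudoers and the sample text are constructed, and the tightened rule in the sample lists apachectl subcommands explicitly.

```shell
#!/bin/sh
# Added example: flag sudoers command specs whose argument list is a bare "*".

# Constructed sample: the rule from the steps above, then a tightened form.
# When arguments are written out, sudo accepts only exactly those arguments.
SAMPLE_SUDOERS='# IHS control
%wasrunners ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *
%wasrunners ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl start, \
    /opt/IBM/HTTPServer/bin/apachectl stop, \
    /opt/IBM/HTTPServer/bin/apachectl restart'

# audit_sudoers "<sudoers text>"
# Prints each command spec that ends in an open-ended "*" argument.
# Returns 1 if any were found, 0 otherwise.
audit_sudoers() {
    found=$(printf '%s\n' "$1" | awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }                  # skip comments, blanks
        index(line, "=") == 0 { next }                  # not a rule or alias
        {
            spec = substr(line, index(line, "=") + 1)
            sub(/^[ \t]*\([^)]*\)/, "", spec)           # drop the (runas) part
            gsub(/[A-Z_]+:/, "", spec)                  # drop tags (NOPASSWD:)
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c ~ /[ \t]\*$/) print c
            }
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# On a live host (as root): audit_sudoers "$(cat /etc/sudoers)"
audit_sudoers "$SAMPLE_SUDOERS" || echo "open-ended sudo rule(s) listed above"
```

Since sudo runs apachectl as root, the script and the directories above it should be writable only by root.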



Friday, 16 September 2016

Dockerize it

Using a Docker environment, you can deploy and ship your application in a very short time.

Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

You can:

  • ACCELERATE DEVELOPERS
    Stop wasting hours setting up developer environments, spinning up new instances, and making copies of production code to run locally. With Docker, you simply take copies of your live environment and run them on any new endpoint running a Docker engine.
  • DISTRIBUTE & SHARE CONTENT 
    Store, distribute, and manage Docker images in Docker Hub with your team. Image updates, changes, and history are automatically shared across your organization.
  • QUICKLY SCALE
    Docker containers spin up and down in seconds, making it easy to scale application services to satisfy peak customer demand, and then reduce running containers when demand ebbs.

And what is IBM doing?

IBM announces zSystem for Docker

IBM and Docker offer integrated container solutions that can meet the diverse needs of enterprises.

Supporting the creation and deployment of multi-platform, multi-container workloads across hybrid infrastructures,
IBM and Docker accelerate application delivery and enable application lifecycle management for Dockerized containers.




IBM announces Docker on IBM PureApplication System
 The good news is that Docker is now supported on IBM PureApplication v2.1! You can now use Docker containers in the virtual system patterns that you create and you can reference Docker images that are stored on Docker Hub or in a private Docker registry that runs inside PureApplication. Taking advantage of the Docker containers on PureApplication is as easy as building patterns.






If you need more information, follow me on SlideShare.

Tuesday, 26 April 2016

You never stop learning :-)

Today I discovered how to reset a user's password in the file Registry.xml. It takes a few simple steps, and if you have forgotten the password for your user you can get going again.

Open wsadmin in offline mode from the profile:

./wsadmin -conntype NONE -lang jython

Then run the Jython commands:

AdminTask.changeFileRegistryAccountPassword('-userId wpsadmin -password newpassword')
AdminConfig.save()

Restart your JVM and you're done :-)

 
 

Wednesday, 22 July 2015

Security Bulletin: Fix Available for Denial of Service Vulnerability in IBM WebSphere Portal (CVE-2015-1943)

IBM WebSphere Portal is vulnerable to a denial of service. By sending a malicious request, a remote attacker could exploit this vulnerability to consume all CPU or memory resources and cause a denial of service.

more info....

Sunday, 21 June 2015

Attention when installing IBM Security Directory Server 6.3.x on Red Hat

/media/ibm_im_64bit/tools/imcl -input installITDS63.rsp -acceptLicense

ERROR: Error during "install" phase:

  ERROR:   GLPINS005E The IBM Security Directory Server licenses cannot be installed.


with:

<message>Cannot run program "/opt/ibm/ldap/V6.3.1/tmp/license/idsLicense": java.io.IOException: error=2, No such file or directory</message>

in the IIM log (/var/ibm/InstallationManager/logs/20141018_1816.xml).

Read the Technote


...
Cause

The shebang line of the idsLicense script requires ksh
...

Install the missing ksh RPM

yum install ksh

Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ksh.x86_64 0:20120801-10.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================
 Package               Arch                     Version                            Repository                Size
==================================================================================================================
Installing:
 ksh                   x86_64                   20120801-10.el6                    server                   756 k

Transaction Summary
==================================================================================================================
Install       1 Package(s)

Total download size: 756 k
Installed size: 1.7 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ksh-20120801-10.el6.x86_64                                                                     1/1
  Verifying  : ksh-20120801-10.el6.x86_64                                                                     1/1

Installed:
  ksh.x86_64 0:20120801-10.el6                                                                                  

Complete!