Blog Archives

Tomcat https and automatic redirect

Here is an example Tomcat configuration that enables SSL/TLS and an automatic redirect from TCP port 80 (HTTP) to TCP port 443 (HTTPS).

This may sound obvious, but for the automatic redirect to work the connector for port 80 must be defined alongside the port 443 connector in the same Service in the server.xml configuration file: Tomcat redirects to the port named in the HTTP connector's redirectPort attribute (443 by default), and that port has to be served by the HTTPS connector.

Next create an ssl directory inside the Tomcat directory. If you use a different path, make sure Tomcat can read these files (and that nobody else can read the private key). I usually keep all application-server related files inside the Catalina home.

cd /opt/tomcat   #or any other path you used
mkdir ./ssl

Now create the private key and a CSR for the certificate with openssl. My advice is to run the following command inside the ssl directory you just created. The key type and size are given as rsa:4096, and -nodes leaves the private key unencrypted so that Tomcat can start without a passphrase prompt.

cd /opt/tomcat/ssl #or any other directory you used.
#alter the names to match your requirements
openssl req -newkey rsa:4096 -nodes -keyout dev.amis.nl.key -out dev.amis.nl.csr

This command writes dev.amis.nl.key (the private key; keep it readable by the Tomcat user only) and, after you have answered the questions, dev.amis.nl.csr. In the configuration below I have also added a date to the file names for future reference. Use the CSR (certificate signing request) either to obtain a certificate from a CA or to generate a self-signed certificate for testing. Make sure the resulting files end up in the ${catalina.base}/ssl directory.

#alter the names to match your own requirements; best practice is to use self-descriptive file names.
dev.amis.nl.ddmmyyyy.cer
dev.amis.nl.ddmmyyyy.key
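The key, CSR and certificate steps above as one script, added here as an example and not taken from the original post. It assumes openssl is installed and that the files live in /opt/tomcat/ssl under the name dev.amis.nl (both overridable through SSL_DIR and NAME); the self-signed certificate is for testing only, a CA-issued one replaces it in production. Beyond the post's commands it also locks down the key file and checks that the key and certificate actually belong together, which is the first thing to verify when the 443 connector refuses to start.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: generate the private key and
# CSR, make a self-signed certificate for test use, lock down the key file and
# verify that key and certificate belong together before pointing server.xml at
# them. SSL_DIR and NAME are assumptions taken from the post; override via env.
set -euo pipefail

SSL_DIR="${SSL_DIR:-/opt/tomcat/ssl}"   # ${catalina.base}/ssl in the post
NAME="${NAME:-dev.amis.nl}"              # host name used for CN and file names
DAYS="${DAYS:-365}"
BITS="${BITS:-4096}"

# Private key plus CSR. -nodes leaves the key unencrypted so Tomcat can start
# unattended, which is exactly why the file mode must keep everyone else out.
make_key_and_csr() {
    mkdir -p "$SSL_DIR"
    openssl req -new -newkey "rsa:$BITS" -nodes -sha256 -subj "/CN=$NAME" \
        -keyout "$SSL_DIR/$NAME.key" -out "$SSL_DIR/$NAME.csr" 2>/dev/null
    chmod 600 "$SSL_DIR/$NAME.key"
}

# Self-signed certificate from the CSR: fine for dev, not for production,
# where the CSR goes to a CA and the issued certificate replaces this file.
self_sign() {
    openssl x509 -req -days "$DAYS" -sha256 -in "$SSL_DIR/$NAME.csr" \
        -signkey "$SSL_DIR/$NAME.key" -out "$SSL_DIR/$NAME.cer" 2>/dev/null
}

# Prints "match" when the public key inside the certificate is the one derived
# from the private key; anything else means the two files do not belong together.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$SSL_DIR/$NAME.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$SSL_DIR/$NAME.cer" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# True when the private key is readable by its owner only (mode 0600).
key_is_private() {
    [ -n "$(find "$SSL_DIR/$NAME.key" -perm 600 -print)" ]
}

# Once Tomcat is running: a plain-HTTP request must answer 302 with an https
# Location (needs network access, so it is not part of the offline checks).
check_redirect() {
    curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' "http://$1/"
}

if [ "${1:-}" = run ]; then
    make_key_and_csr && self_sign && key_matches_cert && key_is_private && echo "key mode ok"
fi
```

Run it as `./mkcert.sh run` on the Tomcat host, then, after the connectors below are in place and Tomcat is up, `check_redirect dev.amis.nl` should print `302 https://dev.amis.nl/`.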

Once the private key and certificate are in place, create the connectors in server.xml that Catalina (Tomcat) needs to handle the requests remote users will make on ports 80 (HTTP) and 443 (HTTPS). By default Catalina listens on port 8080; you can safely delete that default entry and replace it with the config below. Note that on Unix-like systems ports below 1024 are privileged: rather than running the JVM as root, bind them through jsvc, authbind or a capability, or put a reverse proxy in front of Tomcat.

Make sure that the <Connector> entries are added between the <Service name="Catalina"> XML tags.

Open the server.xml file and create the following connectors. Tweak the settings to match your own requirements.


<!-- Connector for TCP port 80 (plain HTTP).
     redirectPort is where requests that hit a CONFIDENTIAL security
     constraint are sent; it defaults to 443 but is set explicitly here. -->
<Connector port="80"
           redirectPort="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           useBodyEncodingForURI="true"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml"/>

<!-- Connector for TCP port 443 (HTTPS).
     In Tomcat 6/7 the SSLCertificateFile/SSLCertificateKeyFile attributes
     are honoured by the APR/native (OpenSSL) connector only; the pure-Java
     JSSE connector expects keystoreFile/keystorePass instead. -->
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           compression="on"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/ssl/dev.amis.nl.16032011.cer"
           SSLCertificateKeyFile="${catalina.base}/ssl/dev.amis.nl.16032011.key"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>

In some cases you want Tomcat to redirect every incoming request on TCP port 80 (HTTP) to TCP port 443 (HTTPS). This can be enforced by adding the following to the global web.xml in the ${catalina.base}/conf/ directory, where it applies to every deployed application. Tomcat answers a matching plain-HTTP request with a 302 to the same path on the HTTP connector's redirectPort. Two caveats: the redirect only kicks in after the browser has already sent its first request in the clear, so any cookie sent on port 80 has leaked and session cookies should carry the secure flag as well; and response compression over TLS (compression="on" on the 443 connector) is what the BREACH attack exploits, so keep it off for pages that carry secrets such as CSRF tokens.

Make sure you add this entry just before the closing </web-app> tag.

  <!-- Automatically redirect all requests to https -->
  <security-constraint>
        <web-resource-collection>
                <web-resource-name>Automatic SSL Forward</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>
  </security-constraint>

If you also want to redirect someone from the /* (ROOT) location to an application deployed under a Tomcat sub-path, add the following at the top of the default index.jsp in the ${catalina.base}/webapps/ROOT directory. It must come before any content is sent to the browser; otherwise sendRedirect throws an IllegalStateException because the response has already been committed. The cleanest way is to remove everything except the entry below.

<%
    String redirectURL = "/appname";
    response.sendRedirect(redirectURL);
%>

Hope this helped, any comments clarifications please post them below 🙂 🙂

peimg.exe missing? Here is how to fix it :)

Facts.

peimg is no longer used in the WAIK for Windows 7. Instead you need to use the dism command. Because the help is hidden pretty well, here is the help you are probably looking for 🙂

To get all the options dism offers for an “offline” (mounted) WIM image, run the following.


# Mount the image as usual (use the WAIK command prompt from the Start menu);
# the third argument is the image index*, 1 in this example

imagex /mountrw C:\path\to\image.wim 1 C:\path\to\mount-dir

*A WIM file can contain several images. For boot.wim these are 1 = Microsoft Windows PE and 2 = Microsoft Windows Setup, so pass 1 or 2 to select the image you need. When you are done, unmount with the commit option, otherwise the changes you made to the image are discarded.

#To get all the dism options, type the following:
dism /image:C:\path\to\mount-dir /?

Keep in mind that sub-options have their own help pages. For example, adding additional drivers has its own help text, accessible by calling:

dism /image:c:\path\to\mounted\image /add-driver /?

All the base options provided by dism

Image Version: 6.1.7600.16385

The following commands may be used to service the image:

UNATTEND SERVICING COMMANDS:
/Apply-Unattend - Applies an unattend file to an image.

DRIVER SERVICING COMMANDS:
/Remove-Driver - Removes driver packages from an offline image.
/Add-Driver - Adds driver packages to an offline image.
/Get-DriverInfo - Displays information about a specific driver
in an offline image or a running operating system.
/Get-Drivers - Displays information about all drivers in
an offline image or a running operating system.

WINDOWS PE COMMANDS:
/Apply-Profiles - Applies profiles to the Windows PE image.
/Disable-Profiling - Disables profiling.
/Enable-Profiling - Enables profiling.
/Get-PESettings - Displays Windows PE image information.
/Get-Profiling - Gets the enabled/disabled state of the Windows PE
profiler.
/Get-ScratchSpace - Gets the configured amount of Windows PE system
volume scratch space.
/Get-TargetPath - Gets the target path of the Windows PE image.
/Set-ScratchSpace - Sets the scratch space of the Windows PE image.
/Set-TargetPath - Sets the target path of the Windows PE image.

INTERNATIONAL SERVICING COMMANDS:
/Set-LayeredDriver - Sets keyboard layered driver.
/Set-UILang - Sets the default system UI language that is used
in the mounted offline image.
/Set-UILangFallback - Sets the fallback default language for the system
UI in the mounted offline image.
/Set-UserLocale - Sets the user locale in the mounted offline image.
/Set-SysLocale - Sets the language for non-Unicode programs (also
called system locale) and font settings in the
mounted offline image.
/Set-InputLocale - Sets the input locales and keyboard layouts to
use in the mounted offline image.
/Set-TimeZone - Sets the default time zone in the mounted offline
image.
/Set-AllIntl - Sets all international settings in the mounted
offline image.
/Set-SKUIntlDefaults - Sets all international settings to the default
values for the specified SKU language in the
mounted offline image.
/Gen-LangIni - Generates a new lang.ini file.
/Set-SetupUILang - Defines the default language that will be used
by setup.
/Get-Intl - Displays information about the international
settings and languages.

PACKAGE SERVICING COMMANDS:
/Add-Package - Adds packages to the image.
/Remove-Package - Removes packages from the image.
/Enable-Feature - Enables a specific feature in the image.
/Disable-Feature - Disables a specific feature in the image.
/Get-Packages - Displays information about all packages in
the image.
/Get-PackageInfo - Displays information about a specific package.
/Get-Features - Displays information about all features in
a package.
/Get-FeatureInfo - Displays information about a specific feature.
/Cleanup-Image - Performs cleanup and recovery operations on the
image.

For more information about these servicing commands and their arguments,
specify a command immediately before /?.

Examples:
DISM.exe /Image:C:\test\offline /Apply-Unattend /?
DISM.exe /Image:C:\test\offline /Get-Features /?
DISM.exe /Online /Get-Drivers /?

Recovering from the McAfee DAT 5958 update.

Yesterday McAfee released a new DAT update that makes the scanner identify svchost.exe as an infected file. McAfee then tries to quarantine this file, which results in Windows rebooting with the shutdown message some of us will remember from the Sasser worm chaos.

The result is that the machine can no longer be used. svchost.exe is the generic host process for services that run from DLLs, and it is essential to Windows. If you would like an idea of the impact on your system, this article might be all you need 🙂
http://support.microsoft.com/kb/314056

Now how to recover?
First, I would advise following any manual McAfee publishes that describes how to recover using the McAfee scanner console. In cases where the quarantined copy has been deleted (some of our machines), follow the instructions below...

If you are unable to restore svchost.exe from the quarantine, these steps will recover your system.

0. Get the corrected SuperDAT from McAfee and put it on a USB stick, CD or other local media; no network locations, as they are not reachable from Safe Mode.
1. Boot from the Windows CD and select the Recovery Console.
2. Select the correct Windows installation and log on as the local administrator.
3. Go to C:\windows\system32 using the command: cd \windows\system32\
4. Switch to the CD-ROM drive using its drive letter, usually D:, by typing D:
5. Go to the i386 directory on the CD using: cd \i386\
6. Expand the original svchost.ex_ onto your Windows drive using the command:
expand svchost.ex_ C:\windows\system32\svchost.exe
(C: is the drive from step 3; this may differ, in which case change the drive letter to your system's.)
The copy on the installation CD is the RTM version; if a service pack is installed and %windir%\ServicePackFiles\i386 exists, prefer the svchost.ex_ from there so the file version matches the rest of the system.
7. Boot the system in Safe Mode; select it by pressing F8 repeatedly during boot.
8. While in Safe Mode, run the SuperDAT you acquired in step 0.
9. After the update, reboot your system normally.

This is a pretty long road, but it fixes the problem when the quarantined copy is gone.

Thanks to Benjamin van Ditmars for suggesting the expand option. Before this suggestion we used a “good” copy of svchost.exe from another machine; the expand option is safer 🙂

Adding Static Routes.

SUSE

#Replace eth0 in ifroute-eth0 with the actual interface in your box.
vim /etc/sysconfig/network/ifroute-eth0

#Add a rule with this structure (a host route here, hence the /32 netmask):
#[Dest IP Addr] [GW IP Addr] [Subnet Mask] [Device]
10.0.0.2 100.0.0.1 255.255.255.255 eth0

#Save the file; the route is applied the next time the interface is brought up.

RHEL/ OEL

#Replace eth0 in route-eth0 with the actual interface in your box.
vim /etc/sysconfig/network-scripts/route-eth0

#Add the route information like so;
ADDRESS0=10.0.0.2
NETMASK0=255.255.255.255
GATEWAY0=100.0.0.1

ADDRESS1=ip.ip.ip.ip
NETMASK1=msk.msk.msk.msk
GATEWAY1=gw.gw.gw.gw

#Save the file; the numbering must be consecutive, and the routes are applied by ifup-routes when the interface comes up.

WINDOWS

route -p add 10.0.0.2 mask 255.255.255.255 100.0.0.1 metric 1

# Persistent routes (-p) are stored in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
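The SUSE and RHEL/OEL formats above express the same routes in different layouts, and a typo in either file (a mis-spelled GATEWAY key, a non-contiguous netmask, an octet out of range) is silently ignored or misread at ifup time. The following script is an added example, not part of the original post: it keeps the routes in one list, validates every field, and renders both file formats from it. The function names and the second sample route are my own; the first route is the one from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: keep the static routes in one
# list, validate every field, and render that list into both the RHEL/OEL
# route-<if> format and the SUSE ifroute-<if> format. Function names and the
# second sample route are my own; the first route comes from the post.
set -euo pipefail

# Constructed sample, one route per line: destination netmask gateway interface
ROUTES='10.0.0.2 255.255.255.255 100.0.0.1 eth0
192.168.50.0 255.255.255.0 100.0.0.1 eth0'

# True if $1 is a dotted quad; octets must be 0-255 without leading zeros
# (some tools read a leading zero as octal, which silently changes the route).
is_ipv4() {
    local IFS=. o re='^([0-9]|[1-9][0-9]{1,2})$'
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        [[ $o =~ $re ]] && [ "$o" -le 255 ] || return 1
    done
}

ip_to_int() {
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True if $1 is a valid netmask: the inverted mask must be a block of trailing
# ones, i.e. x & (x+1) == 0, so 255.0.255.0 is rejected.
is_netmask() {
    is_ipv4 "$1" || return 1
    local x=$(( ~$(ip_to_int "$1") & 0xFFFFFFFF ))
    [ $(( x & (x + 1) )) -eq 0 ]
}

validate() {  # $1=destination $2=netmask $3=gateway
    is_ipv4 "$1" && is_netmask "$2" && is_ipv4 "$3" ||
        { echo "invalid route: $1 $2 $3" >&2; return 1; }
}

# RHEL/OEL /etc/sysconfig/network-scripts/route-<if>: numbered triplets.
render_rhel() {
    local n=0 dst mask gw dev
    while read -r dst mask gw dev; do
        [ -n "$dst" ] || continue
        validate "$dst" "$mask" "$gw"
        printf 'ADDRESS%d=%s\nNETMASK%d=%s\nGATEWAY%d=%s\n' \
            "$n" "$dst" "$n" "$mask" "$n" "$gw"
        n=$((n + 1))
    done <<< "$ROUTES"
}

# SUSE /etc/sysconfig/network/ifroute-<if>: destination gateway netmask interface.
render_suse() {
    local dst mask gw dev
    while read -r dst mask gw dev; do
        [ -n "$dst" ] || continue
        validate "$dst" "$mask" "$gw"
        printf '%s %s %s %s\n' "$dst" "$gw" "$mask" "$dev"
    done <<< "$ROUTES"
}

# Usage: render_rhel > /etc/sysconfig/network-scripts/route-eth0 (or render_suse
# > /etc/sysconfig/network/ifroute-eth0), bring the interface up again, and
# confirm the kernel agrees with the file:  ip route get 10.0.0.2
```

The netmask check is the one worth keeping even if you hand-edit the files: `route` and `ip` accept a non-contiguous mask on the command line, but the resulting entry does not match what you intended.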


Howto: Linux X-Server on Windows.

What's this?
Okay, here is a small but hopefully “strong” little tutorial on how to display Linux X components on your Windows desktop. This might help you administer Linux machines more easily without needing to install a VNC daemon, or to have X enabled or even installed on the remote Linux box.


Adding perfmon counters using nrpe and centreon

In this little tutorial, a detailed description of how to successfully monitor and add various Windows counters using the check_nrpe command and the NSClient++ agent for Windows, through the Centreon configuration and monitoring GUI for Nagios. Yup, it's all open source and free to use...

wait in Bash..

This is an alternative for sleep n when the sleep binary is not available. Two caveats: the function was originally named wait, which shadows the bash builtin of the same name (the one used to reap background jobs), so it is renamed here; and read -t only waits when stdin is a terminal with nobody typing. With stdin redirected from a file, closed, or at EOF (as under cron), read returns immediately and there is no pause at all.

# Pause about one second without the sleep binary. Not named "wait": that would
# shadow the bash builtin. read returns after 1 s (-t1) or earlier on a key (-n1).
wait1() {
    read -r -s -n1 -t1 _ || :
}

If you have sleep available, use sleep rather than this method, e.g.

N=1
while :
do
    echo "$N"
    sleep 1
    N=$((N + 1))
done
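A delay that does not have the two weaknesses described above, added here as an example and not part of the original post. It needs no terminal because it reads from a FIFO that has been opened read-write, so read never sees EOF and always waits for the full timeout; alongside it, the post's terminal-dependent variant is made measurable so the difference shows up in numbers. The function names (pause_for, seconds_taken, tty_style_pause, shadows_builtin) are my own; it assumes bash (decimal timeouts need bash 4 or later) and mkfifo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a delay that works without the
# sleep binary, without a terminal on stdin and without shadowing the builtin
# "wait". It opens a FIFO read-write on fd 3, so `read -t` never sees EOF and
# always waits for the full timeout. Function names are my own.

# Sleep for $1 seconds (integer, or decimal on bash 4+) using builtins plus mkfifo.
pause_for() {
    local secs="$1" fifo="${TMPDIR:-/tmp}/pause_for.$$.$RANDOM"
    mkfifo -m 600 "$fifo" || return 1
    exec 3<>"$fifo"                   # read-write open: no writer needed, no EOF
    rm -f "$fifo"                     # the open fd keeps it alive; nothing else can find it
    read -r -t "$secs" -u 3 _ || :    # status >128 on timeout is the normal path
    exec 3<&-
}

# Whole seconds elapsed while running the given command (1 s granularity).
seconds_taken() {
    local start
    start=$(date +%s)
    "$@"
    echo $(( $(date +%s) - start ))
}

# The post's approach, written so it can be measured: read from a non-terminal.
# With stdin at EOF, read returns at once, so this "pause" is no pause at all.
tty_style_pause() {
    read -r -s -n1 -t "$1" _ </dev/null || :
}

# True if defining a function called $1 would shadow a bash builtin (e.g. "wait").
shadows_builtin() {
    [ "$(type -t "$1" 2>/dev/null)" = builtin ]
}

# Stand-alone demo when run as a script.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "pause_for 1 took $(seconds_taken pause_for 1) s"
    echo "tty_style_pause 5 with stdin at EOF took $(seconds_taken tty_style_pause 5) s"
    shadows_builtin wait && echo "'wait' is a builtin; do not redefine it"
fi
```

Use `pause_for 2` wherever you would write `sleep 2`; it costs one mkfifo and otherwise only builtins, and it behaves the same from a terminal, from cron, and with stdin closed.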