AWS VPC Drops Cisco ASA VPN link

We have a VPN link into AWS. We had not really used it in anger, but we are now trialling a cool bit of replication technology.

This involves replicating the full server into the cloud, see www.cloudendure.com

Well, everything works in terms of the software, but my link kept dropping. Well, this is not strictly true: the link was up but no data would traverse it!

 

After speaking to AWS support they pointed me... well, they did not really point me in any direction :).

 

So to Google I went. There was nothing really about AWS and the ASA configuration or the issues you may have, only how to debug and get it working: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html

 

Nothing on why it suddenly stops. I then stumbled upon this post:

https://supportforums.cisco.com/discussion/10811986/asa-site-site-vpn-stops-when-traffic-volume-rekey-reached

which then pointed me in the direction of the SA lifetime configuration. After then finding https://community.spiceworks.com/topic/764490-what-is-security-association-lifetime-cisco-site-to-site-vpn I concluded that there is a bug in the IOS: because of the amount of data traversing the link, the lifetime limit was being reached and the SA was not renewing.

 

You therefore need to configure the time-based lifetime so that it expires before the data-volume limit is reached.

 

For me this was 10 minutes, with the data limit set to 2147483647 kilobytes. I found that setting this to 3 minutes just interrupted the whole transfer, so I settled for 10.

So the lines in my config were

crypto map amzn-vpn-map 1 set security-association lifetime seconds 600
crypto map amzn-vpn-map 1 set security-association lifetime kilobytes 2147483647
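
As an added check (mine, not part of the original post): with the kilobytes lifetime set to 2147483647 the volume-based rekey is effectively never reached, so the seconds lifetime is the only thing that will trigger a rekey, and it is worth confirming that every crypto map entry actually sets it. The script below audits a running-config excerpt for exactly that; the excerpt, map names and peer addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SA lifetimes of every
# numbered crypto map entry in an ASA running-config.
# Entries with no explicit "seconds" lifetime (so the ASA default applies) or
# with a seconds lifetime above the threshold are flagged REVIEW.

# Constructed running-config excerpt; map names and peers are made up.
ASA_CONFIG='crypto map amzn-vpn-map 1 match address acl-amzn
crypto map amzn-vpn-map 1 set peer 203.0.113.10
crypto map amzn-vpn-map 1 set security-association lifetime seconds 600
crypto map amzn-vpn-map 1 set security-association lifetime kilobytes 2147483647
crypto map amzn-vpn-map 2 match address acl-amzn2
crypto map amzn-vpn-map 2 set peer 203.0.113.11
crypto map amzn-vpn-map 2 set security-association lifetime seconds 3600
crypto map other-map 10 match address acl-branch
crypto map other-map 10 set peer 198.51.100.5
crypto map other-map interface outside'

# sa_lifetime_audit MAX_SECONDS   (reads the running-config on stdin)
# Prints one line per entry:
#   <map> <seq> seconds=<n|default> kilobytes=<n|default> <ok|REVIEW>
sa_lifetime_audit() {
  awk -v max="${1:-600}" '
    # only numbered entries: "crypto map <name> <seq> ..."
    $1 == "crypto" && $2 == "map" && $4 ~ /^[0-9]+$/ {
      key = $3 " " $4
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
      if ($5 == "set" && $6 == "security-association" && $7 == "lifetime") {
        if ($8 == "seconds")   secs[key] = $9
        if ($8 == "kilobytes") kb[key]   = $9
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        s = (k in secs) ? secs[k] : "default"
        b = (k in kb)   ? kb[k]   : "default"
        flag = (s == "default" || s + 0 > max) ? "REVIEW" : "ok"
        printf "%s seconds=%s kilobytes=%s %s\n", k, s, b, flag
      }
    }'
}

# audit_sample_config [MAX_SECONDS]: run the audit over the constructed excerpt.
# On a real box feed it "show running-config crypto map" output instead.
audit_sample_config() {
  printf '%s\n' "$ASA_CONFIG" | sa_lifetime_audit "${1:-600}"
}

audit_sample_config 600
```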

 

 


Installing Community Edition Infobright Server

We are creating our Pentaho environment in the Amazon cloud, and we utilise the Infobright ICE column database for the analyser tool. This allows the software to work extremely fast. The information provided to get this server working is somewhat limited, and the following is an amalgamation of much research around many of the areas, and also snippets from the INSTALL and README files that are supplied.

The following instructions were written as I installed and fixed the issues. It should not contain errors as I tried to record everything as I did it. There are always issues with this and I am sure that I have missed some small detail out. Just drop me a line if you spot an error or know of a better way to achieve something.

The creation of the server will require a mounted disk to store the database information. Due to the nature of Amazon this will be a little bit of an experiment. We will create a server with a large EBS volume and a standard server with a large EBS volume attached. We will then benchmark the performance!!!! Good luck and let's get started.

Please note: unless the instructions say to use the Yum package manager, please compile from source. I have had many instances where the package manager has installed the wrong version and software installs just do not work.

There is an assumption that you know your way around AWS; the notes that relate to the configuration are where it may be obscure. Your Amazon skills must cover EC2 instance creation (including security groups), volume creation and Route 53. Route 53 is not so important but will make your life a whole lot easier in many circumstances.

This will be the server with the volume mounted. Create an Amazon micro instance to start with; we will make this a large instance when we are finished. Choose a 64-bit version as we may need RAM if the data gets large. DO NOT create the 100GB volume when creating the server; I did this and I could not get the disk to format or mount.

Create the 100GB volume and attach it to the newly created server. Launch the server.

fdisk -l

You should get an output some thing like this

Disk /dev/xvda1: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/xvda1 doesn't contain a valid partition table

Disk /dev/xvdf: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/xvdf doesn't contain a valid partition table

You are looking for the 100GB disk; in this case it is /dev/xvdf

mkdir -p /u10
mkfs -t ext4 /dev/xvdf
vi /etc/fstab

Add this line to the bottom of the file

/dev/xvdf   /u10       ext4    defaults              0 0

The assumption here is that you will mount the disk under /u10. To mount the disk

mount -a

To see the size of the disks and the mount state etc..

df

You should get an output something like this

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/xvda1             8361916   1077896   7200160  14% /
tmpfs                   304800         0    304800   0% /dev/shm
/dev/xvdf            104693300   1673096  97777324   2% /u10

Now for the installation of Infobright. You need some prerequisites:

yum install -y gcc libtool zlib-devel perl bison zlib make gcc-c++

Create the user and group that will run Infobright

groupadd mysql
useradd -g mysql mysql

Most of the rest is taken from the README file that you get when you unpack Infobright. If you follow this guide you will not go wrong, though. Boost is required for the installation of Infobright.

mkdir -p /opt/software/
cd  /opt/software/

Download the 1.42.0 version. I tried 1.50.0 and there was an error relating to boost_thread when compiling Infobright:

configure: error: Could not link against boost_thread !

wget http://sourceforge.net/projects/boost/files/boost/1.42.0/boost_1_42_0.tar.gz/download
tar -xvzf boost_1_42_0.tar.gz
cd boost*

Review the Boost web site for the explanation of the paths etc., but if you use the paths below you will not go wrong. PLEASE NOTE the two dashes (--) in front of prefix.

./bootstrap.sh --prefix=/usr/local/boost_1_42_0
./bjam install
export BOOST_ROOT=/usr/local/boost_1_42_0

To avoid the following error when compiling Infobright:

checking for termcap functions library... configure: error: No curses/termcap library found

cd /opt/software
wget ftp://ftp.gnu.org/gnu/termcap/termcap-1.3.1.tar.gz
tar -xvzf  termcap-1.3.1.tar.gz
cd termcap*
./configure
make
make install

Now to install lsb_release, which is needed when installing the last parts of Infobright

wget http://sourceforge.net/projects/lsb/files/lsb_release/1.4/lsb-release-1.4.tar.gz/download
tar -xvzf lsb-release-1.4.tar.gz
cd lsb-release*
make
make install
cd /opt/software/

We would normally get the tar and install it via the instructions below. This, though, does not work and will error. Skip this chunk and scroll down a few lines to "Start the install here".

wget https://www.infobright.org/downloads/ice/infobright-4.0.7-0-linux-i686-ice.tar.gz

tar -xvzf infobright-4.0.7-0-*.tar.gz
cp -r infobright-4.0.7-i686 /usr/local

ln -s /usr/local/infobright-4.0.7-i686 /usr/local/infobright
cd /usr/local/infobright
./install-infobright.sh --datadir=/u10/infobright/data \
--cachedir=/u10/infobright/cache --config=/etc/my-ib.cnf --port=5029 \
--socket=/u10/infobright/mysql-ib.sock \
--user=mysql --group=mysql

This will error. The error received was:

install-infobright.sh: line 234: lsb_release: command not found
Installing default databases...
Installing MySQL system tables...
130903 12:56:24 [ERROR] Fatal error: Can't change to run as user 'mysql' ; Please check that the user exists!
130903 12:56:24 [ERROR] Aborting
130903 12:56:24 [Note] /usr/local/infobright/bin/mysqld: Shutdown complete

Start the install here

wget https://www.infobright.org/downloads/ice/infobright-4.0.7-0-x86_64-ice.rpm

rpm -i infobright-4.0.7-0-x86_64-ice.rpm

wget ftp://rpmfind.net/linux/sourceforge/f/fu/fuduntu/sources/redhat-lsb-4.0-7.fu2012.src.rpm

rpm -Uvh redhat-lsb-4.0-7.fu2012.src.rpm

We now need to download the source and compile this

cd /opt/software
wget http://www.infobright.org/downloads/ice/infobright-4.0.7-0-src-ice.tar.gz

tar -xzvf infobright-4.0.7-0-src-ice.tar.gz

cd /opt/software/infobright*

make EDITION=community release 

make EDITION=community install-release 
cp src/build/pkgmt/my-ib.cnf /etc/
cd /usr/local/infobright

When you start Infobright you may encounter this error

error while loading shared libraries: libboost_filesystem.so.1.42.0: cannot open shared object file: No such file or directory

To fix this:

find /. -name libboost_filesystem.so.1.42.0

This will give you a location; on my server it was

/usr/local/boost_1_42_0/lib

Make sure there is no reference to /usr/local/boost_1_42_0/lib in your PATH statement:

echo $PATH

Create a file called boost.conf and add the path found above

vi /etc/ld.so.conf.d/boost.conf

/usr/local/boost_1_42_0/lib

Write the file and then

ldconfig

To make sure it has worked

ldconfig -p | grep libboost_filesystem.so

When starting a service, mysqld-ib needs to access the lsb init-functions. I am installing on a 64-bit Amazon (Red Hat based) image, so

wget ftp://rpmfind.net/linux/sourceforge/f/fu/fuduntu/yum/2012/STABLE/RPMS/redhat-lsb-4.0-5.fu14.x86_64.rpm

To find your version if rpm based, search http://rpmfind.net/linux/rpm2html/search.php?query=redhat-lsb or look for your distribution's rpm. There are some prerequisites.

yum install -y gettext mailx patch

Now we need to create mysql-ib etc. This is done by copying some files from the source into the installation directory and then running an install script. To avoid this error when installing, "error while loading shared libraries: libboost_filesystem.so.1.42.0: cannot open shared object file: No such file or directory", make sure you do the LD_LIBRARY_PATH element of the instructions. When copying the files, just ensure that you overwrite all of them when prompted.

export PATH=$PATH:/usr/local/bin
cp -r /opt/software/infobright-4.0.7/build/community/release/vendor/support-files .
cp -r /opt/software/infobright-4.0.7/src/build/pkgmt/*.in support-files/
cp -r /opt/software/infobright-4.0.7/build/community/release/vendor/scripts/ .
cp -r /opt/software/infobright-4.0.7/src/build/pkgmt/confman.sh .
cp -r /opt/software/infobright-4.0.7/src/build/pkgmt/install-infobright-linux.sh .
install-infobright-linux.sh

Now we need to change the mysqld-ib file so that when starting libboost_filesystem.so.1.42.0 can be found.

cd /etc/init.d
vi mysqld-ib

Find the line that looks like this

PATH=/sbin:/usr/sbin:/bin:/usr/bin:$basedir/bin

Copy this line and change it to this

PATH=$PATH:$basedir/bin

This will protect your PATH statement if you have added more entries in .bashrc. Now add the following lines after the export PATH statement

NEWLDPATH=/usr/local/boost_1_42_0/lib
LDP=$LD_LIBRARY_PATH
if [ "${LDP}" == "" ]; then
  LD_LIBRARY_PATH=$NEWLDPATH
else
  # append only if the directory exists and is not already in LD_LIBRARY_PATH
  if [ -d "$NEWLDPATH" ] && [[ ! $LD_LIBRARY_PATH =~ (^|:)$NEWLDPATH(:|$) ]]; then
    LD_LIBRARY_PATH+=:$NEWLDPATH
  fi
fi
export LD_LIBRARY_PATH

Save the file.

I needed the normal version of mysql also on the server; this is needed so I can insert and update the tables, which will then be exported into the Infobright tables.

yum install mysql-server mysql

Because I am using the faster disk, I want to change the data directory for mysql

service mysqld stop
vi /etc/my.cnf

Add the following line

datadir = /u10/mysql

Now copy the data directory to the new location

cp -R /var/lib/mysql /u10
rm -r -f /var/lib/mysql
chown -R mysql:mysql /u10/mysql
vi /etc/selinux/config

Set the line SELINUX=enforcing to SELINUX=disabled.

To disable SELinux straight away so you do not have to reboot:

echo 0 >/selinux/enforce
service mysqld start
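
As an added example (not from the original post), here is the same relocation done with SELinux left on: instead of SELINUX=disabled, the new directory is given the mysqld_db_t context that /var/lib/mysql already carries, so the policy keeps confining mysqld. It assumes mysqld is already stopped and that, on an enforcing host, the policycoreutils-python tools (semanage, restorecon) are installed; the owner argument is mysql:mysql on the real server.

```shell
#!/bin/sh
# Added example, not from the original post: move the MySQL data directory onto
# the mounted volume while leaving SELinux enforcing. The new directory is
# registered as mysqld_db_t (the type /var/lib/mysql carries) and relabelled,
# so mysqld can use it without SELINUX=disabled.
# Assumptions: mysqld is already stopped; on an enforcing host the
# policycoreutils-python package (semanage, restorecon) is installed.

# set_mysql_datadir CONFIG NEWDIR: set or replace datadir in the [mysqld] section
set_mysql_datadir() {
  local cfg="$1" newdir="$2"
  if grep -q '^[[:space:]]*datadir[[:space:]]*=' "$cfg"; then
    sed -i "s|^[[:space:]]*datadir[[:space:]]*=.*|datadir = $newdir|" "$cfg"
  else
    # GNU sed: append the line directly after the [mysqld] header
    sed -i "/^\[mysqld\]/a datadir = $newdir" "$cfg"
  fi
}

# get_mysql_datadir CONFIG: print the configured datadir (last one wins)
get_mysql_datadir() {
  sed -n 's/^[[:space:]]*datadir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# label_mysql_datadir NEWDIR
# Returns 0 when labelled or when SELinux is not active on this host,
# 2 when SELinux is active but the labelling tools are missing.
label_mysql_datadir() {
  local newdir="$1"
  if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" = "Disabled" ]; then
    echo "SELinux not active on this host; no relabel needed"
    return 0
  fi
  if ! command -v semanage >/dev/null 2>&1 || ! command -v restorecon >/dev/null 2>&1; then
    echo "semanage/restorecon missing: install policycoreutils-python first" >&2
    return 2
  fi
  # persistent rule so a future full relabel keeps the type, then apply it now
  semanage fcontext -a -t mysqld_db_t "${newdir}(/.*)?" && restorecon -Rv "$newdir"
}

# relocate_mysql_datadir CONFIG OLDDIR NEWDIR OWNER
# Copies OLDDIR to NEWDIR (NEWDIR must not exist yet), sets ownership to
# OWNER (mysql:mysql on a real server), updates CONFIG and labels NEWDIR.
relocate_mysql_datadir() {
  local cfg="$1" olddir="$2" newdir="$3" owner="$4"
  [ -d "$olddir" ] || { echo "old datadir $olddir not found" >&2; return 1; }
  [ ! -e "$newdir" ] || { echo "$newdir already exists, refusing to merge" >&2; return 1; }
  mkdir -p "$(dirname "$newdir")"
  cp -a "$olddir" "$newdir"          # -a keeps modes and timestamps
  chown -R "$owner" "$newdir"
  set_mysql_datadir "$cfg" "$newdir"
  label_mysql_datadir "$newdir"
}

# Typical use on the server from the post (with mysqld stopped first):
#   relocate_mysql_datadir /etc/my.cnf /var/lib/mysql /u10/mysql mysql:mysql
```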

To make sure that this works

service mysqld-ib start

Now we have it working, we need to secure the database with passwords, remove the test database etc. Because I have installed mysql you need to do a temporary workaround, or change the scripts.

service mysqld stop

mv /usr/bin/mysql  /usr/bin/mysql_org

ln -s /usr/local/infobright/bin/mysql /usr/bin/mysql

/usr/local/infobright/bin/mysql_secure_installation

service mysqld-ib stop

rm -f /usr/bin/mysql

mv /usr/bin/mysql_org /usr/bin/mysql

This can be used if you installed the rpm and then copied in the compiled elements of the code

./postconfig.sh

Infobright post configuration
--------------------------------------
Using postconfig you can:
--------------------------------------
(1) Move existing data directory to other location,
(2) Move existing cache directory to other location,
(3) Configure server socket,
(4) Configure server port,
(5) Relocate datadir path to an existing data directory.

Please type 'y' for option that you want or press ctrl+c for exit.

Current configuration:

--------------------------------------
Current config file: [/etc/my-ib.cnf]
Current brighthouse.ini file: [/usr/local/infobright-4.0.7-x86_64/data/brighthouse.ini]
Current datadir: [/usr/local/infobright-4.0.7-x86_64/data]
Current CacheFolder in brighthouse.ini file: [/usr/local/infobright/cache]
Current socket: [/tmp/mysql-ib.sock]
Current port: [5029]
--------------------------------------

(1) Do you want to copy current datadir [/usr/local/infobright-4.0.7-x86_64/data] to a new location? [y/n]:y
Give new datadir path (e.g. /opt/datadirnewpath/data):/u10/infobright/data
(2) Option to change CacheFolder is disabled when option 1 is chosen!
(3) Do you want to change current socket [/tmp/mysql-ib.sock]? [y/n]:y
Give new socket::/u10/infobright/mysql-ib.sock
(4) Do you want to change current port [5029]? [y/n]:n
(5) Relocation is disabled when options 1-4 are chosen!

--------------------------------------
Datadir(/usr/local/infobright-4.0.7-x86_64/data) is going to be copied to /u10/infobright/data
New socket is going to be :/u10/infobright/mysql-ib.sock
--------------------------------------

Please confirm to proceed? [y/n]:y
Copying /usr/local/infobright-4.0.7-x86_64/data to /u10/infobright/data ...is done.
You can now remove/backup your old /usr/local/infobright-4.0.7-x86_64/data ... Done!

./postconfig.sh

(1) Do you want to copy current datadir [/usr/local/infobright-4.0.7-x86_64/data] to a new location? [y/n]:n

(2) Do you want to move current CacheFolder [/usr/local/infobright-4.0.7-x86_64/cache] to a new location? [y/n]:y

Give new CacheFolder path:/u10/infobright/cache

Please confirm to proceed? [y/n]:y

(1) Do you want to copy current datadir [/u10/infobright/data] to a new location? [y/n]:n

(2) Do you want to move current CacheFolder [/u10/infobright/cache] to a new location? [y/n]:n

(3) Do you want to change current socket [/tmp/mysql-ib.sock]? [y/n]:n

Please confirm to proceed? [y/n]:y

cd /usr/local/infobright/data
rm -f -r  *

To avoid the following error when starting the database

mysqld_safe mysqld from pid file /u10/infobright/data/ip-10-226-137-80.pid ended
120723 21:42:03 mysqld_safe Starting mysqld daemon with databases from /u10/infobright/data
120723 21:42:03 [Warning] options --log-slow-admin-statements, --log-queries-not-using-indexes and --log-slow-slave-statements have no effect if --log_slow_queries is not set
120723 21:42:03 [ERROR] Fatal error: Can't change to run as user 'mysql' ; Please check that the user exists!
120723 21:42:03 [ERROR] Aborting
120723 21:42:03 [Note] /usr/local/infobright-4.0.7-x86_64/bin/mysqld: Shutdown complete

chown -R mysql:mysql /usr/local/infobright-4.0.7
chown -R mysql:mysql /usr/local/infobright-4.0.7-i686 
chown -R mysql:mysql /usr/local/infobright 
chown -R mysql:mysql /u10/infobright
cd /usr/local/infobright-4.0.7-x86_64

We now have a working server. Not much use if you cannot connect to it 🙂 The first thing is to allow external access to the database.

vi /etc/my-ib.cnf

add these two lines

skip-host-cache
skip-name-resolve

Your file should look something like this:

# The MySQL server
[mysqld]
skip-host-cache
skip-name-resolve

You also need to ensure that skip-networking is commented out; your file should look like:

#skip-networking
#server-id=1
# log-bin=mysql-bin

So, to get on and set the security so that you can access it from an external server, you set it up just like a MySQL server.

mysql-ib -u root -p

This will get you a SQL prompt. You use the normal mysql statements to create users and grant privileges.

create database userdatabase;
create user 'user'@'%' identified by 'userpassword';
grant all privileges on userdatabase.* to 'user'@'%' with grant option;

Amazon AWS Mysql Database Full

Arrrgghhhh, our web site decided to fill the 5GB database it uses!

When you use the AWS console you get the following error

The specified database instance is currently in the storage-full state. The only modification permitted on a database instance in this state is an increase …”

You have to use the RDS command line tools; you can see how to install them in my riveting post 🙂 Change the max_allowed_packet Amazon RDS

Once installed and working, make a note of the database instance name, either using the management console or by running

rds-describe-db-instances

Issue this command to increase the size of the database to 10GB, where XXXXXXXX is the database instance name

rds-modify-db-instance XXXXXXXX --allocated-storage 10 --apply-immediately

Once the process was started it took about 10 minutes for the database to increase in size and be back on line.

Good luck with yours !!!!

Al


Using Amazon SES service as email server Oracle APEX

As we run most of our environment in Amazon AWS, it would be stupid not to use their email servers to send email from the APEX applications. The cost is not much and the service is very reliable.

You will need a working SES configuration. As with all AWS services there is a brilliant guide: Amazon Simple Email Service (SES) Documentation

But, as per usual, just to get you up and running and to put it into some context, you can follow this guide.

Login to your AWS account and choose the SES service.

The first thing to do is to verify your domain and an email address.

You will need access to your DNS records for domain verification.

To verify your email address:

You will be sent an email; just click on the link, it is that easy 🙂

The domain verification is a bit harder, not that hard though.

Click on Verify this domain

You will be presented with the details of the DNS entry that you are required to enter into your records. I cannot talk you through this as all DNS servers and vendors are different. But it is usually very straightforward; in fact many ISPs have a hostmaster team that will do this for you.

Once you have added these entries it is time to create the user that will be used for authentication to the SMTP server.

Click on SMTP Settings

 

Make a note of the Server Name as you will need this later, then press Create My SMTP Credentials.

This will create a new IAM user for the SMTP service; press the create button.

This will create the SMTP username and password that you will require in the APEX email configuration. (I deleted this account straight after I created it.)

DO NOT lose these details, as you cannot get the username and password back; you have to delete the IAM user and start again.

You are now ready to configure the APEX installation.

https://FQDN:8181/apex/apex_admin

Manage Instance

Instance Settings

Find the email settings area

Enter the details based on the credentials and settings that you have generated. The example below is based on the settings that were created in this example.

Note that Amazon requires SSL/TLS authentication.


Installing Oracle 11g XE and Apex 4.11 in Amazon AWS

I have written about how to install Apex and XE on Linux, this one takes those thoughts and applies them to Amazon AWS.

There is some improvement on my ramblings of Linux Apex installation as well 🙂

If you want to run a highly resilient APEX installation then I would suggest that you run an Oracle RDS instance and a separate APEX web server; details of how to do this can be found at APEX within the Oracle RDS environment.

One thing to note if you are installing on an Amazon EC2 image: create a separate security group for this server and allow the following ports: 8080, 8181 and 37339. You obviously have to allow all of your standard ports (22 etc.), but that depends on how you access the server. This is just a note to highlight that there are some special ports that are required.

I am installing this on an Amazon Linux 64-bit image and I will be using the 11g Express Edition.

mkdir -p /opt/software/oracle
cd /opt/software/oracle

Download the Oracle database and upload it to this folder. I have yet to work out how to use lynx on this site, so I have to use a GUI browser. http://www.oracle.com/technetwork/products/express-edition/downloads/index.html?ssSourceSiteId=ocomen

You will also need to download the Apex software

unzip oracle-xe-11.2.0-1.0.x86_64.rpm.zip 
rpm -Uvh oracle-xe-11.2.0-1.0.x86_64.rpm

You will probably get this error

Preparing… ########################################### [100%]

This system does not meet the minimum requirements for swap space. Based on
the amount of physical memory available on the system, Oracle Database 11g
Express Edition requires 1190 MB of swap space. This system has 0 MB
of swap space. Configure more swap space on the system and retry the
installation.

error: %pre(oracle-xe-11.2.0-1.0.x86_64) scriptlet failed, exit status 1
error: install: %pre scriptlet failed (2), skipping oracle-xe-11.2.0-1.0

Do not worry, just follow these instructions on creating swap space and then get right back to this document 🙂

rpm -Uvh oracle-xe-11.2.0-1.0.x86_64.rpm

Once installed you will get the following message

Executing post-install steps…
You must run ‘/etc/init.d/oracle-xe configure’ as the root user to configure the database.

/etc/init.d/oracle-xe configure

Oracle Database 11g Express Edition Configuration
————————————————-
This will configure on-boot properties of Oracle Database 11g Express
Edition. The following questions will determine whether the database should
be starting upon system boot, the ports it will use, and the passwords that
will be used for database accounts. Press <Enter> to accept the defaults.
Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:

Specify a port that will be used for the database listener [1521]:

Specify a password to be used for database accounts. Note that the same
password will be used for SYS and SYSTEM. Oracle recommends the use of
different passwords for each database account. This can be done after
initial configuration:

Confirm the password:

Do you want Oracle Database 11g Express Edition to be started on boot (y/n) [y]:

Starting Oracle Net Listener…Done
Configuring database…Done
Starting Oracle Database 11g Express Edition instance…Done
Installation completed successfully.

To test the connection

ln -s /u01/app/oracle/product/11.2.0/xe/bin/sqlplus /usr/bin/sqlplus

If you ran sqlplus from the command line you would get the following error:

SP2-0667: Message file sp1<lang>.msb not found
SP2-0750: You may need to set ORACLE_HOME to your Oracle software directory

To correct this you need to set ORACLE_HOME

vi /etc/profile

Insert the following lines at the bottom

export ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
export ORACLE_SID=XE
export NLS_LANG=AMERICAN.AL32UTF8
export PATH=$PATH:$ORACLE_HOME/bin

You need to run the profile to get the variables

. /etc/profile

Note the space between . and /etc/profile

It is also worth adding these lines to the .bashrc file in the home directory.

echo $ORACLE_HOME

This will show whether you have set the directory correctly.

To see if you have Oracle working correctly then:

sqlplus sys@localhost as sysdba

Enter the password that you set at the start of the installation

This should give you a SQL> prompt

select sysdate from dual;

This will return today’s date

Change host name of server and allow Oracle to start properly.

Due to the nature of the installation in Amazon there are a few workarounds required; these consist of changing the host name and reconfiguring the tnsnames.ora and listener.ora files in Oracle.

The host name must be registered in a DNS server, I use Route 53 for this as it gives me ultimate control over the servers in the Amazon infrastructure.

vi /etc/sysconfig/network

Find the following entry:

HOSTNAME=localhost.localhost.com

Change this to your FQDN as per what is registered in your DNS.

You will need a reboot of the server

reboot

Now you have completed this part you need to change the Oracle ora files; I have taken care of this for you in the following post: Starting an Oracle XE listener on Amazon EC2 instance

Now to install APEX

Please be careful if copying and pasting: some of the ' characters get replaced, which will result in errors in the scripts.

We need to change some parameters in Oracle

sqlplus sys/password@localhost as sysdba
ALTER SYSTEM SET SHARED_POOL_SIZE='100M' SCOPE=spfile;
exit
service oracle-xe restart
cd /opt/software/oracle/apex
sqlplus sys/password@localhost as sysdba

The creation of this environment will be based on the tablespace being called apex

So at the SQL> prompt

create tablespace apex
  logging
  datafile '/u01/app/oracle/oradata/XE/apex.dbf' 
  size 32m 
  autoextend on 
  next 32m maxsize 2048m
  extent management local;

The command we will use is as follows

@@apexins tablespace_apex tablespace_files tablespace_temp images

e.g.

@@apexins apex apex temp /i/

Now we will set the password for the admin of the site

@apxchpwd

Enter a password for the ADMIN user

Enter the admin password that you want. Then unlock the public user and set its password (replace <password> with the password you chose):

ALTER USER APEX_PUBLIC_USER ACCOUNT UNLOCK;
ALTER USER APEX_PUBLIC_USER IDENTIFIED BY <password>;

Once the user and passwords have been set we can exit from the SQL> screen

exit

Now to install and set-up the Glassfish server

cd  /opt/software
mkdir glassfish
cd  glassfish

Download the server from the Oracle Glassfish site to this directory

unzip  ogs*.zip
cp -r glassfish3 /opt/
mkdir -p /opt/glassfish3/glassfish/domains/domain1/docroot/i

Note: the 'i' directory is very important; again, this is not from any notes that I have seen (I might have missed it). I got it from a YouTube demo installation.

cd /opt/software/oracle/apex/images
cp -r * /opt/glassfish3/glassfish/domains/domain1/docroot/i
cd /opt/glassfish3/glassfish/bin
./asadmin start-domain

This domain requires an administrative password to be set before
the domain can be started. Please specify an administrative password. 
Enter an admin password for user “admin”>

Enter an admin password for user “admin” again>

You possibly will get the following error
Waiting for domain1 to start …………………………Error starting domain domain1.
The server exited prematurely with exit code 0.
Before it died, it produced the following output:

Launching GlassFish on Felix platform
[#|2012-07-28T16:59:02.488+0000|INFO|oracle-glassfish3.1.2|com.sun.enterprise.server.logging.GFFileHandler|_ThreadID=1;_ThreadName=main;|Running GlassFish Version: Oracle GlassFish Server 3.1.2.2 (build 5)|#]

[#|2012-07-28T16:59:02.777+0000|INFO|oracle-glassfish3.1.2|org.glassfish.ha.store.spi.BackingStoreFactoryRegistry|_ThreadID=10;_ThreadName=main;|Registered org.glassfish.ha.store.adapter.cache.ShoalBackingStoreProxy for persistence-type = replicated in BackingStoreFactoryRegistry|#]

[#|2012-07-28T16:59:03.521+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=11;_ThreadName=Grizzly-kernel-thread(1);|Grizzly Framework 1.9.50 started in: 59ms – bound to [0.0.0.0:4848]|#]

[#|2012-07-28T16:59:03.522+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=12;_ThreadName=Grizzly-kernel-thread(1);|Grizzly Framework 1.9.50 started in: 92ms – bound to [0.0.0.0:8181]|#]

[#|2012-07-28T16:59:03.533+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=13;_ThreadName=Grizzly-kernel-thread(1);|Grizzly Framework 1.9.50 started in: 37ms – bound to [0.0.0.0:3700]|#]

[#|2012-07-28T16:59:03.548+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.services.impl|_ThreadID=14;_ThreadName=Grizzly-kernel-thread(1);|Grizzly Framework 1.9.50 started in: 14ms – bound to [0.0.0.0:7676]|#]

[#|2012-07-28T16:59:10.723+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=10;_ThreadName=main;|Oracle GlassFish Server 3.1.2.2 (5) startup time : Felix (7,610ms), startup services(10,613ms), total(18,223ms)|#]

[#|2012-07-28T16:59:10.724+0000|SEVERE|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=10;_ThreadName=main;|Shutting down v3 due to startup exception : No free port within range: 8080=com.sun.enterprise.v3.services.impl.monitor.MonitorableSelectorHandler@68d448a1|#]

[#|2012-07-28T16:59:11.679+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.tools.admin.com.sun.enterprise.v3.admin|_ThreadID=15;_ThreadName=Thread-21;|Server shutdown initiated|#]

[#|2012-07-28T16:59:11.685+0000|INFO|oracle-glassfish3.1.2|javax.enterprise.system.core.com.sun.enterprise.v3.server|_ThreadID=15;_ThreadName=Thread-21;|Already stopped, so just returning|#]

Command start-domain failed.

The following will delete and recreate the domain that is required (Note that there are 2 dashes in front of nopassword)

./asadmin delete-domain domain1
./asadmin create-domain domain

Enter admin user name [Enter to accept default “admin” / no password]> admin
Enter the admin password [Enter to accept default of no password]> Enter the password
Enter the admin password again> Enter the password

You will get the following output
Using default port 4848 for Admin.
Default port 8080 for HTTP Instance is in use. Using 37339
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Using default port 6666 for OSGI_SHELL.
Using default port 9009 for JAVA_DEBUGGER.
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=ip-10-248-83-138.eu-west-1.compute.internal,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=ip-10-248-83-138.eu-west-1.compute.internal-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
No domain initializers found, bypassing customization step
Domain domain created.
Domain domain admin port is 4848.
Domain domain admin user is “admin”.
Command create-domain executed successfully.

You need to recreate the directory and copy the files again

mkdir -p /opt/glassfish3/glassfish/domains/domain/docroot/i
cp -r /opt/software/oracle/apex/images/* /opt/glassfish3/glassfish/domains/domain/docroot/i
./asadmin start-domain

Waiting for domain to start …………
Successfully started the domain : domain
domain Location: /opt/glassfish3/glassfish/domains/domain
Log File: /opt/glassfish3/glassfish/domains/domain/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

You now have a working Glassfish server ready for the listener and Apex to be deployed.

Configure the Apex Listener

You need to obtain the latest listener from the Oracle web site

Once downloaded unzip the file, you will need this later when you have configured the Glassfish server.

mkdir /opt/software/apexlistener
cd /opt/software/apexlistener
unzip apex*.zip

Configure Glassfish

Navigate to http://FQDN:4848 (where FQDN is your server name)

Login with the credentials that you specified when creating the domain

You will probably get this error:

Secure Admin must be enabled to access the DAS remotely.

cd /opt/glassfish3/bin

To get the asadmin prompt

./asadmin

asadmin> get secure-admin.enabled

Enter admin user name> admin
Enter admin password for user “admin”>
secure-admin.enabled=false
Command get executed successfully.

asadmin> enable-secure-admin

Enter admin user name> admin
Enter admin password for user “admin”>

You must restart all running servers for the change in secure admin to take effect.
Command enable-secure-admin executed successfully.

asadmin> stop-domain
Waiting for the domain to stop ….
Command stop-domain executed successfully.

asadmin> start-domain
Waiting for domain1 to start ……
Successfully started the domain : domain
domain Location: /u01/app/glassfish3/glassfish/domains/domain1
Log File: /u01/app/glassfish3/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

asadmin> get secure-admin.enabled
secure-admin.enabled=true
Command get executed successfully.

Configure the Glassfish Server

Navigate to http://FQDN:4848 (where FQDN is your server name)

Login with the credentials that you specified when creating the domain

From the left hand pane pick server-config

Apex Security configuration

When the security screen is displayed

Select the check box next to Default Principal to Role Mapping.

Don’t forget to press the save button

This is from the Apex install guide

From the web console.

Select the realm to which to add your user (for example, file).

The Edit Realm page appears.

On the Edit Realm page, click the Manage Users button.

The File Users page appears.

On the File Users page, click New.

The New File Realm User page appears.

On the New File Realm User page, create an Admin user:

User ID – Enter the name of the Oracle Application Express Listener administrator:

User ID: adminlistener

Group List – Enter the role to which the user belongs:

Group List: Admin

New Password – Enter a unique password.

Confirm New Password – Enter the password again.

Click OK.

Repeat the previous steps and create another user for the Oracle Application Express Listener manager, by specifying the following:

User ID: managerlistener

Group List: Manager

Click OK.

APEX Listener installation and configuration

We now need to install the apex listener that we downloaded earlier on.

On the navigation tree, click the Application node.

The Applications page displays.

Click the Deploy button.

The Deploy Applications or Modules page displays.

Choose "Local Packaged File or Directory That Is Accessible from GlassFish Server" and enter the location of the apex.war file

/opt/software/apexlistener/apex_listener.1.1.4.195.00.12/apex.war

Complete the other fields as shown below.

This will upload the war file and deploy it in the server.

There seems to be some additional security in the 11g version of Oracle, so from the Oracle installation guide:

"Enable Network Services in Oracle Database 11g
By default, the ability to interact with network services is disabled in Oracle Database 11g release 1 or 2. Therefore, if you are running Oracle Application Express with Oracle Database 11g release 1 or 2, you must use the new DBMS_NETWORK_ACL_ADMIN package to grant connect privileges to any host for the APEX_040100 database user."

mkdir -p /opt/glassfish3/configpackage

cd /opt/glassfish3/configpackage

vi createpackages.sql

Paste the following into the file (the comment markers are two hyphens and the quotes are plain single quotes; the curly quotes a web page or word processor substitutes will make the script fail):

DECLARE
  ACL_PATH VARCHAR2(4000);
BEGIN
  -- Look for the ACL currently assigned to '*' and give APEX_040100
  -- the "connect" privilege if APEX_040100 does not have the privilege yet.
  SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
   WHERE HOST = '*' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;
  IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'APEX_040100',
     'connect') IS NULL THEN
    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH,
      'APEX_040100', TRUE, 'connect');
  END IF;
EXCEPTION
  -- When no ACL has been assigned to '*'.
  WHEN NO_DATA_FOUND THEN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('power_users.xml',
      'ACL that lets power users to connect to everywhere',
      'APEX_040100', TRUE, 'connect');
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('power_users.xml', '*');
END;
/
COMMIT;

DECLARE
  ACL_PATH VARCHAR2(4000);
BEGIN
  -- Look for the ACL currently assigned to 'localhost' and give APEX_040100
  -- the "connect" privilege if APEX_040100 does not have the privilege yet.
  SELECT ACL INTO ACL_PATH FROM DBA_NETWORK_ACLS
   WHERE HOST = 'localhost' AND LOWER_PORT IS NULL AND UPPER_PORT IS NULL;
  IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(ACL_PATH, 'APEX_040100',
     'connect') IS NULL THEN
    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(ACL_PATH,
      'APEX_040100', TRUE, 'connect');
  END IF;
EXCEPTION
  -- When no ACL has been assigned to 'localhost'.
  WHEN NO_DATA_FOUND THEN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL('local-access-users.xml',
      'ACL that lets users to connect to localhost',
      'APEX_040100', TRUE, 'connect');
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL('local-access-users.xml', 'localhost');
END;
/
COMMIT;

sqlplus sys/password@localhost as sysdba

@@createpackages.sql

Access Oracle Application Express Listener Administration

Once you have completed the above steps and uploaded the apex.war file, you can launch the application.

Navigate to the Applications section in the navigation tree. You will see the apex line with “Launch | Redeploy | Reload”

Click on Launch; a new window will open giving you the two URLs on which you can access the apex application.

http://FQDN:37339/apex
https://FQDN:8181/apex

To access Oracle Application Express Listener Administration, in your Web browser go to:

http://FQDN:8181/apex/listenerConfigure

The settings are as follows:

Username: APEX_PUBLIC_USER

Password: as set above with the SQL script (ALTER USER APEX_PUBLIC_USER IDENTIFIED BY <password>;)

Connection Type: Basic

Hostname: FQDN of the server

Port: 1521

SID: XE

Once you click on OK, you should be presented with the following

https://FQDN:8181/apex/wwv_flow.accept

And a web page should appear as below

We now need to create a workspace so that we can start working.

Navigate to

https://FQDN:8181/apex/apex_admin

Log on with the admin password that was set when you managed the users in the realm configuration.

You will be asked to change the password to match the new 11g complexity passwords.

You now should have a working APEX installation

You may have a working environment but you will not be able to do anything with it.

Directly from one of the installation guides

"JOB_QUEUE_PROCESSES determine the maximum number of concurrently running jobs. In Oracle Application Express release 4.1, transactional support and SQL scripts require jobs.

If JOB_QUEUE_PROCESSES is not enabled and working properly, you cannot successfully execute a script."

The current value of JOB_QUEUE_PROCESSES can be checked in three ways. The easiest is from the command line:

sqlplus sys/ORACLE_PASSWORD@localhost as sysdba

SELECT VALUE FROM v$parameter WHERE NAME = 'job_queue_processes';

ALTER SYSTEM SET JOB_QUEUE_PROCESSES = <number>;

Replace <number> with the number of processes that you wish to run. I have no idea at the moment what this number should be set to, as I suspect it will be based on how many applications and users will be accessing the system. For a start I set mine to 20; it's a good number to start with. More later on how you determine what this number should be.


Change the Query Cache Size Amazon AWS RDS

We are running a PHP web site with the MySQL RDS from Amazon, and there is a need to change the MySQL query cache size to make the server run more effectively. Normally this would be done in the my.cnf file, but as you know, with RDS you use parameter groups. If you don't have the RDS tools on your server then look at my other blog post for the instructions on getting them up and running: Change the max_allowed_packet Amazon RDS

Once you have it working then back here.

You only need to do this part if you did not create a parameter group

rds-create-db-parameter-group NAMEOFGROUP -f DATABASEVERSION -d "My custom database parameter group"

NAMEOFGROUP – if this is a single multi-use database, give it a generic name; otherwise give it the name of the RDS instance

DATABASEVERSION – at the time of writing, mysql5.1 or mysql5.5

e.g.

rds-create-db-parameter-group mydbgroup -f mysql5.1 -d "My custom database parameter group"

This has now created the shell to store parameters such as max_allowed_packet, or in this case the query cache size:

rds-modify-db-parameter-group NAMEOFGROUP --parameters "name=query_cache_size,value=3048576,method=immediate"

rds-modify-db-parameter-group NAMEOFGROUP --parameters "name=query_cache_type,value=1,method=pending-reboot"

 

NOTE the pending-reboot: for this setting to take effect the database needs a restart.

Read up on the query_cache settings on the MySQL site and forums; this blog is all about how you set things in AWS, not how to tune your MySQL server.

Again you only need to do this if you created the group from scratch

rds-modify-db-instance your-instance-here --db-parameter-group-name NAMEOFGROUP

 

Substitute your RDS instance name and parameter group name (your-instance-here and NAMEOFGROUP).

You will need to restart the RDS instance to get these settings to take effect.


Securing your Linux server from SSH attacks

If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever built have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be in our network. What a great strategy: if you cannot get to me you cannot hack me :). Nor can the script kiddies have a pop and use valuable bandwidth and server resources.

So as soon as you get to Amazon AWS you need to seriously start thinking about your server security. You have of course got the AWS security groups to help you, but we now have a need to allow SSH access to some of our servers by third-party people.

Therefore you need to harden the servers even more. Amazon goes some way to protecting their servers with key-only access, but sometimes you need to give good old username and password access.

You therefore will start seeing entries in your /var/log/secure file something along the lines of :

Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul 1 19:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 27.54.120.3: 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul 1 19:48:32 ip-10-228-234-162 sshd[6914]: input_userauth_request: invalid user davida
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.54.120.3

How annoying that you have to expend time and effort on these idiots.

Well, luckily Linux has a built-in defence mechanism against such people in the hosts.deny file.

You could manually go through (or get someone to go through) your secure file, but someone far cleverer than me has written a utility that does this for you: http://denyhosts.sourceforge.net/

What a tool. There is a brilliant README file in the install directory, but as usual, to make it easy for you and me, here are the highlights to get it working.

yum install python

cd ~
mkdir software
cd software
wget -O DenyHosts-2.6.tar.gz http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz/download
tar -xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install

cd /usr/share/denyhosts

cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control

chown root:root daemon-control
chmod 700 daemon-control

vi denyhosts.cfg

Change the file to match your distribution. I am using a Red Hat based distro, as you would expect being in Amazon. I left everything as standard except that I turned on the sync to get the host IP addresses of these annoying idiots.
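To make the decision DenyHosts takes on your behalf concrete, here is an added Python example (not DenyHosts' own code) that parses sshd lines like the ones quoted above, tallies failed passwords per source address while separating attempts on non-existent accounts from attempts on real ones, and renders the offenders as hosts.deny entries. The sample log is constructed for the example, and the two thresholds are constructed values standing in for the DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID settings in denyhosts.cfg.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines are quoted from the log excerpt above,
# the rest are made up so one host crosses the threshold and one real user does not.
SAMPLE_LOG = """\
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:35 ip-10-228-234-162 sshd[6911]: Failed password for invalid user davida from 27.54.120.3 port 42530 ssh2
Jul 1 20:49:01 ip-10-228-234-162 sshd[6931]: Failed password for invalid user oracle from 27.54.120.3 port 42601 ssh2
Jul 1 20:50:12 ip-10-228-234-162 sshd[6940]: Failed password for ec2-user from 10.0.0.5 port 51022 ssh2
Jul 1 20:50:40 ip-10-228-234-162 sshd[6952]: Accepted publickey for ec2-user from 10.0.0.5 port 51030 ssh2
"""

# Only "Failed password" lines carry both the account tried and the source address;
# the pam_unix / "Invalid user" noise around them is deliberately ignored.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return {ip: {"invalid": n, "valid": n}} for every address that failed a login."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            kind = "invalid" if m.group("invalid") else "valid"
            counts[m.group("ip")][kind] += 1
    return dict(counts)

def hosts_to_deny(log_text, invalid_threshold=3, valid_threshold=10):
    """Addresses over either threshold. The thresholds mirror DENY_THRESHOLD_INVALID
    and DENY_THRESHOLD_VALID in denyhosts.cfg; these values are constructed for the
    sample, not the tool's defaults."""
    deny = [ip for ip, c in count_failures(log_text).items()
            if c["invalid"] >= invalid_threshold or c["valid"] >= valid_threshold]
    return sorted(deny)

def hosts_deny_lines(ips, service="sshd"):
    """Render entries in the 'daemon: client' form that /etc/hosts.deny expects."""
    return [f"{service}: {ip}" for ip in ips]

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

An entry such as sshd: 27.54.120.3 is only honoured where sshd is built against tcp_wrappers (libwrap), which is the case for the Red Hat based distributions of this period.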

The instructions for starting the daemon automatically are so straightforward; the guy who wrote this sure did understand the software, but also how to document it 🙂

cd /etc/init.d

ln -s /usr/share/denyhosts/daemon-control denyhosts

If you have chkconfig installed you can then use it to ensure that DenyHosts runs at boot time:

chkconfig --add denyhosts

service denyhosts start