Tuesday, June 15, 2010

Red Hat Enterprise Linux 5.4: installing Apache from the RPM packages and enabling SSL



[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh httpd-2.2.3-31.el5.i386.rpm
warning: httpd-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
libapr-1.so.0 is needed by httpd-2.2.3-31.el5.i386
libaprutil-1.so.0 is needed by httpd-2.2.3-31.el5.i386

[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh apr-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm
warning: apr-1.2.7-11.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
libpq.so.4 is needed by apr-util-1.2.7-7.el5_3.2.i386

[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh postgresql-libs-8.1.11-1.el5_1.1.i386.rpm
warning: postgresql-libs-8.1.11-1.el5_1.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:postgresql-libs ########################################### [100%]

[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh apr-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm
warning: apr-1.2.7-11.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:apr ########################################### [ 50%]
2:apr-util ########################################### [100%]

[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh httpd-2.2.3-31.el5.i386.rpm
warning: httpd-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:httpd ########################################### [100%]

[root@myserver][/media/RHEL_5.4 i386 DVD/Server]
$

To enable SSL, the mod_ssl-2.2.3-31.el5.i386.rpm package also needs to be installed. The "Header V3 DSA signature: NOKEY" warnings above mean that rpm could not verify the packages' GPG signatures because the Red Hat release key is not imported; importing it first (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, the same key ships on the installation DVD) lets rpm check each package before it is installed.

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh mod_ssl-2.2.3-31.el5.i386.rpm
warning: mod_ssl-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
libdistcache.so.1 is needed by mod_ssl-2.2.3-31.el5.i386
libnal.so.1 is needed by mod_ssl-2.2.3-31.el5.i386

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh distcache-1.4.5-14.1.i386.rpm
warning: distcache-1.4.5-14.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:distcache ########################################### [100%]

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ rpm -ivh mod_ssl-2.2.3-31.el5.i386.rpm
warning: mod_ssl-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:mod_ssl ########################################### [100%]

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ service httpd status
httpd is stopped

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ service httpd start
Starting httpd: [ OK ]

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ netstat -ntpl |grep 443
tcp 0 0 :::443 :::* LISTEN 29673/httpd

[root@sampath][/media/RHEL_5.4 i386 DVD/Server]
$ cd /etc/pki/tls/certs/

[root@sampath][/etc/pki/tls/certs]
$ make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

[root@sampath][/etc/pki/tls/certs]
$ make server.crt
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Tamilnadu
Locality Name (eg, city) [Newbury]:Pollachi
Organization Name (eg, company) [My Company Ltd]:HP
Organizational Unit Name (eg, section) []:MW
Common Name (eg, your name or your server's hostname) []:sampath.hp.com
Email Address []:

[root@sampath][/etc/pki/tls/certs]
$ make server.crt
make: `server.crt' is up to date.

[root@sampath][/etc/pki/tls/certs]
$ ls -lrt
total 484K
-rw-r--r-- 1 root root 2.2K Jun 29 2009 Makefile
-rwxr-xr-x 1 root root 610 Jun 29 2009 make-dummy-cert*
-rw-r--r-- 1 root root 431K Jun 29 2009 ca-bundle.crt
drwxr-xr-x 5 root root 4.0K Apr 27 13:36 ../
-rw------- 1 root root 1.4K Jun 15 12:18 localhost.crt
-rw------- 1 root root 963 Jun 15 12:26 server.key
-rw------- 1 root root 1.1K Jun 15 12:27 server.crt
drwxr-xr-x 2 root root 4.0K Jun 15 12:27 ./

[root@sampath][/etc/pki/tls/certs]
$ mv server.key ../private/

[root@sampath][/etc/pki/tls/certs]
$ cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup

[root@sampath][/etc/pki/tls/certs]
$ vi /etc/httpd/conf.d/ssl.conf

[root@sampath][/etc/pki/tls/certs]
$ /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server sampath.hp.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.

There are a few steps to follow in this process.

1. Create the private key file using the commands below.

2. Generate the CSR file using the key created in step 1.

3. Send the CSR file to a certificate issuing authority such as Verisign and get back the certificate, which is then installed on either the web server or the load balancer.

Private key file -> CSR generation -> Send CSR to Verisign -> Get the certificate -> Install it on the LB or web server

Please follow the steps below:

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
..........++++++
....++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

# openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [IN]:IN
State or Province Name (full name) [Nikesh Jauhari]:Nikesh
Locality Name (eg, city) [Pune]:Pune
Organization Name (eg, company) [My Company Ltd]:Cybage Software Pvt. Ltd.
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:poison.hell.com
Email Address []:njauhari@cybage.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

The newly created server.key file no longer has a passphrase. Note that the file listing shows both files as world-readable (mode 644); as the paragraph above says, the unencrypted server.key must be readable by root only (chmod 600 server.key).

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

To generate a temporary certificate which is good for 365 days, issue the following command:

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
...
Getting Private key
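The procedure of Steps 1 to 4 carried out non-interactively as one script, followed by the consistency checks worth running before the files are copied into place in Step 5. This is an added example, not the article's own commands: it assumes a Linux host with the openssl binary on PATH, writes the key unencrypted as Step 3 leaves it, uses a 2048-bit key instead of the article's 1024 (which current CAs and browsers reject), and the subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then verification.
# Assumes openssl on PATH and a Linux host; subject values are constructed samples.

# gen_selfsigned DIR COMMON_NAME
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt.
gen_selfsigned() {
    dir=$1
    cn=$2
    # umask 077 makes every file created below mode 0600, so the private key is
    # never world-readable, not even briefly (the RHEL Makefile does the same).
    umask 077
    # Step 1 as Step 3 leaves it: an unencrypted RSA key, so httpd can start
    # unattended. 2048 bits rather than the article's 1024.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # Step 2: CSR with the DN given on the command line instead of at the prompts.
    openssl req -new -key "$dir/server.key" \
        -subj "/C=IN/ST=Tamilnadu/L=Pollachi/O=Example/OU=MW/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # Step 4: self-sign the CSR with the same key, valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# key_matches_cert KEY CRT: the modulus in the certificate must equal the key's.
# A mismatch (wrong key copied in Step 5) makes httpd fail at start-up.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1") || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_cn CRT: print the CN from the certificate subject (works with both the
# "CN = host" and the "/CN=host" output styles of different OpenSSL versions).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_is_private KEY: the file mode must be 0600 (owner read/write only).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# cert_valid CRT: a self-signed certificate verifies against itself and is not expired.
cert_valid() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
        openssl x509 -checkend 0 -noout -in "$1" >/dev/null
}
```

Source the file and call gen_selfsigned /etc/pki/tls/private sampath.hp.com, then run the check functions on the resulting files before restarting httpd.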

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

# cp server.crt /usr/local/apache/conf/ssl.crt
# cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

Add the following directives to the SSL virtual host (the enclosing VirtualHost block, which these directives belong inside, is shown here as well):

<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Step 7: Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd start

Now you can use https://yourwebservername.domain-name.

RPM Command Cross Reference

  • rpm -Uvh fortune-mod-1.0-13.rpm - option -U upgrades the fortune-mod package to the newer version and removes all other installed versions of fortune-mod from the system. Options -v and -h give verbose output, with installation progress shown as hash marks.

  • rpm -ivh fortune-mod-1.0-13.rpm - option -i installs the fortune-mod package.

  • rpm -Fvh fortune-mod-1.0-13.rpm - option -F upgrades the fortune-mod package only if an earlier version is already installed.

  • rpm -qa --last - option -qa queries the RPM database for a list of all packages installed on the system; --last sorts the listing by installation date.

  • rpm -qi fortune-mod-1.0-13 - option -qi queries the RPM database to check whether the fortune-mod-1.0-13 package is installed and, if so, prints detailed information about it.

  • rpm -ql fortune-mod-1.0-13 - option -ql lists all files installed on the system by the fortune-mod-1.0-13 package. This form is useful, for example, to check whether any sample files were installed that complement the help in the man page.

  • rpm -qf /usr/games/fortune - option -qf queries the RPM database for the package that installed the /usr/games/fortune file.

  • rpm -qR fortune-mod-1.0-13 - option -qR lists the dependencies of the fortune-mod-1.0-13 package.

  • rpm -e fortune-mod-1.0-13 - option -e removes (uninstalls) the fortune-mod-1.0-13 package.

PuTTY Tips and Tricks

PuTTY is hands-down the best SSH client for Windows. It’s light-weight with a single putty.exe file and nothing else to install.

A while back we wrote about 12 powerful PuTTY software add-ons and explained how PuTTY connection manager can help you to organize PuTTY SSH sessions in tabs.

In this article, let us review 10 awesome native PuTTY tips and tricks that you might have not explored earlier.

If you have not used PuTTY earlier and you have heard only about Silly Putty and Mighty Putty and not the PuTTY software, you may want to download PuTTY software from the official PuTTY download page here before exploring these PuTTY tricks.

PuTTY Trick 1: Delete All PuTTY Sessions Together

When you are swapping an old computer with a new computer, you may end-up transferring all PuTTY sessions to new computer. Once you’ve transferred all PuTTY sessions, execute “putty -cleanup” from the command line as shown below.

C:>putty -cleanup

This will display the following warning message. Click on ‘Yes’ to wipe out all PuTTY sessions and the random seed file from the Windows registry. This is a better way to delete all saved PuTTY sessions from the Windows registry than deleting them one by one from the PuTTY session list.

Fig: PuTTY Cleanup Sessions

PuTTY Trick 2: Change Font Size Automatically when Resizing PuTTY Window

By default, when you resize a PuTTY window the font size doesn’t change. Sometimes it would be good if the font size decreased when you reduce the PuTTY window size (or) increased when you enlarge it. For example, when you are running the Unix top command and resize the window, the output gets cut off in PuTTY as shown below.

Fig: Partial output truncated during PuTTY window resize

Launch PuTTY -> Select a Session -> Click on Load. From left side tree menu click on Window -> select the “Change the size of the font” under “When window size is resized” section as shown below -> Click on ‘Open’ at the bottom of this window to start the session.

Fig: PuTTY Change the font size automatically

After the above change, start the PuTTY SSH session and login again. Start the Unix top command and try to resize the window. When you reduce the window size, the font size will become smaller and adjust the top command output automatically to fit in the small size screen as shown below.

Fig: Unix top command output not truncated

Note: Instead of automatically adjusting the font size during window resize, you can also set the following options “When window is resized” from the PuTTY configuration window.

  • Change the number of rows and columns.
  • Change the size of the font. (this is the option we discussed in this tip)
  • Change font size only when maximized.
  • Forbid resizing completely. (This option can be very helpful, when you don’t want PuTTY window resizing to happen)

PuTTY Trick 3: Change the PuTTY SSH Session Window Title

By default, PuTTY software displays “username@hostname:~” in the PuTTY window title after you login. You can change this to any user-friendly text.

Launch PuTTY -> Select a Session -> Click on Load. From the left side tree menu click on Window -> Behavior. On the right panel, in the ‘Window Title’ text box, enter the desired window title as shown below. After this change, make sure to save the session.

Fig: Custom Window Title for PuTTY SSH Session

Load this saved PuTTY SSH session and login again to the server, which will display the new updated window title as shown below.

Fig: PuTTY Session showing user defined custom window title

PuTTY Trick 4: View PuTTY Event log

When you are logged-in to a PuTTY SSH session, right mouse-click on the PuTTY window title, which will display PuTTY menu. Select ‘Event Log’ menu-item, which will display the following PuTTY event log window.

This will be very helpful to debug any PuTTY SSH session issues.

Fig: PuTTY Event Log Display

PuTTY Trick 5: Paste to Clipboard in Rich Text Editor (RTF) Format

Typically when you copy/paste from PuTTY window to a word document, it will paste only in plain text as explained below.

  • Login to a PuTTY Telnet or SSH session without setting the ‘Paste to clipboard in RTF’ option that is explained below.
  • Execute ‘man ssh’ from the command line.
  • Copy the first few lines of the man output.
  • Launch Microsoft Word and paste the output. You’ll see only the text output without any formatting.

Enable the RTF copy/paste feature in PuTTY software as shown below.

Launch PuTTY terminal -> Select a Session -> Click on Load. From left side tree menu click on Window -> Selection. On the right panel, select the check-box where it says “Paste to clipboard in RTF as well as plain text” as shown in the image below.

Fig: Enable Rich Text Paste to Clipboard in PuTTY

  • Login to PuTTY telnet or SSH session after setting the ‘Paste to clipboard in RTF’ option that was explained above.
  • Execute ‘man ssh’ from the command line.
  • Copy the first few lines of the man output.
  • Launch Microsoft Word and paste the output. This time the text is pasted with all of its formatting, as shown below.

Fig: Rich Text copied from PuTTY to MS-Word with formatting

PuTTY Trick 6. Make PuTTY SSH Session Always Stay On Top

Sometimes when you are running a monitoring session (for example, the Unix top command), you may want the PuTTY client window to stay on top at all times.

Launch PuTTY terminal -> Select a Session -> Click on Load. From left side tree menu click on Window -> Behavior. On the right panel, click on the check-box where it says “Ensure window is always on top” as shown below.

Fig: PuTTY Window Behavior - Always on Top

After this change, login to the PuTTY FTP, SSH or telnet session. This particular session will always stay on top, irrespective of any other application you open in Windows.

PuTTY Trick 7: Launch PuTTY Client In Full Screen Mode

Following are the two methods to launch PuTTY client in full screen mode.

Method 1: When the PuTTY client session is running, right mouse-click on the window title and select ‘Full Screen’ (or)

Method 2: Launch PuTTY -> Select a Session -> Click on Load. From left side tree menu click on Window -> Behavior. On the right panel, click on the check-box where it says “Full Screen on Alt Enter” as shown below.

Fig: Press Alt-Enter for PuTTY Full Screen

After this change, when the PuTTY terminal session is running, press Alt Key + Enter Key to run that particular PuTTY session in full screen.

PuTTY Trick 8: Launch PuTTY Window Maximized by Default

By default when you launch any PuTTY terminal session, it runs in the normal window size. Sometimes you may prefer it to start in a maximized mode. Follow the steps mentioned below.

  • Create a new PuTTY Windows shortcut.
  • Right mouse-click on this Windows shortcut and select Properties.
  • Click on the Run drop-down list and select ‘Maximized’ as shown below.
  • Now, anytime you use this PuTTY shortcut to launch any session, it will be displayed in maximized mode by default.

Fig: Open PuTTY in Maximum Window Size

PuTTY Trick 9. Move PuTTY sessions to another computer

PuTTY stores all the session information in Windows registry. On the source machine, export the PuTTY session registry information as shown below.

C:> regedit /e "%userprofile%\desktop\putty-registry.reg" HKEY_CURRENT_USER\Software\Simontatham

Transfer this putty-registry.reg file from source machine to destination machine.

On the destination machine, import the PuTTY SSH session registry by right-clicking on putty-registry.reg and clicking ‘Merge’. This will transfer all the PuTTY session information from one Windows system to another.

Fig: Transfer Windows PuTTY Registry to another computer

PuTTY Trick 10: Launch Most frequently Used PuTTY Session Quickly

To launch a most frequently used PuTTY session quickly, follow the steps below.

  • Create a new PuTTY Windows shortcut.
  • Rename this shortcut to your favorite name. For example, dev-db.
  • Right mouse-click on this shortcut and select Properties.
  • In the Target field, append “-load putty-session-name” at the end, as shown below.
  • Now, anytime you click on the dev-db Windows shortcut, it will automatically launch the dev-db PuTTY session.

Fig: Launch PuTTY session with one click from command line

Sunday, June 13, 2010

Communication between Iplanet webserver and weblogic Appserver 6


I can give you all the information that you need. We are currently using IPlanet webserver as a proxy for static data (HTML, PDF, images, etc.) while all other requests are routed to weblogic and handled by the application server.


First, you will need to install IPlanet webserver. Let's say that you have IPlanet running at the following address: http://andromeda:8080, and, let's say that you have a WL managed server at http://orion:9027, on which your application is currently deployed and running.

You need to configure IPlanet with the correct plugin. If you are running IPlanet on UNIX, then find the file named "libproxy.so" in your WL installation (It's there, just look for it). If you are running IPlanet on Windows, then you will need a file named "proxy36.dll", which does not come with WL 6, but I have it, and I can email it to you (It's only about 500K).

Anyway, when you get either file, copy it to the following directory...

[Iplanet-root]/server4/plugins/lib

Now, go to the "config" directory of your Iplanet webserver (not the admin server), and open the file named "obj.conf". At the top of the file where there are "Init" commands, add the following two lines....

Init fn="load-modules" shlib="[full-path-to-plugin-file]" funcs="wl_proxy,wl_init"
Init fn="wl_init"

Make sure you specify the full path to the plugin file for [full-path-to-plugin-file].

At the bottom of the file, add the following...

# Restored: the page's HTML rendering dropped the <Object> wrapper around this
# Service line that the text below refers to (its "name" attribute and the
# "/MYAPP" pattern). The ppath value is assumed from that description.
<Object name="myApp" ppath="*/MYAPP/*">
Service fn="wl_proxy" WebLogicHost="orion" WebLogicPort="9027"
</Object>

This tells Iplanet how to route requests to Weblogic based on the "MYAPP" pattern. All URIs starting with "/MYAPP" are handled by this configuration.


Hold that thought for one moment, you need to also set up a static folder for your application on IPlanet. Create a directory called "myApp" (this must match the name specified above for the "name" attribute), at the following location...

[Iplanet-root]/server4/docs/

You can create additional folders under the "myApp" directory to accommodate different types of static data, such as an "images" directory for images.

Keep in mind that IPlanet will automatically forward a request to Weblogic provided that the request URI starts with the pattern that matched the "ppname" attribute above; therefore, all requests must start with "/MYAPP/*".