Channel: Oracle SOA

Switching the JVM JDK from Sun JDK to Oracle JRockit JDK and vice versa

A JDK JVM is selected during the domain creation. Sometimes it is required to change the JDK from Sun to Oracle JRockit or Oracle JRockit to Sun Hotspot. In this blog I will go through the steps for switching from Sun to Oracle JRockit. Similar steps are required while switching from Oracle JRockit to Sun JDK.

Step#1 - Download the latest version of Oracle JRockit from the Oracle site. (I have downloaded p17852847_2831_Linux-x86-64.zip from oracle.support.com)

Step#2 - Copy this zip on your server and unzip it to the desired location.

Step#3 - If you have downloaded .bin file then follow below steps:
  • Give executable rights to .bin file (chmod a+x  <jrockit_bin_file>)
  • Execute the bin file (./<jrockit_bin_file>)
Step#4 - Bring down complete domain ( Admin + Managed Servers). If you are using nodemanager to start servers, then bring down nodemanagers too on their respective machines.

Step#5 - Modify commEnv.sh file @$WLS_HOME/common/bin
Search for line similar to below in commEnv.sh (Actual value of JAVA_HOME will be different in your environment)
JAVA_HOME="/apps/oracle/jdk/jdk1.6.0_45"
now replace the Sun JAVA_HOME with Oracle JRockit JAVA_HOME
JAVA_HOME="/apps/oracle/jdk/jrockit-jdk1.6.0_71"

Step#6 - Modify setDomainEnv.sh file @$DOMAIN_HOME/bin
Search for line similar to below in setDomainEnv.sh
BEA_JAVA_HOME="/apps/oracle/jdk/jdk1.6.0_45"
now replace the Sun JAVA_HOME with Oracle JRockit JAVA_HOME
BEA_JAVA_HOME="/apps/oracle/jdk/jrockit-jdk1.6.0_71"

Step#7 - Modify config.xml file @$DOMAIN_HOME/config
Search for all occurrence of line similar to below in config.xml
<java-home>/apps/oracle/jdk/jdk1.6.0_45</java-home>
now replace the Sun JAVA_HOME with Oracle JRockit JAVA_HOME
<java-home>/apps/oracle/jdk/jrockit-jdk1.6.0_71</java-home>

Step#8 - Modify nodemanager.properties file @$WLS_HOME/common/nodemanager
Update javaHome & JavaHome with the correct JDK as below
javaHome=/apps/oracle/jdk/jrockit-jdk1.6.0_71
JavaHome=/apps/oracle/jdk/jrockit-jdk1.6.0_71/jre

Step#9 - Delete tmp & cache folder for admin and managed servers.

Step#10 - Start NodeManager, Admin Server and Managed Servers.
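Before restarting in Step#10 it is worth confirming that none of the four files edited in Steps 5-8 still points at the old JDK. The script below is an added example, not part of the original post; the function names and the constructed sample files are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: list JDK paths in the files from Steps 5-8 that do not match
# the JDK you switched to. File locations are passed in by the caller.

# Print "key path" for every JDK setting found in one of the four files.
jdk_settings() {
    case "$(basename "$1")" in
    commEnv.sh|setDomainEnv.sh)
        # Only literal assignments such as JAVA_HOME="/apps/..." are matched
        sed -n \
            -e 's|^[[:space:]]*\(BEA_JAVA_HOME\)="\{0,1\}\(/[^"$]*\)"\{0,1\}[[:space:]]*$|\1 \2|p' \
            -e 's|^[[:space:]]*\(JAVA_HOME\)="\{0,1\}\(/[^"$]*\)"\{0,1\}[[:space:]]*$|\1 \2|p' "$1" ;;
    config.xml)
        sed -n 's|.*<java-home>\([^<]*\)</java-home>.*|java-home \1|p' "$1" ;;
    nodemanager.properties)
        # JavaHome points at <jdk>/jre, so drop a trailing /jre before comparing
        sed -n 's|^\([jJ]avaHome\)=\(.*\)$|\1 \2|p' "$1" | sed 's|/jre/*$||' ;;
    esac
}

# Print one line per setting whose path differs from the expected JDK home.
# Usage: jdk_mismatches <expected JAVA_HOME> <file>...
jdk_mismatches() {
    expected=$1
    shift
    for f in "$@"; do
        settings=$(jdk_settings "$f")
        if [ -z "$settings" ]; then
            printf '%s: no JDK setting found\n' "$f"
            continue
        fi
        printf '%s\n' "$settings" | while read -r key path; do
            [ "$path" = "$expected" ] || printf '%s: %s=%s\n' "$f" "$key" "$path"
        done
    done
}

# Constructed sample domain: one <java-home> in config.xml was missed.
make_sample_domain() {
    d=$(mktemp -d)
    new=/apps/oracle/jdk/jrockit-jdk1.6.0_71
    printf 'JAVA_HOME="%s"\n' "$new" > "$d/commEnv.sh"
    printf 'BEA_JAVA_HOME="%s"\n' "$new" > "$d/setDomainEnv.sh"
    printf 'javaHome=%s\nJavaHome=%s/jre\n' "$new" "$new" > "$d/nodemanager.properties"
    printf '<java-home>%s</java-home>\n<java-home>/apps/oracle/jdk/jdk1.6.0_45</java-home>\n' \
        "$new" > "$d/config.xml"
    printf '%s\n' "$d"
}

sample=$(make_sample_domain)
jdk_mismatches /apps/oracle/jdk/jrockit-jdk1.6.0_71 \
    "$sample/commEnv.sh" "$sample/setDomainEnv.sh" \
    "$sample/config.xml" "$sample/nodemanager.properties"
rm -rf "$sample"
```

On a real domain, pass the actual files under $WLS_HOME/common/bin, $DOMAIN_HOME/bin, $DOMAIN_HOME/config and $WLS_HOME/common/nodemanager; no output means every setting matches.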
                  

Configuring LDAP with Jenkins

Recently my colleague faced an issue while trying to integrate LDAP with Jenkins. Even though lots of material is available online, he was not able to do it. The steps were clear in the various documents available on the internet, but somehow it was not working for his installed Jenkins version 1.575.
I followed an almost similar approach but with a little twist at the end (while providing values in the textbox) which worked for us. I am documenting the steps below hoping it may help others who are facing a similar issue.

Pre-requisite:-

No#1 - You must have Jenkins installed and running
No#2 - Details of LDAP server [ I integrated with OVD (Oracle Virtual Directory) which in turn connects to LDAP & AD ]
***Below values structure may vary in your environment***
-- OVD URL - ldap://hostname.mycompany.com:3389
-- Admin User DN - uid=jenkinsadmin,ou=Application Admin,o=mycompany.com (This user is required by Jenkins to connect to OVD)
-- User DN - uid=shantans,ou=Internal,o=mycompany.com (This is one of the many users who will access Jenkins once it is authenticated by LDAP/AD.)


Step#1 - Login onto Jenkins console using the in-built admin user

Step#2 - Navigate to "Manage Jenkins" --> "Configure Global Security"

Step#3 - Select the radio button for LDAP under security realm

Step#4 - For the textbox of "Server" copy the OVD URL. Click on "Advanced"

Step#5 - Now populate other text box with below information:-

root DN: o=mycompany.com
(Root DN is the name of your organization and is represented in DN as value of 'o'. So for my user "uid=shantans,ou=Internal,o=mycompany.com", my root DN is "o=mycompany.com")

User search base: ou=internal
(User search base is the branch under root DN "o=mycompany.com", where the user will be searched. So for my user "uid=shantans,ou=Internal,o=mycompany.com", it appears in "ou=internal" under root DN)

User search filter: uid={0}
Group search base: ou=groups
Group search filter:
Group membership filter:
(Keep above values as it is. If you need access for particular group then you have to provide value for Group search filter and Group membership filter. Otherwise you can leave it blank as above)

Manager DN: uid=jenkinsadmin,ou=Application Admin,o=mycompany.com
Manager Password: password
(Manager DN is the admin user, mainly an application user, which gives Jenkins connectivity to LDAP)

Click "Save"

Now logout and try to login with any user available in LDAP.

Hope this will help you. Let me know if you face any issue or it has helped you fix your connectivity issue.
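The way the form values combine can be checked outside Jenkins: the user search base is taken relative to the root DN, and {0} in the user search filter is replaced by the login name. The script below is an added example, not part of the original post; the function names are assumptions, the subtree scope in check_login is assumed, and the login name is escaped per RFC 4515 so that characters such as * or ( cannot alter the filter.

```bash
#!/bin/bash
# Added example: compose the base DN and filter from the Jenkins form values
# so they can be tried with ldapsearch before being saved.

# Escape characters that are special in an LDAP search filter (RFC 4515).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Effective search base: "<user search base>,<root DN>", or the root DN alone.
# $1 = user search base (may be empty), $2 = root DN
search_base() {
    if [ -n "$1" ]; then
        printf '%s,%s' "$1" "$2"
    else
        printf '%s' "$2"
    fi
}

# Replace the first {0} in the filter template with the escaped login name.
# $1 = user search filter, $2 = login name
search_filter() {
    placeholder='{0}'
    case $1 in
    *"$placeholder"*) ;;
    *) echo "filter has no {0} placeholder" >&2; return 1 ;;
    esac
    prefix=${1%%"$placeholder"*}
    suffix=${1#*"$placeholder"}
    filter=$prefix$(ldap_escape "$2")$suffix
    case $filter in
    "("*) printf '%s' "$filter" ;;
    *)    printf '(%s)' "$filter" ;;
    esac
}

# Bind as the manager account and search for one login; -W prompts for the
# manager password so it never appears on the command line.
# $1 = server URL, $2 = manager DN, $3 = root DN, $4 = user search base,
# $5 = user search filter, $6 = login name
check_login() {
    ldapsearch -x -H "$1" -D "$2" -W -s sub \
        -b "$(search_base "$4" "$3")" "$(search_filter "$5" "$6")" dn
}

# Values from the post; prints what would be searched without contacting a server.
printf 'base:   %s\n' "$(search_base 'ou=internal' 'o=mycompany.com')"
printf 'filter: %s\n' "$(search_filter 'uid={0}' 'shantans')"
```

If check_login returns exactly one dn for a known user, the same root DN, search base and filter should work in the Jenkins form.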

My tips for 1Z0-133 - Oracle WebLogic Server 12c: Administration I

Last week I cleared my "1Z0-133 - Oracle WebLogic Server 12c: Administration I" certification. Just like other Oracle certification exams, this exam was also tricky. The easier the question, the harder to answer... phew. So I am sharing my tips that will help you get a better idea of this certification and may contribute to your success.

How was the certification exam?
     The certification exam was a mix of questions based on theoretical concepts, case studies, keen observation of WebLogic etc. There was a good percentage of easy questions, but to pass the exam you need to make sure you answer the difficult questions correctly. There were 77 questions and the passing mark was 64%.

What were the important topics covered?
     A good number of questions were on new features of WebLogic 12c, so I would suggest having a good understanding of them. There were questions based on basic concepts of WebLogic which we tend to skip very often ;-) Install a WebLogic environment and do some hands-on work before attempting the exam. It is a must because there were questions based on case studies which cannot be answered merely by going through theoretical concepts.

Which study material to refer?
      I mainly referred to Oracle documentation for covering various topics. However, I found Oracle WebLogic Server 12c Administration Handbook by Sam R. Alapati very useful. I would suggest going through the complete book to score well in the certification exam.

All the Best for your Certification Exam!!


BEA-000297 Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate

Error -

After importing new certificate in keystore, weblogic server starts throwing below error.

<Jun 3, 2015 3:37:48 PM PDT >
<Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
<Jun 3, 2015 3:37:48 PM PDT> <Error><Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "Cannot convert identity certificate".
>

Reason -

The new certificates issued nowadays use the SHA2 hash algorithm. SHA2 is stronger than SHA1 and generates a longer hash. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. The default SSL implementation in WebLogic (Certicom SSL) cannot handle more than 128-bit.

Solution -

If you are using WebLogic 10.3.2 or lower, you must first upgrade to WebLogic 10.3.3 or higher (ideally, you should upgrade to WebLogic 10.3.6 as there are some SHA2 bug fixes that are included in WebLogic 10.3.6).  If you are unable to upgrade, then you will need to switch to a SHA1 certificate.

If you are using WebLogic 10.3.3 or higher, then use the following steps to enable JSSE SSL which trusts stronger certificates such as SHA2.
    a. Log in to your WebLogic admin console
    b. From left menu, choose Environment -> Servers -> SOA_MngdSvr1
    c. Click the 'Configuration' tab and 'SSL' subtab
    d. Go to bottom of page and click the 'Advanced' hyperlink
    e. Click the 'Lock & Edit' button on top left menu
    f. Go to bottom of page and check "Use JSSE SSL"
    g. Click "Save"
    h. Click 'Activate Changes'

Restart the servers for the change to take effect.
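To see which entries in the identity keystore are SHA-2 signed, the "Signature algorithm name" lines of a verbose keytool listing can be summarised per alias. The script below is an added example, not part of the original post; the function name and the abbreviated, constructed sample listing are assumptions for illustration.

```bash
#!/bin/bash
# Added example: summarise the signature hash of every certificate in a
# "keytool -list -v" listing as "alias<TAB>algorithm<TAB>family".

keystore_sig_algs() {
    awk '
        /^Alias name:/ {
            alias = $0
            sub(/^Alias name:[ \t]*/, "", alias)
        }
        /^Signature algorithm name:/ {
            alg = $0
            sub(/^Signature algorithm name:[ \t]*/, "", alg)
            sub(/[ \t].*$/, "", alg)      # drop trailing notes some JDKs append
            low = tolower(alg)
            if (low ~ /sha(224|256|384|512)/) fam = "sha2"
            else if (low ~ /sha1/)            fam = "sha1"
            else if (low ~ /md5/)             fam = "md5"
            else                              fam = "unknown"
            # For a certificate chain, one line is printed per certificate
            printf "%s\t%s\t%s\n", alias, alg, fam
        }'
}

# Constructed, abbreviated sample of "keytool -list -v" output (not real data).
SAMPLE_LISTING='Alias name: oldcert
Entry type: trustedCertEntry
Owner: CN=old.mycompany.com
Signature algorithm name: SHA1withRSA

Alias name: mysoacert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=soa.mycompany.com
Signature algorithm name: SHA256withRSA'

printf '%s\n' "$SAMPLE_LISTING" | keystore_sig_algs
```

Against a real keystore, run `keytool -list -v -keystore mykeystore.jks | keystore_sig_algs`; any alias reported as sha2 needs the JSSE setting described above.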

BASH Script to convert certificates, import & export it to keystore

Doing repetitive tasks is always boring, and for a system administrator they come up very often. Almost every month I have to perform tasks involving keystores and certificates in one environment or another.
So to make it easier, I have written a shell script that will do it for me. It is written based on my needs. Anyone can use it as it is or modify it based on their requirements.
This is the first version and not very well tested, so you may have hiccups in using it. Do let me know about them and I will fix them. I will also keep updating it based on the feedback that I get from my team.

What does this script do?
This script performs the below operations:
  • To convert certificate into pem
  • To convert certificate into p12
  • To import certificate into keystore
  • To export certificate from keystore
  • To delete certificate from keystore
I always suggest using PEM while performing any operations related to certificates. The best way is to convert .p7b to .pem format so that the complete certificate chain is included. This is what I prefer :)
#!/bin/bash
echo "============================================"
echo "Press 1: To convert certificate into pem"
echo "Press 2: To convert certificate into p12"
echo "Press 3: To import certificate into keystore"
echo "Press 4: To export certificate from keystore"
echo "Press 5: To delete certificate from keystore"
echo "============================================"
echo "Enter your choice (1-5)"
read -r input

## Strip blank lines and the subject=/issuer= lines openssl writes around each certificate
clean_pem() {
        sed -i -e '/^$/d' -e '/^subject/d' -e '/^issuer/d' "$1"
}

## Exit with a non-zero status if file $2 is not present in directory $1
require_file() {
        if [ ! -f "$1/$2" ]
        then
                echo "$2 not found!!"
                exit 1
        fi
}

## Convert certificate $1 located in directory $2 into <name>.pem
## Sets result=5 when the file extension is not supported
convert_cert() {
        filename=$1
        path=$2
        ## Extract input file extension
        ext=${filename##*.}
        ## Strip only the last extension, so soa.mycompany.com.cer gives soa.mycompany.com
        name=${filename%.*}
        if [ "$ext" == 'p7b' ] || [ "$ext" == 'pem' ] || [ "$ext" == 'cer' ] || [ "$ext" == 'crt' ] || [ "$ext" == 'der' ]
        then
                ## Check if file exists
                echo "File to convert is at $path/$filename"
                if [ ! -f "$path/$filename" ]
                then
                        echo "File not found!!"
                        exit 1
                fi
                ## Convert file into pem
                echo "Converting into pem..."
                echo "Extension of the file is $ext"
                if [ "$ext" == 'cer' ] || [ "$ext" == 'der' ] || [ "$ext" == 'crt' ]; then
                        ## A file that parses as DER is converted, anything else is treated as Base64 (PEM) already
                        if openssl x509 -in "$path/$filename" -inform der -noout &> /dev/null; then
                                openssl x509 -in "$path/$filename" -inform der -out "$path/$name.pem"
                                clean_pem "$path/$name.pem"
                        else
                                cp "$path/$filename" "$path/$name.pem"
                        fi
                        echo "$name.pem generated!!"
                elif [ "$ext" == 'p7b' ]; then
                        ## p7b can be DER or Base64 encoded; -print_certs writes out the whole chain
                        if openssl pkcs7 -in "$path/$filename" -inform der -noout &> /dev/null; then
                                openssl pkcs7 -print_certs -in "$path/$filename" -inform der -out "$path/$name.pem"
                        else
                                openssl pkcs7 -print_certs -in "$path/$filename" -out "$path/$name.pem"
                        fi
                        clean_pem "$path/$name.pem"
                        echo "$name.pem generated!!"
                else
                        echo "This certificate is already in .pem format"
                fi
        else
                echo "Please provide a certificate in .p7b or .cer or .crt or .der"
                result=5
        fi
}

if [ "$input" == 1 ]
then
        echo "Enter file name"
        read -r filename
        echo "Enter path"
        read -r path
        convert_cert "$filename" "$path"
elif [ "$input" == 2 ]; then
        echo "Enter location of key & certificate"
        read -r path
        echo "Enter certificate file name"
        read -r filename
        name=${filename%.*}
        echo "Enter key file name"
        read -r keyfilename
        echo "Enter Passphrase/Password"
        ## Not passed to openssl, which prompts for the export password itself
        read -r passphrase
        require_file "$path" "$keyfilename"
        result=1
        convert_cert "$filename" "$path" > /dev/null
        if [ "$result" == 5 ] ; then
                echo "Please provide a certificate in .p7b or .cer or .crt or .der"
                exit 1
        fi
        echo "Generating p12 file $result"
        echo "openssl pkcs12 -export -in $path/$name.pem -inkey $path/$keyfilename -out $path/$name.p12"
        openssl pkcs12 -export -in "$path/$name.pem" -inkey "$path/$keyfilename" -out "$path/$name.p12"
elif [ "$input" == 3 ]; then
        echo "Enter location of certificate"
        read -r path
        echo "Enter certificate file name"
        read -r filename
        echo "Enter alias name for the certificate"
        read -r alias
        echo "Enter location of keystore"
        read -r kpath
        echo "Enter keystore file name"
        read -r kfilename
        echo "Enter keystore password"
        read -r kpswd
        require_file "$path" "$filename"
        require_file "$kpath" "$kfilename"
        result=1
        convert_cert "$filename" "$path" > /dev/null
        if [ "$result" == 5 ] ; then
                echo "Please provide a certificate in .p7b or .cer or .crt or .der"
                exit 1
        fi
        echo "Importing certificate into keystore"
        ## The keystore password is masked in the echoed command
        echo "keytool -importcert -alias $alias -file $path/$filename -keystore $kpath/$kfilename -storepass ********"
        keytool -importcert -alias "$alias" -file "$path/$filename" -keystore "$kpath/$kfilename" -storepass "$kpswd"
elif [ "$input" == 4 ]; then
        echo "Enter location for exported certificate"
        read -r path
        echo "Enter certificate file name for the exported certificate"
        read -r filename
        echo "Enter alias name of the certificate to be exported"
        read -r alias
        echo "Enter location of keystore"
        read -r kpath
        echo "Enter keystore file name"
        read -r kfilename
        echo "Enter keystore password"
        read -r kpswd
        require_file "$kpath" "$kfilename"
        echo "Exporting certificate from keystore"
        echo "keytool -exportcert -alias $alias -file $path/$filename.cer -keystore $kpath/$kfilename -storepass ********"
        keytool -exportcert -alias "$alias" -file "$path/$filename.cer" -keystore "$kpath/$kfilename" -storepass "$kpswd"
elif [ "$input" == 5 ]; then
        echo "Enter alias name of the certificate to be deleted"
        read -r alias
        echo "Enter location of keystore"
        read -r kpath
        echo "Enter keystore file name"
        read -r kfilename
        echo "Enter keystore password"
        read -r kpswd
        require_file "$kpath" "$kfilename"
        echo "Deleting $alias certificate from keystore"
        echo "keytool -delete -alias $alias -keystore $kpath/$kfilename -storepass ********"
        keytool -delete -alias "$alias" -keystore "$kpath/$kfilename" -storepass "$kpswd"
else
        echo "Incorrect choice!!"
fi
Save it as certificate.sh.
Give the required permission to the file
$ chmod a+x certificate.sh

Now let's do the test run :)

Test 1:- Convert Base64Encoded certificate
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
1
Enter file name
Base64Encoded.cer
Enter path
.
File to convert is at ./Base64Encoded.cer
Converting into pem...
Extension of the file is cer
Base64Encoded.pem generated!!

Test 2:- Convert DER Encoded certificate
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
1
Enter file name
DEREncoded.cer
Enter path
.
File to convert is at ./DEREncoded.cer
Converting into pem...
Extension of the file is cer
DEREncoded.pem generated!!

Test 3:- Convert p7b Encoded certificate
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
1
Enter file name
p7bEncoded.p7b
Enter path
.
File to convert is at ./p7bEncoded.p7b
Converting into pem...
Extension of the file is p7b
p7bEncoded.pem generated!!

Test 4:- Convert certificate into p12
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
2
Enter location of key & certificate
.
Enter certificate file name
soa.mycompany.com.cer
Enter key file name
soa.mycompany.com.key
Enter Passphrase/Password
changeit
Generating p12 file 1
Enter Export Password:
Verifying - Enter Export Password:

Test 5:- Import certificate in keystore
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
3
Enter location of certificate
.
Enter certificate file name
soa.mycompany.com.cer
Enter alias name for the certificate
mysoacert
Enter location of keystore
.
Enter keystore file name
mykeystore.jks
Enter keystore password
changeit
Importing certificate into keystore
.
.
Trust this certificate? [no]:  yes
Certificate was added to keystore

Test 6:- Export certificate from keystore
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
4
Enter location for exported certificate
.
Enter certificate file name for the exported certificate
myexportedcertificate
Enter alias name of the certificate to be exported
mysoacert
Enter location of keystore
.
Enter keystore file name
mykeystore.jks
Enter keystore password
changeit
Exporting certificate from keystore
Certificate stored in file <./myexportedcertificate.cer>

Test 7:- Delete certificate from keystore
$ ./certificate.sh
============================================
Press 1: To convert certificate into pem
Press 2: To convert certificate into p12
Press 3: To import certificate into keystore
Press 4: To export certificate from keystore
Press 5: To delete certificate from keystore
============================================
Enter your choice (1-5)
5
Enter alias name of the certificate to be deleted
mysoacert
Enter location of keystore
.
Enter keystore file name
mykeystore.jks
Enter keystore password
changeit
Deleting mysoacert certificate from keystore


Display Weblogic Server Instances running on a machine

This shell script will display all the instances of Weblogic server (Admin & Managed Servers) running on any physical or virtual machine. This will capture the username which initiated the weblogic instance, PID of the weblogic instance and domain name of the weblogic instance.
The output format will look as below:
******************************************************************************
   User    |    PID      |   Server Name       |          Domain Name
******************************************************************************
   oracle  | 2239       | AdminServer         | /soa/data/domains/OSB_DEV1
   oracle  | 18406     | AdminServer         | /soa/data/domains/UTIL_DEV1
   oracle  | 23326     | OSB_MngdSvr1     | /soa/data/domains/OSB_DEV1
   oracle  | 23888     | BAM_MngdSvr1     | /soa/data/domains/UTIL_DEV1
   oracle  | 23889     | B2B_MngdSvr1      | /soa/data/domains/UTIL_DEV1
   oracle  | 23953     | JMS_MngdSvr1      | /soa/data/domains/UTIL_DEV1

The BASH Shell script to get this output:

#!/bin/bash
regex="^([a-zA-Z]*)\s+([0-9]*)\s[0-9]* .*-Dweblogic\.Name=([a-zA-Z0-9_]*).*\s-Ddomain\.home=([a-zA-Z0-9_\.\/]*).*weblogic\.Server$"
javap=`ps -ef | grep -v grep | grep weblogic.Server`
IFS=$'\n'
echo "******************************************************************************"
printf "   User    |    PID   |   Server Name   |             Domain Name\n"
echo "******************************************************************************"
for jp in $javap
do
if [[ $jp =~ $regex ]]; then
        n=${#BASH_REMATCH[*]}
        #echo "${BASH_REMATCH[1]} | ${BASH_REMATCH[2]} | ${BASH_REMATCH[3]}    | ${BASH_REMATCH[4]}"
        printf "%+10s | %-8s | %-15s | %-30s\n" ${BASH_REMATCH[1]} ${BASH_REMATCH[2]} ${BASH_REMATCH[3]} ${BASH_REMATCH[4]}
fi
done

How to tune JVM CMS GC to decrease CPU hike, Full GC and pause time

JVM GC tuning is the first tuning all system/application administrators perform to improve system performance. Tuning is a gradual process. You cannot magically improve the performance of your application/system within a day.

JVM GC tuning is a very important part of the tuning exercise and needs to be done whenever you observe a change in the workload profile of your JVM. I am giving here an idea of the CMS (Concurrent Mark Sweep) collector of the HotSpot JVM.

Before going into the details, we must understand what is CMS Garbage Collector and how it works.

A CMS Garbage Collector is non-compacting low-latency collector. Below are the phases of a CMS concurrent collection.

1. Initial Mark: This is a stop-the-world phase hence all application threads are stopped. All the reachable live objects associated with stopped application threads are marked during this phase.

2. Concurrent Mark: During this concurrent phase, all application threads are restarted. Using the object references collected during "Initial Mark" phase, all other reference/live objects are identified.

3. Pre-cleaning Phase: This is an optimization phase in which changes to object references made by the application threads during the "Concurrent Mark" phase are identified. This is required as objects which were referred by say thread A during "initial mark" phase, may have been changed and are now referred by say thread B. These changes identified during this phase are then used to update the results from "Concurrent Mark" phase.

4. Remark Phase: This is a stop-the-world phase. CMS must stop all the application threads in this phase and then catch up with the changes the application has gone through. This step is essential so as to avoid collecting any objects that are still referenced.

5. Sweep Phase: During this concurrent phase, all non-referenced objects (i.e. dead objects)  are removed from the heap.

6. Reset Phase: In this concurrent phase, CMS does some housekeeping work so that it is ready for the next Garbage Collection cycle.

Now we know how CMS GC works. It's time to see how to use it in a real-world scenario. First, here is the initial heap setting that I had in my environment.


-d64 -server -Xms6g -Xmx6g -XX:SurvivorRatio=6 -XX:PermSize=256m -XX:MaxPermSize=1024m -Xmn3686m -XX:NewSize=3686m -XX:MaxNewSize=3686m -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled

Even though I was using CMS GC, I was not using it properly. As you can see from the below screenshots that I captured using JConsole
 


In above screenshot, it is evident that CPU utilization was very high.


In this screenshot, the pause time is huge and the number of full GC is high too.
 
So to fix this, I added a few new parameters and updated a few existing parameters as below.


-d64 -server -Xms6g -Xmx6g -XX:SurvivorRatio=8 -XX:PermSize=256m -XX:MaxPermSize=1024m -Xmn2048m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+ScavengeBeforeFullGC -XX:+CMSClassUnloadingEnabled



Now let's understand these parameters.

-Xmn - This parameter defines the size of the young generation. I recommend keeping this value between 30%-35% of the total heap size (i.e. -Xmx). Keep -Xmx & -Xms the same.

-XX:+UseParNewGC - Enables the use of the modified parallel throughput collector in the young generation.

-XX:CMSInitiatingOccupancyFraction - Set the percentage of the heap that must be full before the JVM starts a concurrent collection in the tenured/old generation.

-XX:+UseCMSInitiatingOccupancyOnly - Enables the feature that all concurrent CMS cycles should start based on  -XX:CMSInitiatingOccupancyFraction=75

-XX:+ScavengeBeforeFullGC - Enables the feature that forces a young generation collection before starting a new CMS cycle or before a full GC is attempted

I hope that after making the suggested changes, you will also experience an improvement in performance. Do share your experience in the comment section below.


[EPM HYPERION 11.1.2.4] A 'Not Found' error occurred communicating with the server

ERROR:

After doing fresh installation and setup of EPM 11.1.2.4, getting below error when login on WORKSPACE.

A 'Not Found' error occurred communicating with the server.

 URI: http://localhost:19000/raframework/conf/ToolsConfig.xml

 Status: 404 - Not Found

 Content: text/html; charset=iso-8859-1
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p>The requested URL /raframework/conf/ToolsConfig.xml was not found.</p>
 </body></html>

CAUSE:

OHS is not aware of context "raframework", hence it does not know where to forward the request.

SOLUTION:

Add the context to mod_wl_ohs.conf file as below:


cd $FMW_HOME/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component
cp  mod_wl_ohs.conf mod_wl_ohs.conf.01282016
vi mod_wl_ohs.conf
Add below snippet at the end:--
<LocationMatch ^/raframework>
    SetHandler weblogic-handler
    WeblogicCluster localhost:9000
    WLIOTimeoutSecs 6000
    Idempotent OFF
    WLSocketTimeoutSecs 600
</LocationMatch>

Restart OHS:
cd $FMW_HOME/user_projects/epmsystem1/httpConfig/ohs/bin
./opmnctl stopall
./opmnctl startall


Try to login again on workspace.

Connection Factory in Weblogic adapter disappear



Issue: Connection Factory in Weblogic adapter disappear

Description: When I am trying to create a new connection factory, it disappears when the adapter is updated and changes are activated in the weblogic console.

Error Message: In Admin log below message is seen
JNDI lookup of 'eis/DB/SOAXACP' failed due to: While trying to lookup 'eis.DB/SOAXACP' didn't find subcontext 'eis'. Resolved ''
javax.naming.NameNotFoundException: While trying to lookup 'eis.DB/SOAXACP' didn't find subcontext 'eis'. Resolved ''; remaining name 'eis/DB/SOAXACP'
        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1224)
        at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:268)
        at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:217)
        at weblogic.jndi.internal.BasicNamingNode.lookupIgnorePartition(BasicNamingNode.java:1503)

Cause: The issue is caused due to Plan.xml. It is either corrupted or belongs to different adapter (i.e. using jms adapter plan.xml to save db adapter connection factory)

Solution: Create a new Plan.xml and then try to add the new connection factory to it.

Connect to MS SQL Database from Weblogic using Domain ID

MS SQL Database can be accessed using user domain id through Oracle Weblogic Server data source. This can be achieved using open source MS SQL driver JTDS. It can be downloaded from https://sourceforge.net/projects/jtds/files/jtds.

PRE-CONFIGURATION STEPS:-

  • Download the open source JDBC driver for Microsoft SQL Server.
  • Unzip the jtds-1.3.1-dist.zip 
  • Copy jtds-1.3.1.jar to $DOMAIN_HOME/lib
  • Restart the servers
CONFIGURATION STEPS:-

  • Click on "Lock & Edit" under "Change Center"
  • On the Home Page, Click on "Data Source" under "Services"
  • Under "Configuration" tab, Click on "New", select "Generic Data Source". Give the Name & JNDI Name. For Database Type, select "MS SQL Server". Click "Next"
 
  • Select "Other" for "Database Driver"
    Click "Next"

  • Select the "Transaction Options"
    Click "Next"
  • Provide "Database User Name" & "Password"
    Click "Next"

  • Driver Class Name: net.sourceforge.jtds.jdbc.Driver
    URL: jdbc:jtds:sqlserver://mysqldb.mycompany.com:1433/DB_NAME;domain=MYCOMPANY;USENTLMV2=TRUE
    Click on "Test Configuration"
    Click "Next"

  • Select Targets
    Click "Finish"

OEM 13c : Error Occurred: WebTier Could Not Be Started.


Error Message on starting OMS:

 $ ./emctl start oms

Oracle Enterprise Manager Cloud Control 13c Release 2

Copyright (c) 1996, 2016 Oracle Corporation. All rights reserved.

Starting Oracle Management Server...

WebTier Could Not Be Started.

Error Occurred: WebTier Could Not Be Started.

What does the log emctl.log say?

[Thread-2] INFO  commands.BaseCommand run.605 - log4j:WARN No appenders could be found for logger (emctl.secure.oms.AdminCredsWalletUtil).

[Thread-2] INFO  commands.BaseCommand run.605 - log4j:WARN Please initialize the log4j system properly.

[Thread-1] INFO  commands.BaseCommand run.605 - Failed to get passwords from credential store

[Thread-1] INFO  commands.BaseCommand run.605 - Exception:  java.io.IOException  value:  java.io.IOException

 What is the health or status of emkey?
$ ./emctl status emkey

Oracle Enterprise Manager Cloud Control 13c Release 2

Copyright (c) 1996, 2016 Oracle Corporation.  All rights reserved.

Enter Enterprise Manager Root (SYSMAN) Password :

Error occurred. Check the log /app/oracle/gc_inst/em/EMGC_OMS1/sysman/log/secure.log

Hmm, the emkey health is not good. What does secure.log say now?

Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!

        at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:292)

        at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:317)

        at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:262)

What does this error message suggest?

"Jurisdiction policy files" suggests that something is wrong with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

What to do?

First check the Java version, then download and copy the matching policy files.
$ $JDK_HOME/bin/java -version
java version "1.7.0_111"
Java(TM) SE Runtime Environment (build 1.7.0_111-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.111-b13, mixed mode)



and then copy the jars below

US_export_policy.jar
local_policy.jar

to $JDK_HOME/jre/lib/security

 

Restart OMS Server
./emctl start oms

 

HOW TO: Setup Beeline on linux for connecting to remote instance of Hive using Kerberos

To set up the connectivity, you have to download binaries that are required for a successful connection. These binaries can be downloaded from below links:

After downloading the tar files, extract them using below commands:

tar -xvzf hadoop-2.5.1.tar.gz
tar -xvzf apache-hive-1.2.1-bin.tar.gz

Folder Structure:
Let's say you extracted the tar files @/home/user/beeline. At this path, two new folders will get created hadoop-2.5.1 and apache-hive-1.2.1-bin.  Now also extract JRE here. Also, create two empty folders "conf" and "bin".
So your directory structure is now:


/home/user/beeline
/home/user/beeline/hadoop-2.5.1
/home/user/beeline/apache-hive-1.2.1-bin
/home/user/beeline/jre
/home/user/beeline/conf
/home/user/beeline/bin

setEnv.sh File:
Create setEnv.sh file and save it inside "bin" folder. Paste below content inside it:

export HADOOP_HOME=/home/user/beeline/hadoop-2.5.1
export HIVE_HOME=/home/user/beeline/apache-hive-1.2.1-bin
export JAVA_HOME=/home/user/beeline/jre
PATH=$PATH:$HIVE_HOME/bin:$JAVA_HOME/bin
export HADOOP_OPTS="$HADOOP_OPTS -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=/home/user/beeline/conf/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/home/user/beeline/conf/jaas.conf"

jaas.conf File:

Create and save jaas.conf file under conf folder

Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
useTicketCache=true;
};

krb5.conf File:

Create and save krb5.conf File under conf folder. Modify this file as per your environment.

[logging]
default = FILE:~/krb5libs.log
kdc = FILE:~/krb5kdc.log
admin_server = FILE:~/kadmind.log
kdc_rotate = {"period"=>"1d", "versions"=>200}
admin_server_rotate = {"period"=>"1d", "versions"=>201}

[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    renew_lifetime = 30d
    ticket_lifetime = 30d
    renewable = yes
    service = yes
    kdc_timeout = 5000
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1
    allow_weak_crypto = yes
    udp_preference_limit = 1

[realms]
  DOMAIN.COM = {
     kdc = kdcserver.domain.com:88
     default_domain  = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[appdefaults]
  pam = {
      debug = false
      forwardable = true
      renew_lifetime = 36000
      ticket_lifetime = 36000
      krb4_convert = false
    }

Source file & generate kerberos ticket:
source /home/user/beeline/bin/setEnv.sh
kinit -kt <Location of keytab file>/krbuser.keytab <SPN> (The "krb5-workstation" rpm is required to run the kinit command.)
klist (To check if the ticket is generated successfully.)

Connect to Hive instance:
beeline -u "JDBC URL"

 beeline -u "jdbc:hive2://<hive hostname>.domain.com:10000/;principal=hive/<hive hostname>.domain.com@DOMAIN.COM"
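
The krb5.conf above sets allow_weak_crypto = yes and lists single-DES and RC4 (arcfour) encryption types next to AES. The script below is an added example, not part of the original post: it audits the [libdefaults] section of a krb5.conf for those settings. The function names and the WEAK/LEGACY labels are this example's own, and the sample file is a constructed excerpt of the configuration above.

```shell
#!/bin/sh
# Added example, not from the original post: flag weak-crypto settings in the
# [libdefaults] section of a krb5.conf.
#   WEAK   = single-DES or export-grade enctypes, or allow_weak_crypto enabled
#   LEGACY = RC4 (arcfour) and triple-DES enctypes
# The WEAK/LEGACY labels and the function names are this example's own.

audit_krb5_conf() {
    # $1 = path to krb5.conf. Prints "<line>: <LEVEL> <detail>" per finding.
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    {
        line = trim($0)
        c = substr(line, 1, 1)
        if (line == "" || c == "#" || c == ";") next
        if (c == "[") { section = line; next }       # header may be indented
        eq = index(line, "=")
        if (section != "[libdefaults]" || eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        if (key == "allow_weak_crypto" && tolower(val) ~ /^(y|yes|t|true|on|1)$/)
            printf "%d: WEAK allow_weak_crypto is enabled\n", NR
        if (key ~ /^(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)$/) {
            n = split(val, e, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                t = tolower(e[i])
                if (t == "des" || t ~ /^des-/ || t ~ /-exp$/)
                    printf "%d: WEAK %s lists %s\n", NR, key, t
                else if (t ~ /^(arcfour|rc4|des3)/)
                    printf "%d: LEGACY %s lists %s\n", NR, key, t
            }
        }
    }' "$1"
}

count_findings() {
    # $1 = WEAK or LEGACY, $2 = path to krb5.conf. Prints the number of findings.
    audit_krb5_conf "$2" | awk -v level="$1" '$2 == level { n++ } END { print n + 0 }'
}

write_sample_krb5_conf() {
    # $1 = output path. Constructed excerpt of the krb5.conf shown in the post.
    cat > "$1" <<'EOF'
# constructed sample for the audit example
[libdefaults]
    default_realm = DOMAIN.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1
    allow_weak_crypto = yes
[realms]
  DOMAIN.COM = {
     kdc = kdcserver.domain.com:88
    }
EOF
}

# Demo: audit the constructed sample and print every finding.
demo_conf=$(mktemp)
write_sample_krb5_conf "$demo_conf"
audit_krb5_conf "$demo_conf"
rm -f "$demo_conf"
```

A file that lists only AES enctypes and leaves allow_weak_crypto off produces no output.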


Ansible Installation using non-root user on Linux


Install required RPMs:

yum install gcc*

yum install zlib

yum install zlib-devel

yum install perl

yum install libffi-*


Install OpenSSL using source code:

Download OpenSSL and unzip it. 

Change directory to openssl and execute the below commands.

$ cd openssl-1.1.1i

$ ./config --prefix=/app/openssl --openssldir=/app/openssl

Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1i (0x1010109fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************


$ make prefix=/app/openssl

.

.

.

chmod a+x tools/c_rehash

/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \

"-oMakefile" util/shlib_wrap.sh.in > "util/shlib_wrap.sh"

chmod a+x util/shlib_wrap.sh

make[1]: Leaving directory `/app/software/openssl-1.1.1i'

rm -f test/x509aux

${LDCMD:-gcc} -pthread -m64 -Wa,--noexecstack -Wall -O3 -L. \

-o test/x509aux test/x509aux.o \

test/libtestutil.a -lcrypto -ldl -pthread

make[1]: Leaving directory `/app/software/openssl-1.1.1i'


$ make install prefix=/app/openssl


.


.


.

/app/openssl/share/doc/openssl/html/man7/des_modes.html

/app/openssl/share/doc/openssl/html/man7/evp.html

/app/openssl/share/doc/openssl/html/man7/ossl_store-file.html

/app/openssl/share/doc/openssl/html/man7/ossl_store.html

/app/openssl/share/doc/openssl/html/man7/passphrase-encoding.html

/app/openssl/share/doc/openssl/html/man7/proxy-certificates.html

/app/openssl/share/doc/openssl/html/man7/scrypt.html

/app/openssl/share/doc/openssl/html/man7/ssl.html

/app/openssl/share/doc/openssl/html/man7/x509.html


$ export LD_LIBRARY_PATH=/app/openssl/lib

$ export PATH=/app/openssl/bin:$PATH


Install Python using source code:

$ cd /app/software/Python-3.9.1/Modules

Update openssl location in Setup file as shown below

$ vi Setup

#SSL=/usr/local/ssl
SSL=/app/openssl
_ssl _ssl.c \
    -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
    -L$(SSL)/lib -lssl -lcrypto


$ cd ..

$ ./configure --prefix=/app/python --with-openssl=/app/openssl

.

.

.

checking whether compiling and linking against OpenSSL works... no

checking for --with-ssl-default-suites... python

checking for --with-builtin-hashlib-hashes... md5,sha1,sha256,sha512,sha3,blake2

configure: creating ./config.status

config.status: creating Makefile.pre

config.status: creating Misc/python.pc

config.status: creating Misc/python-embed.pc

config.status: creating Misc/python-config.sh

config.status: creating Modules/ld_so_aix

config.status: creating pyconfig.h

creating Modules/Setup.local

creating Makefile

If you want a release build with all stable optimizations active (PGO, etc),

please run ./configure --enable-optimizations


$ make

Python build finished successfully!

The necessary bits to build these optional modules were not found:

_bz2 _curses _curses_panel

_dbm _gdbm _lzma

_sqlite3 _tkinter _uuid

readline

To find the necessary bits, look in setup.py in detect_modules() for the module's name.

The following modules found by detect_modules() in setup.py, have been

built by the Makefile instead, as configured by the Setup files:

_abc _ssl atexit

pwd time

running build_scripts

copying and adjusting /app/software/Python-3.9.1/Tools/scripts/pydoc3 -> build/scripts-3.9

copying and adjusting /app/software/Python-3.9.1/Tools/scripts/idle3 -> build/scripts-3.9

copying and adjusting /app/software/Python-3.9.1/Tools/scripts/2to3 -> build/scripts-3.9

changing mode of build/scripts-3.9/pydoc3 from 644 to 755

changing mode of build/scripts-3.9/idle3 from 644 to 755

changing mode of build/scripts-3.9/2to3 from 644 to 755

renaming build/scripts-3.9/pydoc3 to build/scripts-3.9/pydoc3.9

renaming build/scripts-3.9/idle3 to build/scripts-3.9/idle3.9

renaming build/scripts-3.9/2to3 to build/scripts-3.9/2to3-3.9

gcc -pthread -Xlinker -export-dynamic -o Programs/_testembed Programs/_testembed.o libpython3.9.a -lcrypt -lpthread -ldl -lutil -lm -L/app/openssl/lib -lssl -lcrypto -lm

sed -e "s,@EXENAME@,/app/python/bin/python3.9,"< ./Misc/python-config.in >python-config.py

LC_ALL=C sed -e 's,\$(\([A-Za-z0-9_]*\)),\$\{\1\},g'< Misc/python-config.sh >python-config


$ make install prefix=/app/python

Looking in links: /tmp/tmpxpcao9pg

Processing /tmp/tmpxpcao9pg/setuptools-49.2.1-py3-none-any.whl

Processing /tmp/tmpxpcao9pg/pip-20.2.3-py2.py3-none-any.whl

Installing collected packages: setuptools, pip

WARNING: The script easy_install-3.9 is installed in '/app/python/bin' which is not on PATH.

Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

WARNING: The scripts pip3 and pip3.9 are installed in '/app/python/bin' which is not on PATH.

Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

Successfully installed pip-20.2.3 setuptools-49.2.1


Update .bashrc and add Python path:

export LD_LIBRARY_PATH=/app/openssl/lib

export PATH=/app/openssl/bin:/app/python/bin:$PATH


Download and install below python modules:

Install setuptools

$ cd setuptools-53.0.0

$ python3 setup.py install --prefix=/app/python/


Install pycryptodome

$ cd pycryptodome-3.9.9

$ python3 setup.py install --prefix=/app/python/


Install pycparser

$ cd pycparser-2.20

$ python3 setup.py install --prefix=/app/python/


Install cffi

$ cd cffi-1.14.4

$ python3 setup.py install --prefix=/app/python/


Install pyparsing

$ cd pyparsing-2.4.7

$ python3 setup.py install --prefix=/app/python/


Install packaging

$ cd packaging-20.9

$ python3 setup.py install --prefix=/app/python/


Install setuptools_scm

$ cd setuptools_scm-5.0.1

$ python3 setup.py install --prefix=/app/python/


Install wheel

$ cd wheel-0.36.2

$ python3 setup.py install --prefix=/app/python/


Install toml

$ cd toml-0.10.2

$ python3 setup.py install --prefix=/app/python/


Install semantic_version

$ cd semantic_version-2.8.5

$ python3 setup.py install --prefix=/app/python/


Install setuptools_rust

$ cd setuptools-rust-0.11.6

$ python3 setup.py install --prefix=/app/python/


Install MarkupSafe

$ pip3 install MarkupSafe-1.1.1-cp39-cp39-manylinux2010_x86_64.whl


Install pyYAML

$ pip3 install PyYAML-5.4.1-cp39-cp39-manylinux1_x86_64.whl


Install Jinja2

$ pip3 install Jinja2-2.11.3-py2.py3-none-any.whl


Install cryptography

$ pip3 install cryptography-3.4.2-cp36-abi3-manylinux2014_x86_64.whl


Install ansible-base

$ cd ansible-base-2.10.5

$ python3 setup.py install --prefix=/app/python/

Using /app/python/lib/python3.9/site-packages

Finished processing dependencies for ansible-base==2.10.5


Install ansible

$ cd ansible-2.10.6

$ python3 setup.py install --prefix=/app/python/

Using /app/python/lib/python3.9/site-packages

Finished processing dependencies for ansible==2.10.6


Install six

$ cd six-1.15.0

$ python3 setup.py install --prefix=/app/python/


Install ntlm_auth

$ cd ntlm-auth-1.5.0

$ python3 setup.py install --prefix=/app/python/


Install certifi

$ cd certifi-2020.12.5

$ python3 setup.py install --prefix=/app/python/


Install urllib3

$ cd urllib3-1.26.3

$ python3 setup.py install --prefix=/app/python/


Install idna

$ cd idna-2.10

$ python3 setup.py install --prefix=/app/python/


Install chardet

$ cd chardet-4.0.0

$ python3 setup.py install --prefix=/app/python/


Install requests

$ cd requests-2.25.1

$ python3 setup.py install --prefix=/app/python/


Install requests_ntlm3

$ cd requests_ntlm3-6.1.3b1

$ python3 setup.py install --prefix=/app/python/


Install requests_ntlm

$ cd requests_ntlm-1.1.0

$ python3 setup.py install --prefix=/app/python/


Install xmltodict

$ cd xmltodict-0.12.0

$ python3 setup.py install --prefix=/app/python/


Install pywinrm

$ cd pywinrm2-0.0.0

$ python3 setup.py install --prefix=/app/python/


$ ansible --version

ansible 2.10.5

config file = None

configured module search path = ['/home/cipamgr/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']

ansible python module location = /app/python/lib/python3.9/site-packages/ansible_base-2.10.5-py3.9.egg/ansible

executable location = /app/python/bin/ansible

python version = 3.9.1 (default, Feb 9 2021, 00:46:54) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
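
Every "python3 setup.py install" above runs the setup code shipped inside a manually downloaded archive. The script below is an added example, not part of the original post, that checks the downloaded archives against a pinned SHA-256 manifest before anything is installed. The archive file names, the manifest name SHA256SUMS and the function names are assumptions, and the demo files are constructed stand-ins, not the real packages.

```shell
#!/bin/sh
# Added example (not from the original post): check downloaded archives
# against a pinned SHA-256 manifest before any "setup.py install" runs.
# Manifest format is the one sha256sum writes: "<hex digest>  <file name>".

verify_archives() {
    # $1 = directory holding the archives, $2 = manifest file.
    # Prints one status line per file. Returns 0 only when every pinned
    # archive is present and matches, and no unpinned archive sits in $1.
    va_dir=$1 va_manifest=$2 va_rc=0
    while read -r va_want va_name; do
        case $va_want in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$va_dir/$va_name" ]; then
            echo "MISSING  $va_name"; va_rc=1; continue
        fi
        va_got=$(sha256sum "$va_dir/$va_name" | awk '{print $1}')
        if [ "$va_got" = "$va_want" ]; then
            echo "OK       $va_name"
        else
            echo "MISMATCH $va_name"; va_rc=1
        fi
    done < "$va_manifest"
    # An archive that is not in the manifest was never reviewed: reject it too.
    for va_f in "$va_dir"/*.tar.gz "$va_dir"/*.zip "$va_dir"/*.whl; do
        [ -f "$va_f" ] || continue
        va_base=${va_f##*/}
        if ! awk -v n="$va_base" '$2 == n { hit = 1 } END { exit !hit }' "$va_manifest"; then
            echo "UNLISTED $va_base"; va_rc=1
        fi
    done
    return "$va_rc"
}

make_demo_dir() {
    # $1 = existing directory. Constructed stand-ins, not the real archives:
    # the contents are "abc" and the empty string, so the pinned digests are
    # the well-known SHA-256 test values for those inputs.
    printf 'abc' > "$1/six-1.15.0.tar.gz"
    : > "$1/idna-2.10.tar.gz"
    cat > "$1/SHA256SUMS" <<'EOF'
# constructed manifest for the demo
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  six-1.15.0.tar.gz
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  idna-2.10.tar.gz
EOF
}

# Demo: a clean directory passes, a modified archive is rejected.
demo=$(mktemp -d)
make_demo_dir "$demo"
verify_archives "$demo" "$demo/SHA256SUMS"
printf 'tampered' >> "$demo/six-1.15.0.tar.gz"
verify_archives "$demo" "$demo/SHA256SUMS" || echo "verification failed, not installing"
rm -rf "$demo"
```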


Powershell Useful Commands


Import Web Admin Module

Import-Module WebAdministration

Default IIS Log Directory

(Get-WebConfigurationProperty '/system.applicationHost/sites/siteDefaults' -Name 'logfile.directory').Value

Get All Websites on The IIS

PS>Get-WebSite

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
mypool           2    Stopped    E:\mypool                      http *:80:
                                                                https *:443: sslFlags=0
mypoolpoc        3    Started    e:\mypoolPoc                   http *:80:

OR

# To show configured IIS sites:

# -----------------------------------------------------------------------------

Get-ChildItem IIS:\Sites

Stop Website

PS> Stop-WebSite -Name "mysite"


Start Website

PS> Start-WebSite -Name 'mysite'


Invoke URL

PS>Invoke-WebRequest -URI http://localhost


Telnet

PS> Test-NetConnection <SERVERNAME> -Port <PORT>


Tail File

PS> Get-Content .\error.log -Tail 2 -Wait


Last 10 reboot

PS> Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074, 6005, 6006, 6008} -MaxEvents 8 | Format-Table -wrap


Install IIS Server

Install-WindowsFeature -name Web-Server -IncludeManagementTools


IIS Server Version

Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\ | Select-Object

[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\system32\notepad.exe").FileVersion

reg query HKLM\SOFTWARE\Microsoft\InetStp\


Windows Server

(Get-WmiObject -class Win32_OperatingSystem).Caption

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"


Share Folder with Multiple Users

net share GlobalScape=E:\Globalscape /grant:"DOMAIN\ADGROUP",FULL  /grant:"DOMAIN\USERNAME",FULL


Get Permission on the Folder

Get-SmbShareAccess -Name "Globalscape"

(Get-Acl -Path \\HOSTNAME\GLOBALSCAPE).Access | Format-Table -AutoSize


Change Permission on the Folder

(Get-ACL -Path .\Certificates\).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

$ACL = Get-ACL -Path ".\Certificates"

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("username","FullControl","Allow")

$ACL.SetAccessRule($AccessRule)

$ACL | Set-Acl -Path ".\Certificates"

(Get-ACL -Path ".\Certificates").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize


Remove Permission on the Folder

$ACL = Get-Acl -Path ".\sample.txt"

$ACL.SetAccessRuleProtection($true,$false)

$ACL | Set-Acl -Path ".\sample.txt"

(Get-ACL -Path ".\sample.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

$ACL = Get-ACL -Path ".\sample.txt"

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Allow")

$ACL.RemoveAccessRule($AccessRule)

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","Allow")

$ACL.RemoveAccessRule($AccessRule)

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users","ReadAndExecute, Synchronize","Allow")

$ACL.RemoveAccessRule($AccessRule)

$ACL | Set-Acl -Path ".\sample.txt"

(Get-ACL -Path ".\sample.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

$ACL = Get-ACL -Path ".\sample.txt"

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","Allow")

$ACL.RemoveAccessRule($AccessRule)

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users","ReadAndExecute, Synchronize","Allow")

$ACL.RemoveAccessRule($AccessRule)

$ACL | Set-Acl -Path ".\sample.txt"

(Get-ACL -Path ".\sample.txt").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize


Unzip the .zip file:

PS E:\Program Files\Java> Expand-Archive -Force jdk1.8.0_271.zip .\jre-8u271-windows-x64.tar\


Get Powershell Version

Get-Host | Select-Object Version


RAM Size

([Math]::Round(((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory/1GB),0))


CPU

Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Number*


Show Certificates

Get-ChildItem -Path Cert:\LocalMachine\Root


Import Certificates

Import-Certificate -FilePath "E:\Maintenance\wsctt.pem" -CertStoreLocation Cert:\LocalMachine\Root


Delete Service

(Get-Service).where({$_.Name -like 'wpnuserservice*'}) | Select-Object -Property *

$service = Get-WmiObject -Class Win32_Service -Filter "Name='servicename'"

$service.delete()


Get IIS Application Pool Identity Account Passwords in Clear Text

Method#1:

Get-CimInstance -Namespace root/MicrosoftIISv2 -ClassName IIsApplicationPoolSetting -Property Name, WAMUserName, WAMUserPass | select Name, WAMUserName, WAMUserPass

If this errors out, then run

Add-WindowsFeature Web-WMI | Format-List


Method#2:

$appPools = Get-WebConfiguration -Filter '/system.applicationHost/applicationPools/add'
foreach($appPool in $appPools)
{
    if($appPool.ProcessModel.identityType -eq "SpecificUser")
    {
        Write-Host $appPool.Name -ForegroundColor Green -NoNewline
        Write-Host " -"$appPool.ProcessModel.UserName"="$appPool.ProcessModel.Password
    }
}


Install Module Offline

On Local Machine:

Save-Module IISAdministration -Path \\HOSTNAME\E$\Maintenance -Repository PSGallery

On Server:

cd "C:\Program Files\WindowsPowerShell\Modules"

Copy-Item E:\Maintenance\IISAdministration -Destination .\ -Recurse

Import-Module IISAdministration

Get-Module IISAdministration


Test HTTPS URL

Enable TLS1.2

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


Ignore Certificate

if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {
        public static void Ignore()
        {
            if(ServicePointManager.ServerCertificateValidationCallback ==null)
            {
                ServicePointManager.ServerCertificateValidationCallback +=
                    delegate
                    (
                        Object obj,
                        X509Certificate certificate,
                        X509Chain chain,
                        SslPolicyErrors errors
                    )
                    {
                        // Accepts every server certificate, whatever the validation errors
                        return true;
                    };
            }
        }
    }
"@
    Add-Type $certCallback
 }
# Disables certificate validation for all later requests made by this PowerShell process
[ServerCertificateValidationCallback]::Ignore()


Execute the command

Invoke-WebRequest -URI https://localhost:8443 -UseBasicParsing


Get AppPool Recycling Settings

$ConfigSection = Get-IISConfigSection -SectionPath "system.applicationHost/applicationPools"
$SitesCollection = Get-IISConfigCollection -ConfigElement $ConfigSection
$Site = Get-IISConfigCollectionElement -ConfigCollection $SitesCollection -ConfigAttribute @{"name" = "myapppool"}
$recycling = Get-IISConfigElement -ConfigElement $Site -ChildElementName "recycling"
$flags = $recycling.Attributes["logEventOnRecycle"].Value

$onRecycle = @{
    'Time' = [bool]($flags -band 1) # Specific Time
    'Requests' = [bool]($flags -band 2) # Request Limit Exceeded
    'Schedule' = [bool]($flags -band 4) # Regular Time Interval
    'Memory' = [bool]($flags -band 8) # Virtual Memory Limit Exceeded
    'IsapiUnhealthy' = [bool]($flags -band 16) # Isapi Reported Unhealthy
    'OnDemand' = [bool]($flags -band 32) # Manual Recycle
    'ConfigChange' = [bool]($flags -band 64) # Application Pool Configuration Changed
    'PrivateMemory' = [bool]($flags -band 128) # Private Memory Limit Exceeded
}
$onRecycle


Find files modified in last 21 days

$days_to_check=$(Get-Date).AddDays(-21)

Get-ChildItem E:\Inetpub\*.* -Recurse | where { $_.LastWriteTime -gt $days_to_check } | Foreach {
    "File Name: " + $_.Name
}


Web Module Installed on IIS

PS> Get-WebGlobalModule


Get Scheduled Task Details

PS> Get-ScheduledTask -TaskName VU* | Format-Table State, TaskName, Triggers

State TaskName               Triggers
----- --------               --------
Ready VU_AUTO_FileXfer_Daily {MSFT_TaskDailyTrigger}

PS> Get-ScheduledTask -TaskName VU* | Get-ScheduledTaskInfo | Format-Table TaskName, LastRuntime, NextRuntime

TaskName               LastRuntime           NextRuntime
--------               -----------           -----------
VU_AUTO_FileXfer_Daily 8/10/2021 12:00:00 PM 8/11/2021 12:00:00 PM
