Archive for the ‘ RHEL ’ Category

How to install webpasswordsafe 1.3 WAR on Centos 6

Here’s a quick howto on installing web password safe on CentOS 6 with tomcat.

Prerequiste:

You’ll need to have JAVA setup correctly with JCE installed and I assume that Tomcat is already installed. You can consult both documentation I wrote :

Howto install JDK 7 with JCE

Howto install Tomcat 7 on centos 6

I will describe the steps I took, feel free to tell me if there’s something to fix, it’s possible your setup is slightly different..

  • Install your CentOS with at least those package/group @Base, mysql-server2 and mysql-connector-java.noarch
    • Don’t forget to run mysql_secure_installation and change the root password..

 

  • Not sure on this one, because my system is kickstarted and automatically added to the repo, but you’ll probably need the EPEL repository ( rpm -Uhv http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm )

 

 

Now we’ll copy the MySQL JDBC driver to our Tomcat Install if it’s not already done:

# ls -lah /opt/apache-tomcat-7.0.53/lib/*mysql*

If you see a file there, skip the copy, you already have the JDBC driver installed.

# cp /usr/share/java/mysql-connector-java.jar /opt/apache-tomcat-7.0.53/lib/

Now we will create the database needed by passwordsafe and the user it will use to connect, plus the permission.

# mysql -u root -p
 mysql> create database webpasswordsafe;
 mysql> create user wps@localhost identified by 'PUT_A_SAFE_PASSWORD_HERE';
 mysql> grant all privileges on webpasswordsafe.* to wps@localhost;
 mysql> grant usage on webpasswordsafe.* to wps@localhost;
 mysql> flush privileges;
 mysql> exit

Now we will deploy the WAR for the first time, and configure some settings:

Stop tomcat if it run:

# /etc/init.d/tomcat-webpasswordsafe stop

Copy the WAR in the webapp directory of your tomcat install and we will rename it:

# cp -ar webpasswordsafe-sample-1.3.war /opt/webpasswordsafe/catalina_base/webapps/
# mv webpasswordsafe-sample-1.3.war webpasswordsafe-1.3.war

Start Tomcat:

# /etc/init.d/tomcat-webpasswordsafe start

Now let’s configure few basics settings:

Set a new secret key at encryptor.jasypt.password

# cd /opt/webpasswordsafe/catalina_base/webapps/webpasswordsafe-1.3
# vim WEB-INF/encryption.properties

Edit the config to access the database:

# vim WEB-INF/jdbc.properties
 set db user key
 jdbc.username=wps
 jdbc.password=HERE_YOU_PASTE_THE_NOT_SO_SAFE_PASSWORD_YOU_PROBABLY_CHOOSE

 uncomment mysql config:
 # MySQL/MariaDB settings
 hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
 jdbc.driverClassName=com.mysql.jdbc.Driver
 jdbc.url=jdbc:mysql://localhost:3306/webpasswordsafe
 jdbc.validationQuery=select 1

Now restart Tomcat and we’ll see if everything work:

# /etc/init.d/tomcat-webpasswordsafe restart

Normally at this point you should be able to access the web interface via http://your-hostname-or-ip:8080/webpasswordsafe-1.3/

If you are using the default LocalAuthenticator the user/pass are: admin/admin

That’s it for the install, check the Admin Guide for more informations regarding all the different options available in the config files.. I will probably add another post to cinfigure the LDAP connector and other features.

 

Be sure to setup a SSL connection if you want to use this in production… You don’t want to access your password manager via http… You are gonna store all your password there, doublecheck EVERYTHING, root password, MySQL, SSL, ensure that you have the minimum service running on this host, iptables and SELinux enabled could be a great idea.

 

Note:

Howto install java JDK 7 on CentOS 6 with Java Cryptography Extension (JCE) enabled ready for Tomcat

This installation of java is for people who want to install java and use it with tomcat or any other app that don’t require the java bin to be in the $PATH…

 

Download the latest JDK 7 release: http://java.sun.com/javase/downloads/index.jsp

If you need to install the JCE, download it: Other Downloads -> Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. If you don’t know what JCE is, the chance are you won’t need it..

Untar the archive and move it to /opt

# tar -xzvf jdk-7u51-linux-x64.gz
# mv jdk-7u51-linux-x64 /opt/

If you downloaded the JCE, unzip it. We’ll need to overwrite the default file. We’ll backup the file before..

# mv /opt/jdk1.7.0_51/jre/lib/security/local_policy.jar /opt/jdk1.7.0_51/jre/lib/security/local_policy.jar.orig
# mv /opt/jdk1.7.0_51/jre/lib/security/US_export_policy.jar /opt/jdk1.7.0_51/jre/lib/security/US_export_policy.jar.orig
# unzip UnlimitedJCEPolicyJDK7.zip
# cp UnlimitedJCEPolicy/*.jar /opt/jdk1.7.0_51/jre/lib/security/

 

And voila!

 

 

Howto Install Tomcat 7 clean on Centos 6

Prerequisite: you need to have a working copy of Java installed. See my post about installing Java on CentOS 6 Here.

You’ll see that Tomcat is installed in /opt and every single application will use it’s own catalina_home, this is in place to separate different install and simplify the update process, same thing for java, if a single war don’t support a new version of tomcat, you can upgrade by application, changing only the symbolic link..

 

The user will use uid 5007, it’s a standard uid of the tomcat user where I work.

useradd -u 5007 -s /sbin/nologin -c "Tomcat" _tomcat

Download the latest tarball and extract it to /opt

tar xzvf apache-tomcat-7.0.53.tar.gz -C /opt
ln -s /opt/apache-tomcat-7.0.53 /opt/tomcat-webpasswordsafe

We will now create the catalina_home base config

cd /opt
mkdir -p webpasswordsafe/catalina_base
cd webpasswordsafe/catalina_base
mkdir bin conf logs webapps work temp
chown _tomcat logs webapps work temp

Now we’ll create setenv.sh where the java_home will be set:

vim /opt/webpasswordsafe/catalina_base/bin/setenv.sh

Point the JAVA_HOME variable to your java home, if you have followed my howto on java it should look like this…

JAVA_HOME=/opt/java-webpasswordsafe

Copy the server.xml and web.xml to our catalina_base, the default should be ok:

cp /opt/apache-tomcat-7.0.53/conf/server.xml /opt/webpasswordsafe/catalina_base/conf/
cp /opt/apache-tomcat-7.0.53/conf/web.xml /opt/webpasswordsafe/catalina_base/conf/

We will now give the files the right ownership:

chmod -R 644 /opt/webpasswordsafe/catalina_base/conf/*
chown -R _tomcat._tomcat /opt/webpasswordsafe/catalina_base/

Create the init script used to start tomcat.

You’ll have to adjust the variable CATALINA_BASE, CATALINA_HOME and SVC_SCRIPT to reflect your installation if it’s not the same as mine.

vim /etc/init.d/tomcat-webpasswordsafe
#!/bin/bash
#
# Init file for buildserver tomcat
#
# chkconfig: 35 99 10
# description: BuildServer Tomcat
#

# source function library
. /etc/rc.d/init.d/functions

RETVAL=0
prog="tomcat pour le gestionnaire de password"

SVC_SCRIPT=/opt/tomcat-webpasswordsafe/bin/catalina.sh
SVC_START_ARGS="start"
SVC_STOP_ARGS="stop"
SVC_USER="_tomcat"

ECHO=/bin/echo
SUDO=/usr/bin/sudo
RUNUSER=/sbin/runuser

# Toute la config et les apps sont deployees dans ce repertoire
export CATALINA_BASE=/opt/webpasswordsafe/catalina_base
# Le repertoire ou tomcat est vraiment installe
export CATALINA_HOME=/opt/tomcat-webpasswordsafe


start()
{
 $ECHO -n $"Starting $prog: "
 # On utilise runuser au lieu de daemon() car daemon clear l'environnement... need CATALINA_*
 $RUNUSER -s /bin/bash -m -c "$SVC_SCRIPT $SVC_START_ARGS" "$SVC_USER" && success || failure
 RETVAL=$?
}

stop()
{
 $ECHO -n $"Stopping $prog: "
 $SVC_SCRIPT $SVC_STOP_ARGS && success || failure
 RETVAL=$?
}


case "$1" in
 start)
 start
 ;;
 stop)
 stop
 ;;
 restart)
 stop
 start
 ;;
 *)
 echo $"Usage: $0 {start|stop|restart}"
 RETVAL=1
esac
exit $RETVAL

Give the right permissions to the files:

chmod +x /etc/init.d/tomcat-webpasswordsafe

Enable the service to start at boot:

chkconfig tomcat-webpasswordsafe on

Let’s try this!

Start tomcat with the init script we’ve just created:

/etc/init.d/tomcat-passwordsafe start

You can take a look at the log to see if everything is ok.

tail -f /opt/webpasswordsafe/catalina_base/logs/catalina.out

If you see something similar to INFO: Server startup in 33397 ms, your installation is fine you can go ahead and put your war file in the webapp directory in catalina_home.

 

Let me know what you think and if you have problem I’ll be glad to help you, but this is pretty straight forward!

Howto update / change hostname of a system using RHEL/Centos in RHN, Satellite or Spacewalk

Today I had to update a system profile in RHN. The system is a RHEL 4 and was added to RHN few years ago and the hostname had changed since then. You can change the system name in RHN but you cannot change the hostname or the ipaddress. I just wanted to share with everyone how to update the RHN profile of a host.

Once your hostname is changed, you just have to execute this command:

# up2date --hardware

If you are using spacewalk and CentosOS6/RHEL6 you’ll see that up2date is not there anymore. You’ll need to have the rhn tool installed and sync the profile with:

# rhn-profile-sync

And voila, you should see the updated hostname on RHN/Spacewalk/Satellite.

@++