20091222

MakeLDIF.jar

Yesterday I realized that I no longer remembered how to prepare an LDIF file. Not a simple LDIF with a few add/modify/delete records, but one generated with the SLAMD project's tool, MakeLDIF. As far as I remembered there used to be a MakeLDIF jar. There was, but there is not any more. It took a few moments before I found the solution. Here you go:

$ find . -name '*.jar' | grep -i make
$ cd tools/MakeLDIF
$ perl -pi -e 's/(^define suffix=).*/${1}o=ods/' example.template
$ perl -pi -e 's/(^define numusers)=.*/${1}=1000/' exa*
$ perl -pi -e 's/(^define maildomain)=.*/${1}=wisnios\.com/' exa*
$ head -3 exa*
define suffix=o=ods
define maildomain=wisnios.com
define numusers=1000
$ cd ..
$ ./make-ldif.sh -t MakeLDIF/example.template -o ~/ods1k.ldif
Processed 1000 entries
Processing complete.
1002 total entries written.

And the process view (from ps) of a similar command execution:

/usr/jdk/instances/jdk1.5.0/bin/java -server -Xms512m -Xmx512m com.slamd.tools.makeldif.MakeLDIF \
-r /export/home/slamd200-20090712/tools/MakeLDIF -t /tmp/ods.template -o /tmp/ods100k.ldif

Merry Xmas!

20091208

AIX stat equivalent


$ istat /usr/sbin/lsuser
Inode 115447 on device 10/5 File
Protection: r-xr-xr-x Set UID
Owner: 0(root) Group: 7(security)
Link count: 1 Length 84080 bytes

Last updated: Tue Dec 8 14:40:33 CST 2009
Last modified: Mon Mar 30 00:45:51 CDT 2009
Last accessed: Tue Dec 8 16:55:55 CST 2009


* lsuser hint
To display the attributes of all the users, use the ALL keyword:

$ lsuser ALL

20091124

Solaris ksh variations

Today I read, and in parallel discovered, that Solaris has three ksh variants.
Two of them are ksh88 and one is ksh93.

$ grep -i ver /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh:@(#)Version M-11/16/88i
/usr/xpg4/bin/sh:@(#)Version M-11/16/88i
/usr/dt/bin/dtksh:@(#)Version M-12/28/93d
/usr/dt/bin/dtksh:@(#)Version M-12/28/93
/usr/dt/bin/dtksh:@(#)Version 12/28/93

The standard one is /usr/bin/ksh, and /usr/xpg4/bin/sh is the POSIX-compliant variant of ksh88.
Both are components of the SUNWcsu (Core Solaris (Usr)) package.
dtksh comes from SUNWdtbas.

$ ls -li /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh
26709 -r-xr-xr-x 1 root bin 620144 Jan 23 2005 /usr/dt/bin/dtksh
1536 -r-xr-xr-x 1 root bin 171412 Aug 7 13:27 /usr/xpg4/bin/sh
$ file /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/xpg4/bin/sh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/dt/bin/dtksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped, no debugging information available

As you can already see in the ls -li listing, there are also three brothers-in-inode, three names hard-linked to one file:

# ls -li /usr/bin/*ksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/pfksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/rksh

It is the highest link count of all the Solaris shells (10u8, SUNWCall); second place goes to csh, with only two file names bound to its inode. The binary decides how to behave (restricted shell as rksh, profile shell as pfksh) from the name it was invoked under, which is why these are links rather than separate copies.

Fascinating.

20091122

Make yourself a package

In a world where Good Security Practices are becoming science fiction, there was an admin who wanted to train himself in Solaris packaging.
He wrote down the script which made his Lord the Legend ;-)
Now, let's shed some light on it.

The script takes the .ssh folder files of a specified user on the template machine and turns them into the .ssh folder of the root user on the target host. It also changes configuration inside /etc/default/login (CONSOLE) and /etc/ssh/sshd_config (PermitRootLogin); both have to change, because on Solaris sshd honours the CONSOLE restriction as well. Note that this is precisely the footprint of a backdoor: a root authorized_keys file plus remote root login switched on, delivered by a package whose scripts run as root. The VENDOR and DESC fields shown by pkginfo -l below are honest; a less friendly package would not be.
Do not try this at (production) home!

# ./rootbox.sh
Generating package files
prototype
pkginfo
checkinstall
postinstall
postremove
login.sed
sshd_config.sed
Making package MMWrootbox.1.0.i386.pkg [/tmp]
success
Translating package format to a datastream
success
# cd /tmp
# pkgadd -d MMWrootbox.1.0.i386.pkg

The following packages are available:
1 MMWrootbox Root box
(i386) 1.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance from

Root box(i386) 1.0
Marcin Marian Wisnios
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of [y,n,?] y

Installing Root box as

## Installing part 1 of 1.
/root/.ssh/authorized_keys
[ verifying class ]
Modifying /etc/default/login
Modifying /etc/ssh/sshd_config
[ verifying class ]
## Executing postinstall script.

Installation of was successful.
# date;svcs -x ssh| grep -i state
Sun Nov 22 08:50:57 CET 2009
State: online since Sun Nov 22 08:50:42 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
128c128
< PermitRootLogin without-password
---
> PermitRootLogin no
# diff /etc/default/login /tmp/rootbox.bak/login
18c18
< #CONSOLE=/dev/console
---
> CONSOLE=/dev/console
# pkginfo MMWrootbox
system MMWrootbox Root box
# pkginfo -l MMWrootbox
PKGINST: MMWrootbox
NAME: Root box
CATEGORY: system
ARCH: i386
VERSION: 1.0
BASEDIR: /
VENDOR: Marcin Marian Wisnios
DESC: Methods and keys to allow remote root user access
PSTAMP: 20091122085002
INSTDATE: Nov 22 2009 08:50
EMAIL: wisnios@gmail.com
STATUS: completely installed
FILES: 4 installed pathnames
2 shared pathnames
1 directories
3 blocks used (approx)

# pkgrm MMWrootbox

The following package is currently installed:
MMWrootbox Root box
(i386) 1.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package dependencies in global zone
## Processing package information.
## Removing pathnames in class
Modifying /etc/ssh/sshd_config
Modifying /etc/default/login
## Removing pathnames in class
/root/.ssh/authorized_keys
/root/.ssh
## Executing postremove script.
## Updating system information.

Removal of was successful.
# svcs -x ssh|grep -i state; date
State: online since Sun Nov 22 08:52:33 2009
Sun Nov 22 08:52:50 CET 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
# diff /etc/default/login /tmp/rootbox.bak/login


http://cs-tools.googlecode.com/files/rootbox.sh
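Since the package above switches on exactly the two settings an intruder would want, here is the check for them, as an added example in Python rather than anything from rootbox.sh: it parses a sshd_config and an /etc/default/login the way the daemons read them (the first PermitRootLogin line wins; a commented-out CONSOLE line counts as unset) and reports both. The two sample files are constructed to mirror the diffs shown above; on a real host pass /etc/ssh/sshd_config and /etc/default/login as arguments.

```python
"""Audit the two controls the rootbox package toggles: PermitRootLogin in
sshd_config and CONSOLE in /etc/default/login. Added example, not rootbox.sh."""
import re

# Constructed samples, shaped like the diffs above: the state after pkgadd.
SSHD_CONFIG_AFTER = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication yes
"""
LOGIN_AFTER = """\
# /etc/default/login (constructed sample)
TIMEOUT=300
#CONSOLE=/dev/console
PASSREQ=YES
"""
# The state after pkgrm, i.e. the originals restored.
SSHD_CONFIG_BEFORE = SSHD_CONFIG_AFTER.replace("PermitRootLogin without-password",
                                               "PermitRootLogin no")
LOGIN_BEFORE = LOGIN_AFTER.replace("#CONSOLE=", "CONSOLE=")


def parse_sshd_config(text):
    """Return {keyword_lower: value}, keeping the FIRST occurrence of each keyword,
    which is the one sshd honours."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf


def parse_default_login(text):
    """Return {KEY: value} for uncommented KEY=value lines. A commented-out
    CONSOLE line leaves CONSOLE absent, which is exactly the unsafe state."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_root_access(sshd_text, login_text):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    prl = parse_sshd_config(sshd_text).get("permitrootlogin")
    if prl is None:
        findings.append("sshd_config: PermitRootLogin not set, relying on the vendor default")
    elif prl.lower() != "no":
        findings.append("sshd_config: PermitRootLogin %s (remote root login enabled)" % prl)
    if "CONSOLE" not in parse_default_login(login_text):
        findings.append("/etc/default/login: CONSOLE unset (root may log in from any terminal)")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                          # real files: sshd_config login
        sshd_text = open(sys.argv[1]).read()
        login_text = open(sys.argv[2]).read()
    else:                                           # the constructed "after pkgadd" state
        sshd_text, login_text = SSHD_CONFIG_AFTER, LOGIN_AFTER
    for finding in audit_root_access(sshd_text, login_text) or ["OK: remote root login closed"]:
        print(finding)
```

Run it without arguments to see the two findings for the "after pkgadd" state; with the two real paths it audits the host.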

Enjoy.

20091028

Paranoid

So, have you ever seen the Solaris 10 boot process line by line?
I am not talking about the kernel's -m verbose mode, which only shows the particular SMF identifiers.
Have you ever wondered why the boot process hung, and what the cause was?

The Wisnios way is as follows.
I decided to replace the master restarter binary with a shell script that runs the real one under truss.

# mv /lib/svc/bin/svc.startd /lib/svc/bin/svc.startdd
# vi /lib/svc/bin/svc.startd


#!/bin/sh
truss -fa -t exec /lib/svc/bin/svc.startdd


# chmod 555 /lib/svc/bin/svc.startd
# chgrp sys /lib/svc/bin/svc.startd


You could also choose more verbose output by adding the -e switch to the truss command.
truss -f follows all fork/vfork children, -a shows the argument strings of exec() calls, and -e shows the environment variables (for example SMF_FMRI). Use -o /path/to/file to write the trace to a file rather than the restarter's standard error, and remember that the trace file grows with every service start.

Two caveats. First, keep the renamed original around and be ready to boot failsafe: if the wrapper script does not run, svc.startd never starts and the system does not boot. Second, you have just replaced a file delivered by the core OS package, so pkgchk -p /lib/svc/bin/svc.startd will complain until you put it back; do that as soon as you have your answer.

Other traces are limited by imagination only.

20090924

rmdom.pl

I've just started a Google Code project called cs-tools (Commandline Support Tools).
It will be a container for my set of scripts supporting the administration of Sun Java Communications Suite components.
Project Home: http://code.google.com/p/cs-tools/

There is also the first Perl program, rmdom.pl, which you can use to simplify the deletion and purge of a hosted domain.

Sample session:

# perl rmdom.pl
fe : frontend.localdomain
be : backend.localdomain
ldap: ldap.localdomain:389
%%%%%%%%%%%%%%%%%%%%%%%%%%
bind dn: cn=dirmgr
bind passwd:
domain: rmdom.pl
mail domain ok
cal domain ok
active users: 2
active groups: 1
are you sure (yes to confirm)? yes
domain deleted
domain purged

Enjoy.

20090922

DateTime set: Object cannot be written

Very recently (about fifteen minutes ago) I had to fix the time at the ELOM level of a Sun Fire X2200.
It couldn't be done there, because:

/SP/AgentInfo -> show

/SP/AgentInfo
Targets:
PEF
PET
SEL
console
mail
SNMP

Properties:
[...]
DateTime = 01/03/1970-02:56:23
[...]

/SP/AgentInfo -> set DateTime="09/22/2009-00:22:00"
set: Object cannot be written

So this is a place where ipmitool can be used.
ipmitool needs three kernel modules loaded (ipmi_msghandler is pulled in automatically as a dependency of the other two, as the lsmod output below shows):
* ipmi_si
* ipmi_devintf
* ipmi_msghandler

The time can be adjusted with the time arguments of ipmitool's sel (System Event Log) subcommand.
Sample Linux command line session:

# ipmitool sel time get
Could not open device at /dev/ipmi0 or /dev/ipmi/0: No such file or directory
Get SEL Time command failed
# lsmod | grep ipmi
# modprobe ipmi_devintf
# modprobe ipmi_si
# lsmod | grep ipmi
ipmi_si 57164 0
ipmi_devintf 20624 0
ipmi_msghandler 50680 2 ipmi_si,ipmi_devintf
# ipmitool sel time get
01/01/1970 22:07:22

# ipmitool sel time set "09/22/2009 00:22:00"

# ipmitool sel time get
09/22/2009 00:22:03

20090703

Arming Messaging Server

Today I have three recipes to curb unwanted malicious user activity.
All of them are mapping file rules.

First, I want to prohibit unauthenticated users from sending email as one of our own domains. The rule below matches unauthenticated port 25 (tcp_local) sessions; the $C$}$6,_canonical_name_{ part looks the sender's domain ($6) up in the hosted-domain map, and the $N rejection fires when that lookup succeeds. It goes in the FROM_ACCESS table:

TCP|*|25|*|*|SMTP*|*|tcp_local|*@*|* $C$}$6,_canonical_name_{$N$ -$ Authentication$ required$ when$ sending$ with$ this$ envelope$ sender$ domain$E


The second step is to block attempts at faking the envelope sender after a successful authentication
(for example with a stolen password, or a personal account used with bad intent).
I prepared suitable lines, again in the FROM_ACCESS table:

*|SMTP*|*|tcp_auth|*@*|*@$4* $Y
*|SMTP*|*|tcp_auth|*@*|*@* $N$_Sender$ address$ rejected$ for$ $4

It rejects the tcp_auth channel when the domain of the authenticated account differs from the domain of the envelope sender address. Note that this checks MAIL FROM, not the RFC 822 From: header; header spoofing needs a separate control.

The third method takes advantage of the check_metermaid.so library (included in the Messaging Server installation).
MeterMaid can be used to throttle aggressive use of the mail server.
I used two rules (to block them all ;-) ).
The first restricts the number of connections (15) per unit of time (60 s) from one client address ($3 in the PORT_ACCESS probe is the key).
It is assigned in the PORT_ACCESS table:

*|*|*|*|* $C$:A$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$3]$N421$ Connection$ declined$ at$ this$ time$E

The related thresholds are defined with the configutil command or by editing msg.conf:

metermaid.config.secret = [your shared secret to authenticate incoming connections]
metermaid.config.serverhost = [host name or ip address of your metermaid server]
metermaid.table.ext_throttle.data_type = string
metermaid.table.ext_throttle.options = nocase
metermaid.table.ext_throttle.quota = 15
metermaid.table.ext_throttle.quota_time = 60

Ex.

# configutil -o metermaid.config.serverhost -v somehost.somedomain
# configutil -o metermaid.config.secret -v somesecret
and so on...

ext_throttle is the name you give the throttling table; it must be the same in the mappings and msg.conf files.

The second rule restricts the total number of recipients a user may send to, keyed on the envelope sender address ($0). I used the same limit values, but you could add another throttle table with the thresholds you need. It should be added to the ORIG_SEND_ACCESS mapping table:

tcp_auth|*|*|* $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$0]$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E

Then run imsimta cnbuild && imsimta restart and...

[...]
235 2.7.0 LOGIN authentication successful.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
[...]
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
550 5.7.1 Excessive email sent - Please try again later: marcin.wisnios@somedomain
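To see how the three controls behave before touching a live MTA, here is a small model of them, added here as an example and not Messaging Server code: from_access() reproduces the decisions of the two FROM_ACCESS rules (a hosted-domain sender without authentication, and an authenticated sender whose domain does not match), and ThrottleTable is a simplified stand-in for a MeterMaid throttle table with the quota=15 / quota_time=60 / nocase settings above. The window semantics (a fixed window that starts at the first hit and resets after quota_time) are an assumption for the model, not a statement about MeterMaid; the client address, sender and domains used in the usage section are constructed.

```python
"""Model of the FROM_ACCESS, PORT_ACCESS and ORIG_SEND_ACCESS controls above.
Added example; the throttle window semantics are an assumption."""
import time


class ThrottleTable:
    """Per-key hit counter approximating a MeterMaid 'throttle' table.
    Assumption: a fixed window that starts at the first hit and resets after
    quota_time seconds. over_quota() answers what the check_metermaid.so probe
    answers; the $C...$N rule turns True into a 421 or 550 reply."""

    def __init__(self, quota=15, quota_time=60, nocase=True):
        self.quota = quota
        self.quota_time = quota_time
        self.nocase = nocase
        self._hits = {}            # key -> (window_start, count)

    def over_quota(self, key, now=None):
        now = time.time() if now is None else now
        if self.nocase:            # options = nocase in msg.conf
            key = key.lower()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.quota_time:
            start, count = now, 0  # window expired, start counting again
        count += 1
        self._hits[key] = (start, count)
        return count > self.quota

    def hits(self, key):
        key = key.lower() if self.nocase else key
        return self._hits.get(key, (0, 0))[1]


def from_access(source_channel, envelope_domain, auth_domain=None, local_domains=frozenset()):
    """Decision of the two FROM_ACCESS rules. Returns (accepted, reason)."""
    hosted = {d.lower() for d in local_domains}
    if source_channel == "tcp_local" and envelope_domain.lower() in hosted:
        # the $}$6,_canonical_name_{ lookup succeeded: our domain, no authentication
        return False, "Authentication required when sending with this envelope sender domain"
    if source_channel == "tcp_auth" and (auth_domain or "").lower() != envelope_domain.lower():
        return False, "Sender address rejected for " + (auth_domain or "")
    return True, ""


def port_access(throttle, client_ip, now=None):
    """PORT_ACCESS rule: 421 once the client address is over its connection quota."""
    if throttle.over_quota(client_ip, now):
        return "421 Connection declined at this time"
    return None


def orig_send_access(throttle, sender, now=None):
    """ORIG_SEND_ACCESS rule: 550 once the sender is over its recipient quota."""
    if throttle.over_quota(sender, now):
        return "550 5.7.1 Excessive email sent - Please try again later"
    return None


if __name__ == "__main__":
    conn = ThrottleTable()
    for i in range(16):                                  # 16 connections in one minute
        reply = port_access(conn, "10.0.2.99", now=1000 + i)   # constructed client address
        if reply:
            print("connection %d: %s" % (i + 1, reply))
    print(from_access("tcp_auth", "gmail.com", auth_domain="wisnios.com"))
```

The 16th connection inside the window gets the 421, and an authenticated wisnios.com user sending as gmail.com is rejected, matching the transcript above where the 550 appears after the quota is exhausted.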

Enjoy.

20090623

Disable IPv6 in OpenSolaris 2009.06

I always want the system to work the way I like it, which means running only the things I really need.
I do not want the IPv6 protocol stack when it is useless.

Here is a short recipe for how it can be achieved.

First, remove IPv6 from the Network Auto-Magic (NWAM) interface configuration.
Add the following entry to the /etc/nwam/llp file:

e1000g0 noipv6 dhcp

You could also disable ndp directly:

svcadm disable ndp

but on its own that is not persistent across reboots; it needs the /etc/nwam/llp modification above.

The second step is not so obvious. Some people in the OpenSolaris team want it / like it / need it. I don't care; I want it disabled.
The inet6 loopback interface is plumbed from inside the /lib/svc/method/net-loopback method of the SMF service svc:/network/loopback:default.
I replaced the original call with an if condition on the presence of an IPv6 entry in /etc/inet/hosts:

# IPv6 loopback
if egrep "^::1" /etc/inet/hosts >/dev/null; then
    /sbin/ifconfig lo0 inet6 plumb ::1 up
fi

To polish the final result we should disable the sendmail IPv6 daemon binding.
I commented out the relevant line of /etc/mail/sendmail.cf (the option letter is a capital O; if you later regenerate sendmail.cf from the .mc file, the change has to be made there too):

O DaemonPortOptions=Name=MTA-v4, Family=inet
#O DaemonPortOptions=Name=MTA-v6, Family=inet6

Enjoy.

20090531

Solaris IP shortcuts

Today I had to modify my routing table on Solaris 10u7 (5/09), and I made a typo.
Instead of 10.0.2.1, I typed 10.0.21... and it worked.

sol10u7 [~]# route add default 10.0.21
add net default: gateway 10.0.21
sol10u7 [~]# netstat -rn

Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.0.0.21 UG 1 0
10.0.0.0 10.0.2.16 U 1 0 e1000g0
224.0.0.0 10.0.2.16 U 1 0 e1000g0
127.0.0.1 127.0.0.1 UH 1 54 lo0


I also tried 10.1 and 10.1.1, and met with the same success.

sol10u7 [/etc/krb5]# route add default 10.1
add net default: gateway 10.1
sol10u7 [/etc/krb5]# netstat -rn

Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.0.2.2 UG 1 0
default 10.0.0.1 UG 1 0
10.0.0.0 10.0.2.16 U 1 24 e1000g0
224.0.0.0 10.0.2.16 U 1 0 e1000g0
127.0.0.1 127.0.0.1 UH 1 58 lo0
sol10u7 [/etc/krb5]# route add default 10.1.1
add net default: gateway 10.1.1
sol10u7 [/etc/krb5]# netstat -rn

Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.0.2.2 UG 1 0
default 10.0.0.1 UG 1 0
default 10.1.0.1 UG 1 0
10.0.0.0 10.0.2.16 U 1 24 e1000g0
224.0.0.0 10.0.2.16 U 1 0 e1000g0
127.0.0.1 127.0.0.1 UH 1 58 lo0

The deletion works in the same manner.

sol10u7 [~]# route delete default 10.0.21
delete net default: gateway 10.0.21

Nice. Is it a bug, or is it a feature ;-) ?
I knew about the similar IPv6 behaviour, reducing the number of zeros in the address notation, but I did not know it also applies to IPv4.

It does, and it is old: this is the classic BSD inet_addr(3)/inet_aton(3) parsing that route(1M) and many other tools go through. With three parts the last one fills the low 16 bits (10.0.21 becomes 10.0.0.21), with two parts it fills the low 24 bits (10.1 becomes 10.0.0.1), and a single number is the whole 32-bit address; each part may also be written in octal (leading 0) or hex (0x). The practical consequence for anything that filters or logs by address: compare addresses by value, not by string, or these spellings walk straight past the check.
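Here is the parsing rule written out, as an added example in Python (not from the post and not Solaris code): inet_aton_compat() produces the dotted quad that inet_addr(3) would for any of the 1-, 2-, 3- or 4-part spellings, including octal and hex parts, and same_host() is the comparison an address filter should make instead of comparing strings. The spellings in the usage section are constructed.

```python
"""inet_addr(3)-style address parsing, written out. Added example."""


def _parse_part(p):
    """One component under inet_aton(3) rules: 0x.. is hex, a leading 0 is octal,
    anything else is decimal. Signs, blanks and underscores (which int() would
    quietly accept) are rejected."""
    if not p or p[0] in "+-" or p.strip() != p or "_" in p:
        raise ValueError("bad component %r" % p)
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def inet_aton_compat(addr):
    """Dotted quad for addr as the BSD/Solaris resolver would read it."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("wrong number of components in %r" % addr)
    vals = [_parse_part(p) for p in parts]
    tail_bits = 8 * (5 - len(vals))      # the last part fills 32, 24, 16 or 8 bits
    if any(v > 0xFF for v in vals[:-1]) or vals[-1] >= 1 << tail_bits:
        raise ValueError("component out of range in %r" % addr)
    value = 0
    for v in vals[:-1]:                  # leading parts are single octets
        value = (value << 8) | v
    value = (value << tail_bits) | vals[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_spelling(addr):
    """True if inet_addr(3) would accept addr at all."""
    try:
        inet_aton_compat(addr)
        return True
    except ValueError:
        return False


def same_host(a, b):
    """Compare two address spellings by value; allow-list checks should do this."""
    return inet_aton_compat(a) == inet_aton_compat(b)


if __name__ == "__main__":
    for spelling in ("10.0.21", "10.1", "10.1.1", "0177.0.0.1", "0x7f.1", "2130706433"):
        print("%-12s -> %s" % (spelling, inet_aton_compat(spelling)))
```

The first three lines of output are the three gateways from the routing tables above; the last three are the same loopback address written in octal, hex and as one integer.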

20090529

Create base64 jpegPhoto attribute

So, you want a picture in your user profile in the Directory Server entry?
Go for it.

Generate the base64-encoded value of the selected picture with the ldif tool:

book [/tmp]# ldif -b jpegPhoto < marcin.jpg
jpegPhoto:: /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAMgAA/+4ADkFkb2JlA
GTAAAAAAf/bAIQACAYGBgYGCAYGCAwIBwgMDgoICAoOEA0NDg0NEBEMDg0NDgwRDxITFBMSDxgYG
hoYGCMiIiIjJycnJycnJycnJwEJCAgJCgkLCQkLDgsNCw4RDg4ODhETDQ0ODQ0TGBEPDw8PERgWF
xQUFBcWGhoYGBoaISEgISEnJycnJycnJycn/8AAEQgBVAH0AwEiAAIRAQMRAf/EAK4AAAIDAQEBA
QAAAAAAAAAAAAMEAAIFAQYHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQFEAACAQMCBAMFBQUFBwMDB
[...]


Put the output into an LDIF file, or create the modification by hand:

book [~]$ ldapmodify -D cn=dirmgr
Enter bind password:
dn: uid=marcin,ou=People,o=wisnios.com,o=isp
changetype: modify
add: jpegPhoto
jpegPhoto:: /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAMgAA/+4ADkFkb2JlA
GTAAAAAAf/bAIQACAYGBgYGCAYGCAwIBwgMDgoICAoOEA0NDg0NEBEMDg0NDgwRDxITFBMSDxgYG
hoYGCMiIiIjJycnJycnJycnJwEJCAgJCgkLCQkLDgsNCw4RDg4ODhETDQ0ODQ0TGBEPDw8PERgWF
xQUFBcWGhoYGBoaISEgISEnJycnJycnJycn/8AAEQgBVAH0AwEiAAIRAQMRAf/EAK4AAAIDAQEBA
QAAAAAAAAAAAAMEAAIFAQYHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQFEAACAQMCBAMFBQUFBwMDB
[...]
^D

20090514

zpool replace problem

Scenario.
A disk from pool1 failed. It was replaced with a new one, using the appropriate cfgadm -c unconfigure and cfgadm -c configure commands. Resilvering completed, but the pool status still shows the unavailable device. Every attempt to take the device offline makes the resilver start again.

thumper [~]# zpool status -v pool1
pool: pool1
state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist for
the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
see: http://www.sun.com/msg/ZFS-8000-D3
scrub: resilver in progress, 2,32% done, 28h7m to go
config:

NAME STATE READ WRITE CKSUM
pool1 DEGRADED 0 0 0
raidz2 DEGRADED 0 0 0
c7t0d0p0 ONLINE 0 0 0
c6t0d0p0 ONLINE 0 0 0
c7t4d0p0 ONLINE 0 0 0
c6t4d0p0 ONLINE 0 0 0
c1t0d0p0 ONLINE 0 0 0
c0t0d0p0 ONLINE 0 0 0
c1t4d0p0 ONLINE 0 0 0
c0t4d0p0 ONLINE 0 0 0
c5t1d0p0 ONLINE 0 0 0
c4t1d0p0 ONLINE 0 0 0
c5t5d0p0 ONLINE 0 0 0
c4t5d0p0 ONLINE 0 0 0
c7t1d0p0 ONLINE 0 0 0
c6t1d0p0 ONLINE 0 0 0
spare DEGRADED 0 0 0
c7t5d0p0 UNAVAIL 0 0 0 cannot open
c1t3d0p0 ONLINE 0 0 0
c6t5d0p0 ONLINE 0 0 0
c1t1d0p0 ONLINE 0 0 0
c0t1d0p0 ONLINE 0 0 0
c1t5d0p0 ONLINE 0 0 0
c0t5d0p0 ONLINE 0 0 0
spares
c1t3d0p0 INUSE currently in use
c0t3d0p0 AVAIL

errors: No known data errors


Solution
Do from ZFS's point of view exactly what was done from the system's point of view:
replace the disk in place, with the same device name on both sides.

thumper [~]# zpool replace pool1 c7t5d0p0 c7t5d0p0


After the resilver has completed:

thumper [~]# zpool status -v pool1
pool: pool1
state: ONLINE
scrub: resilver completed with 0 errors on Thu May 14 17:08:20 2009
config:

NAME STATE READ WRITE CKSUM
pool1 ONLINE 0 0 0
raidz2 ONLINE 0 0 0
c7t0d0p0 ONLINE 0 0 0
c6t0d0p0 ONLINE 0 0 0
c7t4d0p0 ONLINE 0 0 0
c6t4d0p0 ONLINE 0 0 0
c1t0d0p0 ONLINE 0 0 0
c0t0d0p0 ONLINE 0 0 0
c1t4d0p0 ONLINE 0 0 0
c0t4d0p0 ONLINE 0 0 0
c5t1d0p0 ONLINE 0 0 0
c4t1d0p0 ONLINE 0 0 0
c5t5d0p0 ONLINE 0 0 0
c4t5d0p0 ONLINE 0 0 0
c7t1d0p0 ONLINE 0 0 0
c6t1d0p0 ONLINE 0 0 0
c7t5d0p0 ONLINE 0 0 0
c6t5d0p0 ONLINE 0 0 0
c1t1d0p0 ONLINE 0 0 0
c0t1d0p0 ONLINE 0 0 0
c1t5d0p0 ONLINE 0 0 0
c0t5d0p0 ONLINE 0 0 0
spares
c1t3d0p0 AVAIL
c0t3d0p0 AVAIL

errors: No known data errors

Voila!

AIX software (de)installation

During my AIX lab work I accidentally installed all the packages from the /export/aix/lpp_source/xlCv8eval location
(IBM XL C/C++ V8.0 Evaluation).

aix61 [/export/aix]# installp -a -d lpp_source/xlCv8eval all
[...]

+-----------------------------------------------------------------------------+
BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
221 Selected to be installed, of which:
66 Passed pre-installation verification
146 FAILED pre-installation verification
9 Already installed (directly or via superseding filesets)
----
66 Total to be installed

+-----------------------------------------------------------------------------+
Installing Software...
+-----------------------------------------------------------------------------+

[...]

Finished processing all filesets. (Total time: 2 mins 17 secs).

[...]

Two minutes and seventeen seconds of sorrow.

Because it was my first installation attempt I wanted to roll back the applied changes.
But how to uninstall all the filesets together?
I prepared a handy one-liner (-u deinstalls, -g also removes the dependents, -e writes the log). Feel free to provide a better solution.

aix61 [/export/aix/lpp_source/xlCv8eval/installp]# for f in `ls -1 ppc | cut -d . -f 1 | sort | uniq`; \
do installp -u -e /home/wisnios/xlCv8eval.uninstall.log -g $f; \
done

where ls -1 ppc | cut -d . -f 1 | sort | uniq gives:

ibmdebugger
memdbg
vac
vacpp
xlC
xlhelp
xlmass
xlsmp

Mission accomplished.

20090507

Solaris IPSec with preshared keys

To implement a transport-mode IPsec configuration we have to complete the following steps:

  • assign ipsec policy (ipsecinit.conf)
  • configure Internet Key Exchange (IKE) daemon (in.iked) (config)
  • setup preshared key secret (ike.preshared)

The configuration has to be made on both communicating nodes.
In the example below I used nodes named sol10u6 (10.0.2.15) and sol10u7 (10.0.2.16).
To generate the decimal-ASCII representation of the password I used this piece of code:


/*
IKE password converter
- Marcin Wisnios [marcin AT wisnios.com]
*/
#include <stdio.h>
#include <string.h>

#define PSIZE 512

int main(int argc, char* argv[])
{
    size_t n, size;
    char pass[PSIZE];

    if (argc == 1)
    {
        fprintf(stderr, "Usage: %s password\n", argv[0]);
        return 1;
    }

    size = strlen(argv[1]);
    if (size >= PSIZE)
    {
        fprintf(stderr, "Warning: possibility of buffer overflow on oversized password (>=%d). Exiting.\n", PSIZE);
        return -1;
    }

    /* size < PSIZE, so size + 1 bytes (including the terminator) fit in pass */
    strncpy(pass, argv[1], size + 1);

    /* print every byte as its unsigned decimal code, with no separator */
    for (n = 0; n < size; n++)
    {
        printf("%u", (unsigned)(unsigned char)pass[n]);
    }

    printf("\n");

    return 0;
}


I've used sample secret: example-preshared-key-secret-do-not-use-it.

sol10u6 [~]$ ./ikepconv example-preshared-key-secret-do-not-use-it
10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116

Let's start with the IPsec policy settings.
The setup is as follows:

sol10u6 [~]# cat /etc/inet/ipsecinit.conf
[...]
{ laddr 10.0.2.15 raddr 10.0.2.16 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

sol10u7 [~]# cat /etc/inet/ipsecinit.conf
[...]
{ laddr 10.0.2.16 raddr 10.0.2.15 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

encr_algs aes - use AES as the Encapsulating Security Payload (ESP, IP protocol 50) encryption algorithm
encr_auth_algs md5 - use HMAC-MD5 as the ESP authentication (integrity) algorithm; prefer sha1 for a new setup when both peers support it
sa shared - a shared Security Association (SA) means all communication between the two nodes in one direction uses the same SA;
the opposite, unique, uses a separate SA for each pair of source and destination ports

Apply IPSec policy to the system:

sol10u6 [~]# ipsecconf -a /etc/inet/ipsecinit.conf
sol10u6 [~]# ipsecconf
#INDEX 2
{ laddr 10.0.2.15 raddr 10.0.2.16 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

From now on the communication is broken: IPsec has been told to encrypt and authenticate the traffic, but no SAs exist yet, so packets matching the policy are dropped.
We need to provide valid SAs for the security policy.
To automate key management I used the IKE daemon (in.iked).
It should be configured similarly to the output below:

sol10u6 [~]# cat /etc/inet/ike/config
[...]
### BEGINNING OF FILE

{
label "preshared"
local_id_type ip
local_addr 10.0.2.15
remote_addr 10.0.2.16

p1_xform
{ auth_method preshared oakley_group 5 encr_alg aes auth_alg md5 }
}

sol10u7 [~]# cat /etc/inet/ike/config
[...]
### BEGINNING OF FILE

{
label "preshared"
local_id_type ip
local_addr 10.0.2.16
remote_addr 10.0.2.15

p1_xform
{ auth_method preshared oakley_group 5 encr_alg aes auth_alg md5 }
}

oakley_group - the Oakley Diffie-Hellman group used for IKE SA key derivation. Acceptable values on this release are 1 (768-bit), 2 (1024-bit), or 5 (1536-bit); use the largest one both peers support.

The last step is to configure the preshared secrets file. It holds the raw key, so it must stay owned by root with mode 0600 on both nodes.

sol10u6 [~]# cat /etc/inet/secret/ike.preshared
[...]
{
localidtype IP
localid 10.0.2.15
remoteidtype IP
remoteid 10.0.2.16
key 10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116
}

sol10u7 [~]# cat /etc/inet/secret/ike.preshared
[...]
{
localidtype IP
localid 10.0.2.16
remoteidtype IP
remoteid 10.0.2.15
key 10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116
}

key - the decimal ASCII codes of the passphrase "example-preshared-key-secret-do-not-use-it", concatenated (converted with ikepconv from the beginning of this post).
That is: e(101)x(120)a(97)m(109)p(112)l(108)e(101)-(45)...
in.iked reads the key field as a hexadecimal string, so this trick works only because the conversion produces nothing but the digits 0-9; what has to match is the identical string on both nodes, not the passphrase. For a real deployment a random hexadecimal key of at least 32 bytes is the better choice.
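The same conversion, plus the checks worth doing before starting in.iked, as an added example in Python (not Solaris code and not from the post): ikepconv() reproduces what the C program prints, random_hex_key() is the key I would use instead, and peers_agree() confirms that the two ike.preshared files mirror each other (localid/remoteid swapped, identical key), a common cause of phase 1 failing. The node addresses are the ones used above; that the key field is read as hexadecimal is the assumption stated in the previous paragraph.

```python
"""ike.preshared generation and cross-check for two peers. Added example."""
import re
import secrets


def ikepconv(passphrase):
    """Decimal codes of the passphrase bytes, concatenated: what ./ikepconv prints."""
    return "".join(str(b) for b in passphrase.encode("utf-8"))


def random_hex_key(nbytes=32):
    """A random key of nbytes bytes as hex digits, the form in.iked expects (assumption)."""
    return secrets.token_hex(nbytes)


def is_hex_key(key):
    return re.fullmatch(r"[0-9a-fA-F]+", key) is not None


def render_ike_preshared(local_ip, remote_ip, key):
    """One ike.preshared entry. Only hex digits are accepted for the key."""
    if not is_hex_key(key):
        raise ValueError("key must consist of hexadecimal digits")
    return ("{\n"
            "localidtype IP\nlocalid %s\n"
            "remoteidtype IP\nremoteid %s\n"
            "key %s\n}\n" % (local_ip, remote_ip, key))


def parse_ike_preshared(text):
    """Parse the brace/keyword form into a list of {keyword: value} dicts."""
    entries = []
    for body in re.findall(r"\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.strip().splitlines():
            keyword, _, value = line.strip().partition(" ")
            if keyword:
                entry[keyword] = value.strip()
        entries.append(entry)
    return entries


def peers_agree(text_local, text_remote):
    """True when every entry in the local file has a mirror entry (ids swapped,
    same key) in the remote file."""
    remote = {(e["localid"], e["remoteid"]): e["key"] for e in parse_ike_preshared(text_remote)}
    return all(remote.get((e["remoteid"], e["localid"])) == e["key"]
               for e in parse_ike_preshared(text_local))


if __name__ == "__main__":
    key = random_hex_key()
    print(render_ike_preshared("10.0.2.15", "10.0.2.16", key))   # for sol10u6
    print(render_ike_preshared("10.0.2.16", "10.0.2.15", key))   # for sol10u7
```

Write each printed block to /etc/inet/secret/ike.preshared on its node, then run peers_agree() over the two files' contents before restarting the daemon.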

Start the IKE daemon (-d turns on debug output):

sol10u6 [~]# /usr/lib/inet/in.iked -d
sol10u6 [~]# /usr/lib/inet/in.iked

It's time for a simple test.

sol10u7 [~]# ping 10.0.2.15
10.0.2.15 is alive

sol10u6 [~]# snoop -c 1 src host 10.0.2.16
Using device /dev/e1000g0 (promiscuous mode)
sol10u7 -> sol10u6 ESP SPI=0xc072b272 Replay=6
1 packets captured


sol10u7 [~]# ping 10.0.2.15
10.0.2.15 is alive

sol10u6 [~]# snoop -c 1 -v src host 10.0.2.16
Using device /dev/e1000g0 (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 17:46:25.51503
ETHER: Packet size = 150 bytes
ETHER: Destination = 8:0:27:ba:19:34, PCS Computer Systems GmbH
ETHER: Source = 8:0:27:30:9c:39, PCS Computer Systems GmbH
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 136 bytes
IP: Identification = 9596
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 50 (ESP)
IP: Header checksum = 7da9
IP: Source address = 10.0.2.16, sol10u7
IP: Destination address = 10.0.2.15, sol10u6
IP: No options
IP:
ESP: ----- Encapsulating Security Payload -----
ESP:
ESP: SPI = 0xc072b272
ESP: Replay = 10
ESP: ....ENCRYPTED DATA....

1 packets captured

INFO:
IPsec definitions were added to SMF in Solaris 10 update 7:
svc:/network/ipsec/manual-key:default
svc:/network/ipsec/ike:default
svc:/network/ipsec/ipsecalgs:default
svc:/network/ipsec/policy:default

On those releases remember to enable the ipsec/ike service (svcadm enable ipsec/ike) rather than starting in.iked by hand; the policy service applies /etc/inet/ipsecinit.conf at boot.

Enjoy.

20090426

Directory Server SSL Certificate

Recently I added an article about SSL configuration of Sun Java Communications Suite components (link).
Today I want to expand it with Directory Server SSL preparation.

DS comes with a self-signed certificate (valid for three months). Its name is defaultCert, and by default it allows secure connections on port 636.
It is stored in the alias directory under the instance path:

book [/]# ls /instances/ds1/alias
certmap.conf secmod.db slapd-cert8.db slapd-key3.db


book [/instances/ds1/alias]# dsconf get-server-prop -D cn=dirmgr ssl-rsa-cert-name
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : defaultCert

book [/]# /opt/SUNWdsee/ds6/bin/dsadm list-certs /instances/ds1/
Alias Valid from Expires on Self-signed? Issued by Issued to
----------- ---------------- ---------------- ------------ ----------------------------------------------------- --------------
defaultCert 2009/03/18 12:28 2009/06/18 12:28 y CN=book,CN=636,CN=Directory Server,O=Sun Microsystems Same as issuer
1 certificate(s) found

book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u


But I want to use the same one as the other COMMS components - Server-Cert - issued by a CA.

book [/instances/ds1/alias]# dsadm import-cert /instances/ds1/ /root/SSL/VeriSign.cert.pkcs12
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.
book [/instances/ds1/alias]# dsadm stop /instances/ds1
Directory Server instance '/instances/ds1' stopped
book [/instances/ds1/alias]# dsadm start /instances/ds1
Directory Server instance '/instances/ds1' started: pid=25150
book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u
Server-Cert u,u,u

Now I have to change the default RSA certificate name in the DS configuration:

book [~]# dsconf set-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name:Server-Cert
Enter "cn=dirmgr" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.

Restart DS one more time.

That's all folks. Two things worth checking afterwards: the "not trusted" prompt below comes from dsconf's own client-side certificate database, which does not yet know the issuing CA, so make sure the CA certificate is also in the instance database (dsadm add-cert, then dsadm list-certs) so that clients receive a complete chain; and remove the self-signed defaultCert (dsadm remove-cert) once nothing references it.

book [~]# dsconf get-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name
Certificate "CN=[...]" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : Server-Cert

20090408

Forward mappings

The presented configuration gathers messages whose address matches a given pattern into one mail account.
The example below is based on the destination address, but can easily be changed to work on the source address.

Sun Java Messaging Server allows use of the FORWARD mapping table and the FORWARD lookup table (database).
I will focus on the FORWARD mapping table. Its use is disabled by default, so before I can go further I have to enable USE_FORWARD_DATABASE in the option.dat file.

USE_FORWARD_DATABASE can take one of three values. The meaning is as follows:

  • 1 - use forward database
  • 8 - use forward database entries with a specified channel
  • 16 - use forward mapping table entries with a specified channel

To put the pieces together I used 16, so:

[option.dat]
[...]
USE_FORWARD_DATABASE=16

To let the Messaging Server keep all messages addressed to prefix-* on the wisnios@wisnios.com account, add the following to your mappings file:

FORWARD

!
! Format for channel specific forward mapping entries
! src-channel|source-address|original-address changed-address
!
*|*|prefix-*@wisnios.com $D$H$Ywisnios@wisnios.com


The first * (asterisk) could be tcp_local - or so I thought, but it is not true.
A simple test with imsimta test -rewrite -debug prefix-test@wisnios.com shows that the message uses the l channel:

[...]
12:41:14.65: Applying forward mapping to: l|postmaster@book.entic.net|prefix-test@wisnios.com
12:41:14.65: Matched, result is: wisnios@wisnios.com
[...]

The second field can be used as an additional pattern filter based on the sender address or its domain part.
In my example it is also an asterisk.

The third field does the trick.

$D - run the rewrite process once more (without this flag the mapping fails)
$H - do not check any other forward lookup table or FORWARD mapping entries (optional with this single entry)
$Y - use the specified address as the new one (required)

So, let's try:

book [/]# imsimta test -mapping -debug
Enter table name: FORWARD
Input string: tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39: Mapping 6 applied to tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39: Entry #1 matched, pattern "*|*|prefix-*@wisnios.com", template "$D$H$Ywisnios@wisnios.com", match #0.
13:00:03.39: New target "wisnios@wisnios.com"
13:00:03.39: Exiting...
13:00:03.39: Final result "wisnios@wisnios.com"
Output string: wisnios@wisnios.com
Output flags: [0, 'D' (68), 'H' (72), 'Y' (89)]
Input string:

The last bastion was the imsimta command itself.
After the configuration changes I ran imsimta cnbuild && imsimta reload.
That was a mistake.
It lets imsimta test -rewrite complete successfully, but incoming messages to prefix-something are rejected with:
550 5.1.1 unknown or illegal alias: prefix-something@wisnios.com

To make everything work smoothly, run imsimta restart after the job completes.

To test this configuration I've used:

Sun Java(tm) System Messaging Server 6.3-2.01 (built Jun 13 2007; 64bit)
libimta.so 6.3-2.01 (built 00:30:08, Jun 13 2007; 64bit)

20090407

Summary of the mail traffic size

Today I wrote a handy one-liner to get a summary of the mail traffic size for the current or yesterday's log period.
Sun Java Messaging Server records the size (sz) of every message in blocks, according to the MTA BLOCK_SIZE option (default value: 1024 bytes, i.e. kilobytes).

For example, to get yesterday's sum of messages sent to domain.com (single-tiered architecture):

sed '/tcp_local.*ims-ms.*domain.com/p;d' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'

The returned value is in megabytes.

To get a similar check for a frontend-backend (two-tiered) scenario with LMTP, and for the current log file:

sed '/tcp_local.*tcp_lmtpcs.*domain.com/p;d' mail.log_current | awk '{ SIZE+=$6 } END { print SIZE/1024 }'


For the outbound messages I used the tcp_auth channel name as the distinguishing mark:

# sed '/tcp_auth.*wisnios.com/p;d;' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'
102.645
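
The same summation as a reusable shell function, added here as an example rather than taken from the post. It matches the source channel, destination channel and recipient domain field by field instead of with one regular expression, and can restrict the sum to one record type. The sample log is constructed and only approximates the mail.log layout; what it shares with the one-liner is that field 6 carries the size in blocks.

```shell
#!/bin/sh
# Added example (not the blog's own one-liner): sum the sz field (blocks of
# BLOCK_SIZE bytes, 1024 by default) of mail.log records matching a source
# channel, a destination channel and a recipient domain.
# Assumed record layout (constructed, approximating mail.log):
#   date time src-channel dst-channel type size sender recipient ...
# so field 6 is the size, exactly as in the sed | awk one-liner above.

# Constructed sample log, written to a temp file so the example runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
07-Apr-2009 08:01:10.12 tcp_local ims-ms E 100 alice@example.org rfc822;bob@domain.com bob@ims-ms-daemon
07-Apr-2009 08:01:11.30 tcp_local ims-ms D 100 alice@example.org rfc822;bob@domain.com bob@ims-ms-daemon
07-Apr-2009 08:05:42.07 tcp_local ims-ms E 200 carol@example.net rfc822;dave@domain.com dave@ims-ms-daemon
07-Apr-2009 08:05:43.51 tcp_local ims-ms D 200 carol@example.net rfc822;dave@domain.com dave@ims-ms-daemon
07-Apr-2009 08:09:03.88 tcp_auth tcp_local E 50 bob@domain.com rfc822;eve@other.example eve@other.example
07-Apr-2009 08:12:15.44 tcp_local ims-ms E 300 frank@example.com rfc822;grace@another.example grace@ims-ms-daemon
EOF

# mail_traffic_kb SRC DST DOMAIN LOGFILE [TYPE]
# Prints the summed size in kilobytes. The optional TYPE keeps only one record
# type (E = enqueue, D = dequeue); without it every matching record counts,
# which is what the one-liner does as well.
mail_traffic_kb() {
    awk -v src="$1" -v dst="$2" -v dom="$3" -v typ="$5" '
        $3 == src && $4 == dst && $8 ~ ("@" dom "$") && (typ == "" || $5 == typ) { total += $6 }
        END { print total + 0 }
    ' "$4"
}

# mail_traffic_mb: the same total converted to megabytes with three decimals.
mail_traffic_mb() {
    mail_traffic_kb "$@" | awk '{ printf "%.3f\n", $1 / 1024 }'
}

mail_traffic_kb tcp_local ims-ms domain.com "$SAMPLE_LOG"      # prints 600 (E and D records)
mail_traffic_kb tcp_local ims-ms domain.com "$SAMPLE_LOG" E    # prints 300 (enqueue only)
mail_traffic_mb tcp_local ims-ms domain.com "$SAMPLE_LOG" E    # prints 0.293
```

Restricting to E records avoids counting a message twice when both its enqueue and dequeue lines fall into the same filter.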

20090402

MTA log rotation for Messaging Server

Sun Java System Messaging Server does not rotate the MTA log file, mail.log. There are only two steps of pseudo-rotation between the files mail.log_current, mail.log_yesterday and the mail.log "bucket".

Present activity is logged into mail.log_current. Its content is moved into mail.log_yesterday after a day.
After the next day it ends its rotation life inside the mail.log file, which keeps growing.

To control the mail.log growth process I use the Solaris logadm tool.

book [/]# crontab -l
[...]
# Messaging Server MTA log rotation
0 0 * * 1 /usr/sbin/logadm -c -C 52 -t '$dirname/$basename.$n' /var/opt/sun/comms/messaging64/log/mail.log
book [/]#


Every Monday at 0:00 AM, logadm rotates the given log file. It copies the original file to the next available name with an increased version number ($basename.$n) and truncates mail.log to zero length (-c). It keeps 52 rotated copies (-C 52) and removes the older ones.

20090328

Mac OS X ipfw traffic shaping

This is related to my recurring problem with image uploads. When I start uploading a new set of pictures, the rest of the traffic on my ISP connection drops almost to zero.

To cap the bandwidth available to the flickr website, I used the commands below:

% sudo ipfw pipe 1 config bw 256kbit/s

% sudo ipfw pipe show
00001: 256.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

% sudo ipfw add pipe 1 dst-ip 87.248.121.213 dst-port 80
33400 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw show
33300 0 0 deny icmp from any to me in icmptypes 8
33400 1492 2084081 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw pipe show
00001: 256.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.1.101/57602 87.248.121.213/80 437 611800 46 64400 0

When the job is completed:

% sudo ipfw delete 33400

or, if there are no other pipes:

% sudo ipfw pipe flush
Are you sure? [yn] y

Flushed all pipes.

20090326

Monitoring sessions in application server

The method described below relates to GlassFish Application Server in a Solaris 10 environment.
I used the Convergence application (from Sun Java Communications Suite) as the example, but it could be any other app deployed on appsvr.

Before we start let's check the monitoring levels of services:

# /opt/SUNWappserver/bin/asadmin get server.monitoring-service.module-monitoring-levels.*
server.monitoring-service.module-monitoring-levels.connector-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.connector-service = OFF
server.monitoring-service.module-monitoring-levels.ejb-container = OFF
server.monitoring-service.module-monitoring-levels.http-service = OFF
server.monitoring-service.module-monitoring-levels.jdbc-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.jms-service = OFF
server.monitoring-service.module-monitoring-levels.jvm = OFF
server.monitoring-service.module-monitoring-levels.orb = OFF
server.monitoring-service.module-monitoring-levels.thread-pool = OFF
server.monitoring-service.module-monitoring-levels.transaction-service = OFF
server.monitoring-service.module-monitoring-levels.web-container = OFF

The most interesting one in this case is the last.
To begin monitoring the given service we have to switch its level to HIGH (or LOW; it makes no difference as of GlassFish v3).

# /opt/SUNWappserver/bin/asadmin set server.monitoring-service.module-monitoring-levels.web-container=HIGH
Please enter the admin user name>admin
Please enter the admin password>
server.monitoring-service.module-monitoring-levels.web-container = HIGH

Let's look at all the lines related to session counters.

All applications:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.*.server.*session*count

Convergence only:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.*session*count


Sample command to get the current value of Convergence active sessions:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.activesessionscurrent-count
server.applications.Convergence.server.activesessionscurrent-count = 99
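
An added example, not part of the post, that turns the "name = value" lines printed by asadmin get --monitor=true into a per-application report and a threshold check, the kind of thing that would sit behind a cron job. The monitor output below is constructed; only activesessionscurrent-count appears in the post, the other counter names are assumed for illustration.

```shell
#!/bin/sh
# Added example (not the post's own commands): report on the "name = value"
# lines that "asadmin get --monitor=true server.applications.*.server.*session*count"
# prints, and flag applications above a session limit.
# The output below is constructed. Only activesessionscurrent-count appears
# in the post; the other counter names are assumed for illustration.

MONITOR_OUT=$(mktemp)
cat > "$MONITOR_OUT" <<'EOF'
server.applications.Convergence.server.activesessionscurrent-count = 99
server.applications.Convergence.server.activesessionshigh-count = 150
server.applications.Convergence.server.expiredsessionstotal-count = 42
server.applications.webmail.server.activesessionscurrent-count = 310
server.applications.webmail.server.activesessionshigh-count = 320
EOF

# counter_value FILE APP COUNTER: print the value of a single counter.
counter_value() {
    sed -n "s/^server\.applications\.$2\.server\.$3 = //p" "$1"
}

# session_report FILE: one line per application, "app current high".
# Fields are split on dots and spaces, so $3 is the application name,
# $5 the counter name and $NF the value (assumes names without dots).
session_report() {
    awk -F'[ .]' '$2 == "applications" {
            if ($5 == "activesessionscurrent-count") cur[$3] = $NF
            if ($5 == "activesessionshigh-count")    high[$3] = $NF
        }
        END { for (a in cur) print a, cur[a], high[a] }' "$1" | sort
}

# apps_over FILE LIMIT: print applications whose current active session count
# exceeds LIMIT, one per line; prints nothing when none does.
apps_over() {
    awk -F'[ .]' -v limit="$2" '
        $2 == "applications" && $5 == "activesessionscurrent-count" && $NF + 0 > limit + 0 { print $3 }
    ' "$1"
}

session_report "$MONITOR_OUT"   # prints "Convergence 99 150" and "webmail 310 320"
apps_over "$MONITOR_OUT" 100    # prints webmail
```

In production, replace the heredoc with the real asadmin get call redirected to the file.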

20090314

Sun Java System Directory Server Platform Support

SJSDSPS... nice title ;-)

Since yesterday I have been looking for the Directory Server installer for AIX (6.1). I know there is still OpenDS, but I want the same solution I know from Solaris. The latest download of DS for AIX (5.2) available on the official Sun Microsystems web site is Directory Server 5.2 P4 Full Distribution and the Directory Server 5.2 P6 Patch. There is no way to get Directory Server Enterprise Edition (DSEE).

I thought I had missed something. Maybe the Sun guys do not like the IBM guys.
Then I found this - http://docs.sun.com/app/docs/doc/820-2759/eof-platform-support :

In future releases of Directory Server Enterprise Edition, support for Windows 2000, Red Hat Advanced Server 3.0, and J2SE platform 1.4 may be removed. Support for the native install package releases for platforms other than the Solaris operating system might be removed. Support for 32–bit versions of the software might be discontinued for some platforms. To be prepared, plan the transition to 64–bit versions of the software and to newer versions of the supported operating systems.

"Might be" or "has been" makes a difference.

And one more quotation - http://docs.sun.com/source/819-1815/index.html :

Directory Server 5.2 Patch 6 is available on the following platforms:
[...]
· IBM AIX 5.2 (Power PC) (32 bit)

The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. However, this update is validated on IBM AIX 5.2. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but IBM AIX 5.1 is no longer supported by IBM.

So the one to blame for the lack of AIX support for Directory Server is IBM itself. Am I wrong or right?
But that concerns AIX 5.2. What about AIX 5.3 and AIX 6.1? I don't know the answer. Anybody?

20090313

Linux stuff in the AIX neighbourhood

When I logged in to an AIX system for the very first time I experienced the beauty of the IBM system, and helplessness. I knew only four AIX-specific commands and had a bunch of experience from Sun Solaris.

The first stronghold was the ksh system shell. No history. No command completion. "No" in the way I was used to using them. It took me a while to find the fc command.
So the first thought was to bring in zsh.

But... in order to make that possible, I had to know HOW and FROM WHERE.
Solaris has its sunfreeware.com and blastwave.org. AIX has an rpm database of ppc packages.

Here it is: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html
How to get the rpm itself: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html

The rest is as simple as:

# rpm -i zsh*rpm

... after installing the dependencies ;-) (rpm packages: coreutils, grep)

20090310

SSL: be prepared

Before you can start with SSL changes at the application configuration level, you have to prepare the certificate and its database.
First the certificate should be converted from PEM to PKCS#12 format.


# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert


cert.pem - certificate obtained from a Certificate Authority (CA), either local or public (Thawte, Verisign, other)
key.rsa - private key used to sign the Certificate Signing Request (CSR)
cert.pkcs12 - PKCS#12 output file
Server-Cert - you could use any other name, but in most cases it is the default certificate name (alias) used within the SSL configuration, e.g.
 
# configutil -o encryption.rsa.nssslpersonalityssl
Server-Cert


Messaging Server

Initialize certificate database:

# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:

This creates the database files cert8.db, key3.db and secmod.db, plus sslpassword.conf, a plain-text file holding the software token password (the one provided during generation).
Initialization also creates a self-signed certificate under the Server-Cert alias.
It has to be removed before the import, unless a different certificate name will be used.

# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias Valid from Expires on Self-signed? Issued by Issued to
----- ---------- ---------- ------------ --------- ---------
0 certificates found


Now, let's eat some certificates.

# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:

Voilà!

If there is a need to roll back to the self-signed certificate or to renew an expired one, use similar commands:

# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert

# msgcert renew-selfsign-cert Server-Cert


Errors:

· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate

The certificate file has not been converted from PEM to PKCS#12
(use openssl pkcs12 -export).


· A certificate with the same alias already exists in the database.
Failed to import the certificate

The previously created (self-signed) certificate has not been removed
(use msgcert remove-cert).
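
An added example, not the blog's own commands, that wraps the PEM to PKCS#12 conversion with the checks a practitioner wants before feeding the bundle to msgcert or pk12util: that key.rsa really belongs to cert.pem, that the output parses as PKCS#12 (a plain PEM file is what triggers the first error above), and that the bundle carries the Server-Cert alias. A throwaway self-signed pair and the password are constructed so the script runs offline; in practice cert.pem is the CA-issued certificate for the CSR signed with key.rsa.

```shell
#!/bin/sh
# Added example, not the blog's own commands: guard the PEM -> PKCS#12 step.
# It checks that key.rsa really belongs to cert.pem before exporting, and
# verifies the result parses as PKCS#12 and carries the Server-Cert alias.
# A throwaway self-signed pair is generated so the script runs offline; in
# practice cert.pem is the CA-issued certificate for the CSR signed by key.rsa.

WORK=$(mktemp -d)
PASS=constructed-demo-password   # stands in for the PKCS#12 file password

# Constructed key and certificate playing the roles of key.rsa and cert.pem,
# plus an unrelated key to show the mismatch check firing.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
    -keyout "$WORK/key.rsa" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl genrsa -out "$WORK/other.rsa" 2048 >/dev/null 2>&1

# key_matches_cert KEY CERT: succeed only when both carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# export_pkcs12 CERT KEY OUT ALIAS: the post's "openssl pkcs12 -export",
# refused when the key does not match the certificate.
export_pkcs12() {
    key_matches_cert "$2" "$1" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" -passout "pass:$PASS"
}

# is_pkcs12 FILE: succeed only when FILE parses as PKCS#12. A PEM file fails
# here, which is what msgcert reports as "improperly formatted DER-encoded message".
is_pkcs12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$PASS" >/dev/null 2>&1
}

# pkcs12_alias BUNDLE: print the friendly name (alias) stored in the bundle.
pkcs12_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        sed -n 's/^[[:space:]]*friendlyName: //p' | head -1
}

export_pkcs12 "$WORK/cert.pem" "$WORK/key.rsa" "$WORK/cert.pkcs12" Server-Cert
pkcs12_alias "$WORK/cert.pkcs12"   # prints Server-Cert
```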


Web Server

We can use the same converted file to feed the web server database.

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# certutil -L -d .
Server-Cert u,u,u

The triple 'u' means the database holds the private key for this certificate, so it can be used in all three categories: SSL, email and object signing.

A self-signed cert can be generated with the wadm administration command:

wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully


Application Server (Glassfish)

The same trick works with appsvr.

[/opt/SUNWappserver/domains/domain1/config]
# pk12util -i /root/SSL/cert.pkcs12 -d .

[/opt/SUNWappserver/domains/domain1/config]
# certutil -L -n Server-Cert -d .


To change the default instance SSL configuration, follow these steps:

[https://appserver:4848]

Configurations:
default-config:
HTTP Service:
http-listener-2: (switch to right panel)

[right panel]
SSL:
Certificate NickName: Server-Cert (replace the default s1as entry)


Good luck.

20090225

port to pid / pid to port mapper

Finally, I have written a mutual pid/port mapper (Solaris only: it relies on pfiles).

Here it is. Feel free to use it.

#!/bin/bash
#
# The mutual pid/port mapper (Solaris: relies on pfiles)
# - Marcin Wisnios [marcin AT wisnios.com]
#

# Every pid on the system, minus the ps/sed/bash helpers this script spawns itself.
all_pids() {
    ps -e -o pid,comm | sed '/PID/d; /ps/d; /sed/d; /bash/d; s/\([0-9]\{1,5\}\).*/\1/p;d'
}

case "$1" in
'')
    echo "Usage: $0 PORT | -p PID | -n NAME | -a (ALL)"
    exit 1
    ;;
'-p')
    # pid search
    P_ID="$2"
    ;;
'-n')
    # name search
    P_ID=$(pgrep "$2")
    ;;
'-a')
    # list all
    P_ID=$(all_pids)
    ;;
*)
    # port search: walk every pid and print only the sockets bound to PORT
    P_ID=$(all_pids)
    PORT="$1"
    ;;
esac

for P in $P_ID; do

    # process name, without the COMMAND header line and without the path
    N=$(ps -o comm -p "$P" | sed '/COMMAND/d')
    N=$(basename "$N")

    # pfiles prints "sockname: AF_INET6 :: port: 22" for every socket; rewrite it to addr:port
    pfiles "$P" 2>/dev/null | sed 's/.*sockname: AF_INET[6]\{0,1\} \(.*\)  port: \(.*\)/\1:\2/p;d' | while read -r L; do
        if [ -z "$PORT" ]; then
            echo "$L $P/$N"
        else
            # anchor on the end of the line so port 22 does not also match 2222
            echo "$L $P/$N" | sed "/:$PORT\$/p;d"
        fi
    done

done


Examples of use:

book [/home/wisnios]# ./ppm.sh 22
:::22 6963/sshd
::ffff:208.64.63.178:22 13491/sshd
::ffff:208.64.63.178:22 13507/sshd

book [/home/wisnios]# ./ppm.sh -n ns-slapd
:::389 7128/ns-slapd
:::636 7128/ns-slapd

book [/home/wisnios]# ./ppm.sh -p 20623
0.0.0.0:80 20623/cherokee-worker