20090328

Mac OS X ipfw traffic shaping

This is related to a recurring problem I have with image uploads: when I start uploading a new set of pictures, the rest of the traffic on my ISP connection is reduced almost to zero.

To cap the bandwidth available to the Flickr upload host, I used the commands below: a dummynet pipe limited to 256 kbit/s, and a rule that sends traffic to that host through the pipe.

% sudo ipfw pipe 1 config bw 256kbit/s

% sudo ipfw pipe show
00001: 256.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

% sudo ipfw add pipe 1 dst-ip 87.248.121.213 dst-port 80
33400 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw show
33300 0 0 deny icmp from any to me in icmptypes 8
33400 1492 2084081 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw pipe show
00001: 256.000 Kbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.1.101/57602 87.248.121.213/80 437 611800 46 64400 0

The counters in ipfw show (1492 packets, 2084081 bytes on rule 33400) and the single queue listed by ipfw pipe show confirm that only the upload flow to 87.248.121.213:80 is being shaped; the replies (destination is the local host) and traffic to any other host are untouched. Note that the rule matches one hard-coded destination address, so if the upload host later resolves to a different address the rule simply stops matching; a packet counter that does not grow during the upload is the sign of that.

When the upload has finished, remove the rule:

% sudo ipfw delete 33400

or, if no other pipes are configured, flush them all:

% sudo ipfw pipe flush
Are you sure? [yn] y

Flushed all pipes.
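The same lifecycle (create the pipe, add the rule, check that it matches, remove both) as a small shell wrapper, so the shaping is always torn down when the upload ends or is interrupted. This is an added example, not part of the original post; it assumes Mac OS X with ipfw, run as root, and the IPFW variable may be pointed at echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the ipfw/dummynet steps
# (create pipe, add rule, verify, delete) so the shaping is always removed
# when the upload finishes or is interrupted.
# Assumptions: Mac OS X with ipfw, run as root. IPFW may be overridden
# (IPFW=echo) to print the commands instead of applying them.

IPFW="${IPFW:-ipfw}"

# shape_add PIPE RULE DST_IP DST_PORT KBITS
# Creates dummynet pipe PIPE capped at KBITS kbit/s and rule number RULE that
# sends packets *to* DST_IP:DST_PORT through it. Only that direction matches
# (dst-ip is the remote host), so replies are not slowed down. The rule number
# is given explicitly so teardown does not depend on the number ipfw would
# otherwise assign (33400 in the listing above).
shape_add() {
  $IPFW pipe "$1" config bw "${5}Kbit/s" || return 1
  $IPFW add "$2" pipe "$1" ip from any to "$3" dst-port "$4"
}

# shape_del PIPE RULE: remove the rule first, then the pipe, so no packet is
# ever matched by a rule whose pipe no longer exists.
shape_del() {
  $IPFW delete "$2"
  $IPFW pipe "$1" delete
}

# shape_stats RULE: print the packet and byte counters of RULE as shown by
# `ipfw show`; a counter that does not grow during the upload means the rule
# is not matching (e.g. the upload host resolved to a different address).
shape_stats() {
  $IPFW show "$1" | awk -v r="$1" '$1 == r { print $2, $3 }'
}

# shape_run PIPE RULE DST_IP DST_PORT KBITS CMD...
# Shapes traffic to DST_IP:DST_PORT for the lifetime of CMD and removes the
# rule and pipe afterwards, also when CMD is interrupted with Ctrl-C.
shape_run() {
  sr_pipe=$1; sr_rule=$2; shift 2
  shape_add "$sr_pipe" "$sr_rule" "$1" "$2" "$3" || return 1
  shift 3
  trap 'shape_del "$sr_pipe" "$sr_rule"; exit 130' INT TERM
  "$@"; sr_rc=$?
  trap - INT TERM
  shape_del "$sr_pipe" "$sr_rule"
  return $sr_rc
}

# Usage (as root), shaping the upload client for its whole run:
#   shape_run 1 33400 87.248.121.213 80 256 /path/to/upload-client photos/*
# Check that the rule is actually matching while it runs:
#   shape_stats 33400
```

The wrapper keeps the rule and pipe numbers fixed, which is what makes the cleanup reliable; with ipfw add and no number, the rule number has to be read back from the output before it can be deleted.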

20090326

Monitoring sessions in application server

The method described below relates to the GlassFish Application Server in a Solaris 10 environment.
I use the Convergence application (from Sun Java Communications Suite) as the example, but it could be any other application deployed on the app server.

Before we start, let's check the monitoring levels of the services:

# /opt/SUNWappserver/bin/asadmin get server.monitoring-service.module-monitoring-levels.*
server.monitoring-service.module-monitoring-levels.connector-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.connector-service = OFF
server.monitoring-service.module-monitoring-levels.ejb-container = OFF
server.monitoring-service.module-monitoring-levels.http-service = OFF
server.monitoring-service.module-monitoring-levels.jdbc-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.jms-service = OFF
server.monitoring-service.module-monitoring-levels.jvm = OFF
server.monitoring-service.module-monitoring-levels.orb = OFF
server.monitoring-service.module-monitoring-levels.thread-pool = OFF
server.monitoring-service.module-monitoring-levels.transaction-service = OFF
server.monitoring-service.module-monitoring-levels.web-container = OFF

The most interesting one in this case is the last. To start monitoring a given service, switch its level to HIGH (or LOW; from GlassFish v3 on it makes no difference which).

# /opt/SUNWappserver/bin/asadmin set server.monitoring-service.module-monitoring-levels.web-container=HIGH
Please enter the admin user name>admin
Please enter the admin password>
server.monitoring-service.module-monitoring-levels.web-container = HIGH

Now let's look at all the session-counter entries. Note that asadmin reads the password from the file given with --passwordfile (a line of the form AS_ADMIN_PASSWORD=...), which keeps it out of the process list and the shell history; keep that file readable by the admin user only.

All applications:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.*.server.*session*count

Convergence only:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.*session*count


Sample command to get the current number of active Convergence sessions:

# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.activesessionscurrent-count
server.applications.Convergence.server.activesessionscurrent-count = 99
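The counter above is most useful when read repeatedly, so here is the same asadmin call wrapped in a small poller that flags when the active session count crosses a limit (a session flood, or sessions that never log out), after refusing to run if the password file is readable by anyone but its owner. This is an added example, not from the original post; the asadmin path and counter name are the ones shown above, ADMIN_USER and PWFILE are placeholders to be set for the environment, and ASADMIN may be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the original post: polls the GlassFish session
# counter and flags when it crosses a limit, after checking that the
# asadmin password file is not readable by group or others.
# Assumptions: asadmin at the path used above; ADMIN_USER and PWFILE are
# placeholders; ASADMIN may be overridden (e.g. with a fake) for testing.

ASADMIN="${ASADMIN:-/opt/SUNWappserver/bin/asadmin}"
ADMIN_USER="${ADMIN_USER:-admin}"
PWFILE="${PWFILE:-/your/favourite/path/to/password/file}"

# pwfile_private FILE: succeed only if group and others have no permission
# bits on FILE. The file holds AS_ADMIN_PASSWORD=... in clear text, so any
# access beyond the owner leaks the admin password. Uses ls -l rather than
# stat so it works on Solaris as well as Linux.
pwfile_private() {
  [ -f "$1" ] || return 1
  case $(ls -ld "$1" | cut -c5-10) in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# asadmin_value: print the value from the first "name = value" line on stdin.
asadmin_value() {
  sed -n 's/^[^=]* = //p' | head -n 1
}

# enable_web_monitoring: switch the web-container monitoring level on, as
# done interactively above.
enable_web_monitoring() {
  "$ASADMIN" set --user "$ADMIN_USER" --passwordfile "$PWFILE" \
    server.monitoring-service.module-monitoring-levels.web-container=HIGH
}

# active_sessions APP: print the current active session count of APP.
active_sessions() {
  "$ASADMIN" get --user "$ADMIN_USER" --passwordfile "$PWFILE" --monitor=true \
    "server.applications.$1.server.activesessionscurrent-count" | asadmin_value
}

# sessions_over APP LIMIT: exit 0 if APP has more than LIMIT active sessions,
# 1 if not, 2 if the counter could not be read (monitoring still OFF, wrong
# application name, authentication failure).
sessions_over() {
  so_n=$(active_sessions "$1")
  case $so_n in ''|*[!0-9]*) return 2 ;; esac
  [ "$so_n" -gt "$2" ]
}

# watch_sessions APP LIMIT INTERVAL: log the count every INTERVAL seconds,
# marking samples above LIMIT, so the log can be correlated with other events.
watch_sessions() {
  pwfile_private "$PWFILE" || { echo "refusing to run: $PWFILE is readable by others" >&2; return 1; }
  while :; do
    ws_n=$(active_sessions "$1")
    if [ "$ws_n" -gt "$2" ] 2>/dev/null; then ws_flag=" OVER $2"; else ws_flag=""; fi
    echo "$(date '+%Y-%m-%dT%H:%M:%S') $1 active-sessions=$ws_n$ws_flag"
    sleep "$3"
  done
}

# Usage: enable_web_monitoring; watch_sessions Convergence 500 60
```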

20090314

Sun Java System Directory Server Platform Support

SJSDSPS... nice title ;-)

Since yesterday I have been looking for the Directory Server installer for the AIX (6.1) system. I know there is still OpenDS, but I want the same solution I know from Solaris. The last download of DS for AIX (5.2) available on the official Sun Microsystems web site is the Directory Server 5.2 P4 Full Distribution and the Directory Server 5.2 P6 Patch. There is no way to get Directory Server Enterprise Edition (DSEE).

I thought I had missed something. Maybe the Sun guys do not like the IBM guys.
Then I found this - http://docs.sun.com/app/docs/doc/820-2759/eof-platform-support :

In future releases of Directory Server Enterprise Edition, support for Windows 2000, Red Hat Advanced Server 3.0, and J2SE platform 1.4 may be removed. Support for the native install package releases for platforms other than the Solaris operating system might be removed. Support for 32–bit versions of the software might be discontinued for some platforms. To be prepared, plan the transition to 64–bit versions of the software and to newer versions of the supported operating systems.

"Might be" or "has been" makes a difference.

And one more quotation - http://docs.sun.com/source/819-1815/index.html :

Directory Server 5.2 Patch 6 is available on the following platforms:
[...]
· IBM AIX 5.2 (Power PC) (32 bit)

The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. However, this update is validated on IBM AIX 5.2. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but IBM AIX 5.1 is no longer supported by IBM.

So the guilty party for the lack of AIX support in Directory Server is IBM itself. Am I wrong or right?
But that relates to AIX 5.2. What about AIX 5.3 and AIX 6.1? I don't know the answer. Anybody?

20090313

Linux stuff in the AIX neighbourhood

When I logged into the AIX system for the very first time I experienced the beauty of the IBM system, and helplessness. I knew only four AIX-specific commands, plus a bunch of experience from Sun Solaris.

The first stronghold was the ksh system shell. No history. No command completion. "No" in the sense I was used to, anyway. It took me a while to find the fc command.
So the first thought was to bring in zsh.

But in order to make that possible I had to know HOW and FROM WHERE.
Solaris has its sunfreeware.com and blastwave.org. AIX has the rpm database of ppc packages (the AIX Toolbox for Linux Applications).

Here it is: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html
How to get the rpm itself: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html

The rest is as simple as:

# rpm -i zsh*rpm

... after installing the dependencies first ;-) (the coreutils and grep rpm packages; rpm refuses the zsh package with "Failed dependencies" until they are present)

20090310

SSL: be prepared

Before you can start with SSL changes at the application level of the configuration, you have to prepare the certificate and its database.
First, the certificate and its private key have to be bundled into a PKCS#12 file; the PEM files cannot be imported directly:


# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert


cert.pem - the certificate issued by the Certificate Authority (CA), either local or public (Thawte, Verisign, other)
key.rsa - the private key that was used to generate (and sign) the Certificate Signing Request (CSR)
cert.pkcs12 - the PKCS#12 output file; it contains the private key, so protect it with a strong export password, keep it readable by its owner only and delete it once it has been imported
Server-Cert - any other name could be used, but in most cases this is the default certificate name (alias, nickname) that the SSL configuration refers to, e.g.
 
# configutil -o encryption.rsa.nssslpersonalityssl
Server-Cert


Messaging Server

Initialize certificate database:

# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:

This creates the database files cert8.db, key3.db and secmod.db, plus sslpassword.conf, a plain-text file holding the software token password (the one entered during generation), so it should be readable by the server's user only.
Initialization also creates a self-signed certificate with the alias Server-Cert.
Before importing, remove it, unless a different certificate name will be used.

# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias Valid from Expires on Self-signed? Issued by Issued to
----- ---------- ---------- ------------ --------- ---------
0 certificates found


Now, let's eat some certificates.

# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:

Voilà!

If there is a need to roll back to a self-signed certificate, or to renew an expired one, use similar commands:

# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert

# msgcert renew-selfsign-cert Server-Cert


Errors:

· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate

The file is still PEM, not a PKCS#12 bundle, so the NSS decoder cannot parse it
(convert it with openssl pkcs12 -export, as above)


· A certificate with the same alias already exists in the database.
Failed to import the certificate

The previously created (self-signed) certificate with the same alias has not been removed
(use msgcert remove-cert, or export the bundle under a different -name)


Web Server

We can use the same converted file to feed the web server's database.

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# certutil -L -d .
Server-Cert u,u,u

The triple 'u' (one flag per column: SSL, S/MIME email, object signing) means the database also holds the private key for this certificate, i.e. it is usable as the server's own certificate for those purposes; a trusted CA certificate would show C or T flags in those columns instead.

A self-signed certificate could also be generated with the wadm administration command:

wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully
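The PKCS#12 step is the one shared by all three servers, and most import problems (a missing intermediate, a wrong nickname, an encryption the old NSS library cannot read) are visible in the bundle before msgcert or pk12util ever touch it. The following is an added example, not from the original post: it builds the bundle with the options above plus the CA chain, inspects it, and parses the trust column of certutil -L output. It assumes OpenSSL on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: builds the PKCS#12 bundle used
# by the msgcert and pk12util imports above and checks its contents before
# import. Assumptions: OpenSSL on PATH; file names are placeholders; the
# trust-flag parser expects the output of `certutil -L -d .`.

NICK="${NICK:-Server-Cert}"   # the nickname the SSL configuration refers to

# make_p12 CERT KEY OUT PASS [CHAIN]
# Bundles CERT and KEY (plus the CA chain from CHAIN, if given, so that the
# intermediates are imported with the server cert; without them clients that
# do not already hold the intermediate fail chain validation) under nickname
# NICK. PBE-SHA1-3DES and a SHA-1 MAC are what the cert8.db era NSS library
# in these servers understands; newer OpenSSL defaults (AES, PBKDF2, SHA-256
# MAC) can be rejected at import. PASS goes through the environment rather
# than the command line so it does not show up in ps.
make_p12() {
  mp_cert=$1; mp_key=$2; mp_out=$3; mp_pass=$4; mp_chain=${5:-}
  if [ -n "$mp_chain" ]; then set -- -certfile "$mp_chain"; else set --; fi
  P12PASS=$mp_pass openssl pkcs12 -export -in "$mp_cert" -inkey "$mp_key" "$@" \
    -name "$NICK" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout env:P12PASS -out "$mp_out" || return 1
  chmod 600 "$mp_out"   # holds the private key: owner-only, delete after import
}

# p12_cert_count FILE PASS: number of certificates in the bundle
# (1 means the leaf only, i.e. the chain was left out).
p12_cert_count() {
  P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_nick FILE PASS NICKNAME: succeed if a bag in FILE carries the
# friendlyName NICKNAME, i.e. the import will create the alias the server
# configuration refers to.
p12_has_nick() {
  P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS -nokeys 2>/dev/null \
    | grep -q "^ *friendlyName: $3\$"
}

# nss_trust NICKNAME  (reads `certutil -L -d .` output on stdin)
# Prints the trust attributes column for NICKNAME. "u,u,u" (SSL, S/MIME,
# object signing) means the database also holds the private key, i.e. the
# cert is usable as the server's own certificate; CA certs show C or T flags.
nss_trust() {
  awk -v n="$1" '$1 == n { print $NF }'
}

# Usage (placeholders as above):
#   make_p12 cert.pem key.rsa cert.pkcs12 "$EXPORT_PASS" chain.pem
#   p12_cert_count cert.pkcs12 "$EXPORT_PASS"        # expect 1 + chain length
#   p12_has_nick cert.pkcs12 "$EXPORT_PASS" Server-Cert && echo nickname ok
#   certutil -L -d . | nss_trust Server-Cert          # expect u,u,u after import
```

After the import, a nickname other than the one the configuration names (Server-Cert for the messaging and web servers, s1as by default for GlassFish) is the usual reason an SSL listener still serves the old certificate, so checking the friendlyName before importing saves a restart.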


Application Server (Glassfish)

The same trick works with the app server.

[/opt/SUNWappserver/domains/domain1/config]
# pk12util -i /root/SSL/cert.pkcs12 -d .

[/opt/SUNWappserver/domains/domain1/config]
# certutil -L -n Server-Cert -d .


To change the SSL configuration of the default instance, follow these steps in the admin console:

[https://appserver:4848]

Configurations:
  default-config:
    HTTP Service:
      http-listener-2: (switch to the right panel)

[right panel]
SSL:
  Certificate NickName: Server-Cert (replace the default s1as entry)


Good luck.