Using Netdata to Monitor Nginx

This tutorial shows how to monitor Nginx using Netdata on CentOS 7. Netdata is free and open source, and it is easy to install and configure for real-time monitoring.

Steps to install and configure

  • Centos 7 Server or RHEL 7 Server
  • Install Web Server Nginx
  • Install Netdata and configure Monitor for Web Server Nginx.

1. Install Web Server Nginx

Enable EPEL repository

[root@DevopsRoles ~]# yum install epel-release

Install the Nginx package, as follows.

[root@DevopsRoles ~]# yum install nginx

Start and enable Nginx Web Server, as follows.

[root@DevopsRoles ~]# systemctl start nginx
[root@DevopsRoles ~]# systemctl enable nginx
[root@DevopsRoles ~]# systemctl status nginx

If you are running a firewall, you need to open ports 80 and 443 for the Nginx web server.

Enable Nginx Stub_Status Module

I will enable the stub_status module which netdata uses to collect metrics from your Nginx web server.

[root@DevopsRoles ~]# vi /etc/nginx/nginx.conf

Add the following location block inside the server block.

location /server_status {
    stub_status;
    allow 127.0.0.1;    # only allow requests from localhost
    deny all;           # deny all other hosts
}

Test the configuration, then restart the Nginx service for the change to take effect.

[root@DevopsRoles ~]# nginx -t
[root@DevopsRoles ~]# systemctl restart nginx

Now use the curl command to check the status page. The output should look like this:

[root@DevopsRoles ~]# curl http://127.0.0.1/server_status
Active connections: 1 
server accepts handled requests
 1 1 1 
Reading: 0 Writing: 1 Waiting: 0

3. Install Netdata on Centos 7 here

4. Configure Netdata to Monitor Nginx

The Netdata configuration for Nginx is in the /etc/netdata/python.d folder and is written in YAML format.

You can open the existing nginx.conf file or create a new one, as below.

[root@DevopsRoles python.d]# cat /etc/netdata/python.d/nginx.conf 
# The output as below:
localhost:
  name : 'local'
  url  : 'http://localhost/server_status'

localipv4:
  name : 'local'
  url  : 'http://127.0.0.1/server_status'

Restart Netdata Server

[root@DevopsRoles ~]# systemctl restart netdata 

5. Using Netdata to Monitor Nginx Web Server

Open a web browser and access the Netdata web UI.

http://NETDATA_SERVER_IP:19999
or
http://DOMAIN_NAME:19999

The result is shown in the picture below.

Conclusion

Through this article, you can use Netdata to monitor Nginx. I hope you find this helpful. Thank you for reading the DevopsRoles page!

Using Netdata to Monitor MariaDB Database

This tutorial shows how to monitor the MariaDB database using Netdata on CentOS 7. Netdata is free and open source, and it is easy to install and configure for real-time monitoring.

Steps to install and configure

  • Centos 7 Server or RHEL 7 Server
  • Install MariaDB Database
  • Install Netdata and configure Monitor for MariaDB Database.

1. Install MariaDB Database

Adding MariaDB YUM software repository.

[root@DevopsRoles ~]# vim /etc/yum.repos.d/MariaDB.repo

The content file MariaDB.repo is as follows.

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Install the MariaDB package, as follows.

[root@DevopsRoles ~]# yum install MariaDB-server MySQL-python MariaDB-client -y

Start and enable MariaDB Database Server, as follows.

[root@DevopsRoles ~]# systemctl start mariadb
[root@DevopsRoles ~]# systemctl enable mariadb
[root@DevopsRoles ~]# systemctl status mariadb

By default, the MySQL installation is insecure, so you need to secure it as follows.

[root@DevopsRoles ~]# mysql_secure_installation

Create the netdata user in MariaDB

MariaDB [(none)]> create user 'netdata'@'localhost'; 
MariaDB [(none)]> grant usage on *.* to 'netdata'@'localhost'; 
MariaDB [(none)]> flush privileges; 

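If you are running a firewall, you need to open port 3306 for the MariaDB database. Netdata connects over localhost, so open the port only if remote clients need to reach the database.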

3. Install Netdata on Centos 7 here

4. Configure Netdata to Monitor MariaDB

The Netdata configuration for MariaDB is in the /etc/netdata/python.d folder and is written in YAML format.

You can open the existing mysql.conf file or create a new one, as below.

[root@DevopsRoles python.d]# cat /etc/netdata/python.d/mysql.conf 
localhost:
  name : 'local'
  user : 'netdata'
  port : '3306'

Restart Netdata Server

[root@DevopsRoles ~]# systemctl restart netdata 

5. Using Netdata to Monitor MariaDB Database

Open a web browser and access the Netdata web UI.

http://NETDATA_SERVER_IP:19999
or
http://DOMAIN_NAME:19999

The result is shown in the picture below.

Netdata debug for mariadb

/usr/libexec/netdata/plugins.d/python.d.plugin 1 debug mysql

Netdata error for MariaDB (fixed)

2020-07-05 16:32:37: python.d ERROR: mysql[localhost] : MySQLdb or PyMySQL module is needed to use mysql.chart.py plugin

On my CentOS, the MySQL-python package was missing.

Conclusion

Through this article, you can use Netdata to monitor the MariaDB database. I hope you find this helpful.

Using Netdata to Monitor Apache Performance

This tutorial shows how to monitor Apache performance using Netdata on CentOS 7. Netdata is free and open source, and it is easy to install and configure for real-time monitoring.

Steps to install and configure

  • Centos 7 Server or RHEL 7 Server
  • Install Apache HTTP Server with mod_status_module enabled
  • Install Netdata and configure Monitor for Apache HTTP Server.

1. Install Apache HTTP server

First, install the Apache HTTP server on CentOS. I will use the Yum package manager to install Apache.

[root@DevopsRoles ~]# yum install httpd

Start and enable Apache HTTP server.

[root@DevopsRoles ~]# systemctl start httpd
[root@DevopsRoles ~]# systemctl enable httpd
[root@DevopsRoles ~]# systemctl status httpd

If you are running a firewall, you need to open ports 80 and 443 for Apache.

2. Enable mod_status module in Apache

You need to enable and configure the mod_status module in Apache. This is required by Netdata.

[root@DevopsRoles ~]# cat /etc/httpd/conf.modules.d/00-base.conf | grep mod_status
LoadModule status_module modules/mod_status.so

Create a server-status.conf for the Apache server-status page as below

[root@DevopsRoles ~]# cat /etc/httpd/conf.d/server-status.conf
<Location "/server-status">
    SetHandler server-status
    # Uncomment the next line to only allow requests from localhost. Without it,
    # any client that can reach the server can read the status page.
    #Require host localhost
</Location>

Restart Apache HTTP Server

[root@DevopsRoles ~]# systemctl restart httpd

Test working Apache Server status page.

[root@DevopsRoles ~]# curl http://localhost/server-status  
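
A quick way to check whether a status endpoint is restricted, as an added example that is not part of the original article: the function name audit_status_conf and its verdict format are made up for illustration, and the sample input is the Nginx and Apache fragments from this page with comments shortened. It assumes one directive per line and no nested blocks inside the location.

```shell
#!/bin/sh
# audit_status_conf [FILE]
# Reads an Apache or Nginx config fragment (FILE, or stdin when omitted) and
# prints one verdict per status endpoint:
#   OPEN|RESTRICTED apache|nginx <path>
audit_status_conf() {
    awk '
    /^[ \t]*#/ { next }    # commented-out directives (e.g. "#Require ...") do not count

    # ---- Apache: <Location "/path"> ... </Location> ----
    tolower($0) ~ /^[ \t]*<location[ \t]/ {
        in_ap = 1; ap_status = 0; ap_req = 0
        ap_path = $2; gsub(/[">]/, "", ap_path)
        next
    }
    in_ap && tolower($0) ~ /^[ \t]*<\/location>/ {
        if (ap_status) {
            verdict = ap_req ? "RESTRICTED" : "OPEN"
            print verdict " apache " ap_path
        }
        in_ap = 0
        next
    }
    in_ap {
        line = tolower($0)
        if (line ~ /sethandler[ \t]+server-status/) ap_status = 1
        # "Require all granted" is an explicit allow-everyone, so it does not restrict
        if (line ~ /^[ \t]*require[ \t]/ && line !~ /require[ \t]+all[ \t]+granted/) ap_req = 1
        next
    }

    # ---- Nginx: location /path { ... } ----
    /^[ \t]*location[ \t]/ {
        in_ng = 1; ng_status = 0; ng_deny = 0
        ng_path = ($2 ~ /^(=|~|~\*|\^~)$/) ? $3 : $2
        sub(/[{].*$/, "", ng_path)
        next
    }
    in_ng {
        sub(/#.*$/, "")    # Nginx allows trailing comments
        if ($0 ~ /stub_status/) ng_status = 1
        if ($0 ~ /deny[ \t]+all[ \t]*;/) ng_deny = 1
        if ($0 ~ /[}]/) {
            if (ng_status) {
                verdict = ng_deny ? "RESTRICTED" : "OPEN"
                print verdict " nginx " ng_path
            }
            in_ng = 0
        }
    }
    ' "${1:--}"
}

# Constructed sample: the two fragments from this page (comments shortened).
audit_status_conf <<'EOF'
location /server_status {
    stub_status;
    allow 127.0.0.1;    #only allow requests from localhost
    deny all;           #deny all other hosts
}
<Location "/server-status">
    SetHandler server-status
    #Require host localhost
</Location>
EOF
```

Run it against /etc/nginx/nginx.conf or /etc/httpd/conf.d/server-status.conf by passing the path as the first argument.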

3. Install Netdata on Centos 7 here

4. Configure Netdata to Monitor Apache Performance

The Netdata configuration for Apache is in the /etc/netdata/python.d folder.

You can open the existing apache.conf file or create a new one, as below.

[root@DevopsRoles ~]# cat /etc/netdata/python.d/apache.conf
localhost:
  name : 'local'
  url  : 'http://localhost/server-status?auto'

localipv4:
  name : 'local'
  url  : 'http://127.0.0.1/server-status?auto'

Restart netdata server

[root@DevopsRoles ~]# systemctl restart netdata 

5. Using Netdata to Monitor Apache Performance

Open a web browser and access the Netdata web UI.

http://NETDATA_SERVER_IP:19999
or
http://DOMAIN_NAME:19999

The result is shown below.

Conclusion

Through this article, you can use Netdata to monitor Apache performance. I hope you find this helpful.

How to Reset MariaDB root password on Centos: A Simple Guide

Introduction

MariaDB is free and open source. It is the famous fork of the MySQL database. This tutorial shows how to reset the MariaDB root password. Forgetting the root password of your MariaDB database can be a frustrating experience, especially when you need to make critical updates or changes.

However, resetting the MariaDB root password on CentOS is a manageable task if you follow the right steps. This guide will take you through a straightforward, step-by-step process to reset your MariaDB root password, ensuring you regain access to your database quickly and securely. Let’s get started and resolve this issue efficiently.

Check the version of the MariaDB server.

mysql --version

How to reset MariaDB root password

Follow these steps to reset your MySQL/MariaDB root password.

Stop the MySQL/MariaDB service

For MySQL:

sudo systemctl stop mysql

For MariaDB:

sudo systemctl stop mariadb

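Start the database server without loading the grant tables. While the server runs this way, anyone who can connect gets full access without a password, so --skip-networking is added to disable TCP connections until the reset is done.

sudo mysqld_safe --skip-grant-tables --skip-networking &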

Log in to the MySQL shell

mysql -u root

Set a new root password

For MySQL 5.7.6 and later or MariaDB 10.1.20 and later

Because the server was started with --skip-grant-tables, run FLUSH PRIVILEGES first so that account-management statements such as ALTER USER are accepted.

mysql> FLUSH PRIVILEGES;
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'MY_NEW_PASSWORD';
mysql> FLUSH PRIVILEGES;

If the ALTER USER statement doesn’t work for you, try the commands below

mysql> USE mysql;
mysql> UPDATE user SET password=PASSWORD('MY_NEW_PASSWORD') WHERE User='root' AND Host = 'localhost';
mysql> FLUSH PRIVILEGES;

For MySQL 5.7.5 and earlier or MariaDB 10.1.20 and earlier:

mysql> FLUSH PRIVILEGES;
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MY_NEW_PASSWORD');
mysql> FLUSH PRIVILEGES;

Stop and Start MySQL/MariaDB

For MySQL:

sudo systemctl stop mysql
sudo systemctl start mysql

For MariaDB:

sudo systemctl stop mariadb
sudo systemctl start mariadb

Verify the password

mysql -u root -p

Conclusion

You have reset the MariaDB root password on CentOS. By following the steps outlined in this guide, you should now have successfully reset your password and regained control over your MariaDB database. Remember, maintaining secure and up-to-date records of your credentials is essential to avoid similar issues in the future. If you encounter any problems or need further assistance, don’t hesitate to reach out for support. I hope you find this helpful. Thank you for reading the DevopsRoles page!

Step-by-Step Guide to Install Tomcat7, Java 1.8, and Solr on CentOS 7

Introduction

In this tutorial, we’ll walk through the process of installing Tomcat 7, Java 1.8, and Solr on CentOS 7. First, ensure your system is up to date by running the necessary updates. Then, proceed to download and install Java 1.8, configuring the environment variables accordingly. Next, set up Tomcat 7, adjusting the necessary configurations for optimal performance.

Finally, integrate Solr into Tomcat to leverage its powerful search capabilities. Throughout the tutorial, I’ll provide step-by-step instructions to guide you seamlessly through each installation process. By the end, you’ll have a fully functional and efficient setup of Tomcat 7, Java 1.8, and Solr on your CentOS 7 system.

Install Tomcat7, Java 1.8 and Solr

Install Java 1.8 and Tomcat 7

sudo yum install java-1.8.0-openjdk*
sudo yum install tomcat
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo systemctl restart firewalld.service
sudo systemctl enable tomcat.service
sudo systemctl start tomcat

Download the Solr source, plus Ant and Ivy, which are used to compile Solr.

yum install wget
wget -P /home/vagrant/ http://archive.apache.org/dist/lucene/solr/4.10.2/solr-4.10.2-src.tgz
wget -P /home/vagrant/ https://downloads.apache.org//ant/binaries/apache-ant-1.10.8-bin.tar.gz
wget -P /home/vagrant/ https://downloads.apache.org/ant/ivy/2.4.0/apache-ivy-2.4.0-bin.tar.gz
cd /home/vagrant/
tar zxvf solr-4.10.2-src.tgz
tar zxvf apache-ant-1.10.8-bin.tar.gz
tar zxvf apache-ivy-2.4.0-bin.tar.gz

[vagrant@Server01 ~]$ cp apache-ivy-2.4.0/ivy-2.4.0.jar apache-ant-1.10.8/lib/

Setting environment variables

export ANT_HOME=/home/vagrant/apache-ant-1.10.8
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64/
export PATH=${PATH}:${ANT_HOME}/bin

Edit /etc/tomcat/server.xml file

<Connector port="8080" protocol="HTTP/1.1"
 connectionTimeout="20000"
 redirectPort="8443" URIEncoding="UTF-8" useBodyEncodingForURI="true" />

Compiling Solr

cd /home/vagrant/solr-4.10.2
ant clean
ant compile
cd solr
ant dist

Logging settings

cp /home/vagrant/solr-4.10.2/solr/example/lib/ext/* /usr/share/tomcat/lib
cp /home/vagrant/solr-4.10.2/solr/example/resources/log4j.properties /usr/share/tomcat/lib

Placing the WAR file

cp /home/vagrant/solr-4.10.2/solr/dist/solr-4.10.2-SNAPSHOT.war /var/lib/tomcat/webapps/solr.war

Create a directory for solr.home

mkdir -p /var/lib/solr/home
# Give the tomcat service account ownership instead of making the tree world-writable
chown -R tomcat:tomcat /var/lib/solr/home
vi /var/lib/solr/home/solr.xml

The content of solr.xml is as follows.

<?xml version="1.0" encoding="UTF-8" ?>
<solr persistent="false">
  <cores adminPath="/admin/cores">
  <core name="test" instanceDir="test" config="solrconfig.xml" schema="schema.xml"/>
  </cores>
</solr>

Modify /etc/tomcat/tomcat.conf

JAVA_OPTS="${JAVA_OPTS} -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dsolr.solr.home=/var/lib/solr/home"

Create a directory for the core

mkdir -p /var/lib/solr/home/test/conf
mkdir -p /var/lib/solr/home/test/data
cp /home/vagrant/solr-4.10.2/solr/example/solr/collection1/conf/* /var/lib/solr/home/test/conf/
# Solr runs as the tomcat user and must be able to write the index under data/
chown -R tomcat:tomcat /var/lib/solr/home/test

Edit these files as needed.

vi /var/lib/solr/home/test/conf/solrconfig.xml
vi /var/lib/solr/home/test/conf/schema.xml

Conclusion

In this guide, we have successfully installed and configured Tomcat7, Java 1.8, and Solr on CentOS 7. By following the detailed steps outlined above, you should now have a fully functional setup that is ready for web application deployment and advanced search capabilities.

This combination of technologies provides a robust foundation for developing and managing enterprise-level applications. Remember to regularly update your software to ensure security and performance enhancements. If you encounter any issues or have further questions, don’t hesitate to consult the official documentation or seek help from the community. I hope you find this helpful. Thank you for reading the DevopsRoles page!

Mastering the rev command in Linux: Reversing Text Lines

Introduction

In this guide, we’ll explore how to use the rev command in Linux, a powerful tool for reversing the characters in each line of text. Essential for many DevOps roles, the rev command enhances file manipulation and helps in reversing outputs from other commands. Let’s dive into how this simple yet effective command can streamline your text-processing tasks in Linux environments.

The syntax of the rev command in Linux

rev [option] [file...]

Some common options for the “rev” command include:

  • -V: Displays the version information for the command.
  • -h: Shows the help information.
  • -c: Treats input as single characters instead of entire lines.

In the manual page, the rev command is described succinctly as a utility to “reverse lines character-wise.” For comprehensive information about the rev command, including its options and examples, refer to the man page by entering man rev in the terminal. This will provide detailed insights into its functionality and usage.

Examples of the rev command

Use the rev command to reverse the output of the hostname command, as below

[root@ip-10-0-0-236 ~]# hostname
ip-10-0-0-236.us-east-2.compute.internal
[root@ip-10-0-0-236 ~]# hostname | rev
lanretni.etupmoc.2-tsae-su.632-0-0-01-pi
[root@ip-10-0-0-236 ~]#

To get the last 8 characters, combine the rev command with the cut command.

[root@ip-10-0-0-236 ~]# hostname
ip-10-0-0-236.us-east-2.compute.internal
[root@ip-10-0-0-236 ~]# hostname | rev | cut -b 1-8 | rev
internal

Sorting File Lines by Last Character

[ec2-user@ip-172-31-45-95 ~]$ cat domain.txt
devopsroles.com
abc.xyz
huuphan.com

[ec2-user@ip-172-31-45-95 ~]$ cat domain.txt  | rev | sort | rev
huuphan.com
devopsroles.com
abc.xyz

Conclusion

Throughout this article, you’ve seen how to use the rev command to reverse characters in Linux. It’s important to remember that the rev command does not alter the original file; it merely displays the reversed output in the terminal or saves it to a new file. I hope you find these examples helpful for mastering the rev command. Thank you for reading at DevopsRoles!

Install Active Directory Windows Server 2012 R2

Introduction

Setting up Active Directory (AD) on Windows Server 2012 R2 is a crucial task for any organization aiming to manage users, groups, and computers efficiently. Active Directory provides a centralized and standardized system that automates network management, enhancing security and ease of access. In this guide, we will walk you through the step-by-step process of installing Active Directory on Windows Server 2012 R2, ensuring that your infrastructure is robust, secure, and ready to handle your organizational needs.

I. Prepare

To get started, ensure that you have Windows Server 2012 R2 installed on VirtualBox. If you haven’t done this yet, you can follow VirtualBox’s installation guide to set up your virtual machine with Windows Server 2012 R2. Once your server is ready, proceed with the following steps to install Active Directory on Windows Server 2012 R2.

II. Install

1. Run [Start] – [Server Manager].

2. Click [Add roles and features].

3. Click the [Next] button.

4. Select [Role-based or feature-based installation].

5. Select a Host to which you’d like to add services.

6. Check a box [Active Directory Domain Services].

7. Additional features are required to add AD DS. Click the [Add Features] button.

8. Click the [Next] button.

9. Click the [Next] button.

10. Click the [Next] button.

11. Click [Install] button.

12. Installation is started.

13. After finishing Installation, click [Close] button.

III. Configure New DC (Domain Controller).

1. Run [Server Manager] and click [AD DS].

2. Click the [More…] link which is upper-right.

3. Click the [Promote this server to domain...] link.

4. Check a box [Add a new forest] and input any Domain name you’d like to set for the [Root domain name] field.

5. Select [Forest functional level] and [Domain functional level]. 

Set any password for Directory Services Restore Mode.

6. Click the [Next] button.

7. Set NetBIOS name.

8. Specify the Database folder or Log folder and so on. It’s Ok to keep default if you don’t have specific requirements.

9. Check the contents you configured and click the [Next] button.

10. Click the [Install] button. After finishing installation, the System will restart.

11. After restarting the System, the logon name is changed to [Domain name]\[User name].

Conclusion

By following this guide, you have successfully installed and configured Active Directory on your Windows Server 2012 R2. This setup not only streamlines user and resource management but also strengthens your network security. With AD in place, you can now leverage its full capabilities to enhance your organization’s IT infrastructure, ensuring efficient and secure operations. As your organization grows, Active Directory will continue to provide the scalability and reliability needed to manage complex network environments. The end! Happy with Windows Server. Thank you for reading the DevopsRoles page!

Hide password in Jenkins console

Introduction

How do you hide a password in the Jenkins console output? Some build jobs require a username and password, and the password should be hidden for security. I use the Jenkins Mask Passwords plugin to hide the password in the Jenkins console output.

Jenkins Mask Passwords plugin

This plugin allows masking passwords that may appear in the console.

You need to install the Mask passwords plugin in Jenkins.

For example

I will create the Mask_Passwords_Before job as in the picture below.

As the picture above shows, the password appears in the console. This is dangerous.

Now, I use the Mask Passwords plugin to hide passwords in the Jenkins console output.

Create Mask_Passwords_After job

As a result, the passwords are hidden in the Jenkins console output.


❓ Frequently Asked Questions (FAQ)

Q1: Is it safe to echo environment variables in Jenkins?

No, especially if they contain secrets. Even if Jenkins masks values, certain command structures can cause secrets to leak.

Q2: How do I ensure a password is masked in Jenkins console?

Use the credentials() method or the withCredentials block. Additionally, avoid echoing secrets and use the Mask Passwords Plugin for extra safety.

Q3: Can secrets leak through error logs?

Yes, poorly written scripts or verbose debug logs can expose secrets. Always sanitize error output and avoid set -x in shell scripts.

Q4: Do all Jenkins plugins respect credential masking?

Not always. Some third-party or community plugins may inadvertently expose secrets. Stick to trusted plugins and test thoroughly.

Q5: Can I revoke access to a leaked credential?

Yes. Rotate the secret immediately and update Jenkins with the new credential. Audit logs to assess impact.
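
The leak described in Q1 and Q3, as an added example that is not part of the original article or the plugin's own code: console masking is modelled here as literal string replacement (an assumption), and the function names, the sample secret and the sample log lines are constructed. The audit step scans a masked log for the secret in base64 and hex form, which literal masking passes through.

```shell
#!/bin/sh
# mask_console SECRET: stdin -> stdout, every literal occurrence of SECRET is
# replaced with ********. Matching is literal (not regex), so characters such
# as . * [ in the secret need no escaping.
mask_console() {
    MASK_SECRET=$1 awk '
    BEGIN { s = ENVIRON["MASK_SECRET"] }
    s == "" { print; next }
    {
        out = ""; rest = $0
        while ((i = index(rest, s)) > 0) {
            out = out substr(rest, 1, i - 1) "********"
            rest = substr(rest, i + length(s))
        }
        print out rest
    }'
}

# secret_variants SECRET: prints "label value" for each form the audit looks for.
# Only the secret encoded on its own is covered; a secret encoded together with
# other text (for example user:secret) produces a different string.
secret_variants() {
    printf 'literal %s\n' "$1"
    printf 'base64 %s\n' "$(printf '%s' "$1" | base64 | tr -d '\n')"
    printf 'hex %s\n' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# audit_console SECRET: reads a console log on stdin and prints LINE:label for
# every line that still contains the secret in one of the forms above.
audit_console() {
    audit_secret=$1
    audit_log=$(cat)
    secret_variants "$audit_secret" | while read -r label value; do
        printf '%s\n' "$audit_log" | grep -nF -- "$value" |
        while IFS=: read -r lineno rest; do
            printf '%s:%s\n' "$lineno" "$label"
        done
    done
}

# sample_console SECRET: constructed console output of a build step that ran
# with shell tracing (set -x) enabled and also printed the secret base64-encoded.
sample_console() {
    printf '%s\n' "+ curl -u deploy:$1 https://repo.example.invalid/upload"
    printf '%s\n' "+ printf %s $1 | base64"
    printf '%s\n' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

SECRET='S3cr3t-Lab-Value'    # constructed sample value, not a real credential
# Lines 1 and 2 are masked; line 3 survives masking and is reported.
sample_console "$SECRET" | mask_console "$SECRET" | audit_console "$SECRET"
```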

Conclusion

Through this article, you can hide passwords in the Jenkins console as shown above. I hope you find this helpful. Thank you for reading the DevopsRoles page!

How to setup SSL/TLS connection for AWS RDS Oracle Database using SQL*PLUS, SQL Developer, JDBC

Introduction

Hi everyone, today I am going to show everyone how to set up an SSL / TLS connection from the client to the AWS RDS Oracle Database.

Prepare AWS RDS Oracle Database

  • An EC2 instance with Windows Server 2019.
  • An RDS Oracle instance (12.1.0.2.v19)
  • A normal connection to the RDS Oracle instance over the TCP protocol

Check the current connection with the following command

sqlplus admin/admin12345@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl12.xxxxxxx.ap-northeast-1.rds.amazonaws.com)(PORT=1521))(CONNECT_DATA=(SID=SSLLAB)))

sqlplus > SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;

Task today

  1. Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.
  2. Adding the SSL Option
  3. Using SQL*Plus for SSL/TLS connections(with Oracle Wallets).
  4. Using SQL Developer for SSL/TLS connections(with JKS).
  5. Using JDBC to establish SSL/TLS connections(with JKS).

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019

1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

2. In the navigation pane, choose Databases, and then choose the DB instance that you want to modify.

3. Choose Modify. The Modify DB Instance page appears.

4. In the Network & Security section, choose rds-ca-2019.

5. Choose Continue and check the summary of modifications.

6. To apply the changes immediately, choose Apply immediately. Choosing this option restarts your database immediately.

Adding the SSL Option

1. Create a new option group or modify an existing one to which you can add the SSL option for your RDS instance.

Add the SSL option to the option group.

Setting the option

SQLNET.CIPHER_SUITE:SSL_RSA_WITH_AES_256_CBC_SHA

SQLNET.SSL_VERSION:1.0 or 1.2

FIPS.SSLFIPS_140:TRUE

2. Configure the security group used by your RDS Oracle instance to allow inbound port 2484, with the source range set to your VPC IPv4 CIDR or the EC2 client instance.

Using SQL*Plus for SSL/TLS connections

1. Download middleware

  • Oracle Database Client (12.1.0.2.0) for Microsoft Windows (x64), required for the orapki utility.

Install Folder path: C:\app\client\Administrator\product\12.1.0\client_1

2. Download the 2019 root certificate that works for all AWS Regions and put the file in the ssl_wallet directory.

https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

Folder path: C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet

3. Run the following command to create the Oracle wallet.

C:\app\client\Administrator\product\12.1.0\client_1\BIN\orapki wallet create -wallet C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet -auto_login_only

4. Run the following command to add a cert to the Oracle wallet.

C:\app\client\Administrator\product\12.1.0\client_1\BIN\orapki wallet add -wallet C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet -trusted_cert -cert C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet\rds-ca-2019-root.pem -auto_login_only

5. Run the following command to confirm that the wallet was updated successfully.

C:\app\client\Administrator\product\12.1.0\client_1\BIN\orapki wallet display -wallet C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet

6. Create the net service name to log in with SQL*PLUS.

  • Create the file C:\app\client\Administrator\product\12.1.0\client_1\network\admin\tnsnames.ora with the following content.
ORCL12 =
(DESCRIPTION =
 (ADDRESS = (PROTOCOL = TCPS)(HOST = orcl12.xxxxxxx.ap-northeast-1.rds.amazonaws.com)(PORT = 2484))
 (CONNECT_DATA=
  (SERVER = DEDICATED)
  (SERVICE_NAME = SSLLAB))
)
  • Edit C:\app\client\Administrator\product\12.1.0\client_1\network\admin\sqlnet.ora file with content.
WALLET_LOCATION=  
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=  
         (DIRECTORY=C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet)))
SSL_CLIENT_AUTHENTICATION = FALSE    
SSL_VERSION = 1.2    
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)    
SSL_SERVER_DN_MATCH = NO   
SQLNET.AUTHENTICATION_SERVICES = (TCPS,TNS)    
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) 
  • Setting TNS_ADMIN user environment
TNS_ADMIN = C:\app\client\Administrator\product\12.1.0\client_1\network\admin\

7. Test connect with SQL*PLUS

sqlplus admin/admin12345@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=orcl12.xxxxxxxxx.ap-northeast-1.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SID=SSLLAB)))
or with TNS name service
sqlplus admin/admin12345@ORCL12
SELECT SYS_CONTEXT('USERENV', 'network_protocol') FROM DUAL;
tcps

Using SQL Developer for SSL/TLS connections

1. Download middleware

2. Convert the certificate to .der format using the following command.

openssl x509 -outform der -in C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet\rds-ca-2019-root.pem -out rds-ca-2019-root.der

Copy the output file to C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet\rds-ca-2019-root.der

3. Create the Keystore using the following command.

C:\app\client\Administrator\product\12.1.0\client_1\jdk\bin\keytool -keystore clientkeystore -genkey -alias client

Copy the output file to C:\app\client\Administrator\product\12.1.0\client_1\jdk\jre\lib\security\clientkeystore

4. Import the certificate into the key store using the following command.

C:\app\client\Administrator\product\12.1.0\client_1\jdk\bin\keytool -import -alias rds-root -keystore C:\app\client\Administrator\product\12.1.0\client_1\jdk\jre\lib\security\clientkeystore -file C:\app\client\Administrator\product\12.1.0\client_1\ssl_wallet\rds-ca-2019-root.der
Enter the clientkeystore password and answer yes to the question below to import the certificate.

Trust this certificate? [no]:  yes
 Certificate was added to keystore

5. Confirm that the key store was updated successfully.

C:\app\client\Administrator\product\12.1.0\client_1\jdk\bin\keytool -list -v -keystore C:\app\client\Administrator\product\12.1.0\client_1\jdk\jre\lib\security\clientkeystore

6. Download the new version of JCE for JDK6, remove the old jar files, and copy the new jar files into the directory C:\app\client\Administrator\product\12.1.0\client_1\jdk\jre\lib\security\

Note: If you are using another version of the JDK, please refer to the following link and download the correct version of JCE.

https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https

7. Edit the C:\app\client\sqldeveloper\sqldeveloper\bin\sqldeveloper.conf file and add the following lines.

SetJavaHome C:\app\client\Administrator\product\12.1.0\client_1\jdk
#Configure some JDBC settings
AddVMOption -Djavax.net.ssl.trustStore=C:\app\client\Administrator\product\12.1.0\client_1\jdk\jre\lib\security\clientkeystore	
AddVMOption -Djavax.net.ssl.trustStoreType=JKS	
AddVMOption -Djavax.net.ssl.trustStorePassword=admin12345	
AddVMOption -Doracle.net.ssl_cipher_suites=TLS_RSA_WITH_AES_256_CBC_SHA

8. Test the connection to the AWS RDS Oracle instance from the SQL Developer tool with the connection string.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=orcl12.cgl7xlmapx2h.ap-northeast-1.rds.amazonaws.com)(PORT=2484))(CONNECT_DATA=(SID=SSLLAB)))

Using JDBC to establish SSL/TLS connections

1. Source code sample.

The following code example shows how to set up the SSL connection using JDBC.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class OracleSslConnectionTest {
    private static final String DB_SERVER_NAME = "orcl12.xxxxxx.ap-northeast-1.rds.amazonaws.com";
    private static final String SSL_PORT = "2484";
    private static final String DB_SID = "SSLLAB";
    private static final String DB_USER = "admin";
    private static final String DB_PASSWORD = "admin12345";

    // JKS trust store that holds the RDS root certificate imported earlier
    private static final String KEY_STORE_FILE_PATH = "C:\\app\\client\\Administrator\\product\\12.1.0\\client_1\\jdk\\jre\\lib\\security\\clientkeystore";
    private static final String KEY_STORE_PASS = "admin12345";
    private static final String SSL_CIPHER_SUITES = "TLS_RSA_WITH_AES_256_CBC_SHA";

    public static void main(String[] args) throws SQLException {
        final Properties properties = new Properties();
        final String connectionString = String.format(
                "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=%s)(PORT=%s))(CONNECT_DATA=(SID=%s))(SECURITY = (SSL_SERVER_CERT_DN = \"CN=Amazon RDS Root 2019 CA,OU=Amazon RDS,O=Amazon Web Services, Inc.,ST=Washington,L=Seattle,C=US\")))",
                DB_SERVER_NAME, SSL_PORT, DB_SID);
        properties.put("user", DB_USER);
        properties.put("password", DB_PASSWORD);

        // Trust store used to validate the server certificate chain
        properties.put("javax.net.ssl.trustStore", KEY_STORE_FILE_PATH);
        properties.put("javax.net.ssl.trustStoreType", "JKS");
        properties.put("javax.net.ssl.trustStorePassword", KEY_STORE_PASS);

        properties.put("oracle.net.ssl_cipher_suites", SSL_CIPHER_SUITES);

        // If no exception is thrown, the handshake has passed and an SSL connection was opened.
        // try-with-resources closes the connection when the test is done.
        try (Connection connection = DriverManager.getConnection(connectionString, properties)) {
            System.out.println("connected..");
        }
    }
}

2. Test the connection to the AWS RDS Oracle instance with the JDBC thin driver.

java -Djavax.net.debug=all -cp .;C:\app\client\Administrator\product\12.1.0\client_1\jdbc\lib\ojdbc7.jar OracleSslConnectionTest

The end. Good luck to you, and happy with AWS cloud.

Thank you for reading the DevopsRoles page!

DevOps Use Docker to hands-on Ansible

Introduction

In this tutorial, I demonstrate how to use Docker for hands-on Ansible automation. Learn how to leverage Docker in a DevOps workflow and streamline configuration management with Ansible. A practical guide for DevOps professionals and beginners.

DevOps Use Docker

My Laptop Setup:

  • Operating System: Windows 10
  • Tools: Docker and Docker Compose

Docker is used to create one Ansible container and two target containers, server01 and server02. Ansible commands are executed in the Ansible container against the two target containers.

Let's use Docker for hands-on Ansible

Directory Structure

├── Docker
│   ├── Ansible_Control_node
│   │   └── Dockerfile      
│   └── Target_Server
│       └── Dockerfile      
├── docker-compose.yml      
├── hosts            
└── playbook.yml

Explain File and Directory Structure

I will not explain Docker here because it is outside the scope of this post. The basic Ansible files are:

  1. hosts: the file that describes the target servers
  2. playbook.yml: the playbook, which creates a new file devopsroles.txt on the two targets.

The content of the files is as below

docker-compose.yml file

version: '3'
services:
  ansible:
    container_name: ansible
    # Build contexts live under the Docker/ directory shown in the tree above
    build: ./Docker/Ansible_Control_node
    tty: true
    working_dir: "/var/data"
    volumes:
      - .:/var/data

  server01:
    container_name: server01
    build: ./Docker/Target_Server
    tty: true
  server02:
    container_name: server02
    build: ./Docker/Target_Server
    tty: true

playbook.yml file

- hosts: target
  tasks:
  - name: "Create new file devopsroles.txt"
    shell: |
        touch devopsroles.txt

hosts file

[target]
server01
server02

Ansible_Control_node/Dockerfile file

FROM centos
# Lab only: skip SSH host key verification for the throwaway target containers
ENV ANSIBLE_HOST_KEY_CHECKING=False
RUN yum install epel-release -y && \
    yum update -y && \
    yum install -y openssh-server openssh-clients net-tools && \
    yum install -y ansible
CMD /bin/bash

Target_Server/Dockerfile file

# Centos image latest
FROM centos:latest

# Install OpenSSh server with yum
RUN yum -y install openssh-server openssh-clients

# Created because public key is required when starting sshd
RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
RUN ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa

# Allow login with an empty password (lab only; the compose file publishes no ports to the host)
RUN sed -ri 's/^#PermitEmptyPasswords no/PermitEmptyPasswords yes/' /etc/ssh/sshd_config

# Set an empty root password
RUN echo "root:" | chpasswd

EXPOSE 22

# Start sshd
CMD ["/usr/sbin/sshd", "-D"]

Start Ansible and two target containers.

docker-compose up -d

Connect to Ansible container

docker exec -it ansible /bin/bash

Connect over SSH without a password from the Ansible container to the two target containers.

ssh server01
exit
ssh server02
exit

Run the Ansible command.

ansible-playbook -i hosts playbook.yml

Execution result of Ansible

Conclusion

Using Docker with Ansible in DevOps simplifies automation and improves efficiency. By integrating these powerful tools, you can streamline your deployment and configuration management processes. Thank you for visiting the DevOpsRoles.com page.
