CQ Development Team Server “In A Box” (Updated)

Posted in: Enterprise Java

I just finished publishing a new machine image that includes improvements to integrate with the new repo.adobe.com Maven repository, and to deploy CQ as a service so that it will start up and shut down with the operating system.

Check the details here:

http://cqblueprints.com/xwiki/bin/view/Blue+Prints/CQ+Development+Team+Server+%22In+A+Box%22

How To Test Drive Development With Linux

Posted in: System Administration

An Email Strategy

Posted in: System Administration

Anyone with an email address has had to deal with spam. Insidious, potentially offensive, sometimes incomprehensible but definitely time wasting spam. It is such a problem that there is a whole industry of software products out there to deal with the spam. Some of these tools can delete the spam straight away, others just tag it and allow you to redirect it to a Spam folder or something similar. But what none of them can tell you is who gave away your email address? Was it that online store you purchased a gift from last month? Did they then sell your email address to a list broker? Maybe it was a co-worker playing a joke that gave your personal address to that porn site?

Wouldn’t it be nice to know who gave away your email address? I certainly want to know.

In addition, unfortunately as good as some of the tools out there are, some spam inevitably gets through. I have given up on email addresses because they had become so riddled with spam that the signal to noise ratio was not worth the effort anymore. My original Yahoo! mail account comes to mind. I want to be able to block as much spam as possible – not tag it or redirect it, I simply want to know nothing about its existence in the first place.

So this is how I manage my email and deal with spam.

Firstly I purchased my own domain name and I set up an email server to host the email for that domain. Even the most basic Linux hosting plans will be more than enough for this purpose.

Next I set up just one real account on the email server. I then configured the server to redirect all of the email sent to that domain to that one real account. This is often called a catch-all account.

Now whenever I need to provide an email address for something, I use a unique one-off address. For example, when I signed up for Netflix, I used netflix@mydomain.com as the email address for my account. Whenever Netflix sends me an email at that address, it still ends up in my Inbox because of the catch-all account. I also know that if I start getting spam email being sent to netflix@mydomain.com then I need to have some harsh words with Netflix (thankfully this has not happened with Netflix).

If you implement this strategy, you’ll be surprised how many of these one-off addresses you end up creating. So to keep things organized (and so I do not forget who I gave the address to) I try to map these addresses to the domain names of the website or the company I am giving them to. This, however, will raise some eyebrows from time to time. When the car salesman at the BMW dealership asks for your email address and you tell him it is bmw@mydomain.com you will almost certainly get a strange look.

OK, so now I can give out unique (traceable) email addresses to companies and websites when they ask for them. If I start getting spam being sent to a specific address, I know who sold me out. It also means that the email address that my personal friends and family use is kept reasonably secluded and not plastered all over websites and in databases all over the planet.

Now what do I do if the spam being sent to one of these unique email addresses gets out of hand? Easy, I just block receiving email for that address on the server. Any email sent to that address will bounce back to the sender with a message telling them that the account is no longer valid. I never see the email, I am never even aware of its existence, I never waste time downloading it to my phone or laptop. Perfect. In addition, the rest of my email is not affected, it still all gets through.

In my environment I run Sendmail as my mail server. Configuring Sendmail to completely block certain recipient addresses is very simple. You will need to edit the file /etc/mail/access, which is a simple text file – if it does not exist, you can create it. In this file, you will need to add a line for each address you want to block. Here is an example:

To:bmw@mydomain.com REJECT
To:vistaprint@mydomain.com REJECT

Sendmail will reject/bounce any inbound message sent to either of these 2 addresses. In my actual file I have about 15 addresses total being bounced currently.

Once you have edited the access file, you have to turn it into the database format that Sendmail expects. This is also easy to do.

$ cd /etc/mail
$ makemap hash access.db < access

That’s it. You don’t even need to restart Sendmail, the settings take effect straight away. Anytime you need to start rejecting another email you just add another line to the access file and regenerate the database.
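The edit-and-rebuild routine above, wrapped as an added example (not code from the original post): the function names and the `ACCESS_FILE` variable are assumptions made for illustration. Sendmail only enforces `To:` entries against recipients when the `access_db` and `blacklist_recipients` features are enabled in sendmail.mc.

```shell
#!/bin/sh
# Added example: manage recipient blocks in a Sendmail access file.
# Function names and ACCESS_FILE are illustrative, not part of Sendmail.

ACCESS_FILE="${ACCESS_FILE:-/etc/mail/access}"

# block_recipient ADDRESS [FILE]
# Returns 0 if an entry was added, 1 if one already exists, 2 if ADDRESS is invalid.
block_recipient() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    file="${2:-$ACCESS_FILE}"

    # Accept only one local@domain pair made of safe characters, so nothing
    # typed here can add a second field or a second line to the map source.
    case "$addr" in
        *[!a-z0-9._+@-]*|*@*@*|@*|*@|'') return 2 ;;
        *@*) ;;
        *) return 2 ;;
    esac

    # Exact match on the key field; a prefix match would confuse
    # bmw@mydomain.com with bmw@mydomain.community.
    if [ -f "$file" ] &&
       awk -v k="to:$addr" 'tolower($1) == k { f = 1 } END { exit !f }' "$file"
    then
        return 1
    fi
    printf 'To:%s\tREJECT\n' "$addr" >> "$file"
    return 0
}

# list_blocked [FILE]: print every recipient that currently has a REJECT entry.
list_blocked() {
    awk 'tolower($1) ~ /^to:/ && toupper($2) == "REJECT" {
             sub(/^[Tt][Oo]:/, "", $1); print $1
         }' "${1:-$ACCESS_FILE}"
}

# rebuild_access_map [FILE]: regenerate the hash database, as in the post.
rebuild_access_map() {
    file="${1:-$ACCESS_FILE}"
    makemap hash "$file.db" < "$file"
}
```

Run `block_recipient` followed by `rebuild_access_map` as root; `list_blocked` gives a quick audit of which one-off addresses have been retired.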

Now, in the spirit of full disclosure, I admit that I do still get some spam. This is spam that is being sent to addresses that are legitimate and which I do not want to block. But I do know that the number of spam messages I do see versus the number that are getting bounced is slanted heavily in my favor – something like 1 or 2 per day get through versus 1 or 2 hundred that are getting bounced.

Let me know if you have any other ideas for taking better control of your email.

Installing JBoss Portal

Posted in: Enterprise Java, System Administration

Today I finished a successful fresh install of JBoss Portal. Below is the process I followed.

Versions

  • JBoss Portal — 2.7.2 (bundled with JBoss AS 4.2.3)
  • JavaSE — 5.0 Update 19
  • MySQL — 5.1.34 (Community Edition)
  • Linux Flavor — Red Hat Enterprise Linux Server 5.2 (64 bit)

Step 1 – Downloads

  1. I grabbed the Java installer from here http://java.sun.com/javase/downloads/index_jdk5.jsp. The downloaded file was called jdk-1_5_0_19-linux-amd64-rpm.bin
  2. I grabbed the Portal binaries from here http://www.jboss.org/jbossportal/download/index.html. The downloaded file was called jboss-portal-2.7.2-bundled.zip
  3. I grabbed the MySQL binary from here http://dev.mysql.com/downloads/mysql/5.1.html#linux-rhel5-x86-64bit-rpms. I downloaded the server (MySQL-server-community-5.1.34-0.rhel5.x86_64.rpm) and the client (MySQL-client-community-5.1.34-0.rhel5.x86_64.rpm) RPMs
  4. I grabbed the MySQL JDBC driver from this page http://dev.mysql.com/downloads/connector/j/5.1.html. The downloaded file was called mysql-connector-java-5.1.7.tar.gz

Step 2 – Install JavaSE

  1. I made the installer executable

    $ chmod +x jdk-1_5_0_19-linux-amd64-rpm.bin
  2. Then executed the installer

    $ ./jdk-1_5_0_19-linux-amd64-rpm.bin
  3. I paged through endless legal boilerplate and accepted it by typing yes and hitting enter (hopefully I didn’t sell my soul)
  4. The installer extracted the RPM file and installed it.
    I double checked the package was installed by querying the RPM database:

    $ rpm -q jdk
    jdk-1.5.0_19-fcs
    $

    This RPM installed all of the files into /usr/java/jdk1.5.0_19

  5. I edited the /etc/profile file to make the JAVA_HOME environment variable and Java binaries available to everyone on the box. I added the following lines to achieve this

    export JAVA_HOME=/usr/java/jdk1.5.0_19
    export PATH=$PATH:$JAVA_HOME/bin
  6. I double checked it all worked

    $ source /etc/profile
    $ echo $JAVA_HOME
    /usr/java/jdk1.5.0_19
    $

Step 3 – Deploy Portal Binaries

  1. I am never sure the correct place in a Linux distribution to put 3rd party stuff, but I went with /usr/local this time

    $ pwd
    /usr/local
    $ unzip ~/jboss-portal-2.7.2-bundled.zip

    This created the directory /usr/local/jboss-portal-2.7.2

  2. Once again, I edited the /etc/profile file to add the JBoss environment to it by adding the following line

    export JBOSS_HOME=/usr/local/jboss-portal-2.7.2

    Then I tested it

    $ source /etc/profile
    $ echo $JBOSS_HOME
    /usr/local/jboss-portal-2.7.2
    $

Step 4 – Change Default Port (Optional)
For my install I have no need to run Apache in front of JBoss, so I want JBoss to listen (or more correctly, have Tomcat listen) directly on port 80 – by default it listens on 8080.

  1. I opened the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file (which is a standard Tomcat configuration file) in an editor.
  2. I changed the port of the HTTP connector to 80 (you can find it by searching for 8080). I also changed the HTTPS connector to use 443 (you can find this one by searching for 8443). I then changed the value of the redirectPort attribute of the HTTP connector to match.

Step 5 – Change Portal to be the root web app. (Optional)
For my install, the Portal will be the main application on the server, so I want it to be accessible from the root of the server, and not have to enter the portal context path all of the time.

  1. First, I disabled the current root application

    $ mv $JBOSS_HOME/server/default/deploy/jboss-web.deployer/ROOT.war $JBOSS_HOME/server/default/deploy/jboss-web.deployer/ROOT.war.old
  2. I opened the $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-server.war/WEB-INF/jboss-web.xml file in an editor.
  3. I found the <context-root> tag and changed the value to be just a single forward slash character.

    <context-root>/</context-root>
  4. I saved the file and exited the editor.

Step 6 – Install MySQL
By default, JBoss Portal will use a Hypersonic database for all of its internal data. My environment will be a production environment, so I want to use something more robust.

  1. I installed the MySQL binaries by using a normal RPM install

    $ rpm -ivh MySQL-server-community-5.1.34-0.rhel5.x86_64.rpm
    $ rpm -ivh MySQL-client-community-5.1.34-0.rhel5.x86_64.rpm

    The installation process started the mysqld service automatically. It also installed MySQL as a service automatically.

  2. I checked that it was running

    $ mysqladmin version
    mysqladmin Ver 8.42 Distrib 5.1.34, for unknown-linux-gnu on x86_64
    Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc.
    This software comes with ABSOLUTELY NO WARRANTY. This is free software,
    and you are welcome to modify and redistribute it under the GPL license

    Server version 5.1.34-community
    Protocol version 10
    Connection Localhost via UNIX socket
    UNIX socket /var/lib/mysql/mysql.sock
    Uptime: 5 hours 29 min 16 sec

    Threads: 1 Questions: 5 Slow queries: 0 Opens: 15 Flush tables: 1 Open tables: 8 Queries per second avg: 0.0
    $

There are a lot of things you might want to do to a base MySQL install before putting it into production, but that is beyond the scope of this document. I would start with this link for some of the things you need to consider: http://dev.mysql.com/doc/refman/5.1/en/unix-post-installation.html

Step 7 – Point the Portal at MySQL

  1. I connected to the MySQL server running on localhost, as the current user (which happened to be root in my case).

    $ mysql
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 15
    Server version: 5.1.34-community MySQL Community Server (GPL)

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>

  2. I created a Database instance for the Portal to use

    mysql> CREATE DATABASE jbossportal;
    Query OK, 1 row affected (0.00 sec)
  3. Then I created a user for the Portal to connect as

    mysql> CREATE USER 'portal'@'localhost' IDENTIFIED BY 'portalpassword';
    Query OK, 0 rows affected (0.00 sec)
  4. Then I granted all privileges for the jbossportal Database to the user I just created

    mysql> GRANT ALL ON jbossportal.* TO 'portal'@'localhost';
    Query OK, 0 rows affected (0.00 sec)

    At this point I quit the MySQL interpreter.

  5. Next, I untarred the MySQL JDBC driver

    $ tar zxvf mysql-connector-java-5.1.7.tar.gz
  6. Then I copied the driver jar file to the $JBOSS_HOME/server/default/lib/ directory

    $ cp mysql-connector-java-5.1.7/mysql-connector-java-5.1.7-bin.jar $JBOSS_HOME/server/default/lib
  7. Next I disabled the original Hypersonic datasource

    $ mv $JBOSS_HOME/server/default/deploy/portal-hsqldb-ds.xml $JBOSS_HOME/server/default/deploy/portal-hsqldb-ds.xml.bak
  8. Then I deployed a datasource descriptor for MySQL. There is an example datasource descriptor in the JBoss Portal binary distribution

    $ cp $JBOSS_HOME/setup/portal-mysql5-ds.xml $JBOSS_HOME/server/default/deploy

    I double checked the username, password and database name settings in the file were correct
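The double check in item 8, as an added example (not from the original post or the JBoss distribution): it compares the descriptor's `connection-url`, `user-name` and `password` elements with the values created in MySQL, and also flags a world-readable file, because the descriptor stores the database password in clear text. The function names and the sample descriptor are constructed for illustration, and the parser assumes each element sits on a single line.

```shell
#!/bin/sh
# Added example: verify a JBoss -ds.xml datasource descriptor.

# write_sample_ds FILE: constructed sample descriptor using the post's values.
write_sample_ds() {
    cat > "$1" <<'EOF'
<datasources>
  <local-tx-datasource>
    <jndi-name>PortalDS</jndi-name>
    <connection-url>jdbc:mysql://localhost:3306/jbossportal</connection-url>
    <user-name>portal</user-name>
    <password>portalpassword</password>
  </local-tx-datasource>
</datasources>
EOF
}

# ds_value FILE ELEMENT: text of the first single-line <ELEMENT>...</ELEMENT>.
ds_value() {
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1
}

# check_datasource FILE DB USER PASSWORD
# Prints one line per problem and returns the number of problems found.
check_datasource() {
    file=$1; db=$2; user=$3; pass=$4; problems=0
    fail() { echo "$file: $1"; problems=$((problems + 1)); }

    # The database is the path part of jdbc:mysql://host[:port]/DB[?options].
    url_db=$(ds_value "$file" connection-url)
    url_db=${url_db#jdbc:mysql://*/}
    url_db=${url_db%%\?*}
    [ "$url_db" = "$db" ] || fail "connection-url names '$url_db', expected '$db'"
    [ "$(ds_value "$file" user-name)" = "$user" ] || fail "user-name does not match"
    [ "$(ds_value "$file" password)" = "$pass" ] || fail "password does not match"

    # Clear-text password: other local accounts must not be able to read it.
    [ -z "$(find "$file" -prune -perm -004)" ] || fail "file is world-readable"
    return "$problems"
}
```

Point `check_datasource` at the deployed `portal-mysql5-ds.xml` with the database, user and password from items 2 and 3; a non-zero return is the count of mismatches.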

Step 9 – Check Your Work
Now I checked my handiwork before moving on to the next step.

  1. I made the JBoss run script executable
    $ chmod +x $JBOSS_HOME/bin/run.sh
  2. Next I ran the script
    $ $JBOSS_HOME/bin/run.sh

    It will take a while, but eventually the server will finish booting.

  3. Now I hit the basic JBoss AS home page at this URL: http://myserver/ and made sure it looked OK.
  4. Then I hit the JBoss Portal page at this URL: http://myserver/portal and checked it as well.

If you have trouble accessing your URL, there could be an issue with the address that JBoss is listening on. This can be caused by various issues with your server setup (hostname, hosts file etc.). One quick thing to try is to pass -b 0.0.0.0 as an argument to the run.sh script – this tells JBoss to listen on all addresses, which might help you figure out where the issue is.

Step 10 – Setup JBoss Portal as a Service

  1. I opened the file $JBOSS_HOME/bin/jboss_init_redhat.sh in an editor.
  2. First I double checked the environment variables set at the top of the file (particularly JBOSS_HOME and JBOSS_USER) were correct.
  3. Then at the very top of the file, below the shebang line, I added the following 3 lines to make the script compatible with the chkconfig system

    # Comments to support chkconfig
    # chkconfig: 2345 80 40
    # description: JBoss Portal

    I saved the file and exited the editor.

  4. Then I made it executable

    $ chmod +x $JBOSS_HOME/bin/jboss_init_redhat.sh
  5. Next I linked the script into the init.d directory

    $ ln -s $JBOSS_HOME/bin/jboss_init_redhat.sh /etc/init.d/jboss
  6. Then I ran chkconfig to register the script for the correct run levels

    $ chkconfig --add jboss
  7. I then started the server by hand to double check my work and also just to get the server up and running without having to do a reboot

    $ service jboss start
  8. Then I hit the JBoss Portal page once again and checked that it came up properly

Step 11 – Have A Beer
It is always appropriate to reward yourself with a craft, micro-brewed or home-brewed beer!

Security Configuration Guides

Posted in: System Administration

As I was trying to learn more about hardening a CentOS box I am now the sole admin for, I stumbled upon this little gem of a website. The Central Security Service, which is part of the National Security Agency (which sounds much more intimidating if you just say the NSA), has published a whole bunch of recommendations for specific Operating Systems and how to secure them. In addition there are guides for databases and routers among other things. Who knew the Federal Government could be so useful.
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml