Oracle - Avoid user password expiration

When you connect to Oracle you see this warning: "The password wil expire within %s days"

Check all profiles:

select * from dba_profiles

Check the profile assigned to one user:

select profile from DBA_USERS where username = 'MyUser';

For this profile, filter its limits:

select resource_name,limit from dba_profiles where profile='DEFAULT';

Check user account status and expiration date for this user:

select username, account_status, expiry_date from dba_users where username='MyUser';

With this information we know that our user is assigned to the Default profile, which has an expiration policy of 180 days. Also, this user´s password will expire on 09/01/2018. To avoid this, just update the profile´s policy.

alter profile DEFAULT limit PASSWORD_LIFE_TIME  unlimited;

The last thing to do is reset the password to its own value, in order to restart the account status to OPEN. Depending on your Oracle version, you can obtain this password by two means:

select password from dba_users where username='MyUser';

select spare4 from sys.user$ where name='MyUser';

Only one of them will return a non NULL value. Then update the user.

alter user MyUser identified by values 'S:9090878D...;T:193A657B...';

Configure Hawtio in JBoss domain mode

These are the steps to configure Hawtio in Jboss EAP 6:

• Create a Management user
• Configure JBoss security
• Disable JBoss logging subsystem
• Test

This was tested with JBoss EAP 6.2, Hawtio 1.4.9 and Java 7 (this is the reason to not use the last Hawtio release).

Create a Management user

The user who will access hawtio console will need to provide a valid credentials, and he must have asociated an specific role (group).

By using add-user.sh script you need to create a Management user, in this case 'hawtio'. Besides, this user will belong to 'roleHawtio' group.

[root@jboss01 bin]# ./add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : hawtio
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: roleHawtio
About to add user 'hawtio' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'hawtio' to file '/opt/jboss-eap-6.2-dc/standalone/configuration/mgmt-users.properties'
Added user 'hawtio' to file '/opt/jboss-eap-6.2-dc/domain/configuration/mgmt-users.properties'
Added user 'hawtio' with groups roleHawtio to file '/opt/jboss-eap-6.2-dc/standalone/configuration/mgmt-groups.properties'
Added user 'hawtio' with groups roleHawtio to file '/opt/jboss-eap-6.2-dc/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
[root@jboss01 bin]#

After the command is executed, you need to replicate the mgmt-users.properties and mgmt-groups.properties files in all nodes of your domain.

Configure JBoss security

In domain.xml file you need to add the following system properties (the complete list of available properties to configure are in the this link):

<system-properties>
 <property name="java.net.preferIPv4Stack" value="true"/>
 <property name="hawtio.authenticationEnabled" value="true"/>
 <property name="hawtio.offline" value="true"/>
 <property name="hawtio.realm" value="hawtio-domain"/>
 <property name="hawtio.role" value="roleHawtio" />
</system-properties>

The property hawtio.realm is referencing the hawtio-domain, so you need to configure this domain in jboss security subsystem.

<subsystem xmlns="urn:jboss:domain:security:1.2">
 <security-domains>
  
  (...)
  
  <security-domain name="hawtio-domain" cache-type="default">
   <authentication>
    <login-module code="RealmDirect" flag="required">
     <module-option name="realm" value="ManagementRealm"/>
    </login-module>
   </authentication>
  </security-domain>
 </security-domains>
</subsystem>

Is very important to keep in mind that you need to replicate this config in all profiles of the domain.xml file.

Disable JBoss logging subsystem

If you are like me and you think that JBoss logging subsystem is a pain in the ass, probably you would like to disable it. Luckly it´s very esay, just open the hawtio WAR and add the following jboss-deployment-structure.xml file in META-INF folder:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
 <deployment>  
  <exclude-subsystems>
   <subsystem name="logging" />  
  </exclude-subsystems>

  <exclusions>
   <module name="org.apache.log4j" />
   <module name="org.slf4j" />
   <module name="org.log4j" />
   <module name="org.jboss.logging" />
  </exclusions>
 </deployment>
</jboss-deployment-structure>

Test

When these changes are done, you can deploy hawtio WAR in your domain. There you should see the following log trace, where you can check the params you specified before:

[Server:spre-segjava-1] 14:47:45,269 INFO  [stdout] (ServerService Thread Pool -- 77) INFO  | ServerService Thread Pool -- 77 | Starting hawtio authentication filter, JAAS realm: "hawtio-domain" authorized role: "roleHawtio" role principal classes: ""

If you try to access to http://[host]/hawtio/ you will be redirect to the login page and you just need to use the credentials created in the first step.

Centos 7.x - Minimal network setup

This is a continuation of a previous post, but this time dedicated to CentOS 7 (our customer is evolving!!)

Environment:

• Virtualbox 5.1.10
• CentOS 7.4.1708

Before start with the installation, in Virtualbox you have to configure two network adapters:

• Adapter 1: Host only
• Adapter 2: NAT

The first one will be used to communicate host and guest, for example, by using a ssh connection. The second one will be used by the guest in order to gain direct access to the internet.

When CentOS starts for first time, you will already had internet access. But local network will be disabled. Execute the following command to check your network interfaces:

ip add

The result will be something like this:

Here you can see three interfaces:

• lo: Loopback
• enp0s3: Host-Only adapter
• enp0s8: NAT adapter

If you have doubts about which is the host-only, you can check the MAC address and compare it with the Virtualbox adapter.

Once you are sure enp0s3 is your interface, go to /etc/sysconfig/network-scripts/ and edit ifcfg-enp0s3 file, for example with vi. You will have to make two changes:

• Set BOOTPROTO=none
• Set ONBOOT=yes
• Add IPADDR=your IP

Then execute the following command:

systemctl restart network.service

Now you will have your interface up and with the IP address you set before.

Note

As stated in my previous post, remember to configure proxy settings for system and yum configuration:

System config

Edit ~/.bash_profile file and add the following lines:

# The Web proxy server used by this account
http_proxy="http://usuario:password@my.proxy:8080"

export no_proxy=localhost,127.0.0.1
export http_proxy

YUM config

Edit  /etc/yum.conf y add the following lines:

# The proxy server - proxy server:port number
proxy=http://my.proxy:8080
# The account details for yum connections
proxy_username=usuario
proxy_password=password




LibreOffice - Force PDF/A export

I was using LibreOffice to convert documents from disparate formats to PDF. This is done by using the following command:

libreoffice5.3 --headless --convert-to pdf prueba.txt

My problem was that the output file was not int PDF/A format.

LibreOffice, by working with it´s GUI interface, do supports PDF/A conversion, so the problem should be in some kind of default configuration.

There is configuration file called registrymodifications.xcu which contains all settings used by the programa, and during the exportation too. This file is located in  ~/.config/libreoffice/4/user/ directory. For example /root/.config/libreoffice/4/user/registrymodifications.xcu.

This is an xml based file with a lot of (poor/undocumented) preferences. In particular, in order to set PDF/A as default option, you have to insert the following config line:

<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 (...)
 <item oor:path="/org.openoffice.Office.Common/Filter/PDF/Export">
  <prop oor:name="SelectPdfVersion" oor:op="fuse">
   <value>1</value>
  </prop>
 </item>
 (...)
</oor:items>

Now, if you launch the conversion again you will get a PDF/A-1A file.

Though registrymodifications.xcu file is quite obscure, you can get mor info by using the GUI version of the program. If you navigate to Tools > Options > LibreOffice > Advanced > Open Expert Configuration, you can check the whole list of settings.

Unix - CIFS / NFS Mount

Mount CIFS

fstab:

//host/server_dir /mnt/unix_dir  cifs gid=jboss,uid=jboss,domain=xxxxx,user=yyyyy,password=zzzzz,_netdev,rw   0 0

Mount NFS

fstab:

host:/server_dir /mnt/unix_dir nfs rsize=8192,timeo=14,intr 0 0