I’ve been using Glassfish 3.1 for a few months. It runs fine on my Windows 7 machine and seems to run on my Linux server. However, when I try to access linux-server:4848 to see the admin interface, I just get the copyright notice and no login page. Refreshing makes no difference. I couldn’t find anyone with that exact problem online but several people mentioned that you need to use exactly the right version of Java. I had been using the Debian default OpenJDK 6. I added contrib and non-free to /etc/apt/sources.list, installed sun-java6-jdk, ran update-alternatives --config java, edited glassfish/config/asenv.conf to point to the Sun JDK, and restarted Glassfish with glassfish/bin/asadmin restart-domain (actually I stopped and started it, not sure if there’s a difference). Problem gone. Admin interface accessible. Now to figure out how to make Glassfish use my new certificates. This post by Ali Ok should prove helpful, as will this post at SSLShopper.
The university I work for provides virtual servers using VMware. I was given one to use as a web application server running Glassfish. I encountered a few difficulties along the way.
First, I couldn’t get the server to boot from my Debian netinst ISO file. I was able to mount it while the server was booting, using the vSphere client, but I never got there fast enough for it to boot from it. I tried rebooting (from inside vSphere) but that disconnects the ISO. With a bit of help from a colleague, I learnt that you can reboot with ctrl-alt-insert (translated to ctrl-alt-del) and that this doesn’t unmount the disc image.
Second, I assumed that I needed the IA64 release of Debian since the virtual machine was 64-bit and Intel-based. However, I then learnt that IA64 is only for Itanium processors, and that most other 64-bit CPUs need the amd64 release, even if they are Intel. I was then able to install Debian.
Third, the keyboard layout of the virtual machine is independent of my laptop’s layout (Dvorak), so I assume vSphere client accesses low level key presses. Configuring keyboard layout in Debian is achieved via dpkg-reconfigure keyboard-configuration.
Fourth, there wasn’t a package for Glassfish on Debian. Well, there are a few packages with that name but they are out of date and only provide some jar files. Fortunately, Glassfish can be installed easily by hand within a single folder. Create a new glassfish user, set it up with a home directory, su to that user and run the installer in silent mode. The default settings worked for me and everything was installed in one subdirectory of the glassfish home directory. There is a way to run the installer with the -n option on another machine (with a GUI) and create a configuration file that can then be used on a headless machine like the one I was using. I couldn’t get that option to work on Windows so I just let it install with the default options. I expect you can configure it later anyway. If you want to access and manage it via Netbeans, you need to set an admin password. Apparently, it can’t contain any spaces. Have a look at the asadmin enable-secure-admin command and asadmin change-admin-password --user admin command. asadmin is in the glassfish installation folder so you will need to call it using its full path. I found a very useful page by Nabi Zamani about installing Glassfish on Ubuntu. Not exactly Debian but close. The start up script and iptables scripts are very helpful, although by searching a bit more you can find init scripts that include the dependencies and other meta-info at the top (avoids the OS complaining about missing LSB data). If glassfish doesn’t start or iptables isn’t making it accessible on port 80 (instead of the default port 8080), check that executable permissions are set correctly on the init and network files mentioned in the link above. There’s a password file in glassfish/domains/domain1/ which needs to be readable only by glassfish. I made the mistake of running some command as root and messed up the permissions. 
Also make sure that iptables has loaded the rules that should have been saved into /etc/iptables-save.rules (or similar).
Finally, I wanted to install the VMware tools. No idea what they do but apparently they increase performance of the client OS. Couldn’t find where to download them or how to install them until I came across Wolfsrudel’s comment on debiantutorials.com. He (male judging by the very small photo) explains that the tools are available after you add non-free and contrib to your apt/sources.list file. Then run the following as root.
    apt-get update
    apt-get install module-assistant open-vm-source open-vm-tools
    module-assistant prepare
    module-assistant build open-vm-source
    module-assistant install open-vm-source
    reboot
I have a complicated directory hierarchy on a Linux server with several gigabytes of files that I would like to backup to DVDs and be able to easily copy to another computer. The directories and subdirectories don’t easily divide into chunks of convenient size. I thought about using the tar command with the -M or --multi-volume option, or piping it into split. Several forums and websites suggest this. This isn’t an ideal solution because then you need to create a disc image containing a file larger than 4GB which isn’t supported by ISO9660 (typical CD format). So you would need to create a UDF image using mkudffs which can support larger files, but even then, the large multi-part tar archive may not be easily read by the receiving machine.
A better solution was suggested by Hubert Kario on Stack Exchange. He recommends using the dirsplit command which comes with some of the CD and DVD tools. The man page for dirsplit was written in 2004 so it’s hardly a new piece of software, and yet few people online seem to mention it, or perhaps I was just searching for the wrong keywords.
I ran the following commands as suggested by the dirsplit help text.
    dirsplit -e2 my/data/folder
    genisoimage -D -r --joliet-long -graft-points -path-list vol_1.list -V MY_DISK_1 -o my_data_1.iso
    genisoimage -D -r --joliet-long -graft-points -path-list vol_2.list -V MY_DISK_2 -o my_data_2.iso
The -e option determines how folders are split up, whether a single folder should be stored on a single disc or whether files from the same folder can be on different discs. By default, dirsplit outputs catalog files which can be used by genisoimage to create ISO images. These catalog files are essentially a list of files to be included in each disc image. The default size for each disc image is suitable for a DVD, just over 4GB.
I’m not sure exactly what the genisoimage options do and I haven’t yet burnt and tested the DVDs, but it looks promising and was very straightforward.
Following on from my previous post about securing Squirrelmail, I found that WordPress can be forced to use https for login and admin tasks quite easily. Just edit your wp-config.php file and add define('FORCE_SSL_LOGIN', true); or define('FORCE_SSL_ADMIN', true); somewhere before the warning at the end of the file. The former option will just use https to transmit your login details. The latter will force all access to the admin pages to be secured. According to the WordPress documentation, https can be slow, that’s why you might not want it to be enabled for the whole session.
Recently noticed that my e-mail account provided by the French post office provides absolutely no security for either IMAP or webmail connections. The webmail doesn’t even seem to support https if you type it into the address bar. This is bad news because it means I can’t access it from public networks without my login and password being sent in clear text over the net.
Then I noticed that my Squirrelmail setup doesn’t force https for login, although you can still request it by typing in the address manually. I failed to configure Apache to rewrite URLs to https. There is always some subtlety in rewrite rules and Apache configuration in general that stops things from working the way I want first time. But Squirrelmail has a plugin called Secure Login which allows you to force secure https starting at the login page.
Download the tar.gz archive to your Squirrelmail plugin directory, probably in /usr/share/squirrelmail/plugins/. Unpack it. Copy config.sample.php to config.php within the secure_login folder. Set the $change_back_to_http_after_login variable to 0 so your sessions remain in https. I don’t know why you would want to set it to 1 unless you have serious performance issues on a very underpowered server. In any case, if it’s set to 1 you won’t be able to login at all. Don’t forget to run the Squirrelmail Perl configuration script /etc/squirrelmail/conf.pl to enable the new plugin.
The recent Ubuntu releases seem to support the university VPN that I sometimes use. Remember that some home modems, access points or routers will need to have the VPN passthrough option enabled before they let you connect.
The remaining problem was that I don’t want all my traffic going via the VPN, only connections to university servers, in particular the mail and web servers. In the VPN configuration, go to the IPV4 Settings tab and click the Routes button at the bottom of the window. Check the Use this connection only for resources on its network box and fill in the address and netmask fields with the details of the private servers you need to access via the VPN. The gateway and metric fields can be left blank. If you just need to access one server with a single IP address, enter it in the address field and then 255.255.255.255 as the netmask. But remember that some services, including webservers, may have multiple IP addresses as they are mirrored across several physical machines for speed and redundancy. You can find all these addresses using nslookup.
I don’t know how important the other options are. I left Ignore automatically obtained routes unchecked. Back under the IPV4 settings tab, I selected Automatic (VPN) method.
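With the "only for resources on its network" box checked, traffic to any address missing from the route list goes outside the VPN, so it is safer to generate the list from the lookup output than to copy addresses by hand. The following is an added example, not part of the original post: nslookup_to_routes is a hypothetical helper, and the host names and lookup output are constructed.

```shell
#!/bin/sh
# nslookup_to_routes: read nslookup output on stdin and print one
# "address netmask" host route per IPv4 answer, without duplicates.
nslookup_to_routes() {
    awk '
        # The resolver prints its own address first; answers only start
        # after the first "Name:" line, so ignore everything before it.
        /^Name:/ { answers = 1; next }
        answers && /^Address/ {
            ip = $NF
            # Keep dotted-quad IPv4 only (the IPv4 Settings tab takes no IPv6).
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in seen)) {
                seen[ip] = 1
                print ip, "255.255.255.255"
            }
        }
    '
}

# Constructed sample: a mirrored web server with two IPv4 addresses,
# one IPv6 address and a repeated answer.
sample_lookup() {
cat <<'EOF'
Server:		192.0.2.53
Address:	192.0.2.53#53

Non-authoritative answer:
www.example.ac.uk	canonical name = web-pool.example.ac.uk.
Name:	web-pool.example.ac.uk
Address: 198.51.100.10
Name:	web-pool.example.ac.uk
Address: 198.51.100.11
Name:	web-pool.example.ac.uk
Address: 2001:db8::10
Name:	web-pool.example.ac.uk
Address: 198.51.100.10
EOF
}

sample_lookup | nslookup_to_routes
```

On a real machine, pipe the output of nslookup for each server into nslookup_to_routes and enter each resulting pair in the Routes dialog.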
Only a small number of servers here are accessible from off-campus. This prevents staff and students from using their office computers to host websites and share files via http. Lots of good reasons for this but on one occasion a colleague needed to run a Tomcat server (Java) for a research project and it needed to be accessible worldwide. I was unable to get it running on this server but was able to use Apache’s mod_proxy to make his own machine accessible on the web via a URL on this server.
I enabled Apache’s mod_proxy and used the following lines in /etc/apache2/mods-enabled/proxy.conf.
    ProxyVia Block
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /public_url http://firewalled-private-server
    ProxyPassReverse /public_url http://firewalled-private-server
The content hosted on http://firewalled-private-server must of course be accessible from your public server. It will then be available outside your network at http://my-public-server/public_url.
There may be some security considerations, and some of the lines in the configuration may not be necessary, but it did the trick. FYI it’s not in place any more.
WordPress is updated every few months. That’s good. But it’s a nuisance to go through the manual update every time. WordPress can update itself via the web admin interface but it needs a few tweaks. Without these changes, you will see a form asking for details of an FTP server. These are not required, they are just a sign that the web update method didn’t work and that FTP is available as a fallback (presumably for shared hosting where FTP is the only way to upload files).
- The WordPress directory must be writable (or owned?) by the user running the webserver.
- The proxy server must be configured in wp-config.php. In our case we need:
    define('WP_PROXY_HOST', 'wwwcache.lancs.ac.uk');
    define('WP_PROXY_PORT', '8080');
    define('WP_USEPROXY','TRUE');
- I’ve changed the permissions so my user’s group can write all files and directories, and the SUID and SGID bits are set on all directories in the hope that if I create any files manually, they will have the right permissions and not break the updates. There may well be some security considerations which I’ve neglected.
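One way to check a group-writable tree like the one described above, as an added example that is not part of the original post. On Linux the setgid bit on a directory makes new entries inherit its group, while setuid on a directory is ignored; audit_tree, fix_tree and demo_tree are hypothetical helpers and the demo tree is constructed.

```shell
#!/bin/sh
# audit_tree DIR: print one finding per line for a group-shared web tree.
audit_tree() {
    # Writable by "other": any local account could change code the server runs.
    find "$1" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Without setgid, new entries take the creator's group, not the shared one.
    find "$1" -type d ! -perm -2000 | sed 's/^/NO-SETGID /'
    # Linux ignores setuid on directories, so the bit does nothing useful here.
    find "$1" -type d -perm -4000 | sed 's/^/SETUID-DIR /'
}

# fix_tree DIR: group read/write everywhere, setgid (not setuid) on
# directories, nothing writable by others.
fix_tree() {
    find "$1" -type d -exec chmod u-s,g+rwxs,o-w {} +
    find "$1" -type f -exec chmod g+rw,o-w {} +
}

# demo_tree: build a constructed stand-in for a WordPress directory with
# one world-writable directory, one world-writable file and one setuid
# directory, then print its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"
    chmod 0777 "$d/wp-content/uploads"
    chmod 0666 "$d/wp-config.php"
    chmod u+s "$d/wp-content"
    printf '%s\n' "$d"
}

tree=$(demo_tree)
audit_tree "$tree"      # findings before the fix
fix_tree "$tree"
audit_tree "$tree"      # prints nothing once the tree is consistent
rm -rf "$tree"
```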
When you use Subversion (or other version control systems), be sure to use them consistently. Checked out directories contain a hidden directory containing information about the repository, the original checked out files, which files have been deleted or added… Copying the complete directory to a different location or even a different computer might work seamlessly, copying individual files is also acceptable. But as soon as you copy subdirectories (with their special hidden directory) that have been updated or committed on another computer, the upper directory and the subdirectory become inconsistent as far as version control is concerned. You will get messages asking you to clean up, and claiming that some subdirectories are not under version control.
- Best practice is to use the version control tools to exchange files: commit on one computer, checkout on another, make changes, commit, update on the first computer.
- If individual files need to be processed on another computer (eg. batch converting images from one format to another on a *nix machine) then proceed as above, or select all and copy the individual files, not the whole directory.
- If you need to provide the whole version controlled directory to someone who doesn’t need version control (eg. sending LaTeX sources to an editor), use the export feature to create a clean directory tree without all the hidden version control subdirectories.
At some point during a recent upgrade, LDAP authentication broke on our server. It’s exactly the problem reported by vrillusions on the Ubuntu forums, and the solution by windependence worked perfectly.
The problem became apparent when trying to change a password for a colleague who couldn’t log in.
    # passwd dave
    Enter login(LDAP) password:
    passwd: Authentication information cannot be recovered
    passwd: password unchanged
It turns out that PAM wasn’t using LDAP correctly. This was fixed by removing the use_authtok parameter in /etc/pam.d/common-password.
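The check and the edit described above, as an added example that is not part of the original post or of the forum thread it cites. use_authtok tells a module to reuse the new password collected by an earlier module in the stack instead of prompting for one; the function names are hypothetical and the sample file content is constructed, so compare it with your own /etc/pam.d/common-password and work on a copy.

```shell
#!/bin/sh
# Constructed sample of a password stack that loads pam_ldap with use_authtok.
sample_common_password() {
cat <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok try_first_pass
password	requisite	pam_deny.so
password	required	pam_permit.so
EOF
}

# find_ldap_use_authtok: read a PAM file on stdin and print "LINE: text"
# for every active password-stack entry that loads pam_ldap with use_authtok.
find_ldap_use_authtok() {
    awk '
        $1 ~ /^#/ { next }                       # skip comments
        $1 == "password" && /pam_ldap\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i == "use_authtok") { print NR ": " $0; break }
        }
    '
}

# drop_ldap_use_authtok: same input, with use_authtok removed from the
# pam_ldap password entries only; every other line passes through unchanged.
drop_ldap_use_authtok() {
    sed -E '/^[[:space:]]*password[[:space:]].*pam_ldap\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/'
}

sample_common_password | find_ldap_use_authtok       # reports line 3
sample_common_password | drop_ldap_use_authtok       # corrected stack
```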