How to install Tomcat 6 on RHEL 6 or CentOS 6

Here are some steps to install Tomcat 6 on Red Hat 6 (or CentOS 6).

 

First we are going to prepare the repository:


yum install yum-priorities
rpm -Uvh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
rpm -Uvh http://mirrors.dotsrc.org/jpackage/6.0/generic/free/RPMS/jpackage-utils-5.0.0-7.jpp6.noarch.rpm

Next we will install Java and Tomcat 6:


yum -y install java
yum -y install tomcat6 tomcat6-webapps tomcat6-admin-webapps

Finally we can launch Tomcat 6:


service tomcat6 start

To connect to Tomcat, just browse to port 8080 on the server, for example:


http://127.0.0.1:8080/

Here are a couple of diagnostic commands to test that Tomcat is running:

# service tomcat6 status
tomcat6 (pid 17318) is running... [ OK ]
# netstat -nlp|grep 800
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN xxxxx/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN xxxxx/java
# netstat -nlp|grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN xxxxx/java
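As an added example (not part of the original article), the following POSIX shell function reads the output of netstat -nlp and checks the listeners shown above: the HTTP connector must be up on 8080, the shutdown port 8005 should only be bound to loopback, and any other java listener on all interfaces (AJP on 8009 in the listing above) is reported for review. Pipe netstat -nlp into it; the pid column is ignored because it varies.

```shell
#!/bin/sh
# Added example, not from the original article: validate the Tomcat 6 listener
# table printed by "netstat -nlp". Exit status 0 means the expected layout was
# found, 1 means 8080 is missing or the shutdown port is reachable remotely.
check_tomcat_listeners() {
    status=0
    seen_http=0
    # netstat columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
    while read -r proto recvq sendq local foreign state prog; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        [ "$state" = LISTEN ] || continue
        case "$prog" in */java) ;; *) continue ;; esac
        addr=${local%:*}
        port=${local##*:}
        case "$port" in
            8080)
                seen_http=1
                echo "ok: HTTP connector listening on $local"
                ;;
            8005)
                # The shutdown port accepts the SHUTDOWN command; keep it on loopback.
                if [ "$addr" = 127.0.0.1 ] || [ "$addr" = ::1 ]; then
                    echo "ok: shutdown port 8005 bound to loopback"
                else
                    echo "warn: shutdown port 8005 bound to $addr, expected loopback"
                    status=1
                fi
                ;;
            *)
                if [ "$addr" = 0.0.0.0 ] || [ "$addr" = :: ]; then
                    echo "info: java also listening on all interfaces at $local (AJP connector if 8009)"
                fi
                ;;
        esac
    done
    if [ "$seen_http" != 1 ]; then
        echo "fail: no listener on port 8080"
        status=1
    fi
    return $status
}
```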

File Structure

The Red Hat file structure is different from the default file structure Tomcat 6 has when it is installed from source. Here is the file structure used when installing with this method:

/etc/tomcat6 (this is where the main tomcat config files reside)
/usr/share/doc
/usr/share/tomcat6
/usr/share/tomcat6/bin
/usr/share/tomcat6/conf
/usr/share/tomcat6/lib
/usr/share/tomcat6/logs
/usr/share/tomcat6/temp
/usr/share/tomcat6/webapps
/usr/share/tomcat6/work
/var/cache/tomcat6
/var/cache/tomcat6/temp
/var/cache/tomcat6/work
/var/lib/tomcat6 (this is where you will add and/or change most of your files)
/var/lib/tomcat6/webapps
/var/log/tomcat6

Here is an article that explains how to add support for JConsole debugging and/or monitoring to Tomcat:
https://wiki.internet2.edu/confluence/display/CPD/Monitoring+Tomcat+with+JMX


Installing a Secure Certificate on IBM Smart Business Server (VERDE)

At the time of this writing, the IBM Smart Business Server’s control panel doesn’t allow importing a secure certificate (SSL cert). Nevertheless, it is possible to install a valid (CA-signed) certificate from the command line. This article assumes that the reader is familiar with SSL and with the basic SSL key, CSR, and CRT generation steps. We are therefore picking up at the point where you have an SSL key as well as a signed certificate (CRT). You will also need a machine that has openssl installed (any Linux or Mac box will do). In fact, the Smart Business Server itself has openssl installed, as well as keytool, so all the steps can be performed directly on the server.

Please note that this is a draft document, and work in progress. At this time only the public facing websites have been successfully set up with a CA signed certificate.

  • The Apache configuration file for the setup wizard is: /etc/apache2/httpdWSW.conf
  • The Apache configuration file for the intranet is: /etc/apache2/httpdInt.conf, with the corresponding SSL configuration here: /etc/apache2/extra/httpdInt-ssl.conf
  • First copy the new key and cert (in the same file, key goes on top and then the cert) into /etc/opt/ibm/bbp/smartcontainer/httpdWSW.cert
  • (Optional, this step hasn’t been successfully tested, because a non-RFC compliant method is used.) To create an RFC compliant PKCS8 version of the key pair where the intranet config file is expecting it:
    cd /etc/opt/ibm/bbp/
    openssl pkcs8 -topk8 -inform PEM -nocrypt -in smartcontainer/httpdWSW.cert -out PKCS8.cert
  • Make sure the CA bundle is made available and properly referenced in the above-mentioned config files (cp path/to/sf_bundle.crt smartcontainer/)
  • Create a PKCS12 version of your certificate:
    openssl pkcs12 -export -chain -CAfile sf_bundle.crt -in '<your>.crt' -inkey '<your>.key' -out PKCS12.cert -name <name> -passout pass:111111
    (at the time of this writing, the default cert store password hard-coded in the VERDE install is 111111)
  • Location of the Java SSL keystore: /etc/opt/ibm/bbp/SSLkeystore
  • Location of the [SAFEv3] encryption tool: /opt/ibm/bbp/saf/encryptPassword.sh
  • Password retrieval command: /opt/ibm/bbp/saf/lib/security/manageAdminCreds -f get -a JavaKeyStore2048BitKey -i 1
  • Create a new keystore based on the PKCS#12 cert:
    keytool -importkeystore -destkeystore SSLkeystore.new -srckeystore PKCS12.cert -srcstoretype PKCS12 -alias <common_name_of_SSL_cert>
  • Update the keystore configuration reference in /opt/ibm/bbp/saf/cfg (use the password retrieved above).
  • Copy the PKCS#12 cert to the VERDE Tomcat cert store:
    cp PKCS12.cert /var/lib/verde/host.p12
    cp /var/lib/verde/host.p12 /usr/lib/verde/etc/host.p12
    (Make sure you save your previous copies of any file you modify.)

At this point, you have to restart the system, to make sure that all public services get the proper certificate loaded on boot. If you prefer, you can restart the services:

  • /etc/init.d/lwi restart
  • /etc/init.d/simpleAgent_d restart
  • restart the VERDE software from the web console

References

  • http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
  • http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
  • Many thanks to the bISV IBM support team

Sametime 8.5.1 Deployment

To deploy a Sametime environment with multiple levels of licensing, you need multiple Sametime servers, one for each license version required (Entry, Standard, etc.). The Sametime wiki has a number of useful resources to plan out a complex Sametime deployment:

  • http://www-10.lotus.com/ldd/stwiki.nsf/page.xsp?documentId=6F6353B28F5FB51185257775007AC431&action=openDocument
  • http://www-10.lotus.com/ldd/stwiki.nsf/dx/1.3_Lotus_Sametime_product_family
  • http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Learning%20Center

And here are some documents that delve into the details:

  • http://www-10.lotus.com/ldd/stwiki.nsf/dx/Chapter_2._Planning_a_Sametime_8.5.1_deployment
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/plan/plan_topol_deploy.html

Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL key order process in the Domino Administrator assumes that only single domain certificates are used. Hence, when you have a multi domain UCC or a wildcard certificate, it has to be loaded into the keyring (a.k.a. kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino Servers (mail, traveler, sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step I recommend being on a Linux or AIX machine with openssl installed. Assuming that you have the certificate key, the CA-issued certificate, and the certificate chain all in the same directory, you can run the following command to generate the p12 file:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12

Add PKCS#12 to Domino Server Kyr Keyring File

For this step I recommend being on the Sametime server under Linux or AIX. In theory, this should work, but in practice, I found that version 7 of the gsk tools doesn’t seem to be able to open kyr files. So you may need to skip ahead to the legacy Windows XP method, unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add the last provider (security.provider.6) to the list, so that it reads:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

Remove the conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

Set JAVA_HOME in the environment:

JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre
export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html



Linux Kernel Hangs During Boot

While rebooting a machine, for example to apply a kernel update, it hangs. You try older kernels, and they hang too, not necessarily at the same spot. Here are some examples of the last lines printed before the hang:

...
io scheduler cfq registered (default)
...
Real Time Clock Driver v1.12ac

These kernel hangs during boot are interestingly traceable to the USB keyboard. If you use a PS2 keyboard instead, the kernel may just continue booting. No comment.


Domino Server Crash Debug Data Collection

Even though Domino servers tend to be very stable, it may happen that every now and then there is a crash. In that case it is good to be able to provide appropriate details to IBM. Here are some recommendations from IBM tech support:

  • Make sure gdb is installed on the OS (Unix OSs only)
  • Add the following lines to notes.ini:
    debug_threadid=1
    debug_show_timeout=1
    debug_capture_timeout=1

These recommendations apply to any Domino based server: Quickr, Sametime, Traveler.


Migrate ProxMox KVM Storage from local to NFS on netapp

Proxmox KVM storage migration from local to NFS

In order to be able to use the live partition migration in Proxmox, the KVM partition needs to be on NFS or iSCSI.

Here is the process for an NFS storage.

- shut down vm
- rsync -av /var/lib/vz/images/<VMID> /mnt/pve/<NFS VOL>/images/
- edit /etc/qemu-server/<VMID>.conf
- change ide0: local:<VMID>/vm-<VMID>-disk-1.raw to ide0: <NFS VOL>:<VMID>/vm-<VMID>-disk-1.raw
- start up vm

Verifying SSL Certificates

Problem

You have a few SSL cert files on your server, but you are not sure which one is the newest, or the right cert to use.

Solution

Look at the contents of a CSR


openssl req -noout -text -in [domain_name].csr

Where [domain_name].csr is the name of the CSR file.

Look at the contents of a certificate


openssl x509 -noout -text -in [domain_name].crt

Look at the MD5 fingerprint of a certificate


openssl x509 -fingerprint -noout -in [domain_name].crt

Check the private key, the CSR, and the signed cert

To check that the private key, the CSR, and the signed cert belong to the same set, compare the MD5 hashes of their moduli; all three outputs must be identical:

openssl rsa -noout -modulus -in [domain_name].key |openssl md5
openssl req -noout -modulus -in [domain_name].csr |openssl md5
openssl x509 -noout -modulus -in [domain_name].crt |openssl md5
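The three commands above are easier to use as a single check. As an added example that is not from the original article, this POSIX shell function runs them, compares the hashes, and treats a file that openssl cannot parse as an RSA key, CSR or certificate as a failure rather than a match:

```shell
#!/bin/sh
# Added example, not from the original article: compare the modulus MD5 of a
# private key, a CSR and a certificate to confirm they form one matching set.

# Print the MD5 of the RSA modulus; $1 is the openssl subcommand (rsa, req or x509),
# $2 the file. Fails (non-zero) when openssl cannot read the file.
modulus_md5() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    # "openssl md5" prints "(stdin)= <hash>"; keep only the hash.
    printf '%s' "$mod" | openssl md5 | awk '{print $NF}'
}

# Usage: cert_set_matches domain.key domain.csr domain.crt
# Returns 0 when all three moduli agree, 1 on a mismatch, 2 on an unreadable file.
cert_set_matches() {
    key_md5=$(modulus_md5 rsa  "$1") || { echo "cannot read private key $1"; return 2; }
    csr_md5=$(modulus_md5 req  "$2") || { echo "cannot read CSR $2"; return 2; }
    crt_md5=$(modulus_md5 x509 "$3") || { echo "cannot read certificate $3"; return 2; }
    if [ "$key_md5" = "$csr_md5" ] && [ "$key_md5" = "$crt_md5" ]; then
        echo "MATCH: key, CSR and certificate share modulus MD5 $key_md5"
        return 0
    fi
    echo "MISMATCH: key=$key_md5 csr=$csr_md5 crt=$crt_md5"
    return 1
}
```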


SMTP Server Testing with Authentication

Problem

You need to test manually an SMTP server that requires authentication.

Solution

In the session below, the lines you type at a DOS or Unix command line are the telnet command and the SMTP commands (helo, auth login, mail from, rcpt to, data, the message body, the terminating period, and quit). The numbered lines (220, 250, 354, 221) and the telnet status lines are responses from the server.
telnet smtp-server.smtpdomain.com 25
Trying xxx.xxx.xxx.xxx…
Connected to smtp-server.smtpdomain.com.
Escape character is ‘^]’.
220 smtp-server.smtpdomain.com plus some other optional server greeting text

helo localhost
250 smtp-server.smtpdomain.com
auth login
You now need to enter your email address and then your password, each encoded in BASE64. To encode your password, use the HCI Data Encoder.
mail from: [email protected]
250 Sender accepted.
rcpt to: [email protected]
250 OK
data
354 End your message with a period.
Subject: test email

test content
.

250 Accepted message …
quit
221 Good bye.
Connection closed by foreign host.