Thursday, January 21, 2021

How to Install Oracle APEX 20.1 on CentOS 7 with Oracle Database 11g XE (plus ORDS, Tomcat and httpd)

Firewall Configuration :

80 is httpd, 8080 is Tomcat (and the embedded PL/SQL gateway of the database), 1539 is the non-default listener port chosen at the oracle-xe configure prompt further down. These commands change the running firewall only; repeat each with --permanent (or run firewall-cmd --runtime-to-permanent) and then firewall-cmd --reload, otherwise the openings are gone after the next reload or reboot. Open 1539 and 8080 only to the networks that really need them rather than to everyone.

firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=8080/tcp
firewall-cmd --zone=public --add-port=1539/tcp

. /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh
sqlplus /nolog

TOMCAT :
https://www.tecmint.com/install-apache-tomcat-in-centos/
useradd nt
passwd nt
password : pSSWRD
(pSSWRD is a placeholder; nt is the account Tomcat should run as, so give it a real password of its own, or no login shell at all, and do not reuse this value for any of the database accounts below.)
yum install java-1.8.0-openjdk-devel  #install JDK 8
java -version

cd /usr/local
yum install wget
wget  https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.39/bin/apache-tomcat-9.0.39.tar.gz
tar -xvf apache-tomcat-9.0.39.tar.gz
mv apache-tomcat-9.0.39 tomcat

echo 'export CATALINA_HOME=/usr/local/tomcat' >> ~/.bashrc
source ~/.bashrc

Now we are all set to start the Tomcat web server using the scripts provided by the Tomcat package. Do not run it as root: hand the tree to the nt user created above (chown -R nt:nt /usr/local/tomcat) and start it as that user (su - nt), otherwise every web application, ORDS included, runs with root privileges.

cd /usr/local/tomcat/bin
./startup.sh 

sudo firewall-cmd --zone=public --add-service=http
(runtime only; add --permanent and reload as noted under Firewall Configuration)
http://192.168.1.100:8080
OR
http://example.com:8080

vi /usr/local/tomcat/conf/tomcat-users.xml

Add a user with the manager-gui role here only if you actually need the manager application, and then restrict /manager to your own addresses (a RemoteAddrValve in its context.xml). Otherwise remove the web applications this server does not serve (manager, host-manager, examples, docs) from /usr/local/tomcat/webapps; they are a favourite target and nothing in this setup uses them. Then restart:

cd /usr/local/tomcat/bin

./shutdown.sh
./startup.sh


If you want to run Tomcat on a different port, say 1510 (the port httpd will proxy to further down), edit 'server.xml' in '/usr/local/tomcat/conf/'. Before changing the port, stop the Tomcat server:

# /usr/local/tomcat/bin/shutdown.sh
Now open the server.xml file in vi:
# vi /usr/local/tomcat/conf/server.xml

Search for "Connector port" and change the value of the active HTTP connector from 8080 to 1510 or any other port you want (the edited connector is shown in the ORDS section below). Ports below 1024 such as 80 would need Tomcat to run as root; keep it above 1024 and let httpd own port 80.

Restart Tomcat9 :

cd /usr/local/tomcat/bin
./shutdown.sh
./startup.sh

Secure Tomcat :

https://geekflare.com/apache-tomcat-hardening-and-security-guide/
https://gridscale.io/en/community/tutorials/securing-apache-tomcat-with-ssl/
https://www.mulesoft.com/tcat/tomcat-security
https://www.upguard.com/blog/15-ways-to-secure-apache-tomcat-8

Let’s hide the product and version details from the Server header.

Tomcat 9 sends no Server header at all unless a web application sets one; the server attribute on the Connector forces a fixed value whatever the application does. Edit server.xml under /usr/local/tomcat/conf and add it to the active HTTP connector:

vi /usr/local/tomcat/conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           server=" "
           redirectPort="8443" />

Check after a restart with curl -sI http://192.168.1.100:8080/ and look at the Server line. This is fingerprint hygiene only; an attacker can still recognise Tomcat from its error pages and behaviour, so keeping it patched matters far more than the banner.

For httpd the equivalent settings go into the main config: ServerTokens Prod and ServerSignature Off.

vi /etc/httpd/conf/httpd.conf

Server Time Zone :
sudo timedatectl set-timezone Asia/Dhaka


Swap Space :

Check what is already there:

swapon -s
free -m
df -h

Create the file with dd (fallocate is quicker, but on the XFS root of CentOS 7 swapon can refuse a fallocate'd file with "swapfile has holes"), lock it down before it ever holds memory contents, then format and enable it once:

sudo dd if=/dev/zero of=/swapfile bs=1MiB count=2048
sudo chmod 600 /swapfile
ls -lh /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

Make it permanent in /etc/fstab:

vi /etc/fstab
/swapfile   swap    swap    defaults  0   0

run this command:

sudo sysctl vm.swappiness=10
vi /etc/sysctl.conf

Add this line :
vm.swappiness = 10
vm.vfs_cache_pressure = 50

To verify swap's size

swapon --summary
free -h

Upgrade the system :

yum upgrade -y
yum install java-1.8.0-openjdk.x86_64 java-1.8.0-openjdk-devel.x86_64 mc net-tools.x86_64 htop iotop iftop unzip wget epel-release -y
yum install rlwrap -y

Time synchronisation (minimal CentOS installation):

A minimal CentOS installation ships chrony for this purpose. Keep the clock right: certificate validity checks (the Let's Encrypt certificates below) and log correlation both depend on it.

systemctl start chronyd
systemctl enable chronyd

SElinux disable :

vi /etc/sysconfig/selinux

(/etc/sysconfig/selinux is a symlink to /etc/selinux/config.) Change SELINUX=enforcing to SELINUX=disabled and save the file. Then switch it off for the running system as well:

setenforce 0

Be aware of what this costs: SELinux is the only mandatory access control on the box, and it is what would confine a compromised Tomcat or httpd process. If you only need to get Oracle and Tomcat past a denial, SELINUX=permissive logs what would have been blocked (ausearch -m avc) without blocking it, and audit2allow can turn those entries into a small policy module, which keeps enforcing mode on for everything else.

Install Oracle DB :

Install the preinstall package first; it creates the oracle user with the oinstall and dba groups and sets the kernel and limits parameters. Download the rpm from the Oracle Linux yum server beforehand, since CentOS does not carry it. For 11g XE:

cd /root
yum install oracle-rdbms-server-11gR2-preinstall-1.0-3.el7.x86_64.rpm --skip-broken

The 19c preinstall package does the same job on EL7 if you cannot find the 11gR2 one:

# curl -o oracle-database-preinstall-19c-1.0-1.el7.x86_64.rpm https://yum.oracle.com/repo/OracleLinux/OL7/latest/x86_64/getPackage/oracle-database-preinstall-19c-1.0-1.el7.x86_64.rpm

# yum -y localinstall oracle-database-preinstall-19c-1.0-1.el7.x86_64.rpm


uninstall an existing Oracle Database XE (if any) :

---- yum remove oracle-xe               (11g XE package name)
---- yum remove oracle-database-xe-18c  (18c XE package name)

install oracle database xe 11g :

cd Disk1/
yum localinstall oracle-xe-11.2.0-1.0.x86_64.rpm


Now that the packages are installed and the oracle user is set up, run the initial database configuration script. It asks for the HTTP port (8080), for the listener port (1521 by default; 1539 is the value used in the rest of these notes) and for the SYS/SYSTEM password.

Listener :
Configurations :

/etc/init.d/oracle-xe configure

---------------- https://davidghedini.com/pg/entry/install_oracle_11g_xe_on_centos/

. /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh

sqlplus /nolog
CONN SYS/SYS@XE AS SYSDBA
-- (SYS/SYS is a placeholder: use the password given to oracle-xe configure)
--To allow remote access to the Oracle 11g XE GUI (as well as the Application Express GUI) issue the following from SQL*Plus.
-- This exposes the embedded PL/SQL gateway (XDB, APEX) on port 8080 to the network; once ORDS under Tomcat serves APEX (below) there is no need for it and the gateway can stay local.

EXEC DBMS_XDB.SETLISTENERLOCALACCESS(FALSE);

-- ADD PORT 8080
firewall-cmd --zone=public --add-port=8080/tcp
You should now add an additional member to each redo log group under /u01/app/oracle/oradata/XE:

ALTER DATABASE ADD LOGFILE MEMBER '/u01/app/oracle/oradata/XE/log1b.LOG' TO GROUP 1;

ALTER DATABASE ADD LOGFILE MEMBER '/u01/app/oracle/oradata/XE/log2b.LOG' TO GROUP 2;

Raise the process and session limits; both are spfile-only parameters, so one restart after setting both is enough:

alter system set processes=200 scope=spfile;
alter system set sessions=250 scope=spfile;
shutdown immediate
startup

---------------- https://davidghedini.com/pg/entry/install_oracle_11g_xe_on_centos/

Note that from 12c on Oracle Database has the multitenant architecture: one container database with several pluggable databases (18c XE creates XEPDB1 by default). 11g XE is a plain single database, so the service name to connect to is simply XE and there is no pluggable database to switch to.

To make it easier to connect, edit tnsnames.ora and add a connection descriptor that we are going to use:

---vi /u01/app/oracle/product/11.2.0/xe/network/admin/sqlnet.ora

--- SQLNET.ALLOWED_LOGON_VERSION=8
--- (left out on purpose: setting it to 8 lets old clients authenticate with the weak pre-11g password verifier; keep the default and upgrade the client instead)

vi /u01/app/oracle/product/11.2.0/xe/network/admin/tnsnames.ora

Add this record there below the standard XE record:


srvr2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.100)(PORT = 1539))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )

--- open port 1539 in the firewall
firewall-cmd --zone=public --add-port=1539/tcp
Copy tnsnames.ora into the network/admin folder of the Oracle client on your Windows machine.
Then check the connection from a client, e.g. your laptop or PC. The listener is the database's front door, so limit 1539 to the source addresses that need SQL*Net access (a firewalld rich rule with source address=...) instead of opening it to everyone.

CONNECT LOCALLY, WITHOUT A TNS NAME (uses ORACLE_SID from oracle_env.sh), and keep a text copy of the spfile before changing more parameters:

sqlplus /nolog
conn SYS/PSSWRD123 AS SYSDBA
SHUTDOWN IMMEDIATE
create pfile from spfile;
STARTUP

Install Apex 20.1 :

>> So let's get it started. Check the minimum database version in the APEX 20.1 installation guide first (11g XE reports 11.2.0.2 in v$version). Then unzip the APEX archive from /root into /opt/oracle (the archive contains the apex/ directory itself, so /opt/oracle/apex appears after unzip) and make the oracle user the owner of the directory:

cd /root
mkdir -p /opt/oracle
unzip apex_20.1.zip -d /opt/oracle
chown -R oracle:oinstall /opt/oracle/apex


>> Note that we will be installing the full development environment of APEX. 

This can be converted to a runtime-only environment later if needed; refer to the official documentation. The full development environment should be used only when the Application Builder is needed. On a production environment it is strongly recommended to choose the runtime-only setup.

>> From the new APEX home directory connect to the database as SYSDBA and run the installation scripts. On 11g XE there is no pluggable database to switch to, so the ALTER SESSION SET CONTAINER step from multitenant guides does not apply here. If an older APEX is already present in the database, @apxremov.sql removes it first; otherwise skip that line.

cd /opt/oracle/apex
sqlplus /nolog
conn sys/SYS@XE AS SYSDBA
--- @apxremov.sql

-- create the tablespaces APEX will live in (the second one is only used if you pass it to apexins.sql as the files tablespace):

CREATE TABLESPACE APEX DATAFILE '/u01/app/oracle/oradata/apex01.dbf' SIZE 5000M AUTOEXTEND ON NEXT 1M;

CREATE TABLESPACE apexindex DATAFILE '/u01/app/oracle/oradata/apexindex01.dbf' SIZE 5000M AUTOEXTEND ON NEXT 1M;

---CREATE TABLESPACE bhorbazar DATAFILE '/opt/oracle/oradata/XE/bhorbazar01.dbf' SIZE 5000M AUTOEXTEND ON NEXT 1M;

-- ANONYMOUS is the account the embedded PL/SQL gateway connects as; it must be open for the 8080 URL below to work
ALTER USER ANONYMOUS ACCOUNT UNLOCK;

--- ALTER SESSION SET CONTAINER=XE;   (multitenant only, not for 11g)


-- run the script to install a full development environment. The arguments are: APEX tablespace, APEX files tablespace, temporary tablespace, virtual image directory (/i/ must match the path Tomcat serves the images from later). The apexindex tablespace created above is only used if you pass it as the second argument instead of APEX.

sqlplus /nolog
conn sys/SYS@XE AS SYSDBA
@apexins.sql APEX APEX TEMP /i/

---- @apxldimg.sql E:\apex_20.1
---- @apxldimg.sql /opt/oracle
---- create an instance administrator user and set their password, then enable RESTful services and the embedded PL/SQL gateway (the argument to apex_epg_config.sql is the directory that contains apex/; it loads the images into XDB):

conn sys/SYS@XE AS SYSDBA

@apxchpwd.sql
@apex_rest_config.sql
@apex_epg_config.sql /opt/oracle

SELECT DBMS_XDB.gethttpport FROM DUAL;

exec dbms_xdb.sethttpport(8080);
--- exec dbms_xdb.setftpport(0);

>> Unlock and set up APEX_PUBLIC_USER; this is needed for ORDS to connect to the APEX engine. Use a strong, unique password and remember it: ORDS asks for it during its configuration.

alter user apex_public_user account unlock;
alter user apex_public_user identified by PSSWRD123;

>> ANONYMOUS must be open only while APEX is served through the embedded gateway on 8080; once ORDS in Tomcat takes over you can lock it again. Unlocking XDB and giving it a known password is not required for the gateway and hands out an internal, privileged schema, so skip it unless something specifically needs it. Never share one password across SYS, APEX_PUBLIC_USER, ANONYMOUS and XDB as the placeholders here suggest.

conn sys/SYS@XE AS SYSDBA
alter USER ANONYMOUS ACCOUNT  UNLOCK;
alter user ANONYMOUS identified by PSSWRD123;

alter USER XDB ACCOUNT  UNLOCK;
alter user XDB identified by PSSWRD123;

--- Account Status must be OPEN :

select account_status from dba_users where username='ANONYMOUS';
select account_status from dba_users where username='XDB';

conn sys/SYS@XE AS SYSDBA

-- now disconnect from the database and test in a browser. 8080 is the embedded gateway in the database; port 80 only works once httpd is proxying to Tomcat/ORDS (set up below).

http://192.168.1.100:8080/apex
http://192.168.1.100:80/apex

Installation of ORDS :

cd /opt/oracle
rm -rf ords
mkdir -p /opt/oracle/ords
cd /root
yum install unzip

unzip ords-19.2.0.199.1647.zip -d /opt/oracle/ords
cd /opt/oracle/ords

mkdir config
mv ords.war apps.war
(the war name becomes the Tomcat context path, so ORDS will answer under /apps instead of /ords)

How to UnInstall ORDS :
-----  systemctl stop tomcat
-----  systemctl stop httpd
-----  java -jar apps.war uninstall

java -jar apps.war install advanced
------- Configuration folder path :

/opt/oracle/ords/config

When prompted for the ORDS configuration directory (the first question), enter config. Then provide the connection details of the database. This is 11g XE, a single non-container database: there is no XEPDB1 or ORCLPDB1 pluggable database to name, the service name is XE, and the host and listener port are the ones from tnsnames.ora (the database is on this machine, so localhost and 1539 are fine). Answer the prompts like this; the version string, timestamps and log file names in the sample output below come from an earlier run and will differ with ords-19.2:

Enter the name of the database server [localhost]:localhost
Enter the database listen port [1521]:1539
Enter 1 to specify the database service name, or 2 to specify the database SID [1]:1
Enter the database service name:XE
Enter 1 if you want to verify/install Oracle REST Data Services schema or 2 to skip this step [1]:1
Enter the database password for ORDS_PUBLIC_USER:
Confirm password:
Requires SYS AS SYSDBA to verify Oracle REST Data Services schema.

Enter the database password for SYS AS SYSDBA:
Confirm password:

Retrieving information.
Enter the default tablespace for ORDS_METADATA [SYSAUX]:SYSAUX
Enter the temporary tablespace for ORDS_METADATA [TEMP]:TEMP
Enter the default tablespace for ORDS_PUBLIC_USER [USERS]:USERS
Enter the temporary tablespace for ORDS_PUBLIC_USER [TEMP]:TEMP
Enter 1 if you want to use PL/SQL Gateway or 2 to skip this step.
If using Oracle Application Express or migrating from mod_plsql then you must enter 1 [1]:1
Enter the PL/SQL Gateway database user name [APEX_PUBLIC_USER]:APEX_PUBLIC_USER
Enter the database password for APEX_PUBLIC_USER:
Confirm password:
Enter 1 to specify passwords for Application Express RESTful Services database users (APEX_LISTENER, APEX_REST_PUBLIC_USER) or 2 to skip this step [1]:1
Enter the database password for APEX_LISTENER:
Confirm password:
Enter the database password for APEX_REST_PUBLIC_USER:
Confirm password:

Oct 30, 2019 1:05:38 PM
INFO: reloaded pools: []

Installing Oracle REST Data Services version 18.3.0.r2701456
... Log file written to /root/ords_install_core_2019-10-30_130538_00357.log
... Verified database prerequisites
... Created Oracle REST Data Services schema
... Created Oracle REST Data Services proxy user
... Granted privileges to Oracle REST Data Services
... Created Oracle REST Data Services database objects
... Log file written to /root/ords_install_datamodel_2019-10-30_130554_00366.log
... Log file written to /root/ords_install_apex_2019-10-30_130556_00005.log

Completed installation for Oracle REST Data Services version 18.3.0.r2701456. Elapsed time: 00:00:19.713

Enter 1 if you wish to start in standalone mode or 2 to exit [1]:2

The passwords for APEX_PUBLIC_USER, APEX_LISTENER and APEX_REST_PUBLIC_USER entered here must match what those accounts have in the database (see the ALTER USER statements after the Tomcat deployment). After the configuration is completed the values are saved in

vi /opt/oracle/ords/config/ords/defaults.xml

and the per-pool files next to it, and may be modified there. Those files hold the database credentials in an obfuscated, reversible form, so treat the whole config directory like a key.

You can find more information about possible ORDS configuration options in the official documentation. The nt user (created for Tomcat above) must have read-write access to the ORDS configuration folder, and nobody else needs any (chmod it so that "others" have no access):

chown -R nt:nt /opt/oracle/ords/config

Copy the renamed war into the Tomcat webapps directory (Tomcat is restarted later; /usr/share/tomcat/webapps is the path of the packaged tomcat, not of this install):

cp -a /opt/oracle/ords/apps.war /usr/local/tomcat/webapps/

Then the APEX static files (images, stylesheets, JS files and so on) must be served by Tomcat under /i/, the path given to apexins.sql. Either copy them into the webapps directory:

cd /usr/local/tomcat/webapps

mkdir i
cp -a /opt/oracle/apex/images/. /usr/local/tomcat/webapps/i/

or, instead of copying, point a context at the unzipped directory so that an APEX patch only has to be applied in one place. For that, in

cd /usr/local/tomcat/conf
vi server.xml

--- search for : 

<Host name="localhost"  appBase="webapps"
  unpackWARs="true" autoDeploy="true">

and add this line inside the Host element (the path must not end with a slash; Tomcat strips it with a warning):

<Context docBase="/opt/oracle/apex/images" path="/i" />

Do not do both: with a context for /i the copied directory is never used. Tomcat must be able to read /opt/oracle/apex/images as the nt user.

--------------------------------------------------------------------------------------------------------

The active connector after the port change looks like this; the executor-based connector below it stays commented out unless you also uncomment the Executor element earlier in server.xml:

    <Connector port="1510" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="1510" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

--------------------------------------------------------------------------------------------------------

Restart Tomcat. This install has no systemd unit, so systemctl restart tomcat does nothing here; use the scripts, as the nt user:

cd /usr/local/tomcat/bin

./shutdown.sh
./startup.sh


Done! We have installed ORDS and deployed it to Tomcat. Only one step is left: the APEX accounts ORDS connects as must be open, with exactly the passwords entered during the ORDS configuration (unique ones, not the placeholder below):

ALTER USER APEX_LISTENER IDENTIFIED BY PSSWRD123 ACCOUNT UNLOCK;
ALTER USER APEX_PUBLIC_USER IDENTIFIED BY PSSWRD123 ACCOUNT UNLOCK;
ALTER USER APEX_REST_PUBLIC_USER IDENTIFIED BY PSSWRD123 ACCOUNT UNLOCK;


HTTPD :

httpd goes in front of Tomcat as a reverse proxy: port 80 only redirects to HTTPS, and the HTTPS vhost that certbot derives from this one (see "SSL in httpd" below) forwards to the Tomcat connector on 1510.

sudo yum install httpd
cd /etc/httpd/conf.d/
touch 10-apex.conf
vi /etc/httpd/conf.d/10-apex.conf


<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Reverse proxy only. ProxyRequests must be Off: with it On, plus a
    # <Proxy *> block that allows everyone, this host is an open forward
    # proxy that anyone on the internet can relay traffic through.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
            Require all granted
    </Proxy>
    <Location />
            # Stripping Origin hides the browser's origin from ORDS/APEX and
            # weakens their CSRF checks. If it is only needed because the
            # backend sees http:// while the client used https://, pass
            # X-Forwarded-Proto instead and let Tomcat's RemoteIpValve
            # restore the scheme.
            RequestHeader unset Origin
            ProxyPass http://192.168.1.100:1510/
            ProxyPassReverse http://192.168.1.100:1510/
    </Location>

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The RewriteRule block is the http-to-https redirect; certbot --apache inserts exactly this when it configures the certificate, so it is not needed twice, and a separate "Redirect Permanent /" line would be copied into the HTTPS vhost as well and loop. "Order deny,allow" with "Allow from all" is httpd 2.2 syntax; CentOS 7 has 2.4, where "Require all granted" is the equivalent. Do not leave an [OR] on the last RewriteCond: a trailing [OR] makes the rule fire unconditionally. For a second site (e.g. bhorbazar.com) copy the whole VirtualHost and change ServerName, ServerAlias and both RewriteCond hostnames together.

systemctl enable httpd
systemctl restart httpd
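The following lint, added here as an example (it is not from the original notes or from the httpd project), catches the open-forward-proxy mistake in a vhost file before httpd is reloaded: it flags ProxyRequests On unless a <Proxy> block denies everyone, and writes a corrected copy with ProxyRequests Off and the 2.4 Require syntax. The sample vhost it writes is a constructed copy of the weak form of 10-apex.conf; file names are assumptions.

```bash
#!/bin/sh
# Added example for these notes (not from the original page or from httpd):
# a small lint for the reverse-proxy vhost. A reverse proxy for ORDS/APEX
# needs "ProxyRequests Off". With "ProxyRequests On" httpd also acts as a
# *forward* proxy and, unless a <Proxy> block denies access, anybody on the
# internet can relay traffic through this host.

# Write a constructed vulnerable vhost (the weak form of 10-apex.conf) to $1.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ProxyRequests On
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    <Location />
            ProxyPreserveHost on
            ProxyPass http://192.168.1.100:1510/
            ProxyPassReverse http://192.168.1.100:1510/
    </Location>
</VirtualHost>
EOF
}

# Exit status 0 if the file turns httpd into an open forward proxy:
# "ProxyRequests On" and no <Proxy *> block that denies everyone.
# Comments are stripped and directives matched case-insensitively, as httpd does.
is_open_forward_proxy() {
    awk '
        { sub(/#.*/, ""); line = tolower($0) }
        line ~ /^[ \t]*proxyrequests[ \t]+on[ \t]*$/               { on = 1 }
        line ~ /^[ \t]*<proxy[ \t]+\*>/                             { inproxy = 1 }
        line ~ /^[ \t]*<\/proxy>/                                   { inproxy = 0 }
        inproxy && line ~ /^[ \t]*deny[ \t]+from[ \t]+all/          { deny = 1 }
        inproxy && line ~ /^[ \t]*require[ \t]+all[ \t]+denied/     { deny = 1 }
        END { exit !(on && !deny) }
    ' "$1"
}

# Write a corrected copy of vhost $1 to $2: ProxyRequests Off, and the
# httpd 2.2 "Order/Allow" pair replaced by the 2.4 "Require" form.
harden_proxy_config() {
    sed -e 's/^\([[:space:]]*\)ProxyRequests[[:space:]][[:space:]]*On[[:space:]]*$/\1ProxyRequests Off/' \
        -e '/^[[:space:]]*Order[[:space:]][[:space:]]*deny,allow[[:space:]]*$/d' \
        -e 's/^\([[:space:]]*\)Allow[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all[[:space:]]*$/\1Require all granted/' \
        "$1" > "$2"
}
```

Usage on the real file: `is_open_forward_proxy /etc/httpd/conf.d/10-apex.conf && echo "open proxy"` before `systemctl reload httpd`; `harden_proxy_config` writes to a second file so the original can be diffed before it is replaced.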

Tomcat Redirect :

Replace Tomcat's default ROOT page with a redirect to the application. The target URL goes between the quotes; keep it a fixed string, never a value taken from the request, or the page becomes an open redirect. The backup original-index.jsp stays reachable over HTTP, so remove it again when done.

cd /usr/local/tomcat/webapps/ROOT
cp index.jsp original-index.jsp
vi index.jsp

<% response.sendRedirect(""); %>

The same for the /public and /admin entry points:

mkdir public
mkdir admin
cd public
vi index.jsp

<% response.sendRedirect(""); %>
cd ..
cd admin

vi index.jsp

<% response.sendRedirect(""); %>

SSL in httpd:

sudo yum install epel-release
sudo yum install certbot python2-certbot-apache mod_ssl
sudo certbot --apache -d example.com -d www.example.com

certbot --apache copies the port 80 vhost above into a *:443 vhost (10-apex-le-ssl.conf) with the certificate, and adds the http-to-https RewriteRule to the port 80 one. Test renewal and schedule it, since the certificates last 90 days; EPEL's package also ships a certbot-renew systemd timer you can enable instead of cron:

sudo certbot renew --dry-run
sudo crontab -e
(add a line such as: 0 3 * * * certbot renew --quiet)

ssl tomcat :

--- https://medium.com/@mashrur123/a-step-by-step-guide-to-securing-a-tomcat-server-with-letsencrypt-ssl-certificate-65cd26290b70

------------------------
-------- Prerequisites :
------------------------

>>> Before starting work on this task, I assume you already have:


01 - A running CentOS system with shell access and sudo privileges.
02 - A domain name registered and pointed to your server's public IP address.
03 - For this tutorial we use bhorbazar.com and www.bhorbazar.com, which point to our server.
04 - A recent version of Java installed.
05 - A recent version of Tomcat installed on the server.
06 - Ports 80 and 8443 open in your firewall.
07 - OpenSSL installed.

sudo yum install epel-release
sudo yum install certbot

---- If you have an active firewall, e.g. firewalld, open the https port on the firewall.
---- # firewall-cmd --add-service https --permanent
---- # firewall-cmd --reload

---- If you are not using Let's Encrypt you can skip this step. certbot --standalone binds port 80 itself, so it fails while httpd is running: if httpd is already installed (previous section), stop it first or simply reuse the certificate httpd obtained (same /etc/letsencrypt/live directory).
sudo certbot certonly --standalone -d www.example.com

If everything goes fine a certificate is issued under /etc/letsencrypt/live/<first domain given to certbot>, here www.example.com (the directory is named after the first -d name, so example.com and www.example.com are different directories). Navigate there and view the files:

cd /etc/letsencrypt/live/www.example.com

ls -l

Files list:

  cert.pem

  chain.pem

  fullchain.pem

  privkey.pem


>>> Convert keypair + certificate to Java Keystore :

First create a PKCS12 that contains both the full chain and the private key (openssl is needed for that):

openssl pkcs12 -export -out /tmp/bhorbazar.com_fullchain_and_key.p12 \
    -in /etc/letsencrypt/live/www.bhorbazar.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/www.bhorbazar.com/privkey.pem \
    -name tomcat

Then convert that PKCS12 to a JKS with Java's keytool:

keytool -importkeystore \
    -deststorepass pSSWRD -destkeypass pSSWRD -destkeystore /tmp/www.bhorbazar.com.jks \
    -srckeystore /tmp/bhorbazar.com_fullchain_and_key.p12  -srcstoretype PKCS12 -srcstorepass pSSWRD \
    -alias tomcat

Replace pSSWRD with your own keystore password. Three things to get right here: passwords on the command line land in the shell history and are visible in ps while the command runs (keytool prompts for them if you omit the -storepass options; openssl takes -passout file:...); /tmp is no place for a private key, files created there are world-readable with the default umask and systemd-tmpfiles purges old files, so move the .jks to /usr/local/tomcat/conf, chown it to nt, chmod 600 it and delete the .p12; and a Let's Encrypt certificate lasts 90 days, so this conversion has to run again after every renewal, typically from a certbot --deploy-hook script. Tomcat 8.5 and later can also read the PEM files directly (certificateFile, certificateKeyFile and certificateChainFile on the Certificate element of an SSLHostConfig), which avoids the keystore round trip entirely.
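Once the keystore (or, with the PEM route, privkey.pem) and the ORDS config directory are in their final place, the check below, added here as an example and not part of the original notes, verifies the properties just described: not under /tmp, no group/other permission bits, owned by the Tomcat account. Path names and the nt user are assumptions from this setup; it needs GNU stat, which CentOS 7 has.

```bash
#!/bin/sh
# Added example (not from the original page): verify that a TLS private key,
# keystore or the ORDS config directory is readable only by the account
# Tomcat runs as (nt in these notes). Requires GNU stat (coreutils).

# Usage: check_key_perms <path> <expected owner>
# Status 0 = ok, 1 = problem; every reason found is printed on stdout.
check_key_perms() {
    path=$1; want=$2; bad=0
    if [ ! -e "$path" ]; then
        echo "$path: does not exist"
        return 1
    fi
    # /tmp and /var/tmp are world-writable and periodically purged by
    # systemd-tmpfiles: a keystore there is both exposed and short-lived.
    case $path in
        /tmp/*|/var/tmp/*)
            echo "$path: lives in a temporary directory"
            bad=1 ;;
    esac
    # stat -c prints the octal mode (e.g. 600, 1777) and the owner name
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    # the last two octal digits are the group and other permission bits
    go=${mode#"${mode%??}"}
    if [ "$go" != "00" ]; then
        echo "$path: mode $mode is accessible to group/others, expected 600 (700 for a directory)"
        bad=1
    fi
    if [ "$owner" != "$want" ]; then
        echo "$path: owned by $owner, expected $want"
        bad=1
    fi
    return $bad
}
```

On the live host: `check_key_perms /usr/local/tomcat/conf/www.bhorbazar.com.jks nt && check_key_perms /opt/oracle/ords/config nt`; run it again from the certbot deploy hook after every renewal, because a freshly written keystore comes back with the default 0644 mode.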
----- Configure Tomcat with the Java Keystore :

Now open the server.xml of this install (not /etc/tomcat/conf/server.xml, that path belongs to the packaged tomcat):
# vi /usr/local/tomcat/conf/server.xml

Keep one plain HTTP connector for httpd to proxy to (1510 as set above, or 8080 if you left the default) and add the TLS connector on 8443. Note the protocol class: Tomcat 9 no longer has the blocking org.apache.coyote.http11.Http11Protocol connector (it was removed in 8.5), so that value fails at startup; use Http11NioProtocol or simply "HTTP/1.1". The linked guide uses the executor="tomcatThreadPool" connector instead, which only works if the Executor element earlier in server.xml is uncommented too.

<Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/usr/local/tomcat/conf/example.com.jks"
            keystorePass="pSSWRD"
            clientAuth="false" sslProtocol="TLS" />

keystorePass is stored in clear text in server.xml, so keep that file readable by nt only. redirectPort does not upgrade plain HTTP on its own: Tomcat sends a client to 8443 only for a web application that declares a security constraint with transport-guarantee CONFIDENTIAL, so do the redirect in httpd (the RewriteRule above) or add such a constraint. sslProtocol="TLS" still allows TLS 1.0 and 1.1 on Java 8; restrict it with sslEnabledProtocols="TLSv1.2" unless old clients must connect. Now stop and start Tomcat and you are done.

cd /usr/local/tomcat/bin

./shutdown.sh
./startup.sh

How to enable iptables :

https://upcloud.com/community/tutorials/configure-iptables-centos/

CentOS 7 ships firewalld, which is what these notes use. If you prefer the iptables service from that guide, stop and mask firewalld first; two tools managing the same ruleset undo each other. When following it, leave out the lines with the REJECT commands.

DDoS Attack :

See which remote addresses hold the most established connections (ss -ntu state established gives the same information on CentOS 7; note that cut -d: -f1 mangles IPv6 addresses, which contain colons, so strip only the trailing :port if tcp6 connections matter):

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

You can also block an IP address on the server with iptables:
https://www.hostingswift.com/how-to-block-or-unblock-an-ip-address-on-a-linux-server

iptables -I INPUT -s 88.99.252.172 -j DROP
iptables -I INPUT -s 67.207.67.2 -j DROP

Insert (-I) rather than append (-A): on a firewalld-managed CentOS 7 host the INPUT chain already ends in a REJECT rule, so an appended DROP sits behind it and never matches. Rules added this way are lost at reboot (and at a firewalld reload). The persistent equivalent with firewalld is a rich rule, firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="88.99.252.172" drop' followed by firewall-cmd --reload. Restarting httpd is not needed for a firewall change.
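The one-liner above, reworked as an added example (not from the original page) into two small functions: top_talkers does the per-address count without breaking IPv6 addresses, and block_commands turns the result into iptables/ip6tables lines that are inserted ahead of firewalld's final REJECT and skip an allowlist. The netstat output it runs on is constructed; on a real host pipe netstat -ntu (or ss -ntu) in instead.

```bash
#!/bin/sh
# Added example (not from the original page): the netstat one-liner above,
# made IPv6-safe and turned into a small triage tool. top_talkers counts
# ESTABLISHED connections per remote address; block_commands prints the
# iptables/ip6tables lines for addresses at or above a threshold, skipping an
# allowlist, and uses -I so the rule lands *before* firewalld's final REJECT.
# SAMPLE_NETSTAT is constructed to look like "netstat -ntu" output.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.100:1510      88.99.252.172:51234     ESTABLISHED
tcp        0      0 192.168.1.100:1510      88.99.252.172:51235     ESTABLISHED
tcp        0      0 192.168.1.100:1510      88.99.252.172:51236     ESTABLISHED
tcp        0      0 192.168.1.100:80        67.207.67.2:40001       ESTABLISHED
tcp        0      0 192.168.1.100:22        192.168.1.5:55000       ESTABLISHED
tcp        0      0 192.168.1.100:1510      203.0.113.9:3333        TIME_WAIT
tcp6       0      0 2001:db8::10:1510       2001:db8:1::7:40123     ESTABLISHED
tcp6       0      0 2001:db8::10:1510       2001:db8:1::7:40124     ESTABLISHED'

# stdin: netstat -ntu output. stdout: "<count> <remote address>", busiest first,
# ties ordered by address so the output is stable. Only the trailing ":port" is
# removed, so IPv6 addresses stay intact (cut -d: -f1 would reduce
# 2001:db8:1::7:40123 to "2001").
top_talkers() {
    awk '$6 == "ESTABLISHED" { a = $5; sub(/:[0-9]+$/, "", a); n[a]++ }
         END { for (k in n) print n[k], k }' |
    sort -k1,1nr -k2,2
}

# stdin: top_talkers output. $1: minimum connection count to block.
# $2: space-separated allowlist (monitoring hosts, office range, load balancer).
block_commands() {
    awk -v min="$1" -v allow="$2" '
        BEGIN { c = split(allow, a, " "); for (i = 1; i <= c; i++) ok[a[i]] = 1 }
        $1 >= min && !($2 in ok) {
            tool = ($2 ~ /:/) ? "ip6tables" : "iptables"
            printf "%s -I INPUT -s %s -j DROP\n", tool, $2
        }'
}

# Demo on the constructed sample: block anything with 2+ connections except
# the admin workstation. On a live box pipe "netstat -ntu" in instead.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers | block_commands 2 "192.168.1.5"
}
```

demo only prints the commands; review them before running, and on a firewalld host prefer the persistent rich-rule form described above. A handful of connections per address is normal for a browser talking to APEX, so pick the threshold from your own top_talkers baseline rather than from the sample.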

HOW TO UNBLOCK AN IP ADDRESS ON A LINUX SERVER :

Use the same rule with -D, which deletes it from the chain:

# iptables -D INPUT -s 88.99.252.172 -j DROP
# service iptables save

service iptables save only exists with the iptables-services package (not with firewalld); it writes the ruleset to:

vi /etc/sysconfig/iptables


SSL in Database (Wallet):

https://apex.oracle.com/pls/apex/germancommunities/apexcommunity/tipp/6121/index-en.html


