Wednesday 26 May 2010

Memory, Virtual memory, /3GB /USERVA, /PAE, PTE

virtual memory --> PTE/page table entry --> memory/paging (RAM/disk)

PTE : the page table entry is the mapping table from virtual pages to physical memory

In 32-bit Windows: 2GB of the address space is for kernel space, the other 2GB for user/shared space.
32-bit means it can address only up to 4GB of memory.
The division means each user process can have up to 2GB of virtual address space.

/3GB ==> lets each user process have up to 3GB (3072MB)

/USERVA ==> is a way to give back some of the space lost for PTEs (the PTEs themselves live in kernel space).
So if /3GB is used together with /USERVA (ex. =3030), the kernel gets back the difference between them (3072-3030MB = 42MB extra for kernel space : free PTEs).
More detail : http://support.microsoft.com/kb/810371

/PAE ==> is a way to have more than 4GB of physical memory recognised by the OS. It does not mean each process can have more than 2GB (or 3GB with /3GB on); it means there is more physical memory to use, so less has to be paged out to disk.


To go deeper on memory addressing, see:
http://www.cs.cornell.edu/~tomf/notes/cps104/virtual.html
http://everything2.com/title/Page+Table+Entry

Tuesday 25 May 2010

Threads in Processes

Threads live inside a process; they share the address space of that process.

How to see the threads inside a process:
Linux: pstree
UNIX: ptree

In general:
AIX : ps -mo THREAD -L pid
Linux : ps -L pid

Topas : press H

Manually, just look under: /proc/<pid>/lwp/<thread ID>

What can you do:
Linux : renice <priority> <TID> (TID = thread ID)
AIX : you can see which processor handles each thread and choose the one you want; details:
http://www.ibm.com/developerworks/aix/library/au-aixprocesscontrol/index.html

Can you kill a TID at runtime:
Yes, just kill the TID, but it is not recommended; better to kill the process.
In one well-known application, killing a TID is the same as killing the whole process.
In programming there are functions to stop only a thread, though; google for them.

Monday 24 May 2010

JSP and Servlet

JSP = Java Server Pages (.jsp) = an html-like file which contains dynamic content (eg: today's date)

An html file's extension can be changed to .jsp; that file then goes through Tomcat's translation ==> a .java file, which is then compiled into a .class.

JSP is basically an html file with some Java code inside (extra info: a block of Java code is called a scriptlet, like a function in vbs).

This html-jsp can import some java classes.

And it can use beans as well; a bean is basically a Java class (java file compiled --> .class file). A bean can have session scope (so it can be used across sessions, each session's bean holding different property values).
http://www.jsptut.com/Forms.jsp

The EJB container manages the lifecycle of an enterprise bean; for stateful beans: does not exist - ready - passive.
Active is in memory, passive is in secondary storage.
After the ejbRemove method is called by the EJB container, the bean is ready to be GC-ed.
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/EJBConcepts9.html


More detail on this : http://www.jsptut.com/

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Servlet (a Java class) : Java code concentrated on the web functions

javax.servlet.http.HttpServletRequest
javax.servlet.http.HttpServletResponse
javax.servlet.jsp.JspWriter
javax.servlet.jsp.PageContext

More detail on this : http://www.jsptut.com/Further.jsp

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

So the JSP is the presentation, and the servlet is the engine.

Friday 21 May 2010

IBM TDS / LDAP

bash-2.05b# ps -ef | grep ldapdb2
ldapdb2 614418 1106044 0 Mar 24 - 11:28 db2acd 0
ldapdb2 1134664 1106044 0 Mar 24 - 67:01 db2sysc 0

bash-2.05b$ ps -ef | grep ldapdb2svc ==> result 0 (normal - just info)
the process is "db2sysc", which opens port 3700 (this is the ldapdb2svc port)

bash-2.05b# ps -ef | grep ibmdiradm
ldap 638978 1 0 Mar 24 - 0:45 /usr/ldap//bin/ibmdiradm -l

bash-2.05b# ps -ef | grep ibmslapd | grep -v grep
ldap 688256 1 2 Mar 24 - 623:26 /usr/bin/ibmslapd

>>>>>>>>>>>>
Usage: ibmdiradm [options]
where:
options:
-f file use file as configuration file
-h level debug level. Use in conjunction with ldtrc
-p port use port as the port to start ibmdiradm on
-s SSLport use SSLport as the port to start ibmdiradm on
-V print version information
-? this help screen

bash-2.05b# ibmdiradm -V
Directory server version is IBM Tivoli Directory Admin Server(SSL), Version 5.2 (Oct 17 2005 17:13:43)
>>>>>>>>>>

bash-2.05b# ibmslapd --help
ibmslapd: illegal option -- -
Usage:
ibmslapd [ -a | -n | -c ]
where:
-a start server in configuration only mode
-n do not start server in configuration only mode
-c run in console mode
bash-2.05b# ibmslapd -v
Directory server version is IBM Tivoli Directory (SSL), Version 5.2 (Oct 17 2005 17:08:46)

>>>>>>>>>>>>>>>>>

bash-2.05b# ibmdirctl
You must specify a command

Usage: ibmdirctl [options] command -- [ibmslapd options]
where:
command: command to issue to ibmdiradm
must be one of start/stop/restart/status/admstop

start starts the IBM Tivoli Directory Server
stop stops the IBM Tivoli Directory Server
restart stops and starts the IBM Tivoli Directory Server
status displays whether the IBM Tivoli Directory Server is running
statusreturn sets exit code 0=running, 1=starting, 2=stopped
admstop stops the IBM Tivoli Directory Server Administration Daemon


options:
-D adminDn bind DN
-h hostname ibmdiradm hostname
-K keyfile file to use for keys
-N key_name private key name to use in keyfile
-p port ibmdiradm port number
-P key_pw keyfile password
-v run in verbose mode
-w adminPw bind password or '?' for non-echoed prompt
-Y use a secure ldap connection (TLS)
-Z use a secure ldap connection (SSL)
-? this help screen

ibmslapd options are any options the ibmslapd process takes
at startup time. These are ignored if the 'stop' command was issued.

If ibmslapd options are requested, they must be preceded by the '--'.

If the 'admstop' command is issued successfully, the IBM Tivoli Directory
Server Administration Daemon must be restarted manually. (i.e. with the ibmdiradm command)

>>>>>>>>>>>>>>>>>>>>>>>>
Example :

Knowing the status of ibmslapd:
ibmdirctl -D cn=root -w xxxxxx status
ibmdirctl -D cn=root -w ? status ==> for password prompt

Note: if you get "connection error", check whether the ibmdiradm process is running.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
PORTS (/etc/services):

ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
www-ldap-gw 1760/tcp # www-ldap-gw
www-ldap-gw 1760/udp # www-ldap-gw
ldap-admin 3407/tcp # LDAP admin server port
ldap-admin 3407/udp # LDAP admin server port
ldapdb2svc 3700/tcp
ldapdb2svci 3701/tcp
DB2_ldapdb2 60000/tcp
DB2_ldapdb2_1 60001/tcp
DB2_ldapdb2_2 60002/tcp
DB2_ldapdb2_END 60003/tcp

ibm-diradm 3538/tcp # IBM Directory Server
ibm-diradm 3538/udp # IBM Directory Server
ibm-diradm-ssl 3539/tcp # IBM Directory Server SSL
ibm-diradm-ssl 3539/udp # IBM Directory Server SSL

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

bash-2.05b$ db2 list node directory

Node Directory

Number of entries in the directory = 2

Node 1 entry:

Node name = IDSINODE
Comment =
Directory entry type = LOCAL
Protocol = LOCAL
Instance name = ldapdb2

Node 2 entry:

Node name = LDAPDB2N
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = localhost
Service name = ldapdb2svc

>>>>>>>>>>>>>>>>>>>>>>>>>>

Getting the config of DB2:
bash-2.05b$ db2 get dbmconfig

>>>>>>>>>>>>>>>>>
TROUBLE SHOOTING:

1. check the ldap db2 instance:
bash-2.05b$ db2 connect to ldapdb2 (make sure DB2INSTANCE=ldapdb2 is set)
Database Connection Information
Database server = DB2/AIX64 9.5.5
SQL authorization ID = LDAPDB2
Local database alias = LDAPDB2

2. db2 => LIST DATABASE DIRECTORY

System Database Directory

Number of entries in the directory = 2

Database 1 entry:

Database alias = LDAPDB2B
Database name = LDAPDB2
Node name = LDAPDB2N
Database release level = c.00
Comment =
Directory entry type = Remote
Catalog database partition number = -1
Alternate server hostname =
Alternate server port number =

Database 2 entry:

Database alias = LDAPDB2
Database name = LDAPDB2
Local database directory = /ldapdb2/data
Database release level = c.00
Comment =
Directory entry type = Indirect
Catalog database partition number = 0
Alternate server hostname =
Alternate server port number =

3. ldapsearch -p 389 -b "" -s base objectclass=*

namingcontexts=CN=SCHEMA
namingcontexts=CN=LOCALHOST
namingcontexts=CN=PWDPOLICY
namingcontexts=CN=IBMPOLICIES
namingcontexts=SECAUTHORITY=DEFAULT
namingcontexts=DC=AMM,DC=XX,DC=NL
subschemasubentry=cn=schema
supportedextension=1.3.18.0.2.12.1
.......
supportedextension=1.3.18.0.2.12.37
supportedcontrol=2.16.840.1.113730.3.4.2
......
supportedcontrol=1.3.18.0.2.10.18
security=none
port=389
supportedsaslmechanisms=CRAM-MD5
supportedsaslmechanisms=DIGEST-MD5
supportedldapversion=2
supportedldapversion=3
ibmdirectoryversion=5.2
ibm-ldapservicename=deehqws011oxixm
ibm-serverId=8d6c19c0-30ea-102a-9241-8d6a2b010899
ibm-supportedacimechanisms=1.3.18.0.2.26.3
ibm-supportedacimechanisms=1.3.18.0.2.26.4
ibm-supportedacimechanisms=1.3.18.0.2.26.2
vendorname=International Business Machines (IBM)
vendorversion=5.2
ibm-sslciphers=N/A
ibm-slapdisconfigurationmode=FALSE
ibm-slapdSizeLimit=500
ibm-slapdTimeLimit=900
ibm-slapdDerefAliases=always
ibm-supportedAuditVersion=2
ibm-sasldigestrealmname=xxxxxxxxx (masked: this is the hostname)

4. ldapsearch -b dc=amm,dc=xx,dc=nl '(uid=at*)'
ldapsearch -b dc=amm,dc=xx,dc=nl '(uid=at*)' dn

???????????????????????????????????????????????????????????????

Unix Tip : Process -> ports and vice versa

the basics:
lsof | grep ldap
lsof | grep firefox

advanced:
lsof -i :389
lsof -p <pid>

>>>>>>>>>>
In Linux:
netstat -putanuw

Thursday 20 May 2010

Socket

Sock Application (e.g., Netscape) - OSI layer 7 Application
|
SOCK DLL/library - socket() - binding to a port to make it listen
|
TCP/UDP - OSI layer 4 Transport
|
IP/IPX
|
Modem or Network card
|
Network

The above is also called the TCP/IP stack (a stack is LIFO - last in, first out).

The TCP/IP stack is loaded into a memory space.

KERNEL = TCP/IP + NLB driver + network adapter driver

In unix :
drivers/modules are .so = shared object or .ko = kernel object (related to memory segmentation)
insmod, lsmod, rmmod

Unix Tip : how to get your gateway address

$ arp
Address HWtype HWaddress Flags Mask Iface
d6e-cd-br-cen ether 00:06:d6: C eth0
gate-bro- ether 00:00:0c:07: C eth0

arp -a
d6e-cd-b.com (9.158.) at 00:06:d6:: [ether] on eth0
gate-br.com (9.158.1) at 00:00:0c::: [ether] on eth0

Monday 17 May 2010

WAS : express, base, ND

Express is like Tomcat: only WAR, no EJB modules. Furthermore, a single instance from dev to prod, to simplify deployment.

Base is able to handle EJB modules. It does not support clusters and only supports the server1 app server.
server1 can't be started or stopped using the ISC.

ND supports clusters and multiple app servers.

Note :
About ISC :
there is an isclite.ear module in config/cells/node/applications/ if the ISC is installed.
In Base, you may choose not to install the ISC, nor the defaultapp (snoop/hello), nor the sampleApp (plant).
But ivtApp.ear and query.ear are installed automatically.
ivtApp.ear is used during the firstSteps to verify the installation result, like starting them and testing the ports.

About the trial period:
it can be tricked by changing the date of the OS.

Friday 14 May 2010

Security 3 : websphere, plugin, IHS key database

IHS --> SSLEngine on
Certificate location
keyfile location
chainfile location

Plugin : CMS type => .kdb
ikeyman tool => generate a self-signed cert
extract it to a .arm file
transfer it to the WAS servers to be put in the key (or trust) file
more precisely, "ADD" it under signer certificates (not personal certificates)

WAS : jks = Java keystore => a db file holding a collection of certificates (newly generated by the ikeyman tool)
a. one.jks => private key and trusted certs are both here
b. key.jks and trust.jks => private key in key.jks while trusted certs in trust.jks

ikeyman tool ==> generate a self-signed cert in personal certs
extract it to a .arm file
transfer it to the Plugin servers to be put in key.kdb
==> signer certificates => ADD
I wonder why we need to "add" to signer certs on the WAS side as well.

If you use LDAPS in WAS, then you also "add" the LDAP server's certs to that jks file.

Note : 1. don't forget to set the path in the ISC to the correct location of the jks file
2. ikeyman tool is GUI, gsk7cmd is CLI,
3. keytool can be used as well to read the jks without the password
4. during the creation of the jks it prompts for a password; this password is stored encrypted in a stash file.
5. .arm = .cer
6. keyring = keystore
7. signer certificate = trust certs = SSL from the client side
8. key = private key = SSL from the server side

reference : http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wass_content/06061801a07.html

Security 2 : certificates, CA, SSL

How a browser and an SSL web server connect:

1. browsers usually have the "trusted root CAs" already, which means they have those public keys
2. first it works in asymmetric mode
3. The certificate of the web server contains the CN/domain name, the CA's digital signature (the result of encrypting with the CA's private key: probably the HASH), the HASH (or fingerprint), and the public key of the web server.
4. The CA pub key in the browser decrypts the CA's digital signature
5. It gets the HASH and compares it with the HASH in the certificate
This verifies that the CA is really the CA, example: this cert really comes from Verisign.
6. After the browser verifies it, it uses the web server's public key from the cert to encrypt the request along with a sessionID
7. The web server gets it and decrypts it using its private key.
8. At this point, the web server does symmetric-key encryption using the sessionID as the shared code.

Note : Don't be confused, there is a CA key pair and also a web server key pair.
Asymmetric encryption is slower than symmetric.

>>>>>>>>>>>>>>>>>>>>>>>>>>>

In unix use the openssl command
First you generate the RSA private key.
Then from that you create a .csr file. CSR : certificate signing request,
which needs some input such as the domain name, etc.....
then you send the .csr to a CA
if it is a commercial CA, they may contact you to verify and to be paid
then the CA sends you the .cert files/.arm files
set the cert location in the virtual host section of your http config
also set the key file location in the same section
also set the SSLCertificateChainFile in the same section.
==> this last file is a plain text file containing the structure from the intermediate CA up to the root CA
==> explained further below


>>>>>>>>>>>>>>>>>>>>>>>>>>

CA :
A. private CA
B. commercial CA

1. root CA : the root, issued to and issued by itself, and signed by itself.
2. intermediate CA : the derivatives, up to several levels; issued by : root CA / the intermediate CA above it
issued to : itself. Signed by the ROOT CA or the intermediate CA above it.

In the secure case : the root CA is standalone, the intermediate CA is on the network. You create the csr on the intermediate CA, bring it over usb to the root CA, generate the cert there, bring it back over usb to the intermediate CA and install it. Now you have a root-CA-signed cert on your intermediate CA.
Now you can create any new certs to be used by web servers.
Remember that on the web servers you need to set the chain file (so the client browser can verify the intermediate CA up to the root CA).

reference: http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/

chain file looks like:

--BEGIN--
FDARGARGAGAGFDGFDGDCCCC
the intermCA2
DSFSDGDSFHSHSHSD%^GG#TG
--END--
--BEGIN--
the intermCA1
--END--
--BEGIN--
the rootCA
--END--
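The private root CA --> intermediate CA --> web server cert setup and the chain file above, as an added example (not from the original notes) using the openssl CLI. It assumes openssl is installed; the names demo-root, demo-interm and www.example.test are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): a private root CA, an intermediate
# CA signed by it, a web-server cert signed by the intermediate, and the chain
# file the notes describe, checked with openssl. All names are made-up placeholders.
set -e
WORK=$(mktemp -d); cd "$WORK"
# minimal config so this does not depend on the system openssl.cnf; v3_ca marks
# a cert as a CA (basicConstraints), which openssl verify insists on for CAs
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
# 1. root CA: issued to itself, issued by itself, self-signed
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -days 3650 -config ca.cnf \
  -subj "/CN=demo-root" -out root.pem 2>/dev/null
# 2. intermediate CA: CSR made on the intermediate, signed by the root
#    (the "bring the csr over usb to the root CA" step in the notes)
openssl genrsa -out interm.key 2048 2>/dev/null
openssl req -new -key interm.key -config ca.cnf -subj "/CN=demo-interm" \
  -out interm.csr 2>/dev/null
openssl x509 -req -in interm.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.cnf -extensions v3_ca -out interm.pem 2>/dev/null
# 3. web server cert: CSR signed by the intermediate (a leaf, no CA extension)
openssl genrsa -out www.key 2048 2>/dev/null
openssl req -new -key www.key -config ca.cnf -subj "/CN=www.example.test" \
  -out www.csr 2>/dev/null
openssl x509 -req -in www.csr -CA interm.pem -CAkey interm.key -CAcreateserial \
  -days 365 -out www.pem 2>/dev/null
# 4. chain file (SSLCertificateChainFile): plain PEM, intermediate first, root last
cat interm.pem root.pem > chain.pem
# 0 when www.pem validates up to the trusted root through the intermediate
verify_server_cert() {
  openssl verify -CAfile root.pem -untrusted interm.pem www.pem >/dev/null 2>&1
}
# same check with the intermediate left out: the issuer of www.pem is unknown and
# it fails, which is what a browser sees when the chain file is missing
verify_without_chain() {
  openssl verify -CAfile root.pem www.pem >/dev/null 2>&1
}
```

root.pem is the same PEM you would "ADD" as a signer certificate on the WAS/plugin side (an .arm file is just this PEM text).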


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

summary : a certificate is a public key with some info about your data
it can be digitally signed by a (private or commercial) CA
digitally signed means as written in the digital signature workflow

Security 1 : Asymmetric, symmetric, hash, digital signature, email encryption

Symmetric : shared code
Asymmetric: key pair - public & private

Hash : SHA or MD5 ==> an algorithm that reduces data to a short form, used to verify whether the data was altered along the way. Example : hash(email) = 010101100 (this is called the fingerprint)

Digital signature ==> fingerprint + private-key encryption

you send : email + digital signature (for now we ignore email encryption)

the recipient has your pub key!
the recipient also has the hash (algorithm)!
==> first it hashes the email and gets the fingerprint 010101100
==> second it decrypts the digital signature with the pub key and gets the fingerprint
==> A. comparing the fingerprints from steps 1 and 2 above: if not equal then the email was altered!!
B. also if the pub key fails to decrypt at step 2, the private key was wrong, which could mean it was not sent by the real person (because only the real person has the private key)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Now, about email encryption:
the encryption is done with the pub key, and this is the RSA method.

The sender has the pub key of the recipient and encrypts the email with it.
The recipient uses his priv key to decrypt it.

Note : Even if someone else has the recipient's pub key, it does not mean he can reverse the data. Only the one who has the private key can decrypt it.
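The digital signature workflow (hash, sign with the private key, verify with the public key, detect an altered email) and the email encryption with the recipient's public key, as an added example (not from the original notes) using the openssl CLI. It assumes openssl is installed; the sender/recipient key files and the email text are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original notes): the signing/verify and email
# encryption workflows above, done with openssl. Key files and the email text are
# constructed sample data; "sender" and "recipient" are hypothetical names.
set -e
WORK=$(mktemp -d); cd "$WORK"
# key pairs: the sender signs with its private key, the recipient decrypts with its own
openssl genrsa -out sender.key 2048 2>/dev/null
openssl rsa -in sender.key -pubout -out sender.pub 2>/dev/null
openssl genrsa -out recipient.key 2048 2>/dev/null
openssl rsa -in recipient.key -pubout -out recipient.pub 2>/dev/null
printf 'Meeting moved to 10:00, room B.\n' > email.txt   # constructed sample email
# fingerprint = hash of the email (SHA-256 here; the notes mention SHA/MD5)
fingerprint() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }
# digital signature = the fingerprint encrypted with the sender's PRIVATE key
openssl dgst -sha256 -sign sender.key -out email.sig email.txt
# recipient side: hash the email again and compare with the fingerprint recovered
# from the signature using the sender's PUBLIC key; exit 0 only if both match
verify_email() {
  openssl dgst -sha256 -verify sender.pub -signature email.sig "$1" >/dev/null 2>&1
}
# tampered copy: one changed field gives a different fingerprint, so verify fails
sed 's/10:00/11:00/' email.txt > altered.txt
# email encryption (RSA, OAEP padding): the sender encrypts with the recipient's
# PUBLIC key; only the matching private key can reverse it
openssl pkeyutl -encrypt -pubin -inkey recipient.pub -pkeyopt rsa_padding_mode:oaep \
  -in email.txt -out email.enc
decrypt_email() {
  openssl pkeyutl -decrypt -inkey recipient.key -pkeyopt rsa_padding_mode:oaep -in email.enc
}
# the sender's key is the wrong private key: decryption fails, nothing is recovered
decrypt_with_wrong_key() {
  openssl pkeyutl -decrypt -inkey sender.key -pkeyopt rsa_padding_mode:oaep \
    -in email.enc >/dev/null 2>&1
}
```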
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>