virtual memory --> PTE/page table entry --> memory/paging (RAM/disk)
PTE : is the mapping table
In Windows 32-bit: 2GB is for kernel space, the other 2GB for user space.
32-bit means it can address only up to 4GB of memory.
The division means that each user process can have up to 2GB of virtual address space.
/3GB ==> lets each user process have up to 3GB (3072MB)
/USERVA ==> a way to offset the lack of memory for PTEs (the PTEs are in kernel space??).
So if /3GB is used together with /USERVA (e.g. =3030), the PTEs get additional space equal to the difference between the two (3072-3030MB = 42MB additional kernel space : free for PTEs).
More detail : http://support.microsoft.com/kb/810371
/PAE ==> a way to have more than 4GB of memory recognised by the OS. It does not mean each process can have more than 2GB (or 3GB with /3GB on); it means there is more physical memory available to use instead of being paged out to disk.
Want to know more about memory addressing? Go to :
http://www.cs.cornell.edu/~tomf/notes/cps104/virtual.html
http://everything2.com/title/Page+Table+Entry
Wednesday, 26 May 2010
Tuesday, 25 May 2010
Threads in Processes
Threads live inside a process and share the process's address space.
How to see the threads inside a process:
Linux: pstree
Unix : ptree
In general:
AIX : ps -mo THREAD -L pid
Linux : ps -L pid
Topas : press H
Manually, just go to : /proc/pid/lwp/threadsID
What can you do:
Linux : renice <integer> <TID> (TID = thread ID)
AIX : you can see which processor handles each thread and choose the one you want, details:
http://www.ibm.com/developerworks/aix/library/au-aixprocesscontrol/index.html
Can you kill a TID at runtime?
Yes, just kill the TID, but it is not recommended; better to kill the process.
In one well-known application, killing a TID is the same as killing the whole process.
In programming there are functions to stop only a single thread though; google for it.
Monday, 24 May 2010
JSP and Servlet
JSP = Java Server Pages (.jsp) = an HTML-like file which contains dynamic content (e.g. the current date)
An html file's extension can be changed to .jsp; that file then goes through the Tomcat translation ==> java file, which is then compiled into a .class.
JSP is basically an HTML file with some Java code inside (extra info: a block of Java code is called a scriptlet, like a function in VBS).
This html-jsp can import some Java classes.
It can use beans as well; a bean is basically a Java class (java file compiled --> .class file). A bean can have session scope (so it can be used in different sessions, with the bean holding different property values in each).
http://www.jsptut.com/Forms.jsp
The EJB container manages the lifecycle of an enterprise bean; for stateful beans: does not exist - ready - passive
active is in memory, passive is in secondary storage.
after the ejbRemove method is called by the EJB container, the bean is ready to be GC-ed.
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/EJBConcepts9.html
More detail on this : http://www.jsptut.com/
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Servlet (a Java class) : Java programming concentrated on web functions
javax.servlet.http.HttpServletRequest
javax.servlet.http.HttpServletResponse
javax.servlet.jsp.JspWriter
javax.servlet.jsp.PageContext
More detail on this : http://www.jsptut.com/Further.jsp
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
So the JSP is the presentation, and the servlet is the engine.
Friday, 21 May 2010
IBM TDS / LDAP
bash-2.05b# ps -ef | grep ldapdb2
ldapdb2 614418 1106044 0 Mar 24 - 11:28 db2acd 0
ldapdb2 1134664 1106044 0 Mar 24 - 67:01 db2sysc 0
bash-2.05b$ ps -ef | grep ldapdb2svc ==> no matching process (normal - just info)
the process that opens port 3700 (the ldapdb2svc port) is "db2sysc"
bash-2.05b# ps -ef | grep ibmdiradm
ldap 638978 1 0 Mar 24 - 0:45 /usr/ldap//bin/ibmdiradm -l
bash-2.05b# ps -ef | grep ibmslapd | grep -v grep
ldap 688256 1 2 Mar 24 - 623:26 /usr/bin/ibmslapd
>>>>>>>>>>>>
Usage: ibmdiradm [options]
where:
options:
-f file use file as configuration file
-h level debug level. Use in conjunction with ldtrc
-p port use port as the port to start ibmdiradm on
-s SSLport use SSLport as the port to start ibmdiradm on
-V print version information
-? this help screen
bash-2.05b# ibmdiradm -V
Directory server version is IBM Tivoli Directory Admin Server(SSL), Version 5.2 (Oct 17 2005 17:13:43)
>>>>>>>>>>
bash-2.05b# ibmslapd --help
ibmslapd: illegal option -- -
Usage:
ibmslapd [ -a | -n | -c ]
where:
-a start server in configuration only mode
-n do not start server in configuration only mode
-c run in console mode
bash-2.05b# ibmslapd -v
Directory server version is IBM Tivoli Directory (SSL), Version 5.2 (Oct 17 2005 17:08:46)
>>>>>>>>>>>>>>>>>
bash-2.05b# ibmdirctl
You must specify a command
Usage: ibmdirctl [options] command -- [ibmslapd options]
where:
command: command to issue to ibmdiradm
must be one of start/stop/restart/status/admstop
start starts the IBM Tivoli Directory Server
stop stops the IBM Tivoli Directory Server
restart stops and starts the IBM Tivoli Directory Server
status displays whether the IBM Tivoli Directory Server is running
statusreturn sets exit code 0=running, 1=starting, 2=stopped
admstop stops the IBM Tivoli Directory Server Administration Daemon
options:
-D adminDn bind DN
-h hostname ibmdiradm hostname
-K keyfile file to use for keys
-N key_name private key name to use in keyfile
-p port ibmdiradm port number
-P key_pw keyfile password
-v run in verbose mode
-w adminPw bind password or '?' for non-echoed prompt
-Y use a secure ldap connection (TLS)
-Z use a secure ldap connection (SSL)
-? this help screen
ibmslapd options are any options the ibmslapd process takes
at startup time. These are ignored if the 'stop' command was issued.
If ibmslapd options are requested, they must be preceded by the '--'.
If the 'admstop' command is issued successfully, the IBM Tivoli Directory
Server Administration Daemon must be restarted manually. (red - ibmdiradm command)
>>>>>>>>>>>>>>>>>>>>>>>>
Example :
Checking the status of ibmslapd:
ibmdirctl -D cn=root -w xxxxxx status
ibmdirctl -D cn=root -w ? status ==> prompts for the password
Note: if you get "connection error", check whether the ibmdiradm process is running.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
PORTS (/etc/services):
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
www-ldap-gw 1760/tcp # www-ldap-gw
www-ldap-gw 1760/udp # www-ldap-gw
ldap-admin 3407/tcp # LDAP admin server port
ldap-admin 3407/udp # LDAP admin server port
ldapdb2svc 3700/tcp
ldapdb2svci 3701/tcp
DB2_ldapdb2 60000/tcp
DB2_ldapdb2_1 60001/tcp
DB2_ldapdb2_2 60002/tcp
DB2_ldapdb2_END 60003/tcp
ibm-diradm 3538/tcp # IBM Directory Server
ibm-diradm 3538/udp # IBM Directory Server
ibm-diradm-ssl 3539/tcp # IBM Directory Server SSL
ibm-diradm-ssl 3539/udp # IBM Directory Server SSL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
bash-2.05b$ db2 list node directory
Node Directory
Number of entries in the directory = 2
Node 1 entry:
Node name = IDSINODE
Comment =
Directory entry type = LOCAL
Protocol = LOCAL
Instance name = ldapdb2
Node 2 entry:
Node name = LDAPDB2N
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = localhost
Service name = ldapdb2svc
>>>>>>>>>>>>>>>>>>>>>>>>>>
Getting the config of DB2:
bash-2.05b$ db2 get dbm cfg
>>>>>>>>>>>>>>>>>
TROUBLESHOOTING:
1. check the ldap db2 instance:
bash-2.05b$ db2 connect to ldapdb2 (make sure DB2INSTANCE=ldapdb2 is set)
Database Connection Information
Database server = DB2/AIX64 9.5.5
SQL authorization ID = LDAPDB2
Local database alias = LDAPDB2
2. db2 => LIST DATABASE DIRECTORY
System Database Directory
Number of entries in the directory = 2
Database 1 entry:
Database alias = LDAPDB2B
Database name = LDAPDB2
Node name = LDAPDB2N
Database release level = c.00
Comment =
Directory entry type = Remote
Catalog database partition number = -1
Alternate server hostname =
Alternate server port number =
Database 2 entry:
Database alias = LDAPDB2
Database name = LDAPDB2
Local database directory = /ldapdb2/data
Database release level = c.00
Comment =
Directory entry type = Indirect
Catalog database partition number = 0
Alternate server hostname =
Alternate server port number =
3. ldapsearch -p 389 -b "" -s base objectclass=*
namingcontexts=CN=SCHEMA
namingcontexts=CN=LOCALHOST
namingcontexts=CN=PWDPOLICY
namingcontexts=CN=IBMPOLICIES
namingcontexts=SECAUTHORITY=DEFAULT
namingcontexts=DC=AMM,DC=XX,DC=NL
subschemasubentry=cn=schema
supportedextension=1.3.18.0.2.12.1
.......
supportedextension=1.3.18.0.2.12.37
supportedcontrol=2.16.840.1.113730.3.4.2
......
supportedcontrol=1.3.18.0.2.10.18
security=none
port=389
supportedsaslmechanisms=CRAM-MD5
supportedsaslmechanisms=DIGEST-MD5
supportedldapversion=2
supportedldapversion=3
ibmdirectoryversion=5.2
ibm-ldapservicename=deehqws011oxixm
ibm-serverId=8d6c19c0-30ea-102a-9241-8d6a2b010899
ibm-supportedacimechanisms=1.3.18.0.2.26.3
ibm-supportedacimechanisms=1.3.18.0.2.26.4
ibm-supportedacimechanisms=1.3.18.0.2.26.2
vendorname=International Business Machines (IBM)
vendorversion=5.2
ibm-sslciphers=N/A
ibm-slapdisconfigurationmode=FALSE
ibm-slapdSizeLimit=500
ibm-slapdTimeLimit=900
ibm-slapdDerefAliases=always
ibm-supportedAuditVersion=2
ibm-sasldigestrealmname=xxxxxxxxx----(red:hostname)
4. ldapsearch -b dc=amm,dc=xx,dc=nl '(uid=at*)'
ldapsearch -b dc=amm,dc=xx,dc=nl '(uid=at*)' dn
???????????????????????????????????????????????????????????????
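The rootDSE dump in step 3 is worth reading as a checklist, not only as proof that the server answers. The Python below is an added example (not from this post and not IBM tooling) that parses that attribute=value output and reports the listener settings a reviewer looks at first; the sample input is a trimmed, constructed copy of the output above and the function names are mine.

```python
"""Parse the attribute=value dump that `ldapsearch -b "" -s base objectclass=*`
prints (the rootDSE shown above) and flag the settings a reviewer looks at first."""
from collections import defaultdict

# Constructed sample: a trimmed copy of the rootDSE output in this post.
SAMPLE_ROOTDSE = """\
namingcontexts=CN=SCHEMA
namingcontexts=SECAUTHORITY=DEFAULT
namingcontexts=DC=AMM,DC=XX,DC=NL
subschemasubentry=cn=schema
supportedextension=1.3.18.0.2.12.1
.......
security=none
port=389
supportedsaslmechanisms=CRAM-MD5
supportedsaslmechanisms=DIGEST-MD5
supportedldapversion=2
supportedldapversion=3
ibmdirectoryversion=5.2
ibm-sslciphers=N/A
ibm-slapdisconfigurationmode=FALSE
ibm-slapdSizeLimit=500
"""

def parse_rootdse(text):
    """Return {attribute (lower-case): [values]}, keeping multi-valued attributes in order."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue  # blank lines and the "......." elisions in the dump
        name, _, value = line.partition("=")  # split at the first '=' only: values hold DNs
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)

def _first(attrs, name):
    values = attrs.get(name)
    return values[0] if values else ""

def review_rootdse(attrs):
    """Findings about the listener that an operator would want to act on."""
    findings = []
    if _first(attrs, "security").lower() == "none":
        findings.append("security=none: plain LDAP on port %s, binds cross the network unprotected"
                        % (_first(attrs, "port") or "?"))
    if _first(attrs, "ibm-sslciphers").upper() == "N/A":
        findings.append("ibm-sslciphers=N/A: no SSL/TLS cipher suites configured")
    if "2" in attrs.get("supportedldapversion", []):
        findings.append("LDAPv2 still accepted alongside v3")
    mechs = {m.upper() for m in attrs.get("supportedsaslmechanisms", [])}
    if mechs and mechs <= {"CRAM-MD5", "DIGEST-MD5"}:
        findings.append("only MD5-based SASL mechanisms offered: " + ", ".join(sorted(mechs)))
    if _first(attrs, "ibm-slapdisconfigurationmode").upper() == "TRUE":
        findings.append("server is in configuration-only mode (started with ibmslapd -a)")
    return findings

def user_naming_contexts(attrs):
    """Suffixes other than the CN=... housekeeping ones (schema, policies, localhost)."""
    return [nc for nc in attrs.get("namingcontexts", []) if not nc.upper().startswith("CN=")]
```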
Unix Tip : Process -> ports and vice versa
the basics:
lsof | grep ldap
lsof | grep firefox
advanced:
lsof -i :389
lsof -p pidnumber
>>>>>>>>>>
In Linux:
netstat -putanuw
Thursday, 20 May 2010
Socket
Socket application (e.g. Netscape) - OSI layer 7 Application
|
Socket DLL/library - socket() - binds to a port to make it listen
|
TCP/UDP - OSI layer 4 Transport
|
IP/IPX
|
Modem or Network card
|
Network
The above is also called the TCP/IP stack (a stack is LIFO - last in, first out)
The TCP/IP stack is loaded into a memory space.
KERNEL = TCP/IP + NLB driver + network adapter driver
In Unix :
driver/module in .so = shared object, or .ko = kernel object (related to memory segmentation)
insmod, lsmod, rmmod
Unix Tip : how to get your gateway address
$ arp
Address HWtype HWaddress Flags Mask Iface
d6e-cd-br-cen ether 00:06:d6: C eth0
gate-bro- ether 00:00:0c:07: C eth0
arp -a
d6e-cd-b.com (9.158.) at 00:06:d6:: [ether] on eth0
gate-br.com (9.158.1) at 00:00:0c::: [ether] on eth0
Monday, 17 May 2010
WAS : express, base, ND
Express is like Tomcat: only WAR, no EJB module. Furthermore, a single instance for dev and prod to simplify deployment.
Base: able to handle EJB modules. Does not support clustering and only supports the server1 app server.
server1 can't be started or stopped using the ISC.
ND: supports clustering and multiple app servers.
Note :
About the ISC :
there is an isclite.ear module in config/cells/node/applications/ if the ISC is installed.
In Base, you may choose not to install the ISC, the defaultapp (snoop/hello) or the sampleApp (plant)
But ivtApp.ear and query.ear are installed automatically.
ivtApp.ear is used during the First Steps to verify the installation result, like starting them and testing the ports.
About the trial period:
it can be tricked by changing the date of the OS.
Friday, 14 May 2010
Security 3 : websphere, plugin, IHS key database
IHS --> SSLengine ON
Certificate location
keyfile location
chainfile location
Plugin : CMS type => .kdb
ikeyman tool => generate a self-signed cert
extract it to a .arm file
transfer it to the WAS servers to be put in the key (or trust) file
more precisely, "ADD" it under signer certificates (not personal certificates)
WAS : jks = Java keystore => a db file of a collection of certificates (newly generated by the ikeyman tool)
a. one.jks => private key and trusted certs are both here
b. key.jks and trust.jks => private key in key.jks, trusted certs in trust.jks
ikeyman tool ==> generate a self-signed cert under personal certs
extract it to a .arm file
transfer it to the Plugin servers to be put in key.kdb
==> signer certificates => ADD
I wonder why we need to "add" to signer certs on the WAS side as well.
If you use LDAPS in WAS, then you also "add" the LDAP server's cert to that jks file.
Note : 1. don't forget to set the path in the ISC to the correct location of the jks file
2. ikeyman tool is the GUI, gsk7cmd is the CLI
3. keytool can be used as well to read the jks without a password
4. during the creation of the jks it prompts for a password; this password is encrypted in a stash file.
5. .arm = .cer
6. keyring = keystore
7. signer certificate = trust certs = SSL from the client side
8. key = private key = SSL from the server side
reference : http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wass_content/06061801a07.html
Security 2 : certificates, CA, SSL
How a browser and an SSL web server connect:
1. browsers usually already have the "trusted root CAs", which means they have those public keys
2. first it works in asymmetric mode
3. The web server's certificate contains the CN/domain name, the CA's digital signature (the result of encrypting with the CA's private key : maybe of a HASH), the HASH (or fingerprint), and the public key of the web server.
4. The CA public key in the browser decrypts the CA's digital signature
5. It gets the HASH and compares it with the HASH in the certificate
This verifies that the CA is really the CA, for example: this cert really comes from VeriSign.
6. After the browser has verified it, it uses the web server's public key from the cert to encrypt the request along with a session ID
7. The web server gets it and decrypts it using its private key.
8. From this point on, the web server does symmetric encryption using the session ID as the shared code.
Note : Don't be confused, there is a CA key pair and also a web server key pair.
Asymmetric encryption is slower than symmetric.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
In Unix, use the openssl command.
First you generate the RSA private key.
then from that you create a .csr file. CSR : certificate signing request
which needs some input such as the domain name, etc.
then you send the .csr to a CA
if it is a commercial CA, they may contact you to verify and to get paid
then the CA sends you the .cert/.arm files
set the cert location in the virtual host section of your httpd config
also set the key file location in the same section
also set SSLCertificateChainFile in the same section.
==> this last file is a plain text file containing the chain from the intermediate CA up to the root CA
==> explained further on below
>>>>>>>>>>>>>>>>>>>>>>>>>>
CA :
A. private CA
B. commercial CA
1. root CA : the root, issued to and issued by itself, and self-signed.
2. intermediate CA : the derivatives, up to several levels deep; issued by : the root CA / the intermediate CA above it
issued to : itself. signed by the root CA or the intermediate CA above it.
In the secure case : the root CA is standalone, the intermediate CA is on the network. You create the CSR on the intermediate CA, carry it over on a USB stick to the root CA, generate the cert there, carry it back on the USB stick to the intermediate CA and install it. Now you have a root-CA-signed cert on your intermediate CA.
Now you can create any new certs to be used by web servers.
Remember that on the web servers you need to set the chain file (so the client browser can authenticate the intermediate CA up to the root CA).
reference: http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/
chain file looks like:
--BEGIN--
FDARGARGAGAGFDGFDGDCCCC
the intermCA2
DSFSDGDSFHSHSHSD%^GG#TG
--END--
--BEGIN--
the intermCA1
--END--
--BEGIN--
the rootCA
--END--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
summary : a certificate is a public key plus some info about your data
it can be digitally signed by a private CA or a commercial CA
digitally signed means as described in the digital signature workflow
Security 1 : Asymmetric, symmetric, hash, digital signature, email encryption
Symmetric : shared code
Asymmetric : key pair - public & private
Hash : SHA or MD5 ==> an algorithm that turns data into a short form, used to verify whether the data was altered along the way. Example : hash(email) = 010101100 (this is called the fingerprint)
Digital signature ==> fingerprint + private key encryption
you send : email + digital signature (for now we ignore email encryption)
the recipient has your public key!
the recipient also has the hash algorithm!
==> first it hashes the email and gets the fingerprint 010101100
==> second it decrypts the digital signature with the public key and gets the fingerprint
==> A. comparing the fingerprints from steps 1 and 2 above: if they are not equal, the email was altered!!
B. also, if the public key fails to decrypt at step 2, then the private key was wrong, which could mean it was not sent by the real person (because only the real person has the private key)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Now, about email encryption:
the encryption is done with the public key, and this is called the RSA method.
The sender has the recipient's public key and encrypts the email with it.
The recipient uses his private key to decrypt it.
Note : Even if someone else has the recipient's public key, it does not mean he can reverse the data. Only the one who has the private key can decrypt it.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
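As an added example (not the blog's code), the Python below runs the signature workflow above with textbook RSA: a SHA-256 fingerprint signed with the private key and checked with the public key, so an altered email (case A) or a wrong key (case B) both fail; the same primitives encrypt a short email with the recipient's public key, and also check a web server -> intermediate CA -> root CA chain like the chain file in the Security 2 post. Assumptions: toy 512-bit keys, no padding, seeded randomness for repeatability, and all function names are mine.

```python
"""Textbook RSA walk-through of the digital signature, e-mail encryption and
CA-chain ideas in these posts: toy key sizes, no padding, for teaching only."""
import hashlib
import random

def _is_probable_prime(n, rounds=20, rng=random.Random(1)):
    """Miller-Rabin probable-prime test (fixed rng so demos are repeatable)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return (public, private) = (e, n), (d, n). random.Random is not a CSPRNG:
    real keys come from openssl/ikeyman as the posts describe; seed is demo-only."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def fingerprint(data):
    """The post's 'fingerprint': SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Digital signature = fingerprint 'encrypted' with the private key."""
    d, n = private
    return pow(fingerprint(data), d, n)

def verify(data, signature, public):
    """Step 1: hash the message. Step 2: undo the signature with the public key.
    Compare: an altered message (A) or a wrong key (B) both fail here."""
    e, n = public
    return pow(signature, e, n) == fingerprint(data)

def encrypt(data, public):
    """E-mail encryption with the recipient's public key (message must be < n)."""
    e, n = public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this key; real mail uses a hybrid scheme")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    """Only the holder of the matching private key can reverse encrypt()."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _tbs(cert):
    """'To be signed' part of a toy certificate: subject, issuer and public key."""
    return "{subject}|{issuer}|{public}".format(**cert).encode()

def make_cert(subject, issuer, public, issuer_private):
    """Toy certificate: the issuing CA signs the subject's name and public key."""
    cert = {"subject": subject, "issuer": issuer, "public": public}
    cert["signature"] = sign(_tbs(cert), issuer_private)
    return cert

def verify_chain(chain, trusted_roots):
    """chain = [server cert, intermediate CA cert(s)..., root CA cert], the chain-file
    order; each cert must be signed by the next one up, ending in a trusted self-signed root."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify(_tbs(cert), cert["signature"], issuer["public"]):
            return False
    root = chain[-1]
    return (trusted_roots.get(root["subject"]) == root["public"]
            and verify(_tbs(root), root["signature"], root["public"]))
```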