Error: ORA-28000: the account is locked


ORA-28000
Error: ORA-28000: the account is locked

Cause: The user has entered a wrong password consecutively for the maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the database administrator has locked the account.

Action: Wait for PASSWORD_LOCK_TIME or contact the database administrator

To unlock a user manually:

alter user <username> account unlock;

To change the user's password:

alter user <username> identified by new_password;

HowTo: Install Jitsi Server for Videoconferencing/Chat messaging


Jitsi Meet is a free, open source, secure, simple and scalable video conferencing solution. It also allows creating a client app embedded in a custom-designed web application.

Jitsi Videobridge is an XMPP server component designed to run thousands of video streams from a single server — and it’s fully open source and WebRTC compatible.

Jitsi Meet is an Open Source WebRTC JavaScript application that uses Jitsi Videobridge to provide high quality, scalable video conferences.

 

Install Apache or nginx first; otherwise the installer will set up Jetty as the fronting server.

apt-get install apache2

Configure Repository
wget https://download.jitsi.org/jitsi-key.gpg.key
apt-key add jitsi-key.gpg.key
echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list

Install Jitsi
apt-get update
apt-get install jitsi-meet

Install Certificate 
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Provide an email ID when prompted during installation

Restart services

service apache2 status
service jvb status

https://vc.domain.com

Enable authentication, so that only authenticated users are allowed to create rooms
https://github.com/jitsi/jicofo#secure-domain

Update the property
vi /etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.auth.URL=XMPP:vc.domain.com

cp -rpf /etc/prosody/conf.avail/vc.domain.com.cfg.lua /etc/prosody/conf.avail/vc.domain.com.cfg.lua_original
vi /etc/prosody/conf.avail/vc.domain.com.cfg.lua

#Update below settings
authentication = "internal_plain"

#Execute command to create user
prosodyctl register <Loginuser> vc.domain.com <Password>
#Restart Service
service jvb restart
service jicofo restart
service prosody restart


#Update a few headers, including CORS, to avoid BOSH client connectivity issues.
vi /etc/apache2/sites-available/vc.domain.com.conf
<Location /http-bind>
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header set Access-Control-Allow-Methods  "GET,POST,OPTIONS"
        Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
        Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"
        Header always set X-Frame-Options ALLOW
        Header always set X-Content-Type-Options nosniff
 </Location>
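
The header block above can be linted before it is deployed. This is an added example, not part of the original post: a POSIX shell check (audit_headers, posted_conf, tightened_conf and count_findings are names made up here) that flags a wildcard Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials true, which browsers refuse for credentialed requests, and an X-Frame-Options value other than DENY or SAMEORIGIN, which browsers ignore. The tightened sample is constructed and assumes the web client is served from https://vc.domain.com.

```shell
#!/bin/sh
# Added example: lint Apache "Header" directives for two response-header mistakes.
# audit_headers reads a config on stdin (or from file arguments), one finding per line.
audit_headers() {
    awk '
        tolower($1) == "header" {
            # Skip the optional "always" condition, then the action (set/add/...).
            i = 2
            if (tolower($i) == "always") i++
            name = tolower($(i + 1))
            value = ""; sep = ""
            for (j = i + 2; j <= NF; j++) { value = value sep $j; sep = " " }
            gsub(/"/, "", value)
            seen[name] = tolower(value)
        }
        END {
            if (seen["access-control-allow-origin"] == "*" &&
                seen["access-control-allow-credentials"] == "true")
                print "CORS: wildcard origin together with Allow-Credentials true"
            if ("x-frame-options" in seen) {
                xfo = seen["x-frame-options"]
                if (xfo != "deny" && xfo != "sameorigin")
                    print "X-Frame-Options: \"" xfo "\" is not DENY or SAMEORIGIN"
            }
        }' "$@"
}

# Directives taken from the <Location /http-bind> block above.
posted_conf() {
    cat <<'EOF'
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header always set X-Frame-Options ALLOW
EOF
}

# Constructed variant: one named origin and a valid framing policy.
tightened_conf() {
    cat <<'EOF'
        Header set Access-Control-Allow-Origin "https://vc.domain.com"
        Header set Access-Control-Allow-Credentials true
        Header always set X-Frame-Options SAMEORIGIN
EOF
}

# Number of findings for the sample printed by the function named in $1.
count_findings() { "$1" | audit_headers | wc -l | tr -d ' '; }

echo "posted:    $(count_findings posted_conf) finding(s)"
echo "tightened: $(count_findings tightened_conf) finding(s)"
```

To check a real site file, pass its path as an argument to audit_headers.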

HowTo: Create pkcs12 keystore from existing Certificate and Privatekey


The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

There are several methods that you can use, but I found the following the simplest:

1. I have the public certificate and private key in the folder named /certs

2. Create the keystore server.p12, where server.crt is your public certificate and server.key is the private key:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 



In addition, Java applications sometimes have to use a JKS keystore, so the certificates need to be imported into one:

keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks -deststoretype JKS
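
Before running the openssl pkcs12 step above, it helps to confirm that server.key really belongs to server.crt and to make sure the keystore is not written world-readable. This is an added example, not part of the original post: make_p12 and demo are names made up here, and the demo generates a throwaway self-signed certificate and a placeholder password file to exercise both the matching and the mismatching case.

```shell
#!/bin/sh
# Added example: check that key and certificate match, then build the keystore.
# make_p12 CERT KEY OUT PASSFILE prints "ok" or "mismatch".
make_p12() {
    cert=$1 key=$2 out=$3 passfile=$4
    # The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo mismatch
        return 0
    fi
    # umask 077: keystore readable by its owner only. -passout file: keeps the
    # export password out of the process list and the shell history.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
          -name server -passout "file:$passfile" ) || return 1
    echo ok
}

# Self-check with throwaway material (constructed; CN and password are placeholders).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'constructed-demo-password' > "$d/pass"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vc.domain.com" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    good=$(make_p12 "$d/server.crt" "$d/server.key" "$d/server.p12" "$d/pass")
    bad=$(make_p12 "$d/server.crt" "$d/other.key" "$d/bad.p12" "$d/pass")
    # Re-open the keystore with the password to confirm it parses.
    if openssl pkcs12 -in "$d/server.p12" -passin "file:$d/pass" -noout 2>/dev/null
    then parsed=yes; else parsed=no; fi
    # No keystore may be written when the key does not match.
    if [ -e "$d/bad.p12" ]; then written=yes; else written=no; fi
    rm -rf "$d"
    echo "$good $bad $parsed $written"
}

demo   # prints: ok mismatch yes no
```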


 

HowTo: Setup FTP Server on Ubuntu 16.04 with Virtual Users


An FTP (File Transfer Protocol) server handles file transfer over the network between a client and a server. It is faster, secure and convenient for moving files. Here we will show how to install and configure an FTP server with virtual users on Ubuntu.

$ sudo apt-get update
$ sudo apt-get install vsftpd libpam-pwdfile

$ sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

Open the configuration file and replace its content with the following:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
user_config_dir=/etc/vsftpd/vsftpd-virtual-user/
virtual_use_local_privs=YES
dual_log_enable=YES
connect_from_port_20=YES
listen=YES
pam_service_name=ftp
tcp_wrappers=YES
allow_writeable_chroot=YES

Restart vsftpd service:

$ sudo service vsftpd restart

Then create a new directory for the virtual users' files:

$ sudo mkdir -p /etc/vsftpd/vsftpd-virtual-user/

And create a blank file where we will add users with passwords a bit later:

$ sudo touch /etc/vsftpd/vsftpd-virtual-user/vsftpd_user

Copy yet another configuration file:

$ sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

And replace its content with the following:

session optional        pam_keyinit.so  force   revoke
auth   required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth   required        pam_shells.so
auth    include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so

Now we can create a new system user. This user will have its own separate home directory but will not be allowed to log in via ssh. Replace USERNAME with something you want, like ftp-myproject for example.

$ sudo useradd --home /home/USERNAME --gid nogroup -m --shell /bin/false USERNAME

Then set a password for the newly created user:

$ echo USERNAME:PASSWORD|sudo chpasswd

Now we have to add the name of new user to the vsftpd_user file:

$ sudo nano /etc/vsftpd/vsftpd-virtual-user/vsftpd_user

Just add the name of the user to this file as a separate line.

Create the separate file for our user in the directory /etc/vsftpd/vsftpd-virtual-user

$ sudo nano /etc/vsftpd/vsftpd-virtual-user/USERNAME

And put the following content inside it:

local_root=/home/USERNAME
cmds_allowed=USER,PASS,SYST,FEAT,OPTS,PWD,TYPE,PASV,LIST,STOR,CWD,MKD,SIZE,MDTM,CDUP,RETR,RNFR,RNTO,QUIT
local_umask=022
write_enable=YES

If you want to give your new user permission to delete files, then just add DELE to the argument cmds_allowed.

If the server is unable to start, comment out the IPv6 setting and try restarting the vsftpd server:
#listen_ipv6=YES

Error: Git command error (gnome-ssh-askpass:26734): Gtk-WARNING **: cannot open display:


I’ve been working on the project remotely through the command line, and I only have repository access to share source code with the team. I was getting the following error message while doing a push/pull: bash redirects the password prompt to gnome askpass for password input. This can be annoying and block the workflow.

[root@srv-20 data]# git pull

(gnome-ssh-askpass:26699): Gtk-WARNING **: cannot open display:

The solution is to force bash to stop redirecting the password prompt to the GUI. You can either run the command below at runtime or add it to .bashrc:

unset SSH_ASKPASS

 

Error: zabbix gateway unable to support wildfly http-remoting service


Here is my workaround to support http-remoting in Zabbix.

I have configured the Zabbix server with the Zabbix agent to monitor a production server. Since we switched from jboss-4.2 to wildfly-8.2 it got messed up, and Zabbix was unable to communicate with WildFly. The following error was found on the Zabbix gateway server. The error seems like WildFly is communicating with the native RMI service.

2017-07-20 01:18:10.247 [pool-1-thread-3] WARN com.zabbix.gateway.SocketProcessor - error processing request
com.zabbix.gateway.ZabbixException: java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: 192.168.101.197; nested exception is:
 java.net.ConnectException: Connection refused (Connection refused)]
 at com.zabbix.gateway.JMXItemChecker.getValues(JMXItemChecker.java:97) ~[zabbix-java-gateway-3.2.6.jar:na]
 at com.zabbix.gateway.SocketProcessor.run(SocketProcessor.java:62) ~[zabbix-java-gateway-3.2.6.jar:na]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
 at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Caused by: java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: 192.168.101.197; nested exception is:
 java.net.ConnectException: Connection refused (Connection refused)]
 at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:369) ~[na:1.8.0_131]
 at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) ~[na:1.8.0_131]
 at com.zabbix.gateway.ZabbixJMXConnectorFactory$1.run(ZabbixJMXConnectorFactory.java:76) ~[zabbix-java-gateway-3.2.6.jar:na]
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_131]
 at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_131]
 ... 3 common frames omitted

I downloaded the source RPM https://repo.zabbix.com/zabbix/3.2/rhel/7/SRPMS/zabbix-3.2.6-1.el7.src.rpm to check (JMXItemChecker.java:97), since it was mentioned in the error message. Just as I thought, the protocol was hardcoded in the source. I did some patch work, recompiled the RPM and installed the Zabbix gateway, and it worked as expected.

Please follow the steps below, which worked for me. You can download the source for the version of Zabbix server that is installed and reinstall the zabbix-gateway rpm.

1, Check the installed Zabbix version. These packages were installed through yum

rpm -qa | grep zabbix
zabbix-java-gateway-3.2.6-1.el7.x86_64
zabbix-server-mysql-3.2.6-1.el7.x86_64
zabbix-agent-3.2.6-1.el7.x86_64
zabbix-release-3.2-1.el7.noarch
zabbix-web-3.2.6-1.el7.noarch
zabbix-get-3.2.6-1.el7.x86_64
zabbix-web-mysql-3.2.6-1.el7.noarch
zabbix-sender-3.2.4-1.el7.x86_64

2, Remove installed zabbix-gateway only

rpm -e zabbix-java-gateway-3.2.6-1.el7.x86_64
warning: /etc/zabbix/zabbix_java_gateway.conf saved as /etc/zabbix/zabbix_java_gateway.conf.rpmsave

3, Download and extract Source RPM

wget https://repo.zabbix.com/zabbix/3.2/rhel/7/SRPMS/zabbix-3.2.6-1.el7.src.rpm
rpm -ivh zabbix-3.2.6-1.el7.src.rpm

4, Modify the source to support http-remoting

cd /root/rpmbuild/SOURCES/
tar -zxvf zabbix-3.2.6.tar.gz
vi zabbix-3.2.6/src/zabbix_java/src/com/zabbix/gateway/JMXItemChecker.java

Modify it with the entries below. The code checks the port: port 9990 goes to the “if” block and all other ports go to the “else” block, so your WildFly management port should be the default port (9990), or you can modify the code to match your custom WildFly management port.

String conn = request.getString(JSON_TAG_CONN);
int port = request.getInt(JSON_TAG_PORT);

// Port 9990 (WildFly management port) uses http-remoting-jmx; every other port keeps plain RMI.
if (port == 9990)
{
    url = new JMXServiceURL("service:jmx:http-remoting-jmx://" + conn + ":" + port);
}
else
{
    url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + conn + ":" + port + "/jmxrmi");
}

// Original line:
//url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://[" + conn + "]:" + port + "/jmxrmi");
jmxc = null;
mbsc = null;

Save and exit the file

5, Repack the source tree that was extracted to modify the .java file

tar -zcvf zabbix-3.2.6.tar.gz zabbix-3.2.6

6, Install the dependencies needed to rebuild the rpm

yum install iksemel-devel java-devel libssh2-devel OpenIPMI-devel unixODBC-devel gnutls-devel net-snmp-devel postgresql-devel -y

7, Rebuild the rpm

cd /root/rpmbuild/
rpmbuild -v -bb --clean SPECS/zabbix.spec

8, Install new zabbix-gateway

cd /root/rpmbuild//RPMS/

rpm -ivh zabbix-java-gateway-3.2.6-1.el7.centos.x86_64.rpm
rm -rf /etc/zabbix/zabbix_java_gateway.conf
mv /etc/zabbix/zabbix_java_gateway.conf.rpmsave /etc/zabbix/zabbix_java_gateway.conf

9, Now restart zabbix-gateway

service zabbix-java-gateway restart

Now you can see that Zabbix can connect to WildFly and read metrics. I believe this could be very helpful for those who are switching to WildFly.

Newly installed zabbix-java-gateway package:

rpm -qa | grep zabbix
zabbix-java-gateway-3.2.6-1.el7.centos.x86_64
zabbix-server-mysql-3.2.6-1.el7.x86_64
zabbix-agent-3.2.6-1.el7.x86_64
zabbix-release-3.2-1.el7.noarch
zabbix-web-3.2.6-1.el7.noarch
zabbix-get-3.2.6-1.el7.x86_64
zabbix-web-mysql-3.2.6-1.el7.noarch
zabbix-sender-3.2.4-1.el7.x86_64

Howto: Disable 2FA in GitLab for a user


GitLab supports 2FA and U2F devices to improve security on public networks. We need to configure Google Authenticator on a smartphone and register it to the existing GitLab user to allow logins. In some cases, if we lose the phone or are unable to access Google Authenticator, we can’t log in to GitLab.

GitLab provides recovery codes to initiate the recovery process, but if we have also lost the recovery codes, the following method helps to disable 2FA and allows us to log in.

Log in to the GitLab server over SSH and connect to PostgreSQL.

[root@control3 master]# sudo -u gitlab-psql -i bash

Log in to PostgreSQL

bash-4.1$ /opt/gitlab/embedded/bin/psql --port 5432 -h /var/opt/gitlab/postgresql -d gitlabhq_production

Disable 2FA for the user; here I used the username root:

gitlabhq_production=# UPDATE public.users SET otp_required_for_login = false WHERE username = 'root';

Now you can log in through the browser; it asks you to enable 2FA. Hope this helps you.