I have spent the better part of the last 2 years working on various projects implementing Oracle security products in the Identity and access management space. now that I have completed these I thought that its time I share a few of my handy sysadmin commands that I used on a daily basis to implement and maintain these systems.
Checking Firewall Rules
For outsiders to IT projects you would be amazed at how many times people blame application or functional issues, so if you want to look like a genius learn telnet or install netcat:
$ telnet somerandom.host.com 7777
As an aside when using Oracle Enterprise Manager (OEM) even if your firewalls are open they wont always respond to your telnet/connectivity checks so make sure you define servers you want to connect to in your hosts file.
Make sure you can use Open SSL
Often when you are working with Load balancer’s, proxies and websites, certificates can be a major cause of concern. Use Open SSL to verify that your certificates are correct.
// The below command will pull the hostname on the cert, experiment with other grep combinations to pull more details $ openssl s_client -connect somerandom.host.com:443 |grep CN
Learn how to write LDIF scripts
When playing in Oracle Interned Directory (OID), Oracle Unified Directory (OUD) and Active Directory particularly with large amounts of users your going to need to know how to write .ldif scripts.
// heres an example of an ldap search $ ldapsearch -p 3060 -D cn=orcladmin -q -b "cn=name1,cn=name2,cn=name3" -s base "objectclass=*"
At least once in your time being a sysadmin you will hit a problem where network connectivity is an issue. Be prepared, learn tcpdump.
// below is an example of tcpdump look up the man page for more examples /usr/sbin/tcpdump -vv -x -X -s 2500 -i lo 'port 7777' -w /tmp/capture.pcap
Start Weblogic admin server
Starting a weblogic admin server can only be done manually so you will run this command often when you make changes that require a server / component restart:
// Start weblogic server $ /path/to/dir/user_projects/domains/base_domain/bin/startWebLogic.sh \ -Dweblogic.management.username=weblogic \ -Dweblogic.management.password=password &
Start node manager
Node manager is one of the handy utilities that starts managed servers up and send them commands to shutdown or update config parameters
// Start Node manager $ /path/to/dir/wlserver_10.3/server/bin/startNodeManager.sh &
Restart Http server
When working with proxies to test failovers or pick up new configuration you will need to stop and start them often you can do that with the following commands - but make sure you familiarise yourself with apache first and foremost:
// Stop / Start individual components $ /path/to/ohs/bin/opmnctl stopproc ias-component=web_srvr $ /path/to/ohs/bin/opmnctl startproc ias-component=web_srvr // Stop / Start entire server $ /path/to/ohs/bin/opmnctl stopall $ /path/to/ohs/bin/opmnctl startall
Unlock your admin user in the database
When you have keyed in the password incorrectly one to many times run the following:
## Unlock XELSYSADM account ## update usr set usr_login_attempts_ctr=0 where usr_login='XELSYSADM'; update usr set usr_locked=0 where usr_login='XELSYSADM'; Commit;
Start IAM components individually
If you have a node manager issue or you need to bring components up and down you can use the below command:
// this example starts the soa server $ /path/to/dir/user_projects/domains/base_domain/bin/startManagedWebLogic.sh soa_server1 \ -Dweblogic.management.server=http://servername:port \ -Dweblogic.management.username=weblogic \ -Dweblogic.management.password=password &
Watch log files & filter for events
I actually spent most of my time on proxies monitoring logs with the below command:
$ tail -f path/to/log/file.log | grep “ERROR”
Import and display certs
Often when configuring identity manager for use in an organisation you will need to do some kind of certificate / SSL setup - below are some handy wallet commands:
// Command to create a wallet $ /path/to/dir/oracle_common/bin/orapki wallet create -wallet servername_wallet -pwd password123 -auto_login // Command to import a certificate $ /path/to/dir/oracle_common/bin/orapki wallet add -wallet servername_wallet -trusted_cert -cert cert_to_import.pem -pwd password123 // Printing Certs $ /path/to/dir/oracle_common/bin/orapki wallet display -wallet servername_wallet Oracle PKI Tool : Version 188.8.131.52.0 Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Trusted Certificates: Subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US Subject: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Make Manual Filesystem backups
The great thing about Unix apps is that you can often copy + paste installations over very easily There will be some cases where you need to migrate servers, clone them or restore to an earlier config set you can do this by making "tarballs" of your server on occasion:
// backup an entire directory $ tar -cvpf /dir/backups/fullbackup.tar --directory=/path/to/dir . // backup an entire directory with exclusions $ tar -cvpf /dir/backups/fullbackup.tar --directory=/path/to/dir --exclude=proc . // untar a backup / archive tar -xvpzf /dir/backups/fullbackup.tar -C /path/to/dir --numeric-owner
To put in new firewall rules use iptables:
// IP tables fw rules $ iptables -A INPUT -i eth0 -p tcp --dport 3872 -m state --state NEW,ESTABLISHED -j ACCEPT $ iptables -A OUTPUT -o eth0 -p tcp --sport 3872 -m state --state ESTABLISHED -j ACCEPT
Patch a WebLogic server
The commands below are an example of running a WebLogic patch, trust me this will come in handy:
// weblogic patch steps $ cd /path/to/dir/utils/bsu/cache_dir $ export JAVA_HOME=/dir/tools/jdk1.7.0_72 $ export MW_HOME=/path/to/dir $ export WL_HOME=/path/to/dir/wlserver_10.3 $ ./bsu.sh -patch_download_dir=/path/to/dir/utils/bsu/cache_dir -patchlist=XXXX -prod_dir=/path/to/dir/wlserver_10.3 -install -verbose
Hoping you find this helpful! If you have some other Identity management goodies feel free to leave them in the comment section below.
If I find this post is popular I will do a version 2 with more commands and scenarios to run through.
Until next time!
The Security Sleuth