Blog

Remove ( delete ) a legacy_run entry from SMF on Solaris 10

Remove the scripts from /etc/init.d and rc3.d etc.

root@mydb # svcs -a | grep -i oracle
legacy_run Feb_28 lrc:/etc/rc3_d/S99Oracle_Listener
root@mydb  #

Now we want to remove it from SMF. Note that once you have removed the RC scripts, rebooting the server will also mean SMF won’t pick it up again, but if you don’t want to reboot you can do the following :-

root@mydb # svccfg -s smf/legacy_run
svc:/smf/legacy_run> listpg *
rc2_d_S20sysetup framework NONPERSISTENT
rc2_d_S70uucp framework NONPERSISTENT
rc2_d_S72autoinstall framework NONPERSISTENT
rc2_d_S73cachefs_daemon framework NONPERSISTENT
rc2_d_S89PRESERVE framework NONPERSISTENT
rc2_d_S95lwact framework NONPERSISTENT
rc2_d_S98deallocate framework NONPERSISTENT
rc3_d_S16boot_server framework NONPERSISTENT
rc3_d_S52imq framework NONPERSISTENT
rc3_d_S84appserv framework NONPERSISTENT
rc3_d_S85dsmcsched framework NONPERSISTENT
rc3_d_S99Oracle_Listener framework NONPERSISTENT
svc:/smf/legacy_run> delpg rc3_d_S99Oracle_Listener
svc:/smf/legacy_run> exit
root@mydb #

root@mydb # svcs -a | grep -i oracle
root@mydb #

Solaris FTP chroot on Netapp mounted filesystem

When setting up Solaris chroot FTP where the user’s home directory is on an NFS mounted Netapp filesystem you may encounter an error when running ftpconfig :-

myhost# ftpconfig  -d  /input/jblogs

Updating directory /input/jblogs
ftpconfig: Error: Creation of devices in /input/jblogs/dev failed

Running mknod to create devices ( which ftpconfig does ) requires the Netapp volume to be exported with setuid enabled.

Even though the mount command on Solaris seemed to show that setuid was set on the mount, the volume on the Netapp server had not been exported with setuid.

You don’t have to mount and remount the filesystem.

For security you should turn off setuid once you have finished doing your ftpconfig.

Colour management in Linux; using a Pantone Huey to calibrate a monitor


The following was done on Ubuntu 12.04 but should be similar on other recent Linux distributions.

To do proper colour calibration of your monitor you need a colorimeter and some software. The software to use is Argyll CMS. This is a command line tool but there are GUI addons provided by other authors. You need a colorimeter compatible with Argyll – check here for details of what hardware is supported by Argyll. I chose the Pantone Huey as it was readily available and was the cheapest ( note don’t buy the Pro version – it is the same hardware – you just get better Windows software which we won’t be using anyway ).

Install Argyll

Use your favourite tool to install Argyll from the Ubuntu repositories. If you are using Gnome then also install the Gnome CMS colour management system. To make the Huey accessible by a non-root user you need to add some rules to Udev – fortunately Argyll comes with a set of rules that can be copied into place.

sudo cp /lib/udev/rules.d/55-Argyll.rules /etc/udev/rules.d/55-Argyll.rules

Check that the Huey is accessible – plug it into a USB port and run spotread -? and look for the device listed :-

dmc@master:~$ spotread -?
Read Print Spot values, Version 1.1.0
Author: Graeme W. Gill, licensed under the GPL Version 3
usage: spotread [-options] [logfile]
-v                   Verbose mode
-s                   Print spectrum for each reading
-S                   Plot spectrum for each reading
-c listno            Set communication port from the following list (default 1)
1 = ‘usb:/bus0/dev2 (GretagMacbeth Huey)’
2 = ‘/dev/ttyS0’
3 = ‘/dev/ttyS1’
4 = ‘/dev/ttyS2’
5 = ‘/dev/ttyS3’

Installing DispcalGUI

Download the package for your distribution from the DispcalGUI site and install it – Ubuntu will fire up the install tool when you click on the Ubuntu package.

Create your profile using DispcalGUI

Make sure your Huey is plugged into a USB port. Start up Dispcal from your applications menu. It should automagically detect your display. Click the symbol between the display device and instrument – it should then show the Huey, and the Calibrate and Profile buttons at the bottom of the screen will activate.


Click on Measure for the Whitepoint and put the Huey face up next to the display. This will also measure the ambient light. You should really read the DispcalGUI manual which explains all of the settings that you should change from the defaults.

Click on Calibrate & Profile

A grey patch will appear on the screen and a terminal window will also open with instructions. Place the Huey on the screen over the patch and select check all from the menu in the terminal window. Follow the instructions given. After calibration you are asked to install the profile created and make it the default one. If you have installed Gnome CMS it will handle the installation and activation of the profile.

Installing Citrix client on Linux

I need to use Citrix for remote support and I want to use my normal Linux desktop to do it.

Access to Citrix is via XenApp ( used to be called MetaFrame ) hosted on your company’s web site and accessed via a browser.

For the current version of the Citrix client on 64bit Ubuntu you also need lots of 32bit libraries, so if you have not already installed the 32 bit multiarch then

sudo dpkg --add-architecture i386
sudo apt-get update

Now download the Linux client. Go to www.citrix.com , downloads , Download receiver. Open up the question “Where can I download Citrix Receiver on other platforms and devices” and select Linux, Debian Packages , Full Package ( Self support ), Receiver for Linux ( X86_64 ).

In Ubuntu firefox will ask what you want to do with the file – select the default which is to open with GDebi Package Installer. The package installer will then start up and click on Install Package.

The installer incorrectly configures the Firefox plugin to run via nspluginwrapper rather than native 64bit. To correct this :-

sudo rm -f /usr/lib/mozilla/plugins/npwrapper.npica.so /usr/lib/firefox/plugins/npwrapper.npica.so
sudo rm -f /usr/lib/mozilla/plugins/npica.so
sudo ln -s /opt/Citrix/ICAClient/npica.so /usr/lib/mozilla/plugins/npica.so
sudo ln -s /opt/Citrix/ICAClient/npica.so /usr/lib/firefox-addons/plugins/npica.so

Set up Firefox so it always activates the plugin. Open up Firefox , Tools – Add-ons – Plugins. Ensure that the “Citrix Receiver for Linux” is set to always activate.

Use Firefox to go to your company’s Citrix site , log in and access a Citrix service – the Citrix Receiver will start up on your desktop but you will often get an error such as

You have not chosen to trust “/C=US/ST=/L=/0=Equifax Secure Certificate Authority/CN=”, the issuer of the server’s security certificate (SSL error 61).


The error is caused by the Citrix client not having the required certificate. You can download the root certificate from the authority – see below – or it is often worth trying to copy over the certificates Firefox has as it has many of the common ones. Note that this makes the Citrix client trust every CA in that bundle, not just the one your site uses.

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts

Citrix should now work just fine.

If you really do need to install the root certificate then go to the certificate authority’s ( the one mentioned in the error message – i.e. Equifax ) website and download the root certificate

For the Equifax one above go to http://www.geotrust.com/resources/root-certificates/index.html and download  Equifax_Secure_Certificate_Authority_DER.cer

For VeriSign Class 3 :-

You have not chosen to trust “VeriSign Class 3 Public Primary Certification Authority – G5”, the issuer of the server’s security certificate (SSL error 61).


To get the VeriSign G5 cert go to http://www.verisign.com/support/roots.html , save the PCA-3G5.pem to your home directory and rename it to PCA-3G5.crt

Copy the certificate to /opt/Citrix/ICAClient/keystore/cacerts/ using sudo and rename it to .crt from .cer or .pem
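
A root certificate downloaded from a web page ends up as a trust anchor, so it is worth pinning it to the fingerprint the CA publishes before copying it into cacerts. The script below is an added example, not part of the original post; the function names and the fingerprint placeholder are assumptions, and it only relies on the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the original post): pin a downloaded root
# certificate to its published SHA-256 fingerprint before trusting it.

# Strip colons/spaces and upper-case, so fingerprints copied from a web page
# or printed by openssl compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of a certificate file, trying PEM then DER,
# so both the _DER.cer and the .pem downloads are handled.
cert_fingerprint() {
    for form in PEM DER; do
        if fp=$(openssl x509 -inform "$form" -in "$1" -noout \
                    -fingerprint -sha256 2>/dev/null); then
            normalise_fp "${fp#*=}"
            return 0
        fi
    done
    return 1
}

# install_root_cert FILE EXPECTED_FP DEST_DIR
# Copies FILE to DEST_DIR/<name>.crt only if its fingerprint matches
# EXPECTED_FP and prints the installed path. Returns 1 on a mismatch and
# 2 if FILE is not a certificate at all.
install_root_cert() {
    actual=$(cert_fingerprint "$1") || { echo "not a certificate: $1" >&2; return 2; }
    if [ "$actual" != "$(normalise_fp "$2")" ]; then
        echo "fingerprint mismatch for $1 (got $actual), not installing" >&2
        return 1
    fi
    name=$(basename "$1")
    cp "$1" "$3/${name%.*}.crt" && printf '%s\n' "$3/${name%.*}.crt"
}

# Example call (the fingerprint is a placeholder for the value the CA
# publishes, obtained over a separate channel):
#   install_root_cert PCA-3G5.pem "<SHA-256 FROM CA>" /opt/Citrix/ICAClient/keystore/cacerts
```

Run the c_rehash command shown earlier after a successful install.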

Prevent Citrix from using the whole screen

On Ubuntu I had a problem where I could not minimise the Citrix window or get back to the desktop.

The following changes in ~/.ICAClient/wfclient.ini solved the problem

DesiredHRES=1024
DesiredVRES=768

UseFullScreen=false

Now the Citrix window does not come up full screen

Problem with Control key sticking

I had an issue with the control key sticking in a Citrix session, i.e. if I used ^D to log out of a putty session then all my following keystrokes were prefixed by the control key ! The only way around it was to log out of Citrix and log back in. Citrix has fixed this in later versions so upgrade to the latest version ( you need to do the nspluginwrapper fix above after you upgrade otherwise the Citrix plugin will not launch ).

AIX not showing the correct oslevel after patching

After patching AIX to 5.3 TL11 SP3 oslevel -r still showed the OS at TL 09 :-

# oslevel -r
# 5300-09

To check what filesets are below the TL you patched to first find all TL levels you have installed :-

# oslevel -r -q
Known Recommended Maintenance Levels
————————————
5300-11
5300-10
5300-09
5300-08
5300-07
5300-06
5300-05
5300-04
5300-03
5300-02
5300-01
5300-00

Next check what filesets are below our highest level e.g. TL11

# oslevel -r -l 5300-11
Fileset                                 Actual Level           Recommended ML
—————————————————————————–
Java5.sdk                               5.0.0.1                5.0.0.235
ifor_ls.html.en_US.base.cli             5.3.7.0                5.3.8.0
#

Here you can see two filesets are at the wrong level, so we need to fix this. Java is a separate download for AIX; you can get it here http://www.ibm.com/developerworks/java/jdk/aix/service.html

Check if you have the 32 or 64 bit version with lslpp -l | grep -i java and download the latest fix – select the highest TL level you have installed when you download. Install using the usual installp / smitty method.

Re run oslevel -r -l 5300-11
Fileset                                 Actual Level           Recommended ML
—————————————————————————–
ifor_ls.html.en_US.base.cli             5.3.7.0                5.3.8.0

Now only one fileset is below level. A Google shows that there is a bug with the update process for this fileset – simply run the patch process again and it will update to the correct level.

Now oslevel is correct :-

# oslevel -r
5300-11
#

Yum hangs when checking updates with epel repo

Redhat 5

In /var/log/messages lots of :-

May 20 09:50:01 Server1 : error getting update info: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again

If I run yum -d 9 check-update it hangs at Setting up Package Sacks

Found out that another admin had added epel.repo in /etc/yum.repos.d

As we use a proxy to connect to Redhat, it appears there is a feature that if you add repos then you need to update /etc/yum.conf , as yum will not pick up the proxy settings from /etc/sysconfig/rhn/up2date

Adding proxy=http://proxy.mydomain.co.uk:8080 to /etc/yum.conf solved the problem.

Stop Spam in WordPress Comments – Install CAPTCHA

This WordPress blog has been targeted by Spam bots since it started but recently it has got a lot worse and it is getting tedious to go through all the pending comments and delete the Spam ones.

I’ve seen CAPTCHA used on other sites as a means to distinguish between humans and Spam bots so a quick Google for WordPress CAPTCHA plugins found a few. I wanted one that is updated regularly so it will still work when a new WordPress update is available. The plugin I chose was SI CAPTCHA . This seems to be regularly updated , looks very good, has audio and it works fine – I have had no Spam bot comments since installing. The plugin is free but if you find it useful and want to fund further development then there is a Paypal link – if you think how much time this plugin will save you a donation is highly recommended.

The link on the WordPress plugins site has all the information needed to install. ( Note for Centos check you have php-gd installed – see below ). Basically you unzip it into the wp-content/plugins directory then go to your Admin page , select plugins , then activate the SI Captcha plugin.

There is a nice Captcha support test link to check all is well – my setup failed first time – I got :-

ERROR: GD image support not detected in PHP

ERROR: imagepng function not detected in PHP

This was resolved by installing php-gd RPM. For Centos you would do

yum install php-gd

service httpd restart

Now if anyone wants to add a comment they have to pass the CAPTCHA test which Spam bots are no good at.

Note by default it won’t add the CAPTCHA box to users who are logged in so ensure you have logged out if you want to test it for yourself.

You should see the CAPTCHA at the bottom of this entry.

Checking when a SSL/TLS certificate for an email server expires

Check if the SSL/TLS certificate for SMTP email has expired on the local server

echo '"' | openssl s_client -connect localhost:25 -starttls smtp > /var/tmp/jik

depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify error:num=10:certificate has expired
notAfter=Feb  9 16:03:39 2010 GMT
verify return:1
depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
notAfter=Feb  9 16:03:39 2010 GMT
verify return:1
250 DSN
DONE
As you can see it has! After making a new one with genkey --days 1825 mail.tuqix.org and restarting dovecot ( service dovecot restart ) :-

-bash-3.2# echo '"' | openssl s_client -connect localhost:25 -starttls smtp > /var/tmp/jik
depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify return:1
250 DSN
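
To turn the manual check above into something a cron job can run, the script below (an added example, not part of the original post) picks the verify errors and the notAfter date out of the s_client output and classifies the certificate as EXPIRED, EXPIRING or OK. The function names are assumptions; SAMPLE_LOG is the output shown above, embedded so the parsing can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_LOG is the verify output
# shown above for the expired certificate, embedded so the script runs offline.
SAMPLE_LOG='depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/ST=Hampshire/L=Farnborough/O=Tuqix/CN=mail.tuqix.org
verify error:num=10:certificate has expired
notAfter=Feb  9 16:03:39 2010 GMT
verify return:1'

# List each distinct verify error in an s_client log as "num: reason".
verify_errors() {
    awk -F: '/^verify error:num=/ {
        sub(/^num=/, "", $2)
        if (!seen[$2]++) print $2 ": " $3
    }'
}

# Print the first notAfter= line found in an s_client log.
log_not_after() {
    awk '/^notAfter=/ { print; exit }'
}

# expiry_status "notAfter=Mon DD HH:MM:SS YYYY GMT" NOW_EPOCH WARN_DAYS
# Prints "EXPIRED n" (n whole days ago), "EXPIRING n" or "OK n" (n whole
# days left), or "UNPARSEABLE" if the date is not in the openssl format.
expiry_status() {
    printf '%s\n' "${1#notAfter=}" | awk -v now="$2" -v warn="$3" '
    # Days since 1970-01-01 for a Gregorian date, so GNU date is not needed.
    function days_from_civil(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    {
        pos = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        if (pos % 3 != 1 || NF < 4) { print "UNPARSEABLE"; exit }
        split($3, t, ":")
        end_ts = days_from_civil($4, (pos + 2) / 3, $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        left = end_ts - now
        if (left < 0)                 printf "EXPIRED %d\n", -left / 86400
        else if (left < warn * 86400) printf "EXPIRING %d\n", left / 86400
        else                          printf "OK %d\n", left / 86400
    }'
}

# Live check (needs network access): end date of the certificate the SMTP
# server presents after STARTTLS, in the same notAfter= format.
smtp_cert_enddate() {
    openssl s_client -connect "$1:$2" -starttls smtp </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}
# e.g. expiry_status "$(smtp_cert_enddate localhost 25)" "$(date +%s)" 30
```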

Installing Verisign SSL certificate on IBM HTTP server

Installing a Verisign SSL site certificate on IBM HTTP server

If you have an Apache certificate e.g. it was requested with an openssl signing request rather than using ikeyman then you first need to convert it to PKCS12 format which can then be imported into the IBMHTTPServer6 keystore.

openssl pkcs12 -export -out new_key_pair_filename.p12 -inkey private_key_filename.key -in certificate_filename.crt

You will get prompted for a password – you must use the same password as you have on the keystore you want to import it into.

Move the file to /usr/IBMHTTPServer6/bin
If you used strong encryption to generate the signing key request ( and you would have done ) then you may have to install the unrestricted JCE policy files.

To check :-

/usr/IBMHTTPServer6/java/jre/bin/keytool -list -v -keystore /usr/IBMHTTPServer6/bin/wbis104m.p12 -storetype pkcs12 -storepass passwd

If it barfs with java errors like :-

keytool error (likely untranslated): java.io.IOException: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)

keytool error (likely untranslated): java.io.IOException: Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameters)

You need to install the unrestricted JCE policy files.

Download the zip file from https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk ( you need an IBM ID – this is a free registration )

Unzip it and, after making copies of the originals, copy over the new local_policy.jar and US_export_policy.jar files to /usr/IBMHTTPServer6/java/jre/lib/security

Rerun the keytool command above ( ensuring you use the full path to the keytool command ) to confirm it lists the certificate details without Java errors.

Now add it into the keystore

You need to be able to use X as the ikeyman program is GUI only.

su to root , export XAUTHORITY and DISPLAY to those of the user you su’d from.

e.g.

export XAUTHORITY=/home/fred/.Xauthority

export DISPLAY=localhost:10.0

cd /usr/IBMHTTPServer6/bin

./ikeyman

Key Database File – Open

Key Database type CMS

Location /usr/IBMHTTPServer6/keys/

File Name key.kdb

You will be prompted for the password

Now import the certificate you converted to pkcs12 format above

Ensure Personal Certificates is selected then click on Export/Import

Select Import Key

Key file type PKCS12

File Name the file name of the converted pkcs12 format above

Location where you put the file

Click OK – you will be prompted for a password – use the one you set when you did the conversion ( which should also be the same as the keystore password you are putting it in )

If you get a message “The specified database has been corrupted” ensure you have installed the unrestricted JCE policy files above. If you have to install them you need to exit ikeyman and restart it again.

You should now get a dialog asking if you would like to change any of these labels before completing the import process

Click on the label ( which is probably a very long string ) and then change it to something like prod-cert ( this is the name you will use in the httpd.conf file )

Click apply

Click OK ( you may have to scroll to the right to see the OK button )

If you now get the error “An attempt to import the certificate has failed. All the signer certificates must exist in the key database”, this probably means that you need to install the Verisign intermediate signer’s certificate.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

Assuming it is a standard Verisign site certificate ( class 3 ) then go here :-

http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html

Cut and paste the certificate into a file and save with a .arm extension

Go into ikeyman and open the keystore as above

Select Signer Certificates

Click add

Data type Base64-encoded ASCII data

Certificate file name the name of the arm file you created above

Location the location of the arm file

Click OK

Enter a label for the certificate – choose something like Verisign intermediate CA cert

Click OK

Now select Personal Certificates and import the converted PKCS12 SSL certificate using the instructions as before.

Adding the certificate to the httpd.conf file

vi /usr/IBMHTTPServer6/conf/httpd.conf

search for SSLServerCert and change the name of the certificate to the name you chose when you added the certificate to the key store e.g. prod-cert

Restart apache

Upgrading Ubuntu to 9.10 – Squeezebox no longer connects to music library

After I upgraded Ubuntu to 9.10 my Squeezebox Duet could not see my music library on my Ubuntu server.

I checked my router for DHCP clients to confirm the Squeezebox Duet and controller were connected and I was surprised to see a DHCP connection from my newly upgraded Ubuntu server as it should have been a static IP. I seem to remember I had the same problem last time I upgraded – anyway as the Squeezebox expects to see the Ubuntu server running the music library daemon on a static IP I assumed this was the problem.

Reverting back to a static IP address after upgrading Ubuntu

From the tool bar – System – Preferences – Network Connections

Select  Wired connection 1 – Edit

Check the IPV4 Settings tab for the correct IP address then click apply.

Open up a terminal and restart the network

sudo /etc/init.d/networking restart

Check with ifconfig -a that the required static IP address has been applied.

Squeezebox still not finding my music library

Now I had the right IP address on my Ubuntu server the Squeezebox still would not find the music library.

I checked on the Ubuntu server if the squeezecenter daemon was running ( ps -ef | grep squee ) – it was not. I attempted to restart it :-

sudo /etc/init.d/squeezecenter restart
Restarting squeezecenterNo squeezecenter_s found running; none killed.
start-stop-daemon: stat /usr/sbin/squeezecenter_safe: No such file or directory (No such file or directory)

Oh dear – time for a Google search. Apparently the 9.10 upgrade to MySQL broke it and I needed to download the latest ( beta ) version 7.4.2 of squeezeboxserver ( the new name for squeezecenter ). You can get it from

http://downloads.slimdevices.com/nightly/?ver=7.4

In Ubuntu if you click on the Debian installer package link then an installer will start up, ask you to confirm you want it installed and warn about an older version available in the repository which would be more stable. After installing I started it up :-

sudo /etc/init.d/squeezeboxserver start

As I was using squeezecenter rather than squeezeboxserver I had to configure it to tell it where my music files and play list were. To do this connect to http://localhost:9000 , type in your Squeezebox network login ( or register if you don’t have one ) and then follow the instructions to point to your music and playlist files.