Using a .pfx file for Solr HTTPS - solr

EDIT: SOLUTION: NEVER USE SPECIAL CHARACTERS IN YOUR SOLR.IN.CMD. IT WILL NOT WORK!
I have a certificate named "cert.pfx" from our organisation with the password "123456".
I want to use this file to enable https in Solr. I converted the pfx file to the desired .jks file:
keytool -importkeystore -srckeystore cert.pfx -srcstoretype pkcs12 -destkeystore solr-ssl.keystore.jks -deststoretype JKS
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.jks.p12 -srcstoretype jks -deststoretype pkcs12
D:\openssl\openssl.exe pkcs12 -in solr-ssl.keystore.jks.p12 -out solr-ssl.pem
Output:
solr-ssl.keystore.jks
solr-ssl.keystore.jks.p12
solr-ssl.pem
Solr.in.cmd file:
REM Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
REM to enable https module with custom jetty configuration.
set SOLR_SSL_ENABLED=true
REM Uncomment to set SSL-related system properties
REM Be sure to update the paths to the correct keystore for your environment
set SOLR_SSL_KEY_STORE=D:\openssl\solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=123456
set SOLR_SSL_TRUST_STORE=D:\openssl\solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=123456
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM Verify client hostname during SSL handshake
REM set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
REM this to false can be useful to disable these checks when re-using a certificate on many hosts
set SOLR_SSL_CHECK_PEER_NAME=true
REM Override Key/Trust Store types if necessary
set SOLR_SSL_KEY_STORE_TYPE=JKS
set SOLR_SSL_TRUST_STORE_TYPE=JKS
When I am trying to start Solr, I get the following error:
Caused by: java.security.PrivilegedActionException: java.io.IOException: Keystore was tampered with, or password was incorrect
at java.security.AccessController.doPrivileged(AccessController.java:738)
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1746)
... 7 more
Why do I get this error, when I clearly used "123456" in every step?

Looks like the issue is when you have special characters, i.e. ! @ # $, in the password; you can't include these in a SOLR config file.
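An added diagnostic script (editor's example, not part of the question or the answer) that separates the two possible causes behind that error: a keystore password that really is wrong, and a correct password that cmd alters while reading solr.in.cmd. It assumes keytool from the JDK is on PATH and reuses the keystore path from the question; the value in the second part is made up, not a real password.

```batch
@echo off
REM Editor's added diagnostic, not from the question or answer.
REM Assumes keytool (from the JDK) is on PATH; keystore path taken from the question.
setlocal disabledelayedexpansion
set "KS=D:\openssl\solr-ssl.keystore.jks"

REM 1) Let keytool prompt for the password. Typed input never passes through
REM    cmd's variable parser, so this tests the keystore and the password alone.
REM    A wrong password gives the same "Keystore was tampered with, or password
REM    was incorrect" message that Jetty reported.
echo Checking %KS% ...
keytool -list -keystore "%KS%" -storetype JKS
if errorlevel 1 (
    echo keytool rejected the password - the keystore or the password itself is wrong
) else (
    echo keytool accepted the password - if Solr still fails, look at solr.in.cmd
)

REM 2) The same "set" line read by cmd in its two parser modes. Made-up value,
REM    not a real password. With delayed expansion on, an unpaired ! is removed.
set "PW=Pa!ss"
echo delayed expansion OFF: %PW%
setlocal enabledelayedexpansion
set "PW=Pa!ss"
echo delayed expansion ON:  !PW!
endlocal
endlocal
```

If keytool accepts the password but Solr rejects it, the value Jetty receives is not the value in the file. Whether bin\solr.cmd has delayed expansion enabled at the point where it calls solr.in.cmd is something to confirm in your own copy of that script; if it does, `!` behaves as in the second part, and a single `%` is dropped by the batch parser in either mode unless written as `%%`. The keytool listing also shows the alias of the key entry, which is worth checking because an imported PKCS#12 keystore may carry a long, auto-generated alias.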

Related

Encrypt files using gpg and hmac-sha2-256

I wrote a script to encrypt a file using gpg, in a .bat script which takes in a filename passed from a powershell script. This is my .bat file (the important parts anyway):
gpg --batch --yes --passphrase "C:\users\me\Desktop\testkey.txt" --gen-key "C:\users\me\Desktop\SetEncryptionSettings.txt"
gpg --batch --yes -r myuser --output %OutputParam% --encrypt %1
where SetEncryptionSettings.txt looks like this:
Key-Type: default
Subkey-Type: default
Name-Real: myuser
Name-Comment: nocomment
Name-Email: me@gmail.com
Expire-Date: 0
And this works. I can decrypt the file myself. However, I sent my file to someone else who appears to be using a different decryption algorithm...he says I should use hmac-sha2-256.
I understand the encryption options in a .bat file to provide these four options:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
which can be seen here, for example:
https://yanhan.github.io/posts/2017-09-27-how-to-use-gpg-to-encrypt-stuff.html
So I thought that my code was using RSA since that's the default...and that since there are no options here for hmac-sha2-256, I'm going to have to change everything now. Can I make this work using a similar setup to what I have now, without downloading any additional programs?
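An added example (editor's, not from the question) that shows how to find out which algorithms the gpg build on the machine offers and which public-key algorithm a given output file was encrypted with, without changing the setup above. It assumes the key for "myuser" already exists (generated as in the post), takes the file to encrypt as %1, and uses the placeholder output name out.gpg.

```batch
@echo off
REM Editor's added example, not from the question. Assumes a key for "myuser"
REM already exists (generated as in the post); %1 is the file to encrypt and
REM out.gpg is a placeholder output name.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 file-to-encrypt
    exit /b 1
)

REM What this gpg build can do: these lines list the public-key, cipher and
REM hash algorithms. HMAC-SHA2-256 is a message authentication code, not an
REM entry in any of these lists.
gpg --version | findstr /I "Pubkey: Cipher: Hash:"

REM Encrypt to the recipient. gpg picks the symmetric cipher from the recipient
REM key's preferences unless --cipher-algo overrides it.
gpg --batch --yes --recipient myuser --output out.gpg --encrypt "%~1" || exit /b 1

REM Inspect the result without decrypting: the "pubkey enc packet" line shows
REM the public-key algorithm id (1 = RSA) and the key id it was encrypted to.
gpg --list-packets out.gpg
endlocal
```

The packet listing is the quickest way to confirm what a file was actually encrypted with when two parties disagree about the algorithm: it reads only the OpenPGP packet headers, so it works on any machine that has gpg, with or without the private key.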

Unable to execute command with forward slash

I want to create a batch file to execute a set of Git commands to:
Fetch a new remote repository.
Create a local repository to track the remote and check the new local branch out.
Second Git command uses a forward slash (origin/[repositoryName]) and gives the following error:
"fatal: Missing branch name; try -b".
@ECHO OFF
SET /P branch = Enter remote branch name:
git fetch origin %branch%
git checkout --track origin/%branch%
First, git command fetches the remote repository.
Second git command gives error:
"fatal: Missing branch name; try -b"
As mentioned in comments you should use the following piece of code:
@echo off
set /p "branch=Enter remote branch name: "
git fetch origin %branch%
git checkout --track origin/%branch%
which is slightly modified.
You don't need to scream in a batch file :) it is a case-insensitive language.
When you set variables, don't add extra spaces around the =, because then the interpreter reads it as var<space> and <space>value.
Also, quote the variable name and value in the form set "var=value".
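An added example (editor's, not from the answer) of the same fetch-and-track script with input checks in front of it, so a blank or malformed branch name fails early with a clear message instead of an unrelated git error. The branch name is whatever the user types; origin is the remote name from the question.

```batch
@echo off
REM Editor's added example, not from the answer above: validate the typed
REM branch name before any git command runs against the repository.
setlocal
set "branch="
set /p "branch=Enter remote branch name: "

REM set /p leaves the variable unset on an empty answer
if not defined branch (
    echo No branch name given.
    exit /b 1
)

REM Reject names that are not valid ref names (spaces, "..", control chars, ...)
git check-ref-format --branch "%branch%" >nul 2>&1 || (
    echo "%branch%" is not a valid branch name.
    exit /b 1
)

REM --exit-code makes ls-remote return 2 when origin has no such branch
git ls-remote --exit-code --heads origin "%branch%" >nul 2>&1 || (
    echo origin has no branch "%branch%".
    exit /b 1
)

git fetch origin "%branch%" || exit /b 1
git checkout --track "origin/%branch%"
endlocal
```

Quoting `"%branch%"` keeps a name containing spaces from being split into several arguments, and `check-ref-format --branch` rejects the characters git itself refuses, so the later commands only ever see a name git could have created.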

Run xmlaccess command locally against remote portal server

I'm trying to run xmlaccess from my computer, and the WebSphere Portal server is installed on a different machine connected over LAN with mine. I did all the configuration of adding jar files on my computer and then ran the xmlaccess command with the required parameters, but it keeps giving the same output and doesn't create an output file. I have copied all the jar files as given on the IBM Knowledge Center.
This is the command I give and the output I get every time; when running the same command on the machine where WebSphere is installed, it creates the output file and works fine:
C:\Users\Admin\Desktop\deployment>xmlaccess -in C:\Users\Admin\Desktop\deployment\ExportAllPortlets.xml -url http://172.16.100.227:10039/wps/config -out ExportedWebModules.xml -user ****** -password ******
Licensed Materials - Property of IBM, 5724-E76, 5724-E77, 5724-I29 and 5655-Y16, (C) Copyright IBM Corp. 2001, 2014 - All Rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
EJPXB0001I: Command line parameters:
-in <xml input file>
[-user <user name>]
Will be queried over the console, if omitted
[-password <password>]
Will be queried over the console, if omitted
[-useEncryptedCredentials <file>]
Retrieve user name and password from properties file. Update file with encrypted password.
[-noUpdateProperties]
Do not save encrypted password back to properties file.
[-out <output file>]
default: write to stdout
[-url <portal config URL>]
default: http://localhost/wps/config
[-attempts <max. connection attempts>]
default: 1 attempt, no retries
[-truststore <file name of the trust store for HTTPS>]
default: $JAVA_HOME/lib/security/cacerts
[-trustpwd <password for the trust store for HTTPS>]
default: <empty>
[-trusttype <file type of the trust store for HTTPS>]
default: jks
[-keystore <file name of the key store for HTTPS>]
default: $JAVA_HOME/lib/security/cacerts
[-keypwd <password for the key store for HTTPS>]
default: <empty>
[-keytype <file type of the key store for HTTPS>]
default: jks
[-credentialexport]
enables export and import of credential secrets
[-protocol <protocol>]
selects the protocol (if portal config URL
specified https:, otherwise this parameter is ignored).
default: SSL
[-encryptionPassphrase <passphrase>]
passphrase for credential encryption and decryption
Try putting it in a non-virtualized directory, like c:\xmlaccess, instead of on the desktop.
Create a folder in that directory called plugins.
Place these jars in there:
bootstrap.jar, com.ibm.ffdc.jar, com.ibm.ws.emf.jar, com.ibm.ws.runtime.jar, j2ee.jar, org.eclipse.emf.common.jar, org.eclipse.emf.ecore.jar, wp.base.jar, wp.engine.impl.jar, wp.utilities.streams.jar, wp.xml.client.jar
I was using a 1.8 JDK.
Then set up your bat file like this:
@echo off
REM Folder holding the jars listed above (spelled to match c:\xmlaccess)
set WAS_HOME=C:\xmlaccess\plugins
REM Fall back to java on PATH when JAVA is not already set in the environment
if not defined JAVA set "JAVA=java"
set cpath=%WAS_HOME%\com.ibm.ws.runtime.jar
set cpath=%cpath%;%WAS_HOME%\bootstrap.jar
set cpath=%cpath%;%WAS_HOME%\com.ibm.ws.emf.jar
set cpath=%cpath%;%WAS_HOME%\org.eclipse.emf.ecore.jar
set cpath=%cpath%;%WAS_HOME%\org.eclipse.emf.common.jar
%JAVA% -classpath %WAS_HOME%\wp.xml.client.jar;%WAS_HOME%\wp.base.jar;%WAS_HOME%\wp.engine.impl.jar;%WAS_HOME%\wp.utilities.streams.jar;%WAS_HOME%\j2ee.jar;%WAS_HOME%\com.ibm.ffdc.jar;%cpath% com.ibm.wps.xmlaccess.XmlAccess %*

batch file for check firewall status and if disable start a file

I want a batch file that after running with standard access, checks the status of the firewall and if the firewall is disabled, start a file. But, if the firewall is enabled, show all allowed ports. Is this possible?
I am checking if the firewall is enabled or not by using the Windows registry value EnableFirewall.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
I am not sure if this is the right way.
You can get the firewall's current state using this command:
netsh advfirewall show allprofiles state
You can also use the command
netstat -ab | more
This will get a list of all the open ports and display it on screen.
As for reading a registry key you can use reg query:
reg query <KeyName> [{/v <ValueName> | /ve}] [/s] [/se <Separator>] [/f <Data>] [{/k | /d}] [/c] [/e] [/t <Type>] [/z]
Source: https://technet.microsoft.com/en-us/library/cc742028.aspx
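An added script (editor's example, not from the question or the answer) that puts the two checks together: it reads the EnableFirewall value under the registry key the question names, asks netsh for the effective state of the current profile, and then either starts a file or lists the enabled inbound allow rules with their ports. The file to start is a placeholder; the registry path is the one from the question.

```batch
@echo off
REM Editor's added example, not from the question or answer.
REM FILE_TO_START is a placeholder; KEY is the path given in the question.
setlocal
set "FILE_TO_START=C:\path\to\your\file.exe"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

REM 1) Registry view: EnableFirewall is a REG_DWORD, 0x0 = off, 0x1 = on.
REM    Reading HKLM needs no elevation. Third token of the reg output is the value.
set "REG_ON="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v EnableFirewall 2^>nul ^| findstr /I "EnableFirewall"') do set "REG_ON=%%v"
echo Registry EnableFirewall (StandardProfile): %REG_ON%

REM 2) netsh view: the effective state of the profile in use, which is what
REM    actually applies (the registry value is per profile and can be overridden).
REM    The "State" line text is localized on non-English Windows.
set "NETSH_OFF="
netsh advfirewall show currentprofile state | findstr /R /C:"State *OFF" >nul && set "NETSH_OFF=1"

if defined NETSH_OFF (
    echo Firewall is OFF - starting "%FILE_TO_START%"
    start "" "%FILE_TO_START%"
) else (
    echo Firewall is ON - inbound rules, their ports and whether they allow traffic:
    netsh advfirewall firewall show rule name=all dir=in | findstr /I /C:"Rule Name" /C:"Enabled" /C:"LocalPort" /C:"Action"
)
endlocal
```

The decision is taken from netsh rather than the registry value because netsh reports the state the firewall is actually enforcing; the registry read is kept only so the two can be compared when they disagree. The rule listing still includes disabled rules and Block rules, which is why the Enabled and Action lines are printed next to each LocalPort.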

Keep mod_security messages out of Apache's error_log, letting it use a separate file

Having set up a new server, I'm now running v2 of mod_security. I was able to convert all my rules to the new format, and everything seems to run fine so far. Just one thing I didn't manage is to have mod_security using its own logs (instead of logging to Apache's error_log). With v1.9 I was at least able to duplicate the messages, defining an additional log file with
CustomLog /path/to/modsec_log "%h %l %u %t \"%r\" %>s %b %{mod_security-message}i" env=mod_security-relevant
But not even that works anymore. I couldn't find anything browsing the questions tagged mod-security2, aunt Google didn't turn up any useful hints either. Is there anything I might have missed?
Do you mean the audit and debug logs? I have them set in modsec2.conf like this:
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
In the modsecurity_crs_10_setup.conf file (on my configuration under /usr/share/modsecurity-crs) you can disable the logs on Apache error.log
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
Just change SecDefaultAction to
SecDefaultAction "phase:1,deny,nolog,auditlog"
Set the log path in the modsecurity.conf file as follows:
SecAuditLog /root/...path../logs/modsec_audit.log (relative path)
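An added configuration fragment (editor's example, not taken from either answer) that shows the directives above in one place, with the two caveats a practitioner runs into: SecDefaultAction is per phase in ModSecurity 2.x, so a single "phase:1" line leaves phase 2 rules untouched, and it only supplies actions a rule does not set itself. Log paths are assumptions.

```apache
# Editor's added example, not from the answers above. Paths are assumptions.
SecRuleEngine On

# Default actions are per phase in ModSecurity 2.x, so set both request phases.
# "nolog" suppresses the Apache error_log entry; "auditlog" keeps the audit record.
SecDefaultAction "phase:1,deny,nolog,auditlog"
SecDefaultAction "phase:2,deny,nolog,auditlog"

# Audit log: only transactions worth keeping (denied ones, and responses with
# 5xx or 4xx status other than 404), written serially to one file.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/apache2/modsec_audit.log

# Debug log kept apart from error_log; level 3 records rule matches without
# the per-rule trace that higher levels produce.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3
```

A rule that carries its own `log` action still writes to error_log regardless of SecDefaultAction, since the default only fills in what the rule leaves unspecified; if entries keep appearing there after this change, the rule text itself is where to look.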
