Friday, November 26, 2010

Create Java SSL certificate


1 Create the SSL key for your machine using Java's keytool program. When asked to specify your first and last name, use the name of the machine running the CAS Tomcat server. For example, on my machine, I used localhost:
                 keytool -genkey -alias tomcat -keypass mycertificate -keyalg RSA
2. You now have a keystore in the current user's home directory. Now you need to add the certificate to your JRE's cacerts file. Export the certificate you just generated:
                 keytool -export -alias tomcat -keypass mycertificate -file server.crt
3. Now, add the exported certificate (server.crt) to your JRE's cacerts file again using Java's keytool program, as follows:
                keytool -import -file server.crt -keypass mycertificate -keystore ..\jre\lib\security\cacerts
4. The last step in setting up SSL is to tell Tomcat about the keystore. Edit the server.xml file again. Modify the SSL connector definition with the lines           highlighted below. Note that the keystoreFile is the full path to the current user's home directory where the keystore resides:
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                keystoreFile="/root/.keystore"
                                keystorePass="mycertificate"
                                truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/
                                security/cacerts" />
Vocabulary: , No comments:

Thursday, November 25, 2010

Alfresco and CAS Integration


1.            You can set up CAS on separate tomcat or same tomcat running alfresco. you need to make couple of changes to tomcat's conf/server.xml file for separate tomcat regarding SSL/AJP/server port:
                                ...
                                <Server port="8006" shutdown="SHUTDOWN">
                                ...
                                <Connector port="8081" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" redirectPort="8444"
                                acceptCount="100"
                                connectionTimeout="20000" disableUploadTimeout="tru
                                e" />
                                ...
                                <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                ...
                                <!-- Define an AJP 1.3 Connector on port 8010 -->
                                <Connector port="8010"
                                enableLookups="false" redirectPort="8443"
                                protocol="AJP/1.3" />
                2. Start up new Tomcat instance. and it should run smoothly along with alfresco tomcat.
                3. Download the CAS server from JA-SIG at http://www.ja-sig.org/products/cas/.
                4. CAS-protected URL redirects, the browser to the CAS authentication page. For security reasons, the CAS URLs are protected with SSL. Creating the certificate and adding it to the JRE's keystore requires below steps.
                5. Use Java's keytool program to create the SSL key for your machine. When asked to specify your first and last name, use the name of the machine running the CAS Tomcat server. For example, I used localhost:
                 keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
                6. We have a keystore in the user's home directory. Now need to add the certificate to your JRE's cacerts file. Export the certificate generated:
                 keytool -export -alias tomcat -keypass changeit -file server.crt
                7. Adding the exported certificate (server.crt) to JRE's cacerts file, as follows:
                keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
                8. The last step in setting up SSL is to tell Tomcat about the keystore. Edit the server.xml file again. :
                                <Connector port="8443" maxHttpHeaderSize="8192"
                                maxThreads="150" minSpareThreads="25"
                                maxSpareThreads="75"
                                enableLookups="false" disableUploadTimeout="true"
                                acceptCount="100" scheme="https" secure="true"
                                clientAuth="false" sslProtocol="TLS"
                                keystoreFile="/root/.keystore"
                                keystorePass="changeit"
                                truststoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/
                                security/cacerts" />
                9. Copy the CAS webapp WAR to the webapps directory of Tomcat instance. The          CAS webapp WAR is in the directory where you expanded CAS under "modules". The file is called cas-server-webapp-3.3.3.war.
                10. Start CAS Tomcat. CAS screen can be seen at https://[machine name]:8443/cas. Add the following entry to the Alfresco web.xml
                                <!-- cas client filter -->
                                <filter>
                                <filter-name>CAS Filter</filter-name>
                                <filter-class>
                                edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
                                <init-param>
                                                <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
                                                <param-value>https://localhost:8443/cas/login</param-value>
                                </init-param>
                                <init-param>
                                <param-name>
                                edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
                                <param-value>https://localhost:8443/cas/serviceValidate</param-value>
                                </init-param>
                                <init-param>
                                <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
                                <param-value>localhost:8080</param-value>
                                </init-param>
                                </filter>
                11.          Next, add the filter mapping.This will cause Tomcat to redirect the browser to the CAS login if anyone without a valid ticket attempts to run. For Alfresco, the                 URL pattern should be:
                                <filter-mapping>
                                <filter-name>CAS Filter</filter-name>
                                <url-pattern>/faces/*</url-pattern>
                                </filter-mapping>
                12.          Save the web.xml file. At this point, you could restart Alfresco Tomcat and open the web client and you'd be redirected to the CAS login page. But Alfresco                 doesn't yet know how to extract the credentials from CAS to use to start an Alfresco session. To do that, you have to write an AuthenticationFilter. Look at Alfresco Wiki at http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration for same.
                13.          You need to tell Alfresco to use the new Authentication Filter in place of the out of the box Authentication Filter. Do that by editing web.xml and modifying               the Authentication Filter filter as follows:
                                <filter>
                                <filter-name>Authentication Filter</filter-name>
                                <!--
                                <filter-class>
                                org.alfresco.web.app.servlet.AuthenticationFilter
                                </filter-class>
                                -->
                                <filter-class>
                                com.someco.servlets.AuthenticationFilter</filter-class>
                                <init-param>
                                <param-name>cas.user.label</param-name>
                                <param-value>
                                edu.yale.its.tp.cas.client.filter.user</param-value>
                                </init-param>
                                </filter>
                15.          Start Alfresco. You should now be able to log in to Alfresco . Remember that at this point, CAS is still using its default adapter, which grants successful logins when the username and password match.
Vocabulary: , No comments:

Thursday, September 02, 2010

Jsp Include Directive vs Action

Jsp Include directive
At JSP page translation phase, the content of the file mentioned in the include directive is included/added as it is, in the place where the directive is used. Then the total JSP page is translated into a java servlet class. The included file is a static resource like html or a JSP page. Generally JSP include directive is used to include header banners and footers content.

The JSP compilation process is that, the JSP page gets compiled only if that page has changed. If the change is only in the included file, the source JSP file will not be compiled and therefore the modification will not get reflected in the browser output.



Jsp Include action
The jsp:include action element works like a function call. At runtime, the included file will be compiled & executed and the resulted output is included with the source page. When the included JSP page is called, both the request and response objects are passed as parameters.

In case we need to pass any values to the included file, then jsp:param element can be used. If the resource is static, its content is inserted into the calling JSP file, since there is no processing needed.




Vocabulary: No comments:

Wednesday, September 01, 2010

Salman Khan's Dabangg 2010

Salman Khan's Dabangg is coming next week. And I was among all those die hard Salman fans who want to know what dabangg means. Well, Dabangg, or dabang, as it used to be spelled earlier, means someone who has a dabdaba, a control over a specific area and people there.

The word dabangg is generally used to address people who have good deal of control or influence over the other powerful people of the area. Hence, Dabangg also means Powerful.
No comments:

Saturday, July 31, 2010

JBoss Performance Tuning

JBoss version EAP-4.3.0.GA_CP03
Configuration production 

Preface

This advice is primarily on how to tune and/or slim JBossAS. The two concepts are orthogonal in most cases. While reducing idle service threads through slimming won't have a large impact on performance, using less memory and resources may allow you to tune other performance aspects. Of course this does reduce startup time. Furthermore, as a general security concept -- remove services you don't use. We will separate the two categories: slimming and tuning. We start by using the production configuration and trimming from there.
Note for those concerned that this advice will make a technically non-J2EE-compliant instance of JBoss, as removing key J2EE services would cause JBoss to fail the TCK. Most performance tuning/administrative tasks done in real-world installations technically fall in this category.

  1. Tune the garbage collector

    • Set -Xms and -Xmx to the same value - This increase predictability by removing the most important sizing decision from the virtual machine.
    • Use server VM - The server JVM is better suited to longer running applications.
      To enable it simply set the -server option on the command line.
    • Turn off distributed gc - Set it to run every 30 minute at least
      -Dsun.rmi.dgc.client.gcInterval=1800000
      -Dsun.rmi.dgc.server.gcInterval=1800000
    • Turn on parallel gc - If you have multiple proessors you can do your garbage collection with multiple threads.
      Use the flag -XX:+UseParallelGC.
    • Don't choose an heap larger then 70% of your OS memory
    • Tune the Heap ratio - The heap ratio specifies how the amount of the total heap will be partitioned between the
      young and the tenured space. For example, setting -XX:NewRatio=3 means that the ratio between the
      young and tenured generation is 1:3
    • XX:+DisableExplicitGC turn's off explicit garbage collection from java code.
  2. Don't use Huge heaps, use a cluster More JVMs/smaller heaps can outperform fewer JVMs/Larger Heaps. So instead of huge heaps, use additional server nodes.
    Set up a JBoss cluster and balance work between nodes.

  3. For Disabling Development mode in JBoss Tomcat. Look for the code below in server/production/deploy/jboss-web.deployer/conf/web.xml


    • development - To disable on access checks for JSP pages compilation set this to false.
    • modificationTestInterval - If development has to be set to true for any reason (such as dynamic generation of JSPs), setting this to a high value will improve performance a lot.
    • checkInterval - If development is false and checkInterval is greater than zero, background compilations are enabled. checkInterval is the time in seconds between checks to see if a JSP page needs to be recompiled. Default is 0.  
    <servlet>
  <servlet-name>jsp</servlet-name>
  <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>

    Add the following parameters as required 

    <init-param>
   <param-name>development</param-name>
   <param-value>false</param-value>
</init-param>

  4. Generic Database Connection Pool configuration Edit server/production/deploy/oracle-ds.xml 
    <datasources>
   ....

<!--pooling parameters-->
<min-pool-size>5</min-pool-size>
<max-pool-size>100</max-pool-size>
<blocking-timeout-millis>5000</blocking-timeout-millis> 
<idle-timeout-minutes>15</idle-timeout-minutes>
<prepared-statement-cache-size>100</prepared-statement-cache-size>




    • : this is the number of prepared statements per connection to be kept open and reused in subsequent requests.
    • Disable the connection debugging
    • increase max size of pools to appropriate level

  5. Deployment Scanner - The deployment scanner scanning every 5 seconds eats up cycles especially on systems with a slow filesystem. Edit server/production/conf/jboss-service.xml. change the scan period to larger duration.
    <!-- An mbean for hot deployment/undeployment of archives. --> 
<mbean code="org.jboss.deployment.scanner.URLDeploymentScanner"
    name="jboss.deployment:type=DeploymentScanner,flavor=URL">
    ... 
    

    
<attribute name="ScanPeriod">5000</attribute> 
    

    
... 
    

    </mbean> 
    

    6. 

  6. Lots of EJB requests ? switch to the PoolInvoker? open server/production/conf/standardjboss.xml and find the following fragment: 
    

    

    <invoker-mbean>jboss:service=invoker,type=jrmp</invoker-mbean>
    

    
On JBoss should find 4 occurrences of it: stateless-rmi-invoker, clustered-stateless-rmi-invoker, stateful-rmi-invoker,entity-rmi-invoker. Now replace this fragment for desired EJB types: 
    

    

    <invoker-mbean>jboss:service=invoker,type=pooled</invoker-mbean>
    

    

    7. 

  7. If you are using the Pooled Invoker then you may need to change the MaxPoolSize? attribute in pool configuration if required. Edit server/production/conf/jboss-service.xml
    

    
 
    <mbean code="org.jboss.invocation.pooled.server.PooledInvoker" 
name="jboss:service=invoker,type=pooled"> 
    

    
<attribute name="NumAcceptThreads">1</attribute> 
    
<attribute name="MaxPoolSize">300</attribute>
    
<attribute name="ClientMaxPoolSize">300</attribute> 
    
<attribute name="SocketTimeout">60000</attribute> 
    
<attribute name="ServerBindAddress">${jboss.bind.address}</attribute> 
    
<attribute name="ServerBindPort">4445</attribute> 
    
<attribute name="ClientConnectAddress">${jboss.bind.address}</attribute> 
    
<attribute name="ClientConnectPort">0</attribute> 
    
<attribute name="EnableTcpNoDelay">false</attribute> 
    
<depends optional-attribute-name="TransactionManagerService">
    
jboss:service=TransactionManager</depends> 
    

    </mbean> 
    
  
    

    8. 

  8. JBoss Logging
    

    
* Enable the logging for file in production enviornment.
    
* Disabled for console and the priority to be error. 
    

    9. 

  9. Tune the Operating System - Each operating system sets default tuning parameters differently. For Windows platforms, the default settings are usually sufficient. However, the UNIX and Linux operating systems usually need to be tuned appropriately. 
    

    
* Increase default socket send/receive buffer.
    
* Optimize MTU.
    
* Use Big Memory Pages.
    

    10. 












Vocabulary:




No comments:
              



























        

      









Subscribe to:
Posts (Atom)