Tuesday Feb 04, 2014

Binding a server to privileged port on Linux w/o running as root

This is applicable to any service using privileged ports (< 1024), for instance to run a HTTP server on port 80 or a LDAP directory server on port 389.

  • Running the server as root is not a recommended option for security reasons.
  • Using iptables to map privileged port (e.g. 389) to non-privileged port is a well-know method.
  • Updating the Linux config to put 389 on the non-privileged port list is another option.

There is another option that I use frequently, based on setcap to run OUD on port 389 in my labs:

This solution requires install and modification of a java 7 JVM specifically for OUD use.

Such configuration has security implications, as anyone running that JVM has the right to bind on privileged ports (settings are JVM wide, not restricted to a specific jar file/application), so the jvm access should be restricted to the appropriate user only (the one allowed to start OUD)

Here is the procedure:

  1. download patchelf sources from here and compile them on target Linux.
  2. install setcap package on Linux if needed
  3. install a java 7 SDK on target system e.g. /space/java/jdk1.7.0_45
  4. restrict access to that jvm (java and jre) to the appropriate user only (the one used to start OUD).
    Put in place additional security if needed.
  5. as root, run the following commands to allow java to bind as priviledged ports

    setcap cap_net_bind_service=+epi <JAVA_HOME>/bin/java
    setcap cap_net_bind_service=+epi <JAVA_HOME>/jre/bin/java


  6. - change java dynamic library loading strategy as default strategy is not compatible with setcap

    patchelf --set-rpath <JAVA_HOME>/jre/lib/amd64/jli <JAVA_HOME>/jre/bin/java
    patchelf --set-rpath <JAVA_HOME>/lib/amd64/jli <JAVA_HOME>/bin/java


  7. - Modify jvm used by oud

    edit java.properties and modify property e.g default.java-home
    run dsjavaproperties

  8. - start OUD with standard start-ds command.


Tuesday Aug 07, 2012

Monitoring OUD with VisualVM

VisualVM is a visual tool integrating several commandline JDK tools and lightweight profiling capabilities. Designed for both production and development time use, it further enhances the capability of monitoring and performance analysis for the Java SE platform.

Here are the steps to use VisualVM to monitor Oracle Unified Directory: 

#1 Download the latest release of VisualVM from http://visualvm.java.net/

#2 Enable the MBeans plugin as described in  http://visualvm.java.net/mbeans_tab.html to take advantage of the statistics exposed by OUD

#3 Enable JMX on OUD

  1. Start the server.

  2. Enable the JMX Connection Handler and set the port number to be used with JMX.

    Choose a port that is not in use and to which the user that is running the server has access rights.

    $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
      set-connection-handler-prop --handler-name "JMX Connection Handler" \
      --set enabled:true --set listen-port:1689
    
  3. Add the JMX read, write, and notify privileges to the root DN.

    $ dsconfig -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -X -n \
      set-root-dn-prop \
      --add default-root-privilege-name:jmx-read \
      --add default-root-privilege-name:jmx-write \
      --add default-root-privilege-name:jmx-notify
    
  4. Restart the server.

#4 Connect to OUD from VisualVM

To connect VisualVMto a server instance, click on File/Add JMX Connection. The following fields are required:

  • JMX URL:

    service:jmx:rmi:///jndi/rmi://''host'':''port''/org.opends.server.protocols.jmx.client-unknown

    • host is a host name, an IPv4 numeric host address, or an IPv6 numeric address enclosed in square brackets.

    • port is the decimal port number of the JMX connector.

    The default JMX URL is:

    service:jmx:rmi:///jndi/rmi://198.51.100.0:1689/org.opends.server.protocols.jmx.client-unknown

  • User Name. A valid LDAP user name.

    The default Directory Manager user name is cn=Directory Manager.

  • Password. The user's LDAP password.

#5 Browse MBeans attributes

Go to the right panel then select the MBean tab and navigate in the MBean tree. You can get access to the OUD config, monitoring information & statistics and all the convenient java metrics.


Note: You can plot those JMX numeric values in VisualVM that appear in bold. To do so, double-clicking on numeric attribute values will display a chart that plots changes in that numeric value.





Monday Mar 22, 2010

SCJP

[Read More]

Monday Apr 07, 2008

OpenSolaris and Java Real Time at INSA LYON

March was a busy month for Julien Canquelain and Sebastien Rodriguez, our Sun Campus Ambassadors for INSA Lyon.

First, they organized a conference about OpenSolaris on March 20th. They presented the OS, DTrace, Zones and ZFS. Conference went well despite some hardware problems just before the demo. OpenSolaris was new for most attendees (40 people) and OpenSolaris t-shirts were really appreciated !

On March 27th, Bertrand Delsart from the Sun Java Real Time group in Grenoble Engineering Center , gave a conference at INSA Lyon about Java RT . About 20 students showed up, which is not bad as the subject is quite technical. The conference was very interesting and Bertrand found the good mix between high-level concepts and crusty (you said gory ?) details.



Apart from these 2 events, there is more to come as a teacher has just acquired some SunSpots and has started to set up some labs to use these devices. Stay tuned.
About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
16
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today