
JBoss EAP 6/7 - vault: password encryption

 

1. Create a directory to store the keystore/vault files

web1]$ mkdir -p $JBOSS_HOME/vault

 

2. Run keystore.sh to create the keystore

- See Script 1, keystore.sh (at the bottom)

web1]$ ./keystore.sh [aliasname] [storepass] [keypass] [validity(in day)]

 

3. Run vault.sh to create the vault

- See Script 2, vault.sh (at the bottom)

web1]$ ./vault.sh [aliasname] [storepass] [password]

 

4. Register the printed result in standalone.xml / host-slave.xml / domain.xml

 

Please make note of the following:

********************************************

Vault Block:vb

Attribute Name:password

Configuration should be done as follows:

VAULT::vb::password::1

********************************************

WFLYSEC0048: Vault Configuration in WildFly configuration file:

********************************************

...

</extensions>

<vault>

  <vault-option name="KEYSTORE_URL" value="$JBOSS_HOME/vault/vault.keystore"/>

  <vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>

  <vault-option name="KEYSTORE_ALIAS" value="vault"/>

  <vault-option name="SALT" value="1234abcd"/>

  <vault-option name="ITERATION_COUNT" value="120"/>

  <vault-option name="ENC_FILE_DIR" value="$JBOSS_HOME/vault/"/>

</vault>

<management>

...

********************************************

 

4.1. standalone mode

web1]$ vi standalone.xml

...

</extensions>

<vault>

 

<vault-option name="KEYSTORE_URL" value="$JBOSS_HOME/vault/vault.keystore"/>

<vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>

<vault-option name="KEYSTORE_ALIAS" value="vault"/>

<vault-option name="SALT" value="1234abcd"/>

<vault-option name="ITERATION_COUNT" value="120"/>

<vault-option name="ENC_FILE_DIR" value="$JBOSS_HOME/vault/"/>

 

</vault>

<management>

...

 

 

<datasource pool-name="OracleDS" ...>

<security>

<user-name>jboss</user-name>

<password>${VAULT::vb::password::1}</password>

</security>

</datasource>

 

 

4.2. domain mode

web1]$ vi host-slave.xml

...

</extensions>

<vault>

 

<vault-option name="KEYSTORE_URL" value="$JBOSS_HOME/vault/vault.keystore"/>

<vault-option name="KEYSTORE_PASSWORD" value="MASK-5dOaAVafCSd"/>

<vault-option name="KEYSTORE_ALIAS" value="vault"/>

<vault-option name="SALT" value="1234abcd"/>

<vault-option name="ITERATION_COUNT" value="120"/>

<vault-option name="ENC_FILE_DIR" value="$JBOSS_HOME/vault/"/>

 

</vault>

<management>

...

 

web1]$ vi domain.xml

<datasource pool-name="OracleDS" ...>

<security>

<user-name>jboss</user-name>

<password>${VAULT::vb::password::1}</password>

</security>

</datasource>

 

5. Restart

 

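# Script 1. keystore.sh

#!/bin/sh
# Creates the JCEKS keystore that holds the AES secret key used by the vault.
# The passwords are passed as arguments, so they are visible in the process
# list and in the shell history.
. ./env.sh

if [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ]
then
    "$JAVA_HOME/bin/keytool" -genseckey -alias "$1" -storetype jceks -keyalg AES -keysize 128 -storepass "$2" -keypass "$3" -validity "$4" -keystore "$JBOSS_HOME/vault/vault.keystore"
    echo "Check: $JBOSS_HOME/vault/vault.keystore"
    exit
fi

# Not all four arguments were given: print the usage and fail.
echo "./keystore.sh [aliasname] [storepass] [keypass] [validity(in day)]"
exit 1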

 

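# Script 2. vault.sh

#!/bin/sh
# Stores the secret ($3) in vault block "vb" under the attribute "password".
. ./env.sh

if [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]
then
    # --enc-dir, --iteration and --salt must match ENC_FILE_DIR, ITERATION_COUNT
    # and SALT in the <vault> configuration.
    "$JBOSS_HOME/bin/vault.sh" --keystore "$JBOSS_HOME/vault/vault.keystore" --alias "$1" --keystore-password "$2" --vault-block vb --attribute password --sec-attr "$3" --enc-dir "$JBOSS_HOME/vault/" --iteration 120 --salt 1234abcd
    echo "Check: $JBOSS_HOME/vault/VAULT.dat"
    exit
fi

# Not all three arguments were given: print the usage and fail.
echo "./vault.sh [aliasname] [storepass] [password]"
exit 1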

 

 

 


# module.xml

<module xmlns="urn:jboss:module:1.0" name="com.mysql">

<resources>

<resource-root path="mysql-connector-java-5.1.32-bin.jar"/>

</resources>

<dependencies>

<module name="javax.api"/>

</dependencies>

</module>

 

# drivers

<driver name="mysql" module="com.mysql">

<driver-class>com.mysql.jdbc.Driver</driver-class>

</driver>

 

# mysql datasource

<datasource jta="false" jndi-name="java:/mysqlJNDI" pool-name="mysqlDS" enabled="true" use-ccm="false">

<connection-url>jdbc:mysql://xxx.xxx.xxx.xxx:3306/mysql</connection-url>

<driver-class>com.mysql.jdbc.Driver</driver-class>

<driver>mysql</driver>

<pool>

<min-pool-size>2</min-pool-size>

<max-pool-size>5</max-pool-size>

<prefill>true</prefill>

</pool>

<security>

<user-name>jboss</user-name>

<password>jboss</password>

</security>

</datasource>

 

<security>

<security-domain>encds</security-domain>

</security>

 

<security-domain name="encds" cache-type="default">

<authentication>

<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">

<module-option name="username" value="username"/>

<module-option name="password" value="enc_pwd"/>

<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM"/>

</login-module>

</authentication>

</security-domain>
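The following added example (not part of the original post) checks a JBoss configuration file for `<password>` elements that still hold a literal value instead of a `${VAULT::...}` reference, as in the vault steps and the MySQL datasource above, and lists vault files that group or others can read. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the original post; function names are hypothetical.

# Print "FILE:LINE" for each <password> element whose value is not a
# ${VAULT::block::attribute::key} reference. The value itself is never printed.
find_plaintext_passwords() {
    awk '
        match($0, /<password>[^<]*<\/password>/) {
            # 10 = length of "<password>", 21 = both tags together
            val = substr($0, RSTART + 10, RLENGTH - 21)
            n = split(val, part, "::")
            ok = (n == 4 && index(val, "${VAULT::") == 1 && substr(val, length(val)) == "}")
            if (!ok) print FILENAME ":" FNR
        }' "$1"
}

# Print files under the vault directory that group or others can read.
loose_vault_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Constructed sample: one vaulted and one plaintext datasource password,
# plus a vault directory with one over-permissive file.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/standalone.xml" <<'EOF'
<datasource pool-name="OracleDS">
<security><user-name>jboss</user-name>
<password>${VAULT::vb::password::1}</password>
</security></datasource>
<datasource pool-name="mysqlDS">
<security><user-name>jboss</user-name>
<password>jboss</password>
</security></datasource>
EOF
    mkdir "$tmp/vault"
    : > "$tmp/vault/vault.keystore"; chmod 644 "$tmp/vault/vault.keystore"
    : > "$tmp/vault/VAULT.dat"; chmod 600 "$tmp/vault/VAULT.dat"
    find_plaintext_passwords "$tmp/standalone.xml"
    loose_vault_files "$tmp/vault"
    rm -rf "$tmp"
}
demo
```
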

 

 


<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" instance-id="${jboss.jvmRoute}" native="false">

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>

    <virtual-server name="default-host" enable-welcome-root="false">

        <alias name="localhost"/>

        <alias name="000.ktis.co.kr"/>

        <!-- before: <access-log pattern="%a %t %H %p %U %s "> -->
        <access-log pattern="%h %l %u %t %r %s %b %{Referer}i %{User-Agent}i %S %T">

            <directory path="access"/>

        </access-log>

    </virtual-server>

</subsystem>

 


Use this when changing the log path - env.sh

If not specified, the default path is used - ${jboss.server.base.dir}/log

export JAVA_OPTS="$JAVA_OPTS -Djboss.server.log.dir=/logs/server-group/server11"

 

access log configuration - standalone.xml

<subsystem xmlns="urn:jboss:domain:undertow:3.1" instance-id="${jboss.server.name}">

<buffer-cache name="default"/>

<server name="default-server">

  <ajp-listener name="ajp" socket-binding="ajp"/>

  <http-listener name="default" socket-binding="http" redirect-socket="https"/>

  <host name="default-host" alias="localhost">

   <location name="/" handler="welcome-content"/>

   <!-- combined -->

   <access-log prefix="access." directory="${jboss.server.log.dir}/access" pattern="%h %l %u %t %r %s %b %{i,Referer} %{i,User-Agent} %s %T"/>

   <filter-ref name="server-header"/>

   <filter-ref name="x-powered-by-header"/>

  </host>

</server>

...

</subsystem>

 


] vi ${CATALINA_BASE}/bin/catalina.sh

> JAVA_OPTS="-Dfile.encoding=UTF-8"

 


Tomcat7 log types

  • catalina.yyyy-mm-dd

  • catalina.out

  • host-manager.yyyy-mm-dd.log

  • loccal

Log levels

  • ALL

  • FINEST : 300

  • FINER  : 400

  • FINE   : 500

  • CONFIG : 700

  • INFO   : 800

  • WARNING: 900

  • SEVERE : 1000

  • OFF

  • Configuration example:

1catalina.org.apache.juli.FileHandler.level = FINE

1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs

1catalina.org.apache.juli.FileHandler.prefix = catalina.

 

catalina.out rotation

org.apache.catalina.startup.Bootstrap "$@" start \
2>&1 | /usr/sbin/rotatelogs "$CATALINA_BASE"/logs/catalina.out.%Y-%m-%d 86400 540 &

 

 

 


bin/service.bat install


https://github.com/ran-jit/tomcat-cluster-redis-session-manager

 

tomcat/lib

commons-logging-1.2.jar

commons-pool2-2.4.2.jar

jedis-2.9.0.jar

tomcat-cluster-redis-session-manager-3.0.1.jar

 

tomcat/conf/redis-data-cache.properties

 

tomcat/conf/context.xml

<Valve className="tomcat.request.session.redis.SessionHandlerValve" />

<Manager className="tomcat.request.session.redis.SessionManager" />


cd /etc/logrotate.d

vi tomcat

 

/data/tomcat8.5/logs/catalina.out {

    copytruncate

    daily

    compress

    dateext

    missingok

    notifempty

}

 

crontab -e

0 0 * * * /usr/sbin/logrotate -f /etc/logrotate.conf

 


1. Find the thread ID

Command: ps -mp <WLS_PID> -o THREAD

Result:

    USER      PID     PPID        TID ST  CP PRI SC    WCHAN        F     TT      BND            COMMAND

weblogic  8454362 10617008          -  A   7   1  6        0      259      -   242001      -   - /usr/java6_64/bin/java ...

       -        -        -   88080521  S   0  82  1        -   418400      -        -           -

       -        -        -   88146055  S   0  82  1        -   418400      -        -           -

       -        -        -   88277129  R   68 82  0        -   400000      -        -           - => the problematic thread

 

2. Convert the thread ID to hexadecimal

Convert the TID value from decimal to hexadecimal

88277129 => 5430089

 

3. Find the thread in the thread dump using the hexadecimal thread ID

3XMTHREADINFO      Anonymous native thread

3XMTHREADINFO1            (native thread ID:0x5430089, native priority: 0x0, native policy:UNKNOWN)

3XMTHREADINFO3           Native callstack:

4XENATIVESTACK               (0x0900000001ACFF84 [libj9prt24.so+0x9f84])

4XENATIVESTACK               (0x0900000001B63FE0 [libj9dmp24.so+0x11fe0])

4XENATIVESTACK               (0x0900000001AC7F94 [libj9prt24.so+0x1f94])

4XENATIVESTACK               (0x0900000001B61C78 [libj9dmp24.so+0xfc78])

4XENATIVESTACK               (0x0900000001B601A8 [libj9dmp24.so+0xe1a8])

4XENATIVESTACK               (0x0900000001AC7F94 [libj9prt24.so+0x1f94])

4XENATIVESTACK               (0x0900000001B5FDA4 [libj9dmp24.so+0xdda4])

4XENATIVESTACK               (0x0900000001B66758 [libj9dmp24.so+0x14758])

4XENATIVESTACK               (0x0900000001B54488 [libj9dmp24.so+0x2488])

4XENATIVESTACK               (0x0900000001B5867C [libj9dmp24.so+0x667c])

4XENATIVESTACK               (0x0900000001AC7F94 [libj9prt24.so+0x1f94])

4XENATIVESTACK               (0x0900000001B58620 [libj9dmp24.so+0x6620])

4XENATIVESTACK               (0x0900000001B583D4 [libj9dmp24.so+0x63d4])

4XENATIVESTACK               (0x0900000001B74F24 [libj9dmp24.so+0x22f24])

4XENATIVESTACK               (0x09000000023FB6F4 [libjclscar_24.so+0x1b6f4])

4XENATIVESTACK               (0x0900000001AC7F94 [libj9prt24.so+0x1f94])

4XENATIVESTACK               (0x09000000023FB558 [libjclscar_24.so+0x1b558])

4XENATIVESTACK               (0x0900000001AC8F30 [libj9prt24.so+0x2f30])

4XENATIVESTACK               (0x0900000001AB3C70 [libj9thr24.so+0x1c70])

4XENATIVESTACK               _pthread_body+0xf0 (0x09000000012CCD34 [libpthreads.a+0x3d34])

 

4. Check the stack trace of the thread found with that thread ID
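Steps 1 to 3 as an added shell example (not part of the original post): it picks the thread row with the highest CP value from the `ps` output, converts its TID to hexadecimal, and prints the matching thread block from the javacore. The function names and the sample data are constructed for illustration, and the block boundaries (a `3XMTHREADINFO` line up to the next `NULL` line) are an assumption about the javacore layout.

```shell
# Added example, not from the original post; function names are hypothetical.

# stdin: `ps -mp <PID> -o THREAD` output. Prints the TID with the highest CP.
# Thread rows have "-" in the USER column, so the process row is skipped.
hottest_tid() {
    awk 'BEGIN { max = -1 }
         $1 == "-" && $4 ~ /^[0-9]+$/ && $6 + 0 > max { max = $6 + 0; tid = $4 }
         END { if (tid != "") print tid }'
}

# Decimal TID -> hex form written in the javacore (native thread ID:0x...).
tid_to_hex() { printf '0x%X\n' "$1"; }

# Print the javacore thread block (3XMTHREADINFO line up to the next NULL
# line) whose native thread ID equals decimal TID $1. $2 = javacore file.
thread_block() {
    awk -v tid="$1" '
        BEGIN { needle = toupper(sprintf("native thread ID:0x%x,", tid)) }
        /^3XMTHREADINFO[ \t]/ || /^NULL/ {
            if (hit) printf "%s", buf
            buf = ""; hit = 0; inblk = ($0 !~ /^NULL/)
        }
        inblk { buf = buf $0 "\n" }
        inblk && index(toupper($0), needle) { hit = 1 }
        END { if (hit) printf "%s", buf }' "$2"
}

# Constructed sample data modelled on the output shown in the post.
demo() {
    ps_out='    USER      PID     PPID        TID ST  CP PRI SC
weblogic  8454362 10617008          -  A   7   1  6
       -        -        -   88080521  S   0  82  1
       -        -        -   88277129  R   68 82  0'
    core=$(mktemp) || return 1
    cat > "$core" <<'EOF'
3XMTHREADINFO      Anonymous native thread
3XMTHREADINFO1            (native thread ID:0x5400089, native priority: 0x0, native policy:UNKNOWN)
NULL
3XMTHREADINFO      Anonymous native thread
3XMTHREADINFO1            (native thread ID:0x5430089, native priority: 0x0, native policy:UNKNOWN)
4XENATIVESTACK               (0x0900000001ACFF84 [libj9prt24.so+0x9f84])
NULL
EOF
    tid=$(printf '%s\n' "$ps_out" | hottest_tid)
    tid_to_hex "$tid"
    thread_block "$tid" "$core"
    rm -f "$core"
}
demo
```
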
