Foundry ServerIron SSL Troubleshooting

Logon to the serveriron and enter enable mode:

rconsole 1 1

url debug 3 <client ip> #client ip is the address you will initiate the traffic from using browser, etc

Generate traffic # connect to the site through load-balancer address (make a hosts file entry if necessary)

After generating some traffic copy the output from the putty terminal and then turn off debugging with:
url debug 0

rconsole-exit

Review output for errors and send to foundry if necessary

If you see

Error "You are about to be redirected to a connection that is not secure." for pages on your ssl protected sites you may want to try the following:

Create csw rules for Redirects

csw-rule "r6" response-status-code 301 302

csw-rule "r7" response-header "Location" pattern "http://www.sysxperts.com"

Create a csw policy to rewrite the headers so that all redirects are sent via https instead of http

csw-policy "sysxperts-301" type response-rewrite

! matches all status codes 301-302 for redirects

match "r6" response-header-rewrite

! this takes the first four characters (offset 0 length 4 which is http) and replaces them with "https"

match "r7" rewrite response-header-replace "https" offset 0 length 4

Bind the policy to your virtual server

server virtual sysxperts.com

port ssl response-rewrite-policy "sysxperts-301"

Show tech

Rconsole 1 1
show server session
show server debug
show server traffic
show server proxy
wsm show cpu
wsm dm resource
sh ssl key *
sh ssl cert *
sh ssl stat counter
sh ssl stat alert
sh ssl stat crypto
sh ssl stat client
sh socket stat
sh vm mem
sh vm deb
sh cp deb
sh ssl deb
sh tcp buf
sh cp stat
sh vm stat
sh sock list
sh ssl con
rconsole-exit

Foundry ServerIron SSL Certificate Management

After generating CSR on Apache server and obtaining certificate from Verisign use the following procedure to upload certificates and keys to the Foundry and update the configuration.

Make a note of the existing certificates and keys on the Foundry as follows:

logon to each load balancer with putty and perform a sh config

192.168.5.60 and 192.168.5.80 are prod devices

192.168.7.60 and 192.168.7.80 are test devices

sh config

You just need to look at the ssl profile section (see items in bold)

ssl profile www-sysxperts-org2
 keypair-file sysxperts-key2
 certificate-file sysxpertsnew
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining
ssl profile pvalentino
 keypair-file pvalentino-key
 certificate-file pvalentinochain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining

Make a not of the existing keypair-file and certificate-file names because you cannot use the same name when uploading the new certs and keys. Given the output above and the need to install a new cert for www.sysxperts.org:

Logon to apache web server mnsvlwwwp001 as a regular user (uploads will not work as the root user)

cd to the /data/web/certs folder or wherever you stored the keys and certs. The following uploads must be done as a regular user and in the proper order.

scp ./www.sysxperts.org.key pvalentino@192.168.5.60:sslkeypair:sysxperts-key3:sysxperts:pem

scp ./www.sysxperts.org.key pvalentino@192.168.5.80:sslkeypair:sysxperts-key3:sysxperts:pem

scp ./www.sysxperts.org.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem

scp ./www.sysxperts.org.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem

scp ./verisign_inter.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem

scp ./verisign_inter.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem

Verify that the new keys and certs have been uploaded to the Foundry devices as follows:

rconsole 1 1

sh ssl cert *

Output >

pvalentinochain 2944

sysxpertsnew 2826

sysxpertsorg3 2826 # here is the new cert chain

sh ssl key *

Output >

pvalentino-key 1209

sysxperts-key2 1197

sysxperts-key3 1209 # here is the new key

rconsole-exit

After uploading all the keys and certs to both devices and verifying, update the config on both devices as follows:

First unbind the ssl policy

server virtual webprd
 no port ssl ssl-terminate www-sysxperts-org2
ssl profile www-sysxperts-org2
 no certificate-file sysxpertsnew
 no keypair-file sysxperts-key2

Perform a save with:

end

wr mem

Update ssl profile:

conf t

ssl profile www-sysxperts-org2
 keypair-file sysxperts-key3
 certificate-file sysxpertsorg3
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off

enable-certificate-chaining

Bind virtual server to the updated profile:

server virtual webprd
 port ssl ssl-terminate www-sysxperts-org2

Perform a save with:

end

wr mem

Test configuration and burn-in for at least 7 days before cleaning up old certs and keys.

Cleaning up:

rconsole 1 1

sh ssl key *

clear ssl key oldkey #removes named key

sh ssl cert *

clear ssl cert oldcert #removes named cert chain

rconsole-exit

Ctrl-H is the backspace key on the Foundry - you can update putty keyboard properties to use Ctrl-H if you find this as annoying as i do :)

VMWare ISO storage

VMWare ISO storage and mounting

By far the easiest thing to do is make your workstation the iso storage facility, whether you are mapped to a windows network share or using local disk does not matter. Just enable the cdrom as a client device in VMWare vi client under Edit Settings for the Virtual Machine you want to setup. Then restart the Virtual Host, clicking ESC very quickly to get the boot prompt. Then click the CD/DVD button and map it to an ISO by browsing to your network share or local disk and selecting the appropriate ISO file.

sftp to the esx server and cd to /vmimages

mput *.iso # from directory where your iso's are

Go to virtual machine in VMWare and click it

Choose edit settings

Click DVD on the Hardware tab

Select Datastore ISO file radio button and browse to the vmimages folder to locate your iso and make sure connect at power on is selected

you can mount up to 4 ISO's on a single VM at a time

Reboot the virtual machine and hit escape if necessary to get boot prompt and select the CD/DVD device with the iso you would like to boot from

There are three primary options for storing ISO's.

1) Create a ISO directory on one of your VMFS volumes and store them there.

2) Create a samba mount to a Windows Server and store them there.

3) Create a NFS VMFS volume using a Windows Server and store them there.

How do I create a ISO mount point that points to a Windows Server for storing ISO files for my VM’s?

You can create a mount point inside /vmimages so your VM’s can access ISO files when needed. You could just create a directory on your VMFS volume and copy them there but this takes valuable disk space away from the ESX server. You can also use this technique to create other mount points on the ESX server if you need to copy files from a Windows server to or from it for patches and other things.

• First you will have to open the firewall port in ESX by typing in the service console “esxcfg-firewall -e smbClient”. This opens outbound TCP ports 137 – 139 and 445.

• Next make sure the Local Security Policy on the Windows Server you are going to map to has the following settings under Security options. If you do not do this you may get a “Stale NFS Handle” or “Permission denied” error when trying to mount.

o Microsoft network client - digitally sign communications (always) – DISABLED

o Microsoft network client - digitally sign communications (if server agrees) – DISABLED

o Microsoft network server - digitally sign communications (always) – DISABLED

o Microsoft network server - digitally sign communications (if server agrees) – DISABLED

• Next type “cd /vmimages” and then “mkdir ISO”

• Next type “mount -t smbfs -o username=<local windows username> //windows server/share /vmimages/ISO” you can also use a windows domain username by typing “username=<windows domain username>,workgroup=<windows domain name>”

• You will be prompted for a password for the user account you are using.

• You can type “cd /vmimages/ISO” and do “ls” and you should see all your files. You can now map your VM’s CD-ROM using the Datastore ISO file device type and select the /vmimages/ISO folder.

• If you no longer need this mount point you can un-mount it by typing “umount /vmimages/ISO”

• To automatically have your ESX server mount this when it restarts do the following:
o Edit /etc/fstab using Nano or Vi

o Add the following line to the bottom of the file: “//windows server/share /vmimages/ISO smbfs noauto,username=<windows username>,password=<windows username password> 0 0”

o Edit /etc/rc.local using Nano or Vi

o Add the following line to the bottom of the file “mount –a”

How do I create a NFS volume on a Windows Server to use for storing ISO files for my VM’s? – You can do this if you have Windows 2003 Server R2 which has built-in NFS Services

• On the Windows 2003 Server make sure “Microsoft Services for NFS” in installed. If not you need to add it under Add/Remove Programs, Windows Components, Other Network File and Print Services

• Next go to folder you want to share and right-click on it and select Properties

• Click on the NFS Sharing tab and select “Share this Folder”

• Enter a Share Name, check “Anonymous Access” and make sure the UID and GID are both -2

• In VirtualCenter, select your ESX server and click the “Configuration” tab and then select “Storage”

• Click on “Add Storage” and select “Network File System” as the storage type

• Enter the Windows Server name, the folder (share) name and a descriptive Datastore Name

• Once it finishes the configuration you can now map your VM’s CD-ROM devices to this new VMFS volume

man SELinux, semanage, and restorecon

selinux(8) SELinux Command Line documentation selinux(8)

NAME

selinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION

NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi-

ble mandatory access control architecture in the Linux operating sys-

tem. The SELinux architecture provides general support for the

enforcement of many kinds of mandatory access control policies, includ-

ing those based on the concepts of Type Enforcement®, Role- Based

Access Control, and Multi-Level Security. Background information and

technical documentation about SELinux can be found at

http://www.nsa.gov/selinux.

The /etc/selinux/config configuration file controls whether SELinux is

enabled or disabled, and if enabled, whether SELinux operates in per-

missive mode or enforcing mode. The SELINUX variable may be set to any

one of disabled, permissive, or enforcing to select one of these

options. The disabled option completely disables the SELinux kernel

and application code, leaving the system running without any SELinux

protection. The permissive option enables the SELinux code, but causes

it to operate in a mode where accesses that would be denied by policy

are permitted but audited. The enforcing option enables the SELinux

code and causes it to enforce access denials as well as auditing them.

Permissive mode may yield a different set of denials than enforcing

mode, both because enforcing mode will prevent an operation from pro-

ceeding past the first denial and because some application code will

fall back to a less privileged mode of operation if denied access.

The /etc/selinux/config configuration file also controls what policy is

active on the system. SELinux allows for multiple policies to be

installed on the system, but only one policy may be active at any given

time. At present, two kinds of SELinux policy exist: targeted and

strict. The targeted policy is designed as a policy where most pro-

cesses operate without restrictions, and only specific services are

placed into distinct security domains that are confined by the policy.

For example, the user would run in a completely unconfined domain while

the named daemon or apache daemon would run in a specific domain tai-

lored to its operation. The strict policy is designed as a policy

where all processes are partitioned into fine-grained security domains

and confined by policy. It is anticipated in the future that other

policies will be created (Multi-Level Security for example). You can

define which policy you will run by setting the SELINUXTYPE environment

variable within /etc/selinux/config. The corresponding policy configu-

ration for each such policy must be installed in the

/etc/selinux/SELINUXTYPE/ directories.

A given SELinux policy can be customized further based on a set of com-

pile-time tunable options and a set of runtime policy booleans. sys-

tem-config-securitylevel allows customization of these booleans and

tunables.

Many domains that are protected by SELinux also include selinux man

pages explainging how to customize their policy.

FILE LABELING

All files, directories, devices ... have a security context/label asso-

ciated with them. These context are stored in the extended attributes

of the file system. Problems with SELinux often arise from the file

system being mislabeled. This can be caused by booting the machine with

a non selinux kernel. If you see an error message containing file_t,

that is usually a good indicator that you have a serious problem with

file system labeling.

The best way to relabel the file system is to create the flag file

/.autorelabel and reboot. system-config-securitylevel, also has this

capability. The restorcon/fixfiles commands are also available for

relabeling files.

AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

Sed Example

Sed Examples

To prepend a character to the beginning of every line in a file i.e. a ":" for wiki formatting purposes:

sed 's/$.*$/:\1/' filename #to preview what sed will do

sed -i 's/$.*$/:\1/' filename #to commit the change to the file

or add a " to the beginning and end of every line

sed 's/$.*$/"\1"/' filename

sed -i 's/$.*$/"\1"/' filename

To replace /usr/bin with /usr/local/bin in all files ending in .pl use:

for i in *.pl ; do sed s^\/usr\/bin^\/usr\/local\/bin^g < $i > $i.new; done

Now read the files... they should read /usr/local/bin instead of /usr/bin

to remove all instances of /usr from a file

for i in *.pl ; do `sed s^\/usr^^g < $i > $i.new && mv $i.new $i`; done

for i in *.conf; do sed s^webtest^www^g < $i > $i.new;done

-------------------------------------------------------------------------
HANDY ONE-LINERS FOR SED (Unix stream editor)               Apr. 26, 2004
compiled by Eric Pement - pemente[at]northpark[dot]edu        version 5.4
Latest version of this file is usually at:
   http://sed.sourceforge.net/sed1line.txt
   http://www.student.northpark.edu/pemente/sed/sed1line.txt
This file is also available in Portuguese at:
   http://www.lrv.ufsc.br/wmaker/sed_ptBR.html

FILE SPACING:

 # double space a file
 sed G

 # double space a file which already has blank lines in it. Output file
 # should contain no more than one blank line between lines of text.
 sed '/^$/d;G'

 # triple space a file
 sed 'G;G'

 # undo double-spacing (assumes even-numbered lines are always blank)
 sed 'n;d'

 # insert a blank line above every line which matches "regex"
 sed '/regex/{x;p;x;}'

 # insert a blank line below every line which matches "regex"
 sed '/regex/G'

 # insert a blank line above and below every line which matches "regex"
 sed '/regex/{x;p;x;G;}'

NUMBERING:

 # number each line of a file (simple left alignment). Using a tab (see
 # note on '\t' at end of file) instead of space will preserve margins.
 sed = filename | sed 'N;s/\n/\t/'

 # number each line of a file (number on left, right-aligned)
 sed = filename | sed 'N; s/^/     /; s/ *\(.\{6,\}\)\n/\1  /'

 # number each line of file, but only print numbers if line is not blank
 sed '/./=' filename | sed '/./N; s/\n/ /'

 # count lines (emulates "wc -l")
 sed -n '$='

TEXT CONVERSION AND SUBSTITUTION:

 # IN UNIX ENVIRONMENT: convert DOS newlines (CR/LF) to Unix format
 sed 's/.$//'               # assumes that all lines end with CR/LF
 sed 's/^M$//'              # in bash/tcsh, press Ctrl-V then Ctrl-M
 sed 's/\x0D$//'            # gsed 3.02.80, but top script is easier

 # IN UNIX ENVIRONMENT: convert Unix newlines (LF) to DOS format
 sed "s/$/`echo -e \\\r`/"            # command line under ksh
 sed 's/$'"/`echo \\\r`/"             # command line under bash
 sed "s/$/`echo \\\r`/"               # command line under zsh
 sed 's/$/\r/'                        # gsed 3.02.80

 # IN DOS ENVIRONMENT: convert Unix newlines (LF) to DOS format
 sed "s/$//"                          # method 1
 sed -n p                             # method 2

 # IN DOS ENVIRONMENT: convert DOS newlines (CR/LF) to Unix format
 # Can only be done with UnxUtils sed, version 4.0.7 or higher.
 # Cannot be done with other DOS versions of sed. Use "tr" instead.
 sed "s/\r//" infile >outfile         # UnxUtils sed v4.0.7 or higher
 tr -d \r <infile >outfile            # GNU tr version 1.22 or higher

 # delete leading whitespace (spaces, tabs) from front of each line
 # aligns all text flush left
 sed 's/^[ \t]*//'                    # see note on '\t' at end of file

 # delete trailing whitespace (spaces, tabs) from end of each line
 sed 's/[ \t]*$//'                    # see note on '\t' at end of file

 # delete BOTH leading and trailing whitespace from each line
 sed 's/^[ \t]*//;s/[ \t]*$//'

 # insert 5 blank spaces at beginning of each line (make page offset)
 sed 's/^/     /'

 # align all text flush right on a 79-column width
 sed -e :a -e 's/^.\{1,78\}$/ &/;ta'  # set at 78 plus 1 space

 # center all text in the middle of 79-column width. In method 1,
 # spaces at the beginning of the line are significant, and trailing
 # spaces are appended at the end of the line. In method 2, spaces at
 # the beginning of the line are discarded in centering the line, and
 # no trailing spaces appear at the end of lines.
 sed  -e :a -e 's/^.\{1,77\}$/ & /;ta'                     # method 1
 sed  -e :a -e 's/^.\{1,77\}$/ &/;ta' -e 's/\( *\)\1/\1/'  # method 2

 # substitute (find and replace) "foo" with "bar" on each line
 sed 's/foo/bar/'             # replaces only 1st instance in a line
 sed 's/foo/bar/4'            # replaces only 4th instance in a line
 sed 's/foo/bar/g'            # replaces ALL instances in a line
 sed 's/\(.*\)foo\(.*foo\)/\1bar\2/' # replace the next-to-last case
 sed 's/\(.*\)foo/\1bar/'            # replace only the last case

 # substitute "foo" with "bar" ONLY for lines which contain "baz"
 sed '/baz/s/foo/bar/g'

 # substitute "foo" with "bar" EXCEPT for lines which contain "baz"
 sed '/baz/!s/foo/bar/g'

 # change "scarlet" or "ruby" or "puce" to "red"
 sed 's/scarlet/red/g;s/ruby/red/g;s/puce/red/g'   # most seds
 gsed 's/scarlet\|ruby\|puce/red/g'                # GNU sed only

 # reverse order of lines (emulates "tac")
 # bug/feature in HHsed v1.5 causes blank lines to be deleted
 sed '1!G;h;$!d'               # method 1
 sed -n '1!G;h;$p'             # method 2

 # reverse each character on the line (emulates "rev")
 sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//'

 # join pairs of lines side-by-side (like "paste")
 sed '$!N;s/\n/ /'

 # if a line ends with a backslash, append the next line to it
 sed -e :a -e '/\\$/N; s/\\\n//; ta'

 # if a line begins with an equal sign, append it to the previous line
 # and replace the "=" with a single space
 sed -e :a -e '$!N;s/\n=/ /;ta' -e 'P;D'

 # add commas to numeric strings, changing "1234567" to "1,234,567"
 gsed ':a;s/\B[0-9]\{3\}\>/,&/;ta'                     # GNU sed
 sed -e :a -e 's/\(.*[0-9]\)\([0-9]\{3\}\)/\1,\2/;ta'  # other seds

 # add commas to numbers with decimal points and minus signs (GNU sed)
 gsed ':a;s/\(^\|[^0-9.]\)\([0-9]\+\)\([0-9]\{3\}\)/\1\2,\3/g;ta'

 # add a blank line every 5 lines (after lines 5, 10, 15, 20, etc.)
 gsed '0~5G'                  # GNU sed only
 sed 'n;n;n;n;G;'             # other seds

SELECTIVE PRINTING OF CERTAIN LINES:

 # print first 10 lines of file (emulates behavior of "head")
 sed 10q

 # print first line of file (emulates "head -1")
 sed q

 # print the last 10 lines of a file (emulates "tail")
 sed -e :a -e '$q;N;11,$D;ba'

 # print the last 2 lines of a file (emulates "tail -2")
 sed '$!N;$!D'

 # print the last line of a file (emulates "tail -1")
 sed '$!d'                    # method 1
 sed -n '$p'                  # method 2

 # print only lines which match regular expression (emulates "grep")
 sed -n '/regexp/p'           # method 1
 sed '/regexp/!d'             # method 2

 # print only lines which do NOT match regexp (emulates "grep -v")
 sed -n '/regexp/!p'          # method 1, corresponds to above
 sed '/regexp/d'              # method 2, simpler syntax

 # print the line immediately before a regexp, but not the line
 # containing the regexp
 sed -n '/regexp/{g;1!p;};h'

 # print the line immediately after a regexp, but not the line
 # containing the regexp
 sed -n '/regexp/{n;p;}'

 # print 1 line of context before and after regexp, with line number
 # indicating where the regexp occurred (similar to "grep -A1 -B1")
 sed -n -e '/regexp/{=;x;1!p;g;$!N;p;D;}' -e h

 # grep for AAA and BBB and CCC (in any order)
 sed '/AAA/!d; /BBB/!d; /CCC/!d'

 # grep for AAA and BBB and CCC (in that order)
 sed '/AAA.*BBB.*CCC/!d'

 # grep for AAA or BBB or CCC (emulates "egrep")
 sed -e '/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d    # most seds
 gsed '/AAA\|BBB\|CCC/!d'                        # GNU sed only

 # print paragraph if it contains AAA (blank lines separate paragraphs)
 # HHsed v1.5 must insert a 'G;' after 'x;' in the next 3 scripts below
 sed -e '/./{H;$!d;}' -e 'x;/AAA/!d;'

 # print paragraph if it contains AAA and BBB and CCC (in any order)
 sed -e '/./{H;$!d;}' -e 'x;/AAA/!d;/BBB/!d;/CCC/!d'

 # print paragraph if it contains AAA or BBB or CCC
 sed -e '/./{H;$!d;}' -e 'x;/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d
 gsed '/./{H;$!d;};x;/AAA\|BBB\|CCC/b;d'         # GNU sed only

 # print only lines of 65 characters or longer
 sed -n '/^.\{65\}/p'

 # print only lines of less than 65 characters
 sed -n '/^.\{65\}/!p'        # method 1, corresponds to above
 sed '/^.\{65\}/d'            # method 2, simpler syntax

 # print section of file from regular expression to end of file
 sed -n '/regexp/,$p'

 # print section of file based on line numbers (lines 8-12, inclusive)
 sed -n '8,12p'               # method 1
 sed '8,12!d'                 # method 2

 # print line number 52
 sed -n '52p'                 # method 1
 sed '52!d'                   # method 2
 sed '52q;d'                  # method 3, efficient on large files

 # beginning at line 3, print every 7th line
 gsed -n '3~7p'               # GNU sed only
 sed -n '3,${p;n;n;n;n;n;n;}' # other seds

 # print section of file between two regular expressions (inclusive)
 sed -n '/Iowa/,/Montana/p'             # case sensitive

SELECTIVE DELETION OF CERTAIN LINES:

 # print all of file EXCEPT section between 2 regular expressions
 sed '/Iowa/,/Montana/d'

 # delete duplicate, consecutive lines from a file (emulates "uniq").
 # First line in a set of duplicate lines is kept, rest are deleted.
 sed '$!N; /^\(.*\)\n\1$/!P; D'

 # delete duplicate, nonconsecutive lines from a file. Beware not to
 # overflow the buffer size of the hold space, or else use GNU sed.
 sed -n 'G; s/\n/&&/; /^\([ -~]*\n\).*\n\1/d; s/\n//; h; P'

 # delete all lines except duplicate lines (emulates "uniq -d").
 sed '$!N; s/^\(.*\)\n\1$/\1/; t; D'

 # delete the first 10 lines of a file
 sed '1,10d'

 # delete the last line of a file
 sed '$d'

 # delete the last 2 lines of a file
 sed 'N;$!P;$!D;$d'

 # delete the last 10 lines of a file
 sed -e :a -e '$d;N;2,10ba' -e 'P;D'   # method 1
 sed -n -e :a -e '1,10!{P;N;D;};N;ba'  # method 2

 # delete every 8th line
 gsed '0~8d'                           # GNU sed only
 sed 'n;n;n;n;n;n;n;d;'                # other seds

 # delete ALL blank lines from a file (same as "grep '.' ")
 sed '/^$/d'                           # method 1
 sed '/./!d'                           # method 2

 # delete all CONSECUTIVE blank lines from file except the first; also
 # deletes all blank lines from top and end of file (emulates "cat -s")
 sed '/./,/^$/!d'          # method 1, allows 0 blanks at top, 1 at EOF
 sed '/^$/N;/\n$/D'        # method 2, allows 1 blank at top, 0 at EOF

 # delete all CONSECUTIVE blank lines from file except the first 2:
 sed '/^$/N;/\n$/N;//D'

 # delete all leading blank lines at top of file
 sed '/./,$!d'

 # delete all trailing blank lines at end of file
 sed -e :a -e '/^\n*$/{$d;N;ba' -e '}'  # works on all seds
 sed -e :a -e '/^\n*$/N;/\n$/ba'        # ditto, except for gsed 3.02*

 # delete the last line of each paragraph
 sed -n '/^$/{p;h;};/./{x;/./p;}'

SPECIAL APPLICATIONS:

 # remove nroff overstrikes (char, backspace) from man pages. The 'echo'
 # command may need an -e switch if you use Unix System V or bash shell.
 sed "s/.`echo \\\b`//g"    # double quotes required for Unix environment
 sed 's/.^H//g'             # in bash/tcsh, press Ctrl-V and then Ctrl-H
 sed 's/.\x08//g'           # hex expression for sed v1.5

 # get Usenet/e-mail message header
 sed '/^$/q'                # deletes everything after first blank line

 # get Usenet/e-mail message body
 sed '1,/^$/d'              # deletes everything up to first blank line

 # get Subject header, but remove initial "Subject: " portion
 sed '/^Subject: */!d; s///;q'

 # get return address header
 sed '/^Reply-To:/q; /^From:/h; /./d;g;q'

 # parse out the address proper. Pulls out the e-mail address by itself
 # from the 1-line return address header (see preceding script)
 sed 's/ *(.*)//; s/>.*//; s/.*[:<] *//'

 # add a leading angle bracket and space to each line (quote a message)
 sed 's/^/> /'

 # delete leading angle bracket & space from each line (unquote a message)
 sed 's/^> //'

 # remove most HTML tags (accommodates multiple-line tags)
 sed -e :a -e 's/<[^>]*>//g;/</N;//ba'

 # extract multi-part uuencoded binaries, removing extraneous header
 # info, so that only the uuencoded portion remains. Files passed to
 # sed must be passed in the proper order. Version 1 can be entered
 # from the command line; version 2 can be made into an executable
 # Unix shell script. (Modified from a script by Rahul Dhesi.)
 sed '/^end/,/^begin/d' file1 file2 ... fileX | uudecode   # vers. 1
 sed '/^end/,/^begin/d' "$@" | uudecode                    # vers. 2

 # zip up each .TXT file individually, deleting the source file and
 # setting the name of each .ZIP file to the basename of the .TXT file
 # (under DOS: the "dir /b" switch returns bare filenames in all caps).
 echo @echo off >zipup.bat
 dir /b *.txt | sed "s/^\(.*\)\.TXT/pkzip -mo \1 \1.TXT/" >>zipup.bat

TYPICAL USE: Sed takes one or more editing commands and applies all of
them, in sequence, to each line of input. After all the commands have
been applied to the first input line, that line is output and a second
input line is taken for processing, and the cycle repeats. The
preceding examples assume that input comes from the standard input
device (i.e, the console, normally this will be piped input). One or
more filenames can be appended to the command line if the input does
not come from stdin. Output is sent to stdout (the screen). Thus:

 cat filename | sed '10q'        # uses piped input
 sed '10q' filename              # same effect, avoids a useless "cat"
 sed '10q' filename > newfile    # redirects output to disk

For additional syntax instructions, including the way to apply editing
commands from a disk file instead of the command line, consult "sed &
awk, 2nd Edition," by Dale Dougherty and Arnold Robbins (O'Reilly,
1997; http://www.ora.com), "UNIX Text Processing," by Dale Dougherty
and Tim O'Reilly (Hayden Books, 1987) or the tutorials by Mike Arst
distributed in U-SEDIT2.ZIP (many sites). To fully exploit the power
of sed, one must understand "regular expressions." For this, see
"Mastering Regular Expressions" by Jeffrey Friedl (O'Reilly, 1997).
The manual ("man") pages on Unix systems may be helpful (try "man
sed", "man regexp", or the subsection on regular expressions in "man
ed"), but man pages are notoriously difficult. They are not written to
teach sed use or regexps to first-time users, but as a reference text
for those already acquainted with these tools.

QUOTING SYNTAX: The preceding examples use single quotes ('...')
instead of double quotes ("...") to enclose editing commands, since
sed is typically used on a Unix platform. Single quotes prevent the
Unix shell from intrepreting the dollar sign ($) and backquotes
(`...`), which are expanded by the shell if they are enclosed in
double quotes. Users of the "csh" shell and derivatives will also need
to quote the exclamation mark (!) with the backslash (i.e., \!) to
properly run the examples listed above, even within single quotes.
Versions of sed written for DOS invariably require double quotes
("...") instead of single quotes to enclose editing commands.

USE OF '\t' IN SED SCRIPTS: For clarity in documentation, we have used
the expression '\t' to indicate a tab character (0x09) in the scripts.
However, most versions of sed do not recognize the '\t' abbreviation,
so when typing these scripts from the command line, you should press
the TAB key instead. '\t' is supported as a regular expression
metacharacter in awk, perl, and HHsed, sedmod, and GNU sed v3.02.80.

VERSIONS OF SED: Versions of sed do differ, and some slight syntax
variation is to be expected. In particular, most do not support the
use of labels (:name) or branch instructions (b,t) within editing
commands, except at the end of those commands. We have used the syntax
which will be portable to most users of sed, even though the popular
GNU versions of sed allow a more succinct syntax. When the reader sees
a fairly long command such as this:

   sed -e '/AAA/b' -e '/BBB/b' -e '/CCC/b' -e d

it is heartening to know that GNU sed will let you reduce it to:

   sed '/AAA/b;/BBB/b;/CCC/b;d'      # or even
   sed '/AAA\|BBB\|CCC/b;d'

In addition, remember that while many versions of sed accept a command
like "/one/ s/RE1/RE2/", some do NOT allow "/one/! s/RE1/RE2/", which
contains space before the 's'. Omit the space when typing the command.

OPTIMIZING FOR SPEED: If execution speed needs to be increased (due to
large input files or slow processors or hard disks), substitution will
be executed more quickly if the "find" expression is specified before
giving the "s/.../.../" instruction. Thus:

   sed 's/foo/bar/g' filename         # standard replace command
   sed '/foo/ s/foo/bar/g' filename   # executes more quickly
   sed '/foo/ s//bar/g' filename      # shorthand sed syntax

On line selection or deletion in which you only need to output lines
from the first part of the file, a "quit" command (q) in the script
will drastically reduce processing time for large files. Thus:

   sed -n '45,50p' filename           # print line nos. 45-50 of a file
   sed -n '51q;45,50p' filename       # same, but executes much faster


 
-------------------------------------------------------------------------

Foundry ServerIron 4G-SSL config

!Using 8832 out of 393214 bytes

ver 10.1.00TI2

trunk switch ethe 3 to 4

ssl profile workplace-ssh

keypair-file workplace-key

certificate-file workplacechain

cipher-suite all-cipher-suites

disable-ssl-v2

session-cache off

ssl profile corp1-ssl

keypair-file corp1-key

certificate-file corp1chain

cipher-suite all-cipher-suites

disable-ssl-v2

session-cache off

ssl profile groupware

keypair-file groupware-key

certificate-file groupwarechain

cipher-suite all-cipher-suites

disable-ssl-v2

session-cache off

server backup ethe 3 0012.f27c.5400 vlan-id 100

server no-graceful-shutdown

server port 80

tcp

udp

server port 8080

tcp

server port 8081

tcp

server port 8083

tcp

server port 8084

tcp

server port 8085

tcp

server port 8087

tcp

server port 8089

tcp

server port 8090

tcp

server port 8086

tcp

server port 8082

tcp

server port 8088

tcp

server port 8092

tcp

server port 8093

tcp

server port 8094

tcp

server port 81

tcp

tcp keepalive use-master-state

server port 82

tcp

tcp keepalive use-master-state

server source-nat-ip 192.168.5.62 255.255.255.0 192.168.5.1 port-range 2

server source-nat-ip 192.168.5.63 255.255.255.0 192.168.5.1 port-range 2 for-ssl

server source-nat-ip 192.168.5.64 255.255.255.0 192.168.5.1 port-range 2 for-ssl

csw-rule "r1" url prefix "html"

csw-rule "r15" url prefix "/sales"

csw-rule "r17" url prefix "/PVWeb"

csw-rule "r2" header "Host" pattern "webtest.corp1.com"

csw-rule "r21" url prefix "/finance"

csw-rule "r25" url prefix "/edocs"

csw-rule "r3" header "Host" pattern "webtest.corp1groupware.com"

csw-rule "r30" url prefix "/acctg"

csw-rule "r35" url prefix "/eforms"

csw-rule "r45" url prefix "/custdb"

csw-rule "r50" url prefix "/estatement"

csw-rule "r55" url prefix "/ecosts"

csw-rule "r60" url prefix "/ereports"

csw-rule "r65" url prefix "/ebenefits"

csw-rule "r70" url prefix "/elabels"

csw-rule "r75" url prefix "/etraining"

csw-rule "r80" url prefix "/eordering"

csw-policy "app-forward"

match "r15" forward 11

match "r25" forward 25

match "r21" forward 21

match "r30" forward 30

match "r35" forward 35

match "r45" forward 45

match "r50" forward 50

match "r55" forward 55

match "r60" forward 60

match "r65" forward 65

match "r70" forward 70

match "r75" forward 75

match "r80" forward 80

match "r2" forward 2

match "r3" forward 3

default forward 2

csw-policy "redirect"

match "r15" redirect "*" "*" ssl

match "r17" redirect "PVweb.corp1.com" "*" ssl

match "r25" redirect "*" "*" ssl

match "r21" redirect "*" "*" ssl

match "r30" redirect "*" "*" ssl

match "r35" redirect "*" "*" ssl

match "r45" redirect "*" "*" ssl

match "r50" redirect "*" "*" ssl

match "r55" redirect "*" "*" ssl

match "r1" forward 1218

match "r1" rewrite request-insert client-ip

match "r60" redirect "*" "*" ssl

match "r65" redirect "*" "*" ssl

match "r70" redirect "*" "*" ssl

match "r75" redirect "*" "*" ssl

match "r80" redirect "*" "*" ssl

default forward 1

default rewrite request-insert client-ip

server real pvwwwt001 192.168.5.40

source-nat

port http

port http keepalive

port http url "HEAD /"

port http server-id 1218

port http group-id 1 1

port 8080

port 8080 keepalive

port 8080 group-id 11 11

port 8080 url "GET /sales/includes/isalive.html"

port 8081

port 8081 keepalive

port 8081 group-id 21 21

port 8081 url "GET /finance/isalive.html"

port 8082

port 8082 keepalive

port 8082 group-id 25 25

port 8082 url "GET /edocs/isalive.html"

port 8083

port 8083 keepalive

port 8083 group-id 30 30

port 8083 url "GET /acctg/isalive.html"

port 8084

port 8084 keepalive

port 8084 group-id 35 35

port 8084 url "GET /eforms/isalive.html"

port 8086

port 8086 keepalive

port 8086 group-id 45 45

port 8086 url "GET /custdb/isalive.html"

port 8087

port 8087 keepalive

port 8087 group-id 50 50

port 8087 url "GET /estatement/isalive.html"

port 8088

port 8088 keepalive

port 8088 group-id 55 55

port 8088 url "GET /ecosts/isalive.html"

port 8089

port 8089 keepalive

port 8089 group-id 60 60

port 8089 url "GET /ereports/isalive.htm"

port 8092

port 8092 keepalive

port 8092 group-id 65 65

port 8092 url "GET /ebenefits/"

port 8090

port 8090 keepalive

port 8090 group-id 70 70

port 8090 url "GET /elabels/"

port 8094

port 8094 keepalive

port 8094 group-id 80 80

port 8094 url "GET /eordering/isalive.html"

port 81

port 81 group-id 2 2

server real pvwwwt003 192.168.5.50

source-nat

port http

port http keepalive

port http url "HEAD /"

port http server-id 1211

port http group-id 1 1

port 8080

port 8080 keepalive

port 8080 group-id 11 11

port 8080 url "GET /sales/includes/isalive.html"

port 8082

port 8082 keepalive

port 8082 group-id 25 25

port 8082 url "GET /edocs/isalive.html"

port 8081

port 8081 keepalive

port 8081 group-id 21 21

port 8081 url "GET /finance/isalive.html"

port 8083

port 8083 keepalive

port 8083 group-id 30 30

port 8083 url "GET /acctg/isalive.html"

port 8084

port 8084 keepalive

port 8084 group-id 35 35

port 8084 url "GET /eforms/isalive.html"

port 8086

port 8086 keepalive

port 8086 group-id 45 45

port 8086 url "GET /custdb/isalive.html"

port 8087

port 8087 keepalive

port 8087 group-id 50 50

port 8087 url "GET /estatement/isalive.html"

port 8088

port 8088 keepalive

port 8088 group-id 55 55

port 8088 url "GET /ecosts/isalive.html"

port 8089

port 8089 keepalive

port 8089 group-id 60 60

port 8089 url "GET /ereports/isalive.htm"

port 8092

port 8092 keepalive

port 8092 group-id 65 65

port 8092 url "GET /ebenefits/"

port 8090

port 8090 keepalive

port 8090 group-id 70 70

port 8090 url "GET /elabels/"

port 8094

port 8094 keepalive

port 8094 group-id 80 80

port 8094 url "GET /eordering/isalive.html"

port 81

port 81 group-id 2 2

server remote-name pvwwwt002 192.168.4.70

source-nat

port http

port http keepalive

port http url "GET /"

server remote-name pvwwwt004 192.168.4.71

source-nat

port http

port http keepalive

port http url "GET /"

server real t001-groupware 192.168.5.101

source-nat

port http

port http keepalive

port http url "HEAD /"

port http group-id 1 1

port 8093

port 8093 keepalive

port 8093 group-id 75 75

port 8093 url "GET /etraining/isalive.html"

port 82

port 82 group-id 3 3

server real t003-groupware 192.168.5.102

source-nat

port http

port http keepalive

port http url "HEAD /"

port http group-id 1 1

port 8093

port 8093 keepalive

port 8093 group-id 75 75

port 8093 url "GET /etraining/isalive.html"

port 82

port 82 group-id 3 3

server virtual webtest1 192.168.5.61

port default sticky

port http

port http cookie-name "ServerID"

port http csw-policy "redirect"

port http csw

port http request-insert client-ip "X-Forwarded-For"

port ssl sticky

port ssl ssl-terminate corp1-ssl

port ssl csw-policy "app-forward"

port ssl csw

bind http pvwwwt001 http pvwwwt003 http

bind ssl pvwwwt001 81 real-port http pvwwwt003 81 real-port http pvwwwt001 8080 pvwwwt003 8080

bind ssl pvwwwt001 8081 pvwwwt003 8081 pvwwwt001 8082 pvwwwt003 8082

bind ssl pvwwwt001 8083 pvwwwt003 8083 pvwwwt001 8084 pvwwwt001 8087

bind ssl pvwwwt003 8087 pvwwwt001 8088 pvwwwt003 8088 pvwwwt003 8084

bind ssl pvwwwt001 8086 pvwwwt003 8086 pvwwwt001 8089 pvwwwt003 8089

bind ssl pvwwwt001 8092 pvwwwt003 8092 pvwwwt001 8090 pvwwwt003 8090

bind ssl pvwwwt001 8094 pvwwwt003 8094

server virtual salestest 192.168.5.67

port default sticky

port http

bind http pvwwwt002 http pvwwwt004 http

server virtual groupware 192.168.5.100

port default sticky

port http

port http cookie-name "ServerID"

port http csw-policy "redirect"

port http csw

port http request-insert client-ip "X-Forwarded-For"

port ssl sticky

port ssl ssl-terminate groupware

port ssl csw-policy "app-forward"

port ssl csw

bind http t001-groupware http t003-groupware http

bind ssl t001-groupware 8093 t003-groupware 8093 t001-groupware 82 real-port http t003-groupware 82 real-port http

vlan 1 name DEFAULT-VLAN by port

no spanning-tree

vlan 100 name HOT-SYNC by port

untagged ethe 3 to 4

no spanning-tree

aaa authentication web-server default local

aaa authentication login default local

no enable aaa console

hostname foundry1

ip address 192.168.5.60 255.255.255.0

ip default-gateway 192.168.5.1

ip dns domain-name corp1.com

ip dns server-address 192.168.1.11 192.168.1.10

logging buffered 1000

telnet server

snmp-server

clock summer-time

clock timezone us Central

web-management

ip ssh idle-time 240

end

SSH Service Accounts

On RedHat version 5 and above there is an ssh-copy-id utility that may be used; however, for lower revisions you will need to copy the following script to /usr/bin/ssh-copy-id and make it executable before following the remainder of the steps.

#!/bin/sh
# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/identity.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*.pub" ; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift         # and this should leave $1 as the target name
  fi
 else
  if [ x$SSH_AUTH_SOCK != x ] ; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi
 
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
   GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
fi

{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF

Logon as or create the service account on all machines required:

useradd -u 199 -s /bin/false serviceacct

echo password1 | passwd --stdin servicacct

Create your DSA key pair:

ssh-keygen -t dsa

Don't enter a password, just hit Enter key three times in quick succession.

Copy your new public ID to all the servers:

logon or su to the service account and run...

ssh-copy-id -i ~/.ssh/id_dsa.pub remoteservername

For bi-directional connectivity repeat the procedure on the remote server pointing back to the original.

My Tech Notes and Stuff

Foundry ServerIron SSL Troubleshooting

Foundry ServerIron SSL Troubleshooting

Foundry ServerIron SSL Certificate Management

Foundry ServerIron SSL Certificate Management

After generating CSR on Apache server and obtaining certificate from Verisign use the following procedure to upload certificates and keys to the Foundry and update the configuration.

VMWare ISO storage

man SELinux, semanage, and restorecon

Sed Example

SSH Service Accounts

Facebook Badge

Please donate to vCommunity Trust Inc. Today

Paul & Amy Valentino

Great Strides for Cystic Fibrosis

Blog Archive

Thaddeus Hogan's Musings

Master Apache 2 Certification

Master 2003 Server Admin

Brainbench Cisco Cert

Brainbench Unix Programming

About Me

My Brainbench Transcript

My Tech Notes and Stuff

Foundry ServerIron SSL Troubleshooting

Foundry ServerIron SSL Troubleshooting

Foundry ServerIron SSL Certificate Management

Foundry ServerIron SSL Certificate Management

After generating CSR on Apache server and obtaining certificate from Verisign use the following procedure to upload certificates and keys to the Foundry and update the configuration.

VMWare ISO storage

man SELinux, semanage, and restorecon

Sed Example

SSH Service Accounts

Facebook Badge

Please donate to vCommunity Trust Inc. Today

Subscribe To My Tech Notes

Paul & Amy Valentino

Great Strides for Cystic Fibrosis

Blog Archive

Thaddeus Hogan's Musings

Master Apache 2 Certification

Master 2003 Server Admin

Brainbench Cisco Cert

Brainbench Unix Programming

About Me

My Brainbench Transcript