How to do a HTTP request from terminal

A quick tip for use in terminal:

# print string auth 
echo -n "dummyuser:MyPassword" | base64

# Unix terminal (basic auth, doing http request with GET method)

curl -X GET \
  -H "Content-Type: text/xml" \
  -H "Authorization: Basic ZHVtbXl1c2VyOk15UGFzc3dvcmQ=" \
  "http://dummyserver:5000/dir/wsdl?p=ic/6e7abd99891231jij123ndb769978566c470"


# Unix terminal (basic auth, doing http request with POST method to send payload from file)

curl -X POST \
  -H "Content-Type: application/soap+xml" \
  -H "Authorization: Basic ZHVtbXl1c2VyOk15UGFzc3dvcmQ=" \
  -d @./request.xml \
  "https://dummyserver:50001/XISOAPAdapter/MessageServlet?senderParty=&senderService=SYS_LEGACY&receiverParty=&receiverService=&interface=BookingFlight_Out&interfaceNamespace=http://LGCY/namespace"


# Unix terminal (basic auth, doing http request with POST method)

curl -X POST \
  -H "Content-Type: text/xml" \
  -H "Authorization: Basic ZHVtbXl1c2VyOk15UGFzc3dvcmQ=" \
  -d "<soapenv:Envelope>....ommited lines </soapenv:Envelope>" \
  "https://dummyserver:50001/XISOAPAdapter/MessageServlet?senderParty=&senderService=SYS_LEGACY&receiverParty=&receiverService=&interface=BookingFlight_Out&interfaceNamespace=http://LGCY/namespace"

# Windows Powershell (basic auth, doing http request with GET method)

$Username = "dummyuser"
$Password = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $Password)

Invoke-RestMethod -Uri "http://dummyserver:5000/dir/wsdl?p=ic/6e7abd99891231jij123ndb769978566c470" -Method GET -Credential $Credential


# Windows Powershell (basic auth, doing http request with POST method to send payload from file)
 
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("dummyuser:MyPassword"))
$headers = @{
    Authorization = "Basic $base64AuthInfo"
    "Content-Type" = "text/xml"
}

Invoke-RestMethod -Uri "https://dummyserver:50001/XISOAPAdapter/MessageServlet?senderParty=&senderService=SYS_LEGACY&receiverParty=&receiverService=&interface=BookingFlight_Out&interfaceNamespace=http://LGCY/namespace" -Method Post -Headers $headers -Body (Get-Content -Path "request.xml" -Raw)

Bye!

Putty, connect over ssh using a key pair

Follow the next steps to generate a key pair and configure putty to use the private and public key to connect to remote server over ssh.

1. Generate a key pair, open PuttyGen select type RSA, click on Generate and move the mouse cursor over the blank area until this is filled.

2. Set a passhrase if you want to create one, I’m going to leave it in blank.

Seguir leyendo →

Jenkins, pipeline execute script over ssh

• 

In this post I’m going to show how to execute a bash script into the remote server using a Jenkins Pipeline Step using the sshPublisher plugin, in my previous post I’d showed the other way to configure without plugin.

Setup server autentication

1. Create a new key pair, login with service user for jenkins and create new key pair without passhrase (leave it in blank or you can set if you want secure the private key):

# using the service user
sudo su -s /bin/bash jenkins

# create key pair 
ssh-keygen -f ~/.ssh/id_pipessh -t rsa

out:

$ ssh-keygen -f ~/.ssh/id_pipessh -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /c/Users/003084781/.ssh/id_pipessh
Your public key has been saved in /c/Users/003084781/.ssh/id_pipessh.pub
The key fingerprint is:
SHA256:rPIPQ8a74wwumZ7TrtXOXfKcWbcSBgUhgqRnSY9Evf4 GMX+003084781@IBM-PF398HP4
The key's randomart image is:
+---[RSA 3072]----+
|   o=o. . oo     |
|   +.+.. .  .    |
|  . = ..   .     |
|   o ...  .      |
|     .+ S  .     |
|     +.o    o    |
|   ++ *.. .....  |
|  =+.B.=E= +.. . |
| .+=o.Boo =  ..  |
+----[SHA256]-----+

The private key (‘id_pipessh‘) and the public key (‘id_pipessh.pub‘) are created into ~/.ssh

Seguir leyendo →

Install Fedora CoreOS + Cockpit for VirtualBox

In this entry I’m going to show how to install Fedora CoreOS with Cockpit to manage the server. Although I’m using Mac OS the commands are the same for Linux.

First the basics:

Fedora CoreOS is an automatically-updating, minimal operating system for running containerized workloads securely and at scale. It is currently available on multiple platforms, with more coming soon.

Cockpit is a web-based graphical interface for servers, intended for everyone. See your server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs. 

Seguir leyendo →

SSH tunneling from UNIX console

I’ve ever forgot write this tip,  in some cases when you’re working from an unix server you must to connect with other hosts, for example a web application to database, but for security reasons the server is the only one with permisions to connect. If you want to connect from your computer you can’t do this.

In this case you can use SSH tunneling, this command enables to use the server as point to connect from your computer, in other words, you can use the server like a bridge to achieve the connection with the data base.

ssh -L 5566:10.1.2.3:1527 myuser@10.2.3.4

• 5566: is your local port to use in your computer
• 10.1.2.3:1527 redirect all trafic to indicated host and port (through your local port)
• myuser@10.2.3.4  it’s the normal ssh connection to your server

After that, you can do the connection from your machine to achive the DB with something like this:

jdbc:oracle:thin:@localhost:5566:mydb

Regards!

JBoss EAP 6.2 Shell script as a service for SUSE

Just like that, explained by self  🙂

	#! /bin/sh
	### BEGIN INIT INFO
	# Provides: JBOSS
	# Required-Start:
	# Required-Stop:
	# Default-Start: 5
	# Default-Stop:
	# Description: Start Jboss Aplication Server 6.2
	### END INIT INFO
	export JBOSS_HOME=/usr/share/jboss/jboss-eap-6.2
	start(){
	echo "Starting JBoss EAP..."
	# If using an SELinux system such as RHEL 4, use the command below
	# instead of the "su":
	# eval "runuser - jboss -c '/opt/jboss/current/bin/run.sh > /dev/null 2> /dev/null &'
	# if the 'su -l ...' command fails (the -l flag is not recognized by my su cmd) try:
	#Jboss EAP 6.2
	su -l jboss -c '$JBOSS_HOME/bin/standalone.sh > /dev/null 2> /dev/null &'
	}
	stop(){
	echo "Stopping JBoss..."
	# If using an SELinux system such as RHEL 4, use the command below
	# instead of the "su":
	# eval "runuser - jboss -c '/opt/jboss/current/bin/shutdown.sh -S &'
	# if the 'su -l ...' command fails try
	#Jboss EAP 6.2
	su -l jboss -c '$JBOSS_HOME/bin/jboss-cli.sh --connect command=:shutdown'
	}
	restart(){
	su -l jboss -c '$JBOSS_HOME/bin/jboss-cli.sh --connect --command=:reload'
	}
	case "$1" in
	start)
	start
	;;
	stop)
	stop
	;;
	restart)
	restart
	;;
	*)
	echo "Usage: jboss {start|stop|restart}"
	exit 1
	esac
	exit 0

view raw jboss7.sh hosted with ❤ by GitHub

References

• https://developer.jboss.org/wiki/HowToInstallJBossAS7AsALinuxService
• http://www.mastertheboss.com/jboss-web/jbosswebserver/how-do-you-configure-a-web-application-as-default-web-app
• http://susefaq.sourceforge.net/faq/services.html

Regads

Install Java JDK on Server (Suse)

La instalación del a jdk en servidores Unix puede generar a veces algunos problemas ya que generalmente no hay una guía exacta para realizar la instalación, pero desde mi punto de vista creo que también se debe a que en internet hay muchas formas de hacerlo y también es verdad que Unix lo permite, por lo tanto no hay una forma «correcta» de hacerlo.

Sin embargo hay una forma de mantener un orden dentro de todo este caos, por ejemplo hay servidores que a veces necesitan tener instaladas dos o más versiones de la jdk en el mismo server… y ¿como controlamos esto? este tipo de cuestiones son las que causan esos problemas  a los que me refiero porque muchos ajustamos variables de entorno y terminamos creando un dessatre, y bueno antes de mostrar la instalación quería transmitir esta pequeña perspectiva.

El siguiente comando es el que nos a ayudar en Suse a controlar esto:

update-alternatives

Nota: en Ubuntu el equivalente es el comando alternatives
Seguir leyendo →

Add unix user for tomcat service

Regresando un poco a las raices de como instalar este server creo que una pequeña y práctica nota para hacerlo es poner atención al usuario que utilizamos para ejecutar el contenedor web.

A veces no le damos mucha importancia a estos detalles porque generalmente siempre tenemos muchas actividades y lo que todo mundo quiere ver es la aplicación funcionando en el menor tiempo posible, y lo clasico es dejar la instalación con un usuario de administración o el root (en el peor de los casos).

Por ello decidí tomar unos minutos para escribir estas líneas con los comandos de como debemos agregar un usuario de servicio para nuestro contenedor para que sea ejecutado en el servidor.

	#Create group and user
	groupadd tomcat
	useradd -r -m -d ${USR_TOMCAT_HOME_DIR} -s /bin/false tomcat -g tomcat
	# In debian distro you can use this alternative
	useradd -r -m -d ${USR_TOMCAT_HOME_DIR} -s /sbin/nologin tomcat -g tomcat
	#set user password
	passwd tomcat
	#Change folder privilegies
	chown -R tomcat.tomcat /path/to/tomcat
	chmod 775 /path/to/tomcat/webapps
	#start or stop server
	sudo -u tomcat /opt/tomcat/bin/startup.sh
	sudo -u tomcat /opt/tomcat/bin/shutdown.sh
	#if you have normal or admin user you need these commands:
	su - tomcat -c /opt/tomcat/bin/startup.sh
	su - tomcat -c /opt/tomcat/bin/shutdown.sh

view raw TomcatUser.sh hosted with ❤ by GitHub

Con esto podemos crear un usuario que no tiene privilegios para firmarse en el sistema sin embargo, puede ejecutar comandos através de la instrucción sudo.

Esto es una muy buena practica de seguridad para evitar que se firmen en el sistema con los usuarios de servicio, sin embargo ¿que pasa si un día necesitas entrar con este usuario?, fácil podemos cambiarle el shell con la iinstrucción:

# Enable login
sudo usermod -s /bin/sh tomcat
# Disable login 
sudo usermod -s /bin/false tomcat

Ah y algo muy importante que puede pasar en algunas distribuciones es que al iniciar el contenedor no puede enlazar el puerto 80 con un usuario diferente al root por lo que debes redireccionar los puertos con el comando iptables:

When running Tomcat as a user other than the root user, you will not be able to bind to port 80, which is where Tomcat listens for HTTP requests

Aunque vaya esto último solo es para ambientes de desarrollo, en producción ¡nunca! debes hacer esto, en su lugar debes colocar un servidor proxy que redireccione las peticiones al tomcat.

Bueno y el último paso es generar un script para que se ejecute cada vez que se inicie o detenga el sistema operativo:

Generas un archivo «vi /etc/init.d/tomcat» con el siguiente contenido:

	#!/bin/bash
	### BEGIN INIT INFO
	# Provides: tomcat7
	# Required-Start: $network
	# Required-Stop: $network
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	# Short-Description: Start/Stop Tomcat server
	### END INIT INFO
	TOMCAT_HOME=/opt/apache-tomcat-7.0.57
	PATH=/sbin:/bin:/usr/sbin:/usr/bin
	start() {
	sudo -u tomcat $TOMCAT_HOME/bin/startup.sh
	}
	stop() {
	sudo -u tomcat $TOMCAT_HOME/bin/shutdown.sh
	}
	case $1 in
	start|stop) $1;;
	restart) stop; start;;
	*) echo "Run as $0 <start|stop|restart>"; exit 1;;
	esac

view raw Tomcat7.bash hosted with ❤ by GitHub

Debes cambiar la variable TOMCAT_HOME con la ruta donde se encuentra ubicado tu servidor.

# Add permisions
chmod 755 /etc/init.d/tomcat
# Add script to automatic 
update-rc.d tomcat defaults

Referencias

• http://www.mulesoft.com/tcat/tomcat-linux
• http://www.cyberciti.biz/faq/unix-create-user-account/
• http://linux-sxs.org/internet_serving/c140.html
• http://superuser.com/questions/670848/how-to-install-tomcat-server-using-no-login-shell
• https://www.owasp.org/index.php/Securing_tomcat
• https://www.digitalocean.com/community/tutorials/how-to-restrict-log-in-capabilities-of-users-on-ubuntu
• http://www.cyberciti.biz/tips/linux-prevent-normal-users-from-logging-into-system.html
• http://serverfault.com/questions/519215/what-is-the-difference-between-sbin-nologin-and-bin-false