Redhat Fuse and PAM usecases

See also questions close to this topic

• How to get a response by HTTPS from my Go microservice?

  I have a vue.js website hosted on Cloudflare Pages and a separate microservice hosted on the Hetzner which works with the database. From my frontend, I'm making a request with axios:

  let response = await axios.get("...")
  response.data.forEach((data) => {
      console.log(data)
  })
  

  For the backend, I'm using Go with gin web framework. My CORS configuration:

  func CORSMiddleware() gin.HandlerFunc {
      return func(c *gin.Context) {
          c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
          c.Writer.Header().Set("Access-Control-Max-Age", "86400")
          c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, UPDATE")
          c.Writer.Header().Set("Access-Control-Allow-Headers", "Origin, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
          c.Writer.Header().Set("Access-Control-Expose-Headers", "Content-Length")
          c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
          if c.Request.Method == "OPTIONS" {
              c.AbortWithStatus(200)
          } else {
              c.Next()
          }
      }
  }
  

  And it works locally and with RESTer extension, but if I deploy this to Cloudflare Pages, I get mixed content errors. If I understood this correctly, this is due to the fact that requests to the microservice go through HTTP and not HTTPS. I've tried generating the certificate and key like this:

  go run $GOROOT/src/crypto/tls/generate_cert.go --host ...
  

  And then run microservice with TLS:

  router.RunTLS("...", "cert.pem", "key.pem")
  

  But it didn't help and now I get this error:

  HTTP: TLS handshake error from ...: remote error: tls: bad certificate
  

  I have also tried autotls for gin and that doesn't work either. How I have to configure my microservice to make it work with Cloudflare Pages and HTTPS?
• How to enable AJP port in Payara Micro and Use Apache server as proxy

  I am using Payara micro community edition to deploy a microservice REST APIs. I need to enable AJP port so that the Apache proxy server listens to the AJP port 8192.

  java -jar payara-micro-5.2020.5.jar --deploydir ./payara/webapps --rootDir ./payara --postbootcommandfile ./payara/postboot.txt

  ./payara/webapps folder contains the microservice WAR file.

  postboot.txt content:

  create-network-listener --protocol http-listener-1 --listeneraddress 0.0.0.0 --listenerport 8192--jkenabled true jk-connector

  The command execution has no issues and following ports are enabled "Http Port(s)": "8080, 8192".

  I am able to use the microservice APIs locally (http://localhost:8192/). But the requests from Apache proxy shows Bad Gateway error.

  Am I missing some configuration for AJP port enabling in Payara Micro?
• How to start a django app with dynamic instance port in py eureka client?

  here is my init file of my django app:

  import py_eureka_client.eureka_client as eureka
  
  registry_client, discovery_client = eureka.init(eureka_server="http://127.0.0.1:8761",
                                                  app_name="django-app",
                                                  instance_port=8088)
  

  I want to demonstrate dynamic scaling of application but cannot start the application on different port. Any suggestion? I'm very new to microservices.
• sql developer mysql connection to remote db using local host instead of remote host

  I am on a windows server 2016 machine running sql developer and I'm trying to connect to a mysql db on a different host.

  I installed the mysql jdbc connector so that a MySql tab shows up when I create a new db connection. MySql is up and running on the remote machine and I can access it locally. I have also change the my.cnf file at the remote redhat server and added the line. Bind-address = 0.0.0.0 and afterwards restarted mysql service.

  My difficulty is confined to accessing it via sql developer on my local machine. My specific problem is that it seems to be using my local hostname (I substituted mymachine.domain for discussion purposes) rather than the hostname I specified in the connection. When I try to connect I get the following:

  Access denied for user 'root'@'localhost.domain' (using password: YES)

  I have tried to add the remote servername in my username, so I changed it to root@remotehost.domain Now the error is changed to:

  Access denied for user 'root@remotehost.domain'@'localhost.domain' (using password: YES)

  So SQL Developer on the localhost is still adding the localhost to the username.

  I have found a similar question but without any answers.
• Rtpproxy start with /var/run/ instead of /var/run/rtpproxy

  I am currently setting up rtpproxy in RHEL 7, and when I tested in in ubuntu, it runs without any problem. From what I observe, I think the problem is mainly due to the permission of /var/run/; the service fails to start and logs this error:

  rtpproxy: can't bind to a socket: /var/run/rtpproxy.sock: Permission denied

  Is there any way to change the way rtpproxy run with /var/run/rtpproxy/ rather than /var/run/ ?

  Here is the screenshot of the error showed
• Linux module load

  I have one question one of my Linux box which is RHEL 7.8 the module joydev is loaded on one server but not on the other server.

  Server A => Module joydev is loaded successfully Server b => Module joydev is not loaded

  I know I can load the module on server B but looking for root cause when both the system installation is some why the module loaded on one server but not on another.
• How to read already set property value inside groovy in apache camel

  I am stucked with reading property value inside groovy.I can see the value for logger. example:

  <setProperty propertyName="path">
     <xpath resultType="java.lang.String">//*[local-name()='FileRef']/text()</xpath>
  </setProperty>
  <log message="${property.path}"/>
  <setBody>
   <groovy>
    println (I want to use path value here which again needs to be prefix with some url which we have in property file)
  -------
  </groovy>
  </setBody>
  
• How to specify the plain jar file inside the feature file

  I tried to deploy a feature which contains jar but that is not a fuse bundle, plain jar.

  <features name="DependantJars">
    <feature name="App-Dependant-Bundles">
      <bundle>file:H:/Project/fuse-jars/dependencyjars/httpcore-4.4.4.jar</bundle>
      <bundle>file:H:/Project/fuse-jars/dependencyjars/httpclient-4.5.2.jar</bundle>
      <bundle>file:H:/Project/fuse-jars/dependencyjars/commons-compress-1.6.jar</bundle>
      <bundle>file:H:/Project/fuse-jars/dependencyjars/xom-1.2.5.jar</bundle>
      <bundle>file:H:/Project/fuse-jars/dependencyjars/json-lib-2.1-jdk15.jar</bundle>
     ....
    </feature>
  </features>
  

  I am getting the below error. Is it possible to specify the jar file inside the feature which is not bundle?

  Error executing command: Jar is not a bundle, no Bundle-SymbolicName file:H:/Project/fuse-jars/dependencyjars/httpcore-4.4.4.jar
• Configure properly linux pam radius for MFA

  I've trying to configure 2FA in linux with pam radius module, and it works but not as I expected.

  With my current configuration( module sshd in pam.d), when one user begin the login process, the system-auth password is being prompted, and then the radius module ask for second authentication (phone calling with MFA in my case). But radius module always ask for the 2FA, regardless if system-auth return a success or failure. The best config for me, it would be that radius module only prompt 2FA only if local authenticacion was successfully.

  Guys, do you know the correct way to configure sshd pam module and/or system-auth module?.

  My sshd pam config is standard

  # cat sshd
  #%PAM-1.0
  auth    required        pam_sepermit.so
  auth    substack        password-auth
  # 2FA
  auth    [default=ignore success=1 ]     pam_succeed_if.so uid <= 10000 debug
  auth    required        pam_radius_auth.so client_id=xxxxx debug
  #
  auth    include         password-auth
  # Used with polkit to reauthorize users in remote sessions
  -auth      optional     pam_reauthorize.so prepare
  account    required     pam_nologin.so
  account    include      password-auth
  password   include      password-auth
  # pam_selinux.so close should be the first session rule
  session    required     pam_selinux.so close
  session    required     pam_loginuid.so
  # pam_selinux.so open should only be followed by sessions to be executed in the user context
  session    required     pam_selinux.so open env_params
  session    required     pam_namespace.so
  session    optional     pam_keyinit.so force revoke
  session    include      password-auth
  session    include      postlogin
  # Used with polkit to reauthorize users in remote sessions
  -session   optional     pam_reauthorize.so prepare
  

  Thank you and regards.
• Exclude SSH Login from wtmp & Syslog for a Specific User Account

  I have a monitoring server (‘ClusterControl’) which uses a regular user account to login using an ‘interactive shell’ and runs some sudo maintenance commands.

  This account logs-in via an SSH Key (passwordless) 4 times per minute it seems.

  The /var/log/wtmp and /var/log/syslog fills up with thousands of login entries.

  Three problems arise:

  1. The last command without parameters is rendered un-usable since the serviceaccount username is displayed thousands of times and scrolls of the screen - other account logins are not seen.

  2. The /var/log/wtmp and /var/log/syslog files get very large quickly.

  3. Syslog at /var/log/syslog is un-usable without passing it through grep to filter out the login entries.

  Question

  How can I exclude this user account from being logged?

  P.S. I have tried adding a PAM entry of systemd [success=ok default=1] pam_succeed_if.so user in username in the various pam files located in /etc/pam.d folder as some articles have directed but it has not worked.

  I’m not sure which file to use and what the correct syntax should be.

  /var/log/syslog shows the ssh username login logged by ‘systemd’ at the beginning of the log line.

  The server is Ubuntu 18.04

  Note:
  I generally don’t cross-post but I’ve also asked the Unix & Linux community here
• Is it possible to auth user in third party app with their ssh key used to login?

  I'm writing CLI application secured with strong password. The users supposed to run it on a server inside of secured perimeter over ssh. My users complain it's too annoying to enter the password every time.

  I'm trying to figure out if it's possible to use user's ssh keys to authenticate them in my app instead of inputting application password. I can't rely on $USER because I want bind authentication to user's ssh keys.

  I considered ssh-agent but it runs on user's machine afaik. I'm considering PAM now, but not sure if it's possible to check the keys the user used to authenticate.

  Could anyone suggest if it's possible and where to research?
• Converting from Red Hat Fuse 3.x to 7.4 - JBI

  We currently have a JBI app running on Red Hat Fuse ESB 3.x and intend to transition to a supported version of Fuse ESB 7.4

  I am looking for some type of document or guidance on converting our JBI app... as I understand JBI packaging has been deprecated in favor of OSGI ...I am just looking for some documents that may shed some light on the process required to transition the JBI app to OSGI... I am wondering if this is a matter of using straight up Camel for what we need or if there are deeper considerations.