Tuesday, June 26, 2007

HOWTO INSTALL MSA1500cs RED HAT EL 5

Installing MSA1500cs Red Hat EL 5 HOWTO
Author Cristhian Nunez
Date 2007-06-26


Overview

A storage area network (SAN) is an architecture to attach remote computer storage devices such as disk array controllers, tape libraries and CD arrays to servers in such a way that, to the operating system, the devices appear as locally attached devices. Although cost and complexity are dropping, as of 2007 SANs are still uncommon outside larger enterprises.

By contrast to a SAN, network-attached storage (NAS) uses file-based protocols such as NFS or SMB/CIFS where it is clear that the storage is remote, and computers request a portion of an abstract file rather than a disk block.

The HP StorageWorks 1500cs Modular Smart Array (MSA1500) is a Fibre Channel storage area network (SAN) 2U controller shelf that connects to HP StorageWorks SCSI and/or Serial ATA (SATA) disk enclosures. Together they provide customers with a flexible low-cost, high capacity storage solution. The MSA1500cs has been designed as a hardware foundation for future solutions to ensure maximum investment protection.

MSA1500cs Features

Increased scalability w/ SCSI drives - Gain increased SCSI capacity with the enterprise-class 300GB U320 SCSI drives now giving a total SCSI capacity of 16.8TB.

Low Cost, Higher Capacity with SATA drives - For less than $0.01 per MB, customers can obtain up to 64TB of capacity.

Modular 2U Rack-Mount Disk Array Controller Shelf - Ability to attach SCSI and Serial ATA enclosures.

RAID 6 with HP's Advanced Data Guarding technology (RAID ADG), 2Gb/1Gb Fibre connections to host - ADG, the highest level of fault tolerance, allocates two sets of parity data across multiple drives while allowing simultaneous write operations. This level of fault tolerance can withstand two simultaneous drive failures without downtime or data loss. Protects the customer's 1Gb infrastructure by supporting both 1Gb and 2Gb FC fabrics.

Hot plug expansion and replacement support - Hot plug expansion and replacement of hard drives, redundant controllers, for simple, fast installation and maintenance. Fans and power supplies are also hot plug replaceable.

Integrated configuration and management tools - Uses a standard set of management and utility software. These tools consistently lower the cost of ownership by reducing training and technical expertise needed to install and maintain the MSA1500cs.

Ability to upgrade from the MSA1000 to the MSA1500cs - Ability to move the MSA1000 controllers to the empty controller bays in the MSA1500cs while also upgrading the firmware. Provides greater scalability and flexibility, with the added benefit of allowing SCSI and SATA drives to be mixed in the MSA1500cs.

Mix of SATA and SCSI in the MSA1500cs - Ability to mix Serial ATA enclosures and SCSI disk enclosures behind the same MSA1500 controller shelf.

Implementation

Installing and Configuring the SAN

- Download and install the qla2xxx driver.
Note: The qla2xxx drivers on the CD are not working correctly, so we need to download the correct driver package, qla2xxx-v8.01.07-1-dist.tgz, from the QLogic web site.
Unpack and install:
tar -xvzf *.tgz
cd qlogic
./drvsetup
cd qla2xxx-x-yy-zz
./extras/build.sh install
Copy the resulting .ko files to /lib/modules/2.6xxx/kernel/drivers/scsi/qla2xxx

We need to create a script that unloads the default qla2xxx driver and loads the new one.
Create the file HBA_MOUNT.sh:
#!/bin/bash
rmmod qla2400
rmmod qla2300
rmmod qla2xxx_conf
rmmod qla6312
rmmod qla2xxx

modprobe -v qla2xxx
modprobe -v qla2300
modprobe -v qla2322
modprobe -v qla2400
modprobe -v qla2xip

ifconfig fc0 10.1.2.3
ifconfig fc1 10.1.2.4

After doing this, make a link to it in /etc/rc5.d/ like this:
ln -s /root/HBA_MOUNT.sh /etc/rc5.d/S11HBA

We are ready to use the SAN for the database.
Now we are going to install other utilities from the CD-ROM, assuming it is mounted at /media/cdrom:
Install ACU (Array Configuration Utility)
rpm -ivh /media/cdrom/ACU/Linux/x86/cpacuxe-7.50-23.linux.rpm
Install ADU (Array Diagnostic Utility)
rpm -ivh /media/cdrom/ADU/Linux/x86/hpadu-7.50-23.linux.rpm
Install SMH (System Management Homepage)
rpm -ivh /media/cdrom/SMH/Linux/i386/hpsmh-2.1.5-146.rpm

Finally, activate cpqacuxe and hpsmh:

/etc/init.d/hpsmhd restart
cpqacuxe -R
We can log in through a web browser at http://localhost:2381

Now we are going to configure the array with ACU.
Select Create Array and, on the right-hand side, choose the disks you want in the array.
After creating the array we need to create a logical drive: go to Create Logical Drive and select the array type (RAID level) and size.
Finally, we need to present the logical drive to the operating system. Click on the controller, select "Selective Storage Presentation", click Enable, set the host mode to Linux and check the box.
Exit ACU and restart the system.

Now let's create the filesystem on /dev/sda:
mkfs.ext3 /dev/sda
Mount it on /oracle:
mount /dev/sda /oracle


Expanding the Array and Logical Drives
To expand the array and the logical drive, follow these steps:
Click on the array you want to expand and select "Expand Array".
Select the disks to add.
Save the configuration. A background process starts, and expanding the array takes a long time to complete (4 or 5 hours).
Once the array expansion has completed, click on the new array and select "Extend Logical Drive". This also takes a long time.
Finally, we need to make the operating system aware of the change:
umount /oracle
e2fsck -f /dev/sda
resize2fs /dev/sda
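The three commands above are an offline sequence: e2fsck -f must not be run on a mounted filesystem, and the howto unmounts /oracle first for that reason. The script below is an added example (not part of the original howto) that wraps the same steps in a function which refuses to touch the device while it is still listed as mounted. Assumptions: MOUNTS defaults to /proc/mounts but can be pointed at any file in that format, DRY_RUN=1 prints the commands instead of running them, and -y is passed to e2fsck so the check runs unattended.

```shell
#!/bin/sh
# Added example: offline grow of an ext3 volume after the logical drive was
# extended in ACU. Not from the howto; the mounted-device check is the point.
MOUNTS="${MOUNTS:-/proc/mounts}"   # assumption: mounts-format table to consult

# 0 if $1 appears as a mounted device in $MOUNTS
is_mounted() {  # $1 = block device
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS"
}

# Execute a command, or only echo it when DRY_RUN=1 (assumed flag for rehearsal)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Grow the ext3 filesystem on $1 to fill the enlarged logical drive, then
# remount it on $2. Returns 1 without touching the disk if $1 is mounted.
grow_ext3() {  # $1 = device, $2 = mount point
    if is_mounted "$1"; then
        echo "refusing: $1 is still mounted; umount $2 first" >&2
        return 1
    fi
    run e2fsck -f -y "$1" || return 1   # resize2fs insists on a clean forced check
    run resize2fs "$1"    || return 1   # no size argument: use the whole device
    run mount "$1" "$2"
}

# Usage: ./grow_ext3.sh /dev/sda /oracle   (only runs when called with two args)
if [ "$#" -eq 2 ]; then grow_ext3 "$1" "$2"; fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue for the device; the howto's own sequence is what appears, preceded by the refusal message if /oracle is still mounted.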




Thursday, June 14, 2007

OpenVPN HOWTO Red Hat EL 5

OpenVPN HOWTO


1 Introduction

What is a VPN?

A VPN is a networking technology that extends a local network over a public or uncontrolled network such as the Internet.

The most common example is connecting two or more branch offices of a company using the Internet as the link, allowing technical support staff to connect from home to the data center, or letting a user reach their home computer from a remote location such as a hotel. All of this runs over the Internet's infrastructure.

To do this securely, the means must be provided to guarantee authentication, integrity and confidentiality for all of the communication:

Authentication and authorization: who is on the other end? The user/machine, and what level of access they should have.

Integrity: the guarantee that the data sent has not been altered.

Confidentiality: since the data travels over a potentially hostile medium such as the Internet, it is open to interception, so encrypting it is essential. That way the information cannot be interpreted by anyone other than its intended recipients.

Types of VPN

Remote-access VPN

This is probably the most widely used model today: users or suppliers connect to the company from remote sites (sales offices, homes, hotels, aircraft, and so on) using the Internet as the access link. Once authenticated they have a level of access very similar to what they have on the company LAN. Many companies have replaced their dial-up infrastructure (modems and telephone lines) with this technology, although for contingency reasons they still keep their old modems.

Site-to-site VPN

This scheme is used to connect remote offices with the organization's headquarters. The VPN server, which has a permanent link to the Internet, accepts the connections arriving over the Internet from the sites and establishes the VPN tunnel. The branch-office servers connect to the Internet through their local Internet provider, typically over broadband connections. This eliminates the costly traditional point-to-point links, especially for international communications. The previous type is more common. This is also called tunneling.

Internal VPN

This scheme is the least widespread but one of the most powerful for use inside the company. It is a variant of the remote-access type, but instead of using the Internet as the connection medium it uses the company's own local area network (LAN). It serves to isolate zones and services of the internal network, which makes it very convenient for improving the security of wireless (WiFi) networks.

A classic example is a server holding sensitive information, such as payroll, placed behind a VPN device that provides additional authentication plus encryption, so that only the authorized HR staff can reach the information.

Digital certificate

A digital certificate is a digital document by which a trusted third party (a certification authority) vouches for the binding between the identity of a subject or entity and its public key. Although several digital certificate formats exist, the most commonly used follow the ITU-T X.509v3 standard. The certificate usually contains the name of the certified entity, a serial number, an expiry date, a copy of the certificate holder's public key (used to verify its digital signature), and the digital signature of the issuing authority, so that the recipient can verify that the latter really established the association.

Digital certificate format

A digital certificate is made up of:

Public key
Private key
Owner information
Certificate issuer information

2 Required Packages

openvpn-2.0.7-1.el4.rf
lzo-1.08-4.2.el4.rf
openssl-devel-0.9.7a-43.4
openssl-0.9.7a-43.4

3 Procedures

Setting up your own Certificate Authority (CA) and generating certificates and key pairs for the OpenVPN server and a VPN client.
The first step in building a VPN with OpenVPN 2.0 is to set up a PKI (Public Key Infrastructure). This PKI consists of:

A separate certificate (also known as a public key) and a private key for the server and for each client.

A master certificate for the Certificate Authority (CA) and its key, which is used to sign each server and client certificate. Generate the master key and certificate for the Certificate Authority (CA).

In this section we generate the certificates/keys for the CA, the server and the client. To manage the PKI we use the scripts that ship with OpenVPN (easy-rsa), but in this case the new version, easy-rsa 2.0, which has many improvements.

These easy-rsa 2.0 scripts live in: /usr/doc/openvpn-2.0.6/easy-rsa/2.0/

It is recommended to copy the contents of that directory, for example to /etc/openvpn/easy-rsa-V2.0.

So we do:
# cd /etc/openvpn
# mkdir easy-rsa-V2.0
# cp -r /usr/doc/openvpn-2.0.6/easy-rsa/2.0/* /etc/openvpn/easy-rsa-V2.0
# cd /etc/openvpn/easy-rsa-V2.0
Now we edit the vars file. The first thing to do is set the path in the KEY_DIR variable, which by default will be /etc/openvpn/easy-rsa-V2.0/keys; that directory does not exist yet, so we create it first:

# mkdir -p /etc/openvpn/easy-rsa-V2.0/keys
This directory is where the private keys, the certificate signing requests (.csr), the certificates (.crt) and other files such as serial and index.txt are stored.

Now configure the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. None of them may be left empty; their values are copied by default into every certificate we create, for example:

export KEY_COUNTRY="DR"
export KEY_PROVINCE="Santo Domingo"
export KEY_CITY="Distrito Nacional"
export KEY_ORG="Fundacion Codigo Libre"
export KEY_EMAIL="cristhian@codigolibre.org"
The next step is to initialize the PKI:

# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa-V2.0/keys

If the parameters were edited correctly you will see something like the output above.
Now set up a fresh environment:
# ./clean-all

As you create certificates, keys and certificate signing requests, keep in mind that only the .key files must be kept confidential. The .crt and .csr files may be sent over an insecure channel such as plaintext email.

Generating Diffie-Hellman parameters.
The Diffie-Hellman parameters must be generated for the OpenVPN server:

# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.............................................................................+..
#

Build the certificate/key for the CA. You will see something like this:
# ./pkitool --initca
Using CA Common Name: Tuxjm CA
Generating a 1024 bit RSA private key
............................++++++
........................++++++
writing new private key to 'ca.key'

Generating the certificate and keys for the server.

Next, generate the certificate and private key for the server:

# ./pkitool --server servidor
Generating a 1024 bit RSA private key
...........++++++
...................................................................++++++
writing new private key to 'servidor.key'

Using configuration from /etc/openvpn/easy-rsa-V2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'MX'
stateOrProvinceName :PRINTABLE:'Baja California'
localityName :PRINTABLE:'Tijuana'
organizationName :PRINTABLE:'Tuxjm'
commonName :PRINTABLE:'servidor'
emailAddress :IA5STRING:'jmedinaaa@uxjm.net'
Certificate is to be certified until Apr 30 03:50:13 2016 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#
As we can see, all the values were taken from the vars file, and commonName was set to the argument we passed to ./pkitool --server servidor, in this case servidor.

Generating the certificate and private key for a client.
This is very similar to the previous steps:
# ./pkitool cliente1
Generating a 1024 bit RSA private key
.........................................++++++
............................++++++
writing new private key to 'cliente1.key'
Using configuration from /etc/openvpn/easy-rsa-V2.0/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'MX'
stateOrProvinceName :PRINTABLE:'Baja California'
localityName :PRINTABLE:'Tijuana'
organizationName :PRINTABLE:'Tuxjm'
commonName :PRINTABLE:'cliente1'
emailAddress :IA5STRING:'jmedinaaa@tuxjm.net'
Certificate is to be certified until Apr 30 03:51:59 2016 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
#

As we can see, all the values were taken from the vars file, and commonName was set to the argument we passed to ./pkitool cliente1, in this case cliente1.
Now we create a second certificate for a new client:
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa-V2.0/keys
# ./pkitool cliente2
As you add clients you will do so with this same tool (pkitool). Do not forget that every time you are going to use the pkitool script you must run source ./vars first, before creating or revoking any certificate.

Now we copy the required files to their respective places. ca.crt, dh1024.pem, servidor.crt and servidor.key belong on the server, so we can leave them where they are. The files ca.crt, cliente1.crt and cliente1.key have to be transferred to the client, and this must be done over a secure channel; ssh can be used to copy them to the client machine.

Assuming we are still in /etc/openvpn/easy-rsa-V2.0:
# mkdir archivoscliente1
# cd keys
# cp -v ca.crt cliente1.crt cliente1.key ../archivoscliente1/

And then:
# cd ..
# chmod -R 755 archivoscliente1
$ scp -r archivoscliente1 usuario@clientevpn:.
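What pkitool does in the three steps above (--initca, --server, plain client) can be seen with plain openssl commands. The script below is an added example, not the easy-rsa scripts from this howto: it builds a CA, a server certificate marked nsCertType=server / extendedKeyUsage serverAuth (which is what pkitool --server produces, and what a client needs in order to confirm it is talking to the server rather than to another client), and a client certificate, using the subject fields from the vars file above. The CA common name "Example CA", the 2048-bit key size (the howto uses 1024) and the output directory taken from the first argument are assumptions.

```shell
#!/bin/sh
# Added example: the CA / server / client PKI from the howto, built with
# openssl directly instead of easy-rsa's pkitool. Not the page's own code.
set -eu

# Subject fields, mirroring the vars file edited in the howto
KEY_COUNTRY="DR"; KEY_PROVINCE="Santo Domingo"; KEY_CITY="Distrito Nacional"
KEY_ORG="Fundacion Codigo Libre"; KEY_EMAIL="cristhian@codigolibre.org"
KEY_SIZE=2048   # assumption: the howto generates 1024-bit keys

subj() {  # build an openssl subject line; $1 is the commonName
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' \
        "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$1" "$KEY_EMAIL"
}

# Self-signed CA certificate and key (what "pkitool --initca" produces)
make_ca() {  # $1 = key dir
    openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -days 3650 \
        -subj "$(subj 'Example CA')" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"   # only .key files are secret
}

# Leaf certificate signed by the CA. $3 is "server" or "client"; a server
# certificate carries nsCertType=server, which is what lets a client enforce
# "ns-cert-type server" in its config instead of trusting any CA-signed cert.
make_cert() {  # $1 = key dir, $2 = commonName, $3 = server|client
    ext="$1/$2.ext"
    if [ "$3" = server ]; then
        printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$ext"
    else
        printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$ext"
    fi
    openssl req -new -newkey "rsa:$KEY_SIZE" -nodes \
        -subj "$(subj "$2")" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 3650 -extfile "$ext" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# 0 if the certificate chains to our CA (the check both VPN ends perform)
verify_chain() {  # $1 = key dir, $2 = commonName
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# 0 if the certificate is marked as a server certificate
is_server_cert() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'SSL Server'
}

# The whole sequence from the howto: clean dir, CA, DH params, server, client
build_pki() {  # $1 = key dir
    mkdir -p "$1"
    make_ca "$1"
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null   # slow, like build-dh
    make_cert "$1" servidor server
    make_cert "$1" cliente1 client
}

# Usage: ./pki.sh /etc/openvpn/keys   (only runs when a directory is given)
if [ "$#" -eq 1 ]; then build_pki "$1"; fi
```

The server-versus-client distinction is the part worth keeping from this: with the client side configured to require a server-type certificate, a leaked cliente1.crt/cliente1.key pair cannot be used to impersonate the server, which is the weakness the "WARNING: No server certificate verification method has been enabled" line in the client log refers to.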

Creating the configuration files for the server and the client.

Getting the sample configuration files.

It is advisable to use the OpenVPN sample configuration files as a starting point for your own configuration. They can be found in /usr/doc/openvpn-2.0.6/sample-config-files/. The files we need are server.conf and client.conf.

Editing the server configuration file.

The sample server configuration file is an ideal starting point for configuring an OpenVPN server. It creates a VPN using a TUN virtual network interface (routed mode), listens for client connections on UDP port 1194 (OpenVPN's official port number), and hands out virtual addresses from the 10.8.0.0/24 subnet to the clients that connect.

Copy the server configuration file:
# cd /etc/openvpn/
# cp /usr/doc/openvpn-2.0.6/sample-config-files/server.conf .
Edit server.conf and change the values of the ca, cert, key and dh parameters so that they point to the files generated in the previous section.

For example:
ca /etc/openvpn/easy-rsa-V2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa-V2.0/keys/servidor.crt
key /etc/openvpn/easy-rsa-V2.0/keys/servidor.key
dh /etc/openvpn/easy-rsa-V2.0/keys/dh1024.pem

Editing the client configuration file.

On the VPN client the installation steps given at the beginning must also be followed. Once everything is installed, it is time to copy over the files that were generated on the server and transferred over a secure channel (ssh/scp). These files are:

ca.crt cliente1.crt cliente1.key

Copy them from wherever they are to /etc/openvpn/ and set the proper permissions:

# chmod 644 ca.crt
# chmod 644 cliente1.crt
# chmod 600 cliente1.key

Next, use the sample client configuration file:

# pwd
/etc/openvpn
# cp /usr/doc/openvpn-2.0.6/sample-config-files/client.conf .

So on the client we have:

# pwd
/etc/openvpn
# ls
ca.crt client.conf cliente1.crt cliente1.key

With these files in place, edit client.conf and change the ca, cert and key parameters so that they point to the file names we just copied. In this case the value of ca stays as it is, cert changes from client.crt to cliente1.crt, and key changes from client.key to cliente1.key. Remember that ca.crt is shared by clients and servers alike.

Now edit the remote parameter to point it at the hostname or IP address and the port of the OpenVPN server.

For example:
remote 200.222.111.101 1194
Once the parameter has been edited, save the file.


Starting the VPN and initial connectivity tests.

Starting the server.
First make sure the OpenVPN server is reachable from the Internet, which means:
Open UDP port 1194 on the firewall, or configure a port-forwarding rule for UDP port 1194 from the gateway/firewall to the OpenVPN server machine.

Next, make sure the TUN interface is not firewalled.

For simplicity, and for the initial tests, it is advisable to start the OpenVPN server from the command line rather than as a service (daemon).

# cd /etc/openvpn/
# openvpn server.conf
Tue May 2 21:30:49 2006 OpenVPN 2.0.6 i686-pc-linux [SSL] [LZO] built on Apr 29 2006
Tue May 2 21:30:49 2006 Diffie-Hellman initialized with 1024 bit key
Tue May 2 21:30:49 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 2 21:30:49 2006 TUN/TAP device tun0 opened
Tue May 2 21:30:49 2006 /sbin/ip link set dev tun0 up mtu 1500
Tue May 2 21:30:49 2006 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue May 2 21:30:49 2006 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue May 2 21:30:49 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 2 21:30:49 2006 UDPv4 link local (bound): [undef]:1194
Tue May 2 21:30:49 2006 UDPv4 link remote: [undef]
Tue May 2 21:30:49 2006 MULTI: multi_init called, r=256 v=256
Tue May 2 21:30:49 2006 IFCONFIG POOL: base=10.8.0.4 size=62
Tue May 2 21:30:49 2006 IFCONFIG POOL LIST
Tue May 2 21:30:49 2006 Initialization Sequence Completed
If you see something similar to the above, everything went well on the server.
Starting the client.
As with the server configuration, it is best to start the client from the command line.

# cd /etc/openvpn/
# openvpn client.conf
Wed May 3 10:36:32 2006 OpenVPN 2.0.6 i686-pc-linux [SSL] [LZO] built on Apr 29 2006
Wed May 3 10:36:32 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed May 3 10:36:32 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed May 3 10:36:32 2006 LZO compression initialized
Wed May 3 10:36:32 2006 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 3 10:36:32 2006 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 3 10:36:32 2006 Local Options hash (VER=V4): '41690919'
Wed May 3 10:36:32 2006 Expected Remote Options hash (VER=V4): '530fdded'
Wed May 3 10:36:32 2006 UDPv4 link local: [undef]
Wed May 3 10:36:32 2006 UDPv4 link remote: 200.222.111.101:1194
Wed May 3 10:36:32 2006 TLS: Initial packet from 200.222.111.101:1194, sid=cb908c7a 37dab07c
Wed May 3 10:36:33 2006 VERIFY OK: depth=1,/C=MX/ST=Baja_California/L=Tijuana/O=Tuxjm/CN=Calcom_CA/emailAddress=jmedinaaa@tuxjm.net
Wed May 3 10:36:33 2006 VERIFY OK: depth=0,/C=MX/ST=Baja_California/L=Tijuana/O=Tuxjm/C
Wed May 3 10:36:35 2006 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed May 3 10:36:35 2006 Initialization Sequence Completed

If you see something similar to the above, everything went well on the client. Now try to ping across the VPN from the client. If you are using OpenVPN in routed mode (dev tun in the server configuration file), try:

# ping 10.8.0.1

If the ping succeeds, congratulations! You now have a working VPN.


4 Problems Encountered and Solutions

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity).

This error indicates that the client was unable to establish a network connection with the server.

Solutions:

Make sure the client is using the correct hostname/IP address and port number that will let it reach the OpenVPN server.

The connection stalls on startup when using the proto udp configuration; the server log file shows the line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

but the client log shows no equivalent line.

Solution:
You have a one-way connection from the client to the server. The server-to-client direction is blocked by a firewall, usually on the client side. The firewall may be (a) personal firewall software running on the client, or (b) the NAT gateway (router) in front of the client. Modify the firewall so that return UDP packets from the server are allowed to reach the client. See the FAQ for additional troubleshooting information.

Wednesday, June 6, 2007

HOWTO APACHE HTTP SSL SERVER

APACHE HTTP SSL SERVER ON RHEL 5

Author Marian Sanchez
Date 2007-06-05

Overview

What is Apache-SSL?
Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.
What does mod_ssl provide to the Apache Web Server?
Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Highlights

The feature highlights of mod_ssl are the following:

Open Source software.
Useable for both commercial and non-commercial use
Available for both Unix and Win32 platforms
128-bit strong cryptography world-wide
Support for SSLv2, SSLv3 and TLSv1 protocols
Support for both RSA and Diffie-Hellman ciphers
Clean reviewable ANSI C source code
Clean Apache module architecture
Integrates seamlessly into Apache through an Extended API (EAPI)
Full Dynamic Shared Object (DSO) support
Support for the OpenSSL+RSAref US-situation
Advanced pass-phrase handling for private keys
X.509 certificate based authentication for both client and server
X.509 certificate revocation list (CRL) support
Support for per-URL renegotiation of SSL handshake parameters
Support for explicit seeding of the PRNG with external sources
Additional boolean-expression based access control facility
Backward compatibility to other Apache SSL solutions
Inter-process SSL session cache (DBM or Shared Memory based)
Powerful dedicated SSL engine logging facility
Simple and robust application to Apache source trees
Fully integrated into the Apache 1.3 configuration mechanism
Additional integration into the Apache Autoconf-style Interface (APACI)
Assistance in X.509v3 certificate generation (both RSA and DSA)

Requirements

*Apache Web Server already Installed.
*OpenSSL library already installed.
*Mod_SSL already installed.

Implementation

Step one - create the key and request:
openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key

How do I create a client certificate?

Step one - create a CA certificate/key pair, as above.
Step two - sign the client request with the CA key:
openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey my.CA.key -CA my.CA.cert -CAkey my.CA.key -CAcreateserial -days 365
Step three - issue the file 'client.cert.cert' to the requester.

The Apache-SSL directives that you need to validate against this cert are:

SSLCACertificateFile /path/to/certs/my.CA.cert
SSLVerifyClient 2
How do I access client certs from my CGI?
In release apache_1.3.2+ssl_1.27 and above, you can use the directive:
SSLExportClientCertificates


This creates environment variables containing the contents of the client certificates. For more details, see the SSLExportClientCertificates section in the docs. There is also a working example at: https://www.apache-ssl.org/cgi/cert-export.

After the certificates are created, we save them in one directory and chmod them so that only root has access to that directory, for security reasons:
chmod 400 /etc/ssl/midominio.org/server.*
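Before restarting Apache it is worth confirming that the files the SSLCertificateFile and SSLCertificateKeyFile directives point at actually belong together, are not about to expire, and kept the restrictive mode applied above; a mismatched pair only surfaces as a failed startup, and a key that drifted back to 644 surfaces as nothing at all. The script below is an added example, not part of this howto: the certificate and key paths from its two arguments, and the 30-day expiry window, are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an Apache-SSL certificate/key pair before use.
# Not from the howto; argument layout and the 30-day window are assumptions.

# 0 if the certificate's public key is the public half of the private key
cert_matches_key() {  # $1 = certificate (PEM), $2 = private key (PEM)
    [ -r "$1" ] && [ -r "$2" ] || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# 0 if the certificate is still valid $2 seconds from now (default 30 days)
cert_not_expiring() {  # $1 = certificate, $2 = seconds (optional)
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 if only the owner can read the file (the howto applies chmod 400)
owner_only() {  # $1 = file
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run the three checks; prints one line per finding, returns the count
check_ssl_pair() {  # $1 = certificate, $2 = private key
    n=0
    cert_matches_key "$1" "$2" || { echo "cert and key do not match"; n=$((n + 1)); }
    cert_not_expiring "$1"     || { echo "cert expires within 30 days"; n=$((n + 1)); }
    owner_only "$2"            || { echo "key readable by group/others"; n=$((n + 1)); }
    return "$n"
}

# Usage: ./check_ssl_pair.sh /etc/ssl/midominio.org/server.cert /etc/ssl/midominio.org/server.key
if [ "$#" -eq 2 ]; then check_ssl_pair "$1" "$2"; fi
```

The key comparison hashes the SubjectPublicKeyInfo extracted from each side rather than printing the RSA modulus, so it works the same for RSA and DSA keys, both of which the mod_ssl feature list above mentions.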

Marian Sanchez

HOWTO DNS SERVER

HOWTO DNS SERVER ON RHEL 5

Author Cristhian Nunez
Date 2007-06-06


Overview

On the Internet, the Domain Name System (DNS) associates various sorts of information with so-called domain names; most importantly, it serves as the "phone book" for the Internet: it translates human-readable computer hostnames, e.g. en.wikipedia.org, into the IP addresses that networking equipment needs for delivering information. It also stores other information such as the list of mail exchange servers that accept e-mail for a given domain. In providing a worldwide keyword-based redirection service, DNS is an essential component of contemporary Internet use.

BIND (Berkeley Internet Name Domain, previously Berkeley Internet Name Daemon) is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. It is maintained by the Internet Systems Consortium. BIND was originally created by four graduate students with CSRG at the University of California, Berkeley and first released with 4.3BSD. Paul Vixie started maintaining it in 1988 while working for DEC.

A new version of BIND (BIND 9) was written from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush, views, multiprocessor support, and an improved portability architecture. It is commonly used on Linux systems.

DNS Features

  • An A record or address record maps a hostname to a 32-bit IPv4 address.
  • An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address.
  • A CNAME record or canonical name record is an alias of one name to another. The A record to which the alias points can be either local or remote, on a foreign name server. This is useful when running multiple services (like an FTP and a web server) from a single IP address. Each service can then have its own entry in DNS (like ftp.example.com and www.example.com).
  • An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
  • A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org.
  • An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Delegations depend on NS records.
  • An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
  • An SRV record is a generalized service location record.
  • A TXT record allows an administrator to insert arbitrary text into a DNS record. For example, this record is used to implement the Sender Policy Framework and DomainKeys specifications.
  • NAPTR records ("Naming Authority Pointer") are a newer type of DNS record that support regular expression based rewriting.

Other types of records simply provide information (for example, a LOC record gives the physical location of a host), or experimental data (for example, a WKS record gives a list of servers offering some well known service such as HTTP or POP3 for a domain).

Requirements


bind-utils-9.3.3-7.el5.rpm
bind-chroot-9.3.3-7.el5.rpm
bind-libs-9.3.3-7.el5.rpm
bind-9.3.3-7.el5.rpm

Implementation

Install all the packages with the rpm command:
rpm -ivh package.rpm
Check whether BIND is running in a chroot. If so, the default chroot directory is /var/named/chroot/.
Create the local zone file to hold the DNS records:


1.  $TTL 86400 ; 1 day
2.  mydomain.local  IN  SOA  mydomain.local. cnunez.mydomain.local. (
3.          2007052401 ; serial
4.          28800      ; refresh (8 hours)
5.          7200       ; retry (2 hours)
6.          604800     ; expire (1 week)
7.          86400      ; minimum (1 day)
8.          )
9.                  NS  doberman.mydomain.local.
10.                 A   10.1.0.15
11. mydomain.local.
12. dev         A   10.1.0.10
13. bulldog     A   10.1.0.11
14. foxterrier  A   10.1.0.12

BIND reads this file to build the forward zone.
Line 1 specifies the default TTL in seconds, i.e. how long records may be cached before they are refreshed.
Line 2 defines the SOA record for the domain (mydomain.local in the listing).
Line 3: 2007052401 is the serial. If we have other DNS servers running as slaves, every time we modify the zone we have to change the serial so that the slaves update.
Line 4 is the refresh interval after which the slaves check for updates.
Line 5: if the update cannot be performed, the slaves retry after 2 hours.
Line 6 is the time after which the slaves expire the zone.
Line 7 is the minimum TTL.
Line 9 defines a name server (NS) entry.
Lines 12, 13 and 14 are the DNS records pointing to their respective IP addresses.

Next, create the reverse zone, which maps IP addresses back to names. The hosts above live in 10.1.0.0/24, so the zone is 0.1.10.in-addr.arpa (the network octets reversed); the file name used here, /var/named/chroot/var/named/10.1.0.db, is a convention and can be anything as long as named.conf refers to the same file.


$TTL 259200 ; 3 days
@ IN SOA doberman.mydomain.local. cnunez.mydomain.local. (
    2007052401 ; serial
    28800      ; refresh (8 hours)
    7200       ; retry (2 hours)
    604800     ; expire (1 week)
    86400      ; minimum (1 day)
)
@   IN NS  doberman.mydomain.local.
10  IN PTR dev.mydomain.local.
11  IN PTR bulldog.mydomain.local.
12  IN PTR foxterrier.mydomain.local.
15  IN PTR doberman.mydomain.local. ; the name server itself

Edit named.conf (inside the chroot, /var/named/chroot/etc/named.conf) and add the following, merging the options block into the existing one if the file already has one:

acl "loopback" {
    127.0.0.1;
};
acl "internals" {
    10.0.0.0/8;
    172.16.0.0/22;
};

options {
    allow-query     { loopback; internals; };
    allow-recursion { loopback; internals; };
};

zone "mydomain.local" IN {
    type master;
    file "/var/named/mydomain.local";
    notify no;
    allow-transfer { 10.1.0.12; };
    allow-update { none; };
};

zone "0.1.10.in-addr.arpa" IN {
    type master;
    file "/var/named/10.1.0.db";
    notify no;
    allow-transfer { 10.1.0.12; };
    allow-update { none; };
};

named.conf lists every zone this server is authoritative for: the forward zone mydomain.local and its reverse zone 0.1.10.in-addr.arpa (the file paths are seen from inside the chroot). The two acl blocks have no effect until something references them, which is what the options block does: with allow-query and allow-recursion limited to loopback and the internal ranges, named will neither answer nor recurse for arbitrary hosts that can reach port 53. allow-transfer restricts zone transfers (AXFR) to the slave at 10.1.0.12, and allow-update { none; } refuses dynamic updates; with notify no, the slave learns of changes only when it polls at the refresh interval.

Finally, start the BIND service:
/etc/init.d/named start

Make BIND start on every reboot:
chkconfig --level 345 named on

Check that BIND answers for the forward zone:
nslookup bulldog.mydomain.local
Server:   10.1.0.15
Address:  10.1.0.15#53

Name:     bulldog.mydomain.local
Address:  10.1.0.11

Check that the reverse zone works too:
nslookup 10.1.0.11
Server:   10.1.0.15
Address:  10.1.0.15#53

11.0.1.10.in-addr.arpa  name = bulldog.mydomain.local.
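Two small helpers for the zones above, added here as an example; they are not part of the howto and the function names (reverse_zone, bump_serial) are my own. The forward zone is embedded as a constructed string so the script runs offline; in use you would feed it the real file from /var/named/chroot/var/named/. reverse_zone derives the PTR records of the in-addr.arpa zone from the A records, so the two files cannot drift apart, and bump_serial produces the next YYYYMMDDnn serial, which matters because a slave that sees a serial no larger than its own silently keeps serving the old zone.

```shell
#!/bin/sh
# Added example, not part of the howto: derive the reverse zone from the
# forward zone and compute the next SOA serial.
set -eu

# Constructed copy of the forward zone from the howto (normally read from
# /var/named/chroot/var/named/mydomain.local).
FORWARD_ZONE='$TTL 86400
mydomain.local. IN SOA doberman.mydomain.local. cnunez.mydomain.local. (
    2007052401 ; serial
    28800      ; refresh
    7200       ; retry
    604800     ; expire
    86400      ; minimum
)
    IN NS doberman.mydomain.local.
    IN A  10.1.0.15
$ORIGIN mydomain.local.
dev        IN A 10.1.0.10
bulldog    IN A 10.1.0.11
foxterrier IN A 10.1.0.12
doberman   IN A 10.1.0.15'

# bump_serial OLD [TODAY]: next serial in YYYYMMDDnn form. TODAY defaults to
# the current date and is a parameter only so the function can be tested.
# Rule: use <today>01 unless that is not larger than OLD (several edits on one
# day, or a serial already ahead of the clock), in which case add one. The
# result is always larger than OLD, which is all a slave compares.
bump_serial() {
  old=$1
  today=${2:-$(date +%Y%m%d)}
  candidate="${today}01"
  if [ "$candidate" -gt "$old" ]; then
    echo "$candidate"
  else
    echo $((old + 1))
  fi
}

# reverse_zone PREFIX: read a forward zone on stdin and print one PTR record,
# relative to the reverse zone, for every A record inside PREFIX (e.g. 10.1.0).
# Handles $ORIGIN, relative owner names and records whose owner is inherited
# from the previous line (blank first column), as in the zone above.
reverse_zone() {
  awk -v prefix="$1." '
    /^\$ORIGIN/ { origin = $2; next }
    /^\$/ || /^[ \t]*;/ || NF == 0 || $1 == ")" { next }
    {
      sub(/;.*/, "")                            # drop trailing comment
      if ($0 ~ /^[ \t]/) owner = last           # blank owner: same as previous
      else { owner = $1; last = owner }
      for (i = 1; i < NF; i++) {
        if ($i != "A") continue
        ip = $(i + 1)
        if (index(ip, prefix) != 1) break       # outside this reverse zone
        name = owner
        if (name !~ /\.$/) name = name "." origin
        print substr(ip, length(prefix) + 1) " IN PTR " name
      }
    }' | sort -n
}

# Stand-alone run: show the generated PTR records and a bumped serial.
printf '%s\n' "$FORWARD_ZONE" | reverse_zone 10.1.0
bump_serial 2007052401
```

The apex A record and doberman share 10.1.0.15, so the output carries two PTR records for that address; that is legal, but most sites keep only the host name. Whatever produces the files, run named-checkzone on each one and named-checkconf on named.conf before reloading, and remember that the serial of the reverse zone must be bumped on its own.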

Cristhian Nunez


HOWTO USE MINICOM TO CONNECT A ROUTER


"Use minicom to connect to the router, firewall via the serial port" - Huzeyfe Önal - (2006-03-27 10:12:52) [3194]
You can use minicom to connect to your router or similar hardware appliances (in Windows, HyperTerminal is popular). First make sure you have the minicom program (which minicom, locate minicom, etc.). Then, su - root
and run
#minicom -s
minicom is a text menu-based program; set the options below:
#minicom -s
Choose "Serial port setup"
A - Serial Device : /dev/ttyS0
Type /dev/ttyS0 (or another serial port you use)
Enter, Esc
E - Bps/Par/Bits : 38400 8N1 and change these values to 9600 8N1
Esc..
F - Hardware Flow Control : Yes
Change this value to No
Choose "Save setup as dfl" or another profile name
then use minicom ..


Cristhian Nunez

Enable aMule to download ed2k files from Firefox


* Download amule-utils
* Remove MozEx if installed or at least remove the ed2k input from it (only if MozEx is installed)
* Insert about:config in the address bar
* Right click on the list, select New, then Boolean; insert network.protocol-handler.external.ed2k as Preference Name and true as Value
* Now another right click, select New and String; insert network.protocol-handler.app.ed2k as Preference Name and /path/to/ed2k (path to where the file is installed on your system) as Value.



Tuesday, 5 June 2007

HOWTO DHCP SERVER RHEL 5

DHCP

Dynamic Host Configuration Protocol
Author Cristhian Nunez
Date 2007-06-05

Overview


DHCP is a set of rules used by communications devices such as a computer, router or network adapter to allow the device to request and obtain an IP address from a server which has a list of addresses available for assignment.


DHCP is a protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask, and IP addresses of DNS servers from a DHCP server. It facilitates access to a network because these settings would otherwise have to be made manually for the client to participate in the network.

The DHCP server ensures that all IP addresses are unique, e.g., no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired). Thus IP address pool management is done by the server and not by a human network administrator.


Requirements
- dhcp-3.0.5-3.el5.rpm

Implementation

-> Install the rpm file
rpm -ivh dhcp-3.0.5-3.el5.rpm
-> Create /etc/dhcpd.conf
-> Add the following lines
ddns-domainname "mydomain.local";
ddns-update-style interim;
option domain-name-servers 10.1.0.15, 10.1.0.12; # DNS servers handed to clients
default-lease-time 18000; # lease length in seconds when the client does not ask for one
max-lease-time 25200; # longest lease a client may request, in seconds
option routers 10.0.0.1; # default gateway handed to clients
option subnet-mask 255.0.0.0;
option domain-name "mydomain.local";
option ntp-servers 10.1.0.13; # NTP server
subnet 10.0.0.0 netmask 255.0.0.0 { # addresses offered to clients
    range 10.0.0.20 10.0.0.199;
}


-> After saving the file, start the service.
/etc/init.d/dhcpd start
-> Start dhcpd on every reboot
chkconfig --level 345 dhcpd on
Two things to keep in mind: ddns-update-style only selects the update mechanism, so with allow-update { none; } on the BIND side no client names are actually registered in DNS; and dhcpd answers on every interface unless told otherwise, so on a multi-homed server restrict it to the LAN interface with DHCPDARGS=eth0 in /etc/sysconfig/dhcpd.
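A sanity check for the configuration above, added as an example; it is not from the howto, and ip2int, conf_value, in_subnet and dhcp_check are my own names. The config is embedded as a constructed string so the script runs offline. It checks the mistakes that only show up after dhcpd has been running for a while: the dynamic range must lie inside the subnet, and the router, DNS and NTP addresses handed to clients must not lie inside the range, or dhcpd will eventually lease one of those addresses to a client and knock the real server off the network.

```shell
#!/bin/sh
# Added example, not part of the howto: check a dhcpd.conf before starting dhcpd.
set -eu

# Constructed copy of the howto's /etc/dhcpd.conf.
DHCPD_CONF='ddns-domainname "mydomain.local";
ddns-update-style interim;
option domain-name-servers 10.1.0.15, 10.1.0.12;
default-lease-time 18000;
max-lease-time 25200;
option routers 10.0.0.1;
option subnet-mask 255.0.0.0;
option domain-name "mydomain.local";
option ntp-servers 10.1.0.13;
subnet 10.0.0.0 netmask 255.0.0.0 {
  range 10.0.0.20 10.0.0.199;
}'

# The same config with a range that swallows the router and the DNS servers.
DHCPD_CONF_BAD=$(printf '%s\n' "$DHCPD_CONF" \
  | sed 's/range 10\.0\.0\.20 10\.0\.0\.199/range 10.0.0.1 10.1.0.254/')

# ip2int A.B.C.D: dotted quad to integer, so addresses can be compared.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# conf_value KEYWORD CONFIG: arguments of the first statement that starts with
# KEYWORD, with ';' ',' and '{' removed (e.g. "10.0.0.20 10.0.0.199").
conf_value() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" \
    | head -n 1 | tr -d ';,{'
}

# in_subnet INT: true if the address lies in the subnet parsed by dhcp_check.
in_subnet() { [ $(( $1 & mask )) -eq $(( net & mask )) ]; }

# dhcp_check CONFIG: print every problem found; return 1 if there was one.
dhcp_check() {
  conf=$1
  problems=0
  set -- $(conf_value subnet "$conf")      # "10.0.0.0 netmask 255.0.0.0"
  net=$(ip2int "$1"); mask=$(ip2int "$3")
  set -- $(conf_value range "$conf")       # "10.0.0.20 10.0.0.199"
  lo=$(ip2int "$1"); hi=$(ip2int "$2")
  if [ "$lo" -gt "$hi" ]; then
    echo "range start is above range end"; problems=1
  fi
  if ! in_subnet "$lo" || ! in_subnet "$hi"; then
    echo "range is not inside the subnet"; problems=1
  fi
  for kw in "option routers" "option domain-name-servers" "option ntp-servers"; do
    for addr in $(conf_value "$kw" "$conf"); do
      n=$(ip2int "$addr")
      if [ "$kw" = "option routers" ] && ! in_subnet "$n"; then
        echo "router $addr is not inside the subnet"; problems=1
      fi
      if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo "$kw: $addr lies inside the dynamic range"; problems=1
      fi
    done
  done
  if [ "$problems" -eq 0 ]; then echo "no problems found"; fi
  return "$problems"
}

# Stand-alone run: the howto's config passes, the broken variant does not.
dhcp_check "$DHCPD_CONF"
dhcp_check "$DHCPD_CONF_BAD" || echo "broken config rejected"
```

The parser is deliberately minimal (first subnet block, first range); a config with several subnet blocks needs the check run per block. Addresses of servers that must never be leased dynamically are better protected by a host { fixed-address ...; } declaration or by excluding them from the range, which is what this check enforces.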

HOWTO PHP 5.2.1 RHEL 5

HOWTO PHP 5.2.1 With Module PHP-Oracle RHEL 5

Author Cristhian Nunez
Date 2007-06-05
Document description: Compiling PHP 5.2.1 for Support Oracle module



Overview

PHP is a reflective programming language originally designed for producing dynamic web pages.[1] PHP is used mainly in server-side scripting, but can be used from a command line interface or in standalone graphical applications. Textual User Interfaces can also be created using ncurses.

The main implementation is produced by The PHP Group and released under the PHP License. It is considered to be free software by the Free Software Foundation[2]. This implementation serves to define a de facto standard for PHP, as there is no formal specification.

PHP generally runs on a web server, taking PHP code as its input and creating Web pages as output, however it can also be used for command-line scripting and client-side GUI applications. PHP can be deployed on most web servers and on almost every operating system and platform free of charge. The PHP Group also provides the complete source code for users to build, customize and extend for their own use.

Originally designed to create dynamic web pages, PHP's principal focus is server-side scripting. While running the PHP parser with a web server and web browser, the PHP model can be compared to other server-side scripting languages such as Microsoft's ASP.NET system, Sun Microsystems' JavaServer Pages, mod_perl and the Ruby on Rails framework, as they all provide dynamic content to the client from a web server. To more directly compete with the "framework" approach taken by these systems, Zend is working on the Zend Framework - an emerging (as of June 2006) set of PHP building blocks and best practices; other PHP frameworks along the same lines include CakePHP, PRADO and Symfony.

PHP 5 Features


Support for object-oriented programming
The PHP Data Objects extension, which defines a lightweight and consistent interface for accessing databases
Performance enhancements
Better support for MySQL
Embedded support for SQLite
Integrated SOAP support
Data iterators
Error handling via exceptions

Implementation

Download and unpack php-5.2.1.tar.bz2 and run the commands below.
Note: before compiling PHP, ensure the following packages are installed:

  • apr-devel-1.2.7-11.i386.rpm # httpd-devel dependency
  • apr-util-devel-1.2.7-6.i386.rpm # httpd-devel dependency
  • httpd-devel-2.2.3-6.el5.i386.rpm # provides the apxs command
  • mysql-devel-5.0.22-2.1.i386.rpm # mysql and mysqli support
  • libmcrypt-2.5.8.tar.gz, compiled from source, for mcrypt support

Also make sure Oracle is installed and $ORACLE_HOME is set; the oci8 extension is built against the client libraries under it, and --enable-sigchild is there for the Oracle client library. --with-mysql takes the MySQL installation prefix (/usr for the RHEL package), not the include directory.

./configure --with-oci8=$ORACLE_HOME --with-apxs2=/usr/sbin/apxs --with-config-file-path=/etc/httpd/conf --enable-sigchild --with-mysql=/usr --with-mysqli --enable-soap --with-zlib --enable-zip --with-openssl --with-ldap --with-ldap-sasl --with-mcrypt

make

make install

make install copies libphp5.so into Apache's module directory and adds a LoadModule line for it to httpd.conf. Make sure Apache does not load the PHP module twice: if the RHEL php package is also installed, its /etc/httpd/conf.d/php.conf already loads the module, so comment out the duplicate line in /etc/httpd/conf/httpd.conf:

#LoadModule php5_module /usr/lib/httpd/modules/libphp5.so

Then restart Apache: /etc/init.d/httpd restart

Test the configuration. Create an index.php file with the following contents:


Load index.php in the browser and check the configuration, in particular that the oci8 and mysqli sections are present. Remove the file once you are done: a page that dumps the PHP configuration reveals build options, paths and module versions to anyone who can fetch it.

HOWTO APACHE TOMCAT 5.X

HOWTO APACHE TOMCAT 5.X RHEL 5


Author: Cristhian Nunez
Date 2007-06-05



Overview

Apache Tomcat is a web container developed at the Apache Software Foundation (ASF). Tomcat implements the servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, providing an environment for Java code to run in cooperation with a web server. It adds tools for configuration and management but can also be configured by editing configuration files that are normally XML-formatted. Tomcat includes its own internal HTTP server.

Features
Implements the Servlet 2.4 and JSP 2.0 specifications
Reduced garbage collection, improved performance and scalability
Native Windows and Unix wrappers for platform integration
Faster JSP parsing


Requirements

Apache 2.0
Java Development Kit (JDK)

Implementation

Download Apache Tomcat from http://tomcat.apache.org/
Unpack the package and copy it to /usr/local/tomcat/
Set $JAVA_HOME and $CLASSPATH:
export JAVA_HOME="path-to-jdk"
export CLASSPATH=/usr/local/tomcat/common/lib/jsp-api.jar:/usr/local/tomcat/common/lib/servlet-api.jar

Rename server.xml: mv /usr/local/tomcat/conf/server.xml.orig /usr/local/tomcat/conf/server.xml

Change the default port number

The default port is set in /usr/local/tomcat/conf/server.xml.

Find the line:
Code:
<Connector port="8080" maxThreads="150" minSpareThreads="25" ...
Change port to the port desired.

Turn on servlet reloading. Edit /usr/local/tomcat/conf/context.xml

Find:
Code:
<Context>
Change it to:
Code:
<Context reloadable="true">
Reloading makes Tomcat watch the classes of every web application for changes; it is a development convenience and costs CPU, so leave it off on a production server.

Enable the invoker servlet. Edit /usr/local/tomcat/conf/web.xml

Find and uncomment (remove the <!-- and --> wrapped around the tags):
Code:
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    ...
</servlet>

Also find and uncomment:
Code:
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

The invoker servlet lets any client execute any servlet class reachable on a web application's classpath just by naming it in the URL under /servlet/, without a servlet-mapping in that application. That is why it ships commented out and the Tomcat documentation advises leaving it that way outside development: map servlets explicitly in each application's web.xml instead.


Create links so Tomcat starts and stops with the system:
ln -s /usr/local/tomcat/bin/startup.sh /etc/rc5.d/S99tomcat
ln -s /usr/local/tomcat/bin/shutdown.sh /etc/rc5.d/K99tomcat
Two caveats: rc scripts run with an almost empty environment, so JAVA_HOME must also be exported somewhere the boot-time startup.sh sees it, and with these links Tomcat runs as root. Port 8080 needs no privilege, so create a dedicated tomcat user that owns /usr/local/tomcat and start the server as that user instead.
Finally, start Tomcat:

/usr/local/tomcat/bin/startup.sh


HOWTO INSTALL JDK

Howto Install Java JDK on RHEL 5

Author: Cristhian Nunez
Date:2007-06-05
Document description: JDK for Java Applications on Red Hat Enterprise Linux 5


Overview

The Java Development Kit (JDK) is a Sun Microsystems product aimed at Java developers. Since the introduction of Java, it has been by far the most widely used Java SDK. On 17 November 2006, Sun announced that it would be released under the GNU General Public License (GPL), thus making it free software. This happened for a large part on 8 May 2007[1]

The JDK is a subset of what is loosely defined as a Software development kit (SDK) in the general sense. In the descriptions which accompany their recent releases for Java SE, EE, and ME, Sun acknowledge that under their terminology, the JDK forms the subset of the SDK which is responsible for the writing and running of Java programs. The remainder of the SDK is composed of extra software, such as Application Servers, Debuggers, and Documentation.

JDK Components

Development Tools

(In the bin/ subdirectory) Tools and utilities that will help you develop, execute, debug, and document programs written in the Java programming language

Runtime Environment (JRE)

(In the jre/ subdirectory) An implementation of the Java Runtime Environment (JRE) for use by the JDK. The JRE includes a Java Virtual Machine (JVM), class libraries, and other files that support the execution of programs written in the Java programming language.

Additional Libraries

(In the lib/ subdirectory) Additional class libraries and support files required by the development tools.

Demo Applets and Application

(In the demo/ subdirectory) Examples, with source code, of programming for the Java platform. These include examples that use Swing and other Java Foundation Classes, and the Java Platform Debugger Architecture.

Sample Code

(In the sample subdirectory) Samples, with source code, of programming for certain Java API's.

C Header Files

(In the include/ subdirectory) Header files that support native-code programming using the Java Native Interface, the JVM Tool Interface, and other functionality of the Java platform.

Source Code

(In src.zip) Java programming language source files for all classes that make up the Java core API (that is, source files for the java.*, javax.* and some org.* packages, but not for com.sun.* packages). This source code is provided for informational purposes only, to help developers learn and use the Java programming language. These files do not include platform-specific implementation code and cannot be used to rebuild the class libraries.

Implementation

Download the JDK package from java.sun.com/javase/downloads/index.jsp

Make the self-extracting file executable, run it (it shows the licence and unpacks the rpm), then install the rpm:

chmod 755 jdk-1_5_0_09-linux-i586.rpm.bin
./jdk-1_5_0_09-linux-i586.rpm.bin
rpm -ivh jdk-1_5_0_09-linux-i586.rpm

The installation will be located in /usr/java/jdk1.5.0_09

Register the new JDK with the alternatives system rather than linking into /etc/alternatives by hand, so later package updates do not overwrite the links:

alternatives --install /usr/bin/java java /usr/java/jdk1.5.0_09/bin/java 2
alternatives --install /usr/bin/javac javac /usr/java/jdk1.5.0_09/bin/javac 2
alternatives --config java
java -version

Create the plugin link for Mozilla or Firefox
ln -s /usr/java/jdk1.5.0_09/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/firefox/plugins