WebSphere

  1. the trustAnchors parameter must be non-empty

There are many possible causes of this error; first, here is a discussion on StackOverflow

http://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty

Our scenario: the error occurred when connecting to a WAS instance with security enabled

We were using the WAS default key.p12 and trust.p12

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/nullNode01Cell/nodes/nullNode01/key.p12
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/nullNode01Cell/nodes/nullNode01/trust.p12

First, some background knowledge

https://www.ibm.com/support/knowledgecenter/zh/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_7ssldefault_chainedcert_config.html

The document says:

During profile creation, WebSphere Application Server creates the default keystore file key.p12 and the default truststore file trust.p12. In addition, a default chained certificate is created in the key.p12 file, and the root signer (public key) of the chained certificate is extracted from the key.p12 file and added to the trust.p12 file. If these files do not exist during process startup, they are recreated at startup.
The default keystore and default truststore carry the suffixes DefaultKeyStore and DefaultTrustStore respectively, by which you can identify the two files. In addition, the fileBased attribute in the SSL configuration must be set to true so that the runtime environment uses only the default keystore and default truststore.

On a base application server, the default key and trust keystores are stored in the node directory of the configuration repository. For example, the default key.p12 and trust.p12 stores are created using the AppSrv01 profile name, the myhostNode01Cell cell name and the myhostNode01 node name. The keystore and truststore are located in the following directories respectively:
[AIX Solaris HP-UX Linux Windows] C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\myhostNode01Cell\nodes\myhostNode01\key.p12
[AIX Solaris HP-UX Linux Windows] C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\myhostNode01Cell\nodes\myhostNode01\trust.p12
All default keystores generated by WebSphere Application Server have the default password WebAS. After the initial configuration you should change the default password to obtain a more secure environment.

However, that is not what we found!

We inspect the two stores with keytool

[root@was nullNode01]# keytool -list -v -keystore key.p12 -storetype PKCS12 -storepass WebAS

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: default
Creation date: Dec 20, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=null, OU=nullNode01Cell, OU=nullNode01, O=IBM, C=US
Issuer: CN=null, OU=Root Certificate, OU=nullNode01Cell, OU=nullNode01, O=IBM, C=US
Serial number: 7f412de35e4f
Valid from: Mon Dec 19 10:00:29 CST 2016 until: Tue Dec 19 10:00:29 CST 2017
Certificate fingerprints:
MD5: FA:E4:22:96:D3:4B:6A:AE:5D:70:49:63:87:C8:38:D9
SHA1: 22:2D:53:3C:7B:F3:13:3C:46:06:1D:8E:EF:69:F0:A0:2F:4B:7F:62
SHA256: AB:62:ED:51:D3:63:5F:3E:91:1C:AD:BB:2B:9F:F7:64:10:98:4C:71:36:ED:3C:F4:74:63:C5:4B:B8:83:62:78
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: ProfileUUID:AppSrv01-BASE-6a02d09f-b69d-4ad5-ab40-6dcfc5a4353d
]

Normal


[root@was nullNode01]# keytool -list -v -keystore trust.p12 -storetype PKCS12 -storepass WebAS

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entry

So where is the signer certificate that was supposed to be added?

There are two solutions; for the first I'll attach someone else's write-up

http://www.wenhq.com/article/view_711.html

When connecting over http, the client code is fairly simple: just use the URL class to connect and obtain the input stream. https that does not require a client certificate, and whose server certificate is already trusted, is just as easy as http. Since a validated certificate costs several thousand yuan a year, to save money this mainly covers java accessing https with an unvalidated certificate.
There are usually two approaches: 1. import the certificate into the TrustStore file; 2. modify the implementation of the X509 certificate trust manager class. The first approach is recommended; we can keep the server's certificate as stable as possible and simply not change it during use.
Step 1: export the server certificate. Connect to the address with IE, and when the certificate confirmation prompt appears, click View Certificate > Details, click Copy to File, choose base64 encoding, and export and save the file as test.cert.
Step 2: import the certificate from that file into the TrustStore file.
keytool -import -file test.cer -keystore test_store
Step 3: set java's javax.net.ssl.trustStore system property
System.setProperty("javax.net.ssl.trustStore", "D:\\test_store"); // note: this must be an absolute path
This way the HttpClient application interface can access our own https service.
Common error: the javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: Java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty exception; there are two situations:
1. the property is not set, or the file path is set incorrectly;
2. just use keytool's default jks type for the certificate store, otherwise it will also error; reference:
An implementation of PKCS12 as JCA keystore type "pkcs12". Storing trusted anchors in PKCS12 is not supported. Users should store trust anchors in JKS format and save private keys in PKCS12 format.
From http://www.cs.nyu.edu/artg/internet/Spring2006/readings/JSSERefGuide.html


The second solution can be configured inside WAS: import the certificate from key.p12 directly into trust.p12

Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Personal certificates
Manages personal certificates.

Import certificates from a key file or key store

After generating the new trust.p12, inspect it again

[root@was ~]# keytool -list -v -keystore trust.p12 -storetype PKCS12 -storepass WebAS

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: default
Creation date: Dec 20, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=null, OU=nullNode01Cell, OU=nullNode01, O=IBM, C=US
Issuer: CN=null, OU=Root Certificate, OU=nullNode01Cell, OU=nullNode01, O=IBM, C=US
Serial number: 7f412de35e4f
Valid from: Mon Dec 19 10:00:29 CST 2016 until: Tue Dec 19 10:00:29 CST 2017
Certificate fingerprints:
MD5: FA:E4:22:96:D3:4B:6A:AE:5D:70:49:63:87:C8:38:D9
SHA1: 22:2D:53:3C:7B:F3:13:3C:46:06:1D:8E:EF:69:F0:A0:2F:4B:7F:62
SHA256: AB:62:ED:51:D3:63:5F:3E:91:1C:AD:BB:2B:9F:F7:64:10:98:4C:71:36:ED:3C:F4:74:63:C5:4B:B8:83:62:78
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: ProfileUUID:AppSrv01-BASE-6a02d09f-b69d-4ad5-ab40-6dcfc5a4353d
]

At this point it should be roughly the same as the contents of key.p12. Don't ask me why; I'm not very familiar with the Java world

Connect using the new trust.p12 as the trustStore, and it works

In theory there seem to be some issues with this, but it does indeed work; anyone who needs it can use it as a reference
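As an added example (not code from the original post or from IBM), the following Java check loads a PKCS12 trust store the way the client above would and reports how many trust anchors SunJSSE will derive from it, so an empty trust.p12 fails with a clear message before TrustManagerFactory.init() raises the trustAnchors error. The file path and the WebAS password are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the original post. Path and password are
// assumptions; WebAS is the documented default password of WAS stores.
public class TrustStoreCheck {
    // Count what SunJSSE accepts as trust anchors: every trusted-certificate
    // entry plus the first certificate of each private-key entry's chain.
    // Zero anchors is exactly the "trustAnchors parameter must be non-empty" case.
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors++;
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0 && chain[0] instanceof X509Certificate) {
                    // A key entry in a trust store is unusual; say so rather than silently accept it.
                    System.out.println("warning: key entry '" + alias + "' acts as anchor: "
                            + ((X509Certificate) chain[0]).getSubjectX500Principal());
                    anchors++;
                }
            }
        }
        return anchors;
    }

    // Load the PKCS12 trust store, refuse an empty one, then build the SSLContext.
    static SSLContext contextFor(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        if (countTrustAnchors(ts) == 0) {
            throw new IllegalStateException(path + " holds no trust anchors; import the root "
                    + "signer certificate (not the private key) into it first");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        contextFor(args.length > 0 ? args[0] : "/tmp/trust.p12", "WebAS".toCharArray());
    }
}
```

SunJSSE takes every trusted-certificate entry, plus the first certificate of each private-key entry's chain, as an anchor, which is why importing the key.p12 entry into trust.p12 makes the connection succeed. A trust store should normally hold only the root signer as a trusted-certificate entry, never a private key.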

pyOpenSSL

  1. Cannot import pyOpenSSL

This is a case of the "Cannot import pyOpenSSL" problem that I consider fairly uncommon, and how it was handled

[root@NMS winrm]# python test.py 
Traceback (most recent call last):
File "test.py", line 1, in <module>
import winrm
File "build/bdist.linux-x86_64/egg/winrm/__init__.py", line 6, in <module>
File "build/bdist.linux-x86_64/egg/winrm/protocol.py", line 11, in <module>
File "build/bdist.linux-x86_64/egg/winrm/transport.py", line 42, in <module>
File "/usr/local/lib/python2.7/site-packages/requests_credssp/__init__.py", line 1, in <module>
from .credssp import HttpCredSSPAuth
File "/usr/local/lib/python2.7/site-packages/requests_credssp/credssp.py", line 8, in <module>
raise Exception("Cannot import pyOpenSSL")
Exception: Cannot import pyOpenSSL

Try running it manually

[root@NMS OpenSSL]# python /usr/local/lib/python2.7/site-packages/OpenSSL/__init__.py
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import rand, crypto, SSL
File "/usr/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import rand, crypto, SSL
File "/usr/local/lib/python2.7/site-packages/OpenSSL/rand.py", line 12, in <module>
from OpenSSL._util import (
File "/usr/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: EC_GROUP_new_curve_GF2m

EC_GROUP_new_curve_GF2m should be provided by openssl

[root@NMS OpenSSL]# ldd /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so
linux-vdso.so.1 => (0x00007ffe68b58000)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f179b317000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f179af33000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f179ad15000)
libc.so.6 => /lib64/libc.so.6 (0x00007f179a981000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f179a73d000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f179a455000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f179a251000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f179a025000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f1799e20000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00007f1799c0a000)
/lib64/ld-linux-x86-64.so.2 (0x000000321cc00000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f17999ff000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f17997fb000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f17995e1000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f17993c1000)

libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f179af33000)

[root@NMS OpenSSL]# nm /usr/lib64/libcrypto.so.10
nm: /usr/lib64/libcrypto.so.10: no symbols

The problem should be in libcrypto.so.10; since this system was not compiled step by step by me, I don't yet know why

But recompiling openssl is unavoidable

And be sure to add -fPIC shared

./config -fPIC shared

Run nm again

[root@NMS openssl-1.0.1e]# nm libcrypto.so | grep EC_GROUP_new_curve_GF2m 
00000000000bb960 T EC_GROUP_new_curve_GF2m

XXX: Note that openssl is very low-level and many basic functions depend on it. In particular, if you are SSHed into this server while doing this, one slip and sshd will die and you will never be able to SSH in again. Be extremely careful when handling this.

PyWinRM

  1. Double Hop/Second Hop
Active Directory ?  ????????'EXCHANGE\administrator'????????
At line:3 char:1
+ Get-Mailbox
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ADInvalidCredentialExcepti
on
+ FullyQualifiedErrorId : [Server=WIN-2KOQERQDJNK,RequestId=1cdf09dc-9711-
4dbb-99a7-555fbf562855,TimeStamp=2016/12/20 6:38:06] [FailureCategory=Cmdl
et-ADInvalidCredentialException] E5C063D1

Logging in to the local PowerShell and running some commands works fine, but when the Exchange PowerShell snap-in needs to be loaded, you run into the Double Hop (also called Second Hop) problem.
The way PyWinRM currently supports Double Hop is by enabling WinRM CredSSP.

https://github.com/diyan/pywinrm#enabling-winrm-on-remote-host

Enable WinRM CredSSP authentication. This allows double hop support so you can authenticate with a network service when running commands on the remote host. This command is run in Powershell.

Enable-WSManCredSSP -Role Server -Force
Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true

You also need pip install requests-credssp and pip install pywinrm[credssp]

However, the pywinrm currently in the pip repository has a problem: it does not ship the credssp component. So you need to install from the git source with python setup.py install

Then add transport="credssp" when creating winrm.Session

credssp: Will use CredSSP authentication for both domain and local accounts. Allows double hop authentication. This only works over a HTTPS endpoint and not HTTP.

-bash: ./dronline: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

This is because a 32-bit program was installed on a 64-bit system
Solution:

yum install glibc.i686

Can't locate ExtUtils/MakeMaker.pm

yum install perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker

How to upgrade gcc and g++ on CentOS

  1. Use the Red Hat Developer Toolset 1.1 repo to install GCC
cd /etc/yum.repos.d
wget http://people.centos.org/tru/devtools-1.1/devtools-1.1.repo
yum --enablerepo=testing-1.1-devtools-6 install devtoolset-1.1-gcc devtoolset-1.1-gcc-c++
  2. Replace the GCC originally in the system
ln -s /opt/centos/devtoolset-1.1/root/usr/bin/* /usr/local/bin/
hash -r

Commands or scripts

  1. extTable .1.3.6.1.4.1.2021.8
    An SNMP query returns only a single row (the first row) of the output

  2. exec/extend with a specified MIB OID
    An SNMP query returns multiple rows (all) of the output

exec did not work

# Extensible sections.
#

# This alleviates the multiple line output problem found in the
# previous executable mib by placing each mib in its own mib table:

# Run a shell script containing:
#
# #!/bin/sh
# echo hello world
# echo hi there
# exit 35
#
# Note: this has been specifically commented out to prevent
# accidental security holes due to someone else on your system writing
# a /tmp/shtest before you do. Uncomment to use it.
#
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest

# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
# enterprises.ucdavis.50.1.1 = 1
# enterprises.ucdavis.50.2.1 = "shelltest"
# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
# enterprises.ucdavis.50.100.1 = 35
# enterprises.ucdavis.50.101.1 = "hello world."
# enterprises.ucdavis.50.101.2 = "hi there."
# enterprises.ucdavis.50.102.1 = 0

# Now the Output has grown to two lines, and we can see the 'hi
# there.' output as the second line from our shell script.
#
# Note that you must alter the mib.txt file to be correct if you want
# the .50.* outputs above to change to reasonable text descriptions.

# Other ideas:
#
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq

For snmpd version 5.5 and above, use extend

extend .1.3.6.1.4.1.2021.51 ps /bin/ps

Version incompatibility caused by a python upgrade

There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

No module named yum

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.12 (default, Aug 17 2016, 09:41:51)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq

Change the python that runs yum back to the system default version

whereis yum
yum: /usr/bin/yum /etc/yum.conf /etc/yum /usr/share/man/man8/yum.8.gz

whereis python
python: /usr/bin/python2.6 /usr/bin/python /usr/bin/python2.7

vim /usr/bin/yum
#!/usr/bin/python
# change the line above to the python that shipped with the system: #!/usr/bin/python2.6
import sys
try:
    import yum
except ImportError:
    print >> sys.stderr, """\