Wednesday 24 May 2017

[root@SERVER ~]# grep 'temporary password' /var/log/mysqld.log  2016-01-16T18:07:29.688164Z 1 
[Note] A temporary password is generated for root@localhost: O,k5.marHfFu  2016-01-22T13:14:17.974391Z 1 
[Note] A temporary password is generated for root@localhost: b5nvIu!jh6ql  2016-01-22T15:35:48.496812Z 1 
[Note] A temporary password is generated for root@localhost: (B*=T!uWJ7ws  2016-01-22T15:52:21.088610Z 1 
[Note] A temporary password is generated for root@localhost: %tJXK7sytMJV  2016-01-22T16:24:41.384205Z 1 
[Note] A temporary password is generated for root@localhost: lslQDvgwr3/S  2016-01-22T22:11:24.772275Z 1 
[Note] A temporary password is generated for root@localhost: S4u+J,Rce_0t

[root@SERVER ~]# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:     The existing password for the user account root has expired. Please set a new password. 
New password:    
Re-enter new password:

If you see it says

... Failed! Error: Your password does not satisfy the current policy requirements 
 That means your password needs to have a character such as ! . # - etc...  mix characters well, upper case, 
lower case, ! . , # etc...    New password:     Re-enter new password:   The 'validate_password' plugin is 
installed on the server.  The subsequent steps will run with the existing configuration  of the plugin.  
Using existing password for root.    Estimated strength of the password: 100  
 Change the password for root ? ((Press y|Y for Yes, any other key for No) : Y    
New password:    
 Re-enter new password:     
Estimated strength of the password: 100  
 Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y  

By default, a MySQL installation has an anonymous user,  allowing anyone to log into MySQL without having to have 
 a user account created for them. This is intended only for  testing, and to make the installation go a bit smoother. 
 You should remove them before moving into a production  environment.    Remove anonymous users? (Press y|Y for Yes, 
any other key for No) : Y  

Success.    
 
 Normally, root should only be allowed to connect from  'localhost'. This ensures that someone cannot guess at  
the root password from the network.    Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y 

 Success.  

  By default, MySQL comes with a database named 'test' that  anyone can access. 
This is also intended only for testing,  and should be removed before moving into a production  environment.     
 Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y   - Dropping test database...  Success.     - Removing privileges on test database...  Success.    Reloading the privilege tables will ensure that all changes  made so far will take effect immediately.    Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y  Success.    All done!   [root@SERVER ~]# mysql -u root -p  Enter password:   Welcome to the MySQL monitor.  Commands end with ; or \g.  Your MySQL connection id is 11  Server version: 5.7.10 MySQL Community Server (GPL)

Configuring Postfix as a Gmail Relay on CentOS

Configuring Postfix as a Gmail Relay on CentOS

This tutorial should work on any distro based on RedHat, but I have only tested it on CentOS 6.4.
You will need to run the commands as root.

I found a ton of how-tos and tutorials on how to set up Postfix as a Gmail relay, but most of them required making a client certificate or were incomplete. After fighting with getting Postfix set up on CentOS 6.1, and browsing the internet for many, many days, I finally got it working. Part of the configuration is based on the pages found here and here.

Installing Postfix

Installing Postfix is easy, just run this command as root:

yum install postfix mailx cyrus-sasl-plain

Thanks to Jonathan for pointing that out.

Configuring

Basically, you need to create a password file so that Postfix can authenticate to Gmail's servers. You do this by creating a file named sasl_passwd in /etc/postfix. Replace smtp_user and smtp_passwd with their respective values.

echo "smtp.gmail.com    smtp_user:smtp_passwd" > /etc/postfix/sasl_passwd

You then hash that file so that the password is not stored in clear text. This command will create a file named sasl_passwd.db in the /etc/postfix/ directory.

postmap hash:/etc/postfix/sasl_passwd

After that is done, add these to the bottom of /etc/postfix/main.cf. This is assuming that your root certificates installed from openssl are located in /etc/pki/tls/certs/ca-bundle.crt.

smtp_sasl_auth_enable = yes  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd  smtp_sasl_security_options = noanonymous  # Secure channel TLS with exact nexthop name match.  smtp_tls_security_level = secure  smtp_tls_mandatory_protocols = TLSv1  smtp_tls_mandatory_ciphers = high  smtp_tls_secure_cert_match = nexthop  smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt  relayhost = smtp.gmail.com:587

After that is done, restart postfix:

service postfix restart

Now test it to make sure it is working. Run this:

mail email@domain

Fill in the subject, put something in the body and then type a . and hit enter.

If all went well, you should get an email at the email address you entered. If you do, you can delete the file that has the password.

rm /etc/postfix/sasl_passwd

If it did not work, check the log to see what happened.

tail /var/log/maillog

Everything should be good after you get everything set up, so enjoy your new SMTP relay!

Configuring Postfix as a Gmail Relay on CentOS

This tutorial should work on any distro based on RedHat, but I have only tested it on CentOS 6.4.
You will need to run the commands as root.

Installing Postfix

Installing Postfix is easy, just run this command as root:

yum install postfix mailx cyrus-sasl-plain

Configuring

echo "smtp.gmail.com    smtp_user:smtp_passwd" > /etc/postfix/sasl_passwd

You then hash that file so that the password is not stored in clear text. This command will create a file named sasl_passwd.db in the /etc/postfix/ directory.

postmap hash:/etc/postfix/sasl_passwd

After that is done, add these to the bottom of /etc/postfix/main.cf. This is assuming that your root certificates installed from openssl are located in /etc/pki/tls/certs/ca-bundle.crt.

smtp_sasl_auth_enable = yes  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd  smtp_sasl_security_options = noanonymous  # Secure channel TLS with exact nexthop name match.  smtp_tls_security_level = secure  smtp_tls_mandatory_protocols = TLSv1  smtp_tls_mandatory_ciphers = high  smtp_tls_secure_cert_match = nexthop  smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt  relayhost = smtp.gmail.com:587

After that is done, restart postfix:

service postfix restart

Now test it to make sure it is working. Run this:

mail email@domain

Fill in the subject, put something in the body and then type a . and hit enter.

If all went well, you should get an email at the email address you entered. If you do, you can delete the file that has the password.

rm /etc/postfix/sasl_passwd

If it did not work, check the log to see what happened.

tail /var/log/maillog

Everything should be good after you get everything set up, so enjoy your new SMTP relay!

Monday 15 May 2017

how to unlock a oracle user account when it expires and set to unlimited

I have written an article on how to unlock a user account when it expires:

ORA-28002: the password will expire within 1 days

But, every 180 days, you need to repeat the same action. If you are NOT concerned with strict security rules for your database, you can take the following approach to set user accounts to never expire.

What Profile Used by a User Account?

A profile^[3] is a database object – a named set of resource limits. Using profile, you can enforce a limit on resource utilization using resource limit parameters Also you can maintain database security by using password management feature. Here is the SQL command you can use to query which profile is used by each user account:

SQL> SELECT USERNAME, PROFILE FROM DBA_USERS;

USERNAME PROFILE
—————————— ——————————

OAM_OAM                        DEFAULT
OAM_IAU_APPEND                 DEFAULT
OAM_IAU_VIEWER                 DEFAULT
OAM_IAU                        DEFAULT
OIM_SOAINFRA                   DEFAULT
OIM_ORASDPM                    DEFAULT
OIM_MDS                        DEFAULT
OIM_OIM                        DEFAULT

As shown above, both OAM and OIM user accounts use "DEFAULT" profile.

What Limits Set with a Profile?

We are only interested in "DEFAULT" profile and resource of PASSWORD type. To query all sorts of limits imposed with "DEFAULT" profile, you do the following query:

SQL> select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='PASSWORD';

OR

SQL> select resource_name, limit from dba_profiles;

RESOURCE_NAME                    LIMIT
——————————– —————————————-
FAILED_LOGIN_ATTEMPTS            10
PASSWORD_LIFE_TIME               180
PASSWORD_REUSE_TIME              UNLIMITED
PASSWORD_REUSE_MAX               UNLIMITED
PASSWORD_VERIFY_FUNCTION         NULL
PASSWORD_LOCK_TIME               1
PASSWORD_GRACE_TIME              7

As shown above, all our OAM and OIM user accounts will expire in 180 days. However, we would like to set it to never expire.

How to Set User Password to Never Expire?

Here is the alter statement that you can use:

SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

Profile altered.

The above command has set password life time associated with "DEFAULT" profile to be unlimited. You can verify the setting by:

SQL> select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='PASSWORD';

RESOURCE_NAME LIMIT

——————————– —————————————-

FAILED_LOGIN_ATTEMPTS 10

PASSWORD_LIFE_TIME UNLIMITED

PASSWORD_REUSE_TIME UNLIMITED

PASSWORD_REUSE_MAX UNLIMITED

PASSWORD_VERIFY_FUNCTION NULL

PASSWORD_LOCK_TIME 1

PASSWORD_GRACE_TIME 7

7 rows selected.

Wednesday 3 May 2017

The application experienced an internal error loading the SSL libraries

Document ID: TEC1504286

Last Modified Date: 09/29/2016
Show Technical Document Details

Problem:

When downloading a Microsoft document attachment on ServiceDesk SSL system, the following error pops up:
"The application experienced an internal error loading the SSL libraries"

Environment:

ServiceDesk 12.x-14.x
Microsoft Windows 7 - 8
Microsoft Internet Explorer

Cause:

The error is Microsoft generated Error caused by Microsoft Windows update.

Resolution/Workaround:

Microsoft have addressed these error.

Please review one of the following documents:

1. https://social.technet.microsoft.com/Forums/Sharepoint/en-US/78f64ac7-e68c-4171-b940-98f68e27279c/the-application-experienced-an-internal-error-loading-the-ssl-libraries-word-2013?forum=officeitpro

2. https://blogs.technet.microsoft.com/office_integration__sharepoint/2015/04/20/office-2013-error-certificate-error-the-application-experienced-an-internal-error-loading-the-ssl-libraries-when-opening-files/

Additional Information:

The error will not occur when using Firefox or Chrome