Documentation Archives

April 19, 2005

Using WebAuth in the central UMBC Web Environment

This is a brief overview of how to WebAuth-enable, or protect, applications running in the central UMBC Web environment. WebAuth is available as an authentication method within the Apache web server that runs on the central UMBC web server, including most virtual-hosted sites. Using WebAuth in your applications only requires editing a ".htaccess" file. Detailed syntax and options are covered in the Apache 1.3 documentation.

April 20, 2005

Dell Remote Management

Today I spent some time playing with/learning about the Dell Remote Access Controller that our 2650s, and other similar boxen, are configured with.

The DRAC provides functionality for console redirection, server management (power cycling!), hardware status monitoring, and other things. The web interface is slow and horrible; however, there IS a nice command-line tool for both Linux & Windoze to query, configure, and access the remote management functionality.

May 10, 2005

Legato Client stuff

After installing the legato backup client on two machines (syscoredb and jumpcore) this morning (wondering why this hadn't been done at all, as well), I copied the legato packages and install/config scripts out of Tim's work directory to /afs/umbc.edu/depts/oit/systems/legato.

May 18, 2005

Fixing "broken" AFS backup volumes

This entry has been moved.

May 25, 2005

Mail Transport: mxout

This entry has been moved.

NIS/YP Maps

This page has been moved.

Mail problems and other interests

Today we experienced a mail delivery problem that has gotten us before. Basically, a machine not under our purview had been sitting with a metric ****ton of queued messages for one person on our system. The administrator of this machine "fixed" the problem, and its mail server happily began to deliver these into our system. Now, the MTA will accept bunches of messages for someone, fork off MDA processes (procmail) to deliver to the local addresses, the MDA will wait for a lockfile to deliver the message, do its thing, clear the lock file, etc. Of course, if you've got a TON of messages being delivered, there are probably the respective TON of procmail processes waiting for their lockfiles... After a while, things begin to break down, as all of the available sendmail child processes are waiting for their respective MDAs to deliver messages to this one address... WAIT, what's that locking thing???

May 31, 2005

AFS Server History

This entry has been moved.

June 1, 2005

Updating the Virus Scanners

Our mail virus scanners check for new McAfee DAT updates quite frequently. However, when there is a new virus outbreak, you'll probably find that the production DAT files available won't catch it. McAfee has "beta" DAT files available, and we typically use these in these instances.

As "afsadmin", do the following:


# cd /afs/.umbc.edu/sun4x_58/usr/av/lib
# wget http://download.nai.com/products/mcafee-avert/beta_packages/unix_betadat.tar

Note that if there are other "beta dat" tar files in your directory, there'll be a number tacked onto the end of the tar (e.g. unix_betadat.tar.2), so untar the appropriate file in the next step.

# tar -xvf unix_betadat.tar
# vos release sun4x_58.av

That's it.

June 7, 2005

Deleting a package from emt/local

This page has moved to the Wiki

June 9, 2005

Setting the current semester in LDAP

We keep track of the current semester in LDAP so that apps that need it don't have to expend any effort. At the time of this writing, the most important thing that relies on this being correct is the authorization to use the SGI lab machines.

It's kept as a referral ('ref') entry:
dn: umbcsemester=current,ou=Courses,o=umbc.edu
objectclass: top
objectclass: referral
objectclass: umbcCourseSem
ref: ldap:///umbcSemester=200506,ou=Courses,o=umbc.edu

Refs are slightly annoying to work with, so if you should ever need to do so, here are the commands you need:
(Both commands take -h <host> -p <port> -D <bind_dn> -w <password>)

Search:
ldapsearch -b "umbcsemester=current,ou=Courses,o=umbc.edu" -M -s base "objectclass=*"

Modify:
ldapmodify -M
dn: umbcSemester=current,ou=Courses,o=umbc.edu
objectclass: top
objectclass: referral
objectclass: umbcCourseSem
umbcsemester: current
ref: ldap:///umbcSemester=200506,ou=Courses,o=umbc.edu

June 20, 2005

Schooling the site-wide Spam Assassin Bayesian DB

This page has moved to the Wiki

June 28, 2005

console.umbc.edu's "remote console" feature

This information has moved to the Wiki

Access Control on console.umbc.edu

console.umbc.edu now has console-line level access control.


console-b9 S7 chambord auto dept #b9-7 B9 laura 2850

The new field after the "auto/noauto" flag is a comma-delimited list of "groups" that can access this console. Users still have to "sudo" to use console; however, their access is restricted to the /var/console/bin/console program.

The groups are defined in the /var/console/etc/groups file -- it is simply a list of group names, followed by a colon, then a comma separated list of group members.
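
The check described above can be sketched as follows. This is an added example, not the code used on console.umbc.edu: it assumes whitespace-separated fields with "#" starting a comment, that the group list is the field right after the auto/noauto flag, and that a console with no group list (or an undefined group) is denied. The member names are constructed.

```python
# Added example. Assumptions: whitespace-separated fields, "#" starts a comment,
# the group list is the field right after the auto/noauto flag, deny by default.
CONSOLE_LINE = "console-b9 S7 chambord auto dept #b9-7 B9 laura 2850"  # from the page
GROUPS_FILE = "dept: alice,bob\nunix: carol, dave\n"  # constructed sample members


def parse_groups(text):
    """Parse 'group: member,member' lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed groups line: {line!r}")
        groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def parse_console_line(line):
    """Return the console's third field and its list of allowed groups."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4 or fields[3] not in ("auto", "noauto"):
        raise ValueError(f"unexpected console line: {line!r}")
    allowed = fields[4].split(",") if len(fields) > 4 else []
    return {"name": fields[2], "groups": [g for g in allowed if g]}


def may_access(user, console, groups):
    """True only if the user is a member of a group listed on the console line."""
    return any(user in groups.get(g, set()) for g in console["groups"])


def undefined_groups(console, groups):
    """Groups named on the console line but missing from the groups file."""
    return [g for g in console["groups"] if g not in groups]


if __name__ == "__main__":
    groups = parse_groups(GROUPS_FILE)
    console = parse_console_line(CONSOLE_LINE)
    for user in ("alice", "carol"):
        print(user, console["name"], may_access(user, console, groups))
    print("undefined:", undefined_groups(console, groups))
```

Running undefined_groups over every console line is a quick audit for typos in group names, which would otherwise silently lock everyone out of a console.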

June 29, 2005

Upgrading Sun V20z SP software and BIOS

Updating the BIOS and Service Processor (SP) software on a Sun V20z is a procedure that so far has been poorly documented by Sun. I'll cover how to update the BIOS and the SP software.

July 20, 2005

Updating certs on iplanet LDAP servers...

First, you need the netscape-ish command line keyutil & certutil stuff. I've got a copy of them in ~banz/work/software/certstuff/solaris. The magic files live in /usr/ns/server4/alias/*

The cert utils are amazingly stupid. Make a new directory (e.g., 'new') and copy the -whatever.db files in to new/whatever.db.

You'll be updating the cert named "Server-Cert" in the database; you can view the current cert with:

certutil -L -d . -n 'Server-Cert'

To load the new cert, do something like:

certutil -A -a -n 'Server-Cert' -t u,u,u -d .

It'll ask for the PIN for the security database; it's stored in the ...-pin.txt file. Then, cut-n-paste the new cert (.pem) file, and ctrl-d it. It might segfault, but it seems to work :)

Stop the directory server, copy the new -cert7 & -key3 files where they're supposed to be, and everything should be golden.

July 29, 2005

Enabling Serial-Over-LAN on a Sun V20z or V40z

The service processor (SP) that is on Sun V20z and V40z servers has a feature called Serial-Over-LAN (SOL) which, when turned on, redirects the serial port traffic to the SP. You can then attach to this like you would a normal serial console connection by issuing a command from the SP prompt.

This has the benefit of not requiring a dedicated serial connection to these servers. Instead of a minimum of three cables (SP ethernet, main ethernet, and serial), you now only need two (SP ethernet and main ethernet).

To activate Serial-Over-LAN, log in to the SP of the machine(s) in question and issue:


platform set console -s sp -e -S 9600

Then, whenever you log into the SP, you can access the serial console with the command:


platform console

Once you do that, the serial console will appear like it would with a hardwired serial console connection. All SOL commands begin with ctrl-e c. To bring up the SOL help menu, type ctrl-e c ? (control-e, then c, then a question mark). To quit out of SOL and return to the SP command line, type ctrl-e c . (control-e, then c, then a period).

August 30, 2005

Backup stuff removed

In hopes of trying to clear up a bunch of constantly failing servers I removed bb-mig, cgi, cyclone from the backup rotation. Waiting to hear back from networks on a bunch of their servers.

September 1, 2005

Mail Delivery (mxin)

In the interest of not destroying anything during the first couple days of the semester, it’s time to document one of the more complicated bits of our infrastructure here at UMBC – email delivery.

September 29, 2005

uPortal Production Environment

This is our production uPortal environment, which contains both a production and a pre-production test environment. (There are other instances that are not as, well, complicated that we do development work on.)

The basics: Two Sun V20zs behind a load balancer. Each instance (prod & test) runs behind an Apache server that handles static requests and SSL. Dynamic uPortal content is proxied to a loopback-only socket that Tomcat is listening on. For requests which require legacy MyUMBC functionality through a proxied uPortal channel, a connection is made back to the front-end Apache instance, to a loopback-only socket which contains an instance of the legacy MyUMBC system running under FastCGI.

The uPortal instances (on both servers) run out of the trees:
/afs/umbc.edu/admin/www/portal/test and /afs/umbc.edu/admin/www/portal/prod. Each contains its own copy of Tomcat, the JRE/JDK, and Apache configs. Apache is currently running the uber-004 build, which is a slight variation of the 003 build tweaked to run on Solaris 10 x86.

October 13, 2005

There is nothing wrong with Blackboard? Really?

After a few students started having the session switching issue, which is really due to a misconfigured web cache at the student's ISP, I decided to double check our Blackboard patch level, etc.

Turns out the Blackboard app reported we were quite a bit behind: 6.2.3-6. We should be at 6.2.3-23.

Darn! I could have sworn I did that upgrade at the end of summer.
Darn! It's even listed on my board and checked off.
Darn! It's even listed in this blog as being done on 8/19...
Wait a minute...

It seems the version number comes from a file that was replaced with the old version, causing Blackboard to display the old version number.

I'm still working on verifying that the SP3 upgrade was done correctly.

February 11, 2006

Blackboard's DB internal mirrors

I've changed Blackboard's DB internal mirrors to be software based as opposed to hardware based. This will make it much easier to crack the mirrors before running an upgrade (like the soon-to-be-applied SP2).

About Documentation

This page contains an archive of all entries posted to OIT SysCore in the Documentation category. They are listed from oldest to newest.
