I am new to Wix installer. I am trying to add firewall exception for my program.
My code is as follows:
<Component Id="_VIEW.EXE" Guid="*" Transitive="yes">
  <File Id="view.exe"
        Name="view.exe"
        KeyPath="yes"
        Source="$(var.INSTALLSOURCE)\view.exe">
    <fire:FirewallException Id="view_firewall_domain_tcp"
                            Name="View"
                            Protocol="tcp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="domain" />
    <fire:FirewallException Id="view_firewall_domain_udp"
                            Name="View"
                            Protocol="udp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="domain" />
    <fire:FirewallException Id="view_firewall_private_tcp"
                            Name="View"
                            Protocol="tcp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="private" />
    <fire:FirewallException Id="view_firewall_private_udp"
                            Name="View"
                            Protocol="udp"
                            Scope="any"
                            IgnoreFailure="yes"
                            Profile="private" />
  </File>
</Component>
In my code, I add 4 firewall exceptions, and each exception has different values for the "Profile" and "Protocol" attributes. My expected result is 4 exceptions created:

| NAME | GROUP | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers |
|------|-------|---------|---------|--------|----------|---------|---------------|----------------|----------|------------|-------------|---------------|-------------------|
| view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any | Any | TCP | Any | Any | Any | Any |
| view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any | Any | UDP | Any | Any | Any | Any |
| view |       | Private | Yes     | Allow  | No       | c:\test\view.exe | Any | Any | TCP | Any | Any | Any | Any |
| view |       | Private | Yes     | Allow  | No       | c:\test\view.exe | Any | Any | UDP | Any | Any | Any | Any |

But the actual result is that only one exception is created, and the value of the "Protocol" attribute is "any" instead of "TCP" or "UDP":

| NAME | GROUP | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers |
|------|-------|---------|---------|--------|----------|---------|---------------|----------------|----------|------------|-------------|---------------|-------------------|
| view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any | Any | Any | Any | Any | Any | Any |
So, I have two questions:
Why is only one exception created? Must the name of the exception be unique?
Why does the value of the "Protocol" attribute not take effect?
I referred to the official document about the firewall extension:
http://wixtoolset.org/documentation/manual/v3/xsd/firewall/firewallexception.html
In the document, I saw this description of the "File" attribute:
Identifier of a file to be granted access to all incoming ports and protocols. If you use File, you cannot also use Program.
If you use File and also Port or Protocol in the same FirewallException element, the exception will fail to install on Windows XP and Windows Server 2003. IgnoreFailure="yes" can be used to ignore the resulting failure, but the exception will not be added.
Does it mean that if I set a firewall rule for a program, the "Protocol" and "Port" attributes will be "Any" automatically, even if I set "Protocol"?
The existing wix FirewallException custom actions make use of the XP/Server2003 windows firewall API. In this API, setting a firewall exception for a particular executable implies that all ports and all protocols will be opened to the exception.
For reference, the XP/Server2003 firewall API interfaces. Notice that INetFwOpenPort has the ability to get/set the port, while INetFwAuthorizedApplication does not.
If you want to create a firewall exception on a program and explicitly limit the port, protocol, and domain you'll need to make use of the windows 'advanced' firewall API that came with Vista. Check out these references:
Highlevel overview
Reference guide
Command-line reference guide
Sadly, nobody has yet implemented an AdvancedFirewallException extension for wix that makes use of these updated APIs. Maybe I'll run a kickstarter campaign to see if there is interest in funding the development ;P
Try to use different Names for each FirewallException ID. This worked for me:
<File Id="sample.exe"
      Name="sample.exe"
      Source="..\TestFrame\bin\debug\sample.exe"
      Vital="yes"
      KeyPath='yes'>
  <fire:FirewallException Id="FirewallDomainSampleTcp"
                          Name="Domain Sample TCP"
                          Protocol="tcp"
                          Port="8080"
                          Scope="any"
                          IgnoreFailure="yes"
                          Profile="domain" />
  <fire:FirewallException Id="FirewallDomainSampleUdp"
                          Name="Domain Sample UDP"
                          Protocol="udp"
                          Port="8080"
                          Scope="any"
                          IgnoreFailure="yes"
                          Profile="domain" />
  <fire:FirewallException Id="FirewallPrivatSampleTcp"
                          Name="Private Sample TCP"
                          Protocol="tcp"
                          Port="8080"
                          Scope="any"
                          IgnoreFailure="yes"
                          Profile="private" />
  <fire:FirewallException Id="FirewallPrivateSampleUdp"
                          Name="Private Sample UDP"
                          Protocol="udp"
                          Port="8080"
                          Scope="any"
                          IgnoreFailure="yes"
                          Profile="private" />
</File>
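A way to verify what the installer actually produced, as an added example that is not part of the question or either answer: the script below lists every inbound Windows Firewall rule whose application filter points at the installed executable and shows the per-rule profile, protocol and port, so you can see at a glance whether you got four scoped rules or a single "Any protocol" rule. The program path `C:\test\view.exe` is taken from the question's table and is the only assumption.

```powershell
# Added example: audit the firewall rules created for an installed program.
# Run in an elevated PowerShell on the machine where the MSI was installed.
$program = 'C:\test\view.exe'   # assumed install path, from the question's table

Get-NetFirewallRule -Direction Inbound |
  Where-Object {
    # Only keep rules whose application filter references our executable
    ($_ | Get-NetFirewallApplicationFilter).Program -ieq $program
  } |
  ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
      Name      = $_.DisplayName
      Profile   = $_.Profile      # Domain / Private / Public / Any
      Enabled   = $_.Enabled
      Action    = $_.Action
      Protocol  = $port.Protocol  # TCP / UDP / Any
      LocalPort = $port.LocalPort
    }
  } |
  Format-Table -AutoSize
```

If the output shows one row with `Protocol = Any` and `LocalPort = Any`, the rule was created through the program-exception path that the first answer describes, which opens every port and protocol for that executable; from a least-privilege standpoint that is the case to watch for, since it grants far more than a port-scoped rule would.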
In ejabberd 18.01-2, installed with apt in an LXC container running Ubuntu 18.04 Bionic LTS, I'm trying to set up mod_http_upload.
In the listen section, I have
listen:
  -
    port: 5444
    module: ejabberd_http
    tls: true
    request_handlers:
      "/upload": mod_http_upload
In the configuration file, the commented-out port was 5444; however, in the current documentation it is 5443, so I am not sure which one is right.
In the modules section, I have
modules:
  mod_http_upload:
    host: "upload.ejabberd.forumanalogue.fr"
    max_size: infinity
    thumbnail: true
    put_url: "https://ejabberd.forumanalogue.fr:5444/upload"
    docroot: "/ejabberd/upload"
When I start the service, I can see an odd message in the logs
2019-11-11 21:02:35.287 [warning] <0.367.0>#ejabberd_pkix:handle_call:255 No certificate found matching 'upload.ejabberd.forumanalogue.fr': strictly configured clients or servers will reject connections with this host; obtain a certificate for this (sub)domain from any trusted CA such as Let's Encrypt (www.letsencrypt.org)
It is strange because I have a signed wildcard certificate.
certfiles:
  - "/etc/letsencrypt/live/forumanalogue.fr/*.pem"
I can see the service with my client (Gajim), but when I try to send a file to another local account, I receive the error "Access denied by service policy". See the complete log:
<iq xml:lang='en' to='foo@forumanalogue.fr/gajim.HCLJ4BZI' from='upload.ejabberd.forumanalogue.fr' type='error' id='1dd35274-90e9-4b3b-9608-0fab59afe34e'>
  <request xmlns='urn:xmpp:http:upload'>
    <filename>a.out</filename>
    <size>27232</size>
    <content-type>application/octet-stream</content-type>
  </request>
  <error code='403' type='auth'>
    <forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
    <text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text>
  </error>
</iq>
I had to enable debug logging in order to see something. It is quite verbose, but I think that the relevant part, which is non-redundant with the client message, is
2019-11-11 20:53:08.329 [debug] <0.501.0>@mod_http_upload:process_slot_request:544 Denying HTTP upload slot request from foo@forumanalogue.fr/gajim.HCLJ4BZI
Thank you for your help.
I tried with ejabberd 18.01, a configuration similar to yours, and it works for me.
Looking at the source code, that "process_slot_request:544" error means that the account attempting to use the upload feature is not allowed by the "local" Access rule in the vhost it sent it to. Probably it's a remote account. Remote to that upload service. In other words, the service upload.whatever can only be used by accounts like user12@whatever.
In your case, you are attempting to use upload.ejabberd.forumanalogue.fr from account foo@forumanalogue.fr, which is not local to that upload service.
Several ideas, I hope one of them suits your specific setup:
A) Don't mess with vhosts. If it's forumanalogue.fr, keep it that way everywhere.
B) Use @HOST@ in the host and put_url options.
C) Or, if you really want to mess with hosts, then add Access rights so accounts in that vhost are considered "local" to the upload service.
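What options B and C look like in ejabberd 18.01 configuration syntax, as an added example that is not part of the question or the answer. The hostnames, port and docroot are the ones from the question; the ACL name `forumanalogue_accounts` and the access-rule name `http_upload_users` are invented for this example, and the `access` option of mod_http_upload (default `local`) is the documented knob that option C refers to.

```yaml
# Added example, not the asker's or the answerer's configuration.
hosts:
  - "forumanalogue.fr"

listen:
  -
    port: 5444
    module: ejabberd_http
    tls: true
    request_handlers:
      "/upload": mod_http_upload

modules:
  mod_http_upload:
    # Option B: derive the service host and put_url from each vhost with @HOST@,
    # so the upload service is "local" to the accounts of that vhost.
    host: "upload.@HOST@"
    put_url: "https://upload.@HOST@:5444/upload"
    docroot: "/ejabberd/upload"
    max_size: infinity
    thumbnail: true
    # Option C: replace the default "local" access check with an explicit rule
    # (assumed name, defined below) that also admits the accounts you choose.
    access: http_upload_users

# ACL matching every account on forumanalogue.fr (assumed ACL name).
acl:
  forumanalogue_accounts:
    server: "forumanalogue.fr"

# Keep "local" accounts allowed and additionally allow the ACL above;
# everything else is denied by the implicit final deny.
access_rules:
  http_upload_users:
    - allow: local
    - allow: forumanalogue_accounts
```

Two cautions when choosing between these. Keep the rule as narrow as the ACL above rather than `allow: all`; an upload service that accepts slot requests from any JID, including federated ones, becomes a public file host. And option B also addresses the certificate warning in the question: a wildcard certificate for `*.forumanalogue.fr` matches exactly one label, so it covers `upload.forumanalogue.fr` but not `upload.ejabberd.forumanalogue.fr`, which is why ejabberd reported no matching certificate for that name.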
I have an instance of Tomcat 8.0.9, running on GNU/Linux 2.6.32-642.6.2.e16.x86_64, that responds with "401 Unauthorized" when I try to access the manager UI, no matter what I try.
I know Tomcat is running, because I get that page.
I know it is that specific instance of Tomcat, because if I shut it down and revisit the URL (https://host.name:port/manager/html), I get a connection refused.
The browser doesn't even prompt me for username and password; it just goes straight to the "401 Unauthorized" page.
The server's catalina.out log even reports that it has deployed the manager webapp (paraphrased):
*.a few seconds ago* INFO [localhost-startStop-1] o.a.c.s.H.deployDirectory Deploying web application directory /path/to/webapps/manager
*milliseconds later* INFO [localhost-startStop-1] o.a.c.s.H.deployDirectory Deployment of web application directory /path/to/webapps/manager has finished in 22 ms
I started with the Apache docs (https://host.name:port/docs/manager-howto.html), and then with several versions of this question on SO for troubleshooting, including one that seems to have the most answers.
Since I've never used the manager before, my go-to theory is that 'obvious' was exactly what I was missing; however, I tried all of the obvious stuff below:
I restarted Tomcat, multiple times in this process, verifying that a reload of the URL was indeed firing a connection refused with the server stopped, and then back to the 401 error with the server started.
I added admin-gui to the user's roles:
<role rolename="admin-gui" />
<role rolename="manager-gui" />
<user username="tomcat" password="s3cret" roles="admin-gui,manager-gui" />
The XML above is not inside a comment block - if I edit it in Gvim with syntax highlighting turned on, this is very obvious.
tomcat-users.xml is owned by tomcat, and is readable (it's mode 775, in fact). I know it's being read, because if I add nonsense elements to it, catalina.out reports this on startup.
I also added the other role to tomcat-users.xml, just in case (manager-jmx, admin-script, etc.). (I'm still not sure what's supposed to happen if you left those out, misspelled them, etc. I imagine the manager webapp wouldn't recognize rolenames outside its specific set, but naturally I can't confirm this yet.)
The following element exists in server.xml, inside an Engine element:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
</Realm>
In case it's relevant, there's also this, earlier in server.xml:
<GlobalNamingResources>
  <Resource auth="Container" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase" />
</GlobalNamingResources>
In the Tomcat startup script, CATALINA_HOME points to the exact install path of Tomcat. There is no TOMCAT_HOME or JAVA_HOME, but JRE_HOME points to a symbolic link that points to an actual Java install (I followed that link and confirmed).
In the manager webapp, META-INF/context.xml, the Valve element is commented out.
Is there even a report of why I'm unauthorized, that gives me more information? I've tried scouring the manager webapp directory in the hopes there was yet another log there. (There isn't.)
I installed the CEP (Proton) through the official documentation, https://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/CEP_GE_-_IBM_Proactive_Technology_Online_Installation_and_Administration_Guide
After that, I watched this recommended video to learn more about CEP. https://edu.fiware.org/pluginfile.php/653/mod_resource/content/1/CEP-Tutorial.mp4
But I can't check the engine instance state, because this error appears in the response: Could not read instance state, message: Error activating jmx proxy:
It seems that JMX is not properly configured.
As described in the installation guide, in the Apache Tomcat users configuration file you need to add manager-jmx role, and add it to the manager user name:
<tomcat-users>
  ...
  <role rolename="manager-jmx" />
  <user username="manager" password="manager" roles="manager-gui,manager-status,manager-script,manager-jmx" />
  ...
</tomcat-users>
You need to enable JMX access on Apache Tomcat, by adding it to CATALINA_OPTS, as described in the installation guide.
You also need to specify the JMX service port in the ProtonAdmin.properties file, as described in the same installation guide.
I am trying to get the Bluemix Liberty container to connect to and use the Bluemix Session Cache service.
What I did so far:
Create bridge application and add Session cache service
Create Liberty container and connect with bridge application
Followed this link: http://www.ibm.com/developerworks/cloud/library/cl-sessioncache-app/index.html to get a sample Application using Session caching and being able to see progress in the Service overview dashboard
Installed Websphere Extreme scale inside the liberty container and verified that feature is activated by liberty server and can be used.
Now if I try to use the application and navigate with the browser to the contextRoot I am getting the following Exceptions:
com.ibm.ws.xsspi.xio.exception.InvalidXIORefException
Source = com.ibm.ws.xsspi.xio.actor.XIORegistry
probeid = 659
Stack Dump = com.ibm.ws.xsspi.xio.exception.InvalidXIORefException [originating=127.0.0.1:0;exid=79]: unable to find actor at index=17
com.ibm.ws.xsspi.xio.exception.InvalidXIORefException
Source = com.ibm.ws.xsspi.xio.actor.XIORegistry
probeid = 651
Stack Dump = com.ibm.ws.xsspi.xio.exception.InvalidXIORefException [originating=127.0.0.1:0;exid=64]: XIORef at 17 does not have the same id as target xioref
java.lang.RuntimeException
Source = com.ibm.ws.xs.sessionmanager.GridAvailability.run
probeid = 164
Stack Dump = java.lang.RuntimeException: org.omg.CORBA.TRANSIENT: java.net.SocketTimeoutException: connect timed out
I am providing all the required values, e.g. objectGridName and catalogHostPort, hardcoded inside the server.xml, since the environment variables to fetch the service information as documented were also not working.
Any hints or solutions to this? Where am I missing the crucial connection so that it magically works?
Update: server.xml
<featureManager>
  <feature>webProfile-6.0</feature>
  <feature>eXtremeScale.webapp-1.1</feature>
  <feature>icap:appstate-1.0</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint"
              host="*"
              httpPort="9080"
              httpsPort="443" />
<keyStore id="defaultKeyStore"
          password="Liberty" />
<xsWebApp id="mysession"
          objectGridName="value of session credential gridName"
          objectGridType="REMOTE"
          catalogHostPort="value of session credential catalogEndPoint"
          securityEnabled="true"
          credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
          credentialGeneratorProps="value of session credential username and password"
/>
<httpSession idReuse="true" />
<application name="sessionCacheSample" context-root="/" location="sessionCacheSample.war" type="war"/>
It sounds like a client connectivity issue, where the client app cannot connect to the docker container.
So, is the docker container running the HTTPS session web app, and does it point to the BM session cache service? Is this the use case? If yes, the problem could be the connectivity between the docker container and the session cache server. Please confirm.
I am working on a Notification Service using the IBM MQ messaging provider in a JBoss EAP 6.1 environment. I am successfully able to send messages via the MQ JCA provider rar, i.e. the wmq.jmsra.rar file. However, on the consumer part, my current configuration looks like this:
@MessageDriven(
    activationConfig = {
        @ActivationConfigProperty(propertyName="destinationType", propertyValue="javax.jms.Queue"),
        @ActivationConfigProperty(propertyName="destination", propertyValue="F2.QUEUE"),
        @ActivationConfigProperty(propertyName="providerAdapterJNDI", propertyValue="java:jboss/jms/TopicFactory"),
        @ActivationConfigProperty(propertyName="queueManager", propertyValue="TOPIC.MANAGER"),
        @ActivationConfigProperty(propertyName="hostName", propertyValue="10.239.217.242"),
        @ActivationConfigProperty(propertyName="userName", propertyValue="root"),
        @ActivationConfigProperty(propertyName = "channel", propertyValue = "TOPIC.CHANNEL"),
        @ActivationConfigProperty(propertyName = "port", propertyValue = "1422")
    })
My problem is that the consumer of this service does not want to add any port numbers, hostName or queueManager properties in these beans. Also, they do not want to use ejb-jar.xml to externalize these configs. I have researched and found that we can add a domain IBM Message Driven Bean, but with no success. Any suggestions on what I can do here to externalize all these configurations?
EDIT: Adding --> The JCA resource adapter is deployed at consumer end if it makes it any easier.
Thanks
You can actually externalize an MDB's activation spec properties to the server configuration file.
Create the ejb-jar.xml file, but do not put the actual value in the file; use a property placeholder:
<activation-config-property>
  <activation-config-property-name>hostName</activation-config-property-name>
  <activation-config-property-value>${wmq.host}</activation-config-property-value>
</activation-config-property>
Do this for all of the desired properties.
Ensure that property replacement for Java EE spec files (ejb-jar.xml, in this case) is enabled in the server configuration file:
<subsystem xmlns="urn:jboss:domain:ee:1.2">
  <spec-descriptor-property-replacement>true</spec-descriptor-property-replacement>
Then, in the server configuration file, provide values for your properties:
<system-properties>
  <property name="wmq.host" value="10.0.0.150"/>
Once your MDBs are packaged, you will not need to change any of the files in the MDB jar - just provide the properties in the server configuration.
You can avoid adding the host name, port number and so on in the MDB; you just need to define destinationType in the MDB, and the rest you can configure in your application server, like the Activation Specification, Queues and Queue Connection Factories.
I have done the same thing, but I used IBM WebSphere Application Server.