stunnel Logo

The stunnel software is awesome. It allows you to encrypt any connection between local or remote systems. We will use it to perform the SSL Offloading for our system. This tool will take care of all the SSL encryption, releasing that burden from the web servers, because web servers are … well, web servers, not SSL managers.

We will use stunnel to:

1. Listen for secure SSL connections on port 443 of our external IPs
2. Manage the encryption/decryption
3. Request (without encryption) the web page from the Web servers
4. Send the request back to the client encrypted

From the Stunnel web page:

The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs’ code. Stunnel uses OpenSSL libraries for cryptography, so it supports whatever cryptographic algorithms you compiled into your library.

Stunnel can benefit from FIPS 140-2 certification of the OpenSSL library, as long as the building process meets its Security Policy.

Stunnel is a free software authored by Michal Trojnara. Although distributed under GNU GPL version 2 or later with OpenSSL exception, stunnel is not a community project. We retain the copyright of the source code. Please contact us for support or non-GPL licenses.

The obsolete 3.x branch is no longer maintained. Use stunnel3 perl script as a drop-in replacement for backward compatibility.

Ideally you could run your own farm of TLS/SSL Offloaders using their own hardware (in combination with a balancing  software tools like HAproxy / Wackamole / Spread  / UltraMonkey you can have your own home made High Availability Load Balancer). As mentioned before, this would allow you to release the encryption load from the Web tier.

Our certificate

But first, we need an TLS/SSL certificate. You can build your own self signed certificate (but it will generate a warnign alert as it is officially signed by a real CA) or buy one from any of the Certificates Authorities (CA).

An important concept: You can only have 1 SSL certificate per IP (in other words, you need to have as many IPs as different SSL domains you have). Why? Simple, the certificate needs to be sent as soon as the HTTP connection is established and at that point the Client still has not sent to the Server which FQDN (domain) they want to get. You have the Apache explanation here. There is a relative exception here. If you use subdomains (sub1.kus.es sub2.kus.es etc) then you can use a wild-card certificate (a cert that is valid for *.kus.es).

The tool

I recommend you to download Stunnel software from source, apply the ‘xforwaredefor’ patch from the HAproxy site and install it. Why? Because this patch will allow Stunnel to send the source IP to the next tier, in this case, to HAproxy. This is a cut&paste from the HAproxy site:

X-Forwarded-For support for Stunnel

Stunnel currently makes a perfect complement to provide SSL client-side support to HAProxy. However, since Stunnel is a proxy an has no knowledge of HTTP, the client’s IP address was lost, which is somewhat annoying. A few patches were available on the Net to add the X-Forwarded-For header, but they introduced an undesirable buffer overflow. So I took my courage and wrote a reliable and secure patch to implement this useful feature. I sent it to Stunnel’s authors but got no feedback. So the patch is provided here for various versions from Stunnel-4.14 and above in the hope it will be useful to some people. At least it seems to be the case, considering the number of people who send updates Note that this patch does not work with keep-alive, see send-proxy below for that.

Get the patches from Exceliance’s public patch repository

 The setup

Ok, now thatyou have Stunnel compiled & installed, let’s set up our stunnel instance. The following configuration file defines some basic settings for the SSL encryption: it forces Stunnel to use only ‘good’ ciphers, don’t use SSLv2, TCP timeouts, etc. I do recommend you to check the Stunnel documentation for

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

; Protocol version (all but not SSLv2)
sslVersion = all
options = NO_SSLv2
;PID location
pid = /var/run/stunnel4.pid
; TCP settings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose = 0
TIMEOUTbusy = 180
TIMEOUTconnect = 30
TIMEOUTidle = 60
;Location of the Common Authorities certificates
CApath = /etc/ssl/certs
;Logging. Set debug to 7 for debugging
debug = 0
output = /var/log/stunnel4/stunnel.log
;Use only strong ciphers
ciphers = HIGH:MEDIUM:!ADH
;libwrap = yes
;Number of sessions to manage (in concordance with the haproxy setup)
session = 300
 
;Specific settings for kus.es
[https-kus.es]
;Certificate files location, for automatic startup remove the passphrase from the key
cert=/etc/ssl/certs/kus.es.crt
key=/etc/ssl/certs/kus.es.key
;where lo listen, change external-ip with your real external IP
accept=external-ip:443
;where is haproxy listeing for Stunnel requests
connect=127.0.0.1:8443
;send the source IP to haproxy via the X-Forwarded-For header
xforwardedfor=yes

With this setup, you tell Stunnel to listen on the external IP of your server in the port 443 (accept=external-ip:443). Once it gets a request, it will use the certificate (cert=/etc/ssl/certs/kus.es.crt) to set up the SSL handshake and encrypt the connection and will connect to HAproxy (connect=127.0.0.1:8443) to obtain the web page the user has requested. Once it gets the page, it will be encrypted and sent back to the client.

Yes, we need to have haproxy listening on the port 8443 of the loopback interface. We will see why and how on the next chapter…

Useful commands

Remove the  passphrase from the certificate key

Careful here, if you remove the passphrase from the key, anyone with access to it maybe be able to use your certificate. If you do this, make sure  you secure the key file:

openssl rsa -in server-with-pass.key -out server-without-pass.key

From crt to pem formats (option I)

Ugly way:

$> openssl x509 -in input.crt -out input.der -outform DER

$> openssl x509 -in input.der -inform DER -out output.pem -outform PEM

From crt to pem formats (option II)

This one embeddds the key in the pem file, needed by some LB software as pound

$> openssl x509 -in server.crt -out server.pem

$> openssl rsa -in server.key >> server.pem

Compile stunnel from source

1. Create a temporary directory /home/yourser/src
   
cd && mkdir src && cd src

2. Download the Stunnel source (in this case, version 4.44) and extract it
   
wget -c http://mirrors.zerg.biz/stunnel/archive/4.x/stunnel-4.44.tar.gz
tar zxvf stunnel-4.44.tar.gz

3. Download the X-Forwarded-For patch and apply it
   
wget -c http://www.exceliance.fr/download/free/patches/stunnel/x-forwarded-for/stunnel-4.44-xforwarded-for.diff
patch -p0 < stunnel-4.44-xforwarded-for.diff

4. Configure and compile it based on your needs (I like to install it in /opt)
   
cd stunnel-4.44
./configure --prefix=/opt/stunnel-4.44 --enable-static --with-gnu-ld --with-threads=pthread
make
sudo make install
sudo ln -s /opt/stunnel-4.44 /opt/stunnel
sudo ln -s /opt/stunnel/bin/stunnel /opt/stunnel/bin/stunnel4


Patch to modify the default’s Ubuntu startup file /etc/init.d/stunnel4

If you have patched Stunnel tool, you need to modify the startup scripts to use the new binary, that is located at /opt/stunnel/bin/stunnel4. You can directly edit your /etc/init.d/stunnel4 or you can apply this patch:

--- stunnel4.dpkg-dist	2009-12-22 08:57:08.000000000 +0100
+++ stunnel4	2011-11-22 20:11:18.000000000 +0100
@@ -11,7 +11,7 @@
 ### END INIT INFO

 DEFAULTPIDFILE="/var/run/stunnel4.pid"
-DAEMON=/usr/bin/stunnel4
+DAEMON=/opt/stunnel/bin/stunnel4
 NAME=stunnel
 DESC="SSL tunnels"
 FILES="/etc/stunnel/*.conf"

Previous: SSH
Next: HAProxy

I personally think this project reflects the best of the Internet: share knowledge thanks to the community efforts and for the community.

If you have a free minute and a dollar to spend, that’s a good project. Go to any of their articles or click in the link below to support them:

The sshd daemon will be used to access the system. If we want to have multiple web instances, each one managed by different individuals, we’d usually think about setting up a FTP server and create virtual users (so we know they cannot log in). Or, we can use the SFTP subsystem, rely on the OS user management and also have Secure FTP only access to our system. Even more, we can create RSA keys for the users so they don’t need to worry about passwords. The main features of the setup would be:

• We will grant only SFTP access to the UNIX accounts of the web instances, this way we will have a Secure FTP server that relies on the system accounts. No shell access will be granted to these users.
• The access to the root user is disabled (we can allow forced commands to run rsync scripts)
• The UNIX group sshusers defines the users that can access to a shell via ssh
• The UNIX group sftpweb defines the users that will only access the system via SFTP (they cannot get a shell).This group contains all the users created to run the Web instances. In fact, they will only be able to access a particular directory (in this example this directory is /home/user/data, where the user will find his htdocs/ and logs/ directories of the web instance)
• In the case that Public Key authentication is going to be used, make sure we manage the public keys, so the users cannot modify them.

Make sure the sshd daemon is installed on your system

$> apt-get install opensshd-server

Let’s have a look at the config file /etc/ssh/sshd_config. This file defines the settings for the sshd daemon (make a backup of your default sshd_config file, in case something goes wrong!):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

#You can modify the default port if you want. Now very useful, really.
Port 22
#Only use prococol 2
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 20
 
#We want to allow root to execute some commands (rsycn) from other servers.
PermitRootLogin forced-commands-only
 
#Make sure the user's directory has the proper permissions
StrictModes yes
 
RSAAuthentication yes
PubkeyAuthentication yes
 
#You can force the users to authenticate only via keys
#Save the user keys into /etc/ssh/users/%u/authorized_keys where %u is the user name
#and set PasswordAuthentication no
#AuthorizedKeysFile     /etc/ssh/users/%u/authorized_keys
 
#Standard setup, modify to fix your needs:
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication no
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
 
#We only allow users of the sshusers grup to access the system
AllowGroups sshusers
UsePAM yes
 
#Here we define that users that belong to sftpweb can only access the secure-ftp subsystem
#Note we give them access to a subdirectory of their home dir and we do not let them do TCP
#forwarding, etc.
Subsystem sftp internal-sftp
Match Group sftpweb
  ChrootDirectory %h/data
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

With this setup, the sshd daemon will be ready to prevent shell access to the users we add to both the sshusers and the sftpweb groups.Make sure you reload the sshd server to reflect the changes.

We will see in following entries how to create a user to have only SFTP access. As a small spoiler, 3 thins are needed:

1. Create the user with the shell /bin/false
2. Add the user to the sshusers and sftweb groups
3. Make sure the directories above /home/user/data (including it) belong to root. This is necessary for the SFTP to set up the jail correctly. So yes, /home, /home/user and /home/user/data must belong to root
   

As an example, we can create a user and test the setup:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

groupadd sshusers
groupadd sftpweb
 
#Add any user you want to be able to access via ssh to the sshusers group
#Add any user you want to be restricted to sftp to both sshusers and sftpweb
 
#Let's create a test user:
useradd -G sshusers,sftpweb -c "Test SFTP user" -m -d /home/testsftpuser -s /bin/false testsftpuser
passwd testsftpuser
(...)
mkdir -p /home/testsftpuser/data
chown root /home/testsftpuser
chown root /home/testsftpuser/data
ssh testsftpuser@localhost
(Should fail...Permission denied)
sftp testsftpuser@localhost
(Should work...)
userdel testsftpuser

That user should not be able to access the system via ssh, but would be able to transfer files via SFTP into (and only into) the /home/testsftpuser/data directory. Once the tests have been completed, I’d suggest to remove that user.
There are multiple references on the web about this topic:

1. http://ubuntuforums.org/showthread.php?t=858475
2. http://www.debian-administration.org/articles/590

Previous:  The idea

Next:  Stunnel

I’ve run web servers at home for a quite long time. I used to have my LAMP system (compiled to fit my needs) running on Slackware and it covered all my needs for many years. But during the last years I found myself running very different flavors of Application Servers and I found that my LAMP setup was not flexible enough to deal with such an heterogeneous systems.

I wanted to have a solution that would allow me to run different web servers (Apache, nginx, Jetty…), different Application Servers (Tomcat, WebLogic, JBoss, Django, perl scripts, etc..) all of them isolated as much as possible from the others.

Since this is a home solution and I cannot afford to have a rack full of blades at home, all these services should run in commodity hardware. I’ve chosen to run it on a laptop, that gives me a UPS service (battery) although it has the drawback of not much CPU power and (most important)  not much RAM. Of course, the solution could be extrapolated to multiple machines, having the ability to grow either horizontally or vertically. But for now, this solution will be confined into a single server
My ideal solution should, if possible, cover these needs:

This solution adds also a extra burden. We are not using a single web server with multiple Vrtual Hosts, so we need to add a software that gives us that ability. Our candidate is HAProxy. It will take care of the multiple domain names and also will be a good solution for doing load balancing/failover solutions.

Let’s have a look at a diagram to get an idea of who the elements interact:

Overview of the services and how they interact

The reader will realize there are some elements that have been added to avoid single point of failures (as the redundant router) that will be quite hard to implement in a home network; Other services as stunnel, HAProxy, Web servers and DB backends are easier to  set up in high availability. But since I’m going to install all of this into a single server, there is a HUGE SPOF : The server itself! I just wanted to demonstrate that, having the necessary resources, the setup can be built in a a high-availability fashion.

So, what are the requirements?

Requirements

• A Server. I’ve chosen a Laptop (its batteries are my UPS system   (the more memory, the better!) It may be desireable to have two NICs (my second one is a JME 1xGigabit installed in the ExpressCard expansion slot). If you want to play in a more controlled environment, any virtual setup will work too.
• A Linux/UNIX distro. I’ve chosen Ubutu 10.04 LTS Server because it worked fine with my laptop hw. Slackware, Debian Stable, Fedora, or any other Linux Distro will work fine too. Of course, the BSD  family is an excellent choice too.
• Have that distro installed on the server.
• An Internet connection (DSL will work, don’t expect to be fast if your upload is low).
• Redirect some ports from your router to the Server.
• A DNS domain working (we will cover other day how to run tinydns). If you have a dynamic IP,you may want to use any of the free dynamic DNS solutions available in the net.
• A bit of free time.
• Coffee, tea, lemonade…

Operating System

If you have chosen Ubuntu, make sure you install the Apache, PHP and MySQL packages. You will find yourself with an Apache web server running on port 80 and all its config files located at /etc/apache2. These files will be used as our foundation for our setup.
If you have chosen to have two networks, configure them and do not setup any kind on NAT over them. This is not really necessary but it is always good to have an administration network that can be used for monitoring (Zabbix? Hyperic?), backup (bacula?) and general management.

A bit of security

The following lines just give you some extra features that I recommend to tighten a bit more the security of a Linux setup. Please note that your system may not be secure by only following these instructions. There are many places int he web where you can find very useful documentation about to create a SOX or SAS70 complaint system.

Firewall

Configure your firewall to allow only TCP access to, at least, only the following ports:

• TCP 80 HTTP
• TCP 443 HTTPS
• TCP 22 SSH
• TCP 2222 SSH static

If you don’t want to allow access to SSH from the outside, just open the HTTP and HTTPS ports, or allow SSH only to your trusted IPs. I’d also recommend to add a ny extra IPTables setup to avoid flood attacks, port scannings, etc.

DenyHosts

Id’ recommend to install this simple but powerful HIPS service that audits the ssh accesses and blocks IPs if a user tried to access incorrectly several times. Follow your distribution instructions to install it. In Ubuntu, it is easy:

$> sudo apt-get install denyhosts

Configure it editing the file /etc/denyhosts.conf

You can block all services:

BLOCK_SERVICE = ALL

…but also to add your internal network IPs to the white list file:

/var/lib/denyhosts/allowed-hosts

 accton

This tool keeps a log of the commands executed in the server. Quite useful if you need to find clues after suffering a security event.

$> apt-get install accton
$> lastcomm

Next chapter : the SSHD daemon setup!

Concierto de Kactus

Cada uno se ha ido, más o menos, por su lado y ahora ya nos vemos poco, pero estas fotos me siguen pareciendo la caña (¿Dónde estará esa camiseta que llevaba de Faith No More?)
Por supuesto, la foto es propiedad de Luisa Colado.

Teníamos este comando para ejecutar nuestro script (ojo, acordáos que en en el artículo anterior habíamos definido una serie de variables de entorno!) :

${JAVA_HOME}/bin/java -Dpython.cachedir=/tmp weblogic.WLST \
getRunningservers.py userconfig.properties userkey.properties \
t3://localhost:7001

Vale, la jugada ahora es integrar todos los requisitos que necesitamos para lanzar este script desde otro de bash, a saber:

• Cargar las variables de entorno de WebLogic vía  setDomainEnv,sh
• Definir la JVM en caso de que queramos usar otra que la que usa WL
• Definir los archivos de autorización de WLST
• Definir la URL de administración de WL

Vamos allá

El archivo de configuración

Crearemos un archivo de configuración para almacenar los datos propios del dominio con el que vamos a trabajar. De esta forma, sólo tendremos que modificar este archivo y no el de la lógica de proceso si queremos usarlo con otro sistema.

El archivo podría quedar así:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

#------------------------------------------------------------------------------
# Configuracion  - getRunningServers
#------------------------------------------------------------------------------
 
#Usuario UNIX que puede ejecutar el script
GOODUSER=weblogic
 
#nombre de Dominio de WebLogic
DOMAIN_NAME=midominio
 
#Directorio del dominio de Weblogic
DOMAIN_DIR="/home/weblogic/bea103/user_projects/domains/${DOMAIN_NAME}"
 
#Path del script para cargar las variables de entorno del dominio
WL_ENV_FILE="${DOMAIN_DIR}/bin/setDomainEnv.sh"
 
#URL de adminustracion
WL_ADMIN_URL="t3://127.0.0.1:7001"
 
#Archivos de credenciales
userFile="${HOME}/scripts/userconfig.properties"
userKey="${HOME}/scripts/userkey.properties"
 
#Localización del script de python
getStuckThreadsScript="${HOME}/scripts/getRunningServers.py"
 
#Opciones de SSL para el WLST (depende de tu setup pueden variar, para este
#ejemplo, no usamos SSL)
#SSL_OPTS="-Dweblogic.security.SSL.trustedCAKeyStore=${DOMAIN_DIR}/trust.jks -Dweblogic.security.SSL.ignoreHostnameVerification=true"
 
#Opciones para WLST (incluye las de SSL)
WLST_OPTS="-Dpython.cachedir=/tmp ${SSL_OPTS}"

Nada extraño, ¿verdad? Simplemente un archivo de configuración donde definiremos las variables específicas del dominio.

El archivo de ejecución

Bueno, ahora la cosa es crear un script de bash que amalgame todo lo anterior. Intentaremos hacerlo modular y añadirle algo de elegancia aplicando códigos de escape ANSI.

Ojo:, este script, aunque funcional, carece de alguna funcionalidad bastante útil que más adelante añadiremos.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

#!/usr/bin/env bash
#------------------------------------------------------------------------------
# Descripción
#------------------------------------------------------------------------------
#
# Author: Carlos Carus - Kus - kus_at_kus.es
# Name: getRunningServers.sh - borrador 1
#
# Descripcion:
# Obtiene la lista de instancias activas de un dominio de WebLogic
# No es definitivo, le faltan cosas ;-)
#
#------------------------------------------------------------------------------
# Listado de cambios
#------------------------------------------------------------------------------
#
# git+ssh://git-url
#
# 2010/09/28
# VERSION 0.01 -
#
#
 
VERSION=0.01
 
nombreScript=$(basename $0)
nombreConfig=$(echo ${DefaultMonitorName} | sed 's/\(.*\)\..*/\1/').conf
 
#------------------------------------------------------------------------------
# Función de Debug
#------------------------------------------------------------------------------
showDebug() {
  if [[ ${MYDEBUG} == "Y" ]];then
    echo -e "\e[1;33m[DEBUG]\e[0m $@"
  fi
}
 
#------------------------------------------------------------------------------
# Argumentos de entrada
#------------------------------------------------------------------------------
vars=(`echo $@`)
z=0
for option in ${vars[@]}
do
  ((z=z+1)) #apuntamos al siguiente token
  if [[ ${option} == "-h" ]] || [[ ${option} == "--help" ]]; then
    echo -e "${nombreScript}: Obtiene la lista de instancias activas de un dominio de WebLogic"
    echo -e "Uso: ${nombreScript} [OPTION]..."
    echo -e "Las variables pasadas como parámetro tienen preferencia sobre las del archivo de configuración\n"
    echo -e "\t -c, --config FILE:\tArchivo de configuración. Por defecto ${nombreConfig}"
    echo -e "\t -d, --debug:\t\tActiva el modo debug"
    echo -e "\t -h, --help\t\tMuestra esta ayuda"
    echo
    exit 0
  fi
 
  if [[ ${option} == "-d" ]] || [[ ${option} == "--debug" ]]; then
    MYDEBUG=Y
  fi
 
  if [[ ${option} == "-c" ]] || [[ ${option} == "--conf" ]]; then
    CONF=${vars[z]}
  fi
 
done
 
#------------------------------------------------------------------------------
# Tenemos todo?
#------------------------------------------------------------------------------
if [[ ${CONF} == "" ]];then
    CONF=${nombreConfig}
fi
if [[ -f $CONF ]];then
    source ${CONF}
    showDebug "Main: cargado el archivo de configuracion ${CONF}"
else
    echo "El archvio de configuracion ${CONF} no ha sido encontrado."
    echo "Use $(basename $0) --help para ver las opciones"
    exit 1
fi
 
#------------------------------------------------------------------------------
# Variables genéricas
#------------------------------------------------------------------------------
 
#Colores
RED='\e[1;31m'
BLUE='\e[1;34m'
CYAN='\e[1;36m'
YELLOW='\e[1;33m'
GREEN='\e[0;32m'
NC='\e[0m'              # No Color
BOLD='\e[1m'
UNDERLINE='\e[4m'
BLINK='\e[5m'
INVERSE='\e[7m'
NF='\e[m'               # No format
RES_COL=70
RES_CO2=30
MOVE_TO_COL="\\033[${RES_COL}G"
 
#------------------------------------------------------------------------------
# Funciones
#------------------------------------------------------------------------------
checkID(){
  if [[ ${GOODUSER} != ${LOGNAME} ]];then
    showDebug "checkID: Ejecutado como ${LOGNAME}, esperando ${GOODUSER}"
    echo "[ERROR] Este script debe ser ejecutado como el usuario  ${GOODUSER}"
    exit 1
  fi
}
 
compruebaCredenciales(){
  showDebug "compruebaCredenciales: Comprobando ${userFile} y ${userKey}"
  if [[ ! -r ${userFile} ]] || [[ ! -r ${userKey} ]];then
    echo -e "${RED}[ERROR]${NF} Los archivos de credenciales ${userFile} o ${userKey} no son accesibles"
    exit 1
  fi
}
 
compruebaScriptPython(){
  showDebug "compruebaScriptPython: Comprobando el script de python ${getStuckThreadsScript}"
  if [[ ! -r ${getStuckThreadsScript} ]];then
    echo -e "${RED}[ERROR]${NF} El script ${getStuckThreadsScript} no es accesible"
    exit 1
  fi
}
 
cargaEntornoWLST(){
    showDebug "cargaEntornoWLST: Cargando el entorno ${WL_ENV_FILE}"
    if [[ -r ${WL_ENV_FILE} ]] && [[ -x ${WL_ENV_FILE} ]]; then
        source ${WL_ENV_FILE}
        #JAVA_HOME es cargada por el script de WL
        JAVAWLST="${JAVA_HOME}/bin/java ${WLST_OPTS} weblogic.WLST"
    else
        echo "${RED}[ERROR]${NF} El script de carga el entorno ${WL_ENV_FILE} no es accesible o ejecutable"
        exit 1
    fi
}
 
getRunningservers(){
  showDebug "getRunningservers: Obteniendo la lista de instacias activas"
  ${JAVAWLST} ${getStuckThreadsScript} ${userFile} ${userKey} ${WL_ADMIN_URL}
}
 
#------------------------------------------------------------------------------
# Lógica principal
#------------------------------------------------------------------------------
 
checkID
compruebaCredenciales
compruebaScriptPython
cargaEntornoWLST
getRunningservers
 
exit 0

La ejecución

Si lo ejecutamos con el modo de DEBUG activo (-d), nos saldría algo como esto:

weblogic@:scripts/> ./getRunningServers.sh -d
[DEBUG] Main: cargado el archivo de configuracion getRunningServers.conf
[DEBUG] compruebaCredenciales: Comprobando /home/weblogic/scripts/userconfig.properties y /home/weblogic/scripts/userkey.properties
[DEBUG] compruebaScriptPython: Comprobando el script de python /home/weblogic/scripts/getRunningServers.py
[DEBUG] cargaEntornoWLST: Cargando el entorno /home/weblogic/bea103/user_projects/domains/midominio/bin/setDomainEnv.sh
[DEBUG] getRunningservers: Obteniendo la lista de instacias activas

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to http://localhost:7001 with userid admin_user ...
Successfully connected to Admin Server 'admin' that belongs to domain 'midominio'.

Location changed to serverRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainConfig)

Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

[INFO] The server admin is running
[INFO] The server server1 is running
Disconnected from weblogic server: admin
weblogic:~/scripts>

Vale, parece que funciona, pero para hacerlo más bonito o “reusable”, habría que evitar que salga por pantalla todo esa literatura que los scripts de WLST generan al arranque. No será nada complicado, pero eso lo veremos en el siguiente artículo, donde cambiaremos el script de python para que no genere tanta verborrea y haremos que nuestro script en bash recoga toda esa salida y la “parsee” tal y como queramos!

Boya Cardinal Oeste (wikipedia)

Las boyas y su significado están muy bien explicadas en la WikiPedia.

Un tipo especial de boyas son las usadas por la IALA (International Association of Lighthouse Authorities) ó AISM (Asociación Internacional de Señalización Marítima). La Wikipedia también cuenta con un excelente artículo en español sobre ellas, que serían las señales de tráfico del mar.

Y en Francia es muy típica la bahía de Quiberon:

Este es el inglés:

Transportador inglés

Y éste es el francés:

Y aquí hay varios modelos.

Recorrido de Le Figaro

Años después una de las más famosas Regatas del mundo vuelve a apostar por Gijón como uno de os puntos de atraque (la primera etapa será entre Le Habre y Gijón). Uno de los elementos más bonitos de Le Figaro es que es una regata para navegantes en solitario. En esta ocación 48 navegantes participarán el ella.

Referencias:
http://www.absolutgijon.com/le-figaro-vuelve-a-gijon/
http://www.elmundo.es/elmundo/2010/06/10/nautica/1276185693.html
http://www.elmundo.es/elmundo/2010/07/31/nautica/1280599996.html
http://www.elperiodiconautico.com/?p=33086