krypted.com

Tiny Deathstars of Foulness

Some apps have defaults domains that don’t work the same way as those of other apps, and you need to use the -app option in defaults. This option is available for most apps, and sometimes I’ll use it to crawl around for a specific setting I’m looking for. But for other apps, you need to interact with them through it. So let’s look at Eclipse. Here, we can do a read with -app followed by the path:

defaults read -app /Applications/eclipse/Eclipse.app/

The output would be as follows:

{
NSNavLastRootDirectory = "~/smb/smb";
NSNavPanelExpandedSizeForOpenMode = "{712, 426}";
NSScrollAnimationEnabled = 0;
WebKitJavaEnabled = 0;
}

Now, let’s say you had a specific setting, like fixing an anti-aliasing issue:

defaults write -app /Applications/eclipse/Eclipse.app AppleAntiAliasingThreshold 19

#thanksaloteclipseupdaters

June 4th, 2017

Posted In: Java, Mac OS X, Mac OS X Server, Mac Security


I love being asked questions about career trajectories. I always preface my answers with the fact that it’s just my reaction to things and I’m weird and maybe not everyone agrees. I recently provided some answers about careers of developers, from the perspective of a hiring manager. Luckily there are others that answered more intelligently than I! So, feel free to read the article here.


May 17th, 2016

Posted In: Agile, Java


OS X Server 5 dropped last week. It’s the first time I’ve seen an OS X Server version drop before an OS release. I’m guessing there was an impetus to get it out the door before OS X 10.11 ships, so that caching and software update servers can facilitate quicker adoption and tools like Profile Manager will work on 0-day. But, there are some funny issues that are popping up. One of these is OS X Server usurping some ports that would otherwise potentially be used by other tools. Notably for Casper administrators, this includes port 8443. So here are some issues I’ve seen with Apache in the latest OS X Server.

Ports are in use that shouldn’t be

This is of particular interest to people running Tomcat sites (e.g. Casper admins). If you have a 3rd party service that isn’t loading, you may find that a port is already in use. For example, let’s say that you’re trying to start a JSS on port 8443. Well, let’s say you run stroke and you see this (when the JSS is stopped):

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke 127.0.0.1 8443 8443

And let’s say you get this response (again, with the JSS stopped):

Open TCP Port:      8443      pcsync-https

Well, that means that the server has probably just totally ganked port 8443 for that funky new proxy thing. In /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf there are a few new funny things due to proxy services (that whole proxy folder is new btw). One of which is the fact that the server listens on some ports you might not mean for it to listen on, by default including 80, 443, 8008, 8800, 8443, and 8843. The server always had a default site listening on ports 80 and 443, but now the CalDAV response is using 8443 for a Virtual Host for the CalendarServer that redirects to /webcal on port 443. Arg. There are a few things you can do to correct this. One would be to comment out one of the lines for the listeners. For this, find the line that reads:

listen 8443

And replace it with:

#listen 8443

This would likely spawn some errors in your Apache logs when the virtual hosts that also use 8443 try to load. So you’ll likely also want to comment out the virtual host section of the file. For this, look for the section that runs from <VirtualHost *:8443> to that virtual host’s closing </VirtualHost> and comment out the whole section. Another option, if you do actually want to use the server as a calendar server as well, might be to replace the asterisk in the definition with an IP address or hostname, which would bind that port to a specific IP address or hostname.

This would be true if you have something using 8008, 8800 (think Kerio), etc.

Also, consider that there’s a /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites*.conf entry. For 5.03 and 5.04, this isn’t an issue, but any time you see an include like that, you could be loading up multiple includes in the future. Which could introduce additional tasks. Also, keep in mind that you’ll want to keep a backup of this file handy. It’s in a place in your system where Apple can change things in the file without any concern around customizations you previously made in the file. Therefore, in a subsequent software update, you may need to restore that file.

You don’t get prompted that there’s a new version of OS X Server

When you install OS X Server 5, the next time you open the Server app, you should get prompted that the Server app has been replaced and then go through a little assistant. If you don’t, reboot, throw the Server.app in the trash, redownload and reopen the app. That should take care of that issue.

Certificates don’t get migrated

The /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf file will reference a number of certificates. These are set with the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile directives. In /etc/certificates, you’ll have some certificates. For example, on my server, I have:

4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.cert.pem
4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.chain.pem
4A94D0AE-7DD6-4D8D-A721-D62DE2AAE092.C174963A4CB567837EE8B5FD7EC8DCBE03143CCB.concat.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.cert.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.chain.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.concat.pem
Server Fallback SSL Certificate.AD80FE0DDF4D16419A158AAA901594FF15D48A2A.key.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.cert.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.chain.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.concat.pem
odr.krypted.com.00EA9C581A8C85D48D295807946C0703DAF88F67.key.pem

One is built based on the promotion of OD, another is a fallback, and the one with the funny GUID in front of it is usually the one that you’d use when defining these fields. If OS X Server doesn’t see the correct pem files that it’s expecting, it will just create new ones. The old ones are still there. So, if a service like Profile Manager is totally busted, you can back up the /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf and edit the path to the certificates in the file to correct them. Reboot and see if Profile Manager fires up. On one machine, I also had to trash the Server app again and install it again, but just pointing the paths to the correct location worked for the most part (also, note that I had to use the full path of a file rather than just the name of the file). Oh, don’t forget, this would need to be done for each virtual host with an offending certificate chain.
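To find which certificate directives in the proxy config point at nothing after an upgrade, the check below can be run over the file. It is an added example, not part of the original post; the function names and the sample file names are constructed for illustration.

```shell
# Added example: for each active SSLCertificate*File directive read on stdin,
# report whether its path is absolute and whether the file actually exists.
check_cert_paths() {
    awk '
    /^[ \t]*#/ { next }
    tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
        path = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)   # drop the directive name
        sub(/[ \t]+$/, "", path)
        gsub(/^"|"$/, "", path)                 # file names may be quoted
        print NR "\t" $1 "\t" path
    }' | while IFS="$(printf '\t')" read -r lineno directive path; do
        case $path in
            /*) if [ -f "$path" ]; then status=ok; else status=missing; fi ;;
            *)  status=relative ;;              # the post needed full paths
        esac
        printf '%s %s %s %s\n' "$lineno" "$directive" "$status" "$path"
    done
}

# Constructed demo: one file that exists, one that does not, one bare name.
demo_cert_check() {
    dir=$(mktemp -d) || return 1
    : > "$dir/Server Fallback SSL Certificate.EXAMPLE.cert.pem"
    cat <<EOF | check_cert_paths
<VirtualHost *:443>
    SSLCertificateFile "$dir/Server Fallback SSL Certificate.EXAMPLE.cert.pem"
    SSLCertificateKeyFile "$dir/regenerated.EXAMPLE.key.pem"
    SSLCertificateChainFile odr.example.com.EXAMPLE.chain.pem
</VirtualHost>
EOF
    rm -rf "$dir"
}

demo_cert_check
```

Against the real file, run it as check_cert_paths < /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf and fix every line not marked ok.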

 

Apache binds ports to all IPs

A final issue I’ll point out is that servers on which I’d customized the IP that Apache listens on needed to be reconfigured. This is done in the /Library/Server/Web/Config/Apache2/httpd_server_app.conf configuration file. Here, look for a line for Listen. It will be commented out as so:

#Listen 12.34.56.78:80

If you want to only have a given port listen on a given IP, use that section of that file to customize how the listener should operate. For example, if you have an IP on your machine of 10.0.0.100 and you only want port 80 listening on that IP, use the following:

Listen 10.0.0.100:80
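Both this section and the port-conflict section above come down to knowing which Listen and VirtualHost lines are active and what they bind to. The following is an added example, not from the original post, that lists them and flags the ones on ports another service needs; the function names, verdict labels and sample config are constructed for illustration.

```shell
# Added example: list the active Listen and <VirtualHost> bindings in an Apache
# config read on stdin. $1 is a space-separated list of ports other services need.
audit_bindings() {
    awk -v wanted="$1" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    /^[ \t]*#/ { next }                  # commented-out directives are inactive
    {
        line = $0; sub(/^[ \t]+/, "", line); lower = tolower(line)
        if (lower ~ /^listen[ \t]/)            kind = "Listen"
        else if (lower ~ /^<virtualhost[ \t]/) kind = "VirtualHost"
        else next
        split(line, f, /[ \t]+/); spec = f[2]; sub(/>.*$/, "", spec)
        if (spec ~ /^[0-9]+$/) {               # bare port: every address
            addr = "*"; port = spec
        } else if (index(spec, ":")) {         # addr:port, split at last colon
            port = spec; sub(/^.*:/, "", port)
            addr = substr(spec, 1, length(spec) - length(port) - 1)
        } else {                               # address only, any port
            addr = spec; port = "*"
        }
        wild = (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "_default_")
        verdict = "ok"
        if (port in need) {
            if (kind == "VirtualHost") verdict = "uses-wanted-port"  # opens no socket itself
            else if (wild)             verdict = "conflict"
            else                       verdict = "bound-to-address"
        }
        print NR, kind, addr, port, verdict
    }'
}

# Constructed sample input, modelled on the directives quoted in the post.
sample_config() {
    cat <<'EOF'
Listen 80
Listen 443
listen 8443
#Listen 12.34.56.78:80
Listen 10.0.0.100:8008
<VirtualHost *:8443>
    ServerName calendar.example.com
</VirtualHost>
<VirtualHost *:443>
</VirtualHost>
EOF
}

sample_config | audit_bindings "8443 8008"
```

Each output line is the config line number, directive, address, port and verdict; a uses-wanted-port VirtualHost is one that will log errors once its Listen line is commented out.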

Conclusion

Overall, I would say that if you haven’t upgraded to Server 5 on a Yosemite system, I’d hold off. There are some funny kinks that need to be worked out and I’d hate to be the one figuring some of this out if I wasn’t planning on a funky upgrade session (e.g. if I had a limited downtime window).

September 22nd, 2015

Posted In: JAMF, Java, Mac OS X, Mac OS X Server, Mac Security


When I was just getting started with AngularJS, I found jsfiddle.net, a site that allows you to enter some code and run it straight from a browser. So, what do you do first: Hello World of course. This one with a little input twist…

<!DOCTYPE html>
<html ng-app>
<head>
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/angularjs/1.0.7/angular.min.js"></script>
</head>
<body>
Enter Your Name:
<input type="text" ng-model="name" />
<h1>Hello {{ name }}</h1>
</body>
</html>


September 8th, 2015

Posted In: Java


There’s an excellent tool that can be used to grab a heap dump from a Java process. It’s called jmap. To do so, run the jmap command, followed by a format and a file path as the format and file operators. Also, provide the PID, as follows:

jmap -dump:format=b,file="$HOME/memdump.hprof" 80446

Once dumped, you can view the dump file in the Memory Analyzer Tool (MAT) and find objects that use too much memory and/or have memory leaks, as part of your troubleshooting. You can also replace the pid with a name of an executable or a core. Run the jmap tool along with a -h option for a help summary.

A sister tool is jps, which can be used to just list running Java processes by pid and then path. jps takes an optional hostid rather than a pid, so run it with -l and look for the same pid as earlier in the output:

jps -l

You can also run a Java debugger daemon using jsadebugd, which attaches to a process as a debug server. Then jstack, jmap and jinfo can attach via RMI. Finally, not everyone has access to every path on a file system. So jinfo can be used to view a configuration for a Java process or core. To run, simply run jinfo followed by a pid, executable or core name, as follows (assuming 80446 is the pid for the Java process in question):

jinfo 80446

July 25th, 2015

Posted In: Java, Mac OS X
