Sunday, February 28, 2021

AMQ9513: Maximum number of channels reached MQ

 

If we get this error it means the maximum number of channels has been reached. To see the total channels in use on the QMGR, use the command below:

DISPLAY CHSTATUS(*) CURSHCNV

This command lists every running channel instance. To get the exact count, modify the command as below:

echo " dis chs(*) CURSHCNV " |runmqsc QM1 |grep "CHANNEL(" |wc -l

Check whether the channel's maximum instances (MAXINST) or the queue manager's MaxChannels limit has been reached and act accordingly. MAXINST can be found on the channel definition.

On Unix the qm.ini is located at: /var/mqm/qmgrs/<QMGRNAME>/qm.ini

The queue manager attribute MaxChannels is set too low for the required number of client connections (the default is 100). Check whether MaxChannels is sufficient for the application; if not, increase it based on the load. A change to qm.ini requires a QMGR restart.

If you hit MaxChannels with a client application, the client is returned MQRC_CHANNEL_NOT_AVAILABLE (2537) / MQRC_MAX_CONNS_LIMIT_REACHED (2025), accompanied by the AMQERR01.LOG message AMQ9513: Maximum number of channels reached. There can also be limits on specific SVRCONN channels, set using MAXINST and MAXINSTC, which cause the same MQRC and error message.


To see this, look at the DISPLAY CHSTATUS command. Its status attribute CURSHCNV shows the number of conversations currently being shared over that one SVRCONN channel instance.

To see the local connections use the command:
DISPLAY CONN(*) ALL WHERE(CHANNEL EQ ' ')

To see the remote connections use the command:
DISPLAY CONN(*) ALL WHERE(CHANNEL NE ' ')

How to calculate the values to set for MAXINST and MaxChannels

Max Channels calculation for the QMGR:
  Number of sending MCA channels:            #send     +
  Number of receiving MCA channels:          #recv     +
  Total of all MAXINST (if used):            #clients  +   (or the value returned by echo " dis chs(*) CURSHCNV " |runmqsc QM1 |grep "CHANNEL(" |wc -l)
  -------------------------------------------------------------
  Set MaxChannels to this total:             #total
Calculating the channel instances for each specific channel:

echo " dis chs(CL.SG) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
echo " dis chs(CL.MY) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
echo " dis chs(CL.IN) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
echo " dis chs(SYSTEM.ADMIN.SVRCONN) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
echo " dis chs(SYSTEM.AUTO.SVRCONN) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
echo " dis chs(SYSTEM.DEF.SVRCONN) CURSHCNV" |runmqsc QM1 | grep "CHANNEL(" |wc -l
The sum of the above equals the value returned by the following command:
echo " dis chs(*) CURSHCNV " |runmqsc QM1 |grep "CHANNEL(" |wc -l

When we get the error, based on these values we need to modify MaxChannels in the QMGR qm.ini or MAXINST on the channel to solve the issue.
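As an added example (not part of the original post), the POSIX shell script below applies the counting described above to captured runmqsc output instead of a live queue manager. It counts channel instances the same way the grep "CHANNEL(" | wc -l one-liner does, breaks the count down per channel, sums CURSHCNV separately (shared conversations are not the same thing as channel instances, and only the instance count is compared with MaxChannels), and reports headroom against the limit. The channel status text is constructed to resemble what echo " dis chs(*) CURSHCNV " | runmqsc QM1 prints, and the MaxChannels value of 100 is the default named above; both are assumptions, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: count channel instances from
# captured runmqsc output and compare them with the qm.ini MaxChannels value.

MAXCHANNELS=100   # assumed: the product default mentioned in the post

# Constructed sample of 'echo " dis chs(*) CURSHCNV " | runmqsc QM1' output
# (not a real capture): three SVRCONN instances and one sender channel.
sample_chstatus() {
    cat <<'EOF'
Starting MQSC for queue manager QM1.

     1 : dis chs(*) CURSHCNV
AMQ8417I: Display Channel Status details.
   CHANNEL(CL.SG)                          CHLTYPE(SVRCONN)
   CONNAME(10.0.0.11)                      CURRENT
   CURSHCNV(3)                             STATUS(RUNNING)
AMQ8417I: Display Channel Status details.
   CHANNEL(CL.SG)                          CHLTYPE(SVRCONN)
   CONNAME(10.0.0.12)                      CURRENT
   CURSHCNV(1)                             STATUS(RUNNING)
AMQ8417I: Display Channel Status details.
   CHANNEL(CL.MY)                          CHLTYPE(SVRCONN)
   CONNAME(10.0.0.20)                      CURRENT
   CURSHCNV(2)                             STATUS(RUNNING)
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(10.0.0.30(1414))                CURRENT
   STATUS(RUNNING)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
EOF
}

# Same figure the post gets with grep "CHANNEL(" | wc -l: one line per instance.
count_instances() {
    grep -c 'CHANNEL('
}

# Instances per channel name, printed as "NAME COUNT", one channel per line.
instances_per_channel() {
    grep -o 'CHANNEL([^)]*)' | sed 's/CHANNEL(\(.*\))/\1/' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Sum of CURSHCNV over all instances: shared conversations, not instances.
# Entries without CURSHCNV (non-SVRCONN channels) contribute nothing.
sum_conversations() {
    grep -o 'CURSHCNV([0-9]*)' | tr -dc '0-9\n' | awk '{ s += $1 } END { print s + 0 }'
}

# check_headroom MAXCHANNELS USED [WARN_PCT]: OK / WARN / LIMIT (default warn at 80%).
check_headroom() {
    max=$1; used=$2; warn_pct=${3:-80}
    if [ "$used" -ge "$max" ]; then
        echo "LIMIT: $used of $max channels in use (AMQ9513 expected)"
    elif [ $((used * 100)) -ge $((max * warn_pct)) ]; then
        echo "WARN: $used of $max channels in use"
    else
        echo "OK: $used of $max channels in use"
    fi
}

# Stand-alone run over the constructed sample.
used=$(sample_chstatus | count_instances)
echo "channel instances: $used"
sample_chstatus | instances_per_channel
echo "shared conversations: $(sample_chstatus | sum_conversations)"
check_headroom "$MAXCHANNELS" "$used"
```

To use it against a live queue manager, replace the sample_chstatus function body with the runmqsc pipeline from the post; the rest of the script only reads standard input.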

Monday, February 15, 2021

Apache httpd virtualhost sample snippet

Refer to the sample Apache httpd virtualhost configuration below.


Listen WEBHOST1A:4443
<VirtualHost *:4443>
ServerName x01ib01.abc.com
DocumentRoot "/web/apache/WEB1A/var/www/html"

SSLEngine On
#Back-end TLS checks are switched off by the four SSLProxyCheckPeer*/SSLProxyVerify lines below: the App Server's certificate name, chain and expiry are not verified. Keep this only where the App Server is reached over a trusted network.
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyEngine on
ProxyRequests Off
ProxyPreserveHost On
#Only TLSv1.2 enabled with below tag
SSLProtocol -all +TLSv1.2
TraceEnable off
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#Certificate configured for the site with below files

SSLCertificateFile /web/apache/WEB1A/ssl/httpd.cer
SSLCertificateKeyFile /web/apache/WEB1A/ssl/httpd.key
SSLCACertificateFile /web/apache/WEB1A/ssl/httpd_ca.crt

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(DELETE|OPTIONS)
RewriteRule .* - [F]

#We can configure ProxyPass & ProxyPassReverse here to send request back to App Server

</VirtualHost>

How to list Ciphers and protocols from IP and PORT

To get the list of ciphers and protocols for any Java port running on the server, we can use the simple script below.

Replace the server and port in the snippet below and run the for loop. It will list all the protocols and ciphers supported by the port on the server.
We can use the same snippet to get the ciphers and protocols from a remote server as well.
This can only be run from a Linux/AIX/Solaris server.

for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
  # ssl2 is refused by current OpenSSL builds and simply produces no output.
  # -cipher selects TLS 1.2 and earlier suites only; for tls1_3 use -ciphersuites instead,
  # otherwise every name in the list appears to succeed because the default TLS 1.3 suites are negotiated.
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect SERVERIP:PORT -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done

For example, I have a Linux server where port 631 is up and listening.
Now I want to get the list of protocols and ciphers that this server and port support.
Replace the IP and port in the given ssl snippet and run it on the server. Refer to the output below (the stray t after each colon is echo printing \t literally rather than as a tab).
[wlsuser@localhost tmp]$ netstat -tnpl |grep 631
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
[wlsuser@localhost tmp]$ for v in ssl2 ssl3 tls1 tls1_1 tls1_2;

do for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
 openssl s_client -connect 127.0.0.1:631 -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo $v:\t$c
done
done


tls1:tAES256-SHA
tls1:tCAMELLIA256-SHA
tls1:tAES128-SHA
tls1:tSEED-SHA
tls1:tCAMELLIA128-SHA
tls1:tDES-CBC3-SHA
tls1:tIDEA-CBC-SHA
tls1_1:tAES256-SHA
tls1_1:tCAMELLIA256-SHA
tls1_1:tAES128-SHA
tls1_1:tSEED-SHA
tls1_1:tCAMELLIA128-SHA
tls1_1:tDES-CBC3-SHA
tls1_1:tIDEA-CBC-SHA
tls1_2:tAES256-GCM-SHA384
tls1_2:tAES256-SHA256
tls1_2:tAES256-SHA
tls1_2:tCAMELLIA256-SHA
tls1_2:tAES128-GCM-SHA256
tls1_2:tAES128-SHA256
tls1_2:tAES128-SHA
tls1_2:tSEED-SHA
tls1_2:tCAMELLIA128-SHA
tls1_2:tDES-CBC3-SHA
tls1_2:tIDEA-CBC-SHA
[wlsuser@localhost tmp]$
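The loop above ends with raw protocol:cipher lines like the ones shown. As an added example that is not part of the original post, the POSIX shell script below grades those lines so the scan ends in an actionable list: deprecated protocols, broken or export-grade ciphers, CBC-only suites and AEAD suites are separated, and a pass/fail gate is provided for use in a pipeline. The input is constructed from the kind of output shown above (with the literal t removed), and the policy encoded in the awk program is an assumption: only TLS 1.2 or later with AEAD suites (GCM, CCM or CHACHA20) is treated as OK.

```shell
#!/bin/sh
# Added example, not from the original post: grade "protocol:cipher" lines
# from the enumeration loop. The policy below is an assumption.

# Constructed input in the loop's output format (not a real scan result).
sample_scan() {
    printf '%s\n' \
        'tls1:AES256-SHA' \
        'tls1_1:DES-CBC3-SHA' \
        'tls1_2:AES256-GCM-SHA384' \
        'tls1_2:AES128-SHA256' \
        'tls1_2:DES-CBC3-SHA' \
        'tls1_2:IDEA-CBC-SHA' \
        'tls1_3:TLS_AES_256_GCM_SHA384'
}

# Reads protocol:cipher lines on stdin, writes "LEVEL protocol cipher".
classify_ciphers() {
    awk -F':' '
    NF >= 2 {
        proto = $1; cipher = $2
        gsub(/^[ \t]+|[ \t]+$/, "", cipher)
        if (proto ~ /^(ssl2|ssl3|tls1|tls1_1)$/)
            lvl = "WEAK-PROTOCOL"      # deprecated protocol, whatever the suite
        else if (cipher ~ /(NULL|EXP|RC4|MD5|DES-CBC3|IDEA|SEED)/)
            lvl = "WEAK-CIPHER"        # no encryption, export grade or broken primitives
        else if (cipher ~ /(GCM|CCM|CHACHA20)/)
            lvl = "OK"                 # AEAD suite on TLS 1.2 or later
        else
            lvl = "LEGACY-CBC"         # CBC suite: tolerated by some policies, not preferred
        print lvl, proto, cipher
    }'
}

# One line per level with its count, e.g. "WEAK-CIPHER 2".
summarize() {
    classify_ciphers | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Succeeds only when every negotiated combination is OK (usable as a CI gate).
policy_passes() {
    ! classify_ciphers | grep -qv '^OK '
}

# Stand-alone run over the constructed sample.
sample_scan | classify_ciphers
sample_scan | summarize
if sample_scan | policy_passes; then echo "policy: pass"; else echo "policy: FAIL"; fi
```

To grade a real scan, pipe the enumeration loop's output into classify_ciphers in place of sample_scan; anything other than OK is a finding to fix in the server's protocol and cipher configuration.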

Monday, February 1, 2021

Apache Security Headers [ PEN TEST Fixes ]

Most current applications have a web server as the first origin of the request. It is very important to secure the site using headers to prevent it from being compromised by a man in the middle.

Below are some of the important HTTP headers that can be configured in the web server to secure the system.

<IfModule mod_headers.c>
    # Add HttpOnly and Secure to every Set-Cookie that does not already carry them
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
    # set, not append: appending to an existing value produces "SAMEORIGIN, SAMEORIGIN", which browsers reject
    Header always set X-Frame-Options SAMEORIGIN
    # httpd adds its own Server header after mod_headers runs, so this line is not reliable; ServerTokens Prod is the supported way to shorten it
    Header set Server "my web server"
    # Legacy header ignored by current browsers; the Content-Security-Policy below is the effective control
    Header set X-XSS-Protection "1; mode=block"
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header set X-Content-Type-Options nosniff
    Header set Cache-Control "no-cache, no-store"
    Header set Pragma "no-cache"
    Header set Expires 0
    # "*" lets any origin read responses; restrict it to the origins that need cross-origin access, or omit it
    Header set Access-Control-Allow-Origin "*"
    Header always unset "X-Powered-By"
    Header unset "X-Powered-By"
    # Replace the Host header forwarded to the back end
    RequestHeader unset Host
    RequestHeader append Host app.com
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self';"
</IfModule>
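A pen-test fix is only done once the headers are verified on the wire. As an added example that is not part of the original post, the POSIX shell script below audits a captured HTTP response header block (the kind curl -sI returns) for the headers configured above: it reports missing Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Content-Security-Policy, cookies without HttpOnly or Secure, and an Access-Control-Allow-Origin of "*", and it notes fingerprinting headers. Both responses are constructed: one shows an origin server before the rules apply, the other the same site afterwards. The required-header list and the values checked are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit captured response headers
# against the security headers set in the mod_headers block. Policy is assumed.

# Constructed response: an origin server before the mod_headers rules apply.
sample_before() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: Apache/2.4.41 (Unix)' \
        'X-Powered-By: PHP/7.4' \
        'Set-Cookie: JSESSIONID=abc123; Path=/' \
        'Content-Type: text/html'
}

# Constructed response: the same site once the <IfModule mod_headers.c> block is in place.
sample_after() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: my web server' \
        'Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; secure' \
        'X-Frame-Options: SAMEORIGIN' \
        'Strict-Transport-Security: max-age=63072000; includeSubDomains' \
        'X-Content-Type-Options: nosniff' \
        'Access-Control-Allow-Origin: *' \
        "Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self';" \
        'Content-Type: text/html'
}

# Reads response headers on stdin; prints FINDING/INFO lines and a count.
# Exit status is 1 when at least one finding was raised.
audit_headers() {
    awk '
    BEGIN {
        # header -> substring its value must contain (assumed policy)
        req["strict-transport-security"] = "max-age="
        req["x-content-type-options"]    = "nosniff"
        req["x-frame-options"]           = "SAMEORIGIN"
        req["content-security-policy"]   = "default-src"
        findings = 0
    }
    /^[A-Za-z0-9-]+:/ {
        n = index($0, ":")
        name = tolower(substr($0, 1, n - 1)); val = substr($0, n + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        seen[name] = val
        if (name == "set-cookie") {
            if (tolower(val) !~ /httponly/) { print "FINDING: cookie without HttpOnly: " val; findings++ }
            if (tolower(val) !~ /secure/)   { print "FINDING: cookie without Secure: " val; findings++ }
        }
        if (name == "access-control-allow-origin" && val == "*") {
            print "FINDING: Access-Control-Allow-Origin is * (any origin may read responses)"; findings++
        }
        if (name == "x-powered-by" || name == "server")
            print "INFO: fingerprinting header present: " name ": " val
    }
    END {
        for (h in req) {
            if (!(h in seen)) { print "FINDING: missing header " h; findings++ }
            else if (index(seen[h], req[h]) == 0) { print "FINDING: " h " lacks " req[h] ": " seen[h]; findings++ }
        }
        print "findings: " findings
        exit (findings > 0 ? 1 : 0)
    }'
}

# Stand-alone run over both constructed responses.
echo "== before =="; sample_before | audit_headers
echo "== after  =="; sample_after  | audit_headers
```

Against a live site, replace the sample function with curl -sI https://host/ piped into audit_headers; a non-zero exit makes it usable as a post-deployment check. Note that the "after" response still raises one finding, the Access-Control-Allow-Origin "*" line from the configuration above.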
