Install Apache 2.2 with OpenSSL and Tomcat connector

Jephe Wu -

Objective: Install Apache, Openssl and Tomcat connector with the latest version to address vulnerabilities
Environment: CentOS 4.4, use chroot configuration (/chroot)

1. download the latest softwares from individual websites:
openssl 1.0.0a
tomcat connector 1.2.30

2. install openssl 1.0.0a

if you have installed previous version of openssl, rename /usr/local/ssl to /usr/local/ssl.version
cd /usr/local; mv ssl ssl.0.9.8d
cd openssl-1.0.0a
./config;make;make test;make install

note: all the files will be written to /usr/local/ssl directory.

3. install httpd 2.2.15
"./configure" \
"--prefix=/usr/local/apache2" \
"--enable-mods-shared=most ssl rewrite deflate headers expires mime-magic unique-id" \
"--with-ssl=/usr/local/ssl" \

make;make install

note: Some basic Apache configuration in httpd.conf
LoadModule authz_host_module modules/ 

#note: without above, you will get error below when you run 'bin/apachectl configtest' under /usr/local/apache2 directory
#Syntax error on line 167 of /usr/local/apache2/conf/httpd.conf:
#Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

LoadModule deflate_module modules/
LoadModule log_config_module modules/
LoadModule env_module modules/
LoadModule mime_magic_module modules/
LoadModule setenvif_module modules/
LoadModule ssl_module modules/
LoadModule cgi_module modules/
LoadModule mime_module modules/
LoadModule alias_module modules/
LoadModule rewrite_module modules/
Include conf/extra/httpd-default.conf

4.  tomcat connector installation

cd /home/jephe/apache2215/tomcat-connectors-1.2.30-src/native
./configure --with-apxs=/usr/local/apache2/bin/apxs
cd /home/jephe/apache2215/tomcat-connectors-1.2.30-src/native/apache-2.0
cp /usr/local/apache2/modules/

add the following line to /usr/local/apache2/conf/httpd.conf LoadModule directive

LoadModule jk_module modules/

1. you can find the building instruction at

5. Hardening apache

a. change conf/extra/httpd-default.conf
ServerSignature Off
ServerTokens Prod
MaxKeepAliveRequests 10000
TraceEnable off  => disable trace method

b. disable SSL2 and weak ciphers


c. put into chroot environment

new method: use apache 2.2. builtin chroot 
Since Apache 2.2.10,  it supports chroot, all you need to do is just put chrootdir /path in the main configuration file httpd.conf. You don't have to create anything under /path

startup Apache with command /usr/local/apache2/bin/apachectl start

Advantage: simplify chroot configuration, Apache 2.2.10 above only, it works with cronolog.
Disadvantage: it doens't work with cognos web gateway, got 'internal server error'. Also, when I tried to use Redirect index.html https://domain/path/to  in Apache virutal host configuration, it doesn't work, I have to change it to RewriteRule ^/$ https://domain/path/to to make this kind of redirection work.

old method: user manual chroot settings
search for 'chroot apache', some page is at

change /etc/init.d/apache starting script for $HTTPD
to  /usr/sbin/chroot /chroot $HTTPD
note: we use /chroot as chroot directory

[root@web1 conf]# ls /chroot
dev  etc  lib  opt  usr  var

note: according to my test, when you use manual chroot, if you use cronolog , you will hit  the problem, apache cannot find the path of the cronolog, so cannot start up Apache

Advantage: Apache 2.2 doesn't work with this kind of chroot if you are using cronolog, has not tried cognos web gateway, I don't think it works either, because when I was testing cronolog, it cannot find the program path
apache 2.0 is working with both cronolog and cognos web gateway
Disadvantage:  configuration is a bit difficult

6. testing Apache configuration
a.  syntax test
cd /usr/local/apache2
bin/apachectl configtest

b. Qualys SSL server test

7. solution for Apache 2.0, chroot and cognos web gateway, cronolog
Using tranditional chroot, Apache 2.0.63, openssl 0.9.8o version.
If you using openssl 1.0.0.a version, apache 2.0.63 cannot compile successfully.


How to restore objects for Oracle database

Jephe Wu -

Objective: restore backup some tables, procedures and packages from daily night backup
Environment: RHEL 5 64bit, Oracle 11g 64bit


1. daily cronjob backup job
put the following inside your cronjob shell script to backup the schema1 and schema2 excluding table JEPHE1

export PATH=/usr/bin:/usr/sbin:/bin:/sbin
export NLS_DATE_FORMAT='DD-MON-YYYY HH24:MI:SS' # So time is shown in logs as well as date

. /u01/app/oracle/product/11.2.0/xe/bin/  # or whatever path of file 

#===========program starts here

DAY=`date +%w`
for i in schema1 schema2
expdp userid=\"/ as sysdba\" directory=cronjob dumpfile=$i.dmpdp.$DAY logfile=$i.logdp.$DAY schemas=$i exclude=statistics parfile=/path/to/excludes.par
sync;sleep 3
rm -f $i.dmpdp.$DAY.gz $i.logdp.$DAY.gz
gzip /path/to/$i.dmpdp.$DAY /path/to/$i.logdp.$DAY

# more excludes.par
exclude=TABLE:"in ('JEPHE1')"

2.  restore preparation
use sql script to delete those procedures and packages first before actual restoration, for tables, you can use table replace action parameter, no need to delete tables first.

# more drop.sql
drop procedure procedure1;
drop package  package1;

# sqlplus schema1  @drop.sql

3. create database directory if necessary
I am going to conigure /home/oracle as database directory name 'oracle and copy those backup files under /home/oracle.
create [ or replace ] directory oracle as '/home/oracle’ 
grant read,write on directory oracle to system
select * from dba_directories

4. actual restoration process  (from schema1 objects backup to schema2 schema)

stop listener - lsnrctl stop

impdp system parfile=schema1.par logfile=schema1.logdp remap_schema=schema1:schema2 remap_tablespace=schema1:schema2 transform=oid:n

# more schema1.par
include=PROCEDURE:"in ('PROC1')"
include=PACKAGE:"in ('PAC1')"
include=TABLE:"in ('TABLE1')"

a. if you need to restore to the objects from the same schema. (from schema1 backup to schema1 schema)
impdp system parfile=schema1.par logfile=schema1.logdp schemas=schema1

impdp system directory=backup schemas=jephe dumpfile=jephe.dmpdp.5 logfile=jephe.logdp.5 include=TABLE:\"=\'CSTB_BACKUP_REQUEST_DET\'\" table_exists_action=replace
impdp system directory=cronjob schemas=jephe dumpfile=jephe.dmpdp.5 logfile=jephe.logdp.5 include=TABLE  table_exists_action=replace

5.  compile all schema objects then check invalid objects
sqlplus / as sysdba
exec dbms_utility.compile_schema('SCHEMA1');

For how to check invalid objects, refer to another article at

6. start listener and register services
lsnrctl start
sqlplus / as sysdba
alter system register;

7. Appendix: how to restore a package from dumpfile and generate sql file without actual restoration.

impdp directory=cronjob dumpfile=jephe.dmpdp.6 schemas=JEPHE include=PACKAGE:\"=\'NAMEOFOBJECT\'\" sqlfile=NAMEOFOBJECT.sql

How to do deployment for Oracle database

Jephe Wu -

Objective: how to do deployment properly for a production Oracle 11g database
Environment: RHEL 5 64bit + Oracle 11g 64bit

1. Check if any user is using the database
The easy way to check is to go to OEM(Oracle Enterprise Manager) page, performance section, CPU usage to check if any schema user is still using database.

2. stop listener -  lsnrctl stop  (login as oracle user)
stop listener to prevent anyone from using the database during deployment.

3. proceed deployment
compile procedures, packages, table changes etc

4. re-compile all the schemas and check invalid objects
sqlplus / as sysdba
> exec dbms_utility.compile_schema('SCHEMA_NAME');

note: SCHEMA_NAME must be in capital letter, e.g. U_1000

 a. the number of invalid objects check, excluding objects beginning with FB_%
select count(*) from dba_objects where owner='U_10000' and status <> 'VALID' and object_name not like 'FB_%'  group by object_type;

b. details for invalid objects
select object_type , object_name from dba_objects where owner='U_1000' and status <> 'VALID' and object_name not like 'FB_%' order by object_type,object_name;

5. start listener  - lsnrctl start

6. register database services with listener to serve the client immediately, otherwise, need to wait for up to 1 minute to register database services with the listener.
sqlplus / as sysdba
> alter system register;

How to securely delete files or erase the whole hard disk

Jephe Wu -

Objective: securely delete files for Windows and Linux or erase the whole hard disk
Environment: Windows and Linux

1. delete files only
a. use free GUI open source tools eraser -
note: When I use version 6.0.7 under Windows vista, it cannot start, saying 'Eraser has  stopped working', you can solve it by deleting C:\Users\Jephe\AppData\Local\Eraser 6\Task List.ersx.

b. use sdelete at

c. use DOS-based tool 'secure erase' at

d. freeraser -

e. use shred for Linux

2. erase the whole hard disk
a. use ISO CD

b. use free version of Active @ killdisk at

c. use dd or ddrescue command
dd if=/dev/zero of=/dev/sda

How to check openssl renegotiation and weak cipher vulnerability

Jephe Wu -
Environment: Apache httpd server with openssl
Objective: check renegotiation and weak cipher vulnerability and patch them

1. How to check if a website supports openssl renegotiation and weak cipher?
method 1: openssl s_client command
use openssl command that comes with CentOS 5.5:

openssl s_client -connect
it will show 'secure renegotiation is NOT supported or supported' message

use openssl ciphers to know all the ciphers on the client Linux PC, then you can use the following commands to check specific cipher support on server:
openssl s_client -connect -cipher LOW:EXP  - check if it suports low or exp ciphers, for what are the low or exp ciphers, see
openssl s_client -connect -cipher EXP-RC4-MD5 - check specific cipher

openssl s_client -connect -cihper MEDIUM

method 2: use public ssl database report

method3: use downloaded tool
download sslciphercheck from
then use sslciphercheck -h to check all supported ciphpers

2. How to patch it
For renegotiation vulnerability, you can upgrade to openssl 1.0a version.
For weak cipher, you can use the  following ciphersuite configuration in Apache


You can disable RC4 also, so it becomes:



1. you can list all ciphers the current openssl supports on the server:

/usr/local/ssl/bin/openssl ciphers | sed -e 's#:#\n#g' | sort

3. References
redhat knowledge base:


How to disable TRACE method for Apache

Jephe Wu -

Environment: Apache web server
Objective: Disable trace/track method

1. How to test to confirm if a website supports trace/track
 a. for port 80

If you see positive response which is 200 code, that means it supports trace. 
If it's 403 Forbidden, it means it doesn't support.
or if you don't have telnet, you can use nc command
nc 80
telnet server/ipaddr 80
OPTIONS * HTTP/1.0  => capital letter.
if you saw 'TRACE' appear in allowed methods, then trace method is allow, although 
you can disable the echo using rewrite rule:


The OPTIONS method can be used by a client to determine which methods are allowed. Even when TRACE is disabled using the mod_rewrite method above, the OPTIONS response will report that TRACE is enabled. However, TRACE will be rejected with a 403 error before it is processed, and the potentially harmful behavior of TRACE — echoing input data to the response — won't be allowed.
b. for port 443
openssl s_client -connect
openssl s_client -connect
2. How to disable it?
method 1: TraceEnable off (Available in Apache 1.3.34, 2.0.55 and later), 
put it in httpd.conf main configuration file
simpler, more direct, and requires less overhead than using mod_rewrite.

method 2:  mod_rewrite in every virtual host
# Block TRACE/TRACK XSS vector
 RewriteEngine On
 RewriteRule .* - [F]
3. why we should disable trace method

The HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes.
the complete request, including HTTP headers, is returned in the entity-body of a TRACE response. Using features that provide client-side HTTP protocol support, such as XMLHTTP ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACE requests. The site can read the TRACE response, including sensitive header information such as cookies or authentication data.
4. References
a. Web servers enable HTTP TRACE method by default -
b. Secure Apache TRACE Vulnerabilities -