How to install ERPNext

ERPNext is a web-based ERP tool with a lot of features (accounting, stock, project, …)

Before starting the installation

Check your IP address

$ ifconfig

Make an update / upgrade

$ sudo apt-get update

$ sudo apt-get upgrade

Installation

Install the Python requirements

$ sudo apt-get install python-minimal

$ sudo apt-get install build-essential python-setuptools

Download the easy installation script

$ wget https://raw.githubusercontent.com/frappe/bench/master/playbooks/install.py

Run the script

$ sudo python install.py --production

How to run the site in HTTPS, with let’s encrypt certificate

Log in as the frappe user

$ sudo su root

$ sudo su - frappe

Go to folder sites

$ cd frappe-bench/sites

$ mv site1.local erp.drawde.net

Modify

$ nano erp.drawde.net/site_config.json

$ cd ..

$ bench config dns_multitenant on

$ sudo -H bench setup lets-encrypt erp.drawde.net

Error to solve

When you go to the help on ERPNext, you have this error:

To avoid this, you need to migrate the bench framework. With this command:

$ bench --site erp.drawde.net migrate

 

For more details:

https://erpnext.org/

 

Install Webmin via APT

To install and update Webmin via APT on Debian, edit this file on your system:

/etc/apt/sources.list 

and add the line:

deb http://download.webmin.com/download/repository sarge contrib

You should also fetch and install the GPG key with which the repository is signed, using these commands:

cd /root

wget http://www.webmin.com/jcameron-key.asc

apt-key add jcameron-key.asc

You will now be able to install with the commands:

apt-get update

apt-get install apt-transport-https

apt-get install webmin

All dependencies should be resolved automatically.

More info: http://www.webmin.com/deb.html

 

Tibco Spotfire Server – Single Sign On Guide

 

Introduction

How to implement a login automation method for Spotfire Server 7.0.

PS: Most of this guide comes from the official documentation of Tibco Spotfire Server 7.0, so it is just a quick help for the implementation.

Server Designed

Spotfire infra:

Spotfire Server

Activate NTLM

To activate the NTLM module, you must download the jcifs component:

http://public.tibco.com/pub/tibco_oss/jcifs/

Version jcifs_1.3.17.zip

Unzip and copy

jcifs.jar

to

D:\tibco\tss\7.0.0\tomcat\webapps\spotfire\WEB-INF\lib

Restart the server; you should not have any errors in the logs:

D:\tibco\tss\7.0.0\tomcat\logs

Warning Logs

A security issue has been logged by default:

WARN 2015-06-08T10:46:26,875+0200 [*Initialization*] spotfire.server.LifecycleManager: The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy does not seem to be installed. Please consider installing it for improved security.

To solve this issue, download the following zip file:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Unzip and copy to:

D:\tibco\tss\7.0.0\jdk\jre\lib\security

Rename the existing files before copying.

Restart the service; the message is no longer shown.

SSO Authentication

Kerberos is a single sign-on protocol that allows for secure authentication even over unsecure networks. The Kerberos protocol uses tickets for authentication instead of user names and passwords. The tickets are issued by a centralized Kerberos server and contain information that only the intended target of the ticket can decrypt. In Microsoft Windows environments, the domain controllers act as Kerberos servers, and every user automatically signs in to Kerberos when logging in to the Windows desktop. Kerberos can be a bit hard to set up, but once it is fully working you have a very secure authentication system with the benefits of single sign-on.

Prerequisites

  • Windows Domain Controllers running Windows Server 2003 SP1 or later.
  • A computer with the Microsoft Active Directory Users and Computers MMC snap-in.
  • A computer with the Microsoft Support Tools installed.
  • A domain administrator account or a user account which is a member of the built in Account Operators domain group, or any account with similar permissions.
  • Windows Domain accounts for all Spotfire users
  • A fully working User Directory in place, either in
      • LDAP mode (recommended) or
      • Spotfire database mode, provided that the built-in Post-Authentication Filter is auto-creating

It is usually a good idea to first create a working setup where the server uses Basic/LDAP authentication and a User Directory in LDAP mode and then proceed with switching from Basic/LDAP to Kerberos.

Configuration Instructions

The following instructions are required to configure Spotfire Server for the Kerberos authentication method.

As a Domain Administrator:

1 Create a Kerberos service account:

In this step the Kerberos service account is created. The following examples will assume that the account’s name is spotsvc.

Logged in as a domain administrator or a user which is a member of the built in Account Operators domain group, launch the Active Directory Users and Computers MMC snap-in and create a normal user account with the following properties:

  • Use the same identifier in the Full name and User logon name (pre-Windows 2000) fields and make sure to use only lower case characters and that there are no spaces in these fields.
  • Select the Password never expires option.
  • Clear the User must change password at next logon option.
  • If Kerberos unconstrained delegation is to be used for Information Services data sources, the account option Account is trusted for delegation must also be selected.
  • Kerberos constrained delegation can also be used for Information Services data sources, but is set up on a service-by-service basis and is not described here.

2 Register Service Principal Names:

While still logged in as a domain administrator or as a user which is a member of the built in Account Operators domain group, use the setspn.exe command-line tool to register two Service Principal Names (SPNs) for the Kerberos service account. The setspn.exe command-line tool is a part of the Microsoft Support Tools package which is typically installed on domain controllers. The Support Tools can also be downloaded from Microsoft’s web page.

The setspn.exe tool for Windows Server 2008 or later has been improved with extra argument checking to prevent duplicate Service Principal Names from being created. If you use the improved version of the setspn.exe tool, then execute the following two commands to register the Service Principal Names:

> setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -S HTTP/<hostname>[:<port>] <service account name>

If you are using the setspn.exe tool for Windows Server 2003 or earlier, the extra argument checking is not supported. Instead, execute the following two commands to register the Service Principal Names:

> setspn -A HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -A HTTP/<hostname>[:<port>] <service account name>

Note: It is recommended not to have multiple Kerberos-enabled HTTP services on one machine.

Replace the <fully qualified hostname>, <service account name>, <hostname> and <port> with the appropriate values. Note: It is vital to note that all values are case sensitive.

fully qualified hostname: The fully qualified DNS hostname of the computer hosting Spotfire Server (written in lower case)

hostname: The short DNS hostname, without domain suffix, of the computer hosting Spotfire Server (written in lower case)

service account name: The user login name of the previously created Kerberos service account (written in lower case)

port: The TCP port number that Spotfire Server is listening on

Note: You must use the name of an A record for Spotfire Server. A CNAME record will not work.

Note: Avoid explicitly specifying the port number if Spotfire Server is using the default HTTP port 80.

Example: Registering Service Principal Names for the spotsvc Kerberos service account to be used by a Spotfire Server installed on the spotfireserver.research.example.com computer and listening on the default HTTP port 80 or the default HTTPS port 443:

> setspn -A HTTP/spotfireserver.research.example.com spotsvc

> setspn -A HTTP/spotfireserver spotsvc

This will create these two Service Principal Names:

HTTP/spotfireserver.research.example.com

HTTP/spotfireserver

Example: Registering Service Principal Names for the spotsvc Kerberos service account to be used by a Spotfire Server installed on the spotfireserver.research.example.com computer and listening on the non-default HTTP port 8080:

> setspn -A HTTP/spotfireserver.research.example.com:8080 spotsvc

> setspn -A HTTP/spotfireserver:8080 spotsvc

This will create two SPNs

HTTP/spotfireserver.research.example.com:8080

HTTP/spotfireserver:8080

To list the resulting Service Principal Names for a Kerberos service account, you can execute the following command:

> setspn -L <service account name>

Example: Verifying Service Principal Names for the spotsvc Kerberos service account

> setspn -L spotsvc

3 Create a keytab file for the Kerberos service account:

While still logged in as a domain administrator or as a user which is a member of the built in Account Operators domain group, execute the following command:

> ktpass /princ HTTP/<fully qualified hostname>[:<port>]@<realm> /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser <service account name> /out spotfire.keytab -kvno 0 /pass *

Replace the <fully qualified hostname>, <port>, <realm>, and <service account name> with the appropriate values.

Note: It is vital to note that all values are case sensitive.

fully qualified hostname: The fully qualified DNS hostname of the computer hosting Spotfire Server, which must exactly match the fully qualified hostname used when registering the SPNs (written in lower case)

port: The TCP port number that Spotfire Server is listening on (only specified if the port number was explicitly included in the registered SPNs)

realm: The name of the Kerberos realm, which is the DNS domain name written in upper case

service account name: The user login name of the service account with the registered SPNs (written in lower case)

The tool will prompt for the password of the service account. Enter the same password as when creating the service account.

It is not critical to use the name spotfire.keytab for the keytab file. However, the remaining instructions will assume that this is the name of the keytab file.

Note: If you ever change the password of the Kerberos service account in the future, you must re-create the keytab file.

Note: Older versions of the ktpass.exe tool will fail to create the keytab file when it is not being run on an actual domain controller.

Example: Creating a keytab file for the spotsvc Kerberos service account in the research.example.com domain for Spotfire Server listening on the default HTTP port 80 on the spotserver.research.example.com computer:

> ktpass /princ HTTP/spotfireserver.research.example.com@RESEARCH.EXAMPLE.COM /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser spotsvc /out spotfire.keytab -kvno 0 /pass *
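The case and port rules from steps 2 and 3 can be checked before anything is typed on the domain controller. The Python sketch below is an added example, not part of the Tibco documentation; the function names and the sample `setspn -L` output are constructed for illustration.

```python
import re

# Ports for which the page's examples register the SPN without a port suffix.
DEFAULT_PORTS = (80, 443)


def spn_plan(fqdn, realm, account, port=None, duplicate_check=True):
    """Build the setspn and ktpass command lines after enforcing the case rules."""
    problems = []
    if fqdn != fqdn.lower() or "." not in fqdn:
        problems.append("hostname must be fully qualified and lower case")
    if realm != realm.upper():
        problems.append("realm must be upper case")
    if account != account.lower() or re.search(r"\s", account):
        problems.append("service account must be lower case, no spaces")
    if problems:
        raise ValueError("; ".join(problems))

    suffix = "" if port is None or port in DEFAULT_PORTS else ":%d" % port
    short = fqdn.split(".", 1)[0]
    spns = ["HTTP/" + fqdn + suffix, "HTTP/" + short + suffix]
    flag = "-S" if duplicate_check else "-A"  # -S needs Server 2008 or later
    principal = spns[0] + "@" + realm
    ktpass = ("ktpass /princ %s /ptype krb5_nt_principal /crypto rc4-hmac-nt "
              "/mapuser %s /out spotfire.keytab -kvno 0 /pass *"
              % (principal, account))
    return {
        "spns": spns,
        "setspn": ["setspn %s %s %s" % (flag, spn, account) for spn in spns],
        "principal": principal,
        "ktpass": ktpass,
    }


def principal_is_registered(setspn_l_output, principal):
    """True if the SPN part of a keytab principal appears, case-exact,
    among the HTTP/ entries of `setspn -L` output."""
    spn = principal.rsplit("@", 1)[0]
    registered = [ln.strip() for ln in setspn_l_output.splitlines()
                  if ln.strip().startswith("HTTP/")]
    return spn in registered


# Constructed sample of `setspn -L spotsvc` output for the port-80 example.
SAMPLE_SETSPN_L = (
    "Registered ServicePrincipalNames for "
    "CN=spotsvc,CN=Users,DC=research,DC=example,DC=com:\n"
    "\tHTTP/spotfireserver\n"
    "\tHTTP/spotfireserver.research.example.com\n"
)

if __name__ == "__main__":
    plan = spn_plan("spotfireserver.research.example.com",
                    "RESEARCH.EXAMPLE.COM", "spotsvc")
    print("\n".join(plan["setspn"] + [plan["ktpass"]]))
    print(principal_is_registered(SAMPLE_SETSPN_L, plan["principal"]))
```

A principal that differs from the registered SPN by a single character or by case, for example a different host name in the keytab than in `setspn -L`, is reported as not registered.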

Example: Creating a keytab file for the spotsvc Kerberos service account in the research.example.com domain for Spotfire Server listening on the HTTP port 8080 on the spotserver.research.example.com computer:

On Spotfire Server:

4 Copy the Kerberos service account’s keytab file to Spotfire Server:

Copy the spotfire.keytab file to the directory <installation dir>\jdk\jre\lib\security (Windows) or <installation dir>/jdk/jre/lib/security (Unix) on Spotfire Server.

Note: Since this file contains sensitive information it must be handled with care. The file must not be readable for unauthorized users.

To list the contents of the keytab file, use the klist command-line tool which will list the principal name and security credentials. The tool is included in the bundled JDK and is only available when installed on Windows:

> <installation dir>\jdk\jre\bin\klist.exe -k -t -K <keytab file>

To test the keytab file, use the kinit command-line tool which is also included in the bundled JDK on Windows platforms:

> <installation dir>\jdk\jre\bin\kinit.exe -k -t <keytab file> HTTP/<fully qualified hostname>[:<port>]@<realm>

If the keytab file is correctly set up, a ticket cache file will be created in the logged in user’s home directory. It can typically be found with the path C:\Users\<user>\krb5cc_<user>. As soon as you have verified that the ticket cache was created, you must delete the ticket cache file to prevent future problems.

5 Configure Kerberos for Java:

Open the file krb5.conf located in the directory <installation dir>\jdk\jre\lib\security (Windows) or <installation dir>/jdk/jre/lib/security (Unix) and edit the following values to reflect your environment:

MYDOMAIN: The name of the Kerberos realm, usually the same as the name of the Windows Domain, written in upper case

mydomain: The name of the Windows Domain, written in lower case

mydc: The name of the domain controller, written in lower case

Note: The arguments are case-sensitive. It is critical to use the correct case for these values!

For more information, see « krb5.conf » on page 181.

Example: Configuring Kerberos for Java in the research.example.com domain, with the two domain controllers dc01.research.example.com and dc02.research.example.com:

===============
Krb5.conf
===============
[libdefaults]
default_realm = RESEARCH.EXAMPLE.COM
default_keytab_name = spotfire.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
RESEARCH.EXAMPLE.COM = {
kdc = dc01.research.example.com
kdc = dc02.research.example.com
admin_server = dc01.research.example.com
default_domain = research.example.com
}
[domain_realm]
.research.example.com = RESEARCH.EXAMPLE.COM
research.example.com = RESEARCH.EXAMPLE.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

6 Select Kerberos as the Spotfire login method:

Use the Configuration Tool

or

Use the config-kerberos-auth command (page 217) to configure the Kerberos authentication method. The command takes the following two parameters:

Keytab file: The fully qualified path to the spotfire.keytab file. If the keytab file is named spotfire.keytab and has been copied to the recommended directory, the default path ${java.home}/lib/security/spotfire.keytab is already correct. The shorthand ${java.home} refers to the directory <installation dir>\jdk\jre (Windows) or the <installation dir>/jdk/jre (Unix)

Service Principal Name: Specify the same Service Principal Name that was used when creating the keytab file. Example: HTTP/spotfireserver.research.example.com

Use the set-auth-mode command (page 277) to activate the Kerberos SSO authentication method.

Import the configuration and restart the server for the changes to have effect.

7 Disable user name and Password fields in client login dialog:

Since the Kerberos authentication method provides single sign-on capabilities, there is no need to prompt an end user for user name and password in the Spotfire client login dialog. In fact, any entered user name and password is unlikely to work, even if the credentials are fully valid.

Use the Configuration Tool or the following config-login-dialog command to disable the user name and password fields in the Spotfire client login dialog:

> config config-login-dialog --allow-user-provided-credentials=false

(For more information about the config-login-dialog command, go to page 218.)

Note: If you are using the Configuration Tool, select Never display login dialog for the Login dialog option.

Then, import the new configuration and restart the server.

Web Player

Modify web.config:

Go to:

D:\TIBCO\Spotfire Web Player\7.0.0\webroot

Change the Spotfire Server in the web.config file:

<authentication serverUrl="http://servername" enableAutocomplete="false">

Quick tutorial to Install, Run and Monitor Logstash in Elastic infrastructure

Logstash is an open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to your favorite “stash.”

For this tutorial, I use an Ubuntu server installation with the default packages and a default installation of the Elastic stack.

Installation

Download the Logstash package; the latest version is available here.

$ wget https://artifacts.elastic.co/downloads/logstash/logstash-5.1.2.deb

Run the dpkg command to install:

$ sudo dpkg -i logstash-5.1.2.deb

Logstash config

Each .conf file in the /usr/share/logstash folder contains the script for one « flow ». Just add another script file to create a new Logstash instance.

The example script below analyses the network connection port based on syslog events.

So, go to the default logstash folder and create a new scripting file:

$ cd /usr/share/logstash
$ sudo nano logstash-simple.conf

Copy / paste this script:

input {
  tcp {
    port => 5000 # syslog port. can be changed
    type => syslog
  }
  udp { # optional. required if syslog events are sent using UDP.
    port => 5000
    type => syslog
  }
}
# Do not change the contents of filter codec
filter {
  if [type] == "syslog" {
    grok {
      # The original pattern is cut off after the hostname field; GREEDYDATA
      # (field name syslog_message chosen here) keeps the rest of the line.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:hostname} %{GREEDYDATA:syslog_message}" }
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"] # change host as required
    user => "elastic"
    password => "changeme"
  }
}

And save the file.

Edit rsyslog.conf to forward the events to Logstash:

$ sudo nano /etc/rsyslog.conf

And add this:

*.* @@127.0.0.1:5000
*.* @127.0.0.1:5000

START logstash

The command below starts a new agent based on the config file:

$ cd /usr/share/logstash
$ sudo bin/logstash -f logstash-simple.conf

Monitoring

Now, I create a new config file for monitoring Logstash. The script reads the log file and imports the data into Elasticsearch. As a final touch, it will be available in Kibana!

First, create a config file to specify the log and the Elasticsearch cluster:

input {
  file {
    path => "/var/log/logstash/logstash-plain.log"
    start_position => "beginning"
    type => "logs"
  }
}
output {
  elasticsearch {
    hosts => "127.0.0.1:9200"
    user => "elastic"
    password => "changeme"
    index => "logstash-test-%{+YYYY.MM.dd}"
  }
}

Copy it to the default conf.d folder of Logstash:

Now restart the service with the service command:

$ sudo service logstash restart

Finally, go to Kibana and create a new index pattern named « logstash-test-* »

All logs are now available via Elasticsearch and Kibana.

MONITOR with kibana

To see beautiful graphs about Logstash, you need the X-Pack features.

Install x-pack

Run the command below to install x-pack for Logstash:

$ sudo ./bin/logstash-plugin install x-pack

Configure x-pack

Modify the yml file and add these parameters at the end of the file:

xpack.monitoring.enabled: "true"
xpack.monitoring.elasticsearch.url: "http://localhost:9200"
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "changeme"

Restart

Restart Logstash and Kibana with the service command.

A welcome dashboard is now available about your Logstash agent.
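The pipeline files and the monitoring settings above all carry the elastic user with the password "changeme" in clear text. The Python check below is an added example, not code from the tutorial or from Elastic: it flags password settings in both syntaxes and skips values supplied through Logstash's `${VAR}` environment-variable references. The function name and the sample snippets are constructed.

```python
import re

# Matches Logstash pipeline syntax (password => "x") and
# yml settings syntax (xpack.monitoring.elasticsearch.password: "x").
PASSWORD_LINE = re.compile(
    r"""^\s*(?P<key>[\w.]*password)\s*(?:=>|:)\s*"""
    r"""(?P<quote>["']?)(?P<value>[^"'\s#]*)(?P=quote)""",
    re.IGNORECASE,
)
# ${VAR} or ${VAR:default}
ENV_REFERENCE = re.compile(r"^\$\{[^}:]+(?::(?P<default>[^}]*))?\}$")
# Password value used in every snippet on this page.
DEFAULT_PASSWORDS = {"changeme"}


def audit_passwords(text, source="<config>"):
    """Return (source, line number, key, kind) for each risky password line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out setting
        match = PASSWORD_LINE.match(line)
        if not match:
            continue
        value = match.group("value")
        env = ENV_REFERENCE.match(value)
        if env:
            # An environment reference is fine unless its fallback is a default.
            if env.group("default") in DEFAULT_PASSWORDS:
                findings.append((source, number, match.group("key"),
                                 "default-password"))
            continue
        kind = ("default-password" if value in DEFAULT_PASSWORDS
                else "literal-password")
        findings.append((source, number, match.group("key"), kind))
    return findings


# Constructed samples mirroring the snippets shown in this tutorial.
SAMPLE_PIPELINE = """output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    user=> "elastic"
    password=> "changeme"
  }
}
"""
SAMPLE_YML = """xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "changeme"
"""

if __name__ == "__main__":
    for finding in (audit_passwords(SAMPLE_PIPELINE, "logstash-simple.conf")
                    + audit_passwords(SAMPLE_YML, "logstash.yml")):
        print("%s:%d %s -> %s" % finding)
```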

How to Backup and Restore with Elasticsearch

The snapshot and restore module allows you to create snapshots of individual indices or an entire cluster in a remote repository such as a shared file system, S3, or HDFS.

The full detailed documentation is here.

Requirements

Check that the config file has « path.repo » set:

$ nano /etc/elasticsearch/elasticsearch.yml

SNAPSHOT

Create the snapshot repository with this command:

PUT /_snapshot/backup
{
  "type": "fs",
  "settings": {
      "compress": true,
      "location": "/usr/share/elasticsearch/backup"
  }
}
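Elasticsearch only accepts an "fs" repository whose location lies inside a directory listed under path.repo, which is why the requirement above matters. The Python sketch below is an added example, not part of the original tutorial or of Elasticsearch: it reads path.repo from elasticsearch.yml text and checks a location against it before the PUT is sent. The function names and sample values are constructed.

```python
import posixpath
import re


def repo_paths(yml_text):
    """Return the directories listed under the flat path.repo key.

    Handles scalar, inline-list and block-list forms; the nested
    "path:" / "repo:" spelling is not handled in this sketch.
    """
    paths, in_block = [], False
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        match = re.match(r"^path\.repo\s*:\s*(.*)$", line)
        if match:
            value = match.group(1).strip()
            if not value:  # a block list follows on the next lines
                in_block = True
                continue
            in_block = False
            for item in value.strip("[]").split(","):
                if item.strip():
                    paths.append(item.strip().strip("\"'"))
        elif in_block and line.lstrip().startswith("- "):
            paths.append(line.lstrip()[2:].strip().strip("\"'"))
        else:
            in_block = False
    return paths


def location_allowed(location, allowed):
    """True if a repository location resolves inside one of the allowed paths.

    A relative location is resolved against the first path.repo entry.
    """
    if not allowed:
        return False  # path.repo not configured: every fs location is refused
    if not posixpath.isabs(location):
        location = posixpath.join(allowed[0], location)
    resolved = posixpath.normpath(location)
    for base in allowed:
        base = posixpath.normpath(base)
        if resolved == base or resolved.startswith(base.rstrip("/") + "/"):
            return True
    return False


# Constructed sample of elasticsearch.yml content.
SAMPLE_YML = """cluster.name: demo
path.repo: ["/usr/share/elasticsearch/backup"]
"""

if __name__ == "__main__":
    allowed = repo_paths(SAMPLE_YML)
    for candidate in ("/usr/share/elasticsearch/backup",
                      "/usr/share/elasticsearch/backup2",
                      "/usr/share/elasticsearch/backup/../../../etc"):
        print(candidate, location_allowed(candidate, allowed))
```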

This command shows the snapshot path:

GET /_snapshot/

BACKUP

Initiate the backup with this command based on the snapshot:

PUT /_snapshot/backup/snapshot_1
{
  "indices": "recipes",
  "ignore_unavailable": true,
  "include_global_state": false
}

To show the status of the snapshot:

GET /_snapshot/backup/snapshot_1

The files created:

RESTORE

Also create the same snapshot path:

Execute this type of command to restore:

POST /_snapshot/backup/snapshot_1/_restore

DELETE

How to delete a snapshot:

DELETE /_snapshot/backup/snapshot_1

How to quickly install Elasticsearch on Ubuntu server

This guide contains a quick reference on how to install Elasticsearch on Ubuntu Server 16.04 via the deb package.

Download the package via the wget command (click here for the latest version):

$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.2.2.deb

Then install the deb file:

$ sudo dpkg -i elasticsearch-5.2.2.deb

The command to start it at boot:

$ sudo update-rc.d elasticsearch defaults 95 10

And the useful start and stop commands:

$ sudo -i service elasticsearch start
$ sudo -i service elasticsearch stop

Now start your browser to check that Elasticsearch is running (default port is 9200):

The Debian package places config files, logs, and the data directory in the appropriate locations for a Debian-based system:

Type | Description | Default Location | Setting
home | Elasticsearch home directory or $ES_HOME | /usr/share/elasticsearch |
bin | Binary scripts including elasticsearch to start a node and elasticsearch-plugin to install plugins | /usr/share/elasticsearch/bin |
conf | Configuration files including elasticsearch.yml | /etc/elasticsearch | path.conf
conf | Environment variables including heap size, file descriptors. | /etc/default/elasticsearch |
data | The location of the data files of each index / shard allocated on the node. Can hold multiple locations. | /var/lib/elasticsearch | path.data
logs | Log files location. | /var/log/elasticsearch | path.logs
plugins | Plugin files location. Each plugin will be contained in a subdirectory. | /usr/share/elasticsearch/plugins |
repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | path.repo
script | Location of script files. | /etc/elasticsearch/scripts | path.scripts

How to install free SSL (Let’s encrypt) Certificate on Debian server

Let’s Encrypt is a free, automated, and open Certificate Authority. The goal is to implement the certificate on a web server. I used a standard Debian 7 server with Webmin installed. Webmin is a web interface to manage your server. You can find more info here.

First connect to your Webmin interface (usually port 1000):

Click on the left menu and go to webmin configuration:

Click on « SSL Encryption »:

Select the last tab « Let’s encrypt » and enter your full hostname, like: « server1.example.be » (without quotes). Select the options below and click on « Request Certificate »:

With the menu, expand the « Servers » item and click on « Apache Webserver »

Select your default Virtual Server with the support of encryption (by default it is the 443 port):

Select « SSL Options » icon and enter the paths below:

Click « Save » and then « Apply Changes »; the Apache service will restart and you now have your free certificate on your web server:

 

How to deploy your GIT repository to FTP server

In this article, I will explain how to deploy your code, hosted on Github, to an FTP server.

Here were my requirements for deploying my PHP code to a standard FTP server:

  • Compatible with Bitbucket
  • Fully automated
  • FTP deployment
  • Free (with a possibility for upgrading to a paid version)
  • Web hosted

Solution found:

After a bit of surfing I found these web services:

https://ftploy.com/

https://www.deployhq.com/

But after testing, I chose DeployHQ.

This is the list of compatible source code platforms:

You just need to create an account. If you have only one project hosted, the registration is free.

The dashboard view of your project with the last deployment and the number of servers:

The definition of your FTP server (you can use also SSH, Amazon S3,…):

To publish to multiple servers at once, you can set up a group of servers:

When you commit and push to your Git repository, you can transfer your files automatically:

The deployment window with the start and end commit. You have also the possibility to « Preview » your deployment: