Add ons to help Monitor and Manage OSCAR

UpdatedMarch 13, 2024

By Peter Hutten-CzapskiPeter Hutten-Czapski

Monitoring some metrics using Java Melody and phpmyadmin

Java Melody

Java Melody is an open source tool for monitoring JAVA EE web applications

With this you will be able to :

monitor average response times and number of executions
make decisions before problems become too serious
optimize based on the more limiting response times
find the root causes of response times
verify the real improvement after optimizations

https://github.com/javamelody/javamelody/wiki

Configuration of Java Melody

Java Melody is already integrated in OSCAR 19, but it is disabled by default. If needed certain steps must be taken to enable and secure it’s operation. The first two settings are usually accomplished by the DEB. Note that even with these steps the jdbc is NOT picked up by Java Melody with OSCAR 19 on Tomcat 9

1) Server must be using SSL

2) Turn on headless (add to CATALINA_OPTS)

 -Djava.awt.headless=true

3) Create a user, and add them to “monitoring” role. This is done in tomcat-users.xml. for example. This secures the monitoring to those who provide the credentials.

<role rolename="monitoring"/>
<user username="melody" password="*****" roles="monitoring"/>

4) Turn on your instance in the monitoring filter section of var/lib/tomcat9/webapps/oscar/WEB-INF/web.xml. for example so it looks like

<filter>
	   <filter-name>monitoring</filter-name>
	   <filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
	   <init-param>
	   	   <param-name>system-actions-enabled</param-name>
	   	   <param-value>true</param-value>
	   </init-param>
	   <init-param>
	   	   <param-name>disabled</param-name>
	   	   <param-value>false</param-value>
	   </init-param>                           
</filter>

5) If OSCAR is not reloaded with this change, you will need to restart tomcat

Now access your server with /monitoring in the url, so for example

https://localhost:8443/oscar/monitoring

supply the username and password you set for the monitoring user

and you should see

PhpMyAdmin

Many users prefer a graphic interface to maintain MariaDB rather than using the Shell. As phpMyAdmin is a known target for malicious actors, and the login is your MariaDB password, best practice is to harden the webserver. Apache2 is the default and should be used although it may require additional configuration if you are using Certbot or are running a Tomcat-Apache connector.

PhpMyAdmin with Apache

sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl

When the phpmyadmin installer gives you the choice of Apache or Lighttpd you must hit [Space] to select the option [*] BEFORE you hit [OK] or no configuration of the webserver will take place.

Run the installation as above. Test that the base installation is working by going to http://localhost/phpmyadmin

The following are instructions to secure Apache2 with phpMyAdmin on port 80. It is never a good idea to put anything sensitive on port 80 and expose it to the internet. Additional complication to serve on 443 are beyond the scope of these instructions.

PhpMyAdmin and UFW

One simple approach is to configure your firewall to prevent access to Apaches 80 (and potentially 443) ports. Leave external access only to Tomcat on 8443 which will give access to OSCAR. You will probably want a single or a range of workstations to access phpMyAdmin. This can be set by specific ip (more secure) or CIDR range (more convenient). For example if your workstation’s external IP is 203.0.113.101 and you wish to add access to phpMyAdmin from that workstation you will use the following command on the UFW on the machine that serves OSCAR and phpMyAdmin. (Replace the example with your desired IP or range.)

sudo ufw allow from 203.0.113.101 to any port 80

A reasonable configuration for UFW with OSCAR and the above machines access to phpMyAdmin may look similar to the below.

sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere 
8443 ALLOW Anywhere 
3306 DENY Anywhere 
8080 DENY Anywhere 
80 ALLOW 203.0.113.101
80 DENY Anywhere 
Apache Secure DENY Anywhere 
22/tcp (v6) ALLOW Anywhere (v6) 
8443 (v6) ALLOW Anywhere (v6) 
3306 (v6) DENY Anywhere (v6) 
8080 (v6) DENY Anywhere (v6) 
80 (v6) DENY Anywhere (v6) 
Apache Secure (v6) DENY Anywhere (v6)

Notes: Standard OSCAR installation will configure MariaDb (3306), Tomcat on 8080, and Apache Secure (443) to prevent access or not bind those ports. The above UFW configuration is a belt and suspenders approach to provide a layered defense in case there is a vulnerability in any given layer.

That might be enough if you never touch your firewall. However if you are opening port 80 from time to time for Certbot, there is a (short) time where this will be exposing your phpMyAdmin to the internet. Not to mention something can happen along the way and port 80 will be open for longer than you think. Thus to layer defend phpMyAdmin consider an additional security measure.

PhpMyAdmin and .htaccess

If you want to harden further one way of doing this is to place a gateway in front of the entire application by using Apache’s built-in .htaccess authentication and authorization functionalities.

The older approach would be to use a .htaccess file override and is illustrated elsewhere on the internet. Apache now suggests the more efficient approach when you add htaccess directives to your <directory> configuration by editing, in this case, your phpMyAdmin installation’s Apache configuration file.

Below we will use nano to edit the phpmyadmin.conf file. Feel free to use your favorite text editor in its stead.

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Add lines to the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:

<Directory/usr/share/phpmyadmin> 
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AuthType Basic 
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user 
 .....

</Directory>

Here is what each of these lines mean:

AuthType Basic: This type will implement password authentication using a password file containing the hashed password(s).
AuthName: This used to set the message for the authentication dialog box. This is usually no longer displayed for security. Keep it generic in case.
AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served.
Require valid-user: This is essential to ensure only authenticated users are given access to this resource.

When you are finished, save and close the file.

The location that you selected for your password file was /etc/apache2/.htpasswd. You can now create this file and pass it an initial user (“restricteduser” here) with the htpasswd utility:

$ sudo htpasswd -c /etc/apache2/.htpasswd restricteduser
New password:
Re-type new password:
Adding password for user restricteduser

You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered. You can cat the file to ensure that the username and (hashed) password are present

If you want to add an additional user to the file, you need to do so without the -c flag, like this:

sudo htpasswd /etc/apache2/.htpasswd anotheruser

Then restart Apache to put it all into effect

sudo systemctl restart apache2

Now, when you access your phpMyAdmin subdirectory (and only that directory), you will be prompted once per session for the additional account name and password that you just configured. Test by logging in to either of the following as appropriate from the Apache machine or the LAN.

http://localhost/phpmyadmin
http://IP/phpmyadmin

After entering the Apache authentication (the username and password you supplied earlier), you’ll be taken to the regular phpMyAdmin authentication page to enter your MariaDB credentials. If you don’t supply correct authentication (worth testing) Apache will serve you an “unauthorized” error page.