Sonarqube Nodejs on Windows

Problem

You’ve done some initial scans with SonarQube and see the potential to help you improve your codebase. You’ve got your builds flowing through Jenkins. There’s gotta be a way to integrate the reports from SonarQube into Jenkins.

Solution

1. Install SonarQube Scanner for Jenkins.
   1. I wanted to only do this on the dev branch.
2. I prefer to use Jenkins configuration rather than adding the bin directory to the path.
   1. This helps keep your builds light on dependencies.
   2. This makes it easier to add new nodes to Jenkins.
3. The below pipeline script will scan your current working directory.

JenkinsFile

References

1. StackOverflow: How to configure a Jenkins Pipeline for SonarQube scan:
2. Analyzing with SonarQube Scanner for Jenkins

IIS + Certs + Powershell = Profit

Problem

Configuring certificates for IIS isn’t always an easy task. This is particularly true if you’re coming from say the software development side of the industry rather than the operations side.

Solution

Certificates often utilize what’s referred to as a chain of trust. Certain certificate authorities publish root certificates. Then often there will be an intermediate certificate that links to the root certificate.

Intermediate Certificate

Here is how to import an intermediate certificate using PowerShell

Import-Certificate -FilePath test.crt -CertStoreLocation Cert:\LocalMachine\CA

Wildcard Certificate

Finally a wildcard certificate will be used, in our case for a website, that is validated by the intermediate certificate which depends on the root certificate. The below PowerShell imports the wildcard pfx certificate into the proper WebHosting certificate store.

Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\WebHosting

Applying Certificates

The below PowerShell shows how you can apply a certificate to an IIS binding that uses https. First you have to get your certificate’s thumbprint

Get-ChildItem -path cert:\LocalMachine\WebHosting

Copy the output and use it in the command below

New-WebBinding -Name site -Protocol "https" -HostHeader "dns.com" -SslFlags 1
$api = Get-WebBinding -Name site
$api.AddSslCertificate({copied thumbprint}, "webhosting");

References

1. Enabling TLS 1.2 using powershell
2. Use Powershell to bind SSL Certificates to an IIS Host Header SiteEnabling TLS 1.2 using powershell
3. Stack Overflow: Powershell – Set SSL Certificate on https Binding
4. When given .crt and .key files, make a .pfx file

Bacula: Disable Job

Problem

Bacula is all setup and humming along. Then you end up no longer needing and decommission a machine. The issue is that now the Bacula job to backup that machine fails since it cannot connect. That makes sense, but how do we preserve the backups that we already have until their retention period expires?

Solution

Update the configuration

1. 1. 1. Backup the file sudo cp /etc/bacula/bacula-dir.conf "/etc/bacula/bacula-dir.conf.backup.$(date +"%Y%m%d-%H%M%S")"
      2. Open the /etc/bacula/bacula-dir.conf
      3. Comment out or remove the job definition

Reload the configuration

1. Open the Bacula console with sudo bconsole
2. type reloadafter the asterisk(*)
3. hit enter
4. Done!

References

1. Stack Exchange Unix & Linux: Copy a file and append a timestamp
2. Bacula – Disable Client
3. Bacula – http://bacula.10910.n7.nabble.com/Reload-Configuration-without-restarting-td57873.html

JWT Lessons from Load Balancer

Problem

I had an Angular front end calling a .NET Web API backend. It would produce a JWT token for authentication. However different calls would fail to the backend with the correct token. I couldn’t always reproduce the failure with Postman either. Both the front-end and the back-end are load balanced.

By default the .NET Web API uses the machine key to produce the JWT token for authentication. The problem was that when server 2 tried to validate the token server 1 produced it failed and vice versa.

Solution

1. Generate a machine key using IIS
2. Add the newly generated machine key to your web.config
3. When you’re done, it will look like below

References

1. StackOverflow:Adding machineKey to web.config on web-farm sites

 

 

Brining Down Your Environment with IIS

Problem

I had a need to generate a unique machine key in IIS so that I could add it to the web.config of a load balanced site. I didn’t realize that by doing it wrong, I’d bring down the other .NET sites that used that machine key.

I went into IIS and clicked on Machine Key. I clicked Generate Keys and I selected “Generate a unique key for each application. This seemed reasonable since the applications were hosted in a multi-tenant environment.

After making that change, the sites that depended on the machine key would get an error stating “ERR_TOO_MANY_REDIRECTS“. The screen would look like the one below.

Solution

As it turns out that is the only combination of Machine Key options that can cause this error. All the other options pictured below will work.

References

1. StackOverflow: IsolateApps causes Decryption key specified has invalid hex characters

 

Jenkins SonarQube MSBuild Pipelines

Problem

You’ve finally got your SonarQube server setup and ready to go. Now you need an automated way to proceed with scanning. If you’ve already got a Jenkins instance up and running, then this post is for you.

Solution

1. Install the SonarQube Scanner for Jenkins plugin
2. Open your Jenkins Pipeline or Jenkinsfile
3. Add the following into one of your stages

Get Installed Programs

Problem

You need to understand how similar or different the programs installed on one or more servers are. There’s many use cases, but for me this was part of a migration effort.

Solution

1. 1. Run the following in PowerShell with Administrator Privileges
   2. Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize | Out-File "C:\Users\$($env:UserName)\Downloads\$($env:ComputerName)_$(get-date -f yyyy-MM-dd_HH-mm-ss)_installed_programs.txt" ​
   3. I stored it in the Downloads folder of the current user to be a good steward on the server
   4. I used the datetime stamp in the filename to ensure it’s clear when this was run.
   5. I used the %COMPUTERNAME% in the filename to make it easier to do this for multiple servers
   6. Not that you would ever have any differences among your web farm.

 

References

1. %username% variable in Powershell
2. PowerTip: Use PowerShell to Get Computer Name
3. Stack Overflow: How do I get the current username in Windows PowerShell?
4. How to Create a List of Your Installed Programs on Windows

Getting IIS Features Installed

Problem

You need to have a better understanding of the IIS as part of a migration or you’d like to scale out your existing environment. You’ve been keeping meticulous records of all IIS features in an easily digestible format, right?!?!?! This post is for anyone that hasn’t.

Solution

For Windows Server 2008 R2 only.

1. Open a command prompt as Administrator
2. Run the following command
3. C:\Windows\System32\ServerManagerCmd.exe -q > C:\Users\%USERNAME%\Downloads\%COMPUTERNAME%_iis_features.txt
4. I stored it in the Downloads folder of the current user to be a good steward on the server
5. I used the %COMPUTERNAME% in the filename to make it easier to do this for multiple servers
6. Not that you would ever have any differences among your web farm.

For Windows Server 2012 and above

1. Open up PowerShell with Administrator Privileges
2. Run the following command
3. ​​​​Get-WindowsFeature > $env:USERPROFILE\Downloads\$env:COMPUTERNAME$(get-date -f yyyy-MM-dd_HH-mm-ss)_iis_features.txt
4. I stored it in the Downloads folder of the current user to be a good steward on the server
5. I used the datetime stamp in the filename to ensure it’s clear when this was run.
6. I used the %COMPUTERNAME% in the filename to make it easier to do this for multiple servers
7. Not that you would ever have any differences among your web farm.

References

1. Hostname Variable Reference
2. Windows Environment Variables Reference
3. Export a list of installed IIS modules
4. Stack Overflow: TimeStamp on file name using PowerShell

Jenkins FreeStyle Tag Git

Problem

It’s often very challenging to determine exactly which version of the code Jenkins deployed through a given build.

Solution

1. You will need to grant your build account access to create tags in your git repository
2. Open your project in Jenkins
3. Click Configure
4. Click Build
5. Click Add a Build Step
6. Click either “Execute a Windows Batch Command” or “Execute a shell” depending upon your OS
7. 
8. Then add the following commands to your Freestyle project and Click Save

It will give you a nice output like jenkins-${JOB_NAME}-${BUILD_NUMBER} in the tag in git.

References

1. Stack Overflow: How do you push a tag to a remote repository using Git?
2. Jenkins BUILD_TAG reference

PING Redirect Gotcha

Problem

After configuring PING Identity Provider’s OpenToken IIS Agent, it will loop back and forth attempting to validate the token but never stopping. Here’s a copy of the IIS log.

Solution

1. Grant the IIS user for the site read access to C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (64-bit)\conf
2. This is the location of the configuration file it is trying to read to validate the token.

References

1. Where are the IIS Integration Kit logs?