Monday, August 19, 2019

awesome Kubernetes Best Practices videos

There is a whole series, all equally good.

Wednesday, August 14, 2019

WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

Looking into why the TLS sessions are constantly invalidated, removed from cache and recreated led to the discovery that it is WLS SSLConfigUtils.configureClientInitSecureRenegotiation() that initiates this:

at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(
at weblogic.socket.JSSEFilterImpl.doHandshake(
at weblogic.socket.JSSEFilterImpl.isMessageComplete(
at weblogic.socket.SocketMuxer.readReadySocketOnce(
at weblogic.socket.SocketMuxer.readReadySocket(
at weblogic.socket.NIOSocketMuxer.process(
at weblogic.socket.NIOSocketMuxer.processSockets(
at weblogic.socket.SocketReaderRequest.execute(
at weblogic.kernel.ExecuteThread.execute(


The code responsible is:

public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)

     if ((sslEngine != null) && (!sslEngine.getUseClientMode()))

       if (!clientInitSecureRenegotiation) {

       if (isLoggable()) {
         SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");

   else if (isLoggable()) {
     SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");



So invalidate() is called only if !clientInitSecureRenegotiation, but it appears that clientInitSecureRenegotiation (= isClientInitSecureRenegotiationAccepted) is always FALSE.

In JSSESocketFactory:

  JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)
    throws IOException
  {
    SSLEngine sslEngine = getSSLEngine(host, port);
    return new JSSEFilterImpl(connectedSocket, sslEngine, true);
  }

In JSSEFilterImpl:

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)
    throws IOException
  {
    this(sock, engine, clientMode, false);  // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE
  }

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted)  // this constructor is ultimately invoked
    throws IOException


So the only way to avoid session invalidation is to have IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET=false, that is, to set -Djdk.tls.rejectClientInitiatedRenegotiation=false (true or false doesn't seem to matter, as long as the variable is set).

Thanks to Carlo for the excellent analysis.

Sunday, August 11, 2019

Audit the content of a series of folders against a file

the audit.txt contains the list of original files:


this script checks that in the folders


there are no extra files or folders:

Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced
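
One way to run this kind of audit, as an added example that is not the script from the original post: it compares what find sees under the folders with the manifest and reports anything extra. It assumes audit.txt holds one path per line in the form find prints; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_extra MANIFEST DIR...
# Prints every file or folder found under the DIRs that MANIFEST does not list
# and returns 1 if there is at least one. MANIFEST holds one path per line,
# written the way find prints it (assumed format). Paths containing newlines
# are not supported.
audit_extra() {
    manifest=$1; shift
    tmp=$(mktemp -d) || return 2
    # LC_ALL=C gives sort and comm the same byte-wise ordering
    LC_ALL=C sort -u "$manifest" > "$tmp/expected"
    find "$@" -mindepth 1 | LC_ALL=C sort -u > "$tmp/actual"
    extra=$(LC_ALL=C comm -13 "$tmp/expected" "$tmp/actual")
    rm -rf "$tmp"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample: two folders, an audit.txt listing the two original
# files, then one file and one folder added afterwards.
demo() {
    root=$(mktemp -d) || return 2
    rc=0
    ( cd "$root" || exit 2
      mkdir -p conf bin
      : > conf/app.properties
      : > bin/start.sh
      printf '%s\n' conf/app.properties bin/start.sh > audit.txt
      mkdir bin/tmp
      : > conf/extra.jar
      audit_extra audit.txt conf bin ) || rc=$?
    rm -rf "$root"
    return "$rc"
}

demo || echo "audit failed: unexpected entries listed above"
```

Swapping `comm -13` for `comm -23` reports the opposite case, entries listed in the manifest that are no longer on disk.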

Saturday, August 10, 2019

OpenShift CI/CD

Good video on CI/CD: part 1, part 2

OpenShift 4 CI/CD

It is essential to have the "OpenShift Jenkins Pipeline (DSL) Plugin" installed in Jenkins.

OpenShift Pipelines with Tekton, and here is the code

rpm useful commands

list files installed by an INSTALLED rpm (for an UNINSTALLED rpm, add -p and provide full path to .rpm file):

rpm -ql nginx.x86_64

or also (if the rpm is not installed yet):

repoquery --list nginx.x86_64

verify that rpm installed files have not been tampered with:

rpm -V nginx.x86_64

display the postinstall and postuninstall scripts

rpm -q --scripts nginx.x86_64

which rpm provides a given file:

rpm -q --whatprovides /usr/sbin/nginx
or also
rpm -qf /usr/sbin/nginx

for a REALLY verbose verification output:

rpm -Vvv nginx.x86_64

Ref: fantastic all-in-one rpm cheat sheet
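
To make the output of rpm -V quicker to read, the following added example (not from the original post) picks out the lines that matter most for tamper checking: missing files, and files whose digest differs ("5" in the third column) without being marked as config files. The function names are illustrative and the sample lines are constructed in the format rpm -V prints.

```shell
#!/bin/sh
# rpm_verify_triage: read `rpm -V` output on stdin and print one line per
# finding that deserves a look first:
#   MISSING <path>   the file is gone
#   DIGEST  <path>   content digest differs ("5" in column 3) on a file that
#                    is not marked as a config file (c)
# Edited config files, mode-only and mtime-only changes are skipped.
rpm_verify_triage() {
    awk '
    {
        path = substr($0, index($0, "/"))        # path starts at the first slash
        marker = ($2 ~ /^[cdglr]$/) ? $2 : ""    # optional attribute marker
    }
    $1 == "missing" { print "MISSING " path; next }
    length($1) >= 8 && substr($1, 3, 1) == "5" && marker != "c" {
        print "DIGEST  " path
    }'
}

# Constructed sample in the format rpm -V prints (not captured from a real host).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/nginx/nginx.conf
..5....T.    /usr/sbin/nginx
.M.......    /var/log/nginx
missing     /usr/share/nginx/html/index.html
.......T.  d /usr/share/doc/nginx/README
EOF
}

sample_rpm_verify | rpm_verify_triage
```

On a real host the input would come from `rpm -V nginx.x86_64 | rpm_verify_triage`.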


Excellent side-by-side comparison

Useful terminology:

Bearer Tokens

Holder of Key

Sender Vouches

Proof of Possession


Openshift RedHat plugin for Intellij

Sample video on how to use it

I keep getting the message "odo not found, do you want to download it?" , I click "yes" and nothing visible happens.... even if I have odo.exe on the PATH, I still get the error message....

It doesn't seem very popular though.... very few downloads.... but I don't want to use Eclipse with its JBoss Openshift Client, I hate Eclipse...

However, Intellij has its own Cloud support for Openshift

CTRL-ALT-S, Cloud, Openshift

see also

Openshift 4, interesting readings ( not working for me.... ) see also

I have deployed with OpenShift Online,
using the Catalog option "Red Hat OpenJDK 8".

.\oc.exe new-app openshift/java:8~ --name=sbhwpv3
.\oc.exe expose service sbhwpv3

This still makes a very good developer introduction (a bit outdated) by Grant Shipley, really intense and focused.

amazing on Openshift infrastructure management

what is ignition

what is terraform

Thursday, August 1, 2019

Linux. find broadcast address of a given network interface

It's grotesque how in 2019 we still have to rely on primitive, ambiguous tools like grep and awk to extract information from a linux command

This is what I could come up with to "find broadcast address of a given network interface":

ip a s dev docker0 | grep "inet.*brd" | awk '{print $4}'

To subtract 1 from IP (see here):

cat checkip.ksh
echo "Enter ip:"
read IP_val
awk -F"/" -vvalip="$IP_val" '{if($NF==valip){split($1, A,".");A[4]-=1;VAL=A[1] OFS A[2] OFS A[3] OFS A[4]}} END{print VAL}' OFS="." ip_list

It's a mad world.

The broadcast address is always (?) the highest IP in the subnet range:
Hosts/Net: 62

and the gateway will be (broadcast-1) =

To find out what the default gateway is:
cat /etc/sysconfig/network

initialization scripts in /etc/sysconfig/network-scripts/ifcfg-*
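
The broadcast and "minus 1" calculations above can also be done with shell arithmetic alone. This is an added example, not code from the original post: it derives the broadcast address and host count from an address/prefix pair and decrements an address with a borrow across octets, a case that subtracting from the last octet only does not cover. The function names and sample addresses are constructed.

```shell
#!/bin/sh
# IPv4 helpers using shell arithmetic only (no grep or awk).

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: 32-bit integer back to a dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_broadcast ADDR/PREFIX: set every host bit of the network to 1
cidr_broadcast() {
    hostmask=$(( (1 << (32 - ${1#*/})) - 1 ))
    int_to_ip $(( $(ip_to_int "${1%/*}") | hostmask ))
}

# cidr_hosts ADDR/PREFIX: usable addresses, network and broadcast excluded
# (meaningful for prefixes up to /30)
cidr_hosts() { echo $(( (1 << (32 - ${1#*/})) - 2 )); }

# ip_minus_one ADDR: previous address, borrowing across octets when needed
ip_minus_one() { int_to_ip $(( $(ip_to_int "$1") - 1 )); }

# Constructed inputs: a /16 and a /26
cidr_broadcast 172.17.0.1/16
cidr_broadcast 192.168.1.10/26
cidr_hosts 192.168.1.10/26
ip_minus_one 192.168.1.63
ip_minus_one 10.0.1.0
```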