KAGAYA's Blog

Spotfire Server 12.0.8とOpenID Connect連携の設定方法

Microsoftのアイデンティティプラットフォームには、IDトークンのv1.0版とv2.0版の2種類があります。これらのバージョンは、トークンに含まれるクレームを決定します。v1.0とv2.0のIDトークンは、それぞれが持つ情報に違いがあります。トークンのバージョンは、それが要求されたエンドポイントに基づいています。新しいアプリケーションはv2.0を使用するべきです。

v1.0の認証エンドポイント: https://login.microsoftonline.com/common/oauth2/authorize
v2.0の認証エンドポイント: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

上記の2種類のトークン、v1.0とv2.0は登録時に両方使用可能ですが、v2.0が推奨されています。登録プロセスについては、以下の手順を参照してください：

1) https://portal.azure.com にログインし、「Microsoft Entra ID」セクションでアプリケーションを登録します。

2) 「アプリ登録」->「新規アプリケーション登録」をクリックします。別のページが表示され、フィールド名、アプリケーションタイプ（Webapp/API）、および「リダイレクトURL」を入力する必要があります。

3) TIBCO Spotfireサーバー設定でカスタムのパブリックアドレスを有効にします。

4) UIConfigの「OpenID Connect」タブを選択し、OpenID Connectを有効にします。

5) Azureで、登録済みのアプリケーションをクリックします。Spotfireサーバー設定ツールからのリターンエンドポイントURL、アプリケーションID、テナントID、オブジェクトIDが表示されます。

6) 「クライアントシークレット」の取得方法：「証明書＆シークレット」をクリックし、「新規クライアントシークレット」をクリックし、説明と期間を入力して保存します。フィールドにキーが生成されるので、クリップボードにコピーします。

7) UIConfig->設定->「Web認証（例：OpenID Connect）」を選択します。

8) UIConfig->「OpenID Connect」->「新規プロバイダー追加」をクリックします。プロバイダー名、ディスカバリードキュメントURL、クライアントID、クライアントシークレットを指定します。

a) UIConfig >> Discovery document URL: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
「Azure Active Directory」>>「アプリ登録」>> アプリ選択 >> 「テナントID」を参照します。
例：https://login.microsoftonline.com/55e98fdf-9ac4-42f6-a35d-6bcb4d9b4bc7/.well-known/openid-configuration
b) UIConfig >> クライアントIDは「アプリケーションID」です。
c) UIConfig >> クライアントシークレットは、アプリからAzureによって生成された「シークレットキー」です。

さらに詳細な情報は以下のリンクで確認できます：

例：

番号	項目名	値
1.	Configuration Start -> Authentication	Web Authentication(e.g. OpenID Connect)
2.	Configuration Start -> User directory	Database
3.	OpenID Connect -> Enable OpenID Connect	Yes
4.	OpenID Connect -> Enable Third Party Login Initiation	Yes
5.	OpenID Connect -> Enable RP-Initiated Logout	No
6.	OpenID Connect -> Enable Back-Channel Logout	No
7.	OpenID Connect -> Enable Front-Channel Logout	No
8.	OpenID Connect -> Return Endpoint	`https://[FQDN]/spotfire/auth/oidc/authenticate`
9.	OpenID Connect -> Third Party Login Initiation Endpoint	`https://[FQDN]/spotfire/auth/oidc/v1/initiate`
10.	OpenID Connect -> Enabled	Yes
11.	OpenID Connect -> Provider name	Azure
12.	OpenID Connect -> Discovery document URL	`https://login.microsoftonline.com/[tenantID]/.well-known/openid-configuration`
13.	OpenID Connect -> Client ID	「アプリケーションID」
14.	OpenID Connect -> Client secret	「シークレットキー」

Migrating Spotfire Server 14 + PostgreSQL Data to a New Server

Importing Spotfire Database on the New Server

Create Database and Role:
- Launch PostgreSQL (psql) as the postgres user.
- Execute the following commands:
  - CREATE ROLE spotfire LOGIN CREATEDB PASSWORD 'yourPassword';
  - CREATE DATABASE spotfire_server OWNER spotfire;
Import Data:
- Use the command below to import data into the spotfire_server database:psql -U spotfire -d spotfire_server -f spotfire14.pgsql > import_spotfire_server.log 2>&1

Importing Spotfire ActionLog Database

Create ActionLog Database and Role:
- Again, use PostgreSQL (psql) as the postgres user.
- Execute these commands:
  - CREATE ROLE spotfire_actionlog LOGIN CREATEDB PASSWORD 'yourPassword';
  - CREATE DATABASE spotfire_server_actionlog OWNER spotfire_actionlog;
Import ActionLog Data:
- To import data into spotfire_server_actionlog, use:psql -U spotfire_actionlog -d spotfire_server_actionlog -f spotfire_actionlog.pgsql > import_spotfire_server_actionlog.log 2>&1

Handling Errors

In case of any operation errors, follow these steps to delete the spotfire_server_actionlog database and the spotfire_server user:

Delete Database and User:
- DROP DATABASE spotfire_server_actionlog;
- Then, check for sequences and views linked to the spotfire_server_actionlog database:
  - Sequences:SELECT sequence_name FROM information_schema.sequences WHERE sequence_catalog = 'spotfire_server_actionlog' AND sequence_schema = 'public';
  - Views:SELECT table_name FROM information_schema.views WHERE table_catalog = 'spotfire_server_actionlog' AND table_schema = 'public';
- Revoke all privileges and drop the role:
  - REVOKE ALL PRIVILEGES ON SCHEMA public FROM spotfire_actionlog;
  - DROP ROLE spotfire_actionlog;

探索RAID技术

RAID 5

硬盘数量：至少需要3个硬盘。
奇偶校验信息：在 RAID 5 中，奇偶校验信息分布在所有硬盘上。对于阵列中的每个数据块，其奇偶校验块存储在不同的硬盘上。这意味着阵列可以承受任意单个硬盘的故障。

RAID 6

硬盘数量：至少需要4个硬盘。
奇偶校验信息：RAID 6 使用两份独立的奇偶校验信息，同样分布在所有硬盘上。这使得 RAID 6 阵列可以承受任意两个硬盘的同时故障。

数据和奇偶校验分布：在这两种类型的 RAID 配置中，数据块和奇偶校验块分布在所有硬盘上，而不是单独存储在特定的硬盘上。

容错性和效率：RAID 5 提供了较高的存储效率（大约为硬盘总容量的 2/3），而 RAID 6 提供了更高的容错性，但以降低存储效率（大约为硬盘总容量的 1/2）为代价。

RAID 0

硬盘数量：至少需要2个硬盘。
数据存储：在 RAID 0 中，数据被分成多个块（striping），然后平均分布在所有硬盘上。
存储效率：RAID 0 提供了100%的存储效率，因为所有硬盘的全部容量都被用于存储数据。
容错性：RAID 0 不提供任何容错性。如果任何一个硬盘故障，整个阵列的数据都会丢失。
性能：RAID 0 通常提供最高的读写性能，因为数据被平行地分布在多个硬盘上。

RAID 1

硬盘数量：至少需要2个硬盘。
数据存储：在 RAID 1 中，数据在两个硬盘上被镜像存储，即每个硬盘都有一份相同的数据副本。
存储效率：RAID 1 的存储效率约为50%，因为每个硬盘的一半容量用于存储数据的副本。
容错性：RAID 1 提供很高的容错性，因为每个硬盘都有数据的完整副本。一个硬盘故障时，数据仍然安全。

RAID 10（也称为 RAID 1+0）

硬盘数量：至少需要4个硬盘。
数据存储：RAID 10 是 RAID 0 和 RAID 1 的组合。首先，数据在两个硬盘上被镜像（RAID 1），然后这些镜像集合又被分条存储（RAID 0）。
存储效率：RAID 10 的存储效率约为50%，因为它将一半的存储空间用于数据镜像。
容错性：RAID 10 提供很高的容错性和良好的性能。它可以承受至少一个硬盘的故障，有时甚至能承受两个硬盘的故障（只要它们不是同一个镜像对中的硬盘）。

RAID 2

特点：RAID 2 使用了位级别的分条（striping），并且使用汉明码进行错误校正。
弱点：这种类型的 RAID 需要大量的硬盘来存储错误校正代码，并且它的复杂性使得它在成本和效率方面不具竞争力。现代硬盘通常已经内置了错误校正功能，使得 RAID 2 变得多余。

RAID 3

特点：RAID 3 使用字节级别的分条，并有一个专用硬盘用于存储奇偶校验信息。
弱点：由于所有读写操作都必须包括奇偶校验硬盘，这限制了其性能。随着技术发展，其他如 RAID 5 的方案以更高的灵活性和效率提供了类似的功能。

RAID 4

特点：与 RAID 3 类似，但使用块级别的分条。它也有一个专用硬盘用于存储奇偶校验信息。
弱点：RAID 4 的主要限制是写入性能，因为所有写入操作都必须更新奇偶校验硬盘。RAID 5 提供了类似的保护，但以更优的写入性能分布了奇偶校验负担。

按存储效率排序（高到低）

RAID 5：提供最高的存储效率。如果使用N个硬盘，存储效率约为 (N-1)/N，因为只有一个硬盘的空间用于奇偶校验数据。
RAID 10：存储效率较低，大约为 50%，因为数据被镜像存储在两个不同的硬盘上。
RAID 6：存储效率最低。如果使用N个硬盘，存储效率约为 (N-2)/N，因为有两个硬盘的空间被用于奇偶校验数据。

按速度排序（高到低）

RAID 10：通常提供最高的读写速度。由于数据镜像和分条，它兼顾了性能和冗余。
RAID 5：提供良好的读速度，但写速度由于奇偶校验计算而受到影响。它在读取操作中表现更优，因为可以从多个硬盘并行读取。
RAID 6：读速度与 RAID 5 相似，但写速度由于额外的奇偶校验计算而更慢。RAID 6的写性能受到双重奇偶校验的影响。

Setting Up a Private VPN with Ngrok + OpenVPN in a Shared Network Environment

In scenarios like community-free networks where router access for port forwarding is not available, setting up a private VPN can be achieved using Ngrok and OpenVPN.

Install PiVPN and Choose OpenVPN (with TCP):

   sudo apt update -y && sudo apt upgrade -y
   curl -L https://install.pivpn.io | bash

Choose OpenVPN (not WireGuard, as it only supports UDP).
Set a local port, e.g., 11111.
Choose DNS, e.g., Google.
Select TCP.

Register and Install Ngrok:

   wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
   sudo tar -xvzf ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin
   ngrok config add-authtoken [yourToken]

Output will confirm auth-token is saved.

Map the Local Port with Ngrok:

   ngrok tcp 11111

Note down the output showing the session status and the forwarding TCP address (e.g., tcp://0.tcp.jp.ngrok.io:[remotedPort]).

Edit the .ovpn File Created by pivpn add:

Reflect the 0.tcp.jp.ngrok.io:[remotedPort] information in the file.
Note: With the free version of Ngrok, the [remotedPort] changes with each restart.

Now, You Should Be Able to Access the Internal Network Using OpenVPN.

Setting Up a Boot Startup Task File:

Create an Auto-start Task:

   crontab -e

Add the following line to start Ngrok with the system:
@reboot nohup ngrok tcp 11111 > /path/to/ngrok.log 2>&1

Or you can make a daemon:

cd /etc/systemd/system
sudo touch ngrok.service
sudo chmod 644 ngrok.service

ngrok.service:

[Unit]
Description=Ngrok Service
After=network.target

[Service]
ExecStart=/home/username/dev/ngrok.sh > /tmp/ngrok.log 2>&1
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target

ngrok.sh(make it executable):

#!/bin/bash
/usr/local/bin/ngrok config add-authtoken [yourToken]
/usr/local/bin/ngrok tcp [yourLocalPort]

then,

sudo systemctl daemon-reload
sudo systemctl restart ngrok.service

You can get the information of that randomized port used by ngrok:

curl http://127.0.0.1:4040/api/tunnels | jq '.tunnels[] | .public_url'

use OpenVPN in Linux as client side:

sudo openvpn --config [yourName].ovpn --connect-retry 0

Dealing with Frequently Changing Public IPs: No-IP DUC Script Setup

For situations where the public IP is constantly changing, install a background script using No-IP’s service:

Install No-IP DUC Client:

   cd /usr/local/src
   tar xzf noip-duc-linux.tar.gz
   cd noip-2.1.9-1
   sudo make
   sudo make install

Create and Configure the No-IP DUC Client:

   sudo /usr/local/bin/noip2 -C

You will be prompted to enter your No-IP username, password, and hostnames you wish to update.

Run the No-IP DUC Client:

   sudo /usr/local/bin/noip2

Check the No-IP DUC Client Status:

   sudo /usr/local/bin/noip2 -S

Set Up Automatic Startup:

Edit the crontab:
sudo crontab -e
Add the following line for auto-start:
@reboot /usr/local/bin/noip2

Android Screen Mirroring to Ubuntu

Need to choose File Transfer/Android Auto

Prepare Android Device:
Enable ‘USB debugging’: Settings > About phone > Tap ‘Build number’ 7 times > Back > Developer options > USB debugging.
Enable ‘USB debugging (Security settings)’.
Setup on Ubuntu:
Install ADB: sudo apt install adb -y
Install Scrcpy: sudo apt install scrcpy -y
Connect Device:
Use USB to connect Android to Ubuntu.
Check connection: adb devices
Restart ADB if needed:
- adb kill-server
- adb start-server
Start Mirroring:
Command: scrcpy --bit-rate 2M --max-size 800
Troubleshooting:
Restart the phone if issues arise.

Configuring Spotfire Server to Access the Internet via a Proxy Server

Navigate to Spotfire Server Installation Path:
- Go to: C:\tibco\tss\12.0.8\tomcat\bin
- Execute Command: tomcat9.exe //ES//Tss1208
Java Configuration:
- Tab: Java
- Initial Memory Pool: 4096 MB
- Maximum Memory Pool: 4096 MB
Setting Java Options for Proxy Configuration:
- -Dhttp.proxyHost=[HTTP Proxy Address]
- -Dhttp.proxyPort=[HTTP Proxy Port]
- -Dhttps.proxyHost=[HTTPS Proxy Address]
- -Dhttps.proxyPort=[HTTPS Proxy Port]
Restart Spotfire Server Service:
- Stop and restart the Spotfire Server service for changes to take effect.

For Linux-based Spotfire server, just edit setenv.sh

Setting Up a Domain xxx.local in Windows Server 2019

Initial Setup

Install Active Directory Domain Services (AD DS)

Open Server Manager.
Click Manage, then select Add Roles and Features.
Follow the wizard, selecting Role-based or feature-based installation.
Select your server, then check Active Directory Domain Services in the roles list.
Click Next until completion, then click Install.

2. Configure Active Directory

After installation, open Server Manager, click the yellow warning sign at the top, and choose Promote this server to a domain controller.
Select Add a new forest and input your domain name, e.g., xxx.local.
Set the DSRM (Directory Services Restore Mode) password.
Follow the wizard to complete the setup and click Install.

3. Verify Installation

The server will restart automatically after installation. Post-restart, check the domain services’ status in Server Manager to ensure everything is running smoothly.

Additional Configuration

DNS Configuration

DNS is usually auto-configured with Active Directory. Ensure it correctly resolves names within the domain.

2. Creating User and Computer Accounts

Open Active Directory Users and Computers.
For users: Right-click your domain (e.g., xxx.local) and select New > User.
For computers: Find or create an Organizational Unit (OU), right-click, and select New > Computer.

3. Configuring Group Policy

Open Group Policy Management.
Right-click on your domain or specific OU, and select Create a GPO in this domain, and Link it here.
Name the new GPO and click OK.
Right-click the new GPO and select Edit to open the Group Policy Editor.
Configure settings under Computer Configuration and User Configuration as needed.
Close the editor when done. Apply the new policy during the next refresh cycle or use gpupdate /force.

4. Joining Computers to the Domain

On each computer, open System Properties, click Change settings and join the domain under the Computer Name tab.

5. Setting Up Shares and Permissions

Set up file shares on the server and configure appropriate access permissions.

6. Security Configuration and Monitoring

Regularly update and maintain the server for security.
Monitor network activity and logs for system stability.

Enable Wi-Fi on Windows Server 2019

PS C:\Users\Administrator> Get-WindowsFeature *Wireless*

Display Name Name Install State
------------ ---- -------------
[X] Wireless LAN Service Wireless-Networking Installed

PS C:\Users\Administrator> Install-WindowsFeature -Name Wireless-Networking

Success Restart Needed Exit Code Feature Result

shutdown –f –r –t 0

PS C:\Users\Administrator> Set-Service WlanSvc -startuptype automatic -passthru

Status Name DisplayName
------ ---- -----------
Running WlanSvc WLAN AutoConfig

PS C:\Users\Administrator> Start-Service WlanSvc -PassThru

Status Name DisplayName
------ ---- -----------
Running WlanSvc WLAN AutoConfig

How to Replace an EC2 Instance’s Volume with One Created from a Snapshot

Preparatory Steps:

1. Identify the Desired Snapshot:

a. Navigate to the EC2 Dashboard in the AWS Management Console.
b. Click on “Snapshots” in the left navigation pane.
c. Sort snapshots by creation time/date to locate the snapshot you want to use.

2. Determine the Corresponding Volume:

a. From the selected snapshot’s details, identify the source volume ID or any other relevant volume information.

3. Locate the Associated EC2 Instance:

a. With the volume information from the previous step, go to “Volumes” in the left pane.
b. Locate the volume and check its “Attachment Information” column. This will display the instance ID with which the volume is associated.

4. Document the Pairing:

Create a table or list documenting the Snapshot ID, Volume ID, and corresponding Instance ID for streamlined operations. eg:
- snap-XXXXXXX 500 GiB 20230530 Standard Completed 2023/05/30 09:48 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node3): /dev/sda1 (attached)
- snap-XXXXXXX 1024 GiB 20230530 Standard Completed 2023/05/30 09:48 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node3): /dev/sdb (attached)
- snap-XXXXXXX 500 GiB 20230530 Standard Completed 2023/05/30 09:47 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node1): /dev/sda1 (attached)
- snap-XXXXXXX 500 GiB 20230530 Standard Completed 2023/05/30 09:47 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node2): /dev/sda1 (attached)
- snap-XXXXXXX 200 GiB 20230530 Standard Completed 2023/05/30 09:47 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-Admin): /dev/sda1 (attached)
- snap-XXXXXXX 1024 GiB 20230530 Standard Completed 2023/05/30 09:47 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node1): /dev/sdb (attached)
- snap-XXXXXXX 1024 GiB 20230530 Standard Completed 2023/05/30 09:47 GMT+9 Available (100%) vol-XXXXXXX i-XXXXXXX (ubuntu-XXX-node2): /dev/sdb (attached)

Main Steps:

5. Create a New Volume from the Snapshot:

a. In the left navigation pane, click on “Snapshots.”
b. Select the snapshot you want to create a volume from.
c. Choose “Actions” and then “Create Volume.”
d. Configure the volume settings. Ensure the volume is in the same availability zone as the EC2 instance.
e. Click “Create.”

6. Stop the EC2 Instance:

a. In the left navigation pane, click on “Instances.”
b. Select your EC2 instance.
c. Click “Instance State” > “Stop Instance.”
d. Wait for the instance to be “stopped.”

7. Detach the Current Volume:

a. On the EC2 Dashboard, in the left pane, click on “Instances.”
b. Select the desired EC2 instance.
c. Below the instances list, click on the “Description” tab. Scroll to the “Root device” entry and click on the link next to it. Note the volume ID.
d. Navigate to “Volumes” in the left pane. Using the noted volume ID, locate and select the current volume.
e. Click “Actions” > “Detach Volume.”

8. Attach the New Volume to the EC2 Instance:

a. In the “Volumes” section, find the new volume made from the snapshot.
b. Click “Actions” > “Attach Volume.”
c. Select your EC2 instance and input the original root device name (e.g., /dev/xvda).
d. Click “Attach.”

9. Start the EC2 Instance:

a. Navigate back to “Instances.”
b. Select your EC2 instance.
c. Click “Instance State” > “Start Instance.”

10. Optional Clean-Up:

a. Navigate to “Volumes.”
b. Select the old volume.
c. Click “Actions” > “Delete Volume.”