
Securing Foscam IP camera access over SSL with Apache reverse proxying

UPDATED: 5/7/14 Important security vulnerabilities for Foscam cameras

UPDATED: 9/27/13  (The solution below does not include audio support; for audio over stunnel please see this post over at warped.org)

Recently I was assisting a local business to set up their Foscam IP cameras and make them remotely accessible for monitoring purposes from anywhere in the world. The particular models they had installed are the FI8910W line. These cameras are pretty cool and for ~$100 retail they are a pretty good deal in my opinion. The cameras can be accessed via a browser over HTTP and also support a rudimentary HTTP/CGI API. However, one of the biggest security issues with these cameras is the lack of SSL support. The embedded webserver on these things only supports HTTP and basic auth in the clear, which outside of your local network is not a good thing if your requirement is to be able to view/manage them remotely over the internet.

One solution for this is to simply front all access to your cameras with an SSL-secured reverse proxy. We did this using Apache’s mod_proxy. I’m not going to go into every detail of how to do this below; the point is to give the reader a starting point. You can look up the details on all these Apache configuration specifics elsewhere on the web, there are tons of examples out there.

The example below secures access to two Foscam IP cameras on your local network, living on an example subnet 192.168.1.0. It assumes the local network is fronted by a router that supports port forwarding, which most consumer/business routers do. The end objective here is that when you access https://myproxy.host.com:10001 you will be accessing CAM1 and when you access https://myproxy.host.com:10002 you will be accessing CAM2.

Secondarily you can also set it up so that you could hit CAM1 at https://myproxy.host.com:10000/cam1/ and CAM2 at https://myproxy.host.com:10000/cam2/.

  1. CAM1 IP = 192.168.1.100 listening on port 80
  2. CAM2 IP = 192.168.1.101 listening on port 80
  3. Reverse Proxy Server = 192.168.1.50 listening on ports 10000, 10001, 10002
  4. Router IP address: 192.168.1.1, configured with port forwarding as follows: port 10000 -> 192.168.1.50:10000, 10001 -> 192.168.1.50:10001 and 10002 -> 192.168.1.50:10002

OVERVIEW

  • First off you need to set up a computer/server running Apache. The Apache webserver is available for almost every operating system known to man, from Linux to Windows to OS X. In this example the server’s IP address is 192.168.1.50; ensure that name-based virtual host support is enabled as well as mod_ssl.
  • Next ensure that Apache is listening on all the necessary ports (the 3 mentioned above). You will want to have Apache listen on a separate unique port for each IP camera it is proxying access to, or at least one unique port if you are proxying the cameras off of a sub-path. For this example we are assigning port 10000 -> [CAM1 & CAM2 via sub-dir proxies], port 10001 -> CAM1 only and 10002 -> CAM2 only. Within your Apache configuration you will want to ensure that you have statements like the following configured:
NameVirtualHost *:10000
NameVirtualHost *:10001
NameVirtualHost *:10002
Listen 10000
Listen 10001
Listen 10002
  • Now that Apache is configured to listen on the necessary ports, we need to configure the actual virtual hosts and the reverse proxying directives within each host, see the example below:
###############################
# Reverse proxy config for BOTH
# CAMs (1 & 2) via sub-paths
# @ 192.168.1.100 & 192.168.1.101
###############################
<VirtualHost 192.168.1.50:10000>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyVia On
 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>

 # CAM1 (note trailing / is important)
 ProxyPass /cam1/ http://192.168.1.100:80/
 ProxyPassReverse /cam1/ http://192.168.1.100:80/

 # CAM2 (note trailing / is important)
 ProxyPass /cam2/ http://192.168.1.101:80/
 ProxyPassReverse /cam2/ http://192.168.1.101:80/

 CustomLog /path/to/apachelogs/access_cam1.log combined
 ErrorLog /path/to/apachelogs/error_cam1.log
 ServerName cam3

 SSLEngine On
 SSLCertificateFile /path/to/sslcert/mysslcert.crt
 SSLCertificateKeyFile /path/to/sslkey/sslkey.key

 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
 SSLOptions +StdEnvVars
 </Directory>

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

###############################
# Reverse proxy config for CAM1
# @ 192.168.1.100
###############################
<VirtualHost 192.168.1.50:10001>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyVia On
 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
 ProxyPass / http://192.168.1.100:80/
 ProxyPassReverse / http://192.168.1.100:80/
 CustomLog /path/to/apachelogs/access_cam1.log combined
 ErrorLog /path/to/apachelogs/error_cam1.log
 ServerName cam3

 SSLEngine On
 SSLCertificateFile /path/to/sslcert/mysslcert.crt
 SSLCertificateKeyFile /path/to/sslkey/sslkey.key

 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
 SSLOptions +StdEnvVars
 </Directory>

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

###############################
# Reverse proxy config for CAM2
# @ 192.168.1.101
###############################
<VirtualHost 192.168.1.50:10002>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyVia On
 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
 ProxyPass / http://192.168.1.101:80/
 ProxyPassReverse / http://192.168.1.101:80/
 CustomLog /path/to/apachelogs/access_cam2.log combined
 ErrorLog /path/to/apachelogs/error_cam2.log
 ServerName cam3

 SSLEngine On
 SSLCertificateFile /path/to/sslcert/mysslcert.crt
 SSLCertificateKeyFile /path/to/sslkey/sslkey.key

 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
 SSLOptions +StdEnvVars
 </Directory>

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
  • Ok, so before you start up Apache, you need to generate your own self-signed SSL certificate/key. See those lines above in the configuration for “SSLCertificateFile” and “SSLCertificateKeyFile”? You will need to generate your own SSL private key and certificate request, and then self-sign it. The files those openssl commands produce are what you point to on your local proxy server. You can read here for an example of how to generate the necessary files.
  • Next ensure the router that sits in front of your proxy server at 192.168.1.50 has port forwarding enabled and forwards traffic going to ports 10000, 10001 and 10002 to your proxy server.
  • Start up Apache, work out the kinks and you should be ready to go. If you are outside of your normal network you will need to find your router’s WAN public IP address and go to https://my.external.router.ip:10001 and https://my.external.router.ip:10002, and you will be accessing CAM1 and CAM2 respectively over SSL from anywhere in the world. Alternatively you can also go to https://my.external.router.ip:10000/cam1/ and https://my.external.router.ip:10000/cam2/ to hit the cameras. Please note that traffic from your browser to your proxy server is encrypted with SSL; however, the SSL encryption terminates at the proxy server. Network traffic from your proxy server to CAM1 and CAM2 is unencrypted, but only runs over your local network. This article assumes you trust who is on your local network not to be sniffing packets.
  • You will also want to ensure that your proxy server has a firewall on it, permits IP forwarding, limits access to only the necessary ports and is configured securely. You can handle that on your own and that is outside of the scope of this article.
  • Hopefully this helps someone out there who wants to securely access their IP cameras over the internet. Note that what is described above should work with any IP camera on the market that only supports HTTP; however, the general procedure described above was only tested with the Foscam model FI8910W.
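A sanity check for the virtual host blocks above, added here as an example and not part of the original post: it lints a <VirtualHost> block for the properties this setup depends on (SSLEngine On plus a certificate and key, ProxyRequests Off so the server cannot be used as an open forward proxy, a ProxyPassReverse for every ProxyPass, and the trailing slashes noted in the config comments). Both sample blocks are constructed; the good one mirrors the CAM1 virtual host, the weak one is deliberately broken.

```shell
#!/bin/sh
# Added example (not from the original post): lint a reverse-proxy <VirtualHost>
# block for the security-relevant properties the Foscam proxy setup relies on.

# Constructed sample: the CAM1 virtual host from the post, reduced to the
# directives that matter for the checks below.
GOOD_VHOST='<VirtualHost 192.168.1.50:10001>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyPass / http://192.168.1.100:80/
 ProxyPassReverse / http://192.168.1.100:80/
 SSLEngine On
 SSLCertificateFile /path/to/sslcert/mysslcert.crt
 SSLCertificateKeyFile /path/to/sslkey/sslkey.key
</VirtualHost>'

# Constructed weak block: forward proxying left on, no TLS, mapping half done.
WEAK_VHOST='<VirtualHost 192.168.1.50:10002>
 ProxyRequests On
 ProxyPass /cam2 http://192.168.1.101:80/
 SSLCertificateFile /path/to/sslcert/mysslcert.crt
</VirtualHost>'

# has_directive CONFIG NAME VALUE_REGEX -> 0 if a "NAME VALUE" line is present
has_directive() {
    printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)"
}

# check_vhost CONFIG -> prints one line per finding, returns 0 when nothing is wrong
check_vhost() {
    cfg=$1 rc=0
    has_directive "$cfg" ProxyRequests Off ||
        { echo "FAIL: ProxyRequests is not Off (server would act as an open forward proxy)"; rc=1; }
    has_directive "$cfg" SSLEngine On ||
        { echo "FAIL: SSLEngine is not On (camera basic-auth credentials would cross the internet in clear)"; rc=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        has_directive "$cfg" "$d" '[^[:space:]]+' || { echo "FAIL: $d missing"; rc=1; }
    done
    # Pair every ProxyPass with its ProxyPassReverse and check the trailing slashes;
    # also warn when the plaintext backend hop would leave private address space.
    printf '%s\n' "$cfg" | awk '
        tolower($1) == "proxypass"        { pp[$2] = $3; npp++ }
        tolower($1) == "proxypassreverse" { ppr[$2] = $3 }
        END {
            for (p in pp) {
                if (p !~ /\/$/ || pp[p] !~ /\/$/) {
                    print "FAIL: ProxyPass " p " -> " pp[p] ": both sides need a trailing /"; bad = 1 }
                if (!(p in ppr) || ppr[p] != pp[p]) {
                    print "FAIL: no matching ProxyPassReverse for " p " (Location headers from the camera would not be rewritten)"; bad = 1 }
                if (pp[p] !~ /^http:\/\/(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                    print "WARN: backend " pp[p] " is not a private address; the plaintext hop would leave the LAN"
            }
            if (npp == 0) { print "FAIL: no ProxyPass directive"; bad = 1 }
            exit (bad ? 1 : 0)
        }' || rc=1
    return $rc
}

echo "== cam1 vhost =="; check_vhost "$GOOD_VHOST" && echo "OK"
echo "== weak vhost =="; check_vhost "$WEAK_VHOST" || echo "fix the findings above before forwarding the port"
```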

SOFTWARE FOR VIEWING YOUR PROXIED CAMERAS

I’ve received many questions regarding which apps out there support talking to Foscams behind an SSL-secured proxy and unfortunately the few I’ve used all fall short in one way or another. Proxying HTTP/HTTPS-based resources on a network (via ports, sub-paths or other methods) is a technology that has been around for a long time, and from a client app’s perspective it need not even know the proxy is there. Secondarily, the Foscam camera APIs will work just fine regardless of how they are proxied (from the root URL or off of a sub-path in the proxy). Regardless, here are some apps I’ve used, with some notes:

  • iOS: FoscamPro: Cool app, works great when you are on your internal network, but fails miserably if you try to use it from outside your network when your cameras are behind an SSL secured proxy as described above. Why? The FoscamPro application simply DOES NOT support SSL. (FoscamPro devs: PLEASE IMPLEMENT THIS!) The only way to use FoscamPro in the setup above is if you have a VPN server running behind your router; you then connect to your home VPN which lets you appear “internal” to your local network when you are outside of your network, and then access your cameras directly, bypassing the proxy. The VPN itself is what is encrypting all of your communications.
  • iOS: Live Cams Pro: Cool app, works very similar to FoscamPro but supports other manufacturers and more devices, generic url streams etc. They DO support SSL which works with the proxied setup described above. However they DO NOT support specifying a relative path off of the base IP that you are connecting to a Foscam camera with. This effectively eliminates your ability to proxy your cameras via sub-dirs (i.e. https://my.net/cam1/) which is CRITICAL if you have a lot of cams but your router limits the number of port forwards you can have! (Live Cams Pro devs: PLEASE IMPLEMENT THIS!)
  • Android: tinyCam Monitor PRO: Cool app, I must admit I am pretty sure this supports HTTPS as I was testing with this earlier this summer for the port -> cam based config. I have not tested with the sub-dir path setup. If someone can shoot me an update on this I’ll appreciate it. (I’ve switched to all iOS)

Installing db2 9 express-c on a headless Ubuntu/Redhat (RHEL) box with db2setup and a response file

Ok, so after posting my summarized HOW TO guide on how to manually install and uninstall DB2 9 express-c via db2_install in a (headless) situation where you don’t have an X server available, nor forwarding, or you simply want to install over SSH in a quick bind via the command line only, I received some great pointers from folks about another headless option: using response files with the db2setup command.

Just to note, there are two ways you can install DB2 via the command line without any sort of X server.

  1. Via the process described in detail below, using a response file and db2setup
  2. Via the db2_install manual method (command line) which is described in detail in my other article.

Assumptions for this article:

a) The steps below were done with db2 Express-C 9.7 and on Ubuntu 9.04 Server edition, but the procedure should apply to other versions within the major versions quite well.

b) The steps below have also been executed on a headless Red Hat Enterprise 5.X (RHEL) server with no problem, so the procedures below will likely work for many other Linux distros as well.

c) This assumes you have root access to the machine; where root is referred to below, it means literally the user root OR a user with root authority through such means as sudo or other applicable permissions.

d) This assumes you have no previous DB2 installation, or if so, you have already properly removed it.

e) This assumes the following usernames for the following DB2 users:

  1. db2 instance owner = db2inst1
  2. db2 fence user = db2fenc1
  3. db2 admin owner (das user) = db2das1

f) This assumes that DB2 will be installed in /opt/ibm/db2/V9.7 (or whatever version you are installing). This path will be referred to throughout the rest of this document as DB2DIR.

g) This article only shows configuring a single DB2 instance called db2inst1, bound to the instance owner (user) named db2inst1.

h) You can certainly change MORE options than what I specifically call out below in the response file editing section (such as the install path etc.); however, I am just pointing out the options you MUST change to get the install rolling with a basic install.

INSTALLING WITH DB2SETUP AND A RESPONSE FILE

  1. The following instructions are taken from the official document located here.
  2. Login as root
  3. As root, open up /etc/services and add the following line at the end of the file: db2c_db2inst1 50000/tcp # DB2 connection service port (NOTE: you can change the port to something other than the default if you want, e.g. for security reasons)
  4. Go to IBM and download DB2 Express-C
  5. Save the tarball file in /tmp/db2expc9
  6. cd /tmp/db2expc9 and extract the tarball with tar -xvzf the_db29_tarball_filename.tar.gz
  7. cd expc
  8. cd db2/linux/samples
  9. cp db2expc.rsp my-db2expc.rsp
  10. chmod +w my-db2expc.rsp
  11. vi my-db2expc.rsp or if you don’t like the vi editor use your editor of choice.
  12. Ok, this is a response file, which is basically automated input that will be fed into the db2setup “wizard” so you can give it all the input without running it in GUI mode. It’s time to party and get going on this file, so let’s move on to the next bullet. An IMPORTANT note: any line starting with a * or # is a COMMENT within the file and is not processed.
  13. Before we continue, click here to view a handy reference that contains descriptions of all the configurable settings within a response file
  14. Scroll down to LIC_AGREEMENT and change “DECLINE” to say “ACCEPT” after reading the license agreement.
  15. Scroll down to INTERACTIVE and change to “YES” so that the db2setup will interactively prompt us for the location of the install files (from the tarball we downloaded)
  16. Scroll down to CONFIG_ONLY and set this to “NO”
  17. Scroll down to INSTALL_TYPE and set this to “CUSTOM”
  18. Just below the INSTALL_TYPE is a list of 6 commented out options. Now given this is a headless machine you are installing to, you probably only care about uncommenting the DB2_DATA_SOURCE_SUPPORT, DB2_SAMPLE_DATABASE and LDAP_EXPLOITATION options as the other ones are options for GUI tools which you don’t care about.
  19. Just below those 6 options come the “non-typical” install options. You will need to evaluate each one to see if you want it installed. Again, given you are on a headless machine, you probably want to skip everything that is a GUI tool. The item I kept was TEXT_SEARCH.
  20. Next is the languages section; again, I don’t need all that so I left them commented out, which will result in English being the default installed
  21. Next is the “upgrade” section, again you need to evaluate this, however given the assumptions of this article (brand-new install) you will leave these alone (commented out)
  22. Now scroll to the Instance Creation Settings section. This is an important one as here is where we specify instance information and the users that are to be created.

Instance Creation Settings

  1. Ok, we are still within the response file and you should be at the “Instance Creation Settings” section. This section contains the parameters for the db2inst1 user that will be created, who is also the instance owner for the single db2 instance that will be created called db2inst1
  2. In this section you will see a bunch of db2inst1.SOMEPROPNAME settings. I am only going to point out the ones you might consider changing below, the defaults should be fine for you.
  3. db2inst1.GROUP_NAME = I changed the value to be db2inst1 so the group name is the same as the username. This is optional of course but just my preference.
  4. db2inst1.HOME_DIRECTORY = /home/db2inst1
  5. db2inst1.PASSWORD = set to some password, you might want to change after the install manually via a command line with passwd db2inst1
  6. db2inst1.AUTOSTART = leave to YES if you want db2 to start on reboots
  7. db2inst1.PORT_NUMBER = 50000, you might want to change this from the default for security reasons, your call; remember to update your iptables scripts as well as the /etc/services entry that we made earlier!

Fenced User Creation Settings

Yes, there is more! Let’s keep going.

  1. Ok, we are still within the response file and you should be at the “Fenced User Creation Settings” section. This section contains the parameters for the db2fenc1 user that will be created.
  2. In this section you will see a bunch of db2fenc1.SOMEPROPNAME settings. I am only going to point out the ones you might consider changing below, the defaults should be fine for you.
  3. db2fenc1.FENCED_GROUP_NAME = I changed the value to be db2fenc1 so the group name is the same as the username. This is optional of course but just my preference.
  4. db2fenc1.FENCED_HOME_DIRECTORY = /home/db2fenc1
  5. db2fenc1.FENCED_PASSWORD = set to some password, you might want to change after the install manually via a command line with passwd db2fenc1

Instance DBM Config Settings

This section contains a bunch of configuration settings for our db2inst1 instance. If you just want to get up and running, you can skip this and they can be changed later; however, you will need to know what you are doing as these are tweaks to the instance for performance and other optimizations. Skip mucking with this for now.

Administration Server Creation Settings

Yes it continues, but this is an important one. This section covers the administration server and our DAS user which we are calling db2das1

  1. I am only going to point out the ones you might consider changing below, the defaults should be fine for you.
  2. DAS_USERNAME = db2das1
  3. DAS_GROUP_NAME = db2das1
  4. DAS_HOME_DIRECTORY = /home/db2das1
  5. DAS_PASSWORD = set to some password, you might want to change after the install manually via a command line with passwd db2das1

Global Profile Registry Settings

Giddyup... vi is reporting we are 71% done. Again this is a configuration-settings section; however, you may want to change certain ones, so I will point out the ones I changed for my basic install needs.

  1. DB2CODEPAGE: I set mine to the value “1208”, which is UTF-8
  2. DB2COMM = TCPIP

Database Settings and the remainder of the file (skip it)

This section pertains to any “default” databases that you want the installer to automatically create and some other sections which are not necessary at this point. I skip these remaining sections.
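The response-file edits from the sections above, applied and checked with a small script. This is an added example, not the post’s or IBM’s code: the response-file excerpt and the /etc/services line are constructed in the layout described above (KEY = VALUE, comment lines starting with * or #) and are not IBM’s db2expc.rsp; the helper names (rsp_set, rsp_get, rsp_check, prepare_rsp) are this example’s.

```shell
#!/bin/sh
# Added example, not from the post or IBM: apply the response-file edits the
# post walks through and run pre-flight checks before "db2setup -r".

# Constructed excerpt in the layout the post describes; NOT IBM's db2expc.rsp.
SAMPLE_RSP='* Constructed response-file excerpt for this example
LIC_AGREEMENT = DECLINE
INTERACTIVE = NO
CONFIG_ONLY = NO
INSTALL_TYPE = TYPICAL
*db2inst1.GROUP_NAME = db2iadm1
db2inst1.HOME_DIRECTORY = /home/db2inst1
*db2inst1.PASSWORD =
db2inst1.AUTOSTART = YES
db2inst1.PORT_NUMBER = 50000
*db2fenc1.FENCED_PASSWORD =
*DAS_PASSWORD =
DB2COMM = TCPIP'

# Constructed /etc/services excerpt containing the line the post adds.
SAMPLE_SERVICES='db2c_db2inst1 50000/tcp # DB2 connection service port'

# rsp_set FILE KEY VALUE: uncomment and set KEY, or append it if absent
# (VALUE goes through awk -v, so backslashes in it are interpreted).
rsp_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v value="$3" '
        {
            line = $0
            sub(/^[ \t]*[*#]?[ \t]*/, "", line)        # strip a leading comment marker
            split(line, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key && !done) { print key " = " value; done = 1; next }
        }
        { print }
        END { if (!done) print key " = " value }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# rsp_get FILE KEY: print the active (uncommented) value of KEY, or nothing
rsp_get() {
    awk -v key="$2" '
        /^[ \t]*[*#]/ { next }
        {
            split($0, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) { v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }
    ' "$1"
}

# rsp_check FILE SERVICES_TEXT: the pre-flight checks; returns 0 when all pass
rsp_check() {
    rc=0
    [ "$(rsp_get "$1" LIC_AGREEMENT)" = ACCEPT ] || { echo "FAIL: LIC_AGREEMENT must be ACCEPT"; rc=1; }
    [ "$(rsp_get "$1" INTERACTIVE)" = YES ]      || { echo "FAIL: INTERACTIVE must be YES"; rc=1; }
    for k in db2inst1.PASSWORD db2fenc1.FENCED_PASSWORD DAS_PASSWORD; do
        [ -n "$(rsp_get "$1" "$k")" ] || { echo "FAIL: $k is not set"; rc=1; }
    done
    port=$(rsp_get "$1" db2inst1.PORT_NUMBER)   # must agree with the /etc/services line
    printf '%s\n' "$2" | grep -Eq "^db2c_db2inst1[[:space:]]+${port}/tcp" ||
        { echo "FAIL: no 'db2c_db2inst1 ${port}/tcp' line in /etc/services"; rc=1; }
    return $rc
}

# prepare_rsp INST_PW FENC_PW DAS_PW: write the edited file and print its path
prepare_rsp() {
    f=$(mktemp)                          # mktemp creates the file mode 0600, which is
    printf '%s\n' "$SAMPLE_RSP" > "$f"   # what you want: the passwords sit in it in clear text
    rsp_set "$f" LIC_AGREEMENT ACCEPT
    rsp_set "$f" INTERACTIVE YES
    rsp_set "$f" INSTALL_TYPE CUSTOM
    rsp_set "$f" db2inst1.GROUP_NAME db2inst1
    rsp_set "$f" db2inst1.PASSWORD "$1"
    rsp_set "$f" db2fenc1.FENCED_PASSWORD "$2"
    rsp_set "$f" DAS_PASSWORD "$3"
    rsp_set "$f" DB2CODEPAGE 1208        # UTF-8
    echo "$f"
}

f=$(prepare_rsp 'changeme-inst' 'changeme-fenc' 'changeme-das')
rsp_check "$f" "$SAMPLE_SERVICES" && echo "response file passes pre-flight checks:"
grep -Ev '^[[:space:]]*[*#]' "$f"       # show the active settings
rm -f "$f"                               # remove it once db2setup -r has consumed it
```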

MOVING ON TO THE INSTALL

  1. Ok, so if you have not already done so, save the my-db2expc.rsp file and exit your editor.
  2. cd /tmp/db2expc9/expc
  3. Execute ./db2setup -r /tmp/db2expc9/expc/db2/linux/samples/my-db2expc.rsp. This will fire off the installation
  4. If there are any errors in your response file, you should get them now, and can correct them, re-run if necessary
  5. Assuming that db2setup is running, just sit and wait it out…..
  6. When the install is done, you can view the log file (review it!) at /tmp/db2setup.log
  7. To test your install, logout as root then login as db2inst1
  8. Exec db2stop followed by a db2start
  9. Verify that DB2 is listening on your port by typing netstat -na and look for your port listed in the output.
  10. Yeah! DB2 is now running on this box and you are good to go to begin creating databases etc. Remember to adjust your iptables firewall rules accordingly per your requirements to restrict access to only the hosts you want to permit.

VERIFY

Hey, lets create a basic database and verify we can use it to see that DB2 works.

  1. Login as db2inst1, the db2 instance owner
  2. execute a db2 create database bitsoi
  3. Connect with db2 connect to bitsoi user db2inst1
  4. Enter the password
  5. You are now connected if you see the “database connection information” output
  6. Fire up the CLP with db2
  7. At the prompt type create table myTest (name varchar(10))
  8. If successful, insert a record with insert into myTest (name) values ('bitsofinfo')
  9. Select it with select * from myTest
  10. Yeah, it works, exit with a quit and when back at the command line type db2 terminate

UNINSTALL

There is a method to uninstall DB2 via a response file as well. See the official DB2 document here.

  1. BEFORE doing this, you STILL have to drop your db2 instances and admin server: click here and scroll to the uninstall section
  2. Login as root
  3. cd /tmp/db2expc9/expc
  4. cd db2/linux/samples
  5. cp db2un.rsp my-db2un.rsp
  6. chmod +w my-db2un.rsp
  7. vi my-db2un.rsp or if you don’t like the vi editor use your editor of choice.
  8. This is the uninstall response file. To remove everything, just uncomment the first REMOVE_PROD line
  9. cd /tmp/db2expc9/expc
  10. execute ./db2_deinstall -r db2/linux/samples/my-db2un.rsp
  11. When prompted enter your DB2DIR install dir (should be /opt/ibm/db2/V9.7, or your version)
  12. Once this finishes, everything will be removed

The above process is not much different from reading my other article and scrolling towards the bottom to read the uninstall procedure. I guess the response file uninstall method gives you better control over what you want removed.

THOUGHTS

Now, all of that said, I just want to express a concern I have with the DB2 docs online. Your average joe, maybe a new user wanting to try out DB2, who needs to install DB2 on a headless box, is going to start by reading the “Installing DB2 servers (Linux and UNIX)” document in the IBM docs. They will quickly see the following note:

The DB2 Setup wizard is a graphical installer. You must have X windows software capable of rendering a graphical user interface for the DB2 Setup wizard to run on your machine. Ensure that the X windows server is running. Ensure that you have properly exported your display. For example, export DISPLAY=9.26.163.144:0.

Ok great, but hey, wouldn’t it be great if this document stated something to the effect of: “If X windows software is not available you can either manually install via the db2_install command [link here], OR click here [link to response file instructions] to learn how to install via db2setup using response files”

Unfortunately it does not, and the information about response file installs is buried down in the table of contents under “Response file installation”, which unfortunately is not really titled appropriately (nor linked to from the db2setup page) for the average new user to associate it with “oh, this is how I can install without a GUI from the command line”.

The net result? A new user to DB2 express c, might just bail immediately and go with another piece of database software, because they can install much easier right out of the box on a headless machine without laboring through a dozen or so online HTML documents. Also don’t forget that since they are installing headless, they can’t even view those if the only machine they have is the box they are installing on. Not likely, but possible, and I for one would have no desire to bust out lynx or elinks etc. Ugh!

Installing and uninstalling DB2 9 express c on a headless Ubuntu/Redhat (RHEL) box (i.e. from the command line)

I’ve used DB2 for years and it has proved to be a rock-solid database: stable, performs well, has awesome features like HADR for high availability, and with the Express-C edition you can use it for your own projects free of charge. However, one of the frustrating things I have always found is that something which in reality can be done fairly simply (a headless install) is presented in such a complex fashion when you are reading the online DB2 documentation. As a user you have to waste all this time wading through DB2’s extensive online documentation, which is presented in a format that seems to be catered towards full-time DBAs who have the time to wade through link after link and reference after reference. They simply don’t have quick one-page summaries that cover it all in simple, straightforward HOWTOs. Secondly, if you want to install/uninstall DB2 on a headless machine via the command line (one without an X windows server), DB2 does not seem to provide any easy way to do that (db2_install just installs files under /opt/ibm/…). The default automated tool that will install DB2, configure users, set up services etc. is the db2setup program, which is a wizard app that requires a GUI by default, so if you are on a headless machine... good luck and get ready to search online for help.

That said, there are two ways you can install DB2 via the command line without any sort of X server.

  1. Via the process described below in detail, with the manual db2_install method (and uninstall).
  2. Via the db2setup -r [responsefile] method which is described in detail in my other article.

That said, this article is to present you with what is lacking: a simple, straightforward HOWTO on how to install/uninstall DB2 (express-c 9 in particular) on a headless Ubuntu or Red Hat (RHEL) (server) box via the db2_install method from the command line only. I’ve included links to all the relevant DB2 docs so you don’t have to search around for them, and secondly I try to provide quick summaries of each step along the way.

Assumptions for this article:

a) The steps below were done with db2 Express-C 9.7 and on Ubuntu 9.04 Server edition, but the procedure should apply to other versions within the major versions quite well.

b) The steps below have also been executed on a headless Red Hat Enterprise 5.X (RHEL) server with no problem, so the procedures below will likely work for many other Linux distros as well.

c) This assumes you have root access to the machine; where root is referred to below, it means literally the user root OR a user with root authority through such means as sudo or other applicable permissions.

d) This assumes you have no previous DB2 installation, or if so, you have already properly removed it.

e) This assumes the following usernames for the following DB2 users:

  1. db2 instance owner = db2inst1
  2. db2 fence user = db2fenc1
  3. db2 admin owner (das user) = db2das1

f) This assumes that DB2 will be installed in /opt/ibm/db2/V9.7 (or whatever version you are installing). This path will be referred to throughout the rest of this document as DB2DIR.

g) This article only shows configuring a single DB2 instance called db2inst1, bound to the instance owner (user) named db2inst1.

INSTALLATION

This section is a summary of the steps laid out at this official DB2 install document:

  1. Login as root
  2. Go to IBM and download DB2 Express-C
  3. Save the tarball file in /tmp/db2expc9
  4. cd /tmp/db2expc9 and extract the tarball with tar -xvzf the_db29_tarball_filename.tar.gz
  5. cd expc
  6. Optionally execute ./db2prereqcheck followed by (required) ./db2_install. The db2prereqcheck simply will check your system requirements and quit, basically doing the same thing that db2_install does at startup, but db2_install will continue on to install if the pre requirements are met. (see next bullet).
  7. Now at this point you may get one or more of the following errors or warnings, saying something to the effect of "The required library file libaio.so.1 is not found on the system", OR you might get a warning stating "Can't use the string to find the version of libstdc++". The solution to either of these errors/warnings is to run the following commands:
    • apt-get install libaio1 (ubuntu)
    • apt-get install libstdc++5 (ubuntu)
    • yum install libstdc++ (rhel)
    • yum install libaio (rhel)

    After installing these 2 packages you may STILL get the warning about libstdc++; just ignore that and run the forced install with the command ./db2_install -f sysreq. If you still get some sort of error, please read the system requirements.

  8. Assuming the install command completed successfully (check the output, at the end of the install process you should see The Execution completed successfully and review the install log located at /tmp/db2_install.log.XXXX). You now have the core db2 express c files installed under your DB2DIR which is /opt/ibm/db2/V9.7... however conveniently DB2 IS NOT READY to run, we still need to do more configuring....

CONFIGURING

Ok, now that you have the core db2 express C files installed under your DB2DIR /opt/ibm/db2/V9.7, it is time to manually do what a DB2 install program should be doing for you; you now get to act like a bash script and do all the things below manually. Have fun...

  1. The steps below are a summary of this DB2 install document. In short we are going to create the required DB2 users, create the DB2 admin server instance, create our single usable DB2 instance, then configure DB2 to talk over TCP/IP (I feel like this is 1995....)
  2. login as root
  3. Let's create our single DB2 instance owner user by executing: useradd -m db2inst1
  4. set a good password for this user with: passwd db2inst1
  5. Create the db2 fenced user: useradd -m db2fenc1
  6. Set a good password for this user with: passwd db2fenc1
  7. Create the db2 admin server user: useradd -m db2das1
  8. Set a good password for this user with: passwd db2das1
  9. Now we have our base users and we now need to create the db2 administration server instance with the command: DB2DIR/instance/dascrt -u db2das1.
  10. Ok, now we can create the actual usable db2 instance with the following command: DB2DIR/instance/db2icrt -a server -u db2fenc1 db2inst1.
  11. Now that the instance is created, let's create some links with: DB2DIR/cfg/db2ln
  12. Awesome! We are almost there, but FIRST we must jump into our time machine and go back to the early 1990's, when software was not really pre-configured to use TCP/IP for communications... as DB2 is not by default... so let's configure it to talk via TCP/IP on a particular port.
  13. As root, open up /etc/services and add the following line at the end of the file: db2c_db2inst1 3700/tcp # DB2 connection service port (NOTE: you can change the port to something other than the default if you want, e.g. for security reasons)
  14. Now log out
  15. Login as db2inst1 using the password you set earlier
  16. execute a db2stop followed by a db2start
  17. Execute the following command to configure db2 to use the TCP/IP settings as follows: Bring up the db2 CLP with db2. Next type the following command in the CLP prompt: update database manager configuration using svcename db2c_db2inst1. REMEMBER to adjust the service name and port number accordingly if you used something different in your /etc/services above.
  18. The output should be "The update database manager command completed successfully". Execute a db2stop followed by a db2start
  19. Next you can verify that the TCP/IP comm settings took effect by typing (while still in the db2 clp prompt): get database manager config, in the resulting output you should see the "TCP/IP Service name" which matches the service name in your /etc/services file.
  20. Exit the db2 CLP prompt by typing quit
  21. Now lets fire up the actual TCP/IP communication by entering the following command: db2set DB2COMM=tcpip, followed by a db2stop followed by a db2start
  22. Verify that DB2 is listening on your port by typing netstat -na and look for your port listed in the output.
  23. Yeah! DB2 is now running on this box and you are good to go to begin creating databases etc. Remember to adjust your iptables firewall rules accordingly per your requirements to restrict access to only the hosts you want to permit.
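The configuration steps above written as an idempotent script, in the spirit of "act like a bash script". This is an added example, not the post's own: DB2DIR, the three accounts, the db2c_db2inst1 service name and port 3700 are taken from the steps above, while the helper names, the DRY_RUN switch and the port-clash check against /etc/services are this example's. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the post: the manual post-install configuration as an
# idempotent script. DRY_RUN=1 (default) prints commands instead of running them;
# run with DRY_RUN=0 as root on the real box once db2_install has completed.
DB2DIR=${DB2DIR:-/opt/ibm/db2/V9.7}
INST=db2inst1; FENC=db2fenc1; DAS=db2das1
SVC=db2c_db2inst1; PORT=${PORT:-3700}
SERVICES=${SERVICES:-/etc/services}
DRY_RUN=${DRY_RUN:-1}

run() {   # print the command in dry-run mode, execute it otherwise
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

ensure_user() {   # create the account only if it does not exist yet
    if id "$1" >/dev/null 2>&1; then echo "user $1 exists, skipping"; else run useradd -m "$1"; fi
}

# services_conflict FILE NAME PORT -> 0 when PORT/tcp already belongs to another service
services_conflict() {
    awk -v name="$2" -v port="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == (port "/tcp") && $1 != name { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# ensure_service FILE NAME PORT: add "NAME PORT/tcp" once; refuse if the port is taken
ensure_service() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 1; }
    if grep -Eq "^$2[[:space:]]+$3/tcp" "$1"; then
        echo "$2 already mapped to $3/tcp in $1"; return 0
    fi
    if services_conflict "$1" "$2" "$3"; then
        echo "ERROR: $3/tcp is already assigned in $1; choose another port"; return 1
    fi
    run sh -c "printf '%s\t%s/tcp\t# DB2 connection service port\n' '$2' '$3' >> '$1'"
}

configure_db2() {
    if [ "$DRY_RUN" != 1 ] && [ ! -x "$DB2DIR/instance/db2icrt" ]; then
        echo "ERROR: $DB2DIR does not look like a db2_install tree"; return 1
    fi
    ensure_user "$INST"; ensure_user "$FENC"; ensure_user "$DAS"
    echo "set passwords interactively: passwd $INST; passwd $FENC; passwd $DAS"
    run "$DB2DIR/instance/dascrt" -u "$DAS"                  # admin server instance
    run "$DB2DIR/instance/db2icrt" -a server -u "$FENC" "$INST"   # the usable instance
    run "$DB2DIR/cfg/db2ln"
    ensure_service "$SERVICES" "$SVC" "$PORT" || return 1
    # The rest runs as the instance owner, whose login profile puts db2/db2set on PATH;
    # one restart at the end picks up both the svcename and the DB2COMM change.
    run su - "$INST" -c "db2 update dbm cfg using svcename $SVC"
    run su - "$INST" -c "db2set DB2COMM=tcpip"
    run su - "$INST" -c "db2stop force; db2start"
    echo "verify with: netstat -na | grep $PORT"
}

configure_db2
```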

VERIFY

Hey, lets create a basic database and verify we can use it to see that DB2 works.

  1. Login as db2inst1, the db2 instance owner
  2. execute a db2 create database bitsoi
  3. Connect with db2 connect to bitsoi user db2inst1
  4. Enter the password
  5. You are now connected if you see the "database connection information" output
  6. Fire up the CLP with db2
  7. At the prompt type create table myTest (name varchar(10))
  8. If successful, insert a record with insert into myTest (name) values ('bitsofinfo')
  9. Select it with select * from myTest
  10. Yeah, it works, exit with a quit and when back at the command line type db2 terminate

UNINSTALLING

So you are probably thinking, "hey, how about we just run that db2_deinstall command?" Wrongo buddy, that would be way too obvious and easy. Instead we need to follow the steps below.

  1. The steps below are a summary of the official document located here.
  2. Optionally back up, then DROP all of your databases; this is your call and at your own risk.
  3. Login as the db2 admin server owner, in our example case this is db2das1 and stop the db2 admin server by executing a db2admin stop command.
  4. when completed logout
  5. login as root
  6. execute DB2DIR/instance/dasdrop to drop the das server instance
  7. logout and login as the db2 instance owner db2inst1
  8. execute a db2stop force
  9. execute a db2 terminate
  10. logout and login as root
  11. execute DB2DIR/instance/db2idrop db2inst1 to drop our db2 instance
  12. Finally... now we get to actually run the deinstaller, as root execute DB2DIR/install/db2_deinstall -a

DB2 should now be completely removed, except for your users db2inst1, db2fenc1 and db2das1. You can optionally remove those by doing a userdel USERNAME from the command line as root for each user, remembering also to clean up their home directories.

SUMMARY

I hope this document helped you out. DB2 is a great product and don't let lack of thousands of user blog posts/articles/howtos etc. on the web scare you away from it. Please send any comments to improve this HOW TO my way.