Fix Inconsistencies by restarting AEM when SegmentNotFound Issue is reported in AEM 6.3

The SegmentNotFound Exceptions in the AEM 6.3 Log


Statement:
SegmentNotFound exceptions are observed in the logs. Due to some older issues in Oak or some inconsistencies in the repository, a segment can go missing and the repository might be inconsistent.
For example:

[1]
*ERROR* [FelixStartLevel] org.apache.sling.event [org.apache.sling.event.impl.jobs.queues.QueueManager(1431)] The activate method has thrown an exception (org.apache.jackrabbit.oak.plugins.segment.SegmentNotFoundException: Segment da5bcb95-d00a-4c04-a9d9-0f10f2b14e5e not found)

[2]
*ERROR* [pool-6-thread-3] org.apache.sling.commons.scheduler.impl.QuartzScheduler Exception during job execution of org.apache.jackrabbit.oak.plugins.index.AsyncIndexUpdate@1dc173f9 : Segment e669f30b-e886-4b7a-b161-56432601ec6b not found
org.apache.jackrabbit.oak.plugins.segment.SegmentNotFoundException: Segment e669f30b-e886-4b7a-b161-56432601ec6b not found

Environment: AEM 6.0, 6.1, 6.2

Solution:
Run a consistency check on the repository, find the last good revision (healthy state) and revert to it. Do the following:
Step 1: Download a version of oak-run that matches your Oak core version from https://mvnrepository.com/artifact/org.apache.jackrabbit/oak-run
-  To revert a corrupt segment store to its latest good state, change into CQ's working directory (the one containing the crx-quickstart folder) and back up all files in ./crx-quickstart/repository/segmentstore/.
Step 2: Run the consistency check:
    java -Xmx6000m -jar oak-run-*.jar check -d1 -p /path/to/crx-quickstart/repository/segmentstore
-  This searches backwards through the revisions until it finds a consistent one.
Look for a message like the one below:
[main] INFO o.a.j.o.p.s.f.t.ConsistencyChecker - Found latest good revision afdb922d-ba53-4a1b-aa1b-1cb044b535cf:234880

Step 3: Revert the repository to this revision by editing ./crx-quickstart/repository/segmentstore/journal.log and deleting all lines after the line containing the latest good revision.
Step 4: Remove all ./crx-quickstart/repository/segmentstore/*.bak files.

Step 5: Run checkpoint clean-up to remove orphaned checkpoints:
    java -Xmx6000m -jar oak-run-*.jar checkpoints /path/to/crx-quickstart/repository/segmentstore rm-unreferenced
Step 6: Finally, compact the repository:
    java -Xmx6000m -jar oak-run-*.jar compact /path/to/crx-quickstart/repository/segmentstore/
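
Steps 2 and 3 can be scripted as follows. This is an added example, not part of the original post: it reads the revision from saved oak-run check output and truncates journal.log after the line containing it. The function names, the journal.log.orig safety copy and the sample journal lines are assumptions made for the illustration, and AEM is assumed to be stopped.

```shell
#!/bin/sh
# Added example, not from the original post. Run only while AEM is stopped.

# Print the revision named on the last "Found latest good revision" line of
# saved `oak-run check` output ($1 = file holding that output).
latest_good_revision() {
    sed -n 's/.*Found latest good revision \([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# Step 3: drop every journal.log line after the one containing the revision.
# $1 = path to journal.log, $2 = revision. The untouched file is kept as
# journal.log.orig (hypothetical name). Fails without changes if $2 is absent.
revert_journal() {
    journal=$1; rev=$2
    [ -n "$rev" ] || { echo "no revision given" >&2; return 1; }
    line=$(grep -nF -- "$rev" "$journal" | tail -n 1 | cut -d: -f1)
    [ -n "$line" ] || { echo "$rev not found in $journal" >&2; return 1; }
    cp -p "$journal" "$journal.orig" || return 1
    head -n "$line" "$journal.orig" > "$journal.tmp" && mv "$journal.tmp" "$journal"
}

# Demo on constructed data: a three-entry journal whose middle entry is the
# revision from the sample check message above. Prints the reverted journal.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        '11111111-aaaa-4aaa-8aaa-000000000001:100 root' \
        'afdb922d-ba53-4a1b-aa1b-1cb044b535cf:234880 root' \
        '22222222-bbbb-4bbb-8bbb-000000000002:300 root' > "$dir/journal.log"
    echo '[main] INFO o.a.j.o.p.s.f.t.ConsistencyChecker - Found latest good revision afdb922d-ba53-4a1b-aa1b-1cb044b535cf:234880' > "$dir/check.out"
    revert_journal "$dir/journal.log" "$(latest_good_revision "$dir/check.out")" &&
        cat "$dir/journal.log"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo
```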

A Few Apache Web Server Security and Hardening Tips


How to disable the directory listing in Apache web server
Environment: Apache web server

Solution:

-  When a directory has no index file, Apache by default lists the contents of the content root directories.
-  The directory listing can be turned off for any specific directory with the Options directive in the httpd.conf or apache2.conf configuration file.

1.  Open the httpd.conf or apache2.conf file and add the line below:
Options -Indexes

2.  Restart the server.
3.  Go to the website and access the content root (/var/www/html or /content).
4.  You should see the Forbidden error ("You don't have permission to access / on this server.").

How to hide the Apache version and OS identity from errors in Apache HTTP Server

-  When you install Apache from source or from a package through an installer such as yum, it displays the Apache version and the OS version in its error pages.
-  It also shows the modules installed in the Apache server.

Steps to follow on RHEL, CentOS, Fedora, Debian and Ubuntu

1.  Open the httpd.conf/apache2.conf file, depending on the OS:

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)

2.  Add the configuration below to httpd.conf/apache2.conf and save the file:
ServerSignature Off
ServerTokens Prod

3.  Restart the server, and that's it:

# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)

How to keep Apache updated regularly

Environment: Apache web server

Solution:

1.  Check the Apache version:
# httpd -v
2.  Run the command below to update it:
# yum update httpd
# apt-get install apache2
3.  That's it! Check the Apache version again after the upgrade:
# httpd -v


Disable unnecessary modules
1.  Insert # at the beginning of a module's line to comment it out, so that the unnecessary module is not loaded.

Disable Apache's following of symbolic links

-  By default, the Apache web server follows symlinks.
-  This feature can be turned off with FollowSymLinks in the Options directive.
-  Open the httpd.conf file and add the line below.
Options -FollowSymLinks

-  If a particular website needs the FollowSymLinks feature, it can be enabled by writing the rule in that website's ".htaccess" file.
# Enable symbolic links
Options +FollowSymLinks
Note: To enable rewrite rules inside the ".htaccess" file, "AllowOverride All" should be present in the main configuration globally.

Turn off Server Side Includes and CGI execution

Environment: Apache
Solution:
-  The steps below turn off server-side includes (mod_include) and CGI execution.
-  Modify httpd.conf or apache2.conf, the main configuration file.
-  The setting can be applied to the root directory or to a specific directory.
-  Open the main configuration file and add the line below, either for the root directory or for a specific directory:

Options -Includes -ExecCGI

-  Restart the server. That's it!


Statement: The directives below help to prevent DoS attacks, although such attacks cannot be prevented completely.

Environment: Apache web server
Solution:
-  TimeOut:
      - Its default value is 300 seconds; set it lower, depending on the website's functionality.
      - The server waits this amount of time for an event to complete; after that, the request fails.

-  MaxClients:
      - The default value is 256; set it lower to prevent DoS attacks.
      - It sets the maximum number of connections that are served simultaneously.
      - Once the limit is crossed, every new connection is queued.

-  KeepAliveTimeout:
      - The default value is 5 seconds.
      - It is the amount of time the server waits for a subsequent request before closing the connection.

-  LimitRequestFields: the default value is 100; set it lower to prevent DoS attacks.

-  LimitRequestFieldSize: sets a size limit on the HTTP request headers.
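
The settings from the tips above (Options -Indexes, -FollowSymLinks, -Includes and -ExecCGI, ServerSignature, ServerTokens, and the TimeOut, MaxClients and LimitRequestFields limits) can be checked in one pass over a configuration file. This is an added example, not part of the original post: the function names and the sample configuration are hypothetical, the numeric thresholds are the defaults quoted in this post, and the scan is flat (it does not follow Include lines or per-directory scoping).

```shell
# Added example (not from the original post). Flat scan of one config file:
# Include lines and <Directory> scoping are not followed.

# Last value (lowercased) of a single-valued directive; comments are skipped.
directive_value() {  # $1 = config file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$1"
}

# Succeed if any active Options line carries the flag, e.g. -Indexes.
has_option() {  # $1 = config file, $2 = flag
    awk -v f="$2" 'tolower($1) == "options" {
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(f)) ok = 1
    } END { exit !ok }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_apache_conf() {  # $1 = config file
    conf=$1; findings=0
    for flag in -Indexes -FollowSymLinks -Includes -ExecCGI; do
        has_option "$conf" "$flag" && continue
        echo "Options $flag not set"; findings=$((findings + 1))
    done
    for want in ServerSignature:off ServerTokens:prod; do
        name=${want%%:*}; val=$(directive_value "$conf" "$name")
        [ "$val" = "${want##*:}" ] && continue
        echo "$name is '$val', want ${want##*:}"; findings=$((findings + 1))
    done
    # Limits: flag values that are unset or not below the defaults quoted above.
    for limit in TimeOut:300 MaxClients:256 LimitRequestFields:100; do
        name=${limit%%:*}; default=${limit##*:}
        val=$(directive_value "$conf" "$name")
        case $val in '' | *[!0-9]*) val=$default ;; esac
        [ "$val" -lt "$default" ] && continue
        echo "$name is unset or not below $default"; findings=$((findings + 1))
    done
    return "$findings"
}

# Demo on a constructed config with two gaps: ServerTokens is commented out
# and LimitRequestFields is left at the default.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' 'ServerSignature Off' '#ServerTokens Prod' \
        'Options -Indexes -FollowSymLinks -Includes -ExecCGI' \
        'TimeOut 60' 'MaxClients 150' 'LimitRequestFields 100' > "$sample"
    status=0; audit_apache_conf "$sample" || status=$?
    rm -f "$sample"; return "$status"
}
demo || echo "findings: $?"
```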


Use the mod_security and mod_evasive modules to secure Apache

-  mod_security:
   -  It acts as a firewall for web applications and allows traffic to be monitored in real time.
   -  It also protects the website or web server from brute-force attacks.
   -  Install the mod_security module:
-  Install mod_security on Ubuntu/Debian
    $ sudo apt-get install libapache2-modsecurity
    $ sudo a2enmod mod-security
    $ sudo /etc/init.d/apache2 force-reload

-  Install mod_security on RHEL/CentOS/Fedora
    # yum install mod_security
    # /etc/init.d/httpd restart
-  mod_evasive:
   -  It handles DoS attacks.
   -  It handles DDoS attacks.
   -  It handles brute-force attacks.
   -  This module detects three attacks:
      -  Multiple requests come to the same page a few times per second.
      -  A child process creates more than 50 concurrent requests.
      -  A temporarily blacklisted IP tries to make new requests.