Wednesday, December 26, 2012

How to Apply Verified SSL Certificate for Tomcat Using OpenSSL

Before anything else, I suggest that you do all of this in a single directory, something like apache_certs/, readable only by you: the private key created in step 1 is written unencrypted.

1. Create the CSR. Below is an example of generating a CSR for host.name.com (an actual, existing domain, used here as the sample host name). The -nodes option leaves the private key unencrypted, so restrict its permissions right after the command finishes:
openssl req -new -newkey rsa:2048 -nodes -out host_name_com.csr \
  -keyout host_name_com.key \
  -subj "/C=US/ST=Colorado/L=Denver/O=Name.com LLC/OU=Test Department/CN=host.name.com"

2. The command above produces two files: host_name_com.csr and host_name_com.key. Submit the contents of host_name_com.csr to the certificate authority (DigiCert, VeriSign, CAcert, etc.); the .key file never leaves your machine. You may use the URL below to check your CSR before submitting it:
https://ssl-tools.verisign.com/checker/

3. Once the signed certificate has been received, combine the private key and the certificate into a single PKCS12 file. If the CA also sent intermediate certificates, include them in the bundle (the -certfile option), otherwise clients will see an incomplete chain. You will be asked to set an export password; you may use Tomcat's default, 'changeit':
openssl pkcs12 -export -inkey host_name_com.key \
  -in host_name_com.crt -out host_name_com.p12

host_name_com.key = key generated along with the CSR
host_name_com.crt = certificate received from the certificate authority
host_name_com.p12 = the new file that will contain the key and the certificate

4. Import the p12 into your keystore. The password should be the same as the one used in step 3 (or Tomcat's default, 'changeit'). Note that -importkeystore takes -srcalias, not -alias; a PKCS12 exported by openssl without a -name option has the alias "1":
keytool -importkeystore -destalias tomcat -destkeystore keystore.jks \
  -srckeystore host_name_com.p12 -srcstoretype PKCS12 -srcalias 1
keystore.jks = my named keystore, default is ".keystore"

5. Modify Tomcat's server.xml under the conf folder. Give keystoreFile an absolute path or a ${...} system property: Java does not expand "~", and a relative path is resolved against CATALINA_BASE. Since the keystore password sits in this file in clear text, keep server.xml readable only by the user Tomcat runs as:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" keystoreFile="${user.home}/apache_certs/keystore.jks"
           keystorePass="changeit" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

6. Restart the server. When you access your applications over https, the browser should now show the CA-verified certificate, with no warning about the chain or the host name.
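Steps 1 to 4 as one runnable script, added here as an example and not part of the original post. Because there is no commercial CA to talk to offline, a throwaway local CA signs the CSR in place of step 2; with a real CA you drop make_test_ca and sign_with_test_ca and feed in the .crt and intermediate bundle the CA returns. The host name, subject and 'changeit' passwords are assumptions taken from the post; the JKS step is skipped when no keytool is on the PATH.

```shell
#!/bin/sh
# Added example for this post (not the post's own commands): steps 1 to 4 run
# end to end in one scratch directory.  A throwaway local CA stands in for the
# commercial CA so that everything runs offline; with a real CA you drop
# make_test_ca/sign_with_test_ca and use the .crt plus intermediate bundle the
# CA sends back.  The host name, subject and passwords are assumptions.
set -eu

HOST="host.name.com"                          # assumed host name, as in the post
SUBJ="/C=US/ST=Colorado/L=Denver/O=Name.com LLC/OU=Test Department/CN=${HOST}"
PASS="changeit"                               # Tomcat's default keystore password

# Step 1: private key and CSR.  -nodes leaves the key unencrypted on disk, so
# the file is locked down right away.  The CSR is checked locally (signature
# valid, CN as intended) before it goes anywhere near the CA.
make_csr() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$dir/host_name_com.key" -out "$dir/host_name_com.csr" >/dev/null 2>&1
  chmod 600 "$dir/host_name_com.key"
  openssl req -in "$dir/host_name_com.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$dir/host_name_com.csr" -noout -subject | grep -q "CN *= *${HOST}"
}

# Stand-in for step 2: a throwaway CA that signs the CSR.  Real CAs also return
# one or more intermediate certificates; this constructed CA has none.
make_test_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

sign_with_test_ca() {
  dir="$1"
  openssl x509 -req -in "$dir/host_name_com.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/host_name_com.crt" >/dev/null 2>&1
  # The signed cert must chain to the CA; run the same check on a real CA's reply.
  openssl verify -CAfile "$dir/ca.crt" "$dir/host_name_com.crt" >/dev/null
}

# Step 3: key + certificate + chain into one PKCS12.  -certfile carries the
# intermediate/root certificates so clients receive a complete chain; -name
# sets the alias (without it the alias is "1", which step 4 must then use).
bundle_p12() {
  dir="$1"
  openssl pkcs12 -export -inkey "$dir/host_name_com.key" -in "$dir/host_name_com.crt" \
    -certfile "$dir/ca.crt" -name tomcat -out "$dir/host_name_com.p12" -passout "pass:$PASS"
  chmod 600 "$dir/host_name_com.p12"
  # Sanity check: the bundle opens with that password and holds the leaf cert.
  openssl pkcs12 -in "$dir/host_name_com.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | grep -q "BEGIN CERTIFICATE"
}

# Step 4: PKCS12 -> JKS for the Tomcat connector.  Note -srcalias, not -alias.
# Skipped when no JDK is on PATH.  (If an old keytool rejects a file produced
# by OpenSSL 3, re-export it with "openssl pkcs12 -export -legacy ...".)
import_to_jks() {
  dir="$1"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS step"; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$dir/host_name_com.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -srcalias tomcat -destkeystore "$dir/keystore.jks" \
    -deststoretype JKS -deststorepass "$PASS" -destalias tomcat >/dev/null 2>&1
  keytool -list -keystore "$dir/keystore.jks" -storepass "$PASS" 2>/dev/null | grep -q "^tomcat,"
}

run_pipeline() {
  dir="$1"
  mkdir -p "$dir" && chmod 700 "$dir"
  make_csr "$dir" && make_test_ca "$dir" && sign_with_test_ca "$dir" \
    && bundle_p12 "$dir" && import_to_jks "$dir"
}

# Usage: sh tomcat_cert_pipeline.sh run [directory]
if [ "${1:-}" = "run" ]; then
  run_pipeline "${2:-./apache_certs}"
fi
```

Tomcat can also load the .p12 directly (keystoreType="PKCS12" on the Connector), which makes step 4 optional. After the restart, `openssl s_client -connect host.name.com:443 -showcerts` from another machine shows exactly which chain the server sends; a missing intermediate is visible there long before a browser complains.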

Friday, November 30, 2012

Super Cow

Today when I woke up, my machine prompted me that an error occurred on retrieving updates.

"An error occurred, please run Package Manager from the right-click menu or apt-get in a terminal to see what is wrong. The error message was ..."

So I ran apt-get in my terminal, and here's the lighter side of Ubuntu.


Here's another command I issued:


The error wasn't serious, so seeing the Super Cow Powers just made my day.

Tuesday, November 27, 2012

Https Spring WSDL Tomcat

Just want to share an experience from my work.

At 4 on a Friday afternoon, we were waiting for the integration of our application with a company's on-premise server. Unknown to us, the design and architecture we had set up were not what the client's system admin was expecting: instead of plain http, the client required us to serve the application over https, on that same day. It's Friday, c'mon!

Good thing we had used Spring MVC: no other configuration was required to deliver it over https, aside from some tweaks to our Tomcat container in the cloud.

To spare some of you from running into the same scenario, or into any trouble along the way, I'm listing the things I executed. So here's what I did.

1. Create a keystore. The command below will create .keystore in your home directory (older keytool versions default to 1024-bit RSA keys, so state the size explicitly):

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048


   You will be prompted for a password; the default password used by Tomcat is "changeit".

   Next, you will be prompted for the certificate information. As our server will be accessed from outside the cloud, use its public DNS name as the "First and Last Name", e.g. CN="ec2-12-345-678-90.compute-1.amazonaws.com". Clients check that name against the certificate; recent browsers require it as a Subject Alternative Name rather than just the CN, which keytool (Java 7 and later) can add with -ext SAN=dns:<host name>.

    I didn't use the public domain name of our server the first time, and it caused me trouble when accessing our WSDL file through Spring. I will discuss it later.

    You will be asked for the key password; use the same password as the keystore password itself, since the Tomcat connector below configures only one.

2. In Tomcat, edit server.xml, look for your JSSE Connector and edit it to look like:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           keystoreFile="<home.base>/.keystore"
           keystorePass="changeit"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />


   I used port 443 rather than Tomcat's default of 8443 for SSL, since 443 is the https default port. Binding a port below 1024 needs root on Linux, so rather than running Tomcat as root, start it through jsvc or authbind, or forward 443 to 8443 in the firewall. Also change the redirectPort of the port 80 Connector to "443" instead of the default 8443.

3. Add this to the web.xml of each webapp you want to serve over https:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Automatic SSL Forward</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>


4. Restart Tomcat. You can now access your container's applications through https://<domain>:443. If you access an application over http://<domain>/, the CONFIDENTIAL constraint redirects you to https, using the redirectPort set in step 2.

If you're using Spring MVC, everything should be alright, except when importing the WSDL file from your newly set up https container. If you're using this setup:

<bean id="classWebService"
      class="org.springframework.remoting.jaxws.JaxWsPortProxyFactoryBean">
    <property name="serviceInterface" value="com.service.ClassService" />
    <property name="wsdlDocumentUrl"
      value="https://ec2...compute-1.amazonaws.com/serv/service?wsdl" />
    <property name="namespaceUri" value="http://service.com/" />
    <property name="serviceName" value="ClassWebService" />
    <property name="portName" value="ClassWebServiceImplPort" />
</bean>


It may throw:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The exception means that the consumer's JVM does not trust the certificate the server presents: a self-signed certificate has no path to any CA in the JVM's truststore. To solve the problem, add the server's certificate to the consumer's truststore. Here's how:

1. Open the WSDL over https in your browser. Through the browser, download the server's certificate and save it as "certificate".
2. Import the downloaded certificate (the default password of cacerts is "changeit"):

 sudo keytool -import -alias <domain name> \
   -keystore <java-6-sun>/jre/lib/security/cacerts -file ~/certificate

Note that cacerts is shared by every Java program on the machine and is replaced on each JDK update. A dedicated truststore for the consuming application, passed with -Djavax.net.ssl.trustStore, is the cleaner option.

*Make sure that the certificate's CN (and SAN) equals the domain name, i.e. the host right after 'https://' in the wsdlDocumentUrl; otherwise you'll get another exception, this time saying that no name in the certificate matches the host.

*More on Tomcat SSL configuration here.
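The two checks a consumer performs when it loads the WSDL over https (does the certificate name the host, and does it chain to something trusted), followed by the dedicated-truststore fix, as an added runnable example that is not part of the original post. It covers both step 1 of the server setup and the PKIX fix above: the self-signed server certificate is generated with openssl here, standing in for keytool -genkey, so the example runs offline. The host names are assumptions; the keytool part is skipped when no JDK is on the PATH.

```shell
#!/bin/sh
# Added example for this post (not the post's own commands): the two checks a
# consumer makes when it loads the WSDL over https, plus a cleaner fix than
# editing the JVM's global cacerts.  The server certificate is generated here
# with openssl (standing in for step 1's keytool -genkey) so the example runs
# offline; the host names are assumptions.
set -eu

HOST="ec2-12-345-678-90.compute-1.amazonaws.com"   # assumed public name of the server
PASS="changeit"

# Self-signed server cert with the public host name as CN and as a DNS SAN.
# Java falls back to the CN only when the cert has no DNS SAN, and browsers
# now require the SAN, so the name goes in both.  (-addext needs OpenSSL 1.1.1+.)
make_server_cert() {
  dir="$1"; name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=${name}" \
    -addext "subjectAltName=DNS:${name}" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
}

# Check 1, hostname: does the certificate name the host in the wsdlDocumentUrl?
# This is the "CN = domain name" rule from the post; a mismatch gives Java's
# "No name matching <host> found" instead of the PKIX error.
cert_matches_host() {
  crt="$1"; name="$2"
  openssl x509 -in "$crt" -noout -checkhost "$name" | grep -q "does match"
}

# Check 2, trust: a self-signed cert verifies only with itself as the anchor.
# Against the default store it fails, which is the PKIX path building error.
trusted_with_anchor() {
  crt="$1"
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}
trusted_by_default_store() {
  crt="$1"
  openssl verify "$crt" >/dev/null 2>&1
}

# The fix: a dedicated truststore for the consuming application rather than
# "sudo keytool -import" into <java>/jre/lib/security/cacerts, which every
# Java program on the box trusts and which a JDK update overwrites.
# Skipped when no JDK is on PATH.
make_truststore() {
  dir="$1"; alias="$2"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping truststore"; return 0; }
  keytool -importcert -noprompt -alias "$alias" -file "$dir/server.crt" \
    -keystore "$dir/truststore.jks" -storetype JKS -storepass "$PASS" >/dev/null 2>&1
  keytool -list -keystore "$dir/truststore.jks" -storepass "$PASS" 2>/dev/null | grep -q "^$alias,"
}

# JVM options for the consumer (the Spring application that loads the WSDL).
jvm_trust_flags() {
  dir="$1"
  printf '%s' "-Djavax.net.ssl.trustStore=$dir/truststore.jks -Djavax.net.ssl.trustStorePassword=$PASS"
}

# Usage: sh wsdl_trust.sh run [directory]
if [ "${1:-}" = "run" ]; then
  d="${2:-./wsdl_trust}"; mkdir -p "$d"
  make_server_cert "$d" "$HOST"
  cert_matches_host "$d/server.crt" "$HOST" && echo "hostname check: OK"
  trusted_by_default_store "$d/server.crt" || echo "default truststore: PKIX failure, as expected"
  make_truststore "$d" "$HOST"
  echo "run the consumer with: $(jvm_trust_flags "$d")"
fi
```

The truststore only needs to hold the server's certificate (a trustedCertEntry), never its private key, so it can be shipped with the consuming application. When the server later moves to a CA-issued certificate, as in the December post, the JVM's default cacerts already contains the CA and the extra truststore can be dropped.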

Wednesday, November 21, 2012

Hibernate Custom Sequence For Oracle

Create a sequence generator annotation for a Hibernate entity on an Oracle database, starting at a custom number.
import javax.persistence.Column;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import org.hibernate.annotations.GenericGenerator;
import org.hibernate.annotations.Parameter;

// inside the @Entity class:
@Id
@GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "entity_seq_gen")
@GenericGenerator(name = "entity_seq_gen",
    strategy = "sequence",                                         // org.hibernate.id.SequenceGenerator
    parameters = {
        @Parameter(name = "sequence", value = "ENTITY_SEQ"),         // Oracle sequence name
        @Parameter(name = "parameters", value = "START WITH 844170") // appended to CREATE SEQUENCE
    })
@Column(name = "entity_id")
private Long entityId;

Thus generating this SQL statement when Hibernate creates the schema (the START WITH value is the one given in the "parameters" parameter):
CREATE SEQUENCE "ENTITY_SEQ"
       MINVALUE 1
       MAXVALUE 9999999999999999999999999999
       INCREMENT BY 1
       START WITH 844170
       CACHE 20
       NOORDER
       NOCYCLE ;
Remove this line if you want to use the default starting number of your sequence. Note that the clause only takes effect when Hibernate creates the sequence (hbm2ddl); an existing sequence has to be altered in Oracle instead:

@Parameter(name ="parameters", value="START WITH 844170" )



Installation of VirtualBox in Ubuntu 12.04

Using the terminal:

1. Add the VirtualBox signing key to apt's list of trusted keys. apt-key add reads the key from stdin, hence the trailing "-". The key is fetched over plain http, so compare its fingerprint (apt-key finger) with the one published on virtualbox.org before relying on it:

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

2. Add the VirtualBox repository to our list. Running this more than once appends a duplicate line to /etc/apt/sources.list; a separate file under /etc/apt/sources.list.d/ is easier to manage:
sudo sh -c 'echo "deb http://download.virtualbox.org/virtualbox/debian $(lsb_release -sc) contrib" >> /etc/apt/sources.list'

3. Update the package index:
sudo apt-get update

4. Install VirtualBox (replace <version_number> with the package version you want, e.g. the major.minor release):
sudo apt-get install virtualbox-<version_number>