
Tuesday, September 23, 2014

How to enable debugging in Apache Tomcat?

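To enable remote debugging in Apache Tomcat, edit the tomcat/bin/catalina.sh file and add the following line:

CATALINA_OPTS="$CATALINA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"

The debug port (8787 here) accepts connections without authentication, and a connected debugger can run code inside the Tomcat JVM, so keep the port firewalled and do not leave this option enabled on production servers.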

SSL different file formats

In my last post we created files with different extensions such as .crt, .csr and .der.

So what are these formats?

These are standard file formats defined by different standards:

CSR(.csr)

This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (not the key), which itself can be in a couple of formats.

PEM(.pem) 

Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email, but the container format it used lives on and is a base64 translation of the X.509 ASN.1 keys.

KEY(.key) 

This is a PEM-formatted file containing just the private key of a specific certificate. The extension is merely a conventional name, not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The permissions on these files are very important, and some programs will refuse to load these certificates if they are set wrong.

Public Keys(.pkcs12 .pfx .p12)

Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a password-protected container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. OpenSSL can turn this into a .pem file with both public and private keys (the -nodes option writes the private key to the output file unencrypted): openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes

A few other formats that show up from time to time:

DER(.der) 

A way to encode ASN.1 syntax in binary; a .pem file is just a Base64-encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension, like the ones below.

CERT(.cert .cer .crt)

A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

P7B(.p7b) 

Defined in RFC 2315, this is a format used by windows for certificate interchange. Java understands these natively. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

CRL(.crl) 

A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.

In summary, there are four different ways to present certificates and their components:

PEM

Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more).

PKCS7 

An open standard used by Java and supported by Windows. Does not contain private key material.

PKCS12 

A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

DER 

The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by much outside of Windows.
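
Because the extension says little about what a file really contains, it helps to look at the content itself. The following script is an added example, not part of the original post: it classifies a file by its PEM label or leading DER byte and checks the permission rule mentioned for .key files. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify certificate files by content and check key permissions.

# Print what file $1 holds, ignoring its extension.
cert_file_kind() {
    # PEM: the text after "-----BEGIN " names each object in the file.
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null)
    case $labels in
        *"PRIVATE KEY"*)
            # PKCS#8 has an ENCRYPTED label; legacy PEM encryption adds a header.
            if grep -q -e '^-----BEGIN ENCRYPTED' -e '^Proc-Type: 4,ENCRYPTED' "$1"
            then echo "pem:private-key-encrypted"
            else echo "pem:private-key-plaintext"
            fi ;;
        *"CERTIFICATE REQUEST"*) echo "pem:csr" ;;
        *CERTIFICATE*)           echo "pem:certificate" ;;
        *"X509 CRL"*)            echo "pem:crl" ;;
        *PKCS7*)                 echo "pem:pkcs7" ;;
        "")
            # No PEM header. DER starts with an ASN.1 SEQUENCE tag (0x30); binary
            # certificates, .p7b and .p12 files all do, so it cannot tell them apart.
            first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
            if [ "$first" = "30" ]; then echo "der"; else echo "unknown"; fi ;;
        *)  echo "pem:other" ;;
    esac
}

# Succeed only if file $1 grants no access to group or others.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples: PEM framing around a dummy body, not real key material.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQU=' \
        '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
        'MAMCAQU=' '-----END RSA PRIVATE KEY-----' > "$d/bundle.crt"
    chmod 644 "$d/bundle.crt"
    printf '\060\003\002\001\005' > "$d/site.pem"    # DER bytes, misnamed .pem
    for f in "$d"/*; do
        printf '%s: %s' "${f##*/}" "$(cert_file_kind "$f")"
        key_perms_ok "$f" || printf ' (readable by group or others)'
        printf '\n'
    done
    rm -rf "$d"
}
demo
```

A bundle that contains a private key is reported as a key even when it also holds certificates, since that is the part that needs protecting.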


Openssl create SSL certificate

What is SSL?


SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser or a mail server and a mail client (e.g., Outlook, Thunderbird).

So to make our server support SSL, we need to create an SSL certificate for our server.

An SSL certificate can be either self-signed or signed by an authority like OpenCA.

How to create an SSL certificate?

To create a certificate we use a tool called openssl, which is available for all operating systems.

Follow these steps:

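1. Create a private key using the following command:


openssl genrsa -des3 -out server.key 1024

The 1024-bit key size used here is too small for real use; choose 2048 bits or more for anything beyond a local test. The command asks for a passphrase to protect the key: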

Generating RSA private key, 1024 bit long modulus
.......++++++
..............++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

A server.key file will be created in the directory.

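2. Remove Passphrase from Key

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The key will no longer ask for a passphrase every time it is used. The resulting server.key is stored unencrypted, so it is protected only by its file permissions.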

3. Create a signing request (Certificate Signing Request):


openssl req -new -key server.key -out server.csr

This asks for the server information:

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:UP
Locality Name (eg, city) []:NOIDA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Open Source
Organizational Unit Name (eg, section) []:JAVA
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:localhost

A server.csr file will be created in the directory. This file can be sent to the signing authority or used to create a self-signed certificate.

4. Create a self-signed certificate:

Create a self-signed certificate using the private key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This will create a server.crt file in the directory.


5. Add certificate to trusted certificates list in JAVA:

Create a DER format file of certificate:

openssl x509 -in server.crt -out server.der -outform DER

Add the certificate to the trusted certificates using the Java keytool, which is available in the Java bin directory:

keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.der -alias server


This adds our certificate to the Java trusted certificates list, which is necessary for Java-based applications.

6. Configuring SSL Enabled Virtual Hosts

Now edit the virtual host configuration to add the following lines:

SSLEngine on

SSLCertificateFile /path/to/server.crt

SSLCertificateKeyFile /path/to/server.key
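
Before pointing the server at these files, it is worth confirming that the key, the signing request and the certificate from steps 1 to 4 actually belong together. The script below is an added example, not part of the original post; the function names and the 2048-bit minimum are assumptions of the example, and a 1024-bit key generated as in step 1 is reported as a failure.

```shell
#!/bin/sh
# Added example: checks on the server.key, server.csr and server.crt files above.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_pem() {    # $1 = key|csr|crt, $2 = file
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only if key $1, CSR $2 and certificate $3 share one public key.
same_keypair() {
    k=$(pubkey_pem key "$1") && [ -n "$k" ] || return 1
    [ "$k" = "$(pubkey_pem csr "$2")" ] && [ "$k" = "$(pubkey_pem crt "$3")" ]
}

# Print the public key size in bits of certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Succeed if certificate $1 was issued to itself (subject equals issuer).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Report on a key/CSR/certificate set; fail on a mismatch or a key under 2048 bits.
check_cert_set() {
    same_keypair "$1" "$2" "$3" ||
        { echo "FAIL: key, CSR and certificate do not match"; return 1; }
    bits=$(cert_key_bits "$3")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: ${bits:-unknown}-bit key, expected 2048 or more"; return 1; }
    is_self_signed "$3" && echo "NOTE: self-signed, clients must trust it explicitly"
    echo "OK: matching key pair, $bits-bit key"
}

# Usage: sh check_cert_set.sh server.key server.csr server.crt
if [ $# -eq 3 ]; then check_cert_set "$@"; fi
```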


Thursday, September 18, 2014

Set Java alternatives in Linux

There are several versions of Java in use, and we can have different applications written for different versions of Java. To use a particular version, we have to set the preferred version of Java that our system will use. We can set Java alternatives using these two methods, which I prefer:

1. Scan for alternatives and choose from them
2. Manually assign alternative

1. Scan for alternatives and choose from them


If you have installed two versions of Java, like Java 6 and Java 7, you will have directories for these versions in your /usr/lib/jvm directory. To choose between the alternatives, use the following command:


#update-alternatives --config java

This will scan for available versions of Java on your system and give the option to choose from them:

There are 2 choices for the alternative java (providing /usr/bin/java).
Selection Path Priority Status 
———————————————————— 
* 0 /usr/lib/jvm/java-6-openjdk/jre/bin/java 1061 auto mode 
1 /usr/lib/jvm/jre1.7.0/jre/bin/java 3 manual mode  
Press enter to keep the current choice[*], or type selection number: 1

Now Java 7 will be set as the preferred Java version.
If you are using a development environment, you have to do the same thing for javac:

#update-alternatives --config javac

2. Manually assign alternative

If you want to use a Java version that is not installed and you have downloaded its BIN version, you can manually assign the Java version using the following commands:

#update-alternatives --install "/usr/bin/java" "java" "/home/user/jdk1.6_37/jre/bin/java" 1
#update-alternatives --set java /home/user/jdk1.6_37/jre/bin/java

and for javac,

#update-alternatives --install "/usr/bin/javac" "javac" "/home/user/jdk1.6_37/bin/javac" 1
#update-alternatives --set javac /home/user/jdk1.6_37/bin/javac

Tuesday, September 9, 2014

How to use Syntaxhighlighter?

Edit your template's HTML code and add the following code at the end of the head tag in your template:

To use the highlighter, add a pre tag around your code:

      
System.out.println("Hello!!");

Thursday, September 4, 2014

Install Java in Chrome, Chromium or Firefox in Ubuntu

To enable the Java plugin in your Linux browsers, just copy these lines into a script and run it:

JAVA_HOME=/usr/lib/jvm/jdk1.7.0  # or the path where you have installed Java

MOZILLA_HOME=~/.mozilla
mkdir -p $MOZILLA_HOME/plugins

For 32-bit systems :


ln -s $JAVA_HOME/jre/lib/i386/libnpjp2.so $MOZILLA_HOME/plugins

For 64-bit systems:

ln -s $JAVA_HOME/jre/lib/amd64/libnpjp2.so $MOZILLA_HOME/plugins

To run a script in Linux, use the following steps:

1. Open a terminal.

2. Go to the directory where you have created the script. (Note: your file must have the extension .sh. For example: file_name.sh )

3. Run the following command:  chmod +x <file_name>.sh

4. Now run ./<file_name>.sh

5. Restart your browser.

Install Oracle Sun JDK in Ubuntu and set JAVA_HOME

To install the JDK from Oracle, use the following steps:

1. Download JDK from Oracle web site:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. The downloaded file will be in .bin format. For example, for a 64-bit system we have jdk-6u37-linux-x64.bin.

3. Put this bin file in your home directory.

4. Now we need to extract this file to use the Java API.

5. Extract BIN file:
  • Make BIN file executable using this command: chmod +x jdk***.bin
  • For executing use: ./jdk***.bin

6. A folder with the same name will be created in the same directory.

7. Now we need to provide the JDK path in the JAVA_HOME variable in the .bashrc file.

8. To edit the .bashrc file in an editor, use the following command:

          gedit .bashrc

9. Now put this code in your .bashrc file:

           export JAVA_HOME=/home/jdk***
           export PATH=$JAVA_HOME/bin:$PATH

10. Save the file.

11. To refresh your bash settings, type this command and hit enter:

            bash

12. To verify the configured JDK path, use this command:

            which java

This will display your configured path, i.e. /home/jdk***/bin/java