AWG Blogs

  • Getting ADB Working for SPH-M840 - Had a SPH-M840 Galaxy Ring Virgin Mobile 3G Android version 4.1.2, attempting to install apps from Android Studio failed to detect device. Installed SAMSUN...
    4 months ago
  • How to check if I have write permissions to an Oracle table - SELECT CASE WHEN COUNT(*) > 0 THEN 'YES' ELSE 'NO' END AS PERMISSIONS FROM ( SELECT privilege FROM ( select * from dba_tab_privs where (grantee = 'MY_USE...
    4 months ago
  • JSF vs Struts 2 - JSF was designed in part by the authors of Struts to create a "Struts" that did a more accurate implementation of MVC (Struts is technically "Model 2") a...
    5 months ago
  • XML Beans vs JAXB - Seems XML Beans is superior: JAXB provides support for the XML schema specification, but handles only a subset of it; XMLBeans supports all of it. Also, by...
    9 months ago
  • Algorithms and OOP - In addition to DCI, "generic programming" as well as the move to functional programming appears to add nuance to the OOP notion of joining behavior with da...
    11 months ago
  • Flyweight vs Singleton - Implementations seems to be virtually identical, differing only in style, where the flyweight object is created and held by associated objects (containers:...
    1 year ago
  • init-param vs context-param - see http://javahash.com/difference-between-servlet-init-and-context-parameter/ for background. Gist: context-param variables are global and accessible thro...
    1 year ago
  • rbenv vs RVM - RVM is responsible not only for changing Ruby versions, but for installing rubies and managing gemsets, as well. ...Along with rbenv [to manage ruby versi...
    1 year ago

Saturday, July 23, 2016

Enabling Debugging in Eclipse for Tomcat Installation

When using the option "Use Tomcat installation (takes control of Tomcat installation), to enable debugging from Eclipse, you may need to adjust the VM arguments of the launch configuration as follows:

Double click the Tomcat server in the Servers tab, then click "Open launch configuration"
In the Arguments tab append the following line to the VM arguments text box:
 -agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n

Then restart the server.

Here is a screenshot:

Saturday, March 5, 2016

Two-way authentication with Tomcat

Start by creating a private key, cert, and keystore using openssl then convert to jks using Java's keytool so it can be used in Tomcat:
MyOwnPC+Joe@MyOwnPC ~/temp
$ openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:myownpc
Email Address []:.

MyOwnPC+Joe@MyOwnPC ~/temp
$ ls
servercert.pem  serverprivatekey.pem

MyOwnPC+Joe@MyOwnPC ~/temp
$ openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem -name myownpc -passout pass:changeit

MyOwnPC+Joe@MyOwnPC ~/temp
$ ls
servercert.pem  serverkeystore.pkcs12  serverprivatekey.pem

MyOwnPC+Joe@MyOwnPC ~/temp
$ keytool -importkeystore -alias myownpc -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Enter destination keystore password:  changeit
Re-enter new password: changeit
Enter source keystore password:  changeit

MyOwnPC+Joe@MyOwnPC ~/temp
$ ls
keystore.jks  servercert.pem  serverkeystore.pkcs12  serverprivatekey.pem

MyOwnPC+Joe@MyOwnPC ~/temp
$ cp keystore.jks ../certs
Add (or modify) so that Tomcat's conf/server.xml contains reference to the new keystore:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="C:/cygwin64/home/Joe/certs/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
Restart Tomcat. Then browse to https://myownpc:8443/someapp. Accept the certificate browser warnings and verify that the presented certificate's details contains 'myownpc' as the 'issued for'. Also you can check using the following keytool command to ensure 'myownpc' is an alias for the imported cert: keytool -list -v -keystore keystore.jks Now create a client certificate and add it to the keystore used by tomcat:

MyOwnPC+Joe@MyOwnPC ~/temp
$ openssl genrsa -out clientprivatekey.pem 2048                                 Generating RSA private key, 2048 bit long modulus
.......................+++
.............+++
e is 65537 (0x10001)

MyOwnPC+Joe@MyOwnPC ~/temp
$ openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:joe
Email Address []:.

MyOwnPC+Joe@MyOwnPC ~/temp
$ ls
clientcert.pem        keystore.jks    serverkeystore.pkcs12
clientprivatekey.pem  servercert.pem  serverprivatekey.pem

MyOwnPC+Joe@MyOwnPC ~/temp
$ openssl pkcs12 -export -out clientkeystore.pkcs12 -in clientcert.pem -inkey clientprivatekey.pem -name joe -passout pass:changeit

MyOwnPC+Joe@MyOwnPC ~/temp
$ keytool -importkeystore -alias joe -srckeystore clientkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Enter destination keystore password:  changeit
Enter source keystore password:  changeit

MyOwnPC+Joe@MyOwnPC ~/temp
$ ls
clientcert.pem         keystore.jks           serverprivatekey.pem
clientkeystore.pkcs12  servercert.pem
clientprivatekey.pem   serverkeystore.pkcs12

MyOwnPC+Joe@MyOwnPC ~/temp
$ cp keystore.jks ../certs
Now modify the server.xml SSL connector, adding keyAlias, truststoreFile, and truststorePass attributes and set clientAuth to true:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="C:/cygwin64/home/Joe/certs/keystore.jks" keystorePass="changeit"
               clientAuth="true" sslProtocol="TLS"
  keyAlias="myownpc" truststoreFile="C:/cygwin64/home/Joe/certs/keystore.jks"
  truststorePass="changeit"
 />
Restart Tomcat. Now loading the https page will give an error like
An error occurred during a connection to myownpc:8443. SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert) 
So in Firefox, do Options, Advanced, View Certificates, Import and import the file clientkeystore.pkcs12 and enter the password when prompted. Try loading the page again and Firefox should present you with the option to use the certificate you imported; accept and load the page.

Refs: http://venkateshragi.blogspot.com/2013/04/two-way-ssl-authentication-on-tomcat.html main flow here. Correction, the truststoreFile was actually required for me.
http://www.cloudera.com/documentation/enterprise/5-3-x/topics/cm_sg_openssl_jks.html found correction to above blog, adding -name option to openssl exports.