Tuesday, 10 April 2012

Jboss 7, HTTPS and EC browser support

While messing around with Jboss AS 7.1 at work I've made some discoveries.

1. JDK7 supports EC key algorithm
./jdk1.7.0_03/bin/keytool -v -genkey -alias https -keyalg EC -keystore /opt/jboss/https.keystore -keysize 409 -validity 730 -dname "CN=*.example.com, OU=TW, O=Home, L=OL, ST=WiM, C=PL" -storepass s0m3p15s -keypass S0m3p15s

max size is -keysize 571

2. Firefox (14.0a1) also supports EC .. partially - only keys generated with -keysize 256 and -keysize 384

3. Opera (12 alpha) doesn't support EC keys at all :(.

To use keys generated with keytool
keytool -v -genkey -alias https -keyalg DSA -keystore /opt/httpdsa.keystore -keysize 1024  -validity 730 -dname "CN=my.domain.com, OU=Lap, O=Home, L=City, ST=State, C=UK" -storepass s0m3Pa5s -keypass s0m3Pa5s

Subsytem must be set : native="false"

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl name="ssl" key-alias="https" password="s0m3Pa5s" certificate-key-file="/opt/httpdsa.keystore" protocol="TLSv1" verify-client="false"/>

To use keys generated with openssl
Subsytem must be set : native="true"

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="true">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>

Generating RSA keys with password

openssl genrsa -des3 -out https-rsa4key.pem 4096
openssl req -new -key https-rsa4key.pem  -out https.csr
openssl x509 -req -days 720 -in https.csr -signkey https-rsa4key.pem -out https-rsacert.pem

To test if browser can handle keys types/size - type password (set at runinng `openssl genrsa...`) when asked
openssl s_server -www -accept 443 -cert https-rsacert.pem -key https-rsa4key.pem

To use in Jboss AS7 standalone.xml (don't froget password="S0m3Pa5s"):
<ssl password="S0m3Pa5s" certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>

I've managed to get Jboss AS7.1 to start with openssl DSA keys

openssl dsaparam -out dsaparam 1024
openssl gendsa -out https-dsa.pem dsaparam
openssl req -new -key https-dsa.pem -out https.csr
openssl x509 -req -days 720 -in https.csr -signkey https-dsa.pem -out https-dsacert.pem

To test if browser can handle keys types/size
openssl s_server -www -accept 443 -cert https-dsacert.pem -key https-dsa.pem

and in standalone.xml
<ssl certificate-key-file="/opt/https-dsa.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-dsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>

Sunday, 8 April 2012

Linux JDK 6 installation - the hard way.

To clarify few things :
- I'm not a big fan of java (or any other bloated framework, especially if major versions are not backwards compatible)
- I hate installers that do things that we could really live without, or without users consent (eyecandy, toolbars, auto updaters etc.)

Last week at work I wanted to get JDk6 for JBoss based project. Since there are no tar.gz/tgz versions for 6u31 (like for JDK7), I dl'ed the i586-bin installer. My office server is openSuse 12.1 x86_64. I tried running the installer in different combinations.
chmod 755 jdk-6u31-linux-i586.bin

sh jdk-6u31-linux-i586.bin

Outcome was mostly the same :
jdk-6u31-linux-i586.bin: line 113: ./install.sfx : Permission denied

Installer is mix of shell script - few hundred lines at beginning of the file, and a self extracting binary.
To determinate where the script ends and sfx starts run
less -N jdk-6u31-linux-i586.bin
less jdk-6u31-linux-i586.bin
and press = to see line numbers currently seen on screen.

exit 0
jdk-6u31-linux-i586.bin lines 144-189/327000 byte 5779/85292206 0%

To get the sfx part run
tail -n +189 jdk-6u31-linux-i586.bin > install.sfx

To run (uncompress) the self extracting binary
chmod 755 install.sfx

I thought that I got what I needed, but at start JBoss 6 spitted out weired error. So I tried to check if everything is fine with the JDK.

cd jdk1.6.0_31
./bin/java -version
Error occurred during initialization of VM
java/lang/NoClassDefFoundError: java/lang/Object

After some googlin' for a reason to what could be the cause of the problem, I found a forum post suggesting that rt.jar could be missing.
find ./ -name rt.*

returned :


In bin folder I found unpack200
./bin/unpack200 --help

So I had the tool and means, next I had to find what needed to be unpacked
find ./ -name *.pack

returned :


So let's get to it
./bin/unpack200  ./lib/tools.pack  ./lib/tools.jar
./bin/unpack200  ./jre/lib/ext/localedata.pack  ./jre/lib/ext/localedata.jar

After that everything worked fine.
If any1 want's to take a look at the script part of the installer :
head -n 188 jdk-6u31-linux-i586.bin > install.sh

Monday, 2 April 2012

Manual PostgreSQL instalation on Windows

This post is for those unlucky ppl who for some dumb reason had to install Postgres on Windows, and had no luck with it. Most common problems I came across are :
1. installation finishes but database isn't initialized - error says that libintl-8.dll is missing
2. installation stops at the beginning - VisualC Redist Setup crashes - most common on Win7

Other reasons to install PG by hand is that even when using installer with command line options, you can't get the result you wanted, like database encoding, service user etc.

What will need is :
1. Postgres binaries
2. Ntrights.exe

Let's copy all files from postgres zip to c:\pgsql.
To create service-user - in cmd as admin
net user pgsql S0m3Pa5sW0rd /add

Now to properly configure service-user
ntrights.exe -u pgsql +r SeServiceLogonRight
ntrights.exe -u pgsql -r SeInteractiveLogonRight
wmic.exe USERACCOUNT WHERE "name='pgsql'" SET PasswordExpires=FALSE

Service-user needs full control over c:\pgsql
cacls "c:\pgsql" /T /E /G "pgsql":F

To properly initialize database we need to run cmd as service-user pgsql. Still as admin run
runas /user:pgsql cmd
typ password when asked S0m3Pa5sW0rd

Now in new cmd window
cd c:\pgsql
mkdir data
cd bin
initdb.exe -D ../data -E LATIN2 --locale="Czech, Czech Republic"

Now back in admins cmd
cd c:\pgsql\bin
pg_ctl.exe register -N PG84 -U pgsql -P S0m3Pa5sW0rd -D "c:\pgsql\data" -w

On Windows Vista and newer you need to uncomment last line in c:\pgsql\data\pg_hba.conf, since those versions have ipv6 support turned on by default - to test if your system qualifies
ping ::1

if echo returns 0, change last line in pg_hba.conf like so (remove # at the beginning of the line)
host    all     all     ::1/128      trust

To start the server - run services.msc , find and start PG84.

Sunday, 1 April 2012

Quick MySQL 5.6 manual instalation on Linux

Lately I've been building most software I need at work. Manually building from source you can minimize dependencies to what you need, and better familiarize yourself with all needed configuration files, than when installing from package - rpm, deb etc.

I got my src from this link.
At work I've been familiarized with PostgreSQL, so my dependency list will be similar to those standard for compiling Postgres : zlib, readline and ssl. CMake is needed for configuring source.

make && make install

Prefix is for keeping everything in one place, no trashing in /etc or /usr.

Server starting script - needs to be copied to proper init folder
cp /opt/mysql/support-files/mysql.server /etc/init.d/

Server configuration - need to peek one cnf file as a base for customizing
cp  /opt/mysql/support-files/my-medium.cnf  /opt/mysql/mysql.cnf

I've set ownership to postgres user & group since I already had those in my system. I was curious if the developers considered using other user than default mysql - fortunately they did.
chown -R -h postgres.postgres /opt/mysql

I've added mysql lib folder to ld cache - just in case, couldn't find anything in /opt/mysql/bin that's linked against it.

echo /opt/mysql/lib > /etc/ld.so.conf.d/my.conf

Time to set proper paths and user in /opt/mysql/my.cnf

socket = /opt/mysql/mysql.sock

collation-server = utf8_general_ci
user   = postgres
socket = /opt/mysql/mysql.sock

Same goes for the starting script /etc/init.d/mysql.server


# lockdir='/var/lock/subsys'


Now we need to create the default database
cd  /opt/mysql 
./scripts/mysql_install_db --datadir=/opt/mysql/data --user=postgres --defaults-file=/opt/mysql/my.cnf

Now all that's left is to start the new server
/etc/init.d/mysql.server start

..and set password for user root
./bin/mysqladmin -u root -S mysql.sock password 'new-password'

To simply connect to server
./bin/mysql -S mysql.sock -u root -p

If you need a user with remote access - for example with MySQL Workbench - connect as root
mysql> use mysql
mysql> create user 'admin' identified by 'admin-pass';
mysql> grant all on *.* to 'admin';
mysql> flush privileges;
mysql> \q

What's weird is this won't work for socket and localhost.
I had to create user 'admin'@'' and 'admin'@'localhost'.

mysql> select host, user  from mysql.user where user='admin';
| host      | user  |
| %         | admin |
| | admin |
| localhost | admin |

To use socket pointed in my.cnf
./bin/mysql --defaults-file=/opt/mysql/my.cnf -u admin -h localhost -p