Category Archives: Tomcat

Certificates, what to know…

Certificates are a tough and complex world to be in.

Here are the main things to remember when renewing old certificates, or requesting new ones 🙂

  • CA is short for “Certificate Authority” and is usually a party that ‘signs’ certificates on behalf of the requester. Because someone other than the party hosting the site signed the certificate, it is assumed that two independent parties stand behind it (dualism).
  • CSR is short for “Certificate Signing Request” and contains the data (including a hash signed with your private key) that any CA needs to create a “signed” certificate.
  • Private Key is the server key portion of the certificate that enables the server to “decrypt” traffic generated by a remote client using the provided certificate. This part of the certificate should always be kept safe, and should never be exchanged with any 3rd party. Whoever has the private key can assume the identity of the server/service to which the certificate applies.
  • Public Key is the client key portion of the certificate that allows a client to decrypt the traffic that is generated by the remote server. This key is exchanged encrypted using the certificate at connection time, and because only the server holds the private key portion, it is the only one in the world that can theoretically decode the traffic containing the key.
  • The certificate's CN (Common Name) should always match the hostname in the URL used by the visiting client, e.g. for http://www.google.com the CN would be www.google.com.
  • The certificate's O (Organization) should match the company listed in the whois record of the domain name, e.g. for google it would be “Google Inc.” http://www.whois.net/whois/google.com
  • When you want to use certificates for mobile devices, a special certificate should be used. Check ssl.nu for more information.
  • SAN is short for “Subject Alternative Name” (not to be mistaken for “Storage Area Network”); it is a special certificate that allows for multiple CNs (multiple sites), see http://www.digicert.com/subject-alternative-name.htm. It is also used in a number of Microsoft products.
  • If you have the option, don't use certificates that rely on the MD5 cryptographic hash. These are considered weak and might be blocked as insecure by future browsers. The weaknesses allow hackers to create a ‘valid’ certificate and steal the identity of your site by using it (tough read, for the wiz-kids: http://www.win.tue.nl/hashclash/rogue-ca/).

This should help you on your way 🙂

This might also be useful: a CSR checker that will also perform a few checks to make sure all the info inside the CSR adds up.
https://www.networking4all.com/en/support/tools/csr+check/
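The same checks can be done locally with openssl. The script below is an added example, not part of the original post: it creates a key and CSR the way the post describes and then verifies the CSR's own signature, that its CN matches the hostname you intend to serve, and that the signature hash is not MD5. The hostname, organisation and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create a key + CSR the way the
# post describes, then run the checks a CSR checker would: the CSR's own
# signature verifies, the CN matches the hostname you will serve, and the
# signature hash is not MD5. Hostname, organisation and paths are constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="dev.example.test"      # constructed; must equal the hostname clients use
ORG="Example Org"            # should match the domain's whois record

# Create the private key and CSR non-interactively: -subj answers the prompts,
# -nodes leaves the key unencrypted (as in the post), -sha256 picks the hash.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST/O=$ORG" \
        -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" 2>/dev/null
}

# Print the CN from the CSR subject (works with both "/CN=x" and "CN = x" forms).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the signature algorithm named in the CSR, e.g. sha256WithRSAEncryption.
csr_sigalg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_check FILE HOST: returns 0 when the self-signature verifies, CN equals
# HOST and the hash is not MD5; otherwise prints the reason and returns 1.
csr_check() {
    csr="$1"; want="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }
    cn=$(csr_cn "$csr")
    [ "$cn" = "$want" ] || { echo "FAIL: CN '$cn' does not match '$want'"; return 1; }
    case "$(csr_sigalg "$csr")" in
        md5*|*MD5*) echo "FAIL: weak MD5 signature hash"; return 1 ;;
    esac
    echo "OK: CN=$cn, $(csr_sigalg "$csr")"
}

make_csr
csr_check "$WORKDIR/$HOST.csr" "$HOST"
```

Run it against a CSR you received from a colleague or a tool before sending it to the CA; a CN mismatch or an MD5 signature is cheaper to catch here than after the certificate has been issued.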

Tomcat https and automatic redirect

Here is an example Tomcat configuration that configures SSL and an automatic redirect from TCP 80 (HTTP) to TCP 443 (HTTPS).

This may sound obvious, but in order to allow the automatic redirect to work you need to be sure that you also configure the connector for port 80 in conjunction with the 443 port in the server.xml configuration file.

Next create an ssl directory inside the tomcat directory. If you are going to use a different path, make sure tomcat can access these files. I usually try to keep all application server related files inside the catalina home.

cd /opt/tomcat   #or any other path you used
mkdir ./ssl

First create the keyfile and a csr file for the certificate using openssl. My advice would be to execute the following command inside the ssl directory you created previously.

cd /opt/tomcat/ssl #or any other directory you used.
#alter the names to match your requirements (rsa:4096 = a 4096-bit RSA key, -nodes = key not password protected)
openssl req -newkey rsa:4096 -nodes -keyout dev.amis.nl.key -out dev.amis.nl.csr

This command will output a dev.amis.nl.key file and (after answering the questions) a dev.amis.nl.csr file. In the configuration I have also added a date portion to the file names for future reference. You can use the CSR (Certificate Signing Request file) to either obtain a valid public certificate or generate a self-signed certificate (google how this is done). Make sure you finally get these files available in the ${catalina.base}/ssl directory.

#alter the names to match your own requirements; best practice usually includes creating self-descriptive filenames.
dev.amis.nl.ddmmyyyy.cer
dev.amis.nl.ddmmyyyy.key

If you have the private key and certificate in place you can create the connectors inside server.xml needed by Catalina (Tomcat) to handle the network requests that remote users will make on ports 80 (http) and 443 (https). By default Catalina is configured on port 8080. You can safely delete the default entry and replace it with the config below.

Make sure that the <Connector> entries are added between the <Service name="Catalina"> XML tags.

Open the server.xml file and create the following connectors. Tweak the settings to match your own requirements.


<!-- Connector definition for TCP port 80 -->
<Connector port="80"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           useBodyEncodingForURI="true"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml"/>

<!-- Connector definition for SSL port 443 -->
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           compression="on"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/ssl/dev.amis.nl.16032011.cer"
           SSLCertificateKeyFile="${catalina.base}/ssl/dev.amis.nl.16032011.key"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>

On some occasions you want Tomcat to automatically redirect any incoming request on TCP port 80 (HTTP) to TCP port 443 (HTTPS). If this is required, the behaviour can be forced by adding the following to the web.xml configuration located in the
${catalina.base}/conf/ directory.

Make sure you add this entry just before the ending </web-app> tag.

  <!-- Automatically redirect all requests to https -->
  <security-constraint>
        <web-resource-collection>
                <web-resource-name>Automatic SSL Forward</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>
  </security-constraint>

If you also want to redirect someone from the /* (ROOT) location to an application deployed in a Tomcat subdirectory, you can add the following to the default index.jsp inside the ${catalina.base}/webapps/ROOT directory. Make sure this is added at the top of the file, before any content is sent to the receiving browser, otherwise an error will occur. The cleanest way is to remove all content except the entry below.

<%
    String redirectURL = "/appname";
    response.sendRedirect(redirectURL);
%>

Hope this helped; any comments or clarifications, please post them below 🙂 🙂

RHEL5 init script for tomcat catalina

I have written an init script for Tomcat Catalina running on RHEL version 5. I have tested this script using Oracle Enterprise Linux 5.5 Carthage. The script should comply with the init standards defined for Red Hat Enterprise Linux, using the init functions library.

The script also allows the use of chkconfig, even though you might want to alter the priorities used (56 10).

#!/bin/bash
#
# "$Id: catalina ,v 1.0 2010/08/10 Chris_g Exp $"
#
#   Startup/shutdown script for tomcat(Catalina) Application server.
#
#   Linux chkconfig stuff:
#
#   chkconfig: 2345 56 10
#   description: Startup/shutdown script for the tomcat application server.
######

# Source function library (provides daemon, killproc and status).
######
. /etc/init.d/functions

# Define where the catalina.sh script is located. The redirect is part of the
# string on purpose: daemon hands it to a shell, so catalina's stdout is silenced.
######
CATALINA_BIN='/u01/tomcat/bin/catalina.sh 1> /dev/null';

# Find the catalina process using ps / awk.
# The match function will return 0 when no match is found with the string "java".
# Position $9 should contain the path to the Java executable used by catalina.
# Note: killproc and status act on that java path, so every JVM started from the
# same java binary is treated as "tomcat" by this script.
######
PROC=`ps -efc | grep apache.catalina | grep -v grep | awk 'BEGIN { FS=" "}; { if( match($9, "java") != 0 ) print $9;}'`

# Replace a potential empty string with a fake process so the RH daemon functions are able to parse
# it properly
######
if [ -z "$PROC" ]; then
    PROC='Tomcat_JVM';
fi

# Define the application name that is listed in the daemonize step.
PROG='Tomcat JVM';

# LOCKFILE
LOCK='/var/lock/subsys/tomcat';

RETVAL=0

start () {
        echo -n $"Starting $PROG: "

        # start daemon
        daemon $CATALINA_BIN start
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch $LOCK
        return $RETVAL
}

stop () {
        # stop daemon
        echo -n $"Stopping $PROG: "
        killproc $PROC
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f $LOCK
        return $RETVAL
}

restart() {
        stop
        start
}

case $1 in
        start)
                start
        ;;
        stop)
                stop
        ;;
        restart)
                restart
        ;;
        status)
                status $PROC
                RETVAL=$?
        ;;
        *)
                echo $"Usage: $0 {start|stop|restart|status}"
                exit 3
        ;;
esac

exit $RETVAL

# INSTALL
1. Touch a new tomcat file in your init directory.
touch /etc/init.d/tomcat
2. Copy and paste the code above into this file using vi
vi /etc/init.d/tomcat
(putty users)
press the insert button (this should put vi in insert mode)
Alter the tomcat catalina.sh path, copy the altered code to your clipboard and paste it into putty using a right mouse click.
press esc (this should get you out of insert mode)
next press "shift + :", "w", "enter" (this should save the file)
3. If catalina.sh was able to start tomcat (all vars/java configured) then the tomcat script should now be able to handle the startup.
4. If catalina was already running, try;

     service tomcat status
     This should already give a result equal to;
     java (pid 14389) is running...

5. Add tomcat to the chkconfig for automatic startup
     chkconfig --level 2345 tomcat on

Hope this helps 😉
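The script above identifies Tomcat by the path of the java binary, so killproc and status act on every JVM started from that binary. The functions below are an added example, not the post's init script: they locate the Tomcat JVM by its -Dcatalina.base argument instead, so stop and status only touch the intended instance. The ps listing, PIDs and paths are constructed.

```shell
#!/bin/bash
# Added example, not the post's init script: find the Tomcat JVM by its
# -Dcatalina.base argument rather than by the java binary path, so status and
# stop only touch this instance even when other JVMs (or a second Tomcat with
# another CATALINA_BASE) run on the same host. PIDs and paths are constructed.

# tomcat_pids BASE: read "PID ARGS" lines on stdin (normally `ps -eo pid,args`)
# and print the PIDs of Bootstrap JVMs started with -Dcatalina.base=BASE.
tomcat_pids() {
    awk -v want="-Dcatalina.base=$1" '
        /org\.apache\.catalina\.startup\.Bootstrap/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print $1; break }
        }'
}

# tomcat_status BASE: same wording the RH status function prints; returns 3
# when stopped, the LSB code chkconfig-managed services use.
tomcat_status() {
    pids=$(ps -eo pid,args | tomcat_pids "$1")
    if [ -n "$pids" ]; then echo "java (pid $pids) is running..."; return 0; fi
    echo "tomcat ($1) is stopped"; return 3
}

# tomcat_stop BASE [TIMEOUT]: TERM only this instance's JVM, wait up to
# TIMEOUT seconds for it to exit, then KILL as a last resort.
tomcat_stop() {
    pids=$(ps -eo pid,args | tomcat_pids "$1"); t="${2:-30}"
    [ -n "$pids" ] || return 0
    kill -TERM $pids 2>/dev/null
    while [ "$t" -gt 0 ] && kill -0 $pids 2>/dev/null; do sleep 1; t=$((t - 1)); done
    kill -0 $pids 2>/dev/null && kill -KILL $pids
    return 0
}

# Constructed ps listing: two Tomcat instances, the grep from the post's own
# script, and an unrelated JVM started from the same java binary.
SAMPLE_PS='  PID COMMAND
14389 /usr/java/bin/java -Dcatalina.base=/u01/tomcat -Dcatalina.home=/u01/tomcat org.apache.catalina.startup.Bootstrap start
14400 /usr/java/bin/java -Dcatalina.base=/u02/tomcat org.apache.catalina.startup.Bootstrap start
14500 grep apache.catalina
 2222 /usr/java/bin/java -jar /opt/other/app.jar'

printf '%s\n' "$SAMPLE_PS" | tomcat_pids /u01/tomcat   # prints 14389 only
```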

Compiling Tomcat APR-Native on OEL5.2

This is just a short tutorial on how to compile APR on Oracle Enterprise Linux 5.2. If you ever need to install the Apache Portable Runtime on an Oracle Enterprise Linux machine, then this is what you need, and how to configure it.
