Wednesday, July 31, 2013

Chromecast

This small device is just awesome!  I got it, connected it to my AV Receiver, and setup took about 5 mins after that.

For $35 I got:
- 3 months of Netflix (I got it before the Netflix subscription offer expired)
- the Chromecast device
- an HDMI extender
- a charger for the Chromecast with the USB cable

This is an awesome device and I highly recommend it!



Sunday, July 28, 2013

Downloading a site's certificate with openssl

I keep running into an issue where I need to get a server certificate, and it's not always accessible via the browser.

When I need it from the server, this handy comment on this site worked like a charm: http://serverfault.com/questions/139728/how-to-download-ssl-certificate-from-a-website


echo -n | openssl s_client -connect HOST:PORTNUMBER | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

- You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts.
- echo -n gives a response to the server, so that the connection is released.
- sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' removes information about the certificate chain. This is the preferred format to import the certificate into other keystores.


Thanks to the person who gave that comment; it has helped me immensely.
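To go a step further than the one-liner, here is an added shell example (not code from the post or from the serverfault comment) that fetches a chain with -showcerts and then splits the PEM output into one file per certificate, which is what you need when a keystore import has to take the intermediate as well as the leaf. The s_client output it works on is a constructed sample with placeholder PEM bodies (not real DER), so the split and leaf-extraction parts run offline; the host and port in fetch_chain are assumed and only used when you call it yourself.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's certificate
# chain with openssl s_client and split the PEM output into one file per
# certificate, so each can be imported into a keystore separately.

# Fetch the full chain from HOST PORT (needs network access; not run below).
# -servername sends SNI so a virtual-hosted server returns the right cert;
# </dev/null plays the role of "echo -n |" in the post and closes the session.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Keep only the first (leaf) certificate from s_client output on stdin:
# the post's sed range, cut off at the first END marker.
leaf_cert() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed '/-END CERTIFICATE-/q'
}

# Split every certificate on stdin into DIR/cert-N.pem and print the count.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# Constructed sample of "openssl s_client -showcerts" output: two certificates
# whose PEM bodies are placeholders, not real encoded certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTBODYPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
'

# Stand-alone demo on the constructed sample.
out_dir=$(mktemp -d)
count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$out_dir")
echo "wrote $count certificate(s) to $out_dir"
printf '%s\n' "$SAMPLE_CHAIN" | leaf_cert
rm -rf "$out_dir"
```

Against a real server you would run `fetch_chain www.example.test 443 | split_chain /tmp/certs`, then inspect each file with `openssl x509 -in /tmp/certs/cert-1.pem -noout -subject -issuer -fingerprint -sha256` before importing it, so the fingerprint you trust is one you have actually looked at.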

Weblogic - App having javax.net.ssl.SSLHandshakeException

If you use Weblogic and have an application that connects to the outside world via HTTPS, you could be in for a treat.

If you have DemoTrust (or any other trust keystore) configured alongside the JDK's own cacerts keystore, it looks like Weblogic picks which of them to use for trust unpredictably.

We ran into an issue where the application would randomly complain of an invalid cert chain, similar to this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

After many, many days of troubleshooting, wondering why the error occurred even though the Java cacerts had the correct certs, I decided to try accessing the site with the DemoTrust keystore instead.  Voila... the error manifested itself again.

What is insanely annoying is that this is not repeatable in WLS.  Every restart seems to have a different behavior.

To import a certificate you already have into the keystore - use the "keytool" utility.


cd $JAVA_HOME/jre/lib/security
keytool -import -alias VerisignC3PPCA -keystore cacerts -trustcacerts -file /root/getrootcert.cer


I found this great piece of code online (InstallCert.java, below) which helped me troubleshoot.

If you want to use the Weblogic identity and trust stores, below is some useful data. You will need to modify the code to point to that JKS if you want to (change the "File file = new ..." block). If you already have the certificates you care about, you can add them with "keytool" as well.
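Before importing anything, it helps to know which trust store a given JVM will actually consult. The following is an added shell example, not code from the post or from Oracle: resolve_truststore mirrors the lookup order InstallCert.java implements (javax.net.ssl.trustStore if set, else jssecacerts, else cacerts under java.home/lib/security) and is exercised against a constructed fake JAVA_HOME, while list_trusted and import_if_missing wrap keytool for the real stores. The fake JAVA_HOME, the /opt/wls path and the alias names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): work out which trust store a
# JVM will use, and import a certificate into a store only when it is missing.

# Print the trust store path for the JVM whose java.home is $1 (for JDK 8 and
# older this is the jre subdirectory) when -Djavax.net.ssl.trustStore is $2
# (may be empty). Order: explicit property -> jssecacerts -> cacerts.
resolve_truststore() {
    java_home=$1
    prop=$2
    sec="$java_home/lib/security"
    if [ -n "$prop" ]; then
        echo "$prop"
    elif [ -f "$sec/jssecacerts" ]; then
        echo "$sec/jssecacerts"
    else
        echo "$sec/cacerts"
    fi
}

# Count the trusted-certificate entries in a JKS store (needs a JDK's keytool;
# not run in the demo below).
list_trusted() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}

# Import PEMFILE into STORE under ALIAS only if that alias is not already there
# (needs keytool; not run below). Back the store up first: cacerts is shared by
# every application running on that JVM.
import_if_missing() {
    store=$1; pass=$2; alias=$3; pemfile=$4
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already present in $store"
    else
        keytool -importcert -noprompt -trustcacerts -keystore "$store" -storepass "$pass" \
                -alias "$alias" -file "$pemfile"
    fi
}

# Constructed demo: a fake JAVA_HOME with only cacerts, then with jssecacerts
# added, then with an explicit DemoTrust.jks property (path is assumed).
demo=$(mktemp -d)
mkdir -p "$demo/jdk/lib/security"
: > "$demo/jdk/lib/security/cacerts"
echo "default:      $(resolve_truststore "$demo/jdk" "")"
: > "$demo/jdk/lib/security/jssecacerts"
echo "jssecacerts:  $(resolve_truststore "$demo/jdk" "")"
echo "DemoTrust:    $(resolve_truststore "$demo/jdk" "/opt/wls/server/lib/DemoTrust.jks")"
rm -rf "$demo"
```

Note that InstallCert.java writes its result to a file named jssecacerts in the current directory, and a jssecacerts placed under lib/security silently takes precedence over cacerts; that is one way to end up with two stores holding different certificates. For the Weblogic demo store you would call `list_trusted .../DemoTrust.jks DemoTrustKeyStorePassPhrase` with the password from the table below.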

This table, which I've borrowed, was very neatly done at: http://itguykelly.wordpress.com/2010/05/20/default-weblogic-keystore-passwordpassphrase/


Property               Value
Trust store location   %ORACLE_HOME%/weblogic/wlserver_10.3/server/lib/DemoTrust.jks
Trust store password   DemoTrustKeyStorePassPhrase
Key store location     %ORACLE_HOME%/weblogic/wlserver_10.3/server/lib/DemoIdentity.jks
Key store password     DemoIdentityKeyStorePassPhrase
Private key password   DemoIdentityPassPhrase


Copy and paste the below code into a file called "InstallCert.java", then compile it and run it against the host whose certificate you want to trust (the port defaults to 443 and the keystore passphrase to "changeit"):
javac InstallCert.java
java InstallCert HOST[:PORT] [passphrase]



/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
/**
 * Originally from:
 * http://blogs.sun.com/andreas/resource/InstallCert.java
 * Use:
 * java InstallCert hostname
 * Example:
 * % java InstallCert ecc.fedora.redhat.com
 */

import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Class used to add the server's certificate to the KeyStore
 * with your trusted certificates.
 */
public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP
                    + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[]{tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader =
                new BufferedReader(new InputStreamReader(System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println
                    (" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println
                ("Added certificate to keystore 'jssecacerts' using alias '"
                        + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}

Monday, July 08, 2013

Apache 64-bit on Solaris 10 & Weblogic

Solaris 10 comes with Apache 32-bit by default.  This was a surprise.

My task here is to get Apache 64-bit and then hook it up to Weblogic on the SSL channel.  I will detail the Apache + Weblogic SSL communication.  Setting up Weblogic to listen on SSL is a different post, that I may or may not write up :)

I will be installing apache at /usr/local/apache (Many folks like to install it at /usr/local/apache2 etc, but I'm keeping it simple here)

I have a staging directory to compile / install the required packages.  This is a Whole Root zone, with Solaris 10 fully installed with all the packages on the Global Zone.

I need:
0. Apache 2.2.4 -- I tried Apache 2.4 and as of this writing it is not supported with the mod_wl.so library.
1. PCRE (Perl-Compatible Regular Expressions Library)
2. APR
3. APR-util

A gist of what is required is available on Apache's documentation site ( Apache Documentation for Installation )

For PCRE, I downloaded it from: PCRE
Download APR & APR-UTIL from here.

Initial settings on the terminal:

export CFLAGS="-m64"
export LDFLAGS="-L/usr/sfw/lib/sparcv9"
export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/local/lib/sparcv9

The CFLAGS setting is really important; otherwise you won't get it compiled in 64-bit.  Make sure your LD_LIBRARY_PATH and LDFLAGS point to the correct directories.

Compiling PCRE

This installs PCRE in /usr/local/pcre

cd /root/apache-compilation/pcre-8.33
./configure --disable-cpp CFLAGS="-m64 -g"
make
make install

Compiling APR

cd /root/apache-compilation/apr-1.4.8
./configure
make
make install

APR gets installed in /usr/local/apr.  The CFLAGS setting in the environment should carry over.

Compiling APR-UTIL

cd /root/apache-compilation/apr-util-1.5.2
./configure --with-apr=/usr/local/apr
make
make install

Compiling Apache
I use the prefix /usr/local/apache, but some people prefer to use "apache2".  Make it your own.  The prefix designates where Apache gets installed.

cd /root/apache-compilation/httpd-2.2.24
./configure --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr --prefix=/usr/local/apache --enable-mods-shared=most --enable-ssl --with-ssl=/usr/sfw
make
make install

After the installation, I like to test to make sure it's 64-bit (as I've gotten bitten a number of times).

# cd /usr/local/apache/modules
# file mod_vhost_alias.so
mod_vhost_alias.so:     ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped, no debugging information available

That tells you it's a 64-bit file.
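Checking one module by hand works, but a mixed 32/64-bit modules directory is exactly the kind of thing that only bites when a particular module loads. The following is an added shell example (not from the post) that checks every .so in a directory by reading the ELF class byte from the file header itself, so it does not depend on the wording file(1) prints on a given platform. The demo files it creates are constructed: they carry only an ELF magic and class byte, not real code.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every Apache module
# in a directory is a 64-bit ELF object by reading the ELF header directly.

# Print "64-bit", "32-bit" or "not ELF" for one file.
# EI_CLASS is byte 5 of the ELF header: 1 = ELFCLASS32, 2 = ELFCLASS64.
elf_class() {
    # od prints the first five bytes as hex, e.g. " 7f 45 4c 46 02"
    hdr=$(od -An -tx1 -N 5 "$1" | tr -d ' \n')
    case "$hdr" in
        7f454c4602) echo "64-bit" ;;
        7f454c4601) echo "32-bit" ;;
        *)          echo "not ELF" ;;
    esac
}

# List every *.so in DIR that is not a 64-bit ELF object.
# Returns 0 when all modules are 64-bit, 1 otherwise.
check_modules_64() {
    dir=$1
    bad=0
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue          # no .so files at all
        cls=$(elf_class "$f")
        if [ "$cls" != "64-bit" ]; then
            echo "NOT 64-bit: $f ($cls)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone demo on constructed input: two fake module files holding only
# an ELF magic and class byte, one 64-bit and one 32-bit.
demo_dir=$(mktemp -d)
printf '\177ELF\002\001\001' > "$demo_dir/mod_ok.so"
printf '\177ELF\001\001\001' > "$demo_dir/mod_bad.so"
if check_modules_64 "$demo_dir"; then
    echo "all modules in $demo_dir are 64-bit"
else
    echo "found non-64-bit modules in $demo_dir"
fi
rm -rf "$demo_dir"
```

On the real install you would run `check_modules_64 /usr/local/apache/modules` right after `make install`, and again after copying the Weblogic plug-in .so files in, since a 32-bit object there will only fail when httpd tries to load it.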

To get Weblogic working, I copied the WLS 1.1 plug-in *.so files (which are only 64-bit) to the /usr/local/apache/modules directory, then followed the instructions from Oracle here.

Good luck.  Comments are welcome.