Archive for Security

Importing Existing Keys and SSL Certificates Into Apache Tomcat

I rarely use Tomcat, but one of my clients is a Java guy and, as makes logical sense, uses Tomcat to serve the applications he writes. One of which required an SSL certificate. It’s no problem to create a new key, CSR, and import the certificate and certificate authority chains, but what if we already have an existing key and certificate for the same domain?

In our case, we had Apache serving the non-application stuff (in PHP, natch) on ports 80 and 443, with Tomcat on 8000 and 8443 (take that, Plesk!), and already had a certificate issued for the domain on the Apache side. Since the stuff used by Apache was in PEM format, I’ve added one of the steps required to convert it to PKCS12, which is what we’ll use for the Java keystore. These instructions are taken from a CentOS box, so you may need to make some modifications for other operating systems. It’s only here to serve as a guideline (and for my own future reference, primarily, because I know damned well I’ll forget again next year).

First, we need to concatenate the key, certificate (granted us by the CA) and the CA bundle into one single file. This is done most simply like so:
cat your_domain.key your_domain.crt your_ca_bundle.crt > your_domain.key_crt_bundle.pem

Next, we convert the concatenated PEM data into PKCS12:
openssl pkcs12 -export -out your_domain.key_crt_bundle.p12 -in your_domain.key_crt_bundle.pem

Create a password for the resultant PKCS12 file, and remember the password for a moment. Because you’ll need it when you import this PKCS12 into your Java keystore using the following command:
keytool -importkeystore -srckeystore your_domain.key_crt_bundle.p12 \
-srcstoretype pkcs12 -destkeystore your_domain.key_crt_bundle.jks -deststoretype jks

You’ll need to create a new password for the keystore, and then enter the password for the PKCS12 you created two steps back.

Then, edit your Tomcat server.xml file and define the full path and filename of the newly-created keystore, as well as your keystore’s password. In our case, the default location was /etc/tomcat6/server.xml. If you don’t know how to configure Tomcat6 for SSL at all, that’s beyond the scope of this particular post, and you will need to do some research. Also, do not pass GO!. Do not collect $200. And may God have mercy on your soul.

Finally, restart Tomcat doing the good ol’-fashioned service tomcat6 restart (or equivalent), and you should be good to go. And, if not…. sucks to be you.

Script to Automate Multi-User Development Permissions In Linux: Part II

As discussed in the previous entry a few moments ago:

While deploying a large virtual server for a client, one of the obstacles they had faced with their previous setup was multi-user permissions with regard to everyone modifying files and directories with their own FTP and/or SSH accounts. Unfortunately, for reasons that won’t be divulged here (quite frankly because I don’t know), and even after I suggested alternatives such as updating policies and standard operating procedures, the client opted to continue using previous methods, but still wanted a resolution to issues they faced in their multi-developer environment.

The following simple Bash script is called directly via a cron job every fifteen minutes:


#!/bin/bash

mode='4771';

# The directory in which "multiUserPermissionsFix" resides.
dir='/danbrown/scripts/';

if ( test "`whoami`" != 'root' ); then
echo "$0 MUST be run as root!";
exit -1;
fi;

if ( test "$1" == "" ); then
echo "You must specify the base directory.";
exit -1;
fi;

if ( test "$2" == "" ); then
echo "You must specify the group ownership to set.";
exit -1;
fi;

if [ -d "$1" ]; then

echo -n "Verifying ownership and group ownership of all files.... ";
chown -R $2:$2 $1;
echo "Done.";

cd $1;

echo -n "Resetting permissions now.... ";
find . -type d -exec chmod $mode '{}' \;
# for i in `find . -type d`; do
# chmod $mode $i;
# done;
echo "Done.";

echo -n "Verifying ownership requirements.... ";
find . -type d -exec chmod o+s '{}' \;
# for i in `find . -type d`; do
# chmod o+s $i;
# done;
echo "Good.";

echo -n "Verifying group requirements.... ";
find . -type d -exec chmod g+s '{}' \;
# for i in `find . -type d`; do
# chmod g+s $i >> /dev/null 2>&1
# done;
echo "Good.";

if [ "$?" != "0" ]; then
echo "That group does not exist!";
exit -1;
fi;

echo -n "Fixing bad permissions.... ";
$dir/multiUserPermissionsFix $1;
echo "Done.";

echo "Task Complete.";

exit 0;

else

echo "That directory doesn't exist!";
exit -1;

fi;

Script to Automate Multi-User Development Permissions In Linux: Part I

While deploying a large virtual server for a client, one of the obstacles they had faced with their previous setup was multi-user permissions with regard to everyone modifying files and directories with their own FTP and/or SSH accounts. Unfortunately, for reasons that won’t be divulged here (quite frankly because I don’t know), and even after I suggested alternatives such as updating policies and standard operating procedures, the client opted to continue using previous methods, but still wanted a resolution to issues they faced in their multi-developer environment.

To address one particular issue, I wrote the following very simple Bash script and set it on a cron running every 15 minutes, dumping all errors and standard output to a black hole.


#!/bin/bash
# Name: multiUserPermissionsFix
# Mode: 0755

function usage {
echo "USAGE: $0 base_directory";
exit -1;
}

# If we didn't even bother to pass an argument to this script, die.
if ( test "$1" == "" ); then
usage;
fi;

# Set up find correctly.
export IFS=$'\n';

# If this is a valid directory, do the work.
if [ -d "$1" ]; then

# Force a trailing slash - workaround for symlinked directories, etc.
d="$1/";

# Find and fix all file permissions --- but ignore all 'cache' cases.
find . -type f -not -path "*cache*" -exec chmod 0664 '{}' \;

exit 0;

# If it wasn't a valid directory passed to this script, die on an error.
else
echo "That directory does not exist!";
exit -1;
fi;

This script is actually not called directly, but instead by a parent script. It recursively runs through all files and sets the permissions to 0664 (owner read/write, group read/write, world read) so that users within the group can update or delete the files within the directory without requiring administrative intervention.

“Logon Process Has Failed To Create The Security Options Dialog” Error

Despite my preference for non-Windows operating systems, I do keep some Windows versions and at least one Windows machine in my arsenal. Here in my home office I have a desktop running Mandriva (I’ll get into that at another time) with a laptop next to it running Vista. I know, I know…. “bad Dan.” Save it. I already know.

Anyway, in the last week or ten days, Vista locked up on me. It would slug itself along as if a process was using up 100% of the available CPU and memory. It’s not a top-shelf machine, it’s just a Dell Inspiron 6400 w/ Core2Duo CPU and 2GB RAM – my wife, Debs, and I have similar systems.

Vista would hang, nearly unresponsive, and 15 minutes or so after I hit CTRL+ALT+DEL (nearly immediately, due to my severe lack of patience with personal computers), I finally had a response, though still no task manager. Less helpful than most BSOD‘s, the dialog stated simply:

Logon process has failed to create the security options dialog
Failure – Security options

Neat.

After poking around the Windows internals as best I could, while still being a good boy and not violating any possible terms of my license (yes, it’s a Genuine copy), I confirmed my suspicions: Vista still sucks.

However, after working around a few things, it was actually Microsoft’s “Safe” Mode (sic) bootup that helped me out. By trimming down the processes, I was able to debug the issue and narrowed-down the culprit: AcroRd32Info.exe. In fact, the whole Adobe Acrobat Reader installation was crapped-up. It turned out, every time I would load a multilayer PDF, it was causing a serious buffer overflow issue that was spiking CPU usage as high as 100%, memory usage to 99.6% of available RAM (spilling over into virtual memory) and maintain those levels until I hard-booted the machine. All total, between the three screwups, I lost about 3.5 full weeks of research for an AI neural network application I’ve been building, but nothing permanent. It’ll be like a drunken bender to the brain. It will survive.

Anyway, the lock-ups were primarily my fault, as should be expected. I was using an outdated version; I was using 8.1, whereas 9.x is the current version as of this writing. I installed the latest version and tried to reproduce the overflows — nothing. Keeping my fingers crossed, I think I can mark this as solved.