Wednesday, September 27, 2017

Enabling SSL in Tomcat


Installing and starting a Tomcat server is really straightforward, but running it securely needs some extra configuration. In this article I am going to describe the steps needed to enable encryption in a Tomcat server so that the traffic between client and server is encrypted and nobody in between can read the information.

Creation of KeyStore

The first and foremost requirement for implementing SSL is the creation of a keystore file. The documentation says only three formats are supported (JKS, PKCS11 or PKCS12), and I am gonna use the JKS format because it is the standard Java keystore and can be created using the keytool command that comes with the Java installation.

So, let's create the keystore. Just execute the following command; it creates a JKS file with a private key and a certificate.

keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.jks -storepass ***** -validity 3650

Please note the keystore password used during creation; it is needed in the Tomcat configuration. Also, tomcat.jks should be placed in a very secure location on the server.


Configuration

After creating the keystore file, the next step is to copy this file to the server. It is best practice to copy it into the conf folder of the Tomcat installation directory.

So, we go to the Tomcat installation directory. In the conf folder there, we open the server.xml file, where we can enable SSL and provide the keystore file location along with the keystore password.


So, basically, we add the following Connector element inside the Service element:
<Service name="Catalina">
.
.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="conf/tomcat.jks" keystorePass="****" />
.
.
.
</Service>


Limiting SSL Usage

Obviously, we want to disable plaintext communication after enabling SSL. The configuration so far supports both encrypted and plaintext communication, so we now disable plaintext communication.

Now, we add the following lines at the end of the web.xml file, inside its root element.

   
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure-tomcat-app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

   


Restart the Tomcat server, and now the connection to the Tomcat server is always secure.
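
The two files edited above can be checked together before the restart. This Python script is an added example, not part of the original article: it checks that server.xml has a connector with SSLEnabled="true" and a keystoreFile, that the redirectPort of every other connector points at a TLS connector (Tomcat sends plain requests that match a CONFIDENTIAL constraint to that port), and that web.xml covers /* with CONFIDENTIAL. The sample XML strings, the port 8080 connector and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the configuration in this article.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/tomcat.jks" keystorePass="example-only" />
</Service></Server>"""
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def local(tag):
    """Drop an XML namespace prefix so files with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Collect the stripped text of every descendant element called name."""
    return {e.text.strip() for e in elem.iter() if local(e.tag) == name and e.text}

def audit_connectors(server_xml):
    """Return findings for the Connector elements in a server.xml string."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    tls_ports = {c.get("port") for c in tls}
    findings = [] if tls else ['no Connector has SSLEnabled="true"']
    for c in tls:
        if not c.get("keystoreFile"):
            findings.append(f"port {c.get('port')}: keystoreFile is not set")
    for c in connectors:
        # CONFIDENTIAL sends plain requests to redirectPort; it must be a TLS port.
        if c not in tls and c.get("redirectPort") not in tls_ports:
            findings.append(f"port {c.get('port')}: redirectPort is not a TLS connector")
    return findings

def enforces_tls(web_xml):
    """True if a security-constraint covers /* with CONFIDENTIAL transport."""
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) == "security-constraint":
            if ("/*" in texts(elem, "url-pattern")
                    and "CONFIDENTIAL" in texts(elem, "transport-guarantee")):
                return True
    return False

if __name__ == "__main__":
    print(audit_connectors(SERVER_XML), enforces_tls(WEB_XML))
```

To audit a real installation, read conf/server.xml and the application's web.xml into strings and pass them to the two functions.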



Monday, September 18, 2017

Ubuntu Basics

In this article, I am going to write about some basic Ubuntu operations which we need day to day. I am gonna describe everything as a list, and this list will keep being updated.

Font Installation

One of the problems we frequently face is that the required fonts are not installed and we have to install them ourselves. Yes, there are several ways to install fonts in an Ubuntu system. First of all, we have to know where the fonts are located and what the purpose of the fonts is.

First of all, we have to know about user-defined fonts, i.e. every user defines their fonts in their home directory:

~/.fonts

The fonts in this directory are only for the specific user and not available globally.

If we have to make the fonts globally available, then we have to copy the fonts into other locations. The locations can be defined in

/etc/fonts/fonts.conf 

The default directories are
/usr/share/fonts, 
/usr/local/share/fonts 
and
~/.fonts

So, we copy the fonts directly into /usr/share/fonts or /usr/local/share/fonts to make them available for all users. Of course, you have to be an administrator to copy the fonts into the above-mentioned directories.

Here are the sample fonts to test.

Sample Fonts


After copying into the corresponding directories, we have to run the following command:

sudo fc-cache -fv

If the system is rebooted, we do not need to execute the above command; the fonts are loaded automatically.

After installation is complete, we check if the fonts have been successfully installed.

sudo fc-list |grep verdana

If the font is successfully installed, then it shows the newly installed font.

Note: we need to restart the application which is using the font to reflect the newly installed fonts.

Localization

This is one of the common problems I have faced. Basically, when using German letters with umlauts, they are not properly displayed because of Unicode-related problems.

Here, I will try to explain as simply as possible how to work around that:

  • Check the current locale settings:
      $ locale

  • See the available locales:
      $ locale -a

  • If a locale is not in the list, then it should be generated (installed):
      $ locale-gen fr_FR.UTF-8

  • To regenerate locales:
      $ locale-gen

  • The default settings are stored in the /etc/default/locale file.
      We can directly change the contents of this file, or we can use the command update-locale:
      $ update-locale LANG=de_DE.UTF-8

Note: the supported locales are located in the file /usr/share/i18n/SUPPORTED.

Shortcut Method:  

From a terminal, run the following command, and select the required locales. That does everything we needed!

$ sudo dpkg-reconfigure locales


Yes, it is recommended to restart the system to properly load the locales.

Quickly Test USB Boot

  • Install qemu
      sudo apt install qemu

  • Test ISO
      qemu-system-x86_64 -cdrom filename.iso

  • Test USB
      qemu-system-x86_64 -hda /dev/sdx



Date Time Settings


This section describes how we can set the date and time in an Ubuntu system from the command terminal. The automatic update of date and time is carried out through an NTP server; the configuration of the time sync server is a different topic. We simply set the date and time here.

First of all, there are two clocks: 1) System clock, 2) Hardware clock

Here, the date and time set in the hardware clock is the time we see in the BIOS. If the BIOS time is not correct, then the system time could also be incorrect, because when the system boots, it gets the time from the hardware clock.

So, if the hardware clock is wrong by any chance, the system time will also be wrong.

1) See system date and time
$ date
2) Set system date and time
$ sudo date -s '2017-10-04 16:31:32'
3) See hardware clock time
$ sudo hwclock
4) Set hardware clock time from system time
$ sudo hwclock -w
5) Set system time from hardware clock time
$ sudo hwclock -s

In the above commands, -w can be replaced with --systohc and -s can be replaced with --hctosys.

Enable Remote Desktop in Ubuntu Server  

If we install a standalone Ubuntu server and want it to be accessible via remote desktop, we have to do some extra tasks, since ubuntu-server comes without any desktop environment, i.e. there is no GUI, only a terminal. That's cool if you are familiar with the command line. If you still want to make your server available via remote desktop, we have to install a desktop environment on the server. The program we need for remote desktop is xrdp.

So, we install it using the terminal as follows:

sudo apt update
sudo apt upgrade
sudo apt install xrdp
sudo apt install ubuntu-mate-core ubuntu-mate-desktop 
echo mate-session >~/.xsession
sudo service xrdp restart


Then we are ready to connect using rdesktop from Linux and Remote Desktop from Windows-based systems.