- MemoryRealm works fine.
- UserDatabase doesn't work. The code is OK, but apparently, while parsing server.xml and creating the UserDatabase declared there, the server creates some kind of property file (MBeans), which of course cannot be created for a property whose name contains the '=' sign. Therefore it fails.
- Other realms could possibly work, but they don't implement the authenticate(cert) function, which is called to verify the certificates. It's a bit of a shame and I really don't see why it could not work.
Archive for November, 2004
Setting up a connector in /var/lib/tomcat4/conf/server.xml:
<Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="true" protocol="TLS" keystoreFile="/home/pie/bla/keystore" keystorePass="changeit"/>
</Connector>
Setting up trusted certificates (other than the cacerts file somewhere in the Java installation):
export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/pie/bla/ca -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl"
BTW: Tomcat5 allows you to specify trusted certs in server.xml directly.
The last option (-Djavax.net.debug=ssl) produces very usable debug information in the log file. It's useful together with s_client for debugging this setup.
Just a few things I learnt playing with openssl:
Generating a root CA certificate. It's also a self-signed certificate, so if that is all you want, you can stop here:
openssl req -new -x509 -keyout <keyPem> -out <certPem> -days 365 -extensions v3_ca
Generating a key and a certificate request:
openssl req -new -nodes -keyout <keyPem> -out <csrfile>
Signing a certificate request:
openssl x509 -req -days 356 -in <csrfile> -out <certfile> -CA ca3cert.pem -CAkey ca3key.pem -set_serial <serial>
Re-signing an existing certificate with the CA key (without -req, x509 reads a certificate rather than a request):
openssl x509 -days 356 -in <certIn> -out <certfile> -CA ca3cert.pem -CAkey ca3key.pem -set_serial <serial>
Now with keytool:
keytool -genkey -keystore <keystore> -dname <dname string --- see man>
Then we can export certificate signing request:
keytool -certreq -alias mykey -file <csrFile> -keystore <keystore>
Finally import the certificate:
keytool -import -keystore <keystore> -file <certPem>
Exporting certificates for Mozilla/IE (key and certificate concatenated, CA certificate included):
cat <keyPem> <certPem> > tmp
openssl pkcs12 -export -in tmp -out <file.p12> -certfile <cacert.pem>
Displaying a certificate:
openssl x509 -in <cert> -text | less
Testing if it works (client side against Tomcat, and a stand-alone test server):
openssl s_client -connect localhost:8443 -cert user2cert.pem -key user2key.pem -CAfile ca3cert-1.pem
openssl s_server -accept 8443 -cert serverCert.pem -key serverKey.pem -CAfile ca3cert-1.pem
Just a few notes:
- Tomcat uses the alias mykey for the key it uses for the websites.
- To import certificates into Mozilla/IE you also need to include the CA certificate in the PKCS#12 file.
- There is a script CA.pl which seems to automate many of these tasks.
- Watch out for V3 extensions (certificate purpose, CA=TRUE/FALSE, etc.).
- Most of these options can be specified directly in the openssl.cnf configuration file.
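The CA, client certificate, PKCS#12 and test steps above as one script, added here as an example and not part of the original post. It assumes openssl is on PATH; the names (ca3, otherca, user2), subjects and the password changeit are constructed, and the leaf is signed with a small extfile so it carries the explicit basicConstraints and extendedKeyUsage that the V3 extension note refers to.

```shell
#!/bin/sh
# Added example: build a root CA, a clientAuth-only leaf, a browser PKCS#12
# bundle, then check chain and purpose with "openssl verify".
# Assumes openssl on PATH; all names and the password are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Root CA: self-signed, with the v3_ca extensions (CA:TRUE) from openssl.cnf.
make_ca() {     # $1=CA name
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -extensions v3_ca \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Leaf: key + CSR, then signed by the CA. The extfile makes the leaf
# explicitly CA:FALSE and limits it to the given extended key usage.
make_leaf() {   # $1=name  $2=CA name  $3=serial  $4=EKU (clientAuth|serverAuth)
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$1.ext"
    openssl x509 -req -days 365 -in "$1.csr" -out "$1.pem" -CA "$2.pem" \
        -CAkey "$2.key" -set_serial "$3" -extfile "$1.ext" 2>/dev/null
}

# Browser bundle: key, leaf cert and the CA cert (Mozilla/IE need the CA too).
make_p12() {    # $1=name  $2=CA name
    openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -certfile "$2.pem" \
        -out "$1.p12" -passout pass:changeit
}

# Exit 0 if leaf $2 chains to CA $1 and is valid for purpose $3, else non-zero.
chain_ok() {    # $1=CA name  $2=leaf name  $3=sslclient|sslserver
    openssl verify -purpose "$3" -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

# Number of certificates inside the PKCS#12 file (leaf + CA = 2).
p12_cert_count() {  # $1=name
    openssl pkcs12 -in "$1.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_ca ca3
make_ca otherca
make_leaf user2 ca3 2 clientAuth
make_p12 user2 ca3
```

Run it and then try `chain_ok ca3 user2 sslserver`: it fails, because the leaf's extendedKeyUsage only allows clientAuth, which is exactly the purpose mismatch the note above warns about.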
XDoclet and Jasper2 combined in an Ant file: classloader problem; set classloaderref to the same value for both.
Axel came up with an idea to write an on-line Tripwire: checking the checksums of files before they are executed. This seems to be quite easily doable using LSM. However, there are a few issues that need to be understood:
- Execution of scripts, Perl programs, etc.: cannot prevent it
- Dynamic library loading: how to do it in LSM
- Policy loading: how to read policies in kernel mode
Hmm... such a thing already exists as an open source project: Digsig.
Just a few interesting pointers to tools from a book I read:
- WHArsenal – www.whitesec.com (doesn’t seem to be available anymore)
- HTTPush – on the fly modification of requests (in Perl)
- WEBScarab – http://www.owasp.org/software/webscarab.html
- Spikeproxy – http://packages.debian.org/unstable/net/spikeproxy.html
- PenProxy – http://shh.thathost.com/pub-java/html/PenProxy.html