Tadek’s Blog

1. MemoryRealm works fine.
2. UserDatabase doesn’t work. The code is ok, but apparently while parsing server.xml file and creating UserDatabase (declared there) the server creates some kind of property file (MBeans), which of course cannot be created for the property which contains sign ‘=’. Therefore it fails.
3. Other realms could possibly work, but they don’t implement authenticate(cert[]) function, which is called to verify the certificates. It’s a bit of a shame and I really don’t see why it could not work.
(more…)

Setting up a connector in /var/lib/tomcat4/conf/server.xml

<Connector className=”org.apache.catalina.connector.http.HttpConnector”
port=”8443″ minProcessors=”5″ maxProcessors=”75″
enableLookups=”true”
acceptCount=”10″ debug=”0″ scheme=”https” secure=”true”>
<Factory className=”org.apache.catalina.net.SSLServerSocketFactory”
clientAuth=”true” protocol=”TLS” keystoreFile=”/home/pie/bla/keystore” keystorePass=”changeit”/>
</Connector>

Setting up trusted certificates (other than cacerts somewhere in Java):
export CATALINA_OPTS=”-Djavax.net.ssl.trustStore=/home/pie/bla/ca -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl”

BTW: Tomcat5 allows to specify trusted certs in server.xml directly.

The last one produces a very usable debug information in the log file. It’s useful together with s_client to debug this setup.
(more…)

Just a few things I learnt playing with openssl:

Generating a root ca certificate. It’s also a self-signed certificate, so if you want just this, you can stop here:

openssl req -new -x509 -keyout -out -days 365 -extenstions v3_ca

Generating a key and a certificate request:

openssl req -new -nodes -keyout -out

Signing a certificate request:

openssl x509 -req -days 356 -in -out -CA ca3cert.pem -CAkey ca3key.pem -set_serial

Signing a certificate:

openssl x509 -days 356 -in -out -CA ca3cert.pem -CAkey ca3key.pem -set_serial

Now with keytool:

keytool -genkey -keystore -dname

Then we can export certificate signing request:

keytool -certreq -alias mykey -file -keystore

Finally import the certificate:

keytool -import -keystore -file

Exporting certificates for mozilla/ie:

cat > tmp
openssl pkcs12 -export -in tmp out -certfile

Viewing certificate:

openssl x509 -in -text | less

Testing if it works:

openssl s_client -connect localhost:8443 -cert user2cert.pem -key user2key.pem -CAfile ca3cert-1.pem
openssl s_server -connect accept:8443 -cert serverCert.pem -key serverKey.pem -CAfile ca3cert-1.pem

Just a few notes:

1. tomcat uses an alias mykey for a it uses for the websites
2. to import certificates in mozilla/ie you also need to include ca certificate in pkcs12 file.
3. there is a scrpit CA.pl which seem to automate many tasks.
4. Watch out for V3 extensions (certificate purpose, CA=TRUE/FALSE, etc.)
5. Most of these options can be specified directly in opensssl.cnf configuration file.

Xdoclet, Jasper2 combined together in an ANT file – classloader problem – classloaredref – set to the same value

I found this website while looking for error bars in R. Well, it seems to explain the confusion
between standard error, deviation and confidence intervals.

An here is how I implement it in R.
(more…)

Axel came up an idea to write an on-line Tripwire – checking the checksums of files before they are executed. This seems to be quite easily doable using LSM. however, they are a few issues that need to be understood:

• Execution of scripts/perl programs, etc. – cannot prevent it
• Dynamic library loading – how to do it in LSM
• Policy loading – how to read policies in Kernel mode

Hum…. such thing already exists and is an open source project
Digsig

Just a few interesting pointers to tools from a book I read:

• WHArsenal – www.whitesec.com (doesn’t seem to be available anymore)
• HTTPush – on the fly modification of requests (in Perl)
• WEBScarab – http://www.owasp.org/software/webscarab.html
• Spikeproxy – http://packages.debian.org/unstable/net/spikeproxy.html
• PenProxy – http://shh.thathost.com/pub-java/html/PenProxy.html