Friday, December 20, 2013

Importing SSL Certificates to a Keystore with Java Keytool

Java Keytool is a key and certificate tool for managing cryptographic keys, X.509 certificate chains, and trusted certificates.

Keytool Functions

  • Administration of public/private key pairs and associated certificates.
  • Administration of secret keys used in symmetric encryption/decryption (e.g. DES)
  • Storing keys and certificates in a keystore
In this blog I focus on the last aspect.

SSL Basics

 

File types

We distinguish between certificates and keystores:
  • Certificate: A digitally signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.
  • Keystore: Archive file (database) for storing many cryptography objects such as certificates as a single file.

Certificate encodings and extensions

  • .DER: Binary DER encoded certificates. Not routinely used by anything in common usage.
  • .PEM: ASCII (Base64) encoded DER certificates used for different types of X.509v3 files which contain data surrounded with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM stands for Privacy-enhanced Electronic Mail.
  • .CRT: Used for certificates in DER or PEM format. Most common in *nix systems.
  • .CER: Alternate extension of .CRT. Microsoft convention.
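
The relationship between the two encodings can be checked directly. This added example (not part of the original post) normalises a PEM or DER file to DER bytes and prints the SHA-256 fingerprint, which can be compared with a fingerprint obtained out of band before a certificate is imported into a keystore. It assumes GNU coreutils and awk; the sample bytes are a constructed placeholder, not a real certificate.

```bash
#!/usr/bin/env bash
# Added example: SHA-256 fingerprint of a certificate file in PEM or DER form.
# Assumes GNU coreutils (base64, sha256sum) and awk.

# cert_to_der FILE -> DER bytes of the first certificate on stdout
cert_to_der() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        # PEM: Base64 body between the markers; tolerate CRLF line endings
        awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
             /-----END CERTIFICATE-----/   { exit }
             on' "$1" | tr -d '\r' | base64 -d
    else
        cat "$1"    # no PEM markers: treat the file as binary DER
    fi
}

# cert_fingerprint FILE -> colon-separated upper-case hex digest of the DER bytes
cert_fingerprint() {
    cert_to_der "$1" | sha256sum | awk '{ print toupper($1) }' \
        | sed 's/../&:/g; s/:$//'
}

demo_fingerprint() {
    dir=$(mktemp -d)
    # Constructed placeholder bytes standing in for a DER certificate
    printf '\060\202\001\012constructed-sample-not-a-real-certificate' > "$dir/sample.der"
    { echo '-----BEGIN CERTIFICATE-----'
      base64 < "$dir/sample.der"
      echo '-----END CERTIFICATE-----'; } > "$dir/sample.pem"
    cert_fingerprint "$dir/sample.der"
    cert_fingerprint "$dir/sample.pem"   # same value: PEM is Base64 of the DER bytes
    rm -rf "$dir"
}
demo_fingerprint
```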

Keystore formats and extensions

  • .JKS: Keystore in Java format, e.g. $JAVA_HOME/jre/lib/security/cacerts
  • .P12, .PKCS12, .PFX: PKCS12 certificate keystore file format. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

Keytool Commands for Storing Keys and Certificates in a Keystore


Listing all imported certificates

keytool -list -keystore keystore.jks -storepass ***

Importing a single certificate to a keystore

keytool -importcert \
    -file mycert.pem \
    -keystore keystore.jks \
    -storetype jks \
    -storepass *** \
    -alias myalias

Importing a PKCS12 keystore to a JKS keystore

This time we import not only a simple certificate but a whole keystore:
keytool -importkeystore \
    -srckeystore cert-and-key.p12 \
    -srcstoretype pkcs12 \
    -srcstorepass *** \
    -destkeystore keystore.jks \
    -deststoretype jks \
    -deststorepass ***
If the destination keystore does not already exist, it will be created, so the import doubles as a format conversion. If you do not enter the source or destination store passwords, you will be prompted for them. You may skip the type information if you are lazy and trust keytool to recognize the correct type for you.

Importing a JKS keystore to a PKCS12 keystore

The same command as above but vice versa:
keytool -importkeystore \
    -srckeystore keystore.jks \
    -srcstoretype jks \
    -srcstorepass *** \
    -destkeystore cert-and-key.p12 \
    -deststoretype pkcs12 \
    -deststorepass ***


Saturday, November 2, 2013

How to check if your iPhone is unlocked or not?

  1. Find the IMEI (International Mobile Equipment Identity) number of your iPhone (Settings -> General -> Info section)
  2. Visit http://iphoneimei.info/ and enter your IMEI
  3. See the result


 Helpful (and a little bit scary...)

Sunday, June 23, 2013

FUSE ESB / Apache ServiceMix Basic Authentication

Find below a guide to set up Basic Authentication for a RESTful service running in a JBoss FUSE ESB 6.0 / Apache ServiceMix OSGI runtime. The service itself is not special. The notable configuration is found in blueprint.xml and in pom.xml.

Important note: this setup only works for JBoss FUSE ESB 6.0 or newer but not for FUSE ESB 7.1.0 or older!

The Restful service implementation CustomerService.java:
package ch.keller.servicemix.restws.server;

import java.util.Date;

import javax.annotation.Resource;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;

import org.apache.cxf.jaxrs.ext.MessageContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/customers")
public class CustomerService {
 
 private static final Logger LOG = LoggerFactory.getLogger(CustomerService.class);

 @Resource
 private MessageContext jaxrsContext;
 
 @GET
 @Path("/")
 public String listAll() {
  isUserInRole();
  return new Date()+": Yess!! "+jaxrsContext.getSecurityContext().getUserPrincipal();
 }

 private void isUserInRole() throws WebApplicationException {
  LOG.info("user = " + jaxrsContext.getSecurityContext().getUserPrincipal());
 }

}
The associated blueprint.xml configuration:



    
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

    
        
            <ref component-id="customerSvc"/>
          
        
            <ref component-id="authenticationFilter"/>
        
    

    <bean id="customerSvc" class="ch.keller.servicemix.restws.server.CustomerService"/>
 
    
         <property name="contextName" value="karaf"/>
    
        
    
        
     users = $[karaf.base]/etc/users.properties
        
    
 
    
    
        <bean class="org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory" />
    

The format of the properties in users.properties is as follows, with each line defining a user, its password and associated roles:
user=password[,role][,role]...
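
Because this file holds the Basic Authentication passwords in the clear, it is worth auditing. This added example (not part of the original post) flags a world-readable file and weak entries in the format above; the role name admin and the 12-character minimum are assumptions of the example, and the sample entries are constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a users.properties file (user=password[,role]...).
# Assumptions: the privileged role is named "admin"; minimum length is 12.

audit_users() {
    # The file stores passwords, so other local users should not read it.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "$1: world-readable"
    fi
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF files
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) { print "line " NR ": not in user=password form"; next }
            user = substr($0, 1, eq - 1); gsub(/[ \t]/, "", user)
            n = split(substr($0, eq + 1), f, ",")   # f[1]=password, rest=roles
            pw = f[1]; gsub(/^[ \t]+|[ \t]+$/, "", pw)
            if (pw == "")             print user ": empty password"
            else if (pw == user)      print user ": password equals user name"
            else if (length(pw) < 12) print user ": password shorter than 12 characters"
            if (n < 2) print user ": no role assigned"
            for (i = 2; i <= n; i++) {
                role = f[i]; gsub(/[ \t]/, "", role)
                if (role == "admin") print user ": holds the admin role"
            }
        }' "$1"
}

demo_users() {
    f=$(mktemp)
    # Constructed sample entries, not taken from a real system
    printf '%s\n' '# sample' 'admin=admin,admin' \
        'alice=correct-horse-battery,viewer' 'bob=s3cret' > "$f"
    chmod 644 "$f"
    audit_users "$f"
    rm -f "$f"
}
demo_users
```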
And finally, the Maven pom.xml build script:

 4.0.0
 ch.keller.servicemix
 restws
 0.0.1-SNAPSHOT
 bundle

 
     2.6.8
     2.3.5
 

 
  
    org.apache.cxf
   cxf-bundle
   provided
   ${cxf-version}
  
 

 
  
   
    org.apache.felix
    maven-bundle-plugin
    true
    ${felix-version}
    
     
      ${project.artifactId}
      ${project.description}
      
       org.apache.karaf.jaas.config,  
       org.apache.karaf.jaas.boot.principal,
       org.eclipse.jetty.plus.jaas,
       org.apache.karaf.jaas.boot,
       *
       
      
        ch.keller.servicemix.restws.server
      
      
    
   
    
 


Especially important is the import-package section that guarantees that no java.lang.ClassNotFoundException is thrown during runtime:

    org.apache.karaf.jaas.config,  
    org.apache.karaf.jaas.boot.principal,
    org.eclipse.jetty.plus.jaas,
    org.apache.karaf.jaas.boot,
    *

Eclipse with Eclemma: java.lang.NoClassDefFoundError: oracle/security/pki/OracleWallet

Trying to determine the code coverage of my JUnit 4 tests with EclEmma, a java.lang.NoClassDefFoundError was thrown. As we all love Java stack traces, here is a short excerpt:
java.lang.NoClassDefFoundError: oracle/security/pki/OracleWallet
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Class.java:169)
 at org.hibernate.connection.DriverManagerConnectionProvider.configure(DriverManagerConnectionProvider.java:57)
 at org.hibernate.connection.ConnectionProviderFactory.newConnectionProvider(ConnectionProviderFactory.java:124)
 at
 ...
What does my JUnit test want from the OracleWallet? The application uses JDBC to access the Oracle DB, but OracleWallet is never directly used in my application. Without EclEmma the tests are running successfully. Not nice.

This seems to be a known problem which is fixed in EclEmma 2.1.3, see http://sourceforge.net/p/eclemma/bugs/108/. If you don't want (or are not allowed...) to update, then the workaround is to exclude oracle.* from the coverage agent in the Code Coverage preferences, see http://www.eclemma.org/userdoc/preferences.html.

Saturday, June 15, 2013

Setup AppDynamics for FUSE ESB / Apache ServiceMix in 5 Minutes

AppDynamics is a powerful tool for the analysis of distributed Java and .NET applications. As it has only low overhead costs (according to the vendor < 2%), it can also be used in production environments.

I use JBoss Fuse 6.0.0 on MacOS. But the setup is similar on other operating systems.
Follow these steps:
  1. Download AppDynamics Lite Java version from http://www.appdynamics.com/. Name and E-Mail address must be provided (and normally you will be contacted by the vendor...).
  2. Unzip the downloaded ZIP file AppDynamicsLite.zip to your desired installation directory:
    unzip AppDynamicsLite.zip -d <APP_DYNAMICS_HOME>
    
  3. Go to the installation directory:
        cd <APP_DYNAMICS_HOME>
    
  4. Unzip the viewer package:
        unzip LiteViewer.zip
    
  5. Enter the viewer directory:
        cd LiteViewer
    
  6. Start the viewer:
        java -jar adlite-viewer.jar
    
  7. Open URL http://localhost:8990/ with your browser. Default user is admin with password admin. You see an empty dashboard.
  8. If you monitor an OSGI runtime with AppDynamics you have to extend the boot delegation parameter of FUSE ESB. See http://litedocs.appdynamics.com/display/ADLite/OSGi+Infrastructure for further explanations. As I use Felix, I have to add com.singularity.* to the org.osgi.framework.bootdelegation property. For easier upgrade of FUSE ESB, I do not edit /etc/config.properties but /etc/custom.properties. It is important that you don't forget to add all default values. And of course these values may change if you upgrade your FUSE ESB installation. Finally, I add the following line to /etc/custom.properties:
        org.osgi.framework.bootdelegation=com.singularity.*,org.apache.karaf.jaas.boot,sun.*,com.sun.*,javax.transaction,javax.transaction.*,org.apache.xalan.processor,org.apache.xpath.jaxp,org.apache.xml.dtm.ref,org.apache.xerces.jaxp.datatype,org.apache.xerces.stax,org.apache.xerces.parsers,org.apache.xerces.jaxp,org.apache.xerces.jaxp.validation,org.apache.xerces.dom
    
    If you are not sure which OSGI framework you use, you can query your configuration in your Karaf console with
        shell:info
    
  9. Configure AppDynamics agent for FUSE ESB. E.g., set $KARAF_OPTS in your shell:
        export KARAF_OPTS="$KARAF_OPTS -javaagent:<APP_DYNAMICS_HOME>/javaagent.jar"
    
    Or alternatively, add the following statement to your start script /bin/karaf:
        KARAF_OPTS="$KARAF_OPTS -javaagent:<APP_DYNAMICS_HOME>/javaagent.jar"
    
  10. Start your FUSE ESB (in the same shell where you set $KARAF_OPTS):
        cd <FUSE_ESB_HOME>/bin
        ./fuse
    
  11. Create some traffic on your FUSE ESB, e.g. invoke a web service etc.
  12. Go back to your AppDynamics viewer browser window at http://localhost:8990/ and you should see some business transactions.

  13. Finito.

Friday, June 7, 2013

FUSE ESB / Apache ServiceMix Worries...

Started JBOSS FUSE ESB and received a million error messages in the log (short extract):

[510]% ./fuse
Please wait while JBoss Fuse is loading...
 29% [====================>                                                   ]ERROR: Bundle org.ops4j.pax.web.pax-web-spi [97] Error starting mvn:org.ops4j.pax.web/pax-web-spi/1.1.11 (org.osgi.framework.BundleException: Uses constraint violation. Unable to resolve bundle revision org.ops4j.pax.web.pax-web-spi [97.0] because it is exposed to package 'javax.servlet' from bundle revisions org.apache.geronimo.specs.geronimo-servlet_3.0_spec [269.0] and org.mortbay.jetty.servlet-api [263.0] via two dependency chains.

Chain 1:
  org.ops4j.pax.web.pax-web-spi [97.0]
    import: (&(osgi.wiring.package=javax.servlet)(version>=2.3.0)(!(version>=3.0.0)))
     |
    export: osgi.wiring.package=javax.servlet
  org.apache.geronimo.specs.geronimo-servlet_3.0_spec [269.0]

Chain 2:
  org.ops4j.pax.web.pax-web-spi [97.0]
    import: (&(osgi.wiring.package=org.ops4j.pax.web.service)(version>=1.1.11))
     |
    export: osgi.wiring.package=org.ops4j.pax.web.service; uses:=org.osgi.service.http
  org.ops4j.pax.web.pax-web-api [99.0]
    import: (&(osgi.wiring.package=org.osgi.service.http)(version>=1.0.0)(!(version>=2.0.0)))
     |
    export: osgi.wiring.package=org.osgi.service.http; uses:=javax.servlet.http
  osgi.cmpn [273.0]
    import: (osgi.wiring.package=javax.servlet.http)
     |
    export: osgi.wiring.package=javax.servlet.http; uses:=javax.servlet
    export: osgi.wiring.package=javax.servlet
  org.mortbay.jetty.servlet-api [263.0])

  ...

WTF? Deleted $FUSE_HOME/data directory, started FUSE again, and the errors are gone. It's a pain.

JBoss FUSE ESB vs. Apache ServiceMix vs. Apache Karaf vs. Apache Felix

What is JBoss FUSE ESB? And what is its relation to OSGI, Apache Felix, Eclipse Equinox, Apache Karaf and Apache ServiceMix?
  • Felix and Equinox are both OSGI core runtimes
  • Karaf is the ServiceMix Kernel and provides a "distribution" based on Felix or Equinox by adding features such as an admin console and blueprint configuration.
  • ServiceMix is an integration container aka ESB powered by OSGI unifying the features of ActiveMQ, Camel, CXF, and Karaf (and others)
  • JBoss Fuse ESB is an ESB based on ServiceMix adding bug fixes and extended documentation


Sunday, April 21, 2013

Migrating Plug-in Configuration when updating Eclipse Release

I just downloaded the latest Eclipse Juno Release with the latest fixes etc. But how to migrate my plugins from my "old" Eclipse to the "new" one?

1. Export

First, you must export your plug-ins from your "old" Eclipse installation as follows:
1.0 Start your "old" Eclipse instance
1.1 Package explorer, right mouse click, choose Export

1.2 Choose Install: Installed Software Items to File

1.3 Select All and export to p2f file (remember the file path, as you will import this file into your "new" Eclipse instance)



2. Import

After exporting, you must import the exported p2f file to your "new" Eclipse installation as follows:
2.0 Shutdown the "old" Eclipse instance if you want to use the same workspace as used for the export and start your "new" Eclipse instance
2.1 Package explorer, right mouse click, choose Import

2.2 Choose Install: Install Software Items from File

2.3 Select your exported p2f file (see step 1.3 above)
2.4 Select All and Finish

That's it. Let me know if this was helpful!