john pfeiffer

Centos6 x64 openssh java7 tomcat7 ssl

install centos6 x64 with the default hard drive and user values, then:

su -
yum update
yum install nano openssh-server
nano /etc/ssh/sshd_config

    LoginGraceTime 2m
    PermitRootLogin no
    AllowUsers oadmin # at the very end

chkconfig --level 2345 sshd on
chkconfig --list # verify

sudo vi /etc/inittab

    id:3:initdefault: # default boot in console (runlevel 3), not the GUI runlevel 5

optionally: visudo, and add alias ll='ls -ahl' to .bashrc


download jdk-7u13-linux-x64.rpm (easiest via browser from oracle.com)

sudo rpm -Uvh jdk-7u13-linux-x64.rpm # ignore file not found errors
java -version

ls /usr/java

vi /etc/profile # AND vi ~/.bashrc AND vi /root/.bashrc

    export JAVA_HOME="/usr/java/jdk1.7.0_06/bin/" # use the directory that ls /usr/java shows
    export JAVA_PATH="$JAVA_HOME"
    export PATH="$PATH:$JAVA_HOME"

source /root/.bashrc # reload with the new settings


from http://tomcat.apache.org/download-70.cgi

wget http://apache.spinellicreations.com/tomcat/tomcat-7/v7.0.35/bin/apache-tomcat-7.0.35.tar.gz
tar -xf apache-tomcat-7.0.35.tar.gz
mv apache-tomcat-7.0.35 /var/lib/
mv /var/lib/apache-tomcat-7.0.35 /var/lib/tomcat7

vi /etc/init.d/tomcat # tomcat start on boot, depends on /etc/profile and .bashrc with correct $JAVA_HOME

    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80

    CATALINA_HOME=/var/lib/tomcat7

    case $1 in
        start)
            sh $CATALINA_HOME/bin/startup.sh
            ;;
        stop)
            sh $CATALINA_HOME/bin/shutdown.sh
            ;;
        restart)
            sh $CATALINA_HOME/bin/shutdown.sh
            sh $CATALINA_HOME/bin/startup.sh
            ;;
    esac
    exit 0

chmod 755 /etc/init.d/tomcat
chkconfig --add tomcat
chkconfig --level 234 tomcat on

/etc/init.d/tomcat start
ps aux # verify: /usr/bin/java -Djava.util.logging...tomcat7

less /var/lib/tomcat7/logs/catalina.out # verify tomcat started in the logs

http://10.10.10.29:8080 # verify tomcat is available remotely

remove everything in /var/lib/tomcat7/webapps, since the stock ROOT, manager and other sample apps are a security risk in PRODUCTION

deploy your apps or .war's into /var/lib/tomcat7/webapps


PORT REDIRECTION

ports below 1024 are privileged, so listening on 443 directly needs authbind; the alternative is an iptables redirect to the unprivileged 8443:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

? SSLCipherSuite="AES256-SHA:HIGH:MED:!DHE-RSA-AES256-SHA" ?


SSL PEM versus JAVA Keystore format: start with your cert.crt, cert.key and intermediate.crt...

easiest: mkdir -p /var/lib/ssl, then put the files there as /var/lib/ssl/cert.crt, /var/lib/ssl/intermediate.crt and /var/lib/ssl/cert.key

openssl x509 -outform der -in cert.crt -out cert.der

openssl pkcs8 -outform der -in cert.key -out key.der -topk8 -nocrypt

openssl x509 -outform der -in intermediate.crt -out intermediate.der

maybe needs cat cert.der intermediate.der > chain.der?

use a special ImportKey.java (javac ImportKey.java becomes ImportKey.class)

java ImportKey key.der cert.der "oxygendrobosgw.o2cloud.net"

this saves the result into ~/keystore.ImportKey with storepass changeit

mv /root/keystore.ImportKey /root/.keystore

keytool -import -trustcacerts -alias "RapidSSL CA" -file /var/lib/ssl/intermediate.crt -keystore /root/.keystore -storepass changeit

BROWSERS ARE OK WITH THIS, BUT THE SERVER STILL CANNOT PROVIDE THE INTERMEDIATE TO CLIENTS!
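A check for the keystore built above, added here as an example and not code from the page: it loads the JKS file, prints the chain stored under each key alias, and flags a key entry whose chain holds only the leaf, which is the state that leaves Tomcat unable to send the intermediate (the keytool -import with a separate alias creates a trusted-certificate entry, it does not append to the key's chain). The keystore path and password are taken from the command line; /root/.keystore and changeit are the values used above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * CheckKeystoreChain (example, not part of the original post): lists every
 * key entry in a JKS keystore and reports the certificate chain Tomcat will
 * send. A chain of length 1 for a CA-signed leaf means the intermediate is
 * not stored under the key's alias, so clients that do not already hold the
 * intermediate will fail to validate the server certificate.
 *
 * Usage: java CheckKeystoreChain /root/.keystore changeit
 */
public class CheckKeystoreChain {

    /** Returns the number of key entries whose chain is missing the intermediate. */
    static int report(KeyStore ks) throws Exception {
        int incomplete = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert entries (e.g. "RapidSSL CA") have no chain
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias " + alias + ": chain length " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer : " + x.getIssuerX500Principal());
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getSubjectX500Principal()
                    .equals(leaf.getIssuerX500Principal());
            if (chain.length == 1 && !selfSigned) {
                System.out.println("  WARNING: no intermediate in chain under this alias");
                incomplete++;
            }
        }
        return incomplete;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.exit(report(ks) == 0 ? 0 : 1);
    }
}
```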



Grab your handy cacerts file from your sun jdk installation (/etc/java-7-sun/security/cacerts ?)

keytool -import -trustcacerts -alias root -file root.crt -keystore cacerts-java7 -storepass changeit
keytool -import -trustcacerts -alias "RapidSSL CA" -file intermediate.crt -keystore cacerts-java7 -storepass changeit

Have the root.crt and the intermediate.crt all in one big mycert.pem

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...

cat intermediate.crt root.crt > chain.crt
openssl x509 -outform der -in chain.crt -out new.der
keytool -import -alias kittyandbear.net -keystore cacerts-java7 -file new.der

VERIFY...

keytool -list -v -keystore cacerts-java7 -alias kittyandbear.net -storepass changeit
keytool -delete -keystore cacerts-java7 -alias kittyandbear.net -storepass changeit # if you make a mistake...

Have the cert.key , cert.crt , and the intermediate.crt all in one big mycert.pem

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...

WITHOUT APR (the tomcat native connector) YOU CAN'T USE THE OPENSSL-STYLE SETTINGS =( edit the connector in vi /var/lib/tomcat7/conf/server.xml

note this requires /var/lib/ssl/cert.crt etc. to exist AND the user running tomcat to have read access to them

ERROR = SEVERE: Failed to load keystore type JKS with path /root/.keystore

ls -ahl /root will show you that it does not have .keystore

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA # presumably sudo so it lands in /root; storepass = changeit

CN=oxygen, OU=oxygen, O=oxygen, L=oxygen, ST=oxygen, C=us

enter password (just hit enter to make it the same as before)

ls -ahl /root will show you that you have created /root/.keystore


find the mirror link at http://tomcat.apache.org/download-native.cgi and wget it

tar -xf tomcat-native-1.1.24-src.tar.gz
cd tomcat-native-1.1.24-src/jni/native

sudo yum install gcc (required prerequisite?)

yum install apr-devel openssl-devel # openssl-devel.x86_64

sudo ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/jdk1.7.0_13 --with-ssl=/usr/include/openssl --prefix=/usr/lib64

make

make install

ls -ahl /usr/lib64/lib

mv /usr/lib64/lib/* /usr/lib64 # should the prefix be different to skip this? don't move the pkgconfig directory

/etc/init.d/tomcat6 start # verify that /var/log/tomcat6/catalina.out does not report the APR warning



OPTIONAL

byobu screens http://pkgs.org/centos-6-rhel-6/epel-i386/byobu-5.21-4.el6.noarch.rpm.html

yum install screen
wget http://dl.fedoraproject.org/pub/epel/6/i386/byobu-5.21-4.el6.noarch.rpm
rpm -Uvh byobu-5.21-4.el6.noarch.rpm

unfortunately seems to crash in putty

optionally configure to boot in run level 3 (multi user console with networking)

vi /etc/inittab

change

    id:5:initdefault:

to

    id:3:initdefault:

sudo yum install gcc apr apr-devel java-1.6.0-openjdk-devel.x86_64 openssl-devel.x86_64

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

/**
 * ImportKey.java
 *
 * This class imports a key and a certificate into a keystore
 * ($home/keystore.ImportKey). If the keystore is already present, it is
 * simply deleted. Both the key and the certificate file must be in
 * DER-format. The key must be encoded with PKCS#8-format. The certificate
 * must be encoded in X.509-format.
 *
 * Key format:
 *
 *   openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der -outform der
 *
 * Format of the certificate:
 *
 *   openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform der
 *
 * Import key and certificate:
 *
 *   java comu.ImportKey YOUR.KEY.der YOUR.CERT.der
 *
 * Caution: the old keystore.ImportKey-file is deleted and replaced with a
 * keystore only containing YOUR.KEY and YOUR.CERT. The keystore and the key
 * has no password; they can be set by the keytool -keypasswd-command for
 * setting the key password, and the keytool -storepasswd-command to set
 * the keystore password.
 *
 * The key and the certificate is stored under the alias importkey; to
 * change this, use keytool -keyclone.
 *
 * Created: Fri Apr 13 18:15:07 2001
 * Updated: Fri Apr 19 11:03:00 2002
 *
 * @author Joachim Karrer, Jens Carlberg
 * @version 1.1
 */
public class ImportKey {

    /**
     * <p>Creates an InputStream from a file, and fills it with the complete
     * file. Thus, available() on the returned InputStream will return the
     * full number of bytes the file contains</p>
     * @param fname The filename
     * @return The filled InputStream
     * @exception IOException, if the Streams couldn't be created.
     **/
    private static InputStream fullStream(String fname) throws IOException {
        try (DataInputStream dis = new DataInputStream(new FileInputStream(fname))) {
            byte[] bytes = new byte[dis.available()];
            dis.readFully(bytes);
            return new ByteArrayInputStream(bytes);
        }
    }

    /**
     * <p>Takes two file names for a key and the certificate for the key,
     * and imports those into a keystore. Optionally it takes an alias
     * for the key.
     * <p>The first argument is the filename for the key. The key should be
     * in PKCS8-format.
     * <p>The second argument is the filename for the certificate for the key.
     * <p>If a third argument is given it is used as the alias. If missing,
     * the key is imported with the default alias below.
     * <p>The name of the keystore file can be controlled by setting
     * the keystore property (java -Dkeystore=mykeystore). If no name
     * is given, the file is named <code>keystore.ImportKey</code>
     * and placed in your home directory.
     * @param args [0] Name of the key file, [1] Name of the certificate file
     * [2] Alias for the key.
     **/
    public static void main(String[] args) {

        // change this if you want another password by default
        String keypass = "changeit";

        // change this if you want another alias by default
        String defaultalias = "changeit";

        // change this if you want another keystorefile by default
        String keystorename = System.getProperty("keystore");

        if (keystorename == null)
            keystorename = System.getProperty("user.home")
                    + System.getProperty("file.separator")
                    + "keystore.ImportKey"; // especially this ;-)

        // parsing command line input
        if (args.length < 2 || args.length > 3) {
            System.out.println("Usage: java comu.ImportKey keyfile certfile [alias]");
            System.exit(0);
        }
        String keyfile = args[0];
        String certfile = args[1];
        if (args.length > 2)
            defaultalias = args[2];

        try {
            // initializing an empty keystore; any old file is overwritten when stored below
            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
            ks.load(null, keypass.toCharArray());
            System.out.println("Using keystore-file : " + keystorename);

            // loading Key (PKCS#8, DER)
            InputStream fl = fullStream(keyfile);
            byte[] key = new byte[fl.available()];
            KeyFactory kf = KeyFactory.getInstance("RSA");
            fl.read(key, 0, fl.available());
            fl.close();
            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec(key);
            PrivateKey ff = kf.generatePrivate(keysp);

            // loading CertificateChain (one or more DER X.509 certificates, leaf first)
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            InputStream certstream = fullStream(certfile);
            Collection<? extends Certificate> c = cf.generateCertificates(certstream);
            certstream.close();
            // toArray(new Certificate[0]) rather than casting Object[] to Certificate[],
            // which throws ClassCastException
            Certificate[] certs = c.toArray(new Certificate[0]);
            if (certs.length == 1) {
                System.out.println("One certificate, no chain.");
            } else {
                System.out.println("Certificate chain length: " + certs.length);
            }

            // storing keystore
            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), certs);
            System.out.println("Key and certificate stored.");
            System.out.println("Alias:" + defaultalias + "  Password:" + keypass);
            try (FileOutputStream out = new FileOutputStream(keystorename)) {
                ks.store(out, keypass.toCharArray());
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

} // ImportKey



Published: Feb 5, 2013

Category: linux (~1222 words)

Tags: centos6, linux, openssh, ssl, tomcat7, x64