Wednesday, November 24, 2010

SSL on Tomcat

I have found a very nice tutorial on setting up SSL on Tomcat.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

The only thing that needs noting is that the SSL port is now 443 instead of 8080. So, to check whether you set up SSL successfully, you must open the URL: https://localhost:443

However, this is only a self-signed certificate. You will need OpenSSL to create a true certificate or probably buy a commercial one from VeriSign.

More about this topic:
http://download.oracle.com/javaee/5/tutorial/doc/bnbxw.html
-----------------------
Setting up SSL on Tomcat is easy and you don't have to do much to convert your web application to work with the HTTPS protocol. However, the problem you will run into when setting up SSL is the documentation available on the web. The documentation is available on the Apache site, but it starts off well and ends in a lot of confusion. I was especially confused by the part where it says to use OpenSSL.
It might be good to use OpenSSL in a production environment, but if you just want to test SSL with Tomcat alone, your JDK and Tomcat setups are more than enough. So I will walk you through the same steps I followed to get SSL up and running and build a secured web app within a matter of minutes.
The things I used to set up SSL are:
JDK 1.6
Tomcat 6
Even though I have used the latest versions, I don't see any problems you might face in carrying out the same steps, which I am about to explain, with JDK 1.5. The JDK ships with a keytool executable, which is required to generate a keystore. keytool can be found in earlier versions of the JDK too. The 3 steps to get started with setting up SSL are:
Generating the Keystore file
Configuring Tomcat for using the Keystore file
Configuring your web application to work with SSL
Let’s get this party started now.
1. Generating the KeyStore file
The keystore file is the one that stores the details of the certificates necessary to make the protocol secure. Certificates contain information about the source from which you are receiving the application data, used to authenticate whether it is the intended party or not. To make this keystore you have to use keytool. So open the command prompt in Windows or the shell in Linux and type:
cd %JAVA_HOME%/bin on Windows
cd $JAVA_HOME/bin on Linux
You would land in the Java bin directory. Now it is time to run the keytool command. You have to provide some parameters to the command, as follows:
keytool -genkey -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
The highlighted words are the ones you would have to change according to your requirements. But keep in mind that the keypass and storepass passwords should be the same. The .bin file is actually your keystore file. The command will now start a questionnaire, so fill in the relevant details accordingly. Look below for a reference on how to answer the questions.
What is your first and last name?
[Unknown]: nitin pai
What is the name of your organizational unit?
[Unknown]: home
What is the name of your organization?
[Unknown]: techtracer
What is the name of your City or Locality?
[Unknown]: mumbai
What is the name of your State or Province?
[Unknown]: maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=nitin pai, OU=home, O=techtracer, L=mumbai, ST=maharashtra, C=IN correct?
[no]: yes
The command would then conclude. It would create a .bin file with the name you provided, inside the bin directory itself. In my case it was techtracer.bin, which was located in
C:\Program Files\Java\jdk1.6.0_02\bin\
Put the .bin file in the webapps directory of Tomcat. This is required to avoid the need to give an absolute path of the file in the next step.
2. Configuring Tomcat for using the Keystore file
Here we will make some changes to the server.xml file inside Tomcat to tell it to use the keystore created in the earlier step for configuring SSL. Open the file server.xml, which can be found at:
/conf/server.xml
Now you have to modify it. Find the Connector element which has port="8443" and uncomment it if not already done. Add two lines. The highlighted lines are the newly added ones.

Notice that I have given the path in the keystoreFile property as relative to the Tomcat bin directory, because the startup command will look for the .bin file. Now all you have to do is start your server and check that SSL is working by pointing your browser to the URL:
https://localhost:8443/
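The Connector markup for step 2 did not survive on this page. As an added example (not the original tutorial's markup), a Tomcat 6 SSL connector with the two keystore attributes looks like the block below. The keystore file name and password reuse the values from step 1, the path follows the text's description, and the remaining attributes are assumed to match the stock commented-out connector in Tomcat 6's server.xml.

```xml
<!-- Added example: HTTPS connector for Tomcat 6 (conf/server.xml).
     The last two attributes are the "two lines" step 2 asks you to add. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="../webapps/techtracer.bin"
           keystorePass="ttadmin" />
<!-- keystoreFile: path as the tutorial describes it (relative to Tomcat's bin
     directory); an absolute path outside webapps avoids depending on how
     relative paths are resolved and keeps the private key away from deployed content.
     keystorePass: stored in clear text, so server.xml should be readable only
     by the account that runs Tomcat. It must equal both -storepass and
     -keypass from the keytool command in step 1. -->
```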
Now that you have Tomcat running in SSL mode, you are ready to deploy an application to test it. Note that Tomcat can still run in normal mode at the same time, i.e. on port 8080 with HTTP. So any application deployed to the server will be running on HTTP and HTTPS at the same time. This is something we don't want: we want our application to run only in secured mode.
3. Configuring your web application to work with SSL
In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through HTTP and HTTPS to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before the web-app element ends, i.e.:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
An explanation of the fragment is beyond the scope of this tutorial, but what you should notice is that /* indicates that any resource in your application, be it Servlets or JSPs, can now be accessed only with HTTPS. The term CONFIDENTIAL is what tells the server to make the application work over SSL. If you want to turn SSL mode off for this application, don't delete the fragment. Just set the value to NONE instead of CONFIDENTIAL. That's it!
Conclusion
These were the 3 easy steps with which you can make Tomcat work in SSL mode, and they also show how easily you can turn SSL mode on and off. If you find any difficulty or are not clear on any of the above steps, feel free to drop in your queries. If you like this tutorial, it would be nice of you to drop in a comment of appreciation or feedback on how this tutorial can be improved.

Sunday, November 21, 2010

Installing a single sign-on server + LDAP

Single sign-on (SSO) and LDAP have been much-discussed topics in recent years. Many people think that setting up systems that use single sign-on and LDAP is complex work requiring a high level of expertise. However, with the development of open-source technologies, having SSO and LDAP has become very easy. The hardest part is actually the lack of up-to-date documentation on these technologies. This article introduces, step by step, how to carry out this work.

1. Installing the single sign-on server:
Currently, CAS (Central Authentication System - http://www.jasig.org/cas) is an excellent open-source software package used to set up single sign-on servers. It was first developed by Yale University and, since 2008, has been managed by JASIG, the Java architecture interest group.
The Jasig web page has a complete tutorial on how to install CAS

However, in step 10, the property userName must be changed to --> userDn
readers should not only consult for reference

2. Installing the LDAP server
Apache has developed a software package called Apache Directory http://directory.apache.org/
Download and install this software
Note: after installing, go to Control Panel/Administrative/Services and start this service
3. Now try CAS by opening a browser and typing http://localhost:8080/; it will redirect to a CAS login page. After login, all resources at http://localhost:8080 can be accessed.
-------------------------------
Prerequisites
Apache Tomcat is installed and running
Java(JDK) is installed.
Instructions
Download Apache directory server from http://directory.apache.org/
Run the setup with all the defaults and test that the server is working on localhost using telnet:
Start->Run->telnet
In the telnet console, type the following: open localhost 10389
If you get a screen that lets you type, Apache Directory Server is configured properly
Download the CAS installation and find the war file e.g. \cas-server-$VERSION\modules\cas-server-webapp-$VERSION.war
Start the Tomcat server, e.g. $TOMCAT_HOME/bin/startup.bat.
Add the CAS war file, cas-server-webapp-3.2.1.war, to the webapps folder, $TOMCAT_HOME\webapps.
Confirm the following directory exists, which indicates a successful deploy: $TOMCAT_HOME\webapps\cas-server-webapp-$VERSION
You may also examine the Tomcat standard output log file for errors, $TOMCAT_HOME/logs/catalina.out.
Stop the tomcat server, e.g. $TOMCAT_HOME/bin/shutdown.bat.
Add the following to the pom.xml file in the META-INF folder, $TOMCAT_HOME\webapps\cas-server-webapp-$VERSION\META-INF\maven\org.jasig.cas\cas-server-webapp:
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${project.version}</version>
</dependency>
Edit $TOMCAT_HOME\webapps\cas-server-webapp-$VERSION\WEB-INF\deployerConfigContext.xml as follows:
Add the following bean for LDAP authentication:
class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">



ldap://localhost:10389










Remove the demo authentication handler, org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler, from the authenticationHandlers property of the org.jasig.cas.authentication.AuthenticationManagerImpl bean.
Add the LDAP fast bind authentication handler:




Add the cas-server-support-ldap-$VERSION.jar from the CAS installation to $TOMCAT_HOME\webapps\cas-server-webapp-$VERSION\WEB-INF\lib.
Start tomcat and confirm there are no errors in the $TOMCAT_HOME\logs\catalina.out log.
Open a browser to the URL http://localhost:8080/cas-server-webapp-$VERSION/ and authenticate with the following credentials, admin/secret.
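The bean markup for the deployerConfigContext.xml steps above did not survive on this page. As an added example (not the original instructions' or the CAS project's text), the two definitions would look roughly as follows for CAS 3.x. The property names other than userDn, the bind DN uid=admin,ou=system and the filter are assumptions based on Spring LDAP and the ApacheDS default admin entry; the URL and the admin/secret credentials are the ones the page gives.

```xml
<!-- Added example: LDAP context source for deployerConfigContext.xml.
     Property names other than userDn, and all values except the URL and
     password, are assumptions (CAS 3.x with Spring LDAP, ApacheDS defaults). -->
<bean id="contextSource"
      class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="pooled" value="true"/>
  <property name="urls">
    <list>
      <!-- ldap:// is unencrypted: bind passwords cross the wire in clear.
           Tolerable here only because the directory listens on localhost. -->
      <value>ldap://localhost:10389</value>
    </list>
  </property>
  <!-- userDn, not userName (the change noted for step 10 above) -->
  <property name="userDn" value="uid=admin,ou=system"/>
  <!-- Default admin password from the page; change it in ApacheDS and here
       before the server is reachable by anyone else -->
  <property name="password" value="secret"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple"/>
    </map>
  </property>
</bean>

<!-- Goes inside the authenticationHandlers list of AuthenticationManagerImpl,
     in place of the demo SimpleTestUsernamePasswordAuthenticationHandler.
     Fast bind authenticates by binding as the DN built from the filter;
     %u is replaced with the login name the user typed. -->
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
  <property name="filter" value="uid=%u,ou=system"/>
  <property name="contextSource" ref="contextSource"/>
</bean>
```

Leaving the demo handler in the list alongside this one would still accept any login whose password equals the username, which is why the instructions remove it.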