Two-in-one DNS server with BIND9

On this page

1. Footnotes

This tutorial shows you how to configure BIND9 DNS server to serve an internal network and an external network at the same time with different set of information. To accomplish that goal, a new feature of BIND9 called view is used. As a tutorial it'll walk you through the whole set up, but initial knowledge of BIND and DNS is required, there are plenty of documents that cover that information on the Internet.
Continue reading at original site or download PDF.

Contents

• 1 The problem
• 2 Initial configuration
• 3 Internals and externals
• 4 Security
• 5 Configuration files
  • 5.1 /etc/bind/named.conf.local
  • 5.2 /etc/bind/externals/db.example.com
  • 5.3 /etc/bind/internals/db.example.com
• Bibliography

1 The problem

It is a typical problem in organizations that are growing that they have to resolve two problems at once:

• To have a DNS server for the internal network of the company because long ago there were already too many computers to remember their IPs¹ and even too many computers to maintain a set of host files².
• To have a DNS server for the external servers, for external clients, etc.

to solve this problems become a bigger problem when the growing organization can't supply more resources than one DNS server³. It is a bigger problem because if you just configure your server with all your names, public and private, you'll end up polluting the Internet with private addresses, something that is very bad, and also showing the world part of the topology of your internal network. Something you don't want a possible attacker/cracker to have.
The other part of the problem is that for efficiency you may want to resolve to internal IPs when you are inside and external IPs when you are outside. Here I am taking about computers which have public and private connections.
There are many different solutions to this problem and I remember solving it even with BIND4, but now I am going to use BIND9 to make a solution that is very clean. This was deployed in a Debian GNU/Linux 3.1 server but it should also work for other operating systems that run BIND9, just be sure to change your paths appropriately.

2 Initial configuration

Let's imagine the organization I work for makes examples... of what ? I don't know, but you can order them on example.com. Examples Corporation has been assigned the network 192.0.2.0/24 and internally we are using 10.0.0.0/24.
Let's start serving the external names and IPs, we edit /etc/bind/named.conf.local⁴ and add:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

and then we create /etc/bind/db.example.com with the following contents:

; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       192.0.2.1
ns1     IN      A       192.0.2.1
mail    IN      A       192.0.2.128 ; We have our mail server somewhere else.
www     IN      A       192.0.2.1
client1 IN      A       192.0.2.201 ; We connect to client1 very often.

As you can see, our start up has one computer to serve all, except mail, it even holds the IP forwarding and a couple of databases.
Now, a good DNS set up has at least one secondary server and in fact, some registrars (where you register domain names) enforce this. Since we don't have a second computer, we go to XName, open an account and register example.com as secondary with 192.0.2.1 as IP to transfer from. We now need to let XName's IP do the transfer; we are a small organization but since we want to be a successful start up we try to do everything as smartly as possible. So we use the BIND9 configuration directive acl to define an identifier that aliases to the XName's IP addresses; at the beginning of /etc/bind/named.conf.local we add:

acl slaves {
    195.234.42.0/24;    // XName
    193.218.105.144/28; // XName
    193.24.212.232/29;  // XName
};

and we change the zone declaration to:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { slaves; };
};

We could have just typed the IPs where we type "slaves".

3 Internals and externals

Now that we have a solid base, we can start to thing about serving different contents to the internal and external network, but first, we have to define what is internal and what is external.
On /etc/bind/named.conf.local we add the following definition (at the top or below the definition of slaves):

acl internals {
    127.0.0.0/8;
    10.0.0.0/24;
};

If we had more internal networks, we could just add them there. We don't define externals because everything that is not internal is external. You may, if you want, define sets of different externals if you want to serve different content to different chunks of the Internet.
We will use a new feature of BIND9 called views. A view let's put a piece of configuration inside a conditional that can depend on a number of things, in this case we'll just depend on internals. We replace the zone declaration at /etc/bind/named.conf.local with:

view "internal" {
    match-clients { internals; };
    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
    };
};
view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        allow-transfer { slaves; };
    };
};

The match clients configuration directive allow us to conditionally show that view based on a set of IPs, "any" stands for any IP. Internal IPs will be cached by the internal view and the rest will be dropped on the external view. The outside world can't see the internal view, and that includes XName, our secondary DNS provider, but we removed the allow-transfer from the internal view since we don't want anyone to be able to transfer under any circumstances the contents of the internal view.
We also changed the path, we will have to create the directory /etc/bind/externals and /etc/bind/internals and move /etc/bind/db.example.com to /etc/bind/externals/.
On /etc/bind/internals/db.example.com we put a zone file similar to the counterpart on external but holding the internal IPs:

; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      A       10.0.0.1
boss    IN      A       10.0.0.100
printer IN      A       10.0.0.101
scrtry  IN      A       10.0.0.102
sip01   IN      A       10.0.0.201
lab     IN      A       10.0.0.103

Great, we can now ping our boss' computer with

ping boss.example.com

but trying to reach mail.example.com will disappoint us, what happened ? There's no reference to mail.example.com on the internal zone file and since we are in the internal network we can resolve mail.example.com. Fine, let's just copy the contents of the external zone file to the internal zone file. That'll work.
But we are a small, smart start up, we can do better than copy-paste each modification to the zone file, furthermore, that is very error prone (will you always remember to modify the internal zone file when you modify the external one, or will you forget and spend some days debugging network problems ?).
What we will do is include the external zone file in the internal file this way:

$include "/etc/bind/external/db.example.com"
@       IN      A       10.0.0.1
boss    IN      A       10.0.0.100
printer IN      A       10.0.0.101
scrtry  IN      A       10.0.0.102
sip01   IN      A       10.0.0.201
lab     IN      A       10.0.0.103

and voila! Finding the $include directive in the current documentation was hard.. Just remember to change the serial of the external zone file whenever you change the internal one, but it is not a big deal, if you forget, nothing bad will happen since you are not likely to have caching servers inside your own small network.

4 Security

It is not recommended to use the same DNS server as primary for some domain (in our case example.com) and as caching DNS server, but in our case we are forced to do it. From the outside world 192.0.2.1 is the primary DNS server for example.com, from our own internal network, 192.0.2.1 (or its private address, 10.0.0.1) is our caching name server that should be configured as the nameserver to use on each workstation we have.
One of the problems is that someone might start using our caching nameserver from the outside, there's an attack called cache-poisoning and many other nasty things that can be done and are documented on [SINS] (including how to avoid them).
To improve our security a bit, we'll add a couple of directives to the configuration file:

view "internal" {
    match-clients { internals; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
    };
};
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        allow-transfer { slaves; };
    };
};

That will prevent anyone on the dangerous Internet to use our server recursively while we, on our own network, can still do it.

5 Configuration files

5.1 /etc/bind/named.conf.local

acl slaves {
    195.234.42.0/24;    // XName
    193.218.105.144/28; // XName
    193.24.212.232/29;  // XName
};

acl internals {
    127.0.0.0/8;
    10.0.0.0/24;
};

view "internal" {
    match-clients { internals; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        allow-transfer { slaves; };
    };
};

5.2 /etc/bind/externals/db.example.com

; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       192.0.2.1
ns1     IN      A       192.0.2.1
mail    IN      A       192.0.2.128 ; We have our mail server somewhere else.
www     IN      A       192.0.2.1
client1 IN      A       192.0.2.201 ; We connect to client1 very often.

5.3 /etc/bind/internals/db.example.com

$include "/etc/bind/external/db.example.com"
@       IN      A       10.0.0.1
boss    IN      A       10.0.0.100
printer IN      A       10.0.0.101
scrtry  IN      A       10.0.0.102
sip01   IN      A       10.0.0.201
lab     IN      A       10.0.0.103

Bibliography

SINS

Securing an Internet Name Server

Footnotes

... IPs¹

For me, two computers already qualify as too many computers to remember their IPs.

... files²

The host file resides on /etc/hosts and is a simple mapping for the local computer from names to IP. It was the first way to resolve names to IPs and long ago a central big hosts file was maintained, latter distributed by FTP or similar. It rapidly grow into a problem which was solved by the invention of DNS. Try not to let your hosts file grow into a problem before you turn it into DNS, learn from the pioneers!

... server³

Or when you are a perfectionist and believe that this should be doable with only one server.

.../etc/bind/named.conf.local⁴

It may be just /etc/bind/named.conf in your operating system if it is not Debian.

 

sumber : https://www.howtoforge.com/two_in_one_dns_bind9_views

Read more »

How to enable mod_rewrite in Apache2 on Debian or Ubuntu

If you have installed Apache2 web server via apt-get or aptitude on Debian or Ubuntu systems, it has mod_rewrite module installed, but not enabled by default. After Apache2 installation, you need to enable mod_rewrite explicitly in order to enjoy its benefit.

What is mod_rewrite?

Apache2 web server boasts of extensible features which are realized by the notion of pluggable modules. When building Apache2, you compile a set of modules you think are necessary, into it. One such module is called mod_rewrite which is responsible for rewriting website URLs at the server side. For example, when user asks for "http://myserver.com/my_category/my_post.html", the requested URL is translated by mod_rewrite to "http://myserver.com/post.php?category=100&post=200", which is then handled by the web server.

Why use mod_rewrite?

Webmasters generally use mod_rewrite to improve user-friendliness and search engine friendliness of web sites by exposing more memorable and crawlable URLs to the world with mod_rewrite. Also, it can help hide any sensitive information such as query strings from URL requests, and hence can enhance website safety.

How to enable mod_write on Apache2

The default installation of Apache2 comes with mod_rewrite installed. To check whether this is the case, verify the existence of /etc/apache2/mods-available/rewrite.load.

$ cat /etc/apache2/mods-available/rewrite.load

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

To enable and load mod_rewrite, do the rest of steps.

$ sudo a2enmod rewrite

The above command will create a symbolic link in /etc/apache2/mods-enabled.

$ ls -al /etc/apache2/mods-enabled/rewrite.load

lrwxrwxrwx 1 root root 30 Dec  9 23:10   /etc/apache2/mods-enabled/rewrite.load -> ../mods-available/rewrite.load

Then open up the following file, and replace every occurrence of "AllowOverride None" with "AllowOverride all".

$ sudo vi /etc/apache2/sites-available/default

Finally, restart Apache2.

$ sudo service apache2 restart

Read more »

setup-nginx-for-codeigniter-on-ubuntu

I recently launched my site - Curriculum Vitae - which is built , mostly, with PHP and MySQL, the regular LAMP stack. And of course I used the great Twitter Bootstrap and Codeigniter Frameworks.
The site is running a on a VPS with Ubuntu 11.10. It all was very easy to setup as at first I used Apache2 which is a great server and the site was running for 2 weeks with this configuration but I kept reading on Nginx and saw a real benefit to having a reverse proxy already setup handling requests.
So I set out create a server that would run my CodeIgniter Site and keep PHP as fast as I could.

Step 1 - Updating Apt with sources

As we are running Ubuntu (But this should work in Debian too, worth a try right?) we would want to use apt. So first let's get a fresh package list.

sudo apt-get update

Step 2 - Installing Nginx

Thanks to apt this is really easy.

sudo apt-get install nginx

That just too easy isn't it no need to compile! Test that you Nginx is indeed working by going to localhost:80, if not use some Google-fu.

Step 3 - Installing PHP5

Again thanks to Apt this is just as easy. This is the usual suite of modules that I install so customize to your own needs.
 

sudo apt-get install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Check if install by successful by issues the command

php -v

If your Version of PHP is shown all is OK if not, check for any errors that may have occurred during install.

Step 4 - Installing PHP-FPM

Nginx is quite diffrent from Apache. First and foremost it's non-blocking while Apache blocks, but for our context Nginx does not run PHP itself. Nginx was built as a reverse proxy, so it simply forwards requests to the specified url / address. So to run PHP we need a container that would run the PHP and act as the host where Nginx is sending requests to. This is where PHP-FPM comes in. PHP runs as a container and runs the PHP files when requests come in. Great so lets install it!
 

apt-get install php5-fpm

That should install FPM and start the service. Great so we are half-way there!

Step 5 - Configure Nginx to forward requests for PHP to PHP-FPM

Now we have a default installation of Nginx and PHP-FPM running. Wow! Let's configure Nginx to forward requests to PHP-FPM and in a way that would allow CodeIgniter to run just as it would have on Apache with Rewrite. I'm assuming your using Rewrite and no Query String Url. Edit Nginx's Site Configuration at /etc/nginx/sites-available/default and include the following configuration:

server {
    server_name example.com;
    root path_to_your_public_root_dir;

    index index.html index.php index.htm;

    # set expiration of assets to MAX for caching
    location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
        expires max;
        log_not_found off;
    }

    location / {
        # Check if a file exists, or route it to index.php.
        try_files $uri $uri/ /index.php;
    }

    location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

}

Replace servername, root, fastcgipass with your enviroment values.
If you plan on hosting multiple CodeIgniter sites with this Instance, think about moving the common settings to a file and including the file.
So the  /etc/nginx/sites-available/default would contain:

server {
    server_name example.com;
    root path_to_your_public_root_dir;
    include /etc/nginx/ci_host;
}

and /etc/nginx/ci_host would contain:

index index.html index.php index.htm;

# set expiration of assets to MAX for caching
location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
    expires max;
    log_not_found off;
}

location / {
    # Check if a file exists, or route it to index.php.
    try_files $uri $uri/ /index.php;
}

location ~* \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Step 6 - Restart and Rejoice !

After all the configration is done restart Nginx by using:

sudo service nginx restart

If you visit your configured site you it should show and behave just like to would have under Apache 2 with Rewrites. Good Job!
For a bit of a speed boost consider install PHP-APC too. The combination of Nginx, PHP-FPM and PHP APC is very fast!

Read more »

Setting Up SSL on Tomcat In 3 Easy Steps

Setting Up SSL on Tomcat In 3 Easy Steps

Setting up SSL on Tomcat is easy and you don’t have to do much for converting your web application to work with the Https protocol. But however, the problem you would find to set up SSL is the documentation available over the web. The documentation source is available on the Apache site but it starts off good and ends with a lot of confusion. Especially I was confused on the OpenSSL part where it says to use OpenSSL.
It might be good in a production environment to use OpenSSL but if you just want to test out SSL with Tomcat alone then it is more than enough to just have your JDK and Tomcat setups. So I would make you walk through the same steps which I did while getting SSL up and running and building a secured web app within a matter of minutes.
The things which I have used to setup SSL consists of:

• JDK 1.6
• Tomcat 6

Even though I have used the latest version I don’t see any problems which you might face in carrying out the same set of steps for JDK 1.5 which I am about to explain. JDK comes shipped with a keytool executable which is required to generate a keystore. The keytool can be found in the earlier version of JDK too. The 3 steps which would make you to get started with setting up SSL are:

1. Generating the Keystore file
2. Configuring Tomcat for using the Keystore file
3. Configuring your web application to work with SSL

Let’s get this party started now.
1. Generating the KeyStore file
The keystore file is the one which would store the details of the certificates necessary to make the protocol secured. Certificates contain the information as to who is the source from which you are receiving the application data and to authenticate whether it is the intended party or not. To make this keystore you would have to use the keytool. So open command prompt in Windows or the shell in Linux and type:

cd %JAVA_HOME%/bin on Windows
cd $JAVA_HOME/bin on Linux

You would land up in the Java bin directory. Now time to run the keytool command. You have to provide some parameters to the command as follows :

keytool -genkey -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin

The highlighted words are the ones which you would have to change according to your requirements. But keep one thing in mind that both the keypass and storepass passwords should be the same. The .bin file is actually your keystore file. It would now start a questionnaire. So fill in the relevant details accordingly. Look below for a reference as to what to answer for the questions.

What is your first and last name?
[Unknown]: nitin pai
What is the name of your organizational unit?
[Unknown]: home
What is the name of your organization?
[Unknown]: techtracer
What is the name of your City or Locality?
[Unknown]: mumbai
What is the name of your State or Province?
[Unknown]: maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=nitin pai, OU=home, O=techtracer, L=mumbai, ST=maharashtra, C=IN correct?
[no]: yes

The command would then conclude. It would make a .bin file with the name you had provided inside the bin directory itself. In my case it was techtracer.bin which was located in

C:\Program Files\Java\jdk1.6.0_02\bin\

Put the .bin file in the webapps directory of Tomcat. This is required to avoid the need to give an absolute path of the file in the next step.
2. Configuring Tomcat for using the Keystore file
Here we would be making some changes to the server.xml file inside tomcat to tell it to use the keystore which was created in the earlier step for configuring SSL. Open the file server.xml which can be found as:

<CATALINA_HOME>/conf/server.xml

Now you have to modify it. Find the Connector element which has port=”8443″ and uncomment it if already not done. Add two lines. The highlighted lines are the newly added ones.

<Connector port=”8443″
maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
enableLookups=”true” disableUploadTimeout=”true”
acceptCount=”100″ debug=”0″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”../webapps/techtracer.bin”
keystorePass=”ttadmin” />

You can notice that I have given the path to the keystoreFile property as relative to tomcat bin directory because the startup command will look for the .bin file. Now all you have to do is start your server and check the working of SSL by pointing your browser to the URL to:

https://localhost:8443/

Now that you have your tomcat running in the SSL mode you are ready to deploy an application to test its working. You must note that still your tomcat can run in normal mode too at the same time i.e on port 8080 with http. So it is but obvious that any application deployed to the server will be running on http and https at the same time. This is something that we don’t want. We want our application to run only in the secured mode.
3. Configuring your web application to work with SSL
In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through http and https to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before web-app ends i.e </web-app>

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Explanation of the fragment is beyond the scope of this tutorial but all you should notice is that the /* indicates that now, any resource in your application can be accessed only with https be it Servlets or JSP’s. The term CONFIDENTIAL is the term which tells the server to make the application work on SSL. If you want to turn the SSL mode for this application off then just turn don’t delete the fragment. Just put the value as NONE instead of CONFIDENTIAL. That’s it!
Conclusion
These were the 3 easy steps in which you can make Tomcat to work in the SSL mode and also it tells you how easily you can turn the SSL mode on and off. If you find any difficulty or are not clear on any of the above steps feel free to drop in your queries. If you like this tutorial it would be nice of you to drop in a comment of appreciation or feedback as to how this tutorial can be improved.

Reference : http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

Read more »

How to enable SSL in TOMCAT 6

How to enable SSL in TOMCAT 6

Last Modified: 02/26/2009

---

To install and configure SSL support on Tomcat 6, you need to follow these simple steps.

0. Download a default keystore

The "keytool" command is a Key and Certificate Management Tool provided by Java. You can use keytool command to generate public/private key pair or use it to import a public key from a third party. The keystore is essentialy a "encrypted" and passowrd protected file residing in your home directory (/home/cs144). First download the deafult keystore file and unzip it to your home directory.

/* Download the keystore file */
cs144@cs144:~$ wget http://oak.cs.ucla.edu/cs144/projects/project5/vm_keystore.zip

/* Unzip the keystore file into you home directory */
cs144@cs144:~$ unzip vm_keystore.zip -d ~/

When you unzip the file, the keystore file named ".keystore" will be added to your home directory (this is a hidden file that is listed only when you use "ls -a" command). The keystore file is protected by the default password "changeit".

1. Generate a private/public key pair

In order to activate the HTTPS protocol of Tomcat, you first need create a public and private key pair to be used for encryption. You can use keytool command to generate a key pair. The following sequence of commands show you how to do it:

cs144@cs144:~$ keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  cs144
What is the name of your organization?
  [Unknown]:  UCLA
What is the name of your City or Locality?
  [Unknown]:  Los Angeles
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost, OU=cs144, O=UCLA, L=Los Angeles, ST=California, C=US correct?
  [no]:  yes

Enter key password for <tomcat>
 (RETURN if same as keystore password): 

NOTE:

• Type password for keystore, which is "changeit".
• [firstname and lastname] give the fully qualified host name. In this project, you will have to use localhost becuase this is the machine name that you use to access the Tomcat server from the VM.
• You need type some information about your organization, location, etc. (You can make it up as you like)

When you execute the above command, keytool will generate a public key and private key pair and store it to your keystore file. More precisely, the generated public key is stored in the form of certificate. A certificate is nothing more than a statement like "the name of this host is localhost and its public key is XX:XX:...:XX:XX. This certificate is valid from XX/XX/XX until XX/XX/XX". All certificates need to be signed by a certificate authority (CA), but since you have not asked any third party CA to sign your certificate, it has been signed "by itself" at this point. This type of certificate is often referred to as a "self-signed certificate".

2. Enable SSL in TOMCAT 6

Now that your key pair is ready, the final step is to change your $CATALINA_HOME/conf/server.xml file to enable the SSL connection, An example <Connector> element for an SSL connector is already included in the default server.xml file, which looks something like this:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" /> 
    -->

Remove the comment around <Connector> node. (Red code) to enable SSL.

3. Restart your tomcat

Now that everything is ready, you need to restart your Tomcat server. Stop:
> $CATALINA_HOME/bin/catalina.sh stop
Start:
> $CATALINA_HOME/bin/catalina.sh start

4. Test your https

Use Firefox to open url "https://localhost:8443/" which tries to establish an HTTPS connection to the Tomcat server through the port number 8443.
You shall see something similar to the following screen:


Note that the Firefox reports that the secure connection has failed because localhost is using "invalid" certificate. This is because the certificate of your tomcat server (that was generated by keytool in an earlier step) has not been signed by one of the CAs trusted by Firefox. Since Firefox cannot verify the authenticity of the certificate, it cannot trust any statement in the certificate and cannot be really sure that it is really talking to "localhost". You can simply ignore this warning and proceed by adding a "security exception". Ignoring this warning is OK if all you care about is the secure communication between your browser and the Web site, not the authenticity of the site. Even though the certificate has not been signed by a trusted CA, it still contains a public key of the site that the browser is currently communicating with, so the browser can use this public key to encrypt any message that it sends to the site for confidentiality. In most cases, however, users will be turned away by a warning message like this, being too scared of what they see. Now let us get your certificate to be signed by one of the trusted CA to avoid this warning.

5. Install a trusted certificate

The first step to obtaining a trusted certificate (your certificate signed by one of the trusted CA) is to create the "certificate signing request".

Create a certificate signing request

> keytool -certreq -keyalg RSA -alias tomcat -file certreq.txt

If you run the above command, you will see that a request file, named certreq.txt, is generated in your current directory. A request file is nothing more than your public key together with some information about your site (like the fully qualified name of your site and other information that you provided when you created your public key/private key pair).

Obtain a trusted certificate

In real world, you will have to send the certificate signing request to one of the real trusted CA. Once a CA receives a signing request, the CA uses a number of different mechanisms to ensure that the request really came from the authentic owner of the site (like calling the company over the phone, asking the requester for an government-issued document, etc.) Only when the CA is confident that the request really came from the owner of the site, it signs the certificate for your site with the its own private key and return the certificate back to the requester. All broswers come with a default list of the trusted CAs and their public keys, so when a browser sees a certificate signed by the private key of one of the trusted CAs, it can safely assume that the statements in the certificate have been validated and are trustable. The Firefox browser in our VM, fortunately, has "oak.cs.ucla.edu" as one of the trusted CAs, so you do not really have to go through all the hassle and the expense of getting your certificate signed by a trusted CA. All you have to do is to upload your request to http://oak.cs.ucla.edu/cs144/projects/project5/cert/, and get it signed by oak.cs.ucla.edu. After uploading your request file certreq.txt through the above page, download the generated certificate file and save it inside your VM.

Install the certificate for tomcat

Now that you have a trusted certificate, import it to your keystore, so that your Tomcat server can use it. > keytool -import -alias tomcat -file <downloaded, signed cert file>

6. Restart your tomcat

Now everything is ready. As the final step, restart your Tomcat server. Stop:

> $CATALINA_HOME/bin/catalina.sh stop

Start:

> $CATALINA_HOME/bin/catalina.sh start

7. Test your https again

Use Firefox to open url "https://localhost:8443/".
If you can successfully open the page, you are done.

---

Reference: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
http://oak.cs.ucla.edu/cs144/projects/project5/ssl_tomcat_tutorial.html

Read more »

How to Configure HTTPS (SSL) in Tomcat 6 and 7 Java Web Server

Setting SSL (Secure Socket Layer) in Tomcat is often a requirement, especially while developing  secure web application, which requires access over https protocol. Since Tomcat web server doesn't provide SSL settings by default, you need to know how to configure SSL in tomcat, and even worse it varies between different tomcat versions. for Example SSL setup which works on tomcat 6, doesn't work as it is in tomcat 7. In this article we will see, how to configure tomcat for https in both tomcat 6 and 7. For those programmers who are not very familiar with SSL and https here is a quick overview of SSL, certificates and https, and I suggest reading that article to get better understanding of How SSL works and How websites are accessed security over internet.

Once we know ,what is SSL, https and Certificates we are ready to setup SSL and https in tomcat web server. As I explained you need to have some certificate (inside keystore)  in tomcat/conf folder which tomcat will present, when a connection is made via https. If you use Spring security you can use some of test certificates present in there sample applications otherwise you need to generate by yourselves. You can request certificates from your windows support team or by using tools like IBM IkeyMan and keytool command to put them into truststore and keystore.

Once you have certificate ready, Open your server.xml from tomcat/conf folder and search for Connector which defines https, it may be commented ,better look for this string "Define a SSL HTTP/1.1 Connector on port 8443". Once found replace with following setup which is different for tomcat 6 and tomcat 7

SSL Configuration for Tomcat 6 :

<Connector protocol="org.apache.coyote.http11.Http11Protocol"

            port="8443" minSpareThreads="5" maxSpareThreads="75"

            enableLookups="true" disableUploadTimout="true"

            acceptCount="100"  maxThreads="200"

            scheme="https" secure="true" SSLEnabled="true"

            clientAuth="false" sslProtocol="TLS"

            keystoreFile="${catalina.home}/conf/server.jks"

            keystoreType="JKS" keystorePass="changeit"    />

You also need to make one more configuration change for setting up SSLEngine="off" from "on" like in below text:
 

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

Look for this String on top of Server.xml

SSL Configuration for Tomcat 7

SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7, as you only need to make one configuration change for replacing SSL Connector with following settings :
 

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

             maxThreads="150" scheme="https" secure="true"

             clientAuth="false" sslProtocol="TLS"

             keystoreFile="${catalina.home}/conf/server.jks"

             keystoreType="JKS" keystorePass="changeit"    />

Settings which may vary if you setup your own certificate is keystorFile which points to a keystore, which stores certificates, keyStoreType I am using "jks", which stands for “Java Key Store” and keystorepass, which is password for opening key store file. That's it now your tomcat 6 or tomcat 7 is ready to server https client. Though you may need to configure https for your web application ,if you not done already.

Read more: http://javarevisited.blogspot.com/2013/07/how-to-configure-https-ssl-in-tomcat-6-7-web-server-java.html#ixzz2a6parbSY

Read more »

How to install GUI on Ubuntu 12.04 (Precise) Server 

We have already discussed how to install ubuntu 12.04 LAMP server .If you are a new user and not familiar with command prompt you can install GUI for your ubuntu LAMP server using one of the 2 options

1) Install desktop Environment
2) Install Webmin

1) Install desktop Environment
First you nee to make sure you have enabled Universe and multiverse repositories in /etc/apt/sources.list file once you have enable you need to use the following command to install GUI

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install ubuntu-desktop

The above command will install GNOME desktop
If you wan to install a graphical desktop manager without some of the desktop addons like Evolution and OpenOffice, but continue to use the server flavor kernel use the following command

sudo apt-get install --no-install-recommends ubuntu-desktop

If you want to install light weight desktop install xfce using the following command

sudo apt-get install xubuntu-desktop

If you want to install KDE desktop use the following command

sudo apt-get install kubuntu-desktop

Read more »

Installation of openmeetings on Ubuntu 10.04.

Installation of openmeetings on Ubuntu 10.04.

Introduction

with many references from http://openstudio.info/component/content/article/60 http://code.google.com/p/openmeetings/wiki/InstallationDebianhttp://wiki.swftools.org/index.php/Installation

Details

Edit the sources to include partner so that the sun-jre will install

sudo apt-get install sun-java6-bin sun-java6-jdk sun-java6-jre sun-java6-fonts mysql-server imagemagick gs-gpl libt1-5 zip unzip subversion git-core checkinstall yasm texi2html libfaac-dev libfaad-dev libmp3lame-dev libsdl1.2-dev libx11-dev libxfixes-dev libxvidcore-dev zlib1g-dev libogg-dev sox libvorbis-dev libgsm1 libgsm1-dev libfaad2 flvtool2 lame gcc-multilib autoconf automake1.9 libtool ffmpeg automake

and now the openoffice bits

sudo apt-get install openoffice.org-writer openoffice.org-calc openoffice.org-impress openoffice.org-draw openoffice.org-math openoffice.org-gcj openoffice.org-filter-binfilter openoffice.org-java-common

now the prerequisites for swftools http://www.swftools.org need to be installed

Starting with freetype, get the latest from here http://download.savannah.gnu.org/releases/freetype/

mkdir freetype
cd freetype
wget http://download.savannah.gnu.org/releases/freetype/freetype-2.4.5.tar.gz
tar -zxvf freetype-2.4.5.tar.gz
cd freetype-2.4.5
./configure
make
sudo make install

now jpeglib

sudo apt-get install libjpeg-progs libjpeg62 libjpeg62-dev  

and some more

sudo apt-get install libgif-dev libgif4 

now we can progress with swftools

get the latest from here http://www.swftools.org/download.html

mkdir swftools
cd swftools
wget http://www.swftools.org/swftools-2011-01-23-1815.tar.gz
tar -zxvf swftools-2011-01-23-1815.tar.gz
cd swftools-2011-01-23-1815

because of some missing items from later versions of libjpeg, xpdf needs to be put into the build

get the latest from ftp://ftp.foolabs.com/pub/xpdf/

cd ./lib/pdf
wget ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02.tar.gz

now we can get on with the build

cd ../..
./configure
make
sudo make install

With all pre-reqs now installed, we can get on with openmeetings, get the latest version fromhttp://code.google.com/p/openmeetings/downloads/list

mkdir openmeetings
cd openmeetings
wget http://openmeetings.googlecode.com/files/openmeetings_1_7_0_r3822.zip
sudo mkdir /opt/red5
sudo cp openmeetings_1_7_0_r3822.zip /opt/red5
cd /opt/red5
sudo unzip openmeetings_1_7_0_r3822.zip
sudo rm openmeetings_1_7_0_r3822.zip

now make the scripts executable and change the ownership.

sudo chmod +x /opt/red5/*.sh
sudo chmod +x /opt/red5/webapps/openmeetings/jod/*.sh
sudo chown -R nobody\: /opt/red5

now you need to create a red5 startup script

sudo nano /etc/init.d/red5

#! /bin/sh
#
# red5 red5 initscript
#
# Author: Simon Eisenmann .
#
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Red5 flash streaming server"
NAME=red5
RED5_HOME=/opt/red5
DAEMON=$RED5_HOME/$NAME.sh
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
# Read config file if it is present.
if [ -r /etc/default/$NAME ]
then
            . /etc/default/$NAMEfi
#
# Function that starts the daemon/service.
#
d_start() {
            start-stop-daemon --start -c nobody --pidfile $PIDFILE --chdir $RED5_HOME --background --make-pidfile --exec $DAEMON}
#
# Function that stops the daemon/service.
#
d_stop() {
            start-stop-daemon --stop --quiet --pidfile $PIDFILE --name java
            rm -f $PIDFILE}
case "$1" in
            start)
   echo -n "Starting $DESC: $NAME"
   d_start
   echo "."
            ;;
            stop)
   echo -n "Stopping $DESC: $NAME"
            d_stop
   echo "."
            ;;

            restart|force-reload)
   echo -n "Restarting $DESC: $NAME"
   d_stop
   sleep 1
   d_start
   echo "."
            ;;

            *)
   echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
   exit 1
            ;;
esac
exit 0
exit 0

now make it executable and set to autostart

sudo chmod +x /etc/init.d/red5
sudo update-rc.d red5 defaults

the database needs to be configured

echo "CREATE USER openmeetings@localhost;" | mysql -u root -p
echo "CREATE DATABASE openmeetings DEFAULT CHARACTER SET 'utf8';" | mysql -u root -p
echo "GRANT ALL PRIVILEGES ON openmeetings.* TO 'openmeetings'@'localhost' IDENTIFIED BY '<password>' WITH GRANT OPTION;" | mysql -u root -p
echo "FLUSH PRIVILEGES;" | mysql -u root -p

where

<password>

is the password that you want to use for the openmeetings user

The openmeetings configuration file needs to be updated with the database details

sudo nano /opt/red5/webapps/openmeetings/conf/hibernate.cfg.xml

Change

<property name="connection.username">root</property>
<property name="connection.password"></property>

to

<property name="connection.username">openmeetings</property>
<property name="connection.password"><password></property>

where

<password>

is the password that you used when configuring MySQL

Go to a browser and go to http://f.q.d.n:5080/openmeetings/install to complete the install

Read more »