Use Signed SSL Certificate with Java

It seems to me like every time I have to do something that has to do with SSL certificates – be they self-signed or signed by a certificate authority – things do not go smoothly. I only do this from time to time, so I am by no means an expert; but I do believe my difficulties result to some degree from the intrinsic complexities within SSL and the systems which support it.

I have created another guide which walks step by step through the process of configuring a Java key store with a signed SSL certificate. If you do want this to succeed, note that you have to follow every step precisely. Even minor omissions can lead to errors (believe me, I’ve tried it myself).

  • Download Portecle (from here) and Unzip it
  • Start portecle.jar by double clicking it
  • Go to File / New Certificate

  • Select JKS and click [OK]
  • Go to Tools / Generate Key Pair

  • Select Algorithm RSA and Key size 2048
  • Increase validity from the default 356 to 1000 or more days

  • In Common Name provide the domain or subdomain of the domain you want to protect
  • Provide some input for all other fields – do not leave any empty
  • Provide a password and remember it
  • Provide an alias – best the name of your domain

  • You should see the following:

  • Right click the key pair you have created and select ‘Generate Certification Request’

  • Portecle will generate file ‘XYZ.csr’ for you.
  • Provide the contents of this file to the SSL provider of your choice (see a brief comparison here – I’ve had good experiences with RapidSSL certificates from GoGetSSL).
  • Your SSL provider should supply you with an SSL certificate. This file should end with ‘.crt’. Download it.
  • Go back to Portecle and right click your key pair again. Select ‘Import CA Reply’.

  • Import the .crt file you got from your SSL provider.
  • You can import the ROOT certificate of your SSL provider just in case.
  • Also, your SSL provider will supply you with an intermediate and server certificate. You can import these into your keystore as well.
  • Note that when importing the ROOT certificate of your provider, you might get a warning that no trust chain can be established to the certificate. However, when importing the intermediate and server certificates AFTER importing the root certificate, there should be no warning that no chain can be established.
  • Your keystore should look something like this now:

  • Now go to File / Save Keystore
  • Provide the same password you used before.

Now you can use the created key store in Java servers. For an easy way to use a keystore with Java, see step 7 in this post.

Using RapidSSL Certificate from GoGetSSL for Java Server

IMPORTANT: I found it a lot easier and less error prone to use the GUI tool Portecle to go about generating an SSL certificate/key. You can find my instructions to do so in another post.

The following steps show how a RapidSSL certificate obtained through GoGetSSL can be used to secure a Java server.

Step 1: Purchase Certificate

Go to gogetssl and purchase a Standard RapidSSL certificate (should be around $5 / year).

Step 2: Create Keystore

Run:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore server.keystore

When asked for ‘What is your first and last name?’ enter the domain of your server (can also be a subdomain).

Press ENTER when prompted for ‘Enter key password for <tomcat>’

Step 3: Create CSR 

Run:

keytool -certreq -keyalg RSA -alias tomcat -file server.csr -keystore server.keystore

Open the file server.csr and copy its contents into the clipboard.

Step 4: Upload CSR to GoGetSSL

Login to GoGetSSL and select ‘Manage SSL Certificates’ / All.

Next to the certificate you have just purchased should be a [Generate] button. Click it.

Choose ‘Order Type’: ‘New Order’

Choose ‘Web Server Software’: ‘Jakart-Tomcat’

Paste the CSR you copied from server.csr.

Choose signature algorithm SHA2.

Click [Validate CSR]

Step 5: Perform Email Validation and Give Your Details

Specify an email address to which the validation email should be sent and click [Next Step].

Also give your details and confirm the RapidSSL terms and conditions.

Note: Now wait a few minutes until you get the email, then confirm it.

Step 6: Import RapidSSL Certificates Into Keystore

You will receive an email with the certificate for the server and the intermediate certificate from RapidSSL.

You’ll need to add both to your keystore.

First the intermediate certificate:

Get it from the email, paste it into a file ‘intermediate.crt’ and put it into the same folder as your keystore. Then run:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore server.keystore

You should get a message ‘Certificate was added to keystore’

Then the server certificate:

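Get it from the email, paste it into a file ‘server.crt’ and put it into the same folder as your keystore. Then run the import with the alias of the key pair created in Step 2 (tomcat), so that keytool attaches the certificate to the private key as the reply to the CSR instead of storing it as a separate trusted entry:

keytool -import -trustcacerts -alias tomcat -file server.crt -keystore server.keystore

You should get a message ‘Certificate reply was installed in keystore’.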

Now you can use server.keystore to secure your Java Webserver with SSL.
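
A check for the finished keystore from either guide above (Portecle's ‘Import CA Reply’ or the keytool steps), added here as an example and not part of the original posts. keytool installs a certificate as a CA reply only when the import uses the key pair's own alias; under any other alias it becomes a separate trusted entry and the key keeps its self-signed certificate. The function name and both listings are constructed for illustration, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example: classify a keystore entry from `keytool -list -v` output on stdin.
# Usage: keytool -list -v -keystore server.keystore | keystore_entry_status tomcat
# Prints: signed-chain | self-signed | not-a-key-entry | missing
keystore_entry_status() {
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); next }
        cur != want     { next }
        /^Entry type: / { type = $3; seen = 1 }
        /^Certificate chain length: / { len = $4 }
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }   # first certificate only
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (!seen)                               print "missing"
            else if (type != "PrivateKeyEntry")      print "not-a-key-entry"
            else if (len + 0 < 2 || owner == issuer) print "self-signed"
            else                                     print "signed-chain"
        }'
}

# Constructed listing: CA certificate imported under a new alias ("server").
sample_separate_alias() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=www.example.com

Alias name: server
Entry type: trustedCertEntry

Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA
EOF
}

# Constructed listing: CA reply imported under the key pair alias ("tomcat").
sample_reply_on_key_alias() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
EOF
}

sample_separate_alias     | keystore_entry_status tomcat   # self-signed
sample_reply_on_key_alias | keystore_entry_status tomcat   # signed-chain
```

A server started with a keystore that reports self-signed for its key alias presents the self-signed certificate to clients, even though the CA-issued certificate is stored in the same file.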

Forward All Email from Gmail (even SPAM)

Problem

By default, Gmail does not forward email it considers spam even if it’s configured to forward all email to a designated address.

Solution

You can make Gmail forward ALL emails by following these simple steps:

  1. Go to settings:

  2. Go to Filters and ‘Create a new Filter’

  3. Set Size less than 500 MB and ‘Create Filter with this search’

  4. Then select ‘Never mark as spam’ and [Create Filter]

Note: This will ensure that messages marked as SPAM are forwarded. However, it will also result in all messages you send being copied into your INBOX automatically. To prevent this, add a second filter:

5. Create a new filter

6. In the ‘From’ field put your email address and click ‘Create filter with this search’.

7. Tick the option ‘Skip the Inbox (Archive it)’ and click [Create filter]

All done; all your emails should be forwarded from now on.

Remove Hard Disk in Linux in 3 Easy Steps

This guide describes how you can unlink a hard disk from Linux/Unix. This might be useful for instance if you replaced a disk image in Virtual Box or another VM.

WARNING: Do a backup of your virtual machine first or, if you are running on a physical computer, make sure you know what you are doing!

1. Ensure the Hard Disk is not mounted

Edit /etc/fstab and ensure there is no mount point for any partition of the hard drive.

IMPORTANT: Make sure that as many hard drives are identified by their UUID as possible since Hard Disk ids might change. See here.

2. Delete the Partition

Use fdisk as described here.

fdisk [your disk id eg /dev/sdb]

Note: You can find out the disk id by running fdisk -l (and use sudo if there is no output)

With fdisk running, input:

d

then input (assuming there is only one partition, otherwise give the number of a valid partition and repeat for all partitions):

w

3. Restart Machine

Shut down Linux

Disconnect your hard drive.

Restart Linux.

Your hard disk should be gone and no error should occur when you are starting.

Notes

If you get the message ‘The superblock could not be read or does not describe a correct ext2 filesystem.’ when booting the machine, you are doing something wrong. Just reattach the hard disk in that case and Linux should start again. Make sure your other (not removed) disks are identified by UUID as noted above.
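
The fstab check from step 1 as a script, added here as an example and not part of the original post. It reads fstab content on stdin and flags entries that sit on the disk to be removed as well as entries for other disks that are still addressed by device name. The function name and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify fstab entries before detaching a disk.
# Usage: fstab_audit /dev/sdb < /etc/fstab
#   on-disk  device path is the disk itself or one of its partitions
#   by-name  other /dev/sdX-style path (can be renumbered; switch to UUID=)
#   stable   UUID=, LABEL=, /dev/disk/by-*, /dev/mapper/*, pseudo filesystems
fstab_audit() {
    awk -v disk="$1" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            spec = $1
            rest = substr(spec, length(disk) + 1)
            if (index(spec, disk) == 1 && rest ~ /^p?[0-9]*$/)
                cls = "on-disk"
            else if (spec ~ /^\/dev\/(sd|hd|vd|xvd)[a-z]+[0-9]*$/)
                cls = "by-name"
            else
                cls = "stable"
            print cls, spec, $2
        }'
}

# Constructed sample fstab.
sample_fstab() { cat <<'EOF'
# <device>  <mount>  <type>  <options>  <dump>  <pass>
UUID=3f1c9a52-0000-4000-8000-000000000001  /  ext4  errors=remount-ro  0  1
/dev/sda5   none   swap  sw        0  0
/dev/sdb1   /data  ext4  defaults  0  2
EOF
}

sample_fstab | fstab_audit /dev/sdb
```

An entry reported as stable can still live on the disk being removed; compare its UUID against the output of blkid for that disk.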

 

 

 

Free Cloud Based Load Testing Tools

Good load testing of web and cloud applications should involve many concurrent connections originating from diverse networks. Setting up such tests on your own is not trivial and probably very expensive. Thankfully, there are numerous service providers that let you use their infrastructure to test your applications.

A few of these offer free online load tests. These fall into two categories: free On Demand Tests, which usually allow you to test a website with 5 to 10 users, and free tier accounts, which allow a certain number of concurrent users after sign-up.

On Demand Tests

The following providers allow you to run quick on demand tests of websites.

Loadstorm

http://loadstorm.com/

Flood.io

https://flood.io/

Neustar

https://www.neustar.biz/resources/tools/free-website-performance-test

Free Tier Accounts

Furthermore, a few services let you sign up for a free account, which allows some testing with their infrastructure:

Blaze Meter

http://blazemeter.com/pricing

=> Free Account with 50 concurrent users

Loader.io

https://loader.io/pricing

=> Free Account with 10000 clients

 

 

Install Oracle JDK with Puppet

Problem

You would like to install Oracle JDK using Puppet.

Using the puppetlabs/java module, you might get an error message such as:

Error: Java distribution oracle-jdk is not supported. at […]/init.pp:57 on node […]

Solution

Use the module puppet-jdk-oracle.

Just follow the installation instructions from the GitHub page.

Note that you might want to set the java version used to the latest available. You can find the latest version and build number from the Oracle JDK downloads page.

To get the build number, you first need to accept the terms and conditions and then check the URL of the link to download the version of the JDK you are interested in:

Also, make sure to configure the right platform: ‘x64’ for 64 bit systems and ‘i586’ for 32 bit systems.

As of 30th of April 2015, this would be the configuration for the latest JDK version on 64 bit Linux:

class { 'jdk_oracle':
    version        => '8',
    version_update => '45',
    version_build  => '14',
    platform       => 'x64',
    ensure         => 'installed',
}