Thursday, November 8, 2012

Addressing OpenJDK bug with SSL on Ubuntu 12.04 Server (javax.net.ssl.SSLException)


Introduction

After countless hours, you finally finished a secure java server ready for deployment.
If you installed clean copy of Ubuntu 12.04 server or updated it, you may face following error during run time.


 javax.net.ssl.SSLException: java.security.ProviderException: 
 sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID


Problem

This is known bug with OpenJDK that has not been resolved yet.

Solution

This can be fixed by editing following file:


 /etc/java-6-openjdk/security/java.security



Find following line:


 security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg


And change to following lines:



 security.provider.9=sun.security.ec.SunEC
 security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg



Now your server will not crash!! or you have another fun problem with deal with!


[Tutorial] How to SSH into Amazon EC2 Server




Introduction


Amazon AWS is relatively new web service but its been growing rapidly since its initial launch.
They have thousands of large clients including banks and federal government.
I have recently started using their services for a start-up I am working on.

Amazon AWS EC2 server is set up little different than other common servers in a sense that it only allows access through a private key. Upon creation of Amazon AWS EC2 Server you will receive private key.
It is important to have this key saved somewhere secure and NEVER LOSE IT!!! or else you are going to have bad time.

Requires Private Key

Simply accessing the server over SSH will give you Permission Denied (public key) error.


 ssh root@your-ip


You need to use your private key to access.



 ssh -i your-key.pem your-ip



Requires Permission Change


If you get following error:



 It is required that your private key files are NOT accessible by others.
  This private key will be ignored.





This means your private key is not protected and you need to change the permission.


 chmod 400 your-key.pem




Know your user

If you will still see Permission Denied (public key) error, it is very likely that you have wrong user.
Depending on your linux distribution, you probably wont be able to log in with root.
For Ubuntu distribution available in AWS repository, the default user is "ubuntu"



 ssh -v -l ubuntu -i your-key.pem your-ip





There you go! You should be able to log into your server now.

[Tutorial] Run script at bootup in linux (cronjob or bashscript)



Introduction

If you are lazy programmer like me, you would like to automate everything rather than having to do stuff manually. Usually bash script / python script can become extremely handy getting things done. You can have these scripts to start automatically at bootup or at scheduled time.

Running script/program at bootup under linux environment

In order to run your custom script at bootup under linux environment, you need to copy your script to /etc/init.d/ directory


 cp custom_script.sh /etc/init.d/.


Then you need to change permission to make it executable.


 chmod +x /etc/init.d/custom_script.sh


Create link to your script in rc.d directory.


 ln /etc/init.d/custom_script.sh /etc/rc.d/custom_script.sh


You are all ready to go and your script will be running next time you reboot your computer!

Cron Job


If you want to run your custom script at specific time, then you can use crontab to schedule and automatically run it.

Make sure you have crontab available on your linux machine and edit your crontab file by typing following:


 crontab -e


Crontab syntax is pretty simple. Each line consists of this simple syntax consisting of 6 columns.


 Minute Hour Day Month Week_Day Command


You can specify the script to run every unit (hour, minute etc.) time by using * instead of real number.
Following cron line will run cmd every minute of every hour of every month.


 * * * * * cmd

You can specify the script to run at specific time interval using dash.
For example, following cron line will run the command every weekday between 9 am and 5 pm.

 00 09-17 * * 1-5 cmd



That's it!
Now you can just relax and let the script start automatically.
If you want the script to keep running all the time, you can write a bash script to keep restarting it when it dies.
For more info, look at my another posting here.



[Tutorial] Never dying program (How to automatically restart a program if it dies/crashes


Introduction

When you have an unstable server that keeps crashing, normally you would have to access the server via SSH and restart the server. This is a tedious work and if you need the server up and running and if you don't have access to the computer then it can be extremely annoying.

Solution

In order to solve this problem, you can write a simple bash script that checks periodically if a specific program is running and run it if not.


 #!/bin/bash
 ps ax | grep -v grep | grep custom_app



** Ill include the script in a few hours.

Now you don't have to worry about restarting your server again!
But just keep in mind, this script will not be able to do anything if your server freezes!

Sunday, October 28, 2012

[Tutorial] How to run processes over SSH (or linux) in background


Introduction

If you are new to linux scene and SSH, you would have probably realized whenever you run a program over SSH and if you terminate the session, the program you ran also terminate as well.
This can be a problem if you would like to leave a server running.

Solution #1

Simplest solution would be to run the program in the background.
You can do that by running


 your_app&
 bg %1
 exit


Even if you terminate your SSH session, the program would still be running.

Solution #2

Another simple solution is to use nohup.
It is a POSIX command that ignores hangup signal so even if session is closed, the program would still be running. You can use nohup simply by calling the program with nohup.


 nohup your_app&
 exit


Simple solution would be nohup

Solution #3

More complicated and redundant solution would be screen.
Screen is a software that allows multiple virtual consoles to be accessed through single terminal.
You can detach the session so that it keeps running even when you close your terminal.


 screen -d -m bash



Last solution needs an update.


Wednesday, August 22, 2012

[Tutorial] How to generate certificate authority and server certificates using OpenSSL



Introduction

Many people struggle when they first have to generate correct certificates to work with ssl libraries. There are many tools out there and a number of different file formats and things can get confusing quickly. This tutorial will help you generate your own certificate authority and server certificates to be used for your secure server/client.

Generating Certificate Authority

Certificate Authority is a trusted third party that vouches for servers a client is trying to talk to.
We will be setting up our own CA for our application. This can be useful if you are just looking to test your server or your server will not be accessible by the public.

 openssl req -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 365  

Enter appropriate passphrase when prompted.
This will generate two files:
ca-key.pem - certificate authority private key
ca-cert.pem - certificate authority public certificate

Notice that this CA certificate will only be valid for 365 days.

Generating Server Certificate

Now we need to generate server private key and certificate signing request.
Certificate signing request file is later sent to certificate authority to be signed and generate server public certificate. During SSL handshake, the server sends this signed public certificate to the client and the client can verify it with CA public certificate to make sure the server is trustworthy.

 openssl genrsa -aes128 -out server-key.pem 4096

Set appropriate passphrase for server private key when prompted.
This command will generate RSA server private key of size 4096 bits using 128bit AES algorithm.
Generally key size of 2048 or higher is recommended.

 openssl req -new -key server-key.pem -out server.csr

This command will generate server certificate signing request file. This file is later sent to certificate authority (in this case, our own) to be signed to generate signed public certificate for the server.

Signing Server Certificate with our own Certificate Authority

Once server certificate signing request file is generated, we can send it to well known certificate authority like GoDaddy to be signed but usually there is a fee associated with it.
In our case, we will be signing the certificate signing request file with our own certificate authority generated earlier.

 openssl x509 -req -days 365 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

This will generate server-cert.pem signed by our own certificate authority and ready to be used!

Removing the Passphrase from Server Private Certificate

Server private key is protected by a passphrase. The private key is to be never shared with anyone else. However if adversary somehow get his or her hands on the private key then this passphrase will protect the file. It is very unlikely that this will happen and also we need to enter the passphrase everytime we run our server and this can get somewhat annoying. Also our cyassl example will fail to load the key with error code NO_PASSWORD if passphrase isn't provided.
As a simple solution, we will simply remove the passphrase from the server private key.

 openssl rsa -in server-key.pem -out server-key-nopass.pem

This command will generate password-free server private key, server-key-nopass.pem.

Generating Java Keystore and Importing CA certificate

In case you are using Java server, you need to generate a keystore where CA certificates are stored.
This can be generated using "keytool" included in Java package.

 keytool -genkey -keyalg RSA -keystore keystore.jks -keysize 4096

This will generate keystore.jks. Now that you have a keystore, we need to import our ca-certificate generated earlier.

 keytool -import -trustcacerts -alias MyCA -file ca-cert.pem -keystore keystore.jks

Testing Generated Certificates

You can install generated certificates using CyaSSL.
Download CyaSSL tutorial code from their website.

 http://www.yassl.com/documentation/ssl-tutorial-2.0.zip

Under finished_src directory, you will notice echoclient and echoserver directories.
We need to copy our own generated certificates to echoclient and echoserver directories.
cp ca-cert.pem /ssl-tutorial-2.0/finished_src/echoclient/.

 cp ca-cert.pem ./ssl-tutorial-2.0/finished_src/echoclient/.
 cp ca-cert.pem ./ssl-tutorial-2.0/finished_src/echoserver/.
 cp server-key-nopass.pem ./ssl-tutorial-2.0/finished_src/echoserver/server-key.pem
 cp server-cert.pem ./ssl-tutorial-2.0/finished_src/echoserver/.

Now compile and run the echoserver and echoclient and see if it works!

Please let me know if there are any mistakes.
I would also appreciate if someone can tell me how to load password-protected server private key.

Tuesday, May 8, 2012

[Tutorial] How to remove default Samsung Apps from Galaxy S2


Galaxy S2 comes with default samsung apps that are often never used.

If you are neat freaks like me when it comes to files/apps, you will be pleased to know that there is a way to remove default apps easily.

All you need is a root capable browser like Root Explorer.

In this example, I will be using MIUI file explorer which also has root capability.


1. Change the setting of your browser to allow root previlege.




2. Go to /system/app where all default system apps are located and find the file you want to delete.



3. On some browsers, you might need to change the permission of the directory from RO (read-only) to WR (writeable and readable).

4. Delete the file!




It is as simple as that!

Just remember that removing some system apps might break the OS so you have to be careful.


Here is a list of system apps that are safe to remove:

(I found the list from my hard drive. I don't remember where I got it from. If you know where the list is from, please let me know.)



SamsungWidget_WeatherClock.apk
Dlna.apk
LiveWallpapers.apk
SamsungWidget_News.apk
BluetoothOpp.apk
BuddiesNow.apk
TouchWizCalculator.apk
TouchWizCalendar.apk
TwCalendarAppWidget.apk
CalendarProvider.apk
TwWallpaperChooser.apk
Camera.apk
ChocoEUKor.apk
AnalogClock.apk
PressReader.apk
PRUI.apk
lcdtest.apk
SamsungAppsUNAService.apk
ScreenCaptureService.apk
SnsImageCache.apk
Days.apk
Bol.com_version_1.0.3.3.apk
DigitalClock.apk
DownloadProviderUi.apk
DualClock.apk
Email.apk
EmailWidget.apk
FactoryTest.apk
FmRadio.apk
Gallery3D.apk
GameHub.apk
GoogleQuickSearchBox.apk
HelvNeueLT.apk
Protips.apk
HTMLViewer.apk
SamsungIM.apk
IMEITracker.apk
Browser.apk
KiesAir.apk
kieswifi.apk
Kobo.apk
PanningTryActually.apk
Divx.apk
Memo.apk
Mms.apk
Microbesgl.apk
MiniDiary.apk
PostIt.apk
MmsProvisioning.apk
MobilePrint.apk
MobileTrackerEngineTwo.apk
MusicPlayer.apk
MusicHub_U1.apk
MyFiles.apk
GenieWidget.apk
SecretWallpaper1.apk
PhotoRetouching.apk
PicoTts.apk
PolarisOffice.apk
SamsungWidget_ProgramMonitor.apk
ReadersHub.apk
signin.apk
SamsungApps.apk
MMM_Smartphone_1.5.1_final.apk
ApplicationsProvider.apk
SetupWizard.apk
shutdown.apk
Stk.apk
SnsProvider.apk
SnsDisclaimer.apk
SnsAccountFb.apk
SnsAccountLi.apk
SnsAccountMs.apk
SnsAccountTw.apk
SocialHub.apk
SevenEngine.apk
syncmldm.apk
SoundPlayer.apk
SpeechRecorder.apk
Tasks.apk
Term.apk
TrimApp.apk
Kies.apk
UserDictionaryProvider.apk
VideoEditor.apk
VideoPlayer.apk
VoiceToGo.apk
VoiceRecorder.apk
VpnServices.apk
FTS.apk
FTM.apk
SecretWallpaper2.apk
wipereceiver.apk
WlanTest.apk
wssyncmlnps.apk
SamsungWidget_StockClock.apk
Zinio.apk