Wednesday, February 1, 2012

2 Easy Steps to Enable SSL / HTTPS on Tomcat Server


If your tomcat server currently serves only HTTP, follow the 2 easy steps below to configure it for SSL (HTTPS) using a Java keystore.

1. Create Keystore using Java keytool

First use keytool to create a Java keystore as shown below. Make sure to note down the password that you enter while creating the keystore. When keytool asks for your first and last name, answer with the DNS name clients will type in the URL: that answer becomes the certificate's CN, and browsers reject a certificate whose CN does not match the host they connected to (the transcript below uses a person's name only as a placeholder). On older JDKs -genkey defaults to a 1024-bit RSA key valid for 90 days; add -keysize 2048 and -validity with a number of days for anything beyond a quick test.
# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
 [Unknown]:  Suresh Kumar
What is the name of your organizational unit?
 [Unknown]:  Development
What is the name of your organization?
 [Unknown]:
What is the name of your City or Locality?
 [Unknown]:  Los Angeles
What is the name of your State or Province?
 [Unknown]:  CA
What is the two-letter country code for this unit?
 [Unknown]:  US
Is CN=Suresh Kumar, OU=Development, O=Unknown, L=Los Angeles, ST=CA, C=US correct?
 [no]:  yes

Enter key password for <tomcat>
   (RETURN if same as keystore password):
Press RETURN here: if the key gets a password different from the keystore password, Tomcat needs that second password too (the keyPass attribute on the Connector). This creates the .keystore file in the home directory of the user running keytool, here /root, as shown below. keytool created it with the default umask, which left it world-readable; it holds the server's private key, so tighten it to mode 0600 and make it readable only by the account tomcat runs as.
# ls -l /root/.keystore
-rw-r--r-- 1 root root 1391 Apr  6 11:19 .keystore

2. Modify the server.xml file

Locate the conf/server.xml file under the tomcat directory. The Connector with port="8443" ships commented out; comments in server.xml are enclosed in <!-- and -->, so remove the <!-- line immediately before that Connector and the --> line immediately after it.
# vi server.xml
Now add the keystore information to that same Connector: a keystoreFile attribute pointing at the keystore created in step 1 (here /root/.keystore) and a keystorePass attribute holding its password. Replace your-key-password with the password you provided in step 1 while creating the keystore. That password sits in clear text in server.xml, so keep the file readable only by the account tomcat runs as.
# vi server.xml
Finally, restart the tomcat server and access the application using https://{your-ip-address}:8443/. Because the certificate is self-signed, browsers will warn about it; for anything beyond a test system, generate a signing request with keytool -certreq, have a CA sign it, and import the CA chain and the signed certificate into the same keystore under the tomcat alias.
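Steps 1 and 2 turned into a repeatable edit, as an added example that is not part of the original post: a Python script that takes server.xml text (a constructed, minimal one is embedded, with the HTTPS Connector commented out the way Tomcat ships it), writes a live port-8443 Connector carrying the keystore attributes, and reads the result back as the check that the connector really sits outside the comment. The function names and the sample file are mine; the attribute names are Tomcat's own JSSE connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal server.xml in the shape a stock Tomcat ships with:
# the HTTPS connector exists only inside an XML comment (not the page's file).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Attributes Tomcat's JSSE connector needs besides the keystore pair.
SSL_CONNECTOR_ATTRS = {
    "protocol": "HTTP/1.1",
    "SSLEnabled": "true",
    "maxThreads": "150",
    "scheme": "https",
    "secure": "true",
    "clientAuth": "false",
    "sslProtocol": "TLS",
}


def find_connector(service, port):
    """Return the live (uncommented) <Connector> listening on `port`, or None."""
    for connector in service.findall("Connector"):
        if connector.get("port") == port:
            return connector
    return None


def enable_ssl_connector(server_xml, keystore_file, keystore_pass, port="8443"):
    """Return server.xml text with an HTTPS connector on `port`.

    ElementTree drops XML comments while parsing, so the commented-out
    template connector disappears and a live one is written in its place;
    an existing live connector on the port is updated, not duplicated.
    """
    root = ET.fromstring(server_xml)
    service = root.find("Service")
    if service is None:
        raise ValueError("server.xml has no <Service> element")
    connector = find_connector(service, port)
    if connector is None:
        connector = ET.Element("Connector")
        # Keep the stock ordering: connectors come before <Engine>.
        children = list(service)
        engine = service.find("Engine")
        index = children.index(engine) if engine is not None else len(children)
        service.insert(index, connector)
    connector.set("port", port)
    for name, value in SSL_CONNECTOR_ATTRS.items():
        connector.set(name, value)
    connector.set("keystoreFile", keystore_file)
    connector.set("keystorePass", keystore_pass)
    return ET.tostring(root, encoding="unicode")


def ssl_connector_attributes(server_xml, port="8443"):
    """Attributes of the live connector on `port`, or None if there is none.

    A connector still wrapped in a comment is not found, which is exactly
    the mistake step 2 warns about.
    """
    root = ET.fromstring(server_xml)
    service = root.find("Service")
    if service is None:
        return None
    connector = find_connector(service, port)
    return dict(connector.attrib) if connector is not None else None


def count_connectors(server_xml):
    """Number of live <Connector> elements, to catch accidental duplicates."""
    return len(ET.fromstring(server_xml).find("Service").findall("Connector"))


if __name__ == "__main__":
    patched = enable_ssl_connector(SAMPLE_SERVER_XML, "/root/.keystore", "your-key-password")
    print(patched)
    print(ssl_connector_attributes(patched))
```

Run it against your real conf/server.xml by reading the file into `enable_ssl_connector` and writing the result back (take a backup first; ElementTree rewrites the whole file and discards its comments), then confirm with `ssl_connector_attributes` that keystoreFile points at the keystore you created.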

How to Password Protect Grub Boot Loader in Linux


GRUB's security features allow you to set a password on the boot menu. Once a password is set, nobody can edit a grub entry or pass arguments to the kernel from the grub command line without entering it.
It is highly recommended to set a GRUB password on any critical production system, as explained in this article. Two caveats first. This article covers GRUB legacy (0.9x) and its grub.conf; GRUB 2 uses grub-mkpasswd-pbkdf2 and the superusers and password_pbkdf2 directives instead. And a GRUB password only protects the boot menu, not the machine: someone with physical access can still boot from other media or pull the disk, so combine it with a firmware (BIOS) password and disk encryption.

1. Use grub password command in grub.conf

On a system where GRUB is not secured with a password, the following message is displayed right under the GRUB menu during system startup.
Use the up-arrow and down-arrow keys to select which entry is highlighted.
Press enter to boot the selected OS,
'e' to edit the commands before booting,
'a' to modify the kernel arguments before booting, or
'c' for a command-line
As the message says, anybody in front of the console who reboots the server can edit the grub commands or modify the kernel arguments. Beyond the problems an inexperienced user can cause by playing with this on a production system, it is a root-equivalent hole: appending single or init=/bin/bash to the kernel line boots straight to a root shell without any password.
/boot/grub/grub.conf contains information about the entries that are displayed in the GRUB menu during system startup. On some systems, /etc/grub.conf is a symbolic link to /boot/grub/grub.conf
Add the following “password” line to the grub.conf file.
$ cat /etc/grub.conf
default=0
timeout=15
password GrbPwd4SysAd$
..
Once the “password” command is added to grub.conf, the following message is displayed right under the GRUB menu during system startup.
Use the up-arrow and down-arrow keys to select which entry is highlighted.
Press enter to boot the selected OS or
'p' to enter a password to unlock the next set of features.
As the message says, without entering the GRUB password from grub.conf nobody can edit the grub commands or modify the kernel arguments. All they can do is select one of the displayed entries and boot it.

2. Encrypt the grub password using grub-crypt

While reading the above entry, you probably thought to yourself: yes, grub is now secured by a password, but the password itself is in clear text in grub.conf, which rather defeats the purpose. Anyone who can read that file learns it.
The grub-crypt utility fixes this. Despite its name it does not encrypt the password; it produces a salted crypt(3)-style hash, and GRUB compares it against the hash of whatever is typed at the 'p' prompt.
grub-crypt reads the clear text password from the user and prints the hash, as shown below.
# grub-crypt
Password: GrbPwd4SysAd$
Retype password: GrbPwd4SysAd$
^9^32kwzzX./3WISQ0C
Modify grub.conf and add the “password” entry with the --encrypted argument as shown below: copy the output of grub-crypt and paste it after --encrypted. (Real grub-crypt output starts with $6$ followed by the salt and is much longer; the short value shown here is only illustrative.)
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C
..
By default, grub-crypt hashes the password with SHA-512 (hash prefix $6$). You can select SHA-256 (prefix $5$) or MD5 (prefix $1$) instead, as shown below. Prefer the default; --md5 is mainly for older or unpatched GRUB legacy builds, which understand only --md5 hashes.
# grub-crypt --sha-256
# grub-crypt --md5
You can also use md5crypt, available from the grub command line, to hash the password. In that case, use “password --md5 encrypted-password” in your grub.conf file.
Inside the script section of a menu entry in grub.conf, the “lock” command makes grub execute the rest of that entry's commands only if the user has authenticated with the password. That is how you keep, say, a single-user rescue entry from being booted by anyone who has not entered it.

3. Load a different file for the Grub Menu

By default, the entries shown in the GRUB menu during system startup are picked up from grub.conf, one per line that starts with “title”.
If you are testing some variation of a new kernel, you might want a separate grub menu file that contains the custom menu entries. During system startup grub shows only the entries from grub.conf, but once you enter the password you can instruct grub to load your custom menu entries instead.
This is achieved by passing the custom menu file name as the last argument of the password command in grub.conf, as shown below.
In the following example, grub loads and displays the menu entries from /etc/mymenu.lst when you provide the password during system startup.
$ cat /etc/grub.conf
default=0
timeout=15
password --encrypted ^9^32kwzzX./3WISQ0C /etc/mymenu.lst
..
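The checks this article implies, as an added example that is not part of the original post: a small Python audit of a GRUB legacy grub.conf that finds the password lines, tells a clear text password from a --encrypted or --md5 hash by its crypt(3) prefix, records the optional menu file argument from step 3 and the per-entry lock and password commands from step 2, and flags what a reviewer would object to. The function names, the two embedded grub.conf samples and the hash values in them (placeholders with the right prefix, not real grub-crypt output) are mine.

```python
# crypt(3) hash prefixes: what grub-crypt prints by default ($6$), with
# --sha-256 ($5$) and with --md5 or md5crypt ($1$). Anything else after
# --encrypted is not something GRUB can match a typed password against.
HASH_PREFIXES = {"$6$": "sha512", "$5$": "sha256", "$1$": "md5"}

# Constructed grub.conf samples, not taken from the page's system; the hash
# values are placeholders with the right prefix, not real grub-crypt output.
CLEARTEXT_CONF = """\
default=0
timeout=15
password GrbPwd4SysAd$
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
"""

HASHED_CONF = """\
default=0
timeout=15
password --encrypted $6$saltsalt$PLACEHOLDERnotarealhash /etc/mymenu.lst
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1
        initrd /initrd.img
title Linux (single-user rescue)
        lock
        password --md5 $1$saltsalt$PLACEHOLDERnotarealhash
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda1 single
        initrd /initrd.img
"""


def classify_password(argv):
    """Classify the whitespace-split arguments of one `password` line.

    Returns (kind, algorithm, menu_file): kind is "cleartext", "encrypted",
    "md5" or "malformed"; algorithm is the crypt variant read off the hash
    prefix (None for cleartext, "unrecognized" when the value is no crypt(3)
    hash); menu_file is the optional new-config-file argument, else None.
    """
    if argv and argv[0] == "--encrypted":
        kind, rest = "encrypted", argv[1:]
    elif argv and argv[0] == "--md5":
        kind, rest = "md5", argv[1:]
    else:
        kind, rest = "cleartext", argv
    if not rest:
        return "malformed", None, None
    secret = rest[0]
    menu_file = rest[1] if len(rest) > 1 else None
    if kind == "cleartext":
        return kind, None, menu_file
    algorithm = "unrecognized"
    for prefix, name in HASH_PREFIXES.items():
        if secret.startswith(prefix):
            algorithm = name
    if kind == "md5" and algorithm != "md5":  # --md5 only takes md5crypt output
        algorithm = "unrecognized"
    return kind, algorithm, menu_file


def audit_grub_conf(text):
    """Walk a GRUB legacy grub.conf and report how each section is protected.

    Lines before the first `title` form the global section: a `password`
    there locks menu editing and the command line. Inside a title stanza,
    `password` is asked for before that entry boots and `lock` makes the
    entry run only for a user who authenticated with the global password.
    """
    report = {"global": None, "entries": [], "findings": []}
    current = None  # None while still in the global section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "title":
            current = {"title": line[len("title"):].strip(), "password": None, "lock": False}
            report["entries"].append(current)
        elif words[0] == "lock" and current is not None:
            current["lock"] = True
        elif words[0] == "password":
            kind, algorithm, menu_file = classify_password(words[1:])
            entry = {"line": lineno, "kind": kind, "algorithm": algorithm, "menu_file": menu_file}
            where = "global section" if current is None else "entry %r" % current["title"]
            if current is None:
                report["global"] = entry
            else:
                current["password"] = entry
            if kind == "malformed":
                report["findings"].append("line %d: password command without a value in %s" % (lineno, where))
            elif kind == "cleartext":
                report["findings"].append("line %d: cleartext password in %s" % (lineno, where))
            elif algorithm == "unrecognized":
                report["findings"].append("line %d: value in %s is not a crypt(3) hash" % (lineno, where))
            elif algorithm == "md5":
                report["findings"].append("line %d: MD5 hash in %s; rerun grub-crypt for SHA-512" % (lineno, where))
    if report["global"] is None:
        report["findings"].append("no global password: menu editing and the grub command line are open")
    return report


if __name__ == "__main__":
    for name, conf in (("cleartext", CLEARTEXT_CONF), ("hashed", HASHED_CONF)):
        print(name, audit_grub_conf(conf)["findings"])
```

Point it at your own file with `audit_grub_conf(open("/boot/grub/grub.conf").read())`; the page's example value after --encrypted comes back as "not a crypt(3) hash", which is the check that catches a pasted line that GRUB will silently never accept.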