Enabling SSL on Tomcat with OpenSSL and Keytool on "localhost"

A Simple Step-By-Step Guide To Apache Tomcat SSL Configuration

The guide assumes that you have prior knowledge of the following concepts - 

- OpenSSL ( https://www.openssl.org/ )

- Keytool ( http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html )

- Apache Tomcat ( http://tomcat.apache.org/ )

Introduction

Configuration of all systems for SSL relies on two files, the truststore, which contains the server certificate information (the certificates it will accept from clients) , and the keystore , which manages the client certificate information (the certificates that will be provided to servers), and they are password protected. In SSL handshake, purpose of truststore is to verify credentials and purpose of keystore is to provide credentials. Hence, keystore can be used as a truststore and we will be using keystore in this tutorial.

The following certificate options are available:

• Create your own server and client certificates
• Create your own server certificates, get the server certificate signed by a Certificate Authority (CA), and use a corresponding signed server certificate. This certificate will be used by Tomcat.
• Use a server and client certificate already signed by a CA. Care should be taken with these certificates, as they are associated with specific domains and/or hosts, and may cause problems in a dynamic environment.

This tutorial explains the second option.

Requirement

In our environment, we wanted to create our own "Certificate Authority" for System Testing because relying on "Trusted Certificate Authority" like Verisign, Go Dadddy etc were very expensive. So, we did the following solution approach - 
- Create your own CA
- Use Keytool to create Server ( Tomcat ) Certificates
- Sign the Server Certificates using CA
- Import the Server Certificates signed by CA into Keystore
- Configure Tomcat to use SSL
- Configure Browsers to remove some common Warnings 

Creating Your Own CA

The following websites gives you the instructions to create your CA.

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
http://penturalabs.wordpress.com/2013/08/19/creating-your-own-certificate-authority/

Use Keytool to create Server ( Tomcat ) Certificates

The following website ( section 4.4.1.2 ) gives the instruction to create "Keystore" and "server certificate requesting to be signed by the CA" 

http://docs.continuent.com/tungsten-replicator-2.1/deployment-ssl-stores.html

Create the "keystore" called "keystore.jks".

shell> keytool -genkey -alias replserver -keyalg RSA -keystore keystore.jks

Create the certificate request called "certrequest.pem". This will be signed by CA.

shell> keytool -certreq -alias replserver -file certrequest.pem \

    -keypass  password -keystore keystore.jks -storepass password

Please note the below value when prompted by "keystore" tool. 

 What is your first and last name?

Sign the server certificate using your own CA

Self Sign the certificate using your CA.

shell> openssl ca -in certrequest.pem -out certificate.pem -config "openssl config location"

Convert the certificate to a plain PEM certificate:

shell> openssl x509 -in certificate.pem -out certificate.pem -outform PEM

Finally, for a self-signed certificate, you must combine the signed certificate with the CA certificate:

shell> cat certificate.pem cacert.pem > certfull.pem

Import the Certificates signed by CA into Keystore

This imports both "CA's public certificate" along with "signed certificate of the server" ( cerfull.pem )

shell> keytool -import -alias replserver -file certfull.pem -keypass password -keystore keystore.jks

Check the contents of the keystore.jks. This should show you two entries - 

shell>keytool -list -alias rpaitomcat -keystore javakeystore\keystore.jks

Enter keystore password:password

rpaitomcat, Aug 18, 2014, PrivateKeyEntry,

Certificate fingerprint (MD5): 40:62:EB:50:1F:A1:22:B6:64:F5:59:AB:2E:E8:96:64

Configure Tomcat to use SSL

Configure the "server.xml" file of your Tomcat server to configure the SSL connector. 

<Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxHttpHeaderSize="8192"

               maxThreads="150" minSpareThreads="25" 

               enableLookups="false" disableUploadTimeout="true"

               acceptCount="100" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS"           

               keystoreFile="E:\SSL\javakeystore\keystore.jks" 

               keystorePass="password" />

Warnings shown on browser 

On Chrome browser when you connect using the SSL port, browser will prompt you with two options - 

If you accept the option"Proceed Anyway", the SSL's "three way handshake" algorithm is initiated. However, you will see two errors -

Also, you will see that it says that "Identity not verified" for "localhost".

a) Server's Certificate does not match the URL.
The webserver in our local lab ( for testing ) runs on the URL - "localhost". However, the certificate installed on the server with the "keytool" utility has the "first name and last name" which is different from "localhost". 

E:\SSL>e:\Openssl\bin\openssl.exe x509 -in server2\certificate.pem -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 2 (0x2)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=PaiCorporation, OU=Development, CN=RavindraPai/emailAddress=ravindra.pai@misys.com

        Validity

            Not Before: Aug 18 09:20:25 2014 GMT

            Not After : Aug 18 09:20:25 2015 GMT

        Subject: C=xx, ST=xx, O=xx, OU=xx, CN=xx

        Subject Public Key Info:

To correct this error, when using the keytool to create the certificate, mention the common name as "localhost" and get it signed by CA.

E:\SSL>e:\Openssl\bin\openssl.exe x509 -in server\certificate.pem -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=PaiCorporation, OU=Developme

        Validity

            Not Before: Aug 18 08:07:08 2014 GMT

            Not After : Aug 18 08:07:08 2015 GMT

        Subject: C=US, ST=California, O=Misys, OU=Manufacturing, CN=localhost

In the above case, the common name of the certificate matches the "URL". 

b) Server's certificate is not trusted

The Chrome browser comes with a set of "Trusted Certificate Authorities". However, since we have created our own private "Certificate Authority", we need to add the certificate to the Chrome browser through "Settings->HTTPS/SSL->Manage Certificates and import the certificate ( shown below ) into "Trusted Root Certification Authorities". 
Make sure that you restart Chrome.

Check if the certificate is imported into "Trusted Root Certification Authorities".

With this, the identity of "local host" is verified as seen below and errors are taken care of.

Rajan Murder Case - 1977 - Calicut/Kerala

5) Rajan Case - 1977 - Calicut/Kerala
If "Rageela Rasul" case could be responsible for division of India, the Rajan Case introduced the concept of
human Rights to Independent India and a check on the limitations of power held by the State.

Why is P.Rajan? Why was he kiiled? Who killed him? The background and the imapact -

The May 1969 events in France were a volatile period of civil unrest punctuated by massive general strikes and s
tudents played a key role to almost collapse the regime of Charles De Gualle. Most of the students were influenced by
the death of a charasmatic Argentine Marxist revolutionary, Ernesto "Che" Guevara , in 1967. Needless to say,
these incidents had an impact on the still nascent student movement in India.

India having been born in 1947, was having a mid life crises and Indira Gandhi declared nation wide Emergency
 in India, in 1976. During the nationwide Emergency in India between 1975 and 1977 Fundamental Rights of the
citizen were suspended by the government, hence creating a period of over zealous police activism.

On March 1, 1976, P. Rajan, 21, a final year student of the Calicut Engineering College,
was whisked away from the hostel in the early hours along with another student, Joseph Chali.
Immediately after the arrest, the Princi-pal informed Rajan's father, T.V Eachara Warrior of his son's arrest.
From the day word reached him in Ernakulam/Cochin, where he was resident, Warrior made frantic efforts to trace this son.
He met legislators, he petitioned the concerned authorities, he sought the help of the Home Minister, K. Karunakaran.
All this had no effect. Those were the black days of the Emergency, when issues relating to the citizen's
liberty could not be raised in the courts.

After a period of six months, Joseph Chali suddenly reappeared and it became clear that he was kept in
police custody and was brutally tortured in the prison. He suffered from serious brain cuncussions and
befiore he could tell about the where-abouts of P.Rajan, he died in his coma. This was a major setback for Rajan's Father.

After the Emergency was lifted, Warrior filed a suit of "Habeas Corpus" in the High Court in Ernakulam.
The respondents were Home Minister K. Karunakaran, Home Secretary to Kerala Government, Inspector General of Police and
other senior police officials. From the evidence of eight wit-nesses, it became clear that from the hostel,
 Rajan had been taken to the secluded Bungalow, where he was tortured by six police-men. But as far as the
Government was concerned, Rajan was not arrested. The judge ordered that the boy be produced in court. At a subsequent hearing in a case which made legal history in India, the Division Bench of the Kerala High Court,
held that Mr. Karunakaran had lied to the Court. The verdict created a political furore in the state and following pressures from within the party and
 from the ruling front, Karunakaran had to resign as Chief Minister within one month of his taking oath.

So, what happened to P.Rajan? He died due to the torture of extreme kind, especially something called
"uruttal" - It is a a practice of 'rolling' a heavy wooden log on the body of the victim, till his bones are crushed.
His body was then disposed of by the police, and has never been recovered so far.

Impact -

a) REC, Calicut, organises their annual cultural festival in memory of Rajan.
b) P.Rajan's case had an profound impact on the common citizens of India with respect to - Rigt to Live and Right to Know.
The civil liberties activism movement found its place in Independent India.
c) A Fresh probe in Rajan case sought in 2011.
d) Mr Warrier, a broken man, wrote the book "http://www.scribd.com/doc/57980534/Memories-of-a-Father"

Balwa Murder Case - 1925 - Bombay(British Raj)/Indore(Present day Madhya Pradhesh )

4) Balwa murder case - 1925 - Bombay(British Raj)/Indore(Present day Madhya Pradhesh )

 This case had the ingredients
of a popular potboiler but for the fact that it happened in real life and not reel life - Muslime Coutesan,  Hindu Royalty, Romance, Jealousy,
 Muslim Business Tycoon, British Police, Abdication of throne by a Maharaja, Murder, Papprazzi, felony, blood, revenge and rescue. Also, it showed the
administration might of the British Law Makers and such an impartial judgment would be unthinkable these days.

A motor-car, containing, besides the driver and the cleaner, two men and a woman, drove towards the Hanging Gardens at the top of Malabar Hill.
Almost immediately thereafter another car, a red Maxwell, containing six or seven men drove up, and deliberately bumped into the first car.
Both the cars came to a stop.  The inmates of the red Maxwell jumped out shouting abuses at one of the men and the woman in the other car.
After jumping out, they surrounded the first car on both sides, two or three men mounting the foot-boards on either side.
The first car belonged to one Abdul Kadar Bawla, a wealthy businessman of Bombay.  The other man was his manager named Mathew.

The woman in Bawla's car was Mumtaz Begum, a beautiful Muslim dancing girl, who had been in the keeping of the Maharaja of lndore, Tukoji Rao Holkar III,
the Maharaja of Indore, for about 10 years,
until sometime before the incident of 12th January 1925. She was apparently fed up with her life in the princely harem at Indore;
and had managed a few months back to get away from her gilded cage. She found a harbour, a home, and an unofficial husband in Abdul Kadar Bawla.
This escapade of the girl had apparently caused fierce resentment in high quarters at
Indore, as an affront to the dignity of her princely patron. The young Maharaja gave orders to punish the run-awa Helen of Indore.

The red Maxwell contained this gang of desperate ruffians, determined to kidnap the girl by force.
On the evening of the 12th of January this gang apparently tracked down their intended victims, pursued them on their journey up Malabar Hill,
 and overtook the car near the Hanging Gardens.  The gang first tried to drag Mumtaz from the side of Bawla.
On her resisting this attempt, and crying out for help, and on
Bawla trying to shield her and prevent her from being carried away, one of the gang slashed at the girl's face with a knife, inflicting four
 injuries on her face, which partially disfigured her.  Simultaneously, more than one shot was fired at Bawla.
Bawla was seriously wounded and died shortly after.

He might have got what he wanted if it wasn’t for another car full of English military officers. They joined the fight,
 attacking the men with a golf club that they had just used at the Willingdon Club, snatching the weapons from their hands
and carrying Mumtaz off to their own car. The Brave british officers suffered many causalites - several injuries,
including a gunshot and a knife wound, but the gang was overpowered.

Nine men were tried for the assault, kidnapping conspiracy and Bawla’s murder.
 The trial took several days, drew crowds of spectators to the High Court and fuelled sensationalist stories
in newspapers across the world. The military officer’s testimony helped nail six of the attackers,
but the charges of conspiracy and murder were harder to prove.
The defence lawyers argued that Bawla, who had a license for a revolver, had fired first.
They also claimed that Mumtaz was willing to return to Indore but was being prevented from doing so by Mr. Bawla.

Neither story stuck. the verdict found six accused guilty of murder and one other guilty of the conspiracy charge as well.
Three of the men were sentenced to death, but only two were hanged. The third is said to have gone mad as
soon as he heard his fate.
The Viceroy, Lord Reading, offered The Maharaja of Indore, a commision of inquiry under the resolution of 1920; though he doubted whether
a prince as jealous of his izat as Tukohi Rao had shown himself to be throughout his regime would accept. The Viceroy's
judgement proved correct.

"Rightly or wrongly", wrote the Maharaja by way of reply, "I have all along adhered to the belief that
neither on the analogy of Internation law nor as a matter resting upon treaty is a prince of my position liable to
be tried". Having sealed his fate, Tukoji Rao preemopted the inevitable order for his disposition by abdicating in favour of his son, Prince Yeshwant.

What happened to Mumtaz Begum?  The press pursued Mumtaz, prying into her private life, and dogging her movements at every step and
every spot where she happened to travel. Such is the persistent and pernicious power of modern journalism. Not much is known about her after this incident.


Modern Day impact -

a. The incident spawned a Hindi feature film, Kulin Kanta, which was released in 1925.
b. With the successful cracking of the case, the Bombay police was considered as the best but second next to "Scotland Yard".
c. This case sealed the might of the Indian Maharajas and within the next twenty years, they lost everything.
d. http://en.wikipedia.org/wiki/Tukojirao_Holkar_III
e. http://news.google.com/newspapers?nid=1876&dat=19420928&id=A10sAAAAIBAJ&sjid=7MoEAAAAIBAJ&pg=6817,2312321

Top 7 Murders - Indian Sub-Continent

Since, I had nothing better to do when taking a shower, evil visited my mind. Lucipher kept asking which were the "7" coolest murder"in the Indian subcontinent in the last 100 odd years. The selection was based on two criteria -
  - Committed by people for whom the descent into hell is easy
  - Condoned by a large section of society and, hence, blurring the difference between Right and Wrong.
These crimes will typically have long lasting impact on several generations to come and crimes that
are of most extraordinary and unprecedented nature.

6) Rangeela Rasool Case - 1927 - Lahore.

On a pleasant afternoon, Sept 6 1920, a poor Muslim Carpenter by name, Mr. Ilmuddin, repeatedly stabs a Hindu Publisher by name Mahashay Rajpal. Why? How did this case become the singular most incident which lead to the division of British Raj and changed the relationship between Hindus and Muslims forever in the sub-continent. For this we need to go back a couple of years......

Arya Samjists were provoked by two publications from Punjabi Muslims which were considered offensive to the religious sensibilities of Hindus and they were titled - "Krishna Teri Geeta Jalani Padegi" and "Unnisvin Sadi Ka Maharishi". The latter had very obnoxious references to Swami Dayanand Saraswati, founder of the Arya Samaj.

A man of erudition, Pundit Chamupati vowed to revenge the wrong done. He informed Rajpal that he would write a tract-like simple literature answering back to the Muslims. Mahashay Rajpal Ji supported this scheme wholeheartedly and was itching for a headlong confrontation without costing any lives.

And, the book "Rageela Rasool" ("Playboy Prophet") was published in 1927. No one knew who did the proof reading;
who was the Publisher and which Press finally published it. When published, the book did not enrage anybody.
Nights came but caused no arson and into the glow of a rising sun.

Lo and behold! Riots broke out in parts of Punjab. Who was Agent Provocateur? Enter Mr. Gandhi.

Mr. Gandhi wrote in his weekly paper, "Young India", that local leaders must ensure that "Rangeela Rasool" is
withdrawn from circulation and both the writer and the publisher be punished as per law. Under the pressure of diehard
Sunni Muslims, the government of Punjab chose to file a case against Rajpal.
The legal proceedings went on - District Court, then the Sessions Court and finally the High Court of Punjab.

Rajpal who had been sentenced  to one and a half years imprisonment and a fine of Rs 1,000.00 was finally acquitted with honour
by the Punjab High Court. His Lordship (Mr Justice Duleep Singh) agreed with the plea of Rajpal that his book,
Rangeela Rasool contained nothing new and the entire material was borrowed from writings of Islamic scholars. During the
entire course of the trial, Rajpal stood by his promise of not revealving the source of "Rangeela Rasool".

Enter Mr. Ilmuddin and thus ends the life story of Mr. Rajpal.

Enter Mr. Muhammad Ali Jinnah, the future founder of Pakistan.....

Mr. Ilmuddin was arrested and jailed. After pleading guilty, he was sentenced to death. Punjab Muslims appealed the verdict,
and guess who was the Advocate for Mr. Ilmuddin? Mr. Jinnah, worked on
Ilmuddin’s behalf free of charge. But the day after the appeal was rejected, Ilmuddin was hanged.

Much to the consternation of Hindus, more than a million Muslims from Lahore and the surrounding area thronged the
funeral, and the carpenter was given a honorific name, "Ghazi Ilmuddin Shaheed". Muhammad Iqbal, one of the key founders
of Pakistan, personally placed Ilmuddin’s body in the grave with tears in his eyes.
“This carpenter left us, educated men, behind,” he said.

By this time, the polarization between the Hindus and Muslims was complete and led to the division of British Raj.

Impact on Modern day! -

a) It may be mentioned that an international organisation based in Geneva,
International Publication federation decided in 1998 to honour Mr Rajpal for making the supreme sacrifice
to uphold the Right of Publishing

b) The book remains banned in India, Pakistan and Bangladesh.

c) During the protracted trial, the issue became a cause celebre for the Muslims of entire India.
And to avoid such ominous troubles in future, the British Raj introduced the Blasphemy Law in its Penal Code in 1927.
The U.K. government repealed it in only in 2008.

Hadoop Fundamentals......

I started to learn Hadoop by following Michael's excellent articles at

http://www.michael-noll.com/tutorials/running-hadoop-on-ubuntu-linux-single-node-cluster/
http://www.michael-noll.com/tutorials/running-hadoop-on-ubuntu-linux-multi-node-cluster/

This guide will describe efficient ways to solve the setup problems related to Hadoop and also, hacks to solve the most commonly encountered problems.

a) The guide says to use two VMs running on Ubuntu Linux. So, I decided to use Virtual Box ( Oracle ) running two VMs using Ubuntu Linux ( 10.0.04 LTS ). I decided to use Hadoop 1.2.0.

I needed the following Four broad network rules
        - The master should able to SSH/PING to slave
        - Both the master and the slave should be able to ping each other
        - Both the master and the slave should have different I.P address
        - All the IPs should be "static". Hence, using DHCP, is not an option because of the large maintenance work needed to manage /etc/hosts file.

I spent considerable amount of time with the various interfaces and the right interface to use is "Host-only Adapter". This will give you unique IP address for each of the VMs ( 192.168.56.101 for the First VM, 192.168.56.102 for the second VM, and so on ).

If you had used "NAT", Virtual box would have assigned "the same default unique IP( 10.0.2.15 ) address" for each and every VMs. Hence, this would violated the third condition above.

If you had used "Bridged Adapter", it would have used DHCP to allocate the IP address dynamically, violating the fourth condition. You could have disabled DHCP, but, then you would have to request your IT administrator to assign you static IPs. This is not possible in many of the organization.

b) When you bring up your Hadoop cluster, you might get the following error

java.io.IOException: File /user/ubuntu/pies could only be replicated to 0 nodes, instead of 1

This happens when you have not configured your "$HADOOP_HOME/conf/slaves" file properly. You should add your "hostname" to conf/slaves file. You will get the error if your hostname points to "localhost".

hduser@ubu0:/usr/local/hadoop/conf$ cat slaves
ubu0
ubu1

c) Many a times the the "dataNode" at the "Slave" is unable to reach to "Namenode". This is because the dataNode on the slave still refers to IP address of "127.0.0.1" and hence, is unable to reach the "Master". Ensure that you disable the local loopback address in /etc/hosts file.

hduser@ubu0:/usr/local/hadoop/conf$ cat /etc/hosts

#127.0.0.1 localhost

#127.0.1.1 ubu0

192.168.56.101    master

192.168.56.102    slave