configuration Posts

How to Connect to Red Hat AMQ using Artemis and SSL

We can protect our AMQ endpoint with SSL, so that clients that do not have the right certificate cannot connect to the AMQ server's endpoint.

To do so, we first need to create a very simple certificate for the AMQ server with a simple keytool command,

keytool -genkey -alias artemists -keyalg RSA -sigalg SHA1withRSA -keystore artemis.ts -keysize 2048

This generates a new file, artemis.ts.

Then generate a new keystore,

keytool -genkey -v -keystore broker02.ks -alias broker02 -sigalg SHA1withRSA -keyalg RSA -keysize 2048 -validity 10000

Enter the string "password" whenever keytool asks for a password while generating these two files.

Then reference those files in the AMQ broker.xml configuration,

<acceptor name="core">
    tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;
    keyStorePath=D:/tmp/broker02.ks;keyStorePassword=password;
    trustStorePath=D:/tmp/artemis.ts;trustStorePassword=password;
    enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,RSA;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;
    sslProvider=JDK;sniHost=localhost;anycastPrefix=jms.queue.;multicastPrefix=jms.topic;tcpSendBufferSize=1048576;
    tcpReceiveBufferSize=1048576;useEpoll=true;
    amqpCredits=1000;amqpMinCredits=300
</acceptor>

Start our server,

artemis run

We can connect using the artemis client with the command below,

artemis producer --url tcp://127.0.0.1:61617?sslEnabled=true --message-count 1

On the first connection it will show an error on the client's side,

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

And on your server’s side,

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) [java.base:]
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) [java.base:]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) [java.base:]
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285) [java.base:]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181) [java.base:]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) [java.base:]
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:685) [java.base:]

This means the client needs to trust the server's certificate when making the request. There are several ways to do that; the simplest is to put the server's certificate into the client's local trust store.

keytool -exportcert -alias artemists -keystore artemis.ts -file artemis.cer
keytool -exportcert -alias broker02 -keystore broker02.ks -file broker02.cer

keytool -import -alias artemists -file artemis.cer -cacerts
keytool -import -alias broker02 -file broker02.cer -cacerts

Use the password "changeit" (the JDK default) when importing the certificates into the client's cacerts.

When you re-run artemis producer, it should give a success message like this,

\bin>artemis producer --url tcp://127.0.0.1:61617?sslEnabled=true --message-count 1
Producer ActiveMQQueue[TEST], thread=0 Started to calculate elapsed time ...

Producer ActiveMQQueue[TEST], thread=0 Produced: 1 messages
Producer ActiveMQQueue[TEST], thread=0 Elapsed time in second : 0 s
Producer ActiveMQQueue[TEST], thread=0 Elapsed time in milli second : 27 milli seconds
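As an added example (not code from the original post or from Artemis), the following Python script parses the acceptor URL above and flags the settings a reviewer would question: the RC4, anonymous-DH and 3DES suites, TLSv1/TLSv1.1, the literal password, and the missing needClientAuth, without which the acceptor only authenticates the broker to the client rather than requiring a client certificate. The URL strings and the hardened variant are constructed for this example; the password values in the hardened variant are placeholders.

```python
from urllib.parse import urlsplit

ACCEPTOR_URL = (  # constructed copy of the acceptor URL in the broker.xml above
    "tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;"
    "keyStorePath=D:/tmp/broker02.ks;keyStorePassword=password;"
    "trustStorePath=D:/tmp/artemis.ts;trustStorePassword=password;"
    "enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,RSA;"
    "enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;sslProvider=JDK;sniHost=localhost"
)

HARDENED_URL = (  # constructed hardened variant; password values are placeholders
    "tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;needClientAuth=true;"
    "keyStorePath=D:/tmp/broker02.ks;keyStorePassword=KEYSTORE_PW_PLACEHOLDER;"
    "trustStorePath=D:/tmp/artemis.ts;trustStorePassword=TRUSTSTORE_PW_PLACEHOLDER;"
    "enabledProtocols=TLSv1.2,TLSv1.3"
)

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("_anon_", "RC4", "3DES", "_NULL_", "EXPORT", "_MD5")
TRIVIAL_PASSWORDS = {"", "password", "changeit", "secret"}

def parse_acceptor(url):
    """Return (host, port, params); params are the ';'-separated key=value pairs after '?'."""
    parts = urlsplit(url)
    params = {}
    for pair in parts.query.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.strip()] = value.strip()
    return parts.hostname, parts.port, params

def audit_acceptor(url):
    """List the TLS weaknesses a reviewer would flag in one acceptor definition."""
    _host, _port, p = parse_acceptor(url)
    findings = []
    if p.get("sslEnabled", "false").lower() != "true":
        return ["sslEnabled is not true: plaintext listener"]
    for proto in p.get("enabledProtocols", "").split(","):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    for suite in p.get("enabledCipherSuites", "").split(","):
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    for key in ("keyStorePassword", "trustStorePassword"):
        if p.get(key, "") in TRIVIAL_PASSWORDS:
            findings.append(f"{key} is a default or trivial value")
    # Without needClientAuth the broker proves its identity, but any client trusting it may connect.
    if p.get("needClientAuth", "false").lower() != "true":
        findings.append("needClientAuth is not true: clients are not required to present a certificate")
    return findings
```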

Starting JBoss EAP or Wildfly with a Specific XML Configuration

We can run EAP or Wildfly with a specific XML configuration rather than the default one. For example, we have a new configuration named standalone-full-ha_1.xml and want to run EAP based on it. First we need to put the corresponding XML in the directory below,

%WILDFLY_DIRECTORY%\standalone\configuration

And run using the command below,

standalone.bat -c standalone-full-ha_1.xml


Run as a Root User on Openshift

Sometimes my Docker images hit permission issues when deployed to OpenShift, because OpenShift assigns a random user id as enforced by its default security context constraint (SCC). To "bypass" that constraint and run my image as root, I run the command below,

oc adm policy add-scc-to-user anyuid -z default -n project-name

Create an Expirable Token Using Java

In this article I am creating a simple Java app that holds a value with an expiration time. I usually use this for handling request sessions or for holding a value that has a time limit. I am using EhCache to handle the expiration.

First is a simple pom.xml,

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.edw</groupId>
    <artifactId>ExpirableToken</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>ExpirableToken</name>
    <url>http://maven.apache.org</url>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>net.sf.ehcache</groupId>
            <artifactId>ehcache</artifactId>
            <version>2.7.4</version>
        </dependency>           
    </dependencies>
</project>

And a simple xml file to hold ehcache configurations,

<ehcache updateCheck="false" monitoring="off" dynamicConfig="false">

    <diskStore path="java.io.tmpdir" />

    <defaultCache maxEntriesLocalHeap="0" eternal="false"
                  timeToIdleSeconds="1200" timeToLiveSeconds="1200">
    </defaultCache>

    <!-- a 3 second cache -->
    <cache name="token" maxElementsInMemory="1000" eternal="false"
           overflowToDisk="true" diskPersistent="false" timeToIdleSeconds="3"
           timeToLiveSeconds="3" memoryStoreEvictionPolicy="LFU" statistics="false" transactionalMode="off">
    </cache>

    <!-- a 10 second cache -->
    <cache name="action" maxElementsInMemory="1000" eternal="false"
           overflowToDisk="true" diskPersistent="false" timeToIdleSeconds="10"
           timeToLiveSeconds="10" memoryStoreEvictionPolicy="LFU" statistics="false" transactionalMode="off">
    </cache>

</ehcache>

And this is the Java class I use for testing,

package com.edw.expirabletoken;

import java.util.Date;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;

public class App {

    // CacheManager.create() loads ehcache.xml from the classpath
    private final CacheManager cacheManager = CacheManager.create();
    private final Cache tokenCache = cacheManager.getCache("token");   // the 3 second cache
    private final Cache actionCache = cacheManager.getCache("action"); // the 10 second cache

    public App() {
    }

    private void action() throws Exception {
        // add into the 3 second cache
        Element regElement = new Element("name", "edwin 3 seconds");
        tokenCache.put(regElement);

        // add into the 10 second cache
        Element regElement2 = new Element("name", "edwin 10 seconds");
        actionCache.put(regElement2);

        // 2 seconds sleep: both entries are still present
        Thread.sleep(2000);
        getCacheContent();

        // 5 seconds sleep (7 seconds in total): the 3 second entry has expired
        Thread.sleep(5000);
        getCacheContent();

        // 10 seconds sleep (17 seconds in total): both entries have expired
        Thread.sleep(10000);
        getCacheContent();
    }

    private void getCacheContent() {
        Element element3 = tokenCache.get("name"); // get value from the 3 second cache
        if (element3 != null) {
            String value = (String) element3.getObjectValue();
            System.out.println(new Date() + " -- " + value);
        } else {
            System.out.println(new Date() + " -- Empty Cache");
        }

        Element element10 = actionCache.get("name"); // get value from the 10 second cache
        if (element10 != null) {
            String value = (String) element10.getObjectValue();
            System.out.println(new Date() + " -- " + value);
        } else {
            System.out.println(new Date() + " -- Empty Cache");
        }
    }

    public static void main(String[] args) throws Exception {
        App app = new App();
        try {
            app.action();
        } finally {
            app.cacheManager.shutdown(); // release EhCache's threads so the JVM exits cleanly
        }
    }
}
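As an added example (not code from the original post or from EhCache), the same timeToIdleSeconds / timeToLiveSeconds semantics modelled in Python with an injectable clock, so the timeline of the Java test above (reads after 2, 7 and 17 seconds) can be checked without sleeping. It also shows the difference the page's config hides by setting both values equal: a read refreshes the idle timer but never extends the time to live, which is what stops a continuously used session token from living forever. Names, values and the FakeClock helper are constructed for this example.

```python
import time

class ExpiringCache:
    """Minimal model of an EhCache cache with timeToIdleSeconds (tti) and
    timeToLiveSeconds (ttl): an entry expires when it has not been read for tti
    seconds or ttl seconds after it was put, whichever comes first (0 = never)."""

    def __init__(self, tti, ttl, clock=time.monotonic):
        self.tti, self.ttl, self.clock = tti, ttl, clock
        self._store = {}  # key -> [value, created_at, last_accessed]

    def put(self, key, value):
        now = self.clock()
        self._store[key] = [value, now, now]

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, created, last_accessed = entry
        now = self.clock()
        if (self.ttl and now - created >= self.ttl) or \
                (self.tti and now - last_accessed >= self.tti):
            del self._store[key]  # expired: evict and report an empty cache
            return None
        entry[2] = now  # a hit refreshes the idle timer, never the TTL
        return value

class FakeClock:
    """Manual clock standing in for Thread.sleep in the Java test above."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def run_timeline(clock):
    """Replay the Java test: 3 s 'token' and 10 s 'action' caches, read after
    sleeping 2 s, then 5 s more, then 10 s more."""
    token = ExpiringCache(tti=3, ttl=3, clock=clock)
    action = ExpiringCache(tti=10, ttl=10, clock=clock)
    token.put("name", "edwin 3 seconds")
    action.put("name", "edwin 10 seconds")
    results = []
    for pause in (2, 5, 10):
        clock.sleep(pause)
        results.append((token.get("name"), action.get("name")))
    return results
```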

This is the result on my NetBeans console,

This is my NetBeans project structure,

Well, I hope this helps others; have fun using EhCache.


A Simple HTTPS Configuration Example on Apache Tomcat 6

This idea came to me suddenly while I was reading a question on Kaskus' programmer forum about how to set up an HTTPS connection on Apache Tomcat, so today I am writing a simple how-to example on creating an HTTPS connection with Apache Tomcat 6. Who knows, perhaps someone will find it useful.

Let's start by creating a simple certificate file using keytool.exe,

C:\Program Files\Java\jdk1.6.0_19\bin>keytool.exe -genkey -alias tomcat -keyalg RSA -keystore edw.jks

After you enter your keystore password (I entered "secret" as my password) and answer several simple questions such as "What is your first and last name?", it creates the file.

Next you need to link your certificate to Tomcat's server.xml configuration. This is what I add to my server.xml,

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="D:\edw.jks"
           keystorePass="secret" />
<!-- keystorePass is the same password entered when the keystore was created -->

And I also add this to my web.xml file, located under Tomcat's conf folder,

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic SSL Forwarding</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

This is what my page will look like,

Hope it helps others, cheers.
