Addressing OpenJDK bug with SSL on Ubuntu 12.04 Server (javax.net.ssl.SSLException)

Introduction

After countless hours, you finally finished a secure java server ready for deployment.
If you installed clean copy of Ubuntu 12.04 server or updated it, you may face following error during run time.

 javax.net.ssl.SSLException: java.security.ProviderException: 

 sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID

Problem

This is known bug with OpenJDK that has not been resolved yet.

Solution

This can be fixed by editing following file:

 /etc/java-6-openjdk/security/java.security

Find following line:

 security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

And change to following lines:

 security.provider.9=sun.security.ec.SunEC

 security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

Now your server will not crash!! or you have another fun problem with deal with!

[Tutorial] How to SSH into Amazon EC2 Server

Introduction

Amazon AWS is relatively new web service but its been growing rapidly since its initial launch.
They have thousands of large clients including banks and federal government.
I have recently started using their services for a start-up I am working on.

Amazon AWS EC2 server is set up little different than other common servers in a sense that it only allows access through a private key. Upon creation of Amazon AWS EC2 Server you will receive private key.
It is important to have this key saved somewhere secure and NEVER LOSE IT!!! or else you are going to have bad time.

Requires Private Key

Simply accessing the server over SSH will give you Permission Denied (public key) error.

 ssh root@your-ip

You need to use your private key to access.

 ssh -i your-key.pem your-ip

Requires Permission Change


If you get following error:

 It is required that your private key files are NOT accessible by others.

  This private key will be ignored.

This means your private key is not protected and you need to change the permission.

 chmod 400 your-key.pem

Know your user

If you will still see Permission Denied (public key) error, it is very likely that you have wrong user.
Depending on your linux distribution, you probably wont be able to log in with root.
For Ubuntu distribution available in AWS repository, the default user is "ubuntu"

 ssh -v -l ubuntu -i your-key.pem your-ip

There you go! You should be able to log into your server now.

[Tutorial] Run script at bootup in linux (cronjob or bashscript)

Introduction

If you are lazy programmer like me, you would like to automate everything rather than having to do stuff manually. Usually bash script / python script can become extremely handy getting things done. You can have these scripts to start automatically at bootup or at scheduled time.

Running script/program at bootup under linux environment

In order to run your custom script at bootup under linux environment, you need to copy your script to /etc/init.d/ directory

 cp custom_script.sh /etc/init.d/.




Then you need to change permission to make it executable.

 chmod +x /etc/init.d/custom_script.sh




Create link to your script in rc.d directory.

 ln /etc/init.d/custom_script.sh /etc/rc.d/custom_script.sh




You are all ready to go and your script will be running next time you reboot your computer!

Cron Job

If you want to run your custom script at specific time, then you can use crontab to schedule and automatically run it.

Make sure you have crontab available on your linux machine and edit your crontab file by typing following:

 crontab -e




Crontab syntax is pretty simple. Each line consists of this simple syntax consisting of 6 columns.

 Minute Hour Day Month Week_Day Command




You can specify the script to run every unit (hour, minute etc.) time by using * instead of real number.
Following cron line will run cmd every minute of every hour of every month.

 * * * * * cmd




You can specify the script to run at specific time interval using dash.

For example, following cron line will run the command every weekday between 9 am and 5 pm.

 00 09-17 * * 1-5 cmd




That's it!

Now you can just relax and let the script start automatically.

If you want the script to keep running all the time, you can write a bash script to keep restarting it when it dies.

For more info, look at my another posting here.

[Tutorial] Never dying program (How to automatically restart a program if it dies/crashes

Introduction

When you have an unstable server that keeps crashing, normally you would have to access the server via SSH and restart the server. This is a tedious work and if you need the server up and running and if you don't have access to the computer then it can be extremely annoying.

Solution

In order to solve this problem, you can write a simple bash script that checks periodically if a specific program is running and run it if not.

 #!/bin/bash

 ps ax | grep -v grep | grep custom_app

** Ill include the script in a few hours.

Now you don't have to worry about restarting your server again!
But just keep in mind, this script will not be able to do anything if your server freezes!

[Tutorial] How to run processes over SSH (or linux) in background

Introduction

If you are new to linux scene and SSH, you would have probably realized whenever you run a program over SSH and if you terminate the session, the program you ran also terminate as well.
This can be a problem if you would like to leave a server running.

Solution #1

Simplest solution would be to run the program in the background.
You can do that by running

 your_app&

 bg %1

 exit

Even if you terminate your SSH session, the program would still be running.

Solution #2

Another simple solution is to use nohup.
It is a POSIX command that ignores hangup signal so even if session is closed, the program would still be running. You can use nohup simply by calling the program with nohup.

 nohup your_app&

 exit

Simple solution would be nohup

Solution #3

More complicated and redundant solution would be screen.
Screen is a software that allows multiple virtual consoles to be accessed through single terminal.
You can detach the session so that it keeps running even when you close your terminal.

 screen -d -m bash




Last solution needs an update.

[Tutorial] How to generate certificate authority and server certificates using OpenSSL

Introduction

Many people struggle when they first have to generate correct certificates to work with ssl libraries. There are many tools out there and a number of different file formats and things can get confusing quickly. This tutorial will help you generate your own certificate authority and server certificates to be used for your secure server/client.

Generating Certificate Authority

Certificate Authority is a trusted third party that vouches for servers a client is trying to talk to.
We will be setting up our own CA for our application. This can be useful if you are just looking to test your server or your server will not be accessible by the public.

 openssl req -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 365  

Enter appropriate passphrase when prompted.
This will generate two files:
ca-key.pem - certificate authority private key
ca-cert.pem - certificate authority public certificate

Notice that this CA certificate will only be valid for 365 days.

Generating Server Certificate

Now we need to generate server private key and certificate signing request.
Certificate signing request file is later sent to certificate authority to be signed and generate server public certificate. During SSL handshake, the server sends this signed public certificate to the client and the client can verify it with CA public certificate to make sure the server is trustworthy.

 openssl genrsa -aes128 -out server-key.pem 4096




Set appropriate passphrase for server private key when prompted.
This command will generate RSA server private key of size 4096 bits using 128bit AES algorithm.
Generally key size of 2048 or higher is recommended.

 openssl req -new -key server-key.pem -out server.csr

This command will generate server certificate signing request file. This file is later sent to certificate authority (in this case, our own) to be signed to generate signed public certificate for the server.

Signing Server Certificate with our own Certificate Authority

Once server certificate signing request file is generated, we can send it to well known certificate authority like GoDaddy to be signed but usually there is a fee associated with it.
In our case, we will be signing the certificate signing request file with our own certificate authority generated earlier.

 openssl x509 -req -days 365 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem




This will generate server-cert.pem signed by our own certificate authority and ready to be used!

Removing the Passphrase from Server Private Certificate

Server private key is protected by a passphrase. The private key is to be never shared with anyone else. However if adversary somehow get his or her hands on the private key then this passphrase will protect the file. It is very unlikely that this will happen and also we need to enter the passphrase everytime we run our server and this can get somewhat annoying. Also our cyassl example will fail to load the key with error code NO_PASSWORD if passphrase isn't provided.
As a simple solution, we will simply remove the passphrase from the server private key.

 openssl rsa -in server-key.pem -out server-key-nopass.pem




This command will generate password-free server private key, server-key-nopass.pem.

Generating Java Keystore and Importing CA certificate

In case you are using Java server, you need to generate a keystore where CA certificates are stored.
This can be generated using "keytool" included in Java package.

 keytool -genkey -keyalg RSA -keystore keystore.jks -keysize 4096




This will generate keystore.jks. Now that you have a keystore, we need to import our ca-certificate generated earlier.

 keytool -import -trustcacerts -alias MyCA -file ca-cert.pem -keystore keystore.jks

Testing Generated Certificates

You can install generated certificates using CyaSSL.
Download CyaSSL tutorial code from their website.

 http://www.yassl.com/documentation/ssl-tutorial-2.0.zip

Under finished_src directory, you will notice echoclient and echoserver directories.
We need to copy our own generated certificates to echoclient and echoserver directories.
cp ca-cert.pem /ssl-tutorial-2.0/finished_src/echoclient/.

 cp ca-cert.pem ./ssl-tutorial-2.0/finished_src/echoclient/.

 cp ca-cert.pem ./ssl-tutorial-2.0/finished_src/echoserver/.

 cp server-key-nopass.pem ./ssl-tutorial-2.0/finished_src/echoserver/server-key.pem

 cp server-cert.pem ./ssl-tutorial-2.0/finished_src/echoserver/.

Now compile and run the echoserver and echoclient and see if it works!

Please let me know if there are any mistakes.
I would also appreciate if someone can tell me how to load password-protected server private key.

[Tutorial] How to remove default Samsung Apps from Galaxy S2

Galaxy S2 comes with default samsung apps that are often never used.

If you are neat freaks like me when it comes to files/apps, you will be pleased to know that there is a way to remove default apps easily.

All you need is a root capable browser like Root Explorer.

In this example, I will be using MIUI file explorer which also has root capability.


1. Change the setting of your browser to allow root previlege.

2. Go to /system/app where all default system apps are located and find the file you want to delete.

3. On some browsers, you might need to change the permission of the directory from RO (read-only) to WR (writeable and readable).

4. Delete the file!

It is as simple as that!

Just remember that removing some system apps might break the OS so you have to be careful.


Here is a list of system apps that are safe to remove:

(I found the list from my hard drive. I don't remember where I got it from. If you know where the list is from, please let me know.)

SamsungWidget_WeatherClock.apk

Dlna.apk

LiveWallpapers.apk

SamsungWidget_News.apk

BluetoothOpp.apk

BuddiesNow.apk

TouchWizCalculator.apk

TouchWizCalendar.apk

TwCalendarAppWidget.apk

CalendarProvider.apk

TwWallpaperChooser.apk

Camera.apk

ChocoEUKor.apk

AnalogClock.apk

PressReader.apk

PRUI.apk

lcdtest.apk

SamsungAppsUNAService.apk

ScreenCaptureService.apk

SnsImageCache.apk

Days.apk

Bol.com_version_1.0.3.3.apk

DigitalClock.apk

DownloadProviderUi.apk

DualClock.apk

Email.apk

EmailWidget.apk

FactoryTest.apk

FmRadio.apk

Gallery3D.apk

GameHub.apk

GoogleQuickSearchBox.apk

HelvNeueLT.apk

Protips.apk

HTMLViewer.apk

SamsungIM.apk

IMEITracker.apk

Browser.apk

KiesAir.apk

kieswifi.apk

Kobo.apk

PanningTryActually.apk

Divx.apk

Memo.apk

Mms.apk

Microbesgl.apk

MiniDiary.apk

PostIt.apk

MmsProvisioning.apk

MobilePrint.apk

MobileTrackerEngineTwo.apk

MusicPlayer.apk

MusicHub_U1.apk

MyFiles.apk

GenieWidget.apk

SecretWallpaper1.apk

PhotoRetouching.apk

PicoTts.apk

PolarisOffice.apk

SamsungWidget_ProgramMonitor.apk

ReadersHub.apk

signin.apk

SamsungApps.apk

MMM_Smartphone_1.5.1_final.apk

ApplicationsProvider.apk

SetupWizard.apk

shutdown.apk

Stk.apk

SnsProvider.apk

SnsDisclaimer.apk

SnsAccountFb.apk

SnsAccountLi.apk

SnsAccountMs.apk

SnsAccountTw.apk

SocialHub.apk

SevenEngine.apk

syncmldm.apk

SoundPlayer.apk

SpeechRecorder.apk

Tasks.apk

Term.apk

TrimApp.apk

Kies.apk

UserDictionaryProvider.apk

VideoEditor.apk

VideoPlayer.apk

VoiceToGo.apk

VoiceRecorder.apk

VpnServices.apk

FTS.apk

FTM.apk

SecretWallpaper2.apk

wipereceiver.apk

WlanTest.apk

wssyncmlnps.apk

SamsungWidget_StockClock.apk

Zinio.apk