Wednesday, November 28, 2012

Useful Java keytool commands

Generate a Java keystore and key pair:

keytool -genkey -alias mycert -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a keystore and self-signed certificate (-genkey always self-signs the new key pair; -genkeypair is the newer name of the same command):

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Note: use -keysize 2048 or larger; 1024-bit RSA keys are no longer considered safe. Giving -storepass on the command line records the password in your shell history and shows it in the process list, so prefer leaving it out and letting keytool prompt for it.

keytool command to view certificate details from a keystore:

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using its alias (the alias must be the one given at creation, e.g. mycert or selfsigned above):
keytool -list -v -keystore keystore.jks -alias mycert

The -printcert option prints the details of a certificate stored in a .cer file (it reads the PEM form exported below as well):
keytool -printcert -file test.cer

Export a certificate from a keystore (this writes only the public certificate, never the private key, so no -keypass is needed):
keytool -export -alias mycert -file mycert.crt -keystore keystore.jks
keytool -export -alias mycert -keystore keystore.jks -storepass jkspass -rfc -file keytool_crt.pem

Note: "keytool -export" writes binary DER by default. The -rfc option switches to the base64 PEM encoding (RFC 1421 style, between BEGIN CERTIFICATE and END CERTIFICATE lines), which is what most non-Java tools expect. Check an exported file with keytool -printcert before handing it to another system.


Friday, November 2, 2012

How to install mod_jk.so on Cent OS

The Basics - What is mod_jk?


The mod_jk connector is an Apache HTTPD module that allows HTTPD to communicate with Apache Tomcat instances over the AJP protocol.

Steps:


1. Download the latest Tomcat connectors source (JK 1.2.x) from http://tomcat.apache.org/download-connectors.cgi.
2. Untar the download:
         tar zxvf <filename>
3. Go to the native directory of the connector:
         cd <connector dir>/native/
4. Run the buildconf.sh script:
       ./buildconf.sh
Note: If it fails because "autoconf" (or libtool) is not installed, install them:
       yum install autoconf
       yum install libtool

5. You need the "httpd-devel" package (it provides apxs, the Apache extension tool) to build the module. Check whether it is installed with
         yum list installed | grep httpd-devel
   and if it is not, install it with "yum install httpd-devel".
6. From the native directory run
       ./configure --with-apxs=/usr/sbin/apxs
       make

 

Congrats!! The build leaves mod_jk.so under your native directory (in native/apache-2.0/ for an httpd 2.x build). It is not installed yet: copy it into httpd's module directory (/etc/httpd/modules/ on CentOS) or run "make install", then load it from the httpd configuration and point it at a workers.properties file that describes your Tomcat AJP connector.
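The following is an added example of the remaining wiring, not part of the original post: an httpd configuration fragment that loads the freshly built module, and (in comments) the matching workers.properties. The file paths (/etc/httpd/conf.d/mod_jk.conf, /etc/httpd/modules, /etc/httpd/conf/workers.properties), the worker name ajp13 and the /myapp/ mount path are assumptions for a CentOS layout; adjust them to your installation.

```apache
# /etc/httpd/conf.d/mod_jk.conf   (assumed path; added example, not from the post)
# First copy the built module:  cp native/apache-2.0/mod_jk.so /etc/httpd/modules/
LoadModule jk_module modules/mod_jk.so

# Where mod_jk finds its worker definitions and where it logs
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

# Forward only the application paths to Tomcat; httpd keeps serving static files
JkMount /myapp/* ajp13

# /etc/httpd/conf/workers.properties  (separate file, shown here for completeness)
#   worker.list=ajp13
#   worker.ajp13.type=ajp13
#   worker.ajp13.host=127.0.0.1
#   worker.ajp13.port=8009
```

Reload httpd afterwards (service httpd restart on CentOS 6) and check mod_jk.log for connection errors. Keep the AJP side private: the Tomcat AJP connector in server.xml should bind to 127.0.0.1 (its address attribute) or to a network reachable only by the httpd hosts, because AJP carries no authentication of its own; Tomcat 8.5.51/9.0.31 and later additionally require a shared secret (the secret and secretRequired attributes) that mod_jk must be configured with.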

Tuesday, October 30, 2012

Load Balancing on Web Application server clusters

Overview

A cluster is a group of servers running the same Web application simultaneously and appearing to the outside world as a single server. To balance the load, the system distributes incoming requests across the nodes of the cluster with the goal of keeping every node busy and none overloaded. The result is higher availability and scalability, both necessities for an enterprise Web application.
High availability comes from redundancy: if one Web server fails, another takes over, as transparently as possible, and processes the request.
Scalability is an application's ability to support a growing number of users. Ideally, if the application answers one request in 10 milliseconds (ms), it should still answer each of 10,000 concurrent requests in about 10 ms, which is only possible if the load can be spread over more nodes.
Of the many methods available to balance a server load, the two main ones are:
  • DNS round robin and
  • Hardware load balancers.

DNS Round Robin

To balance server loads using DNS, the DNS server maintains several different IP addresses for one site name. The multiple IP addresses are the machines in the cluster, all of which map to the same logical site name. For example, www.loadbalancedsite.com could be hosted on three machines in a cluster with the following IP addresses:
203.34.23.3
203.34.23.4
203.34.23.5
In this case, the DNS server contains the following mappings:
www.loadbalancedsite.com  203.34.23.3
www.loadbalancedsite.com  203.34.23.4
www.loadbalancedsite.com  203.34.23.5
Diagram.
When the first request arrives at the DNS server, it returns the IP address 203.34.23.3, the first machine. On the second request, it returns the second IP address: 203.34.23.4. And so on. On the fourth request, the first IP address is returned again.

Advantages of DNS Round Robin

The main advantages of DNS round robin are that it's cheap and easy:

Inexpensive and easy to set up

  • The system administrator only needs to make a few changes in the DNS server to support round robin, and many of the newer DNS servers already include support.
  • It doesn't require any code change to the Web application.

Simplicity

  • It does not require any networking experts to set up or debug the system in case a problem arises.


Disadvantages of DNS Round Robin

The two main disadvantages of this software-only method of load balancing are:

No support for server affinity

  • Server affinity is a load-balancing system's ability to send every request of one user either to the specific server that holds that user's session, or to any server when the session state is kept in a shared back end such as a database.
    Without server affinity, DNS round robin relies on one of three methods devised to maintain session control or user identity to requests coming in over HTTP, which is a stateless protocol.
    • cookies
    • hidden fields
    • URL rewriting
    When a user makes a first request, the Web server returns a text-based token uniquely identifying that user. Subsequent requests include this token using either cookies, URL rewriting, or hidden fields, allowing the server to appear to maintain a session between client and server. When a user establishes a session with one server, all subsequent requests usually go to the same server.
    The problem is that the client (the browser and the operating system's resolver) caches the resolved IP address only for the record's TTL. Once the cache expires, the browser asks the DNS server again, and if the round-robin answer now names a different server in the cluster, the session information held on the first server is lost. DNS has no view of the session token at all, so it cannot route by it.

No support for high Availability

  • Consider a cluster of n nodes. If a node goes down, then every nth request to the DNS server directs you to the dead node.
  • Changes to the cluster take time to propagate through the rest of the Internet. One reason is that many large organizations -- ISPs, corporations, agencies -- cache their DNS requests to reduce network traffic and request time. When a user within these organizations makes a DNS request, it's checked against the cache's list of DNS names mapped to IP addresses. If it finds an entry, it returns the IP address to the user. If an entry is not found in its local cache, the ISP sends this DNS request to the DNS server and caches response.
    When a cached entry expires, the ISP updates its local database by contacting other DNS servers. When your list of servers changes, it can take a while for the cached entries on other organizations' networks to expire and look for the updated list of servers. During that period, a client can still attempt to hit the downed server node, if that client's ISP still has an entry pointing to it. In such a case, some users of that ISP couldn't access your site on their first attempt, even if your cluster has redundant servers up and running.
  • This is a bigger problem when removing a node than when adding one. When you drop a node, a user may be trying to reach a server that no longer exists. When you add one, that server is merely under-utilized until its IP address propagates to all the DNS caches. Also, although this method tries to balance the number of users on each server, it doesn't necessarily balance the server load: some users demand far more work during their session than users on another server, and DNS round robin cannot guard against that inequity.

Hardware Load Balancers

The above problem can be solved through virtual IP addresses. The load balancer shows a single (virtual) IP address to the outside world, which maps to the addresses of each machine in the cluster. So, in a way, the load balancer exposes the IP address of the entire cluster to the world.



Diagram.



When a request arrives at the load balancer, it rewrites the destination address (and, for HTTP-aware balancers, request headers) so that the request is delivered to one of the machines in the cluster. If a machine is removed from the cluster, the request doesn't run the risk of hitting a dead server, since all of the machines in the cluster are reached through the same virtual IP address. This address remains the same even if a node in the cluster is down, so cached DNS entries around the Internet aren't a problem. When the response is returned, the client sees it coming from the load balancer. In other words, the client is dealing with a single machine, the hardware load balancer.

Advantages of Hardware Load Balancers

Support Server affinity

  • The hardware load balancer reads the session cookie or the rewritten URL on each request made by the client. Based on this information, it sends the request to the node in the cluster where that session is held.
  • A load balancer can only provide cookie- or URL-based affinity for traffic it can read. Over HTTPS the messages are SSL/TLS-encrypted, so unless the balancer itself terminates the secure channel (the approach described under "Load Balancing HTTPS Requests" below) it cannot see the session information.

High Availability Through Failover

    Failover happens when one node in a cluster cannot process a request and the request is redirected to another node. There are two types of failover:
  • Request Level Failover. When one node in a cluster cannot process a request (often because it's down), the request is passed to another node.
  • Transparent Session Failover. When a request fails mid-session, it is transparently routed to another node that completes it, session state included, without the user noticing.
    Hardware load balancers provide request-level failover: when the balancer's health checks detect that a node has gone down, it redirects all subsequent requests for that node to another active node in the cluster. However, any session information held only in the dead node's memory is lost when its requests are redirected.
    Transparent session failover needs knowledge of the application's state, which a hardware load balancer does not have; it detects network-level problems (a node that stops answering), not errors inside a node. On its own, therefore, a hardware load balancer does not provide transparent session failover.
  • To achieve transparent session failover, the nodes in the cluster must collaborate and keep session data somewhere all of them can reach, such as a replicated in-memory store or a common database. Then, if a node in the cluster fails, the session can continue on another node.
  • Metrics. Since all requests to a Web application must pass through the load-balancing system, the system can determine the number of active sessions, the number of active sessions connected in any instance, response times, peak load times, the number of sessions during peak load, the number of sessions during minimum load, and more. All this audit information is used to fine tune the entire system for optimal performance.
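The following simulation is an added example, not code from the original post. It models the two schemes the post compares: the DNS round robin problem described above (every nth first attempt lands on a dead node), and a balancer with one virtual IP that routes on the session cookie, fails over when a node dies, and keeps the session only if the nodes share a session store. It also shows what happens when the balancer cannot read the cookie, as with HTTPS it does not terminate. The cluster addresses are the post's; the cookie name JSESSIONID, the session ids and the request sequence are constructed for the simulation.

```python
"""Added example (not from the original post): DNS round robin versus a
cookie-routing load balancer with request-level failover. Session survives
failover only with a shared session store. Addresses, cookie name and session
ids are constructed for the simulation."""
import itertools

NODES = ["203.34.23.3", "203.34.23.4", "203.34.23.5"]  # the post's example cluster
SESSION_COOKIE = "JSESSIONID"                          # assumed cookie name
_session_ids = itertools.count(1)                      # session id generator


class RoundRobinDNS:
    """Answers each query with the next address in the list, regardless of health."""

    def __init__(self, addresses):
        self._cycle = itertools.cycle(addresses)

    def resolve(self, name):
        return next(self._cycle)


def dns_round_robin_failure_rate(dead, requests=3000):
    """Fraction of first attempts that land on a dead node under DNS round robin."""
    dns = RoundRobinDNS(NODES)
    hits = sum(1 for _ in range(requests)
               if dns.resolve("www.loadbalancedsite.com") in dead)
    return hits / requests


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


class Node:
    """A web server; session data lives in node memory unless a shared store is given."""

    def __init__(self, ip, shared_store=None):
        self.ip = ip
        self.up = True
        self._sessions = shared_store if shared_store is not None else {}

    def handle(self, sid):
        """Serve one request; the session's only data is a hit counter. An unknown
        id (e.g. one created on a node whose memory is gone) starts a new session."""
        if sid is None or sid not in self._sessions:
            sid = f"S{next(_session_ids)}"
            self._sessions[sid] = 0
        self._sessions[sid] += 1
        return sid, self._sessions[sid]


class LoadBalancer:
    """One virtual IP in front of the nodes; sticky routing on the session cookie."""

    def __init__(self, nodes):
        self.nodes = {n.ip: n for n in nodes}
        self._rr = itertools.cycle(list(self.nodes))
        self._owner = {}  # session id -> ip of the node holding it

    def _pick_live(self):
        for _ in range(len(self.nodes)):
            node = self.nodes[next(self._rr)]
            if node.up:            # health check: never route to a dead node
                return node
        raise RuntimeError("no live nodes")

    def request(self, cookie_header, tls_opaque=False):
        """Route one request. tls_opaque=True models HTTPS the balancer does not
        terminate: the node can still read the cookie, the balancer cannot."""
        client_sid = parse_cookies(cookie_header).get(SESSION_COOKIE)
        seen_sid = None if tls_opaque else client_sid
        node = self.nodes.get(self._owner.get(seen_sid)) if seen_sid else None
        if node is None or not node.up:
            node = self._pick_live()   # new/unknown session, or failover
        sid, count = node.handle(client_sid)
        self._owner[sid] = node.ip
        return sid, node.ip, count


def affinity_failover_demo(shared_sessions=False, tls_opaque=False):
    """Three requests of one session: establish it, repeat, then repeat after the
    owning node dies. Returns what happened at each step."""
    store = {} if shared_sessions else None
    lb = LoadBalancer([Node(ip, store) for ip in NODES])
    sid, first_ip, _ = lb.request(None)                      # no cookie yet
    cookie = f"{SESSION_COOKIE}={sid}"
    _, second_ip, before = lb.request(cookie, tls_opaque)    # should stick
    lb.nodes[first_ip].up = False                            # the node dies
    sid3, third_ip, after = lb.request(cookie, tls_opaque)   # failover
    return {"sticky": second_ip == first_ip,
            "failed_over": third_ip != first_ip,
            "hits_before_failure": before,
            "hits_after_failover": after,
            "session_kept": sid3 == sid and after == before + 1}
```

Calling dns_round_robin_failure_rate({"203.34.23.4"}) returns one third, the 1/n of the text. affinity_failover_demo() with node-local sessions reports sticky routing, a successful failover, and a session that restarts at hit 1; with shared_sessions=True the same failover continues at hit 3; with tls_opaque=True the balancer falls back to plain round robin and the session never sticks at all.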

Disadvantages of Hardware Load Balancers

The drawbacks of the hardware route are cost, setup complexity, and the risk of a single point of failure: since all requests pass through the load balancer, the failure of that device takes down the entire site unless the balancer itself is deployed redundantly (typically as an active/passive pair that hands the virtual IP over on failure).

Load Balancing HTTPS Requests

As mentioned above, it's difficult to load balance and maintain session information for requests that come in over HTTPS, as they're encrypted. The hardware load balancer cannot route requests based on the information in the headers, cookies, or rewritten URLs. There are two options to solve this problem:
  • Web server proxies
  • Hardware SSL decoders.

Implementing Web Server Proxies

A Web server proxy that sits in front of a cluster of Web servers takes all requests and decrypts them. Then it redirects them to the appropriate node, based on the headers, cookies, and rewritten URLs it can now read.
Diagram.
The advantages of Web server proxies are that they offer a way to get server affinity for SSL-encrypted messages, without any extra hardware. But extensive SSL processing puts an extra load on the proxy.
Apache and Tomcat. In many serving systems, Apache and Tomcat servers work together to handle all HTTP requests. Apache handles the request for static pages (including HTML, JPEG, and GIF files), while Tomcat handles requests for dynamic pages (JSPs or servlets). Tomcat servers can also handle static pages, but in combined systems, they're usually set up to handle dynamic requests.
Diagram.
You can also configure Apache and Tomcat to handle HTTPS requests and to balance loads. To achieve this, you run multiple instances of Tomcat on one or more machines. If all of the Tomcat instances are running on one machine, they must be configured to listen on different ports. To implement load balancing, you define a load-balancer worker in the connector's workers.properties (a worker of type lb whose members are the Tomcat instances); this is a mod_jk concept, not a special kind of Tomcat instance.
Diagram.
As shown in the illustration, the Apache Web server receives HTTP and HTTPS requests from clients. If the request is HTTPS, the Apache Web server decrypts it and hands it to the Web server adapter (mod_jk), which passes it to the load-balancer worker. That worker contains the load-balancing algorithm and, much like the Web server proxy, balances the load among the Tomcat instances, using the session id to keep a session on the instance that created it.

Hardware SSL Decoder

There are hardware devices capable of decoding SSL requests that sit in front of the hardware load balancer, so that the balancer receives plain traffic and can read the information in cookies, headers and URLs.
Diagram.
These hardware SSL decoders are faster than Web server proxies and are highly scalable. But as with most hardware solutions, they cost more and are complicated to set up and configure.




Conclusion

Based on the above, I think hardware load balancing is the better choice for Web server load balancing. It supports server affinity and high availability, and its audit information (metrics) can be used to fine tune the entire system for optimal performance.



Thursday, October 25, 2012

How to create self signed certificates programmatically ?

The most common approach to generating a self-signed certificate is the Java keytool.

There may be situations where you want to create a self-signed certificate programmatically. One approach is the Bouncy Castle API.

To start with this, you need to have the Bouncy Castle jar in your classpath.(You can download it from here)


Steps to generate self signed certificate key:


1. Create a public/private key pair for the new certificate

        // Imports used by the three steps. X509V3CertificateGenerator and X509Principal
        // belong to the older Bouncy Castle API (bcprov 1.4x); newer releases deprecate
        // them in favour of JcaX509v3CertificateBuilder.
        import java.io.*;
        import java.math.BigInteger;
        import java.security.*;
        import java.security.cert.X509Certificate;
        import java.util.Date;
        import org.bouncycastle.jce.X509Principal;
        import org.bouncycastle.jce.provider.BouncyCastleProvider;
        import org.bouncycastle.x509.X509V3CertificateGenerator;

        Security.addProvider(new BouncyCastleProvider());

        // 1024-bit RSA is too weak today; use at least 2048 bits
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, new SecureRandom());
        KeyPair keyPair = keyPairGenerator.generateKeyPair();

2. Create the new certificate structure

        // GENERATE THE X509 CERTIFICATE (self-signed, so issuer and subject are the same)
        X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
        // a random serial is preferable to the predictable System.currentTimeMillis()
        v3CertGen.setSerialNumber(new BigInteger(64, new SecureRandom()));
        v3CertGen.setIssuerDN(new X509Principal("CN=cn, O=o, L=L, ST=il, C=c"));
        // valid from one day ago (tolerates clock skew) for ten years
        v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24));
        v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + 1000L * 60 * 60 * 24 * 365 * 10));
        v3CertGen.setSubjectDN(new X509Principal("CN=cn, O=o, L=L, ST=il, C=c"));
        v3CertGen.setPublicKey(keyPair.getPublic());
        v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
        // sign with our own private key
        X509Certificate cert = v3CertGen.generateX509Certificate(keyPair.getPrivate());

3. Store the certificate with the private key

        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);                              // start with an empty keystore
        char[] password = "YOUR_PASSWORD".toCharArray();
        // the entry holds the private key plus its certificate chain (just the self-signed cert here)
        keyStore.setKeyEntry("YOUR_CERTIFICATE_NAME", keyPair.getPrivate(), password,
                new java.security.cert.Certificate[]{cert});
        File file = new File(".", "keystore.test");
        try (FileOutputStream out = new FileOutputStream(file)) {
            keyStore.store(out, password);
        }


I have uploaded the tutorial over here.

How to generate Self-Signed Certificate Using keytool

The example uses the keytool utility to create a new self signed certificate.

  1. Open the command console (Run as Administrator on Windows) and navigate to the directory where keytool (keytool.exe on Windows) is located, or make sure it is on your PATH.
  2. Run the following command (where validity is the number of days before the certificate expires):
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -validity 360 -keysize 2048
  3. Fill in the prompts for your organization information. 

This will create a keystore.jks file containing a private key and  self signed certificate. 

Wednesday, September 26, 2012

MySql: Give Root User Logon Permission From Any Host

I have already written about this in my previous blog post, but that was from the UI. In this tutorial you can do the same task from the MySQL client itself.


To configure this, you'll need to update the mysql.user table to allow access from any remote host, using the % wildcard.

Open the command-line mysql client on the server using the root account.
Then you will want to run the following two commands, to see what the root user host is set to already:
use mysql;
select host, user from user;
Here’s an example of the output on my database.

mysql> use mysql;
Database changed

mysql> select host,user from user;
+-----------+------+
| host      | user |
+-----------+------+
| localhost | root |
| 127.0.0.1 | root |
| ::1       | root |
| localhost |      |
+-----------+------+
4 rows in set (0.07 sec)

Now I'll update the localhost row to use the wildcard, and then issue the command to reload the privilege tables. If your root row shows your machine's hostname instead of localhost, put that hostname in the WHERE clause.

update user set host='%' where user='root' and host='localhost';
flush privileges;

Now you are able to connect to mysql from any other machine using the root account.

Two warnings before doing this anywhere but on a throwaway development box. First, a root account with host '%' is reachable from the whole network: make sure root has a strong password, that the server listens only where it must (bind-address) and that port 3306 is firewalled, and prefer creating a dedicated account with CREATE USER and GRANT that has only the privileges the application needs and is restricted to the client's host or subnet rather than '%'. Second, note the anonymous ''@'localhost' row in the output above: MySQL matches the most specific host entry first, so after this change a local connection as root can be matched by that anonymous account and fail to authenticate. Drop the anonymous row, or keep a separate 'root'@'localhost' row, if you still need local root access.

Friday, September 21, 2012

Liquibase Tutorial



What is Liquibase ?

  1. LiquiBase, available since 2006, is an open source tool for migrating a database from one version to another: a database-independent library for tracking, managing and applying database changes.
  2. A handful of other open source database-migration tools exist as well, including openDBcopy and dbdeploy. At the time of writing LiquiBase supported about 10 database types, including DB2, Apache Derby, MySQL, PostgreSQL, Oracle, Microsoft SQL Server, Sybase, and HSQL.
  3. All changes to the database are stored in XML change log files, and each change set is identified by the combination of its "id" and "author" attributes and the name of the file itself.
  4. A list of all applied change sets is stored in each database and consulted on every update to determine which new change sets still need to be applied.
  5. LiquiBase executes the changes in the XML file to move the database structure and data between revisions.
  6. When you first run a change log, LiquiBase adds two tables to your database:
    databasechangelog: records which change sets have been run.
    databasechangeloglock: ensures that two processes don't try to modify the database at the same time.

To install LiquiBase, download the compressed LiquiBase Core file, extract it, and place the included liquibase-version.jar file in your system's path.
Getting started with LiquiBase takes four steps:
  1. Create a database change log file.
  2. Create a change set inside the change log file.
  3. Run the change set against a database via the command line or a build script.
  4. Verify the change in the database.

Sample changeLog file: the following example creates the table EMPLOYEE and its columns.

<?xml version="1.0" encoding="UTF-8"?>
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-2.0.xsd">
      
    <changeSet author="waheed" id="123456789-1">

 <comment> You can add comments to changeSets.</comment>
        <createTable tableName="EMPLOYEE">
            <column autoIncrement="true" name="EMPLOYEE_ID" type="BIGINT">
                <constraints nullable="false" primaryKey="true" />
            </column>
            <column name="NAME" type="VARCHAR(255)" />
            <column name="GENDER" type="VARCHAR(2)" />
            <column name="COUNTRY" type="VARCHAR(255)" />
            <column name="ABOUT_YOU" type="VARCHAR(255)" />
        </createTable>
    </changeSet>
</databaseChangeLog> 



Running LiquiBase from the command line:
After defining the change set, I can run LiquiBase from the command line (fill in a real username and password; the ";create=true" suffix seen in some examples is an Apache Derby option and does not belong in a MySQL URL):
liquibase --driver=com.mysql.jdbc.Driver \
--classpath=mysql_connector.jar \
--changeLogFile=database.changelog.xml \
--url=jdbc:mysql://localhost:3306/Employees \
--username=<user> --password=<password> \
update



In this example, I run LiquiBase passing in:
  • The database driver
  • The classpath for the location of the database driver's JAR file
  • The name of the change log file “database.changelog.xml”
  • The URL for the database
  • A username and password
Running LiquiBase in an automated build
Instead of using the command-line option, I can make the database changes as part of the automated build by calling the Ant task provided by LiquiBase.

Ant script to execute the updateDatabase Ant task
<target name="update-database">
  <!-- Liquibase 2.x (the version matching the 2.0 schema used above) ships its
       Ant tasks in the liquibase.integration.ant package; 1.9 used liquibase.ant -->
  <taskdef name="updateDatabase" classname="liquibase.integration.ant.DatabaseUpdateTask" 
    classpathref="project.class.path" />
  <!-- dropFirst="true" would drop every object in the database before applying the
       change log; keep it false against anything but a disposable development database -->
  <updateDatabase changeLogFile="database.changelog.xml"
    driver="com.mysql.jdbc.Driver"
    url="jdbc:mysql://localhost:3306/Employees"
    username=""
    password=""
    dropFirst="false"
    classpathref="project.class.path"/>
</target>


I create a target called update-database. In it, I define the specific LiquiBase Ant task I wish to use, calling it updateDatabase. I pass the required values, including the changeLogFile and connection information for the database. The classpath defined in classpathref must contain liquibase-version.jar.



Applying refactorings to an existing database
As new features are added to an application, the need often arises to apply structural changes to a database or modify table constraints. LiquiBase provides support for more than 30 database refactorings.



Add Column
It's sometimes next to impossible to consider all of the possible columns in a database at the beginning of a project. And sometimes users request new features — such as collecting more data for information stored in the system — that can require new columns to be added.
Using the Add Column database refactoring in a LiquiBase change set
<changeSet author="waheed" id="123456789-2">
  <addColumn tableName="EMPLOYEE">
    <column name="PHONE_NUMBER" type="varchar(255)" defaultValue="SOME_DEFAULT_VALUE"/>
  </addColumn> 
</changeSet>
The new PHONE_NUMBER column is defined as a varchar datatype. (Attribute values in a change log must use straight double quotes; curly quotes copied from a word processor make the XML invalid.)


Drop Column
Suppose, you choose to remove the PHONE_NUMBER column you added above. This is as simple as calling the dropColumn refactoring:

Dropping a database column
<dropColumn tableName="EMPLOYEE" columnName="PHONE_NUMBER"/>



Create Table
Adding a new table to a database is also a common database refactoring. The following creates a new table called USER, defining its columns, constraints, and default values (note that USER is a reserved word in several databases, so pick another name or quote it there):

Creating a new database table in LiquiBase
<changeSet author="waheed" id="123456789-3">
  <createTable tableName="USER">
    <column name="ID" type="int">
      <constraints primaryKey="true" nullable="false"/>
    </column>
    <column name="NAME" type="varchar(255)">
      <constraints nullable="false"/>
    </column>
    <column name="ADDRESS" type="varchar(255)">
      <constraints nullable="true"/>
    </column>
    <column name="active" type="boolean" defaultValueBoolean="true"/>
  </createTable>
</changeSet>



This example uses the createTable database refactoring as part of a change set (createTable was also used in the first change set above).



Rename Column
<changeSet author="waheed" id="123456789-5">
        <comment>Add a username column so we can use "person" for authentication</comment>
        <addColumn tableName="EMPLOYEE">
            <column name="usernae" type="varchar(8)"/>
        </addColumn>
    </changeSet>
This change set adds a column "usernae" (the typo is on purpose) with a width of 8 characters.
Now we need to fix usernae so that it becomes username:
    <changeSet author="waheed" id="123456789-6">
        <comment>Fix misspelled "username" column</comment>
        <renameColumn tableName="EMPLOYEE" oldColumnName="usernae" newColumnName="username" columnDataType="varchar(8)"/>
    </changeSet>



Manipulating data
After applying structural database refactorings (such as Add Column and Create Table), you often need to insert data into tables affected by these refactorings. Furthermore, you might need to change the existing data in lookup tables or other types of tables. Below example shows how to insert data using a LiquiBase change set:

Inserting data in a LiquiBase change set
<changeSet author="waheed" id="123456789-4">
  <insert tableName="USER">
    <column name="ID" valueNumeric="3"/>
    <column name="NAME" value="ABDUL"/>
  </insert>
  <insert tableName="USER">
    <column name="ID" valueNumeric="4"/>
    <column name="NAME" value="WAHEED"/>
  </insert>
</changeSet>



You may already have SQL scripts that manipulate data, or the LiquiBase XML change set may be too limiting, and sometimes it's simpler to use SQL scripts to apply mass changes to the database. LiquiBase can accommodate these situations too. Keep in mind that a sqlFile is executed verbatim and LiquiBase cannot generate a rollback for it, so review such scripts as carefully as any other change.

Running a custom SQL file from a LiquiBase change set
<changeSet author="waheed" id="123456789-7">
  <sqlFile path="insert-distributor-data.sql"/>
</changeSet>

How to integrate With Spring:
<!-- root/root123 below are placeholders only. Use a dedicated database account with
     just the privileges the application (and Liquibase) needs, and keep the password
     out of the XML, e.g. via a property placeholder read from the environment -->
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
destroy-method="close">
<property name="driverClass" value="com.mysql.jdbc.Driver" />

<property name="jdbcUrl" value="jdbc:mysql://localhost:3306/Employees" />
<property name="user" value="root" />
<property name="password" value="root123" />
<property name="minPoolSize" value="8" />
<property name="maxPoolSize" value="16" />
<property name="maxIdleTime" value="3600" />
</bean>

<!-- Updater is used to automatically update DB  upon startup if
        Application version has changed -->
    <bean id="LiquibaseUpdater" class="liquibase.integration.spring.SpringLiquibase">
        <property name="dataSource" ref="dataSource" />
        <property name="changeLog" value="classpath:db-changelog.xml" />
    </bean>

<!-- depends-on makes sure the Liquibase updater runs before the DAO starts up (your DAO class) -->
    <bean class="com.waheed.spring.hibernate.DaoImpl" id="dao"
        depends-on="LiquibaseUpdater">
    </bean>



Resources:
http://www.liquibase.org
