Interview

How to install SSL in OFBiz

How to install an SSL/TLS certificate for an OFBiz-based application.

Steps to install the SSL certificate in the OFBiz application:


1.      Create the private key and certificate signing request (CSR) from cPanel.

a.       Go to the SSL/TLS heading.

b.      Select "Generate a SSL Certificate and Signing Request".

c.       Enter the details, submit, and cPanel stores the private key at

/etc/ssl/private/www.globalcompliancepanel.com.key and the certificate signing request at /etc/ssl/certs/www.globalcompliancepanel.com.csr

The private key never has to leave this server; only the CSR is sent to the certificate authority.

2.      Submit the CSR to a certificate authority (VeriSign, GeoCerts, GeoTrust, Thawte, ...) and download what it issues: the server certificate for your CSR (loosely called the "public key" in some vendor instructions) plus the CA's intermediate and root certificates. A CA-issued certificate is not self-signed; a self-signed certificate is only useful for testing, because browsers will not trust it.

3.      Save the server certificate and the CA certificates in the ofbiz/framework/base/config folder.

Note: keep the server certificate in PEM form (the .crt file most CAs send is already PEM; if the CA sends DER, convert it to PEM first with openssl x509). If the CA sends an intermediate certificate, keep it as well: the server must send it together with its own certificate, or clients cannot build the chain.

4.      Create the key store

a.       Convert the private key into unencrypted PKCS#8 DER format (the only format the ImportKey tool below accepts):

openssl pkcs8 -topk8 -nocrypt -outform der -in [Private Key File Name] -out tmpfile

For example: openssl pkcs8 -topk8 -nocrypt -outform der -in /etc/ssl/private/www.globalcompliancepanel.com.key -out tmpfile

tmpfile now holds the unencrypted private key: keep it readable only by you (mode 600) and delete it as soon as the import is done (step 4e).

 

b.      keytool cannot import a bare private key file (Java 6 and later can import a whole PKCS#12 keystore with keytool -importkeystore, which avoids this step entirely), so this page uses the following small Java tool:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

/**
 * ImportKey.java
 *
 * Imports a private key and its certificate (or certificate chain) into a
 * JKS keystore. If the keystore file already exists it is overwritten.
 * The key must be an unencrypted PKCS#8 DER file (RSA). The certificate
 * file must hold one or more X.509 certificates: a single DER certificate,
 * or a PEM file with the server certificate followed by the intermediate
 * certificates, which is how a chain is supplied.
 *
 * Key format:
 *   openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der -outform der
 * Certificate format (single DER certificate):
 *   openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform der
 * Import key and certificate:
 *   java ImportKey YOUR.KEY.der YOUR.CERT.der [alias]
 *
 * Caution: the existing keystore file is replaced by a keystore containing
 * only this key entry. The keystore password, the key password and the
 * default alias are the compiled-in values below (change them before
 * compiling); afterwards they can be changed with keytool -storepasswd,
 * keytool -keypasswd and keytool -keyclone. The keystore path can be
 * overridden at run time with -Dkeystore=/path/to/file.jks.
 *
 * Created: Fri Apr 13 18:15:07 2001
 * Updated: Fri Apr 19 11:03:00 2002
 *
 * @author Joachim Karrer, Jens Carlberg
 * @version 1.1 (adapted for the OFBiz installation described on this page)
 **/
public class ImportKey {

    /**
     * Reads a whole file into memory. Key and certificate files are small,
     * and this avoids relying on InputStream.available() for the file size.
     */
    private static byte[] readFile(String fname) throws IOException {
        return Files.readAllBytes(Paths.get(fname));
    }

    /**
     * args[0]: key file (unencrypted PKCS#8 DER); args[1]: certificate file
     * (one certificate, or the chain with the server certificate first);
     * args[2] (optional): alias for the key entry.
     */
    public static void main(String[] args) {

        // change this if you want another password by default
        String keypass = "globalcp";

        // change this if you want another alias by default
        String defaultalias = "globalcp";

        // change this if you want another keystore file by default
        String keystorename = System.getProperty("keystore");
        if (keystorename == null)
            keystorename = "/home/globalcp/public_html/cp_LIVE/ofbiz-release4.0/framework/base/config"
                + System.getProperty("file.separator")
                + "globalcp.jks"; // especially this ;-)

        // parsing command line input
        if (args.length < 2 || args.length > 3) {
            System.err.println("Usage: java ImportKey keyfile certfile [alias]");
            System.exit(1); // a usage error is a failure, not exit status 0
        }
        String keyfile = args[0];
        String certfile = args[1];
        if (args.length > 2)
            defaultalias = args[2];

        try {
            // start from an empty keystore; it is written out (replacing any
            // existing file) once the key entry has been added
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(null, keypass.toCharArray());
            System.out.println("Using keystore-file : " + keystorename);

            // loading Key: unencrypted PKCS#8 DER, RSA only
            KeyFactory kf = KeyFactory.getInstance("RSA");
            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec(readFile(keyfile));
            PrivateKey ff = kf.generatePrivate(keysp);

            // loading CertificateChain: generateCertificates() handles both a
            // single certificate and a chain (server certificate first)
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Collection<? extends Certificate> c;
            try (InputStream certstream = new FileInputStream(certfile)) {
                c = cf.generateCertificates(certstream);
            }
            // the untyped (Certificate[]) c.toArray() cast of the original
            // throws ClassCastException at run time; the typed form is correct
            Certificate[] certs = c.toArray(new Certificate[0]);
            if (certs.length == 0)
                throw new IOException("no certificate found in " + certfile);
            System.out.println(certs.length == 1
                    ? "One certificate, no chain."
                    : "Certificate chain length: " + certs.length);

            // sanity check: the first certificate must belong to the key being
            // imported, otherwise the HTTPS connector fails only at handshake time
            if (ff instanceof RSAPrivateKey && certs[0].getPublicKey() instanceof RSAPublicKey) {
                if (!((RSAPrivateKey) ff).getModulus()
                        .equals(((RSAPublicKey) certs[0].getPublicKey()).getModulus()))
                    throw new KeyStoreException("private key does not match the first certificate in " + certfile);
            }

            // storing keystore; the password is deliberately not echoed to the
            // terminal (it is the keypass value compiled in above)
            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), certs);
            try (FileOutputStream out = new FileOutputStream(keystorename)) {
                ks.store(out, keypass.toCharArray());
            }
            System.out.println("Key and certificate stored under alias: " + defaultalias);
        } catch (Exception ex) {
            ex.printStackTrace();
            System.exit(1);
        }
    }

} // ImportKey

 

 

c.       Compile the tool and run it to import the key into the Java keystore:

           java ImportKey tmpfile <server certificate file> [alias]

        The certificate file may contain just the server certificate, or the server certificate followed by the intermediate certificate(s) in one PEM file; in the second case the whole chain is stored with the key and the server will send it to clients.

        Note: the keystore and key password is the keypass value compiled into ImportKey (globalcp in the listing above). Treat it as a secret; it also goes into the OFBiz container configuration in step 6.

d.      Now you have the Java keystore globalcp.jks in

/home/globalcp/public_html/cp_LIVE/ofbiz-release4.0/framework/base/config

        Make it readable only by the account OFBiz runs as (mode 600): it contains the private key.

e.       Delete the tmpfile (it is the unencrypted private key):

    rm tmpfile

 

5.      Import the CA root certificate into the keystore as a trusted entry using this command:

keytool -import -v -noprompt -trustcacerts -alias cacert -file root-cert.pem -keystore globalcp.jks

This adds a separate trusted-certificate entry; it does not attach the CA certificates to the key entry, so it is not what makes the server send its intermediate certificate. For that, the intermediate has to be part of the certificate file given to ImportKey in step 4c. Because -noprompt imports without displaying the certificate, check beforehand that root-cert.pem really is the CA's root, and import into the server keystore only what you intend to trust.

 

6.      Open ofbiz-containers.xml (in framework/base/config) and point the HTTPS connector at the new keystore:

      <property name="keystoreFile" value="framework/base/config/globalcp.jks"/>
            <property name="keystorePass" value="globalcp"/>

If the connector also carries a keyAlias property, set it to the alias used in step 4c (globalcp), otherwise the connector will not find the key. The keystore password now sits in a configuration file in clear text, so keep that file and the .jks readable only by the OFBiz user.

 

7.      Restart the OFBiz application and test the certificate from outside, for example with the GeoTrust SSL checker:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557&actp=LIST

A check from outside is the only way to confirm that clients receive the complete chain and that the name in the certificate matches the host name they connect to.
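The key-and-certificate handling of steps 1 to 5, as an added shell example; this is not part of the original page or of OFBiz. It stands a throw-away self-signed certificate in for the CA-issued one so the procedure can be rehearsed offline, produces the PKCS#8 DER file ImportKey expects, performs the check the page skips (does this private key belong to this certificate?), and builds a PKCS#12 bundle that a current keytool imports with -importkeystore in place of the Java helper. The CN www.example.test, the alias globalcp, the password changeit and all file names are placeholders, and only the openssl CLI is required; keytool is used if present.

```shell
#!/bin/sh
# Added example: key/certificate handling for the OFBiz keystore with openssl only.
# Requires the openssl CLI; keytool is used only if present. Paths and names are placeholders.

# Generate a throw-away RSA key and self-signed certificate. Stands in for the CA-issued
# certificate of step 2 so the steps below can be rehearsed without a CA.
make_demo_cert() {                      # $1 = output dir, $2 = CommonName
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Step 4a: unencrypted PKCS#8 DER, the only key format ImportKey.java accepts.
key_to_pkcs8_der() {                    # $1 = PEM key in, $2 = DER file out
    openssl pkcs8 -topk8 -nocrypt -outform der -in "$1" -out "$2" && chmod 600 "$2"
}

# The check the page never makes: does this private key belong to this certificate?
# Compares the SubjectPublicKeyInfo derived from the key with the one inside the certificate.
# Returns 0 = match, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {                    # $1 = key (PEM, or PKCS#8 DER named *.der), $2 = cert PEM
    inform=pem
    case "$1" in *.der) inform=der ;; esac
    k=$(openssl pkey -inform "$inform" -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Alternative to ImportKey.java: one PKCS#12 bundle holding the key, the server certificate
# and (optionally) the intermediates, so the server sends the complete chain.
make_pkcs12() {                         # $1 key, $2 server cert, $3 intermediate PEM or "", $4 out.p12, $5 password, $6 alias
    if [ -n "$3" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name "$6" -out "$4" -passout "pass:$5"
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" -name "$6" -out "$4" -passout "pass:$5"
    fi && chmod 600 "$4"
}

# keytool from Java 6 on imports the PKCS#12 directly; no private-key workaround needed.
# (An old keytool may not read OpenSSL 3 bundles: add -legacy to the pkcs12 command above.)
import_p12_with_keytool() {             # $1 p12, $2 target jks, $3 password (used for both stores)
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping import" >&2; return 3; }
    keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
}

# Step 7 from the command line (needs the restarted server; not run in the offline demo):
# prints the chain the server actually sends and OpenSSL's verification result.
check_endpoint() {                      # $1 = host name, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/^Certificate chain/,/^---/p; /Verify return code/p'
}
```

key_matches_cert accepts both the PEM key and the tmpfile DER, so it can be run right before the import, which is the last moment the mismatch is cheap to fix; a key/certificate mix-up that gets into the keystore shows up only as a failing TLS handshake after the restart.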

How to uninstall and reinstall MySQL

Back up /var/lib/mysql and /etc/my.cnf first (rpm keeps a modified my.cnf as my.cnf.rpmsave, but the data directory deserves an explicit copy). To uninstall MySQL, list the installed packages:

rpm -qa | grep mysql

And then remove the packages that come out of the query above:

rpm -e <package name>

And then install the package again with:

rpm -ivh <package file>.rpm

How to remove locks. A MySQL crash on a Red Hat system resulted in:
/etc/init.d/mysql status
coming back with:
mysql is not running but lock exists

Solved by removing the lock file:
rm /var/lock/subsys/mysql

If this happens again it may also be necessary to remove the pid file from /var/lib/mysql (named after the host, <hostname>.pid). Before removing either, make sure mysqld really is not running (ps, or kill -0 on the pid from the pid file): removing the lock and pid file under a live server leaves it unmanaged by the init script and risks starting a second instance on the same data directory.
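The "is mysqld really gone?" check from the paragraph above, as an added shell example that is not part of the original page. It decides whether the leftover lock is stale by looking at the process named in the pid file, and only then removes the lock and pid file. The paths /var/lock/subsys/mysql and /var/lib/mysql/<hostname>.pid are the Red Hat defaults and are passed in as arguments, so the functions can be tried on throw-away files.

```shell
#!/bin/sh
# Added example: remove the "lock exists" leftovers only when mysqld is really gone.
# Arguments are the lock file (/var/lock/subsys/mysql on Red Hat) and the pid file
# (/var/lib/mysql/<hostname>.pid by default; check pid-file in my.cnf).

# 0 = lock is stale (safe to remove); 1 = pid file names a live process (leave it alone);
# 2 = no lock file, nothing to do. Only digits are read from the pid file, so a truncated
# or garbage pid file cannot turn into an arbitrary argument to kill.
lock_is_stale() {                        # $1 = lock file, $2 = pid file
    [ -e "$1" ] || return 2
    if [ -r "$2" ]; then
        pid=$(tr -cd '0-9' < "$2")
        if [ -n "$pid" ] && [ "$pid" -gt 0 ] && kill -0 "$pid" 2>/dev/null; then
            echo "mysqld (pid $pid) is still running; not touching $1" >&2
            return 1
        fi
    fi
    return 0
}

# Removes lock and pid file only when lock_is_stale says so, and passes its code on,
# so a caller can follow up with "service mysqld start" only on 0.
clear_stale_lock() {                     # $1 = lock file, $2 = pid file
    lock_is_stale "$1" "$2" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        rm -f -- "$1" "$2"
        echo "removed stale $1 (and $2 if it existed)"
    fi
    return "$rc"
}
```

A missing pid file with a lock present is treated as stale, which matches the crash case above: mysqld died without cleaning up, and the init script's lock is all that remains.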


Complete installation guide:
http://www.thegeekstuff.com/2008/07/howto-install-mysql-on-linux/

Each distribution comes with a shell script (a service) to start, stop and restart the MySQL server. First log in as root and open a shell prompt, then type the following commands as per your Linux distro:

A) If you are using MySQL on Red Hat Linux (Fedora Core/CentOS) then use the following commands:

* To start mysql server:

/etc/init.d/mysqld start

* To stop mysql server:

/etc/init.d/mysqld stop

* To restart mysql server

 /etc/init.d/mysqld restart

Tip: Red Hat Linux also supports the service command, which can be used to start, restart or stop any service:

# service mysqld start
# service mysqld stop
# service mysqld restart

On systemd-based releases (RHEL/CentOS 7 and later, current Fedora) the equivalent is systemctl start, stop or restart with the unit name (mysqld, or mariadb where MariaDB is installed).

(B) If you are using MySQL on Debian / Ubuntu Linux then use the following commands:

* To start mysql server:

/etc/init.d/mysql start

* To stop mysql server:

/etc/init.d/mysql stop

* To restart mysql server

/etc/init.d/mysql restart


How to recover MySQL data from InnoDB?

Issue:

Sometimes you have to recover MySQL data from ibdata1. There are many reasons why InnoDB files end up corrupted in a way mysqld cannot repair automatically at start-up.

Solution:

Scenario

We assume that your scenario is like the following:

  1. You have a backup of ibdata1, ib_logfile0 and ib_logfile1
  2. You also have a backup of your database folder with the .frm files
  3. You would like to restore this backup into a MySQL server that is already in production.

Before we start, just one piece of advice: stop crying, your data isn't lost.

Restore the data backup you have

First of all restore your data on another MySQL server, so that the services in your normal production environment are not interrupted; the forced-recovery modes used below can make a damaged data set worse, so never run them on the only copy. Restore the data into the normal MySQL data directory. For our scenario we use /var/lib/mysql.

Be careful to get the right permissions and owners on all your data files: the mysql user should own the files and the group should also be mysql.

Before you continue you need to find the size of your InnoDB log files, because mysqld refuses to start when innodb_log_file_size does not match the files on disk. Simply run ls -l in the data directory. This will output something like this:

-rw-rw---- 1 mysql mysql 5242880 Jun 25 11:30 ib_logfile0
-rw-rw---- 1 mysql mysql 5242880 Jun 25 11:30 ib_logfile1

Start up MySQL in rescue mode

A few simple steps start the MySQL daemon in rescue mode:

  1. From your Unix shell, su into the mysql user: su mysql
  2. Start your mysqld process with the log file size and innodb_force_recovery as parameters:
/usr/sbin/mysqld --innodb_log_file_size=5242880 --innodb_force_recovery=6

innodb_force_recovery=6 is the most aggressive level (no log redo at all). Start with the lowest level that lets mysqld come up (1, then 2, and so on) and raise it only if needed: levels 4 and above can permanently corrupt the data files, which is why all of this is done on a copy.

If everything goes fine you should get output like this:

InnoDB: The user has set SRV_FORCE_NO_LOG_REDO on
InnoDB: Skipping log redo
070625 11:59:36 InnoDB: Started; log sequence number 0 0
InnoDB: !!! innodb_force_recovery is set to 6 !!!
070625 11:59:36 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.18' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL

Get your data

The last simple but most important step is to get your data out.

  1. Open a new shell to the server where your MySQL daemon is running in recovery mode.
  2. Simply run a normal mysqldump of your database:
mysqldump -u root -p database > database.sql

If you get a message looking like this, you have corrupted InnoDB log files:

Got error: 1146: Table 'database.table' doesn't exist when using LOCK TABLES

What you can try to resolve this is to keep the ib_logfile0 from your most recent backup while restoring all the other files from an older backup. This isn't a fail-proof solution, but worth a try. (Running mysqldump with --skip-lock-tables at least avoids the LOCK TABLES step, which a server in forced recovery may not be able to perform.)

Restore your data

Before loading anything into production, check that the dump actually contains the tables and rows you expect; a dump taken from a crippled server can be incomplete without an error. Then copy your SQL dump to your production server and simply restore the data from the dump file like this:

mysql -u root -p database < database.sql
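A pre-flight for the rescue start described above, as an added shell example that is not part of the original page. It derives innodb_log_file_size from the restored files instead of reading it off ls -l, refuses a pair of log files of different sizes (a sign that the two files came from different backups), and builds the mysqld command line; the rule that levels 4 and up are only emitted for a directory the caller marks as a copy is this example's own policy, reflecting the warning in the text. Nothing here starts mysqld, and /usr/sbin/mysqld and the data directory are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight for the InnoDB rescue start. Paths are placeholders and
# nothing here starts mysqld; the functions only validate and print the command line.

# Prints the common size of ib_logfile0 and ib_logfile1 in bytes, which is what
# --innodb_log_file_size must be set to or mysqld will not start on these files.
# Returns 1 if either file is missing, 2 if their sizes differ (files from different backups).
innodb_log_file_size() {                 # $1 = data dir
    for f in ib_logfile0 ib_logfile1; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    s0=$(wc -c < "$1/ib_logfile0" | tr -d ' ')
    s1=$(wc -c < "$1/ib_logfile1" | tr -d ' ')
    if [ "$s0" != "$s1" ]; then
        echo "ib_logfile0 ($s0) and ib_logfile1 ($s1) differ in size; restore both from the same backup" >&2
        return 2
    fi
    echo "$s0"
}

# Prints the mysqld command line for recovery level 1..6. Levels 4 and above can
# permanently damage the data files, so this example only emits them when the caller
# states that the directory is a copy ($3 = "copy"), never for "production".
innodb_rescue_cmd() {                    # $1 = data dir, $2 = innodb_force_recovery level, $3 = "copy" or "production"
    case "$2" in 1|2|3|4|5|6) ;; *) echo "innodb_force_recovery must be 1..6" >&2; return 1 ;; esac
    if [ "$2" -ge 4 ] && [ "$3" != copy ]; then
        echo "innodb_force_recovery=$2 can corrupt data files; run it on a copy only" >&2
        return 1
    fi
    size=$(innodb_log_file_size "$1") || return 1
    echo "/usr/sbin/mysqld --datadir=$1 --innodb_log_file_size=$size --innodb_force_recovery=$2"
}
```

The emitted command is meant to be run as the mysql user (su mysql, as in the text), so that files InnoDB touches keep the ownership the restore gave them.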

How to zip a folder in Linux

To zip a folder in Linux (Red Hat Enterprise Linux 4):
zip -9 -r <zip file> <folder name>
For example: zip -9 -r abc.zip xyzFolder
To zip a single file (no -r needed):
zip -9 <zip file> <filename>
For example: zip -9 abc.zip xyzFolder.txt
Use "-9" for best compression. The compressed file opens fine with the Windows XP built-in compression tool.

OFBiz production set up guide

Securing MySQL

Java Security

Apache SSL/TLS mini-HOWTO