Sunday, 22 June 2014

Supporting https URLs on your Tomcat server.

Goal

A couple of posts back we saw how to write a simple server in Spring MVC ( Spring MVC Hello World Example ). If you noticed, the URL was something like "http://localhost:8080/GreeterProject/welcome.htm", so the protocol used is http. But you must have seen some sites using a more secure protocol called https, especially sites which have payment transactions. In this post we will see how we can support it. By the end of this post we should be able to hit a URL like "https://localhost/GreeterProject/welcome.htm".

Prerequisite

For this post I am assuming you have a setup equivalent to the one at the end of the post Spring MVC Hello World Example. You should also have the Java SDK with you. We will need it to create a self signed certificate, which is essential for SSL connections (https). Do not worry about it as of now. Just make sure you have the Java SDK installed.

Basics

SSL (and its successor, TLS) is a protocol that operates directly on top of TCP (although there are also implementations for datagram based protocols such as UDP). This way, protocols on higher layers (such as HTTP) can be left unchanged while still providing a secure connection. Underneath the SSL layer, HTTP is identical to HTTPS.

When using SSL/TLS correctly, all an attacker can see on the cable is which IP and domain you are connected to, roughly how much data you are sending, and what encryption and compression is used. He can also terminate the connection, but both sides will know that the connection has been interrupted by a third party.

Getting Started

So let's get started. First let's edit the configuration of the Apache Tomcat server so that it can support SSL (https) connections.

Go to the server.xml file. If you are using Eclipse IDE there should be a separate folder created for servers in the projects directory. In it you will find the configurations of the servers you have configured. In the previous post on how to create a simple Hello World Spring MVC project we created a new server instance to run it on; that instance would be present in the servers folder. If not, Eclipse will ask you to configure one when you run your project by selecting Run As -> Run on Server.

If you are using a plain Apache Tomcat installation, i.e. no Eclipse, you can find this file at TomcatInstallation/conf/server.xml. Here TomcatInstallation is the folder where you have installed Tomcat.

In this file you would see a commented line like

<Connector SSLEnabled="true" clientAuth="false"  maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

It is wrapped in <!-- --> comment tags. Remove them, i.e. un-comment it. You also need to add some more properties, keystoreFile and keystorePass. The line should now look like

<Connector SSLEnabled="true" clientAuth="false" keystoreFile="${user.home}/.keystore" keystorePass="mypasswd" maxThreads="150" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

Do not worry about keystoreFile and keystorePass; I will come to them. Notice that other than that I have changed the port from 8443 to 443. You can leave it at 8443, but 443 is the default port for SSL, so I used it. If you change it to 443 you don't have to explicitly add a port in your URL.

You can view your server config from Eclipse itself. Double click your server in the Servers tab.


Understanding and Creating a keystore

For a secure connection between server and client (the browser in this case) the server needs to send a certificate signed by some trusted authority. The client must trust the authority that has signed this certificate. Questions such as what the contents of the certificate are, or how the client knows that the certificate comes from the proper server, are out of scope for this discussion. If interested you can go through the Important Links section at the bottom of this post.

The important point is that we need a certificate on the server. For demonstration purposes I am going to create a self signed certificate and use it. Yes, when the browser hits this URL the certificate will not be something the browser automatically trusts, so we will have to give the browser permission to trust it. But we will see that later. Create a self signed certificate. You can go through my earlier post on it ( Creating a self signed certificate for SSL using java keytool ). This will be created in your root folder with name .keystore. Now if you look back at the configuration changes we made in the Tomcat server.xml file, keystoreFile is the path to this certificate and keystorePass is the password you used while creating the certificate.
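A preflight check for the connector line above, added here as an example (it is not code from the original post). It resolves keystoreFile the way the connector writes it and confirms the file is really there, which catches the case where keytool was run with -keystore keystore.jks and the keystore landed somewhere other than ${user.home}/.keystore. The helper names and the one-Connector-per-line layout are assumptions of this example.

```sh
#!/bin/sh
# Added example: preflight check for the HTTPS <Connector> in server.xml.
# Assumes each Connector element sits on one line, as in the post.
# connector_attr and check_https_connector are hypothetical helper names.

# Print attribute $2 of the first uncommented SSL-enabled Connector in file $1.
connector_attr() {
    sed -e 's/<!--.*-->//' -e '/<!--/,/-->/d' "$1" |
        grep 'SSLEnabled="true"' | head -n 1 |
        sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# $1 = server.xml, $2 = home directory of the account that runs Tomcat.
check_https_connector() {
    xml=$1; home=${2:-$HOME}; rc=0; token='${user.home}'
    port=$(connector_attr "$xml" port)
    if [ -z "$port" ]; then
        echo 'FAIL: no uncommented Connector with SSLEnabled="true"'
        return 1
    fi
    # Without keystoreFile, Tomcat falls back to .keystore in the user's home.
    ks=$(connector_attr "$xml" keystoreFile)
    ks=${ks:-$token/.keystore}
    # Resolve ${user.home} the way the JVM would for that account.
    case $ks in "$token"*) ks=$home${ks#"$token"} ;; esac
    if [ -r "$ks" ]; then
        echo "OK: keystore found at $ks"
    else
        echo "FAIL: keystore missing at $ks"
        rc=1
    fi
    # keystorePass sits in clear text, so server.xml should not be world-readable.
    if [ -n "$(connector_attr "$xml" keystorePass)" ] &&
       [ -n "$(find "$xml" -perm -004)" ]; then
        echo "WARN: $xml is world-readable and contains keystorePass"
    fi
    # Ports below 1024 are privileged on Unix-like systems.
    if [ "$port" -lt 1024 ]; then
        echo "NOTE: port $port needs root or an equivalent privilege to bind"
    fi
    return $rc
}
```

Call it as check_https_connector TomcatInstallation/conf/server.xml before starting the server; a non-zero exit status means the connector would not find its keystore.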


That's it. Start the server now. You should get a screen like the one below.


Go ahead, select "I Understand the Risks" and then "Add Exception". You will again get a popup screen to confirm the security exception. You can also view the details of the certificate by clicking View Details.



After you select Confirm Security Exception you can see your webpage with https.




And you are done :) Let me know if you still have any question.

Important Links

Creating a self signed certificate for SSL using java keytool

Goal

In this post we will see how to create a self signed certificate using the keytool utility provided in the Java SDK. You should have the Java SDK installed for this and set in the classpath. The simplest way to check whether it is added in the classpath is to open a command prompt and type java -version. It should show you which Java version you are using.



Getting Started

So let's get started.

  1. Run the following command from the command line -

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass mypasswd -validity 360 -keysize 2048
    
  2. You will be asked to enter some details. Enter your first and last name (same line).
  3. Then enter your organizational unit name.
  4. Then name of your city / locality.
  5. Name of your state / province.
  6. Two letter country code.
  7. And finally the key password. Hit enter if it is same as keystore password.

Your keystore.jks should be created in your root folder or the path (if you have explicitly provided one).


 

More Details...


To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:

Windows:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA   

Unix:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA


Note 1 : The RSA algorithm should be preferred as a secure algorithm, and this also ensures general compatibility with other servers and components.

Note 2 : This command will create a new file, in the home directory of the user under which you run it, named ".keystore". To specify a different location or filename, add the -keystore parameter, followed by the complete pathname to your keystore file, to the keytool command shown above.

For a detailed post on how to configure and support https on your Tomcat, refer to the following -

Important Links

Thursday, 19 June 2014

How to enable developers option in your android device?

I really thought they are enabled by default, but as it turns out they are not. And why should they be? They are of no use to a normal Android smartphone user. Why would they care whether USB debugging is enabled or not? But we as developers do. So let's see how we can enable developer mode in Android.

  1. Go to System Settings -> About Phone
  2. You will see Build number listed there.
  3. Tap on it about 7 times and you must see a toast saying "Developers mode is turned on".
  4. Then developers options should be available in your System Settings.








Then you can view all your Developer options including enabling/disabling USB debugging.

Wednesday, 18 June 2014

How to run adb shell always as a root?

 Goal

How can we run adb shell with root permissions every time? The procedure is shown below.

You can try this method, but be careful, as this allows any app to gain root access. You can say this may lead to a "Security Hole!"

Procedure


Make your suid binary insecure by typing the following commands.

  1. Go to platform-tools directory inside sdk folder.
  2. Open command prompt in that directory and execute following commands.
  3. adb shell
  4. su
    User will be prompted to grant super user privileges to adb shell.

  5. mount -o remount,rw /system (or: adb remount)
  6. ls -la /system/bin/sh (Observe the output)
  7. chmod 4755 /system/bin/sh
  8. ls -la /system/bin/mksh (Again observe the output. Notice the SUID bit set)
  9. exit



The above steps will make your adb shell run as root every time. If you do not understand how the SUID bit works in Linux (Android has a Linux kernel after all) you can look at the following post: Quick introduction to SUID: What you need to know.
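To check a device for the condition this procedure creates, the following added example (not part of the original post) reads `ls -la` output and flags setuid binaries, marking root-owned shells separately. It assumes the Android toolbox column order (mode, owner, group, size, date, time, name); the sample listing and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: spot setuid binaries, and setuid-root shells in particular,
# in `ls -la` output. Assumes the column order mode owner group ... name.
# The listing below is constructed sample data, not output from a real device.

SAMPLE_LISTING='lrwxr-xr-x root     shell             2014-06-18 10:02 sh -> mksh
-rwsr-xr-x root     shell      157424 2014-06-18 10:02 mksh
-rwxr-xr-x root     shell        9864 2014-06-18 10:02 ls
-rwsr-sr-x root     root        91980 2014-06-18 10:02 su'

# Convert a symbolic mode such as -rwsr-xr-x to four octal digits (4755).
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        special = 0; digits = ""
        for (g = 0; g < 3; g++) {
            r = substr($0, 2 + g*3, 1); w = substr($0, 3 + g*3, 1); x = substr($0, 4 + g*3, 1)
            d = (r == "r" ? 4 : 0) + (w == "w" ? 2 : 0)
            if (x == "x" || x == "s" || x == "t") d += 1      # execute bit present
            if (x ~ /[sStT]/) special += (g == 0 ? 4 : (g == 1 ? 2 : 1))
            digits = digits d
        }
        print special digits
    }'
}

# Read a listing on stdin; print one line per regular file with the setuid bit.
find_suid_entries() {
    while read -r mode owner rest; do
        case $mode in -??[sS]*) ;; *) continue ;; esac
        name=${rest##* }
        tag=SUID
        if [ "$owner" = root ]; then
            # A root-owned setuid shell hands root to anything that executes it.
            case $name in sh|mksh|bash|ash) tag=SUID-ROOT-SHELL ;; esac
        fi
        echo "$tag $(mode_to_octal "$mode") $owner $name"
    done
}
```

Feed it real output with adb shell ls -la /system/bin | find_suid_entries. Running chmod 0755 on a flagged shell clears the setuid bit again.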

How to change host file in an Android device?

Goal

In this post we will see how we can edit the host file in an Android device.

Prerequisites and Background

You must have a rooted device!! You cannot really alter system files if your device is not rooted. Next you need the Android SDK, the device of course, and a data cable. We will be using the adb tool that comes with the SDK. You can go through my earlier post on What is Android Debug Bridge (adb)? You can also go through some helpful posts like Android Partitions and Kernel Explained and Android Partitions Basic. If you want to root your Android device you can go through this post too: How to root your Android device?


Editing the host file

  1. Navigate to the directory where your adb tool is located. That would be adt-bundle-windows-x86_64-20140321\adt-bundle-windows-x86_64-20140321\sdk\platform-tools.
  2. Open a terminal there and type adb devices. You should see your device listed. If you cannot see your device listed, try the steps provided in Troubleshooting steps when Eclipse ADT does not recognizing your Android device and Troubleshooting steps when Android device is detected but not recognized by Eclipse ADT.

  3. Next pull the host file using the following command

    adb pull /system/etc/hosts ./



    You should get host file in the current directory.
  4. Change the host file as per the mapping you want.

  5. Push the file back to the device using following command.

    adb push hosts /system/etc/

    That should push your host file back to the system/etc folder. And you are done. Your host file is successfully changed.
  6.  You can cross verify your changes by logging into adb shell and viewing the host file.

  7. For above step you will have to grant adb shell su privileges. It will prompt you on the device.

  8. Finally you can test your changes by typing test.domain.com in your Android browser. You may have to restart your phone to refresh the DNS cache. It won't load because there is no server running with that URL. If you map facebook.com to this URL even facebook will not load.
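Before pushing the edited file back, it helps to confirm that every line parses and to see exactly which names are being remapped. The following is an added example, not part of the original post; the sample file content, the 192.0.2.10 address and the function name are constructed for illustration.

```sh
#!/bin/sh
# Added example: review a hosts file pulled with `adb pull /system/etc/hosts ./`
# before pushing it back. SAMPLE_HOSTS is constructed sample content.

SAMPLE_HOSTS='127.0.0.1       localhost
::1             ip6-localhost
# test mapping
192.0.2.10      test.domain.com www.test.domain.com
10.0.0.300      bad.example
example.org'

# Read hosts-file text on stdin. Prints "OVERRIDE name -> ip" for every name
# mapped to a non-loopback address and "MALFORMED line N: ..." for lines that
# would not parse. Returns 1 if any malformed line was seen.
review_hosts() {
    awk '
    function valid_ip(a,   n, p, i) {
        if (a ~ /:/) return a ~ /^[0-9A-Fa-f:.]+$/       # loose IPv6 check
        n = split(a, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    { sub(/#.*/, "") }                                    # strip comments
    NF == 0 { next }
    NF < 2 || !valid_ip($1) {
        printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next
    }
    $1 !~ /^127\./ && $1 != "::1" {
        for (i = 2; i <= NF; i++) printf "OVERRIDE %s -> %s\n", $i, $1
    }
    END { exit (bad ? 1 : 0) }'
}
```

Run it as review_hosts < hosts in the directory where the file was pulled. The same check on a file pulled from a device you did not edit shows any remapping that is already in place.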

