Certificate Chaining

If you are required to install a new certificate (say for example cacerts) then you will potentially need to chain the certificates.

Don’t be phased by this, the concept is relatively straightforward….

When chaining certificates your starting point will be the new certificate you’ve been provided with, inspect the cert with the following command and note the subject and the issuer lines

openssl x509 −in .crt −noout −text
Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority  L1C
Subject: C=GB, L=Wales, O=MY Group, OU=IT&T, CN=my.url.com

To build the chain you need to obtain the next certificate (ie Issuer) and repeat this process until you reach the root certificate, you know when you’ve reached the root certificate because the subject and the issuer will have the same details ie. a self signed certificate like below:

Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority

For this example I have my new certificate and 3 other pem files that complete the chain, to link all these certificates ready for importing into the cacerts file use the following command, this will build the chain and output a p7b file all in one line:

openssl crl2pkcs7 −nocrl −certfile newcert2013.cer −out certificate.p7b −certfile cert2.pem −certfile cert3.pem −certfile cert4.pem

Next you’ll need to import the newly created p7b file into the cacerts file, this is done like so (obviously you’ll need the cacerts password!):

keytool import −alias my.new.cert −file certificate.p7b −keystore cacerts

And that’s all there is to it!!!

Eclipse freezes/hangs on Secure Storage dialog box

Image

Every now and again I’ll start up eclipse/myeclipse and as soon as the Secure Storage password dialog pops up eclipse freezes – slightly annoying because all you can do is kill off eclipse.  From my research it appear this problem is caused by a thread deadlock and apparently upgrading to jdk 1.7 fixes the issue however there is another way to combat it…..

My initial work around was to clone my workspace, wipe the original workspace and fire eclipse back up pointing at the newly wiped workspace (then copy my projects back into this workspace), a tedious way to get back into the action but it does work.

A slicker way round the problem is to completely wipe the security folder situated beneath your home folder.  In my case I’d navigate to

/home/csw/.eclipse

and totally remove the folder org.eclipse.equinox.security, this folder holds the secure storage password and if not present will not prompt the password dialog box on startup. The only downside is that you will need to relog when connecting to various services like cvs/svn etc etc…

Footnote: there are several solutions on stackoverflow addressing the issue but by far the most effective is the method mentioned above!

http://stackoverflow.com/questions/2621081/eclipse-galileo-not-responding-ubuntu-64-bit

Struggling with usb-creator then use….

I struggle for the best part of an evening trying to install ubuntu onto a usb stick. My first google searches results pointed towards usb-creator which from the outset looks good but continued to get various errors (Installation failed was the main annoying message).

Anyway, after googling various error messages I stumbled across this little beaut which saved the day, UNetbootin:

http://unetbootin.sourceforge.net/

Why resizing a partition took 3 hours I’ll never know :(

Add additional IP address to and existing interface

Environment: Linux 2.6.32-220.23.1.el6.x86_64 #1

It is possible to assign more than one IP address to one physical interface.

Why would you want to do this? There may be several reasons for wanting additional IP addresses on one card, in my case I want to fire up an additional instance of Jboss but to do this I need to bind to a unique IP address. In linux (in this example its centos) its simple, follow these steps:

First run an ipconfig to see what you have configured:

 bash |  copy code |? 
  1. > ifconfig
  2. eth0      Link encap:Ethernet  HWaddr 00:50:56:87:00:1E  
  3.           inet addr:192.168.57.54  Bcast:192.168.57.255  Mask:255.255.255.0
  4.           inet6 addr: fe80::250:56ff:fe87:1e/64 Scope:Link
  5.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  6.           RX packets:186158343 errors:0 dropped:0 overruns:0 frame:0
  7.           TX packets:586031577 errors:0 dropped:0 overruns:0 carrier:0
  8.           collisions:0 txqueuelen:1000
  9.           RX bytes:41119255272 (38.2 GiB)  TX bytes:814282374844 (758.3 GiB)

You can this interface is assigned the IP address of 192.168.57.54, next we need to edit a file so cd to /etc/sysconfig/network-scripts (this may be slightly different depending on your flavour of linux).

 bash |  copy code |? 
  1. > cd /etc/sysconfig/network-scripts

In this folder you will find the config files for the interfaces, we are interested in the interface eth0 so we need to create a new file called ifcfg-eth0:1 (or ifcfg-eth0\:1) and add the following:

 bash |  copy code |? 
  1. DEVICE=eth0:1
  2. NM_CONTROLLED=yes
  3. ONBOOT=yes
  4. HWADDR=00:50:56:87:00:1e
  5. TYPE=Ethernet
  6. BOOTPROTO=none
  7. IPADDR=192.168.57.55
  8. PREFIX=24
  9. GATEWAY=192.168.57.254
  10. DNS1=192.168.57.11
  11. DEFROUTE=yes
  12. IPV4_FAILURE_FATAL=yes
  13. IPV6INIT=no
  14. NAME="System eth0:1"
  15. DNS2=192.168.57.12
  16. USERCTL=no

Notice the hardware address is the same as eth0 interface but the IP address is not, this IP address will be our new IP address but uses the same interface…

To enable the new IP address bring it up with ifup and the run an ifconfig to see the new settings, hopefully will look something like this:

 bash |  copy code |? 
  1. > ifup eth0:1
  2. > ifconfig
  3. eth0      Link encap:Ethernet  HWaddr 00:50:56:87:00:1E  
  4.           inet addr:192.168.57.54  Bcast:192.168.57.255  Mask:255.255.255.0
  5.           inet6 addr: fe80::250:56ff:fe87:1e/64 Scope:Link
  6.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  7.           RX packets:186162124 errors:0 dropped:0 overruns:0 frame:0
  8.           TX packets:586035365 errors:0 dropped:0 overruns:0 carrier:0
  9.           collisions:0 txqueuelen:1000
  10.           RX bytes:41119647929 (38.2 GiB)  TX bytes:814285419799 (758.3 GiB)
  11. eth0:1    Link encap:Ethernet  HWaddr 00:50:56:87:00:1E  
  12.           inet addr:192.168.57.55  Bcast:192.168.57.255  Mask:255.255.255.0
  13.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Adding a certificate to cacerts (java)

If you are supplied a certificate by someone and you want to insert this certificate into your cacerts file under the jdk/jre/lib/security folder then you will need to do the following:

Firstly, convert the certificate to a pem format using the openssl command:

openssl x509 -inform pem -in certfile.cer -out outfile.crt

Next import this file into your cacerts file using the keytool command:

ktool -import -alias cacert-root -file outfile.crt -keystore cacerts

Job done!

 

Proxy says yes!

There’s nothing more annoying than sitting behind your works proxy and being denied access to your favorite blogging/social websites so here’s a way round it…. Most companies would frown on this kind of activity – tread carefully, you have been warned!!

What you need:

  • A linux server sat at home connected to the net running ssh, change the default port from 22 to 443 (https port)
  • You’ll need the ip address for this machine too

Let’s begin… On your restricted machine install proxychains, (debian based: sudo apt-get install proxychainsrpm based: yum install proxychains), we use proxy chains to channel our command line apps through the internal proxy. Once installed you’ll need to edit the config file which is located (on my machine anyway) @ /etc/proxychains.conf, there’s a couple of minor changes you need to make and an addition, I’ve removed a lot of the commented out options and added my proxy details to the bottom of the script too:

 bash |  copy code |? 
  1. #<!--DVFMTSC--> proxychains.conf<!--DVFMTSC--> <!--DVFMTSC--> VER<!--DVFMTSC--> 3.1
  2. #
  3. #<!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> HTTP,<!--DVFMTSC--> SOCKS4,<!--DVFMTSC--> SOCKS5<!--DVFMTSC--> tunneling<!--DVFMTSC--> proxifier<!--DVFMTSC--> with<!--DVFMTSC--> DNS.
  4. #
  5. #<!--DVFMTSC--> The<!--DVFMTSC--> option<!--DVFMTSC--> below<!--DVFMTSC--> identifies<!--DVFMTSC--> how<!--DVFMTSC--> the<!--DVFMTSC--> ProxyList<!--DVFMTSC--> is<!--DVFMTSC--> treated.
  6. #<!--DVFMTSC--> only<!--DVFMTSC--> one<!--DVFMTSC--> option<!--DVFMTSC--> should<!--DVFMTSC--> be<!--DVFMTSC--> uncommented<!--DVFMTSC--> at<!--DVFMTSC--> time,
  7. #<!--DVFMTSC--> otherwise<!--DVFMTSC--> the<!--DVFMTSC--> last<!--DVFMTSC--> appearing<!--DVFMTSC--> option<!--DVFMTSC--> will<!--DVFMTSC--> be<!--DVFMTSC--> accepted
  8. #
  9. strict_chain
  10. #
  11. #<!--DVFMTSC--> Strict<!--DVFMTSC--> <!--DVFMTSC-->−<!--DVFMTSC--> Each<!--DVFMTSC--> connection<!--DVFMTSC--> will<!--DVFMTSC--> be<!--DVFMTSC--> done<!--DVFMTSC--> via<!--DVFMTSC--> chained<!--DVFMTSC--> proxies
  12. #<!--DVFMTSC--> all<!--DVFMTSC--> proxies<!--DVFMTSC--> chained<!--DVFMTSC--> in<!--DVFMTSC--> the<!--DVFMTSC--> order<!--DVFMTSC--> as<!--DVFMTSC--> they<!--DVFMTSC--> appear<!--DVFMTSC--> in<!--DVFMTSC--> the<!--DVFMTSC--> list
  13. #<!--DVFMTSC--> all<!--DVFMTSC--> proxies<!--DVFMTSC--> must<!--DVFMTSC--> be<!--DVFMTSC--> online<!--DVFMTSC--> to<!--DVFMTSC--> play<!--DVFMTSC--> in<!--DVFMTSC--> chain
  14. #<!--DVFMTSC--> otherwise<!--DVFMTSC--> EINTR<!--DVFMTSC--> is<!--DVFMTSC--> returned<!--DVFMTSC--> to<!--DVFMTSC--> the<!--DVFMTSC--> app
  15. #
  16. #<!--DVFMTSC--> Quiet<!--DVFMTSC--> mode<!--DVFMTSC--> (no<!--DVFMTSC--> output<!--DVFMTSC--> from<!--DVFMTSC--> library)
  17. #quiet_mode
  18. #<!--DVFMTSC--> Proxy<!--DVFMTSC--> DNS<!--DVFMTSC--> requests<!--DVFMTSC--> <!--DVFMTSC-->−<!--DVFMTSC--> no<!--DVFMTSC--> leak<!--DVFMTSC--> for<!--DVFMTSC--> DNS<!--DVFMTSC--> data
  19. #proxy_dns<!--DVFMTSC--> 
  20. #<!--DVFMTSC--> Some<!--DVFMTSC--> timeouts<!--DVFMTSC--> in<!--DVFMTSC--> milliseconds
  21. tcp_read_time_out<!--DVFMTSC--> 15000
  22. tcp_connect_time_out<!--DVFMTSC--> 8000
  23. [ProxyList]
  24. http<!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <proxy<!--DVFMTSC-->−ip<!--DVFMTSC-->−here><!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> 80<!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> <!--DVFMTSC--> Proxy<!--DVFMTSC-->−User<!--DVFMTSC--> Proxy<!--DVFMTSC-->−Password

Once this is in place you should now be able to ssh to your linux box from behind the proxy:

 bash |  copy code |? 
  1. proxychains<!--DVFMTSC--> ssh<!--DVFMTSC--> <!--DVFMTSC-->−p<!--DVFMTSC--> 443<!--DVFMTSC--> username@home<!--DVFMTSC-->−machine<!--DVFMTSC-->−ip

You’ll see something like the following if proxychains is working correctly:

|S-chain|-<>-192.168.1.1:80-<><>-6.224.156.252:443-<><>-OK

6.224.156.252’s password:

So what is going on in the line above? We’re asking our local machine to ssh to the home machine on port 443. Why port 443? Well from my works pc every single external port is blocked, if I want to access anything externally I need to direct traffic through the proxy which has 2 ports open (80 for http access & 443 for https access). We’re also preceding the ssh command with the proxychains command, this directs the traffic via the internal proxy!

So that’s great, you can now ssh to your home linux box which you we’rent allowed to before! Superb, so what can we do with this?

Well to start with you can fire up a browser over your ssh connection using the -X flag on the ssh command:

 bash |  copy code |? 
  1. proxychains<!--DVFMTSC--> ssh<!--DVFMTSC--> <!--DVFMTSC-->−p<!--DVFMTSC--> 443<!--DVFMTSC--> <!--DVFMTSC-->−X<!--DVFMTSC--> username@home<!--DVFMTSC-->−machine<!--DVFMTSC-->−ip

Once connected to your linux box you can then fire up your browser (user@~$ firefox) and start surfing as if you were sat at your home machine (ie no restrictions!!), now I’m excited! It’s probably at that point you will want to jump up and share your ability to access you’re favorite sites with your colleagues – but please refrain from doing this as I’ve mentioned before it’s likely to be frowned upon so the longer you can keep this secret the better!!