HowTo: Generate Certificate for OpenLDAP and using it for certificate authentication.

Posted on

LDAPS Server Certificate Requirements

LDAPS requires a properly formatted X.509 certificate. This certificate lets a OpenLDAP service listen for and automatically accept SSL connections. The server certificate is used for authenticating the OpenLDAP server to the client during the LDAPS setup and for enabling the SSL communication tunnel between the client and the server. As an option, we can also use LDAPS for client authentication.

Having spent quite some time to make a TLS work, I thought this may be usefull to some :

Creating Self CA certificate:

1, Create the  ldapclient-key.pem private key :

openssl genrsa -des3 -out ldapclient-key.pem 1024

2, Create the ldapserver-cacerts.pem certificate :

openssl req -new -key ldapclient-key.pem -x509 -days 1095 -out ldapserver-cacerts.pem

Creating a certificate for server:

1, Create the ldapserver-key.pem private key

openssl genrsa -out ldapserver-key.pem

2, Create a server.csr certificate request:

openssl req -new -key ldapserver-key.pem -out server.csr

3, Create the ldapserver-cert.pem certificate signed by your own CA :

openssl x509 -req -days 2000 -in server.csr -CA ldapserver-cacerts.pem -CAkey ldapclient-key.pem -CAcreateserial -out ldapserver-cert.pem

4, Create CA copy for the client:

cp -rpf ldapserver-cacerts.pem   ldapclient-cacerts.pem

Now configure the certificates in slapd.conf, the correct files must be copied on each server:

TLSCACertificateFile /etc/openldap/certs/ldapserver-cacerts.pem
TLSCertificateFile /etc/openldap/certs/ldapserver-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapserver-key.pem

# personnally, I only check servers from client.
# If you do, add this :
TLSVerifyClient never

Configure certificate for ldap clients

Key : ldapclient-key.pem
Crt : ldapclient-cert.pem

Error: Fatal Python error: PyEval_AcquireThread: NULL new thread state

Posted on

This might be cause of various issue.

1, mod_wsgi is compiled for a different Python version and/or a different Python installation than the Python virtual environment

2, Python installation it is trying to use at runtime

3, If mod_wsgi and mod_python are both enabled.

In my case, I figured out the third cause. for fixing disabled mod_python because I was running website under wsgi wrapper.

sudo a2dismod python
sudo service apache2 restart


Error: Authz_core:error Client Denied by Server Configuration

Posted on Updated on

I have upgraded apache2.2 to 2.3, now a strange error I faced. Existing Apache authorization directives are not working,

I have done a modification that fixed the issue

Error :

[Wed Jan 28 04:29:51.468839 2015] [authz_core:error] [pid 29764:tid 139708675897088] [client] AH01630: client denied by server configuration: /opt/web-home/raspberrypi/facecount/static-assets/images/detect.png

This changes the way that access control is declared from

  Order allow, deny
  Allow from all

to :

  Require all granted

his means that the total configuration for a Directory is now something like:

  <Directory /path/to/directory>
    Options FollowSymlinks
    AllowOverride none
    Require all granted

Restart apache and it’ll all work nicely.

HowTo: Tomcat Logging – log customized with {X-Forwarded-For}

Posted on Updated on

Tomcat is allowing us to track back logs with enamours of information by customizing the log pattern. There is preset patten is available, we can also implement is in single line

I enabled few more information like execution time , request size , cookies etc..

Default tag should be like this

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>

Common : %{X-Forwarded-For}i %l %u %t “%r” %s %b
Combined : %{X-Forwarded-For}i %l %u %t %r %s %b %{User-Agent}i %{Referer}i %{Cookie}i

You can change either Common or Combined

I have implemented my own pattern like below, so it should more detailed

pattern="%h %{X-Forwarded-For}i %l %u %t  &quot;%r&quot; %s %b  &quot;%{User-Agent}i&quot; &quot;%{Referer}i&quot; &quot;%{Cookie}i&quot; %T"

Access Log pattern new look

----------------------------- - - - [18/Mar/2014:10:52:06 +0530]  "GET /ajax/norm/list/status?ids=23%2C11%2C9%2C7%2C6%2C5%2C2%2C1%2C HTTP/1.1" 200 42  "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" "" "JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8" 0.007
Log Details : : Remote host name (or IP address if resolveHosts is false)
– : X-Forwarded-For – : Remote logical username
– : Remote user that was authenticated
[18/Mar/2014:10:52:06 +0530]  : Date and time, in Common Log Format
GET /ajax/norm/list/…… : First line of the request (method and request URI)
HTTP/1.1 : Request protocol
200 : HTTP status code of the response
42 : Bytes sent, excluding HTTP headers (Content size)
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0: User Agent : Referer
JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8 : Cookie header
0.007 : Time taken to process the request, in seconds

Once every thing has been done you can restart the tomcat to make it effect, more options are given below

%a – Remote IP address
%A – Local IP address
%b – Bytes sent, excluding HTTP headers, or ‘-‘ if zero
%B – Bytes sent, excluding HTTP headers
%h – Remote host name (or IP address if resolveHosts is false)
%H – Request protocol
%l – Remote logical username from identd (always returns ‘-‘)
%m – Request method (GET, POST, etc.)
%p – Local port on which this request was received
%q – Query string (prepended with a ‘?’ if it exists)
%r – First line of the request (method and request URI)
%s – HTTP status code of the response
%S – User session ID
%t – Date and time, in Common Log Format
%u – Remote user that was authenticated (if any), else ‘-‘
%U – Requested URL path
%v – Local server name
%D – Time taken to process the request, in millis
%T – Time taken to process the request, in seconds
%I – current request thread name (can compare later with stacktraces)
%f – X-Forwarded-For IP address
%F – X-Forwarded-For address

HowTo: How to setup basic authentication in tomcat

Posted on Updated on

Container-managed authentication methods control how a user’s credentials are verified when a web app’s protected resource is accessed. When a web application uses basic authentication (BASIC in the web.xml file’s auth-method element), Tomcat uses HTTP basic authentication to ask the web browser for a username and password whenever the browser requests a resource of that protected web application. With this authentication method, all passwords are sent across the network in base64-encoded text.

Note: using basic authentication is generally considered insecure because it does not strongly encrypt passwords, unless the site also uses HTTPS or some other form of encryption between the client and the server (for instance, a virtual private network). But, if you’re just starting to use Tomcat, or if you just want to test container-managed security with your web app, basic authentication is easy to set up and test. Just add <security-constraint> and <login-config> elements to your web app’s web.xml file, and add the appropriate <role> and <user> elements to your CATALINA_BASE/conf/tomcat-users.xml file, restart Tomcat, and Tomcat takes care of the rest.

The example below shows a web.xml excerpt from a club membership web site with a members-only subdirectory that is protected using basic authentication. Note that this effectively takes the place of the Apache web server’s .htaccess files.

For app based Basic authentication you have to edit the web.xml in //webapps/Your-app/WEB-INF/web.xml

For ROOT basic auth  CATILINA_HOME/conf/web.xml

web.xml security tags looks like this

             <web-resource-name> Subdir test </web-resource-name>
             <url-pattern> /* </url-pattern>
             <http-method> GET </http-method>
             <http-method> POST </http-method>

             <!-- the same like in your tomcat-users.conf file -->
             <role-name> manager </role-name>

        <auth-method> BASIC </auth-method>
        <realm-name> iTest Web app resources</realm-name>

       <description> </description>
       <role-name> manager </role-name>

tomcat-users.xml uncomment or add new tag for user credentials

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="anand" password="password" roles="manager"/>

HowTo: Increase The Maximum Number Of Open Files / File Descriptors (FD)

Posted on

Sometimes we will get the error message is like “too many files open“, it is because of you have reached the limits of opened file, You could always try doing a ulimit -n 2048. This will only reset the limit for your current shell and the number you specify must not exceed the hard limit.

Each operating system has a different hard limit setup in a configuration file. For instance, the hard open file limit on Solaris can be set on boot from /etc/system.

[anand@planetcure ~]$ cat /proc/sys/fs/file-max

This show the maxmimum number of opened files for the single user, you can also use the below commad.

# ulimit -Hn
# ulimit -Sn

We can set this as System-wide and userlevel, for Global user configuration we can use /etc/sysctl.conf file under Linux operating systems. So you can increase the maximum number of open files by setting a new value in kernel variable /proc/sys/fs/file-max as follows (login as the root):

System-wide File Descriptors (FD) Limits

# sysctl -w fs.file-max=100000

The command allows to extend the new limit as 100000. You need to append the variable “fs.file-max = 100000” in the file /etc/sysctl.conf for the permanent set. It won’t be change after the reboot.

#sysctl -p

Verify by using below command

#sysctl fs.file-max

User-level File Descriptors (FD) Limits

Some of the case we need to specify the different level of setting for the particular users. This will override the sysetm wide settings and give the new limits for the users.

To specific limits by editing /etc/security/limits.conf file, we can all so use this file for all user limits

For apache:

httpd soft nofile 1024
httpd hard nofile 2048

All user limits

* soft nofile 1024
* hard nofile 2048

Save and close the file. You have to re-login to the console to get the new value.

su httpd -c "ulimit -Hn"
su httpd -c "ulimit -Sn"

Howto: Install ssl with tomcat Appserver.

Posted on Updated on

Five easy steps to enable SSL for tomcat application server.

1, generate Key store

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore planetcure-in.jks

It ask few information that we would like to publish along with the SSL

==Certificate information==

Common Name : *
Organization name: Xtermpro
Country/Region name: myregion
City/Locality: mycity
State/Province: mystate

2, Generate CSR

CSR it to submit to the SSL provider for digital signing Now you receive CRT file from the SSL provider, you may see the signing information in it.

keytool -certreq -alias server -file planetcure-in.csr -keystore planetcure-in.jks

3, Import CA

You may also receive a public CA from the certificate Authority, now you need to import it. This will be called as intermediate CA

keytool -import -alias intermediate -trustcacerts -file intermediateCA.cer  -keystore planetcure-in.jks

4, Now this is the final stage you have to import cert file , you can see that their is another key already installed in the key store that is generated along with the keystore generation, it have to replace with the valid certificate.

keytool -import -alias server -trustcacerts -file planetcure-in.crt -keystore planetcure-in.jks

This will give the success output, now move to the configuration changes.

5, Edit the server.xml for the valid entries.  Default tomcat SSL port is 8443, here I user 443 .

<Connector port="443"
           scheme="https" secure="true" SSLEnabled="true"       
           keystorePass="keystorepassword" keyAlias="server"
           clientAuth="false" sslProtocol="TLS"/>

that’s it, now restart the web server to make the changes effect .