jwallace.us

tech, tunes, and other stuff

Tomcat 7 HTTPS Setup

First you will need a server certificate. There are a couple of ways to get one. The certificate itself is X.509 in either case; the choice you need to make is the type of keystore (container) in which Tomcat will find the certificate AND its private key. You basically have two choices: JKS or PKCS12.

If you choose a JKS keystore, the easiest thing to do is to create your own key pair and self-signed certificate with keytool. To create a JKS keystore from scratch, issue this command:

keytool -genkey -keyalg RSA -keysize 2048 -alias tomcat -keystore my_keystore

This will create the “my_keystore” container and store in it a freshly generated 2048-bit RSA key pair under the alias “tomcat”, together with a self-signed certificate (-keysize 2048 is explicit because older JDKs default to 1024). keytool will prompt you for a keystore password; that password is what you later put in keystorePass in server.xml (Tomcat assumes “changeit” if the attribute is omitted). Browsers will warn about the self-signed certificate, but otherwise you will be good to go after you edit server.xml and web.xml (see below).

FYI if you ever need to delete the certificate, you can do it with this command:

keytool -delete -alias tomcat -keystore my_keystore

Now, let’s say you don’t want the keytool-generated certificate, but would rather use one from a certificate authority such as CAcert. After deleting the keytool-generated entry, the obvious move is to import the certificate you got back from cacert.org:

keytool -import -v -trustcacerts -alias cacert -file server.crt -keystore my_keystore

When it comes time to renew the CAcert certificate, first delete the old one from the keystore:

keytool -delete -alias cacert -keystore my_keystore

…and then import the new one as before. Finally, to list the entries in the keystore, issue the following command:

keytool -list -keystore my_keystore

THERE IS JUST ONE PROBLEM. The -import above only adds server.crt as a trusted-certificate entry; it does not attach your private key to it, and keytool has no facility for importing a bare private key file (it can only copy a key entry out of another keystore with -importkeystore). Without a key entry Tomcat has nothing to complete the TLS handshake with. Amazing.

So now what do you do? The easiest solution is to use a PKCS12 keystore instead, because OpenSSL can bundle your existing key and certificate into one. You will have to tell Tomcat it is PKCS12, as Tomcat defaults to JKS. Here is the command:

openssl pkcs12 -export -in server.crt -inkey server.key -out my_cert.p12 -name tomcat -CAfile cacert/root.crt -caname root -chain

your certificate from CAcert: server.crt
your private key (the one whose CSR you sent to CAcert; see “Server Certificates” below): server.key
the PKCS12 keystore to be created: my_cert.p12
CAcert’s root certificate: cacert/root.crt

openssl will prompt for an export password; whatever you type there is the keystorePass you must put in server.xml. Since that password ends up in plain text in server.xml, keep both server.xml and the .p12 readable only by the account Tomcat runs as.

In server.xml find the section with the comment “Define a SSL HTTP/1.1 Connector on port 8443” and define the following (around line 90):

/var/lib/tomcat7/conf/server.xml
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
   keystoreFile="/var/lib/tomcat7/conf/my_cert.p12" keystorePass="2yQknGdBtBKo"
   clientAuth="false" sslProtocol="TLS"/>

Next, if you want request URIs decoded as UTF-8 (URIEncoding governs how Tomcat decodes the request URI, not how responses are encoded), make sure it is set on the plain HTTP connector (around line 75). Its redirectPort="8443" is also what sends clients to the HTTPS connector when the CONFIDENTIAL constraint below is hit, so it must match the SSL connector’s port:

/var/lib/tomcat7/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1"
   connectionTimeout="20000"
   URIEncoding="UTF-8"
   redirectPort="8443" />

Next, to force redirection of all HTTP traffic to HTTPS, add a security-constraint element near the bottom of the web.xml file, just below the welcome-file-list element and right above the closing web-app tag. Because this is conf/web.xml, the constraint applies to every web application on the server; put it in an application’s own WEB-INF/web.xml instead if you only want it for that one. The very bottom of your web.xml file should look like this:

/var/lib/tomcat7/conf/web.xml
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
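An added check, not part of the original post, that reads the two files edited above and flags the mistakes that most often leave a Tomcat 7 instance half-secured: an SSL connector without secure="true", a .p12 served with the default JKS keystoreType, the default “changeit” keystore password, an HTTP connector whose redirectPort does not point at the SSL connector, and a web.xml whose CONFIDENTIAL constraint does not cover /*. The sample XML strings are constructed from the snippets on this page; the file paths in the usage line are assumptions.

```python
"""Added example: sanity-check the Tomcat 7 server.xml / web.xml HTTPS settings described above.
Usage (paths are assumptions): python check_tomcat_https.py /var/lib/tomcat7/conf/server.xml /var/lib/tomcat7/conf/web.xml
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a default namespace such as {http://java.sun.com/xml/ns/javaee} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text):
    """Return a list of findings for the Connector elements in server.xml (empty list = looks right)."""
    root = ET.fromstring(xml_text)
    connectors = [c for c in root.iter() if _local(c.tag) == "Connector"]
    ssl_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        if port in ssl_ports:
            if c.get("scheme") != "https":
                findings.append(f"port {port}: SSLEnabled connector should set scheme=\"https\"")
            if c.get("secure", "false").lower() != "true":
                findings.append(f"port {port}: SSLEnabled connector should set secure=\"true\"")
            ks_file = c.get("keystoreFile", "")
            ks_type = c.get("keystoreType", "JKS").upper()  # Tomcat assumes JKS when the attribute is absent
            if ks_file.lower().endswith((".p12", ".pfx")) and ks_type != "PKCS12":
                findings.append(f"port {port}: {ks_file} looks like PKCS12 but keystoreType is {ks_type}")
            if c.get("keystorePass", "changeit") == "changeit":  # Tomcat's default when the attribute is absent
                findings.append(f"port {port}: keystore is protected by Tomcat's default password \"changeit\"")
        else:
            redirect = c.get("redirectPort")
            if redirect is None:
                findings.append(f"port {port}: no redirectPort, so a CONFIDENTIAL constraint cannot redirect to HTTPS")
            elif redirect not in ssl_ports:
                findings.append(f"port {port}: redirectPort {redirect} does not point at an SSLEnabled connector")
    return findings


def forces_https(web_xml_text):
    """True if web.xml carries a security-constraint covering /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip().upper() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


# Constructed sample: the two connectors from the post, wrapped in a minimal Server element.
SERVER_XML_FROM_POST = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200" scheme="https"
             secure="true" SSLEnabled="true" keystoreType="PKCS12" keystoreFile="/var/lib/tomcat7/conf/my_cert.p12"
             keystorePass="2yQknGdBtBKo" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# Constructed sample of the usual mistakes: redirectPort pointing at the wrong port, secure missing,
# a .p12 file served with the default JKS type, and the default keystore password.
SERVER_XML_WEAK = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8444" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             keystoreFile="/var/lib/tomcat7/conf/my_cert.p12" keystorePass="changeit"/>
</Service></Server>"""

# Constructed from the web.xml fragment in the post (namespace included, as Tomcat's own conf/web.xml has one).
WEB_XML_FROM_POST = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed variant that only protects /admin/*: the rest of the site still goes over plain HTTP.
WEB_XML_ADMIN_ONLY = WEB_XML_FROM_POST.replace("<url-pattern>/*</url-pattern>", "<url-pattern>/admin/*</url-pattern>")

if __name__ == "__main__":
    # Pass your own server.xml and web.xml paths to audit them; otherwise the weak samples are shown.
    if len(sys.argv) == 3:
        server_xml, web_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        server_xml, web_xml = SERVER_XML_WEAK, WEB_XML_ADMIN_ONLY
    for line in audit_server_xml(server_xml) or ["server.xml: no findings"]:
        print(line)
    print("web.xml forces HTTPS for /*:", forces_https(web_xml))
```

Run with no arguments it reports four findings for the weak sample and False for the admin-only web.xml; the configuration from the post comes back clean.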

Server Certificates

Need a new certificate for your Apache or Nginx web server? These are the steps you’re looking for.

First you’ll need a certificate signing request (CSR). To get that you’ll first need a key.

$ sudo openssl genrsa -out mydomain.com.key 2048
$ sudo openssl req -new -sha256 -key mydomain.com.key -out mydomain.com.csr

During creation of the CSR you will be asked a few questions. You can leave “Organizational Unit Name” blank. One you definitely cannot skip is Common Name: that is your domain, so when asked for it enter your domain (eg: mydomain.com). Browsers now insist on the name appearing in a subjectAltName extension as well, so make sure the CSR (or your CA) carries it there too. You will also be asked for “A challenge password”. This is an optional attribute embedded in the CSR for the CA’s benefit, not a passphrase on your key; most CAs ignore it, so leave it blank. The key generated above is unencrypted, so the web server can read it at startup without anyone typing a passphrase.

Now go to your certificate authority such as CAcert.org. When you request a new certificate, it will ask you for the CSR. Just cut & paste the contents of mydomain.com.csr into the text area. You will be given back a new certificate. Place the certificate and key in the appropriate web server directory. Give the key 600 permissions, owned by the account that starts the web server (root on most installs: Apache and Nginx read the key before dropping privileges, so it does not need to be readable by the worker user). The certificate is public and can have 644 permissions.
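The key, CSR and PKCS12 steps from this section and from the Tomcat section above, run end to end with the checks worth doing before handing the CSR to a CA or pointing Tomcat at the .p12: the CSR really carries the domain in subjectAltName, the key matches the CSR and the certificate, the .p12 opens with the export password and nothing else, and the files have the permissions described. This is an added example, not the author’s own code. It assumes the openssl command-line tool is on the PATH, self-signs the CSR in place of the CA step (a CAcert-issued server.crt would simply take the self-signed certificate’s place), and the domain, file names and export password are made up.

```python
"""Added example: key, CSR and PKCS12 creation done non-interactively, plus the checks worth running
before sending the CSR to a CA or pointing Tomcat at the .p12. Requires the openssl command-line tool."""
import os
import stat
import subprocess
import tempfile


def openssl(*args, check=True):
    """Run an openssl subcommand with stdin closed (so it can never hang on a prompt); return (rc, stdout)."""
    proc = subprocess.run(["openssl", *args], capture_output=True, stdin=subprocess.DEVNULL, check=check)
    return proc.returncode, proc.stdout


def make_key_and_csr(workdir, domain, extra_names=()):
    """Unencrypted 2048-bit RSA key plus a SHA-256 CSR carrying the domain in CN and subjectAltName."""
    key, csr, cnf = (os.path.join(workdir, n) for n in (f"{domain}.key", f"{domain}.csr", "req.cnf"))
    sans = ", ".join(f"DNS:{name}" for name in (domain, *extra_names))
    with open(cnf, "w") as f:
        # prompt = no takes the DN from [dn] instead of asking questions; [v3_req] adds the SAN extension
        f.write(f"[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n"
                f"[dn]\nCN = {domain}\n[v3_req]\nsubjectAltName = {sans}\n")
    openssl("genrsa", "-out", key, "2048")
    os.chmod(key, 0o600)  # the key is secret: owner read/write only
    openssl("req", "-new", "-sha256", "-key", key, "-out", csr, "-config", cnf)
    return key, csr, cnf


def csr_names(csr):
    """Return the DNS names in the CSR's subjectAltName (what the CA will put on the certificate)."""
    _, text = openssl("req", "-in", csr, "-noout", "-text")
    names = []
    for line in text.decode().splitlines():
        if "DNS:" in line:
            names += [p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:")]
    return names


def key_matches(key, other, kind):
    """True if the RSA modulus in `other` (kind="req" for a CSR, "x509" for a certificate) is the key's."""
    _, key_mod = openssl("rsa", "-in", key, "-noout", "-modulus")
    _, other_mod = openssl(kind, "-in", other, "-noout", "-modulus")
    return key_mod.strip() == other_mod.strip()


def self_sign_and_bundle(workdir, key, csr, cnf, export_password):
    """Stand-in for the CA step: self-sign the CSR, then bundle key + cert into a PKCS12 for Tomcat."""
    crt, p12 = os.path.join(workdir, "server.crt"), os.path.join(workdir, "my_cert.p12")
    openssl("x509", "-req", "-sha256", "-days", "30", "-in", csr, "-signkey", key,
            "-extfile", cnf, "-extensions", "v3_req", "-out", crt)
    os.chmod(crt, 0o644)  # the certificate is public
    # the export password is what goes into keystorePass in server.xml
    openssl("pkcs12", "-export", "-in", crt, "-inkey", key, "-name", "tomcat",
            "-out", p12, "-passout", f"pass:{export_password}")
    return crt, p12


def pkcs12_opens_with(p12, password):
    """True if the PKCS12 MAC verifies under `password`, i.e. Tomcat could open it with that keystorePass."""
    rc, _ = openssl("pkcs12", "-in", p12, "-noout", "-passin", f"pass:{password}", check=False)
    return rc == 0


def permission_findings(key, crt):
    """Flag a private key readable by group/others, or a certificate they could replace."""
    findings = []
    key_mode = stat.S_IMODE(os.stat(key).st_mode)
    if key_mode & 0o077:
        findings.append(f"{key}: mode {key_mode:03o} exposes the private key to group/others")
    crt_mode = stat.S_IMODE(os.stat(crt).st_mode)
    if crt_mode & 0o022:
        findings.append(f"{crt}: mode {crt_mode:03o} lets group/others replace the certificate")
    return findings


def demo(domain="mydomain.com", export_password="example-export-password"):
    """Run the whole pipeline in a scratch directory and report what each check found."""
    with tempfile.TemporaryDirectory() as workdir:
        key, csr, cnf = make_key_and_csr(workdir, domain, ["www." + domain])
        crt, p12 = self_sign_and_bundle(workdir, key, csr, cnf, export_password)
        result = {
            "csr_names": csr_names(csr),
            "key_matches_csr": key_matches(key, csr, "req"),
            "key_matches_cert": key_matches(key, crt, "x509"),
            "pkcs12_opens": pkcs12_opens_with(p12, export_password),
            "pkcs12_opens_wrong_password": pkcs12_opens_with(p12, "wrong"),
            "permission_findings": permission_findings(key, crt),
        }
        os.chmod(key, 0o644)  # simulate the classic mistake of a group/world-readable key
        result["findings_after_loosening_key"] = len(permission_findings(key, crt))
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The modulus comparison is the quick way to catch a certificate that was issued against a different CSR than the key you deployed, which otherwise only shows up as a failed handshake at startup.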

Linux Mint Distro Upgrade

To upgrade your Linux Mint distribution from the commandline, perform the following steps. In this case, we’ll be upgrading 17.1 (Rebecca) to 17.2 (Rafaela):

sudo cp -v /etc/apt/sources.list.d/official-package-repositories.list /etc/apt/sources.list.d/official-package-repositories.list.bak
sudo sed -i 's/rebecca/rafaela/g' /etc/apt/sources.list.d/official-package-repositories.list
sudo apt-get update
sudo apt-get dist-upgrade

Windows 10

This is a simple reference posting about all things Windows 10.

You can freely download Windows 10 here:

If you wish to upgrade using a USB or DVD drive:

There are privacy concerns about Windows 10:

Free antispy tools for Windows 10:

This is a list of Microsoft update KB numbers to uninstall based on the articles listed above:

OS       KB        Description                                          To uninstall
7        2670838   unknown purpose – can break AERO functionality       wusa /uninstall /kb:2670838
7        2977759   System scanner                                       wusa /uninstall /kb:2977759
7        3035583   Get Windows 10 nagware program GWX                   wusa /uninstall /kb:3035583
7        3083710   Update client, unknown purpose                       wusa /uninstall /kb:3083710
8        2976978   unknown purpose                                      wusa /uninstall /kb:2976978
7, 8.1   2505438   unknown purpose                                      wusa /uninstall /kb:2505438
7, 8.1   2952664   Microsoft snooping patch – triggers telemetry runs   wusa /uninstall /kb:2952664
7, 8.1   3021917   unknown purpose                                      wusa /uninstall /kb:3021917
7, 8.1   3022345   Diagnostics and Telemetry tracking service           wusa /uninstall /kb:3022345
7, 8.1   3035583   unknown purpose                                      wusa /uninstall /kb:3035583
7, 8.1   3068708   Diagnostics and Telemetry tracking service           wusa /uninstall /kb:3068708
7, 8.1   3075249   Diagnostics and Telemetry tracking service           wusa /uninstall /kb:3075249
7, 8.1   3080149   Diagnostics and Telemetry tracking service           wusa /uninstall /kb:3080149
8.1      2976978   System scanner                                       wusa /uninstall /kb:2976978
8.1      3083711   Update client, unknown purpose                       wusa /uninstall /kb:3083711

What Is a Bail-in, and Why Should I Care?

The next financial crisis won’t be known for its bank bail-outs, but will be known for its bail-ins. You may be asking, um, wut’s a bail-in? A bail-in is when the bank can (and will) take your money from you. It’s all legal stealing. Read on..

Here are a few links about bail-ins.

So who holds the derivatives now?

What are the troubled banks?

The Texas ratio gives you an idea of the health of a financial institution.

No to FCC Control of Net

Beats me why anyone thinks the government can regulate the internet any better than anything else. What we need is to keep the internet free and open. Private industry should be in control of it.

I like what Milton Friedman had to say about government regulation: “If you put the federal government in charge of the Sahara Desert, in 5 years there’d be a shortage of sand.”

eMusic Download Manager for Linux

eMusic DLM 6.03

I am an eMusic subscriber, but I also run Linux Mint 17.1 as my primary desktop operating system. You may be surprised to learn that eMusic actually does have a Linux version of their download manager available, but they have made it darn near impossible to find it and have no instructions how to use it. If you’re looking for this information, then here it is:

First you’ll need the eMusic download manager. You only need one of these:

Open the file with something like Archive Manager. This will extract the emusic-dlm executable. There is no installer or package. Simply extract it and put it into a folder of your choosing. Mine is in $HOME/emusic

Next, you’ll need to download and set a cookie so your browser will know how to interact with emx files. The emx file is what you’ll download when you download a track or an entire album.

Visit http://www.emusic.com/dlm/install/ to set the cookie

Next, buy a track or album. When the “Your Music Is Now Downloading” screen appears, the browser will prompt a download for “0.emx”. When you open it, the OS should prompt you to choose an application to handle it… choose the emusic-dlm executable you extracted earlier. It should start downloading immediately.

Alternate instructions in case you didn’t find the preceding paragraph useful: After downloading the emx file with your browser, right click on it and choose “Open With…” and then choose “Open with another application”. A new window will pop up. At the bottom you’ll see “use a custom command”. Choose that then click the “Browse”. Find the emusic-dlm app and choose that. Your music should begin downloading right away.

Good People and Problem Clients

It is possible that a good person can be a problem client. As a freelancer it is important that you know how to spot these characters or they can end up costing you money.

I found this video on YouTube. It is a good reference on how to identify these clients and how to (and when not to) deal with them. I am of the opinion that in most cases you’re better off without them.