iStacked

Explore…Implement… get bored .. start new thing

Implementing Certificate Based Authentication.

I had a requirement to implement certificate based authentication using PKI (Public Key Infrastructure) for our web application. Normally when the term PKI is used we think about public and private keys, or about exchanging client and server certificates and validating them. You may have heard about SSL or TLS but not know how they are implemented in your web server, or how they are set up and configured. I will share what I learned about implementing certificate based authentication over TLS (Transport Layer Security), the successor of SSL.

What is client based authentication?
Beyond the server certificate being presented to the client over SSL, certificate based authentication goes one step further to secure the connection: the server expects the client (browser) to present its own certificate, verifies it against the CA certificate the server trusts, and only then establishes the secure connection. After learning about this, I was wondering why anyone would need this additional step when SSL already secures the connection. My first thought was: is this a replacement for credential-less access to the web application/server? The answer is YES. The client does not need to key in a username and password; instead it presents a certificate to authenticate and proceeds with establishing the connection to the server.

When to use client based authentication?
It depends on the business requirement: if they decide on a stringent mechanism that provides an extra layer of security, this is the way to go. The certificate used by the client is issued by the CA or an intermediate CA and is not shared outside the organization or the trusted client. If anyone tampers with the certificate it will be revoked. This is more secure than password-based login, which is exposed to password guessing and theft.

Unlike plain SSL, here the certificate is the primary method for authenticating the client, even before the web application is launched or the server is accessed. One use case is a client with a smart card: they swipe the card and try to log in to the server/web application. The client does not enter credentials; they just swipe the card and the certificate is extracted from the smart card by the underlying software/plugin. Another scenario is where the client certificate is pre-loaded into the client's trusted store from another source and used for accessing the server. There is a good explanation of client based authentication vs username/password; read here.

Here is a diagram that holistically illustrates the certificate authentication workflow:
[diagram: smart card certificate authentication workflow]

How do I set up and deploy client based authentication?
To demonstrate this, I used the setup below:
1) Ubuntu 14.04 OS
2) Apache2
3) Tomcat 7
4) Java 7

I used Apache2 to handle and delegate the requests to Tomcat, and deployed a sample Java servlet in Tomcat to display the content of the incoming client certificate in the browser.
Since we are dealing with certificates we need to enable SSL in Apache. But before enabling it we need to create the set of certificates used by both Apache and Tomcat.

Below are the five sections with step by step procedures to configure certificate based authentication:

  • Create digital certificates
  • Enable SSL in apache2
  • Enable TLS in Tomcat
  • Deploy web application
  • Copy client certificate

Create digital certificates

For this demo, I will create a self-signed CA certificate, a server certificate and a client certificate, assuming that you have basic knowledge about CA certificates, self-signed certificates and CSRs. We need the openssl tool to create the certificates.
You can generate certificates either with the Java keytool or with openssl. openssl should already be available on Ubuntu. Since we do not have an actual CA (certificate authority) like Verisign, we will create our own self-signed CA certificate for this demo and use it to sign the other certificates too.

Create CA certificate
Step 1 : Generate a private key for the CA certificate.
First we need a keypair for our CA. Each certificate has a private key associated with it. Execute the command below to generate the key (1024-bit RSA is used in this demo; for anything beyond a demo use at least 2048 bits, since 1024-bit RSA is no longer considered secure).

$ openssl genrsa -out ca.key 1024

Step 2 : Next create the self-signed CA certificate
Use the above private key and enter the values for the set of questions asked during certificate creation. Note that this command does not write a CSR: the -x509 option makes openssl req emit a self-signed certificate directly.

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

example :
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:CA Admin
Email Address []:madhucm@gmail.com

Now we have ca.crt, which is our root certificate. This is the file that will be imported into the browser later. It contains the public key and some other information, and it is self-signed (caused by the -x509 option).
According to the openssl conventions we need to follow a few more steps for the CA root certificate.
Let's create the directory structure expected by the default openssl.cnf:

$ mkdir -p demoCA/newcerts
Now we need the index and serial files for our CA:
$ touch demoCA/index.txt
$ echo '01' > demoCA/serial
And now we're really done with the setup of our CA, with everything openssl ca needs.

Create server certificate
This will be the SSL certificate and resides on the server along with the CA certificate. If you have multiple web applications running on different servers you can distribute the same SSL certificate or create a different SSL certificate for each server, each signed by the CA.

Step 1 : Generate a private key for the server certificate.

$ openssl genrsa -out localhost.key 1024

Step 2 : Generate the CSR file for the server certificate.
During CSR creation, provide the value for the Common Name as localhost. We must specify the server name as the common name; here I used localhost since we are testing locally and not on a remote machine. The CSR is created without -x509, otherwise openssl would emit a self-signed certificate instead of a signing request and the signing step below would fail.

$ openssl req -new -key localhost.key -out localhost.csr

Step 3 : Generate the server certificate.
This time there is a slight difference in generating the server certificate. We use the CA key and CA crt file to sign the server certificate.

$ openssl ca -keyfile ca.key -cert ca.crt -out localhost.crt -policy policy_anything -infiles localhost.csr

Create client certificate
Step 1 : Generate a private key for the client certificate.

$ openssl genrsa -out client.key 1024

Step 2 : Generate the CSR file for the client certificate.
Enter the real name of the user for the Common Name.

$ openssl req -new -key client.key -out client.csr

Step 3 : Generate the client certificate.

$ openssl ca -keyfile ca.key -cert ca.crt -out client.crt -policy policy_anything -infiles client.csr

Generate PKCS#12 file for server and client certificate
This file contains the combination of certificate and private key. Now let's generate the .p12 files for both server and client. The export password you enter is important for this file; it is needed again when importing into keytool and the browser.

$ openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name sercer
$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name client

The aliases sercer and client (the -name values) are important to remember (especially sercer), because keytool later refers to the entry by its alias.
Now we have all the certificates generated along with the .p12 files.
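To make the whole chain above reproducible without interactive prompts, here is an added example script (not part of the original post) that performs the same steps with openssl: CA key and self-signed CA certificate, server and client CSRs signed by the CA, PKCS#12 bundles, plus the check that a certificate actually chains to the CA. It signs with openssl x509 -req instead of openssl ca (so no demoCA directory is needed), uses 2048-bit keys, and the subject names, output directory and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example: reproduces the CA -> server/client certificate chain from the post
# non-interactively. Signs with "openssl x509 -req" instead of "openssl ca", so the
# demoCA directory is not needed. Subject names and the password are demo values.

# make_ca DIR: 2048-bit RSA key plus self-signed CA certificate (-x509 => no CSR).
make_ca() {
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=MyCompany/OU=CA/CN=Demo CA"
}

# issue_cert DIR NAME CN: key, CSR (no -x509 here!), CA-signed cert and PKCS#12
# bundle for NAME. CN is the server name for a server cert, a person for a client.
issue_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/O=MyCompany/CN=$cn"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/$name.crt" 2>/dev/null
    # cert + private key in one file, as keytool and browsers expect (alias = NAME)
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -out "$dir/$name.p12" -name "$name" -passout pass:changeit
}

# verify_cert CAFILE CERT: exit 0 if CERT chains to CAFILE, 1 otherwise. This is the
# same decision Tomcat makes with clientAuth="true" against its truststore.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: the full set of files the post creates by hand.
make_demo_pki() {
    make_ca "$1" &&
    issue_cert "$1" localhost localhost &&
    issue_cert "$1" client "Client User"
}

# Stand-alone run: build the PKI in ./newCerts and show which certs the CA trusts.
if [ "${1:-}" = "run" ]; then
    make_demo_pki ./newCerts
    for f in localhost client; do
        if verify_cert ./newCerts/ca.crt "./newCerts/$f.crt"; then
            echo "$f.crt: trusted by ca.crt"
        else
            echo "$f.crt: NOT trusted"
        fi
    done
fi
```

Run it as `sh pki.sh run`; a certificate issued by any other CA fails verify_cert, which is exactly the ssl_error_bad_cert_alert case seen later in the post.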

Enable SSL in apache2

Step 1 : Execute the commands below to enable SSL and the Rewrite engine, then restart apache2

>>a2enmod ssl
>>a2enmod rewrite
>>service apache2 restart

Step 2 : Create the vHost
Now create a virtual host for www.madhucm.com under /var/www

>>mkdir /var/www/www.madhucm.com

Step 3 : Copy the default SSL config file to the newly created vHost. We will use the same template for the vHost.

>>cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.madhucm.com-ssl.conf

Step 4 : Edit the www.madhucm.com-ssl.conf file and update the IP address, ServerAdmin, ServerName, DocumentRoot and SSL details as below.

Along with this update, we now wire Apache to Tomcat. SSLEngine and RewriteEngine should be on. The RewriteRule rewrites the URL, which redirects the request to Tomcat.

ServerAdmin madhucm@gmail.com
ServerName www.madhucm.com:443
DocumentRoot /var/www/www.madhucm.com
SSLEngine on
SSLCertificateFile /home/madhu/newCerts/localhost.crt
SSLCertificateKeyFile /home/madhu/newCerts/localhost.key
SSLVerifyDepth 2
RewriteEngine on
RewriteRule ^/$ https://%{HTTP_HOST}:8443/CertTest/TestCertServlet

After the update, restart the Apache server

>>service apache2 restart

Step 5 : Open the browser and enter https://10.2xx.1xx.61. Accept the warning if prompted, and if you can see Apache's home page then you are good to go.

Enable TLS in Tomcat

Navigate to the Tomcat /conf folder and follow the steps below.
Use keytool to generate the keystore.jks and cacerts.jks files, pointing to the location where localhost.p12 was generated previously.
Step 1 : Create the .jks files for the server and CA certificates

$ keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore ../../newCert/localhost.p12 -srcstoretype PKCS12 -alias sercer

Similarly, generate cacerts.jks, pointing to the location where ca.crt is located.

$ keytool -import -keystore cacerts.jks -storepass changeit -alias my_ca -file ../../newCert/ca.crt

Now edit the server.xml file under the conf directory, uncomment the Connector for port 8443, add the keystoreFile, keystorePass, truststoreFile and truststorePass attributes and set clientAuth to true. The final Connector section should match those settings.

Use the same password for keystorePass and truststorePass that was set when the keystores were created (changeit in the keytool commands above).

Restart Tomcat and try HTTPS access. You will see:
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
That's because your browser does not yet have the client certificate that was created above, so Tomcat rejects the handshake.

Deploy web application

Create a sample servlet or JSP that displays the client certificate details, or show a landing/home page in HTML. The sample program runs only after the certificate has been validated successfully by Tomcat.

Below is a simple Java servlet that displays the client certificate details (imports and the class wrapper included):

import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestCertServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Tomcat stores the verified client chain (leaf certificate first) in this attribute
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

        if (certs == null || certs.length == 0) {
            // No client certificate presented: 403, not 407 (407 is reserved for proxies)
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        for (X509Certificate clientCert : certs) {
            String subject = clientCert.getSubjectX500Principal().getName();
            System.out.println(subject);
            // HTML-escape the subject before echoing it into the page
            out.println("Client Certificate is " + subject.replace("&", "&amp;").replace("<", "&lt;") + "<br/>");
        }
        out.println("</body></html>");
    }
}

Create a war file, deploy the web application in Tomcat, and map the servlet to the URL pattern /TestCertServlet in web.xml. The URL to access this servlet is already defined in Apache's www.madhucm.com-ssl.conf in the RewriteRule as https://%{HTTP_HOST}:8443/CertTest/TestCertServlet, which means the request is redirected to the servlet.

Copy client and CA certificate

After all the setup is done, it is time to import the client.p12 and ca.crt files into the browser.
Choose your favorite browser and import the certificates, assuming you already know how to import a certificate.

Step 1 : Import the client.p12 file
Enter the same password given at the time of PKCS#12 file creation when importing the certificate.

Step 2 : Import the ca.crt file

After importing the above certificates, try to access the HTTPS URL and you should see the dialog box below prompting you to select the certificate from the dropdown. If the certificate is validated on the server, you should see the client details displayed in the browser.

[screenshots: certificate selection dialog; browser showing the client certificate subject]

And that's it... I know this is a long post and it took me a lot of time to complete. This concludes implementing certificate based authentication for the web server.

A quick guide to Elasticsearch.

A few days back I had a requirement to search the logs generated by our application, which produces quite a lot of log files, say 60 log files in different locations. With this setup a developer would get lost searching the text manually. The amount of time taken for searching and saving the logs is expensive. After doing some research on the net I came across a few search engines, and one of them was Elasticsearch, which impressed me with its ease of setup and flexibility in terms of usage [explained below].
So now the question is: how is this related to logs?
Ans: I reviewed a few difficulties that developers were facing during production issues. So I replaced the existing log framework used in our application with this idea. And I provided a separate UI called Kibana for accessing the logs.
Searching the logs was now 50x faster than a normal search operation. The same UI can also be used for further analysis of the data in the logs.

By definition of Elastic Search :

Elasticsearch is a flexible and powerful open source, distributed, real-time search and analytics engine. Architected from the ground up for use in distributed environments where reliability and scalability are must haves, Elasticsearch gives you the ability to move easily beyond simple full-text search.

I used Elasticsearch for only one reason: to perform full-text search. I call it an augmented search engine, meaning the search can be performed on whatever it takes to search.

So when can I use Elasticsearch?
Suppose you have thousands or millions of documents, usually text files, and you need to search them using keywords and expect a small collection of documents as the response. Elasticsearch fits here.
The communication between the Elasticsearch engine and the client is done via a REST API and requires no SQL knowledge. All transactions are exchanged as JSON objects, basically CRUD operations, and you can call it a lightweight NoSQL database. However, if you are looking for complex calculation and aggregation of data then Elasticsearch is not the right guy. MongoDB or Hadoop can help you with heavyweight features.

The setup
For better understanding I am demonstrating the setup on a Windows machine. A similar setup is required for Linux/Unix. Assuming Java 7 is installed, the following steps will guide you through setting up Elasticsearch.

1) Based on your OS, download the latest Elasticsearch engine here and unzip it to any path.

2) After unzipping, go to the /bin directory and run elasticsearch.bat. This starts a new instance, ready to listen for your transactions. In a clustered setup you can also start another instance, which will act as a failover.

3) Open the browser and go to localhost:9200 to test whether the engine is up and running. The output should be in JSON format.

4) For the CRUD operations you should know about REST calls, because Elasticsearch talks through REST APIs.
To start with basic CRUD operations, install your favorite REST client plugin in the browser or use the curl command via Cygwin. For Firefox you can install Fiddler or RESTClient and for Chrome use Sense. For this demonstration I will use Sense; it is good for beginners and provides keywords and auto-completion. See here.

The next step is to index some data, which means creating data. This is the primary use case. Later we can query to search the text, and delete and update. For this demonstration I will show how to insert data and perform a search on the stored data.

Beginning with indexing, we create a PUT request using the Sense tool. The PUT request carries a JSON object and is sent to the REST URL. The REST URL always has the form http://localhost:9200/<index>/<type>/[<id>], for example http://localhost:9200/logs/uilog/1

<index> can be thought of as a table name in a traditional database and <type> is the document type, representing a row. These two fields are mandatory, whereas <id> can be omitted only when you are using the POST method. <id> identifies the document, whose data is structured as key-value pairs. If you don't pass an <id>, the POST method will auto-generate one for you.
Here is a simple representation of the data structure.

[screenshot: sample log document structure]

Based on the above data format we can index data by categorizing the logs.
Now let's start indexing some data for uilogs. In the Sense tool enter the data as below.

[screenshot: PUT request for logs/uilog/1 and its response]

The right hand side shows the response after indexing the data, acknowledged with "created": true.
Before moving further, let's index a few more logs of different types.

localhost:9200/logs/uilog/2
PUT
{
  "package": "com.abc.ui.dashboard",
  "class": "DashboardViewer",
  "method": "showEvents",
  "logtype": "debug",
  "message": "Displaying dashboard events"
}

localhost:9200/logs/syslogs/1
PUT
{
  "package": "com.abc.message",
  "class": "EventsRecieverAction",
  "method": "getEvents",
  "logtype": "debug",
  "message": "Getting events from UI"
}

Assuming we have indexed a few documents, now we need to search. For searching we use the GET method and build a JSON object. There are multiple ways to construct the JSON request for fetching data. One of the easiest is to search by providing the ID in the REST URL, without any JSON object.
For example https://localhost:9200/logs/syslogs/2

[screenshot: GET by ID and its response]

The output on the right hand side shows the response for the syslogs document whose ID=2. In this method the ID is mandatory.
If you were writing a typical SQL select against a relational database you would construct the query as select * from logs.syslogs where id=2. One might think that every search operation in Elasticsearch can equally be constructed as an SQL query. Well, ummmm, this is true.

Suppose you want to search all uilogs; then the REST call goes without an ID in it.
https://localhost:9200/logs/uilog

[screenshot: search for all uilog documents and the response]

For the above search, we have to use the "_search" endpoint with the GET/POST method. This instructs the search engine to fetch all the data related to uilog. In the response you can see the total number of hits = 2 [I indexed only two documents for uilogs].
A similar search can be performed for syslogs by replacing the type and id in the REST URL. Below are some of the use cases for searching in various formats.

Now let's start with the most useful search, further filtering. This is done using Elasticsearch's query DSL (Elasticsearch's own domain specific format). Here we construct a JSON object for the REST call.

The use case is to search for a keyword across the entire index. This can be achieved using query filtering.

REST URL : http://localhost:9200

JSON object :

POST _search
{
  "query": {
    "query_string": {
      "query": "reading"
    }
  }
}

Note that in the REST URL we are not providing any index or document type, because we want to search the entire data set. The JSON object has the DSL-specific structure for searching the keyword. In this case the keyword we want is "reading", defined in "query". This will give the response below. If the same keyword is found in multiple records then the response will show an array of records. In the response below there is only one record with the keyword "reading".

[screenshot: query_string search response]

There are various other methods to search using the DSL. You can find them here.


Xiaomi thoughts ….

After so many reviews and news about Xiaomi, on 26th August @2PM I was desperate to purchase the Xiaomi mobile on Flipkart. Fortunately I happened to see the device in my cart and checked out. That day felt like I had hit a lottery with all that hype [not really]. But I was intrigued to try out this mobile, which carved a niche in the market in a short time.

Some interesting points I would like to point out about Xiaomi when comparing it with the Nexus 5, which has an almost similar configuration:

1) It looks huge but neat. Although it is slippery at the back, it is lighter than the Nexus 5. However, in terms of build quality I give +1 to the Nexus 5.

2) When exposed to sunlight, the display seems more vibrant than the Nexus 5 despite both having IPS displays.

3) The Age mode feature, which beautifies your selfie based on age and gender, is most appealing and isn't available on the Nexus 5.

4) The UI, MIUI version 5, looks much nicer than plain vanilla Android. That said, MIUI is arguably a clone of the iPhone UI.

5) For this price range, the camera comes with 13MP, yet the picture quality is not that great compared to the Nexus 5 with 8MP.
I noticed that the macro mode image from the Xiaomi was blurred on the subject, while at the same distance the Nexus 5 showed better quality. I give +1 to the Nexus 5.

[photos: macro mode comparison, Nexus 5 (left) and Xiaomi (right)]

6) In terms of battery life, the 3050mAh battery is a mighty one. With 24 hours of internet use you could get up to 1.5 days of battery life, which is incredible compared to other phones out there.

7) Another nifty feature is the security app that comes built in with MIUI. It is basically used for optimization, which could extend battery life.

8) Another annoying feature, or rather poor design: unlike the Nexus, switching between apps on the Xiaomi is a bit puzzling. You need to long-press the menu button to show background apps, and at the same time it shows the menu items of the app that is currently active. This behavior can be changed under Settings -> Buttons.

9) GPS seems not to work even with Wi-Fi or 3G data in MIUI version 5 [how to fix this? http://en.miui.com/thread-17794-1-1.html].
Or you can do a factory reset after backing up your data; that will solve the GPS problem.

10) The SIM card tray, which is visible from outside, pops out easily, and most Xiaomi users gripe about handling it. However, the SIM card tray is not for micro SIM, which is good.

11) When it comes to music, MIUI provides its own music enhancement. Users can choose the music output based on the earphones they are using. Well, I am not so excited about this ...


12) When it comes to gaming, the performance is outstanding. The response time and graphics rendering have no problems. Mainly, the device won't heat up while playing games.

Wrap up : With this budget phone, none of the other phones in the market gives you better features than this one. I would recommend buying this phone unless you really do not care for Chinese products ;-p

Guess what : On the other side, yet another mobile like the Xiaomi, called the Meizu MX4 (www.meizu.com), is launching on September 9th; it is almost similar to the iPhone 6 🙂 and the price is slightly higher than the Xiaomi.