Configure Tomcat 7 Two way SSL Authentication

Software:
1. Functional EJBCA PKI (Do not have one? You could use openssl and keytool instead. Follow Section II of this post for that configuration.)
2. Apache Tomcat 7.0.52

***Section I:
To complete the configuration, you have to have your CA root certificate (LeopardRootCA.pem as example). It will be used to sign all client certificates and server certificates. By default Tomcat uses the certificate trust store shipped with the JDK, which can be found in $JAVA_HOME/jre/lib/security/cacerts. Here I am going to create a new, separate trust store that contains only my own CA, so that Tomcat accepts client certificates issued by that CA and nothing else; using the JDK cacerts would let any certificate from any public CA in that file pass client authentication.
1. Create key store for Tomcat (give -keyalg and -keysize explicitly; without them keytool of this era generates a 1024-bit DSA key)
keytool -genkeypair -alias tomcat-server -keyalg RSA -keysize 2048 -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
Enter keystore password: apache123
Re-enter new password: apache123
What is your first and last name?
[Unknown]: Use FQDN of your server
What is the name of your organizational unit?
[Unknown]: Center Research Cancer
What is the name of your organization?
[Unknown]: SHH
What is the name of your City or Locality?
[Unknown]: CityName
What is the name of your State or Province?
[Unknown]: StateName
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=FQDN, OU=Center Research Cancer, O=SHH, L=CityName, ST=StateName, C=US correct?
[no]: yes

Enter key password for <tomcat-server>
(RETURN if same as keystore password): apache123
Re-enter new password: apache123
Use the same password as for the keystore: Tomcat's connector assumes the key password equals keystorePass unless you also set keyPass in server.xml.
2. Create certificate signing request (CSR) for the Tomcat server:
keytool -certreq -alias tomcat-server -file FQDN.csr -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
3. Sign the request in EJBCA, then copy the signed certificate file, FQDN.pem, to the current working path.
4. Import the signed server certificate into Tomcat. Before importing it, you need to import your CA root certificate into the same keystore first; otherwise keytool cannot build the chain and fails with: "keytool error: java.lang.Exception: Failed to establish chain from reply."
keytool -importcert -alias leopardrootca -file LeopardRootCA.pem -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
4.1 Import the signed server certificate (the -alias must be the one used for the key pair in step 1, so the certificate is attached to that private key):
keytool -importcert -alias tomcat-server -file FQDN.pem -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
5. Create a trust store for Tomcat and put your CA root certificate into it. This is the store Tomcat uses to validate client certificates, so it must contain only CAs whose clients you want to accept. Create it under conf/ next to keystore.jks (or give server.xml its absolute path):
keytool -import -keystore cacerts.jks -storepass changeit -alias leopardrootca -file LeopardRootCA.pem
6. Configure Tomcat conf/server.xml by uncommenting the commented-out SSL HTTP/1.1 Connector (port 8443) and editing it to point at the keystore and trust store created above, with clientAuth="true".
7. Start Tomcat
bin/startup.sh
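The Connector section that step 6 refers to is not reproduced in the post. The following is an added example of what it looks like for this setup (it is not a snippet from the original post or from Tomcat's stock server.xml). It assumes the files, alias and passwords from Section I placed under conf/, Tomcat 7.0.52 with its JSSE connector, and port 8443; for Section II use keystorePass="changeit" and the -name given in the pkcs12 export as keyAlias:

```xml
<!-- Added example for conf/server.xml: HTTPS connector with mandatory
     client-certificate authentication. Paths and passwords are the ones from
     Section I of the post; ${catalina.base} is expanded by Tomcat. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="apache123"
           keyAlias="tomcat-server"
           truststoreFile="${catalina.base}/conf/cacerts.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
```

clientAuth="true" makes Tomcat abort the handshake when the browser presents no certificate signed by a CA in cacerts.jks; clientAuth="want" would make it optional, in which case the application has to check the javax.servlet.request.X509Certificate request attribute itself. sslEnabledProtocols leaves SSLv3 disabled. The passwords sit in clear text in server.xml, so keep the file readable by the Tomcat user only.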
8. Create a client certificate using the same root CA in EJBCA, export it together with its private key as a PKCS#12 file and import that into Firefox (Certificate Manager, "Your Certificates" tab). Also import LeopardRootCA.pem under the "Authorities" tab so that Firefox trusts the server certificate.

***Section II: Using openssl and keytool as example
1. Create key pair for the root CA (1024-bit RSA, as in the original command, is below today's minimum; use 2048 bits or more, as the server and client keys below already do)
openssl genrsa -out rootCA.key 2048
2. Create the self-signed root certificate (valid for 10 years)
openssl req -new -x509 -sha256 -days 3650 -key rootCA.key -out rootCA.crt
3. Create the directory layout the openssl ca command expects (the default openssl.cnf uses ./demoCA as its working directory, with an empty index.txt as the database of issued certificates and serial holding the next serial number)
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo '01' > demoCA/serial
4. Create server certificate key pair
openssl genrsa -out localhost.key 2048
5. Create server certificate signing request. Use the host name clients will type in the URL (here localhost) as the Common Name; the browser compares it against the address bar.
openssl req -new -key localhost.key -out localhost.csr
6. Sign the server CSR with the CA (-md sha256 avoids the SHA-1 signature that older openssl.cnf defaults would produce)
openssl ca -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -md sha256 -out localhost.crt -infiles localhost.csr
7. Create client certificate key pair
openssl genrsa -out client.key 2048
8. Create client certificate signing request. The subject of this certificate is what Tomcat sees as the client identity (javax.servlet.request.X509Certificate), so give each user a distinct one.
openssl req -new -key client.key -out client.csr
9. Sign the client CSR with the CA
openssl ca -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -md sha256 -out client.crt -infiles client.csr
10. Convert the server and client certificates, together with their private keys, into PKCS#12 files. The export password is needed again in step 11 and when importing client.p12 into the browser:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name server  # password: server
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name client  # password: client
11. Create the Tomcat keystore from the server PKCS#12 file (-alias is the -name given in step 10)
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore localhost.p12 -srcstoretype PKCS12 -srcstorepass server -alias server
12. Configure the Tomcat server.xml file as in Section I step 6, with keystore.jks (password changeit, key alias server) and the trust store from step 13.
13. Create the trust store for Tomcat and put the root CA certificate into it:
keytool -import -keystore cacerts.jks -storepass changeit -alias rootca -file rootCA.crt
Finally import client.p12 into the browser as described in Section I step 8.
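The openssl part of Section II (steps 1 to 10), as an added, non-interactive example that is not code from the original post, followed by the checks worth running before wiring the files into Tomcat. It deliberately differs from the post in three ways: openssl x509 -req signs the CSRs instead of openssl ca, so no demoCA directory is needed; the root CA gets explicit CA extensions and the leaves an extendedKeyUsage, so a server certificate cannot double as a client certificate; and the subjects, export passwords and scratch directory are made-up values.

```shell
#!/bin/sh
# Added example (not from the original post): build a root CA, a server
# certificate and a client certificate with openssl, then verify the chain
# and the certificate purposes.  All names/passwords here are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for every file

# make_ca DIR: 2048-bit root key plus a self-signed CA certificate with
# basicConstraints CA:TRUE and keyUsage keyCertSign, so that openssl verify
# accepts it as an issuer on any OpenSSL version.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Leopard Root CA
O = SHH
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$1/rootCA.key" \
    -config "$1/ca.cnf" -out "$1/rootCA.crt"
}

# issue DIR NAME CN EKU [SAN]: key, CSR, CA-signed certificate and the
# PKCS#12 bundle (step 10 of the post) for one leaf.  EKU is serverAuth for
# the Tomcat side and clientAuth for the browser side; SAN only for servers.
issue() {
  dir=$1; name=$2; cn=$3; eku=$4; san=${5:-}
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$name.key" -config "$dir/ca.cnf" \
    -subj "/CN=$cn/O=SHH" -out "$dir/$name.csr"
  printf 'extendedKeyUsage = %s\n' "$eku" > "$dir/$name.ext"
  [ -z "$san" ] || printf 'subjectAltName = %s\n' "$san" >> "$dir/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -name "$name" -passout "pass:$name" -out "$dir/$name.p12"
}

# check DIR NAME PURPOSE: prints "ok" when NAME.crt chains to rootCA.crt and
# is valid for PURPOSE (sslserver or sslclient), otherwise "fail".  The
# purpose check is what keeps a leaked server certificate from being
# presented as a client certificate.
check() {
  if openssl verify -CAfile "$1/rootCA.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca "$WORK"
issue "$WORK" localhost localhost serverAuth DNS:localhost
issue "$WORK" client tomcat-client clientAuth

echo "server cert as TLS server: $(check "$WORK" localhost sslserver)"   # ok
echo "client cert as TLS client: $(check "$WORK" client sslclient)"      # ok
echo "server cert as TLS client: $(check "$WORK" localhost sslclient)"   # fail
echo "$WORK: rootCA.crt -> trust store, localhost.p12 -> keytool (step 11), client.p12 -> browser"
```

localhost.p12 and rootCA.crt then go through steps 11 and 13 of the post unchanged (pass -srcstorepass localhost and -alias localhost to keytool -importkeystore, since the bundle is named after the leaf here). With OpenSSL 3 the PKCS#12 files use PBKDF2/AES by default; if an old keytool refuses to read them, re-run the pkcs12 export with OpenSSL 3's -legacy option.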

Upgrade PostgreSQL from 9.1 to 9.3 on Ubuntu

At the time of writing, PostgreSQL 9.3 was not available from the default Ubuntu repositories, so it has to come from the PostgreSQL apt repository (PGDG). Here are simple instructions for upgrading a PostgreSQL 9.1 cluster on Ubuntu to 9.3 with pg_upgrade.
#install dependency
sudo apt-get update
sudo apt-get -y install python-software-properties
#add repository
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
#set up repository (precise is the Ubuntu 12.04 codename; replace it with the codename of your release, shown by lsb_release -cs)
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ precise-pgdg main" >> /etc/apt/sources.list.d/postgresql.list'
#install
sudo apt-get install postgresql-9.3 postgresql-server-dev-9.3 postgresql-contrib-9.3
#upgrade: the new 9.3 cluster was created on port 5433 because 9.1 still owns 5432
sudo su -l postgres
psql -d template1 -p 5433
CREATE EXTENSION IF NOT EXISTS hstore;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
\q
#logged out from the database; both clusters must be stopped before pg_upgrade runs
service postgresql stop
#run pg_upgrade once with --check first (it only validates the two clusters and changes nothing), then again without it
/usr/lib/postgresql/9.3/bin/pg_upgrade \
  -b /usr/lib/postgresql/9.1/bin -B /usr/lib/postgresql/9.3/bin \
  -d /var/lib/postgresql/9.1/main/ -D /var/lib/postgresql/9.3/main/ \
  -o " -c config_file=/etc/postgresql/9.1/main/postgresql.conf" \
  -O " -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
exit # logout postgres, back to previous user
sudo apt-get remove postgresql-9.1
sudo vim /etc/postgresql/9.3/main/postgresql.conf # the 9.3 cluster is still on port 5433; change it to 5432 now that 9.1 is gone
sudo service postgresql restart
# pg_upgrade does not carry over optimizer statistics: run the analyze_new_cluster.sh it generated, and only delete the old data directory (delete_old_cluster.sh) once the new cluster has been verified
Issues you may encounter: when you run the real upgrade command above (/usr/lib/postgresql/9.3/bin/pg_upgrade ...), it may fail with an error ending in "connection to database failed: fe_sendauth: no password supplied". pg_upgrade connects to both clusters as the postgres user over the Unix socket and cannot answer a password prompt, so the fix is to switch the local postgres login in the pg_hba.conf of both clusters (/etc/postgresql/9.1/main/pg_hba.conf and /etc/postgresql/9.3/main/pg_hba.conf) to trust (NO PASSWORD) for the duration of the upgrade, then re-run the pg_upgrade command. Example:
# Database administrative login by Unix domain socket
local   all   postgres   trust
Keep in mind that trust lets any local OS account become the database superuser; back both files up first and restore the original method (peer or md5) as soon as pg_upgrade has finished.
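The trust-mode workaround above is only safe if the original authentication method comes back right after the upgrade. The following added example (not part of the original post) scripts that: it flips the "local all postgres" rule to trust in both files, runs a command, and restores the backed-up files whether or not the command succeeded. It runs on a constructed copy of the stock Ubuntu pg_hba.conf in a temp directory; on a real host set HBA_91 and HBA_93 to the /etc/postgresql/9.1/main and /etc/postgresql/9.3/main paths (Debian/Ubuntu layout assumed) and pass the pg_upgrade command from the post to with_trust_auth.

```shell
#!/bin/sh
# Added example (not from the original post): temporarily set trust auth for
# the local postgres login in two pg_hba.conf files and restore them after
# the wrapped command.  File locations and contents here are constructed.
set -eu

DEMO=$(mktemp -d)
HBA_91="${HBA_91:-$DEMO/pg_hba.91.conf}"
HBA_93="${HBA_93:-$DEMO/pg_hba.93.conf}"

# Constructed sample: the rules shipped in Ubuntu's pg_hba.conf, postgres via peer.
for f in "$HBA_91" "$HBA_93"; do
  [ -f "$f" ] || cat > "$f" <<'EOF'
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
EOF
done

# hba_get FILE: print the auth method of the "local all postgres" rule.
hba_get() {
  awk '$1=="local" && $2=="all" && $3=="postgres" {print $4; exit}' "$1"
}

# hba_set FILE METHOD: rewrite only that rule (alignment kept), saving a
# .pre-upgrade copy the first time so the original can be restored verbatim.
hba_set() {
  [ -f "$1.pre-upgrade" ] || cp -p "$1" "$1.pre-upgrade"
  sed -E "s/^(local[[:space:]]+all[[:space:]]+postgres[[:space:]]+)[[:alnum:]]+/\1$2/" \
    "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# hba_restore FILE: put the backed-up file back (removes the backup).
hba_restore() {
  mv "$1.pre-upgrade" "$1"
}

# with_trust_auth CMD...: run CMD with both clusters on trust and restore the
# files afterwards even if CMD fails, so the window without authentication is
# exactly as long as the upgrade.  pg_upgrade starts its own postmasters, so
# no reload is needed for it to see the change.
with_trust_auth() {
  hba_set "$HBA_91" trust
  hba_set "$HBA_93" trust
  rc=0
  "$@" || rc=$?
  hba_restore "$HBA_91"
  hba_restore "$HBA_93"
  return $rc
}

# Stand-in for the pg_upgrade command of the post: reports the method in
# effect while it runs.  Replace with the real command on a real host.
report_method() { echo "command ran with local postgres auth = $(hba_get "$HBA_91")"; }

with_trust_auth report_method          # ... auth = trust
echo "after restore: $(hba_get "$HBA_91")"   # peer
```

On a real host, replace report_method with the pg_upgrade invocation from the post (including its --check run) and reload or restart the clusters afterwards so the restored rules take effect for the running servers.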

Datatable static image not found on the server

When you use ```datatables.min.css``` and ```datatables.min.js``` locally, instead of datatables CDN, you may have encountered that ```sort...