jueves, enero 22, 2015

Self-Signed Certificate for Apache TomEE (and Tomcat)



Probably in most of your Java EE projects you will have part or whole system with SSL support (https) so browsers and servers can communicate over a secured connection. This means that the data being sent is encrypted, transmitted and finally decrypted before processing it.

The problem is that sometimes the official "keystore" is only available for production environment and cannot be used in development/testing machines. Then one possible step is creating a non-official "keystore" by one member of the team and share it to all members so everyone can locally test using https, and the same for testing/QA environments.

But using this approach you are running to one problem, and it is that when you are going to run the application you will receive a warning/error message that the certificate is untrusted. You can live with this but also we can do it better and avoid this situation by creating a self-signed SSL certificate.

In this post we are going to see how to create and enable SSL in Apache TomEE (and Tomcat) with a self-signed certificate.

The first thing to do is to install openssl. This step will depend on your OS. In my case I run with an Ubuntu 14.04.

Then we need to generate a 1024 bit RSA private key using Triple-DES algorithm and stored in PEM format. I am going to use {userhome}/certs directory to generate all required resources, but it can be changed without any problem.

Generate Private Key

openssl genrsa -des3 -out server.key 1024

Here we must introduce a password, for this example I am going to use apachetomee (please don't do that in production).

Generate CSR

Next step is to generate a CSR (Certificate Signing Request). Ideally this file will be generated and sent to a Certificate Authority such as Thawte or Verisign, who will verify the identity. But in our case we are going to self-signed CSR with previous private key.

openssl req -new -key server.key -out server.csr

One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. In case of development machine you can set "localhost".

Now that we have the private key and the csr, we are ready to generate a X.509 self-signed certificate valid for one year by running next command:

Generate a Self-Signed Certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

To install certificate inside Apache TomEE (and Tomcat) we need to use a keystore. This keystore is generated using keytool command. To use this tool, the certificate should be a PKCS12 certificate. For this reason we are going to use openssl to transform the certificate to a PKCS12 format by running:

Prepare for Apache TomEE

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name test_server -caname root_ca

We are almost done, now we only need to create the keystore. I have used as the same password to protect the keystore as in all other resources, which is apachetomee.

keytool -importkeystore -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcalias test_server -destalias test_server

And now we have a keystore.jks file created at {userhome}/certs.

Installing Keystore into Apache TomEE

The process of installing a keystore into Apache TomEE (and Tomcat) is described in http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html. But in summary the only thing to do is open ${TOMEE_HOME}/config/server.xml and define the SSL connector.

<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${user.home}/certs/keystore.jks" keystorePass="apachetomee"
               clientAuth="false" sslProtocol="TLS" />
</Service>

Note that you need to set the keystore location in my case {userhome}/certs/keystore.jks and the password to be used to open the keystore which is apachetomee.

Preparing the Browser

Before starting the server we need to add the server.crt as valid Authorities in browser.

In Firefox: Firefox Preferences -> Advanced -> View Certificates -> Authorities (tab) and then import the server.crt file.

In Chrome: Settings -> HTTPS/SSL -> Manage Certificates ... -> Authorities (tab) and then import the server.crt file.

And now you are ready to start Apache TomEE (or Tomcat) and you can navigate to any deployed application but using https and port 8443.

And that's all, now we can run tests (with Selenium) without worrying about untrusted certificate warning.

We keep learning,
Alex.

Dog goes woof, Cat goes meow, Bird goes tweet and mouse goes squeek (What Does the Fox Say - Ylvis)

Music: https://www.youtube.com/watch?v=jofNR_WkoCE

lunes, enero 12, 2015

Apache TomEE + JMS. It has never been so easy.


I remember old days of J2EE (1.3 and 1.4) that it was incredibly hard to start a project using JMS. You needed to install a JMS broker, create topics or queues and finally start your own battle with server configuration files and JNDI.

Thanks of  JavaEE 6 and beyond using JMS is really easy and simple. But with Apache TomEE is even more simpler to get started. In this post we are going to see how to create and test a simple application which sends and receives message to/from a JMS queue with Apache TomEE

Apache TomEE uses Apache Active MQ as a JMS provider. In this examples you won't need to download or install anything because all elements will be provided as Maven dependency, but if you plan (and you should)  use Apache TomEE server you will need to download Apache TomEE plus or Apache TomEE plume. You can read more about Apache TomEE flavors in http://tomee.apache.org/comparison.html.

Dependencies

The first thing to do is add javaee-api as provided dependency, and junit and openejb-core as test dependency. Note that openejb-core dependency is added to have a runtime to execute tests, we are going to see it deeply in test section.


Business Code

Next step is creating the business code responsible for sending messages and receiving messages from JMS queue. Also it contains a method to receive messages from queue. For this example we are going to use a stateless EJB.

The most important part of Messages class is to note how easy is to inject ConnectionFactory and Queue instances inside code. You only need to use @Resource annotation and container will do the rest for you. Finally note that because we have not used name or lookup attributes to set a name, the name of the field is used as resource name.


Test

And finally we can write a test that asserts that messages are sent and received using JMS queue. We could use for example Arquilian to write a test but for this case and because of simplicity, we are going to use an embedded OpenEJB instance to deploy the JMS example and run the tests.

Note that that test is really simple and concise, you only need to start programmatically an EJB container and bind the current test inside it so we can use JavaEE annotations inside test. The rest is a simple JUnit test.

And if you run the test you will receive a green bullet. But wait, probably you are wondering where is the JMS broker and its configuration? Where is the definition of ConnectionFactory and JMS queue? And this is where OpenEJB (and Apache TomEE) comes into to play.

In this case OpenEJB (and Apache TomEE) will use Apache Active MQ in embedded mode, so you don’t need to install Apache Active MQ in your computer to run the tests.  Moreover Apache TomEE will create all required resources for you.  For example it will create a ConnectionFactory and a Queue for you with default parameters and expected names (org.superbiz.Messages/connectionFactory for ConnectionFactory and org.superbiz.Messages/chatQueue for the Queue), so you don’t need to worry to configure JMS during test phase. Apache TomEE is smart enough to create and configure them for you.

You can inspect console output the realize that resources are auto-created by reading next log message: INFO: Auto-creating a Resource



And that's all, really simple and easy to get started with JMS thanks of Java EE and TomEE. In next post we are going to see how to do the same but using a Message Driven Beans (MDB).

We keep learning,
Alex.
No se lo qué hacer para que me hagas caso, lo he intentado todo menos bailar ballet, ya va siendo hora de mandarte a paseo, si consigo olvidarte tal vez pueda vivir. (Voy A Acabar Borracho - Platero y Tú)
Music: https://www.youtube.com/watch?v=aK6oIQikjZU