Showing posts with label security.

Monday, March 5, 2012

Quick introduction to OpenSSL

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, bundled with a general-purpose cryptographic library and the openssl command-line tool. I use it exclusively for SSL/TLS-related tasks and diagnostics. This post explains the OpenSSL commands I use most often. Before we get to the commands, a quick explanation of the terminology used in SSL/TLS:
  • Certificate Signing Request (CSR): a message, signed with the applicant's private key, that carries the applicant's public key and identification information and is sent to a Certificate Authority to request a certificate.
  • Public/private key pair: the private key must be kept secret by its owner; it is used to sign data and to decrypt messages encrypted with the matching public key. The public key can be handed out freely: it encrypts messages that only the owner of the private key can read, and it verifies signatures made with the private key. Public-key operations are slow compared to symmetric encryption.
  • Symmetric key: one key both encrypts and decrypts, and does so fast. When the browser uses SSL/TLS, the public/private key pair only serves to authenticate the server and to establish a symmetric session key; the actual data transfer is encrypted symmetrically (fast).
  • (Root) Certificate: a certificate binds identification information (the subject) to a public key and carries the signature of a Certificate Authority over both. The signature tells us that the CA has verified the identity. If we trust the CA, we also trust that the public key belongs to the named owner (authentication). A root certificate is the CA's own self-signed certificate; it is trusted directly rather than through someone else's signature.
  • Certificate Authority (CA): an organization we choose to trust. A CA signs and issues certificates. With the root certificate of a CA we can verify whether other certificates were indeed signed by that CA. Your browser ships with a standard set of root certificates of commonly recognized CAs.

Common commands

To generate a CSR together with a new 2048-bit RSA private key (-nodes writes the key to disk unencrypted, so restrict the file's permissions; -sha256 avoids the SHA-1 signature default of older OpenSSL releases):
openssl req -new -sha256 -newkey rsa:2048 -nodes \
  -keyout private.key -out certificate.csr
Generate a self-signed certificate (we are our own CA):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -keyout private.key -out certificate.crt
Print the information contained in a certificate, such as the subject, issuer, validity period, extensions and the public key:
openssl x509 -in certificate.crt -text -noout
Check which certificate chain a web server presents (-servername sends the hostname via SNI, so a server that hosts several sites returns the right certificate; redirecting stdin from /dev/null closes the connection after the handshake instead of waiting for input):
openssl s_client -showcerts -servername google.com -connect google.com:443 </dev/null
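The complete workflow the commands above sketch, as an added example that is not part of the original post: build a throwaway private CA, sign a server CSR with it, and then verify the result the way a client would. It runs entirely offline in a temporary directory; the names Lab Root CA and www.example.test are made up. Unlike the bare "req -x509" above, the CA certificate gets explicit basicConstraints and keyUsage extensions and the server certificate gets a subjectAltName, because the signing side, not the CSR, decides which extensions a certificate receives.

```shell
#!/bin/sh
# Added example (not from the original post): act as your own CA end to end.
# Everything is generated under a temporary directory; hostnames are made up.
set -eu

WORK=$(mktemp -d)

make_ca() {
    # Self-signed CA. The extensions are explicit so the result is accepted
    # as a CA by "openssl verify" on every OpenSSL version.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_csr() {
    # -nodes leaves the private key unencrypted on disk: fine for a lab,
    # otherwise protect it with file permissions or drop the flag.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

sign_server_csr() {
    # The CA decides the extensions; a CSR only asks. Modern clients match
    # the hostname against subjectAltName, not the CN, so set it here.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/server.ext"
    openssl x509 -req -days 90 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Echoes "ok" when server.crt chains to ca.crt and is valid for host $1,
# otherwise "fail" (untrusted issuer, expired, or hostname mismatch).
verify_server_cert() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Echoes "match" when server.key is the key behind server.crt (same RSA modulus).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$WORK/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/server.key" 2>/dev/null)
    if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

make_ca
make_server_csr
sign_server_csr
echo "chain for www.example.test:  $(verify_server_cert www.example.test)"
echo "chain for evil.example.test: $(verify_server_cert evil.example.test)"
echo "key/cert: $(key_matches_cert)"
```

Run it as a script. The hostname check fails for evil.example.test because the SAN names www.example.test; the modulus comparison is the quick way to confirm that a key file and a certificate belong together before installing them on a server. Inspect the intermediate files with the x509 -text command from the post (and "openssl req -in server.csr -text -noout" for the CSR).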


Sunday, October 31, 2010

Creating file realm users in JBoss

As promised in an earlier post, I'll show you how to create file realm users in the JBoss application server. A realm is a database that contains user, password and role information. The application server uses this information to authenticate users and provide container-managed security to applications. Realm information can be stored and retrieved in various ways:

  • JDBC
  • Datasource
  • JNDI
  • File (JBoss calls this MemoryRealm)
  • JAAS

We'll only be discussing the File realm in this blog post. With a File realm the information is stored in a plain-text XML file.

1. Create a realm
The first step is to create a realm by editing server.xml in the deployment directory of your server. For this example we'll use the default server configuration, in the directory <JBOSS_DIR>/server/default/deploy/jbossweb.sar. Decide whether the realm is shared between applications. It can be shared at three different levels:

  • Shared across all applications on all virtual hosts (<Engine>)
  • Shared across all applications on a particular host (<Host>)
  • Not shared, only used by one application (<Context>)

Create the <Realm> element nested in one of the elements mentioned above (element names in server.xml are case-sensitive). Example: if you want the realm to be shared by all applications on a host, nest the <Realm> element in <Host>:
<Realm className="org.apache.catalina.realm.MemoryRealm"
       digest="" pathname="conf/users.xml" />

It is recommended to set digest to a MessageDigest algorithm name such as SHA or MD5, so that the file holds hashes instead of clear-text passwords; with digest="" (as above) the password attribute is compared literally. When a digest is configured, the password attribute in the user file must contain the hex-encoded digest of the password, not the password itself. The hash is unsalted, so it slows down but does not stop offline guessing if the file leaks; restrict the file's permissions regardless. If the pathname attribute is not specified, the default file conf/tomcat-users.xml is used.

2. Create file with users
Create the file specified in the realm configuration and add users in the following format (the passwords are clear text here because the realm above uses digest=""):

<tomcat-users>
  <user name="john"  password="secret" roles="user" />
  <user name="peter" password="secret" roles="admin" />
  <user name="carol" password="secret" roles="role,role2" />
</tomcat-users>

3. Restart JBoss
The realm becomes active when JBoss is restarted.
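A complete run of the three steps above with hashed rather than clear-text passwords, as an added example that is not part of the original post. It is a POSIX shell script that writes the users file for a realm configured with digest="SHA", computing the digests with openssl. It assumes that JBoss Web's MemoryRealm does what Tomcat's RealmBase does (compare the password attribute with the lowercase hex MessageDigest of the submitted password, without a salt); the users, passwords and roles are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: emit a users file whose password
# attributes hold hex digests instead of clear text, matching digest="SHA".
# Assumption: JBoss Web's MemoryRealm behaves like Tomcat's RealmBase and
# compares hex(MessageDigest(password)) with no salt.
set -eu

# digest_password ALGO PASSWORD -> lowercase hex digest, as the realm expects.
# ALGO is the Java MessageDigest name used in digest="..." (SHA or MD5).
digest_password() {
    case "$1" in
        SHA|SHA1|SHA-1) algo=sha1 ;;
        MD5)            algo=md5 ;;
        SHA-256)        algo=sha256 ;;
        *) echo "unsupported digest: $1" >&2; return 1 ;;
    esac
    # printf, not echo: echo would append a newline and hash the wrong bytes.
    printf '%s' "$2" | openssl dgst -"$algo" | sed 's/^.*= *//'
}

# user_entry ALGO NAME PASSWORD ROLES -> one <user> element for the file.
user_entry() {
    printf '  <user name="%s" password="%s" roles="%s" />\n' \
        "$2" "$(digest_password "$1" "$3")" "$4"
}

# write_users_file ALGO OUTFILE: reads "name:password:roles" lines on stdin
# and writes the complete <tomcat-users> document to OUTFILE.
write_users_file() {
    {
        echo '<tomcat-users>'
        while IFS=: read -r name pass roles; do
            if [ -n "$name" ]; then
                user_entry "$1" "$name" "$pass" "$roles"
            fi
        done
        echo '</tomcat-users>'
    } > "$2"
    # Unsalted hashes are cheap to guess offline: the file still needs protecting.
    chmod 600 "$2"
}

# Constructed sample input; in real use read it from a file you then delete.
OUT="${OUT:-$(mktemp)}"
write_users_file SHA "$OUT" <<'EOF'
john:secret:user
peter:secret:admin
carol:secret:role,role2
EOF
cat "$OUT"
```

Point pathname at the generated file, set digest="SHA" in the Realm element, restart JBoss, and the users log in with their clear-text passwords while the file only holds the hashes. Because the scheme is unsalted SHA-1, a leaked file is still cheap to brute-force, so the file permissions matter as much as the digest.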

Saturday, September 25, 2010

Apache log4j

Apache log4j is a very popular framework for adding logging to Java applications. Logging is essential for debugging, localizing problems and security auditing. Logging statements do not have to be removed before deployment: statements below the configured level cost almost nothing, although building an expensive message still costs time unless you guard it with a check such as log.isDebugEnabled(). Be careful what ends up in the log: never log passwords, session tokens or keys, and keep in mind that untrusted input written into a log line can forge entries unless line breaks are stripped from it.

Log4j is a hierarchical logger and has six logging levels to grade log messages:

  1. TRACE
  2. DEBUG
  3. INFO
  4. WARN
  5. ERROR
  6. FATAL

The list is ordered by severity, lowest first. A logger's configured level is a threshold: a message is emitted when its level is at or above the threshold and dropped otherwise. Example: with the level set to WARN, WARN, ERROR and FATAL messages are logged and TRACE, DEBUG and INFO messages are dropped; with the level set to TRACE, everything is logged. The level can be changed at run time.

Another control mechanism of hierarchical logging is that classes/objects of the application obtain a logger named after their class, and logger names form a hierarchy along the package structure: the logger test.Foo is a child of test, which is a child of the root logger. Like the statement below in the constructor of Foo:

Logger log = Logger.getLogger(Foo.class);

A logger without an explicitly configured level inherits the level of its nearest configured ancestor. This way you can configure logging for a selection of classes only: set the level on the root logger to affect all classes, or on a package or class logger to affect only that package/class and its children.

Apache log4j can be configured in two ways:

  1. Using property files (example: log4j.properties)
  2. Using XML files (example: log4j.xml)


I prefer the properties file way, because it's less verbose. We can configure many things in the configuration file, like:

  • output log file
  • log file name pattern
  • initial log level
  • log line format
  • log file management


Example application
Let's create an example application that uses Apache log4j:

package test;

import org.apache.log4j.Logger;

public class LogMain {
    // One logger per class; its name "test.LogMain" places it in the hierarchy.
    private Logger log;

    public static void main(String[] args) {
        LogMain app = new LogMain();
        app.run();
    }

    public LogMain() {
        System.out.print("Application started.\n");
        this.log = Logger.getLogger(LogMain.class);
    }

    public void run() {
        // With the root logger at INFO (see the configuration below),
        // only the last four statements produce output.
        this.log.trace("TRACE message!");
        this.log.debug("DEBUG message!");
        this.log.info("INFO message!");
        this.log.warn("WARN message!");
        this.log.error("ERROR message!");
        this.log.fatal("FATAL message!");
    }
}

To configure Apache log4j, you can use a properties file or an XML file. The properties file looks like this:

# Root logger at INFO, writing to both appenders.
log4j.rootLogger=INFO, CONSOLE, FILE

log4j.appender.FILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.FILE.File=logs/app.log
# Suffix of rolled files, e.g. app.log.20100925 (dd is day of month; DD would be day of year)
log4j.appender.FILE.DatePattern='.'yyyyMMdd
log4j.appender.FILE.Append=true
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
log4j.appender.FILE.layout.ConversionPattern=%d{HH:mm:ss:SSS} - %p - %C{1} - %m%n

log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d{HH:mm:ss:SSS} - %p - %C{1} - %m%n

The equivalent XML-file is this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <appender name="file" class="org.apache.log4j.DailyRollingFileAppender">
    <param name="file" value="logs/app.log" />
    <!-- suffix of rolled files, e.g. app.log.20100925 -->
    <param name="datePattern" value="'.'yyyyMMdd" />
    <param name="append" value="true" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d{HH:mm:ss:SSS} - %p - %C{1} - %m%n" />
    </layout>
  </appender>

  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d{HH:mm:ss:SSS} - %p - %C{1} - %m%n" />
    </layout>
  </appender>

  <root>
    <priority value="info" />
    <appender-ref ref="console" />
    <appender-ref ref="file" />
  </root>

</log4j:configuration>

Put the file (named log4j.properties or log4j.xml) at the root of the class path, and Apache log4j will automatically find and load it.

The example configuration uses two appenders that define where logging messages go:

  1. DailyRollingFileAppender: writes to a file and rotates it every day
  2. ConsoleAppender: prints to the console

The output can also be customized through the layout class, which is configured with a conversion pattern that formats each line. Note that %C (the caller's class name) is obtained by inspecting the stack and is slow; %c{1} prints the last component of the logger name, which with one logger per class is the same string, at no such cost. The output of the example is formatted like this:

19:23:54:938 - WARN - LogMain - WARN message!

This blog post gives you enough information to start using Apache log4j. For more information you can also read the log4j manual.

Extra note
When Apache log4j is used for applications deployed in a container (web or EJB), it may clash with the logging used by the container itself. For example, Oracle Application Server (OAS) uses Apache log4j for its own application server logging and would not deploy applications that bundle their own copy of log4j. I worked around this by excluding the apache.commons.logging library from the deployment.

Friday, August 27, 2010

WebScarab

WebScarab is a tool created by OWASP that can be used to analyze the HTTP(S) traffic between your browser and the web server. In order to intercept traffic, you configure WebScarab as the proxy server in your browser. Whenever a request is sent to the web server by your browser, WebScarab intercepts it and holds it for review, or even modification, before actually forwarding it to the web server. The complete request can be analyzed in all its detail, including the HTTP headers. For HTTPS traffic the proxy terminates TLS itself and re-signs the server's certificate, so the browser will warn about the certificate unless you tell it to trust the proxy's CA certificate; do that only in a dedicated testing browser profile.

It's a great tool for debugging complex problems or reviewing the security of your applications. WebScarab is available from the OWASP website; note that OWASP has since retired the project, and OWASP ZAP is its actively maintained successor.