Jun 22, 2017

set up an ssh tunnel

Today, I ran into a situation where I (temporarily) needed access from outside to one of our test machines running a web GUI on a special port. As the machine was only reachable from outside via ssh on port 22, one of my peers pointed me to the ssh tunnel feature, which instantly worked like a charm. The basic command pattern is:

ssh -L localport:localhost:remoteport user@remotehost.com

So, e.g.

ssh -L 80:localhost:8080 john@remotehost.com

would forward port 80 on my local MacBook to port 8080 on the remote host, so I can simply point the Safari browser to localhost, and I am there! Two things to keep in mind: the host in the middle of the -L spec (localhost here) is resolved by the remote host, not by your machine, so localhost means the remote host's own loopback interface; and a local port below 1024 such as 80 normally needs root to bind, so either run ssh with sudo or use an unprivileged local port (e.g. -L 8080:localhost:8080) and browse to http://localhost:8080 instead.
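The same forward, wrapped as an added example (not part of the original post) that builds the ssh command line with the options a practitioner would want on top of the bare pattern: an explicit loopback bind address, -N so no remote shell is started, ExitOnForwardFailure so a taken local port is an error rather than a silent no-op, and a refusal of privileged local ports for non-root users. The user and host names are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post: build the ssh command for a
# local port forward with safer defaults than the bare pattern above. Names
# (john, remotehost.com) are placeholders.
#  - the bind address 127.0.0.1 is spelled out, so the forwarded port is
#    never reachable from the LAN even if GatewayPorts is set in ssh_config
#  - -N: no remote shell, this connection exists only for the tunnel
#  - -o ExitOnForwardFailure=yes: fail loudly if the local port is taken
#    instead of quietly giving you a login without the forward
#  - local ports below 1024 need root, so they are refused for normal users

# tunnel_cmd LOCALPORT REMOTEPORT USER HOST [TARGET]
# Prints the command. TARGET defaults to localhost and is resolved on the
# remote host, not on your machine. Returns 1 on a bad port, 2 if the
# local port is privileged and we are not root.
tunnel_cmd() {
  local_port=$1; remote_port=$2; user=$3; host=$4; target=${5:-localhost}
  for p in "$local_port" "$remote_port"; do
    case $p in
      ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port out of range: $p" >&2; return 1
    fi
  done
  if [ "$local_port" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
    echo "local port $local_port needs root; use sudo or a port above 1023" >&2
    return 2
  fi
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
    "$local_port" "$target" "$remote_port" "$user" "$host"
}

# Typical use: run what tunnel_cmd prints, then browse to
# http://localhost:LOCALPORT in Safari.
# eval "$(tunnel_cmd 8080 8080 john remotehost.com)"
```

Passing a fifth argument (for example 10.0.0.5) forwards to a third machine that is only reachable from the ssh host, which is the other common use of -L; the name is still resolved on the remote side.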


Jun 4, 2017

getting started with ansible

Today, I came across this extremely helpful tutorial on how to get started with ansible. It took me under half an hour to understand all the basic concepts and start working with playbooks. Here's where you can find it:

https://serversforhackers.com/an-ansible-tutorial

Apr 15, 2017

Raspberry Pi: Cloning SD Cards

I am currently getting started on exploring the Pi. In order to have a clean fall-back point, I'd like to copy an image of the SD flash card that came with the controller onto my MacBook. Haven't done it yet, but came across this post that explains the how-to:

https://computers.tutsplus.com/articles/how-to-clone-raspberry-pi-sd-cards-using-the-command-line-in-os-x--mac-59911

Thought that might help...

Jan 14, 2017

SSL with Wildfly and Let'sencrypt

I am currently in the process of converting all my private machines to SSL-only communication. I personally think that this has become a must-have not only in business but also in your private life.
For my private applications, I have been trying to avoid the cost of SSL certificates, but at the same time, the use of self-signed certificates seemed insufficient. So I was happy when I came across Let's Encrypt, a free and automated certificate authority.

I am running a couple of PLESK-managed machines, and there is a (beta-stage) plugin available that fully covers the communication with the Let's Encrypt service and also takes care of automatically renewing certificates before they expire. While this plugin works out of the box for the Apache HTTP server and NGINX, there is no full support yet for servlet containers and application servers such as Tomcat or Wildfly. As I am experimenting with Wildfly-based applications, that is exactly what I would need. So here's what I did to get it to work:

For the static HTML part of my website, I am still using the Apache service. So I am letting the Plesk plugin mentioned earlier take care of the automated certificate retrieval and renewal process. As a result, symlinks to the current components of my certificate and the verification chain can always be found under /etc/letsencrypt/live/[mydomainname]. The symlinks point into /etc/letsencrypt/archive, where the private key is usually readable by root only, so the conversion below has to run as root.

The challenge was that Let's Encrypt provides everything as PEM-formatted files. Wildfly, however, works with Java keystores, and keytool can import a PEM certificate but not a PEM private key. The supported route for getting a key together with its certificate chain into a keystore is a PKCS12 bundle.

So, in a first step, I had to convert everything to PKCS12, which is fairly simple using the openssl tools once you know the required parameters:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.pkcs12 \
             -name [mydomain] -CAfile chain.pem -caname root

This command created the PKCS12-formatted file I need (cert_and_key.pkcs12). It contains the full certificate chain as well as the private key. The other file names are the ones generated by Let's Encrypt. Note that openssl pkcs12 has no -alias option; the friendly name is set with -name, and keytool later shows it as the alias of the key entry, which is the name Wildfly refers to. You will be asked for an export password. Here, you can use something very simple ('secret' in my example), as you will only need it once for the following step. The bundle does contain your private key, though, so delete it after the import or keep it readable by root only.

keytool -importkeystore -srckeystore cert_and_key.pkcs12 -srcstoretype PKCS12 \
             -srcstorepass secret -destkeystore mykeystore.jks -deststorepass [strongpassword] \
             -destkeypass [strongpassword]

Please make sure to keep the passwords for store and key in a safe place, and restrict the keystore file itself to the user Wildfly runs as (e.g. chmod 600).
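The certificate is renewed automatically, but the keystore built above is a copy and goes stale after every renewal. The following script is an added example, not part of the original post, that packages the two conversion steps so they can be re-run as a renewal hook: it rebuilds the PKCS12 bundle with openssl, converts it to JKS non-interactively with keytool, and swaps the keystore in atomically. The paths under /opt/wildfly and /etc/wildfly, the password file and the wildfly service user are assumptions; adjust them to your installation.

```sh
#!/bin/sh
# Added example, not part of the original post: the PEM -> PKCS12 -> JKS
# conversion above as a script, so it can be re-run automatically after every
# renewal (the symlinks in /etc/letsencrypt/live change, the JKS does not).
# Paths under /opt/wildfly and /etc/wildfly, the wildfly user and the
# password file are assumptions; adjust them to your installation.
set -eu

# pem_to_pkcs12 LIVEDIR DOMAIN OUT PASS
# Bundles fullchain.pem and privkey.pem into one PKCS12 file. DOMAIN becomes
# the friendly name (openssl -name); keytool shows it as the alias later.
pem_to_pkcs12() {
  live_dir=$1; domain=$2; out=$3; pass=$4
  umask 077                                   # the bundle holds the private key
  openssl pkcs12 -export \
    -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
    -name "$domain" -passout "pass:$pass" -out "$out"
}

# p12_alias P12 PASS: prints the friendly name stored in the bundle, useful to
# verify it matches the alias WildFly is configured with.
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# pkcs12_to_jks P12 P12PASS JKS JKSPASS
# Same keytool call as above, non-interactive; store and key password are
# kept identical. The target is replaced atomically so a half-written
# keystore is never picked up by a concurrently starting WildFly.
pkcs12_to_jks() {
  p12=$1; p12pass=$2; jks=$3; jkspass=$4
  umask 077
  tmp="$jks.tmp.$$"
  rm -f "$tmp"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -destkeystore "$tmp" -deststoretype JKS \
    -deststorepass "$jkspass" -destkeypass "$jkspass"
  mv -f "$tmp" "$jks"
}

# deploy_hook [LIVEDIR]: what to run after a renewal, as root. With certbot it
# can be wired via --deploy-hook, which exports RENEWED_LINEAGE (the live
# directory); for other renewal clients pass the directory explicitly.
deploy_hook() {
  live_dir=${1:-${RENEWED_LINEAGE:?live directory not given}}
  domain=$(basename "$live_dir")
  jks=/opt/wildfly/standalone/configuration/mykeystore.jks   # assumed path
  pass=$(cat /etc/wildfly/keystore.pass)                    # assumed root-only 0600 file
  p12=$(mktemp /etc/wildfly/cert_and_key.XXXXXX)
  pem_to_pkcs12 "$live_dir" "$domain" "$p12" "$pass"
  pkcs12_to_jks "$p12" "$pass" "$jks" "$pass"
  rm -f "$p12"                                # the bundle is no longer needed
  chown wildfly:wildfly "$jks"                # assumed WildFly service user
  chmod 600 "$jks"
  # WildFly reads the keystore at startup, so reload or restart it afterwards.
}

if [ "${1:-}" = deploy ]; then
  deploy_hook "${2:-}"
fi
```

Two caveats: a JDK older than 8u301 cannot read PKCS12 files written by OpenSSL 3 with its default algorithms, so add -legacy to the export if keytool rejects the bundle; and if your renewal client does not offer a hook, a daily cron job calling deploy_hook is good enough, since rebuilding the keystore from an unchanged certificate is harmless.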

Okay, so now we have a Java keystore holding everything required to enable secure communication between client software and my server. (A current JDK can also open the PKCS12 file directly as a keystore of type PKCS12, so the conversion to JKS is optional.) In a final step, I needed to let Wildfly know where to find my keystore and how to use it.

This is a pretty straight-forward process. I am using the Wildfly server in standalone mode, so the config file I have to edit is standalone.xml. Please check the documentation to find out which configuration file is the one to modify for your particular run mode.

...not done yet, here. This portion will follow soon. Keep hanging in...


Jan 23, 2016

API gateway options

I have started to look around to find out what options I have in terms of using an API gateway. I have taken a brief look at JBoss's apiman, which provides basic features and seems to be easy to use. But I'd like to see if there are other options out there. I came across Tyk. It seems to be far more comprehensive, but I am not really sure if it is a good candidate to go for. It is written in Go, a language that I am not familiar with at all.
Looking forward to your suggestions...

Mac OS X: launching an application from the terminal window

Ever wondered how you can start an application from the terminal command line in Mac OS? Graphical applications come packaged as bundles (typically with the .app extension). Besides the actual binary executable, the bundle contains any additional resources (e.g. libraries) that the application might require to run. The executable can be found in the /Applications/NameOfApp.app/Contents/MacOS folder.
It is, however, not advisable to launch it with this fully qualified path, as the program would be started as a child process of your current terminal session. If you close the terminal window, the application will be terminated, too. Mac OS's resume feature might also have trouble with this approach.
There is, however, a utility named open that you can use for this purpose. I am for instance using the Atom editor for simple edits, and I have added a corresponding alias in my .bash_profile file in order to be able to launch it while working at the terminal command line:
alias atom='open -a Atom'
The above open command mimics launching the application from within the graphical user interface: the application runs detached from the terminal, and any file or directory arguments (e.g. atom . or atom notes.txt) are handed to it just as if you had dropped them on its Dock icon.

Jan 18, 2016

Linux: find which process is listening on a port

A while ago, I couldn't get my WildFly fired up, because some other process was already listening on port 8080. This is how I figured out who it was:
sudo lsof -i :8080 | grep LISTEN
lsof stands for list open files, and that's actually what it does. The good thing is that this also works for network 'files' (i.e. open ports). Two flags are worth adding: -P keeps ports numeric instead of showing the service name from /etc/services (www for 80, http-alt for 8080), and -n skips DNS lookups, which makes the output both faster and easier to grep. It generates output like this:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
tomcat7 1213 tomcat 3u IPv4 14721 TCP *:www (LISTEN)
So, the output showed me that I had a zombie Tomcat running with a process id of 1213 which was easy to fix (kill).
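As an added example (not part of the original post), here is the same lookup done without a loose grep: a small awk filter that takes lsof output and prints only the PIDs of sockets in LISTEN state on the requested port, so an established client connection to that port or a process that merely has LISTEN in its name is not mistaken for the listener. The sample lsof output below is constructed.

```sh
#!/bin/sh
# Added example, not part of the original post: extract the PID(s) of whatever
# is listening on a TCP port from lsof output, without relying on a grep that
# would also match the word LISTEN elsewhere. The sample output is constructed.

# listener_pids PORT  (lsof output on stdin)
# Prints one PID per line for sockets in LISTEN state on PORT. Expects the
# default lsof columns (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME),
# with NAME like '*:8080', '127.0.0.1:8080' or '[::1]:8080' and the state in
# the last column, which is what lsof -nP prints.
listener_pids() {
  awk -v port="$1" '
    $NF == "(LISTEN)" {
      n = split($(NF - 1), parts, ":")     # last piece after ":" is the port
      if (parts[n] == port) print $2
    }' | sort -u
}

# find_listener PORT: the live query. -nP keeps hosts and ports numeric, so the
# NAME column reads *:8080 instead of *:http-alt; -sTCP:LISTEN makes lsof do
# the state filtering itself.
find_listener() {
  sudo lsof -nP -iTCP:"$1" -sTCP:LISTEN | listener_pids "$1"
}

# Constructed sample of 'lsof -nP -iTCP' output: a Tomcat on 8080 (plus its
# shutdown port 8005) and a browser connection to it, which must not count.
sample_lsof_output() {
  cat <<'EOF'
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1213 tomcat   52u  IPv6  14721      0t0  TCP *:8080 (LISTEN)
java    1213 tomcat   60u  IPv4  14730      0t0  TCP 127.0.0.1:8005 (LISTEN)
chrome  4401   john   31u  IPv4  20011      0t0  TCP 127.0.0.1:51234->127.0.0.1:8080 (ESTABLISHED)
EOF
}

# sample_lsof_output | listener_pids 8080   -> 1213
```

On a Linux box without lsof, `ss -ltnp 'sport = :8080'` gives the same answer; the awk filter is only needed when you have to work from lsof's wider output.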