Sunday, December 24, 2006

Sun Java System Application Server 9.x (glassfish) SSL/TLS Authentication Setup

I am providing the basics needed to get a CACert.org-signed certificate loaded on your application server. Every keytool command below uses the store password changeit, which is the default for a fresh install.

Prerequisites:
  1. You need an account at CACert.org
  2. You need to install and configure Sun Java System Application Server 9.x or Project Glassfish

Instructions:

1. Go to the domains/<domain-name>/config directory of the application server installation (domain1 for a default install).

You will find two JKS keystores in this directory: cacerts.jks and keystore.jks. cacerts.jks is the trust store, holding the Certification Authority (CA) certificates the server trusts; keystore.jks holds the server's own private keys and certificates. Both contain an entry named s1as that is created when the application server is installed: the private key and self-signed certificate live in keystore.jks, and the matching public certificate is in cacerts.jks as a trusted entry.

To view the entries in a keystore, use the keytool utility as follows:

keytool -list -v -keystore keystore.jks -storepass changeit

This lists every entry in keystore.jks with its certificate details; the same command with -keystore cacerts.jks shows the trust store.

2. Download the CACert.org root (Class 1) and Class 3 certificates from the CACert.org root certificate page. Select the PEM format files and save them to the local drive; the commands below assume they are named root.crt and class3.crt.

NOTE: Import these files into both cacerts.jks and keystore.jks. keytool's -trustcacerts option consults the JDK's own cacerts file, not the application server's cacerts.jks, so the CA certificates must also be present in keystore.jks for keytool to build and verify the chain when the signed certificate is imported in step 6.

Import the files as follows:

keytool -import -v -alias cacert -trustcacerts -keystore cacerts.jks -storepass changeit -file root.crt

keytool -import -v -alias cacert -trustcacerts -keystore keystore.jks -storepass changeit -file root.crt

keytool -import -v -alias cacert3 -trustcacerts -keystore cacerts.jks -storepass changeit -file class3.crt

keytool -import -v -alias cacert3 -trustcacerts -keystore keystore.jks -storepass changeit -file class3.crt


3. Create a new key pair and self-signed certificate for the server using the following:

keytool -genkey -keyalg RSA -alias server -keystore keystore.jks -keypass changeit -storepass changeit -noprompt -v -dname "cn=yourdomain.com, ou=Sun Java System Application Server, o=your company name, s=your state, c=your country"

Change the dname values as appropriate. Note that keytool of this generation defaults to a 1024-bit RSA key and an MD5withRSA self-signature (the sample CSR in step 4 shows both); add -keysize 2048 to the command above, and -sigalg SHA1withRSA or stronger if your keytool supports it. Afterwards check the keystore:

keytool -list -v -alias server -keystore keystore.jks -storepass changeit

You should get output similar to this, with your own domain and dates. The 90-day validity is keytool's default and does not matter, because the self-signed certificate is replaced by the CA-issued one in step 6:

Alias name: server
Creation date: Dec 24, 2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourdomain.com, OU=Sun Java System Application Server, O=your company name, ST=your state, C=your country
Issuer: CN=yourdomain.com, OU=Sun Java System Application Server, O=your company name, ST=your state, C=your country
Serial number: 458ed092
Valid from: Sun Dec 24 14:10:10 EST 2006 until: Sat Mar 24 15:10:10 EDT 2007
Certificate fingerprints:
         MD5:  0D:62:DA:52:34:DE:65:40:C5:34:DB:97:EE:58:20:22
         SHA1: 2B:AA:0F:A0:6D:C6:DE:C2:20:19:72:85:97:B1:6B:DA:B5:7D:AC:D0

4. Create the Certificate Signing Request (CSR) using the following command:

keytool -certreq -v -alias server -keystore keystore.jks -storepass changeit -file server.csr

Paste the contents of server.csr into the CSR request form on the CACert.org site.



Here is an example of the data in the server.csr file:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBzzCCATgCAQAwgY4xFTATBgNVBAYTDHlvdXIgY291bnRyeTETMBEGA1UECBMKeW91ciBzdGF0
ZTEaMBgGA1UEChMReW91ciBjb21wYW55IG5hbWUxKzApBgNVBAsTIlN1biBKYXZhIFN5c3RlbSBB
cHBsaWNhdGlvbiBTZXJ2ZXIxFzAVBgNVBAMTDnlvdXJkb21haW4uY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCETXJQCNJz9rDLBuE8RBV/IK4sfVt1MC0DJLd6Ph94uTy+kz9mkVml41KV
zd9UORdp4VCFXd9ssS5UiophTvHzcntJpAVONTwjUkdaukYA5bE5HrKsS7BjdnJTYnoeUHJ6g1ig
6NrUt2GouQGQYeiIUCoPfXsB9g8+S/0tPI6X/wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAYjAR
My7nevIe3HM2NrilO29ls1PrjP4h6ApppCdaGrvn8RlSaXp4kPIb5s1/vHWbIB6CIeSZvlmXk2NG
649iTBK6+wLw0RTotcQXtCx7S9YnguBeWBA+zb2fJRfdWYJhCwbm9cyAfJbP80N3lyB7/XKyvq/N
fjqp30oTQiiq75U=
-----END NEW CERTIFICATE REQUEST-----



5. You should get an immediate response on the site as well as an email containing the certificate. Copy the certificate from the site and save it in a file called signed.crt. The file should look like the following (the body is omitted here):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

6. We imported the CACert.org certificates so that this step works without complaint. Import the signed certificate under the same alias as the private key (the keyEntry named server). keytool recognises it as a certificate reply, verifies that it chains to a trusted root using the entries added in step 2 (and the JDK's own cacerts), and replaces the self-signed certificate with the CA-issued chain.

keytool -import -v -trustcacerts -alias server -keystore keystore.jks -keypass changeit -storepass changeit -file signed.crt

7. Delete the cacert and cacert3 trust entries from keystore.jks. They were only needed for the import; the CA chain is now stored with the server entry itself. Re-run the keytool -list command from step 3 for the server alias: Certificate chain length should now be greater than 1, and the Issuer should be the CACert.org CA rather than yourdomain.com.

keytool -delete -v -alias cacert -keystore keystore.jks -storepass changeit
keytool -delete -v -alias cacert3 -keystore keystore.jks -storepass changeit

8. Configure the application server to use the new key. In the admin console go to HTTP Service --> HTTP Listeners --> http-listener-2, select the Security Enabled and TLS checkboxes, and fill in the Certificate Nickname as server. (The original configuration also ticked SSL3 and All Supported Ciphers; on any current deployment leave SSL 3.0 off and restrict the cipher list, since SSL 3.0 and several of the older ciphers are no longer considered secure.) Save and restart the application server.



9. Check the configuration by going to https://localhost:8181. Expect a browser warning unless the CACert.org root has been imported into the browser's trust store, which most browsers do not ship with; the certificate details should still show the CACert.org issuer and your CN.

FINISHED

Congratulations, you are on SSL. Once I am sure that everything is working, I immediately set the admin site to use SSL/TLS as an important security measure. Also change the master password from the default changeit (asadmin change-master-password): it protects both keystores, and every command above used the well-known default.
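As a check after step 7 (and again after any renewal), here is an added example that is not part of the original post: a small Java program that opens the two keystores from the steps above, inspects the server key entry, and validates its chain against the trust anchors in cacerts.jks using the JDK's PKIX validator. It assumes the file names keystore.jks and cacerts.jks, the alias server and the store password changeit used throughout; pass other values as arguments.

```java
// CheckServerCert.java: added example, not from the original post.
// Reports on the "server" key entry and validates its chain offline.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

public class CheckServerCert {

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // Defaults follow the post; "changeit" is GlassFish's well-known default
        // and should itself be changed once the server is set up.
        String keystorePath = args.length > 0 ? args[0] : "keystore.jks";
        String cacertsPath  = args.length > 1 ? args[1] : "cacerts.jks";
        String alias        = args.length > 2 ? args[2] : "server";
        char[] storePass    = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyStore ks = load(keystorePath, storePass);
        if (!ks.isKeyEntry(alias)) {
            System.err.println("FAIL: " + alias + " is not a key entry (no private key)");
            System.exit(1);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        System.out.println("Subject   : " + leaf.getSubjectX500Principal());
        System.out.println("Issuer    : " + leaf.getIssuerX500Principal());
        System.out.println("Not after : " + leaf.getNotAfter());
        System.out.println("Sig alg   : " + leaf.getSigAlgName());
        System.out.println("Chain len : " + chain.length);

        int problems = 0;
        if (isSelfSigned(leaf)) {
            System.out.println("WARN: entry is still self-signed; the CA reply was not imported");
            problems++;
        }
        if (leaf.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA bits  : " + bits);
            if (bits < 2048) { System.out.println("WARN: RSA key shorter than 2048 bits"); problems++; }
        }
        if (leaf.getSigAlgName().toUpperCase().contains("MD5")) {
            System.out.println("WARN: certificate is signed with MD5"); problems++;
        }
        try {
            leaf.checkValidity();
        } catch (Exception e) {
            System.out.println("WARN: certificate not currently valid: " + e.getMessage()); problems++;
        }

        if (!isSelfSigned(leaf)) {
            // Build the path without any trailing self-signed root; the root comes
            // from cacerts.jks as a trust anchor instead.
            List<X509Certificate> path = new ArrayList<X509Certificate>();
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                if (isSelfSigned(x)) break;
                path.add(x);
            }
            KeyStore trust = load(cacertsPath, storePass);
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(false);   // offline check: no CRL/OCSP fetch
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            try {
                CertPathValidator.getInstance("PKIX").validate(cp, params);
                System.out.println("OK: chain validates against " + cacertsPath);
            } catch (Exception e) {
                System.out.println("FAIL: chain does not validate: " + e.getMessage());
                problems++;
            }
        }
        System.exit(problems == 0 ? 0 : 2);
    }
}
```

Compile with javac CheckServerCert.java and run it from the domain's config directory, for example java CheckServerCert keystore.jks cacerts.jks server changeit. Exit status 0 means the entry has a private key, is no longer self-signed, and chains to a root present in cacerts.jks; a "still self-signed" warning means step 6 did not take effect, and a validation failure usually means the Class 3 intermediate or the root is missing from the trust store.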


Thursday, November 30, 2006

FindBugs Installation in Netbeans 5.5

I have found that there is no really good description of how to download and install the FindBugs plug-in for Netbeans 5.5. The plug-in is part of a larger project on java.net called Software Quality Environment (SQE). If you want to use SQE and FindBugs, do the following:

1. Start Netbeans 5.5 and go to Tools --> Options --> Advanced Options (located in the bottom left corner of the Options screen).

2. Navigate to the IDE Configuration --> System --> Autoupdates Types item in the tree. See below


3. Right click on the Autoupdate Types item to bring up the context menu. Select New --> General Update Center. This will bring up the menu below. I named my update center FindBugs and pressed Finish. See Below.

4. Click on the new FindBugs update center in the tree and change the Server URL entry to




5. Close the window and you can now use the update center to install and update FindBugs

Sunday, November 05, 2006

How to convert an InputStream to a String and Back

There are four methods listed below to convert an InputStream to a String and a String to an InputStream.
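The conversions themselves are not on this page, so the following is an added example rather than one of the post's four methods. It does the round trip with an explicit charset and an upper bound on the number of bytes read, which are the two things that go wrong in practice: decoding with the platform default charset silently corrupts non-ASCII text, and reading an untrusted stream with no limit lets the sender dictate how much heap you allocate. The sample input is constructed inline.

```java
// StreamStrings.java: added example, not from the original post.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;

public final class StreamStrings {
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Reads the whole stream into a String, refusing input larger than maxBytes. */
    public static String streamToString(InputStream in, Charset cs, int maxBytes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        int total = 0;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new IOException("input exceeds " + maxBytes + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        // Decode once, after all bytes are in: decoding chunk by chunk can split a
        // multi-byte character across two reads.
        return new String(buf.toByteArray(), cs);
    }

    /** Encodes the String with the given charset and wraps the bytes in a stream. */
    public static InputStream stringToStream(String s, Charset cs) {
        return new ByteArrayInputStream(s.getBytes(cs));
    }

    public static void main(String[] args) throws IOException {
        String original = "naïve café €";   // constructed sample with non-ASCII characters

        String back = streamToString(stringToStream(original, UTF8), UTF8, 1024);
        System.out.println(original.equals(back) ? "round trip OK" : "MISMATCH");

        // Decoding with the wrong charset silently mangles the text. This is what the
        // no-argument String(byte[]) constructor invites, since it uses the platform default.
        String wrong = streamToString(stringToStream(original, UTF8), Charset.forName("ISO-8859-1"), 1024);
        System.out.println("decoded as ISO-8859-1: " + wrong);

        // An oversized stream is rejected instead of being buffered in full.
        try {
            streamToString(stringToStream(original, UTF8), UTF8, 4);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The limit check happens before the chunk is appended, so the buffer never grows past maxBytes plus one chunk; pick maxBytes from what the caller can legitimately send, not from available memory.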

Subversion 1.4.0 Build Configuration (Solaris 10) (SPARC)

Set the library path using crle
crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib:/usr/sfw/lib

***You may need to unset the LD_LIBRARY_PATH
unset LD_LIBRARY_PATH

Set MAKE to gmake
export MAKE=/opt/sfw/bin/gmake

Add additional directories to the path
export PATH=$PATH:/usr/ccs/bin:/usr/sfw/sparc-sun-solaris2.10/bin

CONFIGURE SCRIPT

./configure --enable-maintainer-mode --enable-javahl --with-zlib --with-apxs=/usr/apache2/bin/apxs --with-jikes=no --with-jdk=/usr/jdk/jdk1.5.0_07 --without-berkeley-db --with-apr=/usr/apache2/bin/apr-config --with-apr-util=/usr/apache2/bin/apu-config --with-editor=/opt/sfw/bin/pico

Friday, November 03, 2006

Coding for Performance

Here are some performance tips gathered from various sources and personal experience. I have sorted them by category (General, J5SE, J5EE)

General
  1. Always use the simplest classes possible to get the job done.

  2. Never code your own frameworks unless the performance is lacking. Reuse code and frameworks.

  3. Use open source frameworks which are established and tested.

  4. "Never do today what can be put off till tomorrow. " - Aaron Burr


    • If a class proves difficult to code, put it off until you have had a rest. You can then look at it with a fresh set of eyes.

    • Delegate the hard parts to another class.

    • Do not attempt to resolve all scenarios while coding; for example, wait to do locale-specific encodings until after the initial code is complete.


  5. Place design notes in your code. Explain the performance requirements in your comments. If there are specific SRS requirements, note the number, date, and revision of the SRS document.

  6. Avoid object creation and destruction except as necessary. Reuse existing objects.

  7. Learn Collections and use them correctly. Use "lightweight" collections and avoid "heavyweight" collections where synchronization is not required.

  8. Initialize objects through the constructor with the fewest requirements. If most uses need only the default values, construct with the defaults and treat explicit initialization parameters as the exception; for example, an int field that defaults to zero needs no constructor argument in the common case.

  9. Use findbugs to find common errors and performance problems.

  10. Reduce the distance between objects during operation. It is better to perform complex operations locally.

  11. Use System.nanoTime() (Java 5 and later) rather than System.currentTimeMillis() to measure execution time: it is a monotonic, higher-resolution clock, whereas currentTimeMillis() follows wall-clock adjustments and can jump.

  12. Use the -verbose:gc flag on the JVM to determine if the heap size is too small.

  13. Use constants where possible by using static final in the variable declaration.

  14. Use Enum instead of integer constants. Enums are more flexible and are typesafe.

  15. Avoid casting and using instanceof

  16. Keep synchronized regions small. A synchronized method locks on this (or on the Class object for static methods), which any caller holding a reference can also lock, so prefer a synchronized block on a private final lock object around only the code that needs it.

  17. Avoid synchronized calls within a synchronized method or code block.

  18. Avoid using synchronization over IO operations except as required to maintain correct operation. For example: JPA inside a servlet.

  19. Turn off auto-commit and use transactions to improve throughput.

  20. Use -Xms and -Xmx flags to set the minimum and maximum heap sizes. Try to size appropriately to prevent wasting resources.


J5SE

Looping


  1. Do not recalculate constants inside a loop.

  2. "Fast Fail" - If a method fails, or throws an exception have it exit the loop quickly. Break loops early.

  3. Use local variables in loops. A local lives in a fixed slot of the method's frame (and often in a register once compiled), whereas a field read goes through the object on the heap on every iteration.


Strings


  1. Avoid using Strings when you are modifying them. Strings are immutable. Therefore to "modify" a String, object creation and destruction must occur. Use StringBuilder and StringBuffer when Strings must be modified.

  2. Create Strings using the short form syntax to avoid creating additional objects.

    For example use: String s1 = "ABC";

    instead of: String s1 = new String("ABC");

  3. Never use String or StringBuffer for parsing characters. Use a character array.

  4. Try to set the StringBuilder or StringBuffer to the size required, or maximum size required during initialization to prevent a performance penalty while resizing.

  5. Avoid StringTokenizer where there is a performance requirement. It is a legacy utility that allocates a new String for every token; a small custom tokenizer working over indexOf or charAt can avoid most of that allocation.

  6. Use StringBuilder instead of StringBuffer unless synchronization is required.


Collections


  1. Avoid using generic object collections. Use generics with collections to avoid having to cast objects.

  2. Use a LinkedList over an ArrayList only when most insertions and deletions happen at the ends or through an iterator; for indexed access and appends at the end, the ArrayList's contiguous storage usually wins.

  3. Use a HashMap instead of a TreeMap unless there is a requirement to maintain a sort order.

  4. Use a HashSet over a TreeSet unless there is a requirement to maintain a sort order.

  5. Vector is synchronized on every call; prefer ArrayList unless that synchronization is required. Either way, set the initial capacity to the expected maximum size to prevent the list from having to grow. If it must grow, use a reasonable increment.

  6. It is extremely important to size a Hashtable or HashMap appropriately (initial capacity of roughly the expected number of entries divided by the 0.75 load factor) to prevent rehashing as it grows.
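To make three of these tips concrete, here is an added example (not from the original post) that applies General tip 11, Strings tip 4 and Collections tip 6 together: a small harness timed with System.nanoTime() compares String concatenation in a loop against a default and a presized StringBuilder, and a default HashMap against one sized for its contents. It needs Java 8 or later for the method references; N is an assumed workload size.

```java
// PerfTips.java: added example, not from the original post.
import java.util.HashMap;
import java.util.Map;

public class PerfTips {
    static final int N = 50_000;   // assumed workload size

    /** Runs body once untimed so the JIT compiles it, then returns the timed run in nanoseconds. */
    static long timeNanos(Runnable body) {
        body.run();
        long start = System.nanoTime();   // monotonic, unlike System.currentTimeMillis()
        body.run();
        return System.nanoTime() - start;
    }

    // Each "+=" copies the whole string so far: O(N^2) bytes copied and N garbage objects.
    static String concatInLoop() {
        String s = "";
        for (int i = 0; i < N; i++) s += (char) ('a' + i % 26);
        return s;
    }

    // Amortised O(N), but the internal buffer is reallocated and copied each time it fills.
    static String builderDefault() {
        StringBuilder b = new StringBuilder();
        for (int i = 0; i < N; i++) b.append((char) ('a' + i % 26));
        return b.toString();
    }

    // Same work with the final size declared up front: one allocation, no copying.
    static String builderSized() {
        StringBuilder b = new StringBuilder(N);
        for (int i = 0; i < N; i++) b.append((char) ('a' + i % 26));
        return b.toString();
    }

    // A default HashMap starts at 16 buckets and rehashes every time it passes 75% full.
    static Map<Integer, Integer> mapDefault() {
        Map<Integer, Integer> m = new HashMap<>();
        for (int i = 0; i < N; i++) m.put(i, i);
        return m;
    }

    // Capacity chosen so N entries stay under the 0.75 load factor: no rehash at all.
    static Map<Integer, Integer> mapSized() {
        Map<Integer, Integer> m = new HashMap<>((int) (N / 0.75f) + 1);
        for (int i = 0; i < N; i++) m.put(i, i);
        return m;
    }

    static void report(String label, Runnable body) {
        System.out.printf("%-22s %10d us%n", label, timeNanos(body) / 1000);
    }

    public static void main(String[] args) {
        report("String += in loop", PerfTips::concatInLoop);
        report("StringBuilder()", PerfTips::builderDefault);
        report("StringBuilder(N)", PerfTips::builderSized);
        report("HashMap()", PerfTips::mapDefault);
        report("HashMap(capacity)", PerfTips::mapSized);
    }
}
```

Run it a few times and compare relative numbers rather than absolute ones: the single warm-up run keeps the measurement from including JIT compilation, but it is still a microbenchmark and will vary with heap size and GC activity.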


J5EE


  1. Reduce the number of network operations by returning complete results rather than smaller intermediate results.

  2. If database design constraints impose a specific database, use the advantages of the database where possible.


    • If operations are performed on the database, consider using stored procedures and making JDBC calls.

    • Do not use Entity Beans unless you must, use Java Persistence API (JPA) instead.

    • Do not use the Java Persistence API (JPA) unless you need it or want some of its advanced capabilities; plain JDBC is adequate for simple access.

    • Limit the subset of data required to the minimum required for your program. Do not pull a whole row of data from table when you require only a few fields.


  3. When given a choice, use local interfaces and local method calls on EJBs.

  4. Shorten the distance between servers. Try to maintain dependent servers as close as possible. In clustered environments, try to keep remote communications on a separate private network interface.

  5. It is generally better to use a coarser stateless session bean to avoid JNDI lookups for fine grained operations.

  6. Avoid stateful session beans except as necessary.

  7. Set timers for non-activity on stateful session beans as low as possible to prevent "dead" connections waiting to timeout.

  8. Use Data Transfer Objects (DTO) to maintain granularity. DTOs must be Serializable.

Thursday, November 02, 2006

Subversion 1.3.2 Build Configuration (OS X)

Here are the parameters I used to install subversion on OS X.

./configure --with-ssl --with-libs=/usr/include/ssl --enable-maintainer-mode --enable-javahl --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr --with-zlib --with-editor=/usr/bin/pico --with-apxs=/usr/local/apache2/bin/apxs --with-jikes=no --with-junit=/Users/jyeary/Library/Java/PrivateExtensions/junit-4.1 --with-jdk=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home

Please note that I have the junit libraries stored in an alternate location.

Tuesday, October 31, 2006

Netbeans 5.5 Enterprise Pack Failure on OS X

I completely removed Netbeans including all directories in my home folder. I also removed glassfish and started with a complete new installation.

Once I performed the installation, everything worked as it was supposed to do. The only difference between this install and the previous installations was that I downloaded updates to the IDE after installing and before I installed the Enterprise Pack.

I could not reproduce the failure, which I could do consistently two days ago. I have installed the updates and it continues to work. I closed the issue on Issuezilla.

This was very strange.

Sunday, October 29, 2006

Persistence Unit or Persistence Context?

Which to use for a particular application depends on the environment and on how much of the management you want to do yourself.

  • @PersistenceUnit injects an EntityManagerFactory. The EntityManagers it creates are application-managed: the developer creates, uses and closes each one and drives its transaction. A plain Java SE program gets no injection at all and obtains the same factory with Persistence.createEntityManagerFactory(). You may use an application-managed EntityManager inside a container, but it is then managed by the developer instead of the container.
  • @PersistenceContext injects a container-managed EntityManager, bound to the current JTA transaction and closed by the container. This relieves the developer of having to worry about connection and lifecycle management. (This is not the EJB 2 style of Container Managed Persistence (CMP) entity beans, which JPA replaces.)
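The three situations side by side, as an added example that is not part of the original post. The entity, the persistence unit name accountsPU and the Account fields are assumed; the two beans need a Java EE 5 container with that unit deployed, and the SE class needs a persistence.xml declaring it with RESOURCE_LOCAL transactions. The javax package names match the Java EE 5 era of the post.

```java
// Added example, not from the original post. File name: SeBootstrap.java
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.ejb.TransactionManagement;
import javax.ejb.TransactionManagementType;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Id;
import javax.persistence.Persistence;
import javax.persistence.PersistenceContext;
import javax.persistence.PersistenceUnit;
import javax.transaction.Status;
import javax.transaction.UserTransaction;

// Minimal entity shared by the three variants (assumed, not from the post).
@Entity
class Account {
    @Id private Long id;
    private String name;
    protected Account() {}
    Account(Long id, String name) { this.id = id; this.name = name; }
    void setName(String name) { this.name = name; }
}

// 1. @PersistenceContext: container-managed EntityManager. The container binds it to
//    the bean's JTA transaction and closes it; the bean never calls close().
@Stateless
class AccountServiceContainerManaged {
    @PersistenceContext(unitName = "accountsPU")   // unit name is assumed
    private EntityManager em;

    public void rename(Long id, String newName) {
        Account a = em.find(Account.class, id);
        if (a != null) a.setName(newName);           // flushed when the CMT transaction commits
    }
}

// 2. @PersistenceUnit inside a container: only the factory is injected. The code owns the
//    EntityManager's lifecycle and the transaction, and must close it on every path.
@Stateless
@TransactionManagement(TransactionManagementType.BEAN)
class AccountServiceApplicationManaged {
    @PersistenceUnit(unitName = "accountsPU")
    private EntityManagerFactory emf;
    @Resource
    private UserTransaction utx;

    public void rename(Long id, String newName) throws Exception {
        utx.begin();
        EntityManager em = null;
        boolean committed = false;
        try {
            em = emf.createEntityManager();   // created inside the JTA transaction, so it joins it
            Account a = em.find(Account.class, id);
            if (a != null) a.setName(newName);
            utx.commit();
            committed = true;
        } finally {
            if (!committed && utx.getStatus() == Status.STATUS_ACTIVE) utx.rollback();
            if (em != null) em.close();       // leaking this leaks its pooled connection
        }
    }
}

// 3. Plain Java SE: no container and no injection; the factory is built by hand and a
//    resource-local transaction is driven through the EntityManager itself.
public class SeBootstrap {
    public static void main(String[] args) {
        EntityManagerFactory emf = Persistence.createEntityManagerFactory("accountsPU");
        EntityManager em = emf.createEntityManager();
        try {
            em.getTransaction().begin();
            em.persist(new Account(1L, "alice"));
            em.getTransaction().commit();
        } finally {
            if (em.getTransaction().isActive()) em.getTransaction().rollback();
            em.close();
            emf.close();
        }
    }
}
```

Variant 1 is the least code and the hardest to get wrong, which is the case for @PersistenceContext whenever a container is available; variants 2 and 3 show exactly what the container is doing for you, and the try/finally blocks are what you take on when you choose @PersistenceUnit.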

Netbeans 5.5 Released

Netbeans 5.5 was released today. The new visual web pack preview is included. The visual web pack brings the functionality of Creator 2 to Netbeans. I am so excited to get it running on my Mac.

The visual components of JSF are realized for the first time in Netbeans. So far the only thing I do not like is that Creator 2 projects are not interchangeable with Netbeans. If you Open a Creator 2 project in Netbeans it will not work again in Creator 2.

I installed the Enterprise Pack with an existing installation of Glassfish 9.1 (V2 Build 19 Milestone 2), and the server would not start. I tried a number of things but it appears some corruption occurs. If you use the default included application server everything works as expected.

The failed server was running on:
PowerMac G5 Dual 2GHz 6.5GB RAM
OS X 10.4.8 (PPC)
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-112)
Java HotSpot(TM) Client VM (build 1.5.0_06-64, mixed mode, sharing)
Glassfish 9.1 (Version 2 Build 19 Milestone 2)

I opened an issue on the entpack at Netbeans. Issue # 88197

Saturday, October 28, 2006

Providence

I was just trying to decide if I wanted to open a Blogger account, and I selected a random person going by... Little did I know I would pick someone from my home state who does not live very far from me. Rachel Parker is her name and here is her blog.

Strange coincidence...or fate. One can never tell, but it was definitely the deciding factor. I shall leave it as providence.

Miscellaneous Notes

I tried to see about creating a blog on java.net, but have not found a link to where to sign up. I may need to ask a moderator.

I am working on completing a list of Java SE/EE performance tips. Once I have compiled the list I will post it to the blog.

Greenville Java Users Group Graduates Incubator

Finally I have had a chance to complete the steps required to graduate the GreenJUG site from the java.net incubator. I still need lots of assistance from the Java user community to make our JUG a success, but this will come with time and perseverance.

I have asked for some items to give away at meetings from Sun, O'Reilly, and JetBrains. Sun and O'Reilly have really stepped up to offer a bunch of goodies. We will see if JetBrains will offer some goodies.
