Wednesday, January 29, 2014

Liferay Portal SSL Configuration

Objective:

Configure SSL (Secure Socket Layer) for Liferay portal.

What is SSL?

SSL (Secure Sockets Layer) secures our application data on the network: it protects the data exchanged between web browsers and web servers. SSL is the mechanism that protects application data while it travels over the network, and it is used through the HTTPS protocol.

We have two protocols: HTTP and HTTPS.

HTTP is the simple protocol that web applications use for communication between client and server.

HTTPS is the same as HTTP, but it works over the secure socket layer so that application data is protected while it travels over the network.

When we send a request using the HTTPS protocol, it needs the help of SSL to protect the data.


How does SSL work?

SSL uses the HTTPS protocol to let the client communicate with the server over a secured layer, and to make it work we need SSL certificates.

What is an SSL certificate?

An SSL certificate is information that contains the public key, the private key and the data encryption algorithm information.

This information is used by the server to encrypt and decrypt data when the client and server communicate. Similarly, the client also uses the same information to encrypt and decrypt the request and response data.

This public and private key information is shared by the client and the server while they are communicating.

SSL Working Mechanism
  • We already know that SSL uses the HTTPS protocol in client-server communication.
  • When the communication uses the HTTPS protocol, application data travels over a secure layer in the network.
  • When the client sends a request to the server, the request data is encrypted using the SSL certificate information before it travels over the network. The certificate provides the encryption algorithm and the public and private keys used to encrypt the data.
  • Once the data is encrypted, the application data travels over the secure layer because it is an HTTPS request.
  • As soon as the request reaches the server, the server takes the request and decrypts the data using the same encryption algorithm and the public and private keys.
  • This information is available in the SSL certificate, so the server can read it and is able to decrypt. We already know that the client and server use the same certificate information and that the certificate is shared by the server and the client.
  • Once the request is decrypted, the server processes it and prepares the response. The server is now responsible for encrypting the response using the SSL certificate information.
  • Once the data is encrypted, it is sent to the client and uses the secure layer while it travels over the network.
  • As soon as the response reaches the client, the client can decrypt the data using the SSL certificate information.
  • This process applies to each and every request and response in the communication.

Note:

The server and client must communicate using the HTTPS protocol; only then can both sides understand that the communication is secure. The HTTPS protocol uses port 443 by default.

How to get the certificates?

We need to get SSL certificates from SSL certificate vendors in the market. We need to purchase a certificate and use it for our application. In a production environment we have to use trusted certificates from reputed vendors. Verisign is one such SSL certificate vendor.

How can I implement SSL in a local environment?

We will use a self-signed certificate in the local development environment.

How to create Self-Signed SSL Certificates in Local Development Environment?

We will use the Java Key Tool or the OpenSSL tool to create certificates in the local environment.

The Java Key Tool comes with the JDK by default, so we need to install Java on our machine to create self-signed certificates.

How to Configure SSL in Server?

We need to add the SSL certificate to the server JRE so that the server can use it. After adding the certificate to the server JRE, we need to configure the certificate information in the server configuration files and enable the HTTPS protocol on the server.

Note:

SSL configuration varies from server to server, depending on the server vendor. The server always looks for certificate information in the JRE/lib/security folder; this is the default location for certificates. The server reads the certificate information from the cacerts file, which is available in jre\lib\security of any JDK.

SSL configuration for Liferay Portal

The following are the steps to configure SSL in Liferay Portal.
  1. Create SSL certificate using Java Key Tool
  2. Configure SSL in Liferay Portal Server

Create SSL certificate using Java Key Tool

The following are the steps to create certificate using Java Key Tool
  • Generate Key
  • Export Key Information into Certificate
  • Import certificate into Server JRE

The Java Key Tool is a default tool that comes with Java. Before using it we need to install Java; once Java is installed we can use the Java Key Tool. We use the Java Key Tool from the command prompt to create the certificate.

Open a command prompt and go to the bin path of the Java installation, because the Java Key Tool is available there.

The following screen shows the example java bin path


Note:

If the Java path is set in your system, you can access the Java Key Tool from any directory. Otherwise we need to point to the Java bin path from the command prompt.

Generate Key

To generate the key we use the following command and pass some input values.
The following are the input options:


-alias:    a reference name for the key

-keyalg:  specifies the encryption algorithm that will be used when data is encrypted, such as RSA

-keypass:  the password for the key; by default we will use changeit


Enter the following command in the command prompt


keytool -genkey -alias tomcatserver -keypass changeit -keyalg RSA


Once you enter this command, it asks for some information. Provide it accordingly, and make sure that the first and last name is the name of your host (localhost) or your domain name. We should not provide an IP address.

The following is the information the tool asks for once we enter the above command


Enter keystore password: changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  ASW
What is the name of your organization?
  [Unknown]:  ASW
What is the name of your City or Locality?
  [Unknown]:  HK
What is the name of your State or Province?
  [Unknown]:  HK
What is the two-letter country code for this unit?
  [Unknown]:  HK
Is CN=localhost, OU=ASW, O=ASW, L=HK, ST=HK, C=HK correct?
  [no]:  yes


The key has now been generated and stored in the default keystore file, which is called .keystore

The default keystore (.keystore) file is available in the C:\Users\<username> directory of your computer

The following is an example of .keystore on my computer



Note:

If we want to store the generated key in our own keystore file, we use the following command


keytool -genkey -keystore c:\users\localhost.keystore -alias tomcatmeera -keyalg RSA

Provide the -keystore value; this is the path to our keystore file



Export Key Information into Certificate

We have already generated the key, and the key information is stored in the .keystore file. Now we need to export this key into a certificate; the name of the certificate is our choice, and the extension should be .cert

Example certificate name: myserver.cert

Enter the following command, which exports the key into the given certificate file


keytool -export -alias tomcatserver -keypass changeit -file myserver.cert


Note:

The above command searches for the key information in the .keystore file in the default location, i.e. C:\Users\<username>

We need to give the exact alias name that we used when we generated the key in the previous step

If the key is stored in our own keystore file, then we need to provide the keystore file path, as in the following command


keytool -export -alias tomcatmeera -keypass changeit -file myserver.cert -keystore c:/users/localhost.keystore




Import certificate into Server JRE

Now we need to import the certificate into the server JRE, because the server always searches for certificate information in the JRE that it uses.

Generally all certificates are available in the jdk1.6.0_43\jre\lib\security location, and the server always searches for certificates in this location.

We import all certificates into the cacerts file; this is the default file for the server. Now we need to import the certificate we created into cacerts (jdk1.6.0_43\jre\lib\security\cacerts)

Use the following command to import the certificate into cacerts


keytool -import -alias tomcatserver -file "C:\Users\E5410\myserver.cert" -keypass changeit -keystore "C:\Program Files\Java\jdk1.6.0_43\jre\lib\security\cacerts"


As soon as you enter the above command it asks for the password. After you enter the password it shows the certificate information; enter yes, and the certificate is imported into the JRE default certificate file (jre\lib\security\cacerts).

The following is the output after entering the above command


Enter keystore password:changeit
Owner: CN=meera, OU=meera, O=meera, L=meera, ST=meera, C=meera
Issuer: CN=meera, OU=meera, O=meera, L=meera, ST=meera, C=meera
Serial number: 52e7aad6
Valid from: Tue Jan 28 21:04:22 CST 2014 until: Mon Apr 28 21:04:22 CST 2014
Certificate fingerprints:
         MD5:  02:FC:FA:21:68:D1:26:57:07:3B:DB:B0:A2:1C:9A:5E
         SHA1: D8:52:61:D6:A3:33:97:1E:F9:2F:8C:56:38:26:0D:6C:59:CC:5E:AC
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore


Note:

We need to give the fully qualified path of the JRE default certificate location and of the certificate we created, and the paths are enclosed in quotes so that we do not see any errors.

We used the alias name in all steps because it is the reference name that identifies the certificate.

The following is the complete screen for creating a self-signed certificate that uses the default keystore file (C:\Users\<username>\.keystore)



Note:

The key password is changeit everywhere.

Please concentrate on the red rectangle areas in the above screen.

The following is the complete screen for creating a self-signed certificate that uses our own keystore file



Note:

The key password is changeit everywhere.

Please concentrate on the red rectangle areas in the above screen.

Configure SSL in Liferay Portal Server

Now the certificate is ready and we need to configure SSL in the server. We already know that SSL configuration changes from server to server.

Now we need to configure SSL for the Liferay Portal server. We are very familiar with the following Liferay Portal servers
  1. Liferay Portal Tomcat Server
  2. Liferay Portal JBoss Server

Liferay Portal Tomcat Server

To configure SSL in the Tomcat server we use the server.xml file and add a Connector tag with some SSL-related attributes.

Go to the Liferay Portal Tomcat server configuration directory and open the server.xml file in any editor.

The following is the server.xml location in the server


tomcat-7.0.40/conf/server.xml


Add the following Connector XML tag to server.xml

The following configuration always looks for certificate information in the JRE default certificate location or in the .keystore file in the default system user location

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="200" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" />


The following configuration explicitly specifies the keystore file location

<Connector protocol="HTTP/1.1"
 port="7443" maxThreads="200"
 scheme="https" secure="true" SSLEnabled="true"
 keystoreFile="C:/Users/localhost.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>


Note:

keystorePass is the password we provided at the time of certificate creation.

The Connector tag has many additional attributes that give additional support; in this configuration we use only the basic required attributes.

An SSL Connector tag is already defined in the server.xml file, but it is commented out. We can simply uncomment that SSL Connector tag and modify it accordingly instead of adding a new Connector tag.
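
A check for the two connector configurations above, written as an added example (it is not part of the original post or of Tomcat). It parses a constructed server.xml fragment and reports, per HTTPS connector, the settings that are left at well-known defaults; the hardened connector, its keystore path and its password are placeholders, and sslEnabledProtocols="TLSv1.2" assumes a JVM that supports it.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: a plain HTTP connector plus the two
# HTTPS connectors shown on this page.
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector protocol="HTTP/1.1" port="7443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="C:/Users/localhost.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed "corrected" connector; the path and password are placeholders
# and TLSv1.2 assumes a JVM that supports it.
HARDENED_XML = """\
<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="conf/portal.keystore"
             keystorePass="PLACEHOLDER-long-random-value"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
</Service></Server>
"""

DEFAULT_PASSWORD = "changeit"  # Tomcat's default keystorePass


def audit_connectors(xml_text):
    """Return {port: [finding, ...]} for every SSL-enabled <Connector>."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check here
        findings = []
        if conn.get("keystoreFile") is None:
            findings.append("keystoreFile unset: uses .keystore in the user home")
        if conn.get("keystorePass", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append("keystorePass is the well-known default 'changeit'")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append("scheme/secure do not mark requests as HTTPS")
        if conn.get("sslEnabledProtocols") is None:
            findings.append("sslEnabledProtocols unset: JVM default protocol list")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SERVER_XML).items():
        print(port, findings or "ok")
    print(audit_connectors(HARDENED_XML))
```

The keystorePass value sits in clear text in server.xml, so the file's permissions matter as much as the password itself.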

Generally, in a development environment we configure the server in Eclipse. When we configure the server in Eclipse, it creates a separate server instance, and that instance has its own configuration files.

When we make the SSL configuration in the original server.xml (tomcat7.0.40/conf/server.xml) file, the changes are not applied to the existing Eclipse local server configuration files.
So we should remove the old server in Eclipse and add a new local server, so that the new server instance has the SSL configuration.

The following is screen shows local server in eclipse



Go through following link to get more information about SSL configuration


Liferay Portal Jboss Server

In JBoss we also use a server configuration file to configure SSL. JBoss uses the standalone.xml file for this.

The following is the location of the standalone.xml file


jboss-7.1.1\standalone\configuration\standalone.xml


Now open the standalone.xml file and look for the following tag; this is the HTTP connector tag.

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>


Add the following SSL configuration below the above tag, as follows; this is the HTTPS connector tag.

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
   <ssl/>
 </connector>

With the above configuration in place, the server is enabled for the HTTPS protocol and uses SSL.

The <Connector/> tag has many additional attributes that give more support for SSL. We use only the basic configuration.

Like the Tomcat server, JBoss also looks for certificate information in the JRE default certificate location, i.e. jre\lib\security\cacerts

The following is more information about SSL configuration Jboss server


Note:

The most important thing is that we need to add the certificates to the server through the JRE.

As with Tomcat, when we use JBoss in Eclipse, please update the Eclipse server once the SSL configuration is completed in the original server configuration file, i.e. standalone.xml (jboss-7.1.1\standalone\configuration\standalone.xml)

When we update the server in Eclipse, the Eclipse server instance gets SSL support

Access Application in Secure Layer

To access the application over the secured network we need to use https, and the application uses the default port 443 when it uses the HTTPS protocol.

The following is URL to access Liferay Portal Application with https in secured way.


Note:

When we use self-signed certificates to access our application, the browser shows a message saying that the certificate is not trusted. Simply accept it and follow the further steps shown by the browser.

The following screen shows Liferay Portal in Chrome when we use self-signed certificates.

Simply click on the Proceed button so that you can view Liferay Portal in the browser.


The following is screen to show Accessing Liferay Portal using SSL


Important Points
  • SSL uses the HTTPS protocol to provide a secure layer for application data while it is on the network.
  • We need to add trusted certificate information to the server JRE so that data is encrypted or decrypted when client-server communication occurs.
  • In a real or production environment we need to get the SSL certificate from SSL vendors.
  • In the development environment we use self-signed certificates, which can be created using the Java Key Tool.
  • We need to add self-signed SSL certificates to the server JRE default SSL certificate location, i.e. jre\lib\security\cacerts
  • To configure SSL in the server we use the server configuration files; these file names vary from server to server.
  • To enable SSL we need to enable the HTTPS connector and pass the SSL certificate information there as attribute values.


Monday, January 27, 2014

Web Application Artifacts in Servlet Technology

When we develop web applications with Java servlet technology, we need certain artifacts.

Before reading this article, please go through the following article, which gives more information about web application technologies in Java


We need the following artifacts. They are all very important for building a servlet application in Java
  1. Web application Directory Structure
  2. Deployment Configuration File
  3. Servlet Java Class
  4. Servlet-api.jar file
  5. Servlet Container Provider Servers (Tomcat)

Web application Directory Structure

Any Java web application should have a particular directory structure. Once all development is done, we need to package it as a .war file.

What is war (Web Archive)?

A Web Archive is the standard package that represents a web application. A war can be understood by any web container/server. We need to package the application as a war and deploy it into servers.

We have Java commands to package a web application as a war file. We can also make a war file from the Eclipse IDE.

The following is an example web application directory structure.




The following is more about web application directory structure


Deployment Configuration File

The deployment configuration provides the full information about the application and its resources. We provide this information through the web.xml file, which has many predefined tags; all tag information is provided in the DTD file.

For a servlet web application, we need to configure the servlet in web.xml. The container uses this information to execute the appropriate servlet when the client requests a dynamic response through a simple HTTP URL.

The following is full details of tags in web.xml


The following is simple servlet information in web.xml file

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 <servlet>
    <servlet-name> helloWorldServlet </servlet-name>
    <servlet-class>com.liferaysavvy.meera.HelloWorldServlet</servlet-class>
 </servlet>
 <servlet-mapping>
    <servlet-name>helloWorldServlet </servlet-name>
    <url-pattern>/helloworldservlet </url-pattern>
 </servlet-mapping>
</web-app>

Servlet

Servlet is the parent tag; the servlet definition starts here. This tag has two child tags, servlet name and servlet class.

Servlet name:

The servlet name is a simple human-readable name that is the reference name for the servlet class.

Servlet class:

The servlet class is a simple Java class that contains the servlet behavior

Servlet mapping

The servlet mapping is simple URL information for the servlet container, which helps the container when the client makes a dynamic request. From the URL the container identifies which servlet to invoke/execute

The servlet mapping tag maps the servlet to a URL pattern. This tag has two child tags, i.e. servlet name and url-pattern

Servlet name we already know

url-pattern

The url-pattern tag maps the servlet to a simple HTTP URL pattern. This URL pattern is used by the client to invoke the servlet.

Note:

When we map a servlet class to a URL pattern, we need to use the servlet name as the common tag.

Servlet Java Class

A servlet Java class is a simple Java class that should implement the Java Servlet interface. The Servlet interface is a simple Java interface with certain abstract methods. To give servlet behavior to a Java class we need to implement the Servlet interface.

The servlet API implementation provides some servlet implementation classes. We use those classes and interfaces to give servlet behavior to our class.

Generally we need to implement the Servlet interface in our Java class, but in practice we use another Java class that has already implemented the Servlet interface.

The following is servlet implementation hierarchy



Note:

We will use HttpServlet, which uses the HTTP protocol to invoke the servlet from the client. Servlets can also be implemented for other protocols, but as of now only the HTTP-based servlet implementation is available.

The servlet API implementation is packaged as the servlet-api.jar file, which is the Sun Microsystems implementation.

Servlet-api.jar file

The servlet-api jar is a set of Java classes and interfaces implemented by Sun Microsystems. This is one of the servlet API implementations.

If we develop any application we need this jar file. We will use many classes and interfaces from it. This jar should be available in the application class path or the server global class path

What is class path?

The class path is a place where all Java classes and interfaces are available. We use the following as class path
  1. Application WEB-INF/classes directory
  2. Application WEB-INF/lib directory
  3. Server lib directory

Application WEB-INF/classes directory

Every web application has a WEB-INF/classes directory where all compiled Java classes are available. This directory is specific to the respective web application. Any class available in the WEB-INF/classes directory is loaded by the server into JVM memory as soon as the application is deployed in the server.

Application WEB-INF/lib directory

WEB-INF/lib is another class path for the server; all required jar files are placed here. The jars available in the WEB-INF/lib directory are used by the respective application. These are application-specific jar files.

Server lib directory

The server lib directory is called the global class path; this directory is shared by all web applications deployed in the server. Any jar file or Java class available in the server lib is available to all applications.

Note:

The server global class path or global lib varies depending on the server.

If a jar file is available in the server global class path, that jar should not also be available in the application class path; in such cases we will get class conflicts.

For Tomcat it is tomcat-7.0.40\lib; this is the default directory for Tomcat, and we can change it by configuring the details in catalina.properties.

Application Class path priority


WEB-INF/classes > WEB-INF/lib > Server lib directory


Servlet Container Provider Servers (Tomcat)

A servlet container is required to run a servlet. The container is responsible for managing the life cycle of the servlet.

A servlet container is provided by default by different server vendors, so we can run a servlet application in any server that has a servlet container.

Tomcat is one of the servers that provide a servlet container. We will use the Tomcat server to run servlet-based web applications.

Servlet Execution Flow
  • We already know that the servlet information is available in the web.xml file.
  • When the application is deployed in the server, the servlet container is responsible for reading all servlet information from the web.xml file.
  • The web.xml file contains the servlet name and its URL mapping. The servlet container creates servlet mapping objects in server memory; each object contains a servlet URL pattern and its respective servlet class.
  • The client makes a request through an HTTP URL, and the URL contains the servlet mapping pattern.
  • As soon as the server receives the request from the client, it delegates the request to the servlet container because the request is a dynamic request.
  • As soon as the request is received by the servlet container, it checks the servlet mapping objects in server memory.
  • If a mapping object is found for the client request, the container gets the respective servlet class information, creates the servlet object and executes the appropriate methods on that object.
  • These servlet methods are responsible for preparing the dynamic response in the form of HTML or another format the browser understands.
  • Once the response is prepared, the servlet container collects the response data from the servlet and gives the response back to the server.
  • As soon as the server gets the response from the container, it gives it to the client, and the client displays the response in the browser so that the user can view it.

Request for servlet/Call servlet:

In a web application we need to request the servlet with a particular URL pattern

The following is the generic URL for a request to a servlet


http://<hostName>:<port Number>/<application context>/<servlet url pattern>

Example:

http://localhost:8080/myapp/helloWorl


Host Name:

The host name is the name of the computer, or the domain name, where the server is running.

If we run the server on the local computer, it is localhost/127.0.0.1

If the server is running on a local area network or on the internet, we will have a domain name or an IP address

Example:

198.168.34.23

Application Context:

The application context is the name of our web application. This is our application's starting point.
We can see the application context name in the server deployments directory; in general the application name itself is the application context.

Example:  MyApp

Note:

The application name/context name should not have spaces or special characters.

Servlet URL pattern:

The servlet URL pattern is a simple string that is used in the URL requested by the client. We need to append the servlet URL pattern to the client request so that the servlet container can identify the servlet and execute it. We can see the servlet URL pattern in the web.xml file.

Example configuration in web.xml

<servlet-mapping>
    <servlet-name>helloWorldServlet </servlet-name>
    <url-pattern>/helloworldservlet </url-pattern>
 </servlet-mapping>
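
The lookup described in the execution flow and the URL breakdown above, as an added example (not code from the original post or from any servlet container). It builds the mapping objects from a constructed copy of the page's web.xml and resolves request URLs against them; trimming the whitespace around the names is an assumption about how the container reads the descriptor, and the path-prefix (/x/*), extension (*.ext) and default (/) patterns go beyond the exact match the page shows.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample based on the web.xml on this page, keeping the stray
# whitespace inside <servlet-name> and <url-pattern>.
WEB_XML = """\
<web-app>
 <servlet>
    <servlet-name> helloWorldServlet </servlet-name>
    <servlet-class>com.liferaysavvy.meera.HelloWorldServlet</servlet-class>
 </servlet>
 <servlet-mapping>
    <servlet-name>helloWorldServlet </servlet-name>
    <url-pattern>/helloworldservlet </url-pattern>
 </servlet-mapping>
</web-app>
"""


def load_mappings(web_xml):
    """Build {url-pattern: servlet-class}, as done once at deploy time."""
    root = ET.fromstring(web_xml)
    classes = {}
    for servlet in root.findall("servlet"):
        name = servlet.findtext("servlet-name").strip()
        classes[name] = servlet.findtext("servlet-class").strip()
    mappings = {}
    for mapping in root.findall("servlet-mapping"):
        name = mapping.findtext("servlet-name").strip()
        if name not in classes:
            raise ValueError("mapping refers to undeclared servlet: " + name)
        mappings[mapping.findtext("url-pattern").strip()] = classes[name]
    return mappings


def resolve(url, context, mappings):
    """Return the servlet class that handles url, or None if nothing matches."""
    path = urlsplit(url).path
    prefix = "/" + context.strip("/")
    if path != prefix and not path.startswith(prefix + "/"):
        return None  # request belongs to another application context
    servlet_path = path[len(prefix):] or "/"
    # 1. Exact match (patterns are case-sensitive).
    if servlet_path in mappings:
        return mappings[servlet_path]
    # 2. Longest matching path prefix, e.g. "/api/*".
    best = None
    for pattern, cls in mappings.items():
        if pattern.endswith("/*"):
            base = pattern[:-2]
            if servlet_path == base or servlet_path.startswith(base + "/"):
                if best is None or len(base) > len(best[0]):
                    best = (base, cls)
    if best is not None:
        return best[1]
    # 3. Extension match, e.g. "*.do".
    last = servlet_path.rsplit("/", 1)[-1]
    if "." in last and "*." + last.rsplit(".", 1)[1] in mappings:
        return mappings["*." + last.rsplit(".", 1)[1]]
    # 4. Default servlet, if one is mapped to "/".
    return mappings.get("/")


if __name__ == "__main__":
    table = load_mappings(WEB_XML)
    print(resolve("http://localhost:8080/myapp/helloworldservlet", "myapp", table))
    print(resolve("http://localhost:8080/myapp/helloWorl", "myapp", table))
```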

