Wednesday, June 13, 2018

Tomcat Install

1. Reference: Apache Tomcat 7.0 study notes (download, configuration)
http://chuangmaster.pixnet.net/blog/post/184130259-%5Bjava-ee%5Dapache-tomcat-7.0-%E5%AD%B8%E7%BF%92%E7%AD%86%E8%A8%98%28%E4%B8%8B%E8%BC%89%E3%80%81%E8%A8%AD%E5%AE%9A%E3%80%81


2. Change the port to 80 (running Tomcat on port 80)
http://blog.xuite.net/tolarku/blog/208730160-Tomcat+%E9%81%8B%E8%A1%8C%E5%9C%A8+port+80
Note: on Linux a port below 1024 can only be bound by root, so do not start Tomcat as root just to get port 80; keep it on 8080 under its own user and put a reverse proxy or an iptables/firewalld port redirect in front, or grant the binary CAP_NET_BIND_SERVICE.

Monday, June 4, 2018

Tomcat JMX configuration and the jmx.password "必須限制密碼檔案讀取存取" (password file read access must be restricted) error


1. What is JMX?

JMX (Java Management Extensions) is the Java platform framework for building management capabilities into applications, devices and systems. It spans heterogeneous operating systems, system architectures and network transports, so that integrated system, network and service management applications can be developed flexibly.

JMX is short for Java Management Extensions; its main purpose is managing applications that run on the JVM. Suppose you have to manage five services running on different machines: monitor how each one is running, plus the memory, CPU and thread count of every machine. How would you do it?
You could log in to each machine and run commands to look at Linux memory and CPU. But what about the applications themselves? Write code that ships their state over the network? What if the program was written by someone else? Then you have to learn how it communicates. Different applications are like people speaking different languages: you would need a translator for each one that converts to a common format and sends it over the network to your client, otherwise the client has to do the translating itself and understand N different protocols, and every time a new application needs monitoring the client has to change...
Exhausting just to think about, isn't it? JMX was invented to solve exactly this problem.

ref 1


2. Architecture diagram:




3. Tomcat error message (where the text comes from)

ref 1
barchart-oracle-study/oracle-jdk-7.21-rt/src/main/java/sun/management/resources/agent_zh_HK.java


package sun.management.resources;

import java.util.ListResourceBundle;

// zh_HK message bundle of the JDK management agent. The message in the title,
// "必須限制密碼檔案讀取存取", is agent.err.password.file.access.notrestricted;
// the form with the file name appended ("...: {0}") is
// jmxremote.ConnectorBootstrap.password.readonly. Both are emitted when the
// JVM refuses to start remote JMX because jmxremote.password is readable by
// users other than its owner.
public final class agent_zh_HK extends ListResourceBundle
{
  protected final Object[][] getContents()
  {
    return new Object[][] { { "agent.err.access.file.not.readable", "存取檔案無法讀取" }, { "agent.err.access.file.notfound", "找不到存取檔案" }, { "agent.err.access.file.notset", "未指定存取檔案,但 com.sun.management.jmxremote.authenticate=true" }, { "agent.err.access.file.read.failed", "無法讀取存取檔案" }, { "agent.err.acl.file.access.notrestricted", "必須限制密碼檔案讀取存取" }, { "agent.err.acl.file.not.readable", "SNMP ACL 檔案無法讀取" }, { "agent.err.acl.file.notfound", "找不到 SNMP ACL 檔案" }, { "agent.err.acl.file.notset", "未指定 SNMP ACL 檔案,但 com.sun.management.snmp.acl=true" }, { "agent.err.acl.file.read.failed", "無法讀取 SNMP ACL 檔案" }, { "agent.err.agentclass.access.denied", "存取 premain(String) 遭到拒絕" }, { "agent.err.agentclass.failed", "管理代理程式類別失敗 " }, { "agent.err.agentclass.notfound", "找不到管理代理程式類別" }, { "agent.err.configfile.access.denied", "存取配置檔案遭到拒絕" }, { "agent.err.configfile.closed.failed", "無法關閉配置檔案" }, { "agent.err.configfile.failed", "無法讀取配置檔案" }, { "agent.err.configfile.notfound", "找不到配置檔案" }, { "agent.err.connector.server.io.error", "JMX 連接器伺服器通訊錯誤" }, { "agent.err.error", "錯誤" }, { "agent.err.exception", "代理程式發生異常 " }, { "agent.err.exportaddress.failed", "將 JMX 連接器位址匯出至設備緩衝區失敗" }, { "agent.err.file.access.not.restricted", "必須限制檔案讀取存取權" }, { "agent.err.file.not.found", "找不到檔案" }, { "agent.err.file.not.readable", "檔案無法讀取" }, { "agent.err.file.not.set", "未指定檔案" }, { "agent.err.file.read.failed", "無法讀取檔案" }, { "agent.err.invalid.agentclass", "com.sun.management.agent.class 屬性值無效" }, { "agent.err.invalid.jmxremote.port", "com.sun.management.jmxremote.port 號碼無效" }, { "agent.err.invalid.jmxremote.rmi.port", "com.sun.management.jmxremote.rmi.port 號碼無效" }, { "agent.err.invalid.option", "指定的選項無效" }, { "agent.err.invalid.snmp.port", "com.sun.management.snmp.port 號碼無效" }, { "agent.err.invalid.snmp.trap.port", "com.sun.management.snmp.trap 編號無效" }, { "agent.err.invalid.state", "無效的代理程式狀態" }, { "agent.err.password.file.access.notrestricted", "必須限制密碼檔案讀取存取" }, { "agent.err.password.file.not.readable", 
"密碼檔案無法讀取" }, { "agent.err.password.file.notfound", "找不到密碼檔案" }, { "agent.err.password.file.notset", "未指定密碼檔案,但 com.sun.management.jmxremote.authenticate=true" }, { "agent.err.password.file.read.failed", "無法讀取密碼檔案" }, { "agent.err.premain.notfound", "代理程式類別中不存在 premain(String)" }, { "agent.err.snmp.adaptor.start.failed", "無法使用位址啟動 SNMP 配接卡" }, { "agent.err.snmp.mib.init.failed", "無法初始化 SNMP MIB,出現錯誤" }, { "agent.err.unknown.snmp.interface", "不明的 SNMP 介面" }, { "agent.err.warning", "警告" }, { "jmxremote.AdaptorBootstrap.getTargetList.adding", "正在新增目標: {0}" }, { "jmxremote.AdaptorBootstrap.getTargetList.initialize1", "配接卡就緒。" }, { "jmxremote.AdaptorBootstrap.getTargetList.initialize2", "SNMP 配接卡就緒,位於: {0}:{1}" }, { "jmxremote.AdaptorBootstrap.getTargetList.processing", "正在處理 ACL" }, { "jmxremote.AdaptorBootstrap.getTargetList.starting", "正在啟動配接卡伺服器:" }, { "jmxremote.AdaptorBootstrap.getTargetList.terminate", "終止 {0}" }, { "jmxremote.ConnectorBootstrap.file.readonly", "必須限制檔案讀取存取權: {0}" }, { "jmxremote.ConnectorBootstrap.noAuthentication", "無認證" }, { "jmxremote.ConnectorBootstrap.password.readonly", "必須限制密碼檔案讀取存取: {0}" }, { "jmxremote.ConnectorBootstrap.ready", "JMX 連接器就緒,位於: {0}" }, { "jmxremote.ConnectorBootstrap.starting", "正在啟動 JMX 連接器伺服器:" } };
  }
}


4. The file in question

jmx.password (the JDK's own name for it is jmxremote.password; its location is taken from -Dcom.sun.management.jmxremote.password.file, defaulting to the template under the JRE's lib/management directory, and it is only consulted when com.sun.management.jmxremote.authenticate=true)



5. How to solve it? ref 1 from Oracle, ref 2, 3

  On Linux/Unix the same check passes when the file belongs to the user that runs the JVM and has no group or other permission bits: chown it to that user and chmod 600 jmxremote.password (do the same for jmxremote.access). The Oracle procedure for Windows, where the JDK inspects the file's ACL instead:

  1. In Windows Explorer, navigate to the directory containing the jmxremote.password file.
  2. Right-click on the jmxremote.password file and select the Properties option.
    (figure: the jmxremote.password file properties)
  3. Select the Security tab.
    (figure: the jmxremote.password file's security properties)
    If you are using Windows XP Professional Edition and the computer is not part of a domain, then the Security tab will not be automatically visible. To reveal the Security tab, you must perform the following steps.
  4. Select the Advanced button in the Security tab.
    (figure: advanced security properties)
  5. Select the Owner tab to check whether the file owner matches the user under which the Java VM is running.
    (figure: checking who owns the password file)
  6. Select the Permissions tab to set the permissions.
    If there are permission entries inherited from a parent directory that allow users or groups other than the owner access to the file, then clear the "Inherit from parent the permission entries that apply to child objects" checkbox.

    (figure: blocking inheritance of file permissions from parent objects)




6. Adding the JMX settings


1 .   https://gist.github.com/buonzz/7ba34958a029df19a2a6
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=9999"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.rmi.port=9999"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
export CATALINA_OPTS="$CATALINA_OPTS -Djava.rmi.server.hostname=your ip"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.local.only=false"



2.   http://www.andowson.com/posts/list/424.page
1. Edit setenv.sh and add the following (JMX_PORT must already be set in the environment):
CATALINA_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=${JMX_PORT} -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"

The complete file after the change:
JAVA_HOME="/usr/java/latest"
JAVA_OPTS="-server -XX:NewSize=503m -XX:MaxNewSize=503m -XX:SurvivorRatio=8 -XX:MaxPermSize=128m -Xss768k -Xms2013m -Xmx2013m -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true"
CATALINA_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=${JMX_PORT} -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"


3.  apache http://tomcat.apache.org/tomcat-6.0-doc/monitoring.html





4. Start from the content above; good link: 1
When Tomcat runs as a Windows service, open Tomcat8w.exe -> Java -> Java Options and add each -D option on its own line (the Java Options box takes one option per line, without "set CATALINA_OPTS="):

  -Dcom.sun.management.jmxremote
  -Dcom.sun.management.jmxremote.port=%my.jmx.port%
  -Dcom.sun.management.jmxremote.ssl=false
  -Dcom.sun.management.jmxremote.authenticate=false

When starting from catalina.bat / setenv.bat instead, the same options go into CATALINA_OPTS on a single line:

set CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=%my.jmx.port% -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false
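Every variant quoted in this section enables remote JMX with authenticate=false and ssl=false. That is fine on a developer box behind a firewall, but on any reachable interface it lets whoever can open the port read and invoke MBeans with no credentials, which is exactly what the jmxremote.password check from section 5 exists to prevent (the password file pairs with jmxremote.access, which assigns readonly/readwrite roles). The script below is an added example for these notes, not code from the page, Tomcat or the JDK: it parses a CATALINA_OPTS line and reports the risky settings, and it reproduces the JDK's POSIX rule for the password file (no group/other permission bits, owned by the JVM user) on a temporary file. The file paths in HARDENED_OPTS are assumptions.

```python
"""Audit remote-JMX flags in CATALINA_OPTS and check jmxremote.password permissions.

Added example; not code from the page, Tomcat or the JDK. The permission rule is
the POSIX one: the JDK starts remote JMX only when the password file carries no
group/other bits (mode 600 or 400). Paths in HARDENED_OPTS are illustrative."""
import os
import shlex
import stat
import tempfile

JMX = "com.sun.management.jmxremote."

# The gist's settings as quoted above: remote JMX, no authentication, no TLS.
GIST_OPTS = (
    "-Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.rmi.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Djava.rmi.server.hostname=10.0.0.5 "
    "-Dcom.sun.management.jmxremote.local.only=false"
)

# Same port, but password/access-file authentication and TLS on the registry and
# the connector. File locations are assumptions for this example.
HARDENED_OPTS = (
    "-Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.rmi.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.password.file=/opt/tomcat/conf/jmxremote.password "
    "-Dcom.sun.management.jmxremote.access.file=/opt/tomcat/conf/jmxremote.access "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Dcom.sun.management.jmxremote.registry.ssl=true "
    "-Djavax.net.ssl.keyStore=/opt/tomcat/conf/jmx-server.p12 "
    "-Djava.rmi.server.hostname=10.0.0.5"
)


def parse_jvm_props(opts):
    """Turn '-Dkey=value -Dflag ...' into {key: value}; a bare -Dflag maps to ''."""
    props = {}
    for tok in shlex.split(opts):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props


def audit_jmx_opts(opts):
    """Return a list of findings for a CATALINA_OPTS line; an empty list means nothing to fix."""
    p = parse_jvm_props(opts)
    findings = []
    if JMX + "port" not in p:
        return findings  # remote JMX is not enabled, so nothing is exposed
    if p.get(JMX + "authenticate", "true").lower() == "false":
        findings.append("authenticate=false: anyone who can reach the port may invoke MBeans")
    if p.get(JMX + "ssl", "true").lower() == "false":
        findings.append("ssl=false: credentials and MBean traffic cross the network in clear")
    if p.get(JMX + "local.only", "true").lower() == "false":
        findings.append("local.only=false: the local management agent also accepts remote connections")
    if JMX + "rmi.port" not in p:
        findings.append("rmi.port unset: the RMI server picks a random port that cannot be firewalled")
    return findings


def secret_file_is_restricted(path, uid=None):
    """True when the file has no group/other permission bits (the condition the JDK
    enforces on jmxremote.password on POSIX) and, if uid is given, is owned by uid."""
    st = os.stat(path)
    if uid is not None and st.st_uid != uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo_password_file():
    """Create a throwaway password file; show it rejected at 644 and accepted at 600."""
    fd, path = tempfile.mkstemp(prefix="jmxremote.password.")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        too_open = secret_file_is_restricted(path, os.getuid())
        os.chmod(path, 0o600)  # the fix: chmod 600 jmxremote.password
        locked = secret_file_is_restricted(path, os.getuid())
        return too_open, locked
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, opts in (("gist", GIST_OPTS), ("hardened", HARDENED_OPTS)):
        print(name, audit_jmx_opts(opts) or "no findings")
    print("password file 644 -> %s, 600 -> %s" % demo_password_file())
```

Run it on the real line from setenv.sh (paste it into audit_jmx_opts) before opening the port in the firewall; the rmi.port finding matters because without it the RMI connector lands on an ephemeral port and the firewall rule for 9999 alone does not contain it.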




7. Windows authorization
1. https://ithelp.ithome.com.tw/questions/10080019
2. Tomcat install (10 Tomcat configuration tips)  http://fecbob.pixnet.net/blog/post/38258323-tomcat%E9%85%8D%E7%BD%AE%E7%9A%8410%E5%80%8B%E6%8A%80%E5%B7%A7-





Friday, June 1, 2018

Java keytool and keystore


1. Description  (keytool ref, ref1)
Keytool is the Java tool for managing keys and certificates. It stores keys and certificates in a file called a keystore. A keystore holds two kinds of entries:
  • Key entries: a secret key, or a private key together with the certificate chain for its public key (asymmetric cryptography)
  • Trusted certificate entries: contain a public-key certificate only
alias: every entry in a keystore is identified by a unique alias; aliases are case-insensitive

Commonly used keytool commands in the JDK:
  • -genkey (the old name of -genkeypair): creates the default keystore ".keystore" in the user's home directory and an entry under the default alias mykey holding the user's public key, private key and self-signed certificate (when no location is given the keystore lands in the user's home directory; on Windows, for example, C:\Documents and Settings\UserName\.keystore)
  • -alias: the alias to create or operate on
  • -keystore: the keystore file to use (the entries are then written there instead of to .keystore)
  • -keyalg: the key algorithm (e.g. RSA; older JDKs default to DSA when it is omitted, so always state it)
  • -validity: how many days the generated certificate is valid
  • -keysize: the key length in bits
  • -storepass: the keystore password (needed to read the keystore)
  • -keypass: the password of the alias entry (protects the private key)
  • -dname: the certificate subject, e.g. "CN=first and last name,OU=organizational unit,O=organization,L=city or locality,ST=state or province,C=two-letter country code"
  • -list: show the entries in the keystore      keytool -list -v -keystore <keystore> -storepass <password>
  • -v: verbose output (full certificate details)
  • -export (the old name of -exportcert): export the certificate of an alias to a file  keytool -export -alias <alias to export> -keystore <keystore> -file <path and name of the exported certificate> -storepass <password>
  • -file: the file to export to
  • -delete: delete an entry from the keystore  keytool -delete -alias <alias to delete> -keystore <keystore> -storepass <password>
  • -printcert: show an exported certificate          keytool -printcert -file yushan.crt
  • -keypasswd: change the password of one entry: keytool -keypasswd -alias <alias> -keypass <old password> -new <new password> -storepass <keystore password> -keystore sage
  • -storepasswd: change the keystore password: keytool -storepasswd -keystore e:\polin.keystore (the keystore whose password is being changed) -storepass 123456 (current password) -new polinwei (new password)
  • -import (the old name of -importcert): import a signed certificate into the keystore  keytool -import -alias <alias for the new entry> -keystore <keystore> -file <certificate to import>

ref2 


1-2 ref2
C:\Program Files\Java\jdk1.8.0_111\bin>keytool
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name


Example:
keytool -v -list -keystore .keystore

ref2
1. Import a certificate into the keystore
      keytool -import -alias xxx -file xxx.cer -keystore .keystore

2. List the contents of the keystore
      keytool -list -v -keystore .keystore

3. Delete one certificate from the keystore
      keytool -delete -alias xxx -keystore .keystore

4. Generate a key pair (RSA, an asymmetric algorithm)
      keytool -genkey -alias xxx -keyalg RSA -keystore .keystore

5. Generate a certificate signing request
      keytool -certreq -alias xxx -file certreq.txt -keystore .keystore

6. List the contents of a PKCS12 keystore
      keytool -list -v -keystore .keystore -storetype pkcs12

7. Create a keystore containing a private key
      keytool -genkey -alias keyAlias -keyalg RSA -keystore keystore.jks

8. Change the keystore password
      keytool -storepasswd -new newPassword -keystore keystore.jks

(All options take an ASCII hyphen; the typographic dash that word processors substitute, as in "–import", is rejected by keytool as an illegal option.)


9. Inspect the JRE's CA truststore (ref)
C:\j2sdk1.4.2_04\jre\bin>keytool -list -keystore ./cacerts
(the default password of cacerts is changeit; change it if the file is ever edited on a shared host)


2. When you need it:
When a Java program connects to an https endpoint you sometimes get
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
which means no certificate in the chain presented by the server is trusted by the JVM's truststore (typically a private CA or a self-signed server certificate).

http://blog.51cto.com/huangwq/1859536


3. Solution 1
https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target
https://blog.csdn.net/catoop/article/details/51155224

Build jssecacerts with a program (InstallCert)
It will display the complete certificate chain and then add the certificate to a Java KeyStore named 'jssecacerts' in the current directory.
To use it in your program, either configure JSSE to use it as its trust store or copy it into your $JAVA_HOME/jre/lib/security directory. If you want all Java applications to recognize the certificate as trusted and not just JSSE, you could also overwrite the cacerts file in that directory.


4. CA-related files (ref1)


I am quite confused about the difference between the cacerts and jssecacerts files.
I know that by default Java looks for the jssecacerts file first and then for the cacerts file.
But what is the point of the jssecacerts file?
My understanding is that if a new truststore is needed, a copy of cacerts should be created and all the newly trusted CAs added to that copy. That copy (with the new CAs) should then be referenced through the -Djavax.net.ssl.trustStore system property. That way, other Java applications running on the machine do not accidentally trust the non-default CAs.


  1. the system property javax.net.ssl.trustStore
  2. java-home/lib/security/jssecacerts
  3. java-home/lib/security/cacerts (ships by default)
I think this is based on the idea of convention over configuration. Without any extra coding effort, cacerts is used. For additional private CAs/signers, developers can use the first or the second way; the former may contain only one specific certificate, while the latter contains a list of trusted entries.
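The lookup order above has one trap worth seeing in code: when javax.net.ssl.trustStore is set explicitly there is no fallback, so a wrong path does not quietly revert to cacerts but gives JSSE an empty trust store, and every https connection fails with the "unable to find valid certification path" exception from section 2. The function below is an added example for these notes, not the JDK's code: it takes java.home (the jre/ directory on JDK 8, the JDK root on JDK 9+) and a dict of -D properties and returns the store JSSE will load, then walks the three cases in a throwaway directory.

```python
"""Which trust store will this JVM load? Added example encoding the JSSE lookup
order (javax.net.ssl.trustStore, then lib/security/jssecacerts, then
lib/security/cacerts); not code from the page or the JDK."""
import os
import tempfile


def resolve_truststore(java_home, sysprops, exists=os.path.isfile):
    """Return {source, path, present} for the store JSSE will use.

    An explicit javax.net.ssl.trustStore wins even when the file is missing:
    JSSE then builds an empty trust store, so present=False here means every
    TLS handshake will fail, not that cacerts is used instead."""
    explicit = sysprops.get("javax.net.ssl.trustStore")
    if explicit is not None:
        if explicit == "NONE":  # tell JSSE to load no file at all
            return {"source": "property", "path": None, "present": False}
        return {"source": "property", "path": explicit, "present": exists(explicit)}
    for name in ("jssecacerts", "cacerts"):
        path = os.path.join(java_home, "lib", "security", name)
        if exists(path):
            return {"source": name, "path": path, "present": True}
    return {"source": "none", "path": None, "present": False}


def demo():
    """Walk through the three cases in a temporary java.home.

    Returns (store used with only cacerts, store used once jssecacerts exists,
    whether a mistyped -Djavax.net.ssl.trustStore path is found)."""
    with tempfile.TemporaryDirectory() as home:
        sec = os.path.join(home, "lib", "security")
        os.makedirs(sec)
        open(os.path.join(sec, "cacerts"), "w").close()
        only_cacerts = resolve_truststore(home, {})["source"]
        open(os.path.join(sec, "jssecacerts"), "w").close()  # InstallCert's output, copied in
        with_jsse = resolve_truststore(home, {})["source"]
        typo = resolve_truststore(home, {"javax.net.ssl.trustStore": os.path.join(home, "missing.jks")})
        return only_cacerts, with_jsse, typo["present"]


if __name__ == "__main__":
    print(demo())  # ('cacerts', 'jssecacerts', False)
```

When the exception from section 2 appears on a host that has a dedicated truststore, check this first: `java -XshowSettings:properties -version` style inspection of javax.net.ssl.trustStore and a plain `ls` of the path catch the empty-store case faster than re-importing certificates.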


5. Dealing with failures to fetch site data over SSL


6. How to get the certificate

import re
import subprocess

# Ask keytool to fetch the server's certificate chain and print it. The subject
# of the first certificate appears as "Owner: CN=..., O=..., C=...". Note that
# -printcert -sslserver only downloads the chain; it does not validate it.
out = subprocess.run(
    ["keytool", "-printcert", "-sslserver", "google.com:443"],
    capture_output=True, text=True, check=True).stdout
for line in out.splitlines():
    if line.startswith("Owner:"):
        m = re.search(r"CN=([^,]+)", line)
        if m:
            print(m.group(1))
        break



7. Security overview
ref1


8. Java parameters
ref 1
  • Keystore file, keystore.jks, contains the Application Server's certificate, including its private key. The keystore file is protected with a password, initially changeit. Change the password using keytool. For more information about keytool, read Using the keytool Utility.
    Each keystore entry has a unique alias. After installation, the Application Server keystore has a single entry with alias s1as.
  • Truststore file, cacerts.jks, contains the Application Server's trusted certificates, including public keys for other entities. For a trusted certificate, the server has confirmed that the public key in the certificate belongs to the certificate's owner. Trusted certificates generally include those of certification authorities (CAs).
    In the Platform Edition, on the server side, the Application Server uses the JSSE format, which uses keytool to manage certificates and key stores. In the Enterprise Edition, on the server side, the Application Server uses NSS, which uses certutil to manage the NSS database which stores private keys and certificates. In both editions, the client side (appclient or stand-alone), uses the JSSE format.
    By default, the Application Server is configured with a keystore and truststore that will work with the example applications and for development purposes. For production purposes, you may wish to change the certificate alias, add other certificates to the truststore, or change the name and/or location of the keystore and truststore files.

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

I could set the keystore and truststores to be used as jvm parameters or system properties as follows:  ref 
java -Djavax.net.ssl.keyStore=serverKeys 
-Djavax.net.ssl.keyStorePassword=password 
-Djavax.net.ssl.trustStore=serverTrust 
-Djavax.net.ssl.trustStorePassword=password SSLApplication


You used the following JVM java -D system property command arguments to specify the keystore and truststore files:
  • -Djavax.net.ssl.keyStore specifies the keystore file.
  • -Djavax.net.ssl.keyStorePassword specifies the passphrase of the keystore.
  • -Djavax.net.ssl.trustStore specifies the truststore file to use to validate client certificates.
  • -Djavax.net.ssl.trustStorePassword specifies the passphrase to access the truststore file.

setlocal
set CLIENT_CERT=C:\Endeca\PlatformServices\workspace\etc\eneCert.jks
set CATALINA_OPTS=-Djavax.net.ssl.keyStore=%CLIENT_CERT% -Djavax.net.ssl.keyStorePassword=endeca -Djavax.net.ssl.trustStore=%CLIENT_CERT% -Djavax.net.ssl.trustStorePassword=endeca
cd c:\tomcat\bin
call c:\tomcat\bin\startup.bat
endlocal



Flow  ref

  1. A client tries to access https://
  2. And thus, Server responds by providing a SSL certificate (which is stored in its keyStore)
  3. Now, the client receives the SSL certificate and verifies it via trustStore (i.e the client's trustStore already has pre-defined set of certificates which it trusts.). Its like : Can I trust this server ? Is this the same server whom I am trying to talk to ? No middle man attacks ?
  4. Once, the client verifies that it is talking to server which it trusts, then SSL communication can happen over a shared secret key.




9. Creation flow (ref)

Creating keystore and truststore files with keytool

JSSE uses truststore and keystore files to secure data transfer between client and server. keytool can create a keystore that contains the public and private key, and from that keystore create a truststore that contains only the public key (the certificate). Here we create the truststore and keystore in five simple steps:

    Generate a keystore containing one private key
    Verify the newly generated keystore
    Export the certificate file
    Import the certificate into the truststore
    Verify the newly created truststore





10. ref
There were a few ways I found to do this:
    java InstallCert [host]:[port]
    keytool -exportcert -keystore jssecacerts -storepass changeit -alias [host]-1 -file output.cert
    keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert
(InstallCert stores each certificate of the chain under the alias <host>-<n>, so -exportcert needs -alias [host]-1; without -alias keytool looks for the default alias mykey and fails.)