Monthly Archives: March 2016

Using keystore in JAVA for Self-Signed SSL certificates

You may see the following error when a Java program talks to a domain that uses a self-signed certificate:

sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

In that case, make the Java program trust the domain's certificate as follows:

1. Fetch the server's certificate. Redirect stdin from /dev/null so s_client exits after the handshake instead of waiting for input, pass -servername so a name-based virtual host presents the right certificate, and pipe the output through openssl x509 so the file contains only the PEM certificate and not the rest of the s_client transcript:

openssl s_client -connect somedomain.com:443 -servername somedomain.com </dev/null | openssl x509 -outform PEM > cert1.cert

Before importing it, compare the certificate's fingerprint with a value obtained out of band from whoever runs the server: importing an unverified certificate into the trust store is exactly how a man-in-the-middle becomes trusted.

2. Import the certificate into a Java keystore:

D:\runtime\jdk8u45x64\bin\keytool -import -v -trustcacerts 
-file cert1.cert -keystore cacerts1.jks 
-alias somealias -keypass "changeit" -storepass "changeit"

Type “yes” when keytool prompts you to accept the certificate.

3. Add JVM arguments to your program (the path must point at the keystore created in step 2):

-Djavax.net.ssl.trustStore="D:\projects\my\cacerts3.jks"
-Djavax.net.ssl.trustStorePassword="changeit"

Note that these properties replace the JDK's default trust store (lib/security/cacerts) rather than extending it: with them set, the program trusts only what is in your keystore, and connections to hosts with ordinary CA-issued certificates will now fail with the same SunCertPathBuilderException. If the program also talks to public hosts, import the certificate into a copy of the JDK's cacerts and point trustStore at that copy instead.

4. (Optional) Debugging arguments, which show which trust store was loaded and why certification path building fails:

-Djava.security.debug=certpath
-Djavax.net.debug=trustmanager

The similarly named keyStore properties are not useful here: they configure the certificate and private key the client presents for TLS client authentication, not which server certificates it trusts:

-Djavax.net.ssl.keyStore="D:\projects\my\cacerts3.jks"
-Djavax.net.ssl.keyStorePassword="changeit"
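The whole procedure as one script, as an added example that is not part of the original post. It assumes openssl and keytool are on PATH and JAVA_HOME is set; host name, alias and file names are placeholders. Unlike the steps above, it builds the trust store as a copy of the JDK's own cacerts, so public CAs stay trusted next to the self-signed certificate, and it prints the SHA-256 fingerprint so you can verify it out of band before trusting it.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server certificate,
# show its fingerprint, and build a trust store that EXTENDS the JDK's
# default cacerts instead of replacing it.  Host names, paths and the
# alias are placeholders.
set -eu

# Reduce an `openssl s_client` transcript on stdin to just the leaf
# certificate in PEM form (openssl skips everything before -----BEGIN).
pem_from_s_client_output() {
    openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:...".
# Compare this with a value obtained out of band before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Fetch the certificate a TLS server presents for HOST:PORT.
# </dev/null makes s_client exit after the handshake; -servername (SNI)
# makes name-based virtual hosts present the right certificate.
fetch_server_cert() {  # usage: fetch_server_cert host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | pem_from_s_client_output > "$3"
}

# Locate the JDK's default trust store (JDK 9+ layout first, then JDK 8).
default_cacerts() {
    for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    echo "cacerts not found under JAVA_HOME=$JAVA_HOME" >&2
    return 1
}

# Copy the default cacerts and add CERTFILE under ALIAS, so public CAs stay
# trusted alongside the self-signed certificate.  "changeit" is the JDK's
# well-known default password; change it on the copy if that matters to you.
make_truststore() {  # usage: make_truststore certfile alias outstore
    cp "$(default_cacerts)" "$3"
    keytool -importcert -noprompt -trustcacerts \
        -alias "$2" -file "$1" -keystore "$3" -storepass changeit
}

# Example run with placeholder names; uncomment to use.
# fetch_server_cert somedomain.com 443 cert1.cert
# echo "fingerprint: $(cert_fingerprint cert1.cert)"   # verify out of band first
# make_truststore cert1.cert somealias cacerts1.jks
# java -Djavax.net.ssl.trustStore=cacerts1.jks \
#      -Djavax.net.ssl.trustStorePassword=changeit -jar myapp.jar
```

Because the trust store is a copy of cacerts, the -Djavax.net.ssl.trustStore switch no longer cuts the program off from every CA-issued site; only the one self-signed certificate is added on top.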

Thanks to:
https://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html
https://docs.oracle.com/cd/E29585_01/PlatformServices.61x/security/src/csec_ssl_jsp_start_server.html
http://stackoverflow.com/a/20190493
https://github.com/denimgroup/threadfix/wiki/Importing-Self-Signed-Certificates

Execute command from other user in Linux

Linux makes it easy to run a command as a different user when you are logged in as root (or have sudo rights).
Here are two ways to do it:

1. Using the sudo command:

  sudo -u <username> <command> [arguments]

Example: sudo -u www-data php occ

The command and its arguments are passed to sudo as separate words. Do not wrap them in a single quoted string, or sudo will look for a program whose name contains spaces and fail.

2. Using the su command:

  su - <username> -c "<commands>"

Example: su - www-data -c 'php /var/www/html/console.php files:scan --all'

Here the whole command line is one string that the target user's login shell parses. Service accounts such as www-data usually have their shell set to /usr/sbin/nologin, in which case su refuses to run anything; add -s /bin/sh to override the shell.
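A small wrapper that covers both ways, as an added example that is not part of the original post. It passes the command as separate argv words to sudo, and re-quotes them into one string only for su -c, forcing /bin/sh there because service accounts normally have no login shell. The user name and php command line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: run a command as another user,
# trying sudo first and falling back to su with an explicit shell.
# The command is passed as separate argv words, never as one quoted string,
# and is re-quoted only where su -c needs a single string.

# Quote argv so a shell will split it back into exactly the same words.
# Each word is wrapped in single quotes; an embedded ' becomes '\''.
quote_args() {
    out=""
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="${out}${out:+ }'${q}'"
    done
    printf '%s' "$out"
}

# run_as USER COMMAND [ARG...]
run_as() {
    user=$1; shift
    if [ "$(id -un)" = "$user" ]; then
        "$@"                          # already that user: no privilege change needed
    elif command -v sudo >/dev/null 2>&1; then
        sudo -u "$user" -- "$@"       # argv passed through unchanged
    else
        # su needs a single command string and a usable shell; service
        # accounts (www-data) normally have nologin, so force /bin/sh.
        su -s /bin/sh "$user" -c "$(quote_args "$@")"
    fi
}

# Usage (the php command line is a placeholder taken from the post):
# run_as www-data php /var/www/html/console.php files:scan --all
```

Arguments containing spaces or quotes survive the su path intact because quote_args single-quotes each word; with the generic form sudo -u user "command args" they would have been glued into one word.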

Thanks to http://askubuntu.com/a/606149

OwnCloud connection to server error

OwnCloud is a good replacement for the Google, Yandex and Dropbox cloud drives: a really useful and convenient tool for managing your private data on your own server.

There are a few ways to connect to your server:
- WebDAV directly from the OS
- browser access
- the iOS/Android mobile clients

If your OwnCloud service sits behind an Nginx reverse proxy that terminates SSL/TLS, the mobile client may fail with the following error:

it is not possible to connect to the server at this time

After a few days of searching for a solution on the forum https://forum.owncloud.org, none of the suggested fixes helped.

Then I noticed, in the Admin panel under “Security & setup warnings”:

The "Strict-Transport-Security" HTTP header 
is not configured to at least "15768000" seconds. 
For enhanced security we recommend enabling HSTS 
as described in our security tips.

So, go ahead!

Just add the HSTS header (Strict-Transport-Security) to the Nginx server block of the HTTPS site:

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Two caveats before copying this line. First, add_header is not inherited into any location block that has an add_header of its own, so the header silently disappears from those responses unless it is repeated there; appending always also sends it on error responses. Second, includeSubdomains (the RFC 6797 spelling is includeSubDomains, matched case-insensitively) plus preload commits every subdomain to HTTPS for two years, and once the domain is submitted to the browsers' preload list that is very hard to undo. Leave preload out unless you intend to submit the domain.
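A fuller server block showing where the header goes and how a location-level add_header drops it, as an added example that is not part of the original post. The host name, certificate paths and the OwnCloud upstream address are placeholders, and it assumes Nginx is used as a reverse proxy in front of OwnCloud.

```nginx
# Added example, not from the original post: a minimal Nginx HTTPS server
# block in front of OwnCloud with HSTS set the way the admin panel asks for.
# Host name, certificate paths and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name cloud.example.com;

    ssl_certificate     /etc/nginx/ssl/cloud.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/cloud.example.com.key;

    # HSTS: two years, all subdomains. "always" also sends it on 4xx/5xx.
    # "preload" is left out on purpose: add it only if you will submit the
    # domain to the browser preload list, which is very hard to reverse.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        # No add_header here, so the server-level HSTS header is inherited.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /static/ {
        # WEAK: any add_header in a location block discards every inherited
        # add_header, so responses from here would lose HSTS ...
        add_header X-Content-Type-Options nosniff always;
        # ... unless the HSTS line is repeated in this block:
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Redirect plain HTTP to HTTPS; HSTS is only honoured when received over TLS.
server {
    listen 80;
    server_name cloud.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading, check with curl -sI https://cloud.example.com/ that the Strict-Transport-Security line is present on both a normal response and one from a location that sets its own headers.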

Restart Nginx and voilà: the mobile client will ask you to accept the SSL certificate!