Proxy configuration for Gradle

6 05 2017

Are you using Gradle behind a corporate proxy? Here is how to configure the proxy settings for Gradle (URLs and credentials).

gradle.properties file

Gradle (and gradlew as well) automatically reads the gradle.properties file located either in the project directory or in the USER_HOME/.gradle directory.

Inside the gradle.properties file, set these properties:

systemProp.http.proxyHost=http_proxy_ip_or_url
systemProp.http.proxyPort=port
systemProp.http.proxyUser=username
systemProp.http.proxyPassword=pwd
systemProp.https.proxyHost=https_proxy_ip_or_url
systemProp.https.proxyPort=port
systemProp.https.proxyUser=username
systemProp.https.proxyPassword=password

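The configuration above covers both HTTP and HTTPS traffic. Because these properties hold the proxy password in plain text, prefer the file in USER_HOME/.gradle over the one in the project directory, which is usually committed to version control.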

Inline properties

As an alternative, you can pass the properties on each gradle command line:

gradle build -Dhttp.proxyHost=http_proxy_ip_or_url ...




SSL Certificate with Subject Alternate Names

14 12 2014

This post is a continuation of Creating HTTPS SSL Self Signed certificate. SSL Certificates are created for one particular ‘cn’. This can be your domain name (www.example.com).

A certificate validation exception may occur when you access your host by another name (for example using the IP address instead of the domain name, or accessing it from localhost).

Java keytool has an extension, SAN (Subject Alternative Name), in which you can specify all the names you accept (like ‘localhost’ or the IP ‘127.0.0.1’). Both IP addresses and DNS names can be given with this additional keytool argument:

-ext SAN=dns:abc.com,dns:localhost,ip:127.0.0.1

so the full command is:

keytool -genkey -alias keyAlias -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore myKeystore.p12 -validity 3650 -ext SAN=dns:abc.com,dns:localhost,ip:127.0.0.1
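
The following check is an added example, not code from the original post: it loads the keystore created by the command above and reports which names the certificate's SAN extension covers, treating IP literals and DNS names separately as clients do. The password keyPwd, the lowercase alias keyalias and the name other.example are assumptions used as defaults.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

public class SanCheck {
    // GeneralName type tags (RFC 5280) as returned by getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    /** True if host is listed in the SAN extension under the entry type a client would compare it to. */
    static boolean coveredBySan(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // the certificate has no SAN extension at all
        // An IP literal is compared only to iPAddress entries, a host name only to dNSName entries
        boolean isIp = host.matches("[0-9.]+") || host.indexOf(':') >= 0;
        int wanted = isIp ? IP_ADDRESS : DNS_NAME;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            // Exact comparison only: wildcard entries and alternative IPv6 spellings are not expanded
            if (type == wanted && host.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: file name from the keytool command, password and alias as described in the lead-in
        String file = args.length > 0 ? args[0] : "myKeystore.p12";
        char[] password = (args.length > 1 ? args[1] : "keyPwd").toCharArray();
        String alias = args.length > 2 ? args[2] : "keyalias";

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("No certificate under alias " + alias);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        // The three names from the -ext SAN argument plus one constructed name that is not in it
        for (String host : new String[] {"abc.com", "localhost", "127.0.0.1", "other.example"}) {
            System.out.println(host + " -> " + (coveredBySan(cert, host) ? "covered" : "NOT covered"));
        }
    }
}
```

Compile with javac SanCheck.java and run java SanCheck from the directory that holds the keystore, passing the file, password and alias as arguments if they differ from the defaults.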

Did I help you?
I manage this blog and share my knowledge for free, sacrificing my time. If you appreciate it and find this information helpful, please consider making a donation in order to keep this page alive and improve quality


Thank You!





Spring Boot: SSL/HTTPS for embedded Tomcat

22 11 2014

If your Spring Boot app is running on embedded Tomcat, you need to use the TomcatConnectorCustomizer interface to set up HTTPS in Tomcat.

Get the source code

The source code for this tutorial is available on my GitHub under the SpringBootHttps tag: https://github.com/yacekmm/looksok/tree/SpringBootHttps

1. Prepare keystore and certificate

First you need a certificate. If you already have one, go to point 2; otherwise, follow steps 1 and 2 from this tutorial: https://looksok.wordpress.com/2014/11/16/configure-sslhttps-on-tomcat-with-self-signed-certificate/

2. Put your keystore in a defined location

Place your keystore file at a fixed path on your machine. On my machine this is:

D:\keystore\server.p12

I will use this path in my app configuration.

3. Customize Tomcat Connection

Create a class implementing TomcatConnectorCustomizer and override its customize(Connector) method. As you can see, in customize() I set exactly the same properties as in the standalone Tomcat XML configuration (see this post). Note that in the class constructor I convert the alias string to lowercase, because only lowercase aliases are allowed in the keystore.

import org.apache.catalina.connector.Connector;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;

public class MyTomcatConnectionCustomizer implements TomcatConnectorCustomizer {

  private final String absoluteKeystoreFile;
  private final String keystorePassword;
  private final String keystoreType;
  private final String keystoreAlias;

  public MyTomcatConnectionCustomizer(String absoluteKeystoreFile,
      String keystorePassword, String keystoreType, String keystoreAlias) {
    this.absoluteKeystoreFile = absoluteKeystoreFile;
    this.keystorePassword = keystorePassword;
    this.keystoreType = keystoreType;
    // aliases are stored in lowercase in the keystore
    this.keystoreAlias = keystoreAlias.toLowerCase();
  }

  @Override
  public void customize(Connector connector) {
    // serve HTTPS on the default port
    connector.setPort(443);
    connector.setSecure(true);
    connector.setScheme("https");

    // same attributes as the <Connector> element in a standalone Tomcat server.xml
    connector.setAttribute("SSLEnabled", true);
    connector.setAttribute("sslProtocol", "TLS");
    connector.setAttribute("protocol", "org.apache.coyote.http11.Http11Protocol");
    connector.setAttribute("clientAuth", false);
    connector.setAttribute("keystoreFile", absoluteKeystoreFile);
    connector.setAttribute("keystoreType", keystoreType);
    connector.setAttribute("keystorePass", keystorePassword);
    connector.setAttribute("keystoreAlias", keystoreAlias);
    // the key inside the keystore uses the same password as the keystore itself
    connector.setAttribute("keyPass", keystorePassword);
  }
}

4. Create containerCustomizer Bean

To use the TomcatConnectorCustomizer implementation, create the bean as follows:

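// imports for the configuration class that declares this bean
import java.io.FileNotFoundException;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.util.ResourceUtils;

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() throws FileNotFoundException {

  // keystore location from step 2
  final String absoluteKeystoreFile = ResourceUtils.getFile("D:\\keystore\\server.p12").getAbsolutePath();

  // password, store type and alias as chosen when the keystore was generated
  final TomcatConnectorCustomizer customizer = new MyTomcatConnectionCustomizer(
      absoluteKeystoreFile, "keyPwd", "PKCS12", "keyalias");

  return new EmbeddedServletContainerCustomizer() {

    @Override
    public void customize(ConfigurableEmbeddedServletContainer container) {
      // the connector customizer applies only when the embedded container is Tomcat
      if (container instanceof TomcatEmbeddedServletContainerFactory) {
        TomcatEmbeddedServletContainerFactory containerFactory = (TomcatEmbeddedServletContainerFactory) container;
        containerFactory.addConnectorCustomizers(customizer);
      }
    }
  };
}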

5. Test it

Start the Spring Boot app and go to:

https://127.0.0.1

Your browser will probably warn you about the untrusted certificate.

Note: Don’t use self-signed certificates in production! Use them only in test / dev environments.






Configure SSL/HTTPS on Tomcat with Self-Signed Certificate

16 11 2014

Regarding security, HTTPS with SSL is a minimum requirement. Moreover, it has a relatively low implementation cost. Thanks to it your transport layer will be encrypted, preventing sniffing and man-in-the-middle attacks, and your server's validity will be verified with a certificate. (In this tutorial I will use a self-signed certificate. If you need a trusted certificate, follow the trust agency's instructions.)

1. Generate keystore with self-signed certificate in it

You can generate the keystore with Java’s keytool. Open the Windows command line or a shell and check that the keytool command is on your path. If the command is not recognized, find the keytool app in your %java_home%\bin directory.

Execute this command:

keytool -genkey -alias keyAlias -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore myKeystore.p12 -validity 3650

The keytool will generate a key (-genkey) with an alias (-alias), the PKCS12 store type (-storetype) and the RSA algorithm, 2048 bytes long, stored in the myKeystore.p12 file with a validity of 3650 days (10 years).

Executing this command will ask you a few identity questions:

Enter keystore password: keyPwd
Re-enter new password: keyPwd
What is your first and last name?
  [Unknown]:  127.0.0.1
What is the name of your organizational unit?
  [Unknown]:  LooksOK!
What is the name of your organization?
  [Unknown]:  LooksOK!
What is the name of your City or Locality?
  [Unknown]:  Minsk Mazowiecki
What is the name of your State or Province?
  [Unknown]:  mazowieckie
What is the two-letter country code for this unit?
  [Unknown]:  PL
Is CN=127.0.0.1, OU=LooksOK!, O=LooksOK!, L=Minsk Mazowiecki, ST=mazowieckie, C=PL correct?
  [no]:  yes

2. Check keystore contents – find your certificate in there

Issue the list command to ensure that the keystore contains the certificate:

keytool -list -keystore myKeystore.p12 -storetype PKCS12

This is the output:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

keyalias, 2014-11-14, PrivateKeyEntry,
Certificate fingerprint (SHA1): 5A:3C:63:EC:CD:A9:AE:AA:D1:92:B3:3A:68:5A:95:C2:98:E3:69:01

So, the certificate is truly there!

3. Copy your keystore file to Tomcat dir

You can put your keystore file wherever you want, provided you enter its path in the Tomcat config. I encourage you to put it under %Tomcat_home%/conf/myKeystore.p12.

4. Configure Tomcat

The Tomcat configuration file is located in %Tomcat_home%/conf/server.xml. Find this section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
   This connector uses the BIO implementation that requires the JSSE
   style configuration. When using the APR/native implementation, the
   OpenSSL style configuration is required as described in the APR/native
   documentation -->

Then uncomment the configuration below it. I will use the default 443 port (not the suggested 8443) and add four lines specific to myKeystore (keystoreFile, keystoreType, keystorePass and keyPass):

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" 
  keystoreFile="conf/myKeystore.p12"
  keystoreType="PKCS12"
  keystorePass="keyPwd"
  keyPass="keyPwd"
/>

5. Test it

Start Tomcat and go to:

https://127.0.0.1

Your browser will probably warn you about the untrusted certificate.

6. Verify the CN (Common Name)

The Common Name is the URL I provided when running keytool: 127.0.0.1. If this particular address is used in a browser, the browser will not warn you. If you open

https://localhost

instead, the browser will also warn you that the URL entered does not match the URL provided on certificate creation.

Note: Don’t use self-signed certificates in production! Use them only in test / dev environments.








