There are actually a lot of guides out there on how to make a keystore for JBoss and how to get the certificate signed, but I had to combine all of them to fit our needs.
I reissued the old key, so we already have the tomcat.keystore.
Download the zip from GoDaddy and extract it in the same directory as tomcat.keystore.
## create a new key with (not needed here, since the old key was reissued):
# keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
##
# verify integrity of tomcat.keystore
keytool -list -v -keystore tomcat.keystore
# import the intermed certificate
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
# import the cross certificate
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
# import our wildcard certificate
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file _.nsa.gov.crt
If it replies with:
"java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big"
then the certificate file is too long and there are some stray \c\r characters at the end. Just edit it and make sure
-----END CERTIFICATE-----
is on the last line.
Then re-import it and it should say:
Certificate reply was installed into keystore
Replace chap8.keystore and make sure the path is set in server.xml.
Restart JBoss and verify the expiry date on the certificate.
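As an added example (not from the original post), a small POSIX sh helper that checks for the two problems described above, carriage returns and junk after the END marker, and writes a cleaned copy to hand to keytool; the file names used are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a PEM certificate for
# CR bytes and trailing junk after the END marker, and produces a clean copy.
PEM_END='-----END CERTIFICATE-----'

# Print the PEM with carriage returns stripped, trailing whitespace trimmed,
# and everything after the END marker (blank lines, junk) removed.
normalize_pem() {
    tr -d '\r' < "$1" | awk -v end="$PEM_END" '
        { sub(/[ \t]+$/, ""); print }   # trim trailing whitespace, emit line
        $0 == end { exit }              # stop right after the END marker
    '
}

# Return 0 if the file is already clean: no CR bytes and the END marker is
# the very last line. These are the two things the keytool error points at.
pem_is_clean() {
    f="$1"
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains carriage returns" >&2
        return 1
    fi
    if [ "$(tail -n 1 "$f")" != "$PEM_END" ]; then
        echo "$f: last line is not the END CERTIFICATE marker" >&2
        return 1
    fi
    return 0
}

# Usage (constructed file names): clean the wildcard cert before importing it.
#   pem_is_clean _.example.com.crt || normalize_pem _.example.com.crt > clean.crt
#   keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file clean.crt
```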
2009-07-24
2009-07-20
tunneling with socat
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Really good for tunneling!
Simple example:
You need to be root to listen on a low port.
socat TCP-LISTEN:23,fork,bind=192.168.150.99 TCP4:192.168.157.254:23
Arguments: port to listen on, fork a process per connection, IP to bind on, target IP:port.
How to make a simple port forwarding on the Cisco ASA 5505
IP configuration
interface Vlan1
nameif inside
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.125.77.191 255.255.255.252
Make sure we are using the correct globals and NATs.
global (outside) 1 interface
nat (inside) 0 access-list ACL-INSIDE
nat (inside) 1 192.168.150.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
Set a static (NAT) entry mapping the outside interface to the inside IP on the specified port.
Do NOT use the outside IP; that will fail, we need "tcp interface".
static (inside,outside) tcp interface 22 192.168.150.99 22 netmask 255.255.255.255
Then it's just a matter of a simple access-list to allow the hosts and log errors.
access-list ACL-INBOUND extended permit tcp host 12.120.77.169 host 74.125.77.191 eq 22 log errors
access-group ACL-INBOUND in interface outside