February 2007

These days I have a very good experience on installing a CA-signed certificate to our Faculty server. I found that it is much more complicated than a self-signed certificate that I used before. There are lots of formats, types and others things that arouse my concerns during the installation. Let’s walk through some of these.

Before my work, the Faculty of mine bought a certificate from a CA named GeoTrust (which also refers to Equifax). The certificate from this CA has already been installed in more than 90% browsers nowadays, so it is quite a common one compared with those like Verisign and Thawte. That certificate bought is used on one Apache HTTP Server, and my work is to install it to Apache Tomcat on the same machine.

For the usage in Apache HTTP Server, there are two files, which are named like mycert.crt and mykey.key. These two files are the public key and private key respectively. I don’t know what format they are, but I can’t use either of them as the keystore provided to tomcat. Tomcat will throw javax.net.ssl.SSLException and saying that: No available certificate or key crresponds to the SSL cipher suites which are enabled.

After that, I sent an email to the support and asked for help. The guy there provide me a way to go, which is to convert the certificate to the format that Tomcat can use. The procedure is like this:

1. Run the following command to create a keystore named “mycert.p12″ with an alias “tomcat” inside (The alias must be “tomcat”, as it is recognized by Apache Tomcat)

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile GeoTrustRootCA.cer -caname root -chain

Where GeoTrustRootCA.cer’ is the GeoTrust Root CA available for download here: http://www.geocerts.com/support/roots.php , ‘mycert.crt’ is your current ssl certificate, ‘mykey.key’ is your current private key.

For the GeoTrust Root CA, either Base-64 and DER format can be used. There is no difference after all the works.

2. After running the command, it will ask you for the password, typed in “changeit”. Oh, why “changeit”? Actually, the password is up to you, but it is used by Tomcat to access this keystore. If you used other password, you have to explicitly provided in the Tomcat configuration, which we will talk in Step 4.

3. The keystore named “mycert.p12″ is created, it is a X.509 certificate with PKCS#12 format. The format is different from the self-signed certificate created by “keytool”, which is JKS (Java KeyStore)

4. Configure the Tomcat server to switch on secure connection as usual with some additional settings as below:

You then have to specify Tomcat that the keystore is in pkcs12 format by inserting keystoreType=”pkcs12″ in the ssl configuration, also the keystore location pointing to where mycert.p12 is located.

After configuring this, the SSL should be ready using this CA-signed certificate.

Remarks:

There are still some questions that I didn’t solve, which are all related to the command used in Step 1. Some of the options like “-caname” and “-chain” are still unknown to me. Perhaps, someone can give me an answer.

Reference:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
http://www.geocerts.com/support/install/install_tomcat.php

One of the major change for this 2.4 version of web.xml is the ordering of tags. As the use of XML Schema provides the flexibility on the ordering of tags, you can put the tag in any ordering as you like.

Besides this, one another change is the use of tag library. Starting from 2.4, we have to surround all <taglib> with a new tag <jsp-config>, as required by the mechanism of XML Schema, like the following:

<web-app xmlns=”http://java.sun.com/xml/ns/j2ee”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=”http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd”
version=”2.4″>

<description>StrutsTest</description>

<jsp-config>

<taglib>
<taglib-uri>http://jakarta.apache.org/tomcat/debug-taglib</taglib-uri>
<taglib-location>/WEB-INF/jsp/debug-taglib.tld</taglib-location>
</taglib>

</jsp-config>

</web-app>

Seems that there is still not much resource on Java Persistence, which is included in EJB3. If I want to learn more about EJB-QL, the only way is to look at the resources of EJB2.1. The articles may not be updated, but most of the contents still apply.

However, I found one EJB-QL that is in the spec. seems not supported by most of the vendors, which is OFFSET and LIMIT. I found some articles on people asking Sun about the issue, but no one answers. Then I do a search on Google, and only found Resin which supports it.

These keywords are used together to limit the number of entity instances returned in a list, especially useful for entity storing up to ten thousand records. Your memory size must be a main issue by then. Actually, it is just similar to the ROWNUM functions provided by Oracle, but don’t know why so few vendors implement such a useful function.

When I am thinking using autoReconnect will resolve the disconnection problem, a new error comes to me.

java.net.SocketException
MESSAGE: Software caused connection abort: recv failed

This error appears in occasional case, but also after a long hours of idle. I used Java Persistence to connect mysql. Today morning, when I was back to office. My application seems fine when doing the querying functionalities. However, when I used persist() and merge() operations which updated the DB, this error occurred.

Someone said this also the same problem as previous, which MySQL disconnects the connections after idle for 8 hours, but I am amazing that the error only throw for updating operations. Is it mechanism for Java Persistence, since it can store part of DB details in memory, so it didn’t actually query the database?

Reference:
http://forums.mysql.com/read.php?39,55337,95721#msg-95721

These days, this exception always occur in my new developing application using persistence, especially on the morning when I came back to office. At the beginning, I think it may be due to the use of Java Persistence. However, when I do a search on Google, at the top of the list, I got this post:

http://www.yannicafe.info/wp/2006/11/25/53.html

This post describes the case in detail. It is due to the mechanism of MySQL, where this DB will disconnect all the active connections after 8 hours if there is no activity. After that, if your application try to work on some activities, the above exception is caused.

Normally, the exception should be caught in the application, and direct to a reconnect logic. However, the persistence provider (Oracle TopLink) that I am using does not provide auto reconnect function. So, I need to change the connection URL to the following:

jdbc:mysql://localhost:3306/test?autoReconnect=true

This allow the application to auto reconnect in case MySQL disconnects all the connections. Nevertheless, the bad thing is that  this is not recommended by MySQL community and this parameter may even be removed from future versions of MySQL.

Reference:
http://forums.java.net/jive/thread.jspa?messageID=189962