Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Apr 2, 2016

Add Let's Encrypt free SSL certificates to WSO2 API Cloud

Let's encrypt is a free and open certificate authority runs for the public benefit. This service is provided by the Internet Security Research Group and there are lots of companies working with them to make the Internet secure. People who have a domain name can get free SSL certificate for their websites using this service for three months. I they need to use for more than that three months we need to renew the certificate and its also for free. But the best thing is that this certificate is accepted by most of the new web browsers and systems by default. So you don't need to add CA certs to you browsers any more.

In this article I will explain how we can use that service to get a free SSL certificate and add that to WSO2 API Cloud. So that you can have your own API store like;

https://store.thilina.piyasundara.org

In order to do that you need to have following things in hand.
  • Domain name.
  • Rights to add/delete/modify DNS A records and CNAMEs.
  • Publicly accessible webserver with root access or a home router with port forwarding capabilities. 

Step 1

If you have a publicly accessible webserver you can skip this step.If you don't have a publicly accessible webserver you can make your home PC/Laptop a temporary webserver if you can do port forwarding/NATing in you home router. I will show how I did that with my ADSL router. You can get help on port forwarding information by referring to this website http://portforward.com.

a. Add a port forwarding rule in your home router.

Get your local (laptop) IP (by running ifconfig/ip addr) and put that as the backend server in your router for. Set the WAN port as 80 and LAN port as 80.


After adding the rule it will be like this.

b. Start a webserver in your laptop. We can use the simple Python server for this. Make sure to check the IPTable rules/Firewall rules.

mkdir /tmp/www
cd /tmp/www/
echo 'This is my home PC :)' > index.html
sudo python3 -m http.server 80

c. Get the public IP of your router. Go to this link : http://checkip.dyndns.org it will give the public IP address. This IP is changing time-to-time so no worries.


d. Try to access that IP from a browser.
If it is giving the expected output you have a publicly accessible webserver.


Step 2

Now we need to update a DNS entry. My expectation is to have a single SSL certificate for both domains 'store.thilina.piyasundara.org' and 'api.thilina.piyasundara.org'.

a. Go to your DNS provides console and add an A record for both domain names to point to the public IP of your webserver (or the IP that we got from the previous step).


b. Try to access both via a browser and if its giving the expected out put you can proceed to the next step.


Step 3

I'm follow the instruction in the 'let's encrypt' guide. As I'm using the python server I need to use the 'certonly' option when running the command to generate the certs.

a. Get the git clone of the letsencrypt project.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

b. Run cert generation command. (this requires root/sudo access)

./letsencrypt-auto certonly --webroot -w /tmp/www/ -d store.thilina.piyasundara.org -d api.thilina.piyasundara.org

If this succeed you can find the SSL keys and certs in '/etc/letsencrypt/live/store.thilina.piyasundara.org' location.

Step 4

Check the content of the certs. (Be root before you try to 'ls' that directory)

openssl x509 -in cert.pem -text -noout

Step 5

Create an API in WSO2 API Cloud if you don't have one. Else start on adding a custom domain to your tenant.

a. Remove both A records and add CNAME records to those two domains. Both should point to the domain 'customdns.api.cloud.wso2.com'.


b. Now click on the 'Configure' option in the top options bar and select the 'Custom URL' option.


c. Make ready you SSL certs. Copy 'cert.pem', 'chain.pem' and 'privkey.pem' to you home directory.

d. Modify API store domain. Click on the modify button, add the domain name click on verify. It will take few seconds. If that succeed you have correctly configured the CNAME to point to WSO2 cloud.

e. Add cert files to the API Cloud. The order should be the certificate (cert.pem), private key (privatekey.pem) and the CAs chain file (chain.pem). Again it will take sometime to verify uploaded details.


f. Update the gateway domain same as the previous.

Now if you go the API Store it will show something like this.



g. Same way you can use the gateway domain when you need to invoke APIs.

curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer ' 'https://gateway.api.cloud.wso2.com:8243/t/thilina/gituser/1.0.0/thilinapiy'

Now you don't need '-k' option. If not make sure you operating system (CA list) is up to date.

Step 6

Make sure to remove port forwarding in you home router if you use that and any changes that you make while obtaining the SSL certificates.

Jan 30, 2013

Symantec PGP decrypt a WDE drive using boot.iso

What we can do if a bootable PGP WDE drive fail to boot the OS correctly? Initially we can try to do a recovery operation using the OS bootable CD/DVD or restore to a previous known best configurations point. But think if those operations also fail to recover the OS boot process. Then the option is to reinstall the  OS. But as the drive is encrypted, we can't simply reinstall the OS on the same drive. If we do it, it will cause a data lost. Therefore, we need to decrypt the drive and install the OS. Then again encrypt the drive.

We can do two things in such a scenario.
1. Remove the drive and connect it to another PGP installed machine as a slave drive and decrypt it via the PGP desktop.
2. Use the boot.iso to boot the machine and decrypt the drive using bootable cd.

In this post I will describe how to do it using the boot.iso or bootable PGP CD.

First you need to get the correct version of the boot image (boot.iso). It is important to have the same version of the Symantec PGP software to avoid any data lost.

Best way to find the boot.iso is to burn a CD image after initial PGP desktop installation. You can get the image file from these location according to the OS.


32-bit :- C:\Program Files\PGP Corporation\PGP Desktop\bootg.iso
64-bit :- C:\Program Files (x86)\PGP Corporation\PGP Desktop\bootg.iso

Or you can download it from the Symantec website.

Then boot from the CD drive. It will prompt the initial PGP login screen. Do not enter the user name and passphrase. If you can go to the "Advance panel" go to it and try to decrypt the drive. (But in my case I haven't got a advance panel.). But if not, press F4. It will direct you to the WDRT window. Get the WDRT from the server and type it. After submitting the WDRT boot disk (CD) will try to decrypt the encrypted drive. This process will take some time (very high). Don't stop it and make sure power supply is OK.

Keep in mind if something goes wrong, it will cause a data lost and you wan't be able to reverse the operation.

Jan 5, 2013

Open a Linux firewall port - IPTables

IPTables is the default firewall in any unix/linux system. If we host a service such as FTP or web server, we need to open some ports in order to use that service from remote hosts. For that we need to edit the configurations in this firewall.

First we can check the status of IPTables by running this command;

service iptables status

By default most systems open the ssh port 22. Now we need to get the running configurations to edit it. To do that;

iptables-save > /tmp/iptables

This command will dump the running iptables configurations in to a file and it will be like this.

# Generated by iptables-save v1.4.7 on ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:2878]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on ...

Assume that we need to run a web server on this host. Web servers usually runs on port 80. Therefore, we need to allow port 80. To allow that we can add a line similar to the ssh rule.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 

Then you need to feed this configurations to the iptables. To do that;

iptables-restore < /tmp/iptables

Now if you run the 'service iptables status' command, you can see port 80 is also allowed in it. But if you restart the service (service iptables restart) or reboot the machine, those changes will be not there. That's because it use a default configuration file on the service initialization. This default file is different from system to system. In CentOS systems that file is locates in '/etc/sysconfig/iptables'. After all the things are complete, you can save the running iptables configurations on that file it self.

But it is better if you use an alternative method like 'cron job' to run modify this iptables configurations. To do that you need to add a cron job as root by;

crontab -e

and add;

@reboot /sbin/iptables-restore < /root/myiptables

 The modified iptables rule set must be located on that location.

Note: In few Linux distributions there is a another firewall called 'SELinux'. If you have an issue even after changing those settings in IPTables, it is better to check SELinux settings too.