Monthly Archives: August 2014

SSL Overview | OpenSSL – Cryptography & SSL/TLS Toolkit | Keytool

SSL Overview

SSL is a commonly-used protocol for managing the security of message transmission on the Internet.

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key encryption, a public key and a private key are generated for a server. Data encrypted with the public key can only be decrypted using the corresponding private key and data encrypted with the private key can only be decrypted using the corresponding public key. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key.

The public key is embedded in a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide identity for the server.

The data embedded in a digital certificate is verified by a certificate authority (CA) and digitally signed with the CA’s digital certificate. Well-known certificate authorities include Entrust and VeriSign. The trusted CA certificate establishes trust for a certificate.

An application participating in an SSL connection is authenticated when the other party evaluates and accepts the application’s digital certificate. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted CA and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the digital certificate of the CA used to sign it expired. A server certificate can be invalidated if the host name in the digital certificate of the server does not match the URL specified by the client.

OpenSSL

Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. OpenSSl Command Line Tool Document

OpenSSL provides:

  • A command line application to perform a wide variety of cryptography tasks, such as creating and handling certificates and related files. OpenSSL commands
  • A comprehensive and extensive cryptographic library libcrypto.
  • A library for enabling SSL/TLS communications libssl.

Generate self signed SSL certificate using OpenSSL toolkit

Terminology:

Public Keys 

These are keys that are intended to be known to everyone who needs to have trusted interactions with the entity. Public keys are used to verify signatures.

Private Keys 

These are keys, each of which is supposed to be known only to the particular entity who owns it (it’s supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems. Private keys are used to compute signatures.

Signature 

A signature is computed over some data using the private key of an entity (the signer).

Certificate 

A certificate is a digitally signed statement from Certificate Authority that certifies the ownership of a public key by the named subject of the certificate.

Certificate Authority 

Certificate Authority(CA) is a trusted third party that agrees to vouch for the identity of a site, usually for a fee. Most web browsers automatically trust Commercial CAs. Aside from commercial CAs, some organizations entities may have their own CAs for internal signing.

keytool

keytool is a Java Key and Certificate Management Tool comes with JDK. It is an utility to manage the keystore of public/private keys, trusted certificates and certificates chains. JDK keytool

KeyStore

A keystore is a storage facility for cryptographic keys and certificates. In Java, you may encounter these two types of keystores:

  • Identity KeyStore: contains private key and accompanied by the certificate chain for the corresponding public key.

For example, if application server itself needs to provide SSL connections, the private key and SSL certificate should be saved in this keystore.

  • Trust KeyStore: contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties. If the application needs to connect to remote SSL server, the certificate from the remote server should be saved in this keystore.

Although one keystore can be used for both identity and trust, it is recommended using separate keystores for identity and trust because the identity keystore (private key/digital certificate pairs) and the trust keystore (trusted CA certificates) may have different security requirements. For example:

  • For trust, you only need the certificates (non-sensitive data) in the keystore. However, for identity, you add the certificate and the private key (sensitive data) in the keystore.
  • The identity keystore may be prohibited by company policy from ever being put on the corporate network, while the trust keystore can be distributed over the network.
  • The identity keystore may be protected by the operating system for both reading and writing by non-authorized users, while the trust keystore only needs to be write protected.
  • The identity keystore password is generally known to fewer people than the password for the trust keystore.

In general, systems within a domain have the same trust rules — they use the same set of trusted CAs — but they tend to have per-server identity. Identity requires a private key, and private keys should not be copied from one system to another. Therefore, you should maintain separate identity keystores for each system, each keystore containing only the server identity needed for that system. However, trust keystores can be copied from system to system, thus making it easier to standardize trust conventions.

Common keytool Commands

#generate keystore and public/private keys
keytool -genkeypair -alias *.manvirbasra.com -keyalg RSA -keysize 2048 -dname “CN=Manvir Singh, OU=Singh, O=Khalsa, L=Toronto, S=Ontario, C=CA” -keystore server.keystore -storepass password123 -keypass password123

#create csr for certificate signing
keytool -certreq -alias *.manvirbasra.com -file cert.csr -keystore server.keystore -ext san=dns:manvirbasra.com

#import root cert to keystore
keytool -importcert -alias root_cert -trustcacerts -file cacert.cer -keystore server.keystore

#import signed cert to keystore
keytool -importcert -alias *.manvirbasra.com -file cert.cer -keystore server.keystore

Resources:

Gerrit – Web Based Code Review and Project Management for Git Based Projects

Gerrit Overview

  • Web based code review and project management for Git based project
  • Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer
  • Gerrit simplifies Git based project maintainer-ship by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer. This functionality enables a more centralized usage of Git.
  • Gerrit is intended to provide a lightweight framework for reviewing every commit before it is accepted into the code base.
  • Gerrit is firstly a staging area where changes can be checked over before becoming a part of the code base.

Gerrit  in central Git Repo

Resources:

OpenLDAP – Implementation of LDAP – Light Weight Directory Access Protocol

OpenLDAP:

  • Open Source Implementation of LDAP – Light Weight Directory Access Protocol
  • LDAP Protocol is used to access information stored in LDAP directory

Resources:

ArcGIS ArcPy Mapping Module – Python Scripting in ArcGIS Server | arcpy.mapping

ArcGIS ArcPy

The ArcPy Mapping module is a Python scripting library that provides access to the contents of map documents (.mxd) and layer files (.lyr). With arcpy.mapping, you can create scripts that can reference map documents and layers; query and alter their properties; and print, export, or save the modified document.

Resources

ArcGIS REST API

ArcGIS REST API

It is an interface that simplifies interactions between GIS applications (clients) and ArcGIS for Server services.

What is REST?

REpresentational State Transfer, or REST, is a way for software to work when distributed across a network. When software is being run across a network, a client sends a request to a server, the server processes the request, and then the server sends a response back to the client.

A RESTful application programming interface (API) is one that’s based on HTTP and the REST guidelines. By using the REST architecture, distributed applications gain the following benefits.

  • Consistency: Clients and servers know what to expect when working in a RESTful architecture because resource names and request/response syntax follow a consistent structure.
  • Readability: REST uses formats that are easy for both people and search engines to read.
  • Efficiency: RESTful communications are compact and take advantage of cached content to reduce bandwidth requirements and wait times.

ArcGIS Rest Service example: http://services.arcgisonline.com/arcgis/rest/services

Anatomy of a RESTful URL

http://services.arcgisonline.com/ArcGIS/rest/services/Demographics/USA_Median_Age/MapServer/4/query?text=Vermont&returnGeometry=false

Anatomy of ArcGIS REST url

Request

ArcGIS Request

Resources

java persistence api

Java Persistence API – JPA

Java Persistence API

API specification that describes the management of relational data.

  • It is a standard API that provides functionalities to access, manage, persist data between Java Objects (POJO) and relational database in Java EE
  • It  uses annotations or XML to map objects to database. These objects are called Entities
  • It allows querying and retrieval of data using JPQL (Java Persistence Query Language)

Why Java Persistence API?

Because it is strict standard, portable, simple and  supports Persistence Mechanisms for:

  • Java Objects
  • Advanced OO Concepts
  • Transactional Integrity
  • Concurrency
  • Large Data Sets
  • Existing Schema
  • Queries

 Persistence in this context covers three areas:

  • the API itself, defined in the javax.persistence package
  • the Java Persistence Query Language (JPQL)
  • object/relational metadata

Persistence Enitity / JPA Entity Class

Persistence Entity is a lightweight Java class whose state is typically persisted to a table in a relational database. Each row in the table corresponds to an instance of an entity. It is a POJO (Plain Old Java Object) class that is marked (annotated @Entity) as having the ability to represent objects in the database.

Requirements for Entity class

  • Marked with javax.persistence.Entity annotation
  • Must have public or protected no argument constructor
  • class, methods or persistent instance variables cannot be marked final
  • class must implement Serializable interface

EntityManager
In JPA a database connection is represented by the EntityManager interface. Therefore, in order to manipulate an database we need an EntityManager instance. Operations that modify database content also require an EntityTransaction instance.

JPA Implementation

  • Hibernate – Hibernate provides an open source object-relational mapping framework for Java. Versions 3.2 and later provide an implementation for the Java Persistence API
  • EclipseLink
  • OpenJPA
  • DataNucleus, more…

RESOURCE_LOCAL persistence contexts vs JTA persistence contexts

RESOURCE_LOCAL persistence contexts JTA persistence context
  • <persistence-unit transaction-type=”RESOURCE_LOCAL“>
  • <persistence-unit transaction-type=”JTA“>
  • You are responsible for EntityManager (PersistenceContext/Cache) creating and tracking
  • container will do EntityManager (PersistenceContext/Cache) creating and tracking
  • Use EntityManagerFactory to create EntityManager (PersistenceContext)
  • You cannot use the EntityManagerFactory to get an EntityManager
  • You can only get an EntityManager supplied by the container
  • An EntityManagerFactory can be injected via the @PersistenceUnit annotation only (not @PersistenceContext)
  • An EntityManager can be injected via the @PersistenceContext annotation only (not @PersistenceUnit)
  • You are not allowed to use @PersistenceContext to refer to a unit of type RESOURCE_LOCAL
  • You are not allowed to use @PersistenceUnit to refer to a unit of type JTA
  • You must use the EntityTransaction API to begin/commit around every call to your EntityManger
  • The EntityManager given by the container is a reference to the PersistenceContext/Cache associated with a JTA Transaction.
  • If no JTA transaction is in progress, the EntityManager cannot be used because there is no PersistenceContext/Cache.
  • Everyone with an EntityManager reference to the same unit in the same transaction will automatically have a reference to the same PersistenceContext/Cache
  • The PersistenceContext/Cache is flushed and cleared at JTA commit time
  • With a RESOURCE_LOCAL unit and an EntityManagerFactory you should create and use exactly one EntityManager instance in your transaction to ensure there is only one active PersistenceContext/Cache for the given set of data active against the current transaction.
  • In any given transaction you want exactly one PersistenceContext/Cache for a given set of data. Using a JTA unit with an EntityManager created by the container will always guarantee that this is the case.
1 1
1 1
1 1
1 1


Resources

  1. JPA Concepts – http://tomee.apache.org/jpa-concepts.html
  2. Java Persistence API Basics
  3. Obtaining a JPA Database Connection
  4. Why Java Persistence API
  5. Basic Java Persistence API Best Practices
  6. Difference between Java Persistence API vs Hibernate ( JPA Specification vs JPA Implementation)
  7. JPA performance Benchmark – Comparison of JPA providers [ Comparison ]
  8. persistence.xml configurations for major databases and jpa providers

Git Commands | Training | Basics | Videos | Tutorials

Introduction to Git & Git Commands

git

What is Git?

  • Keeps track of changes (text especially)
  • Version control system (VCS)
  • Source Code Management (SCM)

Git is distributed version control system:

  • Different users maintain their own repository instead of working from central repository
  • Track changes not version (change sets or patches)
  • Change sets can be exchanged between repositories ( merge changes or apply patches)
  • No need to communicate with central server when working on a local copy (no network access is required).

Installing git Windows/Mac/Linux

Git configuration

Git can be configured at three levels:

  1. system
  2. user
  3. project

1. System

/etc/gitconfig
Program Files\Git\etc\gitconfig

git config --system

2. User

~/.gitconfig
$HOME\.gitconfig

git config --global
manvirbasra->$git config --global user.name "Manvir Basra"
manvirbasra->$git config --global user.email "manvirbasra@gmail.com"
manvirbasra->$git config --list
user.name=Manvir Basra
user.email=manvirbasra@gmail.com
manvirbasra->$cd ~
manvirbasra->$cat .gitconfig
[user]
	name = Manvir Basra
	email = manvirbasra@gmail.com

3. Project

manvirs_project/.git/config

git config

Git Three Tier Architecture

git three tier architecture

Git Help Commands

manvirbasra->$git help
manvirbasra->$git help log
:f - forward
:b - backward
:q - quit

Initializing a git repo

  • This command creates a .git folder inside the current directory which contains all the tracking information.
manvirbasra->$git init
  • To add everything in the working directory to staging
git add .
  • To commit
git commit -m "commit message"
  • Git Logs
git log --grep="bug fix"
git log -n 2
git log --since=2014-08-02
git log --until=2014-08-02
git log --author="Manvir"
  • HEAD

To show current brach’s head pointing to:

git log HEAD or
cat HEAD
  • To Check Git Status

status between repository, staging directory and working directory

$git status

Resources