Gheek.net

July 22, 2011

How to use curl to access an HTTPS URL using a Client Certificate

Filed under: Apache, linux, nix, shell scripts, tomcat — lancevermilion @ 11:14 am

I needed to check, from the command line, an HTTPS URL that required client certificate authentication.

Using curl was a perfect fit.

curl --insecure --cert-type pem --cert /home/dummyuser/client-cert-stacked.pem --interface eth0:1 "https://192.168.1.2/GetKeepAlive"

Note: I put double quotes (" ") around the URL because otherwise any special characters or spaces in it will not be read correctly.

Options

--insecure or -k
  Disable verification of the server certificate against a root/intermediate CA.

--cert or -E
  (HTTPS) Tells curl to use the specified certificate file. The certificate must be in PEM format. If the optional password isn't specified, it will be queried for on the terminal. Note that this certificate is the private key and the private certificate concatenated!
  If this option is used several times, the last one will be used.

--cert-type
  (SSL) Private key file type (DER, PEM, and ENG are supported).

--interface
  Query the URL using a specified interface.
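The following is an added example, not code from the original post. It wraps the curl call above in a small sh script that first checks the stacked PEM file that --cert expects (a private key block and a certificate block in one file, readable by nobody but the owner since it holds the key) and then assembles the curl arguments; when a CA bundle path is supplied it verifies the server with --cacert instead of skipping verification with --insecure. The function names, the CURL variable and the placeholder PEM contents are assumptions made here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Before handing a stacked PEM to
# curl --cert, confirm it really holds both the private key and the client
# certificate, and that nobody else on the box can read it (it contains the
# key). Then build the curl call, keeping server verification on whenever a
# CA bundle is available instead of reaching for --insecure.

# check_stacked_pem FILE: 0 if FILE has a private-key block, a certificate
# block and no group/other permission bits; otherwise report and return 1.
check_stacked_pem() {
    pem="$1"
    [ -f "$pem" ] || { echo "not a file: $pem" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" \
        || { echo "no private key block in $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate block in $pem" >&2; return 1; }
    # Columns 5-10 of ls -l are the group and other permission bits.
    [ "$(ls -l "$pem" | cut -c5-10)" = "------" ] \
        || { echo "$pem is readable by group/others; chmod 600 it" >&2; return 1; }
    return 0
}

# client_cert_request URL PEM [CA_BUNDLE] [INTERFACE]: run the request with
# the client certificate. With a CA bundle the server certificate is checked
# against it (--cacert); without one it falls back to --insecure as in the
# post, which means the server's identity is not verified at all. Set
# CURL=echo to print the command instead of running it.
client_cert_request() {
    url="$1"; pem="$2"; ca="$3"; iface="$4"
    check_stacked_pem "$pem" || return 1
    set -- --cert-type pem --cert "$pem"
    if [ -n "$ca" ]; then
        set -- "$@" --cacert "$ca"
    else
        set -- "$@" --insecure
    fi
    if [ -n "$iface" ]; then
        set -- "$@" --interface "$iface"
    fi
    ${CURL:-curl} "$@" "$url"
}

# Demonstration on a constructed stand-in for client-cert-stacked.pem
# (placeholder bodies, not a real key or certificate).
demo_pem=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_pem"
chmod 600 "$demo_pem"
(CURL=echo; client_cert_request "https://192.168.1.2/GetKeepAlive" "$demo_pem" "" eth0:1)
rm -f "$demo_pem"
```

Run it as `client_cert_request "https://192.168.1.2/GetKeepAlive" /home/dummyuser/client-cert-stacked.pem /path/to/ca-bundle.pem eth0:1`; leaving the third argument empty reproduces the --insecure call from the post exactly, but then the only thing the connection proves is that the server accepted your certificate, not that you reached the server you meant to.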

October 20, 2008

Tomcat 5.5 – JMX management

Filed under: java, jmx, snmp, tomcat — lancevermilion @ 9:40 am

I have had the need to monitor Java webapps. There are two ways of doing this: one is via SNMP into the JVM and the other is via JMX. Once you make the configuration changes you will need to restart tomcat. Once tomcat is restarted you will want to make sure those ports were opened and are currently being listened on by java. Run “sudo /usr/sbin/lsof | grep :” and look for the port numbers you chose to bind SNMP/JMX to. If they are not listed then they did not bind, and you will want to simplify your JAVA_OPTS down to just the bare basics plus the port options. Keep in mind that anything you put in JAVA_OPTS is applied at both start and stop of the JVM, so the stop invocation will also try to bind these ports and you will get an error in your logs saying something like “the port is already bound”.

Add this to your “/etc/sysconfig/tomcat5”. Comment out any JAVA_OPTS lines you already have uncommented (if they duplicate what is below) and merge any extra values into this one. Leave out everything after the snmp option if you only want SNMP monitoring.

# WITH AUTHENTICATION

JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib -Dcom.sun.management.snmp.port=9004 -Djava.awt.headless=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9003 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=adminsvr"

# NO AUTHENTICATION

JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib -Dcom.sun.management.snmp.port=9004 -Djava.awt.headless=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9003 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=adminsvr"

# Specify the RMI server hostname, which is used when an RMI connection comes inbound. It is sent to the client connecting to the RMI server, so it must be a name the client can resolve and reach.

-Djava.rmi.server.hostname=

# Disable authentication (options: true/false). true requires the password file and the access file.
-Dcom.sun.management.jmxremote.authenticate=false

# Specifies the location of the password file for JMX management access. (chmod 600, chown user/group)

-Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password

# Specifies the location of the access file for JMX management access. (chmod 600, chown user/group)

-Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access

# Disable SSL support (I have not played with getting it set up yet) (options: true/false)

-Dcom.sun.management.jmxremote.ssl=false

# Specify the JMX management port

-Dcom.sun.management.jmxremote.port=

# Enable local JMX management from localhost

-Dcom.sun.management.jmxremote

# Supposed to enable headless operation where X would otherwise be required, i.e. run jconsole on the server and forward its display to your X server.

-Djava.awt.headless=true

# Enables SNMP access to the JVM. If you use this you will need to set up snmp.acl as well, which defines the community/access control.

-Dcom.sun.management.snmp.port=

# /usr/java/jdk1.6.0_03/jre/lib/management/snmp.acl (you should already have an snmp.acl.template installed as part of your JDK) (chmod 600, chown user/group). IF YOU HAVE A DIFFERENT JDK AND/OR LOCATION KEEP THAT IN MIND!!!

acl = {
    {
      communities = public
      access = read-only
      managers = localhost, 10.0.6.151
    }
  }

# $CATALINA_HOME/conf/jmxremote.access (chmod 600, chown user/group).

opennms     readonly
monitorRole readonly
controlRole readwrite

# $CATALINA_HOME/conf/jmxremote.password (chmod 600, chown user/group).

opennms     OpenNMS
monitorRole tomcat
controlRole tomcat

# Add a proxy line so the SNMP proxy forwards queries for the JVM subtree to the JMX SNMP port when we query the server; system and JVM info then come back from one query.
proxy -v 2c -c cotssnmp localhost:9004 .1.3.6.1.4.1.42
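Before restarting tomcat it is worth checking the pieces above for the mistakes that most often keep JMX from coming up or, worse, bring it up wide open. The sh script below is an added example, not part of the original post: it verifies that the jmxremote.password/jmxremote.access pair is mode 600 (the JVM refuses a password file that others can read) and consistent (every user in both files, only readonly/readwrite roles), and it inspects a JAVA_OPTS string to flag a remote JMX port that is enabled with authentication switched off, as in the NO AUTHENTICATION variant. The helper names (value_of, users_in, check_jmx_files, check_java_opts) and the temp-directory stand-in for $CATALINA_HOME/conf are assumptions made here; the sample files are constructed from the entries shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for a Tomcat
# JMX setup like the one above, to run before restarting tomcat.

# value_of NAME "OPTS": value of the last -DNAME=... in OPTS, empty if absent
# (the JVM also honours the last occurrence when a property is repeated).
value_of() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^-D$1=//p" | tail -n 1
}

# file_mode_ok FILE: 0 when FILE exists and has no group/other permission
# bits (columns 5-10 of ls -l); the JVM insists on this for the password file.
file_mode_ok() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# users_in FILE: first column of every non-comment, non-blank line.
users_in() {
    sed 's/#.*//' "$1" | awk 'NF>=2 {print $1}'
}

# check_jmx_files PASSWORD_FILE ACCESS_FILE: print each problem found and
# return 1 if there were any, 0 if the pair is usable.
check_jmx_files() {
    pw="$1"; ac="$2"; rc=0
    for f in "$pw" "$ac"; do
        file_mode_ok "$f" || { echo "$f: missing or readable by group/others (chmod 600)"; rc=1; }
    done
    for u in $(users_in "$pw"); do
        users_in "$ac" | grep -qx "$u" || { echo "$u: password set but no role in $ac"; rc=1; }
    done
    for u in $(users_in "$ac"); do
        users_in "$pw" | grep -qx "$u" || { echo "$u: role set but no password in $pw"; rc=1; }
    done
    # Only readonly and readwrite are valid roles in jmxremote.access.
    bad=$(sed 's/#.*//' "$ac" | awk 'NF>=2 && $2!="readonly" && $2!="readwrite" {print $1": unknown role "$2}')
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    return $rc
}

# check_java_opts "OPTS": 1 if a remote JMX port is enabled together with
# jmxremote.authenticate=false; otherwise 0, with a note when SSL is off.
check_java_opts() {
    port=$(value_of com.sun.management.jmxremote.port "$1")
    [ -n "$port" ] || return 0   # no remote JMX port, nothing to check
    auth=$(value_of com.sun.management.jmxremote.authenticate "$1")
    ssl=$(value_of com.sun.management.jmxremote.ssl "$1")
    if [ "$auth" = "false" ]; then
        echo "JMX port $port is reachable with no authentication at all"
        return 1
    fi
    [ "$ssl" = "false" ] && echo "note: JMX port $port runs without SSL; passwords cross the network in the clear"
    return 0
}

# Demonstration with constructed files (the entries are the ones from the
# post; a temp dir stands in for $CATALINA_HOME/conf).
demo_dir=$(mktemp -d)
printf '%s\n' 'opennms     readonly' 'monitorRole readonly' 'controlRole readwrite' > "$demo_dir/jmxremote.access"
printf '%s\n' 'opennms     OpenNMS' 'monitorRole tomcat' 'controlRole tomcat' > "$demo_dir/jmxremote.password"
chmod 600 "$demo_dir/jmxremote.access" "$demo_dir/jmxremote.password"
check_jmx_files "$demo_dir/jmxremote.password" "$demo_dir/jmxremote.access" && echo "jmxremote files OK"
WITH_AUTH='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9003 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false'
NO_AUTH='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9003 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'
check_java_opts "$WITH_AUTH" && echo "WITH AUTHENTICATION opts accepted"
check_java_opts "$NO_AUTH" || echo "NO AUTHENTICATION opts rejected"
rm -rf "$demo_dir"
```

On a real box, point check_jmx_files at $CATALINA_HOME/conf/jmxremote.password and jmxremote.access and pass the JAVA_OPTS value from /etc/sysconfig/tomcat5 to check_java_opts; a clean run means the remaining failure modes are the port collisions the lsof check above is for.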

#
# Troubleshooting
#
A good set of tools to have are some JMX server/client Java tools that you can run outside your tomcat JVM containers to make sure your system is accessible.

JMX Java Tutorial for MXBeans
jmx_examples.zip

Not sure what connection string to put into jconsole etc.? This is the default.

The default container name is jmxrmi
The JMX Service URL is:
service:jmx:rmi:///jndi/rmi://localhost:/jmxrmi
