Hi all,
I have moved to medium.com
I'll be writing more in medium.com. Please find my blog location below.
https://medium.com/@mshazninazeer
Tuesday, June 13, 2017
Sunday, December 25, 2016
Essentials of Vi editor - part 3
In my previous two posts (1 and 2 below) we looked at vi basic and editing.
1. Essentials of Vi editor - part 1
2. Essentials of Vi editor - part 2
In this post let's look at few advanced commands and techniques we can use in vi editor
Indentation and work wrapping
-----------------------------------------------------
>> indent the current line. e.g 3>> indents 3 lines, >} indents a paragraph
<< outdents the current line
:se ai // Enables auto indent
:se noai // Disables auto indentation
:se wm=8 // Sets the wrap margin to 8. As soon as you enter 8 columns it wraps the cursor
:se wm=0 // Auto wrap set off
Filtering
-----------------------------------------------------
!! - applies the filter to the current line
n!! - applies the filter to n number of lines from current line
!} - filters the next paragraph
!{ - filter the previous paragraph
!% - applies the filter from current location to next parranthesis, brace or bracket
These filters can be can be applied to shell commands like tr (transformation), fmt (formatting), grep (search), sed (advanced editing) or awk (a complete programming language). This would mean like sending the filtered text through these commands and getting the output of it and searching or placing back in file as applicable.
e.g In command mode uf you type
!!tr a-z A-z // And enter. Turns the current line into uppercase. Note however your lower command shows :.!tr a-z A-Z. It converts into a format that vi understands it.
5
Advanced examples with : command
-----------------------------------------------------
: 1,. d // Delete all the lines from the first line (indicated by 1) to current line (indicated by .)
: .,$ s/test/text/g // From current line (indicated by .) to end of line (indicated by $) search and replace all 'test' occurrences to 'text'
: /first/,/last/ ! tr a-z A-Z // Find first line that matches 'first' regexp to the first match following 'last' regex and filter it (indicated by !) using the unix command tr from a-z to A-Z (means convert to upper case)
ma // marks a line by character 'a'
mb // marks a line by character 'b'
!a // jump to the line marked by a
: 'a,'b d // Delete all the lines marked by a through b
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
1. Essentials of Vi editor - part 1
2. Essentials of Vi editor - part 2
In this post let's look at few advanced commands and techniques we can use in vi editor
Indentation and work wrapping
-----------------------------------------------------
>> indent the current line. e.g 3>> indents 3 lines, >} indents a paragraph
<< outdents the current line
:se ai // Enables auto indent
:se noai // Disables auto indentation
:se wm=8 // Sets the wrap margin to 8. As soon as you enter 8 columns it wraps the cursor
:se wm=0 // Auto wrap set off
Filtering
-----------------------------------------------------
!! - applies the filter to the current line
n!! - applies the filter to n number of lines from current line
!} - filters the next paragraph
!{ - filter the previous paragraph
!% - applies the filter from current location to next parranthesis, brace or bracket
These filters can be can be applied to shell commands like tr (transformation), fmt (formatting), grep (search), sed (advanced editing) or awk (a complete programming language). This would mean like sending the filtered text through these commands and getting the output of it and searching or placing back in file as applicable.
e.g In command mode uf you type
!!tr a-z A-z // And enter. Turns the current line into uppercase. Note however your lower command shows :.!tr a-z A-Z. It converts into a format that vi understands it.
5
Advanced examples with : command
-----------------------------------------------------
: 1,. d // Delete all the lines from the first line (indicated by 1) to current line (indicated by .)
: .,$ s/test/text/g // From current line (indicated by .) to end of line (indicated by $) search and replace all 'test' occurrences to 'text'
: /first/,/last/ ! tr a-z A-Z // Find first line that matches 'first' regexp to the first match following 'last' regex and filter it (indicated by !) using the unix command tr from a-z to A-Z (means convert to upper case)
ma // marks a line by character 'a'
mb // marks a line by character 'b'
!a // jump to the line marked by a
: 'a,'b d // Delete all the lines marked by a through b
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
Essentials of Vi editor - part 2
In the previous post we looked at some of the basics of the vi editor. In this post let's walk through searching, replacing and undoing.
Search and Replace
------------------------------------------------------------------
/text - searches the text.
?text - searches backward
n - repeats the previous search
N - repeats the previous search in backward direction
. matches any single character e.g - /a.c matches both abc, adc etc. Doesn't match 'ac'
\ has special meaning. e.g - /a\.c matches a.c exactly
e.g - /a\\c matches a\c, /a\/c matches a/c
^ - matches line beginning. e.g - /^abc matches lines beginning with abc
$ - matches line ending e.g - /xyz$ matches lines ending with xyz
[] - matches single character in a set. e.g - /x[abc]y matches xay, xby and xcy
e.g - /x[a-z]y matches xzy, xay etc
e.g - /x[a-zA-Z]y matches xay, xAy etc
e.g - /x[^a-z]y // matches x followed by anything other than a lowercase letter followed by y. Therefore 'xay' doesn't match, but xBy matches.
* - zero or more matches. e.g - xy*z matches xyz, xyyyyz and also xz
\( \) - e.g - /\(xy\)*z matches xyz, xyxyx, xyxyxyz etc
/<.*> - matches <iwhewoip> and <my_name> etc
/<[^>]*> - matches anything in between <>
:s/old/new/ - replaces the first occurrences of old to new on current line
:s/old/new/g - replaces all in the current line
:%s/old/new/ - replaces the first occurrences of old to new of every line in the document
:%s/old/new/g - globally replace all occurrences in the document
You may use any special character other than / for delimitation. For example you may use | or ;
Few special examples.
:%s/test/(&)/g - Here the replacement string is (&), Here the & says the current match. Therefore whatever test words in the document will be put into parenthesis as in (test)
Undoing
------------------------------------------------------------------
u - undoing the last change in command mode
Ctrl + r - Redo the last change
U - undo all fhe changes in the current line
. (period) - Repeats last change in your cursor locations
yy - yanks (copy) a line (Similar to dd like delete equivalents) - the yanked texts goes to vi's buffer not to the OS clip-board
yw - yanks a word (just like dw deletes a word)
p - pastes the yanked text after the cursor
P - pastes the yanked text before the cursor
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
Search and Replace
------------------------------------------------------------------
/text - searches the text.
?text - searches backward
n - repeats the previous search
N - repeats the previous search in backward direction
. matches any single character e.g - /a.c matches both abc, adc etc. Doesn't match 'ac'
\ has special meaning. e.g - /a\.c matches a.c exactly
e.g - /a\\c matches a\c, /a\/c matches a/c
^ - matches line beginning. e.g - /^abc matches lines beginning with abc
$ - matches line ending e.g - /xyz$ matches lines ending with xyz
[] - matches single character in a set. e.g - /x[abc]y matches xay, xby and xcy
e.g - /x[a-z]y matches xzy, xay etc
e.g - /x[a-zA-Z]y matches xay, xAy etc
e.g - /x[^a-z]y // matches x followed by anything other than a lowercase letter followed by y. Therefore 'xay' doesn't match, but xBy matches.
* - zero or more matches. e.g - xy*z matches xyz, xyyyyz and also xz
\( \) - e.g - /\(xy\)*z matches xyz, xyxyx, xyxyxyz etc
/<.*> - matches <iwhewoip> and <my_name> etc
/<[^>]*> - matches anything in between <>
:s/old/new/ - replaces the first occurrences of old to new on current line
:s/old/new/g - replaces all in the current line
:%s/old/new/ - replaces the first occurrences of old to new of every line in the document
:%s/old/new/g - globally replace all occurrences in the document
You may use any special character other than / for delimitation. For example you may use | or ;
Few special examples.
:%s/test/(&)/g - Here the replacement string is (&), Here the & says the current match. Therefore whatever test words in the document will be put into parenthesis as in (test)
Undoing
------------------------------------------------------------------
u - undoing the last change in command mode
Ctrl + r - Redo the last change
U - undo all fhe changes in the current line
. (period) - Repeats last change in your cursor locations
yy - yanks (copy) a line (Similar to dd like delete equivalents) - the yanked texts goes to vi's buffer not to the OS clip-board
yw - yanks a word (just like dw deletes a word)
p - pastes the yanked text after the cursor
P - pastes the yanked text before the cursor
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
Essentials of Vi editor - part 1
I'm sure if you are a serious programmer that you would agree vi is a programmers editor. Knowing vi's commands and usage helps you a lot with your programming tasks and undoubtedly it's a light weight powerful toolkit in your arsenal. In this post I would like to refresh your know-how on vi commands and usage, although there are hundreds of posts and cheat sheets available online. Some commands are extremely common whereas there are few I think which is not so common but extremely powerful. I cover these using three posts.
Moving around the files
--------------------------------------------------------------
H (left) , J (down), K (up) , L (right)
w (move forward by one word), b (move backward by one word)
e (move forward till end of current word)
) (Forward a sentence), ( (Bacward a sentence)
} (Forward a full paragraph), { (Backward a full paragraph)
^ (Move to beginning of a line)
$ (Move to end of a line)
% (Matching bracket or brace)
Shift+g (Jump to end of file)
1 and then Shift+g (Jump to beginning of the file)
This works to jump on to a line as well.
e.g: 23 and then Shift+g (Jump to line 23)
Ctrl+e // scroll down one line
Ctrl+y // Scroll up one line
Ctrl+d // Scroll down half a screen
Ctrl+u // Scroll up half a screen
Ctrl+f // Scroll down a full screen
Ctrl+b // Scroll up a full screen
Getting the status of the file
--------------------------------------------------------------
Ctrl+g // Shows if the file is modified, the number of lines and the percentage the current line is from the beginning)
Saving and quitting
--------------------------------------------------------------
:w (Saves the file into the disk and keeps it open)
:wq (Save and close the file) // Equivalent to Shift + ZZ
:q (Quit without saving an unedited file. Warns you if edited)
:q! (Quite without saving even if the file is edited)
:vi <filename> // Closes the current file and open the <filename>. Equivalent to :q and then issuing vi <filename>. If the current file is edited as :q does, a warning will be given
:vi! <filename> // Does the same as above but doesn't warn you. Equivalent to :q! and then issuing vi <filename>.
e.g:
vi file1.txt file2.txt // loads both file into memory and shows the file1.txt
:n // Shift to the next file
:N // Shift back to the previous file
:rew // Rewind to first file if you have multiple files open
:r // read a file and insert into the current file you are editing
Ctrl + g // shows line number and file status
Text Editing
--------------------------------------------------------------
a - append at the end of the cursor
A - append at the end of the line
i - insert before the cursor
I - insert at the beginning of the line
o - Open a new line below
O - open a new line above the current line
All above commands switch the file to insert mode
r - change the current character and be in command mode
s - change the current character and switch to insert mode
cc - delete the current line and switch to insert mode for editing
cw - Edit the current word
c$ - Delete from current position to end of line and keep editing
c^ - Delete all from beginning of the line to current location and keep editing
x - deletes the current character e.g - 5x to delete 5 character
dd - deletes the current line - e.g - 5dd to delete 5 lines
dw - deletes the current word
de - deletes till the end of current word including a whitespace
d^ - deletes from beginning of the line to current caret position
d$ - deletes from current caret position to end of the line (Shift + d does the same)
R - enters to overwrite mode. Whatever character you type will replace the character under the caret
~ - Changes the case of the character under the caret
J - join the next line to the current line
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
Moving around the files
--------------------------------------------------------------
H (left) , J (down), K (up) , L (right)
w (move forward by one word), b (move backward by one word)
e (move forward till end of current word)
) (Forward a sentence), ( (Bacward a sentence)
} (Forward a full paragraph), { (Backward a full paragraph)
^ (Move to beginning of a line)
$ (Move to end of a line)
% (Matching bracket or brace)
Shift+g (Jump to end of file)
1 and then Shift+g (Jump to beginning of the file)
This works to jump on to a line as well.
e.g: 23 and then Shift+g (Jump to line 23)
Ctrl+e // scroll down one line
Ctrl+y // Scroll up one line
Ctrl+d // Scroll down half a screen
Ctrl+u // Scroll up half a screen
Ctrl+f // Scroll down a full screen
Ctrl+b // Scroll up a full screen
Getting the status of the file
--------------------------------------------------------------
Ctrl+g // Shows if the file is modified, the number of lines and the percentage the current line is from the beginning)
Saving and quitting
--------------------------------------------------------------
:w (Saves the file into the disk and keeps it open)
:wq (Save and close the file) // Equivalent to Shift + ZZ
:q (Quit without saving an unedited file. Warns you if edited)
:q! (Quite without saving even if the file is edited)
:vi <filename> // Closes the current file and open the <filename>. Equivalent to :q and then issuing vi <filename>. If the current file is edited as :q does, a warning will be given
:vi! <filename> // Does the same as above but doesn't warn you. Equivalent to :q! and then issuing vi <filename>.
e.g:
vi file1.txt file2.txt // loads both file into memory and shows the file1.txt
:n // Shift to the next file
:N // Shift back to the previous file
:rew // Rewind to first file if you have multiple files open
:r // read a file and insert into the current file you are editing
Ctrl + g // shows line number and file status
Text Editing
--------------------------------------------------------------
a - append at the end of the cursor
A - append at the end of the line
i - insert before the cursor
I - insert at the beginning of the line
o - Open a new line below
O - open a new line above the current line
All above commands switch the file to insert mode
r - change the current character and be in command mode
s - change the current character and switch to insert mode
cc - delete the current line and switch to insert mode for editing
cw - Edit the current word
c$ - Delete from current position to end of line and keep editing
c^ - Delete all from beginning of the line to current location and keep editing
x - deletes the current character e.g - 5x to delete 5 character
dd - deletes the current line - e.g - 5dd to delete 5 lines
dw - deletes the current word
de - deletes till the end of current word including a whitespace
d^ - deletes from beginning of the line to current caret position
d$ - deletes from current caret position to end of the line (Shift + d does the same)
R - enters to overwrite mode. Whatever character you type will replace the character under the caret
~ - Changes the case of the character under the caret
J - join the next line to the current line
------- Update - Youtube tutorial of the above (04/01/2023) ---------
Youtube Video
Thursday, August 18, 2016
Unleashing the Git - part 7 - Cherry picking commits
We looked at git branching in one of my previous post. In this post let's look at git's on of the unique and powerful features that ties with branching; cherry-picking.
You might need to merge only a specific commit in a branch to your local branch, rather than merging an entire branch. Opt to cherry pick only if merging is not an option. One use case where you want to cherry pick is to back port a bug fix you have done in another branch.
Since we covered some branching concepts in the previous post, let's remind a few commands first.
To see all the available branches
You might need to merge only a specific commit in a branch to your local branch, rather than merging an entire branch. Opt to cherry pick only if merging is not an option. One use case where you want to cherry pick is to back port a bug fix you have done in another branch.
Since we covered some branching concepts in the previous post, let's remind a few commands first.
To see all the available branches
$ git branchTo switch to another branch
$ git checkout <branch name>Cherry picking a branch, tag or a specific commit could be done using the following command.
$ git cherry-pick <branch name, tag name or commit id> // In case of branch or tag name, only the latest commit will be picked.Cherry picking also does the commit. You can avoid the commit with the following. This is important when you want to cherry pick multiple commits and commit all stages at once to commit in the current branch.
$ git cherry-pick --no-commit release_branch_v1 // Or same as $ git cherry-pick --n release_branch_v1 $ git cherry-pick --edit <commit id> // launches the editor to change te commit message. Same as $ git cherry-pick -e <commit id> $ git cherry-pick --signoff release_branch_v1 // Adds a “Signed-off-by” line followed by your name and email taken from configuration to the commit message. Same as $ git cherry-pick -s release_branch_v1
Saturday, August 13, 2016
Multimedia in HTML5
Playing audio and video in a web page has not been very straight forward in the past. One reason for that is due to the fact that there are various audio and video containers and encoding formats. Some popular video formats are .avi, .mp4, .ogg, .flv, and .mkv. There is also a new format called WebM, which is likely to get popular. These formats are not encoding formats. These are containers of the encoded content.
When a person making an audio or a video, chooses a format to encode their multimedia content. To view this encoded content, the viewer should have a corresponding decoder installed in their system. This encoder and decoder software is often referred to as a codec (meaning; coder/decoder or compressor/decompressor). Some video encoding formats are H.264, VP8, DivX, Theora, etc. Some audio codecs are MPEG-4 Audio, Layer 3, which you might recognize as MP3, and AAC, which is mostly used by Apple. Vorbis is another audio format, mosly used with an Ogg container. Earlier mentioned WebM is meant to be used exclusively with the VP8 video codec and the Vorbis audio codec.
As mentioned earlier, to view audio/video files, browsers should either support those formats or use a plugin program to decipher these formats. Luckily all popular browsers support or have some plugin program for it (mostly 3rd party programs - e.g: Adobe flash). With HTML5 however, the need for such 3rd party plugin is expected to diminish.
The most common way of including multimedia content into a web page has been to embed an audio/video file and making the user click a button and make the content play within the page. For this to happen, the browser that you are using should support the format of the media. Otherwise you'll have to install a plugin (helper program) to support those formats.
In older browsers the way to include multimedia has been to use the <object> or <embed> tag.
In HTML5, there are new tags for these. <audio> and <video>
So how to cope up with all these formats in new HTML5. It's indeed complex. Answer is to use multiple formats and let your web page in clients browser try to use all those formats, so that there's high chance of making your web page viewer view or listen to the content. So to have multiple formats of your audio/video content, you'll have to use some Software that can convert your main data file to those needed formats. Popular VLC media player can be used for basic usages. You can still include flash formats since flash plugin support is still widely used.
To include a video content, in HTML5 we may use the following format for example.
When a person making an audio or a video, chooses a format to encode their multimedia content. To view this encoded content, the viewer should have a corresponding decoder installed in their system. This encoder and decoder software is often referred to as a codec (meaning; coder/decoder or compressor/decompressor). Some video encoding formats are H.264, VP8, DivX, Theora, etc. Some audio codecs are MPEG-4 Audio, Layer 3, which you might recognize as MP3, and AAC, which is mostly used by Apple. Vorbis is another audio format, mosly used with an Ogg container. Earlier mentioned WebM is meant to be used exclusively with the VP8 video codec and the Vorbis audio codec.
As mentioned earlier, to view audio/video files, browsers should either support those formats or use a plugin program to decipher these formats. Luckily all popular browsers support or have some plugin program for it (mostly 3rd party programs - e.g: Adobe flash). With HTML5 however, the need for such 3rd party plugin is expected to diminish.
The most common way of including multimedia content into a web page has been to embed an audio/video file and making the user click a button and make the content play within the page. For this to happen, the browser that you are using should support the format of the media. Otherwise you'll have to install a plugin (helper program) to support those formats.
In older browsers the way to include multimedia has been to use the <object> or <embed> tag.
In HTML5, there are new tags for these. <audio> and <video>
So how to cope up with all these formats in new HTML5. It's indeed complex. Answer is to use multiple formats and let your web page in clients browser try to use all those formats, so that there's high chance of making your web page viewer view or listen to the content. So to have multiple formats of your audio/video content, you'll have to use some Software that can convert your main data file to those needed formats. Popular VLC media player can be used for basic usages. You can still include flash formats since flash plugin support is still widely used.
To include a video content, in HTML5 we may use the following format for example.
<video src="myvideo.mp4" width="360" height="240" controls></video>Some possible attributes of <video> are -
- autoplay - Plays the video when the page loads. generally not a good idea in usability perspective
- preload - This attribute will pre-load the video. This is good if the video is the central part of your page. Not good if it's not since it'll be a wastage of the bandwidth
- controls - Controls attribute determine if a default set of control buttons should appear. Highly recommended to include this
- loop - Restarts playing the video once it finishes playing
- width - Sets the width of the media box
- height - Sets the height of the media box
<video width="360" height="240" controls> <source src="yourvideo.mp4" type="video/mp4"> <!-- Helps in IE and Safari --> <source src="yourvideo.ogg" type="video/ogg"> <!-- Helps in Chrome and Firefox --> <source src="yourvideo.webm" type="video/webm"> </video>What if someone visits your site with browser that still doesn't support HTML5, we may use the older <embed> tag and use the flash application/x-shockwave-flash type to work with the flash plugin.
<video width="320" height="240" controls> <source src="yourvideo.mp4" type="video/mp4"> <source src="yourvideo.ogg" type="video/ogg"> <source src="yourvideo.webm" type="video/webm"> <embed src="yourvideo.mp4" type="application/x-shockwave-flash" width="320" height="240" allowscriptaccess="always" allowfullscreen="true"> </video>Similarly <audio> tag supports all the parameters as the <video> and the syntax is very similar.
Saturday, July 30, 2016
Securing WSO2 ESB proxies with Kerberos - part 2 (Active directory (AD) as the KDC)
In a previous post, we looked at how to secure a WSO2 ESB proxy services using kerberos in which Key Distribution Center (KDC) is the WSO2 identity server. In this post we'll look at securing WSO2 ESB proxy services when the KDC is the Active Directory (AD).
When the Key Distribution Center (KDC) is the Active Directory (AD), the SPN is usually attached with a service account. Contact your Windows Administrators to create an SPN and a service account and generate a key tab file against that. The main difference from WSO2 IS and AD based KDC is that, in AD the SPN doesn’t provide a text password, rather it’s in the keyTab file.
To create an SPN for a related service account, use the following command.
Ask the administrators to create the keytab using the following command.
Get the keytab file and place it in a location accessible by the WSO2 ESB.
In our case the KDC hostname is us.your.domain.com. The ESB configuration is same as like the previous case. But make the following changes in the krb5.conf
Next when you secure the proxy, you have to provide the SPN name as the AD configured SPN. In our case the SPN is HTTP/USESB@US.YOUR.DOMAIN.COM
Also note since you have no password for the SPN, you can provide the service account password which was created at the AD end. In fact that won’t be used in this case, since the password will get resolved from the keyTab file. Once the proxy is secured, we need to do one more change for Java 7. Go to the proxy dashboard and click Policies. In both, Binding echoSoap11Binding and Binding echoSoap12Binding policies add the following line below the service principal name.
This is required to be added due to a bug that was identified in the implementation and require a patch from WSO2. If you are a support customer of WSO2, you may open a support ticket to request the patch WSO2-CARBON-PATCH-4.2.0-1811.
If you are not a support customer, you can run the ESB using JRE 1.6.
That’s it in ESB end.
When you start the server, start the ESB with the following system property,
./wso2server.sh -Djava.security.krb5.conf= /carbon/wso2/esb/wso2esb-4.8.1/repository/resources/security/krb5.conf start
You may insert that property in the wso2server.sh file as well.
Now you can try invoking the echo proxy using soap ui and it should fail saying “security header does not found”. This is because the request didn’t contain any security information, such as the kerberos ticket etc. In fact it’s difficult to create a soap ui project to work with kerberos, as the WS-Security spec demands a format for the soap request, such as signing the message payload from kerberos ticket and so on.
We have written a java client to cater this. Clients need to incorporate same mechanism to call a kerberos secured proxy. Please find the Java client here.
Note: however the Java client should be running in a machine where it can connect to the AD based KDC.
Testing with a Java client
Change the krb5.conf of the java client as the following in the java client.
The rampart configuration of policy should be changed. Client principal name in this case would be the logged in user. In our case we have the following configurations.
Note the Java7.TicketDecoder property, if you are running the ESB in Java 7 (Note: To use with Java 7, you'll need to have above mentioned patch applied in the ESB 4.8.1 and ESB 4.9.0) If you are running in Java 6, you may remove that line.
If your server is using a custom keystore (which is normally the case), following needs to be done.
1. Use the same keystore, its alias and password of primary keystore for RegistryKeyStore. This is due to a known issue in the system (see [1]). This will get fixed in the future releases.
[1] https://wso2.org/jira/browse/CARBON-15786
2. Change the config.property of the Java client to use the new keystore and the password
To build this project you have to point the project to the plugins directory of the WSO2 ESB 4.8.1. You may copy the plugins directory somewhere else and point the project to that and build. If you are running the server in Java 7, make sure the plugins directory also contain the patched jars of the above mentioned issue; wss4j, rampart and TicketDecoder.
Now if you run the client you should see the response of the echo service. You should see an output like the following in the console.
The WCF client used to test the echo proxy is located here.
The WCF client creates a form with a button, when clicked it calls the echo proxy. Open App.Config in the Visual Studio.
The client executable is located in EchoWcfClientServiceVisualStudio\EchoClient\bin\Debug
If the executable is not found, you’ll have to build the project in Visual Studio.
Either run the executable or run the client within Visual Studio. This should bring up a form. Click the echo button. The response should be shown in the message box.
You might have noticed that we used the http address. If you want to use the https endpoint for SSL, you have to add the following element in the app.config.
Once the certificates are imported, you should be able to call the proxy with the https endpoint.
When the Key Distribution Center (KDC) is the Active Directory (AD), the SPN is usually attached with a service account. Contact your Windows Administrators to create an SPN and a service account and generate a key tab file against that. The main difference from WSO2 IS and AD based KDC is that, in AD the SPN doesn’t provide a text password, rather it’s in the keyTab file.
To create an SPN for a related service account, use the following command.
setspn -s HTTP/USESB.your.domain.com us\us-wso2esb setspn -s HTTP/USESB us\us-wso2esbChange the SPN and service account accordingly.
Ask the administrators to create the keytab using the following command.
ktpass /out wso2.keytab /princ HTTP/USESB@YOUR.DOMAIN.COM /mapuser us\us-wso2esb /pass password /crypto All /ptype KRB5_NT_PRINCIPALThis will create a keyTab file named wso2.keytab
Get the keytab file and place it in a location accessible by the WSO2 ESB.
In our case the KDC hostname is us.your.domain.com. The ESB configuration is same as like the previous case. But make the following changes in the krb5.conf
[libdefaults]
default_realm = US.YOUR.DOMAIN.COM
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 aes256-sha1 aes128-aha1
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 aes256-sha1 aes128-aha1
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 aes256-sha1 aes128-aha1
allow_weak_crypto = true
[realms]
US.YOUR.DOMAIN.COM = {
kdc = us.your.domain.com
default_domain = US.YOUR.DOMAIN.COM
}
[domain_realm]
.us.YOUR.DOMAIN.COM = US.YOUR.DOMAIN.COM
us.YOUR.DOMAIN.COM = US.YOUR.DOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
Have the jaas.conf contents be like the below.Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
isInitiator=false
keyTab="/carbon/wso2/esb/keytab/wso2.keytab"
principal="HTTP/USESB@US.YOUR.DOMAIN.COM";
};
Note the useKeyTab and the keyTab property, which is different from the WSO2 IS as a KDC scenario. Provide the path of the keyTab file location to the keyTab parameter.Next when you secure the proxy, you have to provide the SPN name as the AD configured SPN. In our case the SPN is HTTP/USESB@US.YOUR.DOMAIN.COM
Also note since you have no password for the SPN, you can provide the service account password which was created at the AD end. In fact that won’t be used in this case, since the password will get resolved from the keyTab file. Once the proxy is secured, we need to do one more change for Java 7. Go to the proxy dashboard and click Policies. In both, Binding echoSoap11Binding and Binding echoSoap12Binding policies add the following line below the service principal name.
<rampart:property name="kdc.ticket.decoder">org.wso2.carbon.krb.Java7.TicketDecoder</rampart:property>
This is required to be added due to a bug that was identified in the implementation and require a patch from WSO2. If you are a support customer of WSO2, you may open a support ticket to request the patch WSO2-CARBON-PATCH-4.2.0-1811.
If you are not a support customer, you can run the ESB using JRE 1.6.
That’s it in ESB end.
When you start the server, start the ESB with the following system property,
./wso2server.sh -Djava.security.krb5.conf= /carbon/wso2/esb/wso2esb-4.8.1/repository/resources/security/krb5.conf start
You may insert that property in the wso2server.sh file as well.
Now you can try invoking the echo proxy using soap ui and it should fail saying “security header does not found”. This is because the request didn’t contain any security information, such as the kerberos ticket etc. In fact it’s difficult to create a soap ui project to work with kerberos, as the WS-Security spec demands a format for the soap request, such as signing the message payload from kerberos ticket and so on.
We have written a java client to cater this. Clients need to incorporate same mechanism to call a kerberos secured proxy. Please find the Java client here.
Note: however the Java client should be running in a machine where it can connect to the AD based KDC.
Testing with a Java client
Change the krb5.conf of the java client as the following in the java client.
[libdefaults]
default_realm = US.YOUR.DOMAIN.COM
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
allow_weak_crypto = true
[realms]
US.YOUR.DOMAIN.COM = {
kdc = us.your.domain.com
}
Note the KDC ip address. Change accordingly. Also change the config.properties to match the windows server.keyStorePath=C:\\Users\\smohamednazeer\\Desktop\\DevKeyTab\\wso2carbon.jks keyStorePassword=wso2carbon axis2ClientPath=C:\\Users\\smohamednazeer\\Documents\\codes\\kerberospocsolution\\kerberosJavaClient\\repo\\conf\\client.axis2.xml policyFilePath=C:\\Users\\smohamednazeer\\Documents\\codes\\kerberospocsolution\\kerberosJavaClient\\repo\\conf\\policy.xml serviceEndpoint=https://<ip-address or domain name>:9443/services/echoIf you are using a custom keystore, use that keystore path and password instead.
The rampart configuration of policy should be changed. Client principal name in this case would be the logged in user. In our case we have the following configurations.
<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
<rampart:timestampTTL>300</rampart:timestampTTL>
<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
<rampart:timestampStrict>false</rampart:timestampStrict>
<rampart:nonceLifeTime>300</rampart:nonceLifeTime>
<rampart:kerberosConfig>
<rampart:property name="client.principal.name">smohamednazeer@US.YOUR.DOMAIN.COM</rampart:property <rampart:property name="client.principal.password">xxxxxxxxxxxx</rampart:property>
<rampart:property name="service.principal.name">HTTP/USESB@US.YOUR.DOMAIN.COM</rampart:property>
<rampart:property name="java.security.krb5.conf">C:\Users\smohamednazeer\Documents\codes\kerberospocsolution\kerberosJavaClient\repo\conf\krb5.conf</rampart:property>
<rampart:property name="java.security.auth.login.config">C:\Users\smohamednazeer\Documents\codes\kerberospocsolution\kerberosJavaClient\repo\conf\jaas.conf</rampart:property>
<rampart:property name="javax.security.auth.useSubjectCredsOnly">true</rampart:property>
<rampart:property name="kdc.ticket.decoder">org.wso2.carbon.krb.Java7.TicketDecoder</rampart:property>
</rampart:kerberosConfig>
</rampart:RampartConfig>
Enter the username you use to login to Windows machine as the client.principal.name, or you have to enter a username that exists in your AD. Enter the password that you use to login to the Windows machine for the client.principal.password, or enter the password of the respective AD user.Note the Java7.TicketDecoder property, if you are running the ESB in Java 7 (Note: To use with Java 7, you'll need to have above mentioned patch applied in the ESB 4.8.1 and ESB 4.9.0) If you are running in Java 6, you may remove that line.
If your server is using a custom keystore (which is normally the case), following needs to be done.
1. Use the same keystore, its alias and password of primary keystore for RegistryKeyStore. This is due to a known issue in the system (see [1]). This will get fixed in the future releases.
[1] https://wso2.org/jira/browse/CARBON-15786
2. Change the config.property of the Java client to use the new keystore and the password
To build this project you have to point the project to the plugins directory of the WSO2 ESB 4.8.1. You may copy the plugins directory somewhere else and point the project to that and build. If you are running the server in Java 7, make sure the plugins directory also contain the patched jars of the above mentioned issue; wss4j, rampart and TicketDecoder.
Now if you run the client you should see the response of the echo service. You should see an output like the following in the console.
Calling service with parameter - Hello Shazni!!!!!!! Request = <p:echoString xmlns:p="http://echo.services.core.carbon.wso2.org"><in>Hello Shazni!!!!!!!</in></p:echoString> The response is : <ns:echoStringResponse xmlns:ns="http://echo.services.core.carbon.wso2.org"><return>Hello Shazni!!!!!!!</return></ns:echoStringResponse>Testing with a Windows Communication Foundation (WCF) client
The WCF client used to test the echo proxy is located here.
The WCF client creates a form with a button, when clicked it calls the echo proxy. Open App.Config in the Visual Studio.
<endpoint address="http://<ip address or domain name>:8280/services/echo" behaviorConfiguration=""
binding="customBinding" bindingConfiguration="customTextMessageEncoding"
contract="WSO2.Echo.echoPortType">
<identity>
<servicePrincipalName value="HTTP/USESB@US.YOUR.DOMAIN.COM" />
</identity>
</endpoint>
Note the endpoint address and the servicePrincipalName.The client executable is located in EchoWcfClientServiceVisualStudio\EchoClient\bin\Debug
If the executable is not found, you’ll have to build the project in Visual Studio.
Either run the executable or run the client within Visual Studio. This should bring up a form. Click the echo button. The response should be shown in the message box.
You might have noticed that we used the http address. If you want to use the https endpoint for SSL, you have to add the following element in the app.config.
<httpsTransport authenticationScheme="Anonymous" bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard" proxyAuthenticationScheme="Anonymous"
realm="" useDefaultWebProxy="true" />
instead of the following http binding,<httpTransport authenticationScheme="Anonymous" bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard" proxyAuthenticationScheme="Anonymous"
realm="" useDefaultWebProxy="true" />And when you run the WCF client in the Windows machine, you would get an SSL error if you haven’t imported the ESB servers' primary keystore’s certificate to the Windows trusted certificates. Assuming you have generated your keystores and exported the certificate out of it, follow the steps here to import the certificate file to the Windows server.
Once the certificates are imported, you should be able to call the proxy with the https endpoint.
Subscribe to:
Posts (Atom)