Tuesday, October 25, 2016

Kerberos SPNEGO Checksum failed problem

I implemented SPNEGO authentication for my web apps. During development I ran into a problem authenticating users with a keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I found a solution to the problem. I used RHEL 7 on the servers and clients, and FreeIPA as the KDC/LDAP server:

1. Open /etc/krb5.conf on the web app server and add one line to the [libdefaults] section:

[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5

This is the most important step: this line resolves the "Checksum failed" problem.

2. On a client:
kinit username
Password for username@MYSERVICE.COM: 

After successful authentication in the Kerberos domain we can access Kerberized web apps using curl (note that -k disables certificate verification, so with --cacert pointing at the IPA CA it can be dropped):
curl -v -k --negotiate -u : --cacert /etc/ipa/ca.crt https://myservice.com:8090/krb

3. In Firefox, type about:config in the address bar, accept the warning ("I promise!"), then find and set:
network.negotiate-auth.delegation-uris    value    http://,https://
network.negotiate-auth.trusted-uris       value    .myservice.com

trusted-uris is what enables SPNEGO for the site; delegation-uris is only needed when the web app has to forward the user's ticket to a backend service, and the value http://,https:// allows delegation to any site.
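Forcing default_tkt_enctypes only helps when the service keytab actually holds a key of that enctype (with the matching kvno), so it is worth looking at both sides before changing krb5.conf. The script below is an added example, not a command from the original post: it parses the output of `klist -ekt /etc/krb5.keytab` (server) and `klist -e` (client) and reports whether the enctype of the HTTP service ticket is one the keytab can decrypt. Both listings embedded in it are constructed samples, and the principal HTTP/myservice.com@MYSERVICE.COM is assumed from the hostname used above.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: check whether the enctype of
# the HTTP service ticket in the client's cache is one the server's keytab
# holds a key for. KEYTAB_LISTING and TICKET_* are constructed samples of
# `klist -ekt /etc/krb5.keytab` and `klist -e` output, not captured data.

SERVICE='HTTP/myservice.com@MYSERVICE.COM'   # assumed service principal

KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/25/2016 10:00:00 HTTP/myservice.com@MYSERVICE.COM (aes256-cts-hmac-sha1-96)
   2 10/25/2016 10:00:00 HTTP/myservice.com@MYSERVICE.COM (aes128-cts-hmac-sha1-96)'

# Client cache after kinit and one request, service ticket issued with AES.
TICKET_AES='Ticket cache: KEYRING:persistent:1000:1000
Default principal: username@MYSERVICE.COM

Valid starting       Expires              Service principal
10/25/2016 10:00:00  10/26/2016 10:00:00  krbtgt/MYSERVICE.COM@MYSERVICE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/25/2016 10:01:00  10/26/2016 10:00:00  HTTP/myservice.com@MYSERVICE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Same cache when the service ticket was issued with arcfour-hmac instead.
TICKET_RC4='Ticket cache: KEYRING:persistent:1000:1000
Default principal: username@MYSERVICE.COM

Valid starting       Expires              Service principal
10/25/2016 10:01:00  10/26/2016 10:00:00  HTTP/myservice.com@MYSERVICE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Enctypes the keytab holds for a principal, one per line.
keytab_etypes() {  # $1 = `klist -ekt` output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# Enctype of the cached ticket (the "tkt" value) for a service principal.
ticket_etype() {  # $1 = `klist -e` output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '
        $5 == p { found = 1; next }
        found && $1 == "Etype" { print $5; exit }
        { found = 0 }'
}

# 0 = keytab can decrypt the ticket, 1 = enctype mismatch, 2 = no ticket cached.
check_etype_match() {  # $1 = keytab listing, $2 = ticket listing, $3 = principal
    t=$(ticket_etype "$2" "$3")
    [ -n "$t" ] || { echo "no service ticket for $3 in cache"; return 2; }
    if keytab_etypes "$1" "$3" | grep -qx "$t"; then
        echo "OK: keytab holds a $t key for $3"
        return 0
    fi
    echo "MISMATCH: ticket for $3 uses $t, keytab only holds:"
    keytab_etypes "$1" "$3" | sed 's/^/  /'
    return 1
}

check_etype_match "$KEYTAB_LISTING" "$TICKET_AES" "$SERVICE" || :
check_etype_match "$KEYTAB_LISTING" "$TICKET_RC4" "$SERVICE" || :
```

To run it against a real deployment, replace the two embedded strings with `$(klist -ekt /etc/krb5.keytab)` captured on the server and `$(klist -e)` captured on the client after one request to the app. The second sample shows why the fix from step 1 is only half the story: a ticket issued with arcfour-hmac can only be verified if the keytab also contains an arcfour key for the service principal.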



Tuesday, September 27, 2016

Clojure ClassCastException error

If an error like this occurs: Caused by: java.lang.ClassCastException: bla.bla.bla cannot be cast to [Lbla.bla.bla, it means the method expects a Java array ([L... is the JVM name of an object array type) and you need (into-array [bla.bla.bla]) or (into-array BlaClass []).

Thursday, March 24, 2016

import openssl keys to JKS


# convert the CA chain from PEM to DER (note: openssl x509 reads only the first certificate in the file)
openssl x509 -outform der -in ca-chain.cert.pem -out ca.cert.der

# bundle the server cert and private key into a PKCS12 store
openssl pkcs12 -export -in ./hostname.cert.pem -inkey ./hostname.key.pem -out ./hostname.p12 -name mywebservice -passin pass:Secret13 -passout pass:Secret13

# import the server cert and private key from PKCS12 into the JKS
keytool -importkeystore -srckeystore ./hostname.p12 -srcstoretype PKCS12 -srcstorepass Secret13 -alias mywebservice -deststorepass Secret13 -destkeypass Secret13 -destkeystore server-keystore.jks

# import the CA certificate as a trusted entry (-storepass is the keystore password; a trusted entry has no key password, so -keypass would only make keytool prompt)
keytool -import -v -trustcacerts -alias ca-cert -file ca.cert.der -keystore ./server-keystore.jks -storepass Secret13

Sunday, January 17, 2016

include java sources to clojure project

1. Create a src-java directory in the project root.
2. Put ordinary Java classes into the src-java/ folder.
3. Add the following lines to project.clj, at the top level or in the :uberjar profile:
:java-source-paths ["src-java/"]
:prep-tasks  ["javac" "compile"]

That's it! 

Saturday, January 9, 2016

convert pem to jks (java keystore)

After Let's Encrypt finishes we must convert our keys to JKS.
Here are the instructions:

openssl pkcs12 -export -in server-cert.pem -inkey server-private.pem -out server.p12 -name localhost -CAfile ca.pem -caname root 

keytool -importkeystore -deststorepass passw12 -destkeypass passw12 -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass passw12 -alias localhost
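This post and the one above from March 24, 2016 do the same conversion with the passwords passed as pass:Secret13 / -srcstorepass on the command line, where they end up in shell history and are visible to other users through the process list. The script below is an added example, not the posts' own commands: it performs the same PEM -> PKCS12 -> JKS conversion with the password taken from the STORE_PASS environment variable (openssl's env: password source and keytool's :env modifier), puts the CA chain into the PKCS12 so the JKS key entry carries the complete chain, and then verifies the result with keytool -list -v. The file names, the alias and the STORE_PASS variable are assumptions, and the private key is assumed to be unencrypted (as Let's Encrypt keys are).

```shell
#!/bin/sh
# Added example, not from the original posts. Converts key + cert + CA chain
# (PEM) to a JKS keystore without putting the password on the command line.
# Assumes: openssl and keytool (JDK) on PATH, STORE_PASS exported, an
# unencrypted private key (add -passin env:KEY_PASS otherwise). File names
# and the alias are hypothetical.

pem_to_jks() {  # $1 key.pem  $2 cert.pem  $3 ca-chain.pem  $4 alias  $5 out.jks
    key=$1 cert=$2 chain=$3 alias=$4 jks=$5
    p12="${jks%.jks}.p12"
    : "${STORE_PASS:?export STORE_PASS before calling pem_to_jks}"

    # 1. Bundle key, server cert and chain. -certfile puts the chain into the
    #    PKCS12, so the JKS key entry will carry it. env: reads the password
    #    from the environment instead of the argument list.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "$alias" -out "$p12" -passout env:STORE_PASS || return 1

    # 2. Import the key entry into a fresh JKS. keytool's :env modifier is the
    #    equivalent of openssl's env: source; -noprompt avoids overwrite questions.
    rm -f "$jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STORE_PASS \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS || return 1

    # 3. The intermediate bundle holds the private key; do not leave it behind.
    rm -f "$p12"
}

# Summarise a key entry: prints "<entry type> <chain length>", e.g. "PrivateKeyEntry 2".
# A chain length of 1 for a CA-signed cert means the chain did not make it into the store.
jks_entry_summary() {  # $1 keystore.jks  $2 alias
    keytool -list -v -keystore "$1" -storepass:env STORE_PASS -alias "$2" 2>/dev/null |
        awk -F': ' '/^Entry type/ { t = $2 } /^Certificate chain length/ { n = $2 }
                    END { print t, n }'
}

# Usage (hypothetical file names):
#   export STORE_PASS='...'
#   pem_to_jks hostname.key.pem hostname.cert.pem ca-chain.cert.pem mywebservice server-keystore.jks
#   jks_entry_summary server-keystore.jks mywebservice
```

Because the chain travels inside the PKCS12, the separate `openssl x509 -outform der` step from the March post (which converts only the first certificate of the chain file) is not needed for the server keystore; a trusted-certificate import is only required if the same JKS is also used as a truststore.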

Sunday, June 14, 2015

secure rabbitmq server and management console.

CentOS 6.5 x64

1. Create the file /etc/rabbitmq/rabbitmq.config:

[
{rabbitmq_management, [{listener, [{port, 15672},{ip, "127.0.0.1"}]}]},
{kernel,[{inet_dist_use_interface,{127,0,0,1}}]}
].

2. Create the file /etc/rabbitmq/rabbitmq-env.conf:

export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1

3. Establish an SSH tunnel from your machine to the remote RabbitMQ server:

ssh -L 15672:127.0.0.1:15672 user@remotehost -p 22

Now you can open the admin console in a browser on your machine at http://localhost:15672.
This is very useful for machines at hosting providers.
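Since the point of the configuration above is that nothing RabbitMQ-related listens on an external interface, it is worth confirming the bindings after a restart. The script below is an added check, not part of the original post: it reads `ss -ltn` (or `netstat -ltn`) output and lists any of the four RabbitMQ ports (4369 epmd, 5672 AMQP, 15672 management UI, 25672 Erlang distribution) that are bound to something other than loopback. The listing embedded in it is a constructed sample in which epmd is still on 0.0.0.0, which is what you would see if epmd had been started before rabbitmq-env.conf was changed and not restarted.

```shell
#!/bin/sh
# Added check, not from the original post: report RabbitMQ-related listeners
# that are NOT bound to loopback, from `ss -ltn` (or `netstat -ltn`) output.
# SS_SAMPLE is a constructed sample, not captured from a real host.

RABBIT_PORTS='4369 5672 15672 25672'   # epmd, AMQP, management UI, Erlang distribution

SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:15672      0.0.0.0:*
LISTEN  0       128     127.0.0.1:5672       0.0.0.0:*
LISTEN  0       128     0.0.0.0:4369         0.0.0.0:*
LISTEN  0       128     127.0.0.1:25672      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# Print "port address" for each watched port bound to something other than loopback.
# Works on ss output (state in $1) and netstat output (state in the last field);
# both put the local address in $4.
non_loopback_listeners() {  # $1 = ss/netstat listing, $2 = space-separated port list
    printf '%s\n' "$1" | awk -v plist="$2" '
        BEGIN { n = split(plist, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        $1 == "LISTEN" || $NF == "LISTEN" {
            # split "addr:port" at the last colon so IPv6 forms like [::]:4369 still work
            port = $4; sub(/.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (watch[port] && addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                print port, addr
        }'
}

# Return 0 when every RabbitMQ port is loopback-only, 1 otherwise.
rabbitmq_loopback_only() {  # $1 = ss/netstat listing
    exposed=$(non_loopback_listeners "$1" "$RABBIT_PORTS")
    if [ -n "$exposed" ]; then
        echo "exposed on non-loopback interfaces (port address):"
        echo "$exposed"
        return 1
    fi
    echo "all RabbitMQ ports are bound to loopback"
    return 0
}

rabbitmq_loopback_only "$SS_SAMPLE" || :
# On a real host: rabbitmq_loopback_only "$(ss -ltn)"
```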

Friday, November 7, 2014

clojure: how to send mail with attachment

It is pretty simple. This code can be used to send email via SMTP. The attachment filename may contain Unicode.

project.clj


(defproject com.middlesphere/mailer "0.1"
  :description "simple mailer"
  :url "http://www.middlesphere.com"
  :license {:name "Eclipse Public License"
            :url "http://www.eclipse.org/legal/epl-v10.html"}
  :dependencies [[org.clojure/clojure "1.6.0"]
                 [com.draines/postal "1.11.2"]
                 [com.sun.mail/javax.mail "1.5.2"]]
  :main ^:skip-aot mailer.core
  :target-path "target/%s"
  :omit-source true
  :profiles {:uberjar {:aot :all}})

core.clj

(ns mailer.core
  (:gen-class)
  (:require [clojure.edn :as edn])
  (:use [postal.core])
  (:import (javax.mail.internet MimeUtility)))

(defn show-help-exit
  []
  (println "Usage: java -jar mailer.jar \"config-file\" \"email@email\" \"subject\" \"filename-with-body\" \"filename-with-attach\"\n ")
  (System/exit 0))

(defn -main
  "entry point to program."
  [& args]
  ;; yyyy = calendar year, MM = month; the original "YYYY-mm-dd" pattern mixed week-year with minutes
  (println "start" (-> (java.text.SimpleDateFormat. "yyyy-MM-dd HH:mm:ss")
                       (.format (java.util.Date.))))

  ;; first returns nil on an empty argument list, whereas (nth args 0) would throw
  (when (= "-h" (first args))
    (show-help-exit))
 
  (when (not= 5 (count args))
    (println "error: wrong number of arguments!")
    (show-help-exit))

  (try
    (let [[config-file email-to subject body-file attach-file] args
          config (edn/read-string (slurp config-file))
          server-cfg {:host (config :host)
                      :port (config :port)}
          server-cfg (if (config :need-auth?)
                       (assoc server-cfg :user (config :user) :pass (config :pass))
                       server-cfg)
          server-cfg (if (config :use-ssl?)
                       (assoc server-cfg :ssl true)
                       server-cfg)
          server-cfg (if (config :use-tls?)
                       (assoc server-cfg :tls true)
                       server-cfg)]
      (println (format "config in:%s\nemail: %s\nsubject: %s\nbody in: %s\nattach in: %s\n" config-file email-to subject body-file attach-file))
      (println (send-message server-cfg                            
                             {:from (config :from)
                              :to email-to
                              :subject subject
                              :body [:alternative
                                     {:type (config :body-type)
                                      :content (slurp body-file)}
                                     {:type :attachment
                                      :content (java.io.File. attach-file)
                                       ;; RFC 2047-encode only the file name (Unicode-safe), not the whole path
                                       :file-name (MimeUtility/encodeText (.getName (java.io.File. attach-file)))
                                      :content-type (config :content-type)}]})))
    ;; print the error instead of silently returning the message string
    (catch Exception e (println "caught exception:" (.getMessage e))))
  (println "\nend" (-> (java.text.SimpleDateFormat. "yyyy-MM-dd HH:mm:ss")
                       (.format (java.util.Date.)))))

mailer-config.edn

{:from "from@gmail.com"
 :host "smtp.gmail.com"
 :port 465
 :use-ssl? true
 :use-tls? false

 :need-auth? true
 :user "MyLogin"
 :pass "dis is passwd"

 :body-type "text/plain; charset=utf-8"
 :content-type "application/octet-stream"}

Test run


java -jar mailer-0.1-standalone.jar mailer-config.edn "to@gmail.com" "test-subject" "file-with-body.txt" "file-to-be-attached.doc"