The Java bindings for the Network Security Services (NSS) library are called JSS. NSS provides a key management scheme that is different enough from both standard Java and OpenSSL that trying to do standard Java Socket operations using the Apache HttpClient requires a little bit of extra work.
Group Delegation in Unix
One thing that is missing in traditional Unix systems is the ability to let a non-root user manage group membership. Unix was built around several simple concepts. One of those was: everything is a file. Using this principle, we can specify how group delegation would have worked.
Talking to Dogtag PKI via curl
As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/Certificate approach.
Finding Java Classes
I’m back on a Java project. Been a while, and I want to capture some of the tricks I’m using.
Right now, I’m just trying to import the project into eclipse. Seems that the current team members don’t use it. I’m an IDE kind of guy, at least when it comes to Java.
Building the .classpath file can be tricky. However, since I know that I have a good build, and that this project is a good participant in the Fedora build process, I have the advantage of knowing that my packages reside in /usr/share/java. Still, all eclipse gives me is a set of classes that it can’t find. How to find them?
This project uses CMake. I could look for all of the Jar files in the CMakeLists.txt files, and I might do that in the future. However, a trick I’ve developed in the past has come in handy.
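# Convert a dotted class name to its path inside a Jar file.
class2path(){
    echo "$1" | sed 's!\.!\/!g'
}
JDIR=/usr/share/java
# Write one "jar-file class-file" line for every class in every Jar under $JDIR.
make_alljars(){
    for JAR in `find $JDIR -name \*.jar -type f`
    do
        for CLASS in `jar -tf $JAR | grep '\.class'`
        do
            echo $JAR $CLASS
        done
    done > /tmp/alljars.txt
}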
First, the make_alljars function creates a map in (value key) order. The value is the Jar file name, and the key is the class name. To find a Jar file that contains a given class (in this example netscape.ldap.LDAPConnection), run:
grep `class2path netscape.ldap.LDAPConnection` /tmp/alljars.txt
And the output is
/usr/share/java/ldapjdk.jar netscape/ldap/LDAPConnection$ResponseControls.class
/usr/share/java/ldapjdk.jar netscape/ldap/LDAPConnection.class
This works really well with eclipse, in that the error messages have the name of the class. You can then just highlight the class name, paste it into the command line in place of the class I have above, and when you get the Jar file name, you can highlight it to save it to the clipboard. From the right-click context menu pick Java Build Path and then Add External Archive and then paste the whole path in.
Java as a scripting language
When developing in Python or Perl, it is very common to start with an executable script, and to edit/run/edit/run. Java is slowed down by the cycle of edit/compile/run. Here’s a proof of concept of coding in Java like you do in Python.
Updating a certificate for a FreeIPA web server
As I install, uninstall, and re-install FreeIPA, I start getting: sec_error_reused_issuer_and_serial. This used to be a minor annoyance, solved by clearing the certificates out of, and restarting, the browser. Recent versions of Firefox have complained even after doing this, leading to the current approach: clear your browser cache. Instead, you can update the certificate on the web server, and this should give you a cert with a new serial number, and avoid the error message.
Announcing FreeIPA 2.1.0
Cross posted from the FreeIPA mailing lists:
The FreeIPA Project is proud to announce the latest release of FreeIPA. As always, the latest tarball can be found at http://freeipa.org/
FreeIPA 2.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.
== Highlights ==
* General client and server installation improvements. Server installation is significantly faster.
* Improved support for IPv6.
* General UI improvements related to navigation and work flow.
* Added UI for automount.
* A Host-based Access Control (HBAC) test tool
* Deprecation of HBAC deny rules
* A CA is no longer required on every replica and may be added post-install to a replica (see ipa-ca-install).
* A new replication tool for dogtag has been added (ipa-cs-manage). This allows you to control the replication topology of your CA.
IPAddress for local Virtual Machines
When running Fedora as a KVM/Qemu host for virtual machines, you have the issue that you don’t know the IP Address for a virtual machine once you create it. IP addresses that are assigned via
The MAC Address is in the config file saved in
/etc/libvirt/qemu/$VMNAME.xml
Once you start the virtual machine, you can fetch the IP Address from the DHCP lease file in:
/var/lib/dnsmasq/dnsmasq.leases
To correlate the two:
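#!/bin/bash
# Usage: pass the libvirt domain name as the first argument.
VMNAME=$1
# Pull the MAC address out of the domain definition.
MAC=`xml2 < "/etc/libvirt/qemu/$VMNAME.xml" | awk 'BEGIN{FS="="} /mac..address/ {print $2}'`
# The third field of the matching lease line is the IP address.
IP=`grep "$MAC" /var/lib/dnsmasq/dnsmasq.leases | cut -d' ' -f3`
#$VMNAME has MAC $MAC and IPAddress $IP
echo "$IP"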
This must be called as root or via sudo.
UPDATE:
Chris Lalancette notes that the canonical version of the MAC address can be found using
virsh -c qemu:///system dumpxml $VMNAME
What Jar File
When working with a new project, I often find I am searching for the Jar files that fulfill a dependency. Sometimes they come from maven, sometimes from the Fedora RPMS. My approach has been to make a cache of the Jar files in the directories that I care about that contains a map from jar file name to class name:
#!/bin/bash
CACHE_FILE=/tmp/jarcache
# start with an empty cache
: > $CACHE_FILE
for DIR in /usr/share/java /usr/lib/java
do
    for JAR in `find $DIR -name \*.jar`
    do
        #only do the non-symlinked versions
        if [ -f $JAR ] && [ ! -L $JAR ]
        then
            for CLASS_FILE in `jar -tf $JAR | grep '\.class'`
            do
                CLASS=`echo $CLASS_FILE | sed 's!/!.!g'`
                echo $JAR $CLASS >> $CACHE_FILE
            done
        fi
    done
done
Then call it this way:
grep "org.mozilla.jss.ssl" /tmp/jarcache
Removing empty comment blocks
Eclipse can automate a lot of stuff for you. One thing it did for me was automating the serialVersionUID generation for all the serializable classes in my tree.
They look like this:
/**
 *
 */
private static final long serialVersionUID = -9031744976450947933L;
However, it put an empty block comment in on top of them, something I didn’t notice until I had mixed in this commit with another. So, I want to remove those empty comment blocks.
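#!/bin/bash
for JAVAFILE in `find . -name \*.java`
do
    # Collect the whole file in the hold space, then remove every empty block in one substitution.
    sed -n '1h;1!H;${;g;s! */\*\*\n *\* *\n *\*/ *\n!!g;p;}' \
        < "$JAVAFILE" > "$JAVAFILE.new"
    mv "$JAVAFILE.new" "$JAVAFILE"
done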
Thanks to this article for how to do the multiline search and replace.
http://austinmatzko.com/2008/04/26/sed-multi-line-search-and-replace/
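The filter above, wrapped as a function and run over a constructed sample, as an added example that is not part of the original post. It goes one step beyond the post by using `[[:blank:]]` so tab-indented empty blocks are matched too, and it assumes GNU sed; the function names and the sample class are made up for illustration.

```bash
#!/bin/bash
# Added example: assumes GNU sed. Function names and the sample class
# are hypothetical, constructed for illustration.

# The expression from the script above, unchanged: it only matches
# blocks that are indented with spaces.
strip_space_only() {
    sed -n '1h;1!H;${;g;s! */\*\*\n *\* *\n *\*/ *\n!!g;p;}'
}

# Same hold-space technique with [[:blank:]] in place of the literal
# space, so tab-indented blocks are removed as well.
# Reads Java source on stdin, writes the cleaned source to stdout.
strip_empty_javadoc() {
    sed -n '1h;1!H;${;g;s![[:blank:]]*/\*\*\n[[:blank:]]*\*[[:blank:]]*\n[[:blank:]]*\*/[[:blank:]]*\n!!g;p;}'
}

# Constructed input: a space-indented empty block, a tab-indented empty
# block, and a documented block that must survive the cleanup.
sample_java() {
    printf 'public class Sample implements java.io.Serializable {\n'
    printf '    /**\n     *\n     */\n'
    printf '    private static final long serialVersionUID = 1L;\n'
    printf '\t/**\n\t * \n\t */\n'
    printf '\tprivate int count;\n'
    printf '    /**\n     * Returns the count.\n     */\n'
    printf '    public int getCount() { return count; }\n'
    printf '}\n'
}

# Number of lines on stdin that still open a /** comment.
count_openers() {
    grep -c '/\*\*'
}

echo "space-only pattern leaves:  $(sample_java | strip_space_only | count_openers)"
echo "blank-aware pattern leaves: $(sample_java | strip_empty_javadoc | count_openers)"
sample_java | strip_empty_javadoc
```

Running a file through `strip_empty_javadoc` and diffing it against the original before the `mv` shows exactly which blocks would be removed.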