Secure Java Authentication (SSL) to Active Directory

Following on from an old article I wrote about getting your java applications to authenticate against an LDAP compliant directory server, I thought I’d write another article explaining how to encrypt that communication. It’s all very well getting your users to authenticate against AD, but sending their username/password in cleartext isn’t ideal.

To begin, I have a default installation of Windows Server 2012 R2 onto which I have installed the Active Directory Domain Services role. I created a new user, set up a password and tested I could connect to AD via java using port 389 (unencrypted). It’s also useful to note that you can test this with Microsoft’s built-in client ldp.exe (I’ll be using this later).

You might well have an AD server set up that already supports port 636 with SSL, but for completeness I’ll explain what I did for testing, as it took a little while to find the correct information. I found various articles about creating a certificate authority, self-signing a certificate, then importing it into various places using mmc.exe. None of these worked for me and I was unable to establish an SSL connection over port 636 using ldp.exe. In the end I added the role Active Directory Certificate Services (just the Certificate Authority part) and followed the configuration wizard to create an initial certificate. After rebooting the server, the certificate was up and running and a simple Connect using server, port and SSL checked in ldp.exe worked! See the acknowledgements section at the bottom for a guide on installing AD Certificate Services. It’s important you succeed in connecting before moving on to the java code, as SSL can be fiddly enough without fighting other configuration issues as well.

The alterations needed to the code from the original article are pretty small. To keep it short, I assume SSL is required if the default port 636 is used.

LDAPConnection conn = null;
if (port == 636) {
    conn = new LDAPConnection(new LDAPJSSESecureSocketFactory());
} else {
    conn = new LDAPConnection();
conn.connect(host, port);

If you have purchased an SSL certificate from a trusted certificate authority, you should be ready to go. If you are using a self signed SSL certificate you’ll see the following errors when trying to bind.

PKIX path building failed: unable to find valid certification path to requested target
Caused by: PKIX path building failed: unable to find valid certification path to requested target
Caused by: unable to find valid certification path to requested target

To stop this, you need to export the certificate from the AD server and import it into a java keystore, so you explicitly acknowledge that you trust it. Using mmc.exe (add the Certificates snap-in if it’s not already added), look in Certificates (Local Computer) – Personal – Certificates and find the AD certificate. Right click on it, All Tasks – Export, do NOT export the private key, and export in DER format. I called mine ad-server.cer.

The following command will create a new java keystore (called cacerts in the current directory) and import the certificate you just exported.

keytool -import -alias <alias> -keystore cacerts -file ad-server.cer

You can double check the import with the following command.

keytool -list -keystore cacerts

To run your java code with the new keystore, you need to set the trustStore system property, plus the trustStore password property if your keystore requires one. Pay careful attention to the property names: there are equivalents ending in keyStore, but it’s important we use the trustStore ones in this case (the key store holds certificates you present, the trust store holds certificates you accept). For example;

java -jar app.jar

If your code is a webapp deployed in something like Apache Tomcat you need to add the same properties to the Tomcat startup. For the Windows service install, right click on the service monitor and from the menu choose Configure…, then under the Java tab update the Java Options: by adding the extra properties. For other Apache Tomcat installs, add them to the JAVA_OPTS parameter in catalina.bat or its Linux equivalent, depending on whether you’re using Windows or Linux.

As a final note, this article describes how to use SSL on port 636, where the encrypted channel is set up before any LDAP communication takes place. If you’re trying to set up TLS instead, it may well be running over the default port 389, as TLS (StartTLS) is an option that supporting clients can enable on the unencrypted port. In that case some LDAP communication takes place in cleartext before the client asks to enable TLS, so make sure the bind is only sent after the upgrade has completed.
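As an added example (not the article’s code, which uses the JLDAP LDAPConnection classes above), here is a JDK-only version using JNDI that binds over LDAPS on 636 and, for comparison, over 389 upgraded with StartTLS, so the difference described in the last paragraph is visible in code. It assumes the cacerts truststore created with keytool above sits in the working directory; host, user and password come from the command line.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class AdSecureBind {

    /** Point JSSE at the keystore holding the exported AD certificate.
     *  The property names end in trustStore (certificates we accept), not keyStore
     *  (certificates we present); setting the keyStore variants does not fix the PKIX error. */
    static void useTrustStore(String path, String password) {
        System.setProperty("javax.net.ssl.trustStore", path);
        if (password != null) {
            System.setProperty("javax.net.ssl.trustStorePassword", password);
        }
    }

    private static Hashtable<String, String> baseEnv(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    /** LDAPS on 636: the TLS handshake completes before the first LDAP message,
     *  so the bind credentials are never on the wire in cleartext. */
    static boolean bindLdaps(String host, String user, String password) {
        Hashtable<String, String> env = baseEnv("ldaps://" + host + ":636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user);      // DN, or user@domain UPN for AD
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialLdapContext(env, null).close();  // the constructor performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                               // TLS was fine, the credentials were not
        } catch (NamingException e) {
            // an untrusted self-signed AD certificate surfaces here with
            // "PKIX path building failed" in the cause chain
            throw new IllegalStateException("LDAPS connection failed", e);
        }
    }

    /** Plain 389 upgraded with StartTLS: the connection starts in cleartext and the
     *  bind is only sent after negotiate() succeeds; anything sent before that is exposed. */
    static boolean bindStartTls(String host, String user, String password) {
        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            ctx = new InitialLdapContext(baseEnv("ldap://" + host + ":389"), null); // anonymous
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();                            // server cert checked against the truststore here
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, user);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);                        // re-bind with credentials, now encrypted
            return true;
        } catch (AuthenticationException e) {
            return false;
        } catch (Exception e) {
            throw new IllegalStateException("StartTLS connection failed", e);
        } finally {
            try {
                if (tls != null) tls.close();
                if (ctx != null) ctx.close();
            } catch (Exception ignored) {
            }
        }
    }

    public static void main(String[] args) {
        // usage: java AdSecureBind <ad-host> <user> <password> [truststore-password]
        useTrustStore("cacerts", args.length > 3 ? args[3] : null);
        System.out.println("ldaps/636 bind ok:    " + bindLdaps(args[0], args[1], args[2]));
        System.out.println("starttls/389 bind ok: " + bindStartTls(args[0], args[1], args[2]));
    }
}
```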


SheevaPlug stops responding – USB console required!

My SheevaPlug is still plodding along, at the cost of a replacement PSU in early 2013. Some tweaks, a reboot, no response …. oh dear! I always forget how to do this, so this post is more about reminding me how to connect to the USB console to find out what’s going on.

Regardless of desktop OS, I prefer to do this on a linux machine as it’s much easier (install linux using VirtualPC if you only have a windows desktop). Stick in the micro USB, connect it to the desktop (remember to allow USB on the virtual machine if you install VirtualPC) and

screen /dev/ttyUSB0 115200

You might have to hit ‘Enter’ a couple of times, but you should see a console appear as if you had a monitor connected to the SheevaPlug.

As for my issue, the SD card was throwing read errors and I needed to run fsck manually. Looks like I’ll be writing something up on backing up my SD card and transferring to a new (and bigger) SD card sometime soon! The backup/restore would be quick and easy if I wasn’t interested in changing the partition sizes … from the desktop (check which device the card appears as first; the commands below assume /dev/sdb)

dd if=/dev/sdb of=/root/plug.img
dd if=/root/plug.img of=/dev/sdb

Java Internationalisation (i18n) Character Encoding

Internationalisation (i18n) of java applications should not be difficult, although dealing with text in languages you don’t understand can be a little confusing! As a developer, you’ll normally be sent a translated version of the text to use in your application. If you’re really lucky the translator will be able to work directly with a java property file and you’ll get back a translated version to drop into your application.

A common scenario will be a series of java property files along the lines of;

  • – key/value pairs in base language, assumed to be English
  • – key/value pairs in language with country code XX
  • – key/value pairs in language with country code XX, variant YY

Take the file which contains an Arabic translation. Dropping that directly into your application will probably result in it being ignored, cue head scratching … The issue is that java property files must use the ISO-8859-1 character encoding, and to have been converted into Arabic the file is probably using UTF8 (or ISO-8859-6). Sun/Oracle solve this problem with native2ascii, as follows (rename your original Arabic translation first, so the converted output can take its place);

native2ascii -encoding utf8

The resulting file isn’t as readable as the UTF8 version, as all non-ASCII characters have been converted to Unicode escape sequences – but, at least it now works!

If you want to keep your translations in UTF8 encoded files you need to be using Java 1.5 or greater along with XML based property files.
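An added example (not from the original post) showing the encoding problem and both fixes in one place: a constructed property file whose value is the Arabic word مرحبا, loaded the ISO-8859-1 way (garbled), after a native2ascii-style escape (works everywhere), and through a UTF-8 Reader (the Properties.load(Reader) overload, available from Java 6). The sample text is embedded as Unicode escapes so the source compiles under any platform encoding.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

public class PropertiesEncoding {

    /** Constructed sample: one key with an Arabic value, as a translator would deliver it. */
    static final String ARABIC = "\u0645\u0631\u062D\u0628\u0627";
    static final String UTF8_SOURCE = "greeting=" + ARABIC + "\n";

    /** Escape every non-ASCII character to a u-escape (backslash, u, four hex digits),
     *  which is what native2ascii does; the result is pure ASCII and loads on any Java. */
    static String toAsciiEscaped(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c < 0x80) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** Properties.load(InputStream) always decodes as ISO-8859-1: raw UTF-8 bytes become mojibake. */
    static String loadViaInputStream(byte[] fileBytes) throws IOException {
        Properties p = new Properties();
        p.load(new ByteArrayInputStream(fileBytes));
        return p.getProperty("greeting");
    }

    /** Properties.load(Reader) lets the caller choose the charset, so UTF-8 files work unchanged. */
    static String loadViaUtf8Reader(byte[] fileBytes) throws IOException {
        Properties p = new Properties();
        p.load(new InputStreamReader(new ByteArrayInputStream(fileBytes), StandardCharsets.UTF_8));
        return p.getProperty("greeting");
    }

    public static void main(String[] args) throws IOException {
        byte[] utf8Bytes = UTF8_SOURCE.getBytes(StandardCharsets.UTF_8);

        String wrong = loadViaInputStream(utf8Bytes);
        System.out.println("raw UTF-8 via InputStream : ok=" + ARABIC.equals(wrong) + " value=" + wrong);

        byte[] escaped = toAsciiEscaped(UTF8_SOURCE).getBytes(StandardCharsets.ISO_8859_1);
        String fixed = loadViaInputStream(escaped);
        System.out.println("native2ascii style escaped: ok=" + ARABIC.equals(fixed) + " value=" + fixed);

        String viaReader = loadViaUtf8Reader(utf8Bytes);
        System.out.println("raw UTF-8 via Reader      : ok=" + ARABIC.equals(viaReader) + " value=" + viaReader);
    }
}
```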

Xmpp/Jabber commons-logging handler (Tomcat)

I wanted to create a live monitoring system to use with some of the webapps I have running in Apache Tomcat. There were various options, but as I have a secure xmpp/jabber chat system setup already, I thought it’d be handy to use that as the transport medium for any communication.

On one server I have an xmpp chat system (ejabberd running on debian) running over SSL. On other servers I have instances of Apache Tomcat running various web applications.

  • I created a new java.util.logging.Handler that could be used with tomcat.
  • Created xmpp user accounts within ejabberd for each webapp I wanted to monitor.
  • Updated the file for each webapp and restarted.

The handler was setup to auto-accept contact requests (not a problem on an internal chat server), so I added the new xmpp user accounts as contacts on my own account. Step 1 successful, I can now see when the webapps are online and do something about it when I notice they go offline. To receive live logging information, I’d also built the following commands into the handler.

  • !subscribe
  • !unsubscribe
  • !level <LEVEL_NAME>

The first two are pretty obvious: they allow you to subscribe and unsubscribe from being sent log messages via chat. The third command allows you to select the minimum level of message you want to see – on production servers I get way too many messages if I listen to ALL, so I tend to choose WARNING as I’m only interested in seeing if things go wrong.

An example file updated from the default one that ships with tomcat;

handlers = org.apache.juli.FileHandler,, java.util.logging.ConsoleHandler = = 5222 = webapp1-name = webapp1-password

org.apache.juli.FileHandler.level = ALL = ${catalina.base}/logs

java.util.logging.ConsoleHandler.level = SEVERE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

The code is squeezed into a single file and packaged in a maven project that uses smack/smackx to perform the xmpp communication. I’ve not attached it to this post, but if anyone is interested, leave a comment below and I’ll make it available.
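An added sketch of how such a handler can be structured (not the author’s code, which is not attached to the post): a java.util.logging.Handler that keeps a per-contact minimum level, understands the three chat commands, and hands outgoing messages to a small transport interface so it can be exercised without Smack or a server. The ChatTransport interface and the allow-list of JIDs permitted to issue commands are assumptions added here.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.SimpleFormatter;

public class ChatLogHandler extends Handler {

    /** Minimal chat transport abstraction (assumed here) so the handler can run without XMPP. */
    interface ChatTransport {
        void sendMessage(String toJid, String text);
    }

    private final ChatTransport transport;
    private final Set<String> allowedJids;                         // contacts allowed to issue commands
    private final Map<String, Level> subscribers = new ConcurrentHashMap<>();

    ChatLogHandler(ChatTransport transport, Set<String> allowedJids) {
        this.transport = transport;
        this.allowedJids = allowedJids;
        setLevel(Level.ALL);                                       // per-contact levels filter below
        setFormatter(new SimpleFormatter());
    }

    /** Called by the chat layer for each incoming message; returns the reply text, or null. */
    String handleCommand(String fromJid, String text) {
        if (!allowedJids.contains(fromJid)) {
            return null;                                           // ignore strangers silently
        }
        String[] parts = text.trim().split("\\s+", 2);
        switch (parts[0]) {
            case "!subscribe":
                subscribers.putIfAbsent(fromJid, Level.WARNING);   // quiet default for busy servers
                return "subscribed at " + subscribers.get(fromJid);
            case "!unsubscribe":
                subscribers.remove(fromJid);
                return "unsubscribed";
            case "!level":
                if (parts.length < 2) {
                    return "usage: !level <LEVEL_NAME>";
                }
                if (!subscribers.containsKey(fromJid)) {
                    return "not subscribed";
                }
                try {
                    Level level = Level.parse(parts[1].toUpperCase());
                    subscribers.put(fromJid, level);
                    return "level set to " + level;
                } catch (IllegalArgumentException e) {
                    return "unknown level " + parts[1];
                }
            default:
                return null;
        }
    }

    @Override
    public void publish(LogRecord record) {
        if (!isLoggable(record)) {
            return;
        }
        String text = getFormatter().format(record);
        for (Map.Entry<String, Level> e : subscribers.entrySet()) {
            // each contact only receives records at or above the level they asked for
            if (record.getLevel().intValue() >= e.getValue().intValue()) {
                transport.sendMessage(e.getKey(), text);
            }
        }
    }

    @Override
    public void flush() {
    }

    @Override
    public void close() {
        subscribers.clear();
    }
}
```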

Quake 3 network protocol 43 proxy server

I decided to experiment with java NIO and thought it’d be useful to resurrect my quake 3 proxy server. The completed code may be a useful follow-up to an original article I wrote many years ago about the Quake 3 network protocol.

If I get time I’ll create a version for protocol 68 that can decode the Huffman compressed packet data on the fly, but don’t hold your breath!

Instructions can be found in the code comments, otherwise leave me a message below.


import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.channels.DatagramChannel;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.charset.Charset;
import java.util.Iterator;

/**
 * A Quake3 proxy server that communicates using protocol 43, 1.11 - 1.16 point
 * release of quake3 engine. It's designed to handle a single client and provide
 * a way of experimenting with the quake3 protocol on the fly.
 *
 * Packet fragmentation is ignored for simplicity, with sequenceId being read
 * without performing fragmentation checks.
 *
 * Example handshake (OOB prefixed packets)
 *   CLIENT : getChallenge
 *   SERVER : challengeResponse <ID>
 *   CLIENT : connect "\cg_predictItems\1\sex\male\handicap\100\color\3\snaps\40\rate\10000\model\doom/red\name\UnnamaedPlayer\protocol\68\qport\<PORT>\challenge\<ID>"
 *   SERVER : connectResponse
 *
 * Client game data packet
 * +-----------------+-----+----------+-----------+
 * | NAME            | LEN | ENCODING | ENDIANESS |
 * +-----------------+-----+----------+-----------+
 * |  SequenceNumber |  32 |     None |    Little |
 * |           QPort |  16 |     None |    Little |
 * |                 |     |      XOR |           |
 *
 * Server game data packet
 * +-----------------+-----+----------+-----------+
 * | NAME            | LEN | ENCODING | ENDIANESS |
 * +-----------------+-----+----------+-----------+
 * |  SequenceNumber |  32 |     None |    Little |
 * |                 |     |      XOR |           |
 *
 * If anyone gets time to implement the XOR decoding, do let me know! I suspect
 * it's the Netchan_UnScramblePacket() function from qcommon/net_chan.c in the
 * 1.32 full source release.
 *
 * @author Darren Edmonds
 */
public class Protocol43ProxyServer {

    private static final int BUFFER_SIZE = 1024 * 2;  // size in bytes
    private int localPort;
    private SocketAddress serverAddr;
    private SocketAddress clientAddr;
    private DatagramChannel serverChannel; // proxy <==> quake3 server
    private DatagramChannel clientChannel; // proxy <==> quake3 client
    private boolean running;

    Protocol43ProxyServer(int localPort, String remoteServer, int remotePort) {
        this.localPort = localPort;
        this.serverAddr = new InetSocketAddress(remoteServer, remotePort);
    }

    /**
     * Start the proxy server
     * @throws IOException
     */
    public void start() throws IOException {
        Selector selector = Selector.open();

        // proxy <==> quake3 client, bound to the local port the client connects to
        this.clientChannel = DatagramChannel.open();
        this.clientChannel.configureBlocking(false); // required before registering with a selector
        this.clientChannel.socket().bind(new InetSocketAddress(this.localPort));
        this.clientChannel.register(selector, SelectionKey.OP_READ);

        // proxy <==> quake3 server, bound to an ephemeral port chosen by the OS
        this.serverChannel = DatagramChannel.open();
        this.serverChannel.configureBlocking(false);
        this.serverChannel.socket().bind(new InetSocketAddress(0));
        this.serverChannel.register(selector, SelectionKey.OP_READ);

        ByteBuffer buffer = ByteBuffer.allocateDirect(BUFFER_SIZE);
        buffer.order(ByteOrder.LITTLE_ENDIAN); // quake3 packet headers are little endian

        this.running = true;
        Iterator<SelectionKey> it = null;
        SelectionKey key = null;
        while (this.running) {
            int n = selector.select();
            if (n == 0) continue; // nothing to do
            it = selector.selectedKeys().iterator();
            while (it.hasNext()) {
                key = it.next();
                it.remove(); // the selector never clears the selected set itself
                if (key.isReadable()) {
                    this.handlePacket((DatagramChannel) key.channel(), buffer);
                }
            }
        }
    }

    /**
     * Read a packet of data from the client (or server) datagram channel then
     * proxy it over to the other channel.
     * @param channel
     * @param buffer
     * @throws IOException
     */
    private void handlePacket(DatagramChannel channel, ByteBuffer buffer)
            throws IOException {
        if (channel == this.clientChannel) {
            SocketAddress sender;
            while ((sender = channel.receive(buffer)) != null) {
                if (this.clientAddr == null) this.clientAddr = sender;
                //System.out.println("CLIENT sent " + buffer.position() + " bytes");
                inspectClientPacket(buffer);
                buffer.flip(); // switch from filling to draining
                writePacket(this.serverChannel, buffer, this.serverAddr);
                buffer.clear(); // ready for the next datagram
            }
        } else {
            while (channel.receive(buffer) != null) {
                //System.out.println("SERVER sent " + buffer.position() + " bytes");
                inspectServerPacket(buffer);
                buffer.flip();
                if (this.clientAddr != null) { // nothing to relay to until a client has spoken
                    writePacket(this.clientChannel, buffer, this.clientAddr);
                }
                buffer.clear();
            }
        }
    }

    /**
     * Write buffer to channel, transmitting content to recipient
     * @param channel
     * @param buffer
     * @param recipient
     * @throws IOException
     */
    private void writePacket(DatagramChannel channel, ByteBuffer buffer,
            SocketAddress recipient) throws IOException {
        while (buffer.hasRemaining()) {
            channel.send(buffer, recipient);
        }
    }

    /**
     * Chance to inspect/modify packet sent from client before it is relayed
     * to the server
     * @param buffer
     */
    private void inspectClientPacket(ByteBuffer buffer) {
        if (buffer.position() < 4) return; // too short to carry a header
        int sequenceId = buffer.getInt(0);

        if (sequenceId == -1) { // 4 OOB bytes in the header
            byte[] textArr = new byte[buffer.position() - 4];
            int oldPos = buffer.position();
            buffer.position(4);
            buffer.get(textArr); // copy out the command text that follows the OOB marker
            buffer.position(oldPos); // restore so the packet is relayed intact

            String command = new String(textArr, Charset.forName("UTF-8"));
            System.out.println("CLIENT " + command);
            if (command.startsWith("connect ")) {
                /* rewrite the qport value to reflect the proxy local port
                 * rather than the client local port - not critical for testing
                 * but required for multiple clients on same IP via NAT */
            }
        } else {
            int qport = buffer.getShort(4);
            System.out.println("CLIENT seq=  " + String.format("%15d", sequenceId));
            System.out.println("CLIENT qport=" + String.format("%15d", qport));
        }
    }

    /**
     * Chance to inspect/modify packet sent from server before it is relayed
     * to the client
     * @param buffer
     */
    private void inspectServerPacket(ByteBuffer buffer) {
        if (buffer.position() < 4) return; // too short to carry a header
        int sequenceId = buffer.getInt(0);
        if (sequenceId == -1) { // 4 OOB bytes in the header
            byte[] textArr = new byte[buffer.position() - 4];
            int oldPos = buffer.position();
            buffer.position(4);
            buffer.get(textArr);
            buffer.position(oldPos);

            String command = new String(textArr, Charset.forName("UTF-8"));
            System.out.println("SERVER " + command);
            if (command.startsWith("connectResponse")) {
                /* server puts client into connecting state and starts sending
                 * game updates */
            }
        } else {
            System.out.println("SERVER seq=  " + String.format("%15d", sequenceId));
        }
    }

    /**
     * Main
     * @param args
     */
    public static void main(String[] args) {
        Protocol43ProxyServer server = new Protocol43ProxyServer(
                27960, // local port the quake3 client connects to
                "", // CHANGE TO REAL SERVER IP
                27961); // CHANGE TO REAL SERVER PORT
        try {
            server.start();
        } catch (Exception e) {
            e.printStackTrace();
        }
        /* now start quake3.exe and connect localhost:27960
         * your connection will end up at, proxied via
         * localhost to allow you to inspect packets on the fly */
    }
}

Convert java keystore key into DSA (understood by Apache)

I have a wildcard SSL certificate bought from GoDaddy that serves various websites. Most of them run on Apache Tomcat, but when I had the need to run an SSL secured site in Apache HTTP server as well, I had the choice … buy another SSL certificate (which seemed pointless as I already own a wildcard certificate and can use whatever subdomains I need), or work out how to get my certificate up and running on both servers.

The problem isn’t getting my signed certificate in formats that both Apache Tomcat and Apache HTTP will understand, that bit’s easy. The problem is that my certificate request was created using a private key stored in a java keystore, which Apache HTTP doesn’t understand. Quick google later and the solution wasn’t very difficult, here’s what I did!

GoDaddy created my certificate and provide their root CA bundle, let’s call them and gd_bundle.crt respectively.

I created the initial signing request with a java keystore, tomcat.keystore, under alias tilion.

Usage instructions for ExportPriv were quick and easy to follow.

java ExportPriv tomcat.keystore tilion <password> | openssl pkcs8 -inform PEM -nocrypt >

Apache2 configuration parameters:

SSLEngine on
SSLCertificateFile /path/to/
SSLCertificateKeyFile /path/to/
SSLCertificateChainFile /path/to/gd_bundle.crt
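An added example (not the ExportPriv program used above) that does the same job in one step: the JDK KeyStore API hands back private keys already PKCS#8-encoded, so the DER bytes only need base64 and PEM framing to become something Apache accepts as SSLCertificateKeyFile, and the openssl pkcs8 pipe is not needed. It assumes a JKS keystore whose key password equals the store password (keytool’s default) and takes keystore, alias, password and output file from the command line.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Base64;

public class ExportPrivateKeyPem {

    /** Wrap PKCS#8 DER bytes in the PEM framing Apache's SSLCertificateKeyFile expects. */
    static String toPkcs8Pem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("unexpected key encoding " + key.getFormat());
        }
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(key.getEncoded());
        return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n";
    }

    /** Load the keystore and pull out the private key stored under alias. */
    static PrivateKey loadKey(Path keystore, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        // assumes the key password equals the store password, which is what
        // keytool -genkeypair uses unless -keypass was given
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        if (key == null) {
            throw new IllegalArgumentException("alias " + alias + " is not a key entry");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ExportPrivateKeyPem tomcat.keystore tilion <password> out.key
        char[] password = args[2].toCharArray();
        String pem = toPkcs8Pem(loadKey(Paths.get(args[0]), args[1], password));
        Path out = Paths.get(args[3]);
        Files.write(out, pem.getBytes(StandardCharsets.US_ASCII));
        // the exported key is unencrypted (Apache reads it at startup), so keep it owner-only
        try {
            Files.setPosixFilePermissions(out, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            System.err.println("warning: could not restrict permissions on " + out);
        }
        Arrays.fill(password, '\0');
    }
}
```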

Subversion Cheat Sheet

Examples below use an imaginary repository located at svn+ssh://

Create and Import

I prefer to create plain-file-backed repositories as they don’t suffer the same inconsistency quirks as the Berkeley DB backed repositories. The following will create a new repository called project in the current working directory.

svnadmin create project --fs-type fsfs

If you don’t have any files to import you can start creating files as you develop and then use svn add to put them into version management.


The following will checkout the project into a directory called myproject, created in the current working directory.

svn checkout svn+ssh:/ myproject

Ignoring File/Directories

Build directories or log directories can be annoying when they continue to show up in the svn status command. You can instruct subversion to ignore them using

svn propedit svn:ignore target

Tagging and Branching

Make sure the tags or branches directory is created first.

svn mkdir svn+ssh://

From the base directory of your project, tag the release or create the branch.

svn copy . svn+ssh://

Updating a tagged revision

If you need to make updates to a tagged revision (say 2.1.0) when the main trunk has already progressed with new development (2.2.0 for instance) you can do it as follows.

Copy the 2.1.0 tag into a branch

svn copy svn+ssh:// svn+ssh://

Checkout this new branch and make code updates within it. You can commit changes as you would if you were working on the trunk.

svn checkout svn+ssh:/ myproject-2_1_1

When finished, tag the new version.

svn move svn+ssh:/ svn+ssh:/

Conflict Resolution

If you try to apply changes and end up with a file in conflict (marked with a C next to its name) you have 3 ways to solve this; merge text in the file by hand, copy one of the temporary files over the top of the original, run svn revert on the file.

If you fix the problem by hand, or by copying one of the temporary files over the top, you must let subversion know by using the following command.

svn resolved <FILE>

Merging changes from a tag/branch back into trunk

You need checked out copies of the tag/branch and trunk. It’s easier if changes in trunk are committed as it makes rolling back easier (just use the revert command).

Next, work out which revisions from the tag/branch you want to apply to trunk. You can do this with svn log (within the tag/branch) to see when it was created and what has been committed. From within trunk, run the following command.

svn merge -r 200:204 svn+ssh:/

At this point the changes are made locally in trunk (201, 202, 203 and 204; 200 is not inclusive). Compile the code, check the changes work, then commit them, being very specific about what just happened in the log message, e.g. Merged branch/big_change r200:204 into trunk

Relocating a subversion repository

Maybe the server breaks down, or you just need to move the location of your subversion server. In theory you can do it with the following command.

svn switch --relocate svn+ssh:/ svn+ssh:/ .

The command above should recurse into subdirectories, although when I tried it, it didn’t work for me. Resorting back to sed you can do the same as follows.

for file in `find . -name 'entries'`; do sed s/ $file > $file'A'; done
for file in `find . -name 'entriesA'`; do mv `dirname $file`/entriesA `dirname $file`/entries; done

Restoring a file to a previous version

After making a change to a file (or series of files, even the whole repository) you may decide to roll back. Assume your current version is 100 and it’s the last change you want to roll back on a single file.

svn update
svn merge -r 100:99 FILE
svn commit -m "Rolled back FILE to r99"

If you want to rollback the whole repository, substitute FILE for .

SCORM (Adobe Captivate and ADL Test Suite 1.2.7)

This document describes my experience using Adobe Captivate to generate a SCORM 1.2 content package. This includes the verification of such a package using the ADL test suite.

Using captivate I created a set of multiple choice questions – I won’t go into all the details of how to do this as it was the easy bit! Export the package as a SCORM 1.2 zip file.

Running the output from captivate straight through the ADL test suite you’ll see it fails with an initial error of ERROR: LMS Not initialized. If you look at the content window opened up by the test suite you’ll also notice there are javascript errors, the first one being access denied to scorm_support.js

The details of this fix have been borrowed, then embellished, from

To make sure that your SCO gets launched in the test suite, you need to edit the html file that is generated by Captivate when publishing your content (the .html that has the same name as your project .swf). Open the file with a text editor (Notepad), on the second line you will find <!-- saved from url=(0013)about:internet -->. Delete that line.

Restart your test, and your SCO will now launch. But you will get errors in your test now. Fix number two: change the security settings of the Flash player on your machine.

  • Get some Flash content playing in your browser. Any Flash animation will do. Go e.g. to
  • Right-click on the animation, you will get the Flash context menu. Select Settings.
  • You will get a little menu like this:
  • Click the Advanced button. This will bring you to an Adobe Web site.
  • In the table of contents on the left, click Global Security Settings Panel. This will show you a panel like this:
  • Add the location where your ADL TestSuite software is installed to the trusted locations. The location of the TEST SUITE software, not the location of your zip file or your content files. Those get copied automatically to a TestSuite subfolder when you run the test.
  • Close all your browser windows and re-run the test.

From here, I continue the explanation with my own experience … having unzipped the original zip file to make changes to the HTML file I decided to test with it unzipped as the test suite has that option – do not do this. I wasted a great deal of time trying to work out why LMSInitialize() was not being called by my content, to the extent that I actually hardcoded a change in to make sure it was called. This unzipped package now passed the test suite, but having never run anything through the test suite before I couldn’t tell if it was working correctly.

Everything now works, hurrah, so I rezip the package and decide to give it a final test. LMSInitialize() now gets called twice, hence the waste of all my effort – I then removed my hardcoded call. Now, when you run this package through the test suite, not only does it pass, but it shows you all the data communicated from the content package to the LMS (getValue/setValue calls).

In summary, the only thing wrong with the initial Captivate output is that it contains a comment (on line 2) that needs to be removed. I suspect the other fix is only needed to satisfy the test suite running the package from the local disk, as opposed to being served through a web server over HTTP.

Tomcat SSL Certificate – Alias tomcat name does not identify a key entry

A post that may help someone out if they get into the same situation I did with regards to importing SSL certificates into a java keystore for Tomcat.

When renewing my certificate, my CA had the ability to use my old CSR (certificate signing request), which I accepted as it saved me a few minutes. Before, I’d always started with an empty keystore, generated my private key and CSR, then imported my new certificate along with any others needed to complete the chain. It seemed easy, I just needed to import my new certificate into the old keystore, right?

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:  
keytool error: java.lang.Exception: Certificate not imported, alias  already exists

I see, I’ve already got a certificate under that alias, so I need to remove it first. Into the manual, -delete option looks good and away we go … I delete and then import 2 certificates that make up the chain and do the same with my newly issued certificate. Update my tomcat config to be greeted by the following:

LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: Alias name tomcat does not identify a key entry

To cut a long story short, when you use the -delete option of keytool on an alias with a private key in it, it doesn’t just remove the certificate, it removes your private key as well. Adding in my new certificate is all well and good if I no longer have a private key associated with it! The correct thing to do is not use the -delete option at all, because keytool will not complain if you’re importing a new certificate like that over the top of an old one, e.g. I already have a certificate in the alias ‘tomcat’ but …

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file
Enter keystore password:  
Certificate was added to keystore

Tilion Live Tournament Manager Demo

Imagine the scene … you’re running a pool competition and need some way to coordinate everything on the day. You could use pieces of paper, even excel spreadsheets, but wouldn’t it be easier if you could do it all in one simple software application?

What follows isn’t a new idea and doesn’t necessarily include new concepts. However, it is my take on a solution that allows me to continually extend if necessary – it’s often very difficult to extend someone else’s work, especially if it is closed source.


Players overview: when you announce a competition you’ll get a list of players stating their interest, some even paying you money, but at this point there is no guarantee they’ll turn up on the day.

Competitions overview: most competitions I’ve been involved in include a main event and then a plate event to keep early round losers interested. Competitions have multiple rounds and can be run simultaneously over the available tables.

Teams overview: for most competitions this tab would be better named as Registered Players, but the software is designed to work for single, or team events, in the same way. When the players arrive at the venue you can register them by creating a team entry (1 or more players per team) for a particular competition.

Matches overview: this tab shows a complete list of matches that need to be played. Grouped by competition/round and showing home team and away team.

Tables overview: tables available for use at the venue. Each table has a status so you can tell if it’s in use, or the players on it just happen to be practicing and causing delays!

Status: this page is where the benefit of using a software application comes into its own. At the top you can see the currently in progress matches. At the bottom you can see a list of matches that need to be played and if there are any free tables.

Omissions from this first demo?

Yes, there are some things missing and some things I’ll change as development progresses. For example, most tabs include a data entry area and an Add button which makes development/testing easier, but these will be moved into dialog boxes in time as they clutter up the main UI.

There’s also no obvious way to create matches between teams. This is coming, although it’s a bit more complex than other tabs as it needs to include a manual match creation and a randomised draw creation.

Results, I don’t see anywhere I can see match results! Again, an extra tab to be developed. The reason it’s not in the demo screenshots is that I don’t want it to be a tab in the same way as the other sections. I want it to be a separate window so those that run tournaments with a laptop and second screen can display the results window on the second screen. This allows players to come and see results (as well as the draw) without having to bug the organiser with questions.

Finally, the extra bits only possible by a software application. What if there was an internet forum you planned to update with results throughout the day? Wouldn’t it be nice if there was a Publish button that did everything for you – from logging into the forum, formatting the results and continually updating each time you click the Publish button? And, what about a website? A lot of organisers need their results published in a way they can put on their website.

The development continues …