Ext4 is supposed to be much faster than ext3. Anything that makes development of EJBCA a bit quicker is interesting, so I just had to migrate to ext4 now that Ubuntu 9.04 is out.
The usual ext3 to ext4 migration guides are for a normal unencrypted disk. Since my laptop has full disk encryption, a few additional steps are needed.
Also the guides mention that you have to do 'grub-install' after migration. I did not have to do that.
Either it is because:
- I only migrated / and not /boot
- The standard upgrade to Ubuntu 9.04 already installed a new grub for me.
Anyhow, here are the steps for migrating an encrypted root disk from ext3 to ext4.
Shut down computer properly, don't hibernate.
Boot from Ubuntu 9.04 cd and use it as a live cd (no changes to computer).
Open a terminal and become root.
#sudo su -
Set up crypto and add the encrypted disk to LVM
#cryptsetup luksOpen /dev/sda1 root
#lvm vgchange -a y
Mount root disk and just check that it's the correct disk before migrating
#mkdir /mnt/root
#mount /dev/tlap/root /mnt/root
Unmount and do the migration to ext4 (as described in the ext4 wiki and numerous other sites)
#umount /mnt/root/
#tune2fs -O extents,uninit_bg,dir_index /dev/tlap/root
#e2fsck -pfD /dev/tlap/root
Mount new ext4 disk and change fstab to ext4
#mount /dev/tlap/root /mnt/root
#cd /mnt/root/etc/
#vi fstab
Change ext3 to ext4 for your / disk (/dev/sda1 for me).
# /dev/mapper/tlap-root
UUID=ca86bf3d-40fb-4b4d-89c6-15ce94674fa0 / ext4 relatime,errors=remount-ro 0 1
Save, unmount /mnt/root and reboot.
After reboot check /etc/fstab and 'mount' and you will see that it's ext4 now.
tomas@tlap:~/tmp$ mount
/dev/mapper/tlap-root on / type ext4 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
...
Update:
I migrated my rather slowish home computer (AMD 4200+, 4GB, WD Raptor) running 'ant clean; ant' both before and after migration. The conclusion is that it takes 1 minute, give or take a few seconds, on both ext3 and ext4. Not huge leaps in speed there unfortunately.
Sunday, April 26, 2009
Thursday, April 23, 2009
What to do when your MAC address of eth0 changed (debian/ubuntu)?
It always takes me too long to google up this answer so I'll write it here..
Either edit or delete this file:
/etc/udev/rules.d/70-persistent-net.rules
If you delete it, a reboot will create a new one with your new mac address.
Tuesday, April 14, 2009
External RA improvements
In the upcoming EJBCA 3.9 the External RA is finally getting some long-awaited improvements.
The CA component will now run as a service in EJBCA. This means that you do most of the configuration in the admin-GUI of EJBCA and that it runs very nicely in a CA cluster. You can also configure multiple external RAs, as many as you need.
Setting up a cluster of external RAs is now very simple: if you have a cluster of two external RAs, simply configure two external RA services in EJBCA and you're done. There is no need to use complicated database clusters etc. on the external RAs; each external RA node can be simple and stand-alone.
Installation of the external RA is also much simpler now. Configure the path to the external RA package in EJBCA and the needed CA service is automatically pulled into EJBCA, so it is available to be configured in the Admin-GUI. The only thing that needs some thought is the configuration of datasources in your application server.
To summarize:
- Easier to install and configure
- Runs nicely in a CA cluster
- Runs nicely against multiple external RAs
As an added bonus, it's also now almost trivial for developers to implement new types of external RA messages. Internally it uses Java reflection, so all you have to do is implement the message classes and handlers. The rest is handled automatically.
Saturday, March 28, 2009
EJBCA 3.8.2 released
"This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes."
Check out the change-log for all the details.
A pretty cool feature that hides behind the "RFC 5019" improvement is that you can now cache OCSP responses. If you use HTTP GET you will be able to use simple network components like an HTTP/1.1 cache (Apache httpd config included in the docs) for caching and load-balancing between your responders. I'd love to see someone try this out on a massive scale and report back to me with some statistics.. =)
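The following Python code is an added example, not from the original post or from EJBCA. It builds the GET form of an OCSP request and the HTTP cache headers that RFC 5019 describes, which is what lets an HTTP/1.1 cache answer on behalf of the responder until nextUpdate. The responder URL, the request bytes and the dates are constructed sample values.

```python
import base64
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import quote

MAX_GET_URL = 255  # RFC 5019: a request whose whole URL fits in 255 bytes uses GET

def der(tag, body):
    """Tag-length-value with a short-form DER length (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed sample: OCSPRequest for serial 1 under an issuer with dummy SHA-1 hashes.
SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")
CERT_ID = der(0x30, SHA1_ALG + der(0x04, b"\xab" * 20) * 2 + der(0x02, b"\x01"))
SAMPLE_REQUEST = der(0x30, der(0x30, der(0x30, der(0x30, CERT_ID))))

def ocsp_get_url(responder_url, der_request):
    """Return the cacheable GET URL, or None when the request has to be POSTed."""
    b64 = base64.b64encode(der_request).decode("ascii")
    # Base64 may contain '+', '/' and '=', so percent-encode everything.
    url = responder_url.rstrip("/") + "/" + quote(b64, safe="")
    return url if len(url) <= MAX_GET_URL else None

def cache_headers(der_response, this_update, next_update, now):
    """Headers that let an HTTP/1.1 cache reuse a response, but never past nextUpdate."""
    max_age = int((next_update - now).total_seconds())
    if max_age <= 0:
        # This example's choice: an expired response is marked uncacheable.
        return {"Cache-Control": "no-store"}
    return {
        "Content-Type": "application/ocsp-response",
        "Last-Modified": format_datetime(this_update, usegmt=True),
        "Expires": format_datetime(next_update, usegmt=True),
        "ETag": '"%s"' % hashlib.sha1(der_response).hexdigest(),
        "Cache-Control": "max-age=%d,public,no-transform,must-revalidate" % max_age,
    }

if __name__ == "__main__":
    utc = timezone.utc
    print(ocsp_get_url("http://ocsp.example.test/ocsp", SAMPLE_REQUEST))
    hdrs = cache_headers(b"constructed response bytes", datetime(2009, 3, 28, tzinfo=utc),
                         datetime(2009, 3, 29, tzinfo=utc), datetime(2009, 3, 28, 6, tzinfo=utc))
    for name, value in hdrs.items():
        print(name + ": " + value)
```

Because the same certificate always produces the same GET URL, every client asking about it hits the same cache entry; a POSTed request gets no such sharing.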
Tuesday, February 3, 2009
Using smart card browser authentication in Ubuntu
To use smart card authentication in Firefox on Ubuntu 8.10 you have to install pcscd, a working card reader driver (if the built-in ccid does not work for you) and a PKCS#11 module.
This example works for Ubuntu 8.10. In my case I have an OmniKey CardMan 3021 USB card reader and a smart card with 2048 bit RSA keys. To be able to use 2048 bit keys using the OmniKey reader I have to use their driver.
- Download driver from omnikey.com and put in /tmp
# sudo su -
# apt-get install pcscd
# cd /tmp
# tar -zxvf ifdokccid_lnx_x64-3.5.1.tar.gz
# cd /usr/lib/pcsc/drivers
# cp -r /tmp/ifdokccid_lnx_x64-3.5.1/ifdokccid_lnx_x64-3.5.1.bundle .
# rm -rf ifd-ccid.bundle/
# /etc/init.d/pcscd restart
# apt-get install mozilla-opensc
Finally open pkcs11.html in Firefox and click "Install opensc in Linux".
--- pkcs11.html ---
<HTML>
<HEAD>
<TITLE>opensc</TITLE>
</HEAD>
<BODY>
<SCRIPT>
PKCS11_PUBLIC_READ_CERT = 0x1<<28;
function doInstallPkcs11Windows()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.dll", PKCS11_PUBLIC_READ_CERT, 0);
}
function doInstallPkcs11Linux()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.so", PKCS11_PUBLIC_READ_CERT, 0);
}
function doUninstallPkcs11()
{
pkcs11.deletemodule("opensc");
}
</SCRIPT>
<a href="javascript:doInstallPkcs11Linux();">Install opensc in Linux</a><br>
<a href="javascript:doInstallPkcs11Windows();">Install opensc in Windows</a><br>
<a href="javascript:doUninstallPkcs11();">Uninstall opensc</a><br>
</BODY>
</HTML>
Thursday, January 29, 2009
EJBCA 3.8.1 released
This is a minor release, targeted for adding support for JBoss 5 and fixing a mistake that caused install on Glassfish to fail.
It also adds a few minor improvements and bugfixes.
- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.
See the full changelog at ejbca.org for details.
Saturday, December 20, 2008
HTC G1 android phone and tele2
Hardly surprising, the G1 works perfectly also in Sweden. To configure for tele2 I only configured five items in the APN configuration.
- Name: Tele2
- APN: internet.tele2.se
- MMSC: http://mmsc.tele2.se
- MMS proxy: 130.244.202.30
- MMS port: 8080
After this the phone works like a charm. Buying the phone from Google was easy and delivery was fast, only a week.
Now all we have to do is run EJBCA on the phone :-)
To re-encode movies to show on the phone (using cinema app for example) do this on Ubuntu:
- apt-get install avidemux, and start avidemux. Avidemux works great as a mobile media encoder.
- Open the file you want to convert.
- In Video dropdown select MPEG-4 ASP (lavc).
- Click Configure->Encoding Mode->Single pass - bitrate, enter 384 kb/s and click ok.
- Click Filters, double click MPlayer resize, width 480, height 320, click OK then close.
- In Audio dropdown select AAC (FAAC).
- Click Configure and select bitrate 96.
- In Format dropdown select MP4.
- Finally click Save and enter the new filename with .mp4 ending.
Now just make sure you copy the file to sdcard intact.