Coding

Adding Content Security Policy (CSP) Support to Embedded Tomcat 10

Continuing the series of hardening embedded Tomcat in Java to meet Nessus security scans, I am back with an example of adding a Content Security Policy to your app. There are some ways in a more standard Tomcat server to provide CSP policies, but with an embedded server that can be more difficult.

I have used an embedded Tomcat server for years to build applications. The following example is using Tomcat 10, but the principle is the same or Tomcat 9. The main difference as a Tomcat 9 to 10 transition is moving from the javax namespace to jakarta. With more and more libraries, such as Jooq, moving to more modern Java versions; as well as, some of the new Java versions offering good performance improvements out of the box, it may be time for everyone to move to the Jakarta namespace. (Even if that means leaving some libraries such as Google OAuth behind)

In my recent example project going over how to use Pac4J for Oauth with Tomcat 10, I have added an example here of what the FilterBase class would look like. You then need to initialize the filter where you are starting the Tomcat thread. That will add the needed header to all the web requests your application processes.

Pac4J Integration with Embedded Tomcat 10 using Generic OAuth via Keycloak

(I will ramble for a bit, if you just want the guide jump below) I want to start a series more around programing than the other articles I have put up here. I know everyone here knows me as the good-looking hardware hacking guy, but most of my time at work is spent on programming and systems automation. I haven’t used the programming tag on this blog in a while, and I want to start this new series beginning with discussing upgrading to Tomcat 10.

I have for years been using an embedded Tomcat + Servlet backend, with a jQuery frontend for different small webapps I have made. I know for anyone who learned webdev in the recent past that sounds very old. I am using more and more Dropwizard and React these days, but that does leave my legacy projects on this old framework. While not the newest or flashiest thing, it does perform well with some systems handling hundreds to thousands of calls a second. (My hope is to get approval and open source some of them soon.) With the changes in the Java universe, (after Oracle bought Sun and decided to ruin everyone’s fun and causing splintering) I had to start moving from the traditional JavaX servlet namespace that Tomcat 9 and before used to Tomcat 10s Jakarta namespace. Migrating the servlets themselves was not so bad. The first big issue arose around Google’s OAuth library. I have used this library for a long time. It provides the easy-ish ability to connect to any OAuth server you want (I have specific ones at work I use) for authentication. Recently Google, doing what they do, marked this library as Maintenance Mode Only, stating they would only do emergency security fixes, but overall, its abandoned. Not what you want to hear from your authentication library. They also are not planning to move it over the Jakarta namespace making me stuck on Tomcat 9 for as long as it has support. This should be a long-time sine many big companies and projects are right where I was, and the plan is for 9 and 10 to develop together for a long time. This does mean that I cannot use the newer features of Java though. From this I knew I had to start looking at other options.

Every time I have to work on auth systems, it is maze, and once I get it working, I want it to stay working for a while, where I hopefully don’t have to touch it. There are not a ton of OAuth libraries for Java backend systems, and I wanted one that I knew had community support and would last for a while. That brought me to the popular PAC4J project. A lot of the guides I found for using this were around using JavaX and/or using PAC4J to integrate with Google Auth, or Facebook Auth, or other auth systems. I want to be able to use the systems at work, or a more generic provider such as Keycloak. I spent a good amount of time bringing different bits of information together to get a fully working PAC4J 5.7 + Tomcat 10 + Servlets setup working. I posted it on Github, and below has a guide on how to configure Keycloak in Docker to demonstrate this. This took a fair amount of time to put together, I hope it helps you out there, if it does, please give the post a like or star the repo, it pushes me to keep doing these tutorials.

Keycloak Setup

To start at the beginning, Keycloak is a webserver that works as an Identity Provider (IDP). It has its own database for users and groups, or can link into many other systems such as Google, Facebook, and many more. When hooking up to it, you can decide to use SAML or OpenID. I tend to use OAuth which is a subset of the OpenID standard (I think thats the order). This guide will use Keycloak as our IDP, then connect to that with RAC4J. I do believe PAC4J has a more native and easier to use Keycloak integration, but where is the fun in that.

Keycloak out of the box has a Docker image for development. You optionally can attach persistent storage to make users and groups stay after you delete and rebuild the container. Using this container with local storage is not a good setup this way for production, you should use a database like Postgres to back the container instead. But for our home testing this setup is fine and will work well. I use persistent storage so I can have a local Keycloak that can be updated without recreating everything. More information about the Keycloak docker container can be found here.

Setting up Keycloak with persistent storage

docker volume create keycloak
# We need to set the keycloak user to be the owner of that folder
docker run --rm --entrypoint chown -v keycloak:/keycloak alpine -R 1000:0 /keycloak
docker run -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v keycloak:/opt/keycloak/data/h2 quay.io/keycloak/keycloak:20.0.2 start-dev --http-relative-path /auth

Setting up Keycloak WITHOUT persistent storage

docker run -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.2 start-dev --http-relative-path /auth

After a minute you should be able to browse to “http://127.0.0.1:8081/auth” and get:

Keycloak can use OpenID as its connector which is more of a superset of OAuth itself. For this guide I want to go over using OAuth; so we will tweak some of the Keycloak configs to work how we want, as a generic OAuth provider.

  • Login with the username and password of “admin” that we set in creating the container
  • Click in the top left dropdown where it says “master” and create a new realm, we will call it “example
  • Now that we are in your new realm, go to “Users” on the left
    • Create a new user, lets name this new user “Jon” (or whatever your heart desires)
    • Once created, click the “Credentials” tab, and set a password, I disable “temporary password” because this is not a production auth system
  • Click “Client Scopes” in the top left
    • Create client scope
    • Name “openid”
    • Type “Default
    • Save
    • Mappers” tab
    • Add predefined mapper
    • I did “full name”, “email”, “username”, “groups”
    • Note: I found the add screen here buggy, if you page to the next list of mappers, saving doesn’t work, so do one page at a time
  • Click “Clients” in the top left
    • Create client
    • Client-id “example-client”, I like to enable “Always display in console”, “Next”
    • Enable “Client Authentication”, then save.
      • “Client Authentication” enables “confidential access type”, this is the classic OAuth where you need a client secret to access the server
    • For this demo we need to enter “http://127.0.0.1:8080/oauth/redirect*” to the “Valid redirect URIs“, and save
    • Go up to “Client scopes” and add the “openid” scope as a “Default” type
    • Note: I have found with PAC4J + Keycloak specifically, if you do not add the openid type, then you will get through auth but when PAC4J goes to get user information you will get an error of WARN org.keycloak.events type=USER_INFO_REQUEST_ERROR, realmId=59d04435-daf4-4ca7-8623-195769911c0e, clientId=null, userId=null, ipAddress=172.17.0.1, error=access_denied, auth_method=validate_access_token. You may also see WARN org.keycloak.services KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request. If your client is not requesting the openid scope.
    • Go to the “Credentials” tab, view the “Client secret” and save that for later

At this point going to http://127.0.0.1:8081/auth/realms/example/.well-known/openid-configuration will give you the OAuth endpoints we need.

Using The Example Code

Clone down the repository over at my Github. The README.md should contain what you need to get going! After adding your client secret from above, if you followed this guide, that demo should work for you with http://127.0.0.1:8080/ being the web app, and http://127.0.0.1:8081/auth being the auth server.

In the end you get a simple screen like this one that lets you play around with the functionality and experiment with the code.

Updated Windows Sudo

Recently I updated my Windows sudo program and added a command for Super Conduit, this is what I call some tweaks that you can make to a Windows Vista+ system. This allows someone to copy sudo.exe to a systems, system32 folder; then after running “sudo cmd” you can run “sudo /write” so add ls, ifconfig, and superc as a option in the command line.

Superc has options of enable, disable, and show. Making it easy to run. ūüôā

Newest build is always here https://github.com/daberkow/win_sudo/raw/master/sudo/sudo/bin/Release/sudo.exe

Java Windows Shortcut Library (Parsing and Creating!)

Recently I have been working on a project that involves extracting a bunch of files from zips. The problem I faced was all the shortcuts within the zips were hard coded to locations, making it impossible for me to move the extracted zip data to wherever I may want. I wanted a native library that could read and modify Windows Shortcuts so I could drop my zip data anywhere; my project is in Java, and its instant cross compatibility was needed. I know all my clients have Java installed, so that made its dependency not a issue. After looking around on the internet and finding several options, including the popular¬†https://github.com/jimmc/jshortcut. Now the downside the this popular jShortcut library is you need a DLL, why you need a DLL to write a binary file, I am not sure. More specifically, you need a DLL for your PCs instruction set, ick! After searching the far reaches of github, and getting to the end of my rope I found¬†https://github.com/kactech/jshortcut, written 5 years ago, and not really popular on github I thought I would give it a try. IT’S AMAZING! With no dependencies, and just a single include, you can write, modify, and create new Windows Shortcuts! There is example code included, and it couldn’t be easier to use. I just wanted to make sure anyone who has had the same problem knows about this great library.

WQL, SQL Queries for Windows Backend (Part 1)

If you have been writing web apps for a while, or other apps you more than likely have used SQL. SQL allows you to query a database and interact with your applications data. Instead of trying to find a users profile, what if we wanted to find out what a user was printing on their local machine? If there was an easy interface for that, it could make programming for a platform like Windows a lot easier. Well Microsoft years ago added this ability to Windows; the technology is called WQL. This was added with the other components of WMI (Windows Management Instrumentation) at Windows ME. For Windows 9x and NT you can download the WMI core. This article will be a brief over view of what it can do and how you can play around with it.

First like when we looked at LDAP, we want a tool that will let us quickly play around with what is available, and then code that into our application. The tool I use is WMI Explorer,¬†http://www.ks-soft.net/hostmon.eng/wmi/, it provides a easy interface to look at all the data available. With the WMI core it works with everything back to Windows 95! You can download and run the program for free, no installation required. Once open, there is a upper portion of the window that lists all the spaces you can access, these would be the ‘tables’ in SQL. Depending on your version of Windows, there will be separate options available. I have used this interface before for network cards (6to4 Cleaner) and printers.

WMI Explorer

WMI Explorer

For this example I will go over to the Win32 framework and access the Win32_Printer ‘table’. I get a list of printers the machine has installed, as well as attributes to each of these printers. Any¬†administrator, or any program attempting to manager printers (I say attempting because printers can he a horrible experience) information – like what port the printer is using – is here, in addition what type of connection this machine has to the printer. At the bottom of the Window there is a Query that is building as you select different fields. This query can be moved into a application later to get the same data in code. WMI Explorer also allows for a user to write Queries directly without this interface; that is the second tab at the top of the window.

One downside I have found in using WMI is the setup process time, in C#/.NET using WMI is easy, but it takes time to start accepting queries. About a year or two ago I was working on querying network card information on Windows Vista. The first call could take a few seconds to respond, after that first call it would speed up, this is just something that has to be accounted for in the applications design. I found running WQL queries in a separate process, and starting them as soon as possible would allow the process to finish before the user needed the data.

I just wanted to get everyone started looking at what is available, in a later article I will go into more depth about programming with this and how you can interact with this data in a C#/.NET program.

LDAP Authentication RPI Tutorial (Part 2)

Last time I spoke of how to setup ldap with PHP and briefly touched on using the “ldapsearch” command. I would like to go more¬†in-depth¬†on “ldapsearch”, and show you how you can use it to craft searches for your PHP application. Specifically¬†for RPI, if the user has a RCS account, they can ssh into “rcs-ibm.rpi.edu” and run the following commands. (RCS-IBM puts you on either clark.server.rpi.edu or lewis.server.rpi.edu, these two have the commands you need on them and run AIX) To briefly review the command:

  • First we add the¬†command, then enter the¬†host¬†you are searching, tell the server to try¬†simple¬†anonymous¬†authentication.¬†Next give the server a¬†base to start the search¬†(I am using RPI specific domain components), finally we have to give the heart of our¬†search. I am looking for any Unique ID (username) that starts with ‚Äúberk‚ÄĚ, and ends with anything ‚Äú*‚ÄĚ.
  • ‚Äúldapsearch¬†-h ‘ldap.rpi.edu’¬†-x¬†-b ‘dc=rpi, dc=edu’ ‘uid=berk*’‚ÄĚ

The main part of the search we will be editing is the ending. Here we specify a filter to find the information we are attempting to access. Each LDAP server has different attributes it can give about each object. For example, the ldap.rpi.edu server gives out “givenName, objectClass, cn(full¬†concatenated¬†name, or common name), sn (surname), loginShell,” and many others; while at the same time “ldap1.server.rpi.edu” returns a much different lists of results.

Finding Which Attributes Will be Returned

The best way to find which fields are available is by doing a search without a filter. Just running the search below will return an unfiltered list of everything in the directory, up till you hit the individual servers limit. I am purposefully not publishing results from these searches for privacy reasons; here is some results for me with some data omitted.

  • ‚Äúldapsearch¬†-h ‘ldap.rpi.edu’ -x¬†-b ‘dc=rpi, dc=edu’‚ÄĚ
  • # berkod2, accounts, rpi, edu
    dn: uid=berkod2,ou=accounts,dc=rpi,dc=edu
    sn: Berkowitz
    cn: Berkowitz, Daniel
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: eduPerson
    objectClass: rpiDirent
    objectClass: mailRecipient
    objectClass: organizationalPerson
    objectClass: person
    uid: berkod2
    loginShell: /bin/bash
    uidNumber: #####
    mailAlternateAddress: berkod2@rpi.edu
    givenName: Daniel
    gecos: Daniel  Berkowitz
    rpiclusterhomedir: /home/berkod2
    description: PRIMARY-STU
    homeDirectory: /home/06/berkod2
    gidNumber: ###

Now that we have an idea about the data structure and what this server has on it we can reverse the lookup and tweak it. I know ‘uid’ will be the username, and I can get the users name from that! So using CAS¬†I can log a user in and get their username, then I can lookup there LDAP information. (EXAMPLE 1) If a user enters a name, then a user can search for their UID doing the reverse. (EXAMPLE 2) The wild card can also be used if the full name is not known. (EXAMPLE 3) Last we can use multiple fields,¬†combining¬†these ideas to narrow down the result. (Example 4)

  • Example 1
    • ‚Äúldapsearch¬†-h ‘ldap.rpi.edu’ -x¬†-b ‘dc=rpi, dc=edu’ ‘uid=berkod2’‚ÄĚ
  • Example 2
    • ‚Äúldapsearch¬†-h ‘ldap.rpi.edu’ -x¬†-b ‘dc=rpi, dc=edu’ ‘sn=Berkowitz’‚ÄĚ
  • Example 3
    • ‚Äúldapsearch¬†-h ‘ldap.rpi.edu’ -x¬†-b ‘dc=rpi, dc=edu’ ‘sn=Berko*’‚ÄĚ
  • Example 4
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berko*’ ‘uid=berkod*'”

LDAP Authentication RPI Tutorial (Part 1)

After writing about how to use CAS with PHP, I thought I would write a post about how to use LDAP(Lightweight Directory Access Protocol) at RPI but these methods can be used anywhere. LDAP is a protocol to query user databases, this is a protocol that can be sed along with Active Directory, or another directory system for computers and user accounts. This protocol is widely used to allow different applications to interact with your user database. Here I will be showing how to implement search with LDAP to a web application. This guide will be using LDAP with PHP, this requires the LDAP module to be enabled within PHP; that will be the purpose of this article, then the next one will discuss how to actually query LDAP.

LDAP Linux (Debian/Ubuntu) Install

Linux is easy to get LDAP working with PHP, as long as you have a standard installation of Apache, with PHP 5 working.

  1. Install the LDAP module onto the machine, using either aptitude or apt-get
    • “sudo aptitude install php5-ldap”
    • OR “sudo apt-get install php5-ldap”
  2. PHP should now be able to use LDAP, if it is not working yet, you will need to restart Apache.
    • “sudo service apache2 restart”

LDAP Windows (XAMPP) Install

Xampp for Windows comes with LDAP, but there is a bug in their implementation and a file needs to be copied before LDAP will work. I am going to use “C:\xampp”, the default directory for Xampp in this example.

  1. Go into the PHP folder, C:\xampp\php\
  2. Edit the file “php.ini” with any text editor
  3. Find the line “;extension=php_ldap.dll”, and remove the semi-colon. “extension=php_ldap.dll”
  4. Now if you were to reboot Apache it should be working, but its not! Why not? There is a missing DLL. You need to
    copy libsasl.dll from c:\xampp\php\libsasl.dll to C:\xampp\apache\bin\.
  5. Now restart Apache

LDAP Search

Now that PHP can search LDAP we are going to want to start creating queries in PHP; but it is much easier to tweak the search in the command line, and then put that query into PHP. The following are steps that can be taken on a Linux computer (again Ubuntu/Debian) to install and use a ldap command line search.

  1. First we need to install the OpenLDAP utilities that will give us the “ldapsearch” command
    • “sudo aptitude install openldap-utils”
    • OR “sudo apt-get install openldap-utils”
  2. Now we are making our query
    • First we add the command, then enter the host you are searching, tell the server to try simple¬†anonymous¬†authentication.¬†Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
    • ldapsearch -h “ldap.rpi.edu” -x -b “dc=rpi, dc=edu” “uid=berk*”
    • Now this gives one result, and this can be used to see what data will be returned from this server. You can also try “ldap1.server.rpi.edu” this returns a entirely different list of¬†variables, and sometimes more users.
    • If you are interested in researching this command more, die.net has a great¬†resource.¬†http://linux.die.net/man/1/ldapsearch
    • Troubleshooting: For those of you here at RPI trying to follow this guide specifically, if you¬†do not¬†get any results or a error connecting, RPI firewalls the LDAP servers heavily. I have found a lot of the time I have to be in the VCC to make this work, you can also VPN in, then your network connection is within the VCC and it will work. I have VPNed in, while on campus in the Union to get LDAP to work.

UPDATE: I added a little about what LDAP is

RPI phpCAS Authentication Tutorial

After much tinkering with RPI’s CAS (Central Authentication System) in PHP, I thought I would put together a guide to make it easy for anyone to put together a site that uses it. This would work for anyone at another location with a CAS server, but this example is for RPI.

  1. Get the CAS Library
  2. Download the tar file under “Current Version”
  3. Extract the contents, using a program such as 7-Zip, and put it in the root of whatever web folder you want
  4. Download the latest CA bundle for SSL
  5. Create a index.php, login.php, logout.php
  6. The index has to load the library, check if the user is logged in, then print out text.
    • <?PHP

      include_once(“./CAS-1.3.2/CAS.php”);
      phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (phpCAS::isAuthenticated())
      {
      echo “User:” . phpCAS::getUser();
      echo “<a href=’./logout.php’>Logout</a>”;
      }else{
      echo “<a href=’./login.php’>Login</a>”;
      }

      ?>

       

    • First we load the library for CAS from the subfolder
    • Then we select which will be our central server
    • We have to select our ca bundle, setCasServerCert does this
    • Now we have fully loaded and configured the library
    • Finally, I can ask CAS if a user has logged in, if so writeout some options, if not others
  7. This is the login page
    • <?PHP

      include_once(“./CAS-1.3.2/CAS.php”);
      phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (!phpCAS::isAuthenticated())
      {
      phpCAS::forceAuthentication();
      }else{
      header(‘location: ./index.php’);
      }

      ?>

       

    • Similar setup of authentication as before
    • Now we check if the user is NOT authenticated, if the user is not authenticated we force login
    • If the user already is logged in, then we redirect to the index
  8. The logout page:
    • <?PHP

      include_once(“./CAS-1.3.2/CAS.php”);
      phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (phpCAS::isAuthenticated())
      {
      phpCAS::logout();
      }else{
      header(‘location: ./index.php’);
      }

      ?>

       

    • Same configuration (this can be done by including a core file that everything else calls, but for this example I wanted to keep it simple)
    • If they are not logged in, then we push the user back to login

That is the basic configuration, the example is available for download below. If there are any questions feel free to post a comment.

Download: https://github.com/daberkow/daberkow.github.io/blob/master/CASExample.zip

Extra Notes:

  • If you want to save server space, the docs folder under the CAS folder can be removed
  • I have ran into problems with CAS on a Windows Apache server, and CAS on a Linux Apache server reference the CACert.pem file differently

QuickLogs v3.3.0 (and quickly v3.3.1) (and then v3.3.2)

Recently there was a big update the to QuickLogs product, on the face of it, it looks like the buttons have been changed a little bit. That is the small part of the upgrade, the main change is how the stats page works. Now the stats page is run by the HighCharts JavaScript engine instead of the PHP libchart that was used in the past. This takes the load of creating charts off of the server, and moves it to JavaScript  Also this increases the flexibility to add more charts in the future.

I started the new stats page (v3.3.0) with a drop down to select different types of graphs, the Activities, User, and Overall graphs were used with the drop down. A quick comment made by people at the Helpdesk was “why not use all the space available, I dont like having to navigate again after refreshing.” v3.3.1 brought back the single page, but more importantly sorted the data in the charts. By default Highcharts plots by order the data is put into it; but it was not largest category to smallest. A quick sort was put in, and then we were back to where v3.2 ws with charts but a new engine. The new engine also allows for the charts to be looked at under different time periods instead of only 30 days.

The morning the program moved to version 3.3.2, this was a pure bug fix with CAS having a certificate issue under the login page. At this time, I decided to centralize the CAS information for all pages under the ‘core.php’ page. That way if the certificate moves there is one place to do it.

QuickLogs represents a early version of my app design; these days I tend to make core.php and ajax.php heavy with most of the application functions, and subsequent pages call them with ajax. This is a older app where a lot of the functions are hard coded in the page. I have started migrating to using a wrapper on MySQL like I have with the time cards app. But I only changed it on functions I was modifying so most of QuickLogs remains doing manual queries.

Looking to the future there are many ideas for QuickLogs, yet little time to compete them. One person suggested a achievement system for different things you can do at work. Another suggestion was a Nemesis  a person who is right ahead of you for tickets, and having competition. The final suggestion was for some different types of charts. I wanted to do charts, I just have to find time.

At this point, QuickLogs is going on the shelf. (Unless I get a itch to add more charts) I am shifting to more time on Time Tracker and getting this product finished, before I leave RPI. Documentation for both products should be updated soon as well.

Time Tracker

Recently I have been working on an hour keeping system for my work at RPI; we have an old time card system that is running on a Windows 2000 server. The code no longer works, as in the JavaScript is not supported by modern browsers. The old system has been running for over 11 years, and it is time to let it retire.

The new system is at version 0.1 right now, with basic functionality working. The system is split into groups, so while one server runs separate departments can run a ‚Äúgroup‚ÄĚ and have their employees under there. Once a user is given privileges to one group in the system, when that user logins in, that group will automatically come up.

The old system had a html page that managers could edit, to give announcements to workers. This was a bit of a tedious process to go in and manually edit these pages, now there is a field for the manager of each group to drop html to edit their page. The system has two levels of accounts and privileges, there is the privilege within a group, and the privilege for the entire system. While a user can be administrator of a group and edit their group, they may not have administrative rights over the entire server. By having administrative rights to the entire server, a user can change the splash page before a user is logged on, or create new groups in the system.

The system allows for templates to be made of weeks, so if a student worker works the same hours every week, then they can save it and deploy it easily. I am working on integrating email reminders by using a .Net application that integrates with MySQL. By having the application read who has yet to enter logs this pay period  I can use the students CAS login to get their email.

Below are some photos of the system, and it is all open source at the attached link.

Source: https://github.com/daberkow/RPI_timetracker