I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
Related
I have a SAAS which services multiple customers and I want to be able to use client certificate to authenticate the different customers (different certificate for different customers). My services runs on Jetty 9 (not embedded). How do I do that?
If I use <auth-method>CLIENT-CERT</auth-method> I am also required to provide the LoginService in the Jetty configuration, but that doesn't make sense to me because I need to be able to write the authentication code based on the certificate.
I want to stress that I need to do the client authentication per customers, so this needs to be on the application level and not the Jetty level using the SSL setup.
According to the documentation, it looks like the LoginService is what you should use on the application level for the authorisation step.
I would like to secure my Java web app by KERBEROS. Do anyone know what is required to do that and how much I would have to change my app if my current users are stored in MySQL database? Is necessary to use VPN? If I undersatnd right, each of clients authenticate over KDS in same domain, but my app is on remote server (not in same domain?).
You have to give us more details about the your app and your environment. What kerberos does, it provides the way for the user to prove that he is indeed who he claims he is. Optionally you can verify that he is coming from IP address that he is claiming to come from, although later is rarely users due to NAT / Proxies / Load balancers.
What container does your app run in? Most of the modern servlet containers ( JBoss / Websphere ) provide kerberos authentication out of the box. You just need to adjust your web.xml or in case of websphere just configure the app correctly.
Do you have kerberos infrastructure in place? If you are in enterprise windows environment with an Active Directory domain controller you already do. In this case you need to configure workstations to be on the domain. The simplest case is if your workstations are members of the domain and the active directory controller is also your DNS server, and your application is running in the local domain and your browser is IE or Chrome. Otherwise you need to do some extra configuration.
The VPN is not necessary, although if you have one it will simplify things a bit.
As for your domain question there is a lot of confusion especially with Windows admins over what domain actually is. Domain could be DNS domain like stackoverflow.com and domain could be active directory domain which is something completely deifferent. In classical Unix kerberos the kerberos domain is called REALM and there is a configuration file that maps DNS domains to Kerberos realms.
Your app could be in any DNS domain you want, it could be in any Active Directory domain also, but in this case there must be a trust relationship established between different domains.
The bottom line is, as a bare minimum you have to configure two things. The DNS server must have SRV records so that the browser could find the KDC server. And you have to register your app in the KDC.
For more details google look here :
I have a question about whether I really need SSL or not. The scenario is as follows:
I have two applications at the moment, they are both Java webapps. One of them is getting data from another via RESTful web service secured by Spring Security, but my problem is that it sends username and password in URL so the other app can authenticate and authorize it using LDAP. In the end both apps will be running on JBoss AS 7 server so even though one of them is a client and the other one is server they will be running on one server and that confuses me a little bit (even if they will use multiple instances of JBoss they will still be both in the same network). Also signing certificate by third party seems unnecessary here because I don't really care if anyone will trust my server app and again I found that I can implement my own Certificate Authority but it really seems to me as an overkill.
So to summarize it: if I only care about request (or just its parts - username and password) being encrypted do I need to enable SSL and provide all it needs or is there any easier way to achieve it?
we are using worker roles to host java apps that are essentially Tompact and App code within an azure package.
We want to be able to setup SSL without having to bake the certs into the app package in a similar way to the .Net side, where you can refer to certs in the certificate store.
How can this be achieved?
I have read this blog post http://blogs.msdn.com/b/avkashchauhan/archive/2010/11/07/adding-ssl-https-security-with-tomcat-java-solution-in-windows-azure.aspx which states we need to create a keystore.bin file from the cert and include it in the package.
The problem is, I dont want to bake the certs into the package for ease of management when rolling out code to multiple environments with different certs etc, and also from a management point of view around cert expiry etc.
Thanks
Amit
The key is how do you want to bring the certificate in the Azure VM to be configured and and used by Tomcat. Another key question is that Tomcat/Java does not use standard Windows CertStore for certificate instead it uses keystore (extended part of your Java runtime) so if you are not using key store configuration in Windows Azure Package then you would need to create on fly during Windows Azure VM configuration.
While others may have different idea, I can propose the following solution:
You need Tomcat Installation done at this point do either you can pack tomcat with Azure
Package or you would need to download and install Tomcat through Startup task
Drop the certificate files on Windows Azure Storage (or some other location on internet)
Create a start up task to download certs either from Windows Azure Storage or your download location
After the certificate is downloaded to local machine, run the same command in Azure VM within startup task to build the key store and be sure to create keystore where your tomcat is going to look it.
This way when the Tomcat starts it knows where to look for key store and configure the endpoint properly.
There is another way is to put together whole Tomcat setup along with keystore etc at Windows Azure Storage and download through Startup task and set it up in the Azure VM. I have described this process in my this blog along with sample source.
In both of above ways whenever you would want to change the Tomcat/certificate, just update the package at your download location and then re-image/Restart the Azure VM and you will have updated VM with new code and you really don't need tore-create Windows Azure Package.
i have a two web applications running in java wih weblogic server, both the applications have same user name and password, so i decided to use single sign on machanism for sharing the session.
Apart from openSSO configuration, policy agent installation, i have to write java code for redirect the particular page from one application to another application.
if anyone already implemented the single sign on with java, please send me java the part to control the user authentication.
If OpenSSO is setup properly for both the weblogic instances, you can just redirect from one application to the other, you don't have to do anything else.