we are using worker roles to host java apps that are essentially Tompact and App code within an azure package.
We want to be able to setup SSL without having to bake the certs into the app package in a similar way to the .Net side, where you can refer to certs in the certificate store.
How can this be achieved?
I have read this blog post http://blogs.msdn.com/b/avkashchauhan/archive/2010/11/07/adding-ssl-https-security-with-tomcat-java-solution-in-windows-azure.aspx which states we need to create a keystore.bin file from the cert and include it in the package.
The problem is, I dont want to bake the certs into the package for ease of management when rolling out code to multiple environments with different certs etc, and also from a management point of view around cert expiry etc.
Thanks
Amit
The key is how do you want to bring the certificate in the Azure VM to be configured and and used by Tomcat. Another key question is that Tomcat/Java does not use standard Windows CertStore for certificate instead it uses keystore (extended part of your Java runtime) so if you are not using key store configuration in Windows Azure Package then you would need to create on fly during Windows Azure VM configuration.
While others may have different idea, I can propose the following solution:
You need Tomcat Installation done at this point do either you can pack tomcat with Azure
Package or you would need to download and install Tomcat through Startup task
Drop the certificate files on Windows Azure Storage (or some other location on internet)
Create a start up task to download certs either from Windows Azure Storage or your download location
After the certificate is downloaded to local machine, run the same command in Azure VM within startup task to build the key store and be sure to create keystore where your tomcat is going to look it.
This way when the Tomcat starts it knows where to look for key store and configure the endpoint properly.
There is another way is to put together whole Tomcat setup along with keystore etc at Windows Azure Storage and download through Startup task and set it up in the Azure VM. I have described this process in my this blog along with sample source.
In both of above ways whenever you would want to change the Tomcat/certificate, just update the package at your download location and then re-image/Restart the Azure VM and you will have updated VM with new code and you really don't need tore-create Windows Azure Package.
Related
We faced problem with REST calls from GCP Dataflow (Apache Beam/ Java SDK based) to our internal service within GCP with custom Self-Signed Certificate.
We tried to put certificate in Runtime to ../java/../cacerts file and it works well, but Java reads ../cacert during start and we are forced to override SSlContext and X509TrustManager, put it to HttpClient and reload cacert file in Runtime before http call and after custom cert loaded (followed this example).
From my perspective it looks like pretty hard implementation.
So the question: Does this problem has any easy workaround like run .sh script before GCP Dataflow Worker runs and update cacert file via cli before JVM started.
We also up Dataflow via gcloud cli so we cannot just put custom cacert to the project and point JVM to it via Java Options.
Thanks for any suggestions!
We did something similar for authenticating to services which use self-signed certificates.
You could always use custom containers for your workers and copy the certificate to cacerts in the dockerfile? This way the worker will always have the certificate in cacerts. (Custom containers are only supported for pipelines using Dataflow Runner v2)
I'm running two applications on my tomcat sevrer (one is in spring boot, second is in angular which uses the first one) now I want to enable https connections to both of my applications. I have generated the following files:
MyDomain.cer
MyDomain.key
MyDomain.csr
Now I want to secure connection to my applications using TLS 1.2.
And now I'm stuck. According to Tomcat guide i should create a keystore file to store my keys, then I should generate new key. I want to use the files I have already generated, how can I archive this?
Could you describe or redirect me to a page where I can find a step-by-step guide how to configure https on tomcat with the files I have?
found solution:
generate jsk key
put it in tomcat keystore folder (if doesnt exist, create it)
configure server xml to point to key storage with your generated key
more detailed instruction on how to can be found here.
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
I have multiple keystores and I would like the JVM to use all of them without adding extra code (the way it works with one keystore using vm options).
This JVM is going to run on Cloud Foundry and Im going to setup a number of keystore services and bind them all to my app (JVM).
Is this possible? Does cloud foundry does anything special to make this possible? I heard something about CF packing them into some zip file (maybe merges them into one keystore)
When you deploy a Java application to cloud foundry the java build pack will run and will take care of configuring the JVM JKS store. You can read more about this at https://github.com/cloudfoundry/java-buildpack
If you would like to use multiple JKS files I recommend you store these files inside your .jar or .war then read them from the classpath and configure your SSL context as you like.
If must you can modify the Java Buildpack (last resort) to automatically install your JKS files wherever you please in the container. You might want to do a cf ssh into a running container and explore the filesystem layout there to see how you can accomplish what you want.
We are using Maven against an Artifactory instance configured with https (SSL). The problem is that the certificate is signed by our internal CA which forces us to import the CA cert into the cacerts file in Java.
The CA certs are distributed to our Windows platform and are available using the Microsoft CryptoAPI support introduced in Java SE6.
It would be really nice if Maven somehow could access the intermediate CAs from Windows keystores since Maven is Java based (as described in Java access to intermediate CAs from Windows keystores?).
Does anyone know if this is possible?
To understand how Maven implements this code, you'll need to look at the Wagon system, especially the source code. The place I would start is the JSSE property ssl.SocketFactory.provider. If you create a custom SSLSocketFactory, you can have it do the work of getting the certificates from Windows when it initializes. You'll also have to find a way to bundle that code into an extension so that it will be accessible to Maven at runtime.