Sep 13th, 2010, 11:14 AM
Step-by-step instructions for how to deploy a secure Tomcat application
I've already deployed my WAR file to tcServer and got it working. But now I need to make it secure. I'm a novice at SSL and security certificates. So I've been trying to learn as much as I can and to stitch bits and pieces of information together on how to make my application secure. But there is no set of instructions anywhere on how to do this. CloudFoundry requires a certificate with a crt extension and a private key with a key extension. The certificates that Amazon creates all have a pem extension and don't work here. On the other hand, CloudFoundry seems to indicate that the certificates generated in Amazon or by CloudFoundry for the four regions (us-west, us-east, ...) are the ones to use for deploying a secure application. But these certificates have a pem extension and there aren't easy instructions for how to convert them to crt/key.
I even registered with GoDaddy and created a certificate for my website name. Had to use a tool posted by someone online to export a key file out of the GoDaddy certificate. I got my application deployed successfully. But then when I tried to convert my application URL to https, it gave me a failure message. CloudFoundry by default goes to http even for a secure application. Furthermore, it occurred to me that since my certificate is for *.website.com, how does Amazon know about the name of my website? It only sees the web traffic routed to it by the DNS server.
Can someone please provide step-by-step instructions on how to deploy a secure application using CloudFoundry say using GoDaddy or even the certificate generated by Amazon?
Your assistance is much appreciated.
Sep 14th, 2010, 11:13 AM
Got it working
I finally got this working. When I get a chance I'll post my steps for others.
Jan 24th, 2011, 07:58 AM
hello, it would be very helpful to know how you did it.
i use GoDaddy certificates and have two crt files, one is the gd_bungle.crt and the other is mydomainname.crt . i also bought wildcard domain certificate so it's interesting to know how did you deal with the amazon name issue.
Jan 29th, 2011, 10:51 AM
Thanks, it would be a great help if the step-by-step process is given. Excellent work! I've tried to restart with no effect. Does anyone have any other suggestion? www.gazm.com.au
Jan 29th, 2011, 02:30 PM
the process, step-by-step:
1. start by generating an SSL .key file and .csr and upload/paste the csr body to your certificate issuer.
Cloud Foundry is using Apache so for GoDaddy use OpenSSL and follow the Apache 2.x ssl generation instructions: http://help.godaddy.com/topic/746/article/5269
2. when you complete the process, you should have a .crt file named after your domain, and possibly also an intermediate certificate .crt file which may be required depending on your certificate issuer. on GoDaddy they are required by the following entries: http://help.godaddy.com/article/5238
3. on Cloud Foundry, select "Require SSL" and place your files as follows:
ssl certificate = <domainname>.crt;
private key = the .key file you generated;
the intermediate certificate = dg_bungle.crt;
once deployed, you can make sure they were installed properly by checking your Apache's httpd.conf and seeing that it points to the uploaded certificate files (the filenames are standardized by cloud foundry).
4. after deployment, you will still get the browser security warning. that's because you're trying to go to an EC2 url, while its installed certificate is specifying your domain. unfortunately forwarding your domain to the EC2 instance won't do the trick. the browser always compares the current url to the certificate url.
5. on AWS console, create an elastic ip address and associate it with your deployed ec2 instance.
6. then, remove any forwarding from your domain and use your domain provider DNS manager for domain mapping. map the domain's A-record to your allocated ip address.
this update is not an immediate process as DNS services are being updated all over the web. it should take about an hour or so.
7. try entering your website with https - should work without any warnings.
the benefit here is that once you allocated the elastic ip address and mapped your domain name to it, you don't have to do it again if you need to change your ec2 instance. all you'll have to do is associate your ip with the new instance url.
hope this helps!
Last edited by YuvalRon; Jan 29th, 2011 at 08:07 PM.
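Steps 1 and 4 above as an added example that is not part of the original posts: it generates a key and CSR with OpenSSL, self-signs the CSR as an offline stand-in for the certificate issuer, then checks that the certificate belongs to the private key and which hostnames it covers. The domain example.com, the EC2-style hostname and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. example.com and the EC2-style hostname are constructed placeholders.
set -e
umask 077                       # keep the private key unreadable to other users
DOMAIN="example.com"
EC2_NAME="ec2-203-0-113-10.compute-1.amazonaws.com"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: private key plus CSR for the wildcard name.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.$DOMAIN" \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" 2>/dev/null
}

# Offline stand-in for the issuer (assumption): self-sign the CSR so the checks
# below can run. A real deployment uploads the .crt returned by the issuer.
self_sign_for_demo() {
  printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -signkey "$WORK/$DOMAIN.key" \
    -days 1 -extfile "$WORK/san.cnf" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Check before upload: the certificate and the key must carry the same public key.
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_fp=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Step 4: the same comparison a browser makes between the URL host and the certificate.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

make_key_and_csr
self_sign_for_demo
cert_matches_key "$WORK/$DOMAIN.crt" "$WORK/$DOMAIN.key" && echo "key matches certificate"
for host in "www.$DOMAIN" "$EC2_NAME"; do
  if cert_covers_host "$WORK/$DOMAIN.crt" "$host"; then
    echo "$host: covered by certificate"
  else
    echo "$host: NOT covered (browser warning)"
  fi
done
```

The last line of output shows why the EC2 URL triggers a warning until the domain's A-record points at the instance.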