Wednesday, September 25, 2013

Configure SSL for Single instance Tomcat in AWS

How to configure SSL for Single instance Apchae Tomcat in AWS environment

1. Create private key using open SSL
   >openssl genrsa 1024 > privatekey.pem
2. Create a certificate signing requests
   >openssl req -new -key privatekey.pem -out csr.pem

Normally, you would submit your CSR to a Certificate Authority (CA) to apply for a digital server certificate. 

However, you can also generate a self-signed certificate for testing purposes only. 

3. How to generate self signed certificate
>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt

4. In you jee application create a folder name  .ebextensions in \src\main\resources
5. Create a file name 01run.config under the new directory and add the following code

      Type: "AWS::EC2::SecurityGroupIngress"
          Ref: "AWSEBSecurityGroup"
        IpProtocol: "tcp"
        FromPort: "443"
        ToPort: "443"
        CidrIp: ""

5. Build and create your new .war file
6. Login to your EC2 instance using PuTTy as root user and install mod_ssl using yum
            yum install mod_ssl
7.Creates(if not exsists) an ssl.conf file in your /etc/httpd/conf.d/ directory and add/modify the following details

mode: 000777
    owner: ec2-user
    group: ec2-user
    content: |
      LoadModule ssl_module modules/
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
        Order deny,allow
        Allow from all
        SSLEngine on
        SSLCertificateFile "/tmp/server.crt"
        SSLCertificateKeyFile "/tmp/private.key"
        ProxyPass / http://localhost:8080/ retry=0
        ProxyPassReverse / http://localhost:8080/
        ProxyPreserveHost on
        LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
        ErrorLog /var/log/httpd/elasticbeanstalk-error_log
        TransferLog /var/log/httpd/elasticbeanstalk-access_log


8.Copy the generated private key and certificate to /tmp in EC2
9. Following commands will be useful to handle any issues 

rm -f  /var/lock/subsys/httpd
sudo netstat -ltnp | grep ':80'

sudo kill -9 xxxx
fuser -k -n tcp 80

service httpd restart