Level: Intermediate
08 April 2009
This tutorial guides you through securing WebSphere sMash applications deployed on
Amazon Elastic Compute Cloud (EC2), and provides step-by-step guidance to secure an
application using both BasicAuth and SSL authentication methods. Using BasicAuth and
SSL is especially important considering applications are not deployed on infrastructure
directly controlled by the user, but are instead deployed on Amazon EC2 infrastructure.
This tutorial covers two methods, BasicAuth and SSL, for securing WebSphere
sMash applications that are deployed on EC2. The AppBuilder application that ships
with sMash is used to demonstrate how you can apply these security measures.
You should be familiar with the Amazon EC2 infrastructure, and you should have a basic
familiarity with managing and deploying instances of Amazon Machine Images through
EC2.
In this tutorial, you learn how to secure WebSphere sMash applications deployed on
Amazon's EC2 cloud using both BasicAuth and SSL.
Prerequisites
In order to complete this tutorial, you should have a general knowledge of Amazon's EC2
and WebSphere sMash. In addition, you need an Amazon EC2 account, and you need to
deploy an instance of the WebSphere sMash Amazon Machine Image on that account.
Instructions for deploying the WebSphere sMash Amazon Machine Image can be found
on the Amazon Web Services site.
System requirements
You need an internet connection and a valid Amazon EC2 account. Additionally, ensure
you can make SSH connections in your environment.
Getting Started
Verifying deployment
Ensure you take all of the steps to deploy the WebSphere sMash AMI. After following
the instructions for deploying the WebSphere sMash AMI, the instance should be
displayed in your AWS console:
Figure 1. AWS Console
Use the public IP address of the deployed instance to establish an SSH connection to your
deployed instance. You must have a valid private key to make the connection. See the
sMash AMI instruction guide for steps to generate the key. If you use Putty, first load
your key for the session.
If this is the first time you are connecting to the instance, you must accept the terms of the
Novell SLES10 License Agreement.
Configuring BasicAuth
Next, create a user registry that you can use to secure the AppBuilder application.
WebSphere sMash supports different registry types including file registries, LDAP
registries, and custom registries. This tutorial uses a file registry, but note that file
registries are not sufficient for production-level applications.
To set up the file-based registry, use a dedicated sMash command. From the
/opt/ibm/zero/installed/appbuilder directory, type zero user. This starts an
interactive menu that prompts you for information about users, passwords, and groups.
Provide the necessary information.
Figure 6. Setting up user registry
After you configure the user registry, configure the application to use BasicAuth. Run the
zero secretkey command from the /opt/ibm/zero/installed/appbuilder directory
to generate a secret key that is associated with the application.
In the preceding configuration file, you secure all URLs associated with the AppBuilder
application when the URLs are accessed using an HTTP GET request, and you grant the
appBuilderAdmin user in the smashAdmins group access to this resource. The
AppBuilder application is now protected using BasicAuth.
Verifying BasicAuth
After you update the application security configuration, you can verify that the
AppBuilder application is protected with BasicAuth. Run the appbuilder stop and
appbuilder start commands to stop and start the AppBuilder so that the new settings
take effect.
Figure 9. Recycling the AppBuilder
Log in to the AppBuilder. Ensure that you know the public IP address of the deployed
WebSphere sMash instance. In this case, open the
http://ec2-174-129-129-51.compute-1.amazonaws.com:8070/ URL in a browser. Type
appBuilderAdmin and appBuilderAdmin as the user name and password. Verify that the
AppBuilder application deployed on Amazon EC2 is secured using BasicAuth.
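The browser check above can also be scripted from the SSH session. The following is an added example, not part of the tutorial or of WebSphere sMash: it builds the exact Authorization header a browser sends, decodes it again to show that BasicAuth only base64-encodes the password (which is why the tutorial goes on to SSL), and then confirms that the AppBuilder URL challenges anonymous requests with 401 and admits appBuilderAdmin with 200. It assumes curl and base64 are available on the instance; the URL and credentials are the tutorial's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify from the shell that an
# AppBuilder URL is really protected by BasicAuth.
# Assumes curl and base64 are on PATH.
set -eu

# Build the header a browser sends: "Basic" + base64("user:password").
# base64 is an encoding, not encryption: anyone who can read the plain
# HTTP request on port 8070 recovers the password, hence the SSL step.
basic_auth_header() {      # $1 = user, $2 = password
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Reverse the encoding of a captured header, to make the point concrete.
decode_basic_credentials() {   # $1 = full "Authorization: Basic ..." header
    printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# HTTP status code for a GET, anonymous or with credentials.
http_status() {            # $1 = URL, $2 = optional user:password
    if [ $# -ge 2 ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Returns 0 when the URL rejects anonymous requests (401) and accepts the
# configured user (200); anything else means BasicAuth is not enforced.
check_basicauth() {        # $1 = URL, $2 = user, $3 = password
    anon=$(http_status "$1")
    auth=$(http_status "$1" "$2:$3")
    echo "anonymous: $anon  authenticated: $auth"
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Usage, with the tutorial's instance and credentials:
# check_basicauth http://ec2-174-129-129-51.compute-1.amazonaws.com:8070/ \
#     appBuilderAdmin appBuilderAdmin
```

The security rule in the tutorial is scoped to GET requests, so a complete verification repeats the check for every other HTTP method the application serves, not only the one shown here.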
If you decide that you want additional security for your WebSphere sMash application
after you set up BasicAuth, you can configure the application to use SSL for
communications. Ensure that JAVA_HOME is set appropriately, and add the bin directory
of the JRE to the path.
You can now generate the key store and trust store used during SSL communications to
the AppBuilder application. In the following example, the Sun keytool command is used
to generate these artifacts.
Figure 12. Generating the key store
When you generate the key store, the appBuilderKS.jks file is created in the current
directory. The key store is protected by the supplied password, passw0rd, and is
associated with the supplied name.
You can now export a certificate based on the newly created key store, as shown in the
following example:
As a result, the appBuilderTS.jks file of a JKS trust store is created. Create a password
and accept the certificate to complete the process.
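The key store generation (Figure 12) and the certificate export and trust store import described above, as an added example that is not part of the tutorial or of WebSphere sMash. It uses the Sun keytool the tutorial names and the tutorial's file names and password; the alias, subject name, key size and validity are assumptions, and the public DNS name of the instance is passed in so that the certificate's subject and SAN match what clients connect to. The -noprompt flag replaces the interactive "trust this certificate" question the tutorial mentions.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the JKS key store and trust
# store for the AppBuilder HTTPS endpoint with keytool.
# Assumes keytool is on PATH (the tutorial's "add the JRE bin directory to
# the path" step). Alias, subject, key size and validity are assumptions.
set -eu

KEYSTORE=appBuilderKS.jks
TRUSTSTORE=appBuilderTS.jks
CERTFILE=appBuilder.cer
ALIAS=appbuilder

# 1. Self-signed RSA key pair in a JKS key store. CN and the SAN entry are
#    the public DNS name clients will use; that is what hostname checks match.
make_keystore() {          # $1 = public DNS name, $2 = store/key password
    keytool -genkeypair -storetype JKS -keystore "$KEYSTORE" \
        -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1, OU=AppBuilder, O=Example" \
        -ext "SAN=dns:$1" \
        -storepass "$2" -keypass "$2"
}

# 2. Export the public certificate (DER encoded) from the key store.
export_cert() {            # $1 = key store password
    keytool -exportcert -keystore "$KEYSTORE" -alias "$ALIAS" \
        -file "$CERTFILE" -storepass "$1"
}

# 3. Import that certificate into a new JKS trust store. -noprompt answers
#    the interactive "Trust this certificate?" question non-interactively.
make_truststore() {        # $1 = trust store password
    keytool -importcert -storetype JKS -keystore "$TRUSTSTORE" \
        -alias "$ALIAS" -file "$CERTFILE" -storepass "$1" -noprompt
}

# Returns 0 when the trust store holds the expected trusted certificate entry.
verify_truststore() {      # $1 = trust store password
    keytool -list -keystore "$TRUSTSTORE" -storepass "$1" \
        | grep -q "^$ALIAS,.*trustedCertEntry"
}

build_ssl_stores() {       # $1 = public DNS name, $2 = password
    make_keystore "$1" "$2"
    export_cert "$2"
    make_truststore "$2"
    verify_truststore "$2"
}

# Usage, with the tutorial's instance name and password:
# build_ssl_stores ec2-174-129-129-51.compute-1.amazonaws.com passw0rd
```

Using one password for the key store, the key and the trust store keeps the example short; in practice the trust store, which holds only public certificates, can use a different password from the key store that protects the private key.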
Update the zero.config file with the HTTPS port, key store, and trust store settings.
Edit the /opt/ibm/zero/installed/appbuilder/config/zero.config file. See the
following example for the additional information to include in the zero.config file.
Figure 15. SSL configuration in zero.config
In addition to defining the key and trust store information, you also disabled trust
verification because you are using self-signed certificates. In a production environment,
where certificates often come from a Certificate Authority, this configuration is not
necessary.
Update your security groups in your Amazon EC2 account. From the AWS console,
select Security groups and select the security group you want to allow HTTPS access
through. This tutorial uses the default security group, but you might have restricted access
to the AppBuilder application to certain groups in your environment. Regardless of the
group, allow an HTTPS connection over port 8444 as shown in the following example:
Figure 16. Allowing HTTPS in EC2
All configuration steps are now complete, and you can access the AppBuilder using
HTTPS on port 8444. Remember to recycle your AppBuilder application by stopping and
starting the application before attempting access over HTTPS.
Resources
Our Blogs - Read and react to what we have to say about cloud computing.