
WebSphere sMash on Amazon EC2:

Securing WebSphere sMash applications on Amazon EC2
Using BasicAuth and SSL authentication methods to secure the applications

Level: Intermediate

Dustin Amrhein (damrhei@us.ibm.com), Technical Evangelist, IBM

08 April 2009

This tutorial guides you through securing WebSphere sMash applications deployed on
Amazon Elastic Compute Cloud (EC2), and provides step-by-step guidance to secure an
application using both BasicAuth and SSL authentication methods. Using BasicAuth and
SSL is especially important considering applications are not deployed on infrastructure
directly controlled by the user, but are instead deployed on Amazon EC2 infrastructure.

Securing WebSphere sMash applications on EC2

This tutorial addresses two methods, BasicAuth and SSL, that you can use to secure
WebSphere sMash applications that are deployed on EC2. The AppBuilder application that is
available with sMash is used to demonstrate how you can apply these security measures.
You should be familiar with the Amazon EC2 infrastructure, and you should have a basic
familiarity with managing and deploying instances of Amazon Machine Images through
EC2.

About this tutorial

This tutorial provides instructions to secure WebSphere sMash applications deployed on
EC2, discusses both BasicAuth and SSL methods of securing applications, and showcases
how to interact with sMash applications deployed on EC2.

Objectives

In this tutorial, you learn how to secure WebSphere sMash applications deployed on
Amazon's EC2 cloud using both BasicAuth and SSL.

Prerequisites

In order to complete this tutorial, you should have a general knowledge of Amazon's EC2
and WebSphere sMash. In addition, you need an Amazon EC2 account, and you need to
deploy an instance of the WebSphere sMash Amazon Machine Image on that account.
Instructions for deploying the WebSphere sMash Amazon Machine Image can be found
on the Amazon Web Services site.

System requirements

You need an internet connection and a valid Amazon EC2 account. Additionally, ensure
you can make SSH connections in your environment.

Getting Started

Verifying deployment

Ensure you take all of the steps to deploy the WebSphere sMash AMI. After following
the instructions for deploying the WebSphere sMash AMI, the instance should be
displayed in your AWS console:

Figure 1. AWS Console

Connecting with SSH

Use the public IP address of the deployed instance to establish an SSH connection to it.
You must have a valid private key to make the connection. See the sMash AMI instruction
guide for steps to generate the key. If you use PuTTY, first load your key for the session.

Figure 2. Loading key in PuTTY

Now you are ready to make the SSH connection. Type the address into PuTTY, and click
Open.

Figure 3. Opening the connection in PuTTY

If this is the first time you are connecting to the instance, you must accept the terms of the
Novell SLES10 License Agreement.

Figure 4. Novell License Agreement

Configuring BasicAuth

Creating a user registry


After you establish an SSH connection, you can set up the BasicAuth authentication
method for an application. First, navigate to the
/opt/ibm/zero/installed/appbuilder directory, and ensure that the JAVA_HOME and PATH
environment variables are correctly configured. Set the JAVA_HOME variable to a location
such as /opt/ibm/zero/java-i386-60/jre, and augment the PATH variable to include
/opt/ibm/zero.

Figure 5. Configuring the environment

Next, create a user registry that you can use to secure the AppBuilder application.
WebSphere sMash supports different registry types including file registries, LDAP
registries, and custom registries. This tutorial uses a file registry, but note that file
registries are not sufficient for production-level applications.

To set up the file-based registry, use the sMash zero user command. From the
/opt/ibm/zero/installed/appbuilder directory, type zero user. An interactive menu
prompts you for information about users, passwords, and groups. Provide the necessary
information.

Figure 6. Setting up user registry

You have now configured a user registry for your application.

Configuring application settings

After you configure the user registry, configure the application to use BasicAuth. Run the
zero secretkey command from the /opt/ibm/zero/installed/appbuilder directory
to generate a secret key that is associated with the application.

Figure 7. Generating a secret key


Next, edit the zero.config file in the /opt/ibm/zero/installed/appbuilder/config
directory to provide the secret key, what URLs and HTTP methods to secure, and what
users and groups are authorized to access the protected resource.

Figure 8. Updating the zero.config file

In the preceding configuration file, you secure all URLs associated with the AppBuilder
application when the URLs are accessed using an HTTP GET request, and you grant the
appBuilderAdmin user in the smashAdmins group access to this resource. The
AppBuilder application is now protected using BasicAuth.

Verifying BasicAuth

Restarting the AppBuilder application

After you update the application security configuration, you can verify that the
AppBuilder application is protected with BasicAuth. Run the appbuilder stop and
appbuilder start commands to restart the AppBuilder so that the new settings take
effect.

Figure 9. Recycling the AppBuilder

Log in to the AppBuilder. Ensure that you know the public IP address of the deployed
WebSphere sMash instance. In this case, open the
http://ec2-174-129-129-51.compute-1.amazonaws.com:8070/ URL in a browser. Type
appBuilderAdmin and appBuilderAdmin as the user name and password. Verify that the
AppBuilder application deployed on Amazon EC2 is secured using BasicAuth.

Figure 10. Username/password prompt

After entering our username, 'appBuilderAdmin', and password, 'appBuilderPW', we will
be granted access to the AppBuilder application. We have now verified that our
AppBuilder application deployed on Amazon's EC2 is secured using BasicAuth.
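
The same verification can be scripted. The following is an added example, not part of
the original tutorial or of WebSphere sMash: because the rule shown earlier covers GET
requests only, it sends each HTTP method without credentials and reports how the server
answers. The function names, the method list and the verdict labels are assumptions, and
curl must be installed.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm which HTTP methods demand
# credentials. Function names and verdict labels are assumptions.

# probe_code METHOD URL [USER:PASSWORD] -> prints the HTTP status code.
probe_code() {
    if [ -n "${3:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$1" -u "$3" "$2"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$1" "$2"
    fi
}

# audit_methods URL -> one "METHOD CODE VERDICT" line per method.
# Returns 1 if any method is answered (2xx/3xx) without credentials.
audit_methods() {
    open=0
    for m in GET POST PUT DELETE; do
        code=$(probe_code "$m" "$1") || code=000
        case $code in
            401)     verdict=auth-required ;;
            2??|3??) verdict=OPEN; open=1 ;;
            000)     verdict=no-response ;;
            *)       verdict=refused ;;
        esac
        echo "$m $code $verdict"
    done
    return "$open"
}

# Runs only when a URL is given, for example:
#   sh audit.sh http://<instance-public-dns>:8070/ appBuilderAdmin:<password>
if [ $# -ge 1 ]; then
    audit_methods "$1" || echo "WARNING: a method is served without credentials"
    if [ $# -ge 2 ]; then
        echo "GET with credentials: $(probe_code GET "$1" "$2")"
    fi
fi
```

A method reported as OPEN is one the security rule in zero.config does not cover; add it
to the protected methods there and restart the AppBuilder before checking again.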

Configuring SSL

Setting up the SSL environment

If you decide that you want additional security for your WebSphere sMash application
after you set up BasicAuth, you can configure the application to use SSL for
communications. Ensure the JAVA_HOME is set appropriately, and add the bin directory
of the JRE to the path.

Figure 11. Configuring environment for SSL

Generating SSL artifacts

You can now generate the key store and trust store used during SSL communications to
the AppBuilder application. In the following example, the Sun keytool command is used
to generate these artifacts.

Figure 12. Generating the key store

When you generate the key store, the appBuilderKS.jks file is created in the current
directory. The key store is protected by the supplied password, passw0rd, and is
associated with the supplied name.

You can now export a certificate based on the newly created key store, as shown in the
following example:

Figure 13. Exporting a certificate


Run the preceding command to generate a certificate. The certificate is created in the
same directory.

Next, use the keytool command to create the trust store.

Figure 14. Generating a trust store

As a result, the JKS trust store file appBuilderTS.jks is created. Create a password
and accept the certificate to complete the process.
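
The three keytool steps above, collected into one script as an added example (not the
commands from the original figures). The file names appBuilderKS.jks and appBuilderTS.jks
and the password passw0rd come from the tutorial; the alias, distinguished name, validity,
key size, certificate file name and trust store password are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): the three keytool steps in one function.
# From the tutorial: appBuilderKS.jks, appBuilderTS.jks, passw0rd.
# Assumptions: alias, distinguished name, validity, RSA 2048, appBuilder.cer,
# and the trust store password.
ALIAS=appbuilder
DNAME="CN=appbuilder.example.invalid, O=Example"

# make_stores DIR KEYSTORE_PASS TRUSTSTORE_PASS
make_stores() {
    (
        cd "$1" || exit 1
        # 1. Key store holding a self-signed RSA key pair.
        keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
            -validity 365 -dname "$DNAME" -storetype JKS \
            -keystore appBuilderKS.jks -storepass "$2" -keypass "$2" || exit 1
        # 2. Export the public certificate only; the private key stays behind.
        keytool -exportcert -alias "$ALIAS" -storetype JKS \
            -keystore appBuilderKS.jks -storepass "$2" -file appBuilder.cer || exit 1
        # 3. Import it into a new trust store (-noprompt accepts it unattended).
        keytool -importcert -noprompt -alias "$ALIAS" -file appBuilder.cer \
            -storetype JKS -keystore appBuilderTS.jks -storepass "$3" || exit 1
    )
}

# fingerprint STORE PASS -> certificate fingerprint for $ALIAS (English output).
fingerprint() {
    keytool -list -alias "$ALIAS" -storetype JKS -keystore "$1" -storepass "$2" |
        sed -n 's/.*fingerprint[^:]*: *//p'
}

# same_cert DIR KEYSTORE_PASS TRUSTSTORE_PASS -> 0 if both stores hold one certificate.
same_cert() {
    a=$(fingerprint "$1/appBuilderKS.jks" "$2")
    b=$(fingerprint "$1/appBuilderTS.jks" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Passwords given with -storepass show up in the process list and shell history;
# omit the option to be prompted instead. Run with: sh stores.sh DIR KSPASS TSPASS
if [ $# -eq 3 ] && command -v keytool >/dev/null 2>&1; then
    make_stores "$1" "$2" "$3" && same_cert "$1" "$2" "$3" && echo "stores match"
fi
```

Only appBuilder.cer and the trust store are meant to be shared; the key store contains the
private key and should stay readable only by the account that runs the application.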

Configuring the application for SSL

Update the zero.config file with the HTTPS port, key store, and trust store
information. Edit the /opt/ibm/zero/installed/appbuilder/config/zero.config file.
See the following example for the additional information to include in the zero.config
file.

Figure 15. SSL configuration in zero.config

In addition to defining the key and trust store information, you also disabled trust
verification because you are using self-signed certificates. In a production environment,
where certificates often come from a Certificate Authority, this configuration is not
necessary.

Configuring EC2 for SSL

Update your security groups in your Amazon EC2 account. From the AWS console,
select Security groups and select the security group you want to allow HTTPS access
through. This tutorial uses the default security group, but you might have restricted access
to the AppBuilder application to certain groups in your environment. Regardless of the
group, allow an HTTPS connection over port 8444 as shown in the following example:

Figure 16. Allowing HTTPS in EC2

All configuration steps are now complete, and you can access the AppBuilder using
HTTPS on port 8444. Remember to recycle your AppBuilder application by stopping and
starting the application before attempting access over HTTPS.

Resources

* Our Blogs - Read and react to what we have to say about cloud computing.
* IBM AMIs - A link to the collection of IBM Amazon Machine Images.
* IBM's Cloud - Read the latest IBM news in cloud computing.
* DeveloperWorks Cloud Space - A DeveloperWorks space devoted to cloud computing.
* Cloud Computing Journal - A collection of stories, blog entries, and general
  information in cloud computing.
