Secure Access to Your Application with SSL
As the Internet becomes a bigger and bigger part (if it isn’t already) of commerce and business, the desire to keep those very things safe and secure is growing. Online theft is growing just as fast, or faster, than the business that it takes advantage of. SMBs have to take this into account as they take their businesses online. Developers especially need to not only be informed but have plans in place to make sure that they, or their customers, become victims of online theft.
Do you need it?
Every e-commerce site needs to ensure that its transactions are secure. For that matter, any site that does any kind of online transactions need to make sure that they have a way to encrypt communications between their servers and their customers. Unfortunately, every piece of information, every byte of data that travels across the Internet, including emails and previously visited web sites, is a possible target for hijacking by online thieves. So…
What’s the answer?
Certificate Authorities and SSL Certificates
Every online user wants to ensure that their online transactions, purchases, messages and privacy are safe. The way that the developer and SMB can ensure this is by using a “trust provider”, a certificate authority (CA). CAs are providers of Secure Socket Layer Certificates. An SSL provides a protocol that protects private information on the Internet. It keeps data encrypted as it is sent over the Internet so that only the intended recipient is able to access it.
SSL Certificates make sure that your data is kept safe in transit and that only those that you want to see it can. So, let’s see how this works.
Create an environment
1. Go to jelastic.com and sign up if you haven’t done so yet, or log in with your Jelastic credentials by clicking the Sign In link on the page.
2. While in Jelastic dashboard, click the Create environment button at the top left.
3. In the Environment Topology dialog, pick your application server (for example, Tomcat 7), switch on Public IPv4 for your server and type your environment name, for example, myssl.
In a minute your environment with Tomcat 7 will be successfully created.
4. Expand the list of environment and use Additionally button for your instance to see the number of your Public IP.
Domain name and A Record settings
1. Using any domain registrar buy your domain name (we use mycustomdomain.com as an example).
2. Set A Record to point your domain to your Public IP address. You can find the detailed instruction on how to do this here.
Getting SSL Certificate
1. If you already have an SSL provider that you prefer, you can go to them. We suggest that you use the provider that your Jelastic provider (ServInt, Rusonyx, Layershift, dogado or Tsukaeru) recommends. In this how-to, we will use Comodo as our SSL provider.
So that you don’t have to go through the whole process on the Comodo site, we have selected Comodo’s most popular certificates and put the links below that take you straight to their order form, along with a discount:
- Positive SSL: fastest and most cost effective–good for low volume transactions
- Positive SSL Wildcard: same as the Positive SSL, but also covers subdomains
- COMODO SSL: their most popular SSL and suitable for high volume transactions and traffic
- COMODO SSL Wildcard: same their COMODO SSL, but allows for more than just one domain
- COMODO EV SSL: when you want to go above and beyond, the Green Bar Extended Validation Certificate is for you
After providing all the required information you’ll receive an email with CRT files (digital certificate files used with a web browser). If you decide to use another provider, simply follow the same steps of buying a certificate and then once you get your CRT files, you can proceed to the following steps.
2. Install OpenSSL tool on your computer if you haven’t done so yet.
3. Run OpenSSL using command line (C:openssl.exe on Windows,~/openssl.sh on Linux):
4. Generate a private key on the Windows/Linux server that runs your webserver (this key is a 2048 bit RSA key):
OpenSSL> genrsa -out mykey.key 2048
5. Convert your main certificate file (in our case mycustomdomain_com.crt), that you have received from your CA and your private key (mykey.key) to p12 container.
OpenSSL> pkcs12 -export -in mycustomdomain_com.crt -inkey mykey.key -out certificate.p12 -name tomcat -CAfile EssentialSSLCA_2.crt -caname root
Notice: COMODO provides CAfile EssentialSSLCA_2.crt as an intermediate certificate.
9. Import certificate to the keystore. We use Java keytool for these purposes. It’s a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates.
>keytool -importkeystore -srckeystore certificate.p12 -destkeystore my.keystore -srcstoretype pkcs12
Enter the passwords to the destination and source keystores:
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
If all is ok you’ll see the following message:
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Your keystore will be located in the bin folder (JAVA_HOME/bin/my.keystore). To look through the contents of your keystore you can use the following command:
>keytool -list -keystore my.keystore -storetype pkcs12 -storepass password
1. Go back to the Jelastic dashboard and click the config button for Tomcat.
2. Upload your keystore file to the home folder of Tomcat.
3. Configure the Connector in the server.xml file (server folder).
schema="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" />
4. Comment the listener in server.xml file, which is responsible for using native Tomcat SSL engine:
<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
5. Save the changes and restart Tomcat.
Now you can request to your Tomcat via secure protocol.